How to manage Network ACLs for virtual hosts

The virtual machine infrastructure's network sits behind Cisco routers whose ACLs block most incoming connections by default. This means that an ACL request will need to be filed to open any port that must accept incoming connections to a virtual machine.

Please note: Default ACLs are already in place on the hosting network to allow connections from UFAD's servers, the UF security scanners, and also to the UF name servers.

ACLs can be written per port, per machine, per network range, or any combination of these. They can also be restricted by protocol: TCP, UDP, both, or ICMP.

In most cases customers are listed as "subnet managers" for the IPs on which their VMs reside. This allows you to request ACL changes directly from CNS Network Services. To request ACL changes please submit a ticket at

Some typical ACL requests might be:

open ports 80,443 (tcp) for all ip addresses for

open incoming connections to port 22 using tcp to host from all hosts on campus

allow all incoming connections to host from all hosts on network

allow incoming connections to ports 135-139 using tcp, port 135 using udp, and port 445 using tcp to hosts on ranges,

Allow all connections to virtual hosts from all hosts on networks using tcp or udp

permit icmp traffic to virtual host from host
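As an added illustration (not part of this page and not the actual router configuration CNS maintains), here is roughly how requests of the kinds listed above would be expressed as a single Cisco IOS extended ACL. The ACL name, all addresses and all ranges are placeholders: the hosts and networks use RFC 5737 documentation space, and 203.0.113.0/24 stands in for the VM hosting range.

```cisco
! Hypothetical extended ACL applied inbound toward the VM hosting network.
! Addresses are placeholders; wildcard masks are the inverse of the netmask
! (0.0.0.255 = /24, 0.0.255.255 = /16).
ip access-list extended VM-HOSTING-IN
 ! "open ports 80,443 (tcp) for all ip addresses" for one virtual host
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 ! "open incoming connections to port 22 using tcp from all hosts on campus"
 ! (198.51.100.0/24 stands in for the campus range)
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 22
 ! "allow all incoming connections to host from all hosts on network"
 permit ip 198.51.100.0 0.0.0.255 host 203.0.113.20
 ! "ports 135-139 tcp, 135 udp, 445 tcp to hosts on ranges"
 ! (192.0.2.0/24 stands in for the requesting range, 203.0.113.0/25 for the VM range)
 permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.127 range 135 139
 permit udp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.127 eq 135
 permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.127 eq 445
 ! "all connections to virtual hosts from all hosts on networks using tcp or udp"
 permit tcp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
 permit udp 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
 ! "permit icmp traffic to virtual host from host"
 permit icmp host 192.0.2.50 host 203.0.113.10
 ! Every extended ACL ends with an implicit deny; stated here so the
 ! default-deny posture described above is visible when reviewing the list.
 deny ip any any
```

Each line maps one request to one protocol, source, destination and port, which is the level of detail a ticket should contain so the request can be matched against entries like these.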