How to manage Network ACLs for virtual hosts

The virtual machine infrastructure's network sits behind Cisco routers whose ACLs block most incoming connections by default. Any service on a virtual machine that must accept incoming connections therefore needs an ACL request filed to open the relevant ports.

Please note: Default ACLs are already in place on the hosting network to allow connections from UFAD's servers and the UF security scanners, and to the UF name servers.

ACLs can be scoped per port, per machine, per network range, or any combination of these. They can also be restricted by protocol: TCP, UDP, both, or ICMP.

In most cases customers are listed as "subnet managers" for the IPs on which their VMs reside, which allows you to request ACL changes directly from CNS Network Services. To request ACL changes, submit a ticket at https://my.it.ufl.edu

Some typical ACL requests might be (each one should state the protocol, the port or ports, the destination host or range, and the source host or network):

open ports 80,443 (tcp) for all ip addresses for virtual-apache-server.somebody.ufl.edu

open incoming connections to port 22 using tcp to host virtual-apache-server.somebody.ufl.edu from all hosts on campus

allow all incoming connections to host virtual-apache-server.somebody.ufl.edu from all hosts on network 10.241.33.0/24

allow incoming connections to ports 135-139 using tcp, port 135 using udp, and port 445 using tcp to hosts on ranges 10.241.33.0/24, 128.227.156.0/24

allow all connections to virtual hosts 10.241.33.200-225 from all hosts on network 128.227.0.240/27 using tcp or udp

permit icmp traffic to virtual host virtual-apache-server.somebody.ufl.edu from host 128.227.0.240
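Before filing a ticket it is worth checking that a request is unambiguous: ports inside 1-65535, ports only on TCP/UDP, and CIDR blocks aligned to their prefix (a block such as 128.227.0.240/27 does not start on a /27 boundary, and a router wildcard mask would quietly match 128.227.0.224/27 instead). The script below is an added example, not part of this page or of any CNS tool. It validates a request in the shape of the typical requests listed above and renders Cisco IOS-style extended ACL lines purely as an illustration of what the request would translate to; it assumes that the destination is given as an address rather than a hostname, that "virtual-apache-server" resolves to the made-up address 10.241.33.5, and that "all connections" maps to the IOS protocol keyword ip. The actual ACL syntax used by CNS is theirs, not the page's or this example's.

```python
"""Validate and normalize a virtual-host ACL request before submitting it.

Added example, not CNS tooling. Destinations/sources may be 'any', a single
IPv4 address, a CIDR block, or a host range such as '10.241.33.200-225'.
"""
import ipaddress

# "ip" stands in for "all connections"; ports are only meaningful for tcp/udp.
PROTOCOLS = ("tcp", "udp", "icmp", "ip")


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """'80,443' -> [(80, 80), (443, 443)]; '135-139' -> [(135, 139)]. '' = all."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def parse_endpoint(spec: str) -> list[ipaddress.IPv4Network]:
    """Return the list of networks an endpoint spec covers.

    A host range is summarized into the minimal set of CIDR blocks. A CIDR
    block with host bits set is rejected with a hint rather than silently
    widened to the aligned block the router would actually match.
    """
    spec = spec.strip().lower()
    if spec in ("any", "all"):
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    if "-" in spec and "/" not in spec:
        first, last = spec.split("-", 1)
        lo = ipaddress.IPv4Address(first)
        # '10.241.33.200-225' abbreviates the last octet; a full address is also accepted.
        hi = ipaddress.IPv4Address(last if "." in last else first.rsplit(".", 1)[0] + "." + last)
        if hi < lo:
            raise ValueError(f"reversed host range: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    net = ipaddress.IPv4Network(spec, strict=False)  # ValueError if not an address/CIDR
    if ipaddress.IPv4Address(spec.split("/")[0]) != net.network_address:
        raise ValueError(f"{spec} has host bits set; did you mean {net}?")
    return [net]


def ios_addr(net: ipaddress.IPv4Network) -> str:
    """IOS extended-ACL address form: any / host X / network wildcard."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_request(dst: str, src: str = "any", protocols: tuple = ("tcp",), ports: str = "") -> list[str]:
    """Validate one request and return illustrative 'permit ...' lines."""
    for proto in protocols:
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r}")
    port_ranges = parse_ports(ports)
    if port_ranges and any(p in ("icmp", "ip") for p in protocols):
        raise ValueError("ports can only be specified for tcp/udp")
    lines = []
    for proto in protocols:
        for s in parse_endpoint(src):
            for d in parse_endpoint(dst):
                base = f"permit {proto} {ios_addr(s)} {ios_addr(d)}"
                if not port_ranges:
                    lines.append(base)
                for lo, hi in port_ranges:
                    lines.append(f"{base} eq {lo}" if lo == hi else f"{base} range {lo} {hi}")
    return lines


if __name__ == "__main__":
    # Constructed requests mirroring the examples above; 10.241.33.5 is an
    # assumed address for virtual-apache-server.somebody.ufl.edu.
    for req in [
        dict(dst="10.241.33.5", ports="80,443"),
        dict(dst="10.241.33.5", src="128.227.0.240", protocols=("icmp",)),
        dict(dst="10.241.33.200-225", src="128.227.0.240/27", protocols=("tcp", "udp")),
    ]:
        try:
            print("\n".join(render_request(**req)))
        except ValueError as err:
            print(f"REJECTED {req}: {err}")
```

Running it prints two lines for the web request, one line for the ICMP request, and a rejection for the third request, because 128.227.0.240/27 is not on a /27 boundary; resubmitting it with 128.227.0.224/27 yields six lines (three summarized destination blocks for .200-.225, for each of tcp and udp).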