How to Set up an Access Control List on NetScaler to Allow Access Only From a Particular IP Address

Article ID: CTX110453

Description

This article describes how to set up an Access Control List (ACL) that denies access to all users with the exception of a few.

On NetScaler, all users are allowed by default.


Instructions

Complete the following procedure if you want to deny access to all users except those coming from an IP address (in this example, 10.200.13.1) to your NetScaler:

  1. Set up an ACL to allow access from IP address 10.200.13.1 and give the ACL the highest priority (the lowest priority number). Use the following command:
    > add ns acl allow_10.200.13.1 ALLOW -srcIP 10.200.13.1 -priority 1

  2. Set up another ACL to deny access to everything else and give it the next-highest priority. Use the following command:
    > add ns acl deny_all DENY -priority 2
    Because the ACL with the highest priority (priority 1) is evaluated first, a packet from the machine with IP address 10.200.13.1 matches the ALLOW rule before the DENY rule is considered, so that machine is given access.

  3. Issue the following command to apply the ACLs:
    > apply acls
    Caution! Be careful when assigning the deny_all ACL. If you apply a deny_all ACL on its own, without a higher-priority ALLOW ACL for your management host, you no longer have network connectivity to the NetScaler and can reach it only through the console connection.

Additional Information

The priority of an ACL defines the order in which ACLs are evaluated, so an ACL with a priority of 1 is checked first. If an incoming or outgoing packet matches the condition defined by that ACL, the system performs the ACL's action and stops. If the packet does not match the condition, the system compares the packet against the ACL with the next-highest priority (the next priority number up), and so on down the list.
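The following is an added example, not NetScaler code from the article or from Citrix. It models the evaluation order described above (ascending priority number, first match wins, allow when nothing matches) over the two ACLs from the procedure, and adds a pre-flight check a practitioner would want before typing `apply acls`: it reports which management addresses the ACL set would deny, which catches both the "deny_all on its own" lockout from the caution note and the case where the priorities of the two rules are swapped. The `Acl` structure and the `management_lockout` helper are assumptions of this simulation, not a NetScaler API.

```python
"""Simulate NetScaler-style ACL evaluation by priority (added example).

Models the behaviour the article describes: the ACL with the lowest
priority number is evaluated first, the first matching ACL decides, and
a packet that matches nothing is allowed by default.  The Acl dataclass
and the helper functions are this example's own assumptions, not a
NetScaler API.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Acl:
    name: str
    action: str                   # "ALLOW" or "DENY"
    priority: int                 # lower number = evaluated earlier
    src_ip: Optional[str] = None  # None = no -srcIP given, matches any source

    def matches(self, src: str) -> bool:
        if self.src_ip is None:
            return True
        # Accept a single address or a CIDR network as the source condition.
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.src_ip, strict=False)


def evaluate(acls, src_ip):
    """Return (action, acl_name) for a packet from src_ip.

    ACLs are walked in ascending priority number; the first match wins.
    With no match the default-allow behaviour applies: ("ALLOW", None).
    """
    for acl in sorted(acls, key=lambda a: a.priority):
        if acl.matches(src_ip):
            return acl.action, acl.name
    return "ALLOW", None


def management_lockout(acls, admin_ips):
    """Return the management addresses that would be DENIED by this ACL set.

    Intended as a pre-flight check before `apply acls`: a non-empty result
    means the listed hosts lose network access and only the console remains.
    """
    return [ip for ip in admin_ips if evaluate(acls, ip)[0] == "DENY"]


# Constructed data mirroring the article's two ACLs.
ARTICLE_ACLS = [
    Acl("allow_10.200.13.1", "ALLOW", 1, "10.200.13.1"),
    Acl("deny_all", "DENY", 2),
]

# The caution case: deny_all applied on its own.
DENY_ONLY = [Acl("deny_all", "DENY", 2)]

# Same two rules with the priorities swapped: deny_all now shadows the allow.
WRONG_ORDER = [
    Acl("allow_10.200.13.1", "ALLOW", 2, "10.200.13.1"),
    Acl("deny_all", "DENY", 1),
]

if __name__ == "__main__":
    print(evaluate(ARTICLE_ACLS, "10.200.13.1"))    # ('ALLOW', 'allow_10.200.13.1')
    print(evaluate(ARTICLE_ACLS, "10.200.13.2"))    # ('DENY', 'deny_all')
    print(management_lockout(DENY_ONLY, ["10.200.13.1"]))    # ['10.200.13.1']
    print(management_lockout(WRONG_ORDER, ["10.200.13.1"]))  # ['10.200.13.1']
```

The lockout check is the part worth keeping: run it over the ACL set you are about to apply with the addresses you administer from, and treat any returned address as a reason not to apply yet.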