Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 273
Technology Review
Concepts:
Access control using the Secure Router OS firewall has two fundamental parts: Access Control Lists
(ACLs) and Access Policy Classes (ACPs). ACLs are packet selectors used by other Secure Router OS
subsystems; by themselves they do nothing. An ACP consists of a selector (an ACL) and an action (allow,
discard, or NAT), so one ACP integrates allow and discard policy with NAT. An ACP has no effect until it is
assigned to a network interface.
Both ACLs and ACPs are order dependent. When a packet is evaluated, the matching engine begins with
the first entry in the list and progresses through the entries until it finds a match. The first matching entry
is executed and no later entry is consulted, so a broad entry placed early in the list shadows any more
specific entry placed after it.
Packet Flow:
Case 1: Packets from interfaces with a configured policy class to any other interface
ACPs are applied when packets are received on an interface, whatever the outbound interface is. If an
interface has not been assigned a policy class, by default it allows all received traffic to pass through. If an
interface has been assigned a policy class but the firewall has not been enabled with the ip firewall
command, traffic flows normally from this interface with no firewall processing.
Case 2: Packets that enter and leave through a single interface with a configured policy class
These packets are processed through the ACP exactly as if they were destined for another interface
(identical to Case 1).
Case 3: Packets from interfaces without a configured policy class to interfaces with one
These packets are routed normally and are not processed by the firewall, even though the outbound
interface has a policy class; the ip firewall command has no effect on this traffic. Policy must therefore be
assigned to the interface on which the packets to be controlled are received.
[Figure: packet flow. Packet In -> Interface Association List -> Access Control Policies (permit, deny, NAT) -> Route Lookup -> Packet Out, with a branch labelled "If session hit, or no ACP configured" around the policy step.]
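The following configuration puts the concepts and packet-flow cases above together. It is an example added here, not taken from the HP guide. The command forms are the SROS CLI syntax for these features as assumed by the editor (ip access-list extended, ip policy-class with allow list / discard list / nat source list, access-policy on the interface, ip firewall) and should be checked against the command pages of this guide; the interface names (eth 0/1 as LAN, ppp 1 as WAN), list names and addresses are assumed for illustration. It shows the first-match ordering pitfall, a corrected class, the NAT action, and why a class is bound to the interface on which packets are received.

```text
! Added example, not from the HP guide. Syntax as assumed for the SROS CLI;
! interface names (eth 0/1 = LAN, ppp 1 = WAN), list names and addresses
! are assumed for illustration.

! --- ACLs: packet selectors only. On their own they pass or drop nothing.
ip access-list extended ALL-IP
  permit ip any any
ip access-list extended SSH-TO-SERVER
  permit tcp any host 10.10.10.1 eq 22
ip access-list extended WEB-TO-SERVER
  permit tcp any host 10.10.10.1 eq 80
  permit tcp any host 10.10.10.1 eq 443
ip access-list extended LAN-HOSTS
  permit ip 10.10.10.0 0.0.0.255 any

! --- ACP, wrong order: the engine stops at the first match, so the broad
!     "allow list ALL-IP" catches every packet and the discard below it is
!     never reached. SSH to the server stays reachable from the WAN.
ip policy-class PUBLIC-BROKEN
  allow list ALL-IP
  discard list SSH-TO-SERVER

! --- ACP, corrected: the specific discard comes first, then only the
!     intended allow. A packet matching neither entry reaches the end of
!     the class without any allow entry being executed, so it is not let in.
ip policy-class PUBLIC
  discard list SSH-TO-SERVER
  allow list WEB-TO-SERVER

! --- ACP for the LAN side: translate LAN sources to the WAN interface
!     address (the NAT action), again evaluated as an ordered list.
ip policy-class PRIVATE
  nat source list LAN-HOSTS interface ppp 1 overload

! --- Binding. A class filters only packets RECEIVED on the interface it is
!     bound to (Cases 1-3 above): PUBLIC on ppp 1 governs traffic arriving
!     from the WAN, PRIVATE on eth 0/1 governs traffic arriving from the LAN.
!     Binding PUBLIC to eth 0/1 instead would leave WAN-originated traffic
!     unfiltered, because eth 0/1 never receives it (Case 3).
interface eth 0/1
  access-policy PRIVATE
interface ppp 1
  access-policy PUBLIC

! --- Enabling. Without this global command the classes above are ignored
!     and traffic flows with no firewall processing.
ip firewall
```

When reviewing an existing configuration, read each policy class top to bottom and ask, for every entry, whether an earlier entry already matches the same packets; if it does, the later entry is dead. Then confirm that every interface receiving untrusted traffic has an access-policy and that ip firewall is present, since either omission silently disables filtering on that path.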