Product guide
10-31
Access Control Lists (ACLs)
Planning an ACL Application
■ Any TCP traffic (only) for a specific TCP port or range of ports,
including optional control of connection traffic based on whether the
initial request should be allowed
■ Any UDP traffic (only) or UDP traffic for a specific UDP port
■ Any ICMP traffic (only) or ICMP traffic of a specific type and code
■ Any IGMP traffic (only) or IGMP traffic of a specific type
■ Any of the above with specific precedence and/or ToS settings
Depending on the source and/or destination of a given IP traffic type, you must
also determine the ACL application(s) (RACL, VACL, or static port ACL)
needed to filter the traffic on the applicable switch interfaces. Answering the
following questions can help you to design and properly position ACLs for
optimum network usage.
■ What are the logical points for minimizing unwanted IP traffic, and
what ACL application(s) should be used? In many cases it makes
sense to prevent unwanted IP traffic from reaching the core of your
network by configuring ACLs to drop unwanted IP traffic at or close
to the edge of the network. (The earlier in the network path you can
block unwanted IP traffic, the greater the benefit for network performance.)
■ From where is the traffic coming? The source and destination of the IP
traffic you want to filter determine the ACL application to use (RACL,
VACL, static port ACL, or dynamic port ACL).
■ What IP traffic should you explicitly block? Depending on your
network size and the access requirements of individual hosts, this can
involve creating a large number of ACEs in a given ACL (or a large
number of ACLs), which increases the complexity of your solution.
■ What IP traffic can you implicitly block by taking advantage of the
implicit deny IP any to deny IP traffic that you have not explicitly
permitted? This can reduce the number of entries needed in an ACL.
■ What IP traffic should you permit? In some cases you will need to
explicitly identify permitted IP traffic. In other cases, depending on
your policies, you can insert an ACE with “permit any” forwarding at
the end of an ACL. This means that all IP traffic not specifically
matched by earlier entries in the list will be permitted.
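The following simulator is an added example, not part of the guide: it applies the first-match rule with the implicit deny IP any at the end of every ACL, and contrasts a short explicit-permit list (relying on the implicit deny) with a "deny some, permit any" list. The ACE fields, addresses and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", ...
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port; None matches any port

def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def ace_matches(ace: Ace, pkt: dict) -> bool:
    """True when every populated field of the ACE matches the packet."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in _net(ace.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in _net(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.get("dport")

def evaluate(acl: list, pkt: dict) -> tuple:
    """First matching ACE decides; no match falls to the implicit deny ip any."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", "implicit"

# Constructed policy: 10.1.0.0/16 may reach the HTTPS and DNS servers only;
# two ACEs suffice because the implicit deny drops everything else.
WHITELIST_ACL = [
    Ace("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", 443),
    Ace("permit", "udp", "10.1.0.0/16", "10.2.0.53/32", 53),
]

# The "deny some, permit any" pattern: telnet to the server is blocked, but
# anything not listed (SSH, any other source) is forwarded by the final ACE.
BLACKLIST_ACL = [
    Ace("deny", "tcp", "any", "10.2.0.10/32", 23),
    Ace("permit", "ip", "any", "any"),
]
SAMPLE_PACKETS = [  # constructed traffic
    {"proto": "tcp", "src": "10.1.4.7", "dst": "10.2.0.10", "dport": 443},
    {"proto": "udp", "src": "10.1.4.7", "dst": "10.2.0.53", "dport": 53},
    {"proto": "tcp", "src": "10.1.4.7", "dst": "10.2.0.10", "dport": 22},
    {"proto": "tcp", "src": "192.168.9.9", "dst": "10.2.0.10", "dport": 23},
]

def decisions(acl: list) -> list:
    return [evaluate(acl, pkt)[0] for pkt in SAMPLE_PACKETS]
```

Running `decisions` on both lists shows that the third packet (SSH to the server) is dropped by the implicit deny in the first ACL but forwarded by the permit-any ACE in the second, which is exactly the trade-off the questions above ask you to decide.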