Product guide
10-33
Access Control Lists (ACLs)
Planning an ACL Application
Access Control Entries (ACEs) in the ACL, beginning with the first
ACE in the list and proceeding sequentially until a match is found.
When a match is found, the switch applies the indicated action (permit
or deny) to the packet.
■ The first match in an ACL dictates the action on a packet. Subsequent
matches in the same ACL are ignored. However, if a packet is
permitted by one ACL assigned to an interface, but denied by another
ACL assigned to the same interface, the packet will be denied on the
interface.
■ On any ACL, the switch implicitly denies IP packets that are not
explicitly permitted or denied by the ACEs configured in the ACL. If
you want the switch to forward a packet for which there is not a match
in an ACL, append an ACE that enables Permit Any forwarding as the
last ACE in an ACL. This ensures that no packets reach the Implicit
Deny case for that ACL.
■ Generally, you should list ACEs from the most specific (individual
hosts) to the most general (subnets or groups of subnets) unless doing
so permits IP traffic that you want dropped. For example, an ACE
allowing a small group of workstations to use a specialized printer
should occur earlier in an ACL than an entry used to block widespread
access to the same printer.
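The ordering rules above (first match wins, implicit deny at the end of the list, specific entries before general ones, and a deny from any ACL on an interface overriding a permit from another) can be checked before an ACL is applied. The following Python simulation is an added example, not code from the switch or this guide; the ACE fields, the helper names and the sample addresses (a printer at 10.1.1.50, a workstation group in 10.1.2.0/29) are constructed assumptions, and only the evaluation rules come from the text. It also reports ACEs that are shadowed by an earlier, broader ACE, which is the usual symptom of the specific-to-general rule being violated.

```python
"""Simulation of the ACL evaluation rules in the guide: ACEs are checked in
order, the first match decides, unmatched IP packets fall to the implicit
deny, and a packet must be permitted by every ACL on an interface.

Added example, not the switch's own code. The ACE fields, the helper names
and the sample addresses are constructed assumptions; only the evaluation
rules come from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _net(prefix: str):
    """'any' is treated as the all-addresses prefix 0.0.0.0/0 (assumption)."""
    return ip_network("0.0.0.0/0" if prefix == "any" else prefix, strict=False)


@dataclass(frozen=True)
class ACE:
    action: str        # "permit" or "deny"
    src: str           # source prefix in CIDR form, or "any"
    dst: str           # destination prefix in CIDR form, or "any"
    proto: str = "ip"  # "ip" matches every IP protocol; otherwise "tcp", "udp", ...

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        return (ip_address(src_ip) in _net(self.src)
                and ip_address(dst_ip) in _net(self.dst)
                and self.proto in ("ip", proto))

    def covers(self, other: "ACE") -> bool:
        """True when every packet matching `other` also matches self."""
        return (_net(other.src).subnet_of(_net(self.src))
                and _net(other.dst).subnet_of(_net(self.dst))
                and self.proto in ("ip", other.proto))


def evaluate(acl: List[ACE], src_ip: str, dst_ip: str,
             proto: str = "tcp") -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, index of the matching ACE);
    index None means the packet reached the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(src_ip, dst_ip, proto):
            return ace.action, i      # later ACEs are ignored
    return "deny", None               # implicit deny at the end of every ACL


def shadowed_aces(acl: List[ACE]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE covers
    every packet they would match (ordering mistake detection)."""
    return [j for j, ace in enumerate(acl)
            if any(acl[i].covers(ace) for i in range(j))]


def interface_decision(acls: List[List[ACE]], src_ip: str, dst_ip: str,
                       proto: str = "tcp") -> str:
    """Several ACLs on one interface: a deny from any of them denies the packet."""
    verdicts = [evaluate(acl, src_ip, dst_ip, proto)[0] for acl in acls]
    return "permit" if all(v == "permit" for v in verdicts) else "deny"


# Constructed sample (assumed addresses): a small group of workstations
# (10.1.2.0/29) may use a specialized printer (10.1.1.50); the rest of
# 10.1.0.0/16 may not; everything else is forwarded by a final Permit Any.
PRINTER_ACL_GOOD = [
    ACE("permit", "10.1.2.0/29", "10.1.1.50/32"),   # specific entry first
    ACE("deny",   "10.1.0.0/16", "10.1.1.50/32"),   # general block second
    ACE("permit", "any", "any"),                    # Permit Any avoids implicit deny
]

# Same entries with the general block first: the workstation permit is shadowed.
PRINTER_ACL_BAD = [PRINTER_ACL_GOOD[1], PRINTER_ACL_GOOD[0], PRINTER_ACL_GOOD[2]]


if __name__ == "__main__":
    for name, acl in (("good", PRINTER_ACL_GOOD), ("bad", PRINTER_ACL_BAD)):
        print(name, "workstation -> printer:", evaluate(acl, "10.1.2.3", "10.1.1.50"))
        print(name, "other host -> printer:", evaluate(acl, "10.1.9.9", "10.1.1.50"))
        print(name, "shadowed ACEs:", shadowed_aces(acl))
    # Without the trailing Permit Any, unrelated traffic hits the implicit deny.
    print("no Permit Any:", evaluate(PRINTER_ACL_GOOD[:2], "10.1.9.9", "10.1.1.51"))
```

Running the script shows the workstation traffic permitted by ACE 0 in the correctly ordered list and denied by ACE 0 in the reversed list, with `shadowed_aces` flagging the now-unreachable permit; dropping the final Permit Any sends unrelated traffic to the implicit deny, which is the case the guide says to avoid when that traffic should be forwarded.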
ACL Configuration and Operating Rules
■ RACLs and Routed IP Traffic: Except for any IP traffic with a DA
on the switch itself, RACLs filter only routed IP traffic that is entering
or leaving the switch on a given VLAN. Thus, if routing is not enabled
on the switch, there is no routed IP traffic for RACLs to filter. For
more on routing, refer to the chapter titled “IP Routing Features” in
the Multicast and Routing Guide for your switch.
■ VACLs and Switched or Routed IP Traffic: A VACL filters any IP
traffic entering the switch on the VLAN(s) to which it is assigned.
■ Static Port ACLs: A static port ACL filters any IP traffic entering the
switch on the port(s) or trunk(s) to which it is assigned.
■ Per Switch ACL Limits for All ACL Types: At a minimum, an ACL
must have one explicit “permit” or “deny” Access Control Entry. You
can configure up to 2048 ACL assignments, as follows:
• Named (Extended or Standard) ACLs: Up to 2048 (minus any numeric
standard or extended ACL assignments)