Product guide
Access Control Lists (ACLs) for the Series 5300xl Switches
Overview
Features Common to All per-VLAN ACLs
■ On any VLAN you can apply one ACL to inbound traffic and one ACL
to outbound traffic. You can use the same ACL or different ACLs for
the inbound and outbound traffic.
■ Any ACL can have multiple entries (ACEs).
■ You can apply any one ACL to multiple VLANs.
■ A source or destination IP address and a mask, together, can define
a single host, a range of hosts, or all hosts.
■ The IP address(es) assigned to a VLAN must not be configured from
a DHCP server.
■ Every standard ACL includes an implied “deny IP any” as the last entry,
and every extended ACL includes an implied “deny IP any any” as the
last entry. The switch applies this action to any packets that do not
match other criteria in the ACL.
■ In any ACL, you can apply an ACL log function to ACEs that have a
“deny” action. The logging occurs when there is a match on a “deny”
ACE. (The switch sends ACL logging output to Syslog and, optionally,
to a console session.)
You can configure ACLs using either the CLI or a text editor. The text-editor
method is recommended when you plan to create or modify an ACL that has
more entries than you can easily enter or edit using the CLI alone. Refer to
“Editing ACLs and Creating an ACL Offline” on page 9-53.
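As an added illustration (not part of the guide), the following Python models the ACL behaviour described above: ACEs are tested in order, the first match decides, a packet matching no ACE falls through to the implied deny, and a matched "deny" ACE with logging enabled produces a Syslog-style line. The wildcard-mask semantics (a 1 bit means "don't care") and all addresses and ACE values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the ACL behaviour described above: ACEs are tried in
# order, the first match wins, nothing matching falls to the implied
# "deny ip any any", and only a matched deny ACE with logging produces a log
# line. Assumption (not on this page): a mask bit set to 1 is a wildcard, so
# 0.0.0.0 matches exactly one host and 255.255.255.255 matches any host.

def mask_matches(addr: str, rule_addr: str, mask: str) -> bool:
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    a, r = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(rule_addr))
    return (a & care) == (r & care)

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: str
    src_mask: str
    dst: str = "0.0.0.0"             # with the mask below: any destination
    dst_mask: str = "255.255.255.255"
    log: bool = False                # only meaningful on "deny" ACEs

@dataclass
class Packet:
    proto: str
    src: str
    dst: str

def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, log_line); log_line is None unless the matching ACE
    is a logged deny. The implied final deny is never logged."""
    for i, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not mask_matches(pkt.src, ace.src, ace.src_mask):
            continue
        if not mask_matches(pkt.dst, ace.dst, ace.dst_mask):
            continue
        line = None
        if ace.action == "deny" and ace.log:
            line = f"ACL deny: ACE {i} {pkt.proto} {pkt.src} -> {pkt.dst}"
        return ace.action, line
    return "deny", None  # implied "deny ip any any"

# Constructed ACL: one host may reach 10.10.20.0/24 over TCP; other traffic
# from 10.10.10.0/24 is denied and logged; anything else hits the implied deny.
ACL_101 = [
    ACE("permit", "tcp", "10.10.10.5", "0.0.0.0", "10.10.20.0", "0.0.0.255"),
    ACE("deny", "ip", "10.10.10.0", "0.0.0.255", log=True),
]
```

Note that traffic from outside 10.10.10.0/24 is dropped by the implied deny without a log entry; an explicit logged "deny ip any any" ACE would be needed to see it in Syslog.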
General Steps for Planning and Configuring ACLs
1. Identify the traffic type to filter. Options include:
• Any routed IP traffic
• Routed TCP traffic only
• Routed UDP traffic only
2. Identify the SA and/or the DA of the routed traffic you want to permit or deny.
3. Determine the best points at which to apply specific ACL controls. For
example, you can improve network performance by filtering unwanted
traffic at the edge of the network instead of in the core. Also, on the switch
itself, you can improve performance by filtering unwanted traffic where
it is inbound to the switch instead of outbound.