Product guide
Access Control Lists (ACLs) for the Series 5300xl Switches
Overview
4. Design the ACLs for the control points you have selected. Where you are using explicit “deny” ACEs, you can optionally use the ACL logging feature to help verify that the switch is denying unwanted packets where intended. Remember that excessive ACL logging activity can degrade the switch's performance. (Refer to “Enable ACL “Deny” Logging” on page 9-59.)
5. Create the ACLs in the selected switches.
6. Assign the ACLs to filter the inbound and/or outbound traffic on static VLAN interfaces configured on the switch.
7. Enable IP routing on the switch. (Except for an ACL configured to filter traffic having the switch itself as the destination IP address, IP routing must be enabled before ACLs will operate.)
8. Test for desired results.
For more details on ACL planning considerations, refer to “Planning an ACL
Application” on page 9-16.
Notes on IP Routing

To activate an ACL to screen inbound traffic for routing between subnets, assign the ACL to the statically configured VLAN on which the traffic enters the switch. Also, ensure that IP routing is enabled. Similarly, to activate an ACL to screen routed, outbound traffic, assign the ACL to the statically configured VLAN on which the traffic exits from the switch. The only exception to these rules is for an ACL configured to screen inbound traffic with a destination IP address on the switch. In this case, an ACL assigned to a VLAN screens traffic addressed to an IP address on the switch, regardless of whether IP routing is also enabled. (ACLs do not screen outbound traffic generated by the switch itself. Refer to “ACL Screening of Traffic Generated by the Switch” on page 9-63.)
Caution Regarding the Use of Source Routing

Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes “no ip source-route” in the running-config file listing.)
9-11