Product guide

Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
Table 10-2. Minimizing Per-Port Mask Usage

| Contiguous ACEs with the Same Subnet Mask | Contiguous ACEs with Different Subnet Masks |
|---|---|
| The ACEs in this sequence use two port masks because entries with identical subnet masks are contiguous. This method optimizes the capacity of an ACL to accept ACEs requiring different port masks because it minimizes port mask usage. | This sequence uses the same entries as the column to the left, but each consecutive entry has a subnet mask that differs from its predecessor, and requires four port masks. This method of ordering ACEs unnecessarily consumes port masks and reduces the capacity of an ACL to accept ACEs requiring different port masks. |
| 15.28.247.1/24 (15.28.247.1 255.255.255.0) | 15.28.247.1/24 (15.28.247.1 255.255.255.0) |
| 15.28.253.1/24 (15.28.253.1 255.255.255.0) | 10.0.8.0/32 (10.0.8.0 0.0.0.0) |
| 10.0.8.0/32 (10.0.8.0 0.0.0.0) | 15.28.253.1/24 (15.28.253.1 255.255.255.0) |
| 10.0.8.105/32 (10.0.8.0 0.0.0.0) | 10.0.8.105/32 (10.0.8.0 0.0.0.0) |
An ACL with no ACEs except a permit any or a deny any uses only one rule and one mask, because the IP address and subnet mask are duplicates of the IP address and subnet mask used for the implicit deny any ACE that the switch automatically includes at the end of each ACL.

Table 10-3 on page 10-21 summarizes switch use of resources to support ACEs.
Extended ACLs:

Each ACE, including the implicit deny ip any any ACE in an extended ACL, uses one port rule.

Contiguous ACE entries with the same subnet mask and the same IP or TCP/UDP protocol application use the same port mask. Contiguous ACE entries with different subnet masks or different IP or TCP/UDP applications use one port mask per entry. To conserve ACL mask resources, group ACEs with identical subnet masks and IP or TCP/UDP applications together. (The effect of this grouping is the same as described above for standard ACLs, but with more elements to consider.)

An extended ACL with no ACEs except a permit ip any any or deny ip any any uses one rule and one mask. This is because the IP address and subnet mask are duplicates of the IP address and subnet mask used for the implicit deny ip any any ACE that the switch automatically includes at the end of every ACL.
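The rule and mask accounting described above, and the ordering effect shown in Table 10-2, can be checked with a small model before an ACL is committed to a switch. The following Python is an added example written for this page; it is not the switch firmware or any vendor tool. It assumes the implicit deny is written out as `0.0.0.0 255.255.255.255` and, as a modelling assumption, treats that implicit entry as one more contiguous ACE when counting masks. The `Ace` class, `mask_groups`, `explicit_mask_count` and `resource_usage` are names chosen here; the sample ACE lists are the entries from Table 10-2.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of the per-port rule/mask accounting described on this page.
# Added illustration only: not the switch's firmware or a vendor tool.


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    protocol: str  # "ip" for standard ACLs; "ip", "tcp" or "udp" for extended ACLs
    address: str   # address exactly as written in the ACE
    mask: str      # ACL mask exactly as written in the ACE (0.0.0.0 = match exactly)


# Assumption: "any" rendered as address 0.0.0.0 with mask 255.255.255.255; the
# implicit deny ip any any at the end of every ACL uses this same pair.
ANY_ADDRESS, ANY_MASK = "0.0.0.0", "255.255.255.255"
IMPLICIT_DENY = Ace("deny", "ip", ANY_ADDRESS, ANY_MASK)


def mask_groups(aces: List[Ace]) -> List[List[Ace]]:
    """Split ACEs into runs of contiguous entries that share one port mask.

    A run continues while both the subnet mask and the protocol application
    stay the same; a change in either starts a new run, i.e. a new mask.
    """
    groups: List[List[Ace]] = []
    for ace in aces:
        if groups and (groups[-1][0].mask, groups[-1][0].protocol) == (ace.mask, ace.protocol):
            groups[-1].append(ace)
        else:
            groups.append([ace])
    return groups


def explicit_mask_count(aces: List[Ace]) -> int:
    """Port masks used by the explicit ACEs alone (what Table 10-2 counts)."""
    return len(mask_groups(aces))


def resource_usage(aces: List[Ace]) -> Tuple[int, int]:
    """Return (rules, masks) for the whole ACL, implicit deny included.

    Every ACE, the implicit deny among them, uses one rule. An ACL whose only
    entry is a permit any / deny any duplicates the implicit deny, so it uses
    one rule and one mask in total (the special case stated on this page).
    """
    only_any = len(aces) == 1 and (
        aces[0].address, aces[0].mask, aces[0].protocol) == (ANY_ADDRESS, ANY_MASK, "ip")
    if only_any:
        return 1, 1
    # Modelling assumption: the implicit deny is one more contiguous entry, so it
    # shares a mask only if the last explicit ACE already has the "any" mask.
    sequence = list(aces) + [IMPLICIT_DENY]
    return len(sequence), len(mask_groups(sequence))


# Sample data: the four entries of Table 10-2 in both orderings.
A_247 = Ace("permit", "ip", "15.28.247.1", "255.255.255.0")
A_253 = Ace("permit", "ip", "15.28.253.1", "255.255.255.0")
A_8_0 = Ace("permit", "ip", "10.0.8.0", "0.0.0.0")
A_8_105 = Ace("permit", "ip", "10.0.8.105", "0.0.0.0")
GROUPED = [A_247, A_253, A_8_0, A_8_105]        # same-mask entries contiguous
INTERLEAVED = [A_247, A_8_0, A_253, A_8_105]    # mask changes on every entry

# Extended-ACL sample: same mask throughout, but alternating TCP/UDP breaks runs.
EXTENDED_ALTERNATING = [
    Ace("permit", "tcp", "10.0.8.0", "0.0.0.255"),
    Ace("permit", "udp", "10.0.8.0", "0.0.0.255"),
    Ace("permit", "tcp", "10.0.8.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for name, acl in (("grouped", GROUPED), ("interleaved", INTERLEAVED),
                      ("extended alternating", EXTENDED_ALTERNATING)):
        rules, masks = resource_usage(acl)
        print(f"{name}: explicit masks={explicit_mask_count(acl)}, "
              f"total rules={rules}, total masks={masks}")
```

Sorting an ACL's entries by (mask, protocol) before applying it minimises `explicit_mask_count`, but only when the resulting order preserves the intended permit/deny precedence: ACEs are matched first to last, so reordering two entries that can match the same packet changes what the ACL does, not just what it costs.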
10-20