Product guide

Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
Table 10-3. ACL Rule and Mask Resource Usage

ACE Type                                                                   Per-Port    Per-Port
                                                                           Rule Usage  Mask Usage
Standard ACLs
  Implicit deny any (automatically included in any standard ACL, but not
  displayed by the show access-list <acl-#> command)                           1           1
  First ACE entered                                                            1           1
  Next ACE entered with the same ACL mask [1]                                  1           0
  Next ACE entered with a different ACL mask [1]                               1           1
  Closing the ACL with a deny any or permit any ACE having the same ACL
  mask as the preceding ACE                                                    0           0
  Closing the ACL with a deny any or permit any ACE having a different
  ACL mask than the preceding ACE                                              1           1
Extended ACLs
  Implicit deny ip any any (automatically included in any extended ACL,
  but not displayed by the show access-list <acl-#> command)                   1           1
  First ACE entered                                                            1           1
  Next ACE entered with the same SA/DA ACL mask and the same IP or
  TCP/UDP protocol specified [2]                                               1           0
  Next ACE entered with any of the following differences from the
  preceding ACE in the list:
    - a different SA or DA ACL mask
    - a different protocol (IP as opposed to TCP/UDP) specified in
      either the SA or DA [3]                                                  1           1
  Closing the ACL with a deny ip any any or permit ip any any ACE
  preceded by an IP ACE with the same SA and DA ACL masks                      0           0
  Closing the ACL with a deny ip any any or permit ip any any ACE
  preceded by an IP ACE with different SA and/or DA ACL masks                  1           1
[1] In a given standard ACL, consecutive ACEs must have identical ACL masks in their SA entries to avoid using a
separate per-port mask for each ACE. In a given standard ACL, if two ACEs having identical SA ACL masks are separated
by an ACE with a different SA ACL mask, then three per-port masks are used instead of two: one for each sequential
change in SA ACL mask. Thus, you can conserve per-port resources by grouping SA entries with the same ACL mask
together.
[2] In a given extended ACL, consecutive ACEs must have the same SA and DA ACL masks and the same protocol
application (IP as opposed to TCP/UDP) to avoid using a separate per-port mask for each ACE. If consecutive ACEs have
different SA or DA ACL masks, or different protocol applications, then each such ACE consumes a separate per-port
mask.
[3] TCP and UDP are the same for the purpose of determining per-port mask use. Also, actual TCP or UDP port numbers
can vary between ACEs without affecting per-port mask usage. However, if one ACE specifies a TCP/UDP source port and
another does not, another per-port mask will be used.
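To see how the rows of Table 10-3 and its footnotes combine when an ACL is planned, here is an added Python example (not code from the product guide or from HP). It walks an ACL's ACEs in order and charges each one the per-port rules and masks the table lists, so the footnote 1 point (grouping ACEs with the same SA mask saves a mask) can be checked numerically before an ACL is applied. The Ace class, mask_key, is_closing, acl_usage and the sample ACLs are constructed for this example; it assumes the implicit deny is charged in every ACL exactly as the table lists it, and that a destination-port specification affects mask sharing the same way footnote 3 describes for the source port.

```python
"""Per-port rule/mask usage calculator following Table 10-3 (added example).

Ace, mask_key, is_closing, acl_usage and ANY are names chosen for this
example; they are not switch commands or an HP API.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "255.255.255.255"  # wildcard mask that matches every address ("any")


@dataclass(frozen=True)
class Ace:
    """One access control entry, reduced to the fields that affect mask use."""
    sa_mask: str                    # ACL (wildcard) mask on the source address
    da_mask: Optional[str] = None   # ACL mask on the destination (extended ACLs only)
    protocol: str = "ip"            # "ip", "tcp" or "udp"
    src_port: bool = False          # True if a TCP/UDP source port is specified
    dst_port: bool = False          # True if a TCP/UDP destination port is specified


def mask_key(ace: Ace, extended: bool) -> tuple:
    """Everything that must match between consecutive ACEs for them to share a mask.

    Standard ACLs: only the SA mask (footnote 1).  Extended ACLs: SA and DA masks,
    IP versus TCP/UDP (TCP and UDP count as the same, footnote 3), and whether a
    port is specified at all (port numbers may differ freely).  Footnote 3 states
    the port rule for the source port; applying it to the destination port as well
    is an assumption taken from the table's "either the SA or DA" wording.
    """
    if not extended:
        return (ace.sa_mask,)
    proto_class = "ip" if ace.protocol == "ip" else "tcp/udp"
    return (ace.sa_mask, ace.da_mask, proto_class, ace.src_port, ace.dst_port)


def is_closing(ace: Ace, extended: bool) -> bool:
    """'deny/permit any' (standard) or 'deny/permit ip any any' (extended)."""
    if not extended:
        return ace.sa_mask == ANY
    return (ace.sa_mask == ANY and ace.da_mask == ANY
            and ace.protocol == "ip" and not (ace.src_port or ace.dst_port))


def acl_usage(aces: List[Ace], extended: bool = False) -> Tuple[int, int, list]:
    """Return (rules, masks, trace) for one ACL applied to one port.

    The implicit deny is always charged 1 rule / 1 mask, as the table lists it
    (assumption: it is charged even when an explicit closing ACE is present).
    A closing ACE that repeats the preceding ACE's mask costs nothing extra.
    """
    trace = [("implicit deny", 1, 1)]
    rules, masks = 1, 1
    prev = None
    for idx, ace in enumerate(aces):
        key = mask_key(ace, extended)
        last = idx == len(aces) - 1
        if prev is None:
            cost = ("first ACE", 1, 1)
        elif last and is_closing(ace, extended):
            cost = ("closing ACE, same mask", 0, 0) if key == prev else ("closing ACE, new mask", 1, 1)
        elif key == prev:
            cost = ("same mask as preceding ACE", 1, 0)
        else:
            cost = ("different mask from preceding ACE", 1, 1)
        trace.append(cost)
        rules += cost[1]
        masks += cost[2]
        prev = key
    return rules, masks, trace


# Constructed standard ACL: two ACEs with the same SA mask separated by a third
# with a different mask, the case footnote 1 warns about.
UNGROUPED = [Ace("0.0.0.255"), Ace("0.0.255.255"), Ace("0.0.0.255")]
# The same three ACEs with identical SA masks grouped together.
GROUPED = [Ace("0.0.0.255"), Ace("0.0.0.255"), Ace("0.0.255.255")]

# Constructed extended ACL: the tcp and udp entries share one mask (footnote 3),
# the plain ip entry and the explicit closing "deny ip any any" each need a new one.
EXTENDED = [
    Ace("0.0.0.255", "0.0.0.0", "tcp", dst_port=True),
    Ace("0.0.0.255", "0.0.0.0", "udp", dst_port=True),
    Ace("0.0.0.255", "0.0.0.0", "ip"),
    Ace(ANY, ANY, "ip"),
]

if __name__ == "__main__":
    for name, acl, ext in (("ungrouped", UNGROUPED, False),
                           ("grouped", GROUPED, False),
                           ("extended", EXTENDED, True)):
        rules, masks, trace = acl_usage(acl, ext)
        print(f"{name}: {rules} rules, {masks} masks per port")
        for step, r, m in trace:
            print(f"  {step:36s} rules +{r}  masks +{m}")
```

Running the block shows the ungrouped standard ACL costing one more per-port mask than the grouped one for the same four rules (the implicit deny included), which is the saving footnote 1 describes; the extended example shows the udp ACE adding a rule but no mask because TCP and UDP with a port specified count as the same mask.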
10-21