HP ProCurve Switch 5300xl Series Reviewer’s Guide
ignored. If a packet does not match any of the conditions in the ACL, it is denied. This is in keeping
with the typical use of ACLs as a security mechanism. If the automatic denial property is not wanted,
the ACL should end with an ACE statement permitting ANY. To assist in writing and editing ACLs, the
ACL file can be edited externally and downloaded into the 5300.
A typical use for standard ACLs is to allow a single end node on one subnet access to a server on
another subnet, while denying all other end nodes on the first subnet similar access. An example of
this situation would be a human resources representative getting access to a personnel database on
another subnet, while keeping all other end nodes from accessing that same database. Similarly, a
standard ACL could be used to deny an entire subnet access to anywhere in the corporate network
other than out to the Internet.
Extended ACLs can be used as filters for application traffic that uses fixed TCP/UDP port numbers. For
example, an Extended ACL can be set up to only allow traffic from a particular subnet access to the
email servers on another subnet. Or an extended ACL could deny any traffic destined for custom
applications (those applications using port numbers above 1024).
The ACL functionality of the HP ProCurve Switch 5300xl Series supports ACL logging. When logging is
specified in a particular ACE, an entry is made in the log when that ACE results in an explicitly denied
packet. Logging of permitted packets is not supported. The 5300 ACL logging is primarily useful for
troubleshooting.
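The two ACL uses above (the standard "one HR host may reach the database" case and the extended "mail port allowed, custom ports above 1024 denied" case) and the logging rule can be exercised with the following simulator. It is an added example, not HP's code and not the 5300 CLI syntax; it only models the semantics the guide states (ACEs evaluated in order, first match wins, implicit deny when nothing matches, log entries only for explicit denies). All addresses, ports and ACL contents are constructed for illustration.

```python
# Added example (not HP's code, not the 5300 CLI): a small simulator of the ACL
# semantics described above, so the first-match / implicit-deny / deny-only
# logging rules can be exercised on constructed packets.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class ACE:
    """One access control entry. A standard ACE only sets src; an extended
    ACE may also match dst, protocol and a destination port range."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; /32 for a single host, /0 for "any"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"             # "ip" matches both tcp and udp
    dport_lo: Optional[int] = None
    dport_hi: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport_lo is not None:
            hi = self.dport_hi if self.dport_hi is not None else self.dport_lo
            if pkt.dport is None or not (self.dport_lo <= pkt.dport <= hi):
                return False
        return True


@dataclass
class ACL:
    aces: List[ACE]
    log: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """The first matching ACE decides; later ACEs are ignored."""
        for i, ace in enumerate(self.aces):
            if ace.matches(pkt):
                # Only explicit denies are logged; a log flag on a permit ACE does nothing
                if ace.action == "deny" and ace.log:
                    self.log.append(
                        f"ACE {i}: denied {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
                return ace.action
        return "deny"  # implicit deny at the end of the list; nothing is logged for it


def hr_acl() -> ACL:
    """Standard ACL for the personnel-database case (constructed addresses): one HR
    host on 10.1.1.0/24 is permitted, the rest of that subnet is denied and logged,
    everyone else is permitted. Source-only matching, applied on the server's VLAN."""
    return ACL([
        ACE("permit", src="10.1.1.50/32"),
        ACE("deny", src="10.1.1.0/24", log=True),
        ACE("permit"),  # explicit "permit any", so the implicit deny never fires
    ])


def custom_app_acl() -> ACL:
    """Extended ACL (constructed): allow SMTP from 10.1.1.0/24 to the mail servers on
    10.2.2.0/24, deny and log anything to ports above 1024, implicit deny otherwise."""
    return ACL([
        ACE("permit", src="10.1.1.0/24", dst="10.2.2.0/24", proto="tcp", dport_lo=25),
        ACE("deny", dport_lo=1025, dport_hi=65535, log=True),
    ])


if __name__ == "__main__":
    acl = hr_acl()
    for p in (Packet("10.1.1.50", "10.2.2.10"), Packet("10.1.1.77", "10.2.2.10")):
        print(p.src, "->", acl.evaluate(p))
    print(acl.log)
```

Note the difference between the two lists: `hr_acl` ends with an explicit permit-any, so only the HR subnet is affected, while `custom_app_acl` relies on the implicit deny, so every packet that matches neither ACE is dropped without a log entry.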
ACLs, being a Layer 3 service in the 5300, are only executed for packets that are routed, crossing a
VLAN/router boundary. They have no effect on packets that are being switched in a Layer 2
environment.
ACLs for the HP ProCurve Switch 5300xl Series are flexible and can be used to create sophisticated
filters. Before implementing ACLs, ACL details should be consulted in the HP ProCurve Switch 5300xl
Series documentation located at http://www.hp.com/go/hpprocurve under the Technical Support
section.
2.5.1.2 Static Filters
Static filtering can be used to provide security and/or bandwidth control within the network. When a
static filter is defined it can be applied to any or all ports on the switch. The following three types of
static filters can be defined:
• Source port: Packets coming from a particular port can be dropped. Source port filters can
be used to isolate ports from each other and allow communication only to uplinks, for
example. Ports that can use a particular source port filter must be in the same VLAN as
the source port. Up to 78 source port filters can be defined on the chassis.
• Multicast MAC address: If an IGMP group is active in the address range of a static multicast
filter, IGMP takes precedence. Once the IGMP group becomes inactive, the static
multicast filter takes effect. Up to 16 multicast address filters can be defined.
• Protocol type: up to 7 protocol filters. Protocols that apply to the protocol filter are:
• AppleTalk
• ARP
• SNA
• DEC LAT
• IP
• NetBEUI
• IPX
These filters are done in hardware; there is no performance penalty when using them.
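The three static filter types and the rules attached to them (the same-VLAN requirement for source port filters, the per-chassis limits, and IGMP taking precedence over a static multicast filter) can be modelled as follows. This is an added example, not HP's code or configuration syntax; port names, VLAN ids and MAC addresses are constructed, and the filter-table layout is an assumption made for the illustration.

```python
# Added example (not HP's code or CLI): a model of the three static filter types and
# the rules stated above. Port names, VLANs and MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, Set

MAX_SOURCE_PORT_FILTERS = 78   # limits as stated for the 5300 chassis
MAX_MULTICAST_FILTERS = 16
MAX_PROTOCOL_FILTERS = 7
KNOWN_PROTOCOLS = {"appletalk", "arp", "sna", "dec-lat", "ip", "netbeui", "ipx"}


@dataclass
class Frame:
    in_port: str
    out_port: str
    dst_mac: str
    protocol: str


@dataclass
class StaticFilters:
    port_vlan: Dict[str, int]                                        # port -> VLAN id
    source_port: Dict[str, Set[str]] = field(default_factory=dict)   # src port -> egress ports that drop it
    multicast: Set[str] = field(default_factory=set)                 # filtered multicast MACs
    protocol: Dict[str, Set[str]] = field(default_factory=dict)      # protocol -> ports that drop it

    def add_source_port_filter(self, src: str, drop_on: Set[str]) -> None:
        if src not in self.source_port and len(self.source_port) >= MAX_SOURCE_PORT_FILTERS:
            raise ValueError("source port filter limit reached")
        vlan = self.port_vlan[src]
        # Ports using a source port filter must be in the same VLAN as the source port
        wrong_vlan = {p for p in drop_on if self.port_vlan[p] != vlan}
        if wrong_vlan:
            raise ValueError(f"ports {sorted(wrong_vlan)} are not in VLAN {vlan} with {src}")
        self.source_port[src] = set(drop_on)

    def add_multicast_filter(self, mac: str) -> None:
        if len(self.multicast) >= MAX_MULTICAST_FILTERS:
            raise ValueError("multicast filter limit reached")
        self.multicast.add(mac.lower())

    def add_protocol_filter(self, proto: str, drop_on: Set[str]) -> None:
        if proto not in KNOWN_PROTOCOLS:
            raise ValueError(f"unsupported protocol filter: {proto}")
        if proto not in self.protocol and len(self.protocol) >= MAX_PROTOCOL_FILTERS:
            raise ValueError("protocol filter limit reached")
        self.protocol[proto] = set(drop_on)

    def should_drop(self, frame: Frame, active_igmp_groups: Set[str]) -> bool:
        # Source port filter: frames from in_port are dropped on the listed egress ports
        if frame.out_port in self.source_port.get(frame.in_port, set()):
            return True
        # Multicast filter: an active IGMP group for the address takes precedence
        mac = frame.dst_mac.lower()
        active = {g.lower() for g in active_igmp_groups}
        if mac in self.multicast and mac not in active:
            return True
        # Protocol filter on the egress port
        if frame.out_port in self.protocol.get(frame.protocol, set()):
            return True
        return False


def isolated_access_ports() -> StaticFilters:
    """Constructed setup: four user ports and one uplink in VLAN 10. Each user port may
    talk only to the uplink, IPX is blocked towards user ports, one multicast group is filtered."""
    f = StaticFilters(port_vlan={"A1": 10, "A2": 10, "A3": 10, "A4": 10, "A5": 10, "B1": 20})
    users = {"A1", "A2", "A3", "A4"}
    for p in sorted(users):
        f.add_source_port_filter(p, users - {p})   # drop on the other user ports, not on the uplink A5
    f.add_protocol_filter("ipx", users)
    f.add_multicast_filter("01:00:5E:01:02:03")
    return f


if __name__ == "__main__":
    f = isolated_access_ports()
    print("A1->A2 dropped:", f.should_drop(Frame("A1", "A2", "00:11:22:33:44:55", "ip"), set()))
    print("A1->A5 dropped:", f.should_drop(Frame("A1", "A5", "00:11:22:33:44:55", "ip"), set()))
```

Because the guide says the filters run in hardware at no performance cost, the only real design question they raise is placement: the same-VLAN check in `add_source_port_filter` is what stops a filter from being silently inapplicable to a port in another VLAN.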
2.5.2 802.1x – Port-based access control / RADIUS Authentication
The IEEE 802.1x standard governs a methodology for client system network log-in. Through 802.1x a
user is given access to the network only after the HP ProCurve Switch 5300xl Series (the network
access server) authenticates the user through a RADIUS server. As part of this authentication, the user
© Hewlett-Packard Co. 2002, 2003
Rev 1.1 – 2/11/2003
http://www.hp.com/go/hpprocurve
Page 20 of 35