10-32
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
■ The sequence of ACEs is significant. When the switch uses an ACL to determine whether to permit or deny a packet on a particular VLAN, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet.

■ The first match in an ACL dictates the action on a packet. Subsequent matches in the same ACL are ignored. However, if a packet is permitted by one ACL assigned to an interface, but denied by another ACL assigned to the same interface, the packet will be denied on the interface.

■ On any ACL, the switch implicitly denies IPv4 packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is not a match in an ACL, append an ACE that enables Permit Any forwarding as the last ACE in the ACL. This ensures that no packets reach the Implicit Deny case for that ACL.

■ Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
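The following added example (not from the guide, and not the switch's own matching code) models the rules above: first match wins, an unmatched packet hits Implicit Deny, a deny from any ACL on the same interface wins, and ACE order decides the outcome for the printer scenario. The addresses and prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: action plus source/destination IPv4 prefixes."""
    action: str  # "permit" or "deny"
    src: str     # CIDR prefix; "0.0.0.0/0" stands for "any"
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

def evaluate_acl(acl, src_ip, dst_ip):
    """Compare the packet against the ACEs in order; the first match decides.
    Returns (action, 1-based ACE index). No match falls through to
    Implicit Deny, reported as ("deny", None)."""
    for index, ace in enumerate(acl, start=1):
        if ace.matches(src_ip, dst_ip):
            return ace.action, index
    return "deny", None

def evaluate_interface(acls, src_ip, dst_ip):
    """Several ACLs on one interface: a deny from any one of them denies the packet."""
    verdicts = [evaluate_acl(acl, src_ip, dst_ip)[0] for acl in acls]
    return "permit" if all(v == "permit" for v in verdicts) else "deny"

# Constructed addresses: a printer and the small workstation group allowed to use it.
PRINTER = "10.1.1.50/32"
WORKSTATIONS = "10.1.1.0/28"
ANY = "0.0.0.0/0"

# Specific before general, as the guide recommends: the workstation permit is
# reached before the broad deny, and a final Permit Any avoids Implicit Deny.
GOOD_ORDER = [ACE("permit", WORKSTATIONS, PRINTER),
              ACE("deny", ANY, PRINTER),
              ACE("permit", ANY, ANY)]

# Same ACEs with the general deny listed first: the workstation permit is never reached.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]

if __name__ == "__main__":
    for name, acl in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, "workstation -> printer:", evaluate_acl(acl, "10.1.1.5", "10.1.1.50"))
    # Without the trailing Permit Any, an unrelated packet reaches Implicit Deny.
    print("no Permit Any, unmatched packet:", evaluate_acl(GOOD_ORDER[:2], "10.1.1.100", "10.1.2.7"))
```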
IPv4 ACL Configuration and Operating Rules
■ RACLs and Routed IPv4 Traffic: Except for any IPv4 traffic with a DA on the switch itself, RACLs filter only routed IPv4 traffic that is entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the switch, there is no routed traffic for RACLs to filter. For more on routing, refer to the latest Multicast and Routing Guide for your switch.

■ VACLs and Switched or Routed IPv4 Traffic: A VACL filters traffic entering the switch on the VLAN(s) to which it is assigned.

■ Static Port ACLs: A static port ACL filters traffic entering the switch on the port(s) or trunk(s) to which it is assigned.