10-9
IPv4 Access Control Lists (ACLs)
Terminology
ACL ID:
A number or alphanumeric string used to identify an ACL. A
standard
IPv4 ACL ID can have either an alphanumeric string or a number in the
range of 1 to 99. An
extended
IPv4 ACL ID can have either an alphanumeric
string or a number in the range of 100 to 199. See also “Identifier”.
Note:
RADIUS-assigned ACLs are identified by client authentication data
and do not use the ACL ID strings described here.
ACL Mask:
Follows any IPv4 address (source or destination) listed in an ACE.
Defines which bits in a packet’s corresponding IPv4 addressing must
exactly match the addressing in the ACE, and which bits need not match
(wildcards). See also “How an ACE Uses a Mask To Screen Packets for
Matches” on page 10-35.)
CIDR:
This is the acronym for Classless Inter-Domain Routing.
Connection-Rate ACL:
An optional feature used with Connection-Rate
filtering based on virus-throttling technology. For more information, refer
to the chapter 3, “Virus Throttling”.
DA:
The acronym used in text to represent
Destination Address
. In an IPv4
packet, this is the destination address carried in the header, and identifies
the destination intended by the packet’s originator. In an extended ACE,
this is the second of two addresses required by the ACE to determine
whether there is a match between a packet and the ACE. See also “SA”.
Deny:
An ACE configured with this action causes the switch to drop a packet
for which there is a match within an applicable ACL.
Dynamic Port ACL:
See “RADIUS-Assigned ACL”.
Extended ACL:
This type of IPv4 Access Control List uses layer-3 IP criteria
composed of source and destination addresses and (optionally) TCP/UDP
port, ICMP, IGMP, precedence, or ToS criteria to determine whether there
is a match with an IP packet. Except for RADIUS-assigned ACLs, which
use client credentials for identifiers, extended ACLs require an alphanu-
meric name or an identification number (ID) in the range of 100 - 199.
IDENTIFIER
:
A term used in ACL syntax statements to represent either the name
or number by which the ACL can be accessed. See also
NAME-STR
. Note
that RADIUS-assigned ACLs are identified by client authentication data
and do not use the identifiers described in this chapter.
Implicit Deny:
If the switch finds no matches between an IPv4 packet and
the configured criteria in an applicable static or dynamic ACL, then the
switch denies (drops) the packet with an implicit
deny any
function (for
standard ACLs) or an implicit
deny ip any any
function (for extended
Summary of Contents for E3800 Series
Page 2: ......
Page 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Page 30: ...xxviii ...
Page 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Page 186: ...4 72 Web and MAC Authentication Client Status ...
Page 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Page 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Page 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Page 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Page 730: ...20 Index ...
Page 731: ......