By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility
of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are
matched in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule is the nearest multiple of the numbering step that is
higher than the current highest rule ID, starting from 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9,
10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule
is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five
rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be
renumbered 0, 2, 4, 6, and 8.
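As an added example (not HPE's own code), the following Python model implements the numbering and renumbering behaviour just described, with the step defaulting to 5 as on the device. The function names, and the assumption that a manually chosen ID must be unused to count as an insertion, are this example's own.

```python
"""Model of ACL rule numbering: automatic IDs, renumbering on step change,
and manual insertion into the gap the step leaves (added example, not vendor code)."""


def assign_rule_id(existing_ids, step=5):
    """ID for a newly defined rule: the nearest multiple of `step` that is
    strictly higher than the current highest rule ID; 0 for an empty ACL."""
    if step <= 0:
        raise ValueError("numbering step must be a positive integer")
    if not existing_ids:
        return 0
    highest = max(existing_ids)
    return (highest // step + 1) * step


def renumber(existing_ids, new_step):
    """Renumber all rules 0, step, 2*step, ... in ascending order of their
    current IDs, as happens whenever the step is changed. Returns a mapping
    old_id -> new_id, which shows that the relative (config) order is preserved."""
    if new_step <= 0:
        raise ValueError("numbering step must be a positive integer")
    return {old: i * new_step for i, old in enumerate(sorted(existing_ids))}


def insert_rule(existing_ids, rule_id):
    """Add a manually numbered rule into the gap left by the step.
    Assumption of this model: the ID must be unused, otherwise it is not an
    insertion but a reference to an existing rule."""
    if rule_id < 0:
        raise ValueError("rule ID must not be negative")
    if rule_id in existing_ids:
        raise ValueError(f"rule {rule_id} already exists")
    return sorted(list(existing_ids) + [rule_id])


if __name__ == "__main__":
    print("next auto ID:", assign_rule_id([0, 5, 9, 10, 12]))       # 15
    print("step 5 -> 2:", renumber([5, 10, 13, 15, 20], 2))          # 0, 2, 4, 6, 8
    print("insert 7 into the gap:", insert_rule([0, 5, 10], 7))      # [0, 5, 7, 10]
```

Because rules in a config-order ACL are matched in ascending ID order, `renumber` keeps the sorted order of the old IDs, so renumbering never changes which rule matches first.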
Implementing time-based ACL rules
You can implement ACL rules based on the time of day by applying a time range to them. A
time-based ACL rule takes effect only during the time periods specified by the time range.
The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
• Absolute time range—Represents only a period of time and does not recur.
You can specify a time range in ACL rules before or after you create it. However, the rules using the
time range take effect only after you define the time range.
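The following Python model, an added example rather than HPE's code, shows how a time-based rule is evaluated: periodic ranges recur on weekdays, absolute ranges cover one non-recurring interval, and a rule that references a time range stays out of effect until that range is defined. The class names, the `time_ranges` table and the simplifying assumption that a range is active whenever any one of its periods covers the current time are this example's own.

```python
"""Evaluating time-based ACL rules: periodic and absolute time ranges, and
rules referencing a range that has not been defined yet (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Periodic:
    """Recurs on the given weekdays (datetime.weekday(): Monday=0 .. Sunday=6)."""
    weekdays: frozenset
    start: time
    end: time  # end-exclusive

    def covers(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass(frozen=True)
class Absolute:
    """One interval that does not recur."""
    start: datetime
    end: datetime  # end-exclusive

    def covers(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass
class TimeRange:
    periods: list = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        # Assumption of this model: any covering period makes the range active.
        return any(p.covers(now) for p in self.periods)


def rule_in_effect(rule: dict, time_ranges: dict, now: datetime) -> bool:
    """A rule without a time range is always in effect. A rule naming a time
    range takes effect only while that range is active, and only once the
    range has been defined; an undefined name keeps the rule out of effect."""
    name = rule.get("time_range")
    if name is None:
        return True
    tr = time_ranges.get(name)
    if tr is None:
        return False
    return tr.active(now)


# Constructed sample ranges: office hours on workdays, and the month of March 2024.
WORKDAYS = frozenset(range(0, 5))
TIME_RANGES = {
    "work": TimeRange([Periodic(WORKDAYS, time(8, 0), time(18, 0))]),
    "march": TimeRange([Absolute(datetime(2024, 3, 1), datetime(2024, 4, 1))]),
}

if __name__ == "__main__":
    tuesday = datetime(2024, 3, 5, 9, 30)
    print(rule_in_effect({"time_range": "work"}, TIME_RANGES, tuesday))   # True
    print(rule_in_effect({"time_range": "night"}, TIME_RANGES, tuesday))  # False: not defined
```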
IPv4 fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid these risks, the ACL implementation of Hewlett Packard Enterprise does the following:
• Filters all fragments by default, including non-first fragments.
• Allows for matching criteria modification, for example, filters non-first fragments only.
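The difference between the two behaviours is easiest to see on constructed packets. The Python below is an added example, not HPE's code: `traditional_filter` never evaluates non-first fragments, while `filter_all_fragments` evaluates every fragment, and a rule's `non_first_only` flag stands in for the "match non-first fragments only" criterion. Rules carry only a Layer 3 source address, are tried in ascending rule-ID order, and, as an assumption of this model, a packet that matches no rule is permitted.

```python
"""Fragment handling in packet filtering: legacy first-fragment-only matching
versus matching all fragments, on constructed packets (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    fragment_offset: int  # 0 for an unfragmented packet or a first fragment

    @property
    def non_first_fragment(self) -> bool:
        return self.fragment_offset > 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    src: str               # exact source address, or "any"
    non_first_only: bool = False  # model of "match non-first fragments only"

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.non_first_only and not pkt.non_first_fragment:
            return False
        return True


def apply_acl(rules, pkt: Packet) -> str:
    """Config-order matching: rules are tried in ascending rule-ID order and the
    first match decides. Assumption of this model: no match means permit."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return "permit"


def traditional_filter(rules, pkt: Packet) -> str:
    """Legacy behaviour: non-first fragments are not evaluated and pass through."""
    if pkt.non_first_fragment:
        return "permit"
    return apply_acl(rules, pkt)


def filter_all_fragments(rules, pkt: Packet) -> str:
    """Default behaviour described above: every fragment is evaluated."""
    return apply_acl(rules, pkt)


# Constructed sample data using a documentation address (RFC 5737).
RULES = [Rule(0, "deny", "192.0.2.10"), Rule(5, "permit", "any")]
FRAG_ONLY_RULES = [Rule(0, "deny", "any", non_first_only=True), Rule(5, "permit", "any")]
FIRST = Packet("192.0.2.10", 0)
NON_FIRST = Packet("192.0.2.10", 185)

if __name__ == "__main__":
    print("legacy, non-first fragment:", traditional_filter(RULES, NON_FIRST))   # permit
    print("all fragments, non-first:", filter_all_fragments(RULES, NON_FIRST))    # deny
```

The second rule set shows the modified criterion: with `non_first_only` set, the deny rule leaves first fragments alone and catches only non-first fragments.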
Configuration task list

Task                                       Remarks
                                           Optional. Applicable to IPv4 and IPv6.
                                           Required. Configure at least one task. Basic ACLs and advanced ACLs are
                                           applicable to IPv4 and IPv6.
Configuring an Ethernet frame header ACL   Optional. Applicable to IPv4 and IPv6.