10-28
IPv4 Access Control Lists (ACLs)
IPv4 Static ACL Operation
Note
The order in which an ACE occurs in an ACL is significant. The switch compares each packet to the ACEs in sequence and applies the first ACE that matches; later ACEs are not consulted for that packet. For example, if an ACL contains six ACEs but the first ACE is a "permit any" entry, the ACL permits all IPv4 traffic and the remaining five ACEs never apply, even if they specify criteria that would match some of the traffic already permitted by the first ACE.
For example, suppose you want to configure an ACL on the switch (with an ID of "Test-02") to invoke these policies for routed traffic entering the switch on VLAN 12:
1. Permit inbound IPv4 traffic from IP address 10.11.11.42.
2. Deny only the inbound Telnet traffic from address 10.11.11.101 (other inbound IPv4 traffic from that address is permitted).
3. Permit only inbound Telnet traffic from IP address 10.11.11.33.
4. Deny all other inbound IPv4 traffic.
The following ACL, when assigned to inbound filtering on an interface, supports the above case:
Figure 10-7. Example of How an ACL Filters Packets
ip access-list extended "Test-02"
10 permit ip 10.11.11.42 0.0.0.0 0.0.0.0 255.255.255.255
20 deny tcp 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
30 permit ip 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255
40 permit tcp 10.11.11.33 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
<Implicit Deny>
exit
HP Switch(config)# vlan 12 ip access-group Test-02 in
The numbered callouts in the figure correspond to the entries of the ACL as follows:
1. Permits IPv4 traffic from source address 10.11.11.42. Packets matching this criterion are permitted and are not compared to any later ACE in the list. IPv4 packets not matching this criterion are compared to the next entry in the list.
2. Denies Telnet traffic from source address 10.11.11.101. Packets matching this criterion are dropped and are not compared to later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
3. Permits IPv4 traffic from source address 10.11.11.101. Any packets matching this criterion are permitted and are not compared to any later criteria in the list. Because this entry comes after the entry blocking Telnet traffic from this same address, there are no Telnet packets left to compare with this entry; they have already been dropped as a result of matching the preceding entry.
4. Permits Telnet traffic from source address 10.11.11.33. Packets matching this criterion are permitted and are not compared to any later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
5. This entry does not appear in an actual ACL, but is implicit as the last entry in every ACL. Any IPv4 packets that do not match any of the criteria in the ACL's preceding entries are denied (dropped) and do not cross VLAN 12.
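The following Python is an added illustration and is not code from the guide or from HP. It simulates the first-match evaluation described in the callouts above for the Test-02 ACL and also flags ACEs that can never be reached, which is the situation the note at the top of this section warns about. The ACL text is copied from the figure; the sample packets and the destination host 10.11.12.5 are constructed for the demonstration. Only contiguous wildcard masks and a destination "eq" port are handled, which is all Test-02 uses, and the reachability check is a simplification: it reports an ACE only when a single earlier ACE covers everything it could match, not when several earlier ACEs jointly do.

```python
"""Constructed example (not from the HP guide): first-match evaluation of an
extended IPv4 ACL in the syntax shown in the figure, plus a check for ACEs
that can never be reached because an earlier ACE already covers them."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The Test-02 ACL from the figure, embedded as text so this runs offline.
ACL_TEXT = """
10 permit ip 10.11.11.42 0.0.0.0 0.0.0.0 255.255.255.255
20 deny tcp 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
30 permit ip 10.11.11.101 0.0.0.0 0.0.0.0 255.255.255.255
40 permit tcp 10.11.11.33 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
"""

# The mistake the note warns about: a "permit any" ACE placed in front of Test-02.
PERMIT_ANY_FIRST = (
    "5 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255\n" + ACL_TEXT
)


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IPv4 protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq N"; None = any port


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Address plus ACL wildcard mask (0 bits = must match) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError("non-contiguous wildcard mask not supported: " + wildcard)
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'seq action proto src src-wc dst dst-wc [eq port]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dport = int(tok[8]) if len(tok) > 8 and tok[7] == "eq" else None
        aces.append(Ace(int(tok[0]), tok[1], tok[2], _net(tok[3], tok[4]),
                        _net(tok[5], tok[6]), dport))
    return aces


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    return (ace.proto in ("ip", proto)
            and ipaddress.IPv4Address(src) in ace.src
            and ipaddress.IPv4Address(dst) in ace.dst
            and (ace.dport is None or ace.dport == dport))


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE. ('deny', None) is the
    implicit deny that ends every ACL."""
    for ace in aces:
        if matches(ace, proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None


def covers(a: Ace, b: Ace) -> bool:
    """True when every packet ACE b could match is already matched by ACE a."""
    return (a.proto in ("ip", b.proto)
            and (a.dport is None or a.dport == b.dport)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst))


def shadowed(aces: List[Ace]) -> List[int]:
    """Sequence numbers of ACEs that can never be reached because a single
    earlier ACE (permit or deny) covers everything they would match."""
    return [b.seq for i, b in enumerate(aces) if any(covers(a, b) for a in aces[:i])]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample packets: (proto, src, dst, dport); 10.11.12.5 is an arbitrary host.
    for pkt in [("tcp", "10.11.11.42", "10.11.12.5", 80),
                ("tcp", "10.11.11.101", "10.11.12.5", 23),
                ("tcp", "10.11.11.101", "10.11.12.5", 80),
                ("tcp", "10.11.11.33", "10.11.12.5", 23),
                ("tcp", "10.11.11.33", "10.11.12.5", 80),
                ("udp", "10.11.11.7", "10.11.12.5", 53)]:
        print(pkt, "->", evaluate(acl, *pkt))
    print("unreachable ACEs in Test-02:", shadowed(acl))
    print("unreachable ACEs with permit-any first:", shadowed(parse_acl(PERMIT_ANY_FIRST)))
```

Running it shows the four policies holding: Telnet from 10.11.11.101 is dropped by ACE 20 before ACE 30 can permit it, non-Telnet traffic from 10.11.11.33 falls through to the implicit deny, and with a "permit any" entry in front every real ACE of Test-02 is reported as unreachable.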
HP Switch Software, E3800 switches, software version KA.15.03, September 2011, Access Security Guide.