IPv4 Access Control Lists (ACLs)
It is important to remember that all IPv4 ACLs configurable on the switch
include an implicit deny ip any. That is, IPv4 packets that the ACL does not
explicitly permit or deny will be implicitly denied, and therefore dropped
instead of forwarded on the interface. If you want to preempt the implicit deny
so that IPv4 packets not explicitly denied by other ACEs in the ACL will be
permitted, insert an explicit “permit any” as the last ACE in the ACL. Doing so
permits any packet not explicitly denied by earlier entries. (Note that this
solution does not apply in the preceding example, where the intention is for
the switch to forward only explicitly permitted IPv4 packets routed on VLAN
12.)
Planning an ACL Application
Before creating and implementing ACLs, you need to define the policies you
want your ACLs to enforce, and understand how the ACL assignments will
impact your network users.
Note
All IPv4 traffic entering the switch on a given interface is filtered by all ACLs
configured for inbound traffic on that interface. For this reason, an inbound
IPv4 packet will be denied (dropped) if it has a match with either an implicit
or explicit deny in any of the inbound ACLs applied to the interface. (This does
not apply to traffic leaving the switch because only one type of ACL—an
RACL—can be applied, and only to routed IPv4 traffic.)
(Refer to “Multiple ACLs on an Interface” on page 10-19.)
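The following Python model is an added example, not part of the HP guide and not switch configuration syntax. It illustrates the two rules above: the implicit deny at the end of every ACL, and the drop that results when any one inbound ACL on an interface denies a packet. The ACL names, addresses and helper functions are hypothetical, and it assumes ACEs are compared in order with the first match deciding.

```python
from ipaddress import ip_address, ip_network

def ace(action, src, dst="0.0.0.0/0"):
    """Build one ACE as (action, source network, destination network)."""
    return (action, ip_network(src), ip_network(dst))

def evaluate_acl(acl, src, dst):
    """Compare a packet with the ACEs in order; the first match decides."""
    s, d = ip_address(src), ip_address(dst)
    for index, (action, src_net, dst_net) in enumerate(acl, start=1):
        if s in src_net and d in dst_net:
            return action, f"ACE {index}"
    # No ACE matched: the implicit "deny ip any" at the end of every ACL applies.
    return "deny", "implicit deny"

def inbound_verdict(acls, src, dst):
    """A packet is forwarded only if every inbound ACL on the interface permits it."""
    for name, acl in acls.items():
        action, reason = evaluate_acl(acl, src, dst)
        if action == "deny":
            return "deny", f"{name}: {reason}"
    return "permit", "all inbound ACLs"

# Constructed sample ACLs (names and addresses are hypothetical).
# STRICT has no trailing permit, so anything it does not list is implicitly denied.
STRICT = [ace("permit", "10.0.12.0/24", "10.0.20.0/24")]
# OPEN blocks one host and ends with an explicit permit-any as its last ACE.
OPEN = [ace("deny", "10.0.12.66/32"), ace("permit", "0.0.0.0/0")]
INBOUND = {"ACL-A": STRICT, "ACL-B": OPEN}

if __name__ == "__main__":
    samples = [("10.0.12.5", "10.0.20.9"),
               ("10.0.12.5", "192.0.2.1"),
               ("10.0.12.66", "10.0.20.9")]
    for src, dst in samples:
        print(src, "->", dst, inbound_verdict(INBOUND, src, dst))
```

The second sample packet is permitted by ACL-B's trailing permit but still dropped, because ACL-A's implicit deny matches it.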
IPv4 Traffic Management and Improved Network Performance
You can use ACLs to block traffic from individual hosts, workgroups, or
subnets, and to block access to VLANs, subnets, devices, and services. Traffic
criteria for ACLs include:
■ Switched and/or routed traffic
■ Any traffic of a specific IPv4 protocol type (0-255)
Page 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...