10-30
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
■ Any TCP traffic (only) for a specific TCP port or range of ports,
  including optional control of connection traffic based on whether the
  initial request should be allowed
■ Any UDP traffic or UDP traffic for a specific UDP port
■ Any ICMP traffic or ICMP traffic of a specific type and code
■ Any IGMP traffic or IGMP traffic of a specific type
■ Any of the above with specific precedence and/or ToS settings
Depending on the source and/or destination of a given IPv4 traffic type, you
must also determine the ACL application(s) (RACL, VACL, or static port ACL)
needed to filter the traffic on the applicable switch interfaces. Answering the
following questions can help you to design and properly position IPv4 ACLs
for optimum network usage.
■ What are the logical points for minimizing unwanted traffic, and what
  ACL application(s) should be used? In many cases it makes sense to
  prevent unwanted traffic from reaching the core of your network by
  configuring ACLs to drop the unwanted traffic at or close to the edge
  of the network. (The earlier in the network path you can block
  unwanted traffic, the greater the benefit for network performance.)
■ From where is the traffic coming? The source and destination of
  traffic you want to filter determine the ACL application to use (RACL,
  VACL, static port ACL, and RADIUS-assigned ACL).
■ What traffic should you explicitly block? Depending on your network
  size and the access requirements of individual hosts, this can involve
  creating a large number of ACEs in a given ACL (or a large number of
  ACLs), which increases the complexity of your solution.
■ What traffic can you implicitly block by taking advantage of the
  implicit deny ip any to deny traffic that you have not explicitly
  permitted? This can reduce the number of entries needed in an ACL.
■ What traffic should you permit? In some cases you will need to
  explicitly identify permitted traffic. In other cases, depending on your
  policies, you can insert an ACE with “permit any” forwarding at the
  end of an ACL. This means that all IPv4 traffic not specifically
  matched by earlier entries in the list will be permitted.
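The last two questions can be compared with a small model of ACL evaluation. This is an added example, not taken from the HP guide and not switch configuration: the ACE fields, the CIDR notation, the addresses and the first-match ordering in the sketch are assumptions made for illustration. It runs the same packets through a list that relies on the implicit deny and through a list that ends in "permit any".

```python
import ipaddress
from typing import NamedTuple, Optional

class ACE(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IPv4 protocol
    src: str                     # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl, pkt):
    """Assumed model: the first matching ACE decides; no match means implicit deny."""
    for number, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace.action, f"ACE {number}"
    return "deny", "implicit deny"

ANY = "0.0.0.0/0"
# Constructed policy A: name the permitted traffic, let the implicit deny drop the rest.
ALLOW_LIST = [
    ACE("permit", "tcp", "10.10.20.0/24", "10.10.50.5/32", 443),
    ACE("permit", "udp", "10.10.20.0/24", "10.10.50.2/32", 53),
]
# Constructed policy B: name the blocked traffic, then forward everything else.
BLOCK_LIST = [
    ACE("deny", "tcp", "10.10.20.0/24", "10.10.50.0/24", 23),
    ACE("permit", "ip", ANY, ANY),
]
# Constructed sample packets: expected HTTPS, blocked Telnet, unplanned ICMP.
SAMPLES = [
    Packet("tcp", "10.10.20.7", "10.10.50.5", 443),
    Packet("tcp", "10.10.20.7", "10.10.50.9", 23),
    Packet("icmp", "10.10.20.7", "10.10.50.5"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "A:", evaluate(ALLOW_LIST, pkt), "B:", evaluate(BLOCK_LIST, pkt))
```

The two lists agree on the HTTPS and Telnet packets. They differ only on the ICMP packet that neither list names: list A drops it through the implicit deny, and list B forwards it through the trailing permit.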
Source: HP Switch Software, E3800 Series switches, Access Security Guide, software version KA 15 03, September 2011.