10-47
IPv4 Access Control Lists (ACLs)
Configuring and Assigning an IPv4 ACL
Allowing for the Implied Deny Function
In any ACL having one or more ACEs there will always be a packet match. This is because the switch automatically applies an Implicit Deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present. (Refer to figure 10-13.) This means that if you configure the switch to use an ACL for filtering either inbound or outbound IPv4 traffic on a VLAN, any packets not specifically permitted or denied by the explicit entries you create will be denied by the Implicit Deny action. If you want to preempt the Implicit Deny (so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted), insert an explicit "permit any" (for standard ACLs) or "permit ip any any" (for extended ACLs) as the last explicit ACE in the ACL.
A Configured ACL Has No Effect Until You Apply It to an Interface
The switch stores ACLs in the configuration file. Thus, until you actually assign an ACL to an interface, it is present in the configuration, but not used (and does not use any of the monitored resources described in the appendix titled “Monitored Resources” in the Management and Configuration Guide for your switch.)
You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration
In this case, if you subsequently create an ACL with that name or number, the switch automatically applies each ACE as soon as you enter it in the running-config file. Similarly, if you modify an existing ACE in an ACL you already applied to an interface, the switch automatically implements the new ACE as soon as you enter it. (See “” on page 10-128.) The switch allows up to 2048 ACLs each for IPv4 and determines the total from the number of unique ACL names in the configuration. For example, if you configure two ACLs, but assign only one of them to a VLAN, the ACL total is two, for the two unique ACL names. If you then assign the name of a nonexistent ACL to a VLAN, the new ACL total is three, because the switch now has three unique ACL names in its configuration. (RADIUS-based ACL resources are drawn from the IPv4 allocation.)
(For information on switch resource use, refer to “Monitoring Shared Resources” on page 10-129. For a summary of ACL resource limits, refer to the appendix covering scalability in the latest Management and Configuration Guide for your switch.)