10-33
IPv4 Access Control Lists (ACLs)
Planning an ACL Application
■ Per Switch ACL Limits for All ACL Types. At a minimum, an ACL must have one explicit “permit” or “deny” Access Control Entry. You can configure up to 2048 ACLs each for IPv4 and IPv6. The maximums are as follows:
• Named (Extended or Standard) ACLs: Up to 2048 (minus any numeric standard or extended ACL assignments, and any RADIUS-assigned ACLs)
• Numeric Standard ACLs: Up to 99; numeric range: 1 - 99
• Numeric Extended ACLs: Up to 100; numeric range: 100 - 199
• The maximum number of ACEs supported by the switch is up to 3072 IPv4 ACEs, and up to 3072 IPv6 ACEs. The maximum number of ACEs allowed on a VLAN or port depends on the concurrent resource usage by multiple configured features. For more information, use the show < qos | access-list > resources command and/or refer to “Monitoring Shared Resources” on page 10-129. For a summary of IPv4 and IPv6 ACL resource limits, refer to the appendix covering scalability in the latest Management and Configuration Guide for your switch.
■ Implicit Deny: In any static IPv4 ACL, the switch automatically applies an implicit deny ip any that does not appear in show listings. This means that the ACL denies any IPv4 packet it encounters that does not have a match with an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in an ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit any or permit ip any any entry will be permitted, and will not encounter the deny ip any ACE the switch automatically includes at the end of the ACL. For an example, refer to figure 10-7 on page 10-28. For Implicit Deny operation in dynamic ACLs, refer to chapter 7, “Configuring RADIUS Server Support for Switch Services”.
■ Explicitly Permitting Any IPv4 Traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.
■ Explicitly Denying Any IPv4 Traffic: Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs after that point have no effect.
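The first-match evaluation described in the Implicit Deny, Explicitly Permitting and Explicitly Denying notes above, as an added example that is not part of the HP ProCurve guide: a small Python simulator that walks an ACL in order, falls through to the implicit deny ip any the switch appends (and does not show in listings), and reports which ACEs can never take effect because a permit/deny any or ip any any precedes them. The ACE model (protocol, source and destination network, optional destination port), the ACL names and the sample traffic are all constructed for illustration and cover only a subset of the switch's real ACE syntax.

```python
# Added example (not from the HP ProCurve guide): simulate the switch's
# sequential first-match ACL evaluation, including the implicit "deny ip any"
# appended to every static IPv4 ACL and the rule that ACEs listed after a
# catch-all permit/deny never take effect. All names and addresses below are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip"/"any" (any IPv4 protocol), "tcp", "udp", "icmp"
    src: str                     # CIDR such as "10.1.0.0/16", or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port; only meaningful for tcp/udp


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True when the packet satisfies every field the ACE constrains."""
    if ace.proto not in ("any", "ip") and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _net_match(ace.src, pkt.src) and _net_match(ace.dst, pkt.dst)


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index) of the first ACE that matches the packet.

    If no configured ACE matches, the result is the implicit deny, reported
    with index == len(acl) so callers can tell it apart from an explicit ACE.
    """
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", len(acl)  # implicit "deny ip any"; not shown in listings


def is_catch_all(ace: ACE) -> bool:
    """permit/deny any, or permit/deny ip any any: matches every IPv4 packet."""
    return (ace.proto in ("any", "ip") and ace.src == "any"
            and ace.dst == "any" and ace.dport is None)


def unreachable_aces(acl: List[ACE]) -> List[int]:
    """Indexes of ACEs that follow the first catch-all ACE and so have no effect."""
    for i, ace in enumerate(acl):
        if is_catch_all(ace):
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACLs. DENY_ONLY lists a single deny, so everything else
# hits the implicit deny; WITH_PERMIT adds the explicit catch-all permit the
# guide says must be the LAST ACE; MISORDERED puts the catch-all first, which
# makes the deny after it dead.
DENY_ONLY = [ACE("deny", "tcp", "10.1.0.0/16", "any", 23)]
WITH_PERMIT = DENY_ONLY + [ACE("permit", "ip", "any", "any")]
MISORDERED = [ACE("permit", "ip", "any", "any"),
              ACE("deny", "tcp", "10.1.0.0/16", "any", 23)]

# Constructed sample traffic from inside 10.1.0.0/16.
TELNET = Packet("tcp", "10.1.2.3", "10.9.0.1", 23)
HTTPS = Packet("tcp", "10.1.2.3", "10.9.0.1", 443)

if __name__ == "__main__":
    for name, acl in (("DENY_ONLY", DENY_ONLY), ("WITH_PERMIT", WITH_PERMIT),
                      ("MISORDERED", MISORDERED)):
        for label, pkt in (("telnet", TELNET), ("https", HTTPS)):
            action, idx = evaluate(acl, pkt)
            where = "implicit deny" if idx == len(acl) else f"ACE {idx}"
            print(f"{name:12} {label:7} -> {action:6} ({where})")
        print(f"{name:12} unreachable ACEs: {unreachable_aces(acl)}")
```

Running the script shows the three behaviours side by side: under DENY_ONLY the HTTPS packet is dropped by the implicit deny even though no configured ACE mentions it, under WITH_PERMIT it is permitted by the trailing catch-all, and under MISORDERED the telnet deny is reported as unreachable because the catch-all permit precedes it. Checking unreachable_aces against a planned ACL before applying it is a cheap way to catch that ordering mistake.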
■ Replacing One ACL with Another Using the Same Application: For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same