Packet-Filtering - HP 2530 Manual Supplement

NOTE:
On a given port or trunk, after you assign an ACL, the default action denies any traffic
not specifically permitted by the ACL.

Packet-filtering

Sequential Comparison and Action. When the switch uses an ACL to filter a packet, it sequentially
compares each ACE's filtering criteria to the corresponding data in the packet until it finds a match.
Example 20 Sequential comparison
10 permit ipv6 ::/0 fe80::136:24/128
20 permit ipv6 ::/0 fe80::156:7/128
30 deny ipv6 ::/0 fe80::156:3/128
40 deny tcp ::/0 ::/0 eq 23
50 permit ipv6 ::/0 ::/0
(deny ipv6 ::/0 ::/0)
As shown in Example 20 "Sequential comparison", the ACL tries to apply the first ACE in the list. If there is not a match, it tries the second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry (permit or drop the packet) and makes no further comparisons of the packet with the remaining ACEs in the list. Thus, when an ACE whose criteria match a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.

Implicit Deny. If a packet does not match the criteria in any ACE in the ACL, the switch denies (drops) the packet (implicit deny). To override the implicit deny so that any packet that does not have a match is permitted, enter permit any as the last ACE in the ACL. This directs the switch to permit (forward) any packets that do not match any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit deny.

NOTE:
For ACLs configured to filter inbound packets, Implicit Deny filters any packets, including those with a DA (destination address) specifying the switch itself. This helps prevent management access from unauthorized IP sources.

Figure 19 Packet-filtering process in an ACL with N entries (ACEs)

Updates for the HP Switch Software IPv6 Configuration Guide
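The first-match evaluation and the implicit deny described above, modelled in Python as an added example (this is not code from the manual or from HP). It parses the ACEs of Example 20 and evaluates constructed packet summaries against them in sequence-number order. Assumptions: each ACE lists the source prefix before the destination prefix, "eq <port>" is a destination-port test, and the "ipv6" keyword matches any transport protocol; the packets and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Example 20 from the manual, copied as text. The parenthesised line is the
# implicit deny the switch applies on its own, so the parser skips it.
EXAMPLE_20 = """
10 permit ipv6 ::/0 fe80::136:24/128
20 permit ipv6 ::/0 fe80::156:7/128
30 deny ipv6 ::/0 fe80::156:3/128
40 deny tcp ::/0 ::/0 eq 23
50 permit ipv6 ::/0 ::/0
(deny ipv6 ::/0 ::/0)
"""


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields an ACE can test."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmpv6", ...
    dport: Optional[int] = None  # transport destination port, if any


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv6" matches any protocol (assumption)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int] = None   # from "eq <port>"; None means any port

    def matches(self, pkt: Packet) -> bool:
        # Every criterion in the ACE must match for the ACE to match.
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv6Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv6Address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def parse_ace(line: str) -> ACE:
    """Parse '<seq> permit|deny <proto> <src/len> <dst/len> [eq <port>]'.
    Assumption: the source prefix comes before the destination prefix."""
    tok = line.split()
    seq, action, proto, src, dst = int(tok[0]), tok[1], tok[2], tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    dport = int(tok[6]) if len(tok) >= 7 and tok[5] == "eq" else None
    return ACE(seq, action, proto,
               ipaddress.IPv6Network(src, strict=False),
               ipaddress.IPv6Network(dst, strict=False), dport)


def parse_acl(text: str) -> List[ACE]:
    lines = [ln.strip() for ln in text.splitlines()]
    aces = [parse_ace(ln) for ln in lines if ln and not ln.startswith("(")]
    return sorted(aces, key=lambda a: a.seq)  # sequence numbers fix the order


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, seq) of the first matching ACE,
    or ('deny', None) when no ACE matches, i.e. the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.seq   # no further ACEs are compared
    return "deny", None


def without(acl: List[ACE], seq: int) -> List[ACE]:
    """Copy of the ACL with one ACE removed (used to expose the implicit deny)."""
    return [a for a in acl if a.seq != seq]


if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_20)
    telnet_to_7 = Packet("2001:db8::1", "fe80::156:7", "tcp", 23)
    telnet_to_3 = Packet("2001:db8::1", "fe80::156:3", "tcp", 23)
    ssh_elsewhere = Packet("2001:db8::1", "2001:db8::9", "tcp", 22)
    for p in (telnet_to_7, telnet_to_3, ssh_elsewhere):
        print(p.dst, p.proto, p.dport, "->", evaluate(acl, p))
    # Remove the final permit-any: unmatched packets now hit the implicit deny.
    print("without ACE 50:", evaluate(without(acl, 50), ssh_elsewhere))
```

Running it shows the order dependence the text warns about: TCP port 23 to fe80::156:7 is permitted by ACE 20 before ACE 40 is ever consulted, while the same traffic to any other destination is dropped by ACE 40. Removing ACE 50 makes every otherwise unmatched packet fall through to the implicit deny, which is the state an inbound ACL is in unless a permit-any entry is added last.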
