HP ProCurve 5300xl Series Management Manual page 360


Access Control Lists (ACLs) for the Series 5300xl Switches
ACL Operation
Note on Implicit Deny

For ACLs configured to filter inbound packets on a VLAN, remember that Implicit Deny filters routed packets and any bridged packets with a DA specifying the switch itself. This operation helps to prevent management access from unauthorized IP sources.

Figure 9-3. The Packet-Filtering Process in an ACL with N Entries (ACEs)
9-14
[Figure 9-3 flow: test the packet against the criteria in the first ACE. If there is a match, perform the action (permit or deny) and end. If not, test the packet against the criteria in the second ACE, and so on through the Nth ACE. If no ACE matches, deny the packet (invoke implicit deny any) and end.]
1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on.
2. If a match with an explicit ACE is subsequently found, the packet is either permitted (forwarded) or denied (dropped), depending on the action specified in the matching ACE. In this case the switch ignores all subsequent ACEs in the ACL.
3. If a match is not found with any explicit ACE in the ACL, the switch invokes the implicit deny IP any at the end of every ACL, and drops the packet.

Note: If the list includes a permit IP any entry, no packets can reach the implicit deny IP any at the end of the list. Also, a permit IP any ACE at any point in an ACL defeats the purpose of any subsequent ACEs in the list.
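As an added example (not from the manual or the switch firmware), the first-match evaluation of Figure 9-3 and the note about permit IP any, simulated in Python: it models only source/destination address matching, ignoring protocol and port criteria, and the addresses, ACL entries and helper names (evaluate, shadowed_aces) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")   # models the "any" keyword

@dataclass(frozen=True)
class ACE:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network        # source address/mask (ANY == any source)
    dst: ipaddress.IPv4Network        # destination address/mask

def net(text):
    """Helper: 'any' or 'a.b.c.d/n' -> IPv4Network."""
    return ANY if text == "any" else ipaddress.IPv4Network(text)

def evaluate(acl, src, dst):
    """First-match evaluation as in Figure 9-3: return (action, index of matching ACE).
    If no explicit ACE matches, the implicit 'deny ip any' at the end applies (index None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if s in ace.src and d in ace.dst:
            return ace.action, i          # all subsequent ACEs are ignored
    return "deny", None

def shadowed_aces(acl):
    """Indices of ACEs no packet can reach because an earlier ACE already covers
    all of their traffic, e.g. anything placed after a 'permit ip any'."""
    result = []
    for i, ace in enumerate(acl):
        if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in acl[:i]):
            result.append(i)
    return result

# Constructed sample: 10.0.0.1 stands for the switch's own VLAN address (hypothetical),
# 10.1.1.0/24 for the subnet allowed to manage it.
MGMT_ACL = [
    ACE("permit", net("10.1.1.0/24"), net("10.0.0.1/32")),   # management subnet may reach the switch
    ACE("deny",   net("any"),         net("10.0.0.1/32")),   # all other sources may not
    ACE("permit", net("any"),         net("any")),           # remaining routed traffic passes
]
# Same intent, wrong order: the leading 'permit ip any' defeats the deny after it.
BAD_ACL = [ACE("permit", net("any"), net("any")),
           ACE("deny",   net("any"), net("10.0.0.1/32"))]

if __name__ == "__main__":
    print(evaluate(MGMT_ACL, "10.1.1.5", "10.0.0.1"))       # ('permit', 0)
    print(evaluate(MGMT_ACL, "192.0.2.7", "10.0.0.1"))      # ('deny', 1)
    print(evaluate(MGMT_ACL[:1], "192.0.2.7", "10.0.0.1"))  # ('deny', None): implicit deny
    print(shadowed_aces(BAD_ACL))                            # [1]
```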
