HP ProCurve Series 3400cl Release Notes page 65

Is it important to keep track of the number of matches for a particular client or ACE? If so, you can use the optional cnt (counter) feature in the ACEs for which you want this information. This is especially useful when you want to verify that the switch is actually denying unwanted client packets. (Note that configuring a high number of counters can exhaust the switch's counter resources. Refer to Table 5 on page 57.)

Caution
ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon as a complete security solution.

Planning the ACLs Needed To Enforce Traffic Policies
This section can help in understanding how to order the ACEs in a RADIUS-based ACL and how clients and the switch operate in this dynamic environment.

Guidelines for Structuring a RADIUS-Based ACL
The sequence of ACEs is significant. When the switch uses an ACL to determine whether to permit or deny a packet on a particular port, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet. This is significant because, once a match is found for a packet, subsequent ACEs in the same ACL are not consulted for that packet, regardless of whether they would also match it. Place the more specific permit and deny ACEs before any general ones.

Inbound Traffic Only: RADIUS-based ACLs filter only the inbound IP traffic from an authenticated client for which an ACL has been configured on the appropriate RADIUS server.

Result of an ACE/Packet Match: The first match of a given packet to an ACE dictates the action for that packet. Any subsequent match possibilities are ignored.

Explicitly Permitting Any IP Traffic from the Authenticated Client: Entering a permit in ip from any to any (permit any any) ACE in a RADIUS-based ACL permits all IP traffic (from the authenticated client) that is not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect. (While a RADIUS-based ACL is applied to a port, traffic inbound from sources other than the client whose authentication caused the ACL assignment is denied.)
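The first-match behaviour described above, as an added example that is not part of the release notes or ProCurve's own code. It is a small simulator: it parses ACEs in the "permit in ip from any to any" form quoted in the text, evaluates constructed packets against them in order, advances a hit counter only for ACEs carrying the cnt keyword, and reports ACEs that can never be reached because an earlier ACE already covers everything they match. The exact token layout (protocol, optional destination port, trailing cnt) and the implicit deny at the end of the list are assumptions for illustration; the client address, ACL and packets are constructed sample data.

```python
"""First-match evaluation of a RADIUS-based ACL (added example, not ProCurve code).

ACE shape assumed here, modelled on the text's "permit in ip from any to any":
    <permit|deny> in <ip|tcp|udp|icmp> from <src|any> to <dst|any> [<dport>] [cnt]
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Optional[IPv4Network]       # None means "any"
    dst: Optional[IPv4Network]
    dport: Optional[int]             # None means any destination port
    count: bool = False              # the optional cnt keyword
    hits: int = 0                    # only advanced when count is True


def parse_ace(text: str) -> ACE:
    tok = text.split()
    if (len(tok) < 7 or tok[0] not in ("permit", "deny") or tok[1] != "in"
            or tok[3] != "from" or tok[5] != "to"):
        raise ValueError(f"malformed ACE: {text!r}")
    proto = tok[2]
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol in ACE: {text!r}")

    def net(s: str) -> Optional[IPv4Network]:
        return None if s == "any" else ip_network(s, strict=False)

    rest = tok[7:]
    count = bool(rest) and rest[-1] == "cnt"
    if count:
        rest = rest[:-1]
    dport = None
    if rest:
        if len(rest) != 1 or proto not in ("tcp", "udp"):
            raise ValueError(f"a port is only valid for tcp/udp: {text!r}")
        dport = int(rest[0])
    return ACE(tok[0], proto, net(tok[4]), net(tok[6]), dport, count)


def matches(ace: ACE, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.src is not None and ip_address(pkt["src"]) not in ace.src:
        return False
    if ace.dst is not None and ip_address(pkt["dst"]) not in ace.dst:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return True


def evaluate(acl: List[ACE], pkt: dict, client: str) -> Tuple[str, int]:
    """Return (action, index of the matching ACE); index -1 means no ACE matched."""
    # The ACL only filters inbound traffic from the authenticated client; traffic
    # from any other source on that port is denied, as the text states.
    if pkt["src"] != client:
        return "deny", -1
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            if ace.count:
                ace.hits += 1
            return ace.action, i          # first match wins; later ACEs are ignored
    return "deny", -1                     # assumed implicit deny at end of list


def covers(a: ACE, b: ACE) -> bool:
    """True if every packet that matches ACE b also matches ACE a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.src is not None and (b.src is None or not b.src.subnet_of(a.src)):
        return False
    if a.dst is not None and (b.dst is None or not b.dst.subnet_of(a.dst)):
        return False
    if a.dport is not None and a.dport != b.dport:
        return False
    return True


def shadowed(acl: List[ACE]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed sample data: one authenticated client and a four-ACE RADIUS-based ACL.
CLIENT = "10.10.20.5"
SAMPLE_ACL = [parse_ace(s) for s in (
    "permit in tcp from any to 10.10.30.10 443",
    "deny in tcp from any to 10.10.30.0/24 23 cnt",   # counted, to verify denies
    "permit in ip from any to any",
    "deny in ip from any to 10.10.40.0/24 cnt",        # unreachable: after permit any any
)]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": CLIENT, "dst": "10.10.30.7", "dport": 23},
                {"proto": "udp", "src": CLIENT, "dst": "10.10.40.9", "dport": 53}):
        print(pkt["dst"], evaluate(SAMPLE_ACL, pkt, CLIENT))
    print("shadowed ACEs:", shadowed(SAMPLE_ACL), "telnet denies:", SAMPLE_ACL[1].hits)
```

Running shadowed() over a candidate ACL before pushing it to the RADIUS server catches exactly the mistake the text warns about: a deny placed after permit in ip from any to any is silently dead, and its cnt counter will stay at zero no matter how much unwanted traffic the client sends.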
Enhancements: Release M.10.02 Enhancements (page 55)