How An Ace Uses A Mask To Screen Packets For Matches - HP ProCurve 6120G/XG Manual

HP ProCurve Series 6120 Blade Switches Access Security Guide

IPv4 Access Control Lists (ACLs)
Traffic Management and Improved Network Performance
How an ACE Uses a Mask To Screen Packets for Matches
When the switch applies an ACL to inbound traffic on an interface, each ACE
in the ACL uses an IP address and ACL mask to enforce a selection policy on
the packets being screened. That is, the mask determines the range of IP
addresses (SA only or SA/DA) that constitute a match between the policy and
a packet being screened.
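
The mask comparison described above, as an added Python example that is not taken from the HP manual. It assumes the ACL mask is a wildcard-style mask (a 0 bit must match the ACE address, a 1 bit matches either value); the function names and all addresses are constructed for illustration.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def field_matches(packet_addr, ace_addr, ace_mask):
    """True when every bit the mask marks 0 is identical in both addresses."""
    care = ~_to_int(ace_mask) & 0xFFFFFFFF   # bits that must match
    return (_to_int(packet_addr) & care) == (_to_int(ace_addr) & care)

def ace_matches(ace, sa, da=None):
    """SA-only ACE: compare the SA. SA/DA ACE: both fields must match."""
    if not field_matches(sa, ace["sa"], ace["sa_mask"]):
        return False
    if "da" in ace:
        return da is not None and field_matches(da, ace["da"], ace["da_mask"])
    return True

def matched_bounds(ace_addr, ace_mask):
    """Lowest and highest address the mask admits. For a contiguous mask this
    is the whole matched range; a non-contiguous mask skips addresses inside it."""
    mask = _to_int(ace_mask)
    low = _to_int(ace_addr) & ~mask & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(low)),
            str(ipaddress.IPv4Address(low | mask)))

# Constructed sample ACEs (not from the manual).
SA_ONLY = {"sa": "10.28.18.0", "sa_mask": "0.0.0.255"}
SA_DA = {"sa": "10.28.18.0", "sa_mask": "0.0.0.255",
         "da": "10.28.20.5", "da_mask": "0.0.0.0"}   # all-zero mask = one host

if __name__ == "__main__":
    print("SA-only ACE covers", matched_bounds(SA_ONLY["sa"], SA_ONLY["sa_mask"]))
    for sa, da in [("10.28.18.77", "10.28.20.5"),
                   ("10.28.18.77", "10.28.20.6"),
                   ("10.28.19.77", "10.28.20.5")]:
        print(sa, "->", da,
              "| SA-only:", ace_matches(SA_ONLY, sa),
              "| SA/DA:", ace_matches(SA_DA, sa, da))
```

Running the same check against a planned ACE before assigning it to an interface shows whether the mask admits more source or destination addresses than the policy intends.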
- ACLs Operate On Ports and Static Trunk Interfaces: You can assign an ACL to any port and/or any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks.
- ACLs Screen Only the Traffic Entering the Switch on a Port or Static Trunk Interface: On a given interface, ACLs can screen inbound traffic at the point where it enters the switch. ACLs do not screen traffic routed between VLANs within the switch, between subnets in a multinetted VLAN, or at the interface where the traffic exits from the switch. (See figure 9-1 on page 9-11.)
- Before Modifying an Applied ACL, You Must First Remove It from All Assigned Interfaces: An ACL cannot be changed while it is assigned to an interface.
- Before Deleting an Applied ACL, You Must First Remove It from All Interfaces to Which It Is Assigned: An assigned ACL cannot be deleted.
- Port and Static Trunk Interfaces:
  - Removing a port from an ACL-assigned trunk returns the port to its default settings.
  - To add a port to a trunk when an ACL is already assigned to the port, you must first remove the ACL assignment from the port.
  - Adding a new port to an ACL-assigned trunk automatically applies the ACL to the new port.
