A standard ACL matches only one packet pattern: the source IP address. An
extended ACL matches more complex packet patterns:
- source and a destination address
- most fields in the IP, TCP, and UDP header, including IP protocol and TCP
  or UDP source or destination port
You should create a standard ACL if you want to select traffic based only on
the source IP address. (See Figure 5-6.) If you want to select traffic based on
other fields in the IP, TCP, or UDP header or if you want the firewall to filter
traffic based on the destination IP address of traffic, you must create an
extended ACL. (See Figure 5-7.)
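The difference in matching power can be modeled in a few lines. This is an added example, not ProCurve code or CLI syntax: the class names, the CIDR notation, the sample addresses, and the top-down first-match evaluation are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass(frozen=True)
class StandardEntry:
    action: str                     # "permit" or "deny"
    src_net: str

    def matches(self, p: Packet) -> bool:
        # A standard entry can examine the source address and nothing else.
        return _in(p.src, self.src_net)

@dataclass(frozen=True)
class ExtendedEntry:
    action: str
    proto: str                      # "ip" stands for any IP protocol
    src_net: str
    dst_net: str
    dport: Optional[int] = None     # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _in(p.src, self.src_net)
                and _in(p.dst, self.dst_net)
                and (self.dport is None or self.dport == p.dport))

def evaluate(acl, packet):
    """Action of the first matching entry, or None when nothing matches.
    Assumption: entries are checked top-down and the first match wins."""
    return next((e.action for e in acl if e.matches(packet)), None)

# Constructed sample traffic and ACLs (addresses are illustrative only).
WEB = Packet("192.168.1.20", "10.1.1.10", "tcp", 80)
TELNET = Packet("192.168.1.20", "10.1.1.10", "tcp", 23)
OUTSIDE = Packet("172.16.5.9", "10.1.1.10", "tcp", 80)
STANDARD = [StandardEntry("permit", "192.168.1.0/24")]
EXTENDED = [ExtendedEntry("permit", "tcp", "192.168.1.0/24", "10.1.1.10/32", 80),
            ExtendedEntry("deny", "ip", "192.168.1.0/24", "10.1.1.0/24")]
```

The standard ACL gives the same answer for `WEB` and `TELNET` because both share a source address; only the extended ACL can permit one and deny the other.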
Figure 5-6. With Standard ACLs, the ProCurve Secure Router Checks Only the
Source Address
[Diagram labels: Server, Core Switch, Edge Switch, LAN, Router, Internet,
User. Router callout: "Is this source address permitted or denied?"]
Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces