HP A6600 Configuration Manual (ACL and QoS): ACL rule numbering; Implementing time-based ACL rules; Filtering IPv4 fragments with ACLs; Applying ACL

ACL and QoS

ACL rule numbering

If you do not assign an ID to the rule you are creating, the system automatically assigns one.
Rule numbering step
The rule numbering step is the increment by which the system automatically numbers rules. For example,
the default numbering step is 5, so rules you create without IDs are numbered 0, 5, 10, 15, and so on.
The wider the numbering step, the more rules you can later insert between two existing rules.
Leaving gaps between rule IDs rather than numbering rules contiguously gives you the flexibility to
insert a rule at a chosen position in an ACL. This matters for an ACL in config match order, where
rules are matched in ascending order of rule ID, so a rule's ID decides its precedence.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule is the nearest multiple of the numbering step that is
higher than the current highest rule ID. If the ACL does not contain any rule, the first rule is numbered 0.
For example, if the numbering step is 5 (the default) and there are five ACL rules numbered 0, 5, 9, 10, and
12, the newly defined rule is numbered 15.
Whenever the step changes, all rules are renumbered from 0 in increments of the new step, keeping their
relative order. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from
5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8. Rule IDs recorded elsewhere (in scripts or
change records) are therefore stale after a step change.
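The numbering and renumbering behaviour described above, as an added Python model (not code from the HP manual or the device): `next_rule_id` computes the automatic ID, `renumber` applies a step change, and a small `ConfigOrderAcl` class shows how an explicit ID places a rule in match order. The class and function names, and treating a re-used ID as a replacement of the existing rule, are assumptions of this model.

```python
"""Model of automatic ACL rule numbering and renumbering.

Added example, not code from the HP manual: a Python model of the numbering
behaviour the section describes, so the effect of the numbering step can be
tried out before touching a device.
"""
from typing import Dict, Iterable, List, Optional


def next_rule_id(existing_ids: Iterable[int], step: int = 5) -> int:
    """ID the system assigns to a new rule created without an explicit ID.

    It is the nearest multiple of `step` strictly above the current highest
    rule ID; an ACL with no rules starts at 0.
    """
    if step < 1:
        raise ValueError("numbering step must be a positive integer")
    ids = list(existing_ids)
    if not ids:
        return 0
    return (max(ids) // step + 1) * step


def renumber(existing_ids: Iterable[int], new_step: int) -> Dict[int, int]:
    """Renumber every rule from 0 in increments of `new_step`.

    Relative order is preserved, so match order does not change even though
    every rule ID does. Returns a mapping old_id -> new_id.
    """
    if new_step < 1:
        raise ValueError("numbering step must be a positive integer")
    ordered = sorted(set(existing_ids))
    return {old: index * new_step for index, old in enumerate(ordered)}


def free_ids_between(lower: int, upper: int) -> List[int]:
    """IDs still available for explicit insertion between two existing rules."""
    return list(range(lower + 1, upper))


class ConfigOrderAcl:
    """ACL in config match order: rules are consulted in ascending ID order."""

    def __init__(self, step: int = 5) -> None:
        self.step = step
        self.rules: Dict[int, str] = {}  # rule ID -> rule text

    def add_rule(self, text: str, rule_id: Optional[int] = None) -> int:
        """Add a rule, numbering it automatically unless an ID is given.

        Assumption of this model: re-using an existing ID replaces that rule.
        """
        if rule_id is None:
            rule_id = next_rule_id(self.rules, self.step)
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, new_step: int) -> Dict[int, int]:
        """Change the numbering step; all rules are renumbered from 0."""
        mapping = renumber(self.rules, new_step)
        self.rules = {mapping[old]: text for old, text in self.rules.items()}
        self.step = new_step
        return mapping

    def match_order(self) -> List[str]:
        """Rule texts in the order they would be matched."""
        return [self.rules[rule_id] for rule_id in sorted(self.rules)]
```

With the default step, adding three rules automatically yields IDs 0, 5 and 10; giving the next rule the explicit ID 7 places it between the second and third in match order, and the following automatic rule still gets 15, since 10 is the highest ID. Changing the step renumbers everything from 0, which is why a step change should be treated as a configuration change that invalidates any rule IDs referenced elsewhere.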

Implementing time-based ACL rules

You implement ACL rules that depend on the time of day by applying a time range to them. A time-based
ACL rule takes effect only during the time periods specified by its time range.
The following basic types of time ranges are available:
Periodic time range—Recurs on a day or days of the week.
Absolute time range—Covers a single period of time and does not recur.
You can apply a time range to ACL rules before or after you define the time range. However, rules that
reference the time range take effect only after the time range has been defined; until then they are inactive.
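The time range evaluation described above, as an added Python model (not the manual's or the device's code): periodic and absolute statements, rules that reference a time range by name, and the consequence that a rule referencing an undefined time range stays inactive. The sample time ranges and ACL are constructed for the example; treating the statements of one range as ORed, and leaving ranges that mix periodic and absolute statements unmodelled, are assumptions.

```python
"""Evaluating whether time-based ACL rules are in effect.

Added example, not code from the HP manual or the device: a Python model of
periodic and absolute time ranges and of rules that reference them by name.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Sequence, Union


@dataclass(frozen=True)
class Periodic:
    """Recurs on the given weekdays between start and end (end exclusive)."""
    start: time
    end: time
    days: FrozenSet[int]  # 0 = Monday ... 6 = Sunday, as datetime.weekday()

    def active_at(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end


@dataclass(frozen=True)
class Absolute:
    """A single period that does not recur (both ends inclusive)."""
    start: datetime
    end: datetime

    def active_at(self, now: datetime) -> bool:
        return self.start <= now <= self.end


Statement = Union[Periodic, Absolute]
WORKING_DAYS: FrozenSet[int] = frozenset(range(5))  # Monday to Friday


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str                       # "permit" or "deny"
    time_range: Optional[str] = None  # name of a time range; None = always


def time_range_active(name: str, definitions: Dict[str, Sequence[Statement]],
                      now: datetime) -> bool:
    """True when any statement of the named time range covers `now`.

    A time range that has not been defined yet is never active, so a rule
    that references it stays inactive until the definition exists.
    Assumption of this model: statements within one range are ORed; ranges
    mixing periodic and absolute statements are not modelled.
    """
    statements = definitions.get(name)
    if not statements:
        return False
    return any(statement.active_at(now) for statement in statements)


def rule_in_effect(rule: AclRule, definitions: Dict[str, Sequence[Statement]],
                   now: datetime) -> bool:
    if rule.time_range is None:
        return True
    return time_range_active(rule.time_range, definitions, now)


def effective_rules(acl: Sequence[AclRule],
                    definitions: Dict[str, Sequence[Statement]],
                    now: datetime) -> List[int]:
    """IDs of the rules that would be consulted at `now`, in match order."""
    return [rule.rule_id for rule in sorted(acl, key=lambda r: r.rule_id)
            if rule_in_effect(rule, definitions, now)]


# Constructed sample definitions and ACL (not from the manual).
SAMPLE_DEFINITIONS: Dict[str, Sequence[Statement]] = {
    "work": [Periodic(time(8, 0), time(18, 0), WORKING_DAYS)],
    "holiday": [Absolute(datetime(2024, 12, 24, 0, 0),
                         datetime(2024, 12, 26, 23, 59))],
}
SAMPLE_ACL = [
    AclRule(0, "deny"),                        # no time range: always in effect
    AclRule(5, "permit", "work"),              # periodic
    AclRule(10, "permit", "holiday"),          # absolute
    AclRule(15, "permit", "not-yet-defined"),  # referenced before it is defined
]


def effective_at(iso_timestamp: str) -> List[int]:
    """Rule IDs of SAMPLE_ACL in effect at an ISO 8601 timestamp."""
    return effective_rules(SAMPLE_ACL, SAMPLE_DEFINITIONS,
                           datetime.fromisoformat(iso_timestamp))
```

`effective_at("2024-01-10T09:00")` (a Wednesday) returns the always-on rule 0 and the periodic rule 5; on a Saturday only rule 0 remains, and rule 15 never appears because its time range does not exist yet. A rule that silently drops out of the match sequence is easy to overlook, so checking which rules are in effect at the times that matter is worth doing before relying on a time-based permit or deny.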

Filtering IPv4 fragments with ACLs

Traditional packet filtering matches only the first fragment of an IPv4 packet and lets all subsequent
non-first fragments pass unchecked. Attackers can exploit this by fabricating non-first fragments to carry
traffic past the filter.
To avoid this risk, the HP ACL implementation:
Filters all fragments by default, including non-first fragments.
Provides ACL-based firewalls with standard and exact match modes for matching ACLs that contain
advanced attributes, such as TCP/UDP port number and ICMP type. The standard match mode is the
default; it considers only Layer 3 attributes, which are present in every fragment. Exact match considers
all header attributes defined in IPv4 ACL rules. For more information, see the Security Configuration Guide.
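The fragment bypass described above and the default behaviour that closes it, as an added Python model (not code from the HP manual or the device): a traditional filter that checks only first fragments is placed beside a filter that evaluates every fragment, matching non-first fragments on Layer 3 attributes only, as the standard match mode does. The packets, the rule and the "no match means permit" default are constructed for the example; exact match mode is not modelled.

```python
"""Why an ACL must filter non-first fragments too.

Added example, not code from the HP manual or the device: a model of a
traditional first-fragment-only filter beside a filter that evaluates every
fragment, matching non-first fragments on Layer 3 attributes only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # IP protocol field: "tcp", "udp", "icmp", ...
    frag_offset: int             # 0 for a first fragment or an unfragmented datagram
    dport: Optional[int] = None  # Layer 4 port; absent from non-first fragments

    @property
    def non_first_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # Layer 3 attribute
    dst: str = "0.0.0.0/0"       # Layer 3 attribute
    proto: Optional[str] = None  # Layer 3 attribute (IP header protocol field)
    dport: Optional[int] = None  # advanced (Layer 4) attribute


def matches_layer3(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto))


def matches_layer4(rule: Rule, pkt: Packet) -> bool:
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: Sequence[Rule], pkt: Packet, layer3_only: bool = False) -> str:
    """First matching rule wins. Assumption of this model: no match means permit."""
    for rule in rules:
        if matches_layer3(rule, pkt) and (layer3_only or matches_layer4(rule, pkt)):
            return rule.action
    return "permit"


def traditional_filter(rules: Sequence[Rule], pkt: Packet) -> str:
    """Traditional filtering: only first fragments are checked, the rest pass."""
    if pkt.non_first_fragment:
        return "permit"
    return evaluate(rules, pkt)


def fragment_aware_filter(rules: Sequence[Rule], pkt: Packet) -> str:
    """Filter every fragment. A non-first fragment carries no Layer 4 header,
    so in standard match mode it is matched on Layer 3 attributes only."""
    return evaluate(rules, pkt, layer3_only=pkt.non_first_fragment)


# Constructed sample: deny Telnet from 10.0.0.0/8 to the server 192.0.2.10.
BLOCK_TELNET = [Rule("deny", src="10.0.0.0/8", dst="192.0.2.10/32",
                     proto="tcp", dport=23)]
FIRST_FRAGMENT = Packet("10.1.1.1", "192.0.2.10", "tcp", frag_offset=0, dport=23)
FORGED_TAIL = Packet("10.1.1.1", "192.0.2.10", "tcp", frag_offset=185)  # no L4 header
OTHER_CLIENT = Packet("198.51.100.7", "192.0.2.10", "tcp", frag_offset=0, dport=23)
```

The traditional filter denies `FIRST_FRAGMENT` but permits `FORGED_TAIL`, a fabricated non-first fragment from the same source, which is the bypass the section warns about; the fragment-aware filter denies both. The flip side of matching on Layer 3 only is that every non-first fragment from 10.0.0.0/8 to the server is denied, including fragments of a flow whose port would not have matched, because the port is simply not there to check. That over-blocking is the cost of closing the bypass in standard match mode; the page defers the finer exact match mode to the Security Configuration Guide.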

Applying ACL

ACLs are used by QoS, firewall, routing, and other features to identify the traffic they act on.