How Multiple ACL Rules Are Evaluated - HP ProCurve 8100fl Series Management and Configuration Manual


Access Control Lists (ACLs)
Layer 3 Access Control List (ACLs)
Notice in the previous example that both the source address and the
destination address are skipped over using the any parameter. The keyword
any is needed only to skip a field in order to explicitly specify another field
whose position is further along in the ACL.

How Multiple ACL Rules are Evaluated

The sequence of the rules within an ACL consisting of multiple rules is
important. When an ACL application checks a packet or route against an ACL,
it applies the rules in the order in which they reside within the ACL, from first
to last. The 8100fl switch also applies multiple ACLs in the order in which they
are configured (the order in which they appear in the running-config). If a
packet or route matches a rule, it is forwarded or dropped based on the permit
or deny keyword in that rule, and no further rules are checked. If there is no
match, the packet or route is passed on to the next rule in the ACL.
Consequently, rules that are more specific (contain more match criteria)
should be listed ahead of rules that are less specific. For example, the
following ACL permits all TCP traffic except TCP traffic from subnet
100.20.20.0/24:

ProCurve(config)#access-list 101 deny tcp 100.20.20.0/24 any
ProCurve(config)#access-list 101 permit tcp any any

In this example, ACL 101 includes two rules:
1. Deny TCP packets from subnet 100.20.20.0/24
2. Permit TCP packets from any source to any destination
A TCP packet coming from subnet 100.20.20.0/24 matches the first ACL rule, which
results in the packet being dropped. A TCP packet coming from any other
subnet does not match the first ACL rule. Instead, it matches the second
ACL rule, which allows the TCP packet through.
Consider the case where the ACL rules in the previous example are reversed:

ProCurve(config)#access-list 101 permit tcp any any
ProCurve(config)#access-list 101 deny tcp 100.20.20.0/24 any

Now all TCP packets are allowed through, including packets from subnet
100.20.20.0/24. TCP traffic from 100.20.20.0/24 matches the first rule
(permit tcp any any), so it is forwarded. The second rule is never reached,
because the first rule that matches determines the action taken on the packet.
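The first-match behaviour described above, as an added worked example (this is not code from the HP manual or the switch firmware): it parses ProCurve-style access-list lines, walks the rules in configuration order and stops at the first match, so that reversing the two rules flips the verdict for 100.20.20.0/24 exactly as the text says. The packet addresses, the 192.0.2.10 destination and the helper names (parse_acl, evaluate, compare_orderings) are constructed for the example. The page does not say what happens when a packet matches no rule at all, so evaluate() returns None in that case rather than assuming an implicit permit or deny.

```python
"""First-match evaluation of ProCurve-style ACL rules.

Added example, not code from the HP 8100fl manual: parse the
'access-list <id> <permit|deny> <proto> <src> <dst>' lines shown on
this page, check a packet against the rules in the order they are
listed, and stop at the first rule that matches.  What the switch does
when no rule matches is not stated on this page, so evaluate() returns
None in that case rather than assuming an implicit permit or deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two ACLs from the manual, in the order discussed in the text.
ORIGINAL_ACL = """\
ProCurve(config)#access-list 101 deny tcp 100.20.20.0/24 any
ProCurve(config)#access-list 101 permit tcp any any
"""

REVERSED_ACL = """\
ProCurve(config)#access-list 101 permit tcp any any
ProCurve(config)#access-list 101 deny tcp 100.20.20.0/24 any
"""


@dataclass(frozen=True)
class Rule:
    acl_id: str
    action: str                              # "permit" or "deny"
    proto: str                               # e.g. "tcp"
    src: Optional[ipaddress.IPv4Network]     # None stands for "any"
    dst: Optional[ipaddress.IPv4Network]     # None stands for "any"


def _parse_addr(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any' skips the field; anything else must be a prefix such as 100.20.20.0/24."""
    if token.lower() == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_acl(config_text: str) -> List[Rule]:
    """Parse access-list lines, preserving the order in which they appear
    (the order the switch evaluates them).  The 'ProCurve(config)#' prompt
    is stripped if present; lines that are not access-list entries are ignored."""
    rules: List[Rule] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip()
        if not line.startswith("access-list"):
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        _, acl_id, action, proto, src, dst = parts
        action = action.lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        rules.append(Rule(acl_id, action, proto.lower(),
                          _parse_addr(src), _parse_addr(dst)))
    return rules


def _matches(rule: Rule, proto: str, src_ip: str, dst_ip: str) -> bool:
    """A rule matches only if every field it specifies matches the packet;
    a field given as 'any' (None here) matches everything."""
    if rule.proto != proto.lower():
        return False
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    return True


def evaluate(rules: List[Rule], proto: str, src_ip: str,
             dst_ip: str) -> Optional[Tuple[str, int]]:
    """Return (action, rule_index) of the first matching rule, or None if
    the packet reaches the end of the list without matching any rule."""
    for index, rule in enumerate(rules):
        if _matches(rule, proto, src_ip, dst_ip):
            return rule.action, index
    return None


def compare_orderings(src_ip: str, dst_ip: str = "192.0.2.10") -> dict:
    """Verdict for one TCP packet under both rule orderings, keyed
    'original' / 'reversed'.  192.0.2.10 is a constructed destination."""
    return {
        "original": evaluate(parse_acl(ORIGINAL_ACL), "tcp", src_ip, dst_ip),
        "reversed": evaluate(parse_acl(REVERSED_ACL), "tcp", src_ip, dst_ip),
    }


if __name__ == "__main__":
    # Constructed sample packets: one from the denied subnet, one from elsewhere.
    for src in ("100.20.20.7", "10.2.0.7"):
        print(src, compare_orderings(src))
```

Running the block prints the verdict for each source under both orderings: the packet from 100.20.20.7 is denied by rule 0 in the original order but permitted by rule 0 once the rules are reversed, while the packet from 10.2.0.7 is permitted either way (by rule 1 originally, by rule 0 reversed). The UDP case in the test shows the "no rule matched" path, which this page leaves unspecified.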
