Planning And Configuring Acls; Acl Operation - HP 2530 Manual Supplement

Planning and configuring ACLs

1. Identify the ACL action to apply and determine where best to apply specific ACL controls. For
   example, you can improve network performance by filtering unwanted IPv6 traffic at the edge
   of the network instead of in the core. Also, on the switch itself, you can improve performance
   by filtering unwanted IPv6 traffic inbound to the switch instead of outbound.

   Traffic source                                                         | ACL application
   -----------------------------------------------------------------------|------------------------------------------------------------
   IPv6 traffic from a specific, authenticated client                     | RADIUS-assigned ACL for inbound IPv6 traffic from an
                                                                          | authenticated client on a port*
   IPv6 traffic entering the switch on a specific port                    | Static port ACL (static-port assigned) for inbound IPv6
                                                                          | traffic on a port from any source
   Switched or routed IPv6 traffic entering the switch on a specific VLAN | VACL (VLAN ACL)

   * For more information, see the chapter "Configuring RADIUS Server Support for Switch Services" in the
     latest version of the HP Switch Software Access Security Guide for your switch. See also the
     documentation for your RADIUS server.

2. Identify the SA and/or the DA of IPv6 traffic you want to permit or deny.

3. Determine the best points at which to apply specific ACL controls.

4. Design the ACLs for the selected control points. Where you are using explicit "deny" or "permit"
   ACEs, you can use the ACL logging feature to verify that the switch is denying unwanted
   packets where intended. Excessive ACL logging activity can degrade the switch's performance.
   (See "Enable IPv6 ACL "deny" logging" (page 105).)

5. Create the ACLs in the selected switches.

6. Assign the ACLs to filter the inbound traffic on ports or static trunk interfaces configured on
   the switch.

7. Test for desired results.

For more details on ACL planning considerations, see "Planning an ACL application" (page 68).

CAUTION: Source routing is enabled by default on the switch and can be used to override ACLs.
Thus, if you are using ACLs to enhance network security, HP recommends that you use the no ip
source-route command to disable source routing on the switch. (If source routing is disabled
in the running-config file, the show running command includes no ip source-route in the
running-config file output.)

ACL operation

An ACL applies only to the switch where it is configured. ACLs operate on assigned ports and
static trunks, and filter these traffic types:
- Traffic entering the switch. (ACLs do not screen traffic at any internal point where traffic moves
  between VLANs or subnets within the switch; only on inbound ports and static trunks. See
  "ACL inbound application points" (page 59).)
- Switched or routed traffic entering the switch and having an IP address on the switch as the
  destination.

You can apply one inbound ACL to each port and static trunk configured on the switch, as follows:
- No ACL assigned (default). All traffic enters the switch on the interface without ACL filtering.
- One ACL assigned to filter the inbound traffic entering the switch on the interface.
- Multiple assignments for the same ACL. The switch allows one ACL assignment to an interface,
  but you can assign the same ACL to multiple interfaces.
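The session below carries steps 4 to 7 and the CAUTION of "Planning and configuring ACLs" through on the switch CLI and shows the one-ACL-per-interface rule from "ACL operation" (the same ACL assigned inbound to two ports); it is an added example and is not taken from the HP manual. The ACL name "edge-in", ports 1 and 2, the 2001:db8:ffff::/48 prefix, the prompts and the exact ipv6 access-list / ipv6 access-group ACE syntax are assumptions to check against the IPv6 ACL chapter for your software version; only no ip source-route and show running appear on this page.

```text
# Lines starting with "#" are annotations, not CLI input (added example; syntax assumed, see above).
# Step 5: create the ACL. The explicit deny is logged so step 7 can confirm the drops;
# 2001:db8:ffff::/48 is a constructed placeholder for an unwanted source range.
switch(config)# ipv6 access-list "edge-in"
switch(config-ipv6-acl)# 10 deny ipv6 2001:db8:ffff::/48 any log
switch(config-ipv6-acl)# 20 permit ipv6 any any
switch(config-ipv6-acl)# exit
# Step 6: assign the ACL inbound. Each port takes at most one ACL, but one ACL may serve several ports.
switch(config)# interface 1
switch(eth-1)# ipv6 access-group "edge-in" in
switch(eth-1)# exit
switch(config)# interface 2
switch(eth-2)# ipv6 access-group "edge-in" in
switch(eth-2)# exit
# CAUTION: disable source routing so it cannot be used to override the ACL.
switch(config)# no ip source-route
# Step 7: verify. "no ip source-route" is listed in the output once source routing is disabled.
switch(config)# show running
# Once the denies are confirmed, drop the "log" keyword from ACE 10: excessive ACL logging
# degrades switch performance.
```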