HP ProCurve 2910al Access Security Manual page 299

ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE.
Defines which bits in a packet's corresponding IPv4 addressing must
exactly match the addressing in the ACE, and which bits need not match
(wildcards). See also "How an ACE Uses a Mask To Screen Packets for
Matches" on page 9-28.)
CIDR: This is the acronym for Classless Inter-Domain Routing.
DA: The acronym used in text to represent Destination Address. In an IPv4
packet, this is the destination address carried in the header, and identifies
the destination intended by the packet's originator. In an extended ACE,
this is the second of two addresses required by the ACE to determine
whether there is a match between a packet and the ACE. See also "SA".
Deny: An ACE configured with this action causes the switch to drop a packet
for which there is a match within an applicable ACL.
Dynamic Port ACL: An ACL assigned by a RADIUS server to a port to filter
inbound IP traffic from a client authenticated by the server for that port.
A dynamic port ACL can be configured (on a RADIUS) server to filter
inbound IPv4 traffic. When the client session ends, the dynamic port ACL
for that client is removed from the port. See also "Implicit Deny".
Extended ACL: This type of IPv4 Access Control List uses layer-3 IP criteria
composed of source and destination addresses and (optionally) TCP/UDP
port, ICMP, IGMP, precedence, or ToS criteria to determine whether there
is a match with an IP packet. Except for RADIUS-assigned ACLs, which
use client credentials for identifiers, extended ACLs require an alphanu­
meric name or an identification number (ID) in the range of 100 - 199.
Identifier: A term used in ACL syntax statements to represent either the name
or number by which the ACL can be accessed. See also NAME-STR. Note
that RADIUS-assigned ACLs are identified by client authentication data
and do not use the identifiers described in this chapter.
Implicit Deny: If the switch finds no matches between an IPv4 packet and
the configured criteria in an applicable static or dynamic ACL, then the
switch denies (drops) the packet with an implicit deny any function (for
standard ACLs) or an implicit deny ip any any function (for extended
ACLs). You can preempt the Implicit Deny in a given ACL by configuring
a permit any (standard) or permit ip any any (extended) as the last explicit
ACE in the ACL. Doing so permits any IPv4 packet that is not explicitly
permitted or denied by other ACEs configured sequentially earlier in the
ACL. Unless otherwise noted, Implicit Deny refers to the "deny" function
enforced by both standard and extended ACLs.
IPv4 Access Control Lists (ACLs)
Terminology
9-11