Acl Configuration Factors; The Sequence Of Entries In An Acl Is Significant - HP ProCurve 5300xl Series Management Manual

Protocol Types
End-of-List
Marker
ACE Action
(permit or deny)
Figure 9-9. Example of a Displayed Extended ACL Configuration
For example, figure 9-9 shows how to interpret the entries in an extended ACL.
Source IP Addresses and
Masks.
Upper entry denies certain
UDP packets from a single
host. Lower entry denies all
UDP packets from all hosts.

ACL Configuration Factors

The Sequence of Entries in an ACL Is Significant

When the switch uses an ACL to determine whether to permit or deny a packet
on a particular VLAN, it compares the packet to the criteria specified in the
individual Access Control Entries (ACEs) in the ACL, beginning with the first
ACE in the list and proceeding sequentially until a match is found. When a
match is found, the switch applies the indicated action (permit or deny) to the
packet. This is significant because, once a match is found for a packet,
subsequent ACEs in the same ACL will not be used for that packet, regardless
of whether they match the packet.
For example, suppose that you have applied the ACL shown in figure 9-10 to
inbound traffic on VLAN 1 (the default VLAN):
Access Control Lists (ACLs) for the Series 5300xl Switches
ACL List Heading with
List Type and ID String
(Name or Number)
Optional Source UDP or
TCP Operator and Port Address and Mask
Number
In this case, the ACL
specifies UDP port 69
packets coming from the
source IP address.
Configuring and Assigning an ACL
Specifies all destination
IP addresses.
Denies TCP
traffic to any
destination
Destination IP Optional Destination
UDP or TCP Operator
and Range of Port
Numbers
In this case, the ACL
specifies UDP port
numbers 3680-3690.
Port 80
from any
source.
9-29