HP ProCurve 5300xl Series Management Manual page 429

Advanced traffic
Table 10-3. ACL Rule and Mask Resource Usage

ACE Type

Standard ACLs:
  Implicit deny any (automatically included in any standard ACL, but not displayed by the show access-list < acl-# > command).
  First ACE entered
  Next ACE entered with same ACL mask
  Next ACE entered with a different ACL mask
  Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE
  Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding ACE

Extended ACLs:
  Implicit deny ip any any (automatically included in any standard ACL, but not displayed by the show access-list < acl-# > command).
  First ACE entered
  Next ACE entered with same SA/DA ACL mask and same IP or TCP/UDP protocols specified [2]
  Next ACE entered with any of the following differences from preceding ACE in the list:
    – Different SA or DA ACL mask
    – Different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA
  Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the same SA and DA ACL masks
  Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different SA and/or DA ACL masks
[1] In a given standard ACL, consecutive ACEs must have identical ACL masks in their SA entries to avoid using a separate per-port mask for each ACE. In a given standard ACL, if two ACEs having identical SA ACL masks are separated by an ACE with a different SA ACL mask, then three per-port masks are used instead of two; one for each sequential change in SA ACL masks. Thus, you can conserve per-port resources by grouping SA entries with the same ACL mask together.

[2] In a given extended ACL, consecutive ACEs must have the same SA and DA ACL mask and the same protocol application (IP as opposed to TCP/UDP) to avoid using a separate per-port mask for each ACE. If consecutive ACEs have different SA or DA ACL masks, or different protocol applications, then each such ACE consumes a separate per-port mask.

[3] TCP and UDP are the same for the purpose of determining per-port mask use. Also, actual TCP or UDP port numbers can vary between ACEs without affecting per-port mask usage. However, if one ACE specifies a TCP/UDP source port and another does not, another per-port mask will be used.
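The grouping rule in the three notes above can be checked before an ACL is entered on the switch. The following Python sketch is an added example, not code from the HP manual: it models only the notes (one per-port mask per run of consecutive ACEs sharing SA mask, DA mask, protocol application and source-port presence) and does not count the implicit or closing ACEs from the table. The dictionary field names and sample ACEs are assumptions constructed for illustration.

```python
from itertools import groupby

def mask_key(ace):
    """Fields that consecutive ACEs must share to reuse one per-port mask."""
    proto = ace.get("proto", "ip")
    # Note 3: TCP and UDP count as the same protocol application.
    proto_class = "tcp/udp" if proto in ("tcp", "udp") else "ip"
    return (
        ace["sa_mask"],
        ace.get("da_mask"),                # absent in standard ACLs
        proto_class,
        ace.get("src_port") is not None,   # note 3: presence matters, value does not
    )

def per_port_masks(aces):
    """One per-port mask per run of consecutive ACEs with the same key."""
    return sum(1 for _key, _run in groupby(aces, key=mask_key))

# Constructed sample data (not taken from the manual).
A, B = "0.0.0.255", "0.0.0.0"
STANDARD_INTERLEAVED = [{"sa_mask": A}, {"sa_mask": B}, {"sa_mask": A}]
STANDARD_GROUPED = [{"sa_mask": A}, {"sa_mask": A}, {"sa_mask": B}]
EXTENDED = [
    {"proto": "tcp", "sa_mask": A, "da_mask": B, "dst_port": 80},
    {"proto": "udp", "sa_mask": A, "da_mask": B, "dst_port": 53},
    {"proto": "tcp", "sa_mask": A, "da_mask": B, "src_port": 1024},
    {"proto": "ip", "sa_mask": A, "da_mask": B},
]

if __name__ == "__main__":
    for name, acl in [("interleaved", STANDARD_INTERLEAVED),
                      ("grouped", STANDARD_GROUPED), ("extended", EXTENDED)]:
        print(f"{name}: {per_port_masks(acl)} per-port mask(s)")
```

ACEs are matched in list order, so regroup entries to save masks only when the entries being moved do not overlap; otherwise the reordered ACL can permit or deny different traffic.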
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
and subnet mask are duplicates of the IP address and subnet mask
used for the implicit deny ip any any ACE that the switch automatically
includes at the end of every ACL.
1
1
Per-Port Rule Usage
Per-Port Masks Usage
1
1
1
1
0
1
1
1
1
1
3
0
1
1
1
0
1
0
1
1
1
0
1
0
1
10-19
