Acl Configuration And Operating Rules - HP ProCurve 5300xl Series Management Manual

Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
10-28

ACL Configuration and Operating Rules

Per-Interface ACL Limits. At a minimum, an ACL must have one explicit
"permit" or "deny" Access Control Entry (ACE). You can assign one ACL
per interface, as follows:
- Standard ACLs: numeric range 1 - 99
- Extended ACLs: numeric range 100 - 199
- Named (Extended or Standard) ACLs: up to the maximum number of
ports on the switch (minus any numeric ACL assignments)
Implicit "deny any": In any ACL, the switch automatically applies an
implicit "deny ip any" as the final ACE; it does not appear in show
listings. This means the ACL denies any packet that does not match an
explicit entry in the ACL. Thus, if you want an ACL to permit any
packets that you have not expressly denied, you must enter a permit any
(standard ACL) or permit ip any any (extended ACL) as the last visible
ACE in the ACL. Because, for a given packet, the switch applies the
ACEs in an ACL sequentially until it finds a match, any packet that
reaches the permit any or permit ip any any entry is permitted and never
encounters the "deny ip any" ACE the switch automatically includes at
the end of the ACL. For an example, refer to figure 10-5 on page 10-15.
Explicitly Permitting Any IP Traffic: Entering a permit any or a
permit ip any any ACE in an ACL permits all IP traffic not previously
permitted or denied by that ACL. Any ACEs listed after that point do
not have any effect and unnecessarily use rule and mask resources.
Explicitly Denying Any IP Traffic: Entering a deny any or a deny ip
any any ACE in an ACL denies all IP traffic not previously permitted
or denied by that ACL. Any ACEs listed after that point have no effect.
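The three rules above (first match wins, an implicit deny that show listings do not display, and ACEs after a permit any / deny any that can never match) are easy to model. The script below is an added example, not HP code or switch firmware: it evaluates a standard ACL against source addresses and flags unreachable ACEs. The ACE text forms it accepts (permit|deny any, permit|deny host A.B.C.D, permit|deny A.B.C.D W.W.W.W with W a wildcard mask) and the sample ACL are assumptions constructed for the example. The shadow check is slightly more general than the manual's "any" case: it also flags an ACE whose whole source range is already covered by an earlier ACE, such as a deny host placed after a permit for its subnet.

```python
"""Model of the first-match and implicit-deny rules for a ProCurve standard ACL.

Added example, not switch firmware or HP code. Assumed for this example: the
ACE text forms 'permit|deny any', 'permit|deny host A.B.C.D' and
'permit|deny A.B.C.D W.W.W.W' (W = wildcard mask), and the constructed SAMPLE_ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # a standard ACL matches on source address only

    def matches(self, src_ip: str) -> bool:
        return ipaddress.IPv4Address(src_ip) in self.src


def parse_ace(line: str) -> ACE:
    """Parse one ACE line (syntax assumed above) into an ACE."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    action, rest = parts[0], parts[1:]
    if rest == ["any"]:
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif len(rest) == 2 and rest[0] == "host":
        net = ipaddress.IPv4Network(rest[1] + "/32")
    elif len(rest) == 2 and rest[1] == "0.0.0.0":
        net = ipaddress.IPv4Network(rest[0] + "/32")   # wildcard 0.0.0.0 = one host
    elif len(rest) == 2:
        # ipaddress accepts a hostmask (wildcard) as the mask part; a
        # non-contiguous wildcard raises ValueError, which is left to propagate
        net = ipaddress.IPv4Network((rest[0], rest[1]), strict=False)
    else:
        raise ValueError(f"bad ACE: {line!r}")
    return ACE(action, net)


def parse_acl(lines: List[str]) -> List[ACE]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[ACE], src_ip: str) -> Tuple[str, Optional[int]]:
    """Apply the ACEs in order and stop at the first match. Returns
    (action, index); index None means the packet fell through to the
    implicit 'deny any' that show listings do not display."""
    for i, ace in enumerate(acl):
        if ace.matches(src_ip):
            return ace.action, i
    return "deny", None


def shadowed_aces(acl: List[ACE]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE already
    covers their whole source range. Every ACE after a 'permit any' or
    'deny any' is shadowed (the manual's case); so is, for example,
    'deny host 10.1.1.99' placed after 'permit 10.1.1.0 0.0.0.255'."""
    return [i for i, ace in enumerate(acl)
            if any(ace.src.subnet_of(earlier.src) for earlier in acl[:i])]


def ends_with_permit_any(acl: List[ACE]) -> bool:
    """True if the last visible ACE is 'permit any', so unmatched traffic is
    permitted instead of hitting the implicit deny."""
    return bool(acl) and acl[-1].action == "permit" and acl[-1].src.prefixlen == 0


# Constructed sample: the final ACE is unreachable because 'permit any' precedes it.
SAMPLE_ACL = [
    "deny host 10.1.1.99",
    "permit 10.1.1.0 0.0.0.255",
    "permit any",
    "deny 10.2.0.0 0.0.255.255",
]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for ip in ("10.1.1.99", "10.1.1.5", "10.2.3.4"):
        print(ip, evaluate(acl, ip))
    print("shadowed ACE indices:", shadowed_aces(acl))
    print("ends with permit any:", ends_with_permit_any(acl))
    # Drop the 'permit any' and the unmatched host hits the implicit deny.
    print("without permit any:", evaluate(acl[:2], "10.2.3.4"))
```

Running it shows 10.2.3.4 permitted by ACE 2 (the permit any) while the deny for 10.2.0.0/16 at index 3 is reported as shadowed; with the permit any removed, the same packet returns ("deny", None), the implicit deny. Lint an ACL with shadowed_aces before assigning it: every index it reports is an ACE that consumes rule and mask resources without ever matching a packet.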
An ACL Assignment Is Exclusive: The switch allows one ACL
assignment on an interface. If a port or static trunk already has an
ACL assigned, you cannot assign another ACL to the interface without
first removing the currently assigned ACL.
Replacing One ACL with Another: Where an ACL is already
assigned to an interface, you must remove the current ACL assignment
before assigning another ACL to that interface. If an assignment
command fails because one or more interfaces specified in the
command already have an ACL assignment, the switch generates this
message in the CLI and in the Event Log:
< acl-list-# >: Unable to apply access control list.
