The Packet-Filtering Process - HP 3500yl Series Access Security Manual
Switch software
Hide thumbs
Also See for 3500yl Series:
- Release notes (219 pages) ,
- Specifications (16 pages) ,
- Features (6 pages)
Table of Contents
Advertisement
IPv4 Access Control Lists (ACLs)
IPv4 Static ACL Operation
Note
For an inbound packet with a destination
IP address of 18.28.156.3, the ACL:
1. Compares the packet to this ACE first.
2. Since there is not a match with the first
ACE, the ACL compares the packet to the
second ACE, where there is also not a
match.
3. The ACL compares the packet to the third
ACE. There is a exact match, so the ACL
denies (drops) the packet.
The packet is not compared to the
4.
ACE.
Figure 10-5. Example of Sequential Comparison
10-26
After you assign an IPv4 ACL to an interface, the default action on the interface
is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL.
(This applies only in the direction of traffic flow filtered by the ACL.)
The Packet-filtering Process
Sequential Comparison and Action. When an ACL filters a packet, it
sequentially compares each ACE's filtering criteria to the corresponding data
in the packet until it finds a match. The action indicated by the matching ACE
(deny or permit) is then performed on the packet.
Implicit Deny. If a packet does not have a match with the criteria in any of
the ACEs in the ACL, the ACL denies (drops) the packet. If you need to
override the implicit deny so that a packet that does not have a match will be
permitted, then you can use the "permit any" option as the last ACE in the
ACL. This directs the ACL to permit (forward) packets that do not have a
match with any earlier ACE listed in the ACL, and prevents these packets from
being filtered by the implicit "deny any".
Example. Suppose the ACL in figure 10-5 is assigned to filter the IPv4 traffic
from an authenticated client on a given port in the switch:
Permit in ip from any to 18.28.136.24
Permit in ip from any to 18.28.156.7
Deny in ip from any to 18.28.156.3
Deny in tcp from any to any 23
Permit in ip from any to any
(Deny in ip from any to any)
This line demonstrates the "deny any any" ACE implicit in every
RADIUS-assigned ACL. Any inbound IPv4 traffic from the
authenticated client that does not have a match with any of the five
fourth
explicit ACEs in this ACL will be denied by the implicit "deny any
any".
As shown above, the ACL tries to apply the first ACE in the list. If there is not
a match, it tries the second ACE, and so on. When a match is found, the ACL
invokes the configured action for that entry (permit or drop the packet) and
Hide quick links:
Advertisement
Chapters
Table of Contents
