HP 3500yl Series Access Security Manual page 545

Switch software

Figure 10-55. Example of Using the Same ACL for VACL and RACL Applications
(Figure labels: ACL "Test-1" assigned as a VACL to VLAN 20; 10.10.20.12; ACL "Test-1" assigned as an RACL to both VLAN 50 and VLAN 70.)

In the above case:

- Matches with ACEs 10 or 20 that originate on VLAN 20 will increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 will not be incremented.
- Any Telnet requests to 10.10.20.12 that originate on VLANs 50 or 70 will be filtered by instances of Test-1 assigned as RACLs, and will increment the counters for ACE 10 on both RACL instances of the Test-1 ACL.

Using the network in figure 10-55, a device at 10.10.20.4 on VLAN 20 attempting
to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the
"Test-1" ACL on VLAN 20 and results in the following:
HP Switch(config)# ping 10.10.20.2
10.10.20.2 is alive, time = 5 ms
HP Switch(config)# telnet 10.10.20.2
Telnet failed: Connection timed out.
HP Switch(config)#
Figure 10-56. Ping and Telnet from 10.10.20.4 to 10.10.20.2 Filtered by the
Assignment of "Test-1" as a VACL on VLAN 20
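
The per-instance counter behavior described above can be modelled as follows. This is an added example, not code or output from the HP manual; the contents of ACE 20 and ACE 30 are assumptions, and the model simplifies the switch to "a VACL sees every IPv4 packet entering its VLAN, an RACL sees only routed packets entering its VLAN".

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for ACL "Test-1". The page states only that ACE 10
# matches Telnet to 10.10.20.12; ACE 20 and ACE 30 are assumptions.
TEST_1 = [
    (10, "deny", "tcp", "10.10.20.12/32", 23),
    (20, "deny", "tcp", "10.10.20.12/32", 80),   # assumed ACE
    (30, "permit", "ip", "0.0.0.0/0", None),     # assumed ACE (ping passes)
]

@dataclass
class Instance:
    """One assignment of the ACL to a VLAN, holding its own ACE counters."""
    vlan: int
    kind: str  # "vacl" or "racl"
    hits: dict = field(default_factory=lambda: {ace[0]: 0 for ace in TEST_1})

    def applies(self, in_vlan, routed):
        # VACL: any IPv4 packet entering on the VLAN. RACL: routed packets only.
        return in_vlan == self.vlan and (self.kind == "vacl" or routed)

    def check(self, proto, dst, dport):
        for seq, action, ace_proto, net, port in TEST_1:
            in_net = ipaddress.ip_address(dst) in ipaddress.ip_network(net)
            if ace_proto in ("ip", proto) and in_net and port in (None, dport):
                self.hits[seq] += 1  # only this instance's counter moves
                return action
        return "deny"  # implicit deny at the end of every ACL

def send(instances, in_vlan, dst_vlan, proto, dst, dport=None):
    routed = in_vlan != dst_vlan
    for inst in instances:
        if inst.applies(in_vlan, routed):
            return inst.check(proto, dst, dport)
    return "permit"  # no ACL instance on this path

def run_scenario():
    inst = [Instance(20, "vacl"), Instance(50, "racl"), Instance(70, "racl")]
    results = [
        send(inst, 20, 20, "icmp", "10.10.20.12"),     # ping from 10.10.20.4
        send(inst, 20, 20, "tcp", "10.10.20.12", 23),  # Telnet from 10.10.20.4
        send(inst, 50, 20, "tcp", "10.10.20.12", 23),  # Telnet from VLAN 50
        send(inst, 70, 20, "tcp", "10.10.20.12", 23),  # Telnet from VLAN 70
    ]
    return results, {(i.kind, i.vlan): i.hits for i in inst}

if __name__ == "__main__":
    print(run_scenario())
```

When auditing deny counters, read each VLAN assignment separately: a zero count on one instance of an ACL says nothing about hits on the other instances.
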
IPv4 Access Control Lists (ACLs)
Enable ACL "Deny" Logging
(Figure 10-55 labels, continued: 5400zl Switch; VLAN 20, 10.10.20.1; VLAN 50, 10.10.55.1; VLAN 70, 10.10.70.1.)