Connection-Rate ACL Operating Notes - HP ProCurve 6400cl Series Access Security Manual

Virus Throttling (5300xl Switches Only)

Connection-Rate ACL Operating Notes

A connection-rate ACL allows you to configure two types of ACEs (Access Control Entries):

ignore < source-criteria >: This ACE type directs the switch to permit all inbound traffic meeting the configured < source-criteria > without filtering the traffic through the connection-rate policy configured on the port through which the traffic entered the switch. For example, ignore host 15.45.120.70 tells the switch to permit traffic from the host at 15.45.120.70 without filtering this host's traffic through the connection-rate policy configured for the port on which the traffic entered the switch.

filter < source-criteria >: This ACE type does the opposite of an ignore entry. That is, all inbound traffic meeting the configured < source-criteria > must be filtered through the connection-rate policy configured for the port on which the traffic entered the switch. This option is most useful in applications where it is easier to use filter to specify suspicious traffic sources for screening than to use ignore to specify exceptions for trusted traffic sources that don't need screening. For example, if the host at 15.45.127.43 requires connection-rate screening, but all other hosts in the VLAN do not, you would configure and apply a connection-rate ACL with filter ip host 15.45.127.43 as the first ACE and ignore ip any as the second ACE. In this case, the traffic from host 15.45.127.43 would be screened, but traffic from all other hosts on the VLAN would be permitted without connection-rate screening.

A connection-rate ACL includes a third, implicit filter ip any ACE which is automatically the last ACE in the ACL. This implicit ACE does not appear in displays of the ACL configuration, but is always present in any connection-rate ACL you configure. For example, assume that a port is configured with a connection-rate policy and is in a VLAN configured with a connection-rate ACL. If there is no match between an incoming packet and the ACE criteria in the ACL, then the implicit filter ip any sends the packet for screening by the connection-rate policy configured on that port. To preempt the implicit filter ip any in a given connection-rate ACL, you can configure ignore ip any as the last explicit ACE in the connection-rate ACL. The switch will then ignore (permit) traffic that is not explicitly addressed by other ACEs configured sequentially earlier in the ACL without filtering the traffic through the existing connection-rate policy.
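The ordering rules above (first matching ACE wins, with an invisible filter ip any at the end) are easy to get wrong when writing an ACL by hand. The following Python model is an added example, not switch code from HP or from this manual: it parses ACE lines in the form the manual shows (ignore/filter, an optional ip keyword, then any or host <address>), evaluates a source address against the list exactly as described, and flags ACEs that can never match because an earlier entry already covers their whole source range. The network/prefix source form and the shadowing check are assumptions added for illustration; only any and host appear on the page.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of connection-rate ACL matching; not the switch's implementation.


class Ace:
    """One Access Control Entry: an action plus the source range it matches."""

    def __init__(self, action: str, network: ipaddress.IPv4Network):
        if action not in ("ignore", "filter"):
            raise ValueError(f"unknown ACE action: {action!r}")
        self.action = action
        self.network = network

    def matches(self, src: ipaddress.IPv4Address) -> bool:
        return src in self.network

    def __repr__(self) -> str:
        return f"{self.action} ip {self.network}"


def parse_ace(line: str) -> Ace:
    """Parse 'filter ip host 15.45.127.43', 'ignore host 15.45.120.70' or 'ignore ip any'."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty ACE line")
    action = tokens[0].lower()
    rest = tokens[1:]
    if rest and rest[0].lower() == "ip":  # the manual writes the 'ip' keyword in some ACEs only
        rest = rest[1:]
    if not rest:
        raise ValueError(f"missing source criteria in ACE: {line!r}")
    keyword = rest[0].lower()
    if keyword == "any":
        network = ipaddress.IPv4Network("0.0.0.0/0")
    elif keyword == "host" and len(rest) == 2:
        network = ipaddress.IPv4Network(f"{rest[1]}/32")
    else:
        # Assumption: a network/prefix source form (e.g. 10.0.0.0/8); not shown on the page.
        network = ipaddress.IPv4Network(rest[0], strict=False)
    return Ace(action, network)


# The implicit last ACE the manual describes: never displayed, always present.
IMPLICIT_LAST_ACE = Ace("filter", ipaddress.IPv4Network("0.0.0.0/0"))


def evaluate(acl: List[Ace], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching explicit ACE), or (action, None) for the implicit ACE."""
    src = ipaddress.IPv4Address(src_ip)
    for index, ace in enumerate(acl):
        if ace.matches(src):
            return ace.action, index
    return IMPLICIT_LAST_ACE.action, None


def shadowed_indices(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE covers their entire source range."""
    return [
        i
        for i, ace in enumerate(acl)
        if any(ace.network.subnet_of(earlier.network) for earlier in acl[:i])
    ]


def demo() -> None:
    # The manual's example: screen one host, pass everything else unscreened.
    acl = [parse_ace(line) for line in ["filter ip host 15.45.127.43", "ignore ip any"]]
    for src in ("15.45.127.43", "15.45.120.70"):
        print(src, "->", evaluate(acl, src))

    # Same ACEs in the wrong order: 'ignore ip any' first shadows the filter entry.
    wrong_order = [parse_ace(line) for line in ["ignore ip any", "filter ip host 15.45.127.43"]]
    print("shadowed ACEs:", [wrong_order[i] for i in shadowed_indices(wrong_order)])

    # Only an ignore entry: unmatched sources fall through to the implicit filter ip any.
    ignore_only = [parse_ace("ignore host 15.45.120.70")]
    print("15.45.127.43 ->", evaluate(ignore_only, "15.45.127.43"))


if __name__ == "__main__":
    demo()
```

Run it and the wrong-order ACL reports its filter entry as shadowed, which is the misconfiguration to watch for: once an any entry appears, nothing after it (including the implicit filter ip any) is ever consulted.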
