HP 7102dl - ProCurve Secure Router Configuration Manual page 272

Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces
5-40
When a packet enters an interface that has been assigned an ACP, the Secure
Router OS firewall checks the first entry in the ACP. The firewall then reads
the associated ACL to determine if the packet matches the IP address and any
other fields that are specified. If the packet matches a permit entry in the ACL,
the firewall performs the action specified for that entry in the ACP. If the
packet matches a deny entry in the ACL, the Secure Router OS firewall does
not perform the action specified for that entry in the ACP. Instead, the Secure
Router OS firewall moves to the next entry in the ACP and checks whether
the packet matches that entry.
In Figure 5-9, for example, device 192.168.1.14 sends a packet that is destined
for the internal network attached to Router B. The access-policy (ACP) Private
has been applied to the PPP 2 interface on Router B, so Router B will try to
match all incoming traffic on that interface to the Private ACP.
Router B first attempts to match the packet to the Group 1 ACL. It checks each
entry in the Group 1 ACL, one-by-one, but the packet does not match any of
the entries. Router B then checks the next entry in the ACP and tries to match
the packet to the first entry in the Group 2 ACL. Because the packet does not
match the first entry, Router B moves to the second entry. When the packet
does not match the second entry, Router B moves to the next entry.
The packet matches the third entry in the Group 2 ACL: permit host
192.168.1.14. Because it is a permit entry, Router B selects the packet and
then takes the action specified in the ACP: it discards the packet.