Acl Configuration Factors; Acl Resource Consumption; The Sequence Of Entries In An Acl Is Significant - HP ProCurve 6120G/XG Manual

HP ProCurve Series 6120 Blade Switches Access Security Guide

ACL Configuration Factors

ACL Resource Consumption

Consumption of resources can be a significant factor in switches using
extensive ACL applications. In this case, resource usage takes precedence over
other factors when planning and configuring ACLs. For more information on
this topic, refer to "Planning an ACL Application" on page 9-17.

The Sequence of Entries in an ACL Is Significant

When the switch uses an ACL to determine whether to permit or deny a packet
on a particular interface, it compares the packet to the criteria specified in the
individual Access Control Entries (ACEs) in the ACL, beginning with the first
ACE in the list and proceeding sequentially until a match is found. When a
match is found, the switch applies the indicated action (permit or deny) to the
packet. This is significant because, once a match is found for a packet,
subsequent ACEs in the same ACL will not be used for that packet, regardless
of whether they match the packet.

For example, suppose that you have applied the ACL shown in figure 9-9 to
inbound traffic on port 10:

    access-list extended "101"
       deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255
       deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255
       permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0
       deny tcp 10.28.18.100 0.0.0.0 0.0.0.0 255.255.255.255
       permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit

Figure 9-12. Example of an Extended ACL that Permits All Traffic Not Implicitly Denied
Following the last explicit ACE in the ACL there is always an implicit "deny
any". However, in this case it will not be used because the last, explicit
permit statement allows all IP packets that earlier ACEs have not already
permitted or denied.
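
The first-match behavior described above can be traced with a small evaluator. This is an added example, not code from the HP manual or the switch software: it parses the five ACEs of ACL "101" exactly as listed, treats the masks as wildcard masks (a 1 bit means "ignore this bit"), and reports which ACE decides each packet. The sample packets are constructed, and TCP/UDP port criteria are not modelled.

```python
import ipaddress

# ACEs copied from the ACL "101" listing above:
# action, protocol, source, source wildcard, destination, destination wildcard
ACL_101 = """\
deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255
deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255
permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0
deny tcp 10.28.18.100 0.0.0.0 0.0.0.0 255.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Parse 'action proto src src-wildcard dst dst-wildcard' lines into ACE tuples."""
    aces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, proto, src, smask, dst, dmask = line.split()
        aces.append((action, proto, _to_int(src), _to_int(smask),
                     _to_int(dst), _to_int(dmask)))
    return aces

def _addr_match(addr, base, wildcard):
    # Wildcard mask: a 1 bit means "ignore this bit", a 0 bit means "must match".
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(aces, proto, src, dst):
    """Return (action, ACE number) for the first matching ACE, or ('deny', None)
    when no explicit ACE matches and the implicit 'deny any' applies."""
    s, d = _to_int(src), _to_int(dst)
    for number, (action, ace_proto, sa, sw, da, dw) in enumerate(aces, start=1):
        proto_ok = ace_proto == "ip" or ace_proto == proto  # 'ip' covers every IP protocol
        if proto_ok and _addr_match(s, sa, sw) and _addr_match(d, da, dw):
            return action, number  # first match wins; later ACEs are never consulted
    return "deny", None

if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    # Constructed sample packets: (protocol, source, destination)
    for pkt in [("tcp", "10.28.18.100", "10.28.237.1"),
                ("tcp", "10.28.18.100", "10.28.237.2"),
                ("udp", "10.28.18.100", "10.28.237.2"),
                ("tcp", "10.28.235.10", "10.28.237.1")]:
        print(pkt, "->", evaluate(aces, *pkt))
```

Swapping the third and fourth ACEs in the parsed list makes the broader deny match first, so TCP traffic from 10.28.18.100 to 10.28.237.1 is denied even though a matching permit still exists later in the list.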
IPv4 Access Control Lists (ACLs)
Configuring and Assigning an ACL
Figure callout: Source and Destination IP Addresses for the ACE in line 4 of the ACL.
9-37
