HP ProCurve 6120G/XG Manual page 332

HP ProCurve Series 6120 Blade Switches Access Security Guide
IPv4 Access Control Lists (ACLs)
Terminology
ACL ID: A number or alphanumeric string used to identify an ACL. A standard ACL ID can have either a number from 1 to 99 or an alphanumeric string. An extended ACL ID can have either a number from 100 to 199 or an alphanumeric string.

ACL Mask: Follows an IP address (source or destination) listed in an ACE to specify either a subnet or a group of devices. Defines which bits in a packet's corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits need not match (wildcards). For example:

[Figure: Dotted-Decimal and CIDR versions of the same mask. In both cases, zeros in the mask indicate significant digits. Ones in the mask indicate wildcard digits.]

As shown above, zeros in an ACL mask specify an exact match requirement for IP addresses, and ones specify a wildcard. In this example, a matching IP address would be any address in the range 10.10.10.1-255. (See also "How an ACE Uses a Mask To Screen Packets for Matches" on page 9-26.)

DA: The acronym for Destination IP Address. In an IP packet, this is the destination IP address carried in the header, and identifies the destination intended by the packet's originator. In an extended ACE, this is the second of two IP addresses required by the ACE to determine whether there is a match between a packet and the ACE. See also "SA".

Deny: An ACE configured with this action causes the switch to drop an inbound packet for which there is a match within an applicable ACL. As an option, you can configure the switch to generate a logging output to a Syslog server and a console session.

Extended ACL: This type of Access Control List uses layer-3 IP criteria composed of source and destination IP addresses and (optionally) TCP or UDP port criteria to determine whether there is a match with an IP packet. You can apply an extended ACL to inbound traffic on a port or trunk, including any inbound traffic with a DA belonging to the switch itself. Extended ACLs require an identification number (ID) in the range of 100 - 199 or an alphanumeric name.

Implicit Deny: If the switch finds no matches between an inbound packet and the configured criteria in an applicable ACL, then the switch denies (drops) the packet with an implicit "deny IP any" operation. You can preempt the implicit "deny IP any" in a given ACL by configuring permit any (standard) or permit IP any any (extended) as the last explicit ACE in

9-8
