Access Control Lists (ACLs)
Configuring and Assigning an ACL
1  ip access-list extended "101"
2  deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255
3  deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255
4  permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0
5  deny tcp 10.28.18.100 0.0.0.0 0.0.0.0 255.255.255.255
6  permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
7  exit
Figure 9-12. Example of an Extended ACL that Permits All Traffic Not Implicitly Denied
ACL Configuration Factors
ACL Resource Consumption
Consumption of resources can be a significant factor in switches using extensive ACL applications. In this case, resource usage takes precedence over
other factors when planning and configuring ACLs. For more information on
this topic, refer to "Planning an ACL Application" on page 9-16.
The Sequence of Entries in an ACL Is Significant
When the switch uses an ACL to determine whether to permit or deny a packet
on a particular interface, it compares the packet to the criteria specified in the
individual Access Control Entries (ACEs) in the ACL, beginning with the first
ACE in the list and proceeding sequentially until a match is found. When a
match is found, the switch applies the indicated action (permit or deny) to the
packet. This is significant because, once a match is found for a packet,
subsequent ACEs in the same ACL will not be used for that packet, regardless
of whether they match the packet.
For example, suppose that you have applied the ACL shown in figure 9-9 to
inbound traffic on port 10:
Following the last explicit ACE in the ACL there is always an implicit "deny
any". However, in this case it will not be used because the last, explicit
permit statement allows all IP packets that earlier ACEs have not already
permitted or denied.
(Figure callout: source and destination IP addresses for the ACE in line 4 of the ACL.)
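The first-match evaluation described above, worked through in Python as an added example (not code from the manual or the switch): it parses the ACL from figure 9-12, applies each ACE's wildcard masks in order, and falls through to the implicit "deny any". It also shows that swapping the order of two ACEs changes the outcome for the same packet. The packet tuples below are constructed for illustration.

```python
import ipaddress

# ACEs taken from the extended ACL "101" in figure 9-12. The ip access-list
# header is line 1 of that listing, so these ACEs are lines 2 through 6.
ACL_101 = """
deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255
deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255
permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0
deny tcp 10.28.18.100 0.0.0.0 0.0.0.0 255.255.255.255
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


def wildcard_match(addr, base, wildcard):
    """A wildcard bit of 1 means 'ignore this bit'; 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text):
    """Return ACEs as (action, protocol, src, src_wc, dst, dst_wc) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]


def evaluate(aces, proto, src, dst):
    """Walk the ACEs top to bottom and stop at the first match.

    Returns (action, line) where line is the ACE's line number in the
    figure listing, or None when the implicit 'deny any' decided.
    """
    for line, (action, ace_proto, s, s_wc, d, d_wc) in enumerate(aces, start=2):
        # 'ip' matches every IP protocol; 'tcp' matches only TCP packets
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, line  # later ACEs are never consulted
    return "deny", None  # implicit deny any following the last explicit ACE


ACES = parse_acl(ACL_101)
# Same ACL with lines 4 and 5 swapped: the broad deny now shadows the permit.
SWAPPED = ACES[:2] + [ACES[3], ACES[2]] + ACES[4:]
```

Running `evaluate(ACES, "tcp", "10.28.18.100", "10.28.237.1")` returns `("permit", 4)`, while the same packet against `SWAPPED` is denied at line 4.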