HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 281


Note
Although ACPs are a little more complicated to configure and apply, they
provide greater flexibility than ACLs do by themselves. With ACPs, you can
apply more than two ACLs to an interface. Each ACP can include an unlimited
number of entries, which reference an unlimited number of ACLs.
There is another major difference between ACLs and ACPs: you can use ACPs
to configure network address translation (NAT), which ACLs, by themselves,
do not support.
You can apply one ACP to each interface, and that ACP will affect only
incoming traffic on the interface. In addition, you can configure a maximum
of five ACPs on the ProCurve Secure Router.
Selecting the Traffic. Creating an ACL to select the traffic may at first seem
confusing because an ACL entry itself includes an action as well as a packet
pattern. The action can be either deny or permit, and the packet pattern can
vary, depending on the type of ACL you are creating:
- standard ACL—packet patterns based on source IP address
- extended ACL—packet patterns based on protocol, source and destination
  IP addresses, and, optionally, UDP or TCP port
When an ACL is used in conjunction with an ACP, a permit entry means that
the traffic defined by the packet pattern is selected for the action specified in
the ACP. A deny entry, on the other hand, means that the traffic is excluded
from the action specified in the ACP. If the ProCurve Secure Router detects
traffic that matches a deny entry in the ACL, it does not take the action
specified in the ACP entry. Instead, the router stops processing the ACL and
the related entry in the ACP and moves to the next entry in the ACP. For more
information about matching traffic to ACLs in ACPs, see "Processing ACPs"
on page 5-38.
ACPs support three types of actions:
- allow traffic selected by the ACL
- discard traffic selected by the ACL
- manipulate traffic selected by the ACL for NAT
This chapter focuses on creating ACPs to allow or discard traffic that is
selected by the ACL. NAT is discussed in Chapter 6: Configuring Network
Address Translation.
Remember that you must enable the Secure Router OS firewall before the
ACPs that you apply to interfaces can take effect.
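
The selection logic described under "Selecting the Traffic" can be modelled as follows. This is an added example, not code or configuration from the HP manual: the ACL names, networks and policy are constructed, each ACP entry is simplified to reference one standard ACL, and the handling of traffic that matches no entry is an assumption.

```python
import ipaddress

# Constructed sample data: ACL names, networks and policy are illustrative only.
ACLS = {
    # Standard ACLs: (action, source network), evaluated top to bottom.
    "MgmtHosts": [("deny", "10.1.1.66/32"), ("permit", "10.1.1.0/24")],
    "Branch":    [("permit", "10.2.0.0/16")],
    "AnySource": [("permit", "0.0.0.0/0")],
}

# ACP entries: (ACP action, referenced ACL), evaluated top to bottom.
ACP_INSIDE = [("allow", "MgmtHosts"), ("discard", "Branch"), ("allow", "AnySource")]


def acl_selects(acl_name, src_ip):
    """Return True if the first matching ACL entry is a permit (traffic selected).

    A matching deny entry stops ACL processing and returns False (traffic
    excluded). Assumption: a source matching no entry is also not selected.
    """
    src = ipaddress.ip_address(src_ip)
    for action, network in ACLS[acl_name]:
        if src in ipaddress.ip_network(network):
            return action == "permit"
    return False


def evaluate_acp(acp, src_ip):
    """Return (ACP action, ACL name) for the first entry whose ACL selects src_ip."""
    for acp_action, acl_name in acp:
        if acl_selects(acl_name, src_ip):
            return acp_action, acl_name
        # Excluded by this ACL: not dropped, just passed to the next ACP entry.
    return None, None  # Assumption: no entry selected the packet; outcome not modelled.


if __name__ == "__main__":
    for ip in ("10.1.1.5", "10.1.1.66", "10.2.3.4"):
        print(ip, evaluate_acp(ACP_INSIDE, ip))
```

The host 10.1.1.66 matches the deny entry in MgmtHosts, yet the result is an allow from the later AnySource entry: a deny in an ACL only excludes traffic from that ACP entry's action, so a broad permit further down the ACP can still admit it.
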
Applying Access Control to Router Interfaces
Quick Start
5-61


This manual is also suitable for: ProCurve Secure Router 7102 dl