HP ProCurve 5300xl Series Management Manual page 450

Advanced traffic
Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Configuring and Assigning an ACL
Table 10-7. Effect of the ACL in Figure 10-13 on Inbound Traffic on the Assigned Port

Line # | Action
1 | Shows list type (extended) and ID (101).
2 | A packet from IP source address 10.28.235.10 will be denied (dropped). This line filters out all packets received from 10.28.235.10. As a result, IP traffic from that device will not be routed or switched, and packets from that device will not be compared against any later entries in the list.
3 | A packet from IP source address 10.28.245.89 will be denied (dropped). This line filters out all packets received from 10.28.245.89. As a result, IP traffic from that device will not be routed or switched, and packets from that device will not be compared against any later entries in the list.
4 | A packet from TCP source address 10.28.18.100 with a destination address of 10.28.237.1 will be permitted (forwarded). Since no earlier lines in the list have filtered TCP packets from 10.28.18.100 destined for 10.28.237.1, the switch will use this line to evaluate such packets. Any packets that meet these criteria will be forwarded. (Any packets that do not meet this TCP source-destination criteria are not affected by this line.)
5 | A packet from TCP source address 10.28.18.100 to any destination address will be denied (dropped). Since, in this example, the intent is to block TCP traffic from 10.28.18.100 to any destination except the destination stated in line 4, this line must follow line 4. (If their relative positions were exchanged, all TCP traffic from 10.28.18.100 would be dropped, including the traffic for the 10.28.18.1 destination.)
6 | Any packet from any IP source address to any destination address will be permitted (forwarded). The only traffic to reach this line will be IP packets not specifically permitted or denied in the earlier lines.
n/a | The "implicit deny any any" is a function automatically added as the last action in all ACLs. It denies (drops) any IP traffic from any source to any destination that has not found a match with earlier entries in the list. In this example, line 6 permits (forwards) any IP traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the "implicit deny any any" function.
7 | Indicates the end of the ACL.
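The first-match behaviour that Table 10-7 walks through (a packet is judged by the first ACE it matches, later ACEs are never consulted, and an automatic "implicit deny any any" catches whatever remains) can be simulated so that the ordering constraint between lines 4 and 5 is checked rather than reasoned about by hand. The following is an added example, not code from the manual or from HP; the ACE list is a reconstruction of the ACL that the table describes, expressed in the protocol/source/destination terms the table uses, since the exact CLI syntax of each entry is not reproduced on this page. The `Ace` class and the `evaluate`, `swap_lines` and `shadowed` helpers are assumptions introduced here for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the terms Table 10-7 uses."""
    line: int            # configured line number; 0 marks the implicit deny
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any IP protocol; otherwise "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def host(addr: str) -> ipaddress.IPv4Network:
    """A single-host match (/32)."""
    return ipaddress.ip_network(f"{addr}/32")


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed reconstruction of extended ACL 101 from Table 10-7 (assumption:
# the page does not show the CLI text, only the effect of each line).
ACL_101 = [
    Ace(2, "deny",   "ip",  host("10.28.235.10"), ANY),
    Ace(3, "deny",   "ip",  host("10.28.245.89"), ANY),
    Ace(4, "permit", "tcp", host("10.28.18.100"), host("10.28.237.1")),
    Ace(5, "deny",   "tcp", host("10.28.18.100"), ANY),
    Ace(6, "permit", "ip",  ANY,                  ANY),
]

# Appended automatically to every ACL; it is not a configured line.
IMPLICIT_DENY = Ace(0, "deny", "ip", ANY, ANY)


def matches(ace: Ace, proto: str, src: str, dst: str) -> bool:
    """True if the packet (proto, src, dst) falls within this ACE."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return (ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst)


def evaluate(acl, proto: str, src: str, dst: str):
    """First-match evaluation: return (action, line) of the first ACE that
    matches; the implicit deny is consulted last and always matches."""
    for ace in list(acl) + [IMPLICIT_DENY]:
        if matches(ace, proto, src, dst):
            return ace.action, ace.line
    raise AssertionError("unreachable: the implicit deny matches everything")


def swap_lines(acl, a: int, b: int):
    """Return a copy of acl with the ACEs at configured lines a and b exchanged
    (used to reproduce the mis-ordering the table warns about)."""
    by_line = {ace.line: ace for ace in acl}
    swapped = {a: by_line[b], b: by_line[a]}
    return [swapped.get(ace.line, ace) for ace in acl]


def shadowed(acl):
    """Lines that can never match because an earlier ACE already covers
    every packet they would match (same or broader protocol, and both the
    source and destination ranges are contained in the earlier ACE's)."""
    dead = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                dead.append(ace.line)
                break
    return dead


if __name__ == "__main__":
    pkt = ("tcp", "10.28.18.100", "10.28.237.1")
    print("as configured:", evaluate(ACL_101, *pkt))         # permit by line 4
    print("lines 4/5 swapped:", evaluate(swap_lines(ACL_101, 4, 5), *pkt))
    print("shadowed lines after swap:", shadowed(swap_lines(ACL_101, 4, 5)))
```

`shadowed` is the check worth running before applying any ACL: with the order shown in the table it reports nothing, and after exchanging lines 4 and 5 it reports line 4, which is exactly the "all TCP traffic from 10.28.18.100 would be dropped" outcome the table describes. Note that `evaluate` on an empty list returns the implicit deny (line 0), which is the behaviour of an ACL with no permit entries at all.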
Figure 10-14. Per-Port Rule and Mask Usage for the ACL in Figure 10-13

The ACL in Figure 10-13, when applied to port 10, uses five per-port rules and four per-port masks. Note that the last ACE in the list is a duplicate of the implicit deny ip any any that is automatically included at the end of every extended ACL. As a result, the last configured (visible) ACE and the implicit deny ACE use the same rule and mask. For more on this topic, refer to Table 10-3 on page 10-19.