HP 6125G HP 6125G & 6125G/XG Blade Switches ACL and QoS Configuration - Page 7

Configuring ACLs, Overview, Applications on the switch, ACL categories, Numbering and naming ACLs

Get HP 6125G PDF manuals and user guides View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals

Page 7 highlights

Configuring ACLs Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also used by many modules, QoS and IP routing for example, for traffic classification and identification. Applications on the switch An ACL is implemented in hardware or software, depending on the module that uses it. If the module, the packet filter or QoS module for example, is implemented in hardware, the ACL is applied to hardware to process traffic. If the module, the routing or user interface access control module (Telnet, SNMP, or web) for example, is implemented in software, the ACL is applied to software to process traffic. The user interface access control module denies packets that do not match any ACL. Some modules, QoS for example, ignore the permit or deny action in ACL rules and do not base their drop or forwarding decisions on the action set in ACL rules. See the specified module for information about ACL application. ACL categories Category Basic ACLs ACL number IP version 2000 to IPv4 2999 IPv6 IPv4 Advanced ACLs 3000 to 3999 IPv6 Ethernet frame header ACLs 4000 to 4999 IPv4 and IPv6 Match criteria Source IPv4 address Source IPv6 address Source IPv4 address, destination IPv4 address, packet priority, protocols over IPv4, and other Layer 3 and Layer 4 header fields Source IPv6 address, destination IPv6 address, packet priority, protocols over IPv6, and other Layer 3 and Layer 4 header fields Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type Numbering and naming ACLs Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name. For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 1

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
1
Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also used by many modules, QoS and IP routing for
example, for traffic classification and identification.
Applications on the switch
An ACL is implemented in hardware or software, depending on the module that uses it. If the module, the
packet filter or QoS module for example, is implemented in hardware, the ACL is applied to hardware
to process traffic. If the module, the routing or user interface access control module (Telnet, SNMP, or web)
for example, is implemented in software, the ACL is applied to software to process traffic.
The user interface access control module denies packets that do not match any ACL. Some modules, QoS
for example, ignore the permit or deny action in ACL rules and do not base their drop or forwarding
decisions on the action set in ACL rules. See the specified module for information about ACL application.
ACL categories
Category
ACL number
IP version
Match criteria
Basic ACLs
2000 to
2999
IPv4
Source IPv4 address
IPv6
Source IPv6 address
Advanced ACLs
3000 to
3999
IPv4
Source IPv4 address, destination IPv4 address, packet
priority, protocols over IPv4, and other Layer 3 and Layer 4
header fields
IPv6
Source IPv6 address, destination IPv6 address, packet
priority, protocols over IPv6, and other Layer 3 and Layer 4
header fields
Ethernet frame
header ACLs
4000 to
4999
IPv4 and
IPv6
Layer 2 header fields, such as source and destination MAC
addresses, 802.1p priority, and link layer protocol type
Numbering and naming ACLs
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with
a name, you cannot rename it or delete its name.
For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic
or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6