HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 347
Traffic Management and Improved Network Performance, Security
View all HP 6120G/XG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 347 highlights
IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Traffic Management and Improved Network Performance You can use ACLs to block unnecessary traffic caused by individual hosts, workgroups, or subnets, and to block user access to subnets, devices, and services. Answering the following questions can help you to design and properly position ACLs for optimum network usage. ■ What are the logical points for minimizing unwanted traffic? In many cases it makes sense to block unwanted traffic from the core of your network by configuring ACLs to drop such traffic at or close to the edge of the network. (The earlier in the network path you block unwanted traffic, the greater the benefit for network performance.) ■ What traffic should you explicitly block? Depending on your network size and the access requirements of individual hosts, this can involve creating a large number of ACEs in a given ACL (or a large number of ACLs), which increases the complexity of your solution and rapidly consumes the resources. ■ What traffic can you implicitly block by taking advantage of the implicit deny any to deny traffic that you have not explicitly permitted? This can reduce the number of entries needed in an ACL and make more economical use of switch resources. ■ What traffic should you permit? In some cases you will need to explicitly identify permitted traffic. In other cases, depending on your policies, you can insert a permit any (standard ACL) or permit ip any any (extended ACL) entry at the end of an ACL. This means that all IP traffic not specifically matched by earlier entries in the list will be permitted. Security ACLs can enhance security by blocking inbound IP traffic carrying an unau thorized source IP address (SA). This can include: ■ Blocking access to or from subnets in your network ■ Blocking access to or from the internet ■ Blocking access to sensitive data storage or restricted equipment 9-23