HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 349
ACL Configuration and Operating Rules, Explicitly Denying Any IP Traffic
IPv4 Access Control Lists (ACLs)
Traffic Management and Improved Network Performance
ACL Configuration and Operating Rules

■ Per-Interface ACL Limits. At a minimum an ACL will have one explicit "deny" Access Control Entry. You can assign one ACL per interface, as follows:
  • Standard ACLs - Numeric range: 1 - 99
  • Extended ACLs - Numeric range: 100 - 199
  • Named (Extended or Standard) ACLs: Up to the maximum number of ports on the switch (minus any numeric ACL assignments)
■ Implicit "deny any": In any ACL, the switch automatically applies an implicit "deny IP any" that does not appear in show listings. This means that the ACL denies any packet it encounters that does not have a match with an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last visible ACE in the ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit any or permit ip any any entry will be permitted, and will not encounter the "deny ip any" ACE the switch automatically includes at the end of the ACL. For an example, refer to figure 9-4 on page 9-16.
■ Explicitly Permitting Any IP Traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL.
■ Explicitly Denying Any IP Traffic: Entering a deny any or a deny ip any any ACE in an ACL denies all IP traffic not previously permitted or denied by that ACL.
■ An ACL Assignment Is Exclusive: The switch allows one ACL assignment on an interface. If a port or static trunk already has an ACL assigned, you cannot assign another ACL to the interface without first removing the currently assigned ACL.
■ Replacing One ACL with Another: Where an ACL is already assigned to an interface, you must remove the current ACL assignment before assigning another ACL to that interface. If an assignment command fails because one or more interfaces specified in the command already have an ACL assignment, the switch generates this message in the CLI and in the Event Log:

< acl-list-# >: Unable to apply access control list.

9-25
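The sequential-match and implicit-deny behaviour described above, together with the one-ACL-per-interface rule, modelled as an added Python example (not code from the guide or from HP; the ACE source/destination fields, the ACL numbers 101 and 102, and the interface name A1 are constructed for illustration):

```python
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    """One Access Control Entry: an action plus source/destination match."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class Acl:
    """Ordered ACE list; the trailing implicit 'deny ip any' is not stored."""
    name: str
    aces: list = field(default_factory=list)

    def evaluate(self, src, dst):
        """Apply ACEs in order until one matches; return (action, reason)."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for i, ace in enumerate(self.aces, start=1):
            if ace.matches(s, d):
                return ace.action, f"ACE {i}"
        return "deny", "implicit deny ip any"  # never shown in listings


def assign_acl(assignments, interface, acl):
    """One ACL per interface: a second assignment fails with the Event Log text."""
    if interface in assignments:
        return f"< {acl.name} >: Unable to apply access control list."
    assignments[interface] = acl
    return f"{acl.name} applied to {interface}"


def demo():
    acl = Acl("101", [Ace("deny", ipaddress.IPv4Network("10.1.1.0/24")),
                      Ace("permit", ipaddress.IPv4Network("10.0.0.0/8"))])
    before = acl.evaluate("192.168.1.5", "10.2.2.2")  # matches no visible ACE
    acl.aces.append(Ace("permit"))                     # permit ip any any, last
    after = acl.evaluate("192.168.1.5", "10.2.2.2")
    assignments = {}
    first = assign_acl(assignments, "A1", acl)         # constructed interface
    second = assign_acl(assignments, "A1", Acl("102"))  # fails: A1 already has 101
    return before, after, first, second
```

Running `demo()` shows the same packet going from implicit deny to permit once `permit ip any any` is appended, and the second assignment to A1 being refused until the first ACL is removed.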