HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 333
IPv4 Access Control Lists (ACLs)
Terminology

the ACL. Doing so permits an inbound packet that is not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, "implicit deny IP any" refers to the "deny" action enforced by both standard and extended ACLs.

Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that:
• Enters the switch through a physical port.
• Has a destination IP address (DA) that meets either of these criteria:
  - The packet's DA is for an external device.
  - The packet's DA is for an IP address configured on the switch itself. (This increases your options for protecting the switch from unauthorized management access.)
Because ACLs are assigned to physical ports or port trunks, an ACL that filters inbound traffic on a particular port or trunk examines packets meeting the above criteria that enter the switch through that port or trunk.

Outbound Traffic: This is any traffic leaving the switch through a physical port or trunk. The switch does not apply ACLs to outbound traffic or internally where routed traffic moves between VLANs. That is, ACL operation is not affected by enabling or disabling routing on the switch. (Refer also to "ACL Inbound Application Points" on page 9-10.)

Permit: An ACE configured with this action allows a port or trunk to permit an inbound packet for which there is a match within an applicable ACL.

SA: The acronym for Source IP Address. In an IP packet, this is the source IP address carried in the IP header, and identifies the packet's sender. In an extended ACE, this is the first of two IP addresses used by the ACE to determine whether there is a match between a packet and the ACE. See also "DA".

Standard ACL: This type of Access Control List uses the layer-3 IP criterion of source IP address to determine whether there is a match with an inbound IP packet. You can apply a standard ACL to inbound traffic on a port or trunk, including any inbound traffic with a DA belonging to the switch itself. Standard ACLs require an identification number (ID) in the range of 1 - 99 or an alphanumeric name.

Wildcard: The part of a mask that indicates the bits in a packet's IP addressing that do not need to match the corresponding bits specified in an ACL. See also "ACL Mask" on page 9-8.

9-9
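The three definitions above (sequential ACE matching with first match wins, the implicit "deny IP any" at the end of every ACL, and a wildcard mask whose 1 bits are "don't care") are easiest to see in a small model. The following is an added example written for this page; it is not HP switch code and does not configure a switch. It models a standard ACL in Python: each ACE carries an action, an IP address and a wildcard mask, the ACL is walked in order, and a packet whose SA matches no ACE falls through to the implicit deny. The ACE names, addresses and the final explicit "permit any" entry are constructed for illustration (the page itself describes a trailing permit ACE as the way to override the implicit deny).

```python
"""Model of standard-ACL matching semantics (added example, not switch firmware).

Wildcard mask convention, as defined in the glossary above: a 1 bit in the
wildcard marks an address bit that does NOT need to match; a 0 bit marks one
that must match.  Entries are evaluated in configured order and the first
match decides the action; with no match, the implicit "deny IP any" applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry of a standard (source-address only) ACL."""
    action: str      # "permit" or "deny"
    ip: str          # dotted-quad address the ACE was configured with
    wildcard: str    # dotted-quad wildcard mask (1 = don't care)

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"unknown ACE action: {self.action!r}")


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(ace: ACE, sa: str) -> bool:
    """True if the packet's source address (SA) matches this ACE.

    Only the bits the wildcard marks as "must match" (wildcard bit == 0) are
    compared, so 0.0.0.0 matches a single host and 255.255.255.255 matches any.
    """
    care = ~_to_int(ace.wildcard) & ALL_ONES       # bits that must agree
    return (_to_int(ace.ip) & care) == (_to_int(sa) & care)


def evaluate_standard_acl(acl: List[ACE], sa: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL in order and return (action, index_of_matching_ACE).

    index is None when no ACE matched, i.e. the implicit "deny IP any" fired.
    """
    for index, ace in enumerate(acl):
        if ace_matches(ace, sa):
            return ace.action, index
    return "deny", None                              # implicit deny IP any


# Constructed sample ACL (hypothetical addresses, numbered "10" for illustration).
# Order matters: the host permit must precede the subnet deny to take effect.
ACL_10 = [
    ACE("permit", "10.10.20.7",  "0.0.0.0"),          # a single management host
    ACE("deny",   "10.10.20.0",  "0.0.0.255"),        # the rest of its /24
    ACE("permit", "10.10.0.0",   "0.0.255.255"),      # everything else in 10.10/16
]

# Same ACL with an explicit trailing "permit any", which overrides the
# implicit deny for every SA the earlier ACEs did not decide.
ACL_10_PERMIT_ANY = ACL_10 + [ACE("permit", "0.0.0.0", "255.255.255.255")]


if __name__ == "__main__":
    for sa in ("10.10.20.7", "10.10.20.8", "10.10.99.1", "192.0.2.1"):
        print(sa, evaluate_standard_acl(ACL_10, sa),
              evaluate_standard_acl(ACL_10_PERMIT_ANY, sa))
```

The model shows why ACE order is a security control in itself: swapping the first two entries of ACL_10 would silently deny the management host, and appending "permit any" turns a default-deny ACL into a default-permit one for every address the earlier entries did not mention. A standard ACL decides on SA alone; the DA-to-switch case in the Inbound Traffic definition only determines which packets the switch offers to the ACL, not how the ACE is matched.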