HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 340
Example of How an ACL Filters Packets, deny any
IPv4 Access Control Lists (ACLs)
ACL Operation

2. Deny only the inbound Telnet traffic sent from IP address 11.11.11.101.
3. Permit only inbound Telnet traffic sent from IP address 11.11.11.33.
4. Deny all other inbound traffic on port 12.

The following ACL model, when assigned to inbound filtering on port 12, supports the above case:

1. Permits IP traffic inbound from source address 11.11.11.42. Packets matching this criterion are permitted and will not be compared to any later ACE in the list. Packets not matching this criterion will be compared to the next entry in the list.
2. Denies Telnet traffic from source address 11.11.11.101. Packets matching this criterion are dropped and are not compared to later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
3. Permits any IP traffic from source address 11.11.11.101. Any packets matching this criterion will be permitted and will not be compared to any later criteria in the list. Because this entry comes after the entry blocking Telnet traffic from this same address, there will not be any Telnet packets to compare with this entry; they have already been dropped as a result of matching the preceding entry.
4. Permits Telnet traffic from source address 11.11.11.33. Packets matching this criterion are permitted and are not compared to any later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
5. This entry does not appear in an actual ACL, but is implicit as the last entry in every ACL. Any inbound packets on port 12 that do not match any of the criteria in the ACL's preceding entries will be denied (dropped).

Figure 9-4. Example of How an ACL Filters Packets

It is important to remember that this ACL (and all ACLs) includes an implicit deny any. That is, inbound IP packets (including switched packets having the switch as the destination IP address) that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped. You can preempt the implicit deny by inserting a "permit IP any" at the end of an ACL, but this solution does not apply in the preceding example, where the intention is for the switch to allow only explicitly permitted packets inbound on port 12.

9-16
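The first-match evaluation and implicit deny any described above, as an added Python model that is not part of the HP guide: it encodes entries 1 through 4 of Figure 9-4 in a constructed ACE representation (not ProCurve CLI syntax), assumes "Telnet traffic" means TCP to destination port 23, and also shows why swapping entries 2 and 3 would let the Telnet traffic through and how a trailing "permit ip any" preempts the implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the port-12 ACL in Figure 9-4 (not ProCurve CLI syntax).
# Assumption: "Telnet traffic" means TCP to destination port 23.
TELNET = 23

@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol, else e.g. "tcp"
    src: str                  # source prefix in CIDR notation
    dst_port: Optional[int] = None  # None matches any destination port

# Entries 1-4 of the figure, in order. Entry 5 (implicit deny any) is not
# listed: evaluate() applies it when nothing else matches, as the switch does.
ACL_PORT12: List[Ace] = [
    Ace("permit", "ip", "11.11.11.42/32"),
    Ace("deny", "tcp", "11.11.11.101/32", TELNET),
    Ace("permit", "ip", "11.11.11.101/32"),
    Ace("permit", "tcp", "11.11.11.33/32", TELNET),
]

def matches(ace: Ace, src_ip: str, proto: str, dst_port: Optional[int]) -> bool:
    if ip_address(src_ip) not in ip_network(ace.src):
        return False
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ace.dst_port is None or ace.dst_port == dst_port

def evaluate(acl: List[Ace], src_ip: str, proto: str,
             dst_port: Optional[int] = None) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, 1-based entry number); the
    entry number len(acl)+1 denotes the implicit deny any at the end."""
    for n, ace in enumerate(acl, start=1):
        if matches(ace, src_ip, proto, dst_port):
            return ace.action, n       # later entries are never consulted
    return "deny", len(acl) + 1        # implicit deny any

# Same ACEs with entries 2 and 3 swapped: the broad permit now shadows the
# Telnet deny, which is why ACE order matters.
ACL_MISORDERED = [ACL_PORT12[0], ACL_PORT12[2], ACL_PORT12[1], ACL_PORT12[3]]

if __name__ == "__main__":
    for pkt in [("11.11.11.101", "tcp", TELNET), ("11.11.11.101", "tcp", 80),
                ("11.11.11.33", "tcp", TELNET), ("11.11.11.33", "tcp", 80),
                ("11.11.11.42", "udp", 53), ("11.11.11.77", "tcp", TELNET)]:
        print(pkt, "->", evaluate(ACL_PORT12, *pkt))
```

Running the script prints which entry decides each constructed packet; non-Telnet traffic from 11.11.11.33 and anything from an unlisted host fall through to entry 5, the implicit deny.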