HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 342
IPv4 Access Control Lists (ACLs)
Planning an ACL Application

Rule Usage

■ There is only one implicit "deny any" entry per device for CLI ACLs, and one implicit "deny any" entry per device for IDM ACLs.
■ The implicit "deny any" entry is created only the first time an ACL is applied to a port. After that, the port map for that "deny any" entry is updated to include or remove additional ports.
■ Each ACE, including the implicit deny any ACE in a standard ACL, uses one rule.
■ There is a separate rule for every ACE, whether the ACE uses the same mask or a new mask.
■ Two hardware rules are used for any "permit" ACE with TCP or UDP specified. One rule is for normal packets and one is for fragmented packets.

Table 9-2 on page 9-18 summarizes switch use of resources to support ACEs.

Table 9-2. ACL Rule and Mask Resource Usage

ACE Type                                                                                          Rule Usage

Standard ACLs
  Implicit deny any (automatically included in any standard ACL, but not displayed by the
  show access-list <acl-#> command)                                                               1
  First ACE entered                                                                               1
  Next ACE entered with same ACL mask                                                             1
  Next ACE entered with a different ACL mask                                                      1
  Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE     1
  Closing ACL with a deny any or permit any ACE having a different ACL mask than the
  preceding ACE                                                                                   1

Extended ACLs
  Implicit deny ip any (automatically included in any standard ACL, but not displayed by the
  show access-list <acl-#> command)                                                               1
  First ACE entered                                                                               1
  Next ACE entered with same SA/DA ACL mask and same IP or TCP/UDP protocols specified            2
  Next ACE entered with any of the following differences from the preceding ACE in the list:
    - Different SA or DA ACL mask
    - Different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA              1
  Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with
  the same SA and DA ACL masks                                                                    1
  Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with
  different SA and/or DA ACL masks                                                                1
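The rule-usage bullets above can be turned into a simple capacity estimate before an ACL is applied. The following Python is an added example, not code from the manual or from HP: it counts one hardware rule per ACE, two for a permit ACE that names TCP or UDP, and one implicit "deny any" per device added the first time an ACL is applied. The ACE line grammar it parses is a simplification (assumption), and the sample ACLs are constructed.

```python
# Added example: estimate hardware rule consumption for a set of ACLs using the
# counting rules from this section. A rough planning model, not the switch's own accounting.
from dataclasses import dataclass

# Protocol keywords this simplified parser recognises in an extended ACE (assumption).
IP_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp"}


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    protocol: str  # "ip" for standard ACLs and extended IP ACEs, else "tcp", "udp", ...


def parse_ace(line):
    """Parse a simplified ACE line such as 'permit tcp 10.1.1.0 0.0.0.255 any eq 80'
    or the standard-ACL form 'deny 10.1.2.0 0.0.0.255' (simplified grammar, assumption)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACE: {line!r}")
    protocol = tokens[1].lower() if tokens[1].lower() in IP_PROTOCOLS else "ip"
    return Ace(action=tokens[0], protocol=protocol)


def rules_for_ace(ace):
    """A permit ACE with TCP or UDP specified needs two hardware rules
    (one for normal packets, one for fragments); every other ACE needs one."""
    return 2 if ace.action == "permit" and ace.protocol in ("tcp", "udp") else 1


def rule_usage(acls, applied=True):
    """acls maps ACL name -> list of ACE lines. Returns (per-ACL counts, device total).
    The implicit 'deny any' is one rule per device for CLI ACLs, created the first time
    any ACL is applied to a port, so it is added once, not once per ACL."""
    per_acl = {name: sum(rules_for_ace(parse_ace(l)) for l in lines)
               for name, lines in acls.items()}
    total = sum(per_acl.values()) + (1 if applied and acls else 0)
    return per_acl, total


# Constructed sample ACLs (not taken from the manual).
SAMPLE_ACLS = {
    "10": ["permit 10.1.1.0 0.0.0.255", "deny any"],          # standard ACL with explicit closing deny
    "100": ["permit tcp 10.1.1.0 0.0.0.255 any eq 80",        # 2 rules: permit + TCP
            "permit udp any any eq 53",                       # 2 rules: permit + UDP
            "deny tcp any any eq 23",                         # 1 rule: deny is not doubled
            "permit ip 10.1.2.0 0.0.0.255 any",               # 1 rule: IP, not TCP/UDP
            "deny ip any any"],                               # 1 rule: explicit closing deny
}

if __name__ == "__main__":
    per_acl, total = rule_usage(SAMPLE_ACLS)
    for name, n in per_acl.items():
        print(f"ACL {name}: {n} hardware rules")
    print(f"device total including one implicit deny any: {total}")
```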