HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 348
Guidelines for Planning the Structure of an ACL, permit any, deny any
IPv4 Access Control Lists (ACLs)
Traffic Management and Improved Network Performance

■ Preventing the use of specific TCP or UDP functions (such as Telnet, SSH, web browser) for unauthorized access

You can also enhance switch management security by using ACLs to block inbound IP traffic that has the switch itself as the destination address (DA).

Caution: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.

Note: ACLs do not screen non-IP traffic such as AppleTalk and IPX.

Guidelines for Planning the Structure of an ACL

The first step in planning a specific ACL is to determine where you will apply it. (Refer to "ACL Inbound Application Points" on page 9-10.) You must then determine the order in which you want the individual ACEs in the ACL to filter traffic. Some applications require high usage of the resources the switch uses to support ACLs. In these cases it is important to order the individual ACEs in a list to avoid unnecessarily using resources. For more on this topic, refer to "Planning an ACL Application" on page 9-17.

■ The first match dictates the action on a packet; subsequent matches are ignored.

■ On any ACL, the switch implicitly denies packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is not a match in an ACL, add permit any as the last ACE in the ACL. This ensures that no packets reach the implicit deny any case.

■ Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
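The three ordering rules above (first match wins, implicit deny at the end, specific before general) can be checked with a small first-match evaluator. This is an added example, not code or ACE syntax from the HP guide; the (action, source, destination) triple form, the printer address and the workstation subnet are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Added example (not from the HP guide): a minimal first-match ACL evaluator
# that reproduces the ordering rules described above. The ACE format is a
# simplified (action, source network, destination network) triple, an
# assumption for illustration rather than the switch's own ACE syntax.

def evaluate(acl, src, dst):
    """Return the action the ACL takes for a packet from src to dst.

    Walks the ACEs in order; the first match decides and later ACEs are
    ignored. If nothing matches, the implicit 'deny any' at the end applies.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if src_ip in ip_network(src_net) and dst_ip in ip_network(dst_net):
            return action
    return "deny"  # implicit deny any: nothing in the list permitted the packet

# Constructed addresses: a printer and the small group of workstations that
# should be the only hosts allowed to reach it.
PRINTER = "10.1.50.7/32"
WORKSTATIONS = "10.1.10.0/28"  # 10.1.10.0 - 10.1.10.15

# Specific before general: the narrow permit first, the broad deny second, and
# a trailing 'permit any' so unrelated traffic never reaches the implicit deny.
ACL_CORRECT = [
    ("permit", WORKSTATIONS, PRINTER),
    ("deny", "0.0.0.0/0", PRINTER),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same ACEs with the broad deny first: the specific permit is never reached,
# so the workstations lose printer access even though a permit for them exists.
ACL_WRONG_ORDER = [
    ("deny", "0.0.0.0/0", PRINTER),
    ("permit", WORKSTATIONS, PRINTER),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

# No trailing 'permit any': anything not explicitly listed hits the implicit deny.
ACL_NO_PERMIT_ANY = [
    ("permit", WORKSTATIONS, PRINTER),
    ("deny", "0.0.0.0/0", PRINTER),
]

if __name__ == "__main__":
    for name, acl in [("correct", ACL_CORRECT), ("wrong order", ACL_WRONG_ORDER),
                      ("no permit any", ACL_NO_PERMIT_ANY)]:
        print(name, evaluate(acl, "10.1.10.5", "10.1.50.7"),
              evaluate(acl, "10.1.20.9", "10.1.50.7"), evaluate(acl, "10.1.20.9", "10.1.60.1"))
```

Swapping the first two ACEs is enough to turn the workstations' permit into a dead entry, which is the failure the specific-before-general rule is meant to prevent.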