HP Configuration guidelines, Recommend ACL configuration procedures

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Implementing time-based ACL rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only in any time periods specified by the time range.

The following basic types of time range are available:

•Periodic time range—Recurs periodically on a day or days of the week.

•Absolute time range—Represents only a period of time and does not recur.

IPv4 fragments filtering with ACLs

Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To improve network security, ACL filters all packets by default, including fragments and non-fragmented packets. Meanwhile, to improve match efficiency, you can modify ACL rules. For example, you can configure ACL rules to filter non-first fragments only.

Configuration guidelines

When you configure an ACL, follow these guidelines:

•You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

•You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you can choose to change just some of the settings, in which case the other settings remain the same.

Recommended IPv4 ACL configuration procedure

Add an IPv4 ACL. The category of the added ACL depends on the ACL number that you specify.

452