Enhancements

Release M.10.02 Enhancements

Terminology

ACE: See Access Control Entry, below.

Access Control Entry (ACE): An ACE is a policy consisting of a packet-handling action and criteria to define the packets on which to apply the action. For RADIUS-based ACLs, the elements composing the ACE include:

permit or drop (action)

in <ip-packet-type> from any (source)

to <ip-address[/mask] | any> (destination)

[port-#] (optional TCP or UDP application port number, used only when the packet type is TCP or UDP)

[cnt] (optional counter that increments when there is a packet match)

ACL: See Access Control List, below.

Access Control List (ACL): A list (or set) consisting of one or more explicitly configured Access Control Entries (ACEs) and terminating with an implicit “deny” default which drops any packets that do not have a match with any explicit ACE in the named ACL.

ACL Mask: Follows a destination IP address listed in an ACE. Defines which bits in a packet’s corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits need not match (wildcards).

DA: The acronym for Destination IP Address. In an IP packet, this is the destination IP address carried in the header, and identifies the destination intended by the packet’s originator.

Deny: An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL.

Deny Any Any: An abbreviated form of deny in ip from any to any, which denies any inbound IP traffic from any source to any destination.

Extended ACL: This type of Access Control List uses layer-3 IP criteria composed of source and destination IP addresses and (optionally) TCP or UDP port criteria to determine whether there is a match with an IP packet. On the 3400cl switches, the source IP address is always defined as “any”, and extended ACLs apply only to inbound bridged or routed traffic. For a RADIUS-based, extended ACL assigned to a port, only the inbound traffic from the client whose authentication caused the ACL assignment is filtered. Inbound traffic from any other sources is denied.

Implicit Deny: If the switch finds no matches between an inbound packet and the configured criteria in an applicable ACL, then the switch denies (drops) the packet with an implicit “deny IP any/any” operation. You can preempt the implicit “deny IP any/any” in a given ACL by configuring permit in ip from any to any as the last explicit ACE in the ACL. Doing so permits any inbound IP
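The terminology above describes a small, well-defined evaluation model: a RADIUS-based ACL is an ordered list of ACEs, each packet is tested against the ACEs in order, the first match decides the action (and bumps the ACE's counter when cnt is set), and a packet that matches nothing falls through to the implicit deny. The following Python script is an added example written for this page, not code from HP or from the switch firmware; it parses ACEs in the permit/deny in <ip-packet-type> from any to <destination> [port-#] [cnt] form shown in the ACE entry and evaluates constructed sample packets against them. Two details are assumptions rather than statements from the page: a dotted-decimal mask after "/" is treated as a wildcard mask in which 1 bits "need not match" (the ACL Mask entry's wording), while a plain number after "/" is treated as a prefix length; and the keyword drop is accepted as a synonym for deny because the ACE entry uses both words.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Simplified view of an inbound IP packet: only the fields an ACE inspects.
@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    dst: str              # destination IPv4 address (DA)
    dport: int | None = None  # TCP/UDP destination port, if any


@dataclass
class ACE:
    action: str           # "permit" or "deny"
    proto: str            # ip-packet-type; "ip" matches every IP packet
    dst_addr: int | None  # masked destination address; None means "any"
    dst_must: int         # bit set to 1 where the packet DA must match exactly
    port: int | None      # optional TCP/UDP port-#
    count: bool           # True when "cnt" was given
    hits: int = 0         # counter incremented on each match when count is set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if self.dst_addr is not None:
            da = int(ipaddress.IPv4Address(pkt.dst))
            if da & self.dst_must != self.dst_addr:
                return False
        if self.port is not None and pkt.dport != self.port:
            return False
        return True


# Grammar of one RADIUS-based ACE as listed in the Terminology section.
ACE_RE = re.compile(
    r"^(?P<action>permit|deny|drop)\s+in\s+(?P<proto>[a-z]+)\s+from\s+any\s+to\s+"
    r"(?P<dst>any|\d+\.\d+\.\d+\.\d+(?:/\S+)?)"
    r"(?:\s+(?P<port>\d+))?(?:\s+(?P<cnt>cnt))?\s*$"
)


def _mask_bits(addr: str, mask: str | None) -> tuple[int, int]:
    """Return (masked address, must-match bits) for an ACE destination."""
    a = int(ipaddress.IPv4Address(addr))
    if mask is None:                       # no mask: every bit must match
        must = 0xFFFFFFFF
    elif mask.isdigit():                   # "/24" style prefix length
        n = int(mask)
        if not 0 <= n <= 32:
            raise ValueError(f"bad prefix length {mask}")
        must = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    else:                                  # dotted ACL mask (assumption): 1 = wildcard
        must = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return a & must, must


def parse_ace(text: str) -> ACE:
    m = ACE_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not a RADIUS-based ACE: {text!r}")
    action = "deny" if m["action"] == "drop" else m["action"]
    proto = m["proto"]
    port = int(m["port"]) if m["port"] else None
    if port is not None and proto not in ("tcp", "udp"):
        raise ValueError("port-# is only valid when ip-packet-type is tcp or udp")
    if m["dst"] == "any":
        dst_addr, dst_must = None, 0
    else:
        addr, _, mask = m["dst"].partition("/")
        dst_addr, dst_must = _mask_bits(addr, mask or None)
    return ACE(action, proto, dst_addr, dst_must, port, bool(m["cnt"]))


class ACL:
    """Ordered ACE list with the implicit 'deny in ip from any to any' at the end."""

    def __init__(self, name: str, aces: list[str]):
        self.name = name
        self.aces = [parse_ace(a) for a in aces]

    def evaluate(self, pkt: Packet) -> tuple[str, int | None]:
        """First-match evaluation: (action, index of the matching ACE), or
        ("deny", None) when the packet reaches the implicit deny."""
        for i, ace in enumerate(self.aces):
            if ace.matches(pkt):
                if ace.count:
                    ace.hits += 1
                return ace.action, i
        return "deny", None


if __name__ == "__main__":
    # Constructed sample ACL and packets (not from the manual).
    acl = ACL("demo", [
        "permit in tcp from any to 10.10.10.0/24 80 cnt",
        "permit in udp from any to 10.10.10.53/0.0.0.0 53",
        "deny in ip from any to 10.10.0.0/16",
        "permit in icmp from any to any",
    ])
    for pkt in (Packet("tcp", "10.10.10.7", 80), Packet("tcp", "10.10.10.7", 443),
                Packet("udp", "10.10.10.53", 53), Packet("tcp", "192.0.2.1", 80)):
        print(pkt, "->", acl.evaluate(pkt))
    print("ACE 0 hits:", acl.aces[0].hits)
```

Running the script shows the two points the glossary makes about ordering: the TCP packet to port 443 is caught by the broader deny for 10.10.0.0/16 that follows the port-80 permit, and the packet to 192.0.2.1 matches no explicit ACE at all and is dropped by the implicit deny (reported as index None). Appending permit in ip from any to any as a final ACE, as the Implicit Deny entry describes, would turn that last result into a permit.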
