Chapter 3

Using Access Control Lists (ACLs)

Access control lists (ACLs) enable you to permit or deny packets based on source and destination IP address, IP protocol information, or TCP or UDP protocol information. You can configure the following types of ACLs:

Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are a number from 1 – 99 or a string.

Extended – Permits or denies packets based on source and destination IP address and also based on IP protocol information. Valid extended ACL IDs are a number from 100 – 199 or a string.
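As an added illustration (not part of this manual and not the HP CLI syntax), the following Python models the two ACL types and ID ranges described above. The Rule and Packet types, CIDR notation for networks, and the top-down, first-match evaluation ending in an implicit deny are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR form, or "any"
    dst: str = "any"             # extended ACLs only: destination network or "any"
    proto: str = "ip"            # extended ACLs only: "ip" (any), "tcp", "udp", "icmp"
    dport: Optional[int] = None  # extended ACLs only: TCP/UDP destination port

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def acl_kind(acl_id, kind=None):
    """1-99 is standard, 100-199 extended; a string names an ACL, so the
    caller must say which kind it is."""
    if isinstance(acl_id, int):
        if 1 <= acl_id <= 99:
            return "standard"
        if 100 <= acl_id <= 199:
            return "extended"
        raise ValueError(f"ACL ID {acl_id} is not in 1-99 or 100-199")
    if kind not in ("standard", "extended"):
        raise ValueError("a named ACL needs an explicit kind")
    return kind

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _rule_match(rule, pkt, kind):
    if not _addr_match(rule.src, pkt.src):
        return False
    if kind == "standard":  # standard ACLs never look past the source address
        return True
    if not _addr_match(rule.dst, pkt.dst):
        return False
    return rule.proto in ("ip", pkt.proto) and (rule.dport is None or rule.dport == pkt.dport)

def evaluate(acl_id, rules, pkt, kind=None):
    # Entries are checked top-down and the first match wins (assumed model behaviour).
    kind = acl_kind(acl_id, kind)
    for rule in rules:
        if _rule_match(rule, pkt, kind):
            return rule.action
    return "deny"  # assumed implicit deny at the end of every ACL
```

Feeding the same packet to a standard and an extended ACL shows why only the extended form can distinguish, say, SSH to one host from SSH to any other host.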

This chapter also describes Policy-Based Routing (PBR), a feature that allows you to use ACLs and route maps to selectively modify and route IP packets based on their source IP address.

NOTE: This chapter describes IP forwarding ACLs and management access ACLs only. For information about ACLs used for BGP4 filtering, see “Configuring BGP4” on page 10-1.

NOTE: For optimal performance, apply deny ACLs to inbound ports instead of outbound ports. This way, traffic is dropped as it tries to enter the HP device, instead of being dropped after it has been forwarded internally to the outbound port.

NOTE: Outbound ACLs do not filter broadcast traffic or any traffic (including ICMP replies) generated by the HP device itself.

Overview

The following section describes ACLs. To configure ACLs, go to the following sections:

“Disabling or Re-Enabling Access Control Lists (ACLs)” on page 3-4

“Configuring Standard ACLs” on page 3-5

“Configuring Extended ACLs” on page 3-9

“Configuring Named ACLs” on page 3-18

“Modifying ACLs” on page 3-19

“Applying an ACL to a Subset of Ports on a Virtual Interface” on page 3-21

“Enabling Strict TCP or UDP Mode” on page 3-21

“Displaying ACLs” on page 3-23

3 - 1