Installation and Getting Started Guide

“Displaying the Log Entries” on page 3-23

“Policy-Based Routing (PBR)” on page 3-24

Usage Guidelines for Access Control Lists (ACLs)

This section provides some guidelines for implementing ACLs to ensure wire-speed ACL performance.

For optimal ACL performance, use the following guidelines:

Apply ACLs to inbound traffic rather than outbound traffic.

Use the default filtering behavior as much as possible. For example, if you are concerned with filtering only a few specific addresses, create deny entries for those addresses, then create a single entry to permit all other traffic. For tighter control, create explicit permit entries and use the default deny action for all other addresses.

Use deny ACLs sparingly. When a deny ACL is applied to an interface, the software sends all packets sent or received on the interface (depending on the traffic direction of the ACL) to the CPU for examination.

Adjust system resources if needed:

If IP traffic is going to be high, increase the size of the IP forwarding cache to allow more routes. To do so, use the system-max ip-cache <num> command at the global CONFIG level of the CLI.

If much of the IP traffic you are filtering is UDP traffic, increase the size of the session table to allow more ACL sessions. To do so, use the system-max session-limit <num> command at the global CONFIG level of the CLI.

Avoid the following implementations when possible:

Do not apply ACLs to outbound traffic. The system creates separate inbound ACLs to ensure that an outbound ACL is honored for traffic that normally would be forwarded to other ports.

Do not enable the strict TCP ACL mode unless you need it for tighter security.

Avoid ICMP-based ACLs where possible. If you are interested in providing protection against ICMP Denial of Service (DoS) attacks, use HP’s DoS protection features. See “Protecting Against Denial of Service Attacks” on page B-1.

If the IP traffic in your network is characterized by a high volume of short sessions, this also can affect ACL performance, since this traffic initially must go to the CPU. All ICMP ACLs go to the CPU, as do all TCP SYN, SYN/ACK, FIN, and RST packets and the first UDP packet of a session.
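The following configuration fragment is an added illustration of the guidelines above; it is not taken from the manual and is not a vendor-supplied configuration. It shows the two default-action styles described under "Use the default filtering behavior as much as possible" (a short deny list followed by a permit-all entry, and explicit permits that rely on the implicit deny), applies each ACL inbound as recommended, and raises the two system-max values. The interface name and all addresses and port numbers are constructed placeholders, and the exact syntax accepted by a given software release should be checked against that release's CLI reference.

```text
! --- Style 1: block a few known addresses, permit everything else ---
! Standard ACL 1 (IDs 1-99): deny entries first, then one permit-all entry.
! Addresses are placeholders, not real hosts.
access-list 1 deny host 192.0.2.15
access-list 1 deny 198.51.100.0 0.0.0.255
access-list 1 permit any

! --- Style 2: tighter control, permit only what is needed ---
! Extended ACL 101 (IDs 100-199): explicit permits; anything not listed
! falls through to the default deny, so no trailing deny entry is needed.
! 'log' on a deny entry sends matches to the CPU, so use it sparingly.
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any host 203.0.113.10 eq 22
access-list 101 permit udp any host 203.0.113.53 eq 53

! --- Apply by ACL ID, inbound only, as the guidelines recommend ---
interface ethernet 1/1
 ip access-group 1 in
 exit
interface ethernet 1/2
 ip access-group 101 in
 exit

! --- Global CONFIG level: enlarge the tables if traffic volume warrants ---
! Values are placeholders; system-max changes are saved with 'write memory'
! and take effect after a reload on the platforms the author has worked with
! (an assumption to verify for your software release).
system-max ip-cache 20000
system-max session-limit 32768
write memory
```

Note that ACL 101 is applied to a different interface than ACL 1: only one ACL is bound per interface and direction, which is why the guidelines describe grouping entries under a single ACL ID rather than applying entries individually.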

ACL Support on the HP Products

HP ACLs have two basic types of uses:

Filtering forwarded traffic through the device – described in this chapter

Controlling management access to the device itself – described in the “Securing Access” chapter in the Installation and Getting Started Guide

ACL IDs and Entries

ACLs consist of ACL IDs and ACL entries:

ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of applying the individual entries to the interface. This makes applying large groups of access filters (ACL entries) to interfaces simple.

NOTE: This is different from IP access policies. If you use IP access policies, you apply the individual policies to interfaces.
