Using Access Control Lists (ACLs)
NOTE: Do not place other commands in the file. The HP device reads only the ACL information in the file and ignores other commands, including ip
Applying an ACL to a Subset of Ports on a Virtual Interface
You can apply an ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and contains all the ports within the VLAN. If the ACL is for the inbound traffic direction, you also can specify a subset of ports within the VLAN containing a specified virtual interface when assigning an ACL to that virtual interface.
Use this feature when you do not want the ACLs to apply to all the ports in the virtual interface’s VLAN or when you want to streamline ACL performance for the VLAN.
NOTE: This feature applies only to a virtual interface’s inbound direction. You cannot use this feature to specify a subset of ports for a virtual interface’s outbound direction.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:
HP9300(config)# vlan 10 name
HP9300(config)#
The commands in this example configure
Syntax: [no] ip
Enabling Strict TCP or UDP Mode
By default, when you use ACLs to filter TCP or UDP traffic, the HP device does not compare all TCP or UDP packets against the ACLs.
• TCP – By default, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.
• UDP – By default, the device compares the source and destination information against entries in the session table. The session table contains forwarding entries based on Layer 3 and Layer 4 information.
  • If the session table contains a matching entry, the device forwards the packet, assuming that the first packet the device received that contains the same address information was permitted by the ACLs.
  • If the session table does not contain a matching entry, the device sends the packet to the CPU, where the software compares the packet against the ACLs. If the ACLs permit the packet (explicitly by a permit ACL entry or implicitly by the absence of a deny ACL entry), the CPU creates a session table entry for the packet’s forwarding information and forwards the packet.
For tighter access or forwarding control, you can enable the device to perform strict TCP or UDP ACL processing. Strict ACL processing causes every TCP or UDP packet to go to the CPU for examination. The following sections describe the strict modes in more detail.
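The following Python model is an added illustration, not code from the HP documentation or the device software. It reproduces the two processing paths described above: in default mode, TCP data packets are not compared against the ACL at all, and a UDP packet whose address information already matches a session-table entry is forwarded without re-evaluation; in strict mode every TCP or UDP packet goes to the CPU and is compared against the ACL. The ACL entry format, the packet fields and the session-table key are simplified assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# TCP packet types the page names as control packets (compared in default mode).
TCP_CONTROL_FLAGS = {"SYN", "FIN", "RST"}


@dataclass
class AclEntry:
    """Simplified ACL entry (assumption): exact match on protocol, source and destination."""
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    src: str
    dst: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: Set[str] = field(default_factory=set)   # TCP flags; empty set = data packet


class AclFilter:
    """Model of default vs strict TCP/UDP ACL processing."""

    def __init__(self, acl: List[AclEntry], strict_tcp: bool = False, strict_udp: bool = False):
        self.acl = acl
        self.strict_tcp = strict_tcp
        self.strict_udp = strict_udp
        # Session table keyed on Layer 3 + Layer 4 information (assumed key layout).
        self.session_table: Dict[Tuple[str, str, str, int, int], str] = {}
        self.cpu_evaluations = 0   # how many packets the "CPU" actually compared

    def _evaluate(self, pkt: Packet) -> str:
        """Software ACL comparison: first matching entry wins; per the page's wording,
        a packet with no matching deny entry is permitted implicitly."""
        self.cpu_evaluations += 1
        for entry in self.acl:
            if (entry.proto, entry.src, entry.dst) == (pkt.proto, pkt.src, pkt.dst):
                return entry.action
        return "permit"

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, path) where path is 'cpu', 'session-table' or 'not-compared'."""
        if pkt.proto == "tcp":
            # Strict mode: every packet to the CPU. Default: only control packets.
            if self.strict_tcp or (pkt.flags & TCP_CONTROL_FLAGS):
                return self._evaluate(pkt), "cpu"
            return "permit", "not-compared"   # TCP data packet in default mode

        if pkt.proto == "udp":
            key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
            if not self.strict_udp and key in self.session_table:
                # Forwarded on the assumption the first packet was permitted.
                return self.session_table[key], "session-table"
            action = self._evaluate(pkt)
            if action == "permit":
                self.session_table[key] = action   # CPU installs forwarding entry
            return action, "cpu"

        raise ValueError("model only covers TCP and UDP")


def demo() -> Dict[str, int]:
    """Run the same UDP flow through default and strict filters; return CPU evaluation counts."""
    # Constructed sample ACL and packets (not from the page).
    acl = [AclEntry("deny", "udp", "10.0.0.5", "10.0.1.9")]
    flow = Packet("udp", "10.0.0.1", "10.0.1.9", 40000, 53)

    default = AclFilter(acl)
    strict = AclFilter(acl, strict_tcp=True, strict_udp=True)
    for f in (default, strict):
        for _ in range(3):
            f.process(flow)
    return {"default": default.cpu_evaluations, "strict": strict.cpu_evaluations}


if __name__ == "__main__":
    print(demo())   # default mode evaluates the flow once, strict mode three times
```

The `cpu_evaluations` counter makes the trade-off visible: default mode evaluates a UDP flow once and then forwards it from the session table, whereas strict mode pays a CPU comparison for every packet, which is the "tighter access or forwarding control" the page refers to.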