Using Access Control Lists (ACLs)

NOTE: Do not place other commands in the file. The HP device reads only the ACL information in the file and ignores other commands, including ip access-group commands. To assign ACLs to interfaces, use the CLI.

Applying an ACL to a Subset of Ports on a Virtual Interface

You can apply an ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and contains all the ports within the VLAN. If the ACL is for the inbound traffic direction, you also can specify a subset of ports within the VLAN containing a specified virtual interface when assigning an ACL to that virtual interface.

Use this feature when you do not want the ACLs to apply to all the ports in the virtual interface’s VLAN or when you want to streamline ACL performance for the VLAN.

NOTE: This feature applies only to a virtual interface’s inbound direction. You cannot use this feature to specify a subset of ports for a virtual interface’s outbound direction.

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:

HP9300(config)# vlan 10 name IP-subnet-vlan
HP9300(config-vlan-10)# untag ethernet 1/1 to 2/12
HP9300(config-vlan-10)# router-interface ve 1
HP9300(config-vlan-10)# exit

HP9300(config)# access-list 1 deny host 209.157.22.26 log
HP9300(config)# access-list 1 deny 209.157.29.12 log
HP9300(config)# access-list 1 deny host IPHost1 log
HP9300(config)# access-list 1 permit any
HP9300(config)# interface ve 1
HP9300(config-vif-1)# ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4

The commands in this example configure port-based VLAN 10, add ports 1/1 – 2/12 to the VLAN, and add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1.

Syntax: [no] ip access-group <num> in ethernet <portnum> [<portnum>...] to <portnum>

Enabling Strict TCP or UDP Mode

By default, when you use ACLs to filter TCP or UDP traffic, the HP device does not compare all TCP or UDP packets against the ACLs.

TCP – By default, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.

UDP – By default, the device compares the source and destination information against entries in the session table. The session table contains forwarding entries based on Layer 3 and Layer 4 information.

If the session table contains a matching entry, the device forwards the packet, assuming that the first packet the device received that contains the same address information was permitted by the ACLs.

If the session table does not contain a matching entry, the device sends the packet to the CPU, where the software compares the packet against the ACLs. If the ACLs permit the packet (explicitly by a permit ACL entry or implicitly by the absence of a deny ACL entry), the CPU creates a session table entry for the packet’s forwarding information and forwards the packet.

For tighter access or forwarding control, you can enable the device to perform strict TCP or UDP ACL processing. Strict ACL processing causes every TCP or UDP packet to go to the CPU for examination. The following sections describe the strict modes in more detail.
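The following is an added model of the processing described above, not code from the HP manual: it applies ACL 1 from the earlier example to the port subset named in the ip access-group command, and contrasts the default behaviour (TCP data packets and UDP session-table hits bypass the ACL lookup) with strict mode (every packet goes to the CPU). The packets, addresses other than those in ACL 1, and the implicit-deny fallback are constructed assumptions.

```python
from dataclasses import dataclass, field

# ACL 1 as configured in the example above (IPHost1 omitted: it is a hostname
# placeholder, not an address). First match wins.
ACL_1 = [("deny", "209.157.22.26"), ("deny", "209.157.29.12"), ("permit", "any")]
# Ports named in "ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4".
ACL_1_PORTS = {"1/1", "1/3", "2/1", "2/2", "2/3", "2/4"}
TCP_CONTROL_FLAGS = {"SYN", "FIN", "RST"}

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    in_port: str          # ingress port on VLAN 10, e.g. "1/1"
    flags: frozenset = frozenset()

def acl_permits(acl, pkt):
    """First-match evaluation of a standard (source-address) ACL.
    Assumption: no match means deny; ACL 1 ends in 'permit any', so that
    case is never reached with the ACL used here."""
    for action, src in acl:
        if src == "any" or src == pkt.src:
            return action == "permit"
    return False

@dataclass
class Device:
    acl: list
    acl_ports: set
    strict: bool = False
    session_table: set = field(default_factory=set)
    cpu_checks: int = 0   # packets sent to the CPU for an ACL lookup

    def forward(self, pkt) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.in_port not in self.acl_ports:
            return True   # ACL is bound only to the listed subset of VLAN ports
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if not self.strict:
            if pkt.proto == "tcp" and not (pkt.flags & TCP_CONTROL_FLAGS):
                return True   # default TCP mode: data packets are not compared
            if pkt.proto == "udp" and key in self.session_table:
                return True   # default UDP mode: session hit, no ACL lookup
        self.cpu_checks += 1  # strict mode, TCP control packet, or UDP session miss
        if not acl_permits(self.acl, pkt):
            return False
        if pkt.proto == "udp":
            self.session_table.add(key)  # later packets of this flow skip the ACL
        return True
```

Running the same denied-host TCP data packet through a default and a strict Device shows the difference: the default device forwards it without an ACL lookup, the strict device drops it.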
