Installation and Getting Started Guide
Enabling Strict TCP Mode
By default, when you use ACLs to filter TCP traffic, the HP device does not compare all TCP packets against the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.
In normal TCP operation, TCP data packets are present only if a TCP control session for those packets has also been established. For example, data packets for a session never occur if the TCP SYN for that session is dropped. Therefore, by filtering the control packets, the HP device also implicitly filters the data packets associated with them. This mode of filtering optimizes forwarding performance for TCP traffic by forwarding data packets without examining them: because data packets are present in normal TCP traffic only when a corresponding control session has been established, comparing the control packets against the ACLs is sufficient to filter the entire session, including the data.
However, it is possible to generate TCP data packets without corresponding control packets, in test or research situations for example. In this case, the default ACL mode does not filter the data packets, since there is no corresponding control session to filter. To filter this type of TCP traffic, use the strict ACL TCP mode. This mode compares all TCP packets to the configured ACLs, regardless of whether the packets are control packets or data packets.
Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs.
To enable the strict ACL TCP mode, use the following CLI method.
NOTE: If the device’s configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.
To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI:
HP9300(config)# ip
Syntax: [no] ip
This command configures the device to compare all TCP packets against the configured ACLs before forwarding them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command:
HP9300(config)# no ip
Enabling Strict UDP Mode
By default, when you use ACLs to filter UDP traffic, the HP device does not compare all UDP packets against the ACLs. Instead, the device does the following:
• Compares the source and destination information against entries in the session table. The session table contains forwarding entries based on Layer 3 and Layer 4 information.
• If the session table contains a matching entry, the device forwards the packet, assuming that the first packet the device received that contains the same address information was permitted by the ACLs.
• If the session table does not contain a matching entry, the device sends the packet to the CPU, where the software compares the packet against the ACLs. If the ACLs permit the packet (explicitly by a permit ACL entry or implicitly by the absence of a deny ACL entry), the CPU creates a session table entry for the packet’s forwarding information and forwards the packet.
For tighter control, the software provides the strict ACL UDP mode. When you enable strict UDP processing, the device sends every UDP packet to the CPU and compares the packet against the configured ACLs.
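The following Python model, added here as an illustration and not taken from the device firmware or from this guide, simulates the two ACL processing modes described above for both TCP and UDP: in default mode only TCP control packets (SYN, FIN, RST) and the first packet of a UDP flow reach the ACL evaluation, while in strict mode every packet does. The ACL entries, addresses and packet objects are constructed sample data; the first-match-with-implicit-deny evaluation and the session-table keying on Layer 3/4 information follow the behaviour the text describes, and the assumption that strict UDP mode does not consult or populate the session table is a simplification of this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- constructed sample data types (not the device's own structures) ---

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP control flags present, e.g. {"SYN"}

@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str
    src: str                        # exact address or "any"
    dst: str
    dport: Optional[int] = None     # None matches any destination port

CONTROL_FLAGS = {"SYN", "FIN", "RST"}   # packet types the text calls control packets

def acl_lookup(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation; no match means the implicit deny applies."""
    for e in acl:
        if e.proto != pkt.proto:
            continue
        if e.src not in ("any", pkt.src) or e.dst not in ("any", pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False

class AclFilter:
    """Models default vs. strict ACL TCP/UDP modes; returns True when a packet is forwarded."""
    def __init__(self, acl: List[AclEntry], strict_tcp: bool = False, strict_udp: bool = False):
        self.acl = acl
        self.strict_tcp = strict_tcp
        self.strict_udp = strict_udp
        self.sessions = set()   # UDP session table keyed on Layer 3/4 information
        self.cpu_lookups = 0    # how many packets were compared against the ACLs

    def process(self, pkt: Packet) -> bool:
        if pkt.proto == "tcp":
            is_control = bool(pkt.flags & CONTROL_FLAGS)
            if self.strict_tcp or is_control:
                self.cpu_lookups += 1
                return acl_lookup(self.acl, pkt)
            return True   # default mode: TCP data packets are forwarded without examination
        if pkt.proto == "udp":
            key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
            if not self.strict_udp and key in self.sessions:
                return True   # forwarded on the strength of the first packet's verdict
            self.cpu_lookups += 1
            permitted = acl_lookup(self.acl, pkt)
            if permitted and not self.strict_udp:
                self.sessions.add(key)   # assumption: strict mode never uses the table
            return permitted
        raise ValueError(f"unsupported protocol {pkt.proto!r}")

# Constructed ACL: block one host's TCP traffic, allow other TCP, allow UDP/53 only.
SAMPLE_ACL = [
    AclEntry("deny", "tcp", "10.0.0.5", "any"),
    AclEntry("permit", "tcp", "any", "any"),
    AclEntry("permit", "udp", "any", "any", dport=53),
]

def tcp_demo(strict: bool) -> Tuple[bool, bool]:
    """Verdicts for (SYN from the denied host, data-only segment from the denied host)."""
    f = AclFilter(SAMPLE_ACL, strict_tcp=strict)
    syn = Packet("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, frozenset({"SYN"}))
    data = Packet("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, frozenset({"ACK", "PSH"}))
    return f.process(syn), f.process(data)

def udp_demo(strict: bool) -> Tuple[List[bool], int]:
    """Verdicts for three DNS packets of one flow plus one NTP packet, and the CPU lookup count."""
    f = AclFilter(SAMPLE_ACL, strict_udp=strict)
    dns = Packet("udp", "10.0.0.7", "10.0.0.53", 51000, 53)
    ntp = Packet("udp", "10.0.0.7", "10.0.0.53", 51001, 123)
    verdicts = [f.process(dns), f.process(dns), f.process(dns), f.process(ntp)]
    return verdicts, f.cpu_lookups

if __name__ == "__main__":
    print("TCP default:", tcp_demo(False), "strict:", tcp_demo(True))
    print("UDP default:", udp_demo(False), "strict:", udp_demo(True))
```

In default TCP mode the data-only segment from the denied host is forwarded because it is never compared against the ACL; strict TCP mode evaluates it and denies it, which is the case the text describes for TCP data generated without a control session. For UDP the verdicts are identical in both modes, but the CPU lookup count shows the trade-off: default mode evaluates only the first packet of the permitted flow and then relies on the session table, while strict mode sends every packet to the CPU.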
To enable the strict ACL UDP mode, use the following CLI method.