Access Security Guide K/KA/KB.15.15

Monitoring Shared Resources. Applied ACLs share internal switch resources with several other
features. The switch provides ample resources for all features. However, if the internal resources
become fully subscribed, additional ACLs cannot be applied until the necessary resources are
released from other applications. For information on determining current resource availability
and usage, see Appendix E, “Monitoring Resources” in the Management and Configuration
Guide for your switch.
Protocol Support. ACL criteria do not include MAC information or QoS.
Replacing or Adding To an Active ACL Policy. If you assign an ACL to an interface and
subsequently add or replace ACEs in that ACL, each new ACE becomes active when you
enter it. If the ACL is configured on multiple interfaces when the change occurs, then the switch
resources must accommodate all applications of the ACL. If there are insufficient resources to
accommodate one of several ACL applications affected by the change, then the change is
not applied to any of the interfaces and the previous version of the ACL remains in effect.
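The all-or-nothing behaviour described above (a change to an ACL that is applied on several interfaces either fits the resources of every application or is rejected everywhere) can be modelled in a few lines. This is an added illustration, not code from the HP guide; the resource budget and the "one resource unit per ACE per application" accounting are constructed assumptions, since the guide only says resources are shared and refers to Appendix E for actual usage figures.

```python
# Added example (not from the HP guide): models the rule that an ACE added to
# an ACL already applied on several interfaces is accepted only if every
# application of that ACL still fits the switch's shared ACL resources.
from dataclasses import dataclass, field


@dataclass
class Switch:
    capacity: int                                   # total resource units (assumed value)
    acls: dict = field(default_factory=dict)        # ACL name -> list of ACE strings
    bindings: dict = field(default_factory=dict)    # interface -> ACL name

    def apply(self, interface: str, acl: str) -> bool:
        """Bind an ACL to an interface if the switch can afford that application."""
        proposed = dict(self.bindings)
        proposed[interface] = acl
        if self._units(self.acls, proposed) > self.capacity:
            return False
        self.bindings = proposed
        return True

    def add_ace(self, acl: str, ace: str) -> bool:
        """Add one ACE to an ACL; rejected on ALL interfaces if any application
        would exceed the budget, leaving the previous version in effect."""
        proposed = dict(self.acls)
        proposed[acl] = self.acls.get(acl, []) + [ace]
        if self._units(proposed, self.bindings) > self.capacity:
            return False
        self.acls = proposed
        return True

    @staticmethod
    def _units(acls: dict, bindings: dict) -> int:
        # Assumption: each application of an ACL costs one unit per ACE,
        # so an ACL bound to three interfaces is charged three times.
        return sum(len(acls[name]) for name in bindings.values())


if __name__ == "__main__":
    sw = Switch(capacity=6)
    sw.acls["A"] = ["permit tcp any any eq 443", "deny ip any any"]
    for port in ("1", "2", "3"):
        sw.apply(port, "A")                      # 3 applications x 2 ACEs = 6 units
    print(sw.add_ace("A", "permit udp any any eq 53"))   # False: would need 9 units
```

Because every bound interface is charged again, the third ACE is refused even though a single application of the ACL would have fitted comfortably; that is exactly why the guide warns that resources must accommodate all applications of the ACL.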
“Strict” TCP and UDP. When the ACL configuration includes TCP or UDP options, the switch
operates in “strict” TCP and UDP mode for increased control. In this case, the switch compares
all TCP and UDP packets against the ACLs. (In the HP 9300m and 9404sl Routing Switches,
the Strict TCP and Strict UDP modes are optional and must be specifically invoked.)
About IPv4 static ACL operation
Introduction to IPv4 static ACL operation
An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a
matching criteria and an action (permit or deny). A static ACL applies only to the switch in which
it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options:
IPv4 traffic inbound on a port.
IPv4 traffic inbound on a VLAN.
Routed IPv4 traffic entering or leaving the switch on a VLAN. (Note that ACLs do not screen
traffic at the internal point where traffic moves between VLANs or subnets within the switch.
See “ACL applications” (page 306).)
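The definition above (an ACL as an ordered list of ACEs, each pairing matching criteria with a permit or deny action, applied to traffic on an interface) is easy to make concrete. The following is an added example and not code from the HP guide; the ACE fields, the sequential first-match evaluation and the trailing implicit deny are assumptions about ACL semantics that this excerpt does not spell out, and the sample VACL is constructed.

```python
# Added example (not from the HP guide): a minimal model of a static IPv4 ACL.
# ACEs are checked in order; the first ACE whose criteria match decides the
# action, and a packet matching no ACE is denied (assumed implicit deny).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port for tcp/udp


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches any IPv4 protocol
    src: str = "0.0.0.0/0"        # CIDR, any by default
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # only meaningful for tcp/udp criteria

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample VACL for a guest VLAN: guests may reach one server on
# HTTPS only; everything else from the guest subnet is dropped; other inbound
# traffic on the VLAN is permitted.
GUEST_VACL = [
    Ace("permit", "tcp", "10.10.0.0/16", "10.0.0.5/32", dport=443),
    Ace("deny", "ip", "10.10.0.0/16"),
    Ace("permit"),
]

# Interface bindings: which ACL screens inbound traffic on which VLAN.
BINDINGS = {"vlan20": GUEST_VACL}


def filter_inbound(interface: str, pkt: Packet) -> str:
    """Apply the ACL bound to the interface; an unbound interface passes traffic."""
    acl = BINDINGS.get(interface)
    return "permit" if acl is None else evaluate(acl, pkt)


if __name__ == "__main__":
    print(filter_inbound("vlan20", Packet("tcp", "10.10.3.4", "10.0.0.5", 443)))  # permit
    print(filter_inbound("vlan20", Packet("tcp", "10.10.3.4", "10.0.0.5", 22)))   # deny
```

Ordering is what gives the ACL its meaning: swapping the first two ACEs would silently block the HTTPS traffic the list was written to allow, which is why reviewing ACE order matters as much as reviewing the individual entries.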
The following table lists the range of interface options:
Table 28 Range of interface options

| Interface | ACL Application | Application Point | Filter Action |
| --- | --- | --- | --- |
| Port | Static Port ACL (switch configured) | inbound on the switch | inbound IPv4 traffic |
| Port | RADIUS-Assigned ACL (1) | inbound on the switch port used by authenticated client | inbound IPv4 and/or IPv6 traffic from the authenticated client |
| VLAN | VACL | entering the switch on the VLAN | inbound IPv4 traffic |
| VLAN | RACL (2) | entering the switch on the VLAN | routed IPv4 traffic entering the switch and any IPv4 traffic with a destination on the switch itself |
| VLAN | RACL (2) | exiting from the switch on the VLAN | routed IPv4 traffic exiting from the switch |

(1) The information provided here describes ACLs statically configured on the switch. For information on RADIUS-assigned ACLs, see “RADIUS server support for switch services” (page 199).

(2) Supports one inbound and/or one outbound RACL. When both are used, one RACL can be assigned to filter both inbound and outbound, or different RACLs can be assigned to filter inbound and outbound.
304 IPv4 Access Control Lists (ACLs)