Access Security Guide K/KA/KB.15.15

NOTE: After you assign an IPv4 ACL to an interface, the default action on the interface is to
implicitly deny IPv4 traffic that is not specifically permitted by the ACL. (This applies only in the
direction of traffic flow filtered by the ACL.)
Options for applying IPv4 ACLs on the switch
To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic
filtering to occur. VLAN and routed IPv4 traffic ACLs can be applied statically using the switch
configuration. Port traffic ACLs can be applied either statically or dynamically (using a RADIUS
server).
Static ACLs
Static ACLs are configured on the switch. To apply a static ACL, you must assign it to an interface
(VLAN or port). The switch supports three static ACL applications:
Routed IPv4 Traffic ACL (RACL)
An RACL is an ACL configured on a VLAN to filter routed traffic entering or leaving the switch on
that interface, as well as traffic having a destination on the switch itself. (Except for filtering traffic
to an address on the switch itself, RACLs can operate only while IPv4 routing is enabled.)
VLAN ACL (VACL)
A VACL is an ACL configured on a VLAN to filter traffic entering the switch on that VLAN interface
and having a destination on the same VLAN.
Static port ACL
A static port ACL is an ACL configured on a port to filter traffic entering the switch on that port,
regardless of whether the traffic is routed, switched, or addressed to a destination on the switch
itself.
RADIUS-assigned ACLs
A RADIUS-assigned ACL is configured on a RADIUS server for assignment to a given port when
the server authenticates a specific client on that port. When the server authenticates a client
associated with that ACL, the ACL is assigned to the port the client is using. The ACL then filters
the IP traffic received inbound on that port from the authenticated client. If the RADIUS server
supports both IPv4 and IPv6 ACEs, then the ACL assigned by the server can be used to filter both
traffic types, or filter IPv4 traffic and drop IPv6 traffic. When the client session ends, the ACL is
removed from the port. The switch allows as many RADIUS-assigned ACLs on a port as it allows
authenticated clients. For information on RADIUS-assigned ACLs assigned by a RADIUS server,
see “RADIUS server support for switch services” (page 199).
NOTE: The information provided here describes the IPv4 ACL applications you can statically
configure on the switch. For the IPv6 equivalents, see "IPv6 Access Control Lists (ACLs)" in the
latest IPv6 Configuration Guide for your switch.
Types of IPv4 ACLs
A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone,
or on source address plus other factors.
Standard ACL
Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only.
Standard ACLs are also useful when you need to quickly control a performance problem by limiting
IPv4 traffic from a subnet, group of devices, or a single device. This can block all IPv4 traffic from
the configured source, but does not hamper IPv4 traffic from other sources within the network.
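The following is an added CLI walk-through, not taken from the guide, that ties together the three static ACL applications described above (RACL, VACL and static port ACL) and the standard-ACL use case of limiting traffic from a single device or subnet. The ACL names, VLAN ids, port number and addresses are constructed placeholders; the command syntax is the switch's standard `ip access-list` and `ip access-group` form. Note how the second ACL relies on the implicit deny: anything its single permit does not match is dropped in the filtered direction only.

```console
; Constructed example. ACL names, VLAN ids, port numbers and addresses are placeholders.

; 1. A standard ACL: match on source address only. Block one misbehaving host,
;    allow everything else. Without the trailing "permit any" the implicit
;    deny at the end of the list would drop every other source as well.
HP-Switch(config)# ip access-list standard Block-Host
HP-Switch(config-std-nacl)# remark Quarantine a single source without touching other traffic
HP-Switch(config-std-nacl)# deny host 10.28.10.5
HP-Switch(config-std-nacl)# permit any
HP-Switch(config-std-nacl)# exit

; 2. Apply the same ACL in each of the three static ways.

; RACL: filter routed traffic entering VLAN 20 (and traffic addressed to the
; switch itself). Routed filtering only takes effect while IPv4 routing is on.
HP-Switch(config)# ip routing
HP-Switch(config)# vlan 20 ip access-group Block-Host in

; VACL: filter traffic entering on VLAN 20 whose destination is on the same VLAN.
HP-Switch(config)# vlan 20 ip access-group Block-Host vlan

; Static port ACL: filter all inbound traffic on port 5, routed or switched.
HP-Switch(config)# interface 5 ip access-group Block-Host in

; 3. A second standard ACL that uses the implicit deny deliberately: only the
;    management subnet is permitted; every other source is dropped, but only
;    in the inbound direction on VLAN 10 (outbound traffic is not filtered).
HP-Switch(config)# ip access-list standard Mgmt-Only
HP-Switch(config-std-nacl)# permit 10.1.1.0/24
HP-Switch(config-std-nacl)# exit
HP-Switch(config)# vlan 10 ip access-group Mgmt-Only in

; 4. Verify what is configured and where it is applied.
HP-Switch(config)# show access-list
HP-Switch(config)# show access-list vlan 20
```

When choosing between these applications, remember that a VACL only sees traffic that stays within the VLAN, an RACL only sees routed traffic (plus traffic to the switch's own addresses), and a static port ACL sees everything arriving on the port; applying an ACL in the wrong place is the usual reason a deny entry appears to have no effect.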
Overview 305