Access Security Guide K/KA/KB.15.15

A standard ACL filters on the source IPv4 address only and is identified either by an alphanumeric ID string or by a numeric ID from 1 through 99. The source can be specified as a single host, a finite group of hosts, or any host.
Named and numbered standard ACL
A named, standard ACL is identified by an alphanumeric string of up to 64 characters and is created by entering the Named ACL (nacl) context.
A numbered, standard ACL is identified by a number from 1 through 99 and is created without leaving the global config context. Note that the CLI command syntax for creating a named ACL differs from the command syntax for creating a numbered ACL.
For example, the first pair of entries below illustrates how to create (or enter) a named, standard ACL and enter an ACE. The next entry illustrates creating a numbered, standard ACL with the same ACE.
HP Switch(config)# ip access-list standard Test-List
HP Switch(config-std-nacl)# permit host 10.10.10.147
HP Switch(config)# access-list 1 permit host 10.10.10.147
Once a numbered ACL has been created, it can be accessed using the named ACL method. This
is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs.
(Inserting or deleting an ACE is done by sequence number, and requires the Named ACL (nacl)
context.) The switch allows a maximum of 2048 unique ACL identities (IPv4 and IPv6 combined).
See “Monitoring shared resources” (page 225).
NOTE: See “Configuring standard ACLs” (page 318) for a summary of standard ACL commands. For a summary of all IPv4 ACL commands, see “IPv4 Access Control Lists (ACLs)” (page 259).
Extended ACL
Use an extended ACL when filtering on the IPv4 source address alone does not provide the traffic selection criteria needed on an interface. Extended ACLs allow use of the following criteria:
- source and destination IPv4 address combinations
- IPv4 protocol options
Extended, named ACLs also offer an option to permit or deny TCP connections for applications such as Telnet, HTTP, FTP, and others.
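The first-match evaluation, the sequence-numbered editing of a numbered ACL through the nacl context, and the standard-versus-extended criteria described above, modelled as an added Python example; this is illustration code, not HP switch code or anything from the guide. It assumes, as labelled in the code, that ACEs are evaluated in ascending sequence order with an implicit deny any at the end, that an ACE added without a sequence number is placed last with a step of 10, and that masks are ACL masks in which a 1 bit means the corresponding address bit is ignored. The ACEs and packets in demo() are constructed for the illustration; only the permit host 10.10.10.147 entry comes from the page.

```python
"""First-match IPv4 ACL model with sequence-numbered ACEs (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Match:
    """Address criterion: 'addr' plus an ACL mask in which a 1 bit means the
    corresponding address bit is ignored (assumption about the mask sense)."""
    addr: int
    wild: int

    def hits(self, ip: str) -> bool:
        return (int(IPv4Address(ip)) | self.wild) == (self.addr | self.wild)


def host(ip: str) -> Match:                  # 'permit host 10.10.10.147'
    return Match(int(IPv4Address(ip)), 0)


def net(ip: str, wildcard: str) -> Match:    # 'permit 10.10.10.0 0.0.0.255'
    return Match(int(IPv4Address(ip)), int(IPv4Address(wildcard)))


ANY = Match(0, 0xFFFFFFFF)                   # 'permit any'


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields an IPv4 ACE looks at."""
    src: str
    dst: str
    proto: str = "ip"                        # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Ace:
    seq: int
    action: str                              # "permit" or "deny"
    src: Match
    dst: Match = ANY                         # extended-only criteria default to 'any'
    proto: Optional[str] = None              # None: any IPv4 protocol
    dport: Optional[int] = None              # TCP/UDP destination port

    def matches(self, pkt: Packet) -> bool:
        if not (self.src.hits(pkt.src) and self.dst.hits(pkt.dst)):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


class Acl:
    """ACEs evaluated in ascending sequence order; first match decides and an
    unmatched packet hits the implicit 'deny any' (assumption). The identity is
    a number ("1") or a name ("Test-List"); both are edited the same way."""
    SEQ_STEP = 10   # assumption: an ACE added without a number gets last + 10

    def __init__(self, ident: str, kind: str):
        if kind not in ("standard", "extended"):
            raise ValueError("kind must be 'standard' or 'extended'")
        self.ident, self.kind = ident, kind
        self.aces: List[Ace] = []

    def insert(self, ace: Ace) -> None:
        """Insert at an explicit sequence number (nacl-context style editing)."""
        if self.kind == "standard" and (
            ace.dst != ANY or ace.proto is not None or ace.dport is not None
        ):
            raise ValueError("a standard ACL filters on source address only")
        if any(a.seq == ace.seq for a in self.aces):
            raise ValueError(f"sequence number {ace.seq} already in use")
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)

    def append(self, action: str, src: Match, **extended) -> Ace:
        """Add an ACE with no sequence number; it lands after the last one."""
        seq = (self.aces[-1].seq if self.aces else 0) + self.SEQ_STEP
        ace = Ace(seq, action, src, **extended)
        self.insert(ace)
        return ace

    def delete(self, seq: int) -> None:
        """Remove the ACE with this sequence number, as the nacl context allows."""
        kept = [a for a in self.aces if a.seq != seq]
        if len(kept) == len(self.aces):
            raise KeyError(seq)
        self.aces = kept

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching ACE; seq None = implicit deny."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action, ace.seq
        return "deny", None


def demo() -> dict:
    """Numbered standard ACL 1 from the page, edited by sequence number, then a
    constructed extended ACL with a TCP destination-port criterion."""
    std = Acl("1", "standard")
    std.append("permit", host("10.10.10.147"))          # seq 10
    pkt = Packet("10.10.10.147", "10.0.0.1")
    out = {"initial": std.evaluate(pkt)}
    std.insert(Ace(5, "deny", host("10.10.10.147")))    # shadows seq 10
    out["shadowed"] = std.evaluate(pkt)
    std.delete(5)
    out["restored"] = std.evaluate(pkt)
    ext = Acl("Web-In", "extended")
    ext.append("permit", net("10.10.10.0", "0.0.0.255"),
               dst=host("192.168.1.5"), proto="tcp", dport=80)
    ext.append("deny", net("10.10.10.0", "0.0.0.255"), dst=host("192.168.1.5"))
    ext.append("permit", ANY)
    out["web"] = ext.evaluate(Packet("10.10.10.7", "192.168.1.5", "tcp", 80))
    out["ssh"] = ext.evaluate(Packet("10.10.10.7", "192.168.1.5", "tcp", 22))
    out["other"] = ext.evaluate(Packet("172.16.0.9", "192.168.1.5", "udp", 53))
    return out
```

Running demo() shows why sequence numbers matter when editing: the ACE inserted at 5 shadows the page's permit at 10 until it is deleted again, and in the extended ACL the deny at 20 catches every packet to 192.168.1.5 that the port-80 permit at 10 did not, while traffic from outside 10.10.10.0/24 falls through to the permit any at 30.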
Connection Rate ACL
An optional feature used with Connection-Rate filtering based on virus-throttling technology. See
“Virus throttling (connection-rate filtering)” (page 53).
ACL applications
ACL filtering is applied to IPv4 traffic as follows:
Routed ACL (RACL)
On a VLAN configured with an RACL:
- Routed IPv4 traffic entering or leaving the switch. (Routing can be between different VLANs or between different subnets in the same VLAN. Routing must be enabled.)
- Routed IPv4 traffic having a destination address (DA) on the switch itself. In Figure 224 (page 307), this is any of the IP addresses shown in VLANs "A", "B", and "C". (Routing need not be enabled.)
- Outbound traffic generated by the switch itself.
VLAN ACL (VACL)
On a VLAN configured with a VACL: inbound IP traffic, regardless of whether it is switched or routed. On a multinetted VLAN, this includes inbound IPv4 traffic from any subnet.
306 IPv4 Access Control Lists (ACLs)