Access Security Guide K/KA/KB.15.15

NOTE: In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering
the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the
RACL, except where the traffic has a destination on the switch itself. However, routed traffic explicitly
permitted by the port or VLAN ACL (and any switched traffic having a destination on the switch
itself) must also be explicitly permitted by the RACL, or it is dropped.
Also, a switched packet is not affected by an outbound RACL assigned to the VLAN on which the
packet exits from the switch.
Beginning with software release K.14.01, static ACL mirroring and static ACL rate-limiting are
deprecated in favor of classifier-based mirroring and rate-limiting features that do not use ACLs.
If ACL mirroring or ACL rate-limiting are already configured in a switch running software version
K.13.xx, then downloading and booting from release K.14.01 or greater automatically modifies
the deprecated configuration to conform to the classifier-based mirroring and rate-limiting supported
in release K.14.01 or greater. For more information on this topic, see "Classifier-Based Software
Configuration" in the latest Advanced Traffic Management Guide for your switch.
For information on traffic mirroring see "Monitoring and Analyzing Switch Operation" in the
Management and Configuration Guide for your switch.
- For a packet to be permitted, it must have a match with a "permit" ACE in all applicable ACLs assigned to an interface.
- On a given interface where multiple ACLs apply to the same traffic, a packet having a match with a deny ACE in any applicable ACL on the interface (including an implicit deny any) will be dropped.
For example, suppose the following is true:
- Port A10 belongs to VLAN 100.
- A static port ACL is configured on port A10.
- A VACL is configured on VLAN 100.
- An RACL is also configured for inbound, routed traffic on VLAN 100.
An inbound, switched packet entering on port A10, with a destination on port A12, will be screened
by the static port ACL and the VACL, regardless of a match with any permit or deny action. A
match with a deny action (including an implicit deny) in either ACL will cause the switch to drop
the packet. (If the packet has a match with explicit deny ACEs in multiple ACLs and the log option
is included in these ACEs, then a separate log event will occur for each match.) The switched
packet will not be screened by the RACL.
However, suppose that VLAN 2 in Figure 227 (page 311) is configured with the following:
- A VACL permitting traffic having a destination on the 10.28.10.0 subnet
- An RACL that denies inbound traffic having a destination on the 10.28.10.0 subnet
In this case, no IPv4 traffic received on the switch from clients on the 10.28.20.0 subnet will reach
the 10.28.10.0 subnet, even though the VACL allows such traffic. This is because the deny in the
RACL causes the switch to drop the traffic regardless of whether any other VACLs permit the traffic.
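The evaluation rules above, as an added Python model that is not part of the guide or of the switch software: it assumes ACEs match on destination prefix only, and it encodes the two cases in the text (port A10 / VLAN 100, and VLAN 2) with constructed ACE contents, since the guide does not list the ACEs themselves.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str        # "permit" or "deny"
    dst: str           # destination prefix such as "10.28.10.0/24", or "any"
    log: bool = False  # the ACE's log option

def first_match(acl, dst_ip):
    """First ACE whose destination covers dst_ip; every ACL ends in an implicit deny any."""
    for ace in acl:
        if ace.dst == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(ace.dst):
            return ace
    return Ace("deny", "any")

def screen(packet, port_acl=None, vacl=None, racl=None):
    """Screen one inbound packet; returns (permitted, log_events).
    Port ACL and VACL always apply; the RACL only to routed traffic or to traffic destined
    to the switch itself. Every applicable ACL is evaluated (no early exit) because each
    logged explicit deny produces its own log event."""
    applicable = [("port ACL", port_acl), ("VACL", vacl)]
    if packet["routed"] or packet["to_switch"]:
        applicable.append(("RACL", racl))
    permitted, events = True, []
    for name, acl in applicable:
        if acl is None:
            continue
        ace = first_match(acl, packet["dst"])
        if ace.action == "deny":
            permitted = False
            if ace.log:
                events.append(f"{name}: deny {packet['dst']}")
    return permitted, events

# Constructed sample ACLs for the two cases in the text (the guide gives no ACE contents).
PORT_ACL_A10 = [Ace("permit", "any")]
VACL_100 = [Ace("permit", "any")]
RACL_100 = [Ace("deny", "any", log=True)]
VACL_2 = [Ace("permit", "10.28.10.0/24")]
RACL_2 = [Ace("deny", "10.28.10.0/24", log=True)]

def switched_a10_to_a12():
    """Switched within VLAN 100: port ACL and VACL apply, the RACL does not."""
    return screen({"dst": "10.28.10.5", "routed": False, "to_switch": False}, PORT_ACL_A10, VACL_100, RACL_100)

def routed_into_10_28_10():
    """Routed from 10.28.20.0 into 10.28.10.0: the VACL permits, the RACL deny still drops it."""
    return screen({"dst": "10.28.10.5", "routed": True, "to_switch": False}, vacl=VACL_2, racl=RACL_2)
```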
Figure 227 Order of application for multiple ACLs on an interface
Overview 311