Access Security Guide K/KA/KB.15.15

General steps for planning and configuring ACLs
1. Identify the ACL action to apply. As part of this step, determine the best points at which to
apply specific ACL controls. For example, you can improve network performance by filtering
unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch
itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to
the switch instead of outbound.
ACL application                                          Traffic source
RADIUS-assigned ACL for inbound IP traffic from an       IPv4 or IPv6 traffic from a specific, authenticated
authenticated client on a port [1]                       client
static port ACL (static-port assigned) for any inbound   IPv4 traffic entering the switch on a specific port
IPv4 traffic on a port from any source
VACL (VLAN ACL)                                          switched or routed IPv4 traffic entering the switch
                                                         on a specific VLAN
RACL (routed ACL)                                        routed IPv4 traffic entering or leaving the switch
                                                         on a specific VLAN

[1] For more on this option, see “RADIUS server support for switch services” (page 199), and see also the
documentation for your RADIUS server.
2. Identify the traffic types to filter (IPv4 only, unless the ACL is a RADIUS-assigned ACL, which
supports IPv4 and IPv6 filtering):
- The SA and/or the DA of traffic you want to permit or deny. This can be a single host,
a group of hosts, a subnet, or all hosts.
- Traffic of a specific IPv4 protocol type (0-255)
- Any TCP traffic (only) for a specific TCP port or range of ports, including optional control
of connection traffic based on whether the initial request should be allowed
- All UDP traffic or UDP traffic for a specific UDP port
- All ICMP traffic or ICMP traffic of a specific type and code
- All IGMP traffic or IGMP traffic of a specific type
- Any of the above with specific precedence and/or ToS settings
3. Design the ACLs for the control points (interfaces) selected. When using explicit "deny" ACEs,
optionally use the VACL logging feature for notification that the switch is denying unwanted
packets.
4. Configure the ACLs on the selected switches.
5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL,
VACL, or RACL) appropriate for each assignment.
6. If using an RACL, ensure that IPv4 routing is enabled on the switch.
7. Test for desired results.
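A worked configuration that follows steps 3 through 7, added here as an illustration and not taken from this guide. It assumes VLAN 10 (10.10.10.0/24) is an edge VLAN whose member port is port 5, that 10.20.0.5 is an SSH server and 10.20.0.53 a DNS server, that 10.20.0.9 is the syslog server, and that the ACE and "ip access-group" syntax shown is the ProCurve K-series form (confirm against the CLI reference for your software version).

```text
; Constructed example; VLAN IDs, port numbers and addresses are assumptions.

; Steps 3 and 4: one extended IPv4 ACL, filtered inbound at the edge (step 1).
; ACEs match on SA/DA, TCP or UDP port, and ICMP type/code (step 2);
; the explicit deny ACE uses "log" so denied packets are reported (step 3).
ip access-list extended "EDGE-IN"
   10 permit tcp 10.10.10.0/24 host 10.20.0.5 eq 22
   20 permit tcp 10.10.10.0/24 any eq 443
   30 permit udp 10.10.10.0/24 host 10.20.0.53 eq 53
   40 permit icmp 10.10.10.0/24 any 8 0
   50 deny ip any any log
   exit

; Destination for ACL deny-log messages.
logging 10.20.0.9

; Step 5: choose the ACL application that fits each control point.
; (a) VACL: switched or routed IPv4 traffic entering the switch on VLAN 10.
vlan 10
   ip access-group "EDGE-IN" vlan
   exit

; (b) Static port ACL: any inbound IPv4 traffic on port 5, from any source.
interface 5
   ip access-group "EDGE-IN" in
   exit

; Step 6: an RACL filters only routed traffic, so IPv4 routing must be on.
ip routing
vlan 10
   ip access-group "EDGE-IN" in
   exit

; Step 7: verify the ACL contents and where it is assigned.
show access-list "EDGE-IN"
show access-list vlan 10
show access-list ports 5
```

Applying the same ACL as a VACL and an RACL on one VLAN, as shown, is only to illustrate each application type; in practice pick the single application that matches the control point chosen in step 1.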
Overview 313