Access Security Guide K/KA/KB.15.15

For more details on ACL planning considerations, see "Configuring named, standard ACLs"
(page 259).
CAUTION: Regarding the Use of Source Routing
Source routing is enabled by default on the switch and can be used to bypass ACLs. For this
reason, if you are using ACLs to enhance network security, the recommended action is to use the
no ip source-route command to disable source routing on the switch.
If source routing is disabled in the running-config file, the show running command includes
no ip source-route in the running-config file listing.
NOTE: To activate a RACL to screen inbound IPv4 traffic for routing between subnets, assign the
RACL to the statically configured VLAN on which the traffic enters the switch. Also, ensure that IPv4
routing is enabled. Similarly, to activate a RACL to screen routed, outbound IPv4 traffic, assign the
RACL to the statically configured VLAN on which the traffic exits from the switch. A RACL configured
to screen inbound IPv4 traffic with a destination address on the switch itself does not require routing
to be enabled. (ACLs do not screen outbound IPv4 traffic generated by the switch itself.)
The packet-filtering process
Sequential comparison and action
When an ACL filters a packet, it sequentially compares each ACE's filtering criteria to the
corresponding data in the packet until it finds a match. The action indicated by the matching ACE
(deny or permit) is then performed on the packet.
Implicit Deny
If a packet does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies
(drops) the packet. If you need to override the implicit deny so that a packet that does not have a
match will be permitted, then you can use the "permit any" option as the last ACE in the ACL. This
directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed
in the ACL, and prevents these packets from being filtered by the implicit "deny any".
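The two rules above, sequential first-match comparison and the trailing implicit deny, are easy to get wrong when ACEs are ordered carelessly. The following is an added example (not code from the guide or from the switch firmware) that models the evaluation in plain Python: it parses a reduced, assumed "permit|deny ip <src> <dst>" ACE syntax (prefix lengths or the keyword any; the switch itself accepts more), returns the first matching ACE and its position, falls through to the implicit "deny any" when nothing matches, and flags ACEs that can never fire because an earlier ACE already covers them. The sample ACL and addresses are constructed for the walk-through.

```python
"""Added example: first-match ACL evaluation with implicit deny.

Not switch code. The ACE syntax is a deliberately reduced, assumed subset:
    permit|deny ip <src-prefix|any> <dst-prefix|any>
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address,
                dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst

    def covered_by(self, other: "ACE") -> bool:
        # True when every packet this ACE could match is already matched by `other`.
        return self.src.subnet_of(other.src) and self.dst.subnet_of(other.dst)


def _net(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ANY
    return ipaddress.IPv4Network(token, strict=False)


def parse_acl(text: str) -> List[ACE]:
    """Parse one ACE per line; blank lines and '#' comments are ignored."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        acl.append(ACE(parts[0], _net(parts[2]), _net(parts[3])))
    return acl


def evaluate(acl: List[ACE], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Sequential comparison: the first ACE whose criteria match decides.

    Returns (action, 1-based ACE index). Index None means no ACE matched and
    the implicit "deny any" at the end of every ACL applied.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, ace in enumerate(acl, start=1):
        if ace.matches(s, d):
            return ace.action, idx
    return "deny", None


def shadowed_aces(acl: List[ACE]) -> List[int]:
    """1-based indexes of ACEs that can never fire because a single earlier
    ACE already matches everything they would match. First-match semantics
    hides this ordering mistake silently."""
    dead = []
    for i, ace in enumerate(acl):
        if any(ace.covered_by(earlier) for earlier in acl[:i]):
            dead.append(i + 1)
    return dead


# Constructed sample ACL for the walk-through (not from the guide).
SAMPLE_ACL = """
deny   ip 10.10.10.0/24 10.10.20.5/32   # block one server for this client subnet
permit ip 10.10.10.0/24 any             # everything else from the subnet is allowed
"""

# Same ACEs with "permit any" appended as the last ACE, overriding the implicit deny.
SAMPLE_ACL_PERMIT_ANY = SAMPLE_ACL + "permit ip any any\n"

# Same two ACEs in the wrong order: the permit now hides the deny.
SAMPLE_ACL_REVERSED = """
permit ip 10.10.10.0/24 any
deny   ip 10.10.10.0/24 10.10.20.5/32
"""


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for src, dst in [("10.10.10.7", "10.10.20.5"),
                     ("10.10.10.7", "10.10.30.1"),
                     ("192.168.1.1", "10.10.30.1")]:
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
    print("with permit any:", evaluate(parse_acl(SAMPLE_ACL_PERMIT_ANY),
                                       "192.168.1.1", "10.10.30.1"))
    print("shadowed ACEs in reversed ACL:", shadowed_aces(parse_acl(SAMPLE_ACL_REVERSED)))
```

The shadow check is deliberately conservative: it only reports an ACE that one earlier ACE covers completely, so a deny that is partly hidden, or hidden only by the union of several earlier permits, will not be flagged. Run it over an ACL before assigning it to a VLAN; a deny that evaluates to "never fires" is usually the ordering problem the first-match rule is describing.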
Example
Suppose the ACL in the figure is assigned to filter the IPv4 traffic from an authenticated client on a
given port in the switch:
Figure 228 Sequential comparison
As shown above, the ACL tries to apply the first ACE in the list. If there is no match it tries the
second ACE, and so on. When a match is found, the ACL invokes the configured action for that
314 IPv4 Access Control Lists (ACLs)