KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch

311

312

313

314

315

316

317

318

319

320

NOTE: All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured

for inbound traffic on that interface. For this reason, an inbound IPv4 packet will be denied

(dropped) if it has a match with either an implicit or explicit deny in any of the inbound ACLs

applied to the interface. This does not apply to traffic leaving the switch because only one type of

ACL-an RACL-can be applied, and only to routed IPv4 traffic.

See “Multiple ACLs on an interface” (page 310) for more detail.

IPv4 traffic management and improved network performance

Use ACLs to block traffic from individual hosts, workgroups, or subnets, and to block access to

VLANs, subnets, devices, and services.

Traffic criteria for ACLs include:

• Switched and/or routed traffic

• Any traffic of a specific IPv4 protocol type (0-255)

• Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of

connection traffic based on whether the initial request should be allowed

• Any UDP traffic or UDP traffic for a specific UDP port

• Any ICMP traffic or ICMP traffic of a specific type and code

• Any IGMP traffic or IGMP traffic of a specific type

• Any of the above with specific precedence and/or ToS settings

Depending on the source and/or destination of a given IPv4 traffic type, you must also determine

the ACL application (RACL, VACL, or static port ACL) needed to filter the traffic on the applicable

switch interfaces. Answering the following questions can help you to design and properly position

IPv4 ACLs for optimum network usage.

• What are the logical points for minimizing unwanted traffic, and what ACL application(s)

should be used? In many cases it makes sense to prevent unwanted traffic from reaching the

core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge

of the network. The earlier in the network path you can block unwanted traffic, the greater

the benefit for network performance.

• From where is the traffic coming? The source and destination of traffic you want to filter

determines the ACL application to use (RACL, VACL, static port ACL, and RADIUS-assigned

ACL).

• What traffic should you explicitly block? Depending on your network size and the access

requirements of individual hosts, this can involve creating a large number of ACEs in a given

ACL (or a large number of ACLs), which increases the complexity of your solution.

• What traffic can you implicitly block by taking advantage of the implicit deny ip any to deny

traffic that you have not explicitly permitted? This can reduce the number of entries needed

in an ACL.

• What traffic should you permit? In some cases you will need to explicitly identify permitted

traffic. In other cases, depending on your policies, you can insert an ACE with "permit any"

forwarding at the end of an ACL. This means that all IPv4 traffic not specifically matched by

earlier entries in the list will be permitted.

Security

ACLs can enhance security by blocking traffic carrying an unauthorized source IPv4 address (SA).

This can include:

• Blocking access from specific devices or interfaces (port or VLAN)

• Blocking access to or from subnets in your network

Overview 317