Access Security Guide K/KA/KB.15.15

VACLs and switched or routed IPv4 traffic
A VACL filters traffic entering the switch on the VLANs to which it is assigned.
Static port ACLs
A static port ACL filters traffic entering the switch on the ports or trunks to which it is assigned.
Per-switch ACL limits for all ACL types
At a minimum, an ACL must have one explicit "permit" or "deny" Access Control Entry (ACE). You
can configure up to 2048 ACLs each for IPv4 and IPv6. The maximums are as follows:
Named (Extended or Standard) ACLs: Up to 2048 (minus any numeric standard or extended ACL assignments, and any RADIUS-assigned ACLs)
Numeric Standard ACLs: Up to 99; numeric range: 1 - 99
Numeric Extended ACLs: Up to 100; numeric range: 100 - 199
The switch supports up to 3072 IPv4 ACEs and up to 3072 IPv6 ACEs. The maximum number of ACEs
allowed on a VLAN or port depends on the concurrent resource usage by multiple configured features.
For more information, use the show < qos | access-list > resources command. For a summary of
IPv4 and IPv6 ACL resource limits, see the appendix covering scalability in the latest Management
and Configuration Guide for your switch.
Implicit deny
In any static IPv4 ACL, the switch automatically applies an implicit deny ip any that does
not appear in show listings. This means that the ACL denies any IPv4 packet it encounters that
does not have a match with an entry in the ACL. Thus, if you want an ACL to permit any packets
that you have not expressly denied, you must enter a permit any or permit ip any any as
the last ACE in an ACL. Because, for a given packet the switch sequentially applies the ACEs
in an ACL until it finds a match, any packet that reaches the permit any or permit ip any
any entry will be permitted, and will not encounter the deny ip any ACE the switch
automatically includes at the end of the ACL. For Implicit Deny operation in dynamic ACLs,
see “RADIUS server support for switch services” (page 199).
Explicitly permitting any IPv4 traffic
Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not
previously permitted or denied by that ACL. Any ACEs listed after that point do not have any
effect.
Explicitly denying any IPv4 traffic
Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not
previously permitted or denied by that ACL. Any ACEs after that point have no effect.
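As an added example (not code from the guide or from the switch firmware), the following Python model shows the evaluation rules described above: ACEs are applied in order, the first match wins, unmatched IPv4 traffic falls to the implicit deny ip any, and any ACE listed after a permit ip any any or deny ip any any is unreachable. The ACE class, the sample ACLs and the audit() helper are constructed for this illustration and are assumptions, not the switch's own implementation; the audit is the kind of check a practitioner would run over an ACL before assigning it.

```python
"""Model of sequential IPv4 ACL evaluation with the switch's implicit deny (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: action, protocol, source prefix, destination prefix."""
    action: str          # "permit" or "deny"
    proto: str = "ip"    # "ip" matches any IPv4 protocol; otherwise "tcp", "udp", "icmp"
    src: str = "any"     # "any" or a prefix such as "10.0.0.0/8" or "192.168.1.10/32"
    dst: str = "any"

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and _in_prefix(self.src, src_ip)
                and _in_prefix(self.dst, dst_ip))

    def is_catch_all(self) -> bool:
        # "permit ip any any" / "deny ip any any" (the guide's "permit any" / "deny any")
        return self.proto == "ip" and self.src == "any" and self.dst == "any"


def _in_prefix(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, proto, src_ip, dst_ip):
    """Apply ACEs in order; the first match wins.

    Returns (action, index). index is None when no ACE matched, i.e. the packet
    was dropped by the implicit deny ip any the switch appends to every static ACL.
    """
    for idx, ace in enumerate(acl):
        if ace.matches(proto, src_ip, dst_ip):
            return ace.action, idx
    return "deny", None


def unreachable_aces(acl):
    """Indexes of ACEs listed after the first catch-all entry; no packet can reach them."""
    for idx, ace in enumerate(acl):
        if ace.is_catch_all():
            return list(range(idx + 1, len(acl)))
    return []


def audit(acl):
    """Hypothetical pre-assignment check: empty ACL, reliance on implicit deny, dead ACEs."""
    findings = []
    if not acl:
        findings.append("ACL has no ACE; the switch requires at least one explicit permit or deny")
    if not any(ace.is_catch_all() for ace in acl):
        findings.append("no catch-all ACE: unmatched IPv4 traffic is dropped by the implicit deny ip any")
    for idx in unreachable_aces(acl):
        findings.append(f"ACE {idx + 1} is unreachable: it follows a permit/deny ip any any")
    return findings


# Constructed sample: block TCP from 10/8 to one host, allow the rest of 10/8, no catch-all.
ACL_NO_CATCH_ALL = [
    ACE("deny", "tcp", "10.0.0.0/8", "192.168.1.10/32"),
    ACE("permit", "ip", "10.0.0.0/8", "any"),
]

# Constructed sample with a misplaced catch-all: the deny after "permit ip any any" never fires.
ACL_SHADOWED_DENY = [
    ACE("permit", "ip", "any", "any"),
    ACE("deny", "tcp", "10.0.0.0/8", "any"),
]

if __name__ == "__main__":
    for name, acl in (("no-catch-all", ACL_NO_CATCH_ALL), ("shadowed-deny", ACL_SHADOWED_DENY)):
        print(name, evaluate(acl, "udp", "172.16.5.5", "8.8.8.8"), audit(acl))
```

Traffic from 172.16.5.5 matches neither ACE of ACL_NO_CATCH_ALL and is dropped with index None, which is exactly the case the guide warns about: the denial is real but never appears in a show listing. In ACL_SHADOWED_DENY the audit flags ACE 2 as dead code, the practical consequence of placing permit ip any any anywhere but last.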
Replacing one ACL with another using the same application
For a specific interface, the most recent ACL assignment using a given application replaces
any previous ACL assignment using the same application on the same interface. For example,
if you configure an RACL named "100" to filter inbound routed traffic on VLAN 20, but later
configure another RACL named "112" to filter inbound routed traffic on the same VLAN, RACL
112 replaces RACL 100 as the ACL in use.
Static port ACLs
These are applied per-port, per port-list, or per static trunk. Adding a port to a trunk applies
the trunk's ACL configuration to the new member. If a port is configured with an ACL, the ACL
must be removed before the port is added to the trunk. Also, removing a port from an
ACL-configured trunk removes the ACL configuration from that port.
VACLs
These filter any IPv4 traffic entering the switch through any port belonging to the designated
VLAN. VACLs do not filter traffic leaving the switch or being routed from another VLAN.