Access Security Guide K/KA/KB.15.15

VACLs and RACLs operate on static VLANs
You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not
operate with dynamic VLANs.
A VACL or RACL affects all physical ports in a static VLAN
A VACL or RACL assigned to a VLAN applies to all physical ports on the switch belonging to
that VLAN, including ports that have dynamically joined the VLAN.
RACLs screen routed IPv4 traffic entering or leaving the switch on a given VLAN interface:
This means that the following traffic is subject to ACL filtering:
IPv4 traffic arriving on the switch through one VLAN and leaving the switch through another
VLAN
IPv4 traffic arriving on the switch through one subnet and leaving the switch through
another subnet within the same multinetted VLAN
Filtering the desired, routed traffic requires assigning an RACL to screen traffic inbound or
outbound on the appropriate VLAN(s). In the case of a multinetted VLAN, it means that IPv4
traffic inbound from different subnets in the same VLAN is screened by the same inbound RACL,
and IPv4 traffic outbound from different subnets is screened by the same outbound RACL. See
Figure 224 (page 307).
RACLs do not filter switched IPv4 traffic unless the switch itself is the SA or DA
RACLs do not filter traffic moving between ports belonging to the same VLAN or subnet (in the
case of a subnetted VLAN). (IPv4 traffic moving between ports in different subnets of the same
VLAN can be filtered.)
NOTE: RACLs do filter routed or switched IPv4 traffic having an SA or DA on the switch itself.
How an ACE uses a mask to screen packets for matches
When the switch applies an ACL to IPv4 traffic, each ACE in the ACL uses an IPv4 address and
ACL mask to enforce a selection policy on the packets being screened. That is, the mask determines
the range of IPv4 addresses (SA only or SA/DA) that constitute a match between the policy and
a packet being screened.
What is the difference between network (or subnet) masks and the masks used with ACLs?
In common IPv4 addressing, a network (or subnet) mask defines which part of the address to use
for the network number and which part to use for the hosts on the network. For example:
Address         Mask             Network address                  Host address
10.38.252.195   255.255.255.0    first three octets               the fourth octet
10.38.252.195   255.255.248.0    first two octets and the         the rightmost three bits of the
                                 leftmost five bits of the        third octet and all bits in the
                                 third octet                      fourth octet
Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network
number, and the bits set to 0 in the mask define the part of the address to use for the host number.
In an ACL, IPv4 addresses and masks provide criteria for determining whether to deny or permit
a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit
action occurs. If there is not a match, the packet is compared with the next ACE in the ACL. Thus,
where a standard network mask defines how to identify the network and host numbers in an IPv4
address, the mask used with ACEs defines which bits in a packet's SA or DA must match the
corresponding bits in the SA or DA listed in an ACE, and which bits can be wildcards.
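The contrast between a network mask and an ACE mask, worked through on the addresses from the table above. This is an added example, not code from the guide or from the switch software; it assumes the usual polarity for these ACL masks (a 0 bit in the ACL mask means the packet bit must match the ACE address, a 1 bit is a wildcard) and that an ACL ends with an implicit deny when no ACE matches.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def split_by_netmask(addr: str, netmask: str) -> tuple[str, str]:
    """Network mask: 1 bits select the network number, 0 bits the host number."""
    a, m = to_int(addr), to_int(netmask)
    return to_str(a & m), to_str(a & ~m)


def netmask_to_acl_mask(netmask: str) -> str:
    """A subnet's ACL mask is the bitwise inverse of its network mask (assumed polarity)."""
    return to_str(~to_int(netmask))


def ace_matches(packet_addr: str, ace_addr: str, acl_mask: str) -> bool:
    """ACL mask (assumed polarity): 0 bits must match the ACE address, 1 bits are wildcards."""
    care = ~to_int(acl_mask)
    return (to_int(packet_addr) & care) == (to_int(ace_addr) & care)


def screen(acl: list[tuple], src: str, dst: str) -> str:
    """Walk the ACEs in order; first SA/DA match decides, else fall through to implicit deny."""
    for action, sa, sa_mask, da, da_mask in acl:
        if ace_matches(src, sa, sa_mask) and ace_matches(dst, da, da_mask):
            return action
    return "deny"  # assumed implicit deny at the end of the list


# Constructed sample ACL: (action, SA, SA-mask, DA, DA-mask), matching the 10.38.x.x examples.
SAMPLE_ACL = [
    ("deny", "10.38.252.0", "0.0.0.255", "10.0.0.1", "0.0.0.0"),            # one /24 to one host
    ("permit", "10.38.248.0", "0.0.7.255", "0.0.0.0", "255.255.255.255"),   # the /21 to anywhere
]

if __name__ == "__main__":
    print(split_by_netmask("10.38.252.195", "255.255.248.0"))   # ('10.38.248.0', '0.0.4.195')
    print(netmask_to_acl_mask("255.255.248.0"))                 # 0.0.7.255
    print(screen(SAMPLE_ACL, "10.38.252.195", "10.0.0.1"))      # deny
    print(screen(SAMPLE_ACL, "10.38.252.195", "10.0.0.2"))      # permit
    print(screen(SAMPLE_ACL, "192.168.1.1", "10.0.0.2"))        # deny (implicit)
```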
322 IPv4 Access Control Lists (ACLs)