Access Security Guide K/KA/KB.15.15

Table 33 Examples of CIDR notation for masks

Meaning                                                            | Resulting ACL mask | Address used in an ACL with CIDR notation
The leftmost 15 bits must match; the remaining bits are wildcards. | 0.1.255.255        | 10.38.240.125/15
The leftmost 20 bits must match; the remaining bits are wildcards. | 0.0.15.255         | 10.38.240.125/20
The leftmost 21 bits must match; the remaining bits are wildcards. | 0.0.7.255          | 10.38.240.125/21
The leftmost 24 bits must match; the remaining bits are wildcards. | 0.0.0.255          | 10.38.240.125/24
All bits must match.                                               | 0.0.0.0            | 18.38.240.125/32
General steps for implementing ACLs
1. Configure one or more ACLs. This creates and stores the ACL(s) in the switch configuration.
2. Assign an ACL. This step uses one of the following applications to assign the ACL to an interface:
   • RACL (routed IPv4 traffic entering or leaving the switch on a given VLAN)
   • VACL (any IPv4 traffic entering the switch on a given VLAN)
   • Static Port ACL (any IPv4 traffic entering the switch on a given port, port list, or static trunk)
3. If the ACL is applied as an RACL, enable IPv4 routing. Except for instances where the switch is the traffic source or destination, assigned RACLs filter IPv4 traffic only when routing is enabled on the switch.
CAUTION:
IPv4 source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to disable source routing on the switch. To do so, execute no ip source-route.
Options for permit/deny policies
The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors.
• Standard ACL: Uses only a packet's source IPv4 address as a criterion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.
• Extended ACL: Offers the following criteria as options for permitting or denying a packet:
  • source IPv4 address
  • destination IPv4 address
  • IPv4 protocol options:
    • Any IPv4 traffic
    • Any traffic of a specific IPv4 protocol type (0-255)
    • Any TCP traffic (only) for a specific TCP port or range of ports, including optional use of TCP control bits or control of connection (established) traffic based on whether the initial request should be allowed
    • Any UDP traffic (only) or UDP traffic for a specific UDP port
    • Any ICMP traffic (only) or ICMP traffic of a specific type and code
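The mask derivation in Table 33 and the standard/extended matching criteria above, as an added worked example in Python (this is not code from the guide or from the switch firmware): it converts a prefix length to the ACL mask, tests an address against a base/mask pair, and evaluates constructed packets against a standard ACL and an extended ACL using the first-match rule and the implicit deny that ends every ACL. The packet and ACE models are simplifications of what the switch does; the reading of "established" as a TCP segment with ACK or RST set is an assumption, and the server address 10.1.1.10 and the sample packets are constructed for the example.

```python
# Added example (not from the Access Security Guide): derive the ACL mask for a
# CIDR prefix as in Table 33, then evaluate packets against a standard and an
# extended ACL using the first-match rule and the implicit "deny any" at the end.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MASK = "255.255.255.255"   # all bits are wildcards, i.e. "any" address


def acl_mask(prefix_len: int) -> str:
    """Wildcard ("ACL") mask for a prefix length: 0 bits must match, 1 bits are wildcards."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def table_33() -> dict:
    """The prefix lengths shown in Table 33 and the masks they resolve to."""
    return {plen: acl_mask(plen) for plen in (15, 20, 21, 24, 32)}


def cidr_to_base_and_mask(cidr: str) -> Tuple[str, str]:
    """'10.38.240.125/20' -> ('10.38.240.125', '0.0.15.255'); a bare address means /32."""
    addr, _, plen = cidr.partition("/")
    return addr, acl_mask(int(plen) if plen else 32)


def addr_matches(addr: str, base: str, mask: str) -> bool:
    """True if addr agrees with base on every bit that is 0 in the mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(mask))
    return ((a ^ b) & (0xFFFFFFFF ^ m)) == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"          # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None
    ack: bool = False           # TCP ACK flag
    rst: bool = False           # TCP RST flag


@dataclass
class ACE:
    """One access control entry. proto "ip" matches any IPv4 protocol."""
    action: str                 # "permit" or "deny"
    src: str
    src_mask: str
    proto: str = "ip"
    dst: str = "0.0.0.0"
    dst_mask: str = ANY_MASK
    dst_port: Optional[int] = None
    # Assumption: "established" means a TCP segment with ACK or RST set, i.e. a
    # reply to a connection that was opened from the other side.
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if not addr_matches(p.src, self.src, self.src_mask):
            return False
        if not addr_matches(p.dst, self.dst, self.dst_mask):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True


def ace(action: str, src: str = "any", proto: str = "ip", dst: str = "any",
        dst_port: Optional[int] = None, established: bool = False) -> ACE:
    """Build an ACE from CIDR strings ("any" = 0.0.0.0 with an all-wildcard mask)."""
    s, sm = ("0.0.0.0", ANY_MASK) if src == "any" else cidr_to_base_and_mask(src)
    d, dm = ("0.0.0.0", ANY_MASK) if dst == "any" else cidr_to_base_and_mask(dst)
    return ACE(action, s, sm, proto, d, dm, dst_port, established)


def evaluate(acl: List[ACE], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; if none matches, the implicit deny applies (index None)."""
    for i, entry in enumerate(acl):
        if entry.matches(p):
            return entry.action, i
    return "deny", None


# Constructed sample ACLs (addresses are the ones used in Table 33, not real hosts).
# Standard ACL: source address only. Permit the /21 block; everything else is implicitly denied.
STANDARD_ACL = [ace("permit", "10.38.240.125/21")]

# Extended ACL: clients in the /20 block may open HTTPS to one server, the server's
# replies to those connections may flow back, and an explicit deny ends the list.
EXTENDED_ACL = [
    ace("permit", "10.38.240.125/20", "tcp", "10.1.1.10/32", dst_port=443),
    ace("permit", "10.1.1.10/32", "tcp", "10.38.240.125/20", established=True),
    ace("deny"),
]

if __name__ == "__main__":
    for plen, mask in table_33().items():
        print(f"/{plen:<2} -> ACL mask {mask}")
    for pkt in (Packet("10.38.247.9", "10.0.0.1"), Packet("10.38.248.1", "10.0.0.1")):
        print("standard", pkt.src, evaluate(STANDARD_ACL, pkt))
    for pkt in (Packet("10.38.250.5", "10.1.1.10", "tcp", 443),
                Packet("10.1.1.10", "10.38.250.5", "tcp", 51000, ack=True),
                Packet("10.1.1.10", "10.38.250.5", "tcp", 51000)):
        print("extended", pkt.src, "->", pkt.dst, evaluate(EXTENDED_ACL, pkt))
```

The two points worth noticing when running it: 10.38.248.1 falls outside the /21 block even though it shares the first three octets' leading bits with 10.38.240.125, because the mask 0.0.7.255 fixes bit 5 of the third octet, and a bare SYN from the server toward a client is dropped by the extended ACL while the ACK-bearing reply is permitted, which is what "control of connection (established) traffic" buys you.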