Access Security Guide K/KA/KB.15.15

For more information on when to apply connection-rate ACLs, see Application options (page 66).
NOTE: Connection-rate ACLs are a special case of the switch ACL feature. If you need information
on other applications of ACLs or more detailed information on how ACLs operate, see “IPv4 Access
Control Lists (ACLs)” (page 259).
Connection-rate ACL operation
A connection-rate ACL applies to inbound traffic on all ports configured for connection-rate filtering
in the assigned VLAN, and creates an exception to the connection-rate filter policy configured on
each port. A connection-rate ACL has no effect on ports in the VLAN that are not configured for
connection-rate filtering.
A connection-rate ACL accepts inbound, legitimate traffic from trusted sources without filtering the
traffic for the configured connection-rate policy. You can configure an ACL to assign policy filtering
(filter) for traffic from some sources and no policy filtering (ignore) for traffic from other
sources. However, the implicit filter invoked as the last entry in any connection-rate ACL ensures
that any traffic not specifically excluded from policy filtering (by the ignore command) will be
filtered by the configured policy for the port on which that traffic entered the switch.
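The decision logic just described (an ACL only matters on ports that have connection-rate filtering configured, ignore entries exempt trusted sources, filter entries and the implicit trailing filter send everything else through the port's policy, first match wins) is easy to get wrong when an ACL mixes ignore and filter entries. The following Python model is an added illustration, not switch firmware or any part of this guide; the "host <addr>" criterion is the page's, while the "any" and "<addr>/<prefix-len>" criteria, the port and VLAN names, and the sample addresses are assumptions constructed for the example.

```python
"""Model of connection-rate ACL decision logic (added illustration, not switch code).

Assumptions: besides the 'host <addr>' criterion shown on the page, this model
accepts 'any' and '<addr>/<prefix-len>' as source criteria; addresses,
port names and VLAN numbers below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


def parse_source_criteria(text: str) -> ipaddress.IPv4Network:
    """Turn an ACE source criterion into a network.
    'host A' is a /32 (the form on the page); 'any' and 'A/N' are assumed forms."""
    parts = text.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if len(parts) == 2 and parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    if len(parts) == 1 and "/" in parts[0]:
        return ipaddress.IPv4Network(parts[0], strict=False)
    raise ValueError(f"unrecognised source criteria: {text!r}")


@dataclass
class Ace:
    action: str                      # "ignore" or "filter"
    source: ipaddress.IPv4Network


@dataclass
class ConnectionRateAcl:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def ignore(self, criteria: str) -> None:
        self.aces.append(Ace("ignore", parse_source_criteria(criteria)))

    def filter(self, criteria: str) -> None:
        self.aces.append(Ace("filter", parse_source_criteria(criteria)))

    def decide(self, src: ipaddress.IPv4Address) -> str:
        # First matching ACE wins, in the order the entries were configured.
        for ace in self.aces:
            if src in ace.source:
                return ace.action
        # Implicit 'filter' as the last entry: anything not explicitly
        # ignored is subject to the port's connection-rate policy.
        return "filter"


@dataclass
class Port:
    name: str
    vlan: int
    connection_rate_filtering: bool  # is a connection-rate policy configured on this port?


def inbound_disposition(port: Port, acls_by_vlan: Dict[int, ConnectionRateAcl],
                        src_ip: str) -> str:
    """'not-subject': no connection-rate filtering on the port, so the ACL has no effect.
    'ignore': trusted source, bypasses the port's policy.
    'filter': traffic goes through the port's connection-rate policy."""
    if not port.connection_rate_filtering:
        return "not-subject"
    acl = acls_by_vlan.get(port.vlan)
    if acl is None:
        return "filter"  # no exceptions configured: all inbound traffic is policy-filtered
    return acl.decide(ipaddress.IPv4Address(src_ip))


def demo() -> Dict[str, str]:
    """Constructed scenario: one ACL on VLAN 10, a filtered port A1 and an
    unfiltered port A2 in that VLAN. Returns the disposition per case."""
    acl = ConnectionRateAcl("trusted-servers")
    acl.ignore("host 15.45.120.70")   # the example host from the page
    acl.filter("15.45.120.0/24")      # assumed subnet form: the rest of that /24 is filtered
    acl.ignore("15.45.0.0/16")        # assumed: wider block trusted, but after the /24 entry
    acls = {10: acl}
    a1 = Port("A1", vlan=10, connection_rate_filtering=True)
    a2 = Port("A2", vlan=10, connection_rate_filtering=False)
    return {
        "A1 from 15.45.120.70": inbound_disposition(a1, acls, "15.45.120.70"),  # explicit ignore
        "A1 from 15.45.120.5": inbound_disposition(a1, acls, "15.45.120.5"),    # /24 filter wins
        "A1 from 15.45.3.9": inbound_disposition(a1, acls, "15.45.3.9"),        # /16 ignore
        "A1 from 10.1.1.1": inbound_disposition(a1, acls, "10.1.1.1"),          # implicit filter
        "A2 from 10.1.1.1": inbound_disposition(a2, acls, "10.1.1.1"),          # ACL irrelevant
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The ordering point is the one worth checking on a real configuration: because the first matching entry decides, an ignore for a wide block placed after a filter for a narrower subnet inside it does not un-filter that subnet, and any source matched by nothing still lands on the implicit filter.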
Figure 37 Connection-rate ACL applied to traffic received through a given port
Connection-Rate ACL operating notes
ACE Types:
A connection-rate ACL allows you to configure two types of ACEs (Access Control Entries):
ignore <source-criteria>
    This ACE type directs the switch to permit all inbound traffic meeting the configured
    <source-criteria> without filtering the traffic through the connection-rate policy
    configured on the port through which the traffic entered the switch. For example,
    ignore host 15.45.120.70 tells the switch to permit traffic from the host at
    15.45.120.70 without filtering this host's traffic through the connection-rate policy
    configured for the port on which the traffic entered the switch.
filter <source-criteria>
    This ACE type does the opposite of an ignore entry. That is, all inbound traffic meeting
    the configured <source-criteria> must be filtered through the connection-rate policy
68 Virus throttling (connection-rate filtering)