R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

ACL configuration

NOTE:

The web interface supports only configuration of IPv4 ACLs.

ACL overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on

criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. You can use ACLs in QoS, firewall, routing, and other feature

modules for identifying traffic. The packet drop or forwarding decisions varies with the modules that use

ACLs.

IPv4 ACL categories

Cate

ACL number

Matchin

criteria

Basic ACL 2000 to 2999 Source IPv4 address

Advanced ACL 3000 to 3999

Source IPv4 address, destination IPv4

address, packet priority, protocols over

IPv4, and other Layer 3 and Layer 4

header fields

Ethernet frame header ACL 4000 to 4999

Layer 2 header fields, such as source and

destination MAC addresses, 802.1p

priority, and link layer protocol type

ACL numbering and naming

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a

number. In addition, you can assign the ACL a name for the ease of identification. After creating an ACL

with a name, you can neither rename it nor delete its name.

For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic

or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the

match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting

rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

• config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a

rule with a higher ID. If you use this approach, carefully check the rule content and order.