R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is
numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6 and 8.
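As an added illustration (not code from the HP guide), the following Python model reproduces the numbering behaviour described above. It assumes, from the figures given, that an automatically numbered rule receives the smallest multiple of the step that is greater than every existing rule number, and that a step change renumbers the rules from 0 in their existing order; the class and function names are this example's own.

```python
"""Model of ACL rule numbering by step (added example, not HP's implementation).

Assumption drawn from the guide's figures: a new rule without an explicit number
gets the smallest multiple of the step greater than all existing numbers, and a
step change renumbers all rules from 0, preserving their relative order.
"""


def next_rule_number(existing, step):
    """Number assigned to a newly defined rule, given the existing rule numbers."""
    existing = list(existing)
    if not existing:
        return 0  # an empty ACL starts numbering at 0
    return (max(existing) // step + 1) * step


def renumber(existing, step):
    """Numbers the rules receive after the step changes, in their current order."""
    return [i * step for i, _ in enumerate(sorted(existing))]


class AclNumbering:
    """Keeps rule descriptions keyed by rule number and renumbers on step changes."""

    def __init__(self, step=5):
        if step <= 0:
            raise ValueError("step must be positive")
        self.step = step
        self.rules = {}  # rule number -> rule description

    def add_rule(self, description):
        number = next_rule_number(self.rules, self.step)
        self.rules[number] = description
        return number

    def set_step(self, step):
        if step <= 0:
            raise ValueError("step must be positive")
        ordered = [self.rules[n] for n in sorted(self.rules)]
        self.step = step
        self.rules = dict(zip(renumber(self.rules, step), ordered))

    def numbers(self):
        return sorted(self.rules)


if __name__ == "__main__":
    # Figures from the guide: step 5, rules 0, 5, 9, 10, 12 -> next rule is 15.
    print(next_rule_number([0, 5, 9, 10, 12], 5))
    # Step changed from 5 to 2 for rules 5, 10, 13, 15, 20 -> 0, 2, 4, 6, 8.
    print(renumber([5, 10, 13, 15, 20], 2))
    acl = AclNumbering(step=5)
    for text in ("permit source 192.0.2.0 0.0.0.255", "deny any", "permit any"):
        acl.add_rule(text)
    acl.set_step(2)
    print(acl.numbers(), acl.add_rule("deny source 198.51.100.0 0.0.0.255"))
```

Because renumbering changes every rule ID, anything that references rules by number (scripts, change tickets, documentation of which rule a session log matched) should be revisited after a step change.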
Fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first
fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid these risks, the HP ACL implementation:
Filters all fragments by default, including non-first fragments.
Allows for matching criteria modification, for example, filters non-first fragments only.
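To show why the default matters, here is an added Python model (not code from the HP guide) of a deny rule keyed on source address under the three fragment-handling behaviours the text describes: traditional first-fragment-only inspection, filtering of all fragments, and matching non-first fragments only. The packet fields, mode names and sample traffic are constructed for this illustration.

```python
"""Toy packet filter contrasting fragment-handling modes (added example).

The three modes model the behaviours named in the guide; the Packet fields and
the mode constants are this example's own assumptions, not HP's rule syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    frag_offset: int  # 0 = unfragmented or first fragment; > 0 = non-first fragment


TRADITIONAL = "traditional"        # only first fragments are inspected
ALL_FRAGMENTS = "all-fragments"    # every fragment is filtered (the guide's default)
NON_FIRST_ONLY = "non-first-only"  # modified criteria: match non-first fragments only


def rule_matches(pkt, deny_src, mode):
    """Does a deny rule for source deny_src match this packet under the given mode?"""
    if pkt.src != deny_src:
        return False
    non_first = pkt.frag_offset > 0
    if mode == TRADITIONAL:
        return not non_first       # non-first fragments are never examined
    if mode == ALL_FRAGMENTS:
        return True                # first and non-first fragments alike
    if mode == NON_FIRST_ONLY:
        return non_first           # the rule is restricted to non-first fragments
    raise ValueError(f"unknown mode {mode!r}")


def filter_packets(packets, deny_src, mode):
    """Return (packet, action) pairs, action being 'deny' or 'permit'."""
    return [(p, "deny" if rule_matches(p, deny_src, mode) else "permit") for p in packets]


def leaked_count(packets, deny_src, mode):
    """Packets from the blocked source that the rule still lets through."""
    return sum(1 for p, action in filter_packets(packets, deny_src, mode)
               if p.src == deny_src and action == "permit")


# Constructed sample: a fragmented datagram from a source the rule should block,
# plus one unfragmented packet from an unrelated host.
SAMPLE = [
    Packet("192.0.2.10", 0),      # first fragment
    Packet("192.0.2.10", 185),    # non-first fragment (offset in 8-byte units)
    Packet("192.0.2.10", 370),    # non-first fragment
    Packet("198.51.100.7", 0),    # unrelated host
]

if __name__ == "__main__":
    for mode in (TRADITIONAL, ALL_FRAGMENTS, NON_FIRST_ONLY):
        print(f"{mode:15s} packets from blocked source still permitted:",
              leaked_count(SAMPLE, "192.0.2.10", mode))
```

Under the traditional mode the two non-first fragments from the blocked source pass unexamined, which is exactly the gap the text warns about; filtering all fragments closes it, while the non-first-only modifier is useful when a separate rule already handles first fragments.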
ACL acceleration
ACL acceleration speeds up ACL lookup. The acceleration effect increases with the number of ACL rules.
ACL acceleration uses memory. To achieve the best trade-off between memory and ACL processing
performance, HP recommends that you enable ACL acceleration only for large ACLs.
For example, when you use a large ACL for a session-based service, such as NAT, you can enable ACL
acceleration to avoid session timeouts caused by ACL processing delays.
Enable ACL acceleration in an ACL after you have finished editing ACL rules. ACL acceleration always
uses ACL criteria that have been set before it is enabled for rule matching. It does not synchronize with
any subsequent match criterion changes.
Configuring ACL in the web interface
Configuration task list
Perform the tasks in Table 2 to configure an ACL.
Table 2 ACL configuration task list
Task: Creating an ACL
Remarks: Required. The category of the created ACL depends on the ACL number that you specify.
Task: Configuring a basic ACL rule; Configuring an advanced ACL rule; Configuring an Ethernet frame header ACL rule
Remarks: Required. Complete one of these three tasks according to the ACL category.