3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

5 ACL CONFIGURATION
Introduction to ACL
ACL Overview
To filter data packets, a series of rules must be configured on the security gateway to decide which packets may pass. These rules are defined by an ACL (Access Control List): an ordered series of rules, each a permit or a deny statement. A rule is expressed in terms of the source address, destination address and port number of the packets it describes. When an ACL is applied to a security gateway interface, the gateway classifies packets against its rules and decides which packets are received and which are rejected.
Classification of ACL
According to application purpose, ACLs fall into four groups:
Basic ACL
Advanced ACL
Interface-based ACL
MAC-based ACL
The application purpose of an ACL is determined by the range its number falls in: interface-based ACLs are numbered 1000 to 1999, basic ACLs 2000 to 2999, advanced ACLs 3000 to 3999, and MAC-based ACLs 4000 to 4999.
Match Order of ACL
An ACL may consist of several permit and deny statements, each specifying a different rule. When a packet could match more than one of them, the order in which the rules are tried decides the outcome.
There are two kinds of match orders:
Configuration sequence: match ACL rules in the order in which they were configured.
Automatic sequencing: follow the principle of "depth priority".
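The two orders give different results as soon as a broad rule and a narrow rule both match the same packet, which is exactly the case that matters when a specific deny is configured after a general permit. The following Python is an added example, not code from the 3Com guide: it models basic-ACL style source-address rules, treats a wildcard bit of 1 as "don't care" (as the guide's own example does), implements configuration-sequence and depth-priority ordering, and applies first-match semantics. The Rule class, the helper names and the sample rule set are this example's own constructions.

```python
"""Configuration-sequence vs depth-priority matching for source-address ACL rules.

Added example. Wildcard semantics follow the guide (0 bit = must match,
1 bit = don't care); the data model and sort key are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int        # configuration order, 1 = configured first
    action: str     # "permit" or "deny"
    source: str     # dotted source address, or "any"
    wildcard: str   # dotted wildcard mask; ignored when source is "any"


def _addr_and_wildcard(rule):
    """Return (address, wildcard) as integers; 'any' is 0.0.0.0 255.255.255.255."""
    if rule.source == "any":
        return 0, 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(rule.source)),
            int(ipaddress.IPv4Address(rule.wildcard)))


def wildcard_bits(wildcard):
    """Number of don't-care bits in a dotted wildcard; smaller = narrower rule."""
    return bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def host_range(source, wildcard):
    """Lowest and highest address that a (source, wildcard) pair matches."""
    addr = int(ipaddress.IPv4Address(source))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = addr & ~wc & 0xFFFFFFFF      # force checked bits, clear don't-care bits
    high = addr | wc                   # set every don't-care bit
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def matches(rule, packet_src):
    """True when the packet's source agrees with the rule on every checked bit."""
    addr, wc = _addr_and_wildcard(rule)
    pkt = int(ipaddress.IPv4Address(packet_src))
    return (addr & ~wc) == (pkt & ~wc)


def config_order(rules):
    """Configuration sequence: rules are tried in the order they were entered."""
    return sorted(rules, key=lambda r: r.seq)


def depth_priority(rules):
    """Automatic sequencing: fewest don't-care bits first (so 'any' last);
    rules with equal wildcards keep their configuration sequence."""
    def key(rule):
        _, wc = _addr_and_wildcard(rule)
        return (bin(wc).count("1"), rule.seq)
    return sorted(rules, key=key)


def first_match(rules, packet_src):
    """Action of the first rule that matches the packet, or None if none does."""
    for rule in rules:
        if matches(rule, packet_src):
            return rule.action
    return None


# Constructed sample rule set, in the order an operator typed it:
# a broad permit first, then the narrow denies the operator really wanted.
RULES = [
    Rule(1, "permit", "129.102.0.0", "0.0.255.255"),  # the guide's /16 segment
    Rule(2, "deny",   "129.102.1.1", "0.0.0.0"),      # one host inside it
    Rule(3, "permit", "any",         ""),
    Rule(4, "deny",   "10.1.1.0",    "0.0.0.255"),
    Rule(5, "permit", "10.2.0.0",    "0.0.255.255"),  # ties with rule 1 on width
]

if __name__ == "__main__":
    for name, ordered in (("config", config_order(RULES)),
                          ("depth", depth_priority(RULES))):
        print(name, [r.seq for r in ordered],
              "129.102.1.1 ->", first_match(ordered, "129.102.1.1"))
```

Under configuration sequence the host deny in rule 2 is shadowed by the /16 permit in rule 1; under depth priority the host rule is tried first and the packet is denied. When reviewing an ACL, check which order the ACL is configured with before concluding that a narrow deny is actually effective.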
The "depth priority" rule puts the statement that specifies the smallest range of packets first. This is decided by comparing the address wildcards: the smaller the wildcard, the smaller the host range specified. For example, 129.102.1.1 0.0.0.0 specifies a single host, 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.0 to 129.102.255.255 (the wildcard leaves the last 16 bits unchecked). The former is therefore placed first. The detailed standard is: for statements of a basic access control rule, directly compare their source address wildcards; if the wildcards are the same, arrange the statements in configuration sequence. For interface-based access control rules, put the rule configured with "any" behind,