HP VPN Firewall Appliances Access Control Configuration Guide
1
Configuring ACLs
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
The Web interface does not support configuring IPv6 ACLs.
Overview
You can use ACLs in QoS, firewall, routing, and other feature modules for identifying traffic. The packet
drop or forwarding decisions varies with the modules that use ACLs.
ACL categories
Cate
g
or
y
ACL number IP version
Match criteria
Basic ACLs 2000 to 2999
IPv4 Source IPv4 address
IPv6 Source IPv6 address
Advanced ACLs 3000 to 3999
IPv4
Source IPv4 address, destination IPv4 address,
packet priority, protocol number, and other
Layer 3 and Layer 4 header fields
IPv6
Source IPv6 address, destination IPv6 address,
packet priority, protocol number, and other
Layer 3 and Layer 4 header fields
Ethernet frame
header ACLs
4000 to 4999 N/A
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority,
and link layer protocol type
Numbering and naming ACLs
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with
a name, you cannot rename it or delete its name.
For an IPv4 basic or advanced ACLs, its ACL number and name must be unique in IPv4, and for an IPv6
basic or advanced ACL, its ACL number and name must be unique in IPv6.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available: