WESM zl Management and Configuration Guide WT.01.03 and greater
7-3
Access Control Lists (ACLs)
Overview
ACL Types
The Wireless Edge Services zl Module supports two basic ACL types:
■ IP ACLs—based on the IP header (Layer 3)
IP ACLs control traffic inbound on an interface. They can apply to the
Wireless Edge Services zl Module’s virtual LAN (VLAN) interfaces or to
its two physical interfaces: the internal uplink and downlink ports. If
applied to a VLAN interface, the IP ACLs control routed traffic. If applied
to a physical port, the IP ACLs control inbound traffic on all VLANs tagged
for that interface.
■ MAC ACLs—based on the Media Access Control (MAC) header (Layer 2)
Standard MAC ACLs are used for MAC authentication. You can apply
extended MAC ACLs to the module’s physical interfaces, but not to its
VLAN interfaces. Like IP ACLs, the extended MAC ACLs affect inbound
traffic.
Both types of ACLs include two subtypes: standard and extended.
Standard IP ACLs
Standard IP ACLs permit and deny traffic according to source IP addresses.
They match inbound traffic based on the following IP header fields:
■ source IP address—either any IP address, an individual (“host”) IP
address, or all IP addresses in a particular subnetwork
■ WLAN index—the index number (1 through 256) of the WLAN through
which the packet arrived (for physical interfaces only)
You can apply a standard IP ACL to inbound traffic on either a logical (VLAN)
interface or a physical (internal uplink or downlink) interface. When you apply
an ACL to a logical interface, the traffic must be routed to be filtered.
Extended IP ACLs
Extended IP ACLs can permit and deny traffic according to more sophisticated
criteria than standard IP ACLs. They match inbound traffic based on the
following IP header fields:
■ source and destination IP address—either any IP address, an individual
(“host”) IP address, or all IP addresses in a particular subnetwork
■ ICMP message type and code
■ TCP and UDP source and destination ports
■ WLAN index—the index number (1 through 256) of the WLAN through
which the packet arrived (for physical interfaces only)
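To make the difference between the two IP ACL subtypes concrete, here is an added Python model of how a standard and an extended IP ACL decide inbound packets according to the fields listed above. It is illustration only, not the module's own code or CLI syntax; the rule/packet field names, the first-match evaluation order, and the treatment of a packet that matches no entry (returned as None, since this page does not state the no-match behaviour) are assumptions.

```python
# Added illustration (not the module's code): first-match evaluation of a
# standard or extended IP ACL. Assumptions: entries are checked in order; a
# packet that matches no entry yields None; the WLAN index criterion is only
# evaluated on physical (uplink/downlink) interfaces, as the guide states.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str = "any"                # "any", "host 10.1.1.5" or "10.1.1.0/24"
    dst: str = "any"                # extended ACLs only
    proto: Optional[str] = None     # None, "icmp", "tcp" or "udp" (extended only)
    icmp: Optional[tuple] = None    # (type, code) for proto == "icmp"
    sport: Optional[int] = None     # TCP/UDP source port
    dport: Optional[int] = None     # TCP/UDP destination port
    wlan: Optional[int] = None      # WLAN index 1..256, physical interfaces only

def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl, packet, kind="extended", interface="physical", routed=True):
    """Return 'permit'/'deny' from the first matching entry, None if nothing
    matches, or 'not-applied' for bridged traffic on a VLAN interface."""
    if interface == "vlan" and not routed:
        return "not-applied"        # on a VLAN interface only routed traffic is filtered
    for e in acl:
        if not _addr_match(e.src, packet["src"]):
            continue
        if e.wlan is not None and (interface != "physical" or packet.get("wlan") != e.wlan):
            continue
        if kind == "extended":      # standard ACLs look at source and WLAN only
            if not _addr_match(e.dst, packet["dst"]):
                continue
            if e.proto and e.proto != packet.get("proto"):
                continue
            if e.icmp and e.icmp != (packet.get("icmp_type"), packet.get("icmp_code")):
                continue
            if e.sport is not None and e.sport != packet.get("sport"):
                continue
            if e.dport is not None and e.dport != packet.get("dport"):
                continue
        return e.action
    return None
```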