WESM zl Management and Configuration Guide WT.01.28 and greater

7-5
Access Control Lists (ACLs)
Overview
All ACLs include an implicit “deny any” rule at the end. In other words, if traffic
does not match any of the ACL’s rules, the ACL drops the traffic. MAC standard
ACLs, which are configured as filters for local MAC authentication, are the exception:
they include an implicit “permit any” rule at the end. See “MAC Filters (Local
MAC Authentication)” on page 12-75 of Chapter 12: “Wireless Network Management.”
Precedence
An ACL’s rules are processed in ascending numeric order until a “match” is found
for the packet or frame. When the Wireless Edge Services zl Module matches traffic
to a rule, that rule has “selected” the traffic, and the module performs the operation
defined for the rule; later rules are not consulted.
Each ACL has a list of ordered rules separate from all other ACLs. For example, two
ACLs can each have one rule with a precedence value of 1.
Filters
Filters specify the information that a packet’s header must match. As discussed in
“ACL Types” on page 7-3, valid fields depend on the ACL type. A packet or frame
must match every filter that you specify.
Rules for all ACL types can include these filters:
  • source address, either IP or MAC address
    The filter can select:
      - all addresses
      - a single address
      - a range of addresses, specified either by subnetwork address and prefix
        length (for IP ACLs) or by mask (for MAC extended ACLs)
  • WLAN index number (from 1 through 256)
    The traffic must arrive from this WLAN to match the rule. This setting is optional
    and takes effect only for ACLs applied to physical interfaces. You should only
    use it for the ACLs applied to the downlink port.
Extended IP ACL rules can include these additional filters:
  • destination IP address
    The filter can select:
      - all addresses
      - a single address
      - a range of addresses, specified by subnetwork address and a prefix length
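The precedence and filter semantics described above (rules evaluated in ascending order, first match selects the traffic, every filter in a rule must match, and an implicit trailing “deny any” on all ACL types except MAC standard ACLs, which end with “permit any”) can be checked against a small model. The following is an added example written for this guide; it is not code from the Wireless Edge Services zl Module. The ACL kind names, the packet dictionary fields, the sample ACLs and packets, and the assumption that a MAC mask bit of 1 means “this bit must match” are all constructed for illustration.

```python
"""Toy evaluator for the ACL semantics on this page (added example, not product code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def _ip_in(addr: Optional[str], net: str) -> bool:
    """True if addr falls inside net; a bare address such as '192.168.1.10' is a /32."""
    if addr is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Rule:
    precedence: int
    action: str                                 # "permit" or "deny"
    src_ip: Optional[str] = None                # address or subnet/prefix; None = any
    dst_ip: Optional[str] = None                # extended IP ACLs only
    src_mac: Optional[Tuple[str, str]] = None   # (address, mask); None = any
    wlan: Optional[int] = None                  # WLAN index 1..256; None = any

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.wlan is not None and not 1 <= self.wlan <= 256:
            raise ValueError("WLAN index must be from 1 through 256")

    def matches(self, pkt: dict) -> bool:
        """A rule selects traffic only when every filter it specifies matches."""
        if self.src_ip is not None and not _ip_in(pkt.get("src_ip"), self.src_ip):
            return False
        if self.dst_ip is not None and not _ip_in(pkt.get("dst_ip"), self.dst_ip):
            return False
        if self.src_mac is not None:
            if "src_mac" not in pkt:
                return False
            addr, mask = (mac_to_int(x) for x in self.src_mac)
            # Assumption for this example: mask bit 1 = bit must match (subnet-mask style).
            if mac_to_int(pkt["src_mac"]) & mask != addr & mask:
                return False
        if self.wlan is not None and pkt.get("wlan") != self.wlan:
            return False
        return True


@dataclass
class ACL:
    name: str
    kind: str   # assumed labels: "ip-standard", "ip-extended", "mac-standard", "mac-extended"
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> "ACL":
        # Valid filters depend on ACL type: destination IP exists only in extended IP ACLs.
        if rule.dst_ip is not None and self.kind != "ip-extended":
            raise ValueError("destination IP filter is only valid in extended IP ACLs")
        # Each ACL keeps its own ordered list, so the same precedence may appear in
        # different ACLs, but (assumed here) only once within one ACL.
        if any(r.precedence == rule.precedence for r in self.rules):
            raise ValueError(f"precedence {rule.precedence} already used in {self.name}")
        self.rules.append(rule)
        return self

    def evaluate(self, pkt: dict):
        """Return (action, precedence); precedence None means the implicit trailing rule fired."""
        for rule in sorted(self.rules, key=lambda r: r.precedence):
            if rule.matches(pkt):
                return rule.action, rule.precedence
        # Implicit last rule: "permit any" for MAC standard ACLs, "deny any" for every other type.
        return ("permit" if self.kind == "mac-standard" else "deny"), None


def build_examples():
    """Two constructed ACLs: an extended IP ACL for a downlink port and a MAC standard filter."""
    downlink = ACL("downlink-filter", "ip-extended")
    downlink.add(Rule(10, "deny", src_ip="10.1.5.0/24"))
    downlink.add(Rule(20, "permit", src_ip="10.1.0.0/16", dst_ip="192.168.1.10", wlan=3))
    guests = ACL("guest-mac-filter", "mac-standard")
    guests.add(Rule(1, "deny", src_mac=("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff")))
    guests.add(Rule(2, "deny", src_mac=("00:11:22:00:00:00", "ff:ff:ff:00:00:00")))
    return downlink, guests


if __name__ == "__main__":
    downlink, guests = build_examples()
    # Constructed packets: the 10.1.5.x host hits the deny at precedence 10 even though it
    # also matches the permit at 20; a client on WLAN 4 falls through to the implicit deny.
    for pkt in ({"src_ip": "10.1.5.7", "dst_ip": "192.168.1.10", "wlan": 3},
                {"src_ip": "10.1.6.7", "dst_ip": "192.168.1.10", "wlan": 3},
                {"src_ip": "10.1.6.7", "dst_ip": "192.168.1.10", "wlan": 4}):
        print(downlink.name, pkt, "->", downlink.evaluate(pkt))
    # The MAC standard ACL ends in an implicit permit, so an unlisted station is allowed.
    print(guests.name, guests.evaluate({"src_mac": "00:aa:bb:cc:dd:ee"}))
```

The model makes the ordering rule concrete: the `downlink-filter` ACL denies a 10.1.5.x source at precedence 10 before the broader permit at 20 is ever considered, and a frame on WLAN 4 that matches no rule falls to the implicit deny, while an unlisted MAC address on the `guest-mac-filter` ACL is permitted by that ACL type's implicit “permit any”.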