WESM zl Management and Configuration Guide WT.01.28 and greater

7-8
Access Control Lists (ACLs)
Overview
ACL Strategies
The Wireless Edge Services zl Module’s ACLs can enforce a variety of flexible
policies. Within a given rule, or among the rules in a given ACL, you can combine
filter criteria—for example, to filter based on a port number and source and
destination addresses, or based on an Ethertype and a WLAN index value, and so on.
Example policies include:
limiting a particular subnetwork to accessing certain servers only
For example, your Wireless Edge Services zl Module places wireless traffic in
VLAN 8 (192.168.8.0/24). You want to limit the wireless users to accessing a
Web server. You would create an extended IP ACL and add a permit rule with
the destination address of the Web server. The source address would be
192.168.1.0, and the prefix length would be 24.
You would then apply the ACL to inbound traffic on VLAN 8. The module only
forwards traffic matching the permit rule (that is, traffic destined to the Web
server).
marking traffic destined for a particular port (or range of ports) for QoS or TOS
You may want to mark time-sensitive traffic, which is often destined to one of
UDP’s real-time ports, for higher QoS. For example, to mark traffic destined for
UDP port 1720 with a TOS value, you would create an extended IP ACL with
a rule that includes these specifications:
a mark operation and the desired TOS value
the UDP protocol
the 1720 destination port
The source and destination wildcard/masks would both be set to “any,” and you
would not specify the WLAN index.
permitting or denying traffic based on the WLAN from which it arrives
Perhaps your Wireless Edge Services zl Module places all wireless traffic in the
same VLAN, VLAN 16. However, one WLAN grants guests access, and you
want to prohibit guest access to VLAN 2, which includes servers holding sensitive
information.
When you configure the extended IP ACL to control traffic that arrives on the
VLAN 16 interface, add a rule that does the following:
denies traffic destined to the VLAN 2 subnetwork
specifically selects traffic from the guest WLAN
Make sure that this rule has a lower precedence order than any rule that permits
traffic to VLAN 2, so that the deny rule is evaluated before the permit rule.
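The three policies above depend on how an ACL is evaluated: each rule's criteria (protocol, source and destination prefixes, destination port, WLAN index) must all match, the first matching rule in precedence order decides the outcome, and traffic that matches no rule is dropped. The following Python model, written for this section and not taken from the module or its CLI, walks through all three examples; it assumes that lower precedence numbers are evaluated first, that unmatched traffic hits an implicit deny, and it uses a constructed Web server address, guest WLAN index and TOS value.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    precedence: int            # lower number is evaluated first (assumed ordering)
    action: str                # "permit", "deny" or "mark"
    protocol: str = "any"      # "udp", "tcp" or "any"
    src: str = "any"           # CIDR prefix or "any" (the guide's "any" wildcard)
    dst: str = "any"
    dst_port: Optional[int] = None
    wlan: Optional[int] = None # WLAN index; None means "not specified"
    tos: Optional[int] = None  # TOS value written by a "mark" rule

def _in_prefix(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Every criterion given in the rule must match; unspecified criteria match anything."""
    return (rule.protocol in ("any", pkt["protocol"])
            and _in_prefix(rule.src, pkt["src"]) and _in_prefix(rule.dst, pkt["dst"])
            and rule.dst_port in (None, pkt.get("dst_port"))
            and rule.wlan in (None, pkt.get("wlan")))

def evaluate(acl: list, pkt: dict) -> tuple:
    """First matching rule wins, in ascending precedence order; no match hits the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            return rule.action, rule.tos
    return "deny", None

# Constructed sample data: hypothetical Web server 192.168.2.80, guest WLAN index 2, TOS value 5.
WEB_ACL = [Rule(10, "permit", src="192.168.1.0/24", dst="192.168.2.80/32")]
QOS_ACL = [Rule(10, "mark", protocol="udp", dst_port=1720, tos=5)]

def guest_policy(deny_prec: int, permit_prec: int) -> str:
    """Outcome for a guest-WLAN packet to VLAN 2 given the precedences of the deny and permit rules."""
    acl = [Rule(deny_prec, "deny", dst="192.168.2.0/24", wlan=2),
           Rule(permit_prec, "permit", dst="192.168.2.0/24")]
    pkt = {"protocol": "tcp", "src": "192.168.16.50", "dst": "192.168.2.10", "dst_port": 445, "wlan": 2}
    return evaluate(acl, pkt)[0]

if __name__ == "__main__":
    print(evaluate(WEB_ACL, {"protocol": "tcp", "src": "192.168.1.20", "dst": "192.168.2.80", "dst_port": 80}))
    print(evaluate(QOS_ACL, {"protocol": "udp", "src": "192.168.8.5", "dst": "10.1.1.1", "dst_port": 1720}))
    print(guest_policy(10, 20), guest_policy(30, 20))  # deny permit
```

Running it shows the last point of the section directly: with the deny rule at precedence 10 the guest packet is dropped, but giving it precedence 30 lets the broad permit rule at 20 match first.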