ACL configuration and operating rules
• Per-Interface ACL Limits. At a minimum, an ACL will have one explicit "deny" Access Control
  Entry. You can assign one ACL per interface, as follows:
  ◦ Standard ACLs—Numeric range: 1-99
  ◦ Extended ACLs—Numeric range: 100-199
  ◦ Named (Extended or Standard) ACLs: Up to the maximum number of ports on the switch
    (minus any numeric ACL assignments)
• ACL assignment exclusivity: The switch allows one ACL assignment on an interface. If a port
  or static trunk already has an ACL assigned, you cannot assign another ACL to the interface
  without first removing the currently assigned ACL.
• ACLs operate on ports and static trunk interfaces: You can assign an ACL to any port and/or
  any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks.
• Before deleting an applied ACL, you must first remove it from all interfaces to which it is
  assigned: An assigned ACL cannot be deleted.
• Before modifying an applied ACL, you must first remove it from all assigned interfaces: An
  ACL cannot be changed while it is assigned to an interface.
• Explicitly denying any IP traffic: Entering a "deny any" or a "deny ip any any" ACE in an
  ACL denies all IP traffic not previously permitted or denied by that ACL.
• Explicitly permitting any IP traffic: Entering a "permit any" or a "permit ip any any" ACE
  in an ACL permits all IP traffic not previously permitted or denied by that ACL.
• Implicit "deny any": In any ACL, the switch automatically applies an implicit "deny IP any"
  that does not appear in "show" listings. Thus the ACL denies any packet it encounters that does
  not have a match with an entry in the ACL, and for an ACL to permit any packets you have
  not expressly denied, enter a "permit any" or "permit ip any any" as the last visible ACE
  in the ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL
  until it finds a match, any packet that reaches the "permit any" or "permit ip any any"
  entry is permitted and will not encounter the "deny ip any" ACE the switch automatically
  includes at the end of the ACL. For rule usage, see
• Port and Static Trunk Interfaces:
  ◦ Removing a port from an ACL-assigned trunk returns the port to its default settings.
  ◦ To add a port to a trunk when an ACL is already assigned to the port, you must first
    remove the ACL assignment from the port.
  ◦ Adding a new port to an ACL-assigned trunk automatically applies the ACL to the new
    port.
• Replacing one ACL with another: Where an ACL is already assigned to an interface, you must
  remove the current ACL assignment before assigning another ACL to that interface. If an
  assignment command fails because one or more interfaces specified in the command already
  has an ACL assignment, the following message appears in the CLI and in the Event Log:
  <acl-list-#>: Unable to apply access control list.
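The following is an added worked model of the matching rules above (first-match sequential ACE evaluation, the invisible "deny ip any" at the end, and the effect of a visible "permit ip any any" as the last ACE); it is example code written for this page, not the switch's implementation. It assumes ACEs carry an action, a protocol keyword ("ip" standing in for "any protocol", as in "permit ip any any") and IPv6 source/destination prefixes compared on their leading bits; all addresses and the ACL itself are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ACE:
    """One access control entry (assumed shape): action, protocol, SA prefix, DA prefix."""
    action: str                 # "permit" or "deny"
    protocol: str = "ip"        # "ip" matches any protocol, mirroring "permit ip any any"
    src: str = "::/0"           # "::/0" is the prefix form of "any"
    dst: str = "::/0"

    def matches(self, proto: str, sa: str, da: str) -> bool:
        # The protocol must match (or the ACE is protocol-agnostic) AND the packet's
        # SA and DA must fall inside the configured prefixes; only the prefix length's
        # leading bits are compared, which is what a CIDR prefix expresses.
        if self.protocol != "ip" and self.protocol != proto:
            return False
        return (ipaddress.IPv6Address(sa) in ipaddress.IPv6Network(self.src)
                and ipaddress.IPv6Address(da) in ipaddress.IPv6Network(self.dst))

def evaluate(acl: list[ACE], proto: str, sa: str, da: str) -> tuple[str, Optional[int]]:
    """Apply the ACEs in order and stop at the first match. Returns (action, index of the
    matching ACE); (\"deny\", None) stands for the implicit 'deny ip any' the switch appends,
    which never appears in 'show' output."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, sa, da):
            return ace.action, i
    return "deny", None

# Constructed sample ACL: permit TCP from one /48 to one host, deny everything from a
# second /48. There is no visible permit-any, so anything else hits the implicit deny.
ACL_NO_PERMIT_ANY = [
    ACE("permit", "tcp", "2001:db8:1::/48", "2001:db8:ffff::10/128"),
    ACE("deny", "ip", "2001:db8:2::/48"),
]
# The same ACL with "permit ip any any" added as the last visible ACE.
ACL_WITH_PERMIT_ANY = ACL_NO_PERMIT_ANY + [ACE("permit")]

if __name__ == "__main__":
    packets = [("tcp", "2001:db8:1::5", "2001:db8:ffff::10"),   # matches ACE 0
               ("udp", "2001:db8:2::7", "2001:db8:ffff::10"),   # matches ACE 1
               ("udp", "2001:db8:3::9", "2001:db8:ffff::20")]   # matches nothing explicit
    for name, acl in (("no permit-any", ACL_NO_PERMIT_ANY), ("permit-any last", ACL_WITH_PERMIT_ANY)):
        for proto, sa, da in packets:
            print(f"{name:16} {proto} {sa} -> {da}: {evaluate(acl, proto, sa, da)}")
```

The third sample packet is denied by the invisible trailing ACE in the first ACL and permitted by ACE 2 in the second, which is exactly the difference the "Implicit deny any" rule describes.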
How an ACE uses a mask to screen packets for matches
For an IPv6 ACL, a match with a packet occurs when both the protocol and the SA/DA configured
in a given ACE within the ACL are a match with the same criteria in a packet filtered by the ACL.
In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a
match. Thus the switch uses IPv6 prefixes in CIDR format to specify how many leading bits in a
72
Updates for the HP Switch Software IPv6 Configuration Guide