ProCurve 6200yl User's Guide Page 313
- Page / 596
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
10-27
Access Control Lists (ACLs)
ACL Operation
Note After you assign an ACL to an interface, the default action on the interface is
to implicitly deny any IP traffic that is not specifically permitted by the ACL.
(This applies only in the direction of traffic flow filtered by the ACL.)
The Packet-filtering Process
Sequential Comparison and Action. When an ACL filters a packet, it
sequentially compares each ACE’s filtering criteria to the corresponding data
in the packet until it finds a match. The action indicated by the matching ACE
(deny or permit) is then performed on the packet.
Implicit Deny. If a packet does not have a match with the criteria in any of
the ACEs in the ACL, the ACL denies (drops) the packet. If you need to
override the implicit deny so that a packet that does not have a match will be
permitted, then you can use the “permit any” option as the last ACE in the
ACL. This directs the ACL to permit (forward) packets that do not have a
match with any earlier ACE listed in the ACL, and prevents these packets from
being filtered by the implicit “deny any”.
Example. Suppose the ACL in figure 10-5 is assigned to filter the IP traffic
from an authenticated client on a given port in the switch:
Figure 10-5. Example of Sequential Comparison
As shown above, the ACL tries to apply the first ACE in the list. If there is not
a match, it tries the second ACE, and so on. When a match is found, the ACL
invokes the configured action for that entry (permit or drop the packet) and
For an inbound packet with a destination
IP address of 18.28.156.3, the ACL:
1. Compares the packet to this ACE first.
2. Since there is not a match with the first
ACE, the ACL compares the packet to the
second ACE, where there is also not a
match.
3. The ACL compares the packet to the third
ACE. There is a exact match, so the ACL
denies (drops) the packet.
4. The packet is not compared to the fourth
ACE.
Permit in ip from any to 18.28.136.24
Permit in ip from any to 18.28.156.7
Deny in ip from any to 18.28.156.3
Deny in tcp from any to any 23
Permit in ip from any to any
(Deny in ip from any to any)
This line demonstrates the “deny any any” ACE implicit in every
RADIUS-assigned ACL. Any inbound ip traffic from the
authenticated client that does not have a match with any of the five
explicit ACEs in this ACL will be denied by the implicit “deny any
any”.
- ProCurve Switches 1
- ProCurve 3
- Series 5400zl Switches 3
- Series 3500yl Switches 3
- 6200yl Switch 3
- Hewlett-Packard Company 4
- 3 Virus Throttling 7
- 4 Web and MAC Authentication 8
- 5 TACACS+ Authentication 8
- 13 Configuring Port-Based and 17
- 16 Key Management System 20
- Product Documentation 21
- Software Feature Index 22
- Intelligent Edge Software 23
- Features 23
- Security Overview 27
- Introduction 28
- Switch Access Security 29
- Note on SNMP 31
- Access to 31
- Secure File Transfers 32
- Authorized IP Managers 33
- Secure Management VLAN 33
- RADIUS Authentication 33
- Network Security Features 34
- Secure Shell (SSH) 35
- Traffic/Security Filters 36
- Advanced Threat Detection 38
- Identity-Driven Manager (IDM) 39
- Menu: Setting Passwords 45
- Front-Panel Security 48
- When Security Is Important 49
- Front-Panel Button Functions 50
- Reset Button 51
- Password Recovery 58
- [Y] (for “Yes”) 59
- [N] (for “No”) 59
- Password Recovery Process 60
- Virus Throttling 61
- Features and Benefits 64
- General Operation 65
- Application Options 66
- Operating Rules 67
- Sensitivity 71
- Configuring and Applying 79
- Connection-Rate ACLs 79
- Connection-Rate ACL Operation 80
- Source IP Address Criteria 81
- Criteria 83
- Applying Connection-Rate ACLs 86
- Client Options 95
- General Features 95
- Authenticator Operation 97
- MAC-based Authentication 99
- Web and MAC Authentication 100
- Terminology 101
- Operating Rules and Notes 102
- Authentication 104
- RADIUS Server 106
- Overview 109
- Configuration Overview 123
- Client Status 131
- TACACS+ Authentication 133
- Terminology Used in TACACS 135
- Applications: 135
- General System Requirements 137
- Note on 139
- Privilege Levels 139
- Before You Begin 140
- Configuration 141
- Server Contact Configuration 142
- Caution Regarding 145
- Login Primary 145
- Encryption Keys 148
- First-Choice TACACS+ Server 150
- How Authentication Operates 152
- Local Authentication Process 154
- Using the Encryption Key 155
- Access When Using TACACS+ 156
- Messages Related to TACACS+ 157
- Operation 157
- Operating Notes 157
- Contents 159
- Accounting Services 162
- Configuration MIB 162
- You Want RADIUS To Protect 168
- (hpSwitchAuth) is disabled 179
- Commands Authorization Type 182
- Configuring the RADIUS Server 184
- Configuring RADIUS Accounting 190
- Interim Updating Options 196
- Viewing RADIUS Statistics 198
- RADIUS Accounting Statistics 201
- as both the primary 205
- Configuring and Using 214
- The Packet-filtering Process 222
- ■ vendor and ACL identifiers: 224
- Configuration Notes 228
- ACEs in the list 229
- Event Log Messages 234
- After Authenticating 235
- Monitoring Shared Resources 235
- Prerequisite for Using SSH 241
- Public Key Formats 241
- Host Public 248
- Key for the 248
- Bit Size 249
- Exponent <e> 249
- Modulus <n> 249
- Client Contact Behavior 251
- ■ Execute no ip ssh 252
- Note on Port 253
- Public-Key Authentication 258
- Bit Size Exponent <e> 259
- Note on Public 261
- Key Index Number 262
- Prerequisite for Using SSL 269
- Password Button 272
- Security Tab 272
- Generate New Key 275
- Enter certificate Arguments 275
- Generate New Certificate 275
- Show host certificate command 276
- [SSL] button 278
- Web browser interface 279
- Browser Contact Behavior 281
- Common Errors in SSL setup 285
- Access Control Lists (ACLs) 287
- Static ACLS 291
- Dynamic Port ACLs 291
- RACL Applications 302
- VACL Applications 304
- Multiple ACLs on an Interface 306
- ACL Operation 312
- Planning an ACL Application 316
- Security 318
- Access Control Entry (ACE) 323
- IP Address Mask 324
- ACL Configuration Structure 328
- Standard ACL Structure 329
- ACL Configuration Factors 332
- General ACE Rules 335
- Configuring Standard ACLs 337
- 10-14 on page 10-55 345
- Configuring Extended ACLs 346
- [Shift] [?] key combination 355
- On an Interface 367
- Deleting an ACL 371
- Editing an Existing ACL 372
- Sequence Numbering in ACLs 373
- Attaching a Remark to an ACE 378
- Operating Notes for Remarks 381
- Display an ACL Summary 383
- Indicates whether the ACL 387
- The Offline Process 390
- ■ ID: “LIST-20-IN” 391
- Enable ACL “Deny” Logging 395
- ACL Logging Operation 396
- General ACL Operating Notes 399
- DHCP Snooping 403
- Enabling DHCP Snooping 404
- The DHCP Binding Database 411
- Enabling Debug Logging 412
- Operational Notes 412
- Log Messages 413
- Dynamic ARP Protection 415
- Configuring Trusted Ports 417
- Examples 425
- Filter Types and Operation 431
- Source-Port Filters 432
- Named Source-Port Filters 434
- [ index ] 436
- Static Multicast Filters 443
- Protocol Filters 444
- * ), indicating that the 447
- Editing a Source-Port Filter 448
- Filter Indexing 450
- Configuring Port-Based and 453
- User Authentication Methods 456
- as defined in the 459
- 802.1X standard 459
- VLAN Membership Priority 462
- Access Control 466
- Authenticators 468
- Based Authentication 470
- Wake-on-LAN Traffic 476
- 802.1X Open VLAN Mode 478
- VLAN Membership Priorities 479
- Unauthorized-Client VLANs 485
- Configure Port-Security 494
- Port-Security 495
- Other Switches 496
- Supplicant Port Configuration 498
- Statistics, and Counters 500
- ■ Unauth-VLAN ID (if any) 501
- ■ Auth-VLAN ID (if any) 501
- ■ The switch reboots 507
- Affects VLAN Operation 508
- After the 802.1X session 511
- < port-number >: 513
- Port Security 518
- Eavesdrop Protection 519
- Blocking Unauthorized Traffic 519
- Trunk Group Exclusion 520
- Planning Port Security 521
- Port Security Display Options 522
- Configuring Port Security 526
- listing 529
- use this command syntax: 529
- Retention of Static Addresses 532
- MAC Lockdown 537
- MAC Lockdown Operating Notes 540
- Deploying MAC Lockdown 541
- MAC Lockout 545
- < = 1024 16 16 546
- 1025-2048 8 8 546
- Port Security and MAC Lockout 547
- Security Features 548
- Alert Flags 548
- Send-Disable 550
- Resetting Alert Flags 551
- Yes” for the port on which 552
- Using Authorized IP Managers 559
- Access Levels 561
- Stations 562
- Managers 563
- Building IP Masks 567
- IP Entry 568
- Key Management System 573
- Numerics 581
- 2 – Index 582
- See also port based 582
- Index – 3 583
- See sequence, ACEs 583
- 4 – Index 584
- Index – 5 585
- 6 – Index 586
- Index – 7 587
- 8 – Index 588
- Index – 9 589
- 10 – Index 590
- Index – 11 591
- 12 – Index 592
- Index – 13 593
- 14 – Index 594
- 5991-3828 596
Related products and manuals for Network switches ProCurve 6200yl
Network switches ProCurve 8200zl User Manual
(12 pages)
(12 pages)
Network switches ProCurve 5400zl User Manual
(33 pages)
(33 pages)
Network switches ProCurve 5400zl Specifications
(765 pages)
(765 pages)
Network switches ProCurve 2900 User's Guide
(104 pages)
(104 pages)
(12 pages)
Network switches ProCurve 6400cl User's Guide
(718 pages)
(718 pages)
Network switches ProCurve 3500yl User Manual
(15 pages)
(15 pages)
Network switches ProCurve 8212zl Manual
(667 pages)
(667 pages)
Network switches ProCurve 6200yl User Manual
(14 pages)
(14 pages)
Network switches ProCurve 3500yl User Manual
(16 pages)
(16 pages)
Network switches ProCurve 5300xl Specifications
(108 pages)
(108 pages)
Network switches ProCurve 5400zl Specifications
(110 pages)
(110 pages)
Network switches ProCurve 8200zl User's Guide
(360 pages)
(360 pages)
Network switches ProCurve 8200zl User's Guide
(195 pages)
(195 pages)
© 2020, manymanuals.com. All rights reserved. | 0.547 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals