Access Control Lists (ACLs) for the Series 5300xl Switches
General ACL Operating Notes
General ACL Operating Notes
ACLs do not provide DNS hostname support.
Protocol Support: ACL criteria includes IP, TCP, and UDP. ACLs do not use
these protocols:
■ TOS (Type-of-Service)
■ Precedence
■ MAC information
■ QoS
ACLs do not affect switch serial port access.
When the ACL configuration includes TCP or UDP options, the switch
operates in “strict” TCP and UDP mode for increased control. The
switch compares all TCP and UDP packets against the ACLs. (In the HP Series
9300 Routing Switches, the Strict TCP and Strict UDP modes are optional and
must be specifically invoked.)
Replacing or Adding To an Active ACL Policy. If you assign an ACL to a
VLAN and subsequently add or replace ACEs in that ACL, each new ACE
becomes active when you enter it.
Note When an ACE becomes active, it screens the packets resulting from new traffic
connections. It does not screen packets resulting from currently open traffic
connections. If you invoke a new ACE to screen packets in a currently open
traffic connection, you must force the connection to close before the ACE can
begin screening packets from that source.
ACL Screening of Traffic Generated by the Switch. Outbound ACLs on
a switch do not screen traffic (such as broadcasts, Telnet, Ping, and ICMP
replies) generated by the switch itself. Note that ACLs do screen this type of
traffic when other devices generate it. Similarly, ACLs can screen responses
from other devices to unscreened traffic the switch generates.
9-63
To Next Page
Loading...
Need help?
General