To Next Page

To Previous Page

Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches

Configuring and Assigning an ACL

Example of an Extended ACL. Suppose that you want to implement these

policies on ports 1, 2, and 3:

A. Permit Telnet traffic from 10.10.10.44 inbound on port 1 to 10.10.20.78,

deny all other inbound IP traffic from network 10.10.10.0 (VLAN 10) to

10.10.20.0 (VLAN 20), and permit all other IP traffic from any source to

any destination. (See “A” in figure

10-17, below.)

B. Permit FTP traffic from IP address 10.10.20.100 on port 2 to 10.10.30.55.

Deny FTP traffic from other hosts on network10.10.20.0 to any destina-

tion, but permit all other traffic.

VLAN 10

10.10.10.1

VLAN 20

10.10.20.1

VLAN 30

10.10.30.1

3400cl or 6400cl

Switch

10.10.10.0

10.10.20.0

10.10.30.0

Figure 10-17. Example of an Extended ACL

10-52

Table of Contents5
Command Syntax Statements24
Getting Started24
Conventions24
Overview24
Command Prompts25
Screen Simulations25
Keys26
Related Publications26
Getting Documentation from the Web28
Sources for more Information29
Need Only a Quick Start30
IP Addressing30
To Set up and Install the Switch in Your Network30
Contents31
Overview32
Static Virtual Lans (Vlans)32
General VLAN Operation33
Introduction33
Types of Static Vlans Available in the Switch34
Port-Based Vlans34
Protocol-Based Vlans34
Designated Vlans34
Terminology35
Static VLAN Operation36
VLAN Environments37
VLAN Operation38
Routing Options for Vlans39
Overlapping (Tagged) Vlans39
VLAN Operating Rules43
General Steps for Using Vlans46
Multiple VLAN Considerations47
Single Forwarding Database Operation48
Correct It49
Example of an Unsupported Configuration and How to49
Multiple Forwarding Database Operation50
Configuring Vlans51
Menu: Configuring Port-Based VLAN Parameters51
To Change VLAN Support Settings51
Adding or Editing VLAN Names54
Adding or Changing a VLAN Port Assignment55
CLI: Configuring Port-Based and Protocol-Based VLAN57
Parameters57
Web: Viewing and Configuring VLAN Parameters67
802.1Q VLAN Tagging68
Special VLAN Types73
VLAN Support and the Default VLAN73
The Primary VLAN73
The Secure Management VLAN74
Preparation76
Configuration77
Deleting the Management VLAN78
Operating Notes for Management Vlans78
Voice Vlans79
Operating Rules for Voice Vlans79
Components of Voice VLAN Operation80
Voice VLAN Qos Prioritizing (Optional)80
Voice VLAN Access Security81
Effect of Vlans on Other Switch Features81
Spanning Tree Operation with Vlans81
IP Interfaces82
VLAN MAC Address82
Port Trunks82
Port Monitoring82
VLAN Restrictions83
Switches83
Jumbo Packet Support on the Series 3400Cl and Series 6400Cl83
- Contents85
- Gvrp86
Overview86
Introduction87
General Operation88
Per-Port Options for Handling GVRP "Unknown Vlans91
Per-Port Options for Dynamic VLAN Advertising and Joining93
GVRP and VLAN Access Control95
Port-Leave from a Dynamic VLAN95
Planning for GVRP Operation96
Configuring GVRP on a Switch97
Menu: Viewing and Configuring GVRP97
CLI: Viewing and Configuring GVRP98
Web: Viewing and Configuring GVRP102
GVRP Operating Notes102
- Contents105
- Multimedia Traffic Control with IP Multicast (IGMP)106
Overview106
IGMP General Operation and Features107
IGMP Terms108
IGMP Operating Features109
CLI: Configuring and Displaying IGMP110
Web: Enabling or Disabling IGMP115
How IGMP Operates115
Operation with or Without IP Addressing117
Automatic Fast-Leave IGMP117
Forced Fast-Leave IGMP119
Configuration Options for Forced Fast-Leave119
Listing the Forced Fast-Leave Configuration120
Configuring Per-Port Forced Fast-Leave IGMP122
Using the Switch as Querier123
Excluding Well-Known or Reserved Multicast Addresses from IP Multicast Filtering124
Excluding Well-Known or Reserved Multicast Addresses from IP Multicast Filtering125
- PIM-DM (Dense Mode) on the 5300Xl Switches127
Contents127
Overview128
Introduction129
Feature Overview130
PIM-DM Operation130
Multicast Flow Management133
General Configuration Elements135
Terminology135
PIM-DM Operating Rules136
Configuring PIM-DM on the Series 5300Xl Switches137
PIM Global Configuration Context138
PIM VLAN (Interface) Configuration Context141
Displaying PIM Data and Configuration Settings on the Series 5300Xl Switches148
Displaying PIM Data and Configuration Settings on the Series148
Displaying PIM Route Data149
Displaying PIM Status153
Operating Notes160
Troubleshooting162
Messages Related to PIM Operation163
Applicable Rfcs166
Exceptions to Support for RFC 2932 - Multicast Routing MIB167
- Spanning-Tree Operation169
Contents169
Overview170
The RSTP (802.1W) and STP (802.1D) Spanning Tree Options173
RSTP (802.1W)174
Stp (802.1D)174
How STP and RSTP Operate175
Configuring Rapid Reconfiguration Spanning Tree (RSTP)177
Overview177
Transitioning from STP to RSTP178
Optimizing the RSTP Configuration179
Configuring RSTP179
CLI: Configuring RSTP180
Menu: Configuring RSTP186
Web: Enabling or Disabling RSTP188
D Spanning-Tree Protocol (STP)189
Menu: Configuring 802.1D STP189
CLI: Configuring 802.1D STP192
STP Fast Mode196
Fast-Uplink Spanning Tree Protocol (STP)197
Terminology199
Operating Rules for Fast Uplink200
Menu: Viewing and Configuring Fast-Uplink STP201
CLI: Viewing and Configuring Fast-Uplink STP207
Operating Notes210
Web: Enabling or Disabling STP211
Multiple Spanning Tree Protocol (MSTP)212
MSTP Structure213
How MSTP Operates215
MST Regions215
Regions, Legacy STP and RSTP Switches, and the Common Spanning Tree (CST)217
MSTP Operation with 802.1Q Vlans217
Terminology218
Operating Rules220
Transitioning from STP or RSTP to MSTP221
Tips for Planning an MSTP Application222
Steps for Configuring MSTP223
Configuring MSTP Operation Mode and Global Parameters225
Configuring Basic Port Connectivity Parameters229
Configuring MST Instance Parameters231
Configuring MST Instance Per-Port Parameters234
Enabling or Disabling Spanning Tree Operation237
Enabling an Entire MST Region at Once or Exchanging One Region Configuration for Another237
Displaying MSTP Statistics and Configuration239
Displaying MSTP Statistics239
Displaying the MSTP Configuration242
Operating Notes246
Troubleshooting246
- Switch Meshing247
Contents247
Introduction248
Switch Meshing Fundamentals250
Terminology250
Operating Rules251
Using a Heterogeneous Switch Mesh254
Bringing up a Switch Mesh Domain256
Further Operating Information256
Configuring Switch Meshing257
Preparation257
Menu: to Configure Switch Meshing257
CLI: to View and Configure Switch Meshing260
Viewing Switch Mesh Status260
CLI: Configuring Switch Meshing263
Operating Notes for Switch Meshing264
Flooded Traffic264
Unicast Packets with Unknown Destinations265
Spanning Tree Operation with Switch Meshing266
Filtering/Security in Meshed Switches268
IP Multicast (IGMP) in Meshed Switches268
Static Vlans269
Dynamic Vlans270
Jumbo Packets (3400Cl and 6400Cl Switches Only)270
Requirements and Restrictions271
- Quality of Service (Qos): Managing Bandwidth more Effectively275
Contents275
Introduction276
Terminology279
Overview280
Classifiers for Prioritizing Outbound Packets283
5300Xl Packet Classifiers and Evaluation Order283
3400Cl/6400Cl Packet Classifiers and Evaluation Order284
Preparation for Configuring Qos287
Planning Qos for the Series 3400Cl/6400Cl Switches289
Prioritizing and Monitoring Qos, ACL, and Rate Limiting Feature Usage on the 3400Cl/6400Cl Switches289
Qos Resource Usage and Monitoring on 3400Cl/6400Cl290
Switches290
Switches291
Managing Qos Resource Consumption on the 3400Cl/6400Cl291
Troubleshooting a Shortage of Per-Port Rule Resources on the 3400Cl/6400Cl Switches292
Examples of Qos Resource Usage on 3400Cl/6400Cl293
Switches293
Using Qos Classifiers to Configure Quality of Service for296
Viewing the Qos Configuration296
Using Qos Classifiers to Configure Quality of Service for Outbound Traffic296
No Override297
Qos UDP/TCP Priority298
Number299
Assigning a DSCP Policy Based on TCP or UDP Port300
Number300
Qos IP-Device Priority304
Assigning a Priority Based on IP Address305
Assigning a DSCP Policy Based on IP Address306
Qos IP Type-Of-Service (Tos) Policy and Priority310
Assigning an 802.1P Priority to Ipv4 Packets on the Basis of the Tos Precedence Bits311
Assigning an 802.1P Priority to Ipv4 Packets on the Basis of Incoming DSCP312
Assigning a DSCP Policy on the Basis of the DSCP in Ipv4 Packets Received from Upstream Devices316
Details of Qos IP Type-Of-Service320
Qos Layer-3 Protocol Priority (5300Xl Switches Only)323
Assigning a Priority Based on Layer-3 Protocol323
Assigning a Priority Based on VLAN-ID325
Qos VLAN-ID (VID) Priority325
Assigning a DSCP Policy Based on VLAN-ID (VID)327
Qos Source-Port Priority331
Assigning a Priority Based on Source-Port331
Assigning a DSCP Policy Based on the Source-Port333
Differentiated Services Codepoint (DSCP) Mapping336
Default Priority Settings for Selected Codepoints338
Quickly Listing Non-Default Codepoint Settings338
Note on Changing a Priority Setting339
IP Multicast (IGMP) Interaction with Qos343
Qos Messages in the CLI343
Qos Operating Notes and Restrictions344
- Access Control Lists (Acls) for the Series 5300Xl347
Contents347
Introduction349
Terminology351
ACL Inbound and Outbound Application Points354
Types of IP Acls354
Overview354
Features Common to All Acls355
General Steps for Planning and Configuring Acls356
ACL Operation358
Introduction358
The Packet-Filtering Process359
Planning an ACL Application362
Traffic Management and Improved Network Performance362
Security363
Guidelines for Planning the Structure of an ACL364
ACL Configuration and Operating Rules364
How an ACE Uses a Mask to Screen Packets for Matches366
What Is the Difference between Network (or Subnet) Masks and the Masks Used with Acls366
Rules for Defining a Match between a Packet and an Access Control Entry (ACE)367
General Steps for Implementing Acls371
Configuring and Assigning an ACL371
Overview371
Types of Acls372
ACL Configuration Structure372
Standard ACL Structure373
Extended ACL Configuration Structure374
ACL Configuration Factors375
The Sequence of Entries in an ACL Is Significant375
In any ACL, There will Always be a Match377
Interface377
You Can Assign an ACL Name or Number to a VLAN Even if the ACL Does Not yet Exist in the Switch's Configuration377
Using the CLI to Create an ACL377
General ACE Rules378
Using CIDR Notation to Enter the ACL Mask378
Configuring and Assigning a Numbered, Standard ACL379
Configuring and Assigning a Numbered, Extended ACL384
Configuring a Named ACL390
Enabling or Disabling ACL Filtering on a VLAN392
Deleting an ACL from the Switch393
Displaying ACL Data394
Display an ACL Summary394
Display the Content of All Acls on the Switch395
Display the ACL Assignments for a VLAN396
Displaying the Content of a Specific ACL397
Display All Acls and Their Assignments in the Switch Startup-Config File and Running-Config File399
Editing Acls and Creating an ACL Offline399
Using the CLI to Edit Acls399
General Editing Rules400
Deleting any ACE from an ACL400
Working Offline to Create or Edit an ACL402
Enable ACL "Deny" Logging405
Requirements for Using ACL Logging405
Enabling ACL Logging on the Switch406
ACL Logging Operation406
Operating Notes for ACL Logging408
General ACL Operating Notes409
Introduction413
Terminology416
Overview419
Types of IP Acls419
ACL Inbound Application Points419
Features Common to All Acls420
General Steps for Planning and Configuring Acls421
ACL Operation422
The Packet-Filtering Process423
Switch Resource Usage426
Prioritizing and Monitoring ACL, IGMP, Qos, and Rate Limiting Feature Usage427
ACL Resource Usage and Monitoring427
Standard Acls428
Extended Acls428
Managing ACL Resource Consumption430
Oversubscribing Available Resources430
Troubleshooting a Shortage of Per-Port Resources431
Example of ACL Resource Usage433
Viewing the Current Per-Port Rule and Mask Usage433
Traffic Management and Improved Network Performance436
Security436
Guidelines for Planning the Structure of an ACL437
ACL Configuration and Operating Rules438
How an ACE Uses a Mask to Screen Packets for Matches440
What Is the Difference between Network (or Subnet) Masks and the Masks Used with Acls440
Rules for Defining a Match between a Packet and an Access Control Entry (ACE)441
General Steps for Implementing Acls445
Types of Acls445
Overview445
Configuring and Assigning an ACL445
ACL Configuration Structure446
Standard ACL Structure447
Extended ACL Configuration Structure447
ACL Configuration Factors449
ACL Resource Consumption449
The Sequence of Entries in an ACL Is Significant449
In any ACL, There will Always be a Match451
Interface451
Using the CLI to Create an ACL451
General ACE Rules451
Using CIDR Notation to Enter the ACL Mask452
Configuring and Assigning a Numbered, Standard ACL453
Configuring and Assigning a Numbered, Extended ACL458
Configuring a Named ACL464
Enabling or Disabling ACL Filtering on an Interface467
Deleting an ACL from the Switch468
Displaying ACL Data468
Display an ACL Summary469
Display the Content of All Acls on the Switch469
Display the ACL Assignments for an Interface470
Displaying the Content of a Specific ACL471
Displaying the Current Per-Port ACL Resources473
Display All Acls and Their Assignments in the Switch Startup-Config File and Running-Config File474
Editing Acls and Creating an ACL Offline475
Using the CLI to Edit Acls475
General Editing Rules475
Deleting any ACE from an ACL476
Working Offline to Create or Edit an ACL477
Enable ACL "Deny" Logging481
Requirements for Using ACL Logging481
ACL Logging Operation482
Enabling ACL Logging on the Switch482
Operating Notes for ACL Logging484
General ACL Operating Notes485
- IP Routing Features487
Contents487
Overview of IP Routing489
IP Interfaces490
IP Tables and Caches490
ARP Cache Table491
IP Route Table491
IP Forwarding Cache492
IP Route Exchange Protocols493
IP Global Parameters for Routing Switches493
IP Interface Parameters for Routing Switches495
Configuring IP Parameters for Routing Switches496
Configuring IP Addresses496
Changing the Router ID496
How ARP Works497
Configuring ARP Parameters497
Enabling Proxy ARP499
Configuring Forwarding Parameters499
Changing the TTL Threshold500
Enabling Forwarding of Directed Broadcasts500
Configuring ICMP501
Disabling ICMP Messages501
Disabling Replies to Broadcast Ping Requests501
Disabling ICMP Destination Unreachable Messages502
Disabling ICMP Redirects503
Configuring Static IP Routes503
Static Route Types503
Static IP Route Parameters504
Static Route States Follow Port States504
Configuring a "Null" Route505
Configuring a Static IP Route505
Configuring the Default Route505
Configuring RIP507
Overview of RIP507
RIP Parameters and Defaults508
RIP Global Parameters508
Configuring RIP Parameters509
Enabling RIP509
Changing the RIP Type on a VLAN Interface510
Changing the Cost of Routes Learned on a VLAN Interface510
Configuring RIP Redistribution511
Define RIP Redistribution Filters511
Modify Default Metric for Redistribution512
Enable RIP Route Redistribution512
Changing the Route Loop Prevention Method513
Displaying RIP Information513
Displaying General RIP Information514
Displaying RIP Interface Information516
Displaying RIP Peer Information517
Displaying RIP Redistribution Information519
Displaying RIP Redistribution Filter (Restrict) Information519
Configuring OSPF520
Overview of OSPF520
Designated Routers in Multi-Access Networks521
OSPF RFC 1583 and 2328 Compliance522
Configuring OSPF524
Dynamic OSPF Activation and Configuration524
Configuration Rules525
Enabling OSPF526
Assigning an Area Range (Optional)528
Assigning Vlans to an Area529
Assigning Virtual Links531
Modifying Virtual Link Parameters533
Defining Redistribution Filters534
Modifying Default Metric for Redistribution535
Enabling Route Redistribution536
Modifying OSPF Traps Generated537
Modifying OSPF Standard Compliance Setting538
Displaying OSPF Information539
Displaying OSPF Area Information541
Displaying OSPF External Link State Information542
Displaying OSPF Interface Information543
VLAN or IP Address545
Displaying OSPF Link State Information546
Displaying OSPF Neighbor Information548
Displaying OSFPF Redistribution Filter (Restrict)550
Information550
Displaying OSPF Virtual Neighbor Information551
Displaying OSPF Virtual Link Information552
Displaying OSPF Route Information554
Configuring IRDP556
Enabling IRDP Globally557
Enabling IRDP on an Individual VLAN Interface557
Displaying IRDP Information558
Configuring DHCP Relay559
Overview559
DHCP Packet Forwarding559
Unicast Forwarding559
Broadcast Forwarding559
Minimum Requirements for DHCP Relay Operation560
Enabling DHCP Relay560
Configuring a Helper Address560
Viewing the Current DHCP Relay Configuration561
Overview562
UDP Broadcast Forwarding on 5300Xl Switches562
Subnet Masking for UDP Forwarding Addresses563
Configuring and Enabling UDP Broadcast Forwarding564
Globally Enabling UDP Broadcast Forwarding564
Configuring UDP Broadcast Forwarding on Individual564
Displaying the Current IP Forward-Protocol Configuration566
Operating Notes for UDP Broadcast Forwarding567
Messages Related to UDP Broadcast Forwarding567
Configuring Static Network Address Translation (NAT) for Intranet Applications on the 5300Xl Switches568
Static NAT Operating Rules569
Configuring Static NAT569
Displaying Static NAT Statistics and Configuration571
Static NAT Operating Notes571
- Router Redundancy Using XRRP574
Introduction to XRRP574
Terminology574
Overview of XRRP Operation575
XRRP During Normal Router Operation576
XRRP Fail-Over Operation577
Single VLAN Operation577
Multiple VLAN Operation578
XRRP Operating Notes581
Configuring XRRP583
Customizing the XRRP Configuration584
Enabling and Disabling XRRP587
Configuration Rules587
Configuration Examples588
Configuration for Figure 12-2 - Single VLAN Example588
Configuration for Figure 12-4 - Multiple Vlans589
Displaying XRRP Data590
Comparison between XRRP and VRRP593
Messages Related to XRRP Operation594
Contents599
Introduction to Stack Management on Series 3400Cl and Series599
6400Cl Switches599
Stacking Support on HP Procurve Switches600
Components of HP Procurve Stack Management602
General Stacking Operation602
Operating Rules for Stacking604
General Rules604
Specific Rules605
Configuring Stack Management606
Overview of Configuring and Bringing up a Stack606
Using the Menu Interface to View Stack Status and Configure610
Using the Menu Interface to View and Configure a610
Commander Switch610
Stacking610
Using the Menu to Manage a Candidate Switch612
Stacking614
Using the Commander to Manage the Stack614
Using the Commander to Access Member Switches for Configuration Changes and Monitoring Traffic620
Converting a Commander or Member to a Member of Another Stack621
Monitoring Stack Status622
Using the CLI to View Stack Status and Configure Stacking626
Using the CLI to View Stack Status628
Using the CLI to Configure a Commander Switch630
Adding to a Stack or Moving Switches between Stacks632
Using the CLI to Remove a Member from a Stack637
Using the CLI to Access Member Switches for Configuration Changes and Traffic Monitoring639
SNMP Community Operation in a Stack640
Using the CLI to Disable or Re-Enable Stacking641
Stacking Operation with Multiple Vlans Configured641
Transmission Interval641
Status Messages642

Brand	HP
Model	ProCurve 5300xl Series
Category	Switch
Language	English

HP ProCurve 5300xl Series User Manual

Table of Contents

Other manuals for HP ProCurve 5300xl Series

Questions and Answers:

HP ProCurve 5300xl Series Specifications

Related product manuals