10-124
IPv4 Access Control Lists (ACLs)
Enable ACL “Deny” Logging
Note IPv4 ACE counters assigned as RACLs operate differently than described
above. For more information, refer to the following section.
IPv4 Counter Operation with Multiple Interface
Assignments
Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL
(VACL) or port ACL (PACL), the switch maintains a separate instance of ACE
counters for each interface assignment. Thus, when there is a match with
traffic on one of the ACL’s VACL- or PACL -assigned interfaces, only the ACE
counter in the affected instance of the ACL is incremented. However, if an ACL
has multiple assignments as an RACL, then a match with an ACE in any RACL
instance of the ACL increments that same counter on all RACL-assigned
instances of that ACL. (The ACE counters for VACL and PACL instances of an
ACL are not affected by counter activity in RACL instances of the same ACL.)
For example, suppose that an IPv4 ACL named “Test-1” is configured as shown
in figure 10-54 to block Telnet access to a server at 10.10.20.12 on VLAN 20,
and that the Test-1 ACL is assigned to VLANs as follows:
■ VLAN 20: VACL
■ VLAN 50: RACL
■ VLAN 70: RACL
Figure 10-54. ACL “Test-1” and Interface Assignment Commands
HP Switch(config)# show access-list config
ip access-list extended “Test1”
10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.12 0.0.0.0 eq 23 log
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
HP Switch(config)# vlan 20 ip access-group Test-1 vlan
HP Switch(config)# vlan 50 ip access-group Test-1 in
HP Switch(config)# vlan 70 ip access-group Test-1 in
Assigns the ACL as a VACL to VLAN 20.
Assigns the ACL as
an RACL to VLANs
50 and 70.
To Next Page
Loading...
Need help?
General
