IPv4 Access Control Lists (ACLs)

An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). The information below describes how to configure, apply, and edit static IPv4 ACLs in a network populated with HP switches, and how to monitor IPv4 ACL actions.

[NOTE: ]

NOTE: ACLs for IPv4 configuration and operation: because the switches covered by this guide support IPv4/IPv6 dual-stack operation, simultaneous operation of statically configured IPv4 and IPv6 ACLs is supported in these switches as well as dynamic (RADIUS-assigned) ACLs capable of filtering both IPv4 and IPv6 traffic from authenticated clients. However:

  • IPv4 and IPv6 ACEs cannot be combined in the same static ACL.

  • IPv4 and IPv6 static ACLs do not filter each other’s traffic.

In the following information, unless otherwise noted:
  • The term “ACL” refers to static IPv4 ACLs.

  • Descriptions of ACL operation apply only to static IPv4 ACLs.

See “IPv6 Access Control Lists (ACLs)” in the IPv6 Configuration Guide for your switch.

IPv4 filtering with ACLs can help improve network performance and restrict network use by creating policies for:

Switch Management Access: Permits or denies in-band management access. This includes limiting and/or preventing the use of designated protocols that run on top of IPv4, such as TCP, UDP, IGMP, ICMP, and others. Also included are the use of precedence and ToS criteria, and control for application transactions based on source and destination IPv4 addresses and transport layer port numbers.

Application Access Security: Eliminates unwanted traffic in a path by filtering IPv4 packets where they enter or leave the switch on specific VLAN interfaces.

IPv4 ACLs can filter traffic to or from a host, a group of hosts, or entire subnets.

[NOTE: ]

NOTE: IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv4 packet transmissions, they should not be relied upon for a complete security solution.

IPv4 ACLs on the switches covered by this manual do not filter non-IPv4 traffic such as IPv6, AppleTalk, and IPX packets.

Options for applying IPv4 ACLs on the switch

To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. VLAN and routed IPv4 traffic ACLs can be applied statically using the switch configuration.

Port traffic ACLs can be applied either statically or dynamically (using a RADIUS server).

Static ACLs

Static ACLs are configured on the switch. To apply a static ACL, you must assign it to an interface (VLAN or port).

  • VLAN ACL (VACL) A VACL is an ACL configured on a VLAN to filter traffic entering the switch on that VLAN interface and having a destination on the same VLAN.

  • Static port ACL A static port ACL is an ACL configured on a port to filter traffic entering the switch on that port, regardless of whether the traffic is routed, switched, or addressed to a destination on the switch itself.

RADIUS-assigned ACLs

A RADIUS-assigned ACL is configured on a RADIUS server for assignment to a given port when the server authenticates a specific client on that port. When the server authenticates a client associated with that ACL, the ACL is assigned to the port the client is using. The ACL then filters the IP traffic received inbound on that port from the authenticated client. If the RADIUS server supports both IPv4 and IPv6 ACEs, then the ACL assigned by the server can be used to filter both traffic types, or filter IPv4 traffic and drop IPv6 traffic. When the client session ends, the ACL is removed from the port. The switch allows as many RADIUS-assigned ACLs on a port as it allows authenticated clients. For information on RADIUS-assigned ACLs assigned by a RADIUS server, see RADIUS Services Support on HP Switches.

[NOTE: ]

NOTE: The information provided here describes the IPv4 ACL applications you can statically configure on the switch. See "IPv6 Access Control Lists (ACLs)" in the latest IPv6 Configuration Guide for your switch.