Installation and Getting Started Guide
• “Displaying the Log Entries” on page 3-23
• “Policy-Based Routing (PBR)” on page 3-24
Usage Guidelines for Access Control Lists (ACLs)
This section provides some guidelines for implementing ACLs to ensure wire-speed ACL performance.
For optimal ACL performance, use the following guidelines:
• Apply ACLs to inbound traffic rather than outbound traffic.
• Use the default filtering behavior as much as possible. For example, if you are concerned with filtering only a
few specific addresses, create deny entries for those addresses, then create a single entry to permit all other
traffic. For tighter control, create explicit permit entries and use the default deny action for all other
addresses.
• Use deny ACLs sparingly. When a deny ACL is applied to an interface, the software sends all packets sent or
received on the interface (depending on the traffic direction of the ACL) to the CPU for examination.
• Adjust system resources if needed:
• If IP traffic is going to be high, increase the size of the IP forwarding cache to allow more routes. To do
so, use the system-max ip-cache <num> command at the global CONFIG level of the CLI.
• If much of the IP traffic you are filtering is UDP traffic, increase the size of the session table to allow more
ACL sessions. To do so, use the system-max session-limit <num> command at the global CONFIG
level of the CLI.
Avoid the following implementations when possible:
• Do not apply ACLs to outbound traffic. The system creates separate inbound ACLs to ensure that an
outbound ACL is honored for traffic that normally would be forwarded to other ports.
• Do not enable the strict TCP ACL mode unless you need it for tighter security.
• Avoid ICMP-based ACLs where possible. If you are interested in providing protection against ICMP Denial of
Service (DoS) attacks, use HP’s DoS protection features. See
“Protecting Against Denial of Service Attacks”
on page B-1.
If the IP traffic in your network is characterized by a high volume of short sessions, this also can affect ACL
performance, since this traffic initially must go to the CPU. All ICMP ACLs go to the CPU, as do all TCP SYN,
SYN/ACK, FIN, and RST packets and the first UDP packet of a session.
ACL Support on the HP Products
HP ACLs have two basic types of uses:
• Filtering forwarded traffic through the device – described in this chapter
• Controlling management access to the device itself – described in the “Securing Access” chapter in the
Installation and Getting Started Guide
ACL IDs and Entries
ACLs consist of ACL IDs and ACL entries:
• ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended ACL) or a
character string. The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to
an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of
applying the individual entries to the interface. This makes applying large groups of access filters (ACL
entries) to interfaces simple.
NOTE: This is different from IP access policies. If you use IP access policies, you apply the individual
policies to interfaces.
3 - 2