Filter
Top Products
Using Access Control Lists (ACLs)
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic
has the IP precedence value “6” (equivalent to “internet”).
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL
would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
To configure an IP ACL that matches based on TOS, enter commands such as the following:
HP9300(config)# access-list 104 deny tcp 209.157.21.0/24 209.157.22.0/24 tos normal
HP9300(config)# access-list 104 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 tos
13
HP9300(config)# access-list 104 permit any any
The first entry in this IP ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the
traffic has the IP TOS option “normal” (equivalent to “0”).
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic
has the IP precedence value “13” (equivalent to “max-throughput”, “min-delay”, and “min-monetary-cost”).
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL
would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
Extended ACL Syntax
Syntax: access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator>
<source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>]
[precedence <name> | <num>] [tos <name> | <num>] [log]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter indicates the ACL number and be from 100 – 199 for an extended ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering.
• icmp
• igmp
• igrp
• ip
• ospf
• tcp
• udp
• <protocol-number>
You can specify one of the following:
The <source-ip> | <hostname> parameter specifies the source IP host for the policy.
match on all source addresses, enter any.
If you want the policy to
The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is
a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask
mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example,
the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net
209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a
forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can
enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts
the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and
changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or
3 - 11