HP (Hewlett-Packard) 6208M-SX Switch User Manual


Using Access Control Lists (ACLs)
NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the
interfaces before changing the ACL mode.
To enable the strict ACL UDP mode, enter the following command at the global CONFIG level of the CLI:
HP9300(config)# ip strict-acl-udp
Syntax: [no] ip strict-acl-udp
This command configures the device to compare all UDP packets against the configured ACLs before forwarding
them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command:
HP9300(config)# no ip strict-acl-udp
Displaying ACLs
To display the ACLs configured on a device, use the following method.
USING THE CLI
To display detailed information for the ACLs and their entries, enter the following command at any level of the CLI.
HP9300(config)# show access-list
Access-list = 101
TCP applicable filters
Port 80
deny M:209.157.22.26:255.255.255.255
M:209.157.22.26:255.255.255.255, tcp eq 80 log
Any other port applicable filters
UDP applicable filters
Any other port applicable filters
ICMP applicable filters
Other protocol applicable filters
Syntax: show access-list [<num>]
To display the syntax for the entries in the ACLs, enter the show ip access-lists command. Here is an example:
HP9300(config)# show ip access-lists
Extended IP access list 101
deny tcp host 209.157.22.26 host 209.157.22.26 eq http log
Syntax: show ip access-lists [<num>]
Displaying the Log Entries
The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a
Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts a five-minute ACL
timer. After this, the software sends Syslog messages every five minutes. The messages list the number of
packets denied by each ACL during the previous five-minute interval. If an ACL entry does not deny any packets
during the five-minute interval, the software does not generate a Syslog entry for that ACL entry.
NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled
for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.
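The timing rules above (an immediate message on an entry's first logged deny, then a summary every five minutes that lists only the entries that actually denied packets) are easy to misread when correlating switch Syslog with traffic. The following Python model is an added illustration written for this edit, not switch firmware or HP code; it assumes the timer is shared across all entries, that the first denied packet also counts toward the interval, and uses constructed sample events.

```python
from collections import defaultdict

ACL_LOG_INTERVAL = 300  # seconds: the five-minute ACL timer described in the manual


def simulate_acl_logging(events, until, interval=ACL_LOG_INTERVAL):
    """Return the (timestamp, message) list the switch would emit.

    events: (timestamp_seconds, acl_entry_id, log_enabled) per denied packet.
    until:  time up to which completed five-minute intervals are reported.
    Entries without logging enabled never produce a message.
    """
    messages = []
    timer_start = None            # None until the first logged deny starts the timer
    counts = defaultdict(int)     # denied packets per entry in the current interval
    seen = set()                  # entries that already produced their first message

    def flush(at):
        # One summary per entry that denied packets; idle entries produce nothing.
        for entry in sorted(counts):
            messages.append((at, f"ACL {entry}: {counts[entry]} packet(s) denied in previous {interval}s"))
        counts.clear()

    def advance(to):
        # Close every interval that has fully elapsed before time 'to'.
        nonlocal timer_start
        while timer_start is not None and timer_start + interval <= to:
            timer_start += interval
            flush(timer_start)

    for ts, entry, log_enabled in sorted(events):
        if not log_enabled:
            continue                          # no 'log' keyword: never reported
        advance(ts)
        if entry not in seen:                 # first deny for this entry
            seen.add(entry)
            messages.append((ts, f"ACL {entry}: packet denied (Syslog warning, SNMP trap)"))
            if timer_start is None:
                timer_start = ts              # first Syslog entry starts the timer
        counts[entry] += 1
    advance(until)
    return messages


# Constructed sample: entry ids are "<acl>:<entry>", times in seconds.
SAMPLE_DENIES = [
    (0, "101:1", True), (10, "101:1", True), (120, "101:2", True),
    (200, "101:3", False), (400, "101:1", True), (650, "101:1", True),
]
```

Running `simulate_acl_logging(SAMPLE_DENIES, until=900)` shows entry 101:2 in the summary at 300 s but absent from the 600 s and 900 s summaries, and entry 101:3 never appearing.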
3 - 23