HP (Hewlett-Packard) 6308M-SX Switch User Manual


 
Installation and Getting Started Guide
NOTE: The following sections describe how to configure ACLs using the HP device's CLI. You can also create
and modify ACLs using a text editor on a file server, then copy them to the device's running-config file. In fact, this
method is a convenient way to reorder individual ACL entries within an ACL. See Modifying ACLs on page 3-19.
Disabling or Re-Enabling Access Control Lists (ACLs)
A routing switch cannot actively use both IP access policies and ACLs for filtering IP traffic. When you boot a
routing switch with software release 06.6.x or higher, the software checks the device's startup-config file for ip
access-policy-group commands, which associate IP access policies with ports. If the software finds an ip
access-policy-group command in the file, the software disables all packet-forwarding ACLs (those associated
with specific ports) and also prevents you from applying an ACL to a port.
The next time you save the startup-config file, the software adds the following command near the top of the file,
underneath the ver (software version) statement:
ip dont-use-acl
This command disables all packet-forwarding ACLs (those associated with specific ports) and also prevents you
from associating an ACL with a port. However, the command does not remove existing ACLs from the
startup-config file. In addition, the command does not affect ACLs used for controlling management access to the device.
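The following Python script is an added example, not part of the HP manual. It checks a saved copy of a startup-config file for the two conditions described above that disable packet-forwarding ACLs, and lists the port ACL bindings that are therefore not filtering traffic. The sample configuration is constructed, and the interface stanza layout, the command arguments and the function name audit_acl_mode are assumptions.

```python
import re

# Constructed startup-config for illustration (not taken from the manual).
# The "interface ethernet" stanza layout and command arguments are assumptions.
SAMPLE_STARTUP_CONFIG = """\
ver 06.6.00
ip dont-use-acl
!
access-list 1 deny host 10.1.1.5
access-list 1 permit any
!
interface ethernet 1/1
 ip access-group 1 out
!
interface ethernet 1/2
 ip access-policy-group in 1
!
"""

ACL_BINDING = re.compile(r"^ip access-group (\S+) (in|out)$")


def audit_acl_mode(config_text):
    """Return why packet-forwarding ACLs are disabled and which bindings are inert."""
    dont_use_acl = False
    policy_ports, bindings = [], []
    port = None  # interface stanza currently being read, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = line[len("interface "):]
        elif line == "!":
            port = None
        elif line == "ip dont-use-acl":
            dont_use_acl = True
        elif line.startswith("ip access-policy-group"):
            policy_ports.append(port)
        elif (m := ACL_BINDING.match(line)):
            bindings.append((port, m.group(1), m.group(2)))
    disabled = dont_use_acl or bool(policy_ports)
    return {
        "acl_mode_disabled": disabled,
        "dont_use_acl": dont_use_acl,
        "policy_group_ports": policy_ports,
        # Port ACL bindings that will not filter traffic while the mode is disabled
        "inert_acl_bindings": bindings if disabled else [],
    }


if __name__ == "__main__":
    for key, value in audit_acl_mode(SAMPLE_STARTUP_CONFIG).items():
        print(f"{key}: {value}")
```

A non-empty inert_acl_bindings list means the file contains port ACLs that the switch is not enforcing, which is worth reviewing before relying on those ACLs for filtering.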
Enabling ACL Mode
If you try to apply an ACL to a port when the ACL mode is disabled (when the ip dont-use-acl command is in
effect), a message is displayed, as shown in the following CLI example:
HP9300(config-if-e1000-1/1)# ip access-group 1 out
Must enable ACL mode first by using no ip dont-use-acl command and removing all ip
access-policy-group commands from interfaces, write memory and reload
As the message states, if you want to use ACLs, you must first enable the ACL mode. To do so, use either of the
following methods.
USING THE CLI
To enable the ACL mode, enter the following commands:
HP9300(config-if-e1000-1/1)# exit
HP9300(config)# no ip dont-use-acl
HP9300(config)# write memory
HP9300(config)# end
HP9300# reload
The write memory command removes the ip dont-use-acl command from the startup-config file. The reload
command reloads the software. When the software finishes loading, you can apply ACLs to ports.
The commands that configure the IP access policies and apply them to ports remain in the startup-config file in
case you want to use them again, but they are disabled. If you later decide you want to use the IP access policies
again instead of ACLs, you must disable the ACL mode again. See the following section.
USING THE WEB MANAGEMENT INTERFACE
1. Log on to the device using a valid user name and password for read-write access. The System configuration
panel is displayed.
2. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
3. Click on the plus sign next to IP in the tree view to expand the list of IP option links.
4. Click on the General link to display the IP configuration panel.
5. Select the Enable radio button next to Access Control List.
6. Click the Apply button to save the change to the device's running-config file.