Policies and Filters
Syntax
Use the following CLI commands or Web management interface panels to configure IP access policies.
Table C.6: IP Access Policies

CLI syntax:
HP9300(config)# ip access-policy <policy-num> permit | deny
    <ip-addr> <ip-mask> | any <ip-addr> <ip-mask> | any tcp | udp
    [<operator> [<tcp/udp-port-num>]] [log]
HP9300(config-if-1/1)# ip access-policy-group in | out <policy-list>

Web management links:
Configure->IP->Access Policy
Layer 4 Policies
Layer 4 policies are rules that control transmission and receipt of packets based on Layer 4 transport information.
You can configure the following types of Layer 4 policies:
• TCP/UDP access policies (same as TCP/UDP filters)
TCP/UDP Access Policies
TCP/UDP access policies are IP filters that contain Layer 4 information. Layer 4 policies enable you to forward or
drop packets for individual Layer 4 applications, giving you finer access control. You do not need to completely
block an IP address to deny certain types of traffic from that address. You can selectively allow some types of
traffic while dropping others. For example, you can configure a Layer 4 policy to drop web (HTTP) packets from a
host but allow all other traffic from the host.
You can filter on the following Layer 4 application types:
• ICMP
• IGMP
• IGRP
• OSPF
• TCP
• UDP
For TCP and UDP, you also specify an operator and the port number or well-known name for the port. For
example, if you want to filter on FTP traffic, you configure the filter to match on packets that contain the TCP
application port number for FTP.
When you configure a Layer 4 policy, you specify the source and destination IP addresses of the hosts or
servers for which you are controlling access.
Figure D.2 shows an example of TCP/UDP access policies. Although this example does not explicitly identify
these policies as inbound policies or outbound policies, when you apply the policies to individual ports you specify
whether they are for inbound or outbound traffic.
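The following added example (not part of the HP manual) parses commands written in the syntax from Table C.6 and reports policy numbers that are referenced in a policy group but never defined, defined but never applied, permit any-to-any traffic with no port match, or deny without the log keyword. The sample configuration is constructed; the operator spelling `eq`, the whitespace-separated policy list, and the finding names are assumptions.

```python
import re

# Layer 4 application types the page lists as filterable.
PROTOCOLS = {"icmp", "igmp", "igrp", "ospf", "tcp", "udp"}

# Constructed sample config (addresses, 'eq 80' and the policy-list layout are assumptions).
SAMPLE = """\
HP9300(config)# ip access-policy 1 deny 10.1.1.5 255.255.255.255 any tcp eq 80 log
HP9300(config)# ip access-policy 2 permit any any tcp
HP9300(config)# ip access-policy 3 deny any 10.2.0.0 255.255.0.0 udp
HP9300(config-if-1/1)# ip access-policy-group in 1 2 4
"""

def _endpoint(tokens):
    """Consume 'any' or '<ip-addr> <ip-mask>' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_policy(line):
    """Parse one 'ip access-policy' command; return None for any other line."""
    m = re.match(r"ip access-policy (\d+) (permit|deny) (.+)$", line.strip())
    if not m:
        return None
    src, rest = _endpoint(m.group(3).split())
    dst, rest = _endpoint(rest)
    proto, rest = rest[0].lower(), rest[1:]
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol in: {line!r}")
    log = bool(rest) and rest[-1] == "log"
    return {"num": int(m.group(1)), "action": m.group(2), "src": src, "dst": dst,
            "proto": proto, "match": rest[:-1] if log else rest, "log": log}

def audit(config):
    """Return sorted policy numbers per finding type for a block of CLI lines."""
    policies, applied = {}, set()
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop the CLI prompt if present
        grp = re.match(r"ip access-policy-group (in|out) (.+)$", line)
        if grp:
            applied.update(int(n) for n in grp.group(2).split())
        elif (p := parse_policy(line)):
            policies[p["num"]] = p
    return {"undefined": sorted(applied - set(policies)),
            "unapplied": sorted(set(policies) - applied),
            "broad_permit": sorted(n for n, p in policies.items() if p["action"] == "permit"
                                   and p["src"] == p["dst"] == "any" and not p["match"]),
            "deny_no_log": sorted(n for n, p in policies.items()
                                  if p["action"] == "deny" and not p["log"])}
```

Calling `audit(SAMPLE)` returns a dictionary of findings keyed by type; the parser treats the operator and port tokens as opaque, so it does not validate them against the device's own keyword set.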