Command Reference Guide

SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 254
Functional Notes
Access control lists (ACLs) are used as packet selectors by other Secure Router OS systems; by
themselves they do nothing. ACLs are composed of an ordered list of entries with an implicit deny all at
the end of each list. An ACL entry contains two parts: an action (permit or deny) and a packet pattern. A
permit ACL is used to allow packets (meeting the specified pattern) to enter the router system. A deny ACL
advances the Secure Router OS to the next access policy entry. The Secure Router OS provides two types
of ACLs: standard and extended. Standard ACLs allow source IP address packet patterns only. Extended
ACLs may specify patterns using most fields in the IP header and the TCP or UDP header.
ACL entries are evaluated in order from the top of the list down, and the first matching entry decides the action. Generally, the most specific entries should be at the top and the most general at the bottom.
The following commands are available in extended access-list configuration mode:
remark
Use the remark command to associate a descriptive tag (up to 80 alphanumeric characters enclosed in
quotation marks) with the access list. Enter a functional description for the list such as "This list blocks all
outbound web traffic".
log
Using the log keyword logs a message (if debug access-list is enabled for this access list) when the access
list finds a packet match.
Usage Examples
The following example creates an access list AllowIKE to allow all IKE (UDP Port 500) packets from the
190.72.22.55.0/24 network:
(config)#ip access-list extended AllowIKE
(config-ext-nacl)#permit udp 190.72.22.55.0 0.0.0.255 eq 500 any eq 500
For more details, refer to the ProCurve SROS Documentation CD for technical support notes regarding
access-list configuration.
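The functional notes above describe first-match evaluation, the implicit deny at the end of every list, and the need to place specific entries before general ones; the usage example shows a source pattern written as an address plus a wildcard mask. The following Python model is an added example, not SROS code and not part of the original guide: it implements those rules for a small packet description so the effect of entry ordering can be checked offline. It assumes Cisco-style inverse-mask semantics (a 0 bit in the wildcard means that address bit must match, as the 0.0.0.255 in the page's example suggests), and all addresses, ports and list contents are constructed sample values (the RFC 5737 documentation networks are used because they are safe to publish).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One access-list entry: an action plus a packet pattern (constructed model)."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; else "udp", "tcp", ...
    src: str = "any"                 # "any" or a dotted-quad address
    src_wild: str = "0.0.0.0"        # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    src_port: Optional[int] = None   # None means any port (the "eq" form sets a value)
    dst_port: Optional[int] = None
    log: bool = False                # "log" keyword: report matches when debugging is on


@dataclass
class Packet:
    """Minimal 5-tuple of the fields the model inspects (constructed)."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def addr_matches(pattern: str, wildcard: str, addr: str) -> bool:
    """Assumed inverse-mask semantics: every address bit under a 0 wildcard bit must equal the pattern."""
    if pattern == "any":
        return True
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return (p & ~w) == (a & ~w)


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not addr_matches(entry.src, entry.src_wild, pkt.src):
        return False
    if not addr_matches(entry.dst, entry.dst_wild, pkt.dst):
        return False
    if entry.src_port is not None and entry.src_port != pkt.sport:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dport:
        return False
    return True


def evaluate(acl: List[AclEntry], pkt: Packet, debug: bool = False) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based entry number); (deny, None) is the implicit deny."""
    for index, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            if entry.log and debug:
                print(f"access-list: entry {index} {entry.action} matched {pkt}")
            return entry.action, index
    return "deny", None


# Constructed counterpart of the page's AllowIKE list: UDP 500 to UDP 500 from one /24.
ALLOW_IKE = [
    AclEntry("permit", "udp", "192.0.2.0", "0.0.0.255", "any", "0.0.0.0", 500, 500, log=True),
]

# Two orderings of the same two entries: a host-specific deny and a subnet-wide permit for TCP/80.
SPECIFIC_DENY = AclEntry("deny", "tcp", "192.0.2.13", "0.0.0.0", "any", "0.0.0.0", None, 80)
SUBNET_PERMIT = AclEntry("permit", "tcp", "192.0.2.0", "0.0.0.255", "any", "0.0.0.0", None, 80)
WEB_SPECIFIC_FIRST = [SPECIFIC_DENY, SUBNET_PERMIT]   # recommended order
WEB_GENERAL_FIRST = [SUBNET_PERMIT, SPECIFIC_DENY]    # the deny can never match here


if __name__ == "__main__":
    ike = Packet("udp", "192.0.2.7", "198.51.100.1", 500, 500)
    print("IKE from inside /24:", evaluate(ALLOW_IKE, ike, debug=True))
    print("NAT-T (UDP 4500) hits implicit deny:",
          evaluate(ALLOW_IKE, Packet("udp", "192.0.2.7", "198.51.100.1", 4500, 4500)))
    web = Packet("tcp", "192.0.2.13", "203.0.113.5", 40000, 80)
    print("specific deny first:", evaluate(WEB_SPECIFIC_FIRST, web))
    print("general permit first:", evaluate(WEB_GENERAL_FIRST, web))
```

Running the module shows the two points the guide makes: any packet that matches no entry is denied, and placing the subnet-wide permit above the host-specific deny makes that deny unreachable, so the blocked host is permitted. The returned entry number is what a reviewer would compare against the intended policy when auditing a list.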
Technology Review
Creating access policies and lists to regulate traffic through the routed network is a four-step process:
Step 1:
Enable the security features of the Secure Router OS using the ip firewall command.
Step 2:
Create an access control list (using the ip access-list command) to permit or deny specified traffic.
Standard access lists provide pattern matching for source IP addresses only. (Use extended access lists
for more flexible pattern matching.) IP addresses can be expressed in one of three ways:
1. Using the keyword any to match any IP address. For example, entering deny any will effectively shut
down the interface that uses the access list because all traffic will match the any keyword.