Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 257
ip access-list standard <listname>
Use the ip access-list standard command to create an empty access list and enter the standard access-list.
Use the no form of this command to delete an access list and all the entries contained in it.
The following lists the complete syntax for the ip access-list standard commands (one source pattern per entry):
ip access-list standard <listname>
    [permit or deny] any
    [permit or deny] host <ip address>
    [permit or deny] <ip address> <wildcard>
Default Values
By default, all Secure Router OS security features are disabled and there are no configured access lists.
Command Modes
(config)# Global Configuration Mode
Functional Notes
Access control lists are used as packet selectors by access policies (ACPs); by themselves they do
nothing. ACLs are composed of an ordered list of entries with an implicit deny all at the end of each list. An
ACL entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to
allow packets (meeting the specified pattern) to enter the router system. A deny ACL advances the Secure
Router OS to the next access policy entry. The Secure Router OS provides two types of ACLs: standard
and extended. Standard ACLs allow source IP address packet patterns only. Extended ACLs may specify
patterns using most fields in the IP header and the TCP or UDP header.
Syntax Description
<listname>
Alphanumeric descriptor for identifying the configured access list (all access list descriptors are case-sensitive).
<action>
Permit or deny entry to the routing system for specified packets.
<source ip>
Specifies the source IP address used for packet matching. IP addresses can be expressed in one of three ways:
1. Using the keyword any to match any IP address. For example, entering deny any will effectively shut down the interface that uses the access list, because all traffic will match the any keyword.
2. Using host <A.B.C.D> to specify a single host address. For example, entering permit 196.173.22.253 will allow all traffic from the host with an IP address of 196.173.22.253.
3. Using the <A.B.C.D> <wildcard> format to match all IP addresses in a “range”. Wildcard masks work in reverse logic from a subnet mask: specifying a one in the wildcard mask equates to a “don’t care”. For example, entering deny 192.168.0.0 0.0.0.255 will deny all traffic from the 192.168.0.0/24 network.
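The matching rules above (ordered entries, first match wins, implicit deny all at the end, and wildcard masks with "one means don't care" logic) are easy to get wrong when reading a list by hand. The following Python evaluator is an added illustration written for this page; it is not SROS code and does not claim to reproduce the router's parser. It accepts the three source forms documented above and, as an assumption mirroring the page's own "permit 196.173.22.253" example, treats a bare address as a single host. The ACL and source addresses are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the SROS manual): a minimal evaluator for
# standard ACL entries in the forms documented on the page:
#   permit|deny any
#   permit|deny host A.B.C.D
#   permit|deny A.B.C.D WILDCARD
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class StandardAclEntry:
    action: str      # "permit" or "deny"
    network: int     # source pattern as a 32-bit integer
    wildcard: int    # wildcard mask: a 1 bit means "don't care"

    def matches(self, src: str) -> bool:
        # Reverse logic relative to a subnet mask: only the bits where the
        # wildcard has a 0 must agree between the pattern and the packet.
        care = (~self.wildcard) & MASK32
        src_int = int(ipaddress.IPv4Address(src))
        return (src_int & care) == (self.network & care)


def parse_entry(line: str) -> StandardAclEntry:
    """Parse one standard ACL entry; raises ValueError on malformed input."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad entry: {line!r}")
    action = tokens[0]
    if tokens[1] == "any" and len(tokens) == 2:
        return StandardAclEntry(action, 0, MASK32)          # all bits don't care
    if tokens[1] == "host" and len(tokens) == 3:
        return StandardAclEntry(action, int(ipaddress.IPv4Address(tokens[2])), 0)
    if len(tokens) == 3:
        net = int(ipaddress.IPv4Address(tokens[1]))
        wc = int(ipaddress.IPv4Address(tokens[2]))
        return StandardAclEntry(action, net, wc)
    if len(tokens) == 2:
        # Assumption: a bare address is a single host, as in the page's example.
        return StandardAclEntry(action, int(ipaddress.IPv4Address(tokens[1])), 0)
    raise ValueError(f"bad entry: {line!r}")


def build_acl(lines: List[str]) -> List[StandardAclEntry]:
    """Build an ordered ACL; entry order is significant because first match wins."""
    return [parse_entry(line) for line in lines]


def evaluate(acl: List[StandardAclEntry], src: str) -> str:
    """Return the action of the first matching entry, or 'deny' (implicit deny all)."""
    for entry in acl:
        if entry.matches(src):
            return entry.action
    return "deny"


def wildcard_to_prefix(wildcard: str) -> Optional[int]:
    """Translate a contiguous wildcard (e.g. 0.0.0.255) to a prefix length (24).

    Non-contiguous wildcards such as 0.255.0.255 are legal patterns but have no
    CIDR equivalent, so None is returned for them.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):            # contiguous low-order ones look like 0...01...1
        return None
    return 32 - wc.bit_length()


def shadowed_entries(acl: List[StandardAclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers them.

    Only exact-host and same-or-narrower wildcard relations are detected; this is a
    lint aid, not a full reachability analysis.
    """
    hidden = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            # 'earlier' covers 'later' if every bit 'earlier' cares about is also
            # fixed by 'later' and the two agree on those bits.
            care_e = (~earlier.wildcard) & MASK32
            if (later.wildcard & care_e) == 0 and \
               (later.network & care_e) == (earlier.network & care_e):
                hidden.append(i)
                break
    return hidden


# Constructed sample list exercising all three source forms.
SAMPLE_ACL = build_acl([
    "deny 192.168.0.0 0.0.0.255",
    "permit host 196.173.22.253",
    "permit 10.0.0.0 0.255.255.255",
    "permit host 192.168.0.10",       # shadowed: the first entry already denies it
])

if __name__ == "__main__":
    for src in ("192.168.0.77", "196.173.22.253", "10.20.30.40", "172.16.1.1"):
        print(f"{src:16} -> {evaluate(SAMPLE_ACL, src)}")
    print("shadowed entries:", shadowed_entries(SAMPLE_ACL))
```

Running the block shows the implicit deny in action (172.16.1.1 matches nothing and is denied) and flags the fourth entry as unreachable, which is the ordering mistake the Functional Notes warn about: a permit placed after a broader deny does nothing.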