Product guide

10-54
Access Control Lists (ACLs)
Configuring Standard ACLs
Configuring ACEs in a Named, Standard ACL.
Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list. For a standard ACL syntax summary, refer to table 10-9 on page 10-51.
Syntax: < deny | permit >
< any | host < SA > | SA < mask > | SA/mask-length > [log]
Executing this command appends the ACE to the end of the list of ACEs in the current ACL. In the default ACL configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (page 10-91).
Note: To insert a new ACE between two existing ACEs, precede
deny or permit with an appropriate sequence number. (Refer to
“Inserting an ACE in an Existing ACL” on page 10-88.)
< deny | permit >
For named ACLs, used in the “Named ACL” (nacl) context to
configure an ACE. Specifies whether the ACE denies or permits
a packet matching the criteria in the ACE, as described below.
< any | host < SA > | SA < mask > | SA/mask-length >
Defines the source IP address (SA) a packet must carry for a
match with the ACE.
any — Allows IP packets from any SA.
host < SA > — Specifies only packets having < SA > as the
source. Use this criterion when you want to match the IP
packets from a single source IP address.
SA < mask > or SA/mask-length — Specifies packets received from either a subnet or a group of IP addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits). (Refer to “Using CIDR Notation To Enter the ACL Mask” on page 10-50).
Mask Application: The mask is applied to the IP address in the ACE to define which bits in a packet’s source IP address must exactly match the IP address configured in the ACE and which bits need not match. For example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IP address in the range of 10.10.10.(1 - 255).
Note: Specifying a group of contiguous IP addresses may
require more than one ACE. For more on how masks operate,
refer to “How an ACE Uses a Mask To Screen Packets for
Matches” on page 10-36.
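The following is an added example, not code from the product guide or from the switch firmware, that models the ACE syntax above (sequence numbers in increments of 10, explicit sequence numbers to insert between existing ACEs, resequence, the optional log keyword) and the mask application described under Mask Application. It shows that a CIDR mask-length and a dotted-decimal wildcard mask select the same addresses, and, for the note that a contiguous range may need more than one ACE, it computes the set of SA/mask-length entries needed to cover a range. The class and function names (StandardACL, ACE, parse_source, aces_for_range) are hypothetical, and the implicit deny of anything no ACE matches is assumed standard-ACL behaviour rather than a statement taken from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of a named standard ACL; names are not switch CLI objects.

def wildcard_from_prefix(prefix_len: int) -> int:
    """CIDR mask-length -> 32-bit wildcard mask (1 bits = need not match)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad mask-length {prefix_len}")
    return (1 << (32 - prefix_len)) - 1

def parse_source(tokens: List[str]) -> Tuple[int, int, int]:
    """Parse 'any' | 'host SA' | 'SA mask' | 'SA/mask-length'.
    Returns (address, wildcard, tokens consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1                       # every bit is don't-care
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2   # all 32 bits must match
    if "/" in tokens[0]:
        addr, plen = tokens[0].split("/")
        return int(ipaddress.IPv4Address(addr)), wildcard_from_prefix(int(plen)), 1
    addr = int(ipaddress.IPv4Address(tokens[0]))     # dotted-decimal wildcard mask
    return addr, int(ipaddress.IPv4Address(tokens[1])), 2

@dataclass
class ACE:
    seq: int
    action: str        # "permit" or "deny"
    addr: int
    wildcard: int
    log: bool

    def matches(self, src: str) -> bool:
        # Mask application: bits set in the wildcard need not match, all others must.
        s = int(ipaddress.IPv4Address(src))
        return (s | self.wildcard) == (self.addr | self.wildcard)

class StandardACL:
    def __init__(self, name: str):
        self.name = name
        self.aces: List[ACE] = []

    def add(self, line: str) -> ACE:
        """Accept '[seq] <deny|permit> <source> [log]' as typed in the nacl context."""
        tokens = line.split()
        seq: Optional[int] = None
        if tokens[0].isdigit():                      # explicit sequence number
            seq, tokens = int(tokens[0]), tokens[1:]
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"expected deny|permit, got {action!r}")
        addr, wildcard, used = parse_source(tokens[1:])
        rest = tokens[1 + used:]
        log = rest == ["log"]
        if rest and not log:
            raise ValueError(f"unexpected trailing tokens {rest}")
        if seq is None:                              # default: append, last seq + 10
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        ace = ACE(seq, action, addr, wildcard, log)
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)          # explicit seq lands between existing ACEs
        return ace

    def resequence(self, start: int = 10, step: int = 10) -> None:
        for i, ace in enumerate(self.aces):
            ace.seq = start + i * step

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """First-match evaluation; (deny, None) is the assumed implicit deny."""
        for ace in self.aces:
            if ace.matches(src):
                return ace.action, ace.seq
        return "deny", None

def aces_for_range(action: str, first: str, last: str) -> List[str]:
    """Cover a contiguous address range with the fewest SA/mask-length ACEs."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"{action} {n.network_address}/{n.prefixlen}" for n in nets]

def demo() -> StandardACL:
    """Constructed ACL: seq 10, 20, 30 assigned automatically, 15 inserted explicitly."""
    acl = StandardACL("Accounting")
    acl.add("permit host 10.10.10.1")
    acl.add("deny 10.10.10.1 0.0.0.255 log")
    acl.add("permit 10.10.20.0/24")
    acl.add("15 deny host 10.10.20.7")
    return acl

if __name__ == "__main__":
    acl = demo()
    for a in acl.aces:
        print(a.seq, a.action, ipaddress.IPv4Address(a.addr), ipaddress.IPv4Address(a.wildcard), a.log)
    for src in ("10.10.10.1", "10.10.10.200", "10.10.20.7", "10.10.20.8", "192.168.1.1"):
        print(src, acl.evaluate(src))
    print(aces_for_range("permit", "10.10.10.1", "10.10.10.6"))
```

Because the ACE at sequence 15 sits before the /24 permit at sequence 30, a source of 10.10.20.7 is denied while 10.10.20.8 is permitted; the order of ACEs, not just their contents, decides the result. The range 10.10.10.1 through 10.10.10.6 needs four ACEs, which illustrates the note that a contiguous group of addresses can require more than one entry.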