Product guide
Access Control Lists (ACLs) for the Series 5300xl Switches
Introduction
For ACL filtering to take effect, configure an ACL and then assign it to either
the inbound or outbound traffic on a statically configured VLAN on the switch.
(Except for ACEs that screen traffic to an IP address on the switch itself, ACLs
assigned to VLANs can operate only while IP routing is enabled. Refer to
“Notes on IP Routing” on page 9-11.)
Table 9-1. Comprehensive Command Summary

(Footnote markers: ¹ and ² refer to the notes below the table. Page references are to this chapter.)

Action:  Configuring Standard (Numbered) ACLs                              Page 9-33
Command:
  ProCurve(config)# [no] access-list < 1-99 > < deny | permit >
      < any | host < src-ip-addr > | src-ip-address/mask >¹ [log]²

Action:  Configuring Extended (Numbered) ACLs                              Page 9-38
Command:
  ProCurve(config)# [no] access-list < 100-199 > < deny | permit >
      ip < any | host < src-ip-addr > | src-ip-address/mask >¹
      < any | host < dest-ip-addr > | dest-ip-address/mask >¹ [log]²

  ProCurve(config)# [no] access-list < 100-199 > < deny | permit >
      < tcp | udp >
      < any | host < src-ip-addr > | src-ip-address/mask >¹
      [operator < src-port tcp/udp-id >]
      < any | host < dest-ip-addr > | dest-ip-address/mask >¹
      [operator < dest-port tcp/udp-id >] [log]²

Action:  Configuring Standard (Named) ACLs                                 Page 9-44
         Configuring Extended (Named) ACLs
Command:
  ProCurve(config)# [no] ip access-list standard < name-str | 1-99 >
  ProCurve(config-std-nacl)# < deny | permit >
      < any | host < src-ip-addr > | src-ip-address/mask >¹ [log]²

  ProCurve(config)# [no] ip access-list extended < name-str | 100-199 >
  ProCurve(config-ext-nacl)# < deny | permit > ip
      < any | host < src-ip-addr > | src-ip-address/mask >¹
      < any | host < dest-ip-addr > | dest-ip-address/mask >¹ [log]²

  ProCurve(config-ext-nacl)# < deny | permit > < tcp | udp >
      < any | host < src-ip-addr > | src-ip-address/mask >¹
      [operator < src-port tcp/udp-id >]
      < any | host < dest-ip-addr > | dest-ip-address/mask >¹
      [operator < dest-port tcp/udp-id >] [log]²

Action:  Enabling or Disabling an ACL                                      Page 9-46
Command:
  ProCurve(config)# [no] vlan < vid > ip access-group
      < name-str | 1-99 | 100-199 > < in | out >

¹ The mask can be in either dotted-decimal notation (such as 0.0.15.255) or CIDR notation (such as /20).
² The [log] function applies only to “deny” ACLs, and generates a message only when there is a “deny” match.
9-4
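To make the matching rules behind Table 9-1 concrete, the following Python model is added here; it is not code from the product guide or from ProCurve. It parses ACEs written in the table's syntax (source, optional port operator, destination, [log]), treats a dotted-decimal mask as an ACL wildcard mask so that 0.0.15.255 and /20 select the same block (footnote 1), evaluates packets top-down with the first match deciding, and emits a log record only on a "deny" match (footnote 2). The ACE text, sample packets, and the port operators eq/neq/gt/lt are constructed for this illustration, and the trailing implicit "deny any" is assumed ProCurve behaviour rather than something stated on this page.

```python
"""Added example (not from the product guide): a model of how an ordered ACL
evaluates traffic under the Table 9-1 syntax. ACE text, addresses, and the
port operators (eq/neq/gt/lt) are constructed for this illustration; the
implicit 'deny any' at the end of every ACL is assumed ProCurve behaviour."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
AddrSpec = Tuple[int, int]  # (value, care-bits): packet_addr & care == value


def parse_address(tokens: List[str]) -> AddrSpec:
    """Consume 'any' | 'host <ip>' | '<ip>/<mask>' from the front of tokens.
    A dotted-decimal mask is an ACL (wildcard) mask where a 1 bit means
    "don't care", so 0.0.15.255 and /20 select the same block (footnote 1)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), ALL_ONES
    ip_str, mask_str = t.split("/", 1)
    ip = int(ipaddress.IPv4Address(ip_str))
    if "." in mask_str:                       # wildcard mask: invert to get care bits
        care = ~int(ipaddress.IPv4Address(mask_str)) & ALL_ONES
    else:                                     # CIDR prefix length
        care = (ALL_ONES << (32 - int(mask_str))) & ALL_ONES
    return ip & care, care


# Port operators assumed for the example (the table only says "operator").
PORT_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}


def parse_port(tokens: List[str]) -> Optional[Callable[[int], bool]]:
    """Consume an optional '<operator> <port>' clause; None means any port."""
    if tokens and tokens[0] in PORT_OPS:
        op, n = PORT_OPS[tokens.pop(0)], int(tokens.pop(0))
        return lambda port: op(port, n)
    return None


@dataclass
class Ace:
    action: str                        # 'permit' | 'deny'
    proto: str                         # 'ip' | 'tcp' | 'udp'
    src: AddrSpec
    dst: AddrSpec                      # standard ACLs: any destination
    sport: Optional[Callable[[int], bool]]
    dport: Optional[Callable[[int], bool]]
    log: bool
    text: str


def parse_ace(line: str, extended: bool) -> Ace:
    """Parse the part of an ACE after the list number/name, e.g.
    'deny tcp any host 10.10.20.5 eq 23 log' or (standard) 'permit 10.1.0.0/16'."""
    tokens = line.split()
    action = tokens.pop(0)
    proto = tokens.pop(0) if extended else "ip"
    src = parse_address(tokens)
    sport = parse_port(tokens) if proto in ("tcp", "udp") else None
    dst, dport = (0, 0), None
    if extended:
        dst = parse_address(tokens)
        dport = parse_port(tokens) if proto in ("tcp", "udp") else None
    return Ace(action, proto, src, dst, sport, dport, tokens == ["log"], line)


def ace_matches(ace: Ace, pkt: Dict) -> bool:
    """True when every field of the ACE matches the packet."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if (int(ipaddress.IPv4Address(pkt["src"])) & ace.src[1]) != ace.src[0]:
        return False
    if (int(ipaddress.IPv4Address(pkt["dst"])) & ace.dst[1]) != ace.dst[0]:
        return False
    if ace.sport is not None and not ace.sport(pkt["sport"]):
        return False
    if ace.dport is not None and not ace.dport(pkt["dport"]):
        return False
    return True


def apply_acl(aces: List[Ace], pkt: Dict) -> Tuple[str, Optional[str]]:
    """First matching ACE decides; [log] fires only on a deny match (footnote 2).
    No match falls through to the assumed implicit deny, which does not log."""
    for ace in aces:
        if ace_matches(ace, pkt):
            msg = None
            if ace.action == "deny" and ace.log:
                msg = f"ACL deny match on '{ace.text}': {pkt}"
            return ace.action, msg
    return "deny", None


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed extended ACL and sample packets (not from the guide)."""
    acl = [parse_ace(l, extended=True) for l in [
        "permit tcp 10.10.0.0/0.0.15.255 any eq 443",   # /20 block to any HTTPS server
        "deny tcp any host 10.10.20.5 eq 23 log",       # log Telnet attempts to one host
        "permit ip 10.10.0.0/20 any",                   # same block, everything else
    ]]
    packets = [
        {"src": "10.10.3.7",  "dst": "192.0.2.10", "proto": "tcp", "sport": 51000, "dport": 443},
        {"src": "10.10.31.9", "dst": "10.10.20.5", "proto": "tcp", "sport": 51001, "dport": 23},
        {"src": "10.10.8.1",  "dst": "10.10.20.5", "proto": "udp", "sport": 51002, "dport": 53},
        {"src": "172.16.0.1", "dst": "10.10.20.5", "proto": "udp", "sport": 51003, "dport": 53},
    ]
    return [apply_acl(acl, p) for p in packets]


if __name__ == "__main__":
    for action, msg in demo():
        print(action, "" if msg is None else msg)
```

Running `demo()` yields permit, deny (with a log record), permit, deny (silent): the second packet comes from 10.10.31.9, which lies outside the /20 block selected by 0.0.15.255, so it skips the first ACE and hits the logged Telnet deny; the last packet matches nothing and is dropped by the implicit deny without a log message, which is why a final explicit "deny any log" ACE is the usual way to get visibility of everything an ACL blocks.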