HP ProCurve 7102dl Reference Manual page 379

Secure router sros command line interface

SROS Command Line Interface Reference Guide
<destination>
Specifies the destination used for packet matching. Destinations can be expressed in one of four ways:
1. Using the keyword any to match any IP address.
2. Using host <A.B.C.D> to specify a single host address.
3. Using the <A.B.C.D> <wildcard> format to match all IP addresses in a range. Wildcard masks work in reverse logic from subnet masks. Specifying 255 in any octet of the wildcard mask equates to a "don't care".
4. Using the keyword hostname to match based on a DNS name. The unit must be configured with DNS servers for this function to work.

<destination port>
Optional. Specifies the destination port. Only valid when <protocol> is tcp or udp. The same keywords and port numbers/names used for the <source port> field are valid for the <destination port> field. Refer to previously listed <source port> for more details.

<destination port>
Optional. Specifies the destination port. Only valid when <protocol> is tcp or udp. (Refer to previously listed <source port> for more details.)

<icmp-type>
Optional. Filters packets using ICMP defined (and numbered) messages carried in IP datagrams (used to send error and control information). Valid range is 0 to 255.

<icmp-code>
Optional. ICMP packets that are filtered using the ICMP message type (using the <icmp-type> keyword) can also be filtered using the ICMP message code (valid range: 0 to 255). An <icmp-type> must be specified when entering an <icmp-code>.

<icmp-message>
Optional. Filters packets using ICMP descriptive message rather than the corresponding type and code associations.

Default Values
By default, all SROS security features are disabled and there are no configured access lists.

Functional Notes
Access control lists (ACLs) are used as packet selectors by other SROS features (firewall, VPN, QoS); by themselves they do nothing. ACLs are composed of an ordered list of entries with an implicit deny all at the end of each list. An ACL entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to allow packets (meeting the specified pattern) to enter the router system. A deny ACL advances the SROS to the next access policy entry. The SROS provides two types of ACLs: standard and extended. Standard ACLs match based on the source of the packet. Extended ACLs match based on the source and destination of the packet.
ACLs are performed in order from the top of the list down. Generally, the most specific entries should be at
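
The wildcard-mask matching and top-down evaluation described on this page can be checked offline with the following added example, which is not part of the HP manual and is not SROS code. It assumes the first matching entry decides the result, models only the any, host and <A.B.C.D> <wildcard> address forms (the hostname form needs DNS and is left out), and uses constructed documentation addresses.

```python
import ipaddress

def to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def parse_pattern(text):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (base, wildcard)."""
    parts = text.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF              # every bit is "don't care"
    if len(parts) == 2 and parts[0] == "host":
        return to_int(parts[1]), 0        # every bit must match
    if len(parts) == 2:
        return to_int(parts[0]), to_int(parts[1])
    raise ValueError(f"unsupported pattern: {text!r}")

def matches(pattern, addr):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    base, wildcard = pattern
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(acl, src, dst):
    """Return the action of the first matching entry, top down (assumed semantics)."""
    for action, src_pat, dst_pat in acl:
        if matches(parse_pattern(src_pat), src) and matches(parse_pattern(dst_pat), dst):
            return action
    return "deny"                         # implicit deny all at the end of the list

# Constructed sample ACLs (documentation address ranges, not from the manual).
SPECIFIC_FIRST = [
    ("deny",   "host 192.0.2.50",     "any"),
    ("permit", "192.0.2.0 0.0.0.255", "198.51.100.0 0.0.0.255"),
]
GENERAL_FIRST = list(reversed(SPECIFIC_FIRST))   # same entries, general one on top

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        for src in ("192.0.2.50", "192.0.2.7", "203.0.113.9"):
            print(name, src, "->", evaluate(acl, src, "198.51.100.10"))
```

With the general entry on top, the host-specific deny is never reached, which is the ordering mistake to look for when reviewing a list.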
© Copyright 2007 Hewlett-Packard Development Company, L.P.
Global Configuration Mode Command Set

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
