HP ProCurve 7102dl Reference Manual page 397

SROS Command Line Interface Reference Guide
Global Configuration Mode Command Set
2. Access Policies (ACPs)
SROS access control policies are used to allow, discard, or manipulate (using NAT) data for each physical
interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT). When packets
are received on an interface, the configured ACPs are applied to determine whether the data will be
processed or discarded.
3. Access Lists (ACLs)
Access control lists are used as packet selectors by ACPs; by themselves they do nothing. ACLs are
composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and a
packet pattern. A permit ACL is used to permit packets (meeting the specified pattern) to enter the router
system. A deny ACL advances the SROS to the next access policy entry. The SROS provides two types of
ACLs: standard and extended. Standard ACLs allow source IP address packet patterns only. Extended
ACLs may specify patterns using most fields in the IP header and the TCP or UDP header.
Usage Examples
The following example enables the SROS security features:
ProCurve(config)#ip firewall
Technology Review
Concepts:
Access control using the SROS firewall has two fundamental parts: Access Control Lists (ACLs) and
Access Policy Classes (ACPs). ACLs are used as packet selectors by other SROS systems; by
themselves they do nothing. ACPs consist of a selector (ACL) and an action (allow, discard, NAT). ACPs
integrate both allow and discard policies with NAT. ACPs have no effect until they are assigned to a
network interface.
Both ACLs and ACPs are order dependent. When a packet is evaluated, the matching engine begins with
the first entry in the list and progresses through the entries until it finds a match. The first entry that
matches is executed.
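The first-match rules described above (an ACL entry decides as soon as its pattern covers the packet, and a deny in an ACP's selector advances evaluation to the next ACP entry) can be modelled to show why order matters. This is an added Python model, not SROS code or anything from the manual; the networks, the two-entry policy and the implicit final discard are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    pattern: ipaddress.IPv4Network  # standard ACL: source-address pattern only

@dataclass
class Acp:
    selector: List[AclEntry]        # the ACL this policy entry uses as its selector
    action: str                     # "allow", "discard" or "nat"

def acl_selects(acl: List[AclEntry], src: ipaddress.IPv4Address) -> bool:
    """First-match ACL evaluation: the first entry whose pattern covers the
    source decides. permit -> packet selected; deny or no match -> not selected."""
    for entry in acl:
        if src in entry.pattern:
            return entry.action == "permit"
    return False

def apply_acps(acps: List[Acp], src: ipaddress.IPv4Address) -> str:
    """Walk the interface's ACP entries in order. The first entry whose ACL
    permits the packet fires; a deny or non-match advances to the next entry."""
    if not acps:
        return "allow"   # packet-flow diagram: ACP stage is skipped when none is configured
    for acp in acps:
        if acl_selects(acp.selector, src):
            return acp.action
    return "discard"     # assumption: implicit discard once every entry is exhausted

def build_acps(shadowed: bool) -> List[Acp]:
    """Constructed policy: 10.0.0.0/8 is allowed except 10.0.5.0/24, which the
    second ACP discards. With shadowed=True the deny sits after the broader
    permit in the same ACL, so the first-match engine never reaches it."""
    net = ipaddress.IPv4Network
    deny_lab = AclEntry("deny", net("10.0.5.0/24"))
    permit_site = AclEntry("permit", net("10.0.0.0/8"))
    trusted = [permit_site, deny_lab] if shadowed else [deny_lab, permit_site]
    catch_all = [AclEntry("permit", net("0.0.0.0/0"))]
    return [Acp(trusted, "allow"), Acp(catch_all, "discard")]

def decide(shadowed: bool, ip: str) -> str:
    """Evaluate one source address against the constructed interface policy."""
    return apply_acps(build_acps(shadowed), ipaddress.IPv4Address(ip))

if __name__ == "__main__":
    for order in (False, True):
        for ip in ("10.0.9.1", "10.0.5.7", "172.16.0.1"):
            print(f"shadowed={order} src={ip}: {decide(order, ip)}")
```

Run as written, the shadowed ordering lets 10.0.5.7 through as "allow", which is exactly the misordering an auditor checks for when reviewing ACL entry order.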
Packet Flow:
[Diagram; only its labels survive extraction: Packet In, Interface, Association List, Access Control Policies (permit, deny, NAT), Route Lookup, Packet Out. A bypass path is labelled "If session hit, or no ACP configured".]
5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
395