HP ProCurve 5300xl Series Management Manual page 376

Advanced traffic
Access Control Lists (ACLs) for the Series 5300xl Switches
Configuring and Assigning an ACL
1  ip access-list extended "101"
2  deny ip 18.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255
3  deny ip 18.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255
4  permit tcp 18.28.18.100 0.0.0.0 18.28.237.1 0.0.0.0
5  deny tcp 18.28.18.100 0.0.0.0 0.0.0.0 255.255.255.255
6  permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
7  exit
Figure 9-10. Example of a Standard ACL that Permits All Traffic Not Implicitly Denied
Table 9-5. Effect of the Above ACL on Inbound Traffic in the Assigned VLAN

Line 1: Shows list type (extended) and ID (101).

Line 2: A packet from IP source address 18.28.235.10 will be denied (dropped). This line filters out all packets received from 18.28.235.10. As a result, IP traffic from that device will not be routed and packets from that device will not be compared against any later entries in the list.

Line 3: A packet from IP source 18.28.245.89 will be denied (dropped). This line filters out all packets received from 18.28.245.89. As a result, IP traffic from that device will not be routed and packets from that device will not be compared against any later entries in the list.

Line 4: A packet from TCP source address 18.28.18.100 with a destination address of 18.28.237.1 will be permitted (forwarded). Since no earlier lines in the list have filtered TCP packets from 18.28.18.100 and destined for 18.28.237.1, the switch will use this line to evaluate such packets. Any packets that meet these criteria will be forwarded. (Any packets that do not meet this TCP source-destination criteria are not affected by this line.)

Line 5: A packet from TCP source address 18.28.18.100 to any destination address will be denied (dropped). Since, in this example, the intent is to block TCP traffic from 18.28.18.100 to any destination except the destination stated in line 4, this line must follow line 4. (If their relative positions were exchanged, all TCP traffic from 18.28.18.100 would be dropped, including the traffic for the 18.28.18.1 destination.)

Line 6: Any packet from any IP source address to any destination address will be permitted (forwarded). The only traffic to reach this line will be IP packets not specifically permitted or denied in the earlier lines.

Line n/a: The "implicit deny any any" is a function automatically added as the last action in all ACLs. It denies (drops) any IP traffic from any source to any destination that has not found a match with earlier entries in the list. In this example, line 6 permits (forwards) any IP traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the "implicit deny any any" function.

Line 7: Indicates the end of the ACL.
9-30
Figure callouts: the source and destination IP addresses for the ACE in line 4 of the ACL are labeled "Source" and "Destination". Following the last explicit ACE in the ACL there is always an implicit "deny any". However, in this case it will not be used because the last, explicit permit statement allows all IP packets that earlier ACEs have not already permitted or denied.
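The first-match and implicit-deny behavior described in Table 9-5 can be checked offline with a small evaluator. This is an added example, not switch code or code from the manual; it encodes ACL "101" from Figure 9-10 as tuples, implements wildcard-mask matching (0 bit = must match, 1 bit = don't care), and includes a helper that swaps lines 4 and 5 to reproduce the ordering mistake the table warns about. The sample packets are constructed.

```python
import ipaddress

# ACL "101" from Figure 9-10, one tuple per ACE:
# (action, protocol, source, source wildcard, destination, destination wildcard).
# ProCurve ACEs use wildcard masks: a 0 bit must match, a 1 bit is "don't care".
ACL_101 = [
    ("deny",   "ip",  "18.28.235.10", "0.0.0.0",         "0.0.0.0",     "255.255.255.255"),
    ("deny",   "ip",  "18.28.245.89", "0.0.0.0",         "0.0.0.0",     "255.255.255.255"),
    ("permit", "tcp", "18.28.18.100", "0.0.0.0",         "18.28.237.1", "0.0.0.0"),
    ("deny",   "tcp", "18.28.18.100", "0.0.0.0",         "0.0.0.0",     "255.255.255.255"),
    ("permit", "ip",  "0.0.0.0",      "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """True if addr equals base in every bit that is 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst):
    """First-match evaluation. Returns (action, line) using Figure 9-10's
    numbering, where line 1 is the 'ip access-list' header, so ACE i is
    line i + 1. A packet matching no ACE hits the implicit 'deny any any',
    reported here as line None."""
    for idx, (action, ace_proto, s, sw, d, dw) in enumerate(acl):
        # An 'ip' ACE matches any IP protocol; a 'tcp' ACE matches only TCP.
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, idx + 2
    return "deny", None

def swap_lines_4_and_5(acl):
    """Reproduce the ordering mistake Table 9-5 warns about: put the
    'deny tcp 18.28.18.100 any' ACE ahead of the specific permit."""
    acl = list(acl)
    acl[2], acl[3] = acl[3], acl[2]
    return acl

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination).
    for pkt in [("tcp", "18.28.235.10", "18.28.237.1"),
                ("tcp", "18.28.18.100", "18.28.237.1"),
                ("tcp", "18.28.18.100", "18.28.1.1"),
                ("udp", "18.28.18.100", "18.28.1.1")]:
        print(pkt, "->", evaluate(ACL_101, *pkt))
    print("lines 4/5 swapped:", evaluate(swap_lines_4_and_5(ACL_101),
                                         "tcp", "18.28.18.100", "18.28.237.1"))
```

Note that a UDP packet from 18.28.18.100 falls through lines 4 and 5 (both TCP-only) to the permit in line 6, and that with line 6 removed every unmatched packet reaches the implicit deny.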