HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 260


Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces
[Figure 5-9 diagram labels: hosts .10 through .14 on subnet 192.168.1.0, Edge Switch, Eth 0/1, Router B. Device 192.168.1.14 sends a packet.]

Configuration shown in the figure:

    interface ppp 2
     ip address 10.1.1.1 255.255.255.252
     access-policy Private
    ip policy-class Private
     allow list Group1
     discard list Group2
     allow list Group3
     allow list Group4

Figure 5-9. Using ACLs with ACPs

In Figure 5-10, device 10.10.10.1 sends a packet to server 192.168.1.10. Router B forwards the packet to Router A, which receives the packet on its PPP 1 interface. The WAN ACP has been assigned to PPP 1, so the Secure Router OS firewall begins to process the entries in that ACP.

The Secure Router OS firewall first tries to match the packet from 10.10.10.1 to the allow list Web entry. It checks the entry in the Web ACL, but the packet does not match this entry.

The Secure Router OS then checks the second entry in the WAN ACP: discard list Host. It tries to match the packet from 10.10.10.1 to the first entry in the Host ACL and then to the second entry. There is no match.

Next, the Secure Router OS checks the last entry in the WAN ACP: allow list MatchAll. It tries to match the packet from 10.10.10.1 to the first entry in the MatchAll ACL. Then, it tries to match the packet to the second entry, and this time the packet matches the packet pattern.

[Figure 5-9, continued. Diagram labels: PPP 1, Router A; PPP 2, Router B.]

ACLs shown in the figure:

    ip access-list standard Group1
     permit host 192.168.1.10 log
     deny host 192.168.1.11 log
    ip access-list standard Group2
     deny host 192.168.1.12 log
     permit host 192.168.1.13 log
     permit host 192.168.1.14 log
    ip access-list standard Group3
     permit host 192.168.1.12 log
     deny host 192.168.1.15 log
    ip access-list standard Group4
     permit host 192.168.1.16 log
     permit host 192.168.1.17 log

Figure annotations: "No match" and "Matches last entry in Group2; packet is discarded".

This manual is also suitable for:

ProCurve Secure Router 7102 dl
