HP ProCurve 2910al Access Security Manual page 320


IPv4 Access Control Lists (ACLs)
Planning an ACL Application
dictates that a match occurs only when the source address on such packets
is identical to the address configured in the ACE.

    ip access-list standard Fileserver
    permit 10.28.252.117 0.0.0.0
    exit

ACE: permit 10.28.252.117 0.0.0.0
Source Address (SA): 10.28.252.117
Mask: 0.0.0.0 (All zeros mean that a match occurs only when an IP packet's source address is identical to the source address configured in the ACE.)

This ACL (a standard ACL named "Fileserver") includes an ACE (Access Control Entry)
that permits matches only with the packets received from 10.28.252.117 (the SA).
Packets from any other source do not match and are denied.

Inbound Packet "A" On VLAN 20
– Destination Address: 10.35.248.184
– Source Address: 10.28.252.117
The VLAN permits packet "A" because its source address matches the source address in the ACE.

Inbound Packet "B" On VLAN 20
– Destination Address: 10.35.248.184
– Source Address: 10.28.252.120
The VLAN denies packet "B" because its source address does not match the source address in the ACE.

Figure 9-5. Example of an ACL with an Access Control Entry (ACE) that Allows Only One Source Address

Examples Allowing Multiple IPv4 Addresses. Table 9-2 provides examples of how to apply masks to meet various filtering requirements.

Table 9-2. Example of Using an IPv4 Address and Mask in an Access Control Entry

| Address in the ACE | Mask | Policy for a Match Between a Packet and the ACE | Allowed Addresses |
|---|---|---|---|
| A: 10.38.252.195 | 0.0.0.255 | Exact match in first three octets only. | 10.38.252.< 0-255 > (See row A in table 9-3, below.) |
| B: 10.38.252.195 | 0.0.7.255 | Exact match in the first two octets and the leftmost five bits (248) of the third octet. | 10.38.< 248-255 >.< 0-255 > (In the third octet, only the rightmost three bits are wildcard bits. The leftmost five bits must be a match, and in the ACE, these bits are all set to 1. See row B in table 9-3, below.) |
| C: 10.38.252.195 | 0.0.0.0 | Exact match in all octets. | 10.38.252.195 (There are no wildcard bits in any of the octets. See row C in table 9-3, below.) |
| D: 10.38.252.195 | 0.15.255.255 | Exact match in the first octet and the leftmost four bits of the second octet. | 10.< 32-47 >.< 0-255 >.< 0-255 > (In the second octet, the rightmost four bits are wildcard bits. See row D in table 9-3, below.) |
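
The mask arithmetic behind Table 9-2 and Figure 9-5, as an added Python example (not part of the HP manual): it checks a source address against an ACE, derives the per-octet allowed values, and counts how many addresses each mask admits, which is a useful review step before applying a wide mask. The function and variable names are assumptions made for this illustration.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def ace_matches(ace_addr, mask, src):
    """True if src matches the ACE. Mask bits set to 1 are wildcard bits."""
    care = ~_to_int(mask) & 0xFFFFFFFF  # bits that must be identical
    return ((_to_int(src) ^ _to_int(ace_addr)) & care) == 0

def octet_ranges(ace_addr, mask):
    """(lowest, highest) matching value for each octet. This is a true range
    only when an octet's wildcard bits are its rightmost bits, as they are
    in every row of Table 9-2."""
    a = ipaddress.IPv4Address(ace_addr).packed
    m = ipaddress.IPv4Address(mask).packed
    return [(x & ~y & 0xFF, x | y) for x, y in zip(a, m)]

def match_count(mask):
    """Number of source addresses one ACE admits: 2 ** (wildcard bits)."""
    return 2 ** bin(_to_int(mask)).count("1")

def evaluate(acl, src):
    """The first matching ACE decides; a packet matching no ACE is denied."""
    for action, addr, mask in acl:
        if ace_matches(addr, mask, src):
            return action
    return "deny"

# Rows A-D of Table 9-2: (address in the ACE, mask)
TABLE_9_2 = {
    "A": ("10.38.252.195", "0.0.0.255"),
    "B": ("10.38.252.195", "0.0.7.255"),
    "C": ("10.38.252.195", "0.0.0.0"),
    "D": ("10.38.252.195", "0.15.255.255"),
}
# The single-ACE "Fileserver" ACL from Figure 9-5
FILESERVER = [("permit", "10.28.252.117", "0.0.0.0")]

if __name__ == "__main__":
    for row, (addr, mask) in TABLE_9_2.items():
        print(row, octet_ranges(addr, mask), match_count(mask))
    for src in ("10.28.252.117", "10.28.252.120"):  # packets "A" and "B"
        print(src, evaluate(FILESERVER, src))
```

Row D shows why the count matters: the mask 0.15.255.255 admits 1,048,576 source addresses, against 256 for row A.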
