HP E3800-24G-PoE+-2SFP+ Access Security Manual page 506

IPv4 Access Control Lists (ACLs)
Enable ACL "Deny" Logging
HP Switch(config)# show statistics aclv4 Test-1 vlan 20 vlan
Hit Counts for ACL Test-1
  Total
(  5)  10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
(  2)  20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
HP Switch# show statistics aclv4 Test-1 vlan 50 in
Hit Counts for ACL Test-1
  Total
(  0)  10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
(  0)  20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Figure 10-57. Resulting ACE Hits on ACL "Test-1"
In the VLAN 20 output, the counter on ACE 10 indicates denied attempts to
Telnet to 10.10.20.12 filtered by the instance of the "Test-1" VACL
assignment on VLAN 20.
The counter on ACE 20 indicates permitted attempts to reach any accessible
destination via the instance of the "Test-1" VACL assignment on VLAN 20. In
this example, it shows the successful pings permitted by ACE 20.
The zero counters in the VLAN 50 output show that the hits on the instance of
the "Test-1" VACL assignment on VLAN 20 have no effect on the counters for the
RACL assignment of "Test-1" on VLAN 50.
However, using a device at 10.10.30.11 on VLAN 50 for attempts to ping and
Telnet to 10.10.20.12 requires routing, and filters the attempts through the
RACL instance of the "Test-1" ACL on VLAN 50.
HP Switch# ping 10.10.20.2
10.10.20.2 is alive, time = 25 ms
HP Switch# telnet 10.10.20.2
Telnet failed: Connection timed out.
HP Switch#
Figure 10-58. Ping and Telnet from 10.10.30.11 to 10.10.20.2 Filtered by the
Assignment of "Test-1" as a RACL on VLAN 30
This action has an identical effect on the counters in all RACL instances of the
"Test-1" ACL configured and assigned to interfaces on the same switch. In this
example, it means that the RACL assignments of "Test-1" on VLANs 50 and 70
will be incremented by the above action occurring on VLAN 50.
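
The hit-count listing in Figure 10-57 can be compared across two captures to find deny ACEs that have started matching traffic. The following is an added example, not code from the HP manual: the function names are hypothetical, the two snapshots are constructed from the figure, and the parser assumes the layout shown there (count in parentheses, then sequence number and rule).

```python
import re

# Constructed snapshots in the layout of Figure 10-57: hit count in
# parentheses, then the ACE sequence number and the rule text.
SAMPLE = """Hit Counts for ACL Test-1
  Total
({:>5})  10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
({:>5})  20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
BEFORE, AFTER = SAMPLE.format(0, 0), SAMPLE.format(5, 2)

HDR_RE = re.compile(r"^Hit\s*Counts for ACL\s+(\S+)")
ACE_RE = re.compile(r"^\(\s*(\d+)\s*\)\s+(\d+)\s+(permit|deny)\s+(.+)$")

def parse_hit_counts(text):
    """Return (acl_name, {seq: ace}) parsed from one hit-count listing."""
    name, aces = None, {}
    for line in map(str.strip, text.splitlines()):
        if (m := HDR_RE.match(line)):
            name = m.group(1)
        elif (m := ACE_RE.match(line)):
            hits, seq, action, rule = m.groups()
            aces[int(seq)] = {"hits": int(hits), "action": action,
                              "rule": rule, "log": rule.split()[-1] == "log"}
    if name is None:
        raise ValueError("no 'Hit Counts for ACL' header found")
    return name, aces

def new_deny_hits(before, after):
    """List (seq, delta, rule) for deny ACEs whose counter rose.

    Both snapshots must come from the same ACL instance, since a VACL
    instance keeps its own counters. A lower 'after' value is treated as
    a counter reset, so the whole 'after' count is reported.
    """
    name_b, old = parse_hit_counts(before)
    name_a, new = parse_hit_counts(after)
    if name_b != name_a:
        raise ValueError("snapshots belong to different ACLs")
    found = []
    for seq, ace in sorted(new.items()):
        prev = old[seq]["hits"] if seq in old else 0
        delta = ace["hits"] - prev if ace["hits"] >= prev else ace["hits"]
        if ace["action"] == "deny" and delta > 0:
            found.append((seq, delta, ace["rule"]))
    return found

if __name__ == "__main__":
    print(new_deny_hits(BEFORE, AFTER))
```

Because RACL instances of one ACL share counters on the same switch, a rise seen on one RACL assignment may have been caused by traffic on another VLAN's RACL assignment.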