HP 7102dl - ProCurve Secure Router Configuration Manual page 242

Applying Access Control to Router Interfaces
Using ACLs Alone to Configure Access Control
5-10
For example, if you want to permit all traffic that enters through the Ethernet
interface, you create a permit entry in the ACL:
ProCurve(config-std-nacl)# permit any
You can also permit or deny a specific host:
ProCurve(config-std-nacl)# permit host <A.B.C.D>
ProCurve(config-std-nacl)# deny host <A.B.C.D>
For example, if you want to deny a host with the IP address of 192.168.115.90,
enter:
ProCurve(config-std-nacl)# deny host 192.168.115.90
If you want to permit a host with the hostname user1.procurve.com, enter:
ProCurve(config-std-nacl)# permit hostname user1.procurve.com
You can also omit the host keyword to permit or deny a specific IP address:
ProCurve(config-std-nacl)# permit 192.168.115.80
ProCurve(config-std-nacl)# deny 192.168.115.80
Use Wildcard Bits. You can use wildcard bits to permit or deny a range of
IP addresses. Wildcard bits define which address bits the Secure Router OS
should match and which address bits it should ignore. Essentially, you use the
wildcard bits to specify the subnet to which you want the Secure Router OS
to match packets.
When you enter wildcard bits, you use a 0 to indicate that the Secure Router
OS should match the corresponding bit in the IP address. You use a 1 to
indicate that the Secure Router OS can ignore the corresponding bit in the IP
address. In other words, the Secure Router OS does not have to match that bit.
For example, you might enter:
ProCurve(config-std-nacl)# deny 192.168.1.0 0.0.0.255
If you enter 192.168.1.90 with the wildcard bits 0.0.0.255, the Secure Router
OS will not match any address bits in the fourth octet of the IP address. The
Secure Router OS will match incoming packets to the IP subnet address
192.115.1.0 /24. (because it will not match the bits in the fourth octet). (See
Figure 5-3.)