Applying Access Control to Router Interfaces
Using ACLs Alone to Configure Access Control
Restricting FTP Access
To control access to the FTP server on the router, you first create a standard
ACL that permits the FTP traffic you want to reach the router and denies the
FTP traffic that you want to block. For example, if you want to permit FTP
access only from network 192.168.1.0 /24, you would create a standard ACL:
ProCurve(config)# ip access-list standard FTPaccess
ProCurve(config-std-nacl)# permit 192.168.1.0 0.0.0.255
ProCurve(config-std-nacl)# exit
To apply the ACL globally to all incoming FTP traffic, enter this command
from the global configuration mode context:
Syntax: ip ftp access-class <listname> in
Replace <listname> with the name of the ACL you configured for FTP access.
For example, if you created a standard ACL called FTPaccess, you would
enter:
ProCurve(config)# ip ftp access-class FTPaccess in
Restricting HTTP Access
To configure HTTP access to the ProCurve Secure Router, you must configure
a standard ACL. For example, suppose you want to permit HTTP access only
from the company's two subnetworks. You would create a standard ACL, such
as the following:
ProCurve(config)# ip access-list standard webaccess
ProCurve(config-std-nacl)# permit 192.168.1.0 0.0.0.255
ProCurve(config-std-nacl)# permit 192.168.115.0 0.0.0.255
ProCurve(config-std-nacl)# exit
In this ACL, the first entry permits HTTP traffic from network 192.168.1.0 /24,
and the second entry permits HTTP traffic from network 192.168.115.0 /24.
Because each ACL contains an implicit "deny any" at the end of the list, this
will be the only HTTP traffic that is allowed to access the Web browser
interface once the ACL is applied to the router.
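The following is an added example, not part of the original manual or of ProCurve software: a small Python check that parses the webaccess entries shown above and evaluates source addresses against them (wildcard-mask match, first match wins, implicit "deny any"). The function names, the test addresses, and the TOO_BROAD list with a mistyped wildcard are constructed for illustration.

```python
import ipaddress

# Console text as shown in the webaccess example above.
WEBACCESS = """\
ProCurve(config)# ip access-list standard webaccess
ProCurve(config-std-nacl)# permit 192.168.1.0 0.0.0.255
ProCurve(config-std-nacl)# permit 192.168.115.0 0.0.0.255
ProCurve(config-std-nacl)# exit
"""

# Constructed mistake: wildcard 0.0.255.255 ignores the last two octets.
TOO_BROAD = "permit 192.168.1.0 0.0.255.255\n"

def parse_standard_acl(text):
    """Return [(action, address, wildcard)] as integers, in configured order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[-1].split()   # drop the CLI prompt, if any
        if not fields or fields[0] not in ("permit", "deny"):
            continue                              # header, 'exit', blank lines
        if fields[1:] == ["any"]:
            addr, wild = 0, 0xFFFFFFFF
        elif len(fields) == 3:
            addr = int(ipaddress.IPv4Address(fields[1]))
            wild = int(ipaddress.IPv4Address(fields[2]))
        else:
            raise ValueError(f"unsupported entry: {line!r}")
        entries.append((fields[0], addr, wild))
    return entries

def evaluate(entries, source):
    """First matching entry decides; no match means the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF                 # 0 bits in the wildcard must match
        if (src & care) == (addr & care):
            return action
    return "deny"                                 # implicit "deny any"

def audit(acl_text, sources):
    """Map each source address to the action the ACL would take."""
    entries = parse_standard_acl(acl_text)
    return {s: evaluate(entries, s) for s in sources}

if __name__ == "__main__":
    probes = ["192.168.1.77", "192.168.115.254", "192.168.11.5", "10.0.0.1"]
    for label, acl in (("webaccess", WEBACCESS), ("too broad", TOO_BROAD)):
        print(label, audit(acl, probes))
```

Running it against the intended list and the mistyped one shows how a single wrong wildcard octet silently admits every 192.168.x.x source to the management interface.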
To apply the ACL that controls HTTP access to the router, enter the following
command from the global configuration mode context:
Syntax: ip http access-class <listname> in