Applying Access Control to Router Interfaces
Quick Start
To permit or deny a specific host, use the host keyword. For example,
enter:
ProCurve(config-std-nacl)# deny host 192.168.115.90
b. If you are configuring an extended ACL, enter:
Syntax: permit | deny <protocol> <source address> <source port> <destination address> <destination port>
Replace <protocol> with one of the following:
– ahp
– esp
– gre
– icmp
– ip
– tcp
– udp
To specify a source or destination address, use the following syntax:
Syntax: any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>
For example, if you want to permit all TCP traffic from any source to
any destination, enter:
ProCurve(config-ext-nacl)# permit tcp any any
To deny all ICMP traffic from a specific host, such as host
192.168.115.90, to any destination, enter:
ProCurve(config-ext-nacl)# deny icmp host 192.168.115.90 any
To deny ICMP traffic from a range of IP addresses to a specific
destination, enter:
ProCurve(config-ext-nacl)# deny icmp <A.B.C.D> <wildcard bits> host <A.B.C.D>
The entries are processed in the order in which you enter them. In addition,
each ACL contains an implicit "deny any" entry at the end of the list. If you do
not create an entry to allow a specific type of traffic, it will be denied.
3. After configuring the entries for the ACL, enter:
Syntax: exit
4. To apply the ACL to an interface, move to the configuration mode context for that interface.
ProCurve(config)# interface <interface> <number>
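
The in-order processing and implicit "deny any" described above can be checked offline before entries are typed into the router. The following Python model is an added example, not ProCurve code: it evaluates entries written in the extended ACL syntax shown on this page (ports omitted) and shows how a broad entry placed first shadows a later, more specific deny. It assumes that 1 bits in <wildcard bits> mark address bits to ignore and that the ip protocol keyword covers every protocol; the function names and sample ACLs are constructed for illustration.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D <wildcard bits>."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)                    # every bit is "don't care"
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (int(ipaddress.IPv4Address(first)), wildcard)

def parse_entry(line):
    """Split 'permit|deny <protocol> <source> <destination>' into its parts."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    return action, proto, src, dst

def _addr_match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF                 # assumption: wildcard 1 bits are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def evaluate(acl_lines, proto, src_ip, dst_ip):
    """Return (action, entry). The first matching entry wins; otherwise implicit deny."""
    for line in acl_lines:
        action, e_proto, src, dst = parse_entry(line)
        if e_proto not in ("ip", proto):          # assumption: "ip" covers every protocol
            continue
        if _addr_match(src, src_ip) and _addr_match(dst, dst_ip):
            return action, line
    return "deny", "implicit deny any"

# Constructed sample ACLs: the same two entries in different order, plus a range entry.
BROAD_FIRST = ["permit ip any any",
               "deny icmp host 192.168.115.90 any"]
SPECIFIC_FIRST = ["deny icmp host 192.168.115.90 any",
                  "permit ip any any"]
RANGE_ONLY = ["permit tcp 192.168.115.0 0.0.0.255 host 10.1.1.5"]

if __name__ == "__main__":
    for name, acl in [("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)]:
        print(name, evaluate(acl, "icmp", "192.168.115.90", "10.1.1.5"))
    print("range only", evaluate(RANGE_ONLY, "udp", "192.168.115.7", "10.1.1.5"))
```

With BROAD_FIRST the deny entry for 192.168.115.90 is never reached, and with RANGE_ONLY any traffic the single permit does not cover falls through to the implicit deny.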