Setting Up Quality of Service
Configuring CBWFQ
For example:
ProCurve(config)# ip access-list extended ClassSelector
ACLs exclude all traffic that you do not explicitly permit, so you may not need
to enter any deny statements. However, you will often permit an entire range
of addresses. If you want to deny a host or hosts within this range, you must
explicitly deny those hosts. You must enter the deny statements first because
the router processes ACL entries in order and stops processing them as soon
as it finds a match.
You use this command to select traffic in the ACL:
Syntax: [deny | permit] ip [any | host <source A.B.C.D> | <source A.B.C.D> <wildcard
bits>] [any | host <destination A.B.C.D> | <destination A.B.C.D> <wildcard bits>]
Very often, you will want an ACL to select an entire range of addresses or
subnets. ACLs on the ProCurve Secure Router use wildcard bits (which
work in reverse of subnet masks) to select a range of addresses.
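The following Python model is an added example, not ProCurve code or output. It evaluates entries written in the ip syntax above with wildcard bits, first-match ordering and the implicit deny, and shows why a deny for one host must come before the permit for its range. The function names and the sample entries are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # wildcard 0 = bit must match, 1 = bit is ignored
    return (a & care) == (b & care)

def parse_selector(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard bits>'."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def parse_entry(line):
    """Parse '[deny | permit] ip <source> <destination>'."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src = parse_selector(tokens)
    dst = parse_selector(tokens)
    if tokens:
        raise ValueError(f"trailing tokens in entry: {line}")
    return action, src, dst

def evaluate(acl, src, dst):
    """Return (action, entry) for the first matching entry, top to bottom."""
    for line in acl:
        action, s, d = parse_entry(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, line  # processing stops at the first match
    return "deny", "implicit deny (no entry matched)"

# Constructed sample entries: one host denied inside a permitted /24 range.
DENY_FIRST = ["deny ip host 192.168.4.1 any",
              "permit ip 192.168.4.0 0.0.0.255 any"]
PERMIT_FIRST = list(reversed(DENY_FIRST))  # same entries, wrong order

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        for src in ("192.168.4.1", "192.168.4.10", "192.168.5.10"):
            action, entry = evaluate(acl, src, "10.0.0.1")
            print(f"{name:12} {src:13} -> {action:6} [{entry}]")
```

With the permit entry first, 192.168.4.1 matches the range and the deny entry is never reached.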
You can also select certain types of traffic (for example, HTTP or Telnet) by
specifying a protocol such as TCP or UDP and then indicating the source or
destination port after the address:
Syntax: [deny | permit] <protocol> [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]
[any | eq <port> | gt <port> | lt <port> | range <first port> <last port> | neq <port> | host
<port>] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>] [any | eq <port> | gt <port>
| lt <port> | range <first port> <last port> | neq <port> | host <port>]
For example:
ProCurve(config-ext-nacl)# permit tcp host 192.168.4.1 eq telnet any
The eq keyword selects a single port and the range keyword allows you to
enter a range of ports. You can specify the port by number, or for well-known
protocols, by keyword. Use the ? help command to get a complete list of
keywords. For example:
ProCurve(config-ext-nacl)# permit tcp any ?