HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 268


Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces
5-48
You may also want to permit Domain Name System (DNS) traffic on WAN
interfaces that are connected to the Internet. To permit DNS traffic, enter:
ProCurve(config-ext-nacl)# permit tcp any any eq domain
You can then create an ACP, as shown below:
ProCurve(config)# ip policy-class WAN
ProCurve(config-policy-class)# allow list Internet
ProCurve(config-policy-class)# exit
Finally, you use the access-policy command to apply the ACP to the appropriate
WAN interface.
Because the ACP contains an implicit "discard any" entry at the end, any traffic
that is not explicitly allowed is dropped.
Permit Routing Updates. When you configure ACPs, remember that any
traffic that you do not explicitly allow will match the implicit "discard any" at
the end of the ACP. If you have configured a routing protocol and routing
updates are being sent to a router interface, you should ensure that these
routing updates are allowed by the ACP you assign to that interface. For
example, to allow RIP updates, enter:
ProCurve(config)# ip access-list extended Route
ProCurve(config-ext-nacl)# permit udp any any eq rip
To permit BGP updates, enter:
ProCurve(config-ext-nacl)# permit tcp any any eq bgp
You must then assign this ACL to an ACP. For example, you may want to add
entries to the WAN ACP you created in the previous section. You would enter:
ProCurve(config)# ip policy-class WAN
ProCurve(config-policy-class)# allow list Internet
ProCurve(config-policy-class)# allow list Route
ProCurve(config-policy-class)# exit
After configuring the ACP, you must use the access-policy command to apply
the ACP to the appropriate WAN interface.
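The effect of the implicit "discard any" on routing updates can be checked offline before an ACP is applied. The following Python model is an added example, not part of the HP manual or the router's software; it handles only the `permit <tcp|udp> any any eq <port>` and `allow list` forms shown on this page, and the sample configuration is constructed (it assumes the ACL named Internet holds just the DNS entry shown above).

```python
# Added example: offline model of ACP matching, not HP's implementation.
import re

PORTS = {"domain": 53, "rip": 520, "bgp": 179}  # well-known port numbers

# Constructed config using only command forms shown on this page.
BEFORE = """\
ip access-list extended Internet
permit tcp any any eq domain
ip access-list extended Route
permit udp any any eq rip
permit tcp any any eq bgp
ip policy-class WAN
allow list Internet
"""
AFTER = BEFORE + "allow list Route\n"  # WAN ACP after adding the Route ACL

def parse(config):
    """Return (acls, acps): ACL name -> [(proto, port)], ACP name -> [ACL names]."""
    acls, acps, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            current = acls.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"ip policy-class (\S+)", line):
            current = acps.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"permit (tcp|udp) any any eq (\S+)", line):
            current.append((m.group(1), PORTS[m.group(2)]))
        elif m := re.fullmatch(r"allow list (\S+)", line):
            current.append(m.group(1))
    return acls, acps

def evaluate(config, acp, proto, port):
    """Name of the ACL that allows the packet, or the implicit final entry."""
    acls, acps = parse(config)
    for acl in acps[acp]:  # ACP entries are checked in order
        if (proto, port) in acls.get(acl, []):
            return acl
    return "implicit discard any"

def dropped_updates(config, acp):
    """Routing protocols whose updates would fall through to the implicit discard."""
    probes = {"rip": ("udp", 520), "bgp": ("tcp", 179)}
    return [name for name, (proto, port) in probes.items()
            if evaluate(config, acp, proto, port) == "implicit discard any"]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "dropped routing updates:", dropped_updates(cfg, "WAN"))
```

In this model a UDP packet to port 53 also reaches the implicit discard, because the only DNS entry in the constructed Internet ACL matches TCP.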
Permit Traffic from Specific Networks. You may want to restrict access
to specific networks. For example, you may want to permit traffic from
10.1.1.0 /30, but deny traffic from 192.168.115.0 /24.


This manual is also suitable for:

Procurve secure router 7102 dl
