When you are using ACLs with ACPs, remember that you must use a permit
entry to both select traffic and to have the Secure Router OS firewall take the
action configured in the ACP. If you want to explicitly deny access to a subnet,
you must create a permit entry in the ACL and then create a discard entry in
the ACP.
Because you want to permit some traffic but deny other traffic, you should
create two different ACLs. Enter:
ProCurve(config)# ip access-list extended Allow
ProCurve(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.3 any
ProCurve(config-ext-nacl)# exit
ProCurve(config)# ip access-list extended Discard
ProCurve(config-ext-nacl)# permit ip 192.168.115.0 0.0.0.255 any
ProCurve(config-ext-nacl)# exit
ProCurve(config)# ip policy-class WAN
ProCurve(config-policy-class)# allow list Allow
ProCurve(config-policy-class)# discard list Discard
ProCurve(config-policy-class)# exit
Again, you must use the access-policy command to apply the ACP to the
appropriate WAN interface.
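The following Python model is an added illustration, not part of the original guide and not Secure Router OS code. It evaluates the Allow and Discard ACLs and the WAN ACP shown above against sample source addresses, and it shows why a deny entry in the Discard ACL does not produce a discard. Assumptions: the function names are hypothetical, only the source address is matched (the destination in each entry is any), a matching deny entry simply leaves the packet unselected by that ACL, and the handling of traffic that no ACP entry selects is not modelled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard mask is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACLs from the page: name -> ordered (keyword, source base, wildcard) entries.
ACLS = {
    "Allow":   [("permit", "10.1.1.0", "0.0.0.3")],
    "Discard": [("permit", "192.168.115.0", "0.0.0.255")],
}
# ACP "WAN" from the page: ordered (action, ACL name) entries.
WAN = [("allow", "Allow"), ("discard", "Discard")]

def acl_selects(entries, src):
    """First matching entry decides: permit selects the packet, deny does not
    (assumed semantics, see lead-in)."""
    for keyword, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return keyword == "permit"
    return False

def evaluate(acp, acls, src):
    """Return the action of the first ACP entry whose ACL selects src."""
    for action, acl_name in acp:
        if acl_selects(acls[acl_name], src):
            return action
    return "unmatched"  # router behaviour for unselected traffic is not modelled

# The mistake the text warns about: writing deny in the ACL used for discarding.
WRONG_ACLS = dict(ACLS, Discard=[("deny", "192.168.115.0", "0.0.0.255")])

if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ("10.1.1.2", "10.1.1.4", "192.168.115.77"):
        print(src, evaluate(WAN, ACLS, src), evaluate(WAN, WRONG_ACLS, src))
```

Note that the wildcard 0.0.0.3 selects only 10.1.1.0 through 10.1.1.3, so 10.1.1.4 is not selected by the Allow ACL.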
Viewing ACLs and ACPs
Table 5-11 lists the show commands that you can use to view and troubleshoot
ACLs and ACPs.
Table 5-11. show Commands for ACLs and ACPs

Command                 Explanation
show access-lists       displays all of the ACLs configured on the ProCurve Secure Router
show ip access-lists    displays all of the IP ACLs configured on the ProCurve Secure Router
show ip policy-class    displays all of the ACPs configured on the ProCurve Secure Router