HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 283

N o t e
N o t e
If you want to exclude all ICMP traffic from a specific host, such as
host 192.168.115.90, to any destination, enter:
ProCurve(config-ext-nacl)# deny icmp host 192.168.115.90 any
To exclude ICMP traffic from a range of IP addresses to a specific
destination, enter:
Syntax: deny icmp <A.B.C.D> <wildcard bits> host <A.B.C.D>
The entries are processed in the order in which you enter them. In addition,
each ACL contains an implicit "deny any" entry at the end of the list. If you do
not create an entry to allow a specific type of traffic, it will be denied. That is,
the traffic will be excluded from the action specified in the related entry in
the ACP.
3. After configuring the entries for the ACL, exit the ACL.
Syntax: exit
4. From the global configuration mode context, enter the following com-
mand to create an ACP:
Syntax: ip policy-class <policyname>
Replace <policyname> with a unique name that is a maximum of 255
alphanumeric characters.
You are moved to the policy class configuration mode context.
5. Create entries to allow packets selected by an ACL or to deny packets
selected by an ACL:
Syntax: allow list <listname>
Syntax: discard list <listname>
You can also NAT the packets selected by an ACL. This option is discussed in
Chapter 6: Configuring Network Address Translation.
The order in which you create entries in the ACP affects how the policy
is enforced. The first entry you create is the first entry processed. After
the Secure Router OS firewall matches a packet to an ACL and performs
the action specified in the corresponding ACP entry, it stops processing
the ACP.
6. To apply the ACP to an interface, move to the configuration mode context
for that interface:
ProCurve(config)# interface <interface> <number>
Applying Access Control to Router Interfaces
Quick Start
5-63