Installation and Getting Started Guide

NOTE: The following sections describe how to configure ACLs using the HP device’s CLI. You can also create and modify ACLs using a text editor on a file server, then copy them to the device’s running-config file. In fact, this method is a convenient way to reorder individual ACL entries within an ACL. See “Modifying ACLs” on page 3-19.

Disabling or Re-Enabling Access Control Lists (ACLs)

A routing switch cannot actively use both IP access policies and ACLs for filtering IP traffic. When you boot a routing switch with software release 06.6.x or higher, the software checks the device’s startup-config file for ip access-policy-group commands, which associate IP access policies with ports. If the software finds an ip access-policy-group command in the file, the software disables all packet-forwarding ACLs (those associated with specific ports) and also prevents you from applying an ACL to a port.

The next time you save the startup-config file, the software adds the following command near the top of the file, underneath the ver (software version) statement:

ip dont-use-acl

This command disables all packet-forwarding ACLs (those associated with specific ports) and also prevents you from associating an ACL with a port. However, the command does not remove existing ACLs from the startup-config file. In addition, the command does not affect ACLs used for controlling management access to the device.

Enabling ACL Mode

If you try to apply an ACL to a port when the ACL mode is disabled (when the ip dont-use-acl command is in effect), a message is displayed, as shown in the following CLI example:

HP9300(config-if-e1000-1/1)# ip access-group 1 out

Must enable ACL mode first by using no ip dont-use-acl command and removing all ip access-policy-group commands from interfaces, write memory and reload

As the message states, if you want to use ACLs, you must first enable the ACL mode. To do so, use either of the following methods.

USING THE CLI

To enable the ACL mode, enter the following commands:

HP9300(config-if-e1000-1/1)# exit

HP9300(config)# no ip dont-use-acl

HP9300(config)# write memory

HP9300(config)# end

HP9300# reload

The write memory command removes the ip dont-use-acl command from the startup-config file. The reload command reloads the software. When the software finishes loading, you can apply ACLs to ports.

The commands that configure the IP access policies and apply them to ports remain in the startup-config file in case you want to use them again, but they are disabled. If you later decide you want to use the IP access policies again instead of ACLs, you must disable the ACL mode again. See the following section.
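The following added example (not part of the original guide) audits a saved copy of a startup-config file offline and reports whether packet-forwarding ACLs will be disabled after the next reload, and which ports cause that. The sample config is constructed, and its stanza layout and command arguments are assumptions; only the command names ip dont-use-acl, ip access-policy-group and ip access-group come from the guide.

```python
# Constructed sample startup-config. The layout ("!" separators, indented
# interface lines) and the argument forms are assumptions for illustration.
SAMPLE_CONFIG = """\
ver 06.6.00
ip dont-use-acl
!
access-list 1 permit any
!
interface ethernet 1/1
 ip access-group 1 out
!
interface ethernet 1/2
 ip access-policy-group in 10
!
"""

def audit_acl_mode(config_text):
    """Report why packet-forwarding ACLs would be disabled after a reload."""
    dont_use_acl = False
    policy_ports = []   # ports that still carry ip access-policy-group
    acl_ports = []      # ports that carry an ip access-group binding
    current_if = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not raw[:1].isspace():
            # Any top-level line closes the previous interface stanza.
            current_if = " ".join(tokens[1:]) if tokens[:1] == ["interface"] else None
            if tokens == ["ip", "dont-use-acl"]:
                dont_use_acl = True
        elif current_if:
            if tokens[:2] == ["ip", "access-policy-group"]:
                policy_ports.append(current_if)
            elif tokens[:2] == ["ip", "access-group"]:
                acl_ports.append(current_if)
    # Either condition leaves ACL mode disabled: the explicit command, or a
    # policy-group binding that the boot-time check will find.
    disabled = dont_use_acl or bool(policy_ports)
    return {
        "acl_mode_disabled": disabled,
        "dont_use_acl": dont_use_acl,
        "policy_group_ports": policy_ports,
        # ACL bindings that exist in the file but will not filter traffic.
        "inactive_acl_ports": acl_ports if disabled else [],
    }

if __name__ == "__main__":
    for key, value in audit_acl_mode(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A non-empty inactive_acl_ports list is the case to watch for: the file contains ACL bindings that look like protection but filter nothing until ACL mode is enabled and the device is reloaded.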

USING THE WEB MANAGEMENT INTERFACE

1. Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.

2. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.

3. Click on the plus sign next to IP in the tree view to expand the list of IP option links.

4. Click on the General link to display the IP configuration panel.

5. Select the Enable radio button next to Access Control List.

6. Click the Apply button to save the change to the device’s running-config file.
