Using Access Control Lists (ACLs)
Configuring Extended ACLs
This section describes how to configure extended ACLs.
•For configuration information on named ACLs, see “Configuring Named ACLs” on page
•For configuration information on standard ACLs, see “Configuring Standard ACLs” on page
•IP protocol
•Source IP address or host name
•Destination IP address or host name
•Source TCP or UDP port (if the IP protocol is TCP or UDP)
•Destination TCP or UDP port (if the IP protocol is TCP or UDP)
The IP protocol can be one of the following
0 – 255:
•Internet Control Message Protocol (ICMP)
•Internet Group Management Protocol (IGMP)
•Internet Gateway Routing Protocol (IGRP)
•Internet Protocol (IP)
•Open Shortest Path First (OSPF)
•Transmission Control Protocol (TCP)
•User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IP address to the website’s IP address.
USING THE CLI
To configure an extended access list that blocks all Telnet traffic received on port 1/1 from IP host 209.157.22.26, enter the following commands.
HP9300(config)#
HP9300(config)# int eth 1/1
Here is another example of commands for configuring an extended ACL and applying it to an interface. These examples show many of the syntax choices. Notice that some of the entries are configured to generate log entries while other entries are not thus configured.
HP9300(config)#
HP9300(config)#
The first entry permits ICMP traffic from hosts in the 209.157.22.x network to hosts in the 209.157.21.x network. The second entry denies IGMP traffic from the host device named “rkwong” to the 209.157.21.x network.
The third entry denies IGRP traffic from the 209.157.21.x network to the host device named “rkwong”.
3 - 9