Using Access Control Lists (ACLs)

The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence value “6” (equivalent to “internet”).

The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.

To configure an IP ACL that matches based on TOS, enter commands such as the following:

HP9300(config)# access-list 104 deny tcp 209.157.21.0/24 209.157.22.0/24 tos normal HP9300(config)# access-list 104 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 tos 13

HP9300(config)# access-list 104 permit any any

The first entry in this IP ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP TOS option “normal” (equivalent to “0”).

The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence value “13” (equivalent to “max-throughput”, “min-delay”, and “min-monetary-cost”).

The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.

Extended ACL Syntax

Syntax: access-list <num> deny permit <ip-protocol> <source-ip> <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [precedence <name> <num>] [tos <name> <num>] [log]

Syntax: [no] access-list <num> deny permit host <ip-protocol> any any [log]

Syntax: [no] ip access-group <num> in out

The <num> parameter indicates the ACL number and be from 100 – 199 for an extended ACL.

The deny permit parameter indicates whether packets that match the policy are dropped or forwarded.

The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify one of the following:

icmp

igmp

igrp

ip

ospf

tcp

udp

<protocol-number>

The <source-ip> <hostname> parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.

The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or

3 - 11