Policies and Filters

Syntax

Use the following CLI commands or Web management interface panels to configure IP access policies.

Table C.6: IP Access Policies

CLI syntax                                                            Web management links
--------------------------------------------------------------------  ----------------------------
HP9300(config)# ip access-policy <policy-num> permit | deny           Configure->IP->Access Policy
  <ip-addr> <ip-mask> | any <ip-addr> <ip-mask> | any tcp | udp
  [<operator> [<tcp/udp-port-num>]] [log]

HP9300(config-if-1/1)# ip access-policy-group in | out <policy-list>

Layer 4 Policies

Layer 4 policies are rules that control transmission and receipt of packets based on Layer 4 transport information. You can configure the following types of Layer 4 policies:

TCP/UDP access policies (same as TCP/UDP filters)

TCP/UDP Access Policies

TCP/UDP access policies are IP filters that contain Layer 4 information. Layer 4 policies enable you to forward or drop packets for individual Layer 4 applications, giving you finer access control. You do not need to completely block an IP address to deny certain types of traffic from that address. You can selectively allow some types of traffic while dropping others. For example, you can configure a Layer 4 policy to drop web (HTTP) packets from a host but allow all other traffic from the host.

You can filter on the following Layer 4 application types:

ICMP

IGMP

IGRP

OSPF

TCP

UDP

For TCP and UDP, you also specify an operator and the port number or well-known name for the port. For example, if you want to filter on FTP traffic, you configure the filter to match on packets that contain the TCP application port number for FTP.

When you configure a Layer 4 policy, you specify the source and destination IP addresses of the hosts or servers for which you are controlling access.

Figure D.2 shows an example of TCP/UDP access policies. Although this example does not explicitly identify these policies as inbound policies or outbound policies, when you apply the policies to individual ports you specify whether they are for inbound or outbound traffic.
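The following session is an added example, not taken from this manual or from Figure D.2. It implements the scenario described above (drop HTTP from one host, allow that host's other traffic) using the syntax from Table C.6, then applies the policies inbound on one port. The host address 10.1.1.20, the policy numbers 1 to 3, the interface ethernet 1/1, and the operator keyword eq with port 80 are constructed for the example; the page mentions an operator and a port number but does not name the keyword. Lines beginning with ! are annotations, not commands.

```text
! Added example: constructed addresses, policy numbers and interface.
! Policy 1 drops TCP port 80 (HTTP) from host 10.1.1.20 and logs each match.
HP9300(config)# ip access-policy 1 deny 10.1.1.20 255.255.255.255 any tcp eq 80 log
! Policies 2 and 3 permit the rest of that host's TCP and UDP traffic.
HP9300(config)# ip access-policy 2 permit 10.1.1.20 255.255.255.255 any tcp
HP9300(config)# ip access-policy 3 permit 10.1.1.20 255.255.255.255 any udp
! Apply the policy list to inbound traffic on port 1/1 (the in | out choice
! is made here, not in the policy itself).
HP9300(config)# interface ethernet 1/1
HP9300(config-if-1/1)# ip access-policy-group in 1 2 3
```

Two points to check when adapting this. First, the deny entry is listed before the broader permit entries on the assumption that the switch evaluates the policy list in the order given; confirm the evaluation order for your software release before relying on it. Second, the two permit entries cover only TCP and UDP, because Table C.6 shows only the tcp | udp form; the ICMP, IGMP, IGRP and OSPF types listed above need their own entries, whose syntax is not shown on this page. The log keyword on the deny entry is what makes dropped HTTP attempts visible in the device log for later review.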

C - 9