Using Access Control Lists (ACLs)
NOTE: If the device’s configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.
To enable the strict ACL UDP mode, enter the following command at the global CONFIG level of the CLI:
HP9300(config)# ip
Syntax: [no] ip
This command configures the device to compare all UDP packets against the configured ACLs before forwarding them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command:
HP9300(config)# no ip
Displaying ACLs
To display the ACLs configured on a device, use the following method.
USING THE CLI
To display detailed information for the ACLs and their entries, enter the following command at any level of the CLI.
HP9300(config)# show
|
|
| ||
TCP | applicable filters |
|
| |
Port | 80 |
|
|
|
den y M:209.157.22.26:255.255.255.255 |
| |||
M:209.157.22.26:255.255.255.255, | tcp eq | 80 log | ||
| Any other por | t applicable filters |
| |
UDP | applicable filters |
|
| |
| Any other por | t applicable filters |
| |
ICMP | applicable filters |
|
| |
Othe r protocol applicable filters |
|
| ||
Syntax: show
To display the syntax for the entries in the ACLs, enter the show ip
HP9300(config)# show
d eny tcp host 209.157.22.26 host 209.157.22.26 eq http log
Syntax: show ip
Displaying the Log Entries
The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts a
NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.
3 - 23