Chapter 10
IP Access Lists: Standard

NOTE: This chapter contains information for standard ACLs configured using the ip access-list command. The command manages named and numbered ACLs under the standard ACL configuration level. Numbered ACLs configured using the access-list command are discussed in the section Global CONFIG Commands on page 6-1.

delete

Deletes a specific entry from the ACL.

ProCurveRS(config)# ip access-list standard melon
ProCurveRS(config-std-nacl)# delete 2

Syntax: delete <line-number> [remark <comment-text>]

Use the remark parameter to delete a remark for an ACL entry.

deny

Denies the specified traffic.

ProCurveRS(config)# ip access-list standard "block Telnet"
ProCurveRS(config-std-nacl)# deny host 209.157.22.26 log

Syntax: [no] deny <hostname> | <ip-address> [<wildcard>] [log]
Syntax: [no] deny host <host-ip> | <hostname> [log]
Syntax: [no] deny any [log]

The <ip-address> parameter specifies the source IP address. Alternatively, you can use the <hostname> parameter and specify the host name.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the HP device's DNS resolver. To configure the DNS resolver name, use the ip dns server-address command at the global CONFIG level of the CLI.

June 2005 10-1

Command Line Interface Reference for ProCurve 9300/9400 Series Routing Switches

The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of 209.157.22.26 0.0.0.255 as 209.157.22.26/24.

NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values, if appropriate, to contain zeros in the bit positions that do not have to match the packet. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.

If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in /<maskbits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with the sub-net mask in the display produced by the show ip access-list command.

The host <host-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

The any parameter configures the policy to match on all host addresses.

The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy.

end

Moves activity to the privileged EXEC level from any level of the CLI except the user EXEC level. To move to the privileged level, enter the following from any level of the CLI.

ProCurveRS(config-std-nacl)# end
ProCurveRS#

Syntax: end

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

ProCurveRS(config-std-nacl)# exit
ProCurveRS(config)#

Syntax: exit
insert

Adds an ACL entry at a specific sequence.

ProCurveRS(config)# ip access-list standard melon
ProCurveRS(config-std-nacl)# insert 2 deny host 10.1.1.1

Syntax: insert <line-number> deny <options> | permit <options> | remark <comment-text>

Use insert <line-number> if you want to insert an ACL entry in the middle of an ACL.

The deny <options> or permit <options> parameters permit or deny traffic that matches the condition of the ACL entry. See deny on page 10-1 or permit on page 10-3 for the options you can use.

The remark <comment-text> parameter adds a comment to the ACL entry. The remark can be up to 128 characters long.

no

Disables other commands. To disable a command, place the word no before the command.

permit

Permits the specified traffic.

ProCurveRS(config)# ip access-list standard "block Telnet"
ProCurveRS(config-std-nacl)# permit host 209.157.22.26 log

Syntax: [no] permit <hostname> | <ip-address> [<wildcard>] [log]
Syntax: [no] permit host <host-ip> | <hostname> [log]
Syntax: [no] permit any [log]

The <ip-address> parameter specifies the source IP address. Alternatively, you can use the <hostname> parameter and specify the host name.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the HP device's DNS resolver. To configure the DNS resolver name, use the ip dns server-address command at the global CONFIG level of the CLI.

The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of 209.157.22.26 0.0.0.255 as 209.157.22.26/24.

NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values, if appropriate, to contain zeros in the bit positions that do not have to match the packet. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.

If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in /<maskbits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with the sub-net mask in the display produced by the show ip access-list command.

The host <host-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

The any parameter configures the policy to match on all host addresses.

The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy.

quit

Returns you from any level of the CLI to the User EXEC mode.

ProCurveRS(config-msdp-router)# quit
ProCurveRS>

Syntax: quit

remark

Creates a remark for the next ACL entry you will be configuring. See delete on page 10-1, insert on page 10-3, or replace on page 10-4 if you want to delete, add, or modify remarks for specific ACL entries.

ProCurveRS(config)# ip access-list extended melon
ProCurveRS(config-ext-nacl)# remark Stops igmp traffic

Syntax: remark <comment-text>

Enter up to 128 characters for <comment-text>. The comment must be entered separately from the actual ACL entry; that is, you cannot enter the ACL entry and the ACL comment with the same command. Also, in order for the remark to be displayed correctly in the output of show commands, the comment must be entered immediately before the ACL entry it describes.

replace

Modifies the definition of an ACL entry.
ProCurveRS(config)# ip access-list standard melon
ProCurveRS(config-std-nacl)# replace 2 deny host 10.1.1.1

Syntax: replace <line-number> deny <options> | permit <options> | remark <comment-text>

Enter the line number of the ACL entry you want to modify for <line-number>.

The deny <options> or permit <options> parameters permit or deny traffic that matches the condition of the ACL entry. See deny on page 10-1 or permit on page 10-3 for the options you can use.

The remark <comment-text> parameter adds a comment to the ACL entry. The remark can be up to 128 characters long.

show

Displays a variety of configuration and statistical information about the device. See Show Commands on page 40-1.

write memory

Saves the running configuration into the startup-config file.

ProCurveRS(config-std-nacl)# wr mem

Syntax: write memory

write terminal

Displays the running configuration of the HP device on the terminal screen.

NOTE: This command is equivalent to the show running-config command.

ProCurveRS(config-std-nacl)# wr term

Syntax: write terminal
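The following Python is an added worked example, not code from the manual or the device: it models the <wildcard> matching rule (zero bits must match, one bits are don't-care), the /<maskbits> equivalent, and the startup-config normalization described under deny and permit above, then walks a standard ACL in sequence order. The ACL entries and packet addresses are constructed for illustration, and the implicit deny in evaluate() is an assumption the page does not state.

```python
# Added example, not from the ProCurve manual: models the <wildcard> matching
# rule and the startup-config normalization described under deny/permit.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def parse_source(spec: str):
    """Parse 'any', 'host <ip>', '<ip> <wildcard>' or '<ip>/<bits>' into
    (address, wildcard) integers. Zero wildcard bits must match the packet;
    one bits match any value."""
    parts = spec.split()
    if parts[0] == "any":
        return 0, ALL_ONES
    if parts[0] == "host":                      # mask 0.0.0.0 is implied
        return int(ipaddress.IPv4Address(parts[1])), 0
    if "/" in parts[0]:                         # CIDR form, e.g. 209.157.22.26/24
        ip, bits = parts[0].split("/")
        return int(ipaddress.IPv4Address(ip)), ALL_ONES >> int(bits)
    return (int(ipaddress.IPv4Address(parts[0])),
            int(ipaddress.IPv4Address(parts[1])))

def matches(packet_src: str, spec: str) -> bool:
    """True if the packet's source satisfies the entry's source/wildcard."""
    addr, wildcard = parse_source(spec)
    differing = int(ipaddress.IPv4Address(packet_src)) ^ addr
    return (differing & ~wildcard & ALL_ONES) == 0

def saved_form(spec: str, cidr: bool = False) -> str:
    """Source as the software writes it to startup-config: don't-care bits
    zeroed. cidr=True corresponds to the display enabled by
    'ip show-subnet-length' and assumes a contiguous mask."""
    addr, wildcard = parse_source(spec)
    mask = ~wildcard & ALL_ONES
    network = ipaddress.IPv4Address(addr & mask)
    if cidr:
        return f"{network}/{bin(mask).count('1')}"
    return f"{network} {ipaddress.IPv4Address(mask)}"

def evaluate(acl, packet_src: str) -> str:
    """Entries are (action, source_spec) in sequence order; the first match
    decides. Returning 'deny' when nothing matches is the usual implicit
    deny, which is an assumption here (the page does not state it)."""
    for action, spec in acl:
        if matches(packet_src, spec):
            return action
    return "deny"

if __name__ == "__main__":
    block_telnet = [("deny", "host 209.157.22.26"), ("permit", "any")]  # constructed
    print(evaluate(block_telnet, "209.157.22.26"))              # deny
    print(saved_form("209.157.22.26 0.0.0.255", cidr=True))     # 209.157.22.0/24
    print(saved_form("209.157.22.26/24"))                       # 209.157.22.0 255.255.255.0
```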