Access Security Guide K/KA/KB.15.15

Used after deny or permit to specify the packet protocol type required for a
match. An extended ACL must include one of the following:
ip — any IPv4 packet.
ip-protocol — any one of the following IPv4 protocol names:
ip-in-ip, ipv6-in-ip, gre, esp, ah, ospf, pim, vrrp, sctp, tcp*, udp*, icmp*, igmp*
ip-protocol-nbr — the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or 121 for Simple Message Protocol. (For a listing of IPv4 protocol numbers and their corresponding protocol names, see the IANA "Protocol Number Assignment Services" at www.iana.com.) (Range: 0 - 255)
*For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as described on pages “Including options for TCP and UDP traffic in extended ACLs” (page 267) through “Controlling IGMP traffic in extended ACLs” (page 270).
<any | host <SA> | SA <mask> | SA/mask-length>
This is the first instance of IPv4 addressing in an extended ACE. It follows the protocol
specifier and defines the source address (SA) a packet must carry for a match with
the ACE.
any
Allows IPv4 packets from any SA.
host <SA>
Specifies only packets having a single address as the SA. Use this criterion
when you want to match only the IPv4 packets from a single SA.
SA <mask> or SA/mask-length
Specifies packets received from an SA, where the SA is either a subnet or a
group of addresses. The mask can be in either dotted-decimal format or CIDR
format (number of significant bits). See “How an ACE uses a mask to screen
packets for matches” (page 322).
SA Mask application
The mask is applied to the SA in the ACL to define which bits in a packet's SA
must exactly match the SA configured in the ACL and which bits need not
match.
Example
10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the
range of 10.10.10.(1 - 255).
Note: Specifying a group of contiguous addresses may require more than one
ACE. For more on how masks operate in ACLs, see “How an ACE uses a mask
to screen packets for matches” (page 322).
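The following is an added worked example, not code from the guide or from the switch firmware, that implements the SA mask semantics described above in Python so the equivalence of the two notations can be checked offline. It assumes the mask convention this page's example implies (a 1 bit in a dotted-decimal mask means "this bit need not match", so 10.10.10.1 0.0.0.255 covers the same addresses as 10.10.10.1/24) and an implicit "deny any" when no ACE matches; the ACEs and packet addresses are constructed sample values. The last helper also shows why a contiguous range that is not a single power-of-two block needs more than one ACE, as the note above states.

```python
import ipaddress

# Constructed sample ACL: (action, protocol, source-address criterion).
# Order matters; the first matching ACE decides.
SAMPLE_ACES = [
    ("permit", "ip", "10.10.10.1/24"),         # CIDR mask-length form
    ("permit", "ip", "10.10.10.1 0.0.0.255"),  # dotted-decimal mask form
    ("deny",   "ip", "host 10.10.10.77"),      # single host (never reached: /24 above matches first)
    ("permit", "ip", "any"),
]

ALL_ONES = 0xFFFFFFFF


def _parse_sa(sa: str):
    """Return (base, care) for an SA criterion.

    'care' has a 1 in every bit position that a packet's SA must match
    exactly; 'base' is the ACE address with the don't-care bits cleared.
    """
    sa = sa.strip()
    if sa == "any":
        return 0, 0                                   # no bit has to match
    if sa.startswith("host "):
        addr = int(ipaddress.IPv4Address(sa.split()[1]))
        return addr, ALL_ONES                         # every bit must match
    if "/" in sa:
        net = ipaddress.IPv4Network(sa, strict=False)  # strict=False accepts 10.10.10.1/24
        return int(net.network_address), int(net.netmask)
    addr_s, mask_s = sa.split()                       # "SA mask" form
    addr = int(ipaddress.IPv4Address(addr_s))
    wildcard = int(ipaddress.IPv4Address(mask_s))     # assumption: 1 = don't care
    care = ~wildcard & ALL_ONES
    return addr & care, care


def sa_matches(sa_criterion: str, packet_src: str) -> bool:
    """True if the packet's source address satisfies the ACE's SA criterion."""
    base, care = _parse_sa(sa_criterion)
    return (int(ipaddress.IPv4Address(packet_src)) & care) == base


def first_match(aces, packet_src: str) -> str:
    """Evaluate ACEs top to bottom; the first match wins.

    Assumption (not stated on this page): an ACL that matches nothing
    falls through to an implicit deny.
    """
    for action, _proto, sa in aces:
        if sa_matches(sa, packet_src):
            return action
    return "deny"


def same_match_set(crit_a: str, crit_b: str, probe_block: str = "10.10.0.0/16") -> bool:
    """Check two SA criteria match exactly the same addresses within probe_block."""
    return all(sa_matches(crit_a, str(h)) == sa_matches(crit_b, str(h))
               for h in ipaddress.IPv4Network(probe_block))


def aces_for_range(first: str, last: str):
    """Minimal SA/mask-length criteria that together cover a contiguous range.

    Illustrates the note above: a range that is not one aligned block
    needs more than one ACE.
    """
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


if __name__ == "__main__":
    print(same_match_set("10.10.10.1/24", "10.10.10.1 0.0.0.255"))
    print(first_match(SAMPLE_ACES, "10.10.10.77"))
    print(aces_for_range("10.10.10.0", "10.10.10.11"))
```

Note that the deny for host 10.10.10.77 in the sample ACL is shadowed by the /24 permit above it; evaluating the ACL top to bottom, as the switch does, makes that ordering mistake visible.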
<any | host <DA> | DA <mask> | DA/mask-length>
Configuring 265