Access Security Guide K/KA/KB.15.15

a number in the range of 1 - 99 and is created without having to leave the global config context. Note that the CLI command syntax for creating a named ACL differs from the command syntax for creating a numbered ACL. For example, the first pair of entries below illustrates how to create (or enter) a named, standard ACL and enter an ACE. The next entry illustrates creating a numbered, standard ACL with the same ACE.
HP Switch(config)# ip access-list standard Test-List
HP Switch(config-std-nacl)# permit host 10.10.10.147
HP Switch(config)# access-list 1 permit host 10.10.10.147
Note that once a numbered ACL has been created, it can be accessed using the named ACL method. This is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs. Inserting or deleting an ACE is done by sequence number, and requires the Named ACL (nacl) context. The switch allows a maximum of 2048 unique ACL identities (IPv4 and IPv6 combined). For more on this topic, see “Monitoring shared resources” (page 225).
Editing an existing ACL
The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, see “Enabling ACL logging on the switch” (page 294).
Using the CLI to edit ACLs
You can use the CLI to delete individual ACEs from anywhere in an ACL, append new ACEs to the end of an ACL, and insert new ACEs anywhere within an ACL.
General editing rules
Named ACLs:
• When you enter a new ACE in a named ACL without specifying a sequence number, the switch inserts the ACE as the last entry in the ACL.
• When you enter a new ACE in a named ACL and include a sequence number, the switch inserts the ACE according to the position of the sequence number in the current list of ACEs.
Numbered ACLs:
• When using the access-list <1 - 99 | 100 - 199> command to create or add ACEs to a numbered ACL, each new ACE you enter is added to the end of the current list. (This command does not offer a <seq-#> option for including a sequence number to enable inserting an ACE at other points in the list.) Note, however, that once a numbered list has been created, you have the option of accessing it in the same way as a named list by using the ip access-list <standard | extended> command. This enables you to edit a numbered list in the same way that you would edit a named list. (See the next item in this list.)
• You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL's context, and then using the no <seq-#> command; see “Deleting an ACE from an existing ACL” (page 289).
• Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is "empty" and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.)
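The following Python model is an added example, not switch firmware or code from this guide. It reproduces the editing rules above for a named standard ACL (the Test-List / permit host 10.10.10.147 session near the top of this page, the sequence-number insert and no <seq-#> delete rules, and the empty-ACL caveat) so that an operator can reason about the effect of an edit before typing it. Two things are assumptions rather than statements from the page: sequence numbers for ACEs entered without <seq-#> are assigned as the previous number plus 10 (confirm the real numbering with show access-list on the switch), and the 10.10.10.0 0.0.0.255 and 192.0.2.1 addresses are constructed sample data.

```python
"""Model of the named-standard-ACL editing rules (added example, not switch code).

Assumptions not stated in the guide: an ACE entered without <seq-#> receives
the last sequence number plus 10 (constructed; verify on the switch), and the
sample addresses below other than 10.10.10.147 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_source(text: str) -> ipaddress.IPv4Network:
    """Translate the standard-ACL source forms: 'any', 'host A.B.C.D',
    or 'A.B.C.D <wildcard-mask>' (a wildcard mask is the inverse of a netmask)."""
    parts = text.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, wildcard = parts
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


@dataclass
class ACE:
    seq: int
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network

    def matches(self, ip: str) -> bool:
        return ipaddress.IPv4Address(ip) in self.source


class StandardACL:
    """A named standard ACL in the nacl context: ACEs ordered by sequence number."""

    def __init__(self, name: str):
        self.name = name
        self.aces: List[ACE] = []

    def add(self, action: str, source: str, seq: Optional[int] = None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError(action)
        if seq is None:                         # no <seq-#>: append to the end
            seq = self.aces[-1].seq + 10 if self.aces else 10   # assumed numbering
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use")
        self.aces.append(ACE(seq, action, parse_source(source)))
        self.aces.sort(key=lambda a: a.seq)     # <seq-#> places the ACE by position
        return seq

    def delete(self, seq: int) -> None:
        """'no <seq-#>' removes one ACE; the ACL itself stays in memory."""
        kept = [a for a in self.aces if a.seq != seq]
        if len(kept) == len(self.aces):
            raise KeyError(f"no ACE with sequence {seq}")
        self.aces = kept

    def evaluate(self, ip: str) -> Tuple[str, Optional[int]]:
        """First-match evaluation; returns (action, sequence of the matching ACE or None)."""
        for ace in self.aces:
            if ace.matches(ip):
                return ace.action, ace.seq
        if not self.aces:
            return "permit", None   # empty ACL: no implicit deny, nothing is filtered
        return "deny", None         # implicit deny after the last explicit ACE


def walkthrough() -> list:
    """Mirror the CLI session from the page, then show what deleting the last ACE does."""
    acl = StandardACL("Test-List")
    results = []
    acl.add("permit", "host 10.10.10.147")            # seq 10, as on the page
    acl.add("deny", "10.10.10.0 0.0.0.255")           # seq 20 (constructed entry)
    results.append(acl.evaluate("10.10.10.147"))      # ('permit', 10)
    results.append(acl.evaluate("10.10.10.9"))        # ('deny', 20)
    results.append(acl.evaluate("192.0.2.1"))         # ('deny', None): implicit deny
    acl.add("deny", "host 10.10.10.147", seq=5)       # <seq-#> inserts ahead of seq 10
    results.append(acl.evaluate("10.10.10.147"))      # ('deny', 5)
    for seq in (5, 10, 20):                           # no 5 / no 10 / no 20
        acl.delete(seq)
    results.append(acl.evaluate("192.0.2.1"))         # ('permit', None): empty ACL
    return results


if __name__ == "__main__":
    for r in walkthrough():
        print(r)
```

The last step is the one worth checking before a change window: once every explicit ACE has been removed, the ACL object still exists and is still applied, but it no longer denies anything, so traffic that the implicit deny used to block passes until a new ACE is entered. Inserting a replacement ACE with a sequence number before deleting the old one avoids that gap.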