HP VPN Firewall Appliances Getting Started Command Reference

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

101

102

103

104

105

106

107

108

109

110

104

If an ACL is referenced in VTY user interface view, the connection is permitted to be established only

when packets for establishing a Telnet or SSH connection match a permit statement in the ACL.

The system regards the basic/advanced ACL with the inbound keyword, the basic/advanced ACL with

the outbound keyword, and Ethernet frame header ACL as different types of ACLs, which can coexist in

one VTY user interface. The match order is basic/advanced ACL, Ethernet frame header ACL. At most

one ACL of each type can be referenced in the same VTY user interface, and the last configured one

takes effect.

For more information about ACL, see Access Control Configuration Guide.

Examples

# Allow only the user with the IP address of 192.168.1.26 to access the device through Telnet or SSH.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 192.168.1.26 0

[Sysname-acl-basic-2001] quit

[Sysname] user-interface vty 0

[Sysname-ui-vty0] acl 2001 inbound

After the configuration, user A at 192.168.1.26 can Telnet to the device, but user B at 192.168.1.60 cannot

Telnet to the device. If a connection failure occurs, the following message appears: %connection closed

by remote host!

# Allow the device to only Telnet to the Telnet server with IP address 192.168.1.41.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule permit tcp destination 192.168.1.41 0

[Sysname-acl-adv-3001] quit

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] acl 3001 outbound

[Sysname-ui-vty0-4] return

After your configuration, if you Telnet to 192.168.1.46, your operation fails.

<Sysname> telnet 192.168.1.46

%Can't access the host from this terminal!

But you can Telnet to 192.168.1.41.

<Sysname> telnet 192.168.1.41

Trying 192.168.1.41 ...

Press CTRL+K to abort

Connected to 192.168.1.41 ...

# Allow only the WLAN client with the SSID of Admin to access the device through VTY 0.

<Sysname> system-view

[Sysname] acl number 100

[Sysname-acl-wlan-100] rule permit ssid Admin

[Sysname-acl-wlan-100] quit

[Sysname] user-interface vty 0

[Sysname-ui-vty0] acl 100 inbound