Command Reference Guide

September 2014
HP Moonshot Switch Module CLI Command Reference
IP Access Control List Commands
This section describes the commands you use to configure IP Access Control List (ACL) settings. IP ACLs ensure
that only authorized users have access to specific resources and block any unwarranted attempts to reach
network resources.
The following rules apply to IP ACLs:
HP Moonshot Switch Module software does not support IP ACL configuration for IP packet fragments.
The maximum number of ACLs you can create is 100. The limit applies to all ACLs, regardless of type.
The maximum number of rules per IP ACL is 1023.
Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the
inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for
the network address and zeros (0's) in the bit positions that are not. In contrast, a wildcard mask has
zeros (0's) in the bit positions that must be checked, and a 1 in a bit position of the ACL mask indicates
that the corresponding bit is ignored. For example, the subnet mask 255.255.255.0 corresponds to the
wildcard mask 0.0.0.255, which matches any address in the same /24 network as srcip.
access-list
This command creates an IP Access Control List (ACL) that is identified by the access list number, which is 1-99
for standard ACLs or 100-199 for extended ACLs. Table 14 describes the parameters for the access-list command.
IP Standard ACL:
Format access-list 1-99 {deny | permit} {every | srcip srcmask} [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} unit/slot/port]
Mode Global Config

IP Extended ACL:
Format access-list 100-199 {deny | permit} {every | {{icmp | igmp | ip | tcp | udp | 0-255} srcip srcmask [eq {portkey | 0-65535}] dstip dstmask [eq {portkey | 0-65535}] [precedence precedence | tos tos tosmask | dscp dscp]}} [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} unit/slot/port]
Mode Global Config
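The following is an added worked example, not code from the HP Moonshot reference or its firmware. It models, in Python, the two pieces of behaviour described above: the wildcard-mask rule (0 bits must match, 1 bits are ignored) and the standard (1-99) and extended (100-199) access-list syntax shown in the Format lines. Everything beyond what the page states is an assumption and is marked as such in the code: rules are evaluated in the order given with the first match deciding and an unmatched packet falling through to deny; only numeric port values are accepted after eq (the portkey names are not listed here); the trailing options (log, time-range, assign-queue, mirror, redirect) are accepted and ignored; and the sample configuration is constructed for the example.

```python
"""Added example (not from the HP Moonshot CLI reference): a small model of
IP ACL matching. Assumptions: first matching rule wins, no match -> deny,
numeric ports only after 'eq', trailing options ignored."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
PROTO_NUM = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}  # IANA protocol numbers


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask for a /prefix_len."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the base address; 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # bits that must match
    return (a & care) == (b & care)


@dataclass
class Rule:
    acl: int
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None = any IP protocol (standard ACL or "ip")
    src: Optional[Tuple[str, str]]   # (srcip, srcmask); None = every
    sport: Optional[int]
    dst: Optional[Tuple[str, str]]
    dport: Optional[int]


def parse_proto(tok: str) -> Optional[int]:
    """Protocol keyword or number 0-255; 'ip' means any protocol."""
    if tok == "ip":
        return None
    if tok in PROTO_NUM:
        return PROTO_NUM[tok]
    n = int(tok)
    if not 0 <= n <= 255:
        raise ValueError(f"protocol number out of range: {tok}")
    return n


def parse_rule(line: str) -> Rule:
    """Parse one access-list line in the documented Format (numeric ports only)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    acl, action = int(tok[1]), tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    if tok[3] == "every":
        return Rule(acl, action, None, None, None, None, None)
    if 1 <= acl <= 99:  # standard ACL: source address and wildcard only
        return Rule(acl, action, None, (tok[3], tok[4]), None, None, None)
    if not 100 <= acl <= 199:
        raise ValueError(f"ACL number {acl} is outside 1-99 and 100-199")
    proto, i = parse_proto(tok[3]), 4
    src, i = (tok[i], tok[i + 1]), i + 2
    sport = None
    if i < len(tok) and tok[i] == "eq":
        sport, i = int(tok[i + 1]), i + 2
    dst, i = (tok[i], tok[i + 1]), i + 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1])
    return Rule(acl, action, proto, src, sport, dst, dport)  # later options ignored


def parse_acl(text: str, number: int) -> List[Rule]:
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    return [r for r in rules if r.acl == number]


def matches(rule: Rule, proto: int, src: str, dst: str,
            sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.src is not None and not wildcard_match(src, *rule.src):
        return False
    if rule.sport is not None and rule.sport != sport:
        return False
    if rule.dst is not None and not wildcard_match(dst, *rule.dst):
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules: List[Rule], proto: int, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching rule decides; no match falls through to deny (assumed)."""
    for rule in rules:
        if matches(rule, proto, src, dst, sport, dport):
            return rule.action
    return "deny"


# Constructed sample configuration for this example (not from the reference).
SAMPLE_CONFIG = """
access-list 101 permit tcp 10.1.2.0 0.0.0.255 10.1.9.10 0.0.0.0 eq 22
access-list 101 deny tcp 0.0.0.0 255.255.255.255 10.1.9.10 0.0.0.0 eq 22 log
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.9.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
"""
ACL_101 = parse_acl(SAMPLE_CONFIG, 101)
ACL_10 = parse_acl(SAMPLE_CONFIG, 10)

if __name__ == "__main__":
    print(wildcard_from_prefix(24))                                    # 0.0.0.255
    print(evaluate(ACL_101, 6, "10.1.2.77", "10.1.9.10", 40000, 22))   # permit
    print(evaluate(ACL_101, 6, "10.1.3.5", "10.1.9.10", 40000, 22))    # deny
    print(evaluate(ACL_101, 6, "10.1.3.5", "10.1.9.10", 40000, 443))   # permit
    print(evaluate(ACL_10, 6, "192.168.2.9", "10.1.9.10"))             # deny
```

The sample ACL 101 shows why rule order matters in this model: SSH to 10.1.9.10 is permitted only from 10.1.2.0/24 because that rule precedes the broader deny, while the third rule still lets other traffic from 10.1.0.0/16 reach the 10.1.9.0/24 network. Note that a wildcard of 0.0.0.0 means an exact host match and 255.255.255.255 means any address.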
Table 14: ACL Command Parameters
Parameter Description
1-99 or 100-199
Range 1 to 99 is the access list number for an IP standard ACL. Range 100 to 199 is the access list number for an IP extended ACL.
{deny | permit}
Specifies whether the IP ACL rule permits or denies the packets that match it.
Note: For 5630x and 5650x-based systems, the assign-queue, redirect, and mirror attributes can be configured on a deny rule, but they have no operational effect.