10-50
Access Control Lists (ACLs)
Configuring and Assigning an ACL
To insert an ACE anywhere in a numbered ACL, use the same process
as described above for inserting an ACE anywhere in a named ACL.
For example, to insert an ACE denying IP traffic from the host at
10.10.10.77 as line 52 in an existing ACL identified (named) with the
number 11:
ProCurve(config)# ip access-list standard 99
ProCurve(config-std-nacl)# 52 deny host 10.10.10.77
Note: After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >),
it can be managed as either a named or numbered ACL, as shown above.
■ Deleting an ACE: Enter the ACL context and delete the sequence
number for the unwanted ACE. (To view the sequence numbers of the
ACEs in a list, use show access-list < acl-name-str >.)
■ Duplicate ACEs are not allowed in the same ACL. Attempting to enter
a duplicate ACE displays the Duplicate access control entry message.
Using CIDR Notation To Enter the ACL Mask
You can use CIDR (Classless Inter-Domain Routing) notation to enter ACL
masks. The switch interprets the bits specified with CIDR notation as the IP
address bits in an ACL and the corresponding IP address bits in a packet that
must match. The switch then converts the mask to inverse notation for ACL
use.
Table 10-8. Examples of CIDR Notation for Masks

IP Address Used In an ACL   Resulting ACL   Meaning
with CIDR Notation          Mask
10.38.240.125/15            0.1.255.255     The leftmost 15 bits must match; the remaining bits are wildcards.
10.38.240.125/20            0.0.15.255      The leftmost 20 bits must match; the remaining bits are wildcards.
10.38.240.125/21            0.0.7.255       The leftmost 21 bits must match; the remaining bits are wildcards.
10.38.240.125/24            0.0.0.255       The leftmost 24 bits must match; the remaining bits are wildcards.
18.38.240.125/32            0.0.0.0         All bits must match.
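The conversion the switch performs (prefix length to inverse mask, then bitwise match against the packet address) can be reproduced offline to check an ACE before entering it. The following is an added example, not code from the ProCurve manual; the function names and the sample addresses are this example's own.

```python
"""Added example: reproduce the switch's CIDR-to-inverse-mask conversion and
check which packet addresses an ACE built from that mask would match."""
import ipaddress


def cidr_to_wildcard(prefix_len: int) -> str:
    """Return the inverse (wildcard) mask for a prefix length.

    A 1 bit in the wildcard mask means the packet bit is ignored; a 0 bit
    means the packet bit must equal the ACE address bit.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    wildcard = ~netmask & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(wildcard))


def ace_matches(ace_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr matches ace_addr under the given wildcard mask."""
    a = int(ipaddress.IPv4Address(ace_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    p = int(ipaddress.IPv4Address(packet_addr))
    # Bits set in the wildcard are don't-care; every other bit must be equal.
    return (a & ~w) == (p & ~w)


def ace_from_cidr(cidr: str) -> tuple:
    """Split an 'address/prefix' string into the (address, wildcard) pair
    the switch stores for the ACE."""
    addr, plen = cidr.split("/")
    return addr, cidr_to_wildcard(int(plen))


if __name__ == "__main__":
    # Sample inputs constructed for this example (the /15 .. /32 rows of Table 10-8).
    for cidr in ("10.38.240.125/15", "10.38.240.125/20",
                 "10.38.240.125/21", "10.38.240.125/24", "10.38.240.125/32"):
        addr, wc = ace_from_cidr(cidr)
        print(f"{cidr:<18} -> address {addr}, inverse mask {wc}")
    # A /20 ACE ignores the low 4 bits of the third octet and all of the fourth.
    addr, wc = ace_from_cidr("10.38.240.125/20")
    print("10.38.255.1 matches /20 ACE:", ace_matches(addr, wc, "10.38.255.1"))
    print("10.38.224.1 matches /20 ACE:", ace_matches(addr, wc, "10.38.224.1"))
```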