IPv4 Access Control Lists (ACLs)
Creating or Editing ACLs Offline
In this example, the CLI would show the following output to indicate that
the ACL was successfully downloaded to the switch:
HP Switch(config)# copy tftp command-file 10.10.10.1 LIST-20-IN.txt pc
Running configuration may change, do you want to continue [y/n]? Y
1. ip access-list extended LIST-20-IN
3. ; CREATED ON JUNE 27
5. 10 remark "THIS ACE APPLIES INBOUND ON VLAN 20"
6. 10 permit tcp any host 10.10.20.98 eq http
7. 20 permit tcp any host 10.10.20.21 eq http
8. 30 deny tcp any 10.10.20.1/24 eq http
10. ; VLAN 20 SOURCES TO VLAN 10 DESTINATIONS.
12. 40 deny tcp host 10.10.20.17 host 10.10.10.100 eq telnet log
13. 50 deny tcp host 10.10.20.23 host 10.10.10.100 eq telnet log
14. 60 deny tcp host 10.10.20.40 host 10.10.10.100 eq telnet log
15. 70 permit ip 10.10.20.1/24 host 10.10.10.100
16. 80 remark "VLAN 30 POLICY."
17. 80 deny ip 10.10.30.1/24 host 10.10.10.100
18. 90 permit ip 10.10.30.1/24 10.10.10.1/24
19. exit
20. vlan 20 ip access-group "LIST-20-in" in

Figure 10-41. Example of Using “copy tftp command-file” To Configure an ACL in the Switch

As illustrated here, blank lines in the .txt file in figure 10-39 cause breaks in the displayed line-numbering sequence when you copy the command file to the switch. This is normal operation. (See also figure 10-42 for the configuration resulting from this output.)

Note: If a transport error occurs, the switch does not execute the command and the ACL is not configured.

3. In this example, the command to assign the ACL to a VLAN was included in the .txt command file. If this is not done in your applications, then the next step is to manually assign the new ACL to the intended VLAN.

   vlan < vid > ip access-group < identifier > in

4. You can then use the show run or show access-list config command to inspect the switch configuration to ensure that the ACL was properly downloaded.
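An added example (not from the HP guide): a Python check to run on the .txt command file before copying it to the switch. It reports ACEs that an earlier sequence number already covers, and `ip access-group` assignments that name an ACL the file does not define. The sample file is constructed from the figure's entries; exact, case-sensitive name matching and the handled ACE forms (`any`, `host`, `addr/len`, destination `eq`) are assumptions of this example.

```python
import ipaddress

# Constructed sample modelled on the figure; ACE 40 is deliberately misplaced.
SAMPLE = """ip access-list extended LIST-20-IN

; CREATED ON JUNE 27
10 remark "THIS ACE APPLIES INBOUND ON VLAN 20"
10 permit tcp any host 10.10.20.98 eq http
40 permit ip 10.10.20.1/24 host 10.10.10.100
50 deny tcp host 10.10.20.17 host 10.10.10.100 eq telnet log
exit
vlan 20 ip access-group "LIST-20-in" in
"""

def take_addr(tok):
    """Pop one address spec ('any', 'host A' or 'A/len') off the token list."""
    t = tok.pop(0)
    spec = "0.0.0.0/0" if t == "any" else tok.pop(0) + "/32" if t == "host" else t
    return ipaddress.ip_network(spec, strict=False)  # 10.10.20.1/24 -> 10.10.20.0/24

def parse(text):
    """Return ({acl: [(seq, proto, src, dst, port)]}, [(vid, acl_name)])."""
    acls, assigns, cur = {}, [], None
    for line in text.splitlines():  # blank, ';' comment, remark, exit: no branch matches
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"] and len(tok) > 3:
            cur = acls.setdefault(tok[3].strip('"'), [])  # ACE list being filled
        elif tok[:1] == ["vlan"] and tok[2:4] == ["ip", "access-group"] and len(tok) > 4:
            assigns.append((tok[1], tok[4].strip('"')))
        elif cur is not None and len(tok) >= 5 and tok[0].isdigit() \
                and tok[1] in ("permit", "deny"):
            rest = tok[3:]  # assumed form: src, dst, optional 'eq <port>'
            src, dst = take_addr(rest), take_addr(rest)
            port = rest[1] if rest[:1] == ["eq"] and len(rest) > 1 else None
            cur.append((int(tok[0]), tok[2], src, dst, port))
    return acls, assigns

def covers(a, b):
    """True if ACE a matches every packet that ACE b would match."""
    return (a[1] in ("ip", b[1]) and b[2].subnet_of(a[2])
            and b[3].subnet_of(a[3]) and a[4] in (None, b[4]))

def lint(text):
    acls, assigns = parse(text)
    # An ACE with a lower sequence number is evaluated first.
    issues = [f"{name}: ACE {b[0]} never matches (covered by ACE {a[0]})"
              for name, rows in acls.items() for b in rows
              for a in rows if a[0] < b[0] and covers(a, b)]
    issues += [f"vlan {vid}: access-group {n!r} is not defined in this file"
               for vid, n in assigns if n not in acls]
    return issues
```

Calling `lint(SAMPLE)` returns one finding for the telnet deny at sequence 50 and one for the VLAN 20 assignment; an empty list means neither check fired.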
Contents of E3800 Series
Page 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...