• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4443

How do I make this ACL on an HP Procurve?

I have an HP Procurve switch that I want to set up an ACL on. I have a host on my network that I want to restrict the access to. Say it's 10.10.47.10. I want to block ALL traffic except for a short list of IPs which I want to have un-restricted access to that host. The IPs are not contiguous so I can't use a range. I'd need to be able to enter them one at a time. Which is possible though tedious I believe. It's only about 5-6 IPs that need access to this host though. So in short I need an ACL to specifically allow these 5-6 IPs full access, and then a corresponding Deny All for everything else. This will all be applied to a specific port not globally. Any ideas?
Asked by: CCB-Tech
2 Solutions
 
CCB-Tech (Author) commented:
The problem with that guide is that I have an HP 5406zl. It does not have a GUI for configuration of ACLs. At least not through the web interface. So I need to be able to do it from command line.
 
Don Johnston (Instructor) commented:
You don't state if the 5-6 hosts are the same vlan or a different vlan.

Either way, ACL statements would be similar enough.

conf t
ip access-list Homer
 10 permit ip 10.10.47.10 0.0.0.0 10.10.47.5 0.0.0.0 
 20 permit ip 10.10.47.10 0.0.0.0 10.10.47.51 0.0.0.0
 30 permit ip 10.10.47.10 0.0.0.0 10.10.47.75 0.0.0.0
int b10
 ip access-group Homer in
end
write mem

CCB-Tech (Author) commented:
Excellent Don! That is very helpful. All the IPs to be blocked are on the same VLAN. So the first half of the Permit IP is the target IP, and the second is the allowed IP correct? Also, would this be the block command that would be at the end?

40 deny ip any any

Does that look correct?

Thanks!

Don Johnston (Instructor) commented:
The first address is the source IP address, the second is the destination.

Your line 40 is not needed as there is an "implicit deny any" at the end of every ACL.
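To make the two points in Don's answers concrete (first address is the source, second is the destination; unmatched traffic hits the implicit deny), here is an added Python model of the ACL semantics. It is not HP/Aruba code and never talks to a switch: it generates the same `permit ip <src> <wildcard> <dst> <wildcard>` lines Don posted from a non-contiguous list of peers, and then evaluates constructed sample flows top to bottom, first match wins, falling through to deny. The host, peer addresses, ACL name and port are taken from the thread; the function names are assumptions of this example.

```python
"""Hypothetical model of first-match ACL evaluation with wildcard masks.

Constructed for illustration only; it does not configure a switch.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple


class Rule(NamedTuple):
    seq: int
    action: str            # "permit" or "deny"
    src: IPv4Address
    src_wild: IPv4Address  # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: IPv4Address
    dst_wild: IPv4Address


def wildcard_match(addr: IPv4Address, base: IPv4Address, wild: IPv4Address) -> bool:
    """ProCurve/Cisco-style wildcard: a bit set in the mask is a don't-care bit."""
    care = 0xFFFFFFFF ^ int(wild)
    return (int(addr) & care) == (int(base) & care)


def build_acl(host: str, allowed: List[str], start: int = 10, step: int = 10) -> List[Rule]:
    """One permit line per allowed peer, numbered 10, 20, 30 ... as in the thread.

    The restricted host is written as the source and each peer as the
    destination, exactly the way Don's lines are laid out."""
    host_ip = IPv4Address(host)
    exact = IPv4Address("0.0.0.0")   # 0.0.0.0 wildcard = match this one address only
    return [
        Rule(start + i * step, "permit", host_ip, exact, IPv4Address(peer), exact)
        for i, peer in enumerate(allowed)
    ]


def render(name: str, rules: List[Rule], interface: str) -> str:
    """Render the configuration block in the same shape Don posted."""
    lines = ["conf t", f"ip access-list {name}"]
    lines += [f" {r.seq} {r.action} ip {r.src} {r.src_wild} {r.dst} {r.dst_wild}" for r in rules]
    lines += [f"int {interface}", f" ip access-group {name} in", "end", "write mem"]
    return "\n".join(lines)


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Walk the list in sequence order; the first matching line decides.

    A flow that matches no line falls through to the implicit deny, which is
    why an explicit '40 deny ip any any' is not required."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in sorted(rules, key=lambda r: r.seq):
        if wildcard_match(s, r.src, r.src_wild) and wildcard_match(d, r.dst, r.dst_wild):
            return r.action
    return "deny"   # implicit deny any any


# Constructed sample: the host from the question plus the three peers from the answer.
HOST = "10.10.47.10"
ALLOWED = ["10.10.47.5", "10.10.47.51", "10.10.47.75"]
ACL = build_acl(HOST, ALLOWED)

if __name__ == "__main__":
    print(render("Homer", ACL, "b10"))
    for peer in ALLOWED + ["10.10.47.99"]:
        print(f"{HOST} -> {peer}: {evaluate(ACL, HOST, peer)}")
    # Reversed direction: the peer is now the source, so none of the lines match.
    print(f"10.10.47.5 -> {HOST}: {evaluate(ACL, '10.10.47.5', HOST)}")
```

The last line of the demo is the check worth keeping in mind: because each entry names the host as the source, a packet travelling from a peer toward the host matches none of the lines and is dropped by the implicit deny. Applied `in` on the host's own port, the list therefore governs what the host sends; if the intent is to filter what reaches the host, the source and destination fields in each line have to be swapped accordingly before the list is applied.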
 
CCB-Tech (Author) commented:
Excellent, thank you very much for your help. Expect to see a few more of these types of questions in the future :). I had forgotten about the implicit deny at the end. I just tested it out and it works a treat!

Thanks for all your help dude!
