Leaflet for HP ProCurve Wireless Edge Services xl Module J9001A
Models
J9001A
3. To set the L3 ACL, type “ip access-group <ID> in”, where <ID> is the ACL ID that you gave to the IP
Extended List created in step 1 of the previous subsection.
4. You can verify that the correct ACLs are set using the commands “show ip access-group uplink” (for L3
ACLs) and “show mac access-group uplink” (for L2 ACLs). Check Figure 17 for an example of the output of
those commands.
Figure 17: Verifying the ACLs applied on the uplink port
Checking that the behavior is as expected
To verify that the ACLs are operating correctly, check what you can or can’t do in the wireless network before
setting the ACLs and what you can or can’t do after you set them. Take note of whether the protocols that you want
to block were allowed before, and whether they are still allowed afterwards. If you want to allow only certain
protocols and have everything else blocked, verify that it works that way after setting the ACLs.
Let’s start by using a wireless station and connecting to an active wireless network on your WESM. For
example, try to ping several wired network devices that are on the same VLAN as the wireless station. If it
works, then you are on track; if it doesn’t, check that there aren’t any other ACLs applied on the VLAN you
are connecting to, since those may be interrupting connectivity to these devices. If it still doesn’t work, try pinging
another device, and if this succeeds verify that the IP addresses you gave were correct and that the devices are
turned on and correctly configured in your network.
Once you have completed this previous step, apply the ACL as indicated in the previous subsections and try
pinging again. If the ping is now blocked, the ACL is working as intended. Remove the ACLs from the uplink port
and ping again to be sure that connectivity is restored; you are then done with testing.
Example case 3: Denying a TCP application protocol to a specific host.
In this scenario we will deny the usage of the FTP protocol (a TCP application protocol) from any wireless
station to a specific wired host. Once you learn how to do this, applying it to several specific hosts or different
TCP or UDP application protocols will be simple.
Steps to follow on the Web UI
Preparing the ACLs:
To block FTP traffic you have to create an L3 ACL that denies TCP port 21. To do this, follow the
next steps.
1. Navigate to the Security hash, select the ACLs node and click the Add button on the lower right of the
ACLs box section.
2. A popup window will appear; select Extended IP List from the dropdown menu and give the ACL an ID in
the indicated range.
3. Select the recently created Extended IP List and click the Add button on the lower left side of the Associated
Rules section.
4. Set a precedence number, select “deny” as the operation, select “tcp” as the protocol, and click on “Protocol
Options”; a popup window will appear. Type “21” as the Port in the Source Options section and leave the
Port in the Destination Options section blank. See Figure 18 to check how it should look. Finally, hit
OK. Note: In this example we are using 21 as the port because that is the FTP port. If we wanted to
allow or deny HTTP we would use port 80, or 443 for HTTPS, and so on.
5. Back in the Add Rule dialog, for the source wildcard select “host” from the drop-down menu and in the
source address fill in the IP address of the device or computer that you don’t want the wireless clients
to access via FTP. Use “any” as the destination wildcard and finally click OK to save the rule. Check Figure
19 to see how everything should look.
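The following is an added example, not code from the HP guide: a small Python model of an L3 extended ACL rule set, used to reason about what the Example case 3 rule (deny tcp, source host = the wired FTP server, source port 21, destination any) does before it is applied to the uplink port, and to revisit the before/after check from "Checking that the behavior is as expected". The rule order (ascending precedence, first match wins), the default action when nothing matches, and the address 192.0.2.10 standing in for the wired host are all assumptions of this model, not documented WESM behaviour.

```python
# Added example (not from the HP guide): a minimal model of an L3 extended ACL
# rule set, used to reason about the FTP-deny rule from Example case 3.
# Assumptions: rules are evaluated in ascending precedence order, the first
# match wins, and the default action is a parameter (real platforms differ).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    precedence: int                 # lower number evaluated first (assumption)
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                        # "any" or a host address
    dst: str                        # "any" or a host address
    src_port: Optional[int] = None  # None = port left blank in the Web UI
    dst_port: Optional[int] = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _match(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """First matching rule in precedence order wins; `default` applies when
    nothing matches (whether the real ACL ends in an implicit permit or deny
    is an assumption here; confirm it on your own platform)."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if _match(rule, pkt):
            return rule.action
    return default


# Example case 3 as a rule: deny tcp from host <wired FTP server> port 21 to any.
# 192.0.2.10 / 192.0.2.200 are constructed addresses (server and wireless client).
FTP_SERVER = "192.0.2.10"
CLIENT = "192.0.2.200"
CASE3_RULES = [Rule(10, "deny", "tcp", FTP_SERVER, "any", src_port=21)]


def ftp_reply_blocked() -> bool:
    """Server -> wireless client FTP control reply (source port 21) is denied."""
    pkt = Packet("tcp", FTP_SERVER, CLIENT, src_port=21, dst_port=50000)
    return evaluate(CASE3_RULES, pkt) == "deny"


def http_reply_allowed() -> bool:
    """Same server, a different service: unaffected by the FTP rule."""
    pkt = Packet("tcp", FTP_SERVER, CLIENT, src_port=80, dst_port=50001)
    return evaluate(CASE3_RULES, pkt) == "permit"


def other_server_ftp_allowed() -> bool:
    """FTP from a wired host the rule does not name is still allowed."""
    pkt = Packet("tcp", "192.0.2.11", CLIENT, src_port=21, dst_port=50002)
    return evaluate(CASE3_RULES, pkt) == "permit"


def ping_before_and_after() -> dict:
    """The before/after ping check: ICMP from the server is untouched by a
    TCP-only rule, so ping alone cannot confirm this ACL; test the blocked
    protocol itself (an FTP login attempt) before and after applying it."""
    icmp = Packet("icmp", FTP_SERVER, CLIENT)
    return {"before": evaluate([], icmp), "after": evaluate(CASE3_RULES, icmp)}


if __name__ == "__main__":
    print("FTP reply blocked:", ftp_reply_blocked())
    print("HTTP reply allowed:", http_reply_allowed())
    print("FTP from other host allowed:", other_server_ftp_allowed())
    print("ping before/after:", ping_before_and_after())
```

The point of `ping_before_and_after` is that the ping-based verification described earlier on this page is adequate for ACLs that block IP or ICMP, but a rule that denies only TCP port 21 leaves ping unchanged; the before/after test has to exercise the protocol you actually blocked.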