Transferring ACL command files

This section describes how to upload and execute a command file on the switch to configure or replace an ACL in the switch configuration. Such files should contain only access control entry (ACE) commands. For more on this general topic, including an example of an ACL command file created offline, see the section "Editing ACLs and Creating an ACL Offline" in the "Access Control Lists (ACLs)" chapter of the latest Access Security Guide for your switch.

TFTP: Uploading an ACL command file from a TFTP server (CLI)

Syntax:

copy tftp command-file <ip-addr> <filename.txt> <unix | pc>

Copies the named text file from the specified TFTP server and executes the ACL commands it contains.

<ip-addr>        The IP address of a TFTP server available to the switch.
<filename.txt>   A text file containing ACL commands, stored in the TFTP directory of the server identified by <ip-addr>.
<unix | pc>      The type of workstation used for serial, Telnet, or SSH access to the switch CLI.

Depending on the ACL commands used, this action does one of the following in the running-config file:

  • Creates a new ACL.

  • Replaces an existing ACL. (See "Creating an ACL Offline" in the "Access Control Lists (ACLs)" chapter in the latest Access Security Guide for your switch.)

  • Adds to an existing ACL.

Example:

Suppose you:

  1. Created an ACL command file named vlan10_in.txt to update an existing ACL.

  2. Copied the file to a TFTP server at 18.38.124.16.

Using a PC workstation, you then execute the following from the CLI to upload the file to the switch and implement the ACL commands it contains:

HP Switch(config)# copy tftp command-file 18.38.124.16 vlan10_in.txt pc

The switch displays this message:

Running configuration may change, do you want to continue [y/n]?

To continue with the upload, press the [Y] key. To abort the upload, press the [N] key. Note that if the switch detects an illegal (non-ACL) command in the file, it bypasses the illegal command, displays a notice (as shown in Using the copy command to download and configure an ACL), and continues to implement the remaining ACL commands in the file.

Using the copy command to download and configure an ACL

HP Switch(config)# copy tftp command-file 10.38.124.18 vlan10_in.txt pc
Running configuration may change, do you want to continue [y/n]? y
1. ip access-list extended "155"
2. deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
3. permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
4. show running
Command files are limited to access-list commands.   [1]
5. exit
Switch(config)# show running   [2]


Running configuration:

; J9091A Configuration Editor; Created on release #W.15.05.0000x
; Ver #01:01:00

hostname "HP Switch"
cdp run
ip default-gateway 10.38.248.1
logging 10.38.227.2
snmp-server community "public" unrestricted
ip access-list extended "155"
deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

[1] This message indicates that the show running command just above it is not an ACL command and will be ignored by the switch.

[2] Manually executing show running from the CLI confirms that the file was implemented, creating ACL 155 in the switch's running configuration.
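Because the switch silently bypasses any non-ACL line and applies the rest, it is useful to check a command file offline before uploading it, so that a stray command (or a typo that turns an ACE into something else) is caught before the running configuration changes. The following added example is not part of the switch documentation or HP's software; it is a small Python checker that mirrors the documented behaviour on the vlan10_in.txt contents echoed above. The set of accepted leading keywords (ip access-list, deny, permit, remark, exit) is my assumption based on the statement that command files are limited to access-list commands, and the sample file contents are constructed from the example listing.

```python
import re

# Keywords that begin commands the switch accepts inside a command file.
# Assumption for this example: the documentation says only access-list
# commands are accepted; this set (ACL header, ACEs, remarks, exit) is an
# interpretation of that statement, not an official list.
ACL_COMMAND_PREFIXES = ("ip access-list", "deny", "permit", "remark", "exit")

# Constructed sample: the contents of vlan10_in.txt as echoed by the switch
# in the example above, including the stray "show running" line.
SAMPLE_COMMAND_FILE = """\
ip access-list extended "155"
deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
show running
exit
"""


def check_command_file(text):
    """Split a command file into lines the switch will run and lines it will skip.

    Returns (accepted, skipped, acl_names). Blank lines and ';' comments are
    ignored. Matching is by leading keyword, which mirrors the documented
    behaviour: a non-ACL line is bypassed with a notice, not treated as fatal.
    """
    accepted, skipped, acl_names = [], [], []
    header = re.compile(r'ip access-list (?:standard|extended)\s+"?([^"\s]+)"?', re.I)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.lower().startswith(ACL_COMMAND_PREFIXES):
            accepted.append(line)
            m = header.match(line)
            if m:
                acl_names.append(m.group(1))
        else:
            skipped.append(line)
    return accepted, skipped, acl_names


def permit_all_entries(accepted):
    """Return the ACEs that permit any source to any destination.

    A 0.0.0.0 255.255.255.255 source and destination pair (or the 'any'
    keyword) matches every address, so such an entry deserves a second look
    before the file replaces a production ACL.
    """
    any_addr = r"(?:any|0\.0\.0\.0 255\.255\.255\.255)"
    pattern = re.compile(rf"^permit\s+\S+\s+{any_addr}\s+{any_addr}", re.I)
    return [ace for ace in accepted if pattern.match(ace)]


if __name__ == "__main__":
    ok, bad, names = check_command_file(SAMPLE_COMMAND_FILE)
    print("ACLs defined by the file:", names)
    for line in bad:
        print("would be bypassed by the switch:", line)
    for ace in permit_all_entries(ok):
        print("permit-any-to-any entry:", ace)
```

Run against the sample, the checker reports that "show running" would be bypassed (matching the switch notice at callout 1) and flags the final permit-everything ACE, which is the line a reviewer would want to confirm is intentional before the ACL goes live.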

Xmodem: Uploading an ACL command file from a serially connected PC or UNIX workstation (CLI)

Syntax:

copy xmodem command-file <unix | pc>

Uses Xmodem to copy an ACL command file from a PC or UNIX workstation and execute the commands it contains. Depending on the ACL commands used, this action does one of the following in the running-config file:

  • Creates a new ACL.

  • Replaces an existing ACL. (See "Creating an ACL Offline" in the "Access Control Lists (ACLs)" chapter in the latest Access Security Guide for your switch.)

  • Adds to an existing ACL.