3com 3.01.01 User Manual    212    CHAPTER 7: QOS/ACL OPERATION

Table 7 Defining advanced ACL

Operation: Define an ACL rule (advanced ACL view)
Command: rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ] [ vpn-instance instance-name ]

Operation: Delete an ACL rule (advanced ACL view)
Command: undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | time-range | vpn-instance ]*

Operation: Delete an ACL or all ACLs (system view)
Command: undo acl { number acl-number | name acl-name | all }

Note that the port1 and port2 parameters in the command should be TCP/UDP ports for advanced applications. For some common ports, you can use mnemonic symbols in place of the numbers. For example, you can use "bgp" to represent TCP port 179, which is used by the BGP protocol.

Defining L2 ACLs

L2 ACLs define source and destination MAC addresses, source and destination VLAN IDs, and L2 protocol type in their rules, and process packets according to these attributes.

Perform the following configurations in the specified view.

Table 8 Defining L2 ACLs

Operation: Enter L2 ACL view (system view)
Command: acl { number acl-number | name acl-name link } [ match-order { config | auto } ]

Operation: Define an ACL rule (L2 ACL view)
Command: rule [ rule-id ] { permit | deny } [ protocol | ingress { { source-vlan-id | source-mac-addr source-mac-wildcard }* | any } | egress { dest-mac-addr dest-mac-wildcard | any } | time-range name ]*

Operation: Delete an ACL rule (L2 ACL view)
Command: undo rule rule-id

Operation: Delete an ACL or all ACLs (system view)
Command: undo acl { number acl-number | name acl-name | all }

Activating ACLs

After you define an ACL, you must activate it. This configuration activates those ACLs to filter or classify the packets forwarded by hardware.

Perform the following configurations in Ethernet interface or VLAN view.

Table 9 Activating ACL

Operation: Activate IP group ACL
Command: packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

Operation: Deactivate IP group ACL
Command: undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]
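The following configuration session is an added worked example and is not taken from the 3Com manual. It ties the three tables together: an advanced ACL that permits one known peer to reach the BGP port of a router subnet and denies every other source (using the "bgp" mnemonic from the note above), an L2 ACL that drops frames from one source MAC address, and activation of both on an Ethernet interface. Several details are assumptions not shown on this page: that advanced ACLs are numbered in the 3000 range and L2 ACLs in the 4000 range, that the advanced ACL view is entered with "acl number" and accepts "match-order config" like the L2 view, that "eq" is a valid port operator, that the interface is named Ethernet 1/0/1, and that "link-group" is the L2 counterpart of the "ip-group" keyword in Table 9. All addresses and MAC addresses are constructed sample values, and the lines beginning with "#" are annotations, not CLI input.

```text
# Added example, not from the manual. Assumed: ACL number ranges, "acl number"
# entry to advanced view, "eq" operator, interface name, "link-group" keyword.
# Sample values: router subnet 192.0.2.0/24, BGP peer 198.51.100.1,
# blocked source MAC 0000-5e00-0101 (all constructed).
system-view
 acl number 3000 match-order config
  # match-order config: rules are tried in the order written, so the peer's
  # permit must come before the catch-all deny
  rule 0 permit tcp source 198.51.100.1 0 destination 192.0.2.0 0.0.0.255 destination-port eq bgp
  rule 1 deny tcp source any destination 192.0.2.0 0.0.0.255 destination-port eq bgp
  quit
 acl number 4000 match-order config
  # L2 rule: wildcard 0000-0000-0000 means an exact MAC match
  rule 0 deny ingress 0000-5e00-0101 0000-0000-0000 egress any
  quit
 interface Ethernet 1/0/1
  # Table 9: the ACL does nothing until it is activated on a port or VLAN
  packet-filter inbound ip-group 3000
  packet-filter inbound link-group 4000
  quit
```

The ordering point is the one to check when reviewing such a configuration: with match-order config the first matching rule wins, so swapping rule 0 and rule 1 above would silently cut off the legitimate peer as well. To remove the filter again, use the "undo packet-filter inbound" forms from Table 9 on the interface, then "undo acl number 3000" or "undo acl number 4000" in system view.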