3com 5500-ei pwr Reference Guide
1-24
Protocol
Protocol number
in hexadecimal
Offset when VLAN-VPN is
not enabled on any port
Offset when VLAN-VPN is
enabled on a port
RARP 0x8035
16
20
IP 0x0800 16
20
IPX 0x8137 16
20
AppleTalk 0x809B
16
20
ICMP 0x01
27
31
IGMP 0x02
27
31
TCP 0x06
27
31
UDP 0x11
27
31
Examples
# Create user-defined ACL 5000 and define rule 1 to deny all TCP packets (it is assumed that no port is
enabled with the VLAN-VPN function). In the following rule command line, 06 is the protocol number of
TCP, ff is the rule mask, and 27 is the offset of the protocol field in an IP packet that the switch
processes internally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 06 ff 27
[Sysname-acl-user-5000] quit
# Create user-defined ACL 5001 and define rule 1 to deny ARP packets sourced from 192.168.0.1 (it is
assumed that no port is enabled with the VLAN-VPN function). In the following rule command line,
0806 is the protocol number of ARP, 16 is the offset of the protocol field in an Ethernet packet that the
switch processes internally, c0a80001 is the representation of 192.168.0.1 in hexadecimal, and 32 is
the offset of the source IP address field in an ARP packet that the switch processes internally.
[Sysname] acl number 5001
[Sysname-acl-user-5001] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32
[Sysname-acl-user-5001] quit
# Create user-defined ACL 5002 and define rule 1, specifying a 32-byte rule string, a rule mask of all Fs,
and an offset of 4. Then, apply the ACL to Ethernet 1/0/1.
[Sysname] acl number 5002
[Sysname-acl-user-5002] rule 1 deny
1234567890123456789012345678901234567890123456789012345678901234
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 4
[Sysname-acl-user-5002] quit
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound user-group 5002