3com 4210 User Manual

CHAPTER 22: ACL CONFIGURATION GUIDE
# Define ACL 5000 to deny any ARP packet whose source IP address is 
192.168.0.1 from 8:00 to 18:00 every day (provided that VLAN-VPN is not enabled 
on any port). In the ACL rule, 0806 is the ARP protocol number, 16 is the protocol 
type field offset of the internally processed Ethernet frame, c0a80001 is the 
hexadecimal form of 192.168.0.1, and 32 is the source IP address field offset of 
the internally processed ARP packet.
[3Com] acl number 5000
[3Com-acl-user-5000] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 time-range test
# Apply ACL 5000 to Ethernet 1/0/1.
[3Com] interface Ethernet 1/0/1
[3Com-Ethernet1/0/1] packet-filter inbound user-group 5000 
Complete Configuration
#
acl number 5000
rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 time-range test
#
interface Ethernet1/0/1
packet-filter inbound user-group 5000 rule 1
#
time-range test 08:00 to 18:00 daily
Precautions
Some functions and protocols configured on the device may occupy ACL rule 
resources. The actual occupation varies with functions and protocols.
For a Switch 5500, if VLAN-VPN is not enabled, each packet in the switch 
carries one VLAN tag, which is 4 bytes long; if VLAN-VPN is enabled on a port, 
each packet in the switch carries two VLAN tags, which are 8 bytes long. Pay 
attention to the above information when configuring a rule that matches 
specific fields of packets.
For a Switch 5500Gs Ethernet switch, each packet in the switch carries two 
VLAN tags, which are 8 bytes long. Pay attention to the above information 
when configuring a rule that matches specific fields of packets.
The command for defining a user-defined ACL rule is rule [ rule-id ] { deny | 
permit } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ], 
where rule-id refers to the ACL number, rule-string is the user-defined rule 
string, rule-mask is the user-defined rule mask, and offset is the rule mask offset.
If you specify multiple rule strings in an ACL rule, the valid length of the rule 
mask is 128 hexadecimal numerals (64 bytes). For example, assume that you 
specify a rule string of aa and set its offset to 2. If you continue to specify a rule 
string of bb, its offset must be in the range from 3 to 65 bytes. If you set the 
offset of the rule string aa to 3, the offset of the rule string bb must be in the 
range of 4 to 66 bytes, and so on. Note that the offset of the rule string bb 
cannot be greater than 79 bytes.
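The offsets 16 and 32 used in ACL 5000, and the VLAN tag precaution above, can be checked offline with the Python sketch below. It is an added example, not part of the 3Com manual. The frame contents (MAC addresses, tag value 81000001, target IP) and the SHIFTED rule, whose offsets are moved by 4 bytes for a second tag, are constructed assumptions.

```python
import struct

def parse_rule(text):
    """Split 'rule-string rule-mask offset ...' into (value, mask, offset) triples."""
    tok = text.split()
    if len(tok) % 3 or not 1 <= len(tok) // 3 <= 8:
        raise ValueError("expected 1 to 8 rule-string/rule-mask/offset triples")
    triples = []
    for s, m, off in zip(tok[0::3], tok[1::3], tok[2::3]):
        value, mask = bytes.fromhex(s), bytes.fromhex(m)
        if len(value) != len(mask):
            raise ValueError("rule-string and rule-mask differ in length")
        triples.append((value, mask, int(off)))
    return triples

def matches(frame, triples):
    """True when every masked rule string equals the frame bytes at its offset."""
    for value, mask, off in triples:
        window = frame[off:off + len(value)]
        if len(window) < len(value):
            return False          # rule reaches past the end of the frame
        if any((w ^ v) & m for w, v, m in zip(window, value, mask)):
            return False
    return True

def arp_frame(src_ip, vlan_tags=1):
    """Constructed ARP request as processed inside the switch (always tagged)."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")    # dst MAC, src MAC
    tags = bytes.fromhex("81000001") * vlan_tags            # 4 bytes per VLAN tag
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)         # htype ptype hlen plen oper
    arp += bytes.fromhex("020000000001") + bytes(src_ip)    # sender MAC, sender IP
    arp += bytes(6) + bytes([192, 168, 0, 254])             # target MAC, target IP
    return macs + tags + b"\x08\x06" + arp

# Rule strings from ACL 5000 on this page (one VLAN tag, VLAN-VPN disabled).
RULE = parse_rule("0806 ffff 16 c0a80001 ffffffff 32")
# Assumption: the same fields with two VLAN tags sit 4 bytes further in.
SHIFTED = parse_rule("0806 ffff 20 c0a80001 ffffffff 36")

if __name__ == "__main__":
    one_tag = arp_frame([192, 168, 0, 1])
    two_tags = arp_frame([192, 168, 0, 1], vlan_tags=2)
    print("one tag, page rule:    ", matches(one_tag, RULE))
    print("two tags, page rule:   ", matches(two_tags, RULE))
    print("two tags, shifted rule:", matches(two_tags, SHIFTED))
```

With a second tag in place, the unshifted rule no longer lines up with the protocol type and source IP fields, so the deny entry silently stops matching; this is the failure the precaution warns about.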
As shown in Table 2, the hardware rule of the Switch 5500/5500G logically 
divides the rule mask offset of a user-defined string into multiple offset units, 
each of which is 4 bytes long. Available offset units fall into eight groups, which 
are numbered from Offset1 to Offset8