3com 5500G ユーザーズマニュアル
208
C
HAPTER
22: ACL C
ONFIGURATION
G
UIDE
Complete Configuration
#
acl number 2000
rule 1 deny source 10.1.1.1 0 time-range test
#
interface Ethernet1/0/1
packet-filter inbound ip-group 2000 rule 1
#
time-range test 08:00 to 18:00 daily
#
Precautions
■
If a packet matches multiple ACL rules at the same time and some actions of
the rules conflict, the last assigned rule takes effective.
the rules conflict, the last assigned rule takes effective.
■
When applying multiple rules, you are recommended to apply rules in the
ascending order of their mask ranges and apply rues with the same mask range
at the same time. This is to ensure that the actual operation of the rules is
consistent with the requirements.
ascending order of their mask ranges and apply rues with the same mask range
at the same time. This is to ensure that the actual operation of the rules is
consistent with the requirements.
■
Some functions and protocols configured on the device may occupy ACL rule
resources. The actual occupation varies with functions and protocols.
resources. The actual occupation varies with functions and protocols.
Configuring Advanced
ACLs
ACLs
Advanced ACLs filter packets based on Layer 3 and Layer 4 header information
such as the source and destination IP addresses, type of the protocols carried by IP,
protocol-specific features (such as TCP or UDP source port and destination port,
ICMP message type and message code).
such as the source and destination IP addresses, type of the protocols carried by IP,
protocol-specific features (such as TCP or UDP source port and destination port,
ICMP message type and message code).
The numbers of advanced ACLs range from 3000 to 3999.
Network Diagram
Figure 59 Network diagram for advanced ACL configuration
Networking and
Configuration
Requirements
Different departments of an enterprise are interconnected through a switch
(assuming that the switch is a Switch 5500).The IP address of the wage query
server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the
switch. Apply an advanced ACL on the interface to deny access requests that are
sourced from the R&D department and destined for the wage server during
working hours (8:00 to 18:00).
(assuming that the switch is a Switch 5500).The IP address of the wage query
server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the
switch. Apply an advanced ACL on the interface to deny access requests that are
sourced from the R&D department and destined for the wage server during
working hours (8:00 to 18:00).
Applicable Products
Eth1/0 /1
The R&D
department
Switch
To the router
Wage query server
Eth1/0 /2
192 .168 .1 .2
Product series
Software version
Hardware version
Switch 5500
Release V03.02.04
All versions