3com 5500G User's Manual

Chapter 22: ACL Configuration Guide
Complete Configuration
#
acl number 2000
rule 1 deny source 10.1.1.1 0 time-range test
#
interface Ethernet1/0/1
packet-filter inbound ip-group 2000 rule 1
#
time-range test 08:00 to 18:00 daily
Precautions
If a packet matches multiple ACL rules at the same time and the actions of those rules conflict, the rule assigned last takes effect.
When applying multiple rules, it is recommended that you apply rules in ascending order of their mask ranges and apply rules with the same mask range at the same time. This ensures that the actual operation of the rules is consistent with the requirements.
Some functions and protocols configured on the device may occupy ACL rule resources. The actual occupation varies with the function or protocol.
Configuring Advanced ACLs
Advanced ACLs filter packets based on Layer 3 and Layer 4 header information such as the source and destination IP addresses, the protocol type carried by IP, and protocol-specific features (such as TCP or UDP source and destination ports, and ICMP message type and message code).
Advanced ACLs are numbered from 3000 to 3999.
Network Diagram
Figure 59   Network diagram for advanced ACL configuration
[Figure 59 shows the switch with the R&D department connected on Eth1/0/1, the wage query server (192.168.1.2) connected on Eth1/0/2, and an uplink to the router.]
Networking and Configuration Requirements
Different departments of an enterprise are interconnected through a switch (assuming that the switch is a Switch 5500). The IP address of the wage query server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the switch. Apply an advanced ACL on the interface to deny access requests that are sourced from the R&D department and destined for the wage query server during working hours (8:00 to 18:00).
Applicable Products
Product series    Software version      Hardware version
Switch 5500       Release V03.02.04     All versions
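The following Python script is an added illustration for this page and is not part of the manual or of 3Com's software. It models two things stated above: the precaution that, when a packet matches several applied rules with conflicting actions, the rule assigned last takes effect, and the working-hours requirement for the advanced ACL. It assumes that the R&D department sits in 10.1.1.0/24 (the page gives no subnet), a time range named "work" that uses the working-day keyword, and that a packet matching no applied rule is forwarded; the packets and 2024 timestamps are constructed.

```python
"""Offline model of the Switch 5500 packet-filter behaviour described above:
rules are applied to an interface one at a time, and when a packet matches
several applied rules whose actions conflict, the rule applied last wins.
Added example, not 3Com code. The R&D subnet 10.1.1.0/24, the "work" time
range, the timestamps and all packets are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class TimeRange:
    start: str           # "HH:MM", inclusive
    end: str             # "HH:MM", inclusive
    days: str = "daily"  # "daily" or "working-day" (Monday to Friday)

    def active(self, when: datetime) -> bool:
        in_hours = self.start <= when.strftime("%H:%M") <= self.end
        if self.days == "working-day":
            return in_hours and when.weekday() < 5
        return in_hours

def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Translate 'address wildcard' notation (10.1.1.0 0.0.0.255, or the
    shorthand 0 for one host) into an IPv4Network; contiguous wildcards only."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return IPv4Network((addr, prefix), strict=False)

@dataclass(frozen=True)
class Rule:
    action: str                                    # "permit" or "deny"
    source: IPv4Network
    destination: IPv4Network = IPv4Network("0.0.0.0/0")
    time_range: Optional[str] = None               # name of a configured time range

    def matches(self, pkt: dict, time_ranges: dict, when: datetime) -> bool:
        if self.time_range and not time_ranges[self.time_range].active(when):
            return False  # the rule exists but is inactive outside its time range
        return (IPv4Address(pkt["src"]) in self.source
                and IPv4Address(pkt["dst"]) in self.destination)

def packet_filter(applied: list, time_ranges: dict, pkt: dict, when: datetime) -> str:
    """`applied` holds rules in the order their packet-filter commands were
    issued; the last matching rule wins, and no match means the packet passes."""
    decision = "permit"
    for rule in applied:
        if rule.matches(pkt, time_ranges, when):
            decision = rule.action
    return decision

TIME_RANGES = {
    "test": TimeRange("08:00", "18:00", "daily"),        # from the configuration above
    "work": TimeRange("08:00", "18:00", "working-day"),  # constructed for the advanced case
}

# ACL 2000 rule 1 as configured above: deny host 10.1.1.1 while "test" is active.
BASIC_RULE = Rule("deny", wildcard_to_network("10.1.1.1", "0"), time_range="test")

# Advanced rule for the requirements above: the R&D department (assumed to be
# 10.1.1.0/24) may not reach the wage query server 192.168.1.2 in working hours.
ADVANCED_RULE = Rule("deny", wildcard_to_network("10.1.1.0", "0.0.0.255"),
                     destination=wildcard_to_network("192.168.1.2", "0"),
                     time_range="work")

def advanced_decisions() -> dict:
    """Run constructed packets through the advanced rule at several times
    (2024-05-15 is a Wednesday, 2024-05-18 a Saturday)."""
    to_wage = {"src": "10.1.1.20", "dst": "192.168.1.2"}
    to_other = {"src": "10.1.1.20", "dst": "192.168.1.3"}
    applied = [ADVANCED_RULE]
    return {
        "weekday_10am": packet_filter(applied, TIME_RANGES, to_wage, datetime(2024, 5, 15, 10, 0)),
        "weekday_8pm": packet_filter(applied, TIME_RANGES, to_wage, datetime(2024, 5, 15, 20, 0)),
        "saturday_10am": packet_filter(applied, TIME_RANGES, to_wage, datetime(2024, 5, 18, 10, 0)),
        "other_server": packet_filter(applied, TIME_RANGES, to_other, datetime(2024, 5, 15, 10, 0)),
    }

def conflict_demo() -> dict:
    """The precaution above: a subnet permit and the host deny both match
    10.1.1.1, so the order in which they are applied decides the outcome."""
    permit_subnet = Rule("permit", wildcard_to_network("10.1.1.0", "0.0.0.255"))
    pkt = {"src": "10.1.1.1", "dst": "192.168.1.2"}
    when = datetime(2024, 5, 15, 10, 0)
    return {
        "subnet_then_host": packet_filter([permit_subnet, BASIC_RULE], TIME_RANGES, pkt, when),
        "host_then_subnet": packet_filter([BASIC_RULE, permit_subnet], TIME_RANGES, pkt, when),
    }

if __name__ == "__main__":
    print("advanced:", advanced_decisions())
    print("conflict:", conflict_demo())
```

Running the script shows the R&D packet to the wage server denied at 10:00 on a weekday but permitted at 20:00, on Saturday, or when addressed to another server, and the conflict demo shows the same packet denied or permitted depending only on which rule was applied last, which is why the order of packet-filter commands matters.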