3com MSR 20-20 참조 매뉴얼
2097
When defining ACL rules, you need not assign them IDs. The system can
automatically assign rule IDs starting with 0 and increasing in certain rule
numbering steps. A rule ID thus assigned is greater than the current highest rule
ID. For example, if the rule numbering step is five and the current highest rule ID is
28, the next rule will be numbered 30. For detailed information about step, refer
to “step (for IPv4)” on page 2100 and “step (for IPv6)” on page 2116.
automatically assign rule IDs starting with 0 and increasing in certain rule
numbering steps. A rule ID thus assigned is greater than the current highest rule
ID. For example, if the rule numbering step is five and the current highest rule ID is
28, the next rule will be numbered 30. For detailed information about step, refer
to “step (for IPv4)” on page 2100 and “step (for IPv6)” on page 2116.
You may use the display acl command to verify rules configured in an ACL. If the
match order for this ACL is auto, rules are displayed in the depth-first order rather
than by rule number.
match order for this ACL is auto, rules are displayed in the depth-first order rather
than by rule number.
Example
# Define a rule to permit the TCP packets to pass with the destination port 80 sent
from 129.9.0.0 to 202.38.160.0.
from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq 80
rule (in Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap
lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name |
type type-code type-wildcard ] *
lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name |
type type-code type-wildcard ] *
undo rule rule-id
View
Ethernet frame header ACL view
Parameter
rule-id: Ethernet frame header ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
cos vlan-pri: Defines an 802.1p priority. The vlan-pri argument takes a value in the
range 0 to 7; or its equivalent in words, best-effort, background, spare,
excellent-effort, controlled-load, video, voice, or network-management.
range 0 to 7; or its equivalent in words, best-effort, background, spare,
excellent-effort, controlled-load, video, voice, or network-management.
dest-mac dest-addr dest-mask: Specifies a destination MAC address range. The
dest-addr and dest-mask arguments indicate a destination MAC address and mask
in xxxx-xxxx-xxxx format.
dest-addr and dest-mask arguments indicate a destination MAC address and mask
in xxxx-xxxx-xxxx format.
lsap lsap-code lsap-wildcard: Defines the DSAP and SSAP fields in the LLC
encapsulation. The lsap-code argument is a 16-bit hexadecimal number indicating
frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal number
indicating the wildcard of the LSAP code.
encapsulation. The lsap-code argument is a 16-bit hexadecimal number indicating
frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal number
indicating the wildcard of the LSAP code.
source-mac sour-addr source-mask: Specifies a source MAC address range. The
sour-addr and sour-mask arguments indicate a source MAC address and mask in
xxxx-xxxx-xxxx format.
sour-addr and sour-mask arguments indicate a source MAC address and mask in
xxxx-xxxx-xxxx format.