H3C s3600 series Command Manual page 744
You can modify any existing rule of a user-defined ACL. If you modify only the time range and/or action, the unmodified parts of the rule remain the same. If you modify the rule-string rule-mask offset combinations, however, the new combinations replace all of the original ones.
If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule is the greatest existing rule number plus one. If the current greatest rule number is already 65534, however, the system displays an error message and you need to specify a number for the rule.
The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.
When specifying the offset, take the following two items into account:
If VLAN-VPN is not enabled on any port, each packet in the switch carries one VLAN tag, which is four bytes long.
If VLAN-VPN is enabled on a port, each packet in the switch carries two VLAN tags, which occupy eight bytes.
Frequently used protocol types and offsets are listed in the following table.

Table 1-17 Frequently used protocol types and offsets

Protocol     Protocol number    Offset when VLAN-VPN is    Offset when VLAN-VPN is
             in hexadecimal     not enabled on any port    enabled on a port
ARP          0x0806             16                         20
RARP         0x8035             16                         20
IP           0x0800             16                         20
IPX          0x8137             16                         20
AppleTalk    0x809B             16                         20
ICMP         0x01               27                         31
IGMP         0x02               27                         31
TCP          0x06               27                         31
UDP          0x11               27                         31

Examples

# Create user-defined ACL 5000 and define rule 1 to deny all TCP packets (it is assumed that no port is enabled with the VLAN-VPN function). In the following rule command line, 06 is the protocol number of TCP, ff is the rule mask, and 27 is the offset of the protocol field in an IP packet that the switch processes internally.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 06 ff 27
[Sysname-acl-user-5000] quit

# Create user-defined ACL 5001 and define rule 1 to deny ARP packets sourced from 192.168.0.1 (it is assumed that no port is enabled with the VLAN-VPN function). In the following rule command line, 0806 is the protocol number of ARP, 16 is the offset of the protocol field in an Ethernet packet that the switch
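The offsets in Table 1-17 follow directly from the frame layout the switch sees internally: 12 bytes of destination and source MAC, then one 4-byte VLAN tag (or two when VLAN-VPN is enabled), then the 2-byte EtherType, then the IP header whose Protocol field is its tenth byte. The following Python model is an added example, not part of the H3C manual or its software; it computes those offsets, builds constructed single- and double-tagged frames, and applies a rule the way the rule-string/rule-mask/offset semantics describe (the bytes at the offset are ANDed with the mask and compared with the rule string). The ARP sender-address offset used for the second rule is derived from the standard ARP layout, and the frame contents (MAC addresses, VLAN ID, IP addresses) are constructed values.

```python
"""Model of user-defined ACL matching by rule-string, rule-mask and offset.

Added example, not code from the H3C manual. All frames and addresses below
are constructed sample values.
"""
import struct

ETH_ADDR_LEN = 6        # bytes per MAC address
VLAN_TAG_LEN = 4        # one 802.1Q tag: TPID (2) + TCI (2)
ETHERTYPE_LEN = 2       # protocol field of the Ethernet frame
IP_PROTOCOL_INDEX = 9   # Protocol field is byte 9 of the IPv4 header
ARP_SENDER_IP_INDEX = 14  # sender protocol address is byte 14 of an ARP packet


def ethertype_offset(vlan_tags: int) -> int:
    """Offset of the EtherType field in a frame carrying `vlan_tags` VLAN tags.

    One tag (VLAN-VPN off) gives 16, two tags (VLAN-VPN on) give 20,
    matching the manual's Table 1-17."""
    return 2 * ETH_ADDR_LEN + vlan_tags * VLAN_TAG_LEN


def ip_protocol_offset(vlan_tags: int) -> int:
    """Offset of the IPv4 Protocol field: 27 with one tag, 31 with two."""
    return ethertype_offset(vlan_tags) + ETHERTYPE_LEN + IP_PROTOCOL_INDEX


def arp_sender_ip_offset(vlan_tags: int) -> int:
    """Offset of the ARP sender IP address (derived from the ARP layout)."""
    return ethertype_offset(vlan_tags) + ETHERTYPE_LEN + ARP_SENDER_IP_INDEX


def build_frame(vlan_tags: int, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame: dst MAC, src MAC, `vlan_tags` tags (VLAN 100), EtherType, payload."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for _ in range(vlan_tags):
        frame += struct.pack("!HH", 0x8100, 100)
    return frame + struct.pack("!H", ethertype) + payload


def ipv4_payload(protocol: int, src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; enough for offset matching)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0, src, dst)


def arp_payload(sender_ip: bytes, target_ip: bytes) -> bytes:
    """ARP request: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       bytes(6), sender_ip, bytes(6), target_ip)


def rule_matches(frame: bytes, rule: list) -> bool:
    """Apply a user-defined rule: a list of (rule_string_hex, rule_mask_hex, offset).

    Every combination must match for the rule to match, as in the manual's
    rule-string rule-mask offset syntax (e.g. "06 ff 27" for TCP)."""
    for rule_string, rule_mask, offset in rule:
        value = bytes.fromhex(rule_string)
        mask = bytes.fromhex(rule_mask)
        if len(value) != len(mask):
            raise ValueError("rule string and rule mask must be the same length")
        window = frame[offset:offset + len(value)]
        if len(window) < len(value):
            return False  # frame too short to contain the field
        if any((w & m) != (v & m) for w, v, m in zip(window, value, mask)):
            return False
    return True


# The page's rule 1 of ACL 5000: deny TCP, single-tagged frames.
DENY_TCP_ONE_TAG = [("06", "ff", ip_protocol_offset(1))]
# Same intent for VLAN-VPN-enabled ports: the offset shifts by one tag.
DENY_TCP_TWO_TAGS = [("06", "ff", ip_protocol_offset(2))]
# Deny ARP sourced from 192.168.0.1 (offsets derived above, not the page's command).
DENY_ARP_FROM_192_168_0_1 = [("0806", "ffff", ethertype_offset(1)),
                             ("c0a80001", "ffffffff", arp_sender_ip_offset(1))]

HOST_A = bytes([192, 168, 0, 1])
HOST_B = bytes([192, 168, 0, 2])


def sample_results() -> dict:
    """Evaluate the rules against constructed frames; returned for inspection and testing."""
    tcp_one = build_frame(1, 0x0800, ipv4_payload(6, HOST_A, HOST_B))
    udp_one = build_frame(1, 0x0800, ipv4_payload(17, HOST_A, HOST_B))
    tcp_two = build_frame(2, 0x0800, ipv4_payload(6, HOST_A, HOST_B))
    arp_a = build_frame(1, 0x0806, arp_payload(HOST_A, HOST_B))
    arp_b = build_frame(1, 0x0806, arp_payload(HOST_B, HOST_A))
    return {
        "tcp_one_tag_denied": rule_matches(tcp_one, DENY_TCP_ONE_TAG),
        "udp_one_tag_denied": rule_matches(udp_one, DENY_TCP_ONE_TAG),
        "tcp_two_tags_wrong_offset": rule_matches(tcp_two, DENY_TCP_ONE_TAG),
        "tcp_two_tags_right_offset": rule_matches(tcp_two, DENY_TCP_TWO_TAGS),
        "arp_from_host_a_denied": rule_matches(arp_a, DENY_ARP_FROM_192_168_0_1),
        "arp_from_host_b_denied": rule_matches(arp_b, DENY_ARP_FROM_192_168_0_1),
        "ip_frame_hits_arp_rule": rule_matches(tcp_one, DENY_ARP_FROM_192_168_0_1),
    }


if __name__ == "__main__":
    for name, hit in sample_results().items():
        print(f"{name}: {hit}")
```

The `tcp_two_tags_wrong_offset` case is the practical point of the two offset columns: a rule written for offset 27 silently stops matching TCP once a port carries two tags, because byte 27 is then inside the IP identification field rather than the Protocol field, so an ACL that was verified on untagged ports should be re-checked after VLAN-VPN is enabled.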