Example for Applying an ACL to a VLAN - H3C S3100-52P Operation Manual

Operation Manual – ACL
H3C S3100-52P Ethernet Switch
II. Network diagram
Figure 1-6 Network diagram for user-defined ACL
III. Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1
from 8:00 to 18:00 every day (provided that VLAN-VPN is not enabled on any port). In
the ACL rule, 0806 is the ARP protocol number, ffff is the mask of the rule, 16 is the
offset of the protocol type field in the internally processed Ethernet frame, c0a80001
is the hexadecimal form of 192.168.0.1, and 32 is the offset of the source IP address
field in the internally processed ARP packet.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 time-range test
[Sysname-acl-user-5000] quit
# Apply ACL 5000 on Ethernet 1/0/1.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound user-group 5000
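
The following is an added example, not part of the H3C manual: it parses the user-defined rule above into pattern/mask/offset triples and checks them against constructed ARP frames. It assumes the internally processed frame is an Ethernet header carrying one 4-byte 802.1Q tag, which is the layout that places the type field at offset 16 and the ARP sender IP at offset 32; the two-tag frame is a constructed stand-in for the extra tag VLAN-VPN would add, showing why the rule depends on that feature being off.

```python
import struct

RULE = "rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 time-range test"

def parse_rule(rule):
    """Return (action, [(pattern, mask, offset), ...]) for a user-defined ACL rule."""
    tokens = rule.split()
    if "time-range" in tokens:                 # drop the optional trailing clause
        tokens = tokens[:tokens.index("time-range")]
    action, fields = tokens[2], tokens[3:]
    if len(fields) % 3:
        raise ValueError("expected pattern/mask/offset triples")
    triples = []
    for i in range(0, len(fields), 3):
        pattern, mask = bytes.fromhex(fields[i]), bytes.fromhex(fields[i + 1])
        if len(pattern) != len(mask):
            raise ValueError("pattern and mask lengths differ")
        triples.append((pattern, mask, int(fields[i + 2])))
    return action, triples

def matches(frame, triples):
    """True when every masked pattern equals the masked frame bytes at its offset."""
    for pattern, mask, offset in triples:
        window = frame[offset:offset + len(pattern)]
        if len(window) < len(pattern):         # frame too short to hold the field
            return False
        if any((w & m) != (p & m) for w, p, m in zip(window, pattern, mask)):
            return False
    return True

def arp_frame(sender_ip, tags=1):
    """Constructed ARP request carrying `tags` 802.1Q tags (VLAN 10); sample data only."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    vlan = struct.pack("!HH", 0x8100, 10) * tags
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)    # htype, ptype, hlen, plen, oper
           + src + bytes(sender_ip)                      # sender MAC, sender IP
           + b"\x00" * 6 + bytes([192, 168, 0, 254]))    # target MAC, target IP
    return dst + src + vlan + struct.pack("!H", 0x0806) + arp

if __name__ == "__main__":
    action, triples = parse_rule(RULE)
    for label, frame in [("192.168.0.1, one tag", arp_frame([192, 168, 0, 1])),
                         ("192.168.0.2, one tag", arp_frame([192, 168, 0, 2])),
                         ("192.168.0.1, two tags", arp_frame([192, 168, 0, 1], tags=2))]:
        print(label, "->", action if matches(frame, triples) else "no match")
```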

1.5.5 Example for Applying an ACL to a VLAN

I. Network requirements
PC 1, PC 2 and PC 3 belong to VLAN 10 and connect to the switch through Ethernet
1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 respectively. The IP address of the database
server is 192.168.1.2. Apply an ACL to deny packets from PCs in VLAN 10 to the
database server from 8:00 to 18:00 on working days.
Chapter 1 ACL Configuration
