F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Command Reference-6PW100
Table 4 Match criteria and other rule information for IPv4 advanced ACL rules

| Parameters | Function | Description |
|---|---|---|
| source { source-address source-wildcard \| any } | Specifies a source address | The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
| destination { dest-address dest-wildcard \| any } | Specifies a destination address | The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
| counting | Counts the number of times the ACL rule has been matched. This option is disabled by default. | N/A |
| precedence precedence | Specifies an IP precedence value | The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
| tos tos | Specifies a ToS preference | The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
| dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
| logging | Logs matching packets | This function requires that the module that uses the ACL supports logging. |
| reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
| vpn-instance vpn-instance-name | Applies the rule to packets in a VPN instance | The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets. |
| fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
| time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. |
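
The following Python sketch is an added example, not part of the HP command reference. It shows how a source or destination address with a wildcard mask selects packets, and how to audit a rule for the address range it really covers. It assumes the usual wildcard convention (a 1 bit in the wildcard means "ignore this bit"); the function names and sample specifications are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Constructed sample specifications in the table's "address wildcard | any" form.
SAMPLE_SPECS = ["10.1.1.7 0.0.0.0", "192.168.5.77 0.0.0.255",
                "10.0.0.1 0.255.255.0", "any"]

def _ip(dotted):
    """Dotted decimal string to a 32-bit integer (rejects malformed input)."""
    return int(ipaddress.IPv4Address(dotted))

def parse_spec(spec):
    """Turn 'any' or 'address wildcard' into an (address, wildcard) integer pair."""
    if spec.strip() == "any":
        return 0, ALL_ONES          # every bit ignored
    address, wildcard = spec.split()
    return _ip(address), _ip(wildcard)

def matches(packet_ip, spec):
    """True when packet_ip agrees with the rule address on every bit
    the wildcard does not ignore (wildcard bit 0 = compare, 1 = ignore)."""
    address, wildcard = parse_spec(spec)
    care = ~wildcard & ALL_ONES
    return (_ip(packet_ip) & care) == (address & care)

def classify(spec):
    """Describe what the specification covers, for rule review."""
    address, wildcard = parse_spec(spec)
    if wildcard == 0:
        return f"host {ipaddress.IPv4Address(address)}"
    if wildcard == ALL_ONES:
        return "any"
    if wildcard & (wildcard + 1) == 0:
        # Ignored bits form one run at the low end: equivalent to a prefix.
        prefix = 32 - wildcard.bit_length()
        network = address & ~wildcard & ALL_ONES
        return f"prefix {ipaddress.IPv4Address(network)}/{prefix}"
    # Ignored bits are scattered: no single prefix describes the match set.
    return f"non-contiguous, {2 ** bin(wildcard).count('1')} addresses"

if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        print(f"{spec:28} -> {classify(spec)}")
```

A non-contiguous wildcard such as the third sample matches one host address in each of 65536 subnets, which is easy to misread as a single /8 or a single host during a rule review.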