R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
To do: Set the rule numbering step
Use the command: step step-value
Remarks: Optional. 5 by default.

To do: Create or edit a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
Remarks: Required. By default, an IPv4 advanced ACL does not contain any rule. Support for the counting keyword depends on the device model. The logging keyword takes effect only when the module (for example, a firewall) using the ACL supports logging.

To do: Add or edit a rule comment
Use the command: rule rule-id comment text
Remarks: Optional. By default, an IPv4 advanced ACL rule has no rule description.
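The following CLI session is an added example, not taken from the guide, showing how the step, rule and rule comment commands above combine into a small IPv4 advanced ACL that permits SSH from one subnet and logs everything else that reaches it. The ACL number 3000, the name, the 10.0.100.0/24 management subnet and the comment texts are assumed for illustration; with step set to 10, the two rules entered without an explicit rule-id receive IDs 0 and 10, which the comment commands then reference.

```text
# Added example (not from the guide): IPv4 advanced ACL with explicit
# numbering step, one permit rule, a logged deny-all, and rule comments.
# ACL number, name, addresses and comment text are assumed values.
<Firewall> system-view
[Firewall] acl number 3000 name mgmt-in match-order config
[Firewall-acl-adv-3000] step 10
[Firewall-acl-adv-3000] rule permit tcp source 10.0.100.0 0.0.0.255 destination any destination-port eq 22
[Firewall-acl-adv-3000] rule 0 comment Allow SSH from the assumed management subnet
[Firewall-acl-adv-3000] rule deny ip logging
[Firewall-acl-adv-3000] rule 10 comment Explicit deny-all with logging for visibility into dropped traffic
[Firewall-acl-adv-3000] quit
```

The final deny rule carries the logging keyword; as the remarks above note, log entries are only produced when the module that applies this ACL (here, the firewall) supports logging, so verify that behaviour on the target model before relying on these logs for detection.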
Configuring an Ethernet frame header ACL
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol
header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
Follow these steps to configure an Ethernet frame header ACL:
To do: Enter system view
Use the command: system-view
Remarks: ––

To do: Create an Ethernet frame header ACL and enter its view
Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. By default, no ACL exists. Ethernet frame header ACLs are numbered in the range 4000 to 4999. You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL.

To do: Configure a description for the Ethernet frame header ACL
Use the command: description text
Remarks: Optional. By default, an Ethernet frame header ACL has no ACL description.
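The session below is an added example, not from the guide, that walks through the three steps in the table: entering system view, creating a named Ethernet frame header ACL in the 4000 to 4999 range with config-order matching, and attaching a description, then re-entering the ACL by name. The number 4000, the name l2-edge and the description text are assumed values.

```text
# Added example (not from the guide): create a named Ethernet frame header
# ACL, describe it, and re-enter its view by name. Number, name and
# description text are assumed values.
<Firewall> system-view
[Firewall] acl number 4000 name l2-edge match-order config
[Firewall-acl-ethernetframe-4000] description Layer 2 filter for the assumed edge VLAN
[Firewall-acl-ethernetframe-4000] quit
[Firewall] acl name l2-edge
[Firewall-acl-ethernetframe-4000] quit
```

Choosing match-order config keeps the rules in the order they are entered, which makes the ACL easier to audit against the change record; a description stating the ACL's purpose serves the same end when the rule set is reviewed later.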