R3721-F3210-F3171-HP High-End Firewalls Access Control Command Reference-6PW101
| Parameters | Function | Description |
|---|---|---|
| reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
| vpn-instance vpn-instance-name | Applies the rule to packets in a VPN instance | The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets. |
| fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
| time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range. |
NOTE:
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword
takes effect.
If the protocol argument takes tcp (6) or udp (7), you can set the parameters shown in Table 6.
Table 6 TCP/UDP-specific parameters for IPv4 advanced ACL rules
| Parameters | Function | Description |
|---|---|---|
| source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
| destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports | |
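The port operators, the TCP/UDP port keywords and the fragment keyword described in the tables above, worked through as an added Python example. This is not H3C code: the Rule and Packet model, the first-match evaluation order of the rule list, and the treatment of a non-first fragment as carrying no port numbers are assumptions made for the example, and the rules and packets are constructed.

```python
# Added example (not H3C code): evaluates the "operator port1 [ port2 ]" clauses,
# the port keywords and the fragment keyword from the ACL rule tables against
# constructed packets.
from dataclasses import dataclass
from typing import List, Optional

# Port keywords exactly as listed in Table 6 (the TCP and UDP keyword sets differ).
TCP_PORT_NAMES = {
    "chargen": 19, "bgp": 179, "cmd": 514, "daytime": 13, "discard": 9,
    "domain": 53, "echo": 7, "exec": 512, "finger": 79, "ftp": 21,
    "ftp-data": 20, "gopher": 70, "hostname": 101, "irc": 194, "klogin": 543,
    "kshell": 544, "login": 513, "lpd": 515, "nntp": 119, "pop2": 109,
    "pop3": 110, "smtp": 25, "sunrpc": 111, "tacacs": 49, "talk": 517,
    "telnet": 23, "time": 37, "uucp": 540, "whois": 43, "www": 80,
}
UDP_PORT_NAMES = {
    "biff": 512, "bootpc": 68, "bootps": 67, "discard": 9, "dns": 53,
    "dnsix": 90, "echo": 7, "mobilip-ag": 434, "mobilip-mn": 435,
    "nameserver": 42, "netbios-dgm": 138, "netbios-ns": 137,
    "netbios-ssn": 139, "ntp": 123, "rip": 520, "snmp": 161, "snmptrap": 162,
    "sunrpc": 111, "syslog": 514, "tacacs-ds": 65, "talk": 517, "tftp": 69,
    "time": 37, "who": 513, "xdmcp": 177,
}


def resolve_port(proto: str, token: str) -> int:
    """Map a port keyword or numeric string to a port number in 0..65535."""
    names = TCP_PORT_NAMES if proto == "tcp" else UDP_PORT_NAMES
    if token in names:
        return names[token]
    port = int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


@dataclass
class PortMatch:
    operator: str                 # lt, gt, eq, neq or range
    port1: int
    port2: Optional[int] = None   # only used by range (inclusive)

    def matches(self, port: int) -> bool:
        if self.operator == "lt":
            return port < self.port1
        if self.operator == "gt":
            return port > self.port1
        if self.operator == "eq":
            return port == self.port1
        if self.operator == "neq":
            return port != self.port1
        if self.operator == "range":
            return self.port1 <= port <= self.port2
        raise ValueError(f"unknown operator: {self.operator}")


def parse_port_match(proto: str, tokens: List[str]) -> PortMatch:
    """Parse 'operator port1 [ port2 ]'; port2 is accepted only with range."""
    op = tokens[0]
    if op == "range":
        if len(tokens) != 3:
            raise ValueError("range needs port1 and port2")
        p1, p2 = resolve_port(proto, tokens[1]), resolve_port(proto, tokens[2])
        if p1 > p2:
            raise ValueError("range: port1 must not exceed port2")
        return PortMatch(op, p1, p2)
    if op not in ("lt", "gt", "eq", "neq") or len(tokens) != 2:
        raise ValueError(f"bad port clause: {' '.join(tokens)}")
    return PortMatch(op, resolve_port(proto, tokens[1]))


@dataclass
class Rule:
    action: str                              # permit or deny
    proto: str                               # tcp or udp
    source_port: Optional[PortMatch] = None
    destination_port: Optional[PortMatch] = None
    fragment: bool = False                   # match only non-first fragments


@dataclass
class Packet:
    proto: str
    sport: Optional[int]          # None models a non-first fragment (no L4 header)
    dport: Optional[int]
    non_first_fragment: bool = False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.proto != rule.proto:
        return False
    # fragment keyword: the rule applies only to non-first fragments; without
    # it the rule applies to all fragments and non-fragments.
    if rule.fragment and not pkt.non_first_fragment:
        return False
    # Assumption of this model: a port condition cannot match a packet that
    # carries no transport header.
    for cond, port in ((rule.source_port, pkt.sport), (rule.destination_port, pkt.dport)):
        if cond is not None and (port is None or not cond.matches(port)):
            return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first matching rule in list order (assumed order), or None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# Constructed rule list, mirroring clauses of the form
#   permit tcp destination-port eq www
#   deny udp source-port range 137 netbios-ssn
#   deny tcp fragment
RULES = [
    Rule("permit", "tcp", destination_port=parse_port_match("tcp", ["eq", "www"])),
    Rule("deny", "udp", source_port=parse_port_match("udp", ["range", "137", "netbios-ssn"])),
    Rule("deny", "tcp", fragment=True),
]

if __name__ == "__main__":
    print(first_match(RULES, Packet("tcp", 40000, 80)))                            # permit
    print(first_match(RULES, Packet("udp", 138, 53)))                              # deny
    print(first_match(RULES, Packet("tcp", None, None, non_first_fragment=True)))  # deny
```

Resolving keywords per protocol matters because the two keyword sets overlap only partly (for example, www is a TCP keyword and biff a UDP keyword), and because a port2 that precedes port1 in a range clause would otherwise silently match nothing.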