R3102-R3103-HP 6600/HSR6600 Routers Security Command Reference
mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is
a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer
in the range of 0 to 32.
tcp tcp-port-number [ to tcp-port-number ]: Specifies a range of TCP port numbers. The value range for the
tcp-port-number argument is 0 to 65535.
udp udp-port-number [ to udp-port-number ]: Specifies a range of UDP port numbers. The value range for
the udp-port-number argument is 0 to 65535.
interface interface-type interface-number: Specifies a source interface.
mac mac-address: Specifies a source MAC address in the format H-H-H.
vlan vlan-id: Specifies a source VLAN ID.
all: Specifies all portal-free rules.
Usage guidelines
If you specify both a source IP address and a source MAC address in a portal-free rule, the IP address
must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.
If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN.
Otherwise, the rule does not take effect.
If you specify both a source port number and a destination port number for a portal-free rule, the source
and destination port numbers must belong to the same transport layer protocol.
You cannot configure a portal-free rule that has the same filtering criteria as an existing rule. If you
attempt to do so, the system prompts that the rule already exists.
Regardless of whether portal authentication is enabled on an interface, you can only add or remove a
portal-free rule. You cannot modify it.
A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free
rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
The following matrix shows the vlan vlan-id option and router compatibility:
Keyword        6602    HSR6602    6604/6608/6616
vlan vlan-id   No      No         Yes if the SAP interface module is configured.
Examples
# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24, source
interface is GigabitEthernet 3/0/1, and destination port number is within the range of 8042 to 8050 to
bypass portal authentication.
<Sysname> system-view
[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface gigabitethernet 3/0/1 destination ip any udp 8042 to 8050
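The following Python check is an added example, not part of the HP reference: it applies the usage guidelines above to saved portal free-rule lines and reports rules whose criteria do not take effect or duplicate an earlier rule. It assumes the keyword layout of the example above, treats a different keyword order or mask notation as the same criteria, and skips the VLAN/interface membership guideline because that needs device state. Rules 16 to 18 and the MAC address are constructed sample values.

```python
import ipaddress

def parse_rule(line):  # -> (rule number, source criteria, destination criteria)
    tok = line.split()
    if tok[:2] != ["portal", "free-rule"]:
        raise ValueError("not a portal free-rule line")
    sides, side, i = {"source": {}, "destination": {}}, None, 3
    while i < len(tok):
        t = tok[i]
        if t in sides:
            side, i = sides[t], i + 1
        elif side is None:
            raise ValueError(f"{t!r} appears before source/destination")
        elif t == "any":                      # 'source any' form (assumed)
            side["ip"], i = "any", i + 1
        elif t == "interface":                # interface-type interface-number
            side[t], i = (tok[i + 1].lower(), tok[i + 2]), i + 3
        elif t in ("tcp", "udp"):             # port [ to port ]
            ranged = tok[i + 2:i + 3] == ["to"]
            side["port"] = (t, int(tok[i + 1]), int(tok[i + 3 if ranged else i + 1]))
            i += 4 if ranged else 2
        else:                                 # ip, mask, mac, vlan take one value
            side[t], i = tok[i + 1].lower(), i + 2
    return int(tok[2]), sides["source"], sides["destination"]

def lint(lines):  # -> list of (rule number, finding)
    findings, seen = [], {}
    for line in lines:
        n, src, dst = parse_rule(line)
        for side in (src, dst):
            if "mask" in side:                # mask length or dotted mask -> length
                side["mask"] = ipaddress.ip_network("0.0.0.0/" + side["mask"]).prefixlen
            if not all(0 <= p <= 65535 for p in side.get("port", ("", 0))[1:]):
                findings.append((n, "port outside 0-65535"))
        if "mac" in src and src.get("ip", "any") != "any" and src.get("mask") != 32:
            findings.append((n, "MAC ignored: source IP is not a /32 host"))
        if "port" in src and "port" in dst and src["port"][0] != dst["port"][0]:
            findings.append((n, "source and destination ports differ in protocol"))
        key = repr((sorted(src.items()), sorted(dst.items())))
        if key in seen:
            findings.append((n, f"same criteria as rule {seen[key]}"))
        seen.setdefault(key, n)
    return findings

CONSTRUCTED = [  # rule 15 is the example above; rules 16-18 are constructed
    "portal free-rule 15 source ip 10.10.10.1 mask 24 interface gigabitethernet 3/0/1 destination ip any udp 8042 to 8050",
    "portal free-rule 16 source ip 10.10.10.7 mask 255.255.255.0 mac 0015-e9a6-7cfe destination ip any",
    "portal free-rule 17 source ip 10.10.10.9 mask 32 tcp 1024 destination ip any udp 53",
    "portal free-rule 18 source interface GigabitEthernet 3/0/1 ip 10.10.10.1 mask 255.255.255.0 destination ip any udp 8042 to 8050",
]
```

Calling lint(CONSTRUCTED) flags rule 16 (MAC paired with a 24-bit mask), rule 17 (TCP source port with UDP destination port) and rule 18 (same criteria as rule 15).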
Related commands
display portal free-rule
portal max-user
Use portal max-user to set the maximum number of online portal users allowed in the system.