3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Configuring Transparent Firewall
unknown MAC address. The transparent firewall saves the mapping between the MAC address and the interface after receiving the ARP response packet.

Floods the ARP request packet to the interfaces in a specific security zone other than the interface receiving the packet. The transparent firewall saves the mapping between the MAC address and the interface after receiving the ARP response packet.
Perform the following configuration in system view.

Table 114 Configure handling approach for the packets with unknown MAC address

Operation: Configure handling approach for unicast IP packets, multicast and broadcast packets with unknown MAC address
Command: firewall unknown-mac { drop | flood }

Operation: Configure handling approach for the unicast IP packets with unknown MAC address
Command: firewall unknown-mac [ unicast ] { drop | arp | flood }

Operation: Configure handling approach for IP broadcast and multicast packets
Command: firewall unknown-mac { broadcast | multicast } { drop | flood }

Operation: Restore the default handling approach for the packets with unknown MAC address
Command: undo firewall unknown-mac [ unicast | broadcast | multicast ]

By default, the firewall handles IP unicast packets in arp mode, and IP broadcast and multicast packets in drop mode.

Configuring MAC Address-Based ACLs

You can configure MAC address-based ACLs, whose IDs are in the range of 4,000 to 4,999.

Perform the following configuration in specified views.

Table 115 Configure MAC address-based ACLs

Operation: Configure a MAC address-based ACL and enter the corresponding view (system view)
Command: acl number acl-number

Operation: Delete the existing ACL
Command: undo acl { number acl-number | all }

Operation: Define a MAC address-based ACL rule (ACL view)
Command: rule [ rule-id ] { permit | deny } [ type type-code type-wildcard | lsap lsap-code lsap-wildcard ] [ source-mac sour-addr source-wildcard ] [ dest-mac dest-addr dest-wildcard ] [ time-range time-name ] [ logging ]

Operation: Delete the existing ACL rule
Command: undo rule rule-id [ time-range time-name ] [ logging ]

By default, no MAC-address ACL is defined.

Applying MAC Address-Based ACL to the Interface

Perform the following configuration in interface view.

Table 116 Apply MAC address-based ACL to the interface

Operation: Apply the MAC address-based ACL to the interface
Command: firewall ethernet-frame-filter acl-number { inbound | outbound }
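
The following is an added example, not part of the 3Com guide: a small offline check that reads a configuration text and reports the effective unknown-MAC handling per packet class and any ethernet-frame-filter that references an ACL outside 4000 to 4999 or one that was never defined. The function name audit, the one-command-per-line input format and the sample configuration are assumptions made for illustration; it also assumes that drop or flood given without a class keyword applies to all three classes, as the first row of Table 114 states.

```python
import re

# Defaults stated in the guide: unicast -> arp, broadcast and multicast -> drop.
DEFAULTS = {"unicast": "arp", "broadcast": "drop", "multicast": "drop"}
UNKNOWN_MAC = re.compile(r"(undo )?firewall unknown-mac"
                         r"(?: (unicast|broadcast|multicast))?(?: (drop|arp|flood))?")
ACL_DEF = re.compile(r"acl number (\d+)")
FILTER = re.compile(r"firewall ethernet-frame-filter (\d+) (inbound|outbound)")

def audit(config):
    """Return (effective unknown-MAC modes, list of findings) for a config text."""
    modes, defined, applied, findings = dict(DEFAULTS), set(), [], []
    for n, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())          # normalise indentation and spacing
        if m := UNKNOWN_MAC.fullmatch(line):
            undo, cls, mode = m.groups()
            # Assumption: without a class keyword, drop/flood sets all three
            # classes (first row of Table 114); arp only ever applies to unicast.
            classes = [cls] if cls else ["unicast"] if mode == "arp" else list(DEFAULTS)
            if bool(undo) == bool(mode) or (mode == "arp" and cls not in (None, "unicast")):
                findings.append(f"line {n}: not a valid unknown-mac command")
                continue
            for c in classes:
                modes[c] = DEFAULTS[c] if undo else mode
        elif m := ACL_DEF.fullmatch(line):
            defined.add(int(m.group(1)))
        elif m := FILTER.fullmatch(line):
            applied.append((n, int(m.group(1))))
    for n, acl in applied:
        if not 4000 <= acl <= 4999:           # MAC address-based ACL ID range
            findings.append(f"line {n}: ACL {acl} is not a MAC address-based ACL")
        elif acl not in defined:
            findings.append(f"line {n}: ACL {acl} is applied but never defined")
    for c, mode in modes.items():
        if mode == "flood":
            findings.append(f"{c}: unknown-MAC packets flooded (default {DEFAULTS[c]})")
    return modes, findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
firewall unknown-mac multicast flood
firewall unknown-mac broadcast arp
acl number 4001
firewall ethernet-frame-filter 4001 inbound
firewall ethernet-frame-filter 3000 outbound
firewall ethernet-frame-filter 4002 inbound
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Lines the check does not recognise, such as rule definitions, are ignored rather than validated.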