mac

Commands for Self-defined ACL
[swindow1 <value> <mask>] [swindow2 <value> <mask>] [lwindow1 <value> <mask>] [lwindow2 <value> <mask>] [lwindow3 <value> <mask>] [lwindow4 <value> <mask>] [lwindow5 <value> <mask>] [lwindow6 <value> <mask>] [lwindow7 <value> <mask>] [lwindow8 <value> <mask>]
no userdefined-access-list <num>
Function: Create a numbered extended self-defined ACL. If the extended self-defined ACL already exists, the rule is added to that ACL. The no command deletes a numbered extended self-defined ACL.
Parameter: <num> is the access-list number, from 1300 to 1399 in decimal notation; deny: if the rules match, deny access; permit: if the rules match, permit access; untagged-eth2: format of an untagged Ethernet II packet; tagged-eth2: format of a tagged Ethernet II packet; untagged-802-3: format of an untagged Ethernet 802.3 packet; tagged-802-3: format of a tagged Ethernet 802.3 packet. cos and vlanId can be configured when tagged-eth2 or tagged-802-3 is configured. cos can be configured with <value> only (range 0-7), matching a single value, or with <mask> as well (range 0-7), matching multiple cos values together with <value>. vlanId can be configured with <value> only (range 1-4095), matching a single value, or with <mask> as well (range 0-4094), matching multiple vlanId values together with <value>. The <value> and <mask> of every swindow are 2 bytes long, in hexadecimal notation, and the <value> and <mask> of every lwindow are 4 bytes long, in hexadecimal notation.
Command Mode: Global Mode
Default: No access-list configured
Usage Guide: When a user specifies a given <num> for the first time, the ACL with that serial number is created and the rule is then added to it.
Example: Permit tagged-eth2 packets with any source MAC address and any destination MAC address whose first and second bytes from the start of L3 are 0x4501 and whose fourth byte from the start of L4 is 0xFF.
Switch(config)#userdefined-access-list extended offset swindow1 l3 0 swindow2 l4 1
Switch(config)#userdefined-access-list extended 1300 permit tagged-eth2 swindow1 4501 FFFF swindow2 00FF 00FF
Configure a rule in the same list to deny untagged-eth2 packets with any source MAC address and any destination MAC address; the rule matches the packets whose fifth and sixth bytes from the start of L3 are 0xFFAA.
Switch(config)#userdefined-access-list extended offset lwindow1 l3 1
Switch(config)#userdefined-access-list extended 1300 deny untagged-eth2 lwindow1 FFAA0000 FFFF0000
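The following Python model is an added example, not the vendor's code, showing how the two rules of ACL 1300 above evaluate against constructed frames. It assumes (the page does not state this) that window offsets count in window-size units (2 bytes per swindow, 4 per lwindow), as the page's own examples imply, that L4 starts after the IPv4 header, and that the first matching rule decides.

```python
import struct

# Assumptions (not on the page): offsets count in window-size units, L4 start is
# derived from the IPv4 IHL field, first matching rule wins.
WIDTH = {"swindow": 2, "lwindow": 4}

def frame_format(frame):
    """'tagged-eth2' if an 802.1Q tag follows the MAC addresses, else 'untagged-eth2'."""
    return "tagged-eth2" if frame[12:14] == b"\x81\x00" else "untagged-eth2"

def layer_start(frame, layer):
    """Byte index where L3 (IP header) or L4 (transport header) begins."""
    l3 = 18 if frame_format(frame) == "tagged-eth2" else 14
    return l3 if layer == "l3" else l3 + (frame[l3] & 0x0F) * 4   # IHL words -> bytes

def window_value(frame, kind, layer, index):
    """Integer value of the 2- or 4-byte window a rule inspects, None if out of range."""
    start = layer_start(frame, layer) + index * WIDTH[kind]
    chunk = frame[start:start + WIDTH[kind]]
    return int.from_bytes(chunk, "big") if len(chunk) == WIDTH[kind] else None

def rule_matches(frame, rule):
    """Frame format must match and every configured window must match under its mask."""
    if frame_format(frame) != rule["format"]:
        return False
    for kind, layer, index, value, mask in rule["windows"]:
        field = window_value(frame, kind, layer, index)
        if field is None or (field & mask) != (value & mask):
            return False
    return True

def acl_action(frame, acl):
    """Action of the first matching rule, or None when no rule matches."""
    return next((r["action"] for r in acl if rule_matches(frame, r)), None)

# ACL 1300 as configured on the page: swindow1 = l3 offset 0, swindow2 = l4 offset 1, lwindow1 = l3 offset 1.
ACL_1300 = [
    {"action": "permit", "format": "tagged-eth2",
     "windows": [("swindow", "l3", 0, 0x4501, 0xFFFF), ("swindow", "l4", 1, 0x00FF, 0x00FF)]},
    {"action": "deny", "format": "untagged-eth2",
     "windows": [("lwindow", "l3", 1, 0xFFAA0000, 0xFFFF0000)]},
]

def build_frame(tagged, ip_id, dport):
    """Constructed Ethernet II / IPv4 / TCP frame (sample data, not captured traffic)."""
    macs = bytes(range(6)) + bytes(range(6, 12))
    tag = struct.pack("!HH", 0x8100, 0x0001) if tagged else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x01, 40, ip_id, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return macs + tag + struct.pack("!H", 0x0800) + ip + struct.pack("!HH", 1234, dport)
```

A tagged frame with IP header bytes 0x45 0x01 and a TCP destination port whose low byte is 0xFF is permitted by the first rule; an untagged frame whose IP identification field is 0xFFAA is denied by the second.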