3Com 4500 26-PORT Switch User Manual

ACL Commands List 189
a number which ranges from 0 to 255; code represents the ICMP code, which appears only when the protocol is "icmp" and the message type was given as a number rather than by name, and ranges from 0 to 255.
established: Appears only when the protocol is TCP. Matches TCP packets that belong to an already established connection, that is, packets with the ACK or RST flag set; the initial SYN of a new connection does not match. It is normally used to permit the return traffic of sessions initiated from the protected side while still denying inbound connection attempts.
precedence precedence: IP precedence, given as a name or a number ranging from 0 to 7.
tos tos: ToS (Type of Service) value, given as a name or a number ranging from 0 to 15. Packets can be classified according to their ToS value.
dscp dscp: DSCP (Differentiated Services Code Point) value, given as a name or a number ranging from 0 to 63. Packets can be classified according to their DSCP value.
fragment: Means this rule applies only to fragmented packets and is ignored for non-fragmented packets. Note that only the first fragment of an IP packet carries the TCP or UDP header, so port-based conditions cannot be checked against the remaining fragments.
Parameters specific to Layer 2 ACL:
source { source-vlan-id | source-mac-addr source-mac-wildcard }*: The source information of a packet. source-vlan-id represents the source VLAN of the packet; source-mac-addr source-mac-wildcard represents the source MAC address of the packet. For example, if you set source-mac-wildcard to 0-0-ffff, only the last 16 bits of the source MAC address are used for traffic classification.
dest { dest-vlan-id | dest-mac-addr dest-mac-wildcard }*: The destination information of a packet. dest-vlan-id represents the destination VLAN of the packet; dest-mac-addr dest-mac-wildcard represents the destination MAC address of the packet. For example, if you set dest-mac-wildcard to 0-0-ffff, only the last 16 bits of the destination MAC address are used for traffic classification.
type protocol-type protocol-type-mask: Protocol type (EtherType) carried by the Ethernet frame, with protocol-type-mask selecting the bits to compare in the same way as a MAC wildcard.
lsap lsap-type lsap-type-mask: LSAP type carried by the Ethernet frame (802.2 LLC frames), with lsap-type-mask selecting the bits to compare in the same way.
The parameter for user-defined ACL:
{ rule-string rule-mask offset }&<1-8>: rule-string is a user-defined rule string of 2 to 80 characters; it is a hexadecimal string with an even number of digits. rule-mask offset is used to extract the packet information: rule-mask is the rule mask, which is ANDed bit by bit with the packet data, and offset is the number of bytes from the start of the packet header at which the AND operation begins. rule-mask offset thus extracts a byte string from the packet, which is compared with the user-defined rule-string; packets whose masked bytes equal rule-string are matched and processed. &<1-8> indicates that you can define up to 8 such rule-string rule-mask offset groups in one command. This parameter is used only for user-defined ACLs.
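As an added example (not from the 3Com manual or the switch software), the following Python models how a user-defined ACL subrule is evaluated: the packet bytes at offset are ANDed with rule-mask and compared with rule-string, and the up to 8 groups of one subrule are treated here as all having to match, which is an assumption about how the groups combine. The same AND-then-compare idea is applied to source-mac-wildcard / dest-mac-wildcard from the Layer 2 ACL parameters above, following the manual's statement that a wildcard of 0-0-ffff selects the last 16 bits. The frames, function names and the UserRule type are constructed for this example and are not part of the switch command set.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class UserRule:
    """One rule-string / rule-mask / offset group of a user-defined ACL subrule (example type)."""
    rule_string: bytes   # value the masked packet bytes must equal
    rule_mask: bytes     # bits set to 1 are compared, bits set to 0 are ignored
    offset: int          # byte offset from the start of the packet header


def parse_hex_field(text: str, name: str) -> bytes:
    """Enforce the manual's constraints: 2 to 80 hexadecimal characters, even length."""
    if not 2 <= len(text) <= 80 or len(text) % 2:
        raise ValueError(f"{name} must be 2..80 hexadecimal characters of even length")
    try:
        return bytes.fromhex(text)
    except ValueError:
        raise ValueError(f"{name} is not a hexadecimal string") from None


def make_rule(rule_string: str, rule_mask: str, offset: int) -> UserRule:
    rs = parse_hex_field(rule_string, "rule-string")
    rm = parse_hex_field(rule_mask, "rule-mask")
    if len(rs) != len(rm):
        raise ValueError("rule-string and rule-mask must have the same length")
    if offset < 0:
        raise ValueError("offset must not be negative")
    return UserRule(rs, rm, offset)


def group_matches(packet: bytes, rule: UserRule) -> bool:
    """AND the packet bytes at offset with rule-mask and compare with rule-string.
    A packet too short to cover the whole window cannot match."""
    end = rule.offset + len(rule.rule_mask)
    if len(packet) < end:
        return False
    window = packet[rule.offset:end]
    masked = bytes(p & m for p, m in zip(window, rule.rule_mask))
    return masked == rule.rule_string


def subrule_matches(packet: bytes, rules: list[UserRule]) -> bool:
    """A subrule carries 1..8 groups; assumed here to require every group to match."""
    if not 1 <= len(rules) <= 8:
        raise ValueError("a subrule carries between 1 and 8 rule-string groups")
    return all(group_matches(packet, r) for r in rules)


def parse_mac(text: str) -> bytes:
    """Parse the H-H-H notation used on the switch (e.g. 0-0-ffff, 00e0-fc12-3456)."""
    groups = text.split("-")
    if len(groups) != 3:
        raise ValueError("MAC must have three groups separated by '-'")
    return b"".join(int(g, 16).to_bytes(2, "big") for g in groups)


def mac_matches(mac: str, rule_mac: str, wildcard: str) -> bool:
    """Compare only the bits set in the wildcard, as the manual describes for 0-0-ffff."""
    m, r, w = parse_mac(mac), parse_mac(rule_mac), parse_mac(wildcard)
    return all((a & c) == (b & c) for a, b, c in zip(m, r, w))


# Constructed sample frames (not captured traffic): a 14-byte Ethernet header followed by
# an IPv4 header (protocol 6 = TCP at IP byte 9, i.e. frame offset 23) and an ARP header.
IPV4_TCP_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                    # dst MAC, src MAC, EtherType IPv4
    "4500003c1c46400040" "06" "b1e6c0a80001c0a800c7"        # IPv4 header, version 4, proto TCP
)
ARP_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0806"                    # dst MAC, src MAC, EtherType ARP
    "0001080006040001" "66778899aabb" "c0a80001" "000000000000" "c0a800c7"
)

# Two rule groups in one subrule: EtherType == IPv4 and IP protocol == TCP.
MATCH_IPV4_TCP = [make_rule("0800", "ffff", 12), make_rule("06", "ff", 23)]
# A single group whose mask keeps only the IP version nibble (0x45 & 0xf0 == 0x40).
MATCH_IP_VERSION_4 = [make_rule("40", "f0", 14)]

if __name__ == "__main__":
    print(subrule_matches(IPV4_TCP_FRAME, MATCH_IPV4_TCP))      # True
    print(subrule_matches(ARP_FRAME, MATCH_IPV4_TCP))           # False
    print(mac_matches("6677-8899-aabb", "0-0-aabb", "0-0-ffff"))  # True
```

The mask is what gives user-defined rules their power and their risk: a rule whose mask is all ones at the EtherType offset is exact, while a short or sparse mask silently widens the match, so check each group's mask against the packet layout you intend to classify before applying the ACL to production traffic.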
Description
Use the rule command to add a subrule to an ACL.
Use the undo rule command to remove a subrule from an ACL.