Configuring an Ethernet frame header ACL – H3C Technologies H3C SecPath F1000-E User Manual

Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv6 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging.

Step 6. Configure or edit a rule description.
  Command: rule rule-id comment text
  Remarks: Optional. By default, an IPv6 advanced ACL rule has no rule description.

Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
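
As an added illustration (not from the H3C manual), this Python example extracts from a raw frame the header fields named above that a Layer 2 ACL matches on, including the case where no 802.1Q tag (and so no 802.1p priority) is present. The function names, the returned keys and the sample frames are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q VLAN tag
MIN_ETHERTYPE = 0x0600   # smaller values in this field are an 802.3 length

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_l2_header(frame: bytes) -> dict:
    """Extract the fields a Layer 2 ACL matches on (hypothetical helper)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header (14 bytes)")
    dst, src = frame[0:6], frame[6:12]
    (type_len,) = struct.unpack("!H", frame[12:14])
    priority = vlan = None            # untagged frames carry no 802.1p value
    if type_len == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_len = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13          # PCP: top 3 bits of the tag control field
        vlan = tci & 0x0FFF           # VLAN ID: low 12 bits
    return {
        "dst_mac": mac(dst),
        "src_mac": mac(src),
        "priority": priority,
        "vlan": vlan,
        # A value below 0x0600 is a frame length, not a protocol type.
        "ethertype": type_len if type_len >= MIN_ETHERTYPE else None,
    }

# Constructed sample frames (locally administered MACs, payload omitted).
HDR = bytes.fromhex("020000000001" "020000000002")
TAGGED = HDR + bytes.fromhex("8100" "a064" "0800")   # priority 5, VLAN 100, IPv4
UNTAGGED = HDR + bytes.fromhex("86dd")               # IPv6, no VLAN tag

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        print(name, parse_l2_header(frame))
```
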
To configure an Ethernet frame header ACL:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an Ethernet frame header ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. Ethernet frame header ACLs are numbered in the range 4000 to 4999. You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL.

Step 3. Configure a description for the Ethernet frame header ACL.
  Command: description text
  Remarks: Optional. By default, an Ethernet frame header ACL has no ACL description.

Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: Optional. 5 by default.