Packet filtering with acls, Applying an ipv4 acl for packet filtering – H3C Technologies H3C SecBlade NetStream Cards User Manual
CAUTION:
• ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.
• After you modify an IPv4 ACL with ACL acceleration enabled, disable and re-enable ACL acceleration to ensure correct rule matching.
Packet filtering with ACLs
You can use an ACL to filter incoming or outgoing IPv4 packets.
With a basic or advanced ACL, you can log filtering events by specifying the logging keyword in the ACL
rules and enabling the counting function. To enable counting for rule matches performed in hardware,
specify the counting keyword in the ACL rules.
You can set the packet filter to periodically send packet filtering logs to the information center as
informational messages. The interval for generating and outputting packet filtering logs is configurable.
The log information includes the number of matching packets and the ACL rules used in an interval. For
more information about the information center, see the System Management and Maintenance
Configuration Guide.
NOTE:
ACLs on VLAN interfaces filter only packets forwarded at Layer 3.
Applying an IPv4 ACL for packet filtering
1. Configuring IPv4 ACL-based packet filtering
You can use the host device to generate comprehensive log data for the packets that match the ACL.
Follow these steps to apply an IPv4 ACL for packet filtering:
Step 1: Enter system view.
    system-view

Step 2: Enter interface view.
    interface interface-type interface-number

Step 3: Apply an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL to the interface to filter packets.
    On a distributed device:
    packet-filter { acl-number | name acl-name } { inbound [ logging-slot slot-number ] | outbound }
    On a distributed IRF member device:
    packet-filter { acl-number | name acl-name } { inbound [ chassis chassis-number logging-slot slot-number ] | outbound }
    Remarks: Required. By default, no ACL is applied to any interface.

Step 4: Exit to system view.
    quit

Step 5: Set the interval for generating and outputting IPv4 packet filtering logs.
    acl logging frequence frequence
    Remarks: Required. By default, the interval is 0 and no IPv4 packet filtering logs are generated.
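A complete configuration session that walks through the steps above, added here as an example and not taken from the manual. The ACL number 3000, the rule contents, the interface GigabitEthernet 1/0/1, logging slot 1 and the interval value 10 are assumed, and the rule lines use Comware's advanced ACL rule command (with the logging and counting keywords this page describes), which this page does not itself document.

```text
# Added example, not from the manual. Assumed values: ACL 3000, interface
# GigabitEthernet 1/0/1, logging slot 1, log interval 10.
<Device> system-view
[Device] acl number 3000
# Log and count inbound Telnet attempts (cleartext management protocol) before denying them
[Device-acl-adv-3000] rule 0 deny tcp destination-port eq 23 logging counting
# Count the permitted remainder so hardware match statistics are kept for it as well
[Device-acl-adv-3000] rule 5 permit ip counting
[Device-acl-adv-3000] quit
[Device] interface GigabitEthernet 1/0/1
# Filter inbound packets with ACL 3000; filtering logs are generated on slot 1
[Device-GigabitEthernet1/0/1] packet-filter 3000 inbound logging-slot 1
[Device-GigabitEthernet1/0/1] quit
# Without this step the interval stays at 0 and no packet filtering logs are produced
[Device] acl logging frequence 10
```

The periodic log entries then report the matching packet counts per rule to the information center; `display acl 3000` (Comware's ACL display command, not shown on this page) shows the same rule match counters on demand.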