
H3C Technologies H3C Intelligent Management Center User Manual

Page 862


11.

Select the time range you want to apply to this rule from the Time Range list you created in Step 7.

12.

Select the source IP address option you want to use by clicking the radio button to the left of the desired option in the Source Address field of the Add Rule page.
This option specifies where pattern matching occurs in this rule. In this case, the pattern matching is applied to the source IP address.

All: Permits or denies traffic from all source IP addresses.

IP Address/Mask: Specifies an IP address and subnet mask for which you want to permit or deny traffic.

a.

Enter an IP address/subnet mask combination in the IP Address/Mask field.

The subnet mask must be entered in dotted decimal notation. A valid IP address/subnet mask combination in dotted decimal notation is

192.168.1.0/255.255.255.0

A forward slash (/) must separate the IP address from the subnet mask.

13.

Do one of the following:

- Click the radio button to the left of Yes in the Fragment option if you want the rule to apply to every fragment, including non-first fragments.

- Click the radio button to the left of No in the Fragment option if you want the rule to apply to first fragments only.

Traditional packet filtering matched only the first fragment of an IPv4 packet and allowed all subsequent non-first fragments to pass. This created a security risk: an attacker can fabricate non-first fragments to carry traffic past the filter.

14.

Click the radio button to the left of Yes in the Logging option if you want to enable logging for this rule.
Packet filtering is logged only when the module that uses the ACL (for example, a firewall) supports logging.

15.

Enter the name of the VPN instance you want to apply to this rule in the VPN Instance field.
A valid name is 0 to 31 characters and cannot contain question marks or spaces. This field is case sensitive. If no VPN instance is specified, the rule applies only to non-VPN packets.

16.

Click OK to create the rule you have just configured or to accept the modifications to the existing
rule.
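The matching semantics configured in Steps 12 through 15 (source address with a dotted-decimal mask, the Fragment option, logging, and the VPN instance), evaluated in the first-match Config match order that Step 17 describes, as an added Python simulation. This is illustrative code written for this page, not IMC or Comware code; the packet model, the default permit for unmatched traffic, and the sample addresses are constructed assumptions.

```python
"""Simulation of how an ACL rule configured in Steps 12 through 15 matches traffic.
Constructed example for illustration; it is not IMC or Comware code, and the
default action and the packet model are assumptions (see comments)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Constructed packet model: only the fields the ACL rule looks at."""
    src: str
    frag_offset: int = 0                 # 0 for a first fragment or an unfragmented packet
    vpn_instance: Optional[str] = None   # None means the packet is not in a VPN instance

    @property
    def is_first_fragment(self) -> bool:
        return self.frag_offset == 0


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]      # None means the "All" option
    fragment: bool = False    # Yes: match every fragment; No: first fragments only
    logging: bool = False
    vpn_instance: Optional[str] = None           # None: rule applies to non-VPN packets only


def parse_source(text: str) -> Optional[ipaddress.IPv4Network]:
    """Parse the Source Address field: 'All', or 'a.b.c.d/m.m.m.m' with a
    dotted-decimal mask separated from the address by a forward slash."""
    if text.strip().lower() == "all":
        return None
    if "/" not in text:
        raise ValueError("a forward slash must separate the address from the mask")
    addr, mask = text.split("/", 1)
    if mask.count(".") != 3:
        raise ValueError("the subnet mask must be in dotted decimal notation")
    # strict=False tolerates host bits set in the address part
    return ipaddress.IPv4Network((addr.strip(), mask.strip()), strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.vpn_instance != pkt.vpn_instance:
        return False              # no VPN instance on the rule: non-VPN packets only
    if not rule.fragment and not pkt.is_first_fragment:
        return False              # Fragment=No: non-first fragments are never checked
    if rule.source is not None and ipaddress.IPv4Address(pkt.src) not in rule.source:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """Config match order: rules are tried in the order they appear and the
    first match decides. Unmatched traffic is permitted here; that default is
    an assumption of this simulation, not something the manual states."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            if rule.logging:
                log.append(f"rule {index}: {rule.action} src={pkt.src} "
                           f"frag_offset={pkt.frag_offset}")
            return rule.action
    return "permit"


def compare_fragment_handling() -> dict:
    """Show why the Fragment option matters: the same deny rule with Fragment=No
    lets a fabricated non-first fragment from the blocked range through."""
    blocked = parse_source("10.0.0.0/255.0.0.0")
    first_only = [Rule("deny", blocked, fragment=False, logging=True)]
    every_frag = [Rule("deny", blocked, fragment=True, logging=True)]
    # Constructed packets: a first fragment and a later fragment from 10.1.2.3
    first = Packet("10.1.2.3", frag_offset=0)
    later = Packet("10.1.2.3", frag_offset=185)
    log: List[str] = []
    return {
        "first_only/first": evaluate(first_only, first, log),
        "first_only/later": evaluate(first_only, later, log),
        "every_frag/later": evaluate(every_frag, later, log),
        "log_entries": len(log),
    }


if __name__ == "__main__":
    for key, value in compare_fragment_handling().items():
        print(f"{key}: {value}")
```

Running it shows the weakness the manual warns about: with Fragment set to No the deny rule stops the first fragment but the later fragment of the same datagram is permitted and never logged, while the same rule with Fragment set to Yes denies and logs both.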

17.

To add more rules, or to modify, copy, sort, optimize or delete existing rules, select one of the following:

- To add more rules to the ACL, repeat Steps 8-16.

- To copy rules you have already created, click the Copy icon associated with the rule sequence you want to copy. For more information about copying a rule set, see "Copying a rule in an ACL rule set."

- Rules that belong to a rule set configured with a Match Order of Config are evaluated in the order in which they appear in the rule set, and the first matching rule is applied. This order is initially defined by the order in which the rules are created. You can reorder the rules in a rule set using the Sort feature. For more information about using Sort to redefine the order of rules in a rule set, see "Using sort to reorder the rules in an ACL rule set."

- ACLs can have a profound effect on the performance of networks. ACL Management
automatically evaluates the effectiveness of rules and their effect on overall network