
3Com 5500-EI PWR - User-Defined ACL Configuration Example

User-defined ACL Configuration Example
Network requirements
As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1
and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through
the same gateway, which has an IP address of 192.168.0.1 (the IP address of
VLAN-interface 1).
Configure a user-defined ACL to deny all ARP packets from PC 1 that use the gateway IP
address as the source address from 8:00 to 18:00 every day.
Network diagram
Figure 1-6 Network diagram for user-defined ACL
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from
8:00 to 18:00 every day (provided that VLAN-VPN is not enabled on any port). In the ACL
rule, 0806 is the ARP protocol number, ffff is the mask of the rule, 16 is the protocol type
field offset of the internally processed Ethernet frame, c0a80001 is the hexadecimal form
of 192.168.0.1, and 32 is the source IP address field offset of the internally processed ARP
packet.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32 time-range test
# Apply ACL 5000 on Ethernet 1/0/1.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound user-group 5000
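
The following Python sketch is an added example, not part of the 3Com manual. It evaluates the value/mask/offset triples of rule 1 against constructed ARP frames to show why the offsets are 16 and 32 and why the rule depends on VLAN-VPN being disabled. It assumes the internally processed frame carries one 4-byte 802.1Q tag (inferred from the offsets being 4 bytes past the untagged positions 12 and 28); the function names, MAC address and target IP are hypothetical, and the time range is not modeled.

```python
import struct

def parse_rule(text):
    """Split 'value mask offset ...' into (value_bytes, mask_bytes, offset) triples."""
    tok = text.split()
    if len(tok) % 3:
        raise ValueError("expected value/mask/offset triples")
    triples = []
    for v, m, o in zip(tok[0::3], tok[1::3], tok[2::3]):
        value, mask = bytes.fromhex(v), bytes.fromhex(m)
        if len(value) != len(mask):
            raise ValueError("value and mask lengths differ")
        triples.append((value, mask, int(o)))
    return triples

def matches(frame, triples):
    """True when every masked field of the frame equals the masked rule value."""
    for value, mask, off in triples:
        field = frame[off:off + len(value)]
        if len(field) < len(value):
            return False  # frame too short to contain the field
        if any((f ^ v) & m for f, v, m in zip(field, value, mask)):
            return False
    return True

def arp_frame(sender_ip, vlan_tags=1):
    """Constructed ARP request carrying `vlan_tags` 802.1Q tags (VLAN 1)."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")  # constructed MACs
    tags = b"\x81\x00\x00\x01" * vlan_tags
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, oper
    arp += src + bytes(map(int, sender_ip.split(".")))  # sender MAC + sender IP
    arp += b"\x00" * 6 + bytes(map(int, "192.168.0.20".split(".")))  # target MAC + IP
    return dst + src + tags + b"\x08\x06" + arp

# Match fields of rule 1 from the configuration above (action and time range omitted).
RULE = parse_rule("0806 ffff 16 c0a80001 ffffffff 32")

if __name__ == "__main__":
    for ip, tags in [("192.168.0.1", 1), ("192.168.0.10", 1), ("192.168.0.1", 2)]:
        hit = matches(arp_frame(ip, tags), RULE)
        print(f"sender {ip:<13} tags={tags} -> {'deny' if hit else 'no match'}")
```

With a second tag in the frame, both fields sit 4 bytes further in, so the same rule no longer matches the spoofed gateway address.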
