1-24
Protocol
Protocol number
in hexadecimal
Offset when VLAN-VPN is
not enabled on any port
Offset when VLAN-VPN is
enabled on a port
RARP 0x8035 16 20
IP 0x0800 16 20
IPX 0x8137 16 20
AppleTalk 0x809B 16 20
ICMP 0x01 27 31
IGMP 0x02 27 31
TCP 0x06 27 31
UDP 0x11 27 31
Examples
# Create user-defined ACL 5000 and define rule 1 to deny all TCP packets (it is assumed that no port is
enabled with the VLAN-VPN function). In the following rule command line, 06 is the protocol number of
TCP, ff is the rule mask, and 27 is the offset of the protocol field in an IP packet that the switch processes
internally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 06 ff 27
[Sysname-acl-user-5000] quit
# Create user-defined ACL 5001 and define rule 1 to deny ARP packets sourced from 192.168.0.1 (it is
assumed that no port is enabled with the VLAN-VPN function). In the following rule command line, 0806
is the protocol number of ARP, 16 is the offset of the protocol field in an Ethernet packet that the switch
processes internally, c0a80001 is the representation of 192.168.0.1 in hexadecimal, and 32 is the offset
of the source IP address field in an ARP packet that the switch processes internally.
[Sysname] acl number 5001
[Sysname-acl-user-5001] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32
[Sysname-acl-user-5001] quit
# Create user-defined ACL 5002 and define rule 1, specifying a 32-byte rule string, a rule mask of all Fs,
and an offset of 4. Then, apply the ACL to Ethernet 1/0/1.
[Sysname] acl number 5002
[Sysname-acl-user-5002] rule 1 deny
1234567890123456789012345678901234567890123456789012345678901234
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 4
[Sysname-acl-user-5002] quit
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound user-group 5002
To Next Page
Loading...
