SNR S2940-8G-v2 Switch Configuration Guide
Self-defined ACL Configuration
4. Bind user-defined ACL to specified VLAN
Command Explanation
Global Mode
[no] vacl userdefined access-group
<name> {in} vlan <vlanId> [traffic-statistic]
Apply userdefined-access-list to one direction of
the specified VLAN, decide whether the statisti-
cal counter should be added to the ACL accord-
ing to the options. The no command deletes the
configuration bound to the specified VLAN.
44.3 Self-defined ACL Example
Scenario 1:
The user has the following configuration requirement: port 10 of the switch connects to 10.0.0.0/24
segment; ftp is not desired for the user.
Configuration description:
1. Create a self-defined ACL template according to condition
2. Create a corresponding self-defined ACL
3. Bind the self-defined ACL to the port
The configuration steps are listed below:
Switch(config)#userdefined-access-list extended offset swindow1
l3start 4 swindow2 l4start 1 lwindow1 l3start 3
Switch(config)#userdefined-access-list extended 1300 deny untagged-eth2
swindow1 0006 00FF swindow2 0015 FFFF lwindow1 0A000000 FFFFFF00
Switch(config)#firewall enable
Switch(config)#interface ethernet1/10
Switch(config-if-ethernet1/10)#userdefined access-group 1300 in
Switch(config-if-ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show access-lists
userdefined-access-list extended 1300(used 1 time(s)) 1 rule(s)
rule ID 1: deny untagged-eth2 swindow1 6 ff swindow2 15 ffff lwindow1 a000000 ffffff00
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
Userdefined Ingress access-list used is 1300,traffic-statistics Disable.
Scenario 2:
The configuration requirement is stated as below: The switch should drop all the 802.3 data-
gram with 00-12-11-23-xx-xx as the source MAC address and 10.1.1.0/24 segment as the source
IP coming from VLAN 10.
Configuration description:
303
To Next Page
Loading...
General