Packet filtering with acls, Applying an ipv4 acl for packet filtering – H3C Technologies H3C SecBlade NetStream Cards User Manual


CAUTION:

ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.

After you modify an IPv4 ACL with ACL acceleration enabled, disable and re-enable ACL acceleration to ensure correct rule matching.

Packet filtering with ACLs

You can use an ACL to filter incoming or outgoing IPv4 packets.

With a basic or advanced ACL, you can log filtering events by specifying the logging keyword in the ACL rules and enabling the counting function. To enable counting for rule matches performed in hardware, specify the counting keyword in the ACL rules.

You can set the packet filter to periodically send packet filtering logs to the information center as informational messages. The interval for generating and outputting packet filtering logs is configurable. The log information includes the number of matching packets and the ACL rules used in an interval. For more information about the information center, see the System Management and Maintenance Configuration Guide.

NOTE:

ACLs on VLAN interfaces filter only packets forwarded at Layer 3.

Applying an IPv4 ACL for packet filtering

1. Configuring IPv4 ACL-based packet filtering

You can use the host device to generate comprehensive log data for the ACL matching packets.
Follow these steps to apply an IPv4 ACL for packet filtering:

To do: Enter system view
Use the command: system-view

To do: Enter interface view
Use the command: interface interface-type interface-number

To do: Apply an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL to the interface to filter packets (on a distributed device)
Use the command: packet-filter { acl-number | name acl-name } { inbound [ logging-slot slot-number ] | outbound }
Remarks: Required. By default, no ACL is applied to any interface.

To do: Apply an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL to the interface to filter packets (on a distributed IRF member device)
Use the command: packet-filter { acl-number | name acl-name } { inbound [ chassis chassis-number logging-slot slot-number ] | outbound }
Remarks: Required. By default, no ACL is applied to any interface.

To do: Exit to system view
Use the command: quit

To do: Set the interval for generating and outputting IPv4 packet filtering logs
Use the command: acl logging frequence frequence
Remarks: Required. By default, the interval is 0 and no IPv4 packet filtering logs are generated.
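A constructed configuration session, added here and not taken from the manual, that ties the steps above together: it defines an advanced ACL whose rules carry the logging and counting keywords, applies it inbound on an interface, and sets the log interval. The device name, interface and addresses are made up, and the acl number and rule commands (with their logging and counting keywords) are assumed from the ACL configuration section of the same guide rather than from this page.

```comware
# Constructed example (not from the manual): permit one internal subnet,
# deny everything else inbound, log and count the matches, and emit
# packet-filter logs every 10 minutes (unit assumed from the command reference).
<Sysname> system-view
[Sysname] acl number 3000
# Contiguous wildcard masks only, so ACL acceleration stays available for this ACL.
[Sysname-acl-adv-3000] rule 0 permit ip source 192.168.10.0 0.0.0.255 counting
[Sysname-acl-adv-3000] rule 5 deny ip logging counting
[Sysname-acl-adv-3000] quit
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 3000 inbound
[Sysname-GigabitEthernet1/0/1] quit
# Non-zero interval: with the default of 0 no packet filtering logs are generated.
[Sysname] acl logging frequence 10
```

If ACL acceleration is enabled on ACL 3000 and its rules are later edited, disable and re-enable acceleration afterwards, as the CAUTION above requires.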
