H3C Technologies H3C Intelligent Management Center User Manual

Page 817


803

4. To add a new rule to the existing rule set, click Add Rule to add a rule to the ACL template.
   The Add Basic Rule page appears.

5. Select the action you want to take by clicking the radio button to the left of the option you want
   to apply to this rule:
   - Select permit if, upon matching the specified conditions, the packet should be forwarded.
   - Select deny if, upon matching the specified conditions, the packet should be discarded.

6. Enter a named variable for this ACL template in the Time Range field. This allows you to create a
   named variable without requiring you to enter the time range in the template. The named variable
   then serves as a placeholder for the Time Range you created using the Assistant combination when
   you import the template as a rule set into an existing ACL.

7. Select the source IP address option you want to use by clicking the radio button to the left of the
   desired option in the Source Address field of the Basic Info section. This option specifies where
   the pattern matching occurs in this template rule; in this case, the pattern matching is applied to
   the source IP address.
   - All: Allows you to permit or deny traffic for all IP addresses.
   - IP Address/Mask: Allows you to enter a specific IP address and its subnet mask for which you want
     to either permit or deny traffic.
     a. Enter an IP address/subnet mask combination in the IP Address/Mask field. The subnet mask must
        be entered in dotted decimal notation. A valid IP address/subnet mask using dotted decimal
        notation would be 192.168.1.0/255.255.255.0. A forward slash "/" must be used to separate the
        IP address from the subnet mask.
   - Variable Address: Allows you to create a named variable without requiring you to enter the IP
     addresses/masks in the template. The named variable then serves as a placeholder for the Net
     Address Group you created using the Assistant combination when you import the template as a rule
     set into an existing ACL.
     b. Enter a name for this variable in the field to the right.

8. Do one of the following:
   - Click the radio button to the left of Yes in the Fragment option if you want to apply the rule
     to each fragment.
   - Click the radio button to the left of No in the Fragment option if you want to apply the rule to
     first fragments only.
   Traditional packet filtering matched only the first fragments of IPv4 packets and allowed all
   subsequent non-first fragments to pass through. This resulted in security risks, because hackers can
   fabricate non-first fragments to attack networks.

9. Click the radio button to the left of Yes in the Logging option if you want to enable logging for
   this rule. This feature enables the logging of packet filtering only when the module (for example,
   a firewall) that is using the ACL supports logging.

10. Enter the VPN instance you want to apply to this rule by entering the VPN-instance-name in the
    VPN Instance field. A valid entry must be 0 – 31 characters and cannot contain question marks or
    blank spaces. This field is also case sensitive. If no VPN instance is specified in this field,
    the rule applies only to non-VPN packets.
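The following Python model is an added example, not part of the manual or of IMC itself. It validates the IP Address/Mask and VPN Instance field formats described in steps 7 and 10, and shows why the Fragment setting in step 8 matters: a deny rule with Fragment set to No lets a non-first fragment from the denied network through, while the same rule with Fragment set to Yes blocks it. The first-match evaluation order and the permit default when no rule matches are assumptions of this model, not statements from the manual.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class BasicRule:
    action: str                 # "permit" or "deny"
    source: str                 # "all" or "<ip>/<dotted-decimal mask>"
    match_all_fragments: bool   # True = Fragment: Yes, False = Fragment: No (first fragments only)
    vpn_instance: str = ""      # empty means the rule applies only to non-VPN packets

def is_valid_ip_mask(text):
    """True only for 'a.b.c.d/m.m.m.m' with a dotted-decimal mask, as the field requires."""
    ip, sep, mask = text.partition("/")
    if sep != "/" or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", mask):
        return False
    try:
        ipaddress.IPv4Network((ip, mask), strict=False)
    except ValueError:
        return False
    return True

def is_valid_vpn_instance(name):
    """0-31 characters, no question marks or blank spaces (case is significant)."""
    return len(name) <= 31 and re.search(r"[?\s]", name) is None

def rule_matches(rule, src_ip, non_first_fragment, vpn_instance=""):
    """Apply the match conditions of one basic rule to a packet (a constructed packet model)."""
    if rule.vpn_instance != vpn_instance:          # case-sensitive VPN instance match
        return False
    if non_first_fragment and not rule.match_all_fragments:
        return False                               # Fragment: No -> first fragments only
    if rule.source != "all":
        ip, _, mask = rule.source.partition("/")
        if ipaddress.IPv4Address(src_ip) not in ipaddress.IPv4Network((ip, mask), strict=False):
            return False
    return True

def evaluate(rules, src_ip, non_first_fragment, vpn_instance="", default="permit"):
    """First matching rule wins; 'default' (assumed to be permit) applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, src_ip, non_first_fragment, vpn_instance):
            return rule.action
    return default

if __name__ == "__main__":
    deny_net = "192.168.1.0/255.255.255.0"    # constructed sample rule set
    print(evaluate([BasicRule("deny", deny_net, False)], "192.168.1.5", True))  # permit
    print(evaluate([BasicRule("deny", deny_net, True)], "192.168.1.5", True))   # deny
```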
