Modifying advanced rules in advanced acl templates – H3C Technologies H3C Intelligent Management Center User Manual


This option specifies where the pattern matching occurs in this template rule. In this case, the pattern matching is applied to the source IP address.

All: Allows you to permit or deny traffic for all IP addresses.

IP Address/Mask: Allows you to enter a specific IP address and its subnet mask for which you want to permit or deny traffic. Enter an IP address/subnet mask combination in the IP Address/Mask field. The subnet mask must be entered in dotted decimal notation. A valid IP address/subnet mask using dotted decimal notation would be

192.168.1.0/255.255.255.0

Note too that a forward slash "/" must be used to separate the IP address from the subnet mask.

Variable Address: Enter a name for this variable in the field to the right. This option allows you to create a named variable without requiring you to enter the IP addresses/masks in the template. The named variable then serves as a placeholder for the Net Address Group you created using the Assistant combination when you import the template as a rule set into an existing ACL.

7. Do one of the following:
   - Click the radio button to the left of Yes in the Fragment option if you want to apply the rule to each fragment.
   - Click the radio button to the left of No in the Fragment option if you want to apply the rule only to first fragments.
   Traditional packet filtering matched only the first fragments of IPv4 packets and allowed all subsequent non-first fragments to pass through. This created a security risk, because an attacker can fabricate non-first fragments to attack the network.

8. Click the radio button to the left of Yes in the Logging option if you want to enable logging for this rule.
   This feature enables the logging of packet filtering only when a module (for example, a firewall) using the ACL supports logging.

9. Enter the VPN instance you want to apply to this rule by entering the VPN-instance-name in the VPN Instance field.
   A valid entry is 0 to 31 characters and cannot contain question marks or blank spaces. This field is case sensitive. If no VPN instance is specified in this field, the rule applies only to non-VPN packets.

10. Click OK to accept the modifications to the rule.

11. Click OK to accept the modifications to the template.
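As an added illustration (this is not part of the H3C manual and not IMC code), the following Python models the rule fields covered in steps 6 through 9: it validates the IP Address/Mask field the way the text specifies (a "/" separator and a dotted-decimal subnet mask), checks the VPN instance name constraint (0 to 31 characters, no question marks or blank spaces, case preserved), and shows why the Fragment option matters by running a constructed first fragment and non-first fragment through a deny rule with fragment matching set to No and then to Yes, following the manual's description of those two choices. The Packet and Rule structures, the sample packets and the filter_packets helper are assumptions made for the example; the real match logic lives on the device that loads the ACL.

```python
"""Added example: a model of the advanced ACL rule fields described above.
Not H3C IMC code; the Packet/Rule structures, sample packets and helper names
are assumptions made for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

DOTTED_DECIMAL = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_ip_mask(field: str) -> ipaddress.IPv4Network:
    """Parse the IP Address/Mask field as the text specifies: address and
    subnet mask separated by '/', mask in dotted decimal notation
    (192.168.1.0/255.255.255.0), not a prefix length."""
    if field.count("/") != 1:
        raise ValueError("address and mask must be separated by a single '/'")
    addr, mask = field.split("/")
    if not DOTTED_DECIMAL.fullmatch(mask):
        raise ValueError("subnet mask must be in dotted decimal notation")
    # ipaddress rejects non-contiguous masks; strict=False tolerates host bits
    # in the address part (192.168.1.7/255.255.255.0 -> 192.168.1.0/24).
    return ipaddress.IPv4Network((addr, mask), strict=False)


def ip_mask_error(field: str) -> Optional[str]:
    """None when the field is acceptable, otherwise the reason it is rejected."""
    try:
        parse_ip_mask(field)
    except ValueError as exc:
        return str(exc)
    return None


def valid_vpn_instance(name: str) -> bool:
    """VPN instance name: 0 to 31 characters, no '?' and no blank spaces.
    Case is significant, so nothing is lower-cased here."""
    return len(name) <= 31 and "?" not in name and " " not in name


@dataclass
class Packet:
    src: str
    frag_offset: int      # 0 for the first (or the only) fragment
    more_fragments: bool  # IP "more fragments" flag


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]  # None models the "All" option
    fragment: bool  # True: applies to each fragment; False: first fragments only


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.source is not None and ipaddress.IPv4Address(pkt.src) not in rule.source:
        return False
    if not rule.fragment and pkt.frag_offset != 0:
        # Traditional behaviour from the text: only first fragments are matched,
        # so a non-first fragment never hits this rule.
        return False
    return True


def filter_packets(rules: List[Rule], packets: List[Packet],
                   default: str = "permit") -> List[str]:
    """First matching rule wins; unmatched packets get the default action."""
    actions = []
    for pkt in packets:
        action = default
        for rule in rules:
            if rule_matches(rule, pkt):
                action = rule.action
                break
        actions.append(action)
    return actions


# Constructed sample traffic: a first fragment and a non-first fragment from
# the same host inside 192.168.1.0/24, plus an unrelated packet.
SAMPLE_PACKETS = [
    Packet("192.168.1.5", frag_offset=0, more_fragments=True),
    Packet("192.168.1.5", frag_offset=185, more_fragments=False),
    Packet("10.0.0.1", frag_offset=0, more_fragments=False),
]


def fragment_option_effect():
    """Apply a deny rule for 192.168.1.0/255.255.255.0 with Fragment = No and
    then with Fragment = Yes; return the resulting action for each packet."""
    net = parse_ip_mask("192.168.1.0/255.255.255.0")
    first_only = filter_packets([Rule("deny", net, fragment=False)], SAMPLE_PACKETS)
    every_fragment = filter_packets([Rule("deny", net, fragment=True)], SAMPLE_PACKETS)
    return first_only, every_fragment


if __name__ == "__main__":
    print(ip_mask_error("192.168.1.0/24"))   # rejected: mask is a prefix length
    print(fragment_option_effect())
```

With Fragment = No the non-first fragment from 192.168.1.5 is permitted even though the rule denies its source network, which is exactly the gap the text describes; with Fragment = Yes both fragments are denied. The packet from 10.0.0.1 falls through to the default action in both runs.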

Modifying advanced rules in advanced ACL templates

To modify an advanced rule in an advanced ACL template:

1. Navigate to ACL Template:
   a. Click the Service tab from the tabular navigation system on the top.
   b. Click the ACL Management section of the navigation tree on the left.
   c. Click the ACL Template link located under ACL Management on the navigation tree on the left.
   The Template List displays in the main pane of the page.

2. Click the icon in the Modify field associated with the advanced template you want to modify.
   The Modify Template page displays with the Rule List for the selected ACL template in the main pane of the Modify Template page.
