PLANET XGS3-24040 User Manual


Commands for Security Function Chapter 2 Commands for 802.1x


[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]

[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} {eigrp|gre|igrp|ip|ipinip|ospf|{<protocol-num>}} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]

Functions: Define an extended name MAC-IP ACL rule; the ‘no’ form deletes one extended numeric MAC-IP ACL access-list rule.

Parameters:

num: access-list number, a decimal number from 3100-3199.

deny: if the rule matches, access is denied.

permit: if the rule matches, access is permitted.

any-source-mac: any source MAC address.

any-destination-mac: any destination MAC address.

host_smac, smac: source MAC address.

smac-mask: mask (reverse mask) of the source MAC address.

host_dmac, dmac: destination MAC address.

dmac-mask: mask (reverse mask) of the destination MAC address.

protocol: name or number of the IP protocol. It can be a keyword: eigrp, gre, icmp, igmp, igrp, ip, ipinip, ospf, tcp, or udp, or an integer from 0-255 giving the IP protocol number. Use the keyword ‘ip’ to match all Internet protocols (including ICMP, TCP, and UDP).

source-host-ip, source: address of the source network or source host of the packet, a 32-bit binary number written in dotted decimal notation.

host: means the address is the IP address of a source host; otherwise it is the IP address of a network.

source-wildcard: reverse mask of the source IP, a 32-bit binary number written in dotted decimal notation.

destination-host-ip, destination: address of the destination network or host to which packets are delivered, a 32-bit binary number written in dotted decimal notation.

host: means the address is the destination host address; otherwise it is the network IP address.

destination-wildcard: reverse mask of the destination, a 32-bit binary number written in dotted decimal notation.

s-port (optional): indicates that the TCP/UDP source port must be matched.

port1 (optional): TCP/UDP source port number, an integer from 0-65535.

<sPortMin>: lower boundary of the source port.

<sPortMax>: upper boundary of the source port.

d-port (optional): indicates that the TCP/UDP destination port must be matched.

port3 (optional): TCP/UDP destination port number, an integer from 0-65535.

<dPortMin>: lower boundary of the destination port.

<dPortMax>: upper boundary of the destination port.

[ack] [fin] [psh] [rst] [urg] [syn] (optional): only for the TCP protocol. Several flag bits can be chosen; when the corresponding bit is set in a TCP packet, such as a packet that initializes a connection, a match is formed.

precedence (optional): packets can be filtered by priority, which is a number from 0-7.

tos (optional): packets can be filtered by service type, which is a number from 0-15.

icmp-type (optional): ICMP packets can be filtered by packet type, which is a number from 0-255.

icmp-code (optional): ICMP packets can be filtered by packet code, which is a number from 0-255.

igmp-type (optional): IGMP packets can be filtered by IGMP packet name or packet type, which is a number from 0-255.
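The parameters above combine Layer 2 and Layer 3 conditions in a single rule, so a packet has to satisfy the MAC reverse masks, the protocol, the IP wildcards and the port conditions together. The following is an added example, not code from the manual or the switch: a small Python model that checks one constructed rule against constructed packets, useful for verifying what a rule will cover before applying it. It assumes that a 1 bit in a reverse mask means "ignore this bit" and that MAC addresses are written with dashes; the dictionary keys and function names are hypothetical.

```python
# Assumption: reverse-mask bit 1 = ignore that bit, 0 = bit must be equal.
import ipaddress

def mac_int(mac):
    """Parse a MAC written with '-' or ':' separators into a 48-bit integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)

def ip_int(ip):
    return int(ipaddress.IPv4Address(ip))

def masked_eq(value, base, reverse_mask, width):
    """Compare only the bits whose reverse-mask bit is 0."""
    care = ~reverse_mask & ((1 << width) - 1)
    return (value & care) == (base & care)

def in_ports(port, spec):
    """spec: None (keyword omitted), one port number, or a (min, max) range."""
    lo, hi = spec if isinstance(spec, tuple) else (spec, spec)
    return spec is None or lo <= port <= hi

def evaluate(rule, pkt):
    """Return the rule's action if every field matches the packet, else None."""
    checks = (
        masked_eq(mac_int(pkt["smac"]), mac_int(rule["smac"]), mac_int(rule["smac_mask"]), 48),
        masked_eq(mac_int(pkt["dmac"]), mac_int(rule["dmac"]), mac_int(rule["dmac_mask"]), 48),
        rule["protocol"] in ("ip", pkt["protocol"]),   # 'ip' matches all protocols
        masked_eq(ip_int(pkt["src"]), ip_int(rule["source"]), ip_int(rule["source_wildcard"]), 32),
        masked_eq(ip_int(pkt["dst"]), ip_int(rule["destination"]), ip_int(rule["destination_wildcard"]), 32),
        in_ports(pkt["sport"], rule.get("s_port")),
        in_ports(pkt["dport"], rule.get("d_port")),
    )
    return rule["action"] if all(checks) else None

# Constructed rule (hypothetical keys): permit <smac> <smac-mask> any-destination-mac udp ...
RULE = {
    "action": "permit", "protocol": "udp",
    "smac": "00-11-22-00-00-00", "smac_mask": "00-00-00-ff-ff-ff",
    "dmac": "00-00-00-00-00-00", "dmac_mask": "ff-ff-ff-ff-ff-ff",   # any-destination-mac
    "source": "10.1.0.0", "source_wildcard": "0.0.255.255",
    "destination": "10.9.9.53", "destination_wildcard": "0.0.0.0",   # host-destination
    "s_port": (1024, 65535), "d_port": 53,                           # range / single port
}

def packet(**overrides):
    """Constructed sample packet; keyword arguments replace individual fields."""
    base = {"smac": "00-11-22-aa-bb-cc", "dmac": "00-50-56-01-02-03", "protocol": "udp",
            "src": "10.1.7.20", "dst": "10.9.9.53", "sport": 40000, "dport": 53}
    return {**base, **overrides}
```

Calling `evaluate(RULE, packet(src="10.2.7.20"))` returns `None` because the source falls outside the wildcard, which is the kind of near miss worth testing before relying on a rule.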
