Command Reference Guide
rule: 3Com Router 5000 Family and Router 6000 Family Command Reference
dest-mask
Destination MAC address mask.
Example Create ACL 3001 and add a rule to deny RIP packets.
[3Com] acl number 3001
[3Com-acl-adv-3001] rule deny udp destination-port eq rip
Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packets
to hosts in the network segment 202.38.160.0.
[3Com-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq www
Add a rule to deny WWW access (port 80) from hosts in network segment
129.9.0.0 to hosts in network segment 202.38.160.0, and log events that violate
the rule.
[3Com-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq www logging
Add a rule to permit WWW access (port 80) from hosts in network segment
129.9.8.0 to hosts in network segment 202.38.160.0.
[3Com-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255
destination 202.38.160.0 0.0.0.255 destination-port eq www
Add a rule to prohibit all hosts from establishing a Telnet (port 23) connection to the host
with the IP address 202.38.160.1.
[3Com-acl-adv-3001] rule deny tcp destination 202.38.160.1 0
destination-port eq telnet
Add a rule to prohibit UDP connections to destination ports greater than 128
from hosts in network segment 129.9.8.0 to hosts in network segment
202.38.160.0.
[3Com-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255
destination 202.38.160.0 0.0.0.255 destination-port gt 128
Add a rule to deny packets from VPN instance vrf1 that carry the source address 1.1.1.1.
[3Com-acl-adv-3001] rule deny ip source 1.1.1.1 0 vpn-instance vrf1
Configure the reflexive attribute under ACL 3001.
[3Com-acl-adv-3001] rule permit tcp reflect 3001 timeout 301
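The example rules above overlap: the deny rule with logging and the 129.9.8.0 permit rule both fall inside the earlier 129.9.0.0 permit rule. The following Python check is an added example, not part of the 3Com manual; it flags rules that an earlier rule fully covers, assuming rules are evaluated in the order entered with the first match winning (this page does not state the match order). The rule text is re-typed as constructed input, and the helper names `parse`, `covers` and `shadowed` are hypothetical.

```python
import ipaddress

PORTS = {"www": 80, "telnet": 23, "rip": 520}  # port names used on this page
ANY = (0, 0xFFFFFFFF)                          # (address, wildcard); wildcard bit 1 = don't care

# Constructed input: the page's first six rules, one per line, in the order entered.
RULES = """\
rule deny udp destination-port eq rip
rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www
rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging
rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www
rule deny tcp destination 202.38.160.1 0 destination-port eq telnet
rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128
"""

def ip(s):
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))

def parse(line):
    t = line.split()
    r = {"action": t[1], "proto": t[2], "source": ANY, "destination": ANY, "ports": (0, 65535)}
    for i, tok in enumerate(t):
        if tok in ("source", "destination"):
            r[tok] = (ip(t[i + 1]), ip(t[i + 2]))
        elif tok == "destination-port":
            p = PORTS.get(t[i + 2]) or int(t[i + 2])
            r["ports"] = (p, p) if t[i + 1] == "eq" else (p + 1, 65535)  # eq or gt
    return r

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    def addr(x, y):  # x's don't-care bits include y's, and x's fixed bits agree with y
        return (x[1] | y[1]) == x[1] and (x[0] ^ y[0]) & ~x[1] & 0xFFFFFFFF == 0
    return (a["proto"] in ("ip", b["proto"])
            and addr(a["source"], b["source"]) and addr(a["destination"], b["destination"])
            and a["ports"][0] <= b["ports"][0] and b["ports"][1] <= a["ports"][1])

def shadowed(text):
    """(rule, first earlier rule covering it, actions differ) in 1-based entry order."""
    rules = [parse(l) for l in text.splitlines() if l.strip()]
    out = []
    for j, b in enumerate(rules):
        i = next((i for i, a in enumerate(rules[:j]) if covers(a, b)), None)
        if i is not None:
            out.append((j + 1, i + 1, rules[i]["action"] != b["action"]))
    return out

if __name__ == "__main__":
    for later, earlier, conflict in shadowed(RULES):
        print(f"rule {later} is covered by earlier rule {earlier}; conflicting action: {conflict}")
```

Under the stated assumption, the third rule (deny with logging) would never match or log because the second rule permits the same traffic first, and the fourth rule is redundant.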
View This command can be used in the following views:
■ ACL view
Description When an ACL rule is added and the rule specifies the interface of the packet,
that interface cannot be an L2 Ethernet port.