User's Manual
401
non-allowed is set; totallen means the total length of the packet; timer-rage means the time range during which the conditions are effective; ttl means the IP packet Time To Live; dest-portrange means the range of destination ports; established means an established connection.
Exit Logs out of the access list configuration mode.
After the access list is originally created, any entry added later is appended to the end of the list. That is to say, you cannot insert a command line at a designated position in the access list. However, you can run no permit and no deny to delete entries from the access list.
Note:
When you create the access list, an implicit deny statement is included at the end of the access list by default. If the mask is omitted for an IP host address in the access list, 255.255.255.255 is assumed as the mask.
When an IP ACL is applied on the ONU interface, the device does not support the greater-than, less-than and not-equal-to operators for L4 ports. In other words, an L4 port can only be specified as a fixed value.
After the access list is created, it must be applied on the route or interface. For details, refer to the following section “Applying the Access List to the Interface”.
53.2.3 Applying the Access List to the Routing Interface
After the access list is created, you can apply it to the routing interface including ingress and egress.
Run the following command in VLAN interface configuration mode.
Command Purpose
{ip|ipv6} access-group name {in | out}
Applies the access list to the interface.
The access control list can be applied to the incoming or outgoing direction of an interface. After a packet is received, its source address is checked against the standard access control list. For an expanded access control list, the SWITCH also checks the destination address. If the access control list permits the packet, the system continues handling it. However, if the access control list forbids the packet, the system drops it and returns an ICMP unreachable message.
For a standard access list on an out interface, after a packet is received or routed to that interface, the software checks the source address of the packet against the access list. For an expanded access control list, the SWITCH also checks the destination address. If the access list permits the packet, the software sends it. If the access list does not permit the packet, the software drops it and returns an ICMP unreachable message.
If the designated access control list does not exist, all packets are allowed to pass through.
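The evaluation rules in this section (first matching entry wins, entries are only ever appended, an implicit deny closes the list, an omitted mask means 255.255.255.255, a standard list checks only the source while an expanded list also checks the destination, and a non-existent list passes everything) can be modelled to check how a planned rule order will behave before it is applied. The following Python is an added example written for this page, not vendor code; the list name, addresses and the helper names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

HOST_MASK = "255.255.255.255"  # mask assumed when it is omitted, as the manual states


def _matches(addr: str, spec: str) -> bool:
    """spec is 'address' or 'address mask'; an omitted mask means a single host."""
    parts = spec.split()
    mask = parts[1] if len(parts) > 1 else HOST_MASK
    net = ipaddress.IPv4Network(f"{parts[0]}/{mask}", strict=False)
    return ipaddress.IPv4Address(addr) in net


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    src: str                   # "address" or "address mask"
    dst: Optional[str] = None  # checked only by an expanded (extended) list


@dataclass
class AccessList:
    name: str
    extended: bool = False
    entries: list = field(default_factory=list)

    def add(self, action: str, src: str, dst: Optional[str] = None) -> None:
        """permit / deny: a new entry can only be appended to the end of the list."""
        self.entries.append(Entry(action, src, dst))

    def remove(self, action: str, src: str, dst: Optional[str] = None) -> None:
        """no permit / no deny: delete the matching entry wherever it sits."""
        self.entries = [e for e in self.entries if e != Entry(action, src, dst)]


def evaluate(acl: Optional[AccessList], src_ip: str, dst_ip: str) -> tuple:
    """First-match evaluation; returns (verdict, reason)."""
    if acl is None:  # the list named in access-group does not exist
        return "permit", "no such list, all packets pass"
    for i, e in enumerate(acl.entries):
        if not _matches(src_ip, e.src):
            continue
        if acl.extended and e.dst and not _matches(dst_ip, e.dst):
            continue
        return e.action, f"entry {i}"
    return "deny", "implicit deny at end of list (ICMP unreachable returned)"


def build_demo() -> AccessList:
    """Constructed sample list: host permit, subnet deny, then a permit that is never reached."""
    acl = AccessList("mgmt-in", extended=True)
    acl.add("permit", "10.0.0.5", "192.168.1.1")                # mask omitted: host match
    acl.add("deny", "10.0.0.0 255.255.255.0", "192.168.1.1")
    acl.add("permit", "10.0.0.0 255.255.255.0", "192.168.1.1")  # appended after the deny
    return acl
```

Because the third entry lands after the subnet deny, no packet from 10.0.0.0/24 other than the permitted host ever reaches it; the only way to change that order is to delete the deny with the no form and re-add it.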