Configuring an IPv6 advanced ACL – H3C Technologies H3C S12500 Series Switches User Manual

Step 5. Create or edit a rule.
  Command:
    rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
  Remarks:
    By default, an IPv4 advanced ACL does not contain any rule.
    The logging keyword supports only the packet filter function.
    The reflective keyword is not supported in the current software version, and is reserved for future support.
    When EB or EC2 cards are operating in standard ACL mode, the cards do not support the vpn-instance keyword for IPv4 advanced ACLs.
    When the device is a PE device, the packets at the private network side of a VPN cannot match the vpn-instance vpn-instance-name option. When the device is an MCE device, packets of a VPN cannot match the vpn-instance vpn-instance-name option. For more information about PE devices and MCE devices, see MPLS Configuration Guide.

Step 6. Add or edit a rule comment.
  Command:
    rule rule-id comment text
  Remarks:
    Optional.
    By default, an IPv4 advanced ACL rule has no rule description.

Step 7. Add or edit a rule range remark.
  Command:
    rule [ rule-id ] remark text
  Remarks:
    Optional.
    By default, no rule range remarks are configured.

Step 8. Enable rule match counting for the IPv4 advanced ACL.
  Command:
    hardware-count enable
  Remarks:
    Optional.
    By default, rule match counting is disabled.

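
How the source/destination wildcard, destination-port operator and established options of the rule command in step 5 decide a match, as an added Python model that is not part of the H3C manual. The dictionary layout, the sample addresses, first-match evaluation in rule-ID order, inverse-mask wildcard semantics, the operator names and the ACK/RST meaning of established are assumptions not stated on this page.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    # Assumed Comware semantics: wildcard bits set to 1 are ignored, 0 bits must match.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def port_match(port, spec):
    # spec mirrors "destination-port operator port1 [ port2 ]"; operator names are assumed.
    if spec is None:
        return True
    if port is None:
        return False
    op, p1, *rest = spec
    if op == "range":
        return p1 <= port <= rest[0]
    return {"eq": port == p1, "neq": port != p1, "gt": port > p1, "lt": port < p1}[op]

def rule_match(rule, pkt):
    if rule["protocol"] not in ("ip", pkt["protocol"]):
        return False
    for side in ("source", "destination"):
        spec = rule.get(side, "any")
        if spec != "any" and not wild_match(pkt[side], *spec):
            return False
    if not port_match(pkt.get("dport"), rule.get("destination-port")):
        return False
    # Assumption: "established" matches TCP segments with ACK or RST set.
    if rule.get("established") and not (pkt.get("flags", set()) & {"ack", "rst"}):
        return False
    return True

def evaluate(rules, pkt):
    # Assumption: rules are tried in ascending rule-id order and the first match decides.
    for rid in sorted(rules):
        if rule_match(rules[rid], pkt):
            return rid, rules[rid]["action"]
    return None, "no-match"

# Constructed sample ACL and addresses, not taken from the manual.
ACL = {
    0: {"action": "permit", "protocol": "tcp", "established": True,
        "destination": ("10.1.1.0", "0.0.0.255")},
    5: {"action": "permit", "protocol": "tcp", "source": ("10.1.1.0", "0.0.0.255"),
        "destination": ("192.0.2.10", "0.0.0.0"), "destination-port": ("eq", 443)},
    10: {"action": "deny", "protocol": "ip"},
}
```

A wildcard written as a subnet mask (255.255.255.0 instead of 0.0.0.255) ignores the first three octets, so such a rule matches far more sources than intended; check existing rules for this mistake.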
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses,
packet priorities, protocols carried over IPv6, and other protocol header fields such as the TCP/UDP
source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message
code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:
Step 1. Enter system view.
  Command:
    system-view
  Remarks:
    N/A