beautypg.com

Configuration example, Configuring advanced acl, Configuration prerequisites – H3C Technologies H3C S3100 Series Switches User Manual

Page 563: Configuration procedure

background image

1-6

z

With the auto match order specified, the newly created rules will be inserted in the existent ones by

depth-first principle, but the numbers of the existent rules are unaltered.

Configuration example

# Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1.

system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0

# Display the configuration information of ACL 2000.

[Sysname-acl-basic-2000] display acl 2000

Basic ACL 2000, 1 rule

Acl's step is 1

rule 0 deny source 192.168.0.1 0

Configuring Advanced ACL

An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried

by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message

type and message code.

An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL 3999 cannot be

configured because they are reserved for cluster management.

Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS)

priority, IP priority and differentiated services codepoint (DSCP) priority.

Using advanced ACLs, you can define classification rules that are more accurate, more abundant, and

more flexible than those defined for basic ACLs.

Configuration prerequisites

z

To configure a time range-based advanced ACL rule, you need to create the corresponding time

ranges first. For information about of time range configuration, refer to section

Configuring Time

Range

.

z

The settings to be specified in the rule, such as source and destination IP addresses, the protocols

carried by IP, and protocol-specific features, are determined.

Configuration procedure

Table 1-3 Define an advanced ACL rule

Operation

Command

Description

Enter system view

system-view

Create an advanced
ACL and enter
advanced ACL view

acl number acl-number
[ match-order { auto | config } ]

Required

config by default

Define an ACL rule

rule [ rule-id ] { permit | deny }
protocol [ rule-string ]

Required

For information about protocol and
rule-string, refer to ACL Commands.

Assign a description
string to the ACL rule

rule rule-id comment text

Optional

No description by default

See also other documents in the category H3C Technologies Routers: