Configuring an advanced acl, Configuring an ipv4 advanced acl – H3C Technologies H3C SR8800 User Manual
Configuring an advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and
other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags,
ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS),
IP precedence, and differentiated services codepoint (DSCP) priority.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IPv4 advanced ACL and enter its view.
    Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. IPv4 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

Step 3. Configure a description for the IPv4 advanced ACL.
    Command: description text
    Remarks: Optional. By default, an IPv4 advanced ACL has no ACL description.

Step 4. Set the rule numbering step.
    Command: step step-value
    Remarks: Optional. The default setting is 5.

Step 5. Create or edit a rule.
    Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
    Remarks: By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a packet-filter firewall) using the ACL supports logging.

Step 6. Configure or edit a rule description.
    Command: rule rule-id comment text
    Remarks: Optional. By default, an IPv4 advanced ACL rule has no rule description.
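The following CLI session walks through steps 1 to 6 above for a typical defensive use of an advanced ACL: permitting SSH to a management address only from an administrator subnet, and counting or logging the rest. It is an added example, not a session from the H3C manual. The ACL number, name, rule IDs, addresses and wildcards are constructed values; the eq port operator, the <Sysname>/[Sysname] prompts and the display acl command are standard Comware CLI but do not appear on this page. Lines beginning with # are annotations, not commands to type.

```text
# Step 1: enter system view
<Sysname> system-view
# Step 2: create advanced ACL 3000 (advanced ACLs use 3000-3999), give it a name,
#         and match rules in the order they were configured
[Sysname] acl number 3000 name mgmt-ssh match-order config
# Step 3: describe what the ACL is for
[Sysname-acl-adv-3000] description SSH to management address from admin subnet only
# Step 4: use a numbering step of 10 instead of the default 5, so rules added
#         later without an explicit rule-id leave room between existing ones
[Sysname-acl-adv-3000] step 10
# Step 5: rule 10 permits TCP/22 from the constructed admin subnet 10.1.1.0/24
#         (wildcard 0.0.0.255) to the constructed management address 192.0.2.1
#         (wildcard 0 = exact host) and counts matching packets
[Sysname-acl-adv-3000] rule 10 permit tcp source 10.1.1.0 0.0.0.255 destination 192.0.2.1 0 destination-port eq 22 counting
# Step 5: rule 20 denies any other TCP/22 to the management address; logging
#         only takes effect if the module that applies the ACL supports it
[Sysname-acl-adv-3000] rule 20 deny tcp destination 192.0.2.1 0 destination-port eq 22 logging
# Step 6: attach a comment to each rule so the intent survives later edits
[Sysname-acl-adv-3000] rule 10 comment Admin subnet to management SSH
[Sysname-acl-adv-3000] rule 20 comment Deny and log all other SSH attempts
[Sysname-acl-adv-3000] quit
# Verify the result (display acl is assumed from the Comware CLI, not from this page)
[Sysname] display acl 3000
```

Because the rules are created with explicit rule IDs, the step value set in step 4 only affects rules later added without a rule-id. The ACL itself does nothing until a module such as a packet filter references it on an interface, and the deny rule's logging keyword is effective only where that module supports logging, as the remarks for step 5 state.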