Configuring an advanced acl – H3C Technologies H3C S5120 Series Switches User Manual

Page 533


Configuring an Advanced ACL

Advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.

Advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

Compared with basic ACLs, advanced ACLs allow more flexible and accurate filtering.

Follow these steps to configure an advanced ACL:

Step 1. Enter system view
  Command: system-view
  Remarks: --

Step 2. Create an advanced ACL and enter its view
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: Required. By default, no ACL exists. Advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of an existing named ACL.

Step 3. Configure a description for the advanced ACL
  Command: description text
  Remarks: Optional. By default, an advanced ACL has no ACL description.

Step 4. Set the rule numbering step
  Command: step step-value
  Remarks: Optional. 5 by default.

Step 5. Create or edit a rule
  Command: rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
  Remarks: Required. By default, an advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. If the rule is to be referenced by a QoS policy for traffic classification, the logging keyword is not supported.

Step 6. Configure or edit a rule description
  Command: rule rule-id comment text
  Remarks: Optional. By default, an ACL rule has no rule description.

Note that:

- You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
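The procedure above, carried through as one complete CLI session that builds an egress filter for a constructed DMZ subnet. This is an added example, not a configuration from the manual: the ACL number and name, the addresses and ports are made up for illustration, and the quit and display acl commands, the ip, tcp, udp and icmp protocol keywords and the eq port operator are assumed from the general Comware CLI rather than taken from the table on this page. Lines beginning with # are annotations, not commands.

```text
# Step 1-2: enter system view, then create advanced ACL 3000 (range 3000-3999)
# with a name and config match order, so its rules can be edited in place later.
<Switch> system-view
[Switch] acl number 3000 name dmz-egress match-order config

# Step 3: describe the ACL (subnet 10.1.1.0/24 is a constructed example).
[Switch-acl-adv-3000] description Egress filter for DMZ subnet 10.1.1.0/24

# Step 4: number rules in steps of 10 instead of the default 5, leaving room
# to insert rules between existing ones later without renumbering.
[Switch-acl-adv-3000] step 10

# Step 5, rule 10: TCP segments of established sessions (ACK or RST set) may
# leave the subnet, which covers return traffic for connections made to it.
[Switch-acl-adv-3000] rule 10 permit tcp established source 10.1.1.0 0.0.0.255

# Rule 20: DNS queries only to the internal resolver 10.1.2.53
# (a wildcard of 0 means an exact host match).
[Switch-acl-adv-3000] rule 20 permit udp source 10.1.1.0 0.0.0.255 destination 10.1.2.53 0 destination-port eq 53

# Rule 30: outbound HTTPS to any destination.
[Switch-acl-adv-3000] rule 30 permit tcp source 10.1.1.0 0.0.0.255 destination any destination-port eq 443

# Rule 40: drop ICMP echo requests (type 8, code 0) from the subnet.
[Switch-acl-adv-3000] rule 40 deny icmp source 10.1.1.0 0.0.0.255 icmp-type 8 0

# Rule 50: deny everything else and log the matches. Because this rule uses
# the logging keyword, the ACL cannot be referenced by a QoS policy for
# traffic classification (see the Remarks for step 5 above).
[Switch-acl-adv-3000] rule 50 deny ip source 10.1.1.0 0.0.0.255 logging

# Step 6: attach a comment to the final rule.
[Switch-acl-adv-3000] rule 50 comment Default deny for DMZ egress, logged

# Check the resulting rule set and return to user view.
[Switch-acl-adv-3000] display acl 3000
[Switch-acl-adv-3000] quit
[Switch] quit
<Switch>
```

Rule IDs are given explicitly here so that the order of evaluation is visible in the configuration; omitting rule-id lets the switch assign the next ID according to the configured step. Because the ACL was created with match-order config, a rule such as rule 30 can later be edited by re-entering it with only the settings that change, as the first note above describes; an ACL created with match-order auto does not allow this. Re-entering rule 30 with exactly the same permit statement, on the other hand, is rejected under the second note.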
