Configuring an ipv6 advanced acl – H3C Technologies H3C SR8800 User Manual

Page 18

Advertising
background image

9

Step

Command

Remarks

7.

Enable rule match counting

for the IPv4 advanced ACL.

hardware-count enable

Optional.
By default, rule match counting is

disabled.

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,

protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,

TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:

Step

Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an IPv6 advanced

ACL and enter its view.

acl ipv6 number acl6-number [ name
acl6-name ] [ match-order { auto |

config } ]

By default, no ACL exists.
IPv6 advanced ACLs are

numbered in the range 3000 to
3999.
You can use the acl ipv6 name
acl6-name command to enter the

view of a named IPv6 ACL.

3.

Configure a description
for the IPv6 advanced

ACL.

description text

Optional.
By default, an IPv6 advanced

ACL has no ACL description.

4.

Set the rule numbering
step.

step step-value

Optional.
The default setting is 5.

5.

Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol
[ { { ack ack-value | fin fin-value | psh

psh-value | rst rst-value | syn syn-value |
urg urg-value } * | established } |

counting | destination { dest dest-prefix |

dest/dest-prefix | any } |
destination-port operator port1 [ port2 ]

| dscp dscp | flow-label flow-label-value

| fragment | icmp6-type { icmp6-type

icmp6-code | icmp6-message } |
logging | source { source source-prefix |

source/source-prefix | any } |

source-port operator port1 [ port2 ] |
time-range time-range-name |

vpn-instance vpn-instance-name ] *

By default IPv6 advanced ACL
does not contain any rule.
To create or edit multiple rules,

repeat this step.
The logging keyword takes effect

only when the module (for
example, a packet-filter firewall)

using the ACL supports logging.

6.

Configure or edit a rule
description.

rule rule-id comment text

Optional.
By default, an IPv6 advanced
ACL rule has no rule description.

7.

Enable rule match

counting for the IPv6
advanced ACL.

hardware-count enable

Optional.
By default, rule match counting is
disabled.

Advertising
This manual is related to the following products:

H3C SR6600-X, H3C SR6600, H3C SecPath F5020, H3C SecPath F5040, H3C VMSG VFW1000

Popular Brands
Popular manuals