Configuration Prerequisites, Configuration Procedure – H3C Technologies H3C WX6000 Series Access Controllers User Manual


In addition, advanced IPv4 ACLs allow you to filter packets based on three priority criteria: type of
service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

Advanced IPv4 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv4 ACLs, they
allow more flexible and accurate filtering.

Configuration Prerequisites

If you want to reference a time range to a rule, define it with the time-range command first.

Configuration Procedure

Follow these steps to configure an advanced IPv4 ACL:

1. Enter system view
   Use the command: system-view
   Remarks: --

2. Create and enter advanced IPv4 ACL view
   Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later.

3. Create or modify a rule
   Use the command: rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | established | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name | tos tos ] *
   Remarks: Required. To create multiple rules, repeat this step. Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging and reflective keywords are not supported and the operator argument cannot be neq.

4. Set a rule numbering step
   Use the command: step step-value
   Remarks: Optional. The default step is 5.

5. Create an IPv4 ACL description
   Use the command: description text
   Remarks: Optional. By default, no IPv4 ACL description is present.

6. Create a rule description
   Use the command: rule rule-id comment text
   Remarks: Optional. By default, no rule description is present.

Note that:

• You will fail to create or modify a rule if its permit/deny statement is exactly the same as another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

• You may use the display acl command to verify rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.
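The following is an added worked example, not H3C code and not part of the manual: a small Python model of the behaviour the procedure and notes describe (rule numbering by step, first-match evaluation in config versus auto order, and rejection of a rule whose permit/deny statement duplicates another). It models only a subset of the rule syntax (protocol, source, destination and a destination-port "eq" match); the address, port and ACL numbers are constructed, and the depth-first ordering used for auto is a simplified assumption (narrowest address match first) that stands in for the device's own algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An address spec as typed on the CLI: (address, wildcard mask), e.g. ("10.1.1.0", "0.0.0.255")
Wildcard = Tuple[str, str]

# Equivalent CLI sequence for the constructed ACL 3000 built in the test below
# (syntax from the procedure on this page; the argument to display acl is assumed):
#   system-view
#   acl number 3000 match-order config
#   rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq 22
#   rule deny ip source 10.1.1.0 0.0.0.255
#   rule permit ip
#   display acl 3000


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    source: Optional[Wildcard]       # None means "any"
    destination: Optional[Wildcard]  # None means "any"
    dest_port: Optional[int]         # only the "eq" operator is modelled

    def statement(self):
        """Everything except the rule id: two rules with equal statements are duplicates."""
        return (self.action, self.protocol, self.source, self.destination, self.dest_port)

    def specificity(self) -> int:
        """Number of address bits the rule actually checks; higher means a narrower match."""
        bits = 0
        for spec in (self.source, self.destination):
            if spec is not None:
                bits += 32 - bin(_to_int(spec[1])).count("1")
        return bits

    def matches(self, src: str, dst: str, protocol: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        for spec, addr in ((self.source, src), (self.destination, dst)):
            if spec is not None:
                base, wildcard = _to_int(spec[0]), _to_int(spec[1])
                # A wildcard bit of 1 means "don't care", exactly as the CLI mask is read
                if (_to_int(addr) & ~wildcard) != (base & ~wildcard):
                    return False
        if self.dest_port is not None and self.dest_port != dst_port:
            return False
        return True


class AdvancedACL:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        if not 3000 <= number <= 3999:
            raise ValueError("advanced IPv4 ACLs are numbered 3000 to 3999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order is config or auto")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: Dict[int, Rule] = {}

    def rule(self, action: str, protocol: str, *, rule_id: Optional[int] = None,
             source: Optional[Wildcard] = None, destination: Optional[Wildcard] = None,
             dest_port: Optional[int] = None) -> int:
        """Create or modify a rule (the 'rule [ rule-id ] { deny | permit } ...' step); returns the id."""
        if rule_id is None:
            # Assumption: the first rule gets id 0, later ones the smallest multiple of the
            # step above the current highest id (so 0, 5, 10 with the default step of 5)
            highest = max(self.rules, default=-1)
            rule_id = 0 if highest < 0 else (highest // self.step + 1) * self.step
        elif rule_id in self.rules and self.match_order == "auto":
            raise ValueError("rules cannot be modified when match-order is auto")
        new = Rule(rule_id, action, protocol, source, destination, dest_port)
        for existing in self.rules.values():
            if existing.rule_id != rule_id and existing.statement() == new.statement():
                raise ValueError(f"rule {existing.rule_id} already has this permit/deny statement")
        self.rules[rule_id] = new
        return rule_id

    def ordered_rules(self) -> List[Rule]:
        """Rules in match order, i.e. what display acl shows: by id for config, depth-first for auto."""
        if self.match_order == "config":
            return [self.rules[i] for i in sorted(self.rules)]
        # Simplified depth-first order: narrowest address match first, rule id breaks ties
        return sorted(self.rules.values(), key=lambda r: (-r.specificity(), r.rule_id))

    def evaluate(self, src: str, dst: str, protocol: str, dst_port: Optional[int] = None):
        """First-match evaluation; returns (action, rule_id), or None when no rule matches."""
        for r in self.ordered_rules():
            if r.matches(src, dst, protocol, dst_port):
                return r.action, r.rule_id
        return None
```

The point to take from the model is the second ACL in the test: the same two rules give a different verdict under config and auto order, because auto puts the narrower deny ahead of the catch-all permit regardless of the order they were entered in. Checking display acl after configuration, as the note advises, is how you confirm which order the device will actually apply.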
