Configuration examples, Configuring an advanced ipv4 acl – H3C Technologies H3C WX6000 Series Access Controllers User Manual


41-3

To do: Create or modify a rule
Use the command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-name ] *
Remarks: Required. To create multiple rules, repeat this step. Note that the logging keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification.

To do: Set a rule numbering step
Use the command: step step-value
Remarks: Optional. The default step is 5.

To do: Create an IPv4 ACL description
Use the command: description text
Remarks: Optional. By default, no IPv4 ACL description is present.

To do: Create a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, no rule description is present.

Note that:

• You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

• You may use the display acl command to verify the rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in depth-first match order rather than by rule number.

• You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.

• The rule specified in the rule comment command must already exist.

Configuration Examples

# Create IPv4 ACL 2000 to deny packets with source address 1.1.1.1.

<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

# Verify the configuration.

[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, named -none-, 1 rule,
ACL's step is 5
rule 0 deny source 1.1.1.1 0
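The following Python model is an added illustration and is not H3C code; it exists because the Comware CLI above cannot be executed off-box. It reproduces the behaviour the table and notes describe for a basic IPv4 ACL: rule IDs assigned in multiples of the step (default 5), rejection of a rule whose permit/deny statement duplicates an existing one, the restriction that match order can only be changed while the ACL is empty and rules cannot be modified under auto order, and the difference between config order (by rule number) and auto (depth-first) order when checking a source address against wildcard-masked rules. Assumptions made here: the lowest free multiple of the step is used for an unnumbered rule, depth-first means "most specific source mask first, any last, ties by rule ID", the display output is only approximated, and a packet matching no rule is reported as "no-match" (what the device then does depends on where the ACL is applied, which this page does not cover). The fragment, logging and time-range keywords are left out of the model.

```python
"""Simplified model of a Comware-style basic IPv4 ACL (added illustration, not H3C code).
Assumed: rule IDs are the lowest free multiple of the step (default 5); a duplicate
permit/deny statement is rejected; auto order = most specific source mask first, any last."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def _to_int(addr: str) -> int:
    # The CLI example writes the wildcard as a bare "0"; treat it as 0.0.0.0
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str              # "permit" or "deny"
    source: Optional[int]    # source address as an integer; None means 'any'
    wildcard: int = 0        # wildcard mask: 1 bits are "don't care", all-zero is an exact match

    def statement(self):     # everything except the rule ID: must be unique within the ACL
        return (self.action, self.source, self.wildcard)

    def matches(self, src_ip: str) -> bool:
        if self.source is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF   # bits that must be equal
        return (int(IPv4Address(src_ip)) & care) == (self.source & care)

    def specificity(self) -> int:   # address bits that must match; 'any' sorts last
        return -1 if self.source is None else 32 - bin(self.wildcard).count("1")

    def render(self) -> str:
        if self.source is None:
            return f"rule {self.rule_id} {self.action} source any"
        wc = "0" if self.wildcard == 0 else str(IPv4Address(self.wildcard))
        return f"rule {self.rule_id} {self.action} source {IPv4Address(self.source)} {wc}"


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []

    def set_match_order(self, order: str) -> None:
        if self.rules:   # the manual: changeable only while the ACL holds no rules
            raise ValueError("match order cannot be changed once the ACL contains rules")
        self.match_order = order

    def add_rule(self, action: str, source: str = "any", wildcard: str = "0",
                 rule_id: Optional[int] = None) -> Rule:
        src = None if source == "any" else _to_int(source)
        wc = 0 if source == "any" else _to_int(wildcard)
        if any(r.statement() == (action, src, wc) for r in self.rules):
            raise ValueError("a rule with exactly the same permit/deny statement already exists")
        used = {r.rule_id for r in self.rules}
        if rule_id is None:                 # lowest free multiple of the step: 0, 5, 10, ...
            rule_id = 0
            while rule_id in used:
                rule_id += self.step
        elif rule_id in used:               # re-issuing an existing ID modifies that rule
            if self.match_order == "auto":
                raise ValueError("rules cannot be modified while the match order is auto")
            self.rules = [r for r in self.rules if r.rule_id != rule_id]
        rule = Rule(rule_id, action, src, wc)
        self.rules.append(rule)
        return rule

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":    # by rule number
            return sorted(self.rules, key=lambda r: r.rule_id)
        return sorted(self.rules, key=lambda r: (-r.specificity(), r.rule_id))  # depth-first

    def check(self, src_ip: str) -> str:   # action of the first matching rule, or 'no-match'
        for r in self.ordered_rules():
            if r.matches(src_ip):
                return r.action
        return "no-match"

    def display(self) -> str:   # approximation of the display acl output shown above
        n = len(self.rules)
        head = [f"Basic ACL {self.number}, named -none-, {n} rule{'s' if n != 1 else ''},",
                f"ACL's step is {self.step}"]
        return "\n".join(head + [r.render() for r in self.ordered_rules()])


def demo() -> dict:
    """Replays the manual's ACL 2000 example, then exercises the notes above it."""
    acl = BasicAcl(2000)
    acl.add_rule("deny", "1.1.1.1", "0")                 # becomes rule 0
    out = {"display": acl.display(), "host_1_1_1_1": acl.check("1.1.1.1")}
    try:
        acl.add_rule("deny", "1.1.1.1", "0")             # identical statement: must fail
        out["duplicate_rejected"] = False
    except ValueError:
        out["duplicate_rejected"] = True
    acl.add_rule("permit", "1.1.1.0", "0.0.0.255")       # becomes rule 5 with the default step
    out["rule_ids"] = [r.rule_id for r in acl.ordered_rules()]
    out["host_1_1_1_2"] = acl.check("1.1.1.2")
    out["host_10_0_0_1"] = acl.check("10.0.0.1")
    return out


def match_order_demo() -> dict:
    """Same two rules, opposite verdict for 1.1.1.1 depending on the match order."""
    verdicts = {}
    for order in ("config", "auto"):
        acl = BasicAcl(2001, match_order=order)
        acl.add_rule("permit", "1.1.1.0", "0.0.0.255")   # rule 0: the whole 1.1.1.0/24
        acl.add_rule("deny", "1.1.1.1", "0")             # rule 5: a single host inside it
        verdicts[order] = acl.check("1.1.1.1")
    return verdicts
```

match_order_demo() is the point to take away: with the same two rules, config order lets the broader permit at rule 0 win for 1.1.1.1, while auto order evaluates the host-specific deny first. That is why the note above warns that display acl lists rules in depth-first order under auto, and why reviewing an ACL by rule number alone can mislead when the match order is auto.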

Configuring an Advanced IPv4 ACL

Advanced IPv4 ACLs filter packets based on source IP address, destination IP address, protocol carried on IP, and other protocol header fields, such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP message code.
