Configuring An Advanced Ipv4 Acl; Configuration Prerequisites; Configuration Procedure - H3C S9500 Operation Manual

Operation Manual – ACL
H3C S9500 Series Routing Switches
# Verify the configuration.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL
ACL's step is 5
rule 0 deny source 1.1.1.1 0 (5 times matched)

2.3 Configuring an Advanced IPv4 ACL

Advanced IPv4 ACLs filter packets based on source IP address, destination IP address,
protocol carried on IP, and other protocol header fields, such as the TCP/UDP source
port, TCP/UDP destination port, TCP flag, ICMP message type, and ICMP message
code.
In addition, advanced IPv4 ACLs allow you to filter packets based on three priority
criteria: type of service (ToS), IP precedence, and differentiated services codepoint
(DSCP) priority.
Advanced IPv4 ACLs are numbered in the range 3000 to 3999. Compared with basic
IPv4 ACLs, they allow of more flexible and accurate filtering.

2.3.1 Configuration Prerequisites

If you want to reference a time range to a rule, define it with the time-range command
first.

2.3.2 Configuration Procedure

Follow these steps to configure an advanced IPv4 ACL:
To do...
Enter system
view
Create and enter
advanced IPv4
ACL view
Create or modify
a rule
2000, 1 rule,
Use the command...
system-view
acl number acl-number [ match-order
{ auto | config } ]
rule [ rule-id ] { deny | permit } protocol
[ destination { dest-addr dest-wildcard
| any } | destination-port operator
port1 [ port2 ] | dscp dscp | established
| fragment | icmp-type { icmp-type
icmp-code | icmp-message } | logging |
precedence precedence | reflective |
source { sour-addr sour-wildcard |
any } | source-port operator port1
[ port2 ] | time-range time-name | tos
tos | vpn-instance
vpn-instance-name ] *
Chapter 2 IPv4 ACL Configuration
2-4
Remarks
––
Required
The default match
order is config.
Required
To create multiple
rules, repeat this
step.