Step
5.
Create or edit a
rule.
6.
Add or edit a rule
comment.
7.
Add or edit a rule
range remark.
8.
Enable counting
ACL rule matches
performed in
hardware.
Configuring an advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet
priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and
destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
Step
1.
Enter system
view.
2.
Create an IPv4
advanced ACL
and enter its
view.
3.
Configure a
description for
the IPv4
advanced ACL.
4.
Set the rule
numbering step.
Command
rule [ rule-id ] { deny |
permit } [ counting |
fragment | logging |
routing [ type routing-type ]
| source { ipv6-address
prefix-length |
ipv6-address/prefix-length
| any } | time-range
time-range-name ] *
rule rule-id comment text
rule [ rule-id ] remark text
hardware-count enable
Command
system-view
acl number acl-number [ name
acl-name ] [ match-order { auto
| config } ]
description text
step step-value
6
Remarks
By default, an IPv6 basic ACL does not contain any
rule.
If the ACL is for QoS traffic classification or packet
filtering, do not specify the fragment and routing
keywords. The keywords can cause ACL application
failure.
The logging and counting keywords (even if
specified) do not take effect for QoS.
Optional.
By default, no rule comments are configured.
Optional.
By default, no rule range remarks are configured.
Optional.
Disabled by default.
When the ACL is referenced by a QoS policy, this
command does not take effect.
Remarks
N/A
By default, no ACL exists.
IPv4 advanced ACLs are numbered in the range of
3000 to 3999.
You can use the acl name acl-name command to
enter the view of a named IPv4 ACL.
Optional.
By default, an IPv4 advanced ACL has no ACL
description.
Optional.
The default setting is 5.