Configuring An Advanced Acl - H3C S5120-EI Series Configuration Manual

You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name
acl6-name ] match-order { auto | config } command but only when it does not contain any rules.

Configuring an Advanced ACL

Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP,
and other protocol header information, such as TCP/UDP source and destination port numbers, TCP
flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service
(ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
To do...
Enter system view
Create an IPv4 advanced ACL and
enter its view
Configure a description for the
IPv4 advanced ACL
Set the rule numbering step
Use the command...
system-view
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
description text
step step-value
1-9
Remarks
––
Required
By default, no ACL exists.
IPv4 advanced ACLs are
numbered in the range 3000 to
3999.
You can use the acl name
acl-name command to enter the
view of an existing named IPv4
ACL.
Optional
By default, an IPv4 advanced ACL
has no ACL description.
Optional
5 by default.