Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on the following criteria:
- Source IP addresses.
- Destination IP addresses.
- Packet priorities.
- Protocol numbers.
- Other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable outbound packet matching for rules with the established keyword. | acl-outbound-enhance enable | By default, outbound packet matching for rules with the established keyword is disabled. |
| 3. Create an IPv4 advanced ACL and enter its view. | acl advanced { acl-number \| name acl-name } [ match-order { auto \| config } ] or acl number acl-number [ match-order { auto \| config } ] | By default, no ACLs exist. The value range for a numbered IPv4 advanced ACL is 3000 to 3999. Use the acl number acl-number or acl advanced acl-number command to create a numbered IPv4 advanced ACL or to enter its view. Use the acl advanced name acl-name command to enter the view of a named IPv4 advanced ACL. |
| 4. (Optional.) Configure a description for the IPv4 advanced ACL. | description text | By default, an IPv4 advanced ACL does not have a description. |
| 5. (Optional.) Set the rule numbering step. | step step-value [ start start-value ] | By default, the rule numbering step is 5 and the start rule ID is 0. |
| 6. Create or edit a rule. | rule [ rule-id ] { deny \| permit } protocol [ { { ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * \| established } \| counting \| destination { dest-address dest-wildcard \| any } \| destination-port operator port1 [ port2 ] \| { dscp dscp \| { precedence precedence \| tos tos } * } \| fragment \| icmp-type { icmp-type [ icmp-code ] \| icmp-message } \| logging \| source { source-address source-wildcard \| any } \| source-port operator port1 [ port2 ] \| time-range time-range-name ] * | By default, no IPv4 advanced ACL rules exist. The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging. If an ACL is for QoS traffic classification or packet filtering, do not specify neq for the operator argument. |
| 7. (Optional.) Add or edit a rule comment. | rule rule-id comment text | By default, no rule comment is configured. |
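The steps above combined into one configuration session, as an added example that is not part of the original page: an Internet-edge ACL that admits only return TCP traffic, new HTTPS connections to a single web server, and ICMP echo replies, then denies and logs the rest. The ACL number, the host address 10.1.1.10, and the rule IDs are constructed values; acl-outbound-enhance enable is included on the assumption that the ACL may later be applied outbound.

```text
system-view
# Needed only when an ACL using the established keyword is applied outbound (assumed here).
acl-outbound-enhance enable
# Numbered advanced ACL (valid range 3000 to 3999); rules are evaluated in configuration order.
acl advanced 3000 match-order config
 description Internet-edge inbound filter for web server (constructed example)
 # Number rules 10, 20, 30 ... so later insertions fit between existing rules.
 step 10 start 10
 # Return traffic of connections initiated from inside: TCP segments with ACK or RST set.
 rule 10 permit tcp established
 # New connections are allowed only to the web server (wildcard 0 = exact host) on TCP 443.
 rule 20 permit tcp destination 10.1.1.10 0 destination-port eq 443
 # Let outbound pings get their replies; count matches for troubleshooting.
 rule 30 permit icmp icmp-type echo-reply counting
 # Deny and log everything else explicitly instead of relying on the filter's default action.
 # (logging only takes effect if the module applying the ACL supports it.)
 rule 40 deny ip logging
 rule 40 comment Drop and log unsolicited inbound traffic
```

Applying the ACL to an interface (packet filtering) is covered elsewhere and is not shown; rule 20 precedes rule 40 because match-order config evaluates rules strictly in the order configured.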