3Com WX3000 Configuring Advanced ACL

1-6

rule 0 deny source 192.168.0.1 0

Configuring Advanced ACL

An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried

by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message

type and message code.

An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL 3999 cannot be

configured because they are reserved for cluster management.

Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS)

priority, IP priority and differentiated services codepoint (DSCP) priority.

Using advanced ACLs, you can define classification rules that are more accurate, more abundant, and

more flexible than those defined for basic ACLs.

Configuration Prerequisites

z To configure a time range-based advanced ACL rule, you need to create the corresponding time

ranges first. For information about of time range configuration, refer to Configuring Time Range.

z The settings to be specified in the rule, such as source and destination IP addresses, the protocols

carried by IP, and protocol-specific features, are determined.

Configuration Procedure

Follow these steps to define an advanced ACL rule:

To do… Use the command… Remarks

Enter system view system-view —

Create an advanced

ACL and enter

advanced ACL view

acl number acl-number

[ match-order { auto | config } ] Required

config by default

Define an ACL rule rule [ rule-id ] { permit | deny }

protocol [ rule-string ]

Required

For information about protocol and

rule-string, refer to ACL Command.

Assign a description

string to the ACL rule rule rule-id comment text Optional

No description by default

Assign a description

string to the ACL description text Optional

No description by default

Note that:

z With the config match order specified for the advanced ACL, you can modify any existent rule. The

unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot

modify any existent rule; otherwise the system prompts error information.

z If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered

automatically. If the ACL has no rules, the rule is numbered 0; otherwise, it is the maximum rule

number plus one.

z The content of a modified or created rule cannot be identical with the content of any existing rules;

otherwise the rule modification or creation will fail, and the system prompts that the rule already

exists.