3com 8807 User Guide
174 CHAPTER 21: ACL CONFIGURATION
■ If the time-range keyword is not selected, the ACL will be effective at any time after being activated.

■ You can define multiple sub rules for the ACL by using the rule command several times.

■ When the QoS/ACL action is configured under the port, if the QoS/ACL is applied without sub rules, the QoS/ACL is matched as per the matching order defined in the ACL rule; if applied with specific sub rules, the QoS/ACL is matched as per the sequence applied under the port.

■ By default, ACL rules are matched in config order.

■ If you want to replace an existing rule, you are recommended to use the undo command to delete the original rule first and then reconfigure the rule.
Defining basic ACL

Basic ACLs only make rules and process packets according to the source IP addresses.

Perform the following configurations in the specified views.

Table 151 Define basic ACL

Operation: Enter basic ACL view (system view)
Command:   acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

Operation: Define an ACL rule (basic ACL view)
Command:   rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ]*

Operation: Delete an ACL rule (basic ACL view)
Command:   undo rule rule-id [ source | fragment | time-range | vpn-instance instance-name ]*

Operation: Delete an ACL or all ACLs (system view)
Command:   undo acl { number acl-number | name acl-name | all }

Defining advanced ACL

Advanced ACLs define classification rules and process packets according to the attributes of the packets such as source and destination IP addresses, TCP/UDP ports used, and packet priority. ACLs support three types of priority schemes: ToS (type of service) priority, IP priority and DSCP priority.

Perform the following configurations in the specified view.

Table 152 Define advanced ACL

Operation: Enter advanced ACL view (system view)
Command:   acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]

Operation: Define an ACL rule (advanced ACL view)
Command:   rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ bt-flag ] [ time-range name ] [ vpn-instance instance-name ]
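The following Python model is an added example, not code from the 3Com manual or from the switch firmware. It parses basic ACL rules written in the `rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } ] [ fragment ]` syntax of Table 151 and evaluates a packet's source address against them, so that the difference between config order and auto order from the notes above can be observed on sample rules. It makes three assumptions the page does not state: a wildcard bit set to 1 means "don't care"; config order is the order in which the rules were entered; and auto order is modelled as depth-first, that is, rules with fewer don't-care bits are tried first. An omitted rule-id is assigned as the previous highest id plus 5 (also an assumption). The page's advice to undo a rule before reconfiguring it is enforced by refusing a duplicate rule-id.

```python
"""Model of 3Com 8807 basic ACL rule matching (added example, not vendor code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the Table 151 grammar:
#   rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } ] [ fragment ]
RULE_RE = re.compile(
    r"^\s*rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?:any|(?P<addr>[\d.]+)\s+(?P<wc>[\d.]+)))?"
    r"(?P<frag>\s+fragment)?\s*$"
)

ANY_WILDCARD = 0xFFFFFFFF  # every bit "don't care" == source any


@dataclass
class BasicRule:
    rule_id: int
    action: str          # "permit" or "deny"
    addr: int            # source-addr as a 32-bit integer
    wildcard: int        # assumption: a 1 bit in the wildcard means "don't care"
    fragment_only: bool  # 'fragment' keyword: rule applies to fragments only

    def matches(self, src_ip: str, is_fragment: bool = False) -> bool:
        if self.fragment_only and not is_fragment:
            return False
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(src_ip)) & care) == (self.addr & care)

    def dont_care_bits(self) -> int:
        # Fewer don't-care bits == more specific rule (used for auto order)
        return bin(self.wildcard).count("1")


class BasicAcl:
    def __init__(self, match_order: str = "config"):
        # match-order { config | auto }; the page says config is the default
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be config or auto")
        self.match_order = match_order
        self.rules: List[BasicRule] = []  # kept in configuration (entry) order

    def rule(self, line: str) -> BasicRule:
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        if m.group("id") is not None:
            rule_id = int(m.group("id"))
        else:
            # Assumption: an omitted rule-id becomes the previous highest id + 5
            rule_id = max((r.rule_id for r in self.rules), default=0) + 5
        if any(r.rule_id == rule_id for r in self.rules):
            # Mirrors the page: undo the existing rule first, then reconfigure it
            raise ValueError(f"rule {rule_id} exists; 'undo rule {rule_id}' first")
        if m.group("addr"):
            addr = int(ipaddress.IPv4Address(m.group("addr")))
            wildcard = int(ipaddress.IPv4Address(m.group("wc")))
        else:
            addr, wildcard = 0, ANY_WILDCARD  # 'source any' or no source clause
        r = BasicRule(rule_id, m.group("action"), addr, wildcard, m.group("frag") is not None)
        self.rules.append(r)
        return r

    def undo_rule(self, rule_id: int) -> None:
        # undo rule rule-id
        self.rules = [r for r in self.rules if r.rule_id != rule_id]

    def lookup(self, src_ip: str, is_fragment: bool = False) -> Optional[str]:
        """Return the action of the first matching rule, or None if nothing matches."""
        order = self.rules
        if self.match_order == "auto":
            # Assumption: auto == depth-first, most specific rule first, ties by rule-id
            order = sorted(self.rules, key=lambda r: (r.dont_care_bits(), r.rule_id))
        for r in order:
            if r.matches(src_ip, is_fragment):
                return r.action
        return None  # no match: what happens next depends on where the ACL is applied


# Constructed sample rules: rule 5 is broad, rule 10 is a narrower deny inside it
SAMPLE_RULES = [
    "rule 5 permit source 10.1.0.0 0.0.255.255",
    "rule 10 deny source 10.1.1.0 0.0.0.255",
    "rule deny source any fragment",   # becomes rule 15
    "rule permit source any",          # becomes rule 20
]


def build(match_order: str) -> BasicAcl:
    acl = BasicAcl(match_order)
    for line in SAMPLE_RULES:
        acl.rule(line)
    return acl


if __name__ == "__main__":
    for order in ("config", "auto"):
        acl = build(order)
        print(order, "10.1.1.7 ->", acl.lookup("10.1.1.7"))
        print(order, "192.0.2.1 fragment ->", acl.lookup("192.0.2.1", is_fragment=True))
```

With config order the broad permit in rule 5 hides the narrower deny in rule 10 for 10.1.1.7; with auto order the more specific rule 10 is consulted first and the packet is denied. That is exactly the kind of ordering surprise the note about config order above is warning about, and the script lets you check a rule set before applying it.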