Brief Introduction to ACL 131
â– If ACL is used to filter or classify the data transmitted by the hardware of the
Switch, the match order defined in the acl command will not be effective. If
ACL is used to filter or classify the data treated by the software of the Switch,
the match order of ACL’s sub-rules will be effective. Once the user specifies the
match-order of an ACL rule, he cannot modify it later.
â– The default matching-order of ACL is config, that is, following the order as that
configured by the user.
Define Basic ACL
The rules of the basic ACL are defined on the basis of the Layer-3 source IP address
to analyze the data packets.
You can use the following command to define basic ACL.
Perform the following configuration in the corresponding view.
Tab le 128 Define Basic ACL
Define Advanced ACL
The rules of the classification for advanced ACL are defined on the basis of the
attributes such as source and destination IP address, the TCP or UDP port number
in use and packet priority to process the data packets. The advanced ACL supports
the analysis of three types of packet priorities, ToS (Type of Service), IP and DSCP
priorities.
You can use the following command to define advanced ACL.
Perform the following configuration in the corresponding view.
Tab le 129 Define Advanced ACL
Operation Command
Enter basic ACL view (from System
View)
acl number acl_number [ match-order {
config | auto } ]
add a sub-item to the ACL (from
Basic ACL View)
rule [ rule_id ] { permit | deny } [
source { source_addr wildcard | any } |
fragment ]*
delete a sub-item from the ACL (from
Basic ACL View)
undo rule rule_id [ source | fragment
]*
Delete one ACL or all the ACL (from
System View)
undo acl { number acl_number | all }
Operation Command
Enter advanced ACL view (from
System View)
acl number acl_number [ match-order {
config | auto } ]
Add a sub-item to the ACL (from
Advanced ACL View)
rule [ rule_id ] { permit | deny }
protocol [ source { source_addr wildcard |
any } ] [ destination { dest_addr wildcard
| any } ] [ source-port operator port1 [
port2 ] ] [ destination-port operator
port1 [ port2 ] ] [ icmp-type type code ] [
established ] [ [ { precedence precedence
tos tos | dscp dscp vpn-instance instance
] fragment ]*
To Next Page
Loading...
Need help?
General