
Ruijie RG-WLAN Series User Manual

Ruijie RG-WLAN Series
1243 pages
Configuration Guide Configuring ACL
Whether the standard IP ACL is a named or a numbered ACL, you can run the following command in standard IP
ACL mode to add an ACE:
[ sn ] { permit | deny } { host source | any | source source-wildcard } [ time-range time-range-name ]
For a numbered standard IP ACL, you can also run the following command in global configuration mode to add an ACE:
access-list acl-id { permit | deny } { host source | any | source source-wildcard } [ time-range tm-rng-name ]
For an extended IP ACL, you can add ACEs as follows:
Whether the extended IP ACL is a named or a numbered ACL, you can run the following command in extended
IP ACL mode to add an ACE:
[ sn ] { permit | deny } protocol { host source | any | source source-wildcard } { host destination | any | destination
destination-wildcard } [ [ precedence precedence [ tos tos ] ] | dscp dscp ] [ fragment ] [ time-range time-range-name ]
For a numbered extended IP ACL, you can also run the following command in global configuration mode to add an ACE:
access-list acl-id { permit | deny } protocol { host source | any | source source-wildcard } { host destination | any |
destination destination-wildcard } [ [ precedence precedence [ tos tos ] ] | dscp dscp ] [ fragment ]
[ time-range time-range-name ]
Applying an IP ACL
By default, the IP ACL is not applied to any interface, that is, the IP ACL does not filter incoming or outgoing IP packets of the
device.
Run the ip access-group { acl-id | acl-name } { in | out } [ reflect ] command in interface configuration mode to apply a
standard or an extended IP ACL to a specified interface. By default, a reflexive ACL is disabled on a router. You can run the
reflect command to enable the reflexive ACL. The working principle of the reflexive ACL is as follows:
a. A temporary ACL is automatically generated based on the L3 and L4 information of the traffic originated by the internal
network. The temporary ACL is created according to the following principles: The IP protocol number remains unchanged, the
source and destination IP addresses are swapped, and the TCP/UDP source and destination ports are also swapped.
b. The router allows traffic to enter the internal network only when the L3 and L4 information of the returned traffic exactly
matches that of the temporary ACL previously created based on the outgoing traffic.
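The following sketch models principles a and b above so the exact-match behaviour can be checked on sample traffic. It is an added example, not code from the manual or from Ruijie; the class and function names are hypothetical, the packets are constructed, and entry aging is not modelled.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: int   # IP protocol number (6 = TCP, 17 = UDP)
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    """Toy model of the reflect behaviour; entry aging is not modelled."""
    def __init__(self) -> None:
        self.temp_entries: set[Packet] = set()

    def outbound(self, pkt: Packet) -> None:
        # (a) Protocol unchanged, addresses swapped, ports swapped.
        self.temp_entries.add(Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permitted(self, pkt: Packet) -> bool:
        # (b) Return traffic must match a temporary entry exactly.
        return pkt in self.temp_entries

def replay(events):
    """Feed ("out"|"in", Packet) events through the ACL; return inbound verdicts."""
    acl, verdicts = ReflexiveAcl(), []
    for direction, pkt in events:
        if direction == "out":
            acl.outbound(pkt)
        else:
            verdicts.append(acl.inbound_permitted(pkt))
    return verdicts

# Constructed sample traffic: an internal host opens one HTTPS session.
SAMPLE = [
    ("in",  Packet(6, "198.51.100.7", 443, "10.0.0.5", 51000)),   # before any outbound: denied
    ("out", Packet(6, "10.0.0.5", 51000, "198.51.100.7", 443)),
    ("in",  Packet(6, "198.51.100.7", 443, "10.0.0.5", 51000)),   # exact reply: permitted
    ("in",  Packet(6, "198.51.100.7", 443, "10.0.0.5", 51001)),   # wrong port: denied
    ("in",  Packet(17, "198.51.100.7", 443, "10.0.0.5", 51000)),  # wrong protocol: denied
    ("in",  Packet(6, "203.0.113.9", 443, "10.0.0.5", 51000)),    # other source: denied
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```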
11.3.2 MAC Extended ACL
The MAC extended ACL implements refined control on incoming and outgoing packets based on the L2 header of packets.
You can permit or deny the entry of specific L2 packets to a network, thus protecting network resources against attacks or
controlling users' access to network resources.
Working Principle
Define a series of MAC access rules in the MAC extended ACL, and then apply the ACL to the incoming or outgoing direction
of an interface. The device checks whether the incoming or outgoing packets match the rules and accordingly forwards or
blocks these packets.
To configure a MAC extended ACL, you must specify a unique name or ID that identifies this ACL. The
following table lists the range of IDs that identify MAC extended ACLs.
