Configuration Guide Configuring ACL
For an individual expert extended ACL, multiple independent statements can be used to define multiple rules. All statements
reference the same ID or name so that these statements are bound with the same ACL.
If rules in an expert extended ACL are not defined specifically for IPv6 packets, that is, the Ethernet type is not specified
or the value of the Ethernet type field is not 0x86dd, the expert extended ACL does not filter IPv6 packets. If you want to
filter IPv6 packets, use the IPv6 extended ACL.
Implicit "Deny All Traffic" Rule Statement
At the end of every expert extended ACL is an implicit "deny all traffic" rule statement. Therefore, if a packet does not match
any rule, the packet will be denied.
For example:
access-list 2700permit 0x0806 any any any any any
This ACL permits only ARP packets whose Ethernet type is 0x0806, and denies all other types of packets. This is because
the following statement exists at the end of this ACL: access-list 2700 deny any any any any.
Related Configuration
Configuring an Expert Extended ACL
By default, no expert extended ACL is configured on a device.
Run the expert access-list extended {acl-name | acl-id } command in global configuration mode to create an expert
extended ACL and enter expert extended ACL mode.
Adding ACEs to an Expert Extended ACL
By default, a newly created expert extended ACL contains an implicit ACE that denies all packets. This ACE is hidden from
users, but takes effect when the ACL is applied to an interface. That is, all L2 packets will be discarded. Therefore, if you
want the device to receive or send some specific L2 packets, add some ACEs to the ACL.
You can add ACEs to an expert extended ACL as follows:
No matter whether the expert extended ACL is a named or numbered ACL, you can run the following command in
expert extended ACL mode to add an ACE:
[sn] { permit | deny } [ protocol| [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner in ] ] ]
{ sourcesource-wildcard | hostsource | any } { host source-mac-address | any } { destination destination-wildcard |
hostdestination | any } { host destination-mac-address | any } [ precedenceprecedence ] [ tos tos ] [ fragment ]
[ rangelowerupper ] [ time-rangetime-range-name ]]
For a numbered expert extended ACL, you can also run the following command in expert extended ACL mode to add
an ACE:
access-list acl-id { permit | deny } [ protocol| [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner in ] ] ]
{ sourcesource-wildcard | hostsource | any } { host source-mac-address | any } { destination destination-wildcard |
hostdestination | any } { host destination-mac-address | any } [ precedenceprecedence ] [ tos tos ] [ fragment ]
[ rangelowerupper ] [ time-rangetime-range-name ]]
To Next Page
Loading...
Need help?
General
