Configuration Guide Configuring ACL
Add ACEs to a standard IP ACL.
Use either of the following methods to add ACEs to a standard IP ACL:
[ sn ] { permit | deny } { host source | any | source source-wildcard } [ time-range time-range-name ]
sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
host source: Indicates that IP packets sent from a host with the specified source IP address are filtered.
any: Indicates that IP packets sent from any host are filtered.
source source-wildcard: Indicates that IP packets sent from hosts in the specified IP network segment are
filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
Standard IP ACL configuration mode
Run this command to add ACEs in standard IP ACL configuration mode. The ACL can be a named or
numbered ACL.
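The sequence-number rules above can be modeled offline. The following is an added example, not code from this guide or the vendor: it allocates sequence numbers as described and evaluates ACEs in ascending sn order. It assumes the usual inverse-mask meaning of source-wildcard (a 1 bit means "ignore this bit"), that the first ACE in an empty ACL gets the increment as its sn, and that a duplicate sn is rejected; the class name, method names and sample addresses are constructed for illustration.

```python
import ipaddress

class StandardAcl:
    """Offline model of one standard IP ACL: ACEs keyed by sequence number."""

    def __init__(self, increment=10):
        self.increment = increment   # 10 is the default increment stated in the guide
        self.aces = {}               # sn -> (action, source_int, wildcard_int)

    def add(self, action, source, wildcard="0.0.0.0", sn=None):
        """Add an ACE. 'host X' is wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if sn is None:
            # Auto-allocation: sn of the last ACE plus the increment.
            # Assumption: an empty ACL starts at the increment itself.
            sn = (max(self.aces) if self.aces else 0) + self.increment
        if not 1 <= sn <= 2147483647:
            raise ValueError("sequence number out of range")
        if sn in self.aces:
            # Assumption of this model; device behaviour is not stated in the guide.
            raise ValueError(f"sequence number {sn} already in use")
        self.aces[sn] = (action, int(ipaddress.IPv4Address(source)),
                         int(ipaddress.IPv4Address(wildcard)))
        return sn

    def match(self, src_ip):
        """Return (sn, action) of the first matching ACE in ascending sn order, else None."""
        ip = int(ipaddress.IPv4Address(src_ip))
        for sn in sorted(self.aces):
            action, source, wildcard = self.aces[sn]
            care = ~wildcard & 0xFFFFFFFF   # bits that must equal the ACE source
            if (ip & care) == (source & care):
                return sn, action
        return None


def demo():
    """Build a constructed ACL and return the allocated sequence numbers."""
    acl = StandardAcl()
    first = acl.add("permit", "192.168.1.0", "0.0.0.255")    # auto sn 10
    second = acl.add("deny", "0.0.0.0", "255.255.255.255")   # 'any', auto sn 20
    early = acl.add("deny", "192.168.1.66", sn=5)            # 'host', placed ahead of sn 10
    late = acl.add("permit", "10.0.0.1")                     # auto sn 30, after 'deny any'
    return first, second, early, late, acl
```

In the demo, the host ACE appended without a sequence number lands at sn 30, behind the deny-any ACE at sn 20, so it never matches; an explicit sn lower than 20 is needed for it to take effect.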
access-list acl-id { permit | deny } { host source | any | source source-wildcard } [ time-range time-range-name ]
acl-id: Indicates the ID of a numbered ACL. It uniquely identifies an ACL. The value range of acl-id is
100–199 and 1300–1999.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
host source: Indicates that IP packets sent from a host with the specified source IP address are filtered.
any: Indicates that IP packets sent from any host are filtered.
source source-wildcard: Indicates that IP packets sent from hosts in the specified IP network segment are
filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
Standard IP ACL configuration mode
Run this command to add ACEs to a numbered IP ACL in global configuration mode. It cannot be used to
add ACEs to a named IP ACL.