Configuration Guide Configuring ACL
Use the following methods to verify the configuration effects of the expert extended ACL:
If IP-based access rules are configured in an expert extended ACL to permit or deny some IP packets, run the ping
command to verify whether these rules take effect.
If MAC-based access rules are configured in an expert extended ACL to permit or deny some L2 packets (e.g., ARP
packets), also run the ping command to check whether the ACEs of this ACL take effect on the specified interface. For
example, to filter out ARP packets, run the ping command for verification.
If VLAN ID-based access rules are configured in an expert extended ACL to permit or deny some L2 packets in some
network segments (e.g., to prevent communication between VLAN 1 users and VLAN 2 users), ping PCs in VLAN 2 from
a PC in VLAN 1. If the ping operation fails, the rules take effect.
Related Commands
Configuring an Expert Extended ACL
expert access-list extended { acl-name | acl-id }
acl-name: Indicates the name of an expert extended ACL. If this option is configured, a named ACL is
created. The name is a string of 1 to 99 characters. The ACL name cannot start with numbers (0–9), "in", or
"out".
acl-id: Indicates the ID of an expert extended ACL. If this option is configured, a numbered ACL is created.
The value range of acl-id is 2700-2899.
Global configuration mode
Run this command to configure an expert extended ACL and enter expert extended ACL configuration
mode.
Adding ACEs to an Expert Extended ACL
Use either of the following methods to add ACEs to an expert extended ACL:
Add ACEs in expert extended ACL configuration mode.
[sn] { permit | deny } [ protocol | [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner in ] ] ] { source source-wildcard | host source | any } { host source-mac-address | any } { destination destination-wildcard | host destination | any } { host destination-mac-address | any } [ precedence precedence ] [ tos tos ] [ fragment ] [ range lower upper ] [ time-range time-range-name ]
sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
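The following Python model is an added illustration, not vendor code: it reproduces the sequence-number behaviour described for sn (auto-allocation of last sn plus the increment, smaller sn matched first) and evaluates the three verification cases above (ARP filtering, VLAN 1 to VLAN 2 blocking, IP permit) against constructed sample packets. It assumes an empty ACL allocates its first sn as 0 plus the increment, and that an ACL ends with an implicit deny; field names such as `src`, `dst`, `vid` and `ethertype` are the model's own.

```python
from ipaddress import ip_address, ip_network

DEFAULT_INCREMENT = 10  # the page's default step between auto-allocated sequence numbers


class ExpertAcl:
    """Toy model of an expert extended ACL: ACEs ordered by sn, first match wins."""

    def __init__(self, increment=DEFAULT_INCREMENT):
        self.increment = increment
        self.aces = []  # (sn, action, criteria) kept sorted by sn

    def add(self, action, sn=None, **criteria):
        """Add an ACE; without sn, allocate last sn + increment (assumption: empty ACL starts from 0)."""
        if sn is None:
            sn = (self.aces[-1][0] if self.aces else 0) + self.increment
        if any(e[0] == sn for e in self.aces):
            raise ValueError(f"sequence number {sn} already in use")
        self.aces.append((sn, action, criteria))
        self.aces.sort(key=lambda e: e[0])  # smaller sn = higher priority
        return sn

    def sequence_numbers(self):
        return [sn for sn, _, _ in self.aces]

    def match(self, pkt):
        """Return (sn, action) of the first matching ACE; (None, 'deny') models the implicit deny."""
        for sn, action, crit in self.aces:
            if all(_field_matches(k, v, pkt) for k, v in crit.items()):
                return sn, action
        return None, "deny"


def _field_matches(name, want, pkt):
    if want == "any":
        return True
    have = pkt.get(name)
    if name in ("src", "dst"):  # IP criteria never match a packet without an IP header (e.g. ARP)
        return have is not None and ip_address(have) in ip_network(want, strict=False)
    return have == want


def build_demo_acl():
    """Constructed sample ACL mirroring the three verification cases on this page."""
    acl = ExpertAcl()
    acl.add("deny", ethertype=0x0806)                     # sn 10: drop ARP on the interface
    acl.add("deny", vid=1, dst="192.168.2.0/24")          # sn 20: VLAN 1 users cannot reach VLAN 2
    acl.add("permit", src="any", dst="any")               # sn 30: everything else
    acl.add("permit", sn=15, src="192.168.1.10/32", dst="192.168.2.1/32")  # explicit sn 15 beats sn 20
    return acl
```

Because the explicit sn 15 sorts ahead of the auto-allocated sn 20, the single host exception is matched before the VLAN-wide deny, which is exactly the ordering effect the ping tests above are meant to confirm.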