3Com Switch 8800 Advanced Software V5 Configuration Guide
Configuring an Advanced IPv4 ACL 807
■ You will fail to create or modify a rule if its permit/deny statement is exactly the
same as another rule. In addition, if the ACL match order is set to auto rather
than config, you cannot modify ACL rules.
■ When defining ACL rules, you need not always assign them IDs. The system
can automatically assign rule IDs starting with 0 and increasing in certain rule
numbering steps. A rule ID thus assigned is greater than the current highest
rule ID. For example, if the rule numbering step is 5 and the current highest
rule ID is 28, the next rule will be numbered 30. For detailed information about
step, refer to the step command in the Switch 8800 Command Reference
Guide.
■ You may use the display acl command to verify rules configured in an ACL. If
the match order for this ACL is auto, rules are displayed in the depth-first order
rather than by rule number.
CAUTION:
■ You can modify the match order of an ACL with the acl number acl-number
match-order { auto | config } command but only when it does not contain
any rules.
■ The rule specified in the rule comment command must already exist.
■ For common I/O Modules, matching packets against an ACL rule with the
VPN-Instance keyword or the logging keyword specified is not supported.
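The rule-numbering, duplicate-statement, match-order and depth-first points above can be checked against a small model. The following Python is an added illustration written for this page, not 3Com software or a Comware emulator; the depth-first ordering it uses for a basic ACL (rule with the more specific source wildcard first, ties broken by rule ID) and the error messages are assumptions, and the rules it loads are constructed sample data.

```python
"""Illustrative model of basic IPv4 ACL rule bookkeeping (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # dotted-quad source address
    wildcard: str    # wildcard mask; the CLI shorthand "0" means 0.0.0.0 (exact host)


def care_bits(wildcard: str) -> int:
    """Number of address bits the rule compares: wildcard 0 bits are compared, 1 bits are ignored."""
    octets = [int(o) for o in wildcard.split(".")]
    return 32 - sum(bin(o).count("1") for o in octets)


class BasicAcl:
    """Rule table for one basic IPv4 ACL (numbered 2000-2999 on this platform)."""

    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        assert 2000 <= number <= 2999, "basic IPv4 ACLs are numbered 2000-2999"
        assert match_order in ("auto", "config")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []

    def set_match_order(self, order: str) -> None:
        # The guide allows changing the match order only while the ACL holds no rules.
        if self.rules:
            raise ValueError("cannot change match order: ACL already contains rules")
        self.match_order = order

    def next_rule_id(self) -> int:
        """First rule gets 0; afterwards the smallest multiple of the step greater than the
        current highest rule ID (highest 28, step 5 -> 30, as in the guide's example)."""
        if not self.rules:
            return 0
        highest = max(r.rule_id for r in self.rules)
        return (highest // self.step + 1) * self.step

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None) -> Rule:
        # A permit/deny statement identical to an existing rule is rejected.
        for r in self.rules:
            if (r.action, r.source, r.wildcard) == (action, source, wildcard):
                raise ValueError(f"rule {r.rule_id} already has this statement")
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif any(r.rule_id == rule_id for r in self.rules):
            # Re-using an existing ID modifies that rule, which auto order forbids.
            if self.match_order == "auto":
                raise ValueError("cannot modify rules when match order is auto")
            self.rules = [r for r in self.rules if r.rule_id != rule_id]
        rule = Rule(rule_id, action, source, wildcard)
        self.rules.append(rule)
        return rule

    def display_order(self) -> List[int]:
        """Rule IDs in the order 'display acl' lists them: by rule number in config order,
        depth-first (assumed: most specific source first, then rule ID) in auto order."""
        if self.match_order == "config":
            return sorted(r.rule_id for r in self.rules)
        return [r.rule_id for r in
                sorted(self.rules, key=lambda r: (-care_bits(r.wildcard), r.rule_id))]


def attempt(fn: Callable, *args, **kwargs) -> Optional[str]:
    """Run an ACL operation and return the error text instead of raising (None on success)."""
    try:
        fn(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    acl = BasicAcl(2000)
    acl.add_rule("deny", "1.1.1.1", "0")                      # rule 0, as in the example
    acl.add_rule("permit", "10.0.0.0", "0.0.0.255", rule_id=28)
    print("next auto-assigned ID:", acl.next_rule_id())       # 30
    print(attempt(acl.add_rule, "deny", "1.1.1.1", "0"))       # duplicate statement
```

The `attempt` helper exists only so that the rejection cases (duplicate statement, modifying under auto order, changing match order on a non-empty ACL) can be observed as return values rather than tracebacks.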
Configuration Example
# Create IPv4 ACL 2000 with a rule that denies packets with source address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
# Verify the configuration.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule,
Acl’s step is 5
rule 0 deny source 1.1.1.1 0 (5 times matched)
Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP
address, protocol carried on IP, and other protocol header fields, such as the
TCP/UDP source port, TCP/UDP destination port, TCP flag, ICMP message type,
and ICMP message code.
In addition, advanced IPv4 ACLs allow you to filter packets based on three priority
criteria: type of service (ToS), IP precedence, and differentiated services codepoint
(DSCP) priority.
Advanced IPv4 ACLs are numbered in the range 3000 to 3999. Compared with
basic IPv4 ACLs, they allow more flexible and accurate filtering.
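To show how the header fields listed above combine in an advanced IPv4 ACL, the following Python models a five-rule ACL 3000 evaluated in config order (first match wins). It is an added illustration written for this page, not 3Com software: the rule and packet field names, the `established` check (TCP ACK or RST set), the wildcard handling and the choice to return None when no rule matches (leaving the platform default to the caller) are assumptions, and the packets are constructed sample input.

```python
"""Illustrative advanced IPv4 ACL classification (added example, not vendor code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard 0 bits must match, 1 bits are don't-care; CLI shorthand "0" means 0.0.0.0."""
    mask = 0 if wildcard == "0" else ip_to_int(wildcard)
    return (ip_to_int(addr) | mask) == (ip_to_int(rule_addr) | mask)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: int = -1
    icmp_code: int = -1
    dscp: int = 0


@dataclass(frozen=True)
class AdvRule:
    rule_id: int
    action: str                            # "permit" or "deny"
    protocol: str = "ip"                   # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"        # any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"        # any destination
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False              # TCP only: ACK or RST present
    icmp_type: Optional[int] = None
    dscp: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every specified field must match; unspecified fields (None/default) are ignored."""
        if self.protocol != "ip" and self.protocol != p.protocol:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not ({"ack", "rst"} & p.tcp_flags):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        return True


# Constructed sample ACL 3000: protect 10.1.1.0/24, allow SSH to one server.
ACL_3000: List[AdvRule] = [
    AdvRule(0, "permit", "tcp", "10.1.1.0", "0.0.0.255", "192.168.0.10", "0", dport=22),
    AdvRule(5, "permit", "tcp", dst="10.1.1.0", dst_wc="0.0.0.255", established=True),
    AdvRule(10, "deny", "icmp", dst="10.1.1.0", dst_wc="0.0.0.255", icmp_type=8),
    AdvRule(15, "permit", "ip", dscp=46),
    AdvRule(20, "deny", "ip"),
]


def classify(rules: List[AdvRule], pkt: Packet) -> Optional[str]:
    """Config-order evaluation: lowest rule ID that matches decides; None if nothing matches."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.matches(pkt):
            return f"rule {r.rule_id} {r.action}"
    return None


def acl3000_action(pkt: Packet) -> Optional[str]:
    return classify(ACL_3000, pkt)


if __name__ == "__main__":
    ssh = Packet("10.1.1.5", "192.168.0.10", "tcp", 40000, 22, frozenset({"syn"}))
    print(acl3000_action(ssh))   # rule 0 permit
```

Note the position of rule 5 relative to rule 20: because evaluation stops at the first match, the `established` rule must precede the catch-all deny, or no return traffic into 10.1.1.0/24 would ever be permitted.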
Configuration Prerequisites
If you want to reference a time range to a rule, define it with the time-range
command first.
Configuration Procedure
Follow these steps to configure an advanced IPv4 ACL: