14-3
Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:

Step 1. Enter system view.
    Command: system-view
    Remarks: -

Step 2. Create a basic IPv4 ACL and enter its view.
    Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
    Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later.

Step 3. Create or modify a rule.
    Command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
    Remarks: Required. To create or modify multiple rules, repeat this step. Note that the logging keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification.

Step 4. Set the rule numbering step.
    Command: step step-value
    Remarks: Optional. 5 by default.

Step 5. Configure a description for the basic IPv4 ACL.
    Command: description text
    Remarks: Optional. By default, a basic IPv4 ACL has no ACL description.

Step 6. Configure a rule description.
    Command: rule rule-id comment text
    Remarks: Optional. By default, an IPv4 ACL rule has no rule description.
Note that:
• You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
• You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
• When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
• You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
• The rule specified in the rule comment command must already exist.
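The following Python model is an added example, not vendor code and not something that runs on the switch; it reproduces the behaviour the procedure and notes above describe so that the effect of match order, the numbering step and the duplicate-rule restriction can be checked offline. The source wildcard semantics (a 1 bit means "don't care") are standard; the remaining details are assumptions: that auto-numbered rule IDs start at 0 and advance to the next multiple of the step, that match-order config evaluates rules in ascending rule ID order, that depth-first ordering places VPN-bound rules first and then the narrowest source range (fewest 1 bits in the wildcard) with configuration order as the tie-breaker, and that basic IPv4 ACLs are numbered 2000 to 2999.

```python
"""Toy model of a Comware-style basic IPv4 ACL (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    action: str                         # "permit" or "deny"
    source: str = "any"                 # "any" or "sour-addr sour-wildcard"
    vpn_instance: Optional[str] = None
    seq: int = 0                        # configuration order, used as a tie-breaker


def parse_source(source: str) -> Tuple[int, int]:
    """Return (address, wildcard) as 32-bit ints; 'any' is 0.0.0.0 255.255.255.255."""
    if source == "any":
        return 0, 0xFFFFFFFF
    addr, wildcard = source.split()
    if wildcard == "0":                 # CLI shorthand for 0.0.0.0 (a single host)
        wildcard = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def source_matches(rule: Rule, packet_src: str) -> bool:
    """Wildcard semantics: a 1 bit means 'don't care', a 0 bit must match exactly."""
    addr, wildcard = parse_source(rule.source)
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(packet_src)) & care == addr & care


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        assert 2000 <= number <= 2999, "assumed basic IPv4 ACL number range"
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []
        self._seq = 0

    def _next_id(self) -> int:
        # Assumed auto-numbering: 0 first, then the next multiple of step above the highest ID
        if not self.rules:
            return 0
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def _check_unique(self, statement, skip: Optional[Rule] = None) -> None:
        # A rule may not carry the same permit/deny statement as an existing rule
        for r in self.rules:
            if r is not skip and (r.action, parse_source(r.source), r.vpn_instance) == statement:
                raise ValueError(f"rule {r.rule_id} already has this permit/deny statement")

    def rule(self, action: str, source: Optional[str] = None,
             vpn_instance: Optional[str] = None, rule_id: Optional[int] = None) -> int:
        """Create a rule, or modify rule_id if it already exists (config order only)."""
        existing = next((r for r in self.rules if r.rule_id == rule_id), None)
        if existing is not None:
            if self.match_order != "config":
                raise ValueError("rules can only be modified under match-order config")
            # Partial modification: settings not supplied keep their previous values
            new_source = source if source is not None else existing.source
            new_vpn = vpn_instance if vpn_instance is not None else existing.vpn_instance
            self._check_unique((action, parse_source(new_source), new_vpn), skip=existing)
            existing.action, existing.source, existing.vpn_instance = action, new_source, new_vpn
            return existing.rule_id
        new = Rule(rule_id if rule_id is not None else self._next_id(),
                   action, source or "any", vpn_instance, self._seq)
        self._seq += 1
        self._check_unique((new.action, parse_source(new.source), new.vpn_instance))
        self.rules.append(new)
        return new.rule_id

    def ordered(self) -> List[Rule]:
        """Rules in the order they are evaluated; rule IDs are never renumbered."""
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # Assumed depth-first key: VPN-bound rules first, then the narrowest source
        # range (fewest 1 bits in the wildcard), then the earliest configured rule
        return sorted(self.rules, key=lambda r: (r.vpn_instance is None,
                                                 bin(parse_source(r.source)[1]).count("1"),
                                                 r.seq))

    def lookup(self, packet_src: str, vpn_instance: Optional[str] = None) -> Optional[str]:
        """Return the action of the first matching rule, or None when nothing matches."""
        for r in self.ordered():
            if r.vpn_instance not in (None, vpn_instance):
                continue
            if source_matches(r, packet_src):
                return r.action
        return None   # the default action for unmatched traffic is set where the ACL is applied


if __name__ == "__main__":
    # Constructed sample: the same two rules under config and auto match order
    for order in ("config", "auto"):
        acl = BasicAcl(2000, match_order=order)
        acl.rule("permit")                      # rule 0 permit source any
        acl.rule("deny", source="1.1.1.1 0")    # rule 5 deny host 1.1.1.1
        print(order, [r.rule_id for r in acl.ordered()], acl.lookup("1.1.1.1"))
```

Under match-order config the broad permit (rule 0) is evaluated first and 1.1.1.1 is permitted; under auto the host-specific deny (rule 5) is evaluated first even though its ID is higher, which is the behaviour the third note describes.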
Configuration Example
# Configure IPv4 ACL 2000 to deny packets with source address 1.1.1.1.