To do… / Use the command… / Remarks

Set the rule numbering step
  Command: step step-value
  Remarks: Optional. 5 by default.
Create or edit a rule
  Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
  Remarks: Required. By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module using the ACL supports logging.
Configure or edit a rule description
  Command: rule rule-id comment text
  Remarks: Optional. By default, an IPv4 advanced ACL rule has no rule description.
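The following session puts the three rows above together into one IPv4 advanced ACL. It is an added example, not a configuration taken from this manual. The system-view and acl number commands belong to the earlier steps of this procedure, which are not reproduced on this page; the time range named work is assumed to have been defined beforehand with the time-range command, and the display acl command used at the end is likewise not on this page. Addresses, ports and the ACL number are constructed for the example, and lines beginning with # are explanatory notes rather than CLI input.

```text
# Enter system view and create advanced ACL 3000 (assumed earlier steps of
# this procedure, not shown on this page). match-order config means rules
# are compared in the order they are configured, so rule order matters.
<Sysname> system-view
[Sysname] acl number 3000 match-order config

# Number rules 0, 10, 20, ... instead of the default step of 5, leaving
# room to insert rules between existing ones later without renumbering.
[Sysname-acl-adv-3000] step 10

# Explicit rule IDs. Wildcard 0.0.0.255 matches the whole /24; wildcard 0
# pins an exact host. SSH to the bastion is allowed only from the
# management subnet and only while time range "work" (assumed to exist)
# is active.
[Sysname-acl-adv-3000] rule 10 permit tcp source 10.1.1.0 0.0.0.255 destination 10.2.2.10 0 destination-port eq 22 time-range work

# Return traffic of TCP connections initiated from the server subnet;
# "established" replaces listing individual ack/rst flag values.
[Sysname-acl-adv-3000] rule 20 permit tcp source 10.2.2.0 0.0.0.255 destination any established

# ICMP echo request (type 8, code 0) from management to the servers only.
[Sysname-acl-adv-3000] rule 30 permit icmp source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255 icmp-type 8 0

# Drop and log SNMP aimed at the servers from anywhere else. logging only
# takes effect if the module that applies the ACL supports it.
[Sysname-acl-adv-3000] rule 40 deny udp source any destination 10.2.2.0 0.0.0.255 destination-port eq 161 logging

# Explicit catch-all deny so the result does not depend on the default
# action of the module applying the ACL. No rule-id is given, so the ID
# is assigned automatically from the numbering step.
[Sysname-acl-adv-3000] rule deny ip logging

# Attach descriptions to the rules that need explaining.
[Sysname-acl-adv-3000] rule 10 comment SSH to the bastion from the management subnet during work hours
[Sysname-acl-adv-3000] rule 40 comment Log SNMP probes against the server subnet
[Sysname-acl-adv-3000] quit

# Review the resulting rule list and IDs (command not on this page).
[Sysname] display acl 3000
```

Two points to check after entering a configuration like this: with match-order config the first matching rule wins, so the catch-all deny must stay last and any later insertion that should be evaluated before it needs an explicit rule-id below it; and the deny rules only produce log entries where the feature using the ACL (packet filter, QoS policy and so on) supports the logging keyword, so confirm with the output of display acl and the applying module's own counters rather than assuming the logs exist.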
Configuring an IPv6 Advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code. Compared with IPv6 basic ACLs, they allow more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
To do… / Use the command… / Remarks

Enter system view
  Command: system-view
  Remarks: ––

Create an IPv6 advanced ACL and enter its view
  Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
  Remarks: Required. By default, no ACL exists. IPv6 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL.

Configure a description for the IPv6 advanced ACL
  Command: description text
  Remarks: Optional. By default, an IPv6 advanced ACL has no ACL description.

Set the rule numbering step
  Command: step step-value
  Remarks: Optional. 5 by default.