Brief Introduction to ACL
■ If an ACL is used to filter or classify data forwarded by the hardware of the Switch, the match order specified in the acl command has no effect. If the ACL is used to filter or classify data processed by the software of the Switch, the match order of the ACL's sub-rules is effective. Once the user has specified the match order of an ACL, it cannot be modified later.
■ The default match order of an ACL is config, that is, the sub-rules are matched in the order in which the user configured them.
Define Basic ACL
The rules of a basic ACL are defined on the basis of the Layer-3 source IP address only, and the data packets are classified against that address.
You can use the following commands to define a basic ACL.
Perform the following configuration in the corresponding view.

Table 135  Define Basic ACL

Operation                                              Command
Enter basic ACL view (from System View)                acl number acl_number [ match-order { config | auto } ]
Add a sub-item to the ACL (from Basic ACL View)        rule [ rule_id ] { permit | deny } [ source { source_addr wildcard | any } | fragment ]*
Delete a sub-item from the ACL (from Basic ACL View)   undo rule rule_id [ source | fragment ]*
Delete one ACL or all ACLs (from System View)          undo acl { number acl_number | all }

Define Advanced ACL
The classification rules of an advanced ACL are defined on the basis of attributes such as the source and destination IP addresses, the TCP or UDP port numbers in use, and the packet priority, and the data packets are processed according to these attributes. The advanced ACL supports the analysis of three types of packet priority: ToS (Type of Service), IP precedence and DSCP.
You can use the following commands to define an advanced ACL.
Perform the following configuration in the corresponding view.

Table 136  Define Advanced ACL

Operation                                              Command
Enter advanced ACL view (from System View)             acl number acl_number [ match-order { config | auto } ]
Add a sub-item to the ACL (from Advanced ACL View)     rule [ rule_id ] { permit | deny } protocol
                                                       [ source { source_addr wildcard | any } ]
                                                       [ destination { dest_addr wildcard | any } ]
                                                       [ source-port operator port1 [ port2 ] ]
                                                       [ destination-port operator port1 [ port2 ] ]
                                                       [ icmp-type type code ] [ established ]
                                                       [ [ { precedence precedence | tos tos } | dscp dscp ]
                                                       | vpn-instance instance | fragment ]*