Configuring an Advanced ACL Rule

Advanced ACL rules are defined based on packets' source IP address, destination IP address, protocol type carried over IP, source port, and destination port to filter packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name advance-acl-name { advance | [ advance ] number advance-acl-number } | [ number ] advance-acl-number } [ match-order { config | auto } ]

    The advanced ACL view is displayed.

  3. Run any of the following commands to create an ACL rule:

    • Create an advanced ACL rule when protocol is UDP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Create an advanced ACL rule when protocol is TCP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Create an advanced ACL rule when protocol is ICMP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Create an advanced ACL rule when protocol is any protocol except TCP, UDP, and ICMP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { zero | protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    Adding new rules to an ACL will not affect the existing rules.

    When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.

    When you configure an advanced ACL:

    • If no VPN instance is specified, (that is, vpn-instance is not configured in Step 3), the traffic belongs to the public network.

    • If a destination IP address is specified by configuring destination, a destination port number is specified by configuring destination-port, a source IP address is specified by configuring source, and a source port number is specified by configuring source-port, the system filters only packets with the specified destination IP address, destination port number, source IP address, and source port number.

    • If all destination IP addresses, destination port numbers, source IP addresses, and source port numbers are specified by configuring any, the system does not check packets' destination IP addresses, destination port numbers, source IP addresses, and source port numbers, and considers that all packets have matched the rule and directly takes an action (deny or permit) on the packets.

    • If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the rule configuration fails.

  4. (Optional) Run rule rule-id description destext

    The description for an ACL rule is configured.

    The description of an ACL rule can contain the functions of the ACL rule. Configuring a description for an ACL rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used at a long interval, and its function may be left forgotten.

  5. Run commit

    The configuration is committed.

Parent Topic: Configuring an Advanced ACL
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >