Configure Hybrid Extended ACL
A Hybrid extended ACL classifies packets by IP protocol type, source IP address, source MAC address, packet priority, VLAN ID and 802.1p priority, and filters them according to the resulting rules.
Configuration Condition
None
Configure Hybrid Extended ACL
A Hybrid extended ACL can be named either by a number or by a custom character string. When numbers are used, the maximum quantity of ACLs is limited; when custom character strings are used, there is no such limit. The user can choose either naming form as desired. A Hybrid extended ACL is richer, more precise and more flexible than the contents defined separately by an IP ACL and a MAC ACL, but it can only be applied globally and can only filter received packets.
Table 15-10 Configure the Hybrid extended ACL

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Configure the Hybrid extended ACL | hybrid access-list extended { access-list-number \| access-list-name } | Mandatory. By default, no Hybrid extended ACL is configured. The number range of the Hybrid extended ACL is 5001-6000. |
| Configure the permit rule of the ACL | [ sequence ] permit protocol { any \| source-ip-addr source-wildcard \| host source-ip-addr } { any \| source-mac-addr source-wildcard \| host source-mac-addr } [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ cos cos ] [ vlan-id vlan ] [ time-range time-range-name ] | Optional. By default, no permit rule of the ACL is configured. |
| Configure the deny rule of the ACL | [ sequence ] deny protocol { any \| source-ip-addr source-wildcard \| host source-ip-addr } { any \| source-mac-addr source-wildcard \| host source-mac-addr } [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ cos cos ] [ vlan-id vlan ] [ time-range time-range-name ] | Optional. By default, no deny rule of the ACL is configured. |
| Configure the ACL remarks | [ sequence ] remark comment | Optional. By default, no remarks of the ACL are configured. |
- When the hybrid access-list extended command is used to create a Hybrid extended ACL, the ACL is created only after its rules have been configured in Hybrid extended ACL configuration mode.
- Sequence is the order number of a rule within the ACL. The ACL matches and filters packets strictly in order from the smallest sequence to the largest, so the rule with the smallest sequence takes effect first. When no rule matches, the default drop action is executed, that is, every packet not explicitly permitted is dropped.
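As an added illustration (not the switch's own code), the following Python model reproduces the matching semantics described in the notes above: rules are tried from the smallest sequence to the largest, the first match decides, and a packet matching no rule is dropped. The rule strings follow the permit/deny syntax of Table 15-10; the `ip` protocol keyword meaning "any IP protocol", the colon-separated MAC notation, and wildcard-mask semantics where 1 bits are don't-care are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    sequence: int
    action: str          # "permit" or "deny"
    protocol: str        # "ip" (assumed keyword: any IP protocol) or e.g. "tcp"
    ip: str              # "any" | "host A.B.C.D" | "A.B.C.D wildcard"
    mac: str             # "any" | "host MAC" | "MAC wildcard"
    vlan: "int | None" = None

def parse_rule(line):
    """Parse '[sequence] permit|deny protocol <ip-spec> <mac-spec> [vlan-id N]'."""
    tok = line.split()
    seq, action, proto, tok = int(tok[0]), tok[1], tok[2], tok[3:]
    specs = []
    for _ in range(2):                   # IP spec, then MAC spec
        n = 1 if tok[0] == "any" else 2  # "any" is one token, the other forms two
        specs.append(" ".join(tok[:n]))
        del tok[:n]
    vlan = int(tok[1]) if tok[:1] == ["vlan-id"] else None
    return Rule(seq, action, proto, specs[0], specs[1], vlan)

def _ip_int(s): return int(ipaddress.IPv4Address(s))
def _mac_int(s): return int(s.replace(":", "").replace(".", ""), 16)
def _match(spec, value, to_int, width):
    """Wildcard-mask compare: 1 bits in the wildcard are 'don't care'."""
    if spec == "any":
        return True
    base, arg = spec.split()
    if base == "host":
        return to_int(value) == to_int(arg)
    return (to_int(value) ^ to_int(base)) & ~to_int(arg) & ((1 << width) - 1) == 0

def evaluate(rules, pkt):
    """Return (action, matched sequence): smallest sequence wins, default drop."""
    for r in sorted(rules, key=lambda r: r.sequence):
        if (r.protocol in ("ip", pkt["protocol"])
                and _match(r.ip, pkt["src_ip"], _ip_int, 32)
                and _match(r.mac, pkt["src_mac"], _mac_int, 48)
                and r.vlan in (None, pkt["vlan"])):
            return r.action, r.sequence
    return "deny", None   # no rule matched: implicit drop of the packet

# Constructed rule set in the page's rule syntax, deliberately entered out of order
ACL_5001 = [parse_rule(l) for l in (
    "20 permit ip 10.1.1.0 0.0.0.255 any",
    "10 permit tcp host 10.1.1.5 host 00:11:22:33:44:55 vlan-id 10",
    "30 deny udp any any",
)]
```

A TCP packet from 10.1.2.9 matches none of the three rules and is dropped by the implicit default, which is the case to remember when a permit rule is missing rather than wrong.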
Configure Hybrid Extended ACL Named by Numbers
A Hybrid extended ACL named by a number lets the user identify the type of the ACL quickly. However, a Hybrid extended ACL named by a number has some limitations; for example, the quantity of such ACLs is limited.
Table 15-11 Configure the Hybrid extended ACL named by numbers

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Configure the Hybrid extended ACL named by numbers | access-list access-list-number { permit \| deny } protocol { any \| source-ip-addr source-wildcard \| host source-ip-addr } { any \| source-mac-addr source-wildcard \| host source-mac-addr } [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ cos cos ] [ vlan-id vlan ] [ time-range time-range-name ] | Mandatory. By default, no Hybrid extended ACL named by numbers is configured. The number range of the Hybrid extended ACL is 5001-6000. |
| Configure the remarks of the Hybrid extended ACL named by numbers | access-list access-list-number remark comment | Optional. By default, no remarks of the Hybrid extended ACL named by numbers are configured. |
- If no ACL with the specified number exists, a new ACL is created and the new rule is added to it. If an ACL with the specified number already exists, the new rule is simply added to it.