
Configure IP Extended ACL

An IP extended ACL can build its classification rules from the IP protocol number, source IP address, destination IP address, source TCP/UDP port number, destination TCP/UDP port number, packet precedence, TCP flags, and fragment flag, and filter packets accordingly.

Configuration Condition

None

Configure IP Extended ACL

An IP extended ACL can be named either by a number or by a custom character string. When numbers are used as names, the maximum quantity of ACLs is limited; when custom character strings are used, there is no limit on the quantity of ACLs. The user can select either naming form as desired. The contents an IP extended ACL can define are richer, more precise, and more flexible than those of an IP standard ACL.

Table 15-4 Configure the IP extended ACL

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Configure the IP extended ACL
Command: ip access-list extended { access-list-number | access-list-name }
Description: Mandatory. By default, no IP extended ACL is configured. The number range of the IP extended ACL is 1001-2000.

Step: Configure the permit rule of the ACL
Command: [ sequence ] permit protocol { any | source-addr source-wildcard | host source-addr } [ operator source-port ] { any | destination-addr destination-wildcard | host destination-addr } [ operator destination-port ] [ ack | fin | psh | rst | syn | urg ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ fragments ] [ log ] [ time-range time-range-name ] [ pbr-action-group pbr-action-group-name ] [ l3-action-group l3-action-group-name ] [ egr-action-group egr-action-group-name ] [ vfp-action-group vfp-action-group-name ]
Description: Optional. By default, no permit rule is configured in the ACL.

Step: Configure the deny rule of the ACL
Command: [ sequence ] deny protocol { any | source-addr source-wildcard | host source-addr } [ operator source-port ] { any | destination-addr destination-wildcard | host destination-addr } [ operator destination-port ] [ ack | fin | psh | rst | syn | urg ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ fragments ] [ log ] [ time-range time-range-name ] [ pbr-action-group pbr-action-group-name ] [ l3-action-group l3-action-group-name ] [ egr-action-group egr-action-group-name ] [ vfp-action-group vfp-action-group-name ]
Description: Optional. By default, no deny rule is configured in the ACL.

Step: Configure the ACL remarks
Command: [ sequence ] remark comment
Description: Optional. By default, no remark is configured for the ACL.

Note:

  • When the ip access-list extended command is used to create an IP extended ACL, the ACL is actually created only after rules have been configured in IP extended ACL configuration mode.
  • Sequence is the order number of a rule within the ACL. The ACL matches and filters packets strictly in ascending sequence order, so the rule with the smallest sequence takes effect first. When no rule matches, the default action is drop: every packet that is not explicitly permitted is dropped.
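As an added example (not part of the original document or the vendor's software), the following Python script models how an ACL built with the commands above is evaluated: rules are walked in ascending sequence, the first match decides, and an unmatched packet falls to the default drop. The Rule fields, the "ip" catch-all protocol and the eq-only destination-port operator are simplifying assumptions; the ACL and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: 0 bits must match, 1 bits are ignored (host X == X 0.0.0.0)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

@dataclass
class Rule:
    sequence: int
    action: str                      # "permit" or "deny"
    protocol: str                    # assumption: "ip" matches every protocol; "tcp"/"udp" must match exactly
    src: str = "any"                 # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (address wildcard)
    dst: str = "any"
    dst_port: Optional[int] = None   # assumption: only the "eq" operator on destination-port is modelled

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return wildcard_match(addr, spec.split()[1], "0.0.0.0")
    base, wildcard = spec.split()
    return wildcard_match(addr, base, wildcard)

def evaluate(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First match wins, walking rules from the smallest sequence up; no match means drop."""
    for rule in sorted(acl, key=lambda r: r.sequence):
        if (rule.protocol in ("ip", proto) and addr_match(rule.src, src)
                and addr_match(rule.dst, dst)
                and (rule.dst_port is None or rule.dst_port == dport)):
            return f"{rule.action} (sequence {rule.sequence})"
    return "deny (implicit default drop)"

# Constructed ACL, deliberately listed out of order; in the page's grammar it reads:
#   10 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443
#   20 deny ip 10.1.1.0 0.0.0.255 any
#   30 permit ip any any
EXAMPLE_ACL = [
    Rule(30, "permit", "ip"),
    Rule(10, "permit", "tcp", "10.1.1.0 0.0.0.255", "host 192.0.2.10", 443),
    Rule(20, "deny", "ip", "10.1.1.0 0.0.0.255"),
]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_ACL, "tcp", "10.1.1.5", "192.0.2.10", 443))  # permit (sequence 10)
    print(evaluate(EXAMPLE_ACL, "udp", "10.1.1.5", "192.0.2.10", 53))   # deny (sequence 20)
    print(evaluate(EXAMPLE_ACL, "tcp", "10.2.2.2", "192.0.2.10", 443))  # permit (sequence 30)
    print(evaluate(EXAMPLE_ACL[1:], "tcp", "10.2.2.2", "192.0.2.10"))   # deny (implicit default drop)
```

The last call removes the catch-all rule 30 to show that a packet no rule permits is dropped by the default action rather than by any configured line.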

Configure IP Extended ACL Named by Numbers

An IP extended ACL named by a number lets the user identify the type of the ACL quickly. However, it has some limitations; for example, the quantity of such ACLs is limited. The contents an IP extended ACL can define are richer, more precise, and more flexible than those of an IP standard ACL.

Table 15-5 Configure the IP extended ACL named by numbers

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Configure the IP extended ACL named by numbers
Command: access-list access-list-number { permit | deny } protocol { any | source-addr source-wildcard | host source-addr } [ operator source-port ] { any | destination-addr destination-wildcard | host destination-addr } [ operator destination-port ] [ ack | fin | psh | rst | syn | urg ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ fragments ] [ log ] [ time-range time-range-name ] [ pbr-action-group pbr-action-group-name ] [ l3-action-group l3-action-group-name ] [ egr-action-group egr-action-group-name ] [ vfp-action-group vfp-action-group-name ]
Description: Mandatory. By default, no IP extended ACL named by numbers is configured. The number range of the IP extended ACL is 1001-2000.

Step: Configure the remarks of the IP extended ACL named by numbers
Command: access-list access-list-number remark comment
Description: Optional. By default, no remark is configured for the IP extended ACL named by numbers.

Note:

  • If no ACL with the specified number exists, a new ACL is created and the new rule is added to it. If an ACL with the specified number already exists, the new rule is simply added to that ACL.