Configure IP Extended ACL
IP extended ACL can make the classification rule according to the IP protocol number, source IP address, destination IP address, source TCP/UDP port number, destination TCP/UDP port number, packet priority, TCP tag, and fragment tag to filter the packets.
Configuration Condition
None
Configure IP Extended ACL
IP extended ACL name can use the number and also can use the customized character string. If the IP extended ACL name adopts the numbers, we can configure the maximum quantity limitation of ACL; if adopting the customized character string, there is no limitation for the maximum quantity of ACL. The user can select the ACL name as desired. IP extended ACL is richer, more correct, and more flexible than the contents defined by IP standard ACL.
Table 15-4 Configure the IP extended ACL
|
Step
|
Command
|
Description
|
|
Enter global configuration mode
|
configure terminal
|
-
|
|
Configure the IP extended ACL
|
ip access-list extended { access-list-number | access-list-name }
|
Mandatory
By default, IP extended ACL is not configured.
The sequence range of the IP extended ACL is 1001-2000.
|
|
Configure the permit rule of ACL
|
[ sequence ] permit protocol { any | source-addr source-wildcard | host source-addr } [ operator source-port ] { any | destination-addr destination-wildcard | host destination-addr } [ operator destination-port ] [ ack | fin | psh | rst | syn | urg ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [fragments] [log] [ time-range time-range-name ] [ pbr-action-group pbr-action-group-name ] [ l3-action-group l3-action-group-name ] [ egr-action-group egr-action-group-name ] [ vfp-action-group vfp-action-group-name ]
|
Optional
By default, the permit rule of ACL is not configured.
|
|
Configure the refuse rule of ACL
|
[ sequence ] deny protocol { any | source-addr source-wildcard | host source-addr } [ operator source-port ] { any | destination-addr destination-wildcard | host destination-addr } [ operator destination-port ] [ ack | fin | psh | rst | syn | urg ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [fragments] [log] [ time-range time-range-name ] [ pbr-action-group pbr-action-group-name ] [ l3-action-group l3-action-group-name ] [ egr-action-group egr-action-group-name ] [ vfp-action-group vfp-action-group-name ]
|
Optional
By default, the refuse rule of ACL is not configured.
|
|
Configure the ACL remarks
|
[ sequence ] remark comment
|
Optional
By default, the remarks of the ACL are not configured.
|
-
When using the ip access-list extended command to create the IP extended ACL, the ACL can be created only after configuring the rules in the IP extended ACL configuration mode.
- Sequence means the order number of the rule in the ACL. ACL matches and filters the packet strictly according to the order from small sequence to large sequence. The rule with the small sequence first takes effect. When all rules do not match, execute the default drop action, that is, all the packets not permitted to pass are dropped.
Configure IP Extended ACL Named by Numbers
The IP extended ACL named by numbers can let the user identify the type of the ACL quickly. However, the IP extended ACL named by numbers has some limitations. For example, the ACL quantity is limited. IP extended ACL is richer, more correct, and more flexible than the contents defined by IP standard ACL.
Table 15-5 Configure the IP extended ACL named by numbers
|
Step
|
Command
|
Description
|
|
Enter global configuration mode
|
configure terminal
|
-
|
|
Configure the IP extended ACL named by numbers
|
access-list access-list-number { permit | deny } protocol { any | source-addr source-wildcard | host source-addr } [ operator source-port ] { any | destination-addr destination-wildcard | host destination-addr } [ operator destination-port [ ack | fin | psh | rst | syn | urg [ precedence precedence ] [ tos tos ] [ dscp dscp ] [fragments] [log] [ time-range time-range-name ] [ pbr-action-group pbr-action-group-name ] [ l3-action-group l3-action-group-name ] [ egr-action-group egr-action-group-name ] [ vfp-action-group vfp-action-group-name ]
|
Mandatory
By default, the IP extended ACL named by numbers is not configured.
The sequence range of the IP extended ACL is 1001-2000.
|
|
Configure the remarks of the IP extended ACL named by numbers
|
access-list access-list-number remark comment
|
Optional
By default, the remarks of the IP extended ACL named by numbers are not configured.
|
-
If the ACL with the specified sequence does not exist, create one new ACL and add new rules. If the ACL with the specified number exists, just add new rules.
Switch
.png){kind=icon}
.png){kind=logo}
