Configuring a User-defined ACL Rule
Context
User-defined ACLs classify packets by matching raw packet bytes against their rules. After a user-defined ACL is created, configure rules in it.
When the device receives a packet, it matches the packet against ACL rules one by one based on the configuration order. Once the packet matches a rule in an ACL rule group, the device stops the matching process and performs the action specified in the matching rule on the packet.
Procedure
- Run system-view
The system view is displayed.
- Run acl { [ number ] acl-number | name acl-name { [ number ] acl-number | user } }
A user-defined ACL is created, and the user-defined ACL view is displayed.
The parameter acl-number specifies the number of a user-defined ACL. The value ranges from 5000 to 5999.
By default, no ACL is created.
- Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ [ l2-head | ipv4-head | l4-head | inner-ipv4-head ] { rule-string rule-mask offset } &<1-4> | time-range time-name ] *
A user-defined ACL rule is configured.
The CE12800E does not support the parameter inner-ipv4-head.
The CE12800E having the FD-X series cards installed does not support the parameters l2-head and ipv4-head.
When you configure a user-defined ACL rule, if no header position (l2-head, ipv4-head, l4-head, or inner-ipv4-head) is specified, the offset is counted from the start of the Ethernet frame header (l2-head) by default.
When you use the time-range parameter to reference a time range, the time range identified by time-name must already exist; otherwise the ACL cannot be bound to it.
- (Optional) Run rule rule-id description description
The description of a user-defined ACL rule is configured.
By default, no description is configured for an ACL rule.
You are not allowed to configure the description for a rule that has not been created.
- Run commit
The configuration is committed.
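The following is an added example of the whole procedure, not a configuration taken from this page or from the vendor. It builds a user-defined ACL that drops IPv4 packets whose protocol field (byte offset 9 of the IPv4 header, value 6 for TCP) matches, but only inside a time range, and permits everything else. The ACL number 5001, the time-range name "maintenance" and its creation with the time-range command, the exact hexadecimal spelling of rule-string and rule-mask, and the offset being counted in bytes are all assumptions; check them against the command reference for your software version before using them.

```text
# Added example, not from the original page. Values below are assumed (see lead-in).
system-view
# The time range must exist before a rule references it, or the binding fails.
time-range maintenance 02:00 to 04:00 daily
# User-defined ACL numbers run from 5000 to 5999.
acl number 5001
# Match byte 9 of the IPv4 header (protocol) against 0x06 (TCP) with an all-ones mask;
# a mask bit set to 1 means that bit is compared, a 0 bit is ignored.
rule 5 deny ipv4-head 06 ff 9 time-range maintenance
# Rules are checked in configuration order and matching stops at the first hit,
# so this catch-all permit only applies to packets rule 5 did not match.
rule 10 permit
# A description can only be attached to a rule that already exists.
rule 5 description drop-tcp-during-maintenance
commit
```

Because matching is on raw bytes, the same rule with l2-head instead of ipv4-head (or with no header keyword, which defaults to l2-head) would compare byte 9 of the Ethernet frame, i.e. part of the source MAC, not the IP protocol field; always pair the offset with the header it was derived from. On a CE12800E the inner-ipv4-head keyword is unavailable, and with FD-X cards installed only l4-head remains, so a rule like the one above would need to be re-expressed for that hardware.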