Basic ACLs filter traffic only by source IP address and
time range.
Context
Table 1 describes the matching conditions
of basic ACL rules.
Table 1 Matching conditions of basic ACL rules

| Matching Condition | Parameter | Description |
|---|---|---|
| Source IP address | source | - source-ip-address source-wildcard: specifies a source address with a wildcard mask or mask length. - any: indicates any IP address. - address-set address-set-name: specifies an address or address group. |
| Time range | time-range | For details of time ranges, see Schedule. |
Procedure
- Access the system view.
system-view
- Create a basic ACL and access the basic ACL view.
acl [ number ] acl-number [ vpn-instance vpn-instance-name ]
acl-number determines the type of an ACL. The basic
ACL number ranges from 2000 to 2999.
- Optional: Configure a description for the ACL.
description description
Appropriate descriptions of ACLs
help you to further manage the ACLs.
- Optional: Set a step for the ACL.
step step
The default step is 5.
After you set a step for the ACL, the system automatically assigns rule IDs
when you do not specify them. The automatically assigned rule IDs are
multiples of the step in ascending order. The gaps left by the step allow you
to insert rules between two existing rules.
You can set a step for an ACL only when no rule is
configured for the ACL. After you configure an ACL rule, you are not
allowed to change the step.
- Configure an ACL rule.
rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | time-range time-name ] * [ description description ]
When you configure an ACL rule, note the following points:
- If rule-id is not specified, a new rule is added. The system assigns it
the smallest multiple of the step that is larger than the highest existing
rule ID. For example, if the highest existing rule ID is 21 and the step is
5, the new rule is assigned number 25.
- If rule-id is specified and a rule with the same ID already exists, that
rule is edited. If no rule with that ID exists, a new rule is added and
inserted at the position determined by its rule-id.
- A new or modified rule must differ from every existing rule; otherwise,
the creation or modification fails and the system reports that the rule
already exists.
- The logging parameter specifies that packets matching the rule are logged.
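The following Python model is an added illustration, not the vendor's code: it reproduces the rule-ID assignment (step, automatic numbering, editing by ID, duplicate rejection) and the source/wildcard matching described in the procedure above. The class and method names are assumptions, and the time-range and logging parameters are not modelled.

```python
import ipaddress


class BasicAcl:
    """Simulation of basic ACL rule numbering and source matching (added illustration)."""

    def __init__(self, acl_number, step=5):
        if not 2000 <= acl_number <= 2999:
            raise ValueError("basic ACL numbers range from 2000 to 2999")
        self.number, self.step = acl_number, step
        self.rules = {}  # rule-id -> (action, masked source, wildcard)

    def set_step(self, step):
        # A step may be set only while the ACL has no rules.
        if self.rules:
            raise RuntimeError("step cannot be changed after a rule is configured")
        self.step = step

    def rule(self, action, source="any", wildcard="0", rule_id=None):
        """Model `rule [rule-id] {deny|permit} source ...`; returns the rule ID used."""
        if source == "any":
            src, wc = 0, 0xFFFFFFFF              # every bit is "don't care"
        else:
            src = int(ipaddress.IPv4Address(source))
            wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
        new = (action, src & ~wc, wc)            # wildcard bit 1 = ignore that bit
        # A new or edited rule must differ from every other existing rule.
        if any(r == new for rid, r in self.rules.items() if rid != rule_id):
            raise ValueError("the rule already exists")
        if rule_id is None:
            # Smallest multiple of the step above the highest existing rule ID,
            # e.g. highest 21 with step 5 gives 25.
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = new                # creates, or edits an existing ID
        return rule_id

    def lookup(self, packet_source):
        """Action of the lowest-numbered rule matching packet_source, else None."""
        pkt = int(ipaddress.IPv4Address(packet_source))
        for rid in sorted(self.rules):
            action, src, wc = self.rules[rid]
            if (pkt & ~wc) == src:
                return action
        return None


if __name__ == "__main__":
    acl = BasicAcl(2001)                            # constructed sample ACL
    acl.rule("permit", "10.1.1.0", "0.0.0.255")     # auto-assigned rule 5
    acl.rule("deny", "10.1.0.0", "0.0.255.255")     # auto-assigned rule 10
    acl.rule("permit", "192.168.1.1", rule_id=21)   # host rule inserted explicitly
    print(acl.rule("deny"), acl.lookup("10.1.1.7"), acl.lookup("10.1.2.7"))
```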