
Creating an Advanced ACL

An advanced ACL is an extension of a basic ACL. An advanced ACL filters traffic by source IP address, destination IP address, time range, and protocol type. An advanced ACL is used for accurate traffic matching.

Context

Table 1 describes the matching conditions of advanced ACL rules.

Table 1 Matching conditions of advanced ACL rules

Matching Condition

Parameter

Description

Protocol type

protocol

You can specify a protocol using either of the following parameters:

  • specifies a protocol number.

  • specifies a protocol name.

Source/Destination IP address

source or destination

  • source-ip-address source-wildcard: specifies a source address with a wildcard mask.
  • destination-ip-address destination-wildcard: specifies a destination address with a wildcard mask.
  • any: indicates any IP address.
  • address-set address-set-name: specifies an address or address group.

TCP/UDP port range

source-port or destination-port

Specify the port range with an operator expression. operator supports the comparison operations eq (equal to), gt (greater than), lt (less than), and range (between two values, inclusive). If the operator is range, two port numbers are required.

ICMP Type

icmp-type

You can specify an ICMP message type using either of the following parameters:

  • icmp-type-name: specifies an ICMP message type by the ICMP type name.
  • icmp-type-number icmp-code: specifies an ICMP message type by the ICMP type number and ICMP code.

Time range

time-range

For details of time ranges, see Schedule.

Service

service-set

For details of services, see Service and Service Group.

Precedence field value in a packet

precedence

The precedence field in an IP packet header marks the forwarding priority of the packet and is widely applied to quality of service (QoS).

The precedence value can be in either of the following formats:

  • An integer ranging from 0 to 7.
  • Name, which is routine, priority, immediate, flash, flash-override, critical, internet, or network, corresponding to 0 to 7 in sequence.

ToS field value in a packet

tos

The ToS field in an IP packet header marks the service type of the packet and is widely applied to QoS.

The tos value can be in either of the following formats:

  • An integer ranging from 0 to 15.
  • Name, which can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay, corresponding to 0, 1, 2, 4, and 8 in sequence.

Differentiated Services Code Point field value in a packet

dscp

DSCP is stored in the first six bits of the ToS field in an IP packet. During packet transmission, an intermediate device can grant different processing priorities to packets based on DSCP values, ensuring that important packets are prioritized when the network is busy.

The value can be either an integer ranging from 0 to 63 or one of the names AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, CS1, CS2, CS3, CS4, CS5, CS6, CS7, EF, or default.

TCP flag bit

tcp-flag

You can specify TCP flag bits to control the corresponding traffic, which allows TCP flag-based access control and QoS.

The TCP flag can be specified in three ways:

  • An integer ranging from 0 to 63 (the six flag bits), optionally with a mask.
  • established, which matches TCP packets of established connections.
  • Flag names, which can be ack, fin, psh, rst, syn, and urg.
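As an added example (not part of this page or the vendor's code), the following Python models how the Table 1 matching conditions are applied to a single packet: wildcard masks as inverse masks, the eq/gt/lt/range port operators, and the three tcp-flag forms. The packet and rule dictionaries are constructed; the meaning of established (ACK or RST set) and of the integer tcp-flag form with a mask are assumptions, since the page only names them.

```python
import ipaddress

# Constructed model of how the matching conditions in Table 1 are applied to one packet.
# Wildcard masks are inverse masks: a 0 bit must match, a 1 bit is ignored, so the
# wildcard 0 of the CLI (written 0.0.0.0 here) matches exactly that host.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def wildcard_match(rule_ip: str, wildcard: str, packet_ip: str) -> bool:
    """True if packet_ip equals rule_ip in every bit the wildcard marks as significant."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    rule, pkt = int(ipaddress.IPv4Address(rule_ip)), int(ipaddress.IPv4Address(packet_ip))
    return (rule & care) == (pkt & care)


def port_match(operator: str, port: int, port2, packet_port: int) -> bool:
    """Evaluate the eq / gt / lt / range operators; port2 is only used by range."""
    if operator == "eq":
        return packet_port == port
    if operator == "gt":
        return packet_port > port
    if operator == "lt":
        return packet_port < port
    if operator == "range":
        if port2 is None:
            raise ValueError("range requires two port numbers")
        return port <= packet_port <= port2
    raise ValueError(f"unknown operator {operator!r}")


def tcp_flag_match(spec, packet_flags: int) -> bool:
    """spec: 'established', a set of flag names that must all be set, or (value, mask)."""
    if spec == "established":  # assumption: ACK or RST set; the page only says "established"
        return bool(packet_flags & (TCP_FLAGS["ack"] | TCP_FLAGS["rst"]))
    if isinstance(spec, tuple):  # assumption: integer form means (flags & mask) == value
        value, mask = spec
        return (packet_flags & mask) == value
    wanted = sum(TCP_FLAGS[name] for name in spec)
    return (packet_flags & wanted) == wanted


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Conditions absent from the rule match anything, as when omitted on the CLI."""
    if rule.get("protocol", "ip") not in ("ip", pkt["protocol"]):
        return False
    for side in ("source", "destination"):
        if side in rule and not wildcard_match(*rule[side], pkt[side]):
            return False
        if side + "-port" in rule and not port_match(*rule[side + "-port"], pkt[side + "-port"]):
            return False
    if "tcp-flag" in rule and not tcp_flag_match(rule["tcp-flag"], pkt["tcp-flags"]):
        return False
    return True
```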

Procedure

  1. Access the system view.

    system-view

  2. Create an advanced ACL and access the advanced ACL view.

    acl [ number ] acl-number [ vpn-instance vpn-instance-name ]

    acl-number determines the type of an ACL. The advanced ACL number ranges from 3000 to 3999.

  3. Optional: Configure a description for the ACL.

    description description

    Appropriate descriptions of ACLs help you to further manage the ACLs.

  4. Optional: Set a step for the ACL rules.

    step step

    The default step is 5.

    After you set a step for the ACL, the system automatically assigns rule IDs if you do not specify them. The automatically assigned rule IDs are multiples of the step in ascending order. The gaps the step leaves allow you to insert rules between two existing rules.

    You can set a step for an ACL only when no rule is configured for the ACL. After you configure an ACL rule, you are not allowed to change the step.

  5. Perform either of the following operations to create an advanced ACL rule.

    • Run the rule [ rule-id ] { permit | deny } protocol [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | source-port operator port [ port2 ] | destination-port operator port [ port2 ] | icmp-type { icmp-type-name | icmp-type-number icmp-code } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } ] * [ description description ] command to configure an advanced ACL rule with specified protocol information.

      The parameters vary according to protocol. You can select tcp-flag only when TCP is selected, select source-port and destination-port only when TCP/UDP is selected, and select icmp-type only when ICMP is selected.

    • Run the rule [ rule-id ] { permit | deny } service-set service-set-name [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value ] * [ description description ] command to configure an advanced ACL rule based on a specific service.
    • If rule-id is not specified, a new rule is added. The system assigns it the smallest multiple of the step that is larger than the largest existing rule ID. For example, if the largest existing rule ID is 21 and the step is 5, the system assigns number 25 to the new rule.
    • If rule-id is specified and a rule with the same ID exists, the existing rule is edited. If no rule with the same ID exists, a new rule is added and inserted at the position corresponding to its rule-id.
    • A new or modified rule must differ from every existing rule; otherwise, the creation or modification fails and the system prompts you that the rule already exists.
    • The logging parameter specifies that matched packets are logged.
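As an added example (not part of this page or the vendor's code), the following Python models the rule-ID bookkeeping described in steps 4 and 5: automatic numbering as the next multiple of the step, explicit rule-id for editing or inserting between existing rules, rejection of duplicate rules, and the restriction that the step can only be set while the ACL is empty. The rule texts are constructed, and the first automatic ID of an empty ACL is assumed to be the step itself.

```python
# Constructed model of the rule-ID handling in steps 4 and 5 of the procedure; not vendor code.
class AdvancedAcl:
    def __init__(self, acl_number: int, step: int = 5):
        if not 3000 <= acl_number <= 3999:
            raise ValueError("advanced ACL numbers range from 3000 to 3999")
        self.acl_number = acl_number
        self.step = step
        self.rules = {}  # rule-id -> rule text

    def set_step(self, step: int) -> None:
        """The step may only be changed while the ACL has no rules."""
        if self.rules:
            raise RuntimeError("step cannot be changed after a rule has been configured")
        self.step = step

    def next_rule_id(self) -> int:
        """Smallest multiple of the step above the highest existing rule ID (21, step 5 -> 25).

        Assumption: an empty ACL starts at the step itself, which this formula also yields.
        """
        highest = max(self.rules, default=0)
        return (highest // self.step + 1) * self.step

    def rule(self, text: str, rule_id=None) -> int:
        """Add or edit a rule as 'rule [rule-id] ...' does; a duplicate of another rule is rejected."""
        if any(t == text and i != rule_id for i, t in self.rules.items()):
            raise ValueError("the rule already exists")
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = text  # existing id: edited in place; new id: inserted by position
        return rule_id

    def display(self) -> list:
        """Rules in ascending rule-id order, which is the order they take effect."""
        return [f"rule {i} {t}" for i, t in sorted(self.rules.items())]


def demo() -> AdvancedAcl:
    """Build a small ACL: two auto-numbered rules, then a third inserted between them."""
    acl = AdvancedAcl(3001)
    acl.rule("permit tcp source 10.1.1.0 0.0.0.255 destination 10.0.0.1 0 destination-port eq 443")
    acl.rule("deny ip")  # catch-all deny, auto-numbered after the permit
    # Explicit rule-id 7 lands between rules 5 and 10, so the Telnet deny is checked before the catch-all
    acl.rule("deny tcp source any destination 10.0.0.1 0 destination-port eq 23", rule_id=7)
    return acl
```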

Copyright © Huawei Technologies Co., Ltd.