Add Advanced Rule

Add Advanced Rule

Operation Procedure

1. When adding an advanced ACL resource or configuring an advanced ACL template, click Add or Add Rule to configure an advanced rule.
2. In the Basic Info area, perform the following configurations:
   • Select the protocol for which you want to permit or deny traffic.
   • Select the action you want to take for matching packets, permit or deny.
   • Set the  time range you want to apply to this rule.
   • Set the source address and destination address specifying where the pattern matching occurs in this rule
3. Configure advanced settings. The advanced information is available only when the protocol is set to TCP, UDP or ICMP.
   • If you select TCP or UDP as the protocol, you must specify the source port and destination port in the Advanced Settings area.
   • If you set the protocol to ICMP, you must specify the ICMP type and ICMP code in the Advanced Settings area.
4. In the Other Settings area, perform the following configurations to set matching criteria:
   • Select an IP priority.
   • Select a Type of Service from the ToS Value list.
   • Select a DSCP value.
   • Configure the Fragment option. If it is selected, the rule identifies all packets, including fragments and non-fragments. If it is not selected, the rule identifies non-first fragments., which defines which fragments the rule is applied to.
   • Define whether to enable logging.
   • Configure the VPN instance to which you want to apply this rule.
5. Click OK.

Precautions

• The values of IP priority, ToS, and DSCP have bind effects mutually. Changing anyone of them might affect the other two values.

Parameters

• Protocol: Type of protocol, which is represented by either name or number. To select a protocol:
  • Select a name from icmp, igmp, tcp, udp, ip, gre, ospf and ipinip
  • Select a number from 1 to 255.
  • If you select IP, all the above protocols in the TCP/IP protocol stack are matched.
• ICMP setting: Specifies an ICMP packet. This parameter is available only when you set the protocol to ICMP.
  • ICMP-Type: A character string or a number representing the type of ICMP packet.
  • ICMP-Code: ICMP code.
• IP Priority: Specifies an IP precedence. The value can be a number in the range of 0 to 7, or in words.
    
• Routine (0)��This is the default IP precedence value.
    
• Priority (1)��Used for data services.
    
• Immediate (2)��Used for data services.
    
• Flash (3)��Used for voice control data.
    
• Flash-override (4)��Used for video conference and video streaming data.
    
• Critical (5)��Used for voice data.
    
• Internet (6)��Reserved for use by internetwork control data.
    
• Network (7)��Reserved for use by network control data.
• ToS Value: Specifies a ToS value. Valid values are normal (0), min-monetary-cost (1), max-reliability (2), max-throughput (4), and min-delay (8).
• DSCP Value: Specifies a DSCP value. The value can be a number in the range of 0 to 63, in ascending order of priority.
• Fragment: With this parameter specified, the rule applies to only non-first fragments. Otherwise, the rule applies to all fragments and non-fragments.
• Logging: Specifies whether to enable logging for matching packets.
• VPN Instance: Specifies the name of an MPLS L3VPN instance to which you want to apply this rule.
• Dynamic Parameter: Name of a user-defined parameter. Currently you can only use the dynamic parameter to define the source or destination IP address in an advanced basic ACL.
  For more information, see Create and Use Dynamic Parameter File.  
• Variable Address: Name of a user-defined parameter. When an ACL template is exported to an ACL rule set, the variable address value automatically changes. Currently you can only use the variable address to define the source or destination IP address in an advanced ACL.