(continuation of the help listing)

```
  tos            Specify tos
  vpn-instance   Specify a VPN-Instance
  <cr>
[Huawei-acl-adv-3000] rule 1 permit udp source any destination ?
  Specify destination address
  any            Any destination IP address
[Huawei-acl-adv-3000] rule 1 permit udp source any destination ?
  0              Wildcard bits : ( a host )
                 Wildcard of destination
[Huawei-acl-adv-3000] rule 1 permit udp source any destination 0 ?
  destination-port  Specify destination port
  dscp              Specify dscp
  fragment-type     Specify the fragment type of packet
  precedence        Specify precedence
  source-port       Specify source port
  time-range        Specify a special time
  tos               Specify tos
  vpn-instance      Specify a VPN-Instance
  <cr>
[Huawei-acl-adv-3000] rule 1 permit udp source any destination 0 destination-port ?
  eq     Equal to given port number
  gt     Greater than given port number
  lt     Less than given port number
  neq    Not equal to given port number      (not equal to the specified port)
  range  Between two port numbers
[Huawei-acl-adv-3000] rule 1 permit udp source any destination 0 destination-port eq ?
  <0-65535>    Protocol number
  biff         Mail notify (512)
  bootpc       Bootstrap Protocol Client (68)
  bootps       Bootstrap Protocol Server (67)
  discard      Discard (9)
  dns          Domain Name Service (53)
  dnsix        DNSIX Security Attribute Token Map (90)
  echo         Echo (7)
  mobilip-ag   MobileIP-Agent (434)
  mobilip-mn   MobilIP-MN (435)
  nameserver   Host Name Server (42)
  netbios-dgm  NETBIOS Datagram Service (138)
  netbios-ns   NETBIOS Name Service (137)
  netbios-ssn  NETBIOS Session Service (139)
  ntp          Network Time Protocol (123)
  rip          Routing Information Protocol (520)
  snmp         SNMP (161)
  snmptrap     SNMPTRAP (162)
  sunrpc       SUN Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs-ds    TACACS-Database Service (65)
  talk         Talk (517)
  tftp         Trivial File Transfer (69)
  time         Time (37)
  who          Who (513)
  xdmcp        X Display Manager Control Protocol (177)
[Huawei-acl-adv-3000] rule 1 permit udp source any destination 0 destination-port eq 21 ?
  dscp              Specify dscp
  fragment-type     Specify the fragment type of packet
  precedence        Specify precedence
  source-port       Specify source port
  time-range        Specify a special time
  tos               Specify tos
  vpn-instance      Specify a VPN-Instance
  <cr>
```

Advanced ACLs can match on the fields listed below.

Advanced ACL: reference table of commonly used protocol numbers

| Protocol type | Number |
|---|---|
| ICMP | 1 |
| IGMP | 2 |
| IP-in-IP | 4 |
| TCP | 6 |
| UDP | 17 |
| GRE | 47 |
| IPOSPF | 8 |

Advanced ACL: description of commonly used parameters

| Parameter | Description |
|---|---|
| deny | Deny packets that match the rule |
| permit | Permit packets that match the rule |
| source { source-addr source-wildcard \| any } | source-addr source-wildcard: source IP address and its wildcard mask; any: any source IP address |
| destination { dest-addr dest-wildcard \| any } | dest-addr dest-wildcard: destination IP address and its wildcard mask; any: any destination IP address |
| icmp-type { icmp-name \| icmp-type icmp-code } | The ICMP message type and code that the rule matches; only valid when the packet protocol is ICMP |
| precedence | Filter on the precedence field of the packet. Together with tos it forms one of the two mutually exclusive ways of expressing the DSCP value (precedence + tos, or dscp) |
| tos | Filter on the type-of-service field of the packet. Together with precedence it forms one of the two mutually exclusive ways of expressing the DSCP value |
| dscp | Filter on the differentiated services code point, i.e. the DSCP priority field of the IP header |
| tcp-flag | Filter on the type of the SYN flag in TCP packets |
| time-range | The time range during which the rule is in effect |
| destination-port { eq port \| gt port \| lt port \| range port-start port-end } | The UDP or TCP destination port that the rule matches; only takes effect when the packet protocol is UDP or TCP. Ports may be given by name or by number. eq port: equal to the given port; gt port: greater than the given port; lt port: less than the given port; range port-start port-end: a range of ports, where start is the first and end the last port |
| source-port { eq port \| gt port \| lt port \| range port-start port-end } | The UDP or TCP source port that the rule matches; only takes effect when the packet protocol is UDP or TCP |
| logging | Log information about packets that match the rule |
| fragment | Whether the rule applies only to non-initial fragments; when this parameter is present the rule matches non-initial fragments only. It cannot be configured together with source-port, destination-port, icmp-type or tcp-flag |
| ttl-expired | Filter on whether the TTL value of the packet is 1; enabling this parameter filters such packets. Not supported on the 5700SI and lower models |

Example (9090 traffic):

```
[Huawei-acl-adv-3002] rule deny udp source destination 0. destination-port eq 9090
```

Layer 2 ACL rule configuration

Layer 2 ACL numbers (acl-number) range from 4000 to 4999. A Layer 2 ACL filters on Layer 2 information such as the source/destination MAC address and the Layer 2 protocol.

```
[Huawei-acl-L2-4000] rule 1 ?
  deny         Specify matched packet deny
  description  Specify rule description
  permit       Specify matched packet permit
[Huawei-acl-L2-4000] rule 1 deny source-mac 1111-1111-1111 ?
  8021p            Vlan priority
  H-H-H            Source MAC address mask, default is ffff-ffff-ffff
  cvlan-8021p      Vlan priority of inner vlan
  cvlan-id         Inner vlan id
  destination-mac  Destination-mac
  double-tag       Double tag
  ethernet-ii      Ethernet II format
  l2-protocol      Layer 2 protocol
  snap             Snap format
  time-range       Specify a special time
  vlan-id          Vlan id
  <cr>
[Huawei-acl-L2-4000] rule 1 deny source-mac 1111-1111-1111 destination-mac ?
  H-H-H            Destination MAC address value
[Huawei-acl-L2-4000] rule 1 deny source-mac 1111-1111-1111 destination-mac 2222-2222-2222 ?
  8021p            Vlan priority
  H-H-H            Destination MAC address mask, default is ffff-ffff-ffff
  cvlan-8021p      Vlan priority of inner vlan
  cvlan-id         Inner vlan id
  double-tag       Double tag
  ethernet-ii      Ethernet II format
  l2-protocol      Layer 2 protocol
  snap             Snap format
  time-range       Specify a special time
  vlan-id          Vlan id
  <cr>
```

Layer 2 ACL: commonly used parameters

| Parameter | Description |
|---|---|
| 8021p | The 802.1p priority of the outer VLAN of packets matched by the rule |
| cvlan-8021p | The 802.1p priority of the inner VLAN of packets matched by the rule |
| cvlan-id cvlan-id [cvlan-id-mask] | The inner VLAN ID of packets matched by the rule; cvlan-id-mask |
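As an added illustration (not part of the original article and not Huawei's code), the following Python evaluator models the matching semantics described in the advanced ACL and Layer 2 ACL tables above: wildcard-mask address matching, the eq/gt/lt/neq/range port operators, the rule that fragment cannot be combined with a port filter, and the Layer 2 MAC mask, whose polarity is the reverse of the IP wildcard (wildcard 0 means one host; MAC mask ffff-ffff-ffff means an exact MAC). It goes beyond the page's single `eq 21` / `eq 9090` commands by implementing every operator in the help listing. All IP addresses, MACs and packets are constructed sample values; first-match evaluation in list order is an assumption of this toy, as noted in the comments.

```python
# Illustrative ACL evaluator for the semantics described in the article above.
# Not Huawei's code: the rule model is a loose transcription of the CLI syntax,
# and every address, MAC and packet used below is a constructed sample value.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Protocol numbers from the article's reference table.
PROTOCOL_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47}


def ip_matches(addr: str, rule_addr: Optional[str], wildcard: str = "0.0.0.0") -> bool:
    """Advanced ACL address match. rule_addr None means 'any'.
    Wildcard polarity: a 0 bit means 'must match', a 1 bit means 'don't care',
    so wildcard 0.0.0.0 (shown as '0' in the CLI help) selects exactly one host
    and 0.0.0.255 selects a whole /24."""
    if rule_addr is None:
        return True
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)


def port_matches(port: int, spec: Optional[Tuple]) -> bool:
    """destination-port / source-port operators from the help listing:
    eq, gt, lt, neq and range. spec None means the rule does not filter the port."""
    if spec is None:
        return True
    op, *args = spec
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "neq":
        return port != args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")


def mac_matches(mac: str, rule_mac: str, mask: str = "ffff-ffff-ffff") -> bool:
    """Layer 2 ACL MAC match. The mask polarity is the opposite of the IP wildcard:
    a 1 bit means 'compare this bit', and the default ffff-ffff-ffff compares all
    48 bits, i.e. requires the exact MAC shown in the rule."""
    def to_int(m: str) -> int:
        return int(m.replace("-", "").replace(":", ""), 16)
    return (to_int(mac) & to_int(mask)) == (to_int(rule_mac) & to_int(mask))


@dataclass
class AdvRule:
    action: str                      # "permit" or "deny"
    proto: str                       # e.g. "udp"
    src: Optional[str] = None        # None = any
    src_wc: str = "0.0.0.0"
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"
    dport: Optional[Tuple] = None    # ("eq", 21), ("range", 1024, 65535), ...
    fragment: bool = False           # match only non-initial fragments

    def __post_init__(self) -> None:
        # The article's caveat: fragment cannot be combined with a port filter.
        if self.fragment and self.dport is not None:
            raise ValueError("fragment cannot be configured together with destination-port")

    def matches(self, pkt: dict) -> bool:
        if PROTOCOL_NUMBERS[self.proto] != pkt["proto"]:
            return False
        if not ip_matches(pkt["src"], self.src, self.src_wc):
            return False
        if not ip_matches(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.fragment:
            return bool(pkt.get("nonfirst_fragment", False))
        # A port filter can only match when the packet carries a L4 port.
        if self.dport is not None and "dport" not in pkt:
            return False
        return port_matches(pkt.get("dport", 0), self.dport)


def evaluate(rules: List[AdvRule], pkt: dict) -> Optional[str]:
    """Assumption of this toy: rules are supplied in rule-ID order and the first
    match wins. Returns the matching rule's action, or None if nothing matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# Constructed sample mirroring the CLI session above (addresses are made up):
#   rule 1 permit udp source any destination 10.0.0.5 0 destination-port eq 21
#   rule 2 deny udp source 10.0.1.0 0.0.0.255 destination 10.0.0.5 0 destination-port eq 9090
RULES = [
    AdvRule("permit", "udp", dst="10.0.0.5", dport=("eq", 21)),
    AdvRule("deny", "udp", src="10.0.1.0", src_wc="0.0.0.255", dst="10.0.0.5", dport=("eq", 9090)),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"proto": 17, "src": "10.0.1.77", "dst": "10.0.0.5", "dport": 9090}))
```

Note the two polarity conventions side by side: `ip_matches` clears the bits the wildcard marks as "don't care", while `mac_matches` keeps only the bits the mask marks as "compare"; mixing the two up is a common way to write an ACL that is far wider than intended.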