【正文】 b、startaddress系統(tǒng)視圖下執(zhí)行命令nat addressgroup}，應(yīng)用流策略。|{在系統(tǒng)視圖、接口視圖或VLAN視圖下，執(zhí)行命令trafficpolicyclassifiernamef、configauto[matchorder系統(tǒng)視圖下執(zhí)行命令traffic policy報(bào)文過(guò)濾有兩種流動(dòng)作：deny或permit。behavior–name，定義流行為并進(jìn)入流行為視圖。c、aclnameaclnumberb、執(zhí)行命令ifmatch aclprecedenceprecedencevalueorandoperatorclassifiernameFilter logout connections from the current user interfaceoutboundFilter login connections from the current user interfaceFilter IPv6 addressesipv6Apply basic or advanced ACLINTEGER20003999SFTP中應(yīng)用ACL配置[Huawei]ssh server acl ?或[Huaweiuivty04]acl ?Apply basic ACLINTEGER20002999FTP中應(yīng)用acl配置[Huawei]ftp acl ?Filter logout connections from the current user interfaceoutboundFilter login connections from the current user interfaceFilter IPv6 addressesipv6Apply basic or advanced ACLINTEGER20003999或[Huaweiuivty04]acl ?設(shè)備接口板提供擴(kuò)展表項(xiàng)空間寄存器，通過(guò)配置擴(kuò)展表項(xiàng)空間資源的分配模式，可以選擇性擴(kuò)大MAC、ACL和FIB表項(xiàng)的底層空間大小。配置接口板擴(kuò)展表項(xiàng)空間資源的分配模式后，需要重啟接口板才能生效。IPV4NAC：表示同時(shí)擴(kuò)展IPV4的三層ACL表項(xiàng)和NAC特性專用的ACL表項(xiàng)。IPV4ACL：表示同時(shí)擴(kuò)展IPV4的IP表項(xiàng)和IPV4的三層ACL表項(xiàng)。缺省情況下，擴(kuò)展表項(xiàng)空間寄存器的資源模式為1，僅擴(kuò)展MAC表項(xiàng)。slotid 配置接口板ACL規(guī)格的資源分配模式。modeid[Huawei]slotid 配置接口板擴(kuò)展表項(xiàng)空間資源的分配模式，用來(lái)靜態(tài)分配MAC、ACL和FIB表項(xiàng)的底層空間大小。modeid[Huawei]擴(kuò)展ACL表項(xiàng)空間資源模式設(shè)置Huaweidisplay resourceassign configuration 查看接口板擴(kuò)展表項(xiàng)空間資源的配置信息。當(dāng)ACL資源的使用率（即設(shè)備上實(shí)際存在的ACL表項(xiàng)占設(shè)備支持的最大ACL表項(xiàng)總數(shù)的比例）等于或高于上限告警閾值百分比時(shí)，設(shè)備將會(huì)發(fā)出超限告警。}*lowerlimitupperlimit{ACL資源告警閾值百分比設(shè)置[Huawei] User Datagram Protocol(17) Transmission Control Protocol(6) OSPF routing protocol(89) ospf Internet Control Message Protocol6(58) icmpv6 gre 1255 Specify matched packet permit permit description[Huaweiacl6adv3000]rule 1 ? Specify matched packet permit permit description高級(jí)ACL6規(guī)則配置[Huawei]acl ipv6 3000[Huaweiacl6adv3000]rule 1 ? Specify a special time Log matched packet logging fragment Any source IPv6 address any X:X::X:X/M X:X::X:X Specify a special time Specify source address Log matched packet logging fragmentSpecify matched packet permit permit description[Huaweiacl6basic2000]rule 1 ? number name INTEGER30003999 INTEGER20002999具體配置及參數(shù)同前。使用IPv4報(bào)文的源IP地址或源UCL（User Control List）組、目的地址或目的UCL組、IP協(xié)議類型、ICMP類型、TCP源端口/目的端口、UDP源端口/目的端口號(hào)等來(lái)定義規(guī)則。 Specify a special time Offset from L4 head l4head Offset from IP(v6) head ipv6head Rule string, the string must be hexadecimal and start with 39。[Huaweiacluser5000]rule 1 deny ?用戶自定義ACL支持的常用功能有用戶自定義ACL支持的常用功能參數(shù)說(shuō)明STRING310用戶自定義ACL規(guī)則配置用戶自定義ACL編號(hào)aclnumber的范圍是5000～5999。l2protocol指定acl規(guī)則匹配報(bào)文的幀封裝格式etherii指定acl匹配報(bào)文時(shí)匹配帶雙層tag的報(bào)文doubletag指定acl規(guī)則匹配報(bào)文的目的mac地址信息cvlan8021p指定acl規(guī)則匹配報(bào)文的外層vlan的8021p優(yōu)先級(jí) cr vlanid Snap format snap l2protocol Double tag doubletag Vlan priority of inner vlan Destination MAC address mask, default is ffffffffffff Vlan priority format[HuaweiaclL24000]rule 1 deny sourcemac 111111111111 destinationmac 222222222222 ? HHH cr vlanid Snap format snap l2protocol Double tag doubletag destinationmac Vlan priority of inner vlan Source MAC address mask, default is ffffffffffff Vlan priority format[HuaweiaclL24000]rule 1 deny sourcemac 111111111111 ? Specify rule description Specify matched packet deny denyudp source destination 0. destinationport eq 9090二層ACL規(guī)則配置二層ACL編號(hào)aclnumber的范圍是4000～4999。舉例：?jiǎn)⒂么嗣畋硎具^(guò)濾。但此參數(shù)不能同時(shí)與sourceport、destinationport、icmptype、tcpflag參數(shù)同時(shí)配置。end為結(jié)束端口soureport{eq prot|gt port|lt port|rage portstart port end}指定acl規(guī)則匹配報(bào)文的UDP或TCP的源端口，僅在報(bào)文協(xié)議是UDP或TCP時(shí)生效。starttcpflag指定acl規(guī)則匹配TCP報(bào)文中的SYN標(biāo)志的類型timerange指定acl規(guī)則生效時(shí)間段destinationport{eq prot|gt port|lt port|rage portstart port end}指定acl規(guī)則匹配報(bào)文的UDP或TCP的目的端口，僅在報(bào)文協(xié)議是UDP或TCP時(shí)生效。與precedence參數(shù)一起共同構(gòu)成DSCP組成的二選一參數(shù)。參數(shù)一起共同構(gòu)成DSCP組成的二選一參數(shù)。源通配符掩碼any：任意源IP地址destination{destaddr destwildcaard|anydestaddr destwildcaard：目的IP地址及通配符掩碼any：任意目的IP地址icmptype{icmpname|icmptype icmpcode}指定acl規(guī)則匹配報(bào)文的icmp報(bào)文的類型和消息碼信息，僅在報(bào)文協(xié)議是ICMP的情況下有效precedence指定acl匹配報(bào)文時(shí)依據(jù)優(yōu)先級(jí)字段進(jìn)行過(guò)濾。、高級(jí)acl常用功能說(shuō)明參數(shù)說(shuō)明deny拒絕符合條件的報(bào)文permit允許符合條件的報(bào)文source{souraddr sourwildcard|any}souraddr sourwildcard:源ip地址 cr Specify tos Specify a special time timerange sourceport Specify the fragment type of packetSpecify dscp dscp[Huaweiacladv3000]rule 1 permit udp source any destination 0 destinationport eq xdmcp who Trivial File Transfer (69) tftp TACACSDatabase Service (65) Syslog (514) syslog SNMPTRAP (162) snmptrap Routing Information Protocol (520) Network Time Protocol (123) NETBIOS Session Service (139) NETBIOS Name Service (137) netbiosns netbiosdgm MobilIPMN (435) mobilipmn Echo (7) echo dnsix dns discard Bootstrap Protocol Client (68) bootpc Protocol numbereq ? range neq Greater than given port number gt[Huaweiacladv3000]rule 1 permit udp source any destination 0 destinationport ? cr vpninstance Specify a special time Specify source port sourceport precedence Specify dscp Specify destination port[Huaweiacladv3000]rule 1 permit udp source any destination 0 ? 0 Any destination IP address Specify destination address[Huaweiacladv3000]rule 1 permit udp source any destination ? Specify a VPNInstance Specify tos tos timerange Sp