3Com Switch 8800 Advanced Software V5 Configuration Guide
808 CHAPTER 57: IPV4 ACL CONFIGURATION
You will fail to create or modify a rule if its permit/deny statement is exactly the
same as another rule. In addition, if the ACL match order is set to auto rather than
config, you cannot modify ACL rules.
When defining ACL rules, you need not assign them IDs. The system can
automatically assign rule IDs, starting with 0 and increasing in certain rule
numbering steps. A rule ID thus assigned is greater than the current highest rule
ID. For example, if the rule numbering step is five and the current highest rule ID is
28, the next rule will be numbered 30. For detailed information about step, refer
to the step command in the Switch 8800 Command Reference Guide.
You may use the display acl command to verify rules configured in an ACL. If the
match order for this ACL is auto, rules are displayed in the depth-first match order
rather than by rule number.
CAUTION:
■ You can modify the match order of an ACL with the acl number acl-number
match-order { auto | config } command but only when it does not contain
any rules.
■ The rule specified in the rule comment command must already exist.
■ For common I/O Modules, matching packets against an ACL rule with the
VPN-Instance keyword or the logging keyword specified is not supported.
■ For common interface cards, matching packets against an ACL rule with the
reflective keyword specified is not supported.
To do... / Use the command... / Remarks

To do: Enter system view
Use the command: system-view
Remarks: --

To do: Create and enter advanced IPv4 ACL view
Use the command: acl number acl-number [ match-order { auto | config } ]
Remarks: Required. The default match order is config.

To do: Create or modify a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | established | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *
Remarks: Required. To create multiple rules, repeat this step.

To do: Set a rule numbering step
Use the command: step step-value
Remarks: Optional. The default step is 5.

To do: Create an IPv4 ACL description
Use the command: description text
Remarks: Optional

To do: Create a rule description
Use the command: rule rule-id comment text
Remarks: Optional
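The procedure above, worked through as an added example session (not taken from the 3Com guide): an advanced IPv4 ACL that allows SSH to a management address only from an administrative subnet. The ACL number 3000, the addresses, the TCP port, the eq operator and the view prompts are assumptions for illustration; lines beginning with # are annotations, not CLI input.

```text
<Switch> system-view
# Match order is fixed at creation: it cannot be changed once the ACL holds rules.
[Switch] acl number 3000 match-order config
[Switch-acl-adv-3000] description Restrict SSH to the management address
# Step is set before any rule is added, so auto-assigned IDs follow it.
[Switch-acl-adv-3000] step 5
# No rule-id given: the first rule is auto-numbered 0.
[Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.2.2.1 0 destination-port eq 22
# Next free multiple of the step above the current highest ID (0) is 5.
# This deny differs from the permit above, so it is not rejected as a duplicate.
[Switch-acl-adv-3000] rule deny tcp destination 10.2.2.1 0 destination-port eq 22
# The comment refers to rule 5, which now exists.
[Switch-acl-adv-3000] rule 5 comment Deny SSH to the management address from anywhere else
# Verify: with match-order config, rules are listed by rule number.
[Switch-acl-adv-3000] display acl 3000
```

Had the ACL been created with match-order auto, the display would list the rules in depth-first order instead of by number, and the rule statements could not be modified afterwards.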