H3C S7500 Series Ethernet Switches Operation Manual

Operation Manual – ACL
Chapter 1 ACL Configuration
1.5.2 Configuration Procedure
Table 1-4 Define a basic ACL rule
(columns: To do... / Use the command... / Remarks)
1. Enter system view
   Command: system-view
2. Create or enter basic ACL view
   Command: acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]
   Remarks: Required. By default, the match order is config.
3. Define a rule
   Command: rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range time-name ]*
   Remarks: Required.
4. Display ACL information
   Command: display acl config { all | acl-number | acl-name }
   Remarks: Optional. This command can be executed in any view.
In the case that you specify the rule ID when defining a rule:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case, the system reports an error when you execute the rule command.
- If no rule corresponds to the specified rule ID, you create and define a new rule.
- The content of a modified or newly created rule must not be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.
If you do not specify a rule ID, you create and define a new rule, and the system assigns an ID to the rule automatically.
1.5.3 Configuration Example
# Configure ACL 2000 to deny packets whose source IP address is 1.1.1.1.
<H3C> system-view
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
[H3C-acl-basic-2000] display acl config 2000
Basic ACL 2000, 1 rule
rule 0 deny source 1.1.1.1 0 (0 times matched)
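The rule-ID handling described in 1.5.2 (overwrite of an existing ID under match-order config, no editing under match-order auto, rejection of identical rule content, automatic ID assignment) and the ACL 2000 example in 1.5.3, modelled in Python as an added example that is not part of the manual or of the switch software. The class and function names are mine. Two points the page does not state are assumptions marked in the code: an automatically assigned ID is the lowest unused one (consistent with the example's rule 0), and a packet is tested against rules in ascending ID order, returning None when nothing matches (the auto match order is not modelled separately). Wildcard masks follow the usual convention that a 1 bit means "don't care", so source 1.1.1.1 0 matches exactly one address.

```python
"""Model of H3C basic ACL rule-ID handling and source matching.

Added example, not code from the H3C manual or switch software.
Assumptions (not stated on the page) are marked below.
"""
import ipaddress


class AclError(Exception):
    """Raised where the switch would print an error for the rule command."""


def _to_int(addr: str) -> int:
    # Accept dotted decimal ("1.1.1.1") or a bare integer ("0"), as the CLI does for wildcards.
    if addr.isdigit():
        return int(addr)
    return int(ipaddress.IPv4Address(addr))


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        self.number = number
        self.match_order = match_order      # "config" (default) or "auto"
        self.rules = {}                     # rule_id -> settings dict
        self.hits = {}                      # rule_id -> match counter shown by display()

    def rule(self, action, rule_id=None, source=None, wildcard=None,
             fragment=None, time_range=None):
        """Mirror 'rule [ rule-id ] { permit | deny } [ source ... | fragment | time-range ... ]*'."""
        if action not in ("permit", "deny"):
            raise AclError("action must be permit or deny")
        if source is not None and wildcard is None:
            raise AclError("source requires a wildcard mask")
        # Only settings present on the command line take part in an overwrite.
        given = {k: v for k, v in dict(action=action, source=source, wildcard=wildcard,
                                       fragment=fragment, time_range=time_range).items()
                 if v is not None}
        if rule_id is not None and rule_id in self.rules:
            if self.match_order == "auto":
                raise AclError("rules of an ACL created with match-order auto cannot be edited")
            new = dict(self.rules[rule_id])   # settings not specified remain unchanged
            new.update(given)
        else:
            if rule_id is None:
                # Assumption: the switch hands out the lowest unused ID (page only says "automatically").
                rule_id = 0
                while rule_id in self.rules:
                    rule_id += 1
            new = dict(action=action, source=source, wildcard=wildcard,
                       fragment=bool(fragment), time_range=time_range)
        for other_id, other in self.rules.items():
            if other_id != rule_id and other == new:
                raise AclError("rule already exists")   # identical content is rejected
        self.rules[rule_id] = new
        self.hits.setdefault(rule_id, 0)
        return rule_id

    @staticmethod
    def _matches(settings, src_ip):
        if settings["source"] is None:        # no source clause: every packet matches
            return True
        care = ~_to_int(settings["wildcard"]) & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
        return (int(ipaddress.IPv4Address(src_ip)) ^ _to_int(settings["source"])) & care == 0

    def check(self, src_ip):
        """Return the action of the first matching rule, or None when no rule matches.
        Assumption: rules are tried in ascending ID order (the page does not describe
        the auto match order, so it is not modelled separately)."""
        for rule_id in sorted(self.rules):
            if self._matches(self.rules[rule_id], src_ip):
                self.hits[rule_id] += 1
                return self.rules[rule_id]["action"]
        return None

    def display(self):
        """Lines in the style of 'display acl config <acl-number>'."""
        n = len(self.rules)
        lines = [f"Basic ACL {self.number}, {n} rule{'' if n == 1 else 's'}"]
        for rule_id in sorted(self.rules):
            s = self.rules[rule_id]
            parts = [f"rule {rule_id}", s["action"]]
            if s["source"] is not None:
                parts += ["source", s["source"], s["wildcard"]]
            if s["fragment"]:
                parts.append("fragment")
            if s["time_range"]:
                parts += ["time-range", s["time_range"]]
            lines.append(" ".join(parts) + f" ({self.hits[rule_id]} times matched)")
        return lines


if __name__ == "__main__":
    # Reproduces the 1.5.3 example: rule 0 is assigned automatically.
    acl = BasicAcl(2000)
    acl.rule("deny", source="1.1.1.1", wildcard="0")
    print("\n".join(acl.display()))
```

Running the block prints the same two lines the switch shows in 1.5.3. The model also makes the two failure cases from 1.5.2 visible: re-entering an identical rule raises "rule already exists", and specifying an existing rule-id on an ACL created with match-order auto raises instead of editing.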