H3C S7500E Series Ethernet Switches Operation Manual

Operation Manual – ACL
H3C S7500E Series Ethernet Switches Chapter 2 IPv4 ACL Configuration
2.2.1 Configuration Prerequisites
To reference a time range in a rule, first define the time range with the time-range command.
2.2.2 Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | –– |
| Create and enter basic IPv4 ACL view | acl number acl-number [ name acl-name ] [ match-order { auto \| config } ] | Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name acl-name command to enter the view of the ACL later. |
| Create or modify a rule | rule [ rule-id ] { deny \| permit } [ fragment \| logging \| source { sour-addr sour-wildcard \| any } \| time-range time-name \| vpn-instance vpn-instance-name ] * | Required. To create multiple rules, repeat this step. Note that the logging and vpn-instance keywords are not supported if the ACL is to be referenced by a QoS policy for traffic classification. |
| Set a rule numbering step | step step-value | Optional. The default step is 5. |
| Create an IPv4 ACL description | description text | Optional. By default, no IPv4 ACL description is present. |
| Create a rule description | rule rule-id comment text | Optional. By default, no rule description is present. |
Note that:
• You cannot create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
• You can use the display acl command to verify the rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.
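
The procedure above, carried through once as an added example (not taken from the manual). The ACL number 2000, the names mgmt and workhours, the 192.0.2.0/24 addresses and the time-range arguments are assumed sample values; lines starting with # are annotations, not commands to type.

```comware
# Prerequisite (2.2.1): define the time range before any rule references it.
# "workhours" is a constructed name; the arguments are sample values.
system-view
time-range workhours 8:00 to 18:00 working-day

# Create and enter the basic IPv4 ACL view. match-order config is the
# default; it is stated explicitly so that rules are matched by rule ID
# and can still be modified later (not possible with match-order auto).
acl number 2000 name mgmt match-order config
description Permitted management source addresses

# Explicit rule IDs on multiples of the default step (5) keep the order
# obvious and leave room to insert rules between existing ones.
# A single management host (wildcard 0 matches the exact address).
rule 5 permit source 192.0.2.10 0
rule 5 comment Jump host, always permitted

# The rest of the sample subnet, only inside the defined time range.
rule 10 permit source 192.0.2.0 0.0.0.255 time-range workhours
rule 10 comment Admin subnet, working hours only

# Explicit final deny with logging, so that rejected sources are
# recorded. Leave out "logging" if this ACL is to be referenced by a
# QoS policy for traffic classification.
rule 15 deny source any logging
rule 15 comment Log and drop all other sources

# Verify: with match-order config, rules are listed by rule number.
display acl 2000
```

Because matching follows rule ID under the config match order, the specific permits must carry lower IDs than the final deny; a narrower exception added later can take an unused ID such as 7 without renumbering the others.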