H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – ACL
H3C S7500E Series Ethernet Switches Chapter 2 IPv4 ACL Configuration
To do…                                   Use the command…                                              Remarks

1. Enter system view                     system-view                                                   ––

2. Create and enter advanced IPv4        acl number acl-number [ name acl-name ]                       Required.
   ACL view                              [ match-order { auto | config } ]                             The default match order is config.
                                                                                                       If you specify a name for an IPv4 ACL when creating
                                                                                                       the ACL, you can use the acl name acl-name command
                                                                                                       to enter the view of the ACL later.

3. Create or modify a rule               rule [ rule-id ] { deny | permit } protocol                   Required.
                                         [ destination { dest-addr dest-wildcard | any } |             To create multiple rules, repeat this step.
                                         destination-port operator port1 [ port2 ] |                   Note that if the ACL is to be referenced by a QoS
                                         dscp dscp | established | fragment |                          policy for traffic classification, the logging,
                                         icmp-type { icmp-type icmp-code | icmp-message } |            reflective and vpn-instance keywords are not
                                         logging | precedence precedence | reflective |                supported, and the operator argument cannot be:
                                         source { sour-addr sour-wildcard | any } |                    - neq, if the policy is for inbound traffic;
                                         source-port operator port1 [ port2 ] |                        - gt, lt, neq or range, if the policy is for
                                         time-range time-name | tos tos |                                outbound traffic.
                                         vpn-instance vpn-instance-name ] *

4. Set a rule numbering step             step step-value                                               Optional.
                                                                                                       The default step is 5.

5. Create an IPv4 ACL description        description text                                              Optional.
                                                                                                       By default, no IPv4 ACL description is present.

6. Create a rule description             rule rule-id comment text                                     Optional.
                                                                                                       By default, no rule description is present.
Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
- You can use the display acl command to verify the rules configured in an ACL. If the match order of the ACL is auto, rules are displayed in depth-first match order rather than by rule number.
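The following Python model, added here as an illustration and not taken from the H3C manual or from Comware, reproduces the rule-handling behaviour described in the procedure and notes above: rule IDs assigned from the numbering step when no rule-id is given, rejection of a rule whose permit/deny statement duplicates another rule, rejection of modifications when match-order is auto, the difference between config and depth-first display order, and the keyword/operator restrictions that apply when the ACL is referenced by a QoS policy. Two details are assumptions, because the page does not state them: the ID assignment (0 for the first rule, then the smallest multiple of the step above the current highest ID) and the depth-first ordering (smaller source wildcard first, then smaller destination wildcard, then rules with a port condition, then rule ID). The parser covers only a subset of the rule syntax in the table (icmp-type is not handled).

```python
"""Model of the IPv4 advanced ACL behaviour described above (added example,
not H3C code). Assumed, not from the page: rule-ID assignment and the exact
depth-first ordering; see the comments on _next_id and display_order."""
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")          # 'any' as an address/wildcard pair

# Restrictions for ACLs referenced by a QoS policy (from the Remarks column).
QOS_UNSUPPORTED_KEYWORDS = {"logging", "reflective", "vpn-instance"}
QOS_BAD_OPERATORS = {"inbound": {"neq"}, "outbound": {"gt", "lt", "neq", "range"}}


@dataclass(frozen=True)
class Rule:
    action: str                 # permit | deny
    protocol: str               # ip, tcp, udp, ...
    source: tuple               # (addr, wildcard)
    destination: tuple          # (addr, wildcard)
    sport: Optional[tuple]      # (operator, port1, port2-or-None)
    dport: Optional[tuple]
    extras: frozenset           # remaining keywords, e.g. "logging", "time-range t1"


def norm_wildcard(tok: str) -> str:
    return "0.0.0.0" if tok == "0" else tok      # accept '0' as shorthand for 0.0.0.0


def wildcard_bits(wc: str) -> int:
    """Number of don't-care bits in a wildcard; fewer bits = more specific."""
    return sum(bin(int(o)).count("1") for o in wc.split("."))


def parse_rule(text: str):
    """Parse 'rule [ rule-id ] { deny | permit } protocol [ options ]' (subset
    of the syntax in the table). Returns (rule_id or None, Rule)."""
    t = text.split()
    if len(t) < 3 or t[0] != "rule":
        raise ValueError("expected a 'rule' command")
    i, rule_id = 1, None
    if t[i].isdigit():
        rule_id, i = int(t[i]), i + 1
    action, protocol, i = t[i], t[i + 1], i + 2
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    src = dst = ANY
    sport = dport = None
    extras = set()
    while i < len(t):
        kw = t[i]
        i += 1
        if kw in ("source", "destination"):
            if t[i] == "any":
                val, i = ANY, i + 1
            else:
                val, i = (t[i], norm_wildcard(t[i + 1])), i + 2
            if kw == "source":
                src = val
            else:
                dst = val
        elif kw in ("source-port", "destination-port"):
            op, p1, i = t[i], int(t[i + 1]), i + 2
            p2 = None
            if op == "range":                     # range takes port1 and port2
                p2, i = int(t[i]), i + 1
            if kw == "source-port":
                sport = (op, p1, p2)
            else:
                dport = (op, p1, p2)
        elif kw in ("established", "fragment", "logging", "reflective"):
            extras.add(kw)
        elif kw in ("dscp", "precedence", "time-range", "tos", "vpn-instance"):
            extras.add(f"{kw} {t[i]}")
            i += 1
        else:
            raise ValueError(f"keyword not handled by this model: {kw}")
    return rule_id, Rule(action, protocol, src, dst, sport, dport, frozenset(extras))


def qos_problems(rule: Rule, direction: str) -> list:
    """Reasons this rule is unusable for QoS traffic classification ('inbound'/'outbound')."""
    probs = [e for e in sorted(rule.extras) if e.split()[0] in QOS_UNSUPPORTED_KEYWORDS]
    for port in (rule.sport, rule.dport):
        if port and port[0] in QOS_BAD_OPERATORS[direction]:
            probs.append("operator " + port[0])
    return probs


class Ipv4AdvancedAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number, self.match_order, self.step = number, match_order, step
        self.rules = {}                          # rule-id -> Rule

    def _next_id(self) -> int:
        # Assumption: 0 for the first rule, then the next multiple of step above the max ID.
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, text: str) -> int:
        """Create or modify a rule; returns the rule ID. Raises ValueError as the switch would."""
        rule_id, new = parse_rule(text)
        for rid, old in self.rules.items():
            if old == new and rid != rule_id:   # identical permit/deny statement elsewhere
                raise ValueError(f"rule {rid} already has this statement")
        if rule_id is None:
            rule_id = self._next_id()
        elif rule_id in self.rules and self.match_order == "auto":
            raise ValueError("rules cannot be modified when match-order is auto")
        self.rules[rule_id] = new
        return rule_id

    def display_order(self) -> list:
        """Rule IDs in the order 'display acl' would list them."""
        if self.match_order == "config":
            return sorted(self.rules)

        def depth(rid):  # assumed depth-first key: most specific addresses first
            r = self.rules[rid]
            return (wildcard_bits(r.source[1]), wildcard_bits(r.destination[1]),
                    0 if (r.sport or r.dport) else 1, rid)
        return sorted(self.rules, key=depth)
```

With match-order auto, a host-specific deny entered last is still listed (and matched) before a catch-all permit entered first, which is the point of the second note above; with match-order config the rule IDs alone decide the order, so the same rules behave differently.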