H3C S7500E Series Ethernet Switches Operation Manual

Operation Manual – ACL
H3C S7500E Series Ethernet Switches Chapter 3 IPv6 ACL Configuration
To do: Create or modify a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-name ] *
Remarks: Required. To create multiple rules, repeat this step. Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported and the operator argument cannot be:
- neq, if the policy is for the inbound traffic,
- gt, lt, neq or range, if the policy is for the outbound traffic.

To do: Set a rule numbering step
Use the command: step step-value
Remarks: Optional. The default step is 5.

To do: Create an ACL description
Use the command: description text
Remarks: Optional. By default, no IPv6 ACL description is present.

To do: Create a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, no rule description is present.

Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
- You may use the display acl command to verify rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.

Caution:
- You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.
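
The QoS restriction in the Remarks for "Create or modify a rule" can be checked before an ACL is bound to a policy. The following Python check is an added example, not part of the H3C manual; the function names and the sample rules are constructed for illustration.

```python
# Restrictions from the Remarks: keywords and port operators that a rule in a
# QoS-referenced IPv6 ACL may not use, per traffic direction.
UNSUPPORTED_KEYWORDS = {"logging", "fragment"}
FORBIDDEN_OPERATORS = {"inbound": {"neq"},
                       "outbound": {"gt", "lt", "neq", "range"}}
PORT_KEYWORDS = {"source-port", "destination-port"}

def qos_violations(rule_line, direction):
    """Return the reasons rule_line cannot be used by a QoS policy applied in
    the given direction ("inbound" or "outbound"); empty list if it is fine."""
    if direction not in FORBIDDEN_OPERATORS:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    tokens = rule_line.split()
    # "rule rule-id comment text" is free text, not match criteria.
    if len(tokens) >= 3 and tokens[0] == "rule" and tokens[2] == "comment":
        return []
    problems = []
    for i, tok in enumerate(tokens):
        if i and tokens[i - 1] == "time-range":
            continue  # a time-range name may coincide with a keyword
        if tok in UNSUPPORTED_KEYWORDS:
            problems.append(f"keyword '{tok}' is not supported")
        elif tok in PORT_KEYWORDS and i + 1 < len(tokens):
            op = tokens[i + 1]
            if op in FORBIDDEN_OPERATORS[direction]:
                problems.append(
                    f"{tok} operator '{op}' is not allowed for {direction} traffic")
    return problems

def audit_acl(config_text, direction):
    """Map each offending rule line in config_text to its violations."""
    report = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("rule "):
            found = qos_violations(line, direction)
            if found:
                report[line] = found
    return report

# Constructed sample rules (2001:db8::/32 is the documentation prefix).
SAMPLE = """
rule 0 permit tcp source 2001:db8:1::/64 destination any destination-port eq 443
rule 5 deny udp source any source-port range 1024 2048
rule 10 deny tcp destination 2001:db8:2::/64 destination-port neq 22 logging
rule 15 permit udp fragment
rule 15 comment drop fragment probes
"""

if __name__ == "__main__":
    for direction in ("inbound", "outbound"):
        for rule, why in audit_acl(SAMPLE, direction).items():
            print(f"[{direction}] {rule}: {'; '.join(why)}")
```

Rule 5 passes for an inbound policy but is rejected for an outbound one, because range is only excluded for outbound traffic.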