H3C S9500 Series Operation Manual page 1113

Operation Manual – ACL
H3C S9500 Series Routing Switches
Note:
If the time-range keyword is not selected, the ACL will be effective at any time after
being activated.
You can define multiple rules for an ACL by executing the rule command
repeatedly.
When the QoS/ACL action is configured under the port, if the QoS/ACL is applied
without sub rules, the QoS/ACL is matched as per the matching order defined in the
ACL rule; if applied with specific sub rules, the QoS/ACL is matched as per the
sequence applied under the port.
By default, ACL rules are matched in config order.
If you want to replace an existing rule, you are recommended to use the undo
command to delete the original rule first and then reconfigure the rule.
I. Defining a basic ACL
Basic ACLs only make rules and process packets according to the source IP
addresses.
Perform the following configurations in the specified views to define/remove a basic
ACL:
Enter basic ACL view (from
system view)
Define an ACL rule (in basic
ACL view)
Remove an ACL rule (in
basic ACL view)
Remove an ACL or all ACLs
(in system view)
II. Defining an advanced ACL
Advanced ACLs define classification rules and process packets according to the
attributes of the packets such as source and destination IP addresses, TCP/UDP ports
used, and packet priority. ACLs support three types of priority schemes: ToS (type of
service) priority, IP priority and DSCP priority.
Perform the following configurations in the specified view to define/remove an
advanced ACL:
To do...
acl { number acl-number | name acl-name basic }
[ match-order { config | auto } ]
rule [ rule-id ] { permit | deny } [ packet-level
{ bridge | route } | source { source-addr wildcard |
any } | fragment | time-range name | vpn-instance
instance-name ] *
undo rule rule-id [ packet-level | source | fragment
| time-range | vpn-instance instance-name ] *
undo acl { number acl-number | name acl-name |
all }
Use the command...
1-11
Chapter 1 ACL Configuration