HPE FlexNetwork HSR6800 series Command Reference Manual page 30

Comware 7 acl and qos
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for
the rule are not counted.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule
applies to both fragments and non-fragments.
logging: Logs matching packets. This feature is available only when the application module (for
example, packet filtering) that uses the ACL supports the logging feature.
source { object-group address-group-name | source-address source-wildcard | any }: Matches a
source address. The object-group address-group-name option specifies an object group of source
IP addresses. The source-address and source-wildcard arguments specify a source IP address and
a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The
any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is
a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is
not configured, the system still creates the rule. However, the rule using the time range can take effect
only after you configure the time range. For more information about time ranges, see ACL and QoS
Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a
VPN instance, the rule applies to both non-VPN packets and VPN packets.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating
or editing has the same deny or permit statement as another rule in the ACL, the rule will not be
created or changed.
The object group you specify when creating or editing a rule must already exist. Otherwise, the rule
will not be created or changed.
You can edit ACL rules only when the match order is config.
The counting keyword in this command enables match counting specific to rules, and the
hardware-count keyword in the packet-filter command enables match counting for all rules in an
ACL.
To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you
specify optional parameters, the undo rule rule-id command deletes the specified attributes for the
rule.
The undo rule [ rule-id ] { deny | permit } command can only be used to delete an entire rule. You
must specify all the attributes of the rule for the command.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP subnet but 10.0.0.0/8,
172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-basic-2000] rule deny source any
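The following Python model, added here as an illustration and not part of the HPE manual or of Comware, shows how the wildcard-mask matching described under source, the first-match evaluation in config order, the fragment and counting keywords, and the uniqueness requirement from the usage guidelines fit together, using the ACL 2000 rules from the example above. The normalisation of the address against the wildcard and the "no-match" result when no rule matches are assumptions of this model; the class and function names are invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# (address, wildcard) as 32-bit ints; None stands for the 'any' keyword
Source = Optional[Tuple[int, int]]


def parse_wildcard_source(address: str, wildcard: str) -> Source:
    """Turn 'source-address source-wildcard' into a normalised match key.
    A wildcard bit of 1 means don't-care, so those bits are cleared in the
    address (assumption of this model); a wildcard of 0.0.0.0 keeps the full
    host address, as the manual states."""
    addr = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    return (addr & ~wild, wild)


def source_matches(source: Source, packet_src: str) -> bool:
    """'any' matches everything; otherwise compare only the non-wildcard bits."""
    if source is None:
        return True
    addr, wild = source
    return (int(ipaddress.IPv4Address(packet_src)) & ~wild) == addr


@dataclass(frozen=True)
class Rule:
    action: str              # 'permit' or 'deny'
    source: Source
    fragment: bool = False   # True: rule applies to non-first fragments only
    counting: bool = False   # True: matches for this rule are counted


class BasicAcl:
    """Toy model of an IPv4 basic ACL with match order 'config' (first match wins)."""

    def __init__(self, number: int):
        self.number = number
        self.rules = []   # evaluated in configuration order
        self.hits = {}    # rule index -> match count (only for counting rules)

    def statement(self, rule: Rule):
        # The deny/permit statement is the action plus the match criteria;
        # 'counting' is an attribute of the rule, not part of the statement.
        return (rule.action, rule.source, rule.fragment)

    def add_rule(self, action: str, source: Source = None,
                 fragment: bool = False, counting: bool = False) -> bool:
        """Return False and leave the ACL unchanged when another rule already
        has the same deny/permit statement (the usage guideline above)."""
        rule = Rule(action, source, fragment, counting)
        if any(self.statement(r) == self.statement(rule) for r in self.rules):
            return False
        self.rules.append(rule)
        return True

    def evaluate(self, packet_src: str, non_first_fragment: bool = False) -> str:
        """Return the action of the first matching rule, or 'no-match' when no
        rule matches (what happens then is up to the module using the ACL)."""
        for index, rule in enumerate(self.rules):
            if rule.fragment and not non_first_fragment:
                continue   # a 'fragment' rule skips non-fragments and first fragments
            if source_matches(rule.source, packet_src):
                if rule.counting:
                    self.hits[index] = self.hits.get(index, 0) + 1
                return rule.action
        return "no-match"


def build_acl_2000() -> BasicAcl:
    """The manual's example: permit three private subnets, deny everything else."""
    acl = BasicAcl(2000)
    acl.add_rule("permit", parse_wildcard_source("10.0.0.0", "0.255.255.255"))
    acl.add_rule("permit", parse_wildcard_source("172.17.0.0", "0.0.255.255"))
    acl.add_rule("permit", parse_wildcard_source("192.168.1.0", "0.0.0.255"))
    acl.add_rule("deny", None, counting=True)   # rule deny source any counting
    return acl


if __name__ == "__main__":
    acl = build_acl_2000()
    # Constructed sample source addresses, not traffic from the manual
    for src in ["10.1.2.3", "172.17.200.1", "192.168.1.77", "192.168.2.1", "8.8.8.8"]:
        print(src, "->", acl.evaluate(src))
    print("denied packets counted per rule index:", acl.hits)
```

Because the match key is normalised, a second rule such as permit source 10.5.0.0 0.255.255.255 is treated as the same statement as the existing 10.0.0.0 0.255.255.255 rule and is rejected; whether the real device normalises in exactly this way is an assumption of the model, so check the display acl all output on the device when in doubt.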
Related commands
acl
25
