Global ACL Configuration Example - H3C S9500 Series Operating Manual

Operation Manual – QoS
H3C S9500 Series Routing Switches
Caution:
The global-acl maximum slot command applies only to D-type interface boards.
Additionally, for the command to take effect, you must restart the interface board
after configuring the command.

Without the global-acl maximum slot command, a D-type board supports up to
1024 hardware ACL entries, including global ACLs, port ACLs, and VLAN-ACLs.

With the command configured, the maximum number of hardware ACL entries
supported on the board is 2048 minus the number specified for the max-entry-num
argument, including global ACLs, port ACLs, and VLAN-ACLs. Among them, the
maximum number of global ACLs is the value specified by max-entry-num, and
the maximum number of port ACLs and VLAN-ACLs is 2048 minus two times
max-entry-num.

With the global-acl maximum slot command configured, the total number of port
ACLs and VLAN-ACLs decreases. Therefore, some port ACL entries and
VLAN-ACL entries may be lost after the board restarts.

7.3 Global ACL Configuration Example

I. Network requirements
As shown in Figure 7-1, a company uses VLANs to isolate its two departments.
The R&D department belongs to VLAN 10 and is on the network segment
10.10.10.0/24. The HR department belongs to VLAN 11 and is on the network
segment 10.11.11.0/24.
The PCs of the R&D department are connected to GigabitEthernet 2/1/1 through
GigabitEthernet 2/1/4 of the switch; the PCs of the HR department are connected
to GigabitEthernet 3/1/1 through GigabitEthernet 3/1/5 of the switch.
The HR department has a salary server, whose IP address is 10.11.11.11/24.
Configure ACLs to prevent all the PCs of the R&D department (except the PCs with
IP addresses 10.10.10.2/24 and 10.10.10.3/24) from accessing the salary server
from 8:00 to 18:00 on working days.
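
The requirements above can be written down as a test matrix and checked before any ACL is applied to the switch. The Python model below is an added example, not part of the H3C manual and not switch configuration; the names evaluate, audit and CASES are hypothetical. It assumes that working days are Monday to Friday, that the time range covers 08:00 up to but not including 18:00, and that traffic matching no rule is forwarded.

```python
"""Added example: software model of the access policy in the requirements."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

RND_NET = ip_network("10.10.10.0/24")        # R&D department, VLAN 10
SALARY_SERVER = ip_address("10.11.11.11")    # salary server in HR, VLAN 11
EXEMPT = {ip_address("10.10.10.2"), ip_address("10.10.10.3")}
WORK_START, WORK_END = time(8, 0), time(18, 0)

def in_time_range(when):
    """Assumption: Monday-Friday, active for 08:00 <= t < 18:00."""
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END

# Ordered rules, first match wins. The exemptions must come before the
# deny rule, otherwise the two permitted R&D hosts are blocked as well.
RULES = [
    ("permit", lambda s, d, t: s in EXEMPT and d == SALARY_SERVER),
    ("deny", lambda s, d, t: s in RND_NET and d == SALARY_SERVER
                             and in_time_range(t)),
]

def evaluate(src, dst, when):
    """Return 'permit' or 'deny' for one packet."""
    s, d = ip_address(src), ip_address(dst)
    for action, match in RULES:
        if match(s, d, when):
            return action
    return "permit"  # assumption: unmatched traffic is forwarded

def audit(cases):
    """Return every case whose verdict differs from the expected one."""
    return [c for c in cases if evaluate(c[0], c[1], c[2]) != c[3]]

# Constructed test matrix: (source, destination, timestamp, expected)
MON_10 = datetime(2024, 3, 4, 10, 0)   # a Monday, inside the range
MON_19 = datetime(2024, 3, 4, 19, 0)   # a Monday, after hours
SAT_10 = datetime(2024, 3, 9, 10, 0)   # a Saturday
CASES = [
    ("10.10.10.50", "10.11.11.11", MON_10, "deny"),    # ordinary R&D PC
    ("10.10.10.2",  "10.11.11.11", MON_10, "permit"),  # exempt host
    ("10.10.10.3",  "10.11.11.11", MON_10, "permit"),  # exempt host
    ("10.10.10.50", "10.11.11.11", MON_19, "permit"),  # outside hours
    ("10.10.10.50", "10.11.11.11", SAT_10, "permit"),  # not a working day
    ("10.10.10.50", "10.11.11.20", MON_10, "permit"),  # other HR host
    ("10.11.11.30", "10.11.11.11", MON_10, "permit"),  # HR PC to server
]

if __name__ == "__main__":
    print(audit(CASES) or "policy model matches the requirements")
```

The same matrix can be replayed as real traffic against the switch once the ACL is in place, so that a rule-ordering or time-range mistake shows up as a mismatch.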
Chapter 7 Global ACL Configuration