H3C S6550X-HI Series Command Reference Manual page 2137


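To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. For more information about the packet-filter command, see packet filter commands in Security Command Reference.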
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP subnet but 10.0.0.0/8,
172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-basic-2000] rule deny source any
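The wildcard masks and rule order in the ACL 2000 example can be checked offline. The following Python code is an added example, not part of the H3C manual: it assumes rules are evaluated in ascending rule-ID order with the first match deciding, assumes the IDs 0, 5, 10 and 15 for the four rules, and uses hypothetical names (`evaluate`, `shadowed_rules`, `MISORDERED`).

```python
import ipaddress

# Rules from the ACL 2000 example above. The rule IDs 0/5/10/15 are an
# assumption (automatic numbering); only their relative order matters.
ACL_2000 = [
    (0,  "permit", "10.0.0.0",    "0.255.255.255"),
    (5,  "permit", "172.17.0.0",  "0.0.255.255"),
    (10, "permit", "192.168.1.0", "0.0.0.255"),
    (15, "deny",   "any",         None),
]

def _care_value(src, wildcard):
    """Return (care_bits, value): a 0 bit in the wildcard must match,
    a 1 bit is ignored; 'any' inspects no bits at all."""
    if src == "any":
        return 0, 0
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return care, int(ipaddress.IPv4Address(src)) & care

def evaluate(acl, packet_src):
    """First matching rule in ascending rule-ID order, as (rule_id, action);
    None when no rule matches."""
    addr = int(ipaddress.IPv4Address(packet_src))
    for rule_id, action, src, wildcard in sorted(acl, key=lambda r: r[0]):
        care, value = _care_value(src, wildcard)
        if addr & care == value:
            return rule_id, action
    return None

def shadowed_rules(acl):
    """IDs of rules that can never match because an earlier rule already
    matches every source address they describe."""
    ordered = sorted(acl, key=lambda r: r[0])
    hidden = []
    for i, (rule_id, _action, src, wildcard) in enumerate(ordered):
        care, value = _care_value(src, wildcard)
        for _id, _act, e_src, e_wc in ordered[:i]:
            e_care, e_value = _care_value(e_src, e_wc)
            # Earlier rule inspects only bits this rule fixes, to the same values.
            if e_care & care == e_care and value & e_care == e_value:
                hidden.append(rule_id)
                break
    return hidden

# Constructed misordering: the same rules with "deny source any" placed first.
MISORDERED = [(0, "deny", "any", None)] + [
    (rid + 5, act, src, wc) for rid, act, src, wc in ACL_2000[:3]
]
```

With the deny rule moved to the front, `shadowed_rules` reports every permit rule as unreachable, which is the ordering mistake to look for when auditing an ACL of this shape.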
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
step
time-range
rule (IPv6 advanced ACL view)
Use rule to create or edit an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value |
psh psh-value | rst rst-value | syn syn-value | urg urg-value } * |
established } | counting | destination { dest-address dest-prefix |
dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ]
| dscp dscp | flow-label flow-label-value | fragment | icmp6-type
{ icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] |
hop-by-hop [ type hop-type ] | source { source-address source-prefix |
source-address/source-prefix | any } | source-port operator port1 [ port2 ]
| time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } |
counting | destination | destination-port | dscp | flow-label | fragment |
icmp6-type | routing | hop-by-hop | source | source-port | time-range |
vpn-instance ] *
