H3C MSR 20-20 Command Reference Manual page 2093

Msr 20/30/50 series routers

fragment: Indicates that the rule applies only to non-first fragments. Without this
keyword, the rule applies to both fragments and non-fragments.
logging: Specifies to log matched packets. The log provides information about the
ACL rule number, whether packets are permitted or dropped, the upper layer protocol
that IP carries, the source/destination address, the source/destination port number,
and the number of packets.
source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr
sour-wildcard argument specifies a source IP address in dotted decimal notation.
Setting the wildcard to 0 indicates a host address. The any keyword indicates
any source IP address.
time-range time-name: Specifies the time range in which the rule takes effect.
The time-name argument specifies a time range name of 1 to 32 characters. It is
case insensitive and must start with an English letter. To avoid confusion, this name
cannot be all.
vpn-instance vpn-instance-name: Specifies a VPN instance. The
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
Description
Use the rule command to create a basic IPv4 ACL rule or modify the rule if it
already exists.
Use the undo rule command to remove a basic IPv4 ACL rule or parameters from
the rule.
With the undo rule command, if no parameters are specified, the entire ACL rule
is removed; if other parameters are specified, only the involved information is
removed.
You will fail to create or modify a rule if its permit/deny statement is exactly the
same as another rule. In addition, if the ACL match order is set to auto rather than
config, you cannot modify ACL rules.
When defining ACL rules, you need not assign them IDs. The system can
automatically assign rule IDs, starting with 0 and increasing by the rule
numbering step. A rule ID thus assigned is greater than the current highest rule
ID. For example, if the rule numbering step is 5 and the current highest rule ID is
28, the next rule will be numbered 30. For detailed information about step, refer
to "step (for IPv4)" on page 2100 and "step (for IPv6)" on page 2116.
You may use the display acl command to verify rules configured in an ACL. If the
match order for this ACL is auto, rules are displayed in the depth-first match order
rather than by rule number.
Example
# Create a rule to deny packets with the source IP address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
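
The following Python model is an added example, not part of the H3C manual or of any H3C tool. It reviews a basic IPv4 ACL offline: it assigns rule IDs with the numbering step described above, rejects a statement identical to an existing rule, and reports which rule a source address hits. Assumptions: rules are checked in ascending rule ID (config match order), wildcard bits set to 1 are ignored when comparing addresses, and the fragment, logging, time-range and vpn-instance keywords are parsed past but not modelled. BasicAcl, to_int and demo are hypothetical names.

```python
import ipaddress

FULL = 0xFFFFFFFF

def to_int(text):
    # The page's example writes a host wildcard as a bare 0.
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

class BasicAcl:
    """Offline model of a basic IPv4 ACL; rules are checked by ascending rule ID."""

    def __init__(self, step=5):
        self.step = step
        self.rules = {}  # rule ID -> (action, masked source, wildcard)

    def next_id(self):
        # First rule gets 0; later ones get the next multiple of step above the highest ID.
        return (max(self.rules) // self.step + 1) * self.step if self.rules else 0

    def add(self, line):
        tok = line.split()
        if len(tok) < 2 or tok[0] != "rule":
            raise ValueError("not a rule line: " + line)
        tok = tok[1:]
        rule_id = int(tok.pop(0)) if tok[0].isdigit() else self.next_id()
        action = tok.pop(0) if tok else ""
        if action not in ("permit", "deny"):
            raise ValueError("expected permit or deny: " + line)
        addr, wild = 0, FULL  # 'source any' or no source: every address matches
        if tok[:1] == ["source"] and tok[1:2] != ["any"]:
            if len(tok) < 3:
                raise ValueError("source needs an address and a wildcard")
            wild = to_int(tok[2])
            addr = to_int(tok[1]) & ~wild & FULL  # assumption: wildcard 1-bits are ignored
        new = (action, addr, wild)
        if any(r == new for i, r in self.rules.items() if i != rule_id):
            raise ValueError("same statement as an existing rule")
        self.rules[rule_id] = new  # an existing ID is modified in place
        return rule_id

    def match(self, src):
        ip = to_int(src)
        for rule_id in sorted(self.rules):
            action, addr, wild = self.rules[rule_id]
            if (ip & ~wild & FULL) == addr:
                return rule_id, action
        return None  # no rule matched; the outcome depends on where the ACL is applied

def demo():
    acl = BasicAcl(step=5)
    ids = [acl.add("rule deny source 1.1.1.1 0"),                # the page's example
           acl.add("rule 28 permit source 10.0.0.0 0.0.0.255"),  # constructed
           acl.add("rule deny source any")]                      # constructed
    return acl, ids
```

Because the first matching rule decides the result, a broad permit with a low rule ID shadows every narrower deny numbered after it; running match over the addresses you intend to block shows which rule they actually hit.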

This manual is also suitable for:

Msr 20-21, Msr 30-16, Msr 30-20, Msr 30-40, Msr 30-60, Msr 50 ...