H3C S5100-SI Series Operation Manual page 430

Operation Manual – ACL
H3C S5100-SI/EI Series Ethernet Switches
II. Configuration Procedure
Table 1-2 Define a basic ACL rule
Operation
Enter system view
Create an ACL and
enter basic ACL
view
Define an ACL rule
Configure a
description string to
the ACL
Note that:
With the config match order specified for the basic ACL, you can modify any
existent rule. The unmodified part of the rule remains. With the auto match order
specified for the basic ACL, you cannot modify any existent rule; otherwise the
system prompts error information.
If you do not specify the rule-id argument when creating an ACL rule, the rule will
be numbered automatically. If the ACL has no rules, the rule is numbered 0;
otherwise, the number of the rule will be the greatest rule number plus one. If the
current greatest rule number is 65534, however, the system will display an error
message and you need to specify a number for the rule.
The content of a modified or created rule cannot be identical with the content of
any existing rule; otherwise the rule modification or creation will fail, and the
system prompts that the rule already exists.
With the auto match order specified, the newly created rules will be inserted in the
existent ones by depth-first principle, but the numbers of the existent rules are
unaltered.
III. Configuration Example
# Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0
# Display the configuration information of ACL 2000.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL
system-view
acl number acl-number
[ match-order { auto | config } ]
rule [ rule-id ] { deny | permit }
[ rule-string ]
description text
2000, 1 rule
Command
1-6
Chapter 1 ACL Configuration
Description
—
Required
config by default
Required
For information about
rule-string, refer to ACL
Command.
Optional
Not configured by default