H3C S7500E Series Operation Manual page 986

Operation Manual – ACL
H3C S7500E Series Ethernet Switches
To do...
Enter system view
Create and enter
advanced IPv4 ACL
view
Create or modify a
rule
Set a rule numbering
step
Create an IPv4 ACL
description
Create a rule
description
Note that:
You will fail to create or modify a rule if its permit/deny statement is exactly the
same as another rule. In addition, if the ACL match order is set to auto rather than
config, you cannot modify ACL rules.
You may use the display acl command to verify rules configured in an ACL. If the
match order for this ACL is auto, rules are displayed in the depth-first match order
rather than by rule number.
Use the command...
system-view
acl number acl-number
[ name acl-name ]
[ match-order { auto |
config } ]
rule [ rule-id ] { deny |
permit } protocol
[ destination { dest-addr
dest-wildcard | any } |
destination-port operator
port1 [ port2 ] | dscp dscp |
established | fragment |
icmp-type { icmp-type
icmp-code | icmp-message } |
logging | precedence
precedence | reflective |
source { sour-addr
sour-wildcard | any } |
source-port operator port1
[ port2 ] | time-range
time-name | tos tos |
vpn-instance
vpn-instance-name ] *
step step-value
description text
rule rule-id comment text
2-5
Chapter 2 IPv4 ACL Configuration
Remarks
––
Required
The default match order is
config.
If you specify a name for an
IPv4 ACL when creating the
ACL, you can use the acl
name acl-name command
to enter the view of the ACL
later.
Required
To create multiple rules,
repeat this step.
Note that if the ACL is to be
referenced by a QoS policy
for traffic classification, the
logging , reflective and
vpn-instance keywords are
not supported and the
operator argument cannot
be:
neq, if the policy is for the
inbound traffic,
gt, lt, neq or range, if the
policy is for the outbound
traffic.
Optional
The default step is 5.
Optional
By default, no IPv4 ACL
description is present.
Optional
By default, no rule
description is present.