H3C S7500E Series Command Manual page 1093

Command Manual – ACL
H3C S7500E Series Ethernet Switches
insensitive and must start with an English letter. To avoid confusion, this name cannot
be all.
vpn-instance vpn-instance-name: Specifies a VPN instance. The vpn-instance-name
argument is a case-sensitive string of 1 to 31 characters. Without this combination, the
rule applies to only non-VPN packets.
Description
Use the rule command to create a basic IPv4 ACL rule or to modify the rule if it
already exists.
Use the undo rule command to remove a basic IPv4 ACL rule or parameters from the
rule.
With the undo rule command, if no parameters are specified, the entire ACL rule is
removed; if parameters are specified, only those parameters are removed from the rule.
Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the
  same as another rule. In addition, if the ACL match order is set to auto rather than
  config, you cannot modify ACL rules.
- When defining ACL rules, you need not assign them IDs. The system can
  automatically assign rule IDs, starting with 0 and increasing by the rule
  numbering step. A rule ID thus assigned is greater than the current highest rule
  ID. For example, if the rule numbering step is 5 and the current highest rule ID is
  28, the next rule will be numbered 30.
- You may use the display acl command to verify the rules configured in an ACL. If the
  match order for this ACL is auto, rules are displayed in the depth-first match order
  rather than by rule number.
Note:
For a basic IPv4 ACL rule to be referenced by a QoS policy for traffic classification, the
logging and vpn-instance keywords are not supported.
Examples
# Create a rule to deny packets with the source IP address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
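
The rule numbering, duplicate-rule rejection and source matching described above, modelled in Python as an added illustration that is not part of the H3C manual or the switch software. The class BasicAcl and its method names are hypothetical; the model assumes the config match order with rules checked in ascending rule ID, and writes the wildcard 0 from the example as 0.0.0.0.

```python
import ipaddress


class BasicAcl:
    """Hypothetical model of a basic IPv4 ACL in config match order."""

    def __init__(self, step=5):
        self.step = step
        self.rules = {}  # rule_id -> (action, source_int, wildcard_int)

    def next_rule_id(self):
        # First ID is 0; afterwards the next multiple of the step above the highest ID.
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, action, source, wildcard, rule_id=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        stmt = (action, int(ipaddress.IPv4Address(source)),
                int(ipaddress.IPv4Address(wildcard)))
        # A statement exactly the same as another rule is rejected.
        if any(s == stmt for rid, s in self.rules.items() if rid != rule_id):
            raise ValueError("identical rule already exists")
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = stmt  # create, or modify an existing ID
        return rule_id

    def match(self, packet_source):
        # Wildcard bits set to 1 are ignored; bits set to 0 must equal the rule source.
        addr = int(ipaddress.IPv4Address(packet_source))
        for rule_id in sorted(self.rules):
            action, src, wildcard = self.rules[rule_id]
            if ((addr ^ src) & ~wildcard & 0xFFFFFFFF) == 0:
                return rule_id, action
        return None  # no rule matched; what happens next is outside this model


def demo():
    acl = BasicAcl(step=5)
    # Constructed rule with an explicit ID, so the highest ID is 28 as in the text.
    acl.add_rule("permit", "10.0.0.0", "0.0.0.255", rule_id=28)
    # The manual's example rule; no ID given, so the model assigns 30.
    new_id = acl.add_rule("deny", "1.1.1.1", "0.0.0.0")
    return new_id, acl.match("1.1.1.1"), acl.match("10.0.0.77"), acl.match("1.1.1.2")
```
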
Chapter 1 ACL Configuration Commands
1-13