
Configuration example, ACL assignment – H3C Technologies H3C S3100 Series Switches User Manual

- IPv6 ACLs do not match IPv6 packets with extension headers.
- Do not use IPv6 ACLs with VLAN mapping and trusted port priority together.

Configuration example

# Configure a rule for IPv6 ACL 5000, denying packets sent from 3001::1/64 to 3002::1/64.

<Sysname> system-view

[Sysname] acl number 5000

[Sysname-acl-user-5000] rule deny src-ip 3001::1 64 dest-ip 3002::1 64

# Display the configuration information of ACL 5000.

[Sysname-acl-user-5000] display acl 5000

User defined ACL 5000, 1 rule

Acl's step is 1

rule 0 deny src-ip 3001::1 64 dest-ip 3002::1 64

ACL Assignment

On an S3100-EI Ethernet switch, you can assign ACLs to the hardware for packet filtering.

ACLs can be assigned in the following four ways:

- Assigning ACLs globally, for filtering the inbound packets on all the ports.
- Assigning ACLs to a VLAN, for filtering the inbound packets on all the ports belonging to a VLAN.
- Assigning ACLs to a port group, for filtering the inbound packets on all the ports in a port group. For information about port groups, refer to Port Basic Configuration.
- Assigning ACLs to a port, for filtering the inbound packets on a port.

You can assign ACLs in the above-mentioned ways as required.

In terms of priority, the ACLs assigned globally, ACLs assigned to a VLAN and ACLs assigned to a port group (or a port) rank in descending order. If a packet matches multiple rules in these ACLs and is permitted by some rules but denied by the others, the device permits or denies the packet based on the rule in the ACL with the highest priority.
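
The priority rule above, together with the extension-header note and rule 0 of ACL 5000, modelled in Python as an added example (not H3C code and not part of the manual). It assumes that only the prefix bits of an address are compared and that rules within one ACL are tried in list order; the port-level permit rule is hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Assignment scopes in the descending priority order given in the text.
# Port group and port share the lowest level, as the text groups them.
SCOPE_PRIORITY = {"global": 0, "vlan": 1, "port-group": 2, "port": 2}

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str     # address/prefix length as typed in the rule, e.g. "3001::1/64"
    dst: str

    def matches(self, pkt):
        # Per the note above, IPv6 ACLs do not match packets with extension headers.
        if pkt["ext_headers"]:
            return False
        # Assumption: only the prefix bits are compared, so host bits are ignored.
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (ipaddress.ip_address(pkt["src"]) in src_net
                and ipaddress.ip_address(pkt["dst"]) in dst_net)

def decide(assignments, pkt):
    """assignments: list of (scope, [Rule, ...]). Returns (action, scope) or None."""
    for scope, rules in sorted(assignments, key=lambda a: SCOPE_PRIORITY[a[0]]):
        for rule in rules:  # assumption: rules in one ACL are tried in list order
            if rule.matches(pkt):
                return rule.action, scope
    return None  # no rule matched; the switch's handling of that case is not modelled

def packet(src, dst, ext_headers=False):
    return {"src": src, "dst": dst, "ext_headers": ext_headers}

# Constructed sample: the page's rule 0 assigned globally, a hypothetical permit on a port.
DENY = Rule("deny", "3001::1/64", "3002::1/64")
PERMIT = Rule("permit", "3001::1/64", "3002::1/64")
ASSIGNMENTS = [("port", [PERMIT]), ("global", [DENY])]

if __name__ == "__main__":
    for p in (packet("3001::25", "3002::9"),
              packet("3001::25", "3002::9", ext_headers=True),
              packet("3003::1", "3002::9")):
        print(p, "->", decide(ASSIGNMENTS, p))
```

The second sample packet returns no decision at all, which is the case to check when a deny rule such as rule 0 is relied on as a filtering control.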