Configuration examples, Configuring an advanced ipv4 acl – H3C Technologies H3C WX6000 Series Access Controllers User Manual
| To do… | Use the command… | Remarks |
|---|---|---|
| Create or modify a rule | rule [ rule-id ] { deny \| permit } [ fragment \| logging \| source { sour-addr sour-wildcard \| any } \| time-range time-name ] * | Required. To create multiple rules, repeat this step. Note that the logging keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification. |
| Set a rule numbering step | step step-value | Optional. The default step is 5. |
| Create an IPv4 ACL description | description text | Optional. By default, no IPv4 ACL description is present. |
| Create a rule description | rule rule-id comment text | Optional. By default, no rule description is present. |
Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
- You may use the display acl command to verify rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.
- You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
- The rule specified in the rule comment command must already exist.
Configuration Examples
# Create IPv4 ACL 2000 to deny packets with source address 1.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
# Verify the configuration.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, named -none-, 1 rule,
ACL's step is 5
rule 0 deny source 1.1.1.1 0
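
The Python model below is an added example, not code from the H3C manual. It shows how basic ACL rules like the one above behave under match order config: wildcard matching, first match by ascending rule ID, rejection of identical rules, and automatic rule IDs with the default step of 5. The class and function names are hypothetical, and the auto-numbering formula (next multiple of the step above the highest existing ID, starting from 0) is an assumption about device behavior.

```python
import ipaddress

class BasicAcl:
    """Simplified model of a basic IPv4 ACL with match order 'config'."""
    def __init__(self, step=5):            # the manual's default step is 5
        self.step = step
        self.rules = {}                    # rule-id -> (action, network, wildcard)

    def add_rule(self, text, rule_id=None):
        # Accepts: rule { deny | permit } source { sour-addr sour-wildcard | any }
        tok = text.split()
        if len(tok) < 4 or tok[0] != "rule" or tok[1] not in ("deny", "permit") or tok[2] != "source":
            raise ValueError(f"unsupported rule: {text!r}")
        if tok[3] == "any":
            body = (tok[1], 0, 0xFFFFFFFF)
        else:
            if len(tok) < 5:
                raise ValueError("source address needs a wildcard")
            addr = int(ipaddress.IPv4Address(tok[3]))
            # A wildcard written as "0" means 0.0.0.0, i.e. match exactly one host.
            wild = int(ipaddress.IPv4Address(0 if tok[4] == "0" else tok[4]))
            body = (tok[1], addr & ~wild & 0xFFFFFFFF, wild)
        if body in self.rules.values():
            raise ValueError("identical rule already exists")
        if rule_id is None:
            # Assumed numbering: next multiple of step above the highest ID, from 0.
            rule_id = (max(self.rules) // self.step + 1) * self.step if self.rules else 0
        self.rules[rule_id] = body
        return rule_id

    def match(self, src):
        """Return (rule_id, action) of the first matching rule, or None."""
        ip = int(ipaddress.IPv4Address(src))
        for rid in sorted(self.rules):     # config order: ascending rule ID
            action, network, wild = self.rules[rid]
            # Wildcard bits set to 1 are "don't care"; bits set to 0 must match.
            if (ip & ~wild & 0xFFFFFFFF) == network:
                return rid, action
        return None


def demo():
    # Constructed sample rules; the first one is the rule from the manual's example.
    acl = BasicAcl()
    ids = [acl.add_rule("rule deny source 1.1.1.1 0"),
           acl.add_rule("rule permit source 1.1.1.0 0.0.0.255")]
    return ids, acl.match("1.1.1.1"), acl.match("1.1.1.77"), acl.match("2.2.2.2")
```

Because the host deny is rule 0 and the subnet permit is rule 5, 1.1.1.1 is denied while the rest of 1.1.1.0/24 is permitted; entering the rules in the opposite order would let the broader permit shadow the deny.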
Configuring an Advanced IPv4 ACL
Advanced IPv4 ACLs filter packets based on source IP address, destination IP address, the protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, and ICMP message code.