Operation Manual – ACL
H3C S3100 Series Ethernet Switches Chapter 1 ACL Configuration
1-6
II. Configuration Procedure
Table 1-2 Define a basic ACL rule
Operation Command Description
Enter system view
system-view
—
Create an ACL and
enter basic ACL
view
acl number acl-number
[ match-order { auto | config } ]
Required
config by default
Define an ACL rule
rule [ rule-id ] { deny | permit }
[ rule-string ]
Required
For information about
rule-string, refer to ACL
Command.
Configure a
description string to
the ACL
description text
Optional
Not configured by default
Note that:
z With the config match order specified for the basic ACL, you can modify any
existent rule. The unmodified part of the rule remains. With the auto match order
specified for the basic ACL, you cannot modify any existent rule; otherwise the
system prompts error information.
z If you do not specify the rule-id argument when creating an ACL rule, the rule will
be numbered automatically. If the ACL has no rules, the rule is numbered 0;
otherwise, the number of the rule will be the greatest rule number plus one. If the
current greatest rule number is 65534, however, the system will display an error
message and you need to specify a number for the rule.
z The content of a modified or created rule cannot be identical with the content of
any existing rule; otherwise the rule modification or creation will fail, and the
system prompts that the rule already exists.
z With the auto match order specified, the newly created rules will be inserted in the
existent ones by depth-first principle, but the numbers of the existent rules are
unaltered.
III. Configuration Example
# Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0
# Display the configuration information of ACL 2000.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule
To Next Page
Loading...
Need help?
General