1-19
z If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered
automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will
be the greatest rule number plus one. If the current greatest rule number is 65534, however, the
system will display an error message and you need to specify a number for the rule.
z The content of a modified or created rule cannot be identical with that of any existing rules;
otherwise the rule modification or creation will fail, and the system will prompt that the rule already
exists.
z If the ACL is created with the auto keyword specified, the newly created rules will be inserted in the
existent ones by depth-first principle, but the numbers of the existent rules are unaltered.
Examples
# Create advanced ACL 3000 and define rule 1 to deny packets with the source IP address of
192.168.0.1 and DSCP priority of 46.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip source 192.168.0.1 0 dscp 46
[Sysname-acl-adv-3000] quit
# Create advanced ACL 3001 and define rule 1 to permit TCP packets that are sourced from network
129.9.0.0/16, destined for network 202.38.160.0/24, and using the destination port number of 80.
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule 1 permit tcp source 129.9.0.0 0.0.255.255 destination
202.38.160.0 0.0.0.255 destination-port eq 80
After completing the above configuration, you can use the display acl command to view the
configuration information of the ACLs.
rule (for Layer 2 ACLs)
Syntax
rule [ rule-id ] { deny | permit } [ rule-string ]
undo rule rule-id
View
Layer 2 ACL view
Parameters
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
rule-string: ACL rule information, which can be a combination of the arguments/keywords described in
Table 1-16.
To Next Page
Loading...
Need help?
General