H3C LS-3100-52P-OVS-H3 Operation Manual - page 1526
2-3
Configuration Procedure
Follow these steps to configure a basic IPv4 ACL:
To do…
Use the command…
Remarks
Enter system view
system-view
––
Create a basic IPv4 ACL
and enter its view
acl number acl-number
[ name acl-name ]
[ match-order { auto |
config } ]
Required
The default match order is config.
If you specify a name for an IPv4 ACL
when creating the ACL, you can use
the acl name acl-name command to
enter the view of the ACL later.
Create or modify a rule
rule [ rule-id ] { deny |
permit } [ fragment | logging
| source{ sour-addr
sour-wildcard | any } |
time-range time-range-name
| vpn-instance
vpn-instance-name ] *
Required
To create or modify multiple rules,
repeat this step.
Note that the logging keyword is not
supported if the ACL is to be
referenced by a QoS policy for traffic
classification.
Set the rule numbering
step
step step-value
Optional
5 by default
Configure a description for
the basic IPv4 ACL
description text
Optional
By default, a basic IPv4 ACL has no
ACL description.
Configure a rule
description
rule rule-id comment text
Optional
By default, an IPv4 ACL rule has no
rule description.
Note that:
z
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
z
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
z
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in
the depth-first match order. Note that the IDs of the rules still remain the same.
z
You can modify the match order of an ACL with the acl number acl-number [ name acl-name ]
match-order { auto | config } command, but only when the ACL does not contain any rules.
z
The rule specified in the rule comment command must already exist.
Configuration Example
# Configure IPv4 ACL 2000 to deny packets with source address 1.1.1.1.