H3C LS-3100-52P-OVS-H3 Operation Manual - page 1536
Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they
allow more flexible and accurate filtering.
Configuration Prerequisites
If you want to reference a time range in a rule, define it with the time-range command first.
Configuration Procedure
Follow these steps to configure an advanced IPv6 ACL:
To do: Enter system view
Use the command: system-view
Remarks: ––

To do: Create an advanced IPv6 ACL and enter its view
Use the command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. The default match order is config. If you specify a name for an IPv6 ACL when creating the ACL, you can use the acl ipv6 name acl6-name command to enter the view of the ACL later.

To do: Create or modify a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
Remarks: Required. To create or modify multiple rules, repeat this step. Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported and the operator argument cannot be:
- neq, if the policy is for the inbound traffic,
- gt, lt, neq or range, if the policy is for the outbound traffic.

To do: Set the rule numbering step
Use the command: step step-value
Remarks: Optional. 5 by default.

To do: Configure a description for the advanced IPv6 ACL
Use the command: description text
Remarks: Optional. By default, an advanced IPv6 ACL has no ACL description.

To do: Configure a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, an IPv6 ACL rule has no rule description.

Note that:
- You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
- You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
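
The QoS restriction in the rule Remarks above can be checked before an ACL is referenced by a policy. The following Python lint is an added example, not part of the H3C manual; the sample ACL is constructed, and the eq operator and the tcp/udp/ipv6 protocol keywords in it are assumed from standard Comware syntax rather than taken from this page.

```python
import re

# From the Remarks above: what an advanced IPv6 ACL rule may not use when a
# QoS policy references the ACL for traffic classification.
BANNED_KEYWORDS = {"logging", "fragment"}
BANNED_OPERATORS = {"inbound": {"neq"},
                    "outbound": {"gt", "lt", "neq", "range"}}
PORT_RE = re.compile(r"\b(source-port|destination-port)\s+(\S+)")


def qos_violations(rule_line, direction):
    """List why a rule is unusable by a QoS policy in this direction."""
    if direction not in BANNED_OPERATORS:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    tokens = rule_line.split()
    # "rule rule-id comment text" is free text, not match criteria: skip it.
    if len(tokens) >= 3 and tokens[0] == "rule" and tokens[2] == "comment":
        return []
    problems = [f"keyword '{kw}' is not supported"
                for kw in sorted(BANNED_KEYWORDS & set(tokens))]
    for field, op in PORT_RE.findall(rule_line):
        if op in BANNED_OPERATORS[direction]:
            problems.append(f"{field} operator '{op}' not allowed {direction}")
    return problems


def lint_acl(config_text, direction):
    """Map each offending rule line to its list of problems."""
    report = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("rule "):
            found = qos_violations(line, direction)
            if found:
                report[line] = found
    return report


# Constructed sample ACL; numbers, prefixes and ports are illustrative only.
SAMPLE = """\
acl ipv6 number 3000
 rule 0 permit tcp source 2001:db8:1::/64 destination any destination-port eq 443
 rule 5 deny tcp destination-port range 135 139 logging
 rule 10 deny udp source-port neq 53
 rule 15 permit ipv6 fragment
 rule 15 comment fragment logging test
"""

if __name__ == "__main__":
    for d in ("inbound", "outbound"):
        for rule, why in lint_acl(SAMPLE, d).items():
            print(f"{d}: {rule} -> {'; '.join(why)}")
```

Run it against the saved ACL text once per direction the QoS policy will be applied in; the same rule can be acceptable inbound and rejected outbound.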