H3C Technologies H3C S12500 Series Switches User Manual

Page 23


Step 4. Apply an IPv4 basic, IPv4 advanced, Ethernet frame header, or user-defined ACL to the interface to filter packets.

Command: packet-filter { acl-number | name acl-name } { inbound | outbound }

Remarks:

By default, no ACL is applied to any interface.

On a VLAN interface:

- The inbound packet filter handles only Layer 3 unicast packets.
- If the packet-filter forwarding-layer route outbound command is configured, the outbound packet filter handles only Layer 3 unicast packets; if not, the outbound packet filter handles all packets.

When EB or EC2 cards are operating in standard ACL mode, the interfaces on these cards do not support applying a user-defined ACL to filter packets.

On an Ethernet interface, the packet filter handles all packets.

Avoid the case that multiple users configure the packet-filter command at the same time. Otherwise, the configuration might fail.

Step 5. Exit to system view.

Command: quit

Remarks: N/A

Step 6. Set the interval for generating and outputting IPv4 packet filtering logs.

Command: acl logging frequence frequence

Remarks: By default, the interval is 0. No IPv4 packet filtering logs are generated.

The rule you add to an ACL that has been used by a packet filter cannot take effect if hardware resources are insufficient or the packet filter does not support the rule. Such rules are marked as uncompleted in the output from the display acl { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and reconfigure it when hardware resources are sufficient.
Follow these guidelines when you configure a packet filter on a VLAN interface:

- Use the undo packet-filter command to remove the packet filter from the VLAN interface if the ACL application fails on an interface card, for example, because of hardware resource insufficiency. The switch applies the packet filter configured on a VLAN interface to the main processing unit and all interface cards. When an application failure occurs on an interface card, the switch cannot automatically remove the ACL that has been applied to the main processing unit or any other interface card.

- You must also use the undo packet-filter command to remove the packet filter if the switch fails to update the packet filter on an interface card after you edit the ACL rules. If you do not remove the packet filter, the old ACL rules continue to take effect and the display packet-filter command shows the initial ACL application status.
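The following session is an added example, not taken from the manual, that walks through steps 4 to 6 and the two recovery cases described above. ACL 3000, VLAN interface 10, slot 2, rule ID 5, the rule body, the interval value 5, and the arguments to display packet-filter are assumptions chosen for illustration; the acl number, rule, and undo rule commands are general Comware CLI and do not appear on this page. Lines starting with # are annotations, not commands to type.

```text
# Steps 4-6: apply an existing ACL inbound on a VLAN interface,
# return to system view, and enable packet filtering logs.
<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] packet-filter 3000 inbound
[Sysname-Vlan-interface10] quit
[Sysname] acl logging frequence 5

# Verify per card that every rule was programmed into hardware.
# A rule marked "uncompleted" in this output is NOT filtering traffic
# on that slot.
[Sysname] display acl 3000 slot 2

# Recovery case 1: a rule is marked uncompleted.
# Once hardware resources are available, delete the rule and
# configure it again, then re-check the slot.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] undo rule 5
[Sysname-acl-adv-3000] rule 5 deny ip source 192.0.2.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] display acl 3000 slot 2

# Recovery case 2: on a VLAN interface, the ACL failed to apply (or
# failed to update after a rule edit) on one interface card.
# The switch does not roll back the MPU or the other cards, so remove
# the packet filter explicitly and apply it again.
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] undo packet-filter 3000 inbound
[Sysname-Vlan-interface10] packet-filter 3000 inbound
[Sysname-Vlan-interface10] quit

# Confirm the application status and re-check every slot that carries
# ports in the VLAN.
[Sysname] display packet-filter interface vlan-interface 10
[Sysname] display acl 3000 slot 2
```

Run the display acl check for each interface card after every ACL edit: a filter that is only partly programmed leaves the intended rule unenforced on that slot while the configuration still shows it as present.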
