Configuration examples – H3C Technologies H3C WX6000 Series Access Controllers User Manual

To do…: Create or modify a rule
Use the command…: rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name | type type-code type-wildcard ] *
Remarks: Required. To create multiple rules, repeat this step. Note that the lsap keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification.

To do…: Set a rule numbering step
Use the command…: step step-value
Remarks: Optional. The default step is 5.

To do…: Create an ACL description
Use the command…: description text
Remarks: Optional. By default, no IPv4 ACL description is present.

To do…: Create a rule description
Use the command…: rule rule-id comment text
Remarks: Optional. By default, no rule description is present.

Note that:

- You will fail to create or modify a rule if its permit/deny statement is exactly the same as another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

- You may use the display acl command to verify rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.

- You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when it does not contain any rules.

- The rule specified in the rule comment command must already exist.

Configuration Examples

# Create ACL 4000 to deny frames with the 802.1p priority of 3.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule deny cos 3

# Verify the configuration.

[Sysname-acl-ethernetframe-4000] display acl 4000

Ethernet frame ACL 4000, named -none-, 1 rule,

ACL's step is 5

rule 0 deny cos excellent-effort
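
The verification step above can be scripted. The following is an added example, not part of the H3C manual: it parses display acl output in the layout shown on this page and checks it against the intended rules, mapping the 802.1p keyword the device prints (excellent-effort) back to the number that was configured (3). The function names, the optional trailing match counter, and the keyword names other than excellent-effort are assumptions.

```python
import re

# 802.1p keywords indexed by priority. Index 3 is confirmed by the output on
# this page; the other names are assumed from Comware's usual keyword set.
COS_NAMES = ["best-effort", "background", "spare", "excellent-effort",
             "controlled-load", "video", "voice", "network-management"]

HEADER = re.compile(r"Ethernet frame ACL (\d+), named (\S+), (\d+) rules?,")
STEP = re.compile(r"ACL's step is (\d+)")
# Stop at "(" so a trailing "(N times matched)" counter, if printed, is ignored.
RULE = re.compile(r"rule (\d+) (permit|deny)\b\s*([^(]*)")

def normalize(tokens):
    """Rewrite 'cos <keyword>' as 'cos <number>' so config and display compare equal."""
    out = list(tokens)
    for i in range(len(out) - 1):
        if out[i] == "cos" and out[i + 1] in COS_NAMES:
            out[i + 1] = str(COS_NAMES.index(out[i + 1]))
    return tuple(out)

def parse_display_acl(text):
    """Parse one Ethernet frame ACL block from 'display acl' output."""
    acl = {"number": None, "name": None, "declared": 0, "step": None, "rules": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            acl.update(number=int(m[1]), name=m[2], declared=int(m[3]))
        elif m := STEP.match(line):
            acl["step"] = int(m[1])
        elif m := RULE.match(line):
            acl["rules"][int(m[1])] = (m[2],) + normalize(m[3].split())
    return acl

def verify(acl, intended):
    """Return a list of problems; intended holds strings such as 'deny cos 3'."""
    present = set(acl["rules"].values())
    problems = [f"missing rule: {r}" for r in intended
                if normalize(r.split()) not in present]
    if acl["declared"] != len(acl["rules"]):
        problems.append("rule count in header does not match rules listed")
    return problems

# Display output copied from the configuration example on this page.
SAMPLE = """Ethernet frame ACL 4000, named -none-, 1 rule,
ACL's step is 5
 rule 0 deny cos excellent-effort
"""

if __name__ == "__main__":
    print(verify(parse_display_acl(SAMPLE), ["deny cos 3"]) or "ACL matches intent")
```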
