ACL assignment – H3C Technologies H3C WX3000 Series Unified Switches User Manual


Note that:

- You can modify any existing rule of the Layer 2 ACL; the unmodified part of the ACL remains unchanged.

- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, it is numbered the maximum rule number plus one.

- The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise, the rule modification or creation fails, and the system prompts that the rule already exists.

Configuration Example

# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, destined for
the MAC address 0011-4301-991e, and with their 802.1p priority being 3.

<device> system-view

[device] acl number 4000

[device-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

# Display the configuration information of ACL 4000.

[device-acl-ethernetframe-4000] display acl 4000

Ethernet frame ACL 4000, 1 rule

Acl's step is 1

rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
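
The following Python model is an added example, not part of the H3C manual or the device software. It reproduces the automatic rule numbering and duplicate-rule rejection described in the notes above, and shows how the rule in ACL 4000 is evaluated against a frame. Assumptions: a set mask bit means the corresponding address bit must match, rules are checked in ascending rule-id order, and all class and function names are illustrative.

```python
# Added illustration: a small model of a Layer 2 ACL, not H3C code.
# 802.1p priority names by value; the display output above shows 3 as excellent-effort.
COS_NAMES = ["best-effort", "background", "spare", "excellent-effort",
             "controlled-load", "video", "voice", "network-management"]

def mac(text):
    """Convert H-H-H notation (000d-88f5-97ed) to a 48-bit integer."""
    return int(text.replace("-", ""), 16)

def parse_rule(line):
    """Parse 'permit|deny cos N source MAC MASK dest MAC MASK'."""
    t = line.split()
    if (len(t) != 9 or t[0] not in ("permit", "deny")
            or (t[1], t[3], t[6]) != ("cos", "source", "dest")):
        raise ValueError("unsupported rule syntax: " + line)
    cos = COS_NAMES.index(t[2]) if t[2] in COS_NAMES else int(t[2])
    return (t[0], cos, mac(t[4]), mac(t[5]), mac(t[7]), mac(t[8]))

class L2Acl:
    def __init__(self):
        self.rules = {}  # rule-id -> parsed rule content

    def add(self, line, rule_id=None):
        rule = parse_rule(line)
        # Content identical to an existing rule is rejected.
        if rule in self.rules.values():
            raise ValueError("the rule already exists")
        if rule_id is None:
            # Automatic numbering: 0 for an empty ACL, else maximum + 1.
            rule_id = max(self.rules) + 1 if self.rules else 0
        self.rules[rule_id] = rule
        return rule_id

    def match(self, src, dst, cos):
        """Return (rule-id, action) of the first matching rule, or None."""
        for rid in sorted(self.rules):  # assumption: ascending rule-id order
            action, r_cos, s, s_mask, d, d_mask = self.rules[rid]
            # Assumption: a set mask bit means "this bit must match".
            if (cos == r_cos and (mac(src) ^ s) & s_mask == 0
                    and (mac(dst) ^ d) & d_mask == 0):
                return rid, action
        return None

def build_acl_4000():
    """ACL 4000 from the configuration example; rule-id is auto-assigned."""
    acl = L2Acl()
    acl.add("deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff "
            "dest 0011-4301-991e ffff-ffff-ffff")
    return acl
```

Because `cos 3` and `cos excellent-effort` parse to the same rule content, re-entering the rule with the priority name is rejected as a duplicate in this model.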

ACL Assignment

On a device, you can assign ACLs to the hardware for packet filtering.

ACLs can be assigned in the following four ways:

- Assigning ACLs globally, for filtering the inbound packets on all the ports.

- Assigning ACLs to a VLAN, for filtering the inbound packets that arrive on any port and belong to the VLAN.

- Assigning ACLs to a port group, for filtering the inbound packets on all the ports in the port group. For information about port groups, refer to Basic Port Configuration in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.

- Assigning ACLs to a port, for filtering the inbound packets on the port.

You can assign ACLs in any of these ways as required.
