Operation Manual – ACL
H3C S3610&S5510 Series Ethernet Switches
Chapter 2 IPv4 ACL Configuration
2-10
Note:
A user-defined ACL must be used together with a user-defined extended flow template.
The offset range of the user-defined ACL must fall within the offset range of that
extended flow template; otherwise, the user-defined ACL cannot be applied
successfully.
Note that:
• You will fail to create a user-defined ACL rule if its permit or deny statement is
exactly the same as that of an existing rule.
• Unlike other types of IPv4 ACLs, a user-defined ACL rule cannot be modified.
However, you can create a new rule to override the old one.
• When defining user-defined ACL rules, you need not assign them IDs. The system
automatically assigns rule IDs starting from 0 and increasing in rule numbering
steps of five. The ID assigned is the next ID in the step sequence that is greater
than the current highest rule ID. For example, if the current highest rule ID is 28,
the next rule is numbered 30. For detailed information about the step, refer to the
step command.
• For a user-defined ACL, the match order can only be config.
Caution:
The rule specified in the rule comment command must already exist.
2.5.3 Configuration Examples
# Configure user-defined ACL 5500, permitting any packet whose 13th and 14th bytes
counting from the Layer 2 header are 0x0806 (that is, ARP packets) during time range
t1.
<Sysname> system-view
[Sysname] acl number 5500
[Sysname-acl-user-5500] rule 0 permit l2 0806 ffff 12 time-range t1
# Verify the configuration.
[Sysname-acl-user-5500] display acl 5500
User defined ACL 5500, named -none-, 1 rule,
ACL's step is 5
rule 0 permit l2 0806 ffff 12 time-range t1 (Active)
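The following is an added illustration, not H3C code: a small Python model of how the rule above is evaluated (compare the bytes at the given offset from the Layer 2 header against the value under the mask) and of the rule-ID auto-numbering described earlier. It assumes the simplified rule syntax shown on this page, Ethernet II framing (EtherType at offset 12), and two constructed sample frames.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class L2Rule:
    """A user-defined ACL rule: match `value` under `mask` at byte `offset` from the L2 header."""
    rule_id: int
    action: str            # "permit" or "deny"
    value: bytes           # e.g. 0x0806, the EtherType of ARP
    mask: bytes            # e.g. 0xffff, compare every bit of the two bytes
    offset: int            # 12 = EtherType field of an Ethernet II frame
    time_range: Optional[str] = None

    def matches(self, frame: bytes) -> bool:
        end = self.offset + len(self.value)
        if end > len(frame):          # frame too short to contain the field: no match
            return False
        window = frame[self.offset:end]
        return all((w & m) == (v & m) for w, v, m in zip(window, self.value, self.mask))

def parse_rule(line: str) -> L2Rule:
    """Parse the form shown on this page (assumed subset of the full CLI syntax):
    rule <id> permit|deny l2 <value-hex> <mask-hex> <offset> [time-range <name>]"""
    tok = line.split()
    if tok[0] != "rule" or tok[2] not in ("permit", "deny") or tok[3] != "l2":
        raise ValueError(f"unsupported rule syntax: {line}")
    value, mask = bytes.fromhex(tok[4]), bytes.fromhex(tok[5])
    if len(value) != len(mask):
        raise ValueError("value and mask must have the same width")
    tr = tok[tok.index("time-range") + 1] if "time-range" in tok else None
    return L2Rule(int(tok[1]), tok[2], value, mask, int(tok[6]), tr)

def next_rule_id(existing_ids, step: int = 5) -> int:
    """Auto-numbering as described above: the next multiple of `step` greater than the
    highest existing ID (highest 28 -> 30); an empty ACL starts at 0."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step

# Constructed sample frames (not captured traffic): dst MAC, src MAC, EtherType, padding.
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
IPV4_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(20)
ARP_RULE = parse_rule("rule 0 permit l2 0806 ffff 12 time-range t1")

if __name__ == "__main__":
    print(ARP_RULE.matches(ARP_FRAME), ARP_RULE.matches(IPV4_FRAME))  # True False
    print(next_rule_id([0, 5, 28]))                                   # 30
```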