Note that:

• You can modify any existing rule of the Layer 2 ACL, and the unmodified part of the ACL remains.

• If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, its number is the maximum rule number plus one.

• The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.

Configuration Example

# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their 802.1p priority being 3.

<device> system-view
[device] acl number 4000
[device-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

# Display the configuration information of ACL 4000.

[device-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule
Acl's step is 1
rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
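The following Python model is an added example, not part of the 3Com manual or the device software. It reproduces the automatic numbering and duplicate-rule rejection described above and evaluates a frame against the example rule, so a rule set can be sanity-checked offline. Assumptions: a mask bit of 1 means the corresponding address bit must match, rules are evaluated in ascending rule-id order, and giving an existing rule-id replaces the whole rule (a simplification of rule modification); the names L2Acl, add and match are hypothetical.

```python
import re

def mac_to_int(mac: str) -> int:
    """Convert H-H-H notation (e.g. 000d-88f5-97ed) to a 48-bit integer."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,4}(-[0-9a-fA-F]{1,4}){2}", mac):
        raise ValueError(f"bad MAC address: {mac}")
    value = 0
    for group in mac.split("-"):
        value = (value << 16) | int(group, 16)
    return value

# Only the rule form used in the configuration example is modelled here.
RULE_RE = re.compile(
    r"rule\s+(?:(?P<id>\d+)\s+)?(?P<action>permit|deny)\s+cos\s+(?P<cos>[0-7])"
    r"\s+source\s+(?P<src>\S+)\s+(?P<smask>\S+)"
    r"\s+dest\s+(?P<dst>\S+)\s+(?P<dmask>\S+)")

class L2Acl:
    def __init__(self):
        self.rules = {}  # rule-id -> (action, cos, src, smask, dst, dmask)

    def add(self, line: str) -> int:
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError("rule syntax not covered by this model")
        body = (m["action"], int(m["cos"]),
                *(mac_to_int(m[k]) for k in ("src", "smask", "dst", "dmask")))
        rid = int(m["id"]) if m["id"] else None
        # Content identical to another existing rule is rejected.
        if any(b == body for r, b in self.rules.items() if r != rid):
            raise ValueError("the rule already exists")
        if rid is None:
            # Automatic numbering: 0 for an empty ACL, else maximum + 1.
            rid = max(self.rules) + 1 if self.rules else 0
        self.rules[rid] = body
        return rid

    def match(self, src: str, dst: str, cos: int):
        """Return (rule-id, action) of the first matching rule, or None."""
        s, d = mac_to_int(src), mac_to_int(dst)
        for rid in sorted(self.rules):  # assumed evaluation order
            action, rcos, rs, sm, rd, dm = self.rules[rid]
            if cos == rcos and (s & sm) == (rs & sm) and (d & dm) == (rd & dm):
                return rid, action
        return None
```
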

ACL Assignment

On a device, you can assign ACLs to the hardware for packet filtering.

ACLs can be assigned in the following four ways:

• Assigning ACLs globally, for filtering the inbound packets on all the ports.

• Assigning ACLs to a VLAN, for filtering the inbound packets that belong to a VLAN, on all the ports.

• Assigning ACLs to a port group, for filtering the inbound packets on all the ports in a port group. For information about port groups, refer to Basic Port Operation.

• Assigning ACLs to a port, for filtering the inbound packets on a port.

You can assign ACLs in any of the above ways as required.

3Com WX3000 operation manual ACL Assignment