Contents

Configuring ACLs 1
Overview 1
ACL categories 1
Numbering and Naming ACLs 1
Match order 1
Rule numbering 2
Fragments filtering with ACLs 3
Configuration task list 3
Configuring a basic ACL 4
Configuring an IPv4 basic ACL 4
Configuring an IPv6 basic ACL 4
Configuring an advanced ACL 5
Configuring an IPv4 advanced ACL 5
Configuring an IPv6 advanced ACL 6
Configuring an Ethernet frame header ACL 7
Configuring a user-defined ACL 8
Copying an ACL 8
Configuring IPv6 for the ACL hardware mode 9
Configuring packet filtering with ACLs 9
Applying an ACL to filter packets globally 9 49H

Applying an ACL to an interface for packet filtering 10

20H 50H

Applying an ACL to a VLAN for packet filtering 10

21H 51H

Setting the interval for generating and outputting packet filtering logs 11
2H 52H

Setting the packet filtering default action 11

23H 53H

Enabling hardware-count for the packet filtering default action 11

24H 54H

Displaying and maintaining ACLs 11

25H 5H

ACL configuration examples 12

26H 56H

IPv4 ACL configuration example 13

27H 57H

IPv6 ACL configuration example 14

28H 58H

IPv4 packet filtering configuration example 15

29H 59H

i
Configuring ACLs

A switch can operate in standalone mode (the default) or IRF mode. For more information about the IRF
mode, see IRF Configuration Guide.

Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an
example. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic.
The packet drop or forwarding decisions varies with the modules that use ACLs.

ACL categories
Category ACL number IP version Match criteria
IPv4 Source IPv4 address
Basic ACLs 2000 to 2999
IPv6 Source IPv6 address

Source IPv4 address, destination IPv4 address,

IPv4 packet priority, protocols over IPv4, and other
Layer 3 and Layer 4 header fields
Advanced ACLs 3000 to 3999
Source IPv6 address, destination IPv6 address,
IPv6 packet priority, protocols over IPv6, and other
Layer 3 and Layer 4 header fields

Layer 2 header fields, such as source and

Ethernet frame
4000 to 4999 IPv4 and IPv6 destination MAC addresses, 802.1p priority,
header ACLs
and link layer protocol type

User-defined User specified matching patterns in protocol

5000 to 5999 IPv4 and IPv6
ACLs headers

Numbering and Naming ACLs

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with
a name, you cannot rename it or delete its name.
For an IPv4 basic or advanced ACLs, its ACL number and name must be unique in IPv4. For an IPv6 basic
or advanced ACL, its ACL number and name must be unique in IPv6.

Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.

1
 The following ACL match orders are available:
configSorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, carefully check the rules and their order.
autoSorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is
always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering
uses to sort rules for each type of ACL.

NOTE:
The match order of user-defined ACLs can only be config.

Table 1 Sort ACL rules in depth-first order

ACL category Sequence of tie breakers

1. VPN instance
2. More 0s in the source IP address wildcard (more 0s means a narrower IP
IPv4 basic ACL
address range)
3. Rule configured earlier
1. VPN instance
2. Specific protocol type rather than IP (IP represents any protocol over IP)
3. More 0s in the source IP address wildcard mask
IPv4 advanced ACL
4. More 0s in the destination IP address wildcard
5. Narrower TCP/UDP service port number range
6. Rule configured earlier
1. VPN instance
2. Longer prefix for the source IP address (a longer prefix means a narrower IP
IPv6 basic ACL
address range)
3. Rule configured earlier
1. VPN instance
2. Specific protocol type rather than IP (IP represents any protocol over IPv6)
3. Longer prefix for the source IPv6 address
IPv6 advanced ACL
4. Longer prefix for the destination IPv6 address
5. Narrower TCP/UDP service port number range
6. Rule configured earlier
1. More 1s in the source MAC address mask (more 1s means a smaller MAC
address)
Ethernet frame header ACL
2. More 1s in the destination MAC address mask
3. Rule configured earlier

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the
1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits
in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s
and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic
ACL rule numbering works.

2
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system automatically numbers rules. For example, the
default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can
insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched
in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is
numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0,
2, 4, 6, and 8.

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first
fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the H3C ACL implementation does the follows:
Filters all fragments by default, including non-first fragments.
Allows for matching criteria modification, for example, filters fragments only.

Configuration task list

Tasks at a glance

(Required.) Perform at least one of the following tasks:

Configuring a basic ACL
{ Configuring an IPv4 basic ACL
{ Configuring an IPv6 basic ACL
Configuring an advanced ACL
{ Configuring an IPv4 advanced ACL
{ Configuring an IPv6 advanced ACL
Configuring an Ethernet frame header ACL
Configuring a user-defined ACL

(Optional.) Copying an ACL

(Optional.) Configuring IPv6 for the ACL hardware mode

(Optional.) Configuring packet filtering with ACLs

3
Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:

Step Command Remarks

1. Enter system view. system-view N/A

By default, no ACL exists.

IPv4 basic ACLs are numbered in
acl number acl-number [ name
2. Create an IPv4 basic ACL and the range of 2000 to 2999.
acl-name ] [ match-order { auto |
enter its view.
config } ] You can use the acl name acl-name
command to enter the view of a
named ACL.
3. (Optional.) Configure a
By default, an IPv4 basic ACL has
description for the IPv4 basic description text
no ACL description.
ACL.
4. (Optional.) Set the rule
step step-value The default setting is 5.
numbering step.

By default, an IPv4 basic ACL does

rule [ rule-id ] { deny | permit }
[ counting | fragment | logging |
source { source-address
5. Create or edit a rule.
source-wildcard | any } |
time-range time-range-name |
vpn-instance vpn-instance-name ] *
6. (Optional.) Add or edit a rule
rule rule-id comment text
comment.
not contain any rule.
The logging keyword takes effect
only when the module (for
example, packet filtering) that uses
the ACL supports logging.
On a PE or MCE, this option does
not apply to packets received from
a VPN site. For more information
about PE and MCE, see MPLS
Configuration Guide.
By default, no rule comments are
configured.

Configuring an IPv6 basic ACL

IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:

Step Command Remarks

1. Enter system view. system-view N/A

4
 Step
2. Create an IPv6 basic ACL
view and enter its view.
3. (Optional.) Configure a
description for the IPv6 basic
ACL.
4. (Optional.) Set the rule
numbering step.
5. Create or edit a rule.
6. (Optional.) Add or edit a rule
comment.
Configuring an advanced ACL
This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet
priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and
destination port numbers, TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
Step
1. Enter system view.
2. Create an IPv4 advanced ACL
and enter its view.
Command
acl ipv6 number acl-number
[ name acl-name ] [ match-order
{ auto | config } ]
description text
step step-value
rule [ rule-id ] { deny | permit }
[ counting | fragment | logging |
routing [ type routing-type ] |
source { source-address
source-prefix |
source-address/source-prefix |
any } | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
rule rule-id comment text
Command
system-view
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
5
Remarks
By default, no ACL exists.
IPv6 basic ACLs are numbered in
the range of 2000 to 2999.
You can use the acl ipv6 name
acl-name command to enter the
view of a named ACL.
By default, an IPv6 basic ACL has
no ACL description.
The default setting is 5.
By default, an IPv6 basic ACL does
not contain any rule.
The logging keyword takes effect
only when the module (for
example, packet filtering) that uses
the ACL supports logging.
The vpn-instance keyword is
option is not supported in the
current software version. The
option is reserved for future
support.
By default, no rule comments are
configured.
Remarks
N/A
By default, no ACL exists.
IPv4 advanced ACLs are
numbered in the range of 3000 to
3999.
You can use the acl name acl-name
command to enter the view of a
named ACL.
 Step Command Remarks
3. (Optional.) Configure a
By default, an IPv4 advanced ACL
description for the IPv4 description text
has no ACL description.
advanced ACL.
4. (Optional.) Set the rule
step step-value The default setting is 5.
numbering step.

rule [ rule-id ] { deny | permit }

protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst
rst-value | syn syn-value | urg By default, an IPv4 advanced ACL
urg-value } * | established } | does not contain any rule.
counting | destination
The logging keyword takes effect
{ dest-address dest-wildcard |
only when the module (for
any } | destination-port operator
example, packet filtering) that uses
port1 [ port2 ] | { dscp dscp |
5. Create or edit a rule. the ACL supports logging.
{ precedence precedence | tos tos }
* } | fragment | icmp-type On a PE or MCE, this option does
{ icmp-type [ icmp-code ] | not apply to packets received from
icmp-message } | logging | source a VPN site. For more information
{ source-address source-wildcard | about PE and MCE, see MPLS
any } | source-port operator port1 Configuration Guide.
[ port2 ] | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
6. (Optional.) Add or edit a rule By default, no rule comments are
rule rule-id comment text
comment. configured.

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses,
packet priorities, protocols carried over IPv6, and other protocol header fields such as the TCP/UDP
source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message
code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:

Step Command Remarks

1. Enter system view. system-view N/A

By default, no ACL exists.

2. Create an IPv6 advanced ACL
and enter its view.
3. (Optional.) Configure a
description for the IPv6
advanced ACL.
acl ipv6 number acl-number
[ name acl-name ] [ match-order
{ auto | config } ]
description text
IPv6 advanced ACLs are
numbered in the range of 3000 to
3999.
You can use the acl ipv6 name
acl-name command to enter the
view of a named ACL.
By default, an IPv6 advanced ACL
has no ACL description.

6
 Step Command Remarks
4. (Optional.) Set the rule
step step-value The default setting is 5.
numbering step.

rule [ rule-id ] { deny | permit }

protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst
rst-value | syn syn-value | urg
urg-value } * | established } |
counting | destination By default, IPv6 advanced ACL
{ dest-address dest-prefix | does not contain any rule.
dest-address/dest-prefix | any } | The logging keyword takes effect
destination-port operator port1 only when the module (for
[ port2 ] | dscp dscp | flow-label example, packet filtering) that uses
5. Create or edit a rule. flow-label-value | fragment | the ACL supports logging.
icmp6-type { icmp6-type The vpn-instance keyword is
icmp6-code | icmp6-message } | option is not supported in the
logging | routing [ type current software version. The
routing-type ] | source option is reserved for future
{ source-address source-prefix | support.
source-address/source-prefix |
any } | source-port operator port1
[ port2 ] | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
6. (Optional.) Add or edit a rule By default, no rule comments are
rule rule-id comment text
comment. configured.

Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol
header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
To configure an Ethernet frame header ACL:

Step Command Remarks

1. Enter system view. system-view N/A

By default, no ACL exists.

2. Create an Ethernet frame
header ACL and enter its
view.
3. (Optional.) Configure a
description for the Ethernet
frame header ACL.
4. (Optional.) Set the rule
numbering step.
Ethernet frame header ACLs are
acl number acl-number [ name numbered in the range of 4000 to
acl-name ] [ match-order { auto | 4999.
config } ] You can use the acl name acl-name
command to enter the view of a
named ACL.
By default, an Ethernet frame
description text header ACL has no ACL
description.
step step-value The default setting is 5.

7
 Step Command
rule [ rule-id ] { deny | permit } [ cos
vlan-pri | counting | dest-mac
dest-address dest-mask | { lsap
lsap-type lsap-type-mask | type
5. Create or edit a rule.
protocol-type protocol-type-mask }
| source-mac source-address
source-mask | time-range
time-range-name ] *
Remarks
By default, an Ethernet frame
header ACL does not contain any
rule.
The lsap keyword is not supported
in the current software version. The
keyword is reserved for future
support.

6. (Optional.) Add or edit a rule By default, no rule comments are

rule rule-id comment text
comment. configured.

Configuring a user-defined ACL

User-defined ACLs allow you to customize rules based on information in protocol headers. You can
define a user-defined ACL to match packets in which a specific number of bytes after the specified offset
(relative to the specified header), matches the specified match pattern after being ANDed with a match
pattern mask.
To configure a user-defined ACL:

Step Command Remarks

1. Enter system view. system-view N/A

By default, no ACL exists.

2. Create a user-defined ACL
and enter its view.
3. (Optional.) Configure a
description for the
user-defined ACL.
User-defined ACLs are numbered
acl number acl-number [ name in the range of 5000 to 5999.
acl-name ] You can use the acl name acl-name
command to enter the view of a
named ACL.
By default, a user-defined ACL has
description text
no ACL description.

rule [ rule-id ] { deny | permit }

[ { { ipv4 | ipv6 | l2 | l4 }
By default, a user-defined ACL
4. Create or edit a rule. rule-string rule-mask
does not contain any rule.
offset }&<1-8> ] [ counting |
time-range time-range-name ] *
5. (Optional.) Add or edit a rule By default, no rule comments are
rule rule-id comment text
comment. configured.

Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the
same properties and content as the source ACL, but not the same ACL number and name.
To successfully copy an ACL, make sure:
The destination ACL number is from the same category as the source ACL number.
The source ACL already exists, but the destination ACL does not.

8
 To copy an ACL:

Step Command
1. Enter system view. system-view

acl [ ipv6 ] copy { source-acl-number | name

2. Copy an existing ACL to create a new ACL. source-acl-name } to { dest-acl-number | name
dest-acl-name }

Configuring IPv6 for the ACL hardware mode

IMPORTANT:
After you configure this feature, to make the configuration take effect, you must save the configuration and
then restart the device.

Devices with different IPv6 states for ACL hardware mode cannot form an IRF fabric. For more information
about IRF, see IRF Configuration Guide.
When the switch has EF or EF cards, you can enable or disable IPv6 for the ACL hardware mode as
needed:
When IPv6 is disabled for the ACL hardware mode, the EC or EF card supports only IPv4 basic,
IPv4 advanced, and Ethernet frame header ACLs.
When IPv6 is enabled for the ACL hardware mode, the EC or EF card supports IPv4 basic, IPv4
advanced, Ethernet frame header, IPv6 basic, IPv6 advanced, and user-defined ACLs.
Enabling or disabling IPv6 for the ACL hardware mode changes the ACL rule length and the maximum
number of ACL rules supported on EC and EF cards, and might invalidate the ACL configurations. Use
this feature with caution.
To enable or disable IPv6 for the ACL hardware mode:

Step Command Remarks

1. Enter system view. system-view N/A

By default, IPv6 is disabled

2. Enable or disable IPv6 for the ACL acl hardware-mode ipv6 { disable
for the ACL hardware
hardware mode. | enable }
mode.

Configuring packet filtering with ACLs

This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6 packets
on the specified interface. When ACLs are applied to filter packets, the ACL applied globally, the ACL
applied to an interface, and the ACL applied to a VLAN are in the descending priority order.

NOTE:
User-defined ACLs cannot be used to filter outgoing packets.

Applying an ACL to filter packets globally

9
 Step Command Remarks
1. Enter system view. system-view N/A

2. Apply an ACL to all By default, physical

packet-filter [ ipv6 ] { acl-number | name acl-name }
physical interfaces interfaces do not filter
global { inbound | outbound } [ hardware-count ]
to filter packets. packets.

NOTE:
You can apply up to 32 ACLs to the same direction of all physical interfaces.

Applying an ACL to an interface for packet filtering

Step Command Remarks
1. Enter system view. system-view N/A

interface interface-type
2. Enter interface view. N/A
interface-number

packet-filter [ ipv6 ] { acl-number |

3. Apply an ACL to the interface By default, an interface does not
name acl-name } { inbound |
to filter packets. filter packets.
outbound } [ hardware-count ]

NOTE:
You can apply up to 32 ACLs to the same direction of an interface.
When you use the packet-filter command in VLAN interface view to filter the outgoing IPv4 packets, the
command takes effect on only Layer 3 unicast packets.

Applying an ACL to a VLAN for packet filtering

Step Command Remarks
1. Enter system view. system-view N/A

packet-filter [ ipv6 ] { acl-number |

2. Apply an ACL to a VLAN to name acl-name } vlan vlan-list By default, the system does not
filter packets. { inbound | outbound } filter packets in a VLAN.
[ hardware-count ]

NOTE:
You can apply up to 32 ACLs to the same direction of an interface.

10
Setting the interval for generating and outputting packet
filtering logs
After you set the interval, the device periodically generates packet filtering logs and sends them to the
information center, including the number of matching packets and the matched ACL rules. For more
information about information center, see Network Management Configuration Guide.
To set the interval for generating and outputting packet filtering logs:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the interval for generating The default setting is 0 minutes,
and outputting packet filtering acl [ ipv6 ] logging interval interval which mean that no packet filtering
logs. logs are generated.

Setting the packet filtering default action

Step Command Remarks
1. Enter system view. system-view N/A

By default, the packet filter permits

2. Set the packet filtering default
packet-filter default deny packets that do not match any ACL
action to deny.
rule to pass.

Enabling hardware-count for the packet filtering default action

When you enable the hardware-count feature for the packet filtering default action on an interface, the
interface counts how many times the packet filtering default action has been performed.
To enable the hardware-count feature for the packet filtering default action on an interface, make sure
you have applied ACLs to the interface for packet filtering.
To enable hardware-count for the packet filtering default action:

Step Command Remarks

1. Enter system view. system-view N/A

interface interface-type
2. Enter interface view N/A
interface-number
3. Enable hardware-count for the By default, hardware-count is
packet-filter default { inbound |
packet filtering default action disabled for the packet filtering
outbound } hardware-count
on the interface. default action.

Displaying and maintaining ACLs

Execute display commands in any view and reset commands in user view.

11
 Task Command
display acl [ ipv6 ] { acl-number | all | name
Display ACL configuration and match statistics.
acl-name }

Display the IPv6 status for the ACL hardware mode on

display acl hardware-mode
EC and EF cards.

display packet-filter { interface [ interface-type

Display whether an ACL has been successfully applied
interface-number ] [ inbound | outbound ] | { global |
to an interface for packet filtering (in standalone
interface vlan-interface vlan-interface-number | vlan
mode).
[ vlan-id ] } [ inbound | outbound ] [ slot slot-number ] }

display packet-filter { interface [ interface-type

interface-number ] [ inbound | outbound ] | { global |
Display whether an ACL has been successfully applied
interface vlan-interface vlan-interface-number | vlan
to an interface for packet filtering (in IRF mode).
[ vlan-id ] } [ inbound | outbound ] [ chassis
chassis-number slot slot-number ] }

display packet-filter statistics { global | interface

Display match statistics and default action statistics for interface-type interface-number | vlan vlan-id }
packet filtering ACLs. { inbound | outbound } [ default | [ ipv6 ] { acl-number
| name acl-name } ] [ brief ]

display packet-filter statistics sum { inbound |

Display the accumulated statistics for packet filtering
outbound } [ ipv6 ] { acl-number | name acl-name }
ACLs.
[ brief ]

display packet-filter verbose { global | interface

Display detailed ACL packet filtering information (in interface-type interface-number | vlan vlan-id }
standalone mode). { inbound | outbound } [ [ ipv6 ] { acl-number | name
acl-name } ] [ slot slot-number ]

display packet-filter verbose { global | interface

Display detailed ACL packet filtering information (in interface-type interface-number | vlan vlan-id }
IRF mode). { inbound | outbound } [ [ ipv6 ] { acl-number | name
acl-name } ] [ chassis chassis-number slot slot-number ]

Display QoS and ACL resource usage (in standalone

display qos-acl resource [ slot slot-number ]
mode).

display qos-acl resource [ chassis chassis-number slot

Display QoS and ACL resource usage (in IRF mode).
slot-number ]

reset acl [ ipv6 ] counter { acl-number | all | name

Clear ACL statistics.
acl-name }

reset packet-filter statistics { global | interface

Clear match statistics (including the accumulated
[ interface-type interface-number ] | vlan [ vlan-id ] }
statistics) and default action statistics for packet
{ inbound | outbound } [ default | [ ipv6 ] { acl-number
filtering ACLs.
| name acl-name } ]

ACL configuration examples

IMPORTANT:
By default, Ethernet, VLAN, and aggregate interfaces are down. To configure these interfaces, use the
undo shutdown command to bring them up first.

12
IPv4 ACL configuration example
Network requirements
A company interconnects its departments through a switch A. Configure an ACL to:
Permit access from the President's office at any time to the salary server.
Deny access from any other department to the salary server during office hours (from 8:00 to 18:00)
on working days.
Figure 1 Network diagram

Configuration procedure
1. Create a periodic time range from 8:00 to 18:00 on working days.
<Switch> system-view
[Switch] time-range trname 8:00 to 18:00 working-day
2. Define ACLs:
# Create ACL 3000, and configure an ACL rule for it.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule 1 permit ip source 129.111.1.2 0.0.0.0 destination
129.110.1.2 0.0.0.0
[Switch-acl-adv-3000] quit
# Create ACL 3001, and configure an ACL rule for it.
[Switch] acl number 3001
[Switch-acl-adv-3001] rule 1 permit ip source any destination 129.110.1.2 0.0.0.0
time-range trname
[Switch-acl-adv-3001] quit
3. Define a QoS policy and apply the policy to ports:
# Create traffic classes and define traffic behaviors.
[Switch] traffic classifier test_permit
[Switch-classifier-test_permit] if-match acl 3000
[Switch-classifier-test_permit] quit
[Switch] traffic behavior test_permit

13
 [Switch-behavior-test_permit] filter permit
[Switch-behavior-test_permit] quit
[Switch] traffic classifier test_deny
[Switch-classifier-test_deny] if-match acl 3001
[Switch-classifier-test_deny] quit
[Switch] traffic behavior test_deny
[Switch-behavior-test_deny] filter deny
[Switch-behavior-test_deny] quit
# Create a QoS policy.
[Switch] qos policy test
[Switch-qospolicy-test] classifier test_permit behavior test_permit
[Switch-qospolicy-test] classifier test_deny behavior test_deny
[Switch-qospolicy-test] quit
# Apply the QoS policy to ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 in the
inbound direction.
[Switch] interface gigabitethernet 4/0/1
[Switch-GigabitEthernet4/0/1] qos apply policy test inbound
[Switch-GigabitEthernet4/0/1] quit
[Switch] interface gigabitethernet 4/0/2
[Switch-GigabitEthernet4/0/2] qos apply policy test inbound
[Switch-GigabitEthernet4/0/2] quit
[Switch] interface gigabitethernet 4/0/3
[Switch-GigabitEthernet4/0/3] qos apply policy test inbound
[Switch-GigabitEthernet4/0/3] quit

IPv6 ACL configuration example

Network requirements
Perform packet filtering in the inbound direction of interface GigabitEthernet 4/0/1 to deny all IPv6
packets but those with source addresses in the range 4050::9000 to 4050::90FF.

Configuration procedure
# Create ACL 2000, and define an ACL rule for it.
<Switch> system-view
[Switch] acl ipv6 number 2000
[Switch-acl6-basic-2000] rule permit source 4050::9000/120
[Switch-acl6-basic-2000] quit

# Create ACL 2001, and define an ACL rule for it.

[Switch] acl ipv6 number 2001
[Switch-acl6-basic-2001] rule permit source any
[Switch-acl6-basic-2001] quit

# Define a class and a traffic behavior to permit packets with source addresses in the range 4050::9000
to 4050::90FF.
[Switch] traffic classifier c_permit
[Switch-classifier-c_permit] if-match acl ipv6 2000
[Switch-classifier-c_permit] quit
[Switch] traffic behavior b_permit

14
 [Switch-behavior-b_permit] filter permit
[Switch-behavior-b_permit] quit

# Define a class and a traffic behavior to deny other packets.

[Switch] traffic classifier c_deny
[Switch-classifier-c_deny] if-match acl ipv6 2001
[Switch-classifier-c_deny] quit
[Switch] traffic behavior b_deny
[Switch-behavior-b_deny] filter deny
[Switch-behavior-b_deny] quit

# Configure a QoS policy.

[Switch] qos policy test
[Switch-qospolicy-test] classifier c_permit behavior b_permit
[Switch-qospolicy-test] classifier c_deny behavior b_deny
[Switch-qospolicy-test] quit

# Apply the QoS policy to port GigabitEthernet 4/0/1 in the inbound direction.
[Switch] interface gigabitethernet 4/0/1
[Switch-GigabitEthernet4/0/1] qos apply policy test inbound
[Switch-GigabitEthernet4/0/1] quit

IPv4 packet filtering configuration example

Network requirements
As shown in Figure 2, Host A and Host B connect to the switch to access the Internet.
Configure packet filtering on the VLAN interface of the switch so that everyday from 8:00 to 18:00, the
VLAN-interface denies only IPv4 packets sourced from Host A. Configure the switch to output IPv4 packet
filtering logs to the console at 10-minute intervals.
As actual requirements change, edit the ACL so that the VLAN interface denies only IPv4 packets sourced
from Host B.
Figure 2 Network diagram

Configuration procedure
# Create a time range named study; set it to be active from 08:00 to 18:00 everyday.
<Switch> system-view
[Switch] time-range study 8:00 to 18:00 daily

# Configure VLAN 2, and assign interface GigabitEthernet 3/0/1 to this VLAN.

[Switch] vlan 2
[Switch-vlan2] port GigabitEthernet 3/0/1

15
[Switch-vlan2] quit

# Configure a basic IPv4 ACL 2009.

[Switch] acl number 2009

# Create an ACL rule to deny IPv4 packets sourced from 192.168.1.2/32, and configure the rule to log
packet filtering events and count rule matches.
[Switch-acl-basic-2009] rule 5 deny source 192.168.1.2 0 time-range study logging counting
[Switch-acl-basic-2009] quit

# Enable the switch to generate and output IPv4 packet filtering logs at 10-minute intervals.
[Switch] acl logging frequence 10

# Apply ACL 2009 to filter incoming packets on VLAN-interface 2.

[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.1 24
[Switch-Vlan-interface2] packet-filter 2009 inbound
[Switch-Vlan-interface2] quit

# Configure the switch to output informational log messages to the console.

[Switch] info-center source default channel 0 log level informational

# Edit ACL rule 5 in ACL 2009 to deny IPv4 packets sourced from 192.168.1.3/32. The rule takes effect
on VLAN-interface 2 immediately after the modification. (The switch supports dynamic modification of
ACLs in use.)
[Switch] acl number 2009
[Switch-acl-basic-2009] rule 5 deny source 192.168.1.3 0

16