H3C S7500 Series Command Manual(Release 3100 Series)-(V1.04)

24-ACL Commands

Chapter 1  ACL Commands

 

Note:

Type A line processing units (LPUs) are LS81FT48A, LS81FM24A, LS81FS24A, LS81GB8UA, LS81GT8UA, LS81FT48, LS81FM24, LS81FS24, LS81GB8U and LS81GT8U.

 

1.1  ACL Configuration Commands

1.1.1  acl

Syntax

acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]

undo acl { number acl-number | name acl-name | all }

View

System view

Parameters

number acl-number: Specifies the number of the access control list (ACL):

- 2000 to 2999: basic ACLs.
- 3000 to 3999: advanced ACLs. ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
- 4000 to 4999: Layer 2 ACLs.
- 5000 to 5999: user-defined ACLs.

name acl-name: Specifies the ACL name, a case-insensitive string of up to 32 characters that starts with a letter (a-z or A-Z) and contains no spaces or quotation marks. The name must not be the word all, to avoid confusion with the all keyword.

advanced: Advanced ACL.

basic: Basic ACL.

link: Layer 2 ACL.

user: User-defined ACL.

config: Matches ACL rules in the order in which they were configured.

auto: Matches ACL rules in depth-first order.

all: Deletes all ACLs (including those identified by a number or a name).

Description

Use the acl command to create an ACL and enter the corresponding ACL view.

Use the undo acl command to delete an ACL identified by number or name (all of its rules), or all ACLs.

By default, ACL rules are matched in the configured order (config).

In the ACL view, use the rule command to add rules to the ACL; use the quit command to leave the ACL view.

 

Note:

User-defined ACLs can be activated only on LPUs other than Type A.

 

Use the match-order keyword to select whether rules are matched in configured order or in depth-first order (rules covering smaller address ranges, that is, more specific rules, are matched first). If no match order is specified, the configured order is used.

Once the match order of an ACL has been specified, you cannot change it unless you delete all rules of the ACL and specify the match order again.

The match order set here takes effect only when the ACL is referenced by software for packet filtering or traffic classification. For rules applied to a port in hardware, the order is set by the acl order command instead.
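The practical consequence of the two match orders, as an added example in Python that is not part of the H3C manual: the same basic ACL yields opposite verdicts for one host depending on whether it is matched in configured order or depth-first. The matching model (compare only the bits not covered by the wildcard; "depth-first" tries the rule with the smaller address range first, rule id as tie-breaker) is this example's own simplification of the text above, and the rule ids and addresses are constructed for the demo.

```python
"""Added example (not from the H3C manual): how the config and auto (depth-first)
match orders can give different verdicts for the same basic ACL.

Model assumptions, labelled as such: a rule matches an address when the bits
not covered by the wildcard are equal, and "depth-first" means the rule with
the smaller address range (fewer wildcard bits set) is tried first, with the
rule id as the tie-breaker.  Rule ids and addresses are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class BasicRule:
    rule_id: int          # position in configuration order
    action: str           # "permit" or "deny"
    source: str           # dotted-decimal source address, or "any"
    wildcard: str = "0"   # dotted-decimal wildcard; the CLI shorthand "0" means a host

    def _wildcard_int(self) -> int:
        if self.wildcard.isdigit():          # "0" shorthand for 0.0.0.0
            return int(self.wildcard)
        return int(ipaddress.IPv4Address(self.wildcard))

    def matches(self, addr: str) -> bool:
        if self.source == "any":
            return True
        care = ALL_ONES & ~self._wildcard_int()   # bits the rule actually compares
        return ((int(ipaddress.IPv4Address(addr)) & care)
                == (int(ipaddress.IPv4Address(self.source)) & care))

    def range_size(self) -> int:
        """Number of addresses the rule covers; smaller means more specific."""
        if self.source == "any":
            return 1 << 32
        return 1 << bin(self._wildcard_int()).count("1")


def first_match(rules: List[BasicRule], addr: str, match_order: str) -> Optional[BasicRule]:
    """Return the first rule that matches addr under the given match order."""
    if match_order == "config":
        ordered = sorted(rules, key=lambda r: r.rule_id)
    elif match_order == "auto":
        ordered = sorted(rules, key=lambda r: (r.range_size(), r.rule_id))
    else:
        raise ValueError(f"unknown match order {match_order!r}")
    for rule in ordered:
        if rule.matches(addr):
            return rule
    return None   # nothing matched; what happens then is up to the feature using the ACL


# Constructed ACL: a broad permit configured first, a host-specific deny second.
ACL_2000 = [
    BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"),   # all of 10.1.0.0/16
    BasicRule(1, "deny", "10.1.5.7"),                     # one host inside that range
]


def verdict(addr: str, match_order: str) -> str:
    rule = first_match(ACL_2000, addr, match_order)
    return "no-match" if rule is None else f"rule {rule.rule_id} {rule.action}"


if __name__ == "__main__":
    for order in ("config", "auto"):
        print(f"{order:6s} 10.1.5.7 -> {verdict('10.1.5.7', order)}")
```

With config order the broad permit wins and the host-specific deny is never reached; with auto order the deny wins. A deny that is meant to carve an exception out of a broader permit therefore only works under config order if it is configured first, and the order cannot be changed afterwards without deleting all rules.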

Related commands: rule, acl mode.

Examples

# Create ACL 2000 and specify depth-first order as its rule match order.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000 match-order auto

1.1.2  acl mode

Syntax

acl mode { ip-based | link-based }

View

System view

Parameters

ip-based: Performs traffic classification based on Layer 3 information.

link-based: Performs traffic classification based on Layer 2 information.

Description

Use the acl mode command to set the traffic classification mode for the device.

By default, traffic classification is performed based on Layer 3 information.

Related commands: acl.

 

Note:

This configuration takes effect only on Type A LPUs.

 

Examples

# Specify to perform traffic classification based on Layer 3 information.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl mode ip-based

1.1.3  acl order

Syntax

acl order { auto | first-config-first-match | last-config-first-match }

View

System view

Parameters

auto: ACL rules applied to a port are matched in depth-first order.

first-config-first-match: ACL rules applied to a port are matched in configuration order: the rule configured first is matched first.

last-config-first-match: ACL rules applied to a port are matched in reverse configuration order: the rule configured last is matched first.

Description

Use the acl order command to set the match order for ACL rules applied to a port.

By default, ACL rules applied to a port take effect in depth-first order.

The acl match-order { config | auto } command sets the match order used when an ACL is matched in software; the acl order command sets the match order used when ACL rules are applied to a port. Check both when the verdict on a port does not match what you expect from the rule list.

Examples

# Configure the match order of ACL rules applied to a port as first-config-first-match order.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl order first-config-first-match

1.1.4  display acl config

Syntax

display acl config { all | acl-number | acl-name }

View

Any view

Parameters

all: Displays all ACLs (including those identified by a number or a name).

acl-number: Number of the ACL to display, in the range 2000 to 5999.

acl-name: Name of the ACL to display, a case-insensitive string of up to 32 characters that starts with a letter (a-z or A-Z) and contains no spaces or quotation marks. The name must not be the word all, to avoid confusion with the all keyword.

Description

Use the display acl config command to view the detailed configuration of an ACL, including each rule of the ACL, the ACL type and number, and the number of times the ACL has matched packets.

The match count shown by this command is the software match count, that is, the number of matches processed by the switch CPU. Matches performed in hardware during packet forwarding are not counted here; use the traffic-statistic command to count them and the display qos-interface traffic-statistic command to view the result. Both commands are described in the QoS part of the Command Manual.

Examples

# Display all ACL configuration.

<H3C> display acl config all

Basic ACL  2000, 1 rule,

 rule 0 permit source 1.1.1.1 0 (0 times matched)

1.1.5  display acl config statistics

Syntax

display acl config statistics

View

Any view

Parameters

None

Description

Use the display acl config statistics command to display statistics about the currently configured ACL rules: the number of basic, advanced, Layer 2 and user-defined rules, and the total number of rules configured on the system.

Examples

# Display statistics information about the current configured ACL rules.

<H3C> display acl config statistics

 The configured rule statistics:

 Basic rule(s): 5

 Advanced rule(s): 132

 Link rule(s): 4

 User rule(s): 2

 

 Total 143 rule(s) configured

1.1.6  display acl mode

Syntax

display acl mode

View

Any view

Parameters

None

Description

Use the display acl mode command to view the ACL running mode chosen by the switch for filtering the traffic.

Examples

# Display the ACL running mode chosen by the switch.

<H3C> display acl mode

The current acl mode: ip-based.

1.1.7  display acl order

Syntax

display acl order

View

Any view

Parameters

None

Description

Use the display acl order command to display the match order of the ACL rules applied to a port.

Examples

# Display the match order of ACL rules applied to a port.

<H3C> display acl order

the current order is auto

1.1.8  display acl remaining entry

Syntax

display acl remaining entry slot slot-number

View

Any view

Parameters

slot-number: Number of a slot. The number 0 indicates the SRPU.

Description

Use the display acl remaining entry slot command to display the remaining ACL entries on a specified slot. The output lists, for each entry resource type, the total number of entries, the number reserved for system ACLs, the number used by configured ACLs, the number remaining, and the first and last port that the entries of that type cover.

Examples

# Display the remaining ACL resource on slot 3.

<H3C> display acl remaining entry slot 3

  Slot: 3

  Resource  Total   Reserved  Configured  Remaining   Start       End

    Type    Number   Number     Number      Number   Port Name  Port Name

--------------------------------------------------------------------------

    MASK      16        6          1           9         GE3/0/1    GE3/0/1

    RULE     128       17          1         110        GE3/0/1    GE3/0/1

   METER     128       11          1         116        GE3/0/1    GE3/0/1

 COUNTER     128       14          1         113        GE3/0/1    GE3/0/1

    MASK      16        6          1           9         GE3/0/2    GE3/0/2

    RULE     128       17          1         110        GE3/0/2    GE3/0/2

   METER     128       11          1         116        GE3/0/2    GE3/0/2

 COUNTER     128       14          1         113        GE3/0/2    GE3/0/2

Table 1-1 Description on the fields of the display acl remaining entry slot command

Field               Description
Resource Type       Entry resource type
Total Number        Total number of entries of this type
Reserved Number     Number of entries reserved for system ACLs at initialization
Configured Number   Number of entries used by user-configured ACLs
Remaining Number    Number of entries still available
Start Port Name     First port covered by this type of entry
End Port Name       Last port covered by this type of entry
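A check a practitioner would want on top of this command, as an added example in Python that is not part of the H3C manual: parse the output of display acl remaining entry slot and flag resource types whose Remaining Number is close to exhaustion, so that a packet-filter that silently fails to activate for lack of entries is caught before it matters. The sample text is the output shown above embedded as a constant; the threshold and the field names are this example's own choices.

```python
"""Added example (not part of the manual): parse `display acl remaining entry
slot <n>` output and flag resource types that are nearly exhausted.  The
sample is the output printed in the manual, embedded here as a constant."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "resource total reserved configured remaining start_port end_port")

# Constructed from the manual's own sample output for slot 3.
SAMPLE_OUTPUT = """\
  Slot: 3
  Resource  Total   Reserved  Configured  Remaining   Start       End
    Type    Number   Number     Number      Number   Port Name  Port Name
--------------------------------------------------------------------------
    MASK      16        6          1           9         GE3/0/1    GE3/0/1
    RULE     128       17          1         110        GE3/0/1    GE3/0/1
   METER     128       11          1         116        GE3/0/1    GE3/0/1
 COUNTER     128       14          1         113        GE3/0/1    GE3/0/1
    MASK      16        6          1           9         GE3/0/2    GE3/0/2
    RULE     128       17          1         110        GE3/0/2    GE3/0/2
   METER     128       11          1         116        GE3/0/2    GE3/0/2
 COUNTER     128       14          1         113        GE3/0/2    GE3/0/2
"""

# Data rows: an upper-case resource name, four counters, two port names.
# Header lines ("Resource", "Type"), the "Slot:" line and the separator do not match.
ROW = re.compile(r"^\s*([A-Z]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_remaining(text: str) -> list:
    """Turn the command output into Entry records, validating the arithmetic."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        res, total, reserved, configured, remaining, start, end = m.groups()
        e = Entry(res, int(total), int(reserved), int(configured), int(remaining), start, end)
        # reserved + configured + remaining must equal total; if not, the
        # output format has changed and the parser must not be trusted.
        if e.reserved + e.configured + e.remaining != e.total:
            raise ValueError(f"inconsistent counts in line: {line!r}")
        entries.append(e)
    return entries


def low_resources(entries: list, threshold: int = 10) -> list:
    """(resource, port, remaining) for every row with fewer than threshold entries left."""
    return [(e.resource, e.start_port, e.remaining) for e in entries if e.remaining < threshold]


if __name__ == "__main__":
    for resource, port, left in low_resources(parse_remaining(SAMPLE_OUTPUT)):
        print(f"WARNING: {resource} entries on {port}: only {left} remaining")
```

In the sample, the MASK resource (16 entries per port, 6 reserved) is the one that runs out first, which is where a monitoring threshold belongs.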

 

1.1.9  display acl running-packet-filter

Syntax

display acl running-packet-filter { all | interface interface-type interface-number }

View

Any view

Parameters

all: Represents all the ACLs to be displayed (including those identified by a number or a name).

interface interface-type interface-number: Specifies a port of the switch.

Description

Use the display acl running-packet-filter command to view the ACL application information on one port or all ports: the port to which an ACL is applied, the direction in which the ACL is active, the ACL name or number, the rule number, and the running status of the ACL.

Examples

# Display the ACL application information on all ports.

<H3C> display acl running-packet-filter all

Ethernet3/0/1

 Inbound:

 Acl 2000 rule 0  running

1.1.10  display time-range

Syntax

display time-range { all | time-name }

View

Any view

Parameters

all: Specifies to display all time ranges.

time-name: Name of a time range, a string of up to 32 characters that starts with a letter (a-z or A-Z).

Description

Use the display time-range command to view the configuration and status of time ranges. An active time range is displayed as active; an inactive one as inactive.

Note that the system updates ACL status with a delay of about one minute, while the display time-range command reports the status of a time range according to the current time. You may therefore see a time range reported as active while the ACL referencing it has not yet been activated. This is expected behavior, not a fault.

Related commands: time-range.

Examples

# Display all time ranges.

<H3C> display time-range all

Current time is 14:36:36 4-3-2003 Thursday

 

Time-range : hhy ( Inactive )

 from 08:30 2-5-2005 to 18:00 2-19-2005

 

Time-range : hhy1 ( Inactive )

 from 08:30 2-5-2003 to 18:00 2-19-2003

Table 1-2 Description on the fields of the display time-range command

Field                                         Description
Current time is 14:36:36 4-3-2003 Thursday    System time
Time-range : hhy ( Inactive )                 Time range hhy. Inactive means the time range is not currently in effect (Active means it is in effect).
 from 08:30 2-5-2005 to 18:00 2-19-2005       The time range runs from 08:30 on February 5, 2005 to 18:00 on February 19, 2005.

 

# Display the time range named tm1.

<H3C> display time-range tm1

Current time is 14:37:31 4-3-2003 Thursday

 

Time-range : tm1 ( Inactive )

 from 08:30 2-5-2005 to 18:00 2-19-2005

Table 1-3 Description on the fields of the display time-range command

Field                                         Description
Current time is 14:37:31 4-3-2003 Thursday    System time
Time-range : tm1 ( Inactive )                 Time range tm1. Inactive means the time range is not currently in effect (Active means it is in effect).
 from 08:30 2-5-2005 to 18:00 2-19-2005       The time range runs from 08:30 on February 5, 2005 to 18:00 on February 19, 2005.

 

1.1.11  packet-filter

Syntax

The command line format for Type A LPUs:

packet-filter { inbound | outbound } acl-rule [ system-index ] [ not-care-for-interface ]

undo packet-filter { inbound | outbound } acl-rule [ not-care-for-interface ]

The command line format for non-Type-A LPUs:

packet-filter inbound acl-rule [ system-index ]

undo packet-filter inbound acl-rule

 

Note:

LPUs other than Type A support activating an IP ACL and a Link ACL together. The fields defined by the two ACLs may not exceed 32 characters in total; otherwise the ACLs cannot be activated.

 

View

QoS view

Parameters

inbound: Specifies to filter packets received on the port.

outbound: Specifies to filter packets sent through the port.

acl-rule: Applied ACL rule, which can be a combination of different types of ACL rules. Table 1-4 and Table 1-6 describe the ACL rule combinations on Type A LPUs and the corresponding parameter description. Table 1-5 and Table 1-6 describe the ACL rule combinations on LPUs other than Type A and the corresponding parameter description.

Table 1-4 Combined application of ACL rules on Type A LPUs

Combination mode                                                   Form of acl-rule
Apply all rules in an IP type ACL                                  ip-group { acl-number | acl-name }
Apply one rule in an IP type ACL                                   ip-group { acl-number | acl-name } rule rule-id
Apply all rules in a link type ACL                                 link-group { acl-number | acl-name }
Apply one rule in a link type ACL                                  link-group { acl-number | acl-name } rule rule-id

Table 1-5 Combined application of ACL rules on LPUs other than Type A

Combination mode                                                   Form of acl-rule
Apply all rules in an IP type ACL                                  ip-group { acl-number | acl-name }
Apply one rule in an IP type ACL                                   ip-group { acl-number | acl-name } rule rule-id
Apply all rules in a link type ACL                                 link-group { acl-number | acl-name }
Apply one rule in a link type ACL                                  link-group { acl-number | acl-name } rule rule-id
Apply all rules in a user-defined ACL                              user-group { acl-number | acl-name }
Apply one rule in a user-defined ACL                               user-group { acl-number | acl-name } rule rule-id
Apply one rule in an IP type ACL and one rule in a link type ACL   ip-group { acl-number | acl-name } rule rule-id link-group { acl-number | acl-name } rule rule-id

 

Table 1-6 Parameter description of ACL rule combinations

ip-group { acl-number | acl-name }: Basic or advanced ACL. acl-number is the number of a basic or advanced ACL, 2000 to 3999. acl-name is the ACL name, a case-insensitive string of up to 32 characters that starts with a letter (a to z or A to Z) and contains no spaces or quotation marks.

link-group { acl-number | acl-name }: Layer 2 ACL. acl-number is the number of a Layer 2 ACL, 4000 to 4999. acl-name is the ACL name, in the same form as above.

user-group { acl-number | acl-name }: User-defined ACL. acl-number is the number of a user-defined ACL, 5000 to 5999. acl-name is the ACL name, in the same form as above.

rule-id: ACL rule number, 0 to 127. If this argument is omitted, all rules in the specified ACL are applied.

 

system-index: Specifies an internal index value used when an ACL rule is applied to the port, in the range 0 to 4294967295. This keyword is available only when a rule number is specified in the command.

not-care-for-interface: On a Type A LPU that does not have 48 ports, the packet filter takes effect on every port of the LPU where the current port resides. On a 48-port Type A LPU, the filter takes effect on ports 1 through 24 if the current port is one of ports 1 to 24, and on ports 25 through 48 if the current port is one of ports 25 to 48. Use this keyword deliberately: the filter then affects ports other than the one in whose view you configured it.

Description

Use the packet-filter command to activate ACL on a port to filter packets.

Use the undo packet-filter command to cancel the configuration.

Examples

# Apply ACL 2000 on Ethernet 3/0/1 to filter packets.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Ethernet3/0/1

[H3C-Ethernet3/0/1] qos

[H3C-qos-Ethernet3/0/1] packet-filter inbound ip-group 2000

1.1.12  reset acl counter

Syntax

reset acl counter { all | acl-number | acl-name }

View

User view

Parameters

all: All ACLs (including those identified by a number or a name).

acl-number: ACL number, ranging from 2000 to 3999.

acl-name: ACL name, a case-insensitive string of up to 32 characters that starts with a letter (a-z or A-Z) and contains no spaces or quotation marks. The name must not be the word all, to avoid confusion with the all keyword.

Description

Use the reset acl counter command to clear ACL statistics.

Table 1-7 Comparison of the statistics reset commands

Command                   Function
reset acl counter         Clears the counters of ACLs referenced by software to filter packets or classify traffic, for example ACLs referenced by a route policy or used to control login users.
reset traffic-statistic   Clears the traffic statistics of ACLs applied in switch hardware to filter packets or classify traffic. Normally used to clear the statistics collected by the traffic-statistic command.

For details about the reset traffic-statistic and traffic-statistic commands, refer to the QoS module of the manual.

 

Examples

# Clear the statistic information of ACL 2000.

<H3C> reset acl counter 2000

1.1.13  rule (Basic ACL)

Syntax

rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | fragment | time-range time-name ]*

undo rule rule-id [ source | fragment | time-range ]*

View

Basic ACL view

Parameters

rule-id: ACL rule ID, in the range of 0 to 127.

deny: Drops packets that satisfy the condition.

permit: Permits packets that satisfy the condition to pass.

fragment: Specifies that the rule applies to non-initial fragments only. Without this keyword, the ACL does not examine fragment information.

source { sour-addr sour-wildcard | any }: Specifies the source address information of the rule. sour-addr is the source IP address in dotted decimal notation. sour-wildcard is the wildcard mask in dotted decimal notation, the bitwise inverse of the subnet mask: for subnet mask 255.255.0.0 you enter 0.0.255.255. A sour-wildcard of 0 matches the single host sour-addr. any matches any source address.

time-range time-name: Specifies the time range within which the rule is valid. Without this keyword, the ACL does not examine time range information.

Description

Use the rule command to define an ACL rule.

Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.

To delete a rule you must specify its rule ID. If you do not know the ID, look it up with the display acl config command.

When you specify a rule ID while defining a rule:

- If the ACL was created with the config keyword and a rule with that rule-id exists, the settings given in the rule command overwrite the corresponding settings of the existing rule; its other settings remain unchanged. If the ACL was created with the auto keyword, its rules cannot be edited, and the rule command returns an error.
- If no rule with that rule-id exists, a new rule is created.
- A modified or newly created rule must not be identical to an existing rule; otherwise the operation fails and the system reports that the rule already exists.

If you do not specify a rule ID, a new rule is created and the system assigns an ID to it automatically.

 

Note:

Type A LPUs cannot apply ACL rules configured with fragment to hardware.

 

Examples

# Define a rule to deny the packets whose source IP addresses are 1.1.1.1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000

[H3C-acl-basic-2000] rule deny source 1.1.1.1 0

1.1.14  rule (Advanced ACL)

Syntax

rule [ rule-id ] { permit | deny } rule-string

undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | time-range ]*

View

Advanced ACL view

Parameters

rule-id: ACL rule ID, in the range of 0 to 127.

deny: Drops packets that satisfy the condition.

permit: Permits packets that satisfy the condition to pass.

rule-string: Rule information, a combination of the parameters described in Table 1-8. The protocol argument must come first; the other arguments follow it.

Table 1-8 Rule information

protocol (protocol type): The protocol carried by IP. Given as a number from 1 to 255, or as one of the names GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP and UDP.

source { sour-addr sour-wildcard | any } (source address information): sour-addr sour-wildcard specify the source address and its wildcard mask in dotted decimal notation; any matches any source address.

destination { dest-addr dest-wildcard | any } (destination address information): dest-addr dest-wildcard specify the destination address and its wildcard mask in dotted decimal notation; any matches any destination address.

precedence precedence (packet precedence): IP precedence, in the range 0 to 7.

tos tos (packet precedence): ToS value, in the range 0 to 15.

dscp dscp (packet precedence): DSCP value, in the range 0 to 63.

fragment (fragment information): The rule applies to non-initial fragments only.

time-range time-name (time range information): The time range in which the rule is active.

 

Note:

sour-wildcard and dest-wildcard are wildcard masks, the bitwise inverse of the source and destination subnet masks: for subnet mask 255.255.0.0 you enter 0.0.255.255. A wildcard of 0 matches the single host address given.

 

To define the DSCP value, you can enter a number from 0 to 63 directly, or a keyword listed in Table 1-9.

Table 1-9 Description of DSCP values

Keyword        DSCP value in decimal   DSCP value in binary
ef             46                      101110
af11           10                      001010
af12           12                      001100
af13           14                      001110
af21           18                      010010
af22           20                      010100
af23           22                      010110
af31           26                      011010
af32           28                      011100
af33           30                      011110
af41           34                      100010
af42           36                      100100
af43           38                      100110
cs1            8                       001000
cs2            16                      010000
cs3            24                      011000
cs4            32                      100000
cs5            40                      101000
cs6            48                      110000
cs7            56                      111000
be (default)   0                       000000

 

To define the IP precedence, you can enter a number from 0 to 7 directly, or a keyword listed in Table 1-10.

Table 1-10 Description of IP precedence values

Keyword          IP precedence in decimal   IP precedence in binary
routine          0                          000
priority         1                          001
immediate        2                          010
flash            3                          011
flash-override   4                          100
critical         5                          101
internet         6                          110
network          7                          111

 

To define the ToS value, you can enter a number from 0 to 15 directly, or a keyword listed in Table 1-11.

Table 1-11 Description of ToS values

Keyword             ToS value in decimal   ToS value in binary
normal              0                      0000
min-monetary-cost   1                      0001
max-reliability     2                      0010
max-throughput      4                      0100
min-delay           8                      1000

 

If the protocol type is TCP or UDP, you can also define the following information:

Table 1-12 TCP/UDP-specific rule information

source-port operator port1 [ port2 ] (source port(s)): Source port information of TCP/UDP packets. operator is lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only range takes two port numbers as operands; the other operators take one. port1 and port2 are TCP/UDP port numbers, given by name or as a number from 0 to 65535.

destination-port operator port1 [ port2 ] (destination port(s)): Destination port information of TCP/UDP packets, with the same operators and port values as source-port.

established ("TCP connection established" flag): TCP-specific. Matches only segments of an already established connection, that is, segments with the ACK or RST flag set; the initial SYN that opens a connection does not match. A rule that permits only established traffic therefore lets return traffic through without allowing new inbound connections.

 

Note:

Only Type A LPUs support the range operator on TCP/UDP ports.

 

If the protocol type is ICMP, you can also define the following information:

Table 1-13 ICMP-specific rule information

icmp-type icmp-type icmp-code (ICMP type and code): Specifies the type and message code of the ICMP packets matched by the rule. icmp-type is the ICMP message type, 0 to 255; icmp-code is the ICMP message code, 0 to 255.

 

If the protocol type is ICMP, you can also enter an ICMP message name after the icmp-type keyword. Table 1-14 lists the common ICMP messages.

Table 1-14 ICMP messages

Name                   ICMP type   ICMP code
echo                   8           0
echo-reply             0           0
fragmentneed-DFset     3           4
host-redirect          5           1
host-tos-redirect      5           3
host-unreachable       3           1
information-reply      16          0
information-request    15          0
net-redirect           5           0
net-tos-redirect       5           2
net-unreachable        3           0
parameter-problem      12          0
port-unreachable       3           3
protocol-unreachable   3           2
reassembly-timeout     11          1
source-quench          4           0
source-route-failed    3           5
timestamp-reply        14          0
timestamp-request      13          0
ttl-exceeded           11          0

 

Description

Use the rule command to define an ACL rule.

Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.

To delete a rule you must specify its rule ID. If you do not know the ID, look it up with the display acl config command.

When you specify a rule ID while defining a rule:

- If the ACL was created with the config keyword and a rule with that rule-id exists, the settings given in the rule command overwrite the corresponding settings of the existing rule; its other settings remain unchanged. If the ACL was created with the auto keyword, its rules cannot be edited, and the rule command returns an error.
- If no rule with that rule-id exists, a new rule is created.
- A modified or newly created rule must not be identical to an existing rule; otherwise the operation fails and the system reports that the rule already exists.

If you do not specify a rule ID, a new rule is created and the system assigns an ID to it automatically.

 

Note:

Type A LPUs cannot apply ACL rules configured with tos tos or fragment to hardware.

 

Examples

# Define a rule that permits TCP packets from hosts in network 129.9.0.0 (wildcard 0.0.255.255) to hosts in network 202.38.160.0 (wildcard 0.0.0.255) with destination port 80.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 3101

[H3C-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

1.1.15  rule (Layer 2 ACL)

Syntax

rule [ rule-id ] { permit | deny } [ rule-string ]

undo rule rule-id

View

Layer 2 ACL view

Parameters

rule-id: ACL rule ID, in the range of 0 to 127.

deny: Drops packets that satisfy the condition.

permit: Permits packets that satisfy the condition to pass.

rule-string: ACL rule information, a combination of the parameters described in Table 1-15.

Table 1-15 Rule information

protocol-type (protocol type): The protocol carried in the Ethernet frame: arp, rarp, ipx, nbx, pppoe-control or pppoe-data. When protocol-type is arp, the rule cannot match ARP packets whose destination MAC address is the MAC address of a Layer 3 interface of the switch, or whose destination MAC address is all Fs (the broadcast address); such ARP packets are therefore not filtered by the rule.

format-type (link layer encapsulation type): The encapsulation of the frame: 802.3/802.2, 802.3, ether_ii or snap.

ingress { { source-vlan-id | source-mac-addr [ source-mac-mask ] }* | any } (source information): Source MAC address range and/or source VLAN of the rule. source-mac-addr is a MAC address in H-H-H form; source-mac-mask is a MAC address mask in H-H-H form, default ffff-ffff-ffff; source-vlan-id is a VLAN ID from 1 to 4094; any matches packets received from all ports.

egress { dest-mac-addr [ dest-mac-mask ] | any } (destination MAC address information): Destination MAC address range of the rule. dest-mac-addr is a MAC address in H-H-H form; dest-mac-mask is a MAC address mask in H-H-H form, default ffff-ffff-ffff; any matches packets forwarded by all ports.

cos cos (priority): The 802.1p priority of the frame, 0 to 7.

time-range time-name (time range information): Name of the time range in which the rule is active, a string of 1 to 32 characters.

 

Note:

source-mac-mask and dest-mac-mask are MAC address masks: a 1 bit in the mask means the corresponding bit of the packet address must equal the rule address, and a 0 bit means it is ignored. For example, to match the address range 0011-0011-0000 to 0011-0011-00ff, specify ffff-ffff-ff00 as the mask. A mask of all Fs matches the single host address.
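The mask semantics of the note above, as an added example in Python that is not part of the H3C manual: mac_matches() applies a rule's address/mask pair to a packet address, and mask_for_range() derives the mask for a contiguous range and reports how many addresses outside the requested range the rule would also match, since a mask can only express an aligned power-of-two block. The function names and the addresses used are this example's own.

```python
"""Added example (not from the H3C manual): the H-H-H MAC address and mask
notation used by Layer 2 ACL rules.  mac_matches() applies the semantics in
the note above (bits are compared only where the mask bit is 1);
mask_for_range() derives the mask covering a contiguous range and reports
how many extra addresses the resulting rule also matches.  The addresses
are constructed for the demo."""

MAC_BITS = 0xFFFFFFFFFFFF


def parse_hhh(text: str) -> int:
    """Parse 'hhhh-hhhh-hhhh' (the switch's H-H-H form) into a 48-bit integer."""
    parts = text.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not in H-H-H form: {text!r}")
    return int("".join(parts), 16)


def format_hhh(value: int) -> str:
    digits = f"{value & MAC_BITS:012x}"
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def mac_matches(rule_mac: str, rule_mask: str, packet_mac: str) -> bool:
    """True if packet_mac falls inside the rule's address/mask pair."""
    mask = parse_hhh(rule_mask)
    return (parse_hhh(packet_mac) & mask) == (parse_hhh(rule_mac) & mask)


def mask_for_range(first: str, last: str):
    """Return (rule_mac, rule_mask, extra) for the smallest mask covering first..last.

    A mask can only express an aligned power-of-two block, so an unaligned
    range is widened; extra is the number of addresses outside the requested
    range that the rule would also match (0 means the rule is exact)."""
    lo, hi = parse_hhh(first), parse_hhh(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    differing_bits = (lo ^ hi).bit_length()        # low-order bits that vary
    mask = (MAC_BITS >> differing_bits) << differing_bits
    covered = 1 << differing_bits
    extra = covered - (hi - lo + 1)
    return format_hhh(lo & mask), format_hhh(mask), extra


if __name__ == "__main__":
    print(mask_for_range("0011-0011-0000", "0011-0011-00ff"))   # exact block
    print(mask_for_range("0011-0011-0010", "0011-0011-00ff"))   # widened by 16 addresses
```

Always check the extra value before turning a range into a rule: a permit whose mask was widened silently permits the addresses it did not mean to.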

 

To define the CoS value, you can enter a number from 0 to 7 directly, or a keyword listed in Table 1-16.

Table 1-16 Description of CoS values

Keyword              CoS value in decimal   CoS value in binary
best-effort          0                      000
background           1                      001
spare                2                      010
excellent-effort     3                      011
controlled-load      4                      100
video                5                      101
voice                6                      110
network-management   7                      111

 

Description

Use the rule command to define an ACL rule.

Use the undo rule command to delete an ACL rule.

Before you can delete a rule, you must specify the rule ID. If you do not know the rule ID, you can view it by using the display acl config command.

In the case that you specify the rule ID when defining a rule:

l           If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case, the system reports an error when you execute the rule command.

l           If the rule corresponding to the specified rule ID does not exist, you will create and define a new rule.

l           The content of a modified or created rule must not be identical with the content of any existing rule; otherwise, the modification or creation fails and the system reports that the rule already exists.

If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.

Examples

# Define an ACL rule to deny packets whose source MAC address is 000d-88f5-97ed, whose destination MAC address is 0011-4301-991e, and whose 802.1p priority is 3.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 4000

[H3C-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

1.1.16  rule (user-defined ACL)

Syntax

rule [ rule-id ] { permit | deny } { rule-string rule-mask offset } &<1-8> [ time-range time-name ]

undo rule rule-id

View

User-defined ACL view

Parameters

rule-id: ACL rule ID, in the range of 0 to 127.

deny: Drops packets that satisfy the condition.

permit: Permits packets that satisfy the condition to pass.

rule-string: User-defined match string of the rule, 2 to 20 hexadecimal characters. The number of characters must be even (each pair of characters is one byte).

rule-mask: User-defined mask of the rule, 2 to 20 hexadecimal characters, also an even count. It is ANDed with the bytes extracted from the packet. Note that its length must be the same as that of rule-string.

offset: Mask offset of the rule. It specifies the byte, by its offset from the packet header, at which the logical AND operation starts. It ranges from 0 to 79 bytes, and the maximum value decreases by one byte for every two additional characters in rule-string (and rule-mask). For example, when rule-string and rule-mask each contain two characters, the maximum offset is 79 bytes; when each contains four characters, the maximum offset is 78 bytes, and so on. The rule-mask argument works together with the offset argument to extract a string from each packet; the switch compares that string with the user-defined rule-string to find the matching packets and then processes them accordingly.

&<1-8>: At most eight rules can be defined at one time.

time-range time-name: Specifies a time range within which the rule is valid.

Description

Use the rule command to define an ACL rule.

Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.

Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by using the display acl config command.

In the case that you specify the rule ID when defining a rule:

l           If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case, the system reports an error when you execute the rule command.

l           If the rule corresponding to the specified rule ID does not exist, you will create and define a new rule.

l           The content of a modified or created rule must not be identical with the content of any existing rule; otherwise, the modification or creation fails and the system reports that the rule already exists.

If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.


Examples

# Define a user-defined rule to deny all TCP packets during time range t1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range t1 18:00 to 23:00 sat

[H3C] acl number 5001

[H3C-acl-user-5001] rule 25 deny 06 ff 27 time-range t1
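How the rule-string, rule-mask and offset of a user-defined rule select frames, as an added Python example that is not H3C's code. It assumes offset 0 is the first byte of the Ethernet header and uses a constructed 802.1Q-tagged IPv4 frame in which byte 27 is the IP protocol field, so the example rule 06 ff 27 above matches TCP.

```python
# Added example (not from the H3C manual): the match performed by a
# user-defined ACL rule "rule-string rule-mask offset". The switch takes
# len(rule-string)/2 bytes starting at byte `offset` of the frame, ANDs them
# with rule-mask and compares the result with rule-string. Assumption: offset
# 0 is the first byte of the Ethernet header (the manual says "packet header").
HEX = set("0123456789abcdefABCDEF")

def max_offset(rule_string: str) -> int:
    """Largest legal offset: 79 for a 2-char string, one less per extra byte."""
    return 79 - (len(rule_string) // 2 - 1)

def validate_rule(rule_string: str, rule_mask: str, offset: int) -> None:
    """Enforce the length constraints given in the command reference."""
    for name, s in (("rule-string", rule_string), ("rule-mask", rule_mask)):
        if not (2 <= len(s) <= 20) or len(s) % 2 or not set(s) <= HEX:
            raise ValueError(f"{name} must be 2 to 20 hex characters (even count)")
    if len(rule_string) != len(rule_mask):
        raise ValueError("rule-string and rule-mask must have the same length")
    if not 0 <= offset <= max_offset(rule_string):
        raise ValueError(f"offset must be 0 to {max_offset(rule_string)}")

def rule_matches(packet: bytes, rule_string: str, rule_mask: str, offset: int) -> bool:
    """True if (packet[offset:offset+n] AND rule_mask) == rule_string."""
    validate_rule(rule_string, rule_mask, offset)
    want = bytes.fromhex(rule_string)
    mask = bytes.fromhex(rule_mask)
    window = packet[offset:offset + len(want)]
    if len(window) < len(want):
        return False  # frame too short to contain the field
    return bytes(b & m for b, m in zip(window, mask)) == want

def tagged_ipv4_frame(proto: int) -> bytes:
    """Constructed frame: 12-byte MACs, 4-byte 802.1Q tag, ethertype 0x0800,
    then a 20-byte IPv4 header whose protocol byte (IP offset 9) is byte 27."""
    eth = bytes.fromhex("000d88f597ed") + bytes.fromhex("00114301991e")
    vlan = bytes.fromhex("8100") + (100).to_bytes(2, "big") + bytes.fromhex("0800")
    ip = bytes.fromhex("4500001400010000") + bytes([64, proto]) + bytes(10)
    return eth + vlan + ip

TCP_FRAME = tagged_ipv4_frame(6)   # IP protocol 6 = TCP
UDP_FRAME = tagged_ipv4_frame(17)  # IP protocol 17 = UDP

if __name__ == "__main__":
    print(rule_matches(TCP_FRAME, "06", "ff", 27))  # True: the rule from the example
    print(rule_matches(UDP_FRAME, "06", "ff", 27))  # False
```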

1.1.17  time-range

Syntax

time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }

undo time-range { time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] | all }

View

System view

Parameters

time-name: Name of a time range, up to 32 characters long, starting with an English letter (a to z, or A to Z).

start-time: Start time of a periodic time range, in the form of hh:mm.

end-time: End time of a periodic time range, in the form of hh:mm.

days-of-the-week: Day of the week when the periodic time range is active. You can provide this argument in one of the following forms.

l           Numeral (0 to 6)

l           Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday

l           Working days (Monday through Friday)

l           Off days (Saturday and Sunday)

l           Daily, namely every day of the week

from start-time start-date: Specifies the start time and date of an absolute time range, in the form of hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the start date is not specified, the time range starts from the earliest time that the system can represent.

to end-time end-date: Specifies the end time and date of an absolute time range, in the form of hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the end date is not specified, the time range ends at 2100/12/31 23:59.

all: Deletes all time ranges.

Description

Use the time-range command to define a time range.

Use the undo time-range command to delete a time range.

Use the undo time-range all command to delete all time ranges.

The time range defined by means of the time-range command can include absolute time sections and periodic time sections. start-time and end-time days-of-the-week jointly define a periodic time section, while start-time start-date and end-time end-date jointly define an absolute time section.

If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.

If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.

If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only when the system time is within 12:00 to 14:00 every Wednesday in 2004.

If you include any argument of the undo time-range command, the system will delete only the content defined by the argument from the time range.

Examples

# Define an absolute time range that is active from 12:00 January 1, 2000 to 12:00 January 1, 2001.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range test from 12:00 1/1/2000 to 12:00 1/1/2001
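The periodic-and-absolute matching rule described in the Description above, as an added Python example that is not part of the manual. Day names and the working-day, off-day and daily groups are mapped to Python weekday numbers (an assumption, since the manual's numeral form 0 to 6 is not defined on this page), and the missing-date defaults follow the parameter descriptions.

```python
# Added example (not from the H3C manual): deciding whether a time range is
# active. Periodic sections (start-time to end-time days-of-the-week) and
# absolute sections (from start-time start-date to end-time end-date) are ANDed:
# active when some periodic section matches (or none is defined) AND some
# absolute section matches (or none is defined).
from datetime import datetime

DAY_NAMES = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"working-day": set(range(5)), "off-day": {5, 6}, "daily": set(range(7))}

def when(s: str) -> datetime:
    """Helper for building test instants: 'YYYY/MM/DD hh:mm' -> datetime."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M")

def parse_days(spec: str) -> set:
    """Accept 'wednesday', 'working-day', 'daily', or several separated by spaces."""
    days = set()
    for word in spec.lower().split():
        if word in DAY_GROUPS:
            days |= DAY_GROUPS[word]
        elif word in DAY_NAMES:
            days.add(DAY_NAMES[word])
        else:
            raise ValueError(f"unknown days-of-the-week value: {word}")
    return days

def periodic_active(now: datetime, start: str, end: str, days: str) -> bool:
    """start/end are hh:mm; zero-padded strings compare correctly as text."""
    hm = now.strftime("%H:%M")
    return now.weekday() in parse_days(days) and start <= hm <= end

def absolute_active(now: datetime, start: str = None, end: str = None) -> bool:
    """start/end are 'hh:mm YYYY/MM/DD'; defaults follow the parameter text."""
    lo = datetime.strptime(start, "%H:%M %Y/%m/%d") if start else datetime.min
    hi = datetime.strptime(end, "%H:%M %Y/%m/%d") if end else datetime(2100, 12, 31, 23, 59)
    return lo <= now <= hi

def time_range_active(now: datetime, periodic=(), absolute=()) -> bool:
    per_ok = not periodic or any(periodic_active(now, *p) for p in periodic)
    abs_ok = not absolute or any(absolute_active(now, *a) for a in absolute)
    return per_ok and abs_ok

# The manual's worked case: all of 2004, but only Wednesdays 12:00 to 14:00.
WED_2004 = dict(periodic=[("12:00", "14:00", "wednesday")],
                absolute=[("00:00 2004/01/01", "23:59 2004/12/31")])

if __name__ == "__main__":
    print(time_range_active(when("2004/01/07 13:00"), **WED_2004))  # True (a Wednesday in 2004)
    print(time_range_active(when("2005/01/05 13:00"), **WED_2004))  # False (a Wednesday in 2005)
```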
