H3C S7500 Series Command Manual (Release 3100 Series) (V1.04)
24-ACL Commands
Chapter 1 ACL Commands
Note:
Type A line processing units (LPUs) include LS81FT48A, LS81FM24A, LS81FS24A, LS81GB8UA, LS81GT8UA, LS81FT48, LS81FM24, LS81FS24, LS81GB8U and LS81GT8U.
1.1 ACL Configuration Commands
1.1.1 acl
Syntax
acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]
undo acl { number acl-number | name acl-name | all }
View
System view
Parameters
number acl-number: Specifies the number of an access control list (ACL), in one of the following ranges:
- 2,000 to 2,999: identifies basic ACLs.
- 3,000 to 3,999: identifies advanced ACLs. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
- 4,000 to 4,999: identifies Layer 2 ACLs.
- 5,000 to 5,999: identifies user-defined ACLs.
name acl-name: Specifies the ACL name, a case-insensitive string of up to 32 characters that starts with an English letter (a-z or A-Z), contains no spaces or quotation marks, and does not contain the word all (to avoid confusion with the keyword all).
advanced: Advanced ACL.
basic: Basic ACL.
link: Layer 2 ACL.
user: User-defined ACL.
config: Specifies to employ the user’s configuration order when matching ACL rules.
auto: Specifies to employ the depth first order when matching ACL rules.
all: Deletes all ACLs (including those identified by a number or a name).
Description
Use the acl command to define an ACL and enter the corresponding ACL view.
Use the undo acl command to delete all entries of an ACL identified by a number or a name, or all ACLs.
By default, ACL rules are matched according to the configured order (config).
After entering the corresponding ACL view, you can use the rule command to add entries to the ACL (use the quit command to quit ACL view).
Note:
User-defined ACLs can only be activated on the LPUs other than Type A.
You can use the match-order keyword to specify whether rules are matched in the configured order or in depth-first order (rules with smaller ranges are matched first). If neither match order is specified, the configured match order is adopted.
You cannot modify the match order for an ACL once you have specified it, unless you delete all the entries of the ACL, and specify the match order over again.
The ACL match order feature is effective only when the ACL is referenced by software for data filtering and traffic classification.
Related commands: rule, acl mode.
Examples
# Define rules for ACL 2000, and specify depth-first order as the rule match order.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000 match-order auto
1.1.2 acl mode
Syntax
acl mode { ip-based | link-based }
View
System view
Parameters
ip-based: Performs traffic classification based on Layer 3 information.
link-based: Performs traffic classification based on Layer 2 information.
Description
Use the acl mode command to set the traffic classification mode for the device.
By default, traffic classification is performed based on Layer 3 information.
Related commands: acl.
Note:
This configuration is only effective on Type A LPUs.
Examples
# Specify to perform traffic classification based on Layer 3 information.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl mode ip-based
1.1.3 acl order
Syntax
acl order { auto | first-config-first-match | last-config-first-match }
View
System view
Parameters
auto: Specifies the ACL rules applied to a port are matched according to the depth-first order.
first-config-first-match: Specifies the ACL rules applied to a port are matched according to the configuration order: first configured, first matched.
last-config-first-match: Specifies the ACL rules applied to a port are matched according to the configuration order: last configured, first matched.
Description
Use the acl order command to set the match order for the ACL rules applied on a port.
By default, the ACL rules applied to a port take effect in the depth-first order.
Use the acl match-order { config | auto } command to set the match order of ACL rules when they are configured. Use the acl order command to set the match order of ACL rules in the case that they are applied to a port.
Examples
# Configure the match order of ACL rules applied to a port as first-config-first-match order.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl order first-config-first-match
1.1.4 display acl config
Syntax
display acl config { all | acl-number | acl-name }
View
Any view
Parameters
all: Displays all ACLs (including those identified by a number or a name).
acl-number: Sequence number of the ACL to be displayed. It ranges from 2,000 to 5,999.
acl-name: Name of the ACL to be displayed, a case-insensitive string of up to 32 characters that starts with an English letter (a-z or A-Z) and contains no spaces or quotation marks; the word all is not allowed in it (to avoid confusion with the all keyword).
Description
Use the display acl config command to view the detailed configuration of an ACL, including every subrule of the ACL, the ACL type and sequence number, and the number of times the ACL has matched packets.
The match count displayed by this command is the software match count, that is, the number of ACL matches processed by the switch CPU. You can use the traffic-statistic command to count hardware matches during packet forwarding, and the display qos-interface traffic-statistic command to view those statistics. For the traffic-statistic and display qos-interface traffic-statistic commands, refer to the QoS part of the Command Manual.
Examples
# Display all ACL configuration.
<H3C> display acl config all
Basic ACL 2000, 1 rule,
rule 0 permit source 1.1.1.1 0 (0 times matched)
1.1.5 display acl config statistics
Syntax
display acl config statistics
View
Any view
Parameters
None
Description
Use the display acl config statistics command to display statistics on the currently configured ACL rules, including the number of basic, advanced, Layer 2 and user-defined ACL rules, and the total number of ACL rules configured in the system.
Examples
# Display statistics on the currently configured ACL rules.
<H3C> display acl config statistics
The configured rule statistics:
Basic rule(s): 5
Advanced rule(s): 132
Link rule(s): 4
User rule(s): 2
Total 143 rule(s) configured
1.1.6 display acl mode
Syntax
display acl mode
View
Any view
Parameters
None
Description
Use the display acl mode command to view the ACL running mode chosen by the switch for filtering the traffic.
Examples
# Display the ACL running mode chosen by the switch.
<H3C> display acl mode
The current acl mode: ip-based.
1.1.7 display acl order
Syntax
display acl order
View
Any view
Parameters
None
Description
Use the display acl order command to display the match order of the ACL rules applied to a port.
Examples
# Display the match order of ACL rules applied to a port
<H3C> display acl order
the current order is auto
1.1.8 display acl remaining entry
Syntax
display acl remaining entry slot slot-number
View
Any view
Parameters
slot-number: Number of a slot. The number 0 indicates the SRPU.
Description
Use the display acl remaining entry slot command to display the remaining ACL entries on a specified slot. The displayed content includes the entry resource type, the total number of entry resources, the number of entries reserved for system ACLs, the number of configured ACL entries, the number of remaining ACL entries, and the corresponding start port and end port of each type of entry.
Examples
# Display the remaining ACL resource on slot 3.
<H3C> display acl remaining entry slot 3
Slot: 3
Resource Total Reserved Configured Remaining Start End
Type Number Number Number Number Port Name Port Name
--------------------------------------------------------------------------
MASK 16 6 1 9 GE3/0/1 GE3/0/1
RULE 128 17 1 110 GE3/0/1 GE3/0/1
METER 128 11 1 116 GE3/0/1 GE3/0/1
COUNTER 128 14 1 113 GE3/0/1 GE3/0/1
MASK 16 6 1 9 GE3/0/2 GE3/0/2
RULE 128 17 1 110 GE3/0/2 GE3/0/2
METER 128 11 1 116 GE3/0/2 GE3/0/2
COUNTER 128 14 1 113 GE3/0/2 GE3/0/2
Table 1-1 Description on the fields of the display acl remaining entry slot command
Field | Description |
---|---|
Resource Type | Entry resource type |
Total Number | Total number of entry resources |
Reserved Number | Number of entries reserved for system ACLs during initialization |
Configured Number | Number of entries used by the ACLs configured by users |
Remaining Number | Number of remaining entries |
Start Port Name | The corresponding start port of each type of entry |
End Port Name | The corresponding end port of each type of entry |
1.1.9 display acl running-packet-filter
Syntax
display acl running-packet-filter { all | interface interface-type interface-number }
View
Any view
Parameters
all: Represents all the ACLs to be displayed (including those identified by a number or a name).
interface interface-type interface-number: Specifies a port of the switch.
Description
Use the display acl running-packet-filter command to view the ACL application information on a port or on all ports, including the port to which an ACL is applied, the direction in which the ACL is active, the ACL name, the ACL rule number, and the ACL running status.
Examples
# Display the ACL application information on all ports.
<H3C> display acl running-packet-filter all
Ethernet3/0/1
Inbound:
Acl 2000 rule 0 running
1.1.10 display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameters
all: Specifies to display all time ranges.
time-name: Name of a time range, a string that starts with an English letter (a-z or A-Z) and contains up to 32 characters.
Description
Use the display time-range command to view the configuration and status of the current time range. For an active time range, the status is displayed as active; for an inactive time range, the status is displayed as inactive.
Note that there is a delay (about 1 minute) before the system updates the ACL status, while the display time-range command reports the status of a time range according to the current time. Therefore you may sometimes find that a time range is shown as active by the display time-range command while the ACL referencing it has not yet been activated. This is normal.
Related commands: time-range.
Examples
# Display all time ranges.
<H3C> display time-range all
Current time is 14:36:36 4-3-2003 Thursday
Time-range : hhy ( Inactive )
from 08:30 2-5-2005 to 18:00 2-19-2005
Time-range : hhy1 ( Inactive )
from 08:30 2-5-2003 to 18:00 2-19-2003
Table 1-2 Description on the fields of the display time-range command
Field | Description |
---|---|
Current time is 14:36:36 4-3-2003 Thursday | System time |
Time-range : hhy ( Inactive ) from 08:30 2-5-2005 to 18:00 2-19-2005 | Time range hhy. Inactive indicates that this time range is currently in the inactive state (while Active indicates that the time range is in the active state), and the time range is from 8:30 February 5, 2005 to 18:00 February 19, 2005. |
# Display the time range named tm1.
<H3C> display time-range tm1
Current time is 14:37:31 4-3-2003 Thursday
Time-range : tm1 ( Inactive )
from 08:30 2-5-2005 to 18:00 2-19-2005
Table 1-3 Description on the fields of the display time-range command
Field | Description |
---|---|
Current time is 14:36:36 4-3-2003 Thursday | The current time of the system. |
Time-range : tm1 ( Inactive ) from 08:30 2-5-2005 to 18:00 2-19-2005 | Time range tm1. Inactive indicates that this time range is currently in the inactive state (while Active indicates that the time range is in the active state), and the time range is from 8:30 February 5, 2005 to 18:00 February 19, 2005. |
1.1.11 packet-filter
Syntax
The command line format for Type A LPUs:
packet-filter { inbound | outbound } acl-rule [ system-index ] [ not-care-for-interface ]
undo packet-filter { inbound | outbound } acl-rule [ not-care-for-interface ]
The command line format for non-Type-A LPUs:
packet-filter inbound acl-rule [ system-index ]
undo packet-filter inbound acl-rule
Note:
Combined activation of an IP ACL and a Link ACL is supported on non-Type-A LPUs, but the total number of characters of the fields defined by the IP ACL and the Link ACL cannot exceed 32; otherwise the ACLs cannot be activated.
View
QoS view
Parameters
inbound: Specifies to filter packets received on the port.
outbound: Specifies to filter packets sent through the port.
acl-rule: Applied ACL rule, which can be a combination of different types of ACL rules. Table 1-4 and Table 1-6 describe the ACL rule combinations on Type A LPUs and the corresponding parameter description. Table 1-5 and Table 1-6 describe the ACL rule combinations on LPUs other than Type A and the corresponding parameter description.
Table 1-4 Combined application of ACL rules on Type A LPUs
Combination mode | Form of acl-rule |
---|---|
Apply all rules in an IP type ACL | ip-group { acl-number \| acl-name } |
Apply one rule in an IP type ACL | ip-group { acl-number \| acl-name } rule rule-id |
Apply all rules in a link type ACL | link-group { acl-number \| acl-name } |
Apply one rule in a link type ACL | link-group { acl-number \| acl-name } rule rule-id |
Table 1-5 Combined application of ACL rules on LPUs other than Type A
Combination mode | Form of acl-rule |
---|---|
Apply all rules in an IP type ACL | ip-group { acl-number \| acl-name } |
Apply one rule in an IP type ACL | ip-group { acl-number \| acl-name } rule rule-id |
Apply all rules in a link type ACL | link-group { acl-number \| acl-name } |
Apply one rule in a link type ACL | link-group { acl-number \| acl-name } rule rule-id |
Apply all rules in a user-defined ACL | user-group { acl-number \| acl-name } |
Apply one rule in a user-defined ACL | user-group { acl-number \| acl-name } rule rule-id |
Apply one rule in an IP type ACL and one rule in a link type ACL simultaneously | ip-group { acl-number \| acl-name } rule rule-id link-group { acl-number \| acl-name } rule rule-id |
Table 1-6 Parameter description of ACL rule combinations
Parameter | Description |
---|---|
ip-group { acl-number \| acl-name } | Basic or advanced ACL. acl-number: number of a basic or advanced ACL, ranging from 2,000 to 3,999. acl-name: ACL name, a case-insensitive string of up to 32 characters, beginning with an English letter (a to z or A to Z), without spaces or quotation marks. |
link-group { acl-number \| acl-name } | Layer 2 ACL. acl-number: number of a Layer 2 ACL, ranging from 4,000 to 4,999. acl-name: ACL name, a case-insensitive string of up to 32 characters, beginning with an English letter (a to z or A to Z), without spaces or quotation marks. |
user-group { acl-number \| acl-name } | User-defined ACL. acl-number: number of a user-defined ACL, ranging from 5,000 to 5,999. acl-name: ACL name, a case-insensitive string of up to 32 characters, beginning with an English letter (a to z or A to Z), without spaces or quotation marks. |
rule-id | ACL rule number, ranging from 0 to 127. If this argument is not specified, all rules in the specified ACL are applied. |
system-index: Specifies an interior index value which is used when an ACL rule is applied to the port. The index value ranges from 0 to 4,294,967,295. This keyword is only available when the ACL rule number is specified in the command.
not-care-for-interface: As for a non-48-port Type A LPU, the packet-filtering function will take place on the LPU where the current port resides after this keyword is chosen. As for a 48-port Type A LPU, if the current port number is in the range of 1 to 24, the packet filtering will take effect on port 1 through port 24 after the keyword is chosen; if the current port number is in the range of 25 to 48, the packet filtering will take effect on port 25 through port 48 after the keyword is chosen.
Description
Use the packet-filter command to activate ACL on a port to filter packets.
Use the undo packet-filter command to cancel the configuration.
Examples
# Apply ACL 2000 on Ethernet 3/0/1 to filter packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet3/0/1
[H3C-Ethernet3/0/1] qos
[H3C-qoss-Ethernet3/0/1] packet-filter inbound ip-group 2000
1.1.12 reset acl counter
Syntax
reset acl counter { all | acl-number | acl-name }
View
User view
Parameters
all: All ACLs (including those identified by a number or a name).
acl-number: ACL number, ranging from 2000 to 3999.
acl-name: ACL name, a case-insensitive string of up to 32 characters that must start with an English letter (a-z or A-Z) and contain no spaces or quotation marks; the word all is not allowed in it (to avoid confusion with the keyword all).
Description
Use the reset acl counter command to clear ACL statistics.
Table 1-7 Comparison between the reset commands for statistics information
Command | Function |
---|---|
reset acl counter | Resets the statistics counted by an ACL that is referenced by software to filter packets or classify traffic, for example an ACL referenced by the route policy function or an ACL used to control login users. |
reset traffic-statistic | Resets traffic statistics. This command applies to an ACL that is applied to the switch hardware to filter packets or classify traffic; normally it is used to clear the statistics counted by the traffic-statistic command. For details about the reset traffic-statistic and traffic-statistic commands, refer to the QoS module of the manual. |
Examples
# Clear the statistic information of ACL 2000.
<H3C> reset acl counter 2000
1.1.13 rule (Basic ACL)
Syntax
rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range time-name ]*
undo rule rule-id [ source | fragment | time-range ]*
View
Basic ACL view
Parameters
rule-id: ACL rule ID, in the range of 0 to 127.
deny: Drops packets that satisfy the condition.
permit: Permits packets that satisfy the condition to pass.
fragment: Specifies that the rule takes effect on non-initial fragment packets only. If you do not specify this keyword, the ACL will not filter packets by packet fragment information.
source { sour-addr sour-wildcard | any }: Specifies the source address information in the rule. sour-addr specifies the source IP address of the packet, expressed in dotted decimal notation. sour-wildcard specifies the wildcard mask corresponding to the source subnet mask, expressed in dotted decimal notation; for example, enter 0.0.255.255 for the subnet mask 255.255.0.0. Setting sour-wildcard to 0 represents a host IP address. any represents any IP address.
time-range time-name: Specifies a time range within which the rule is valid. If you do not specify time-range time-name, the ACL will not filter packets by time range information.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl config command.
In the case that you specify the rule ID when defining a rule:
- If the ACL was created with the config keyword and the rule identified by rule-id exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL was created with the auto keyword, the rules of the ACL cannot be edited, and the system reports an error when you execute the rule command.
- If no rule with the specified rule ID exists, a new rule is created and defined.
- The content of a modified or created rule must not be identical to the content of any existing rule; otherwise the modification or creation fails, and the system reports that the rule already exists.
If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
Note:
Type A LPUs do not support applying ACL rules configured with fragment to hardware.
Examples
# Define a rule to deny the packets whose source IP addresses are 1.1.1.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
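The interaction between the source wildcard and the match order is easy to get wrong: in config order a broad permit configured first shadows a later host-specific deny, whereas depth-first order evaluates the more specific rule first. The Python below is an added example, not from the manual; its BasicAcl class models the rule, match-order and wildcard semantics described above, and its depth-first ordering (fewest wildcard bits first, ties by rule ID) and automatic rule-ID assignment are simplifying assumptions rather than the switch's internal behaviour.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def subnet_mask_to_wildcard(mask):
    """255.255.0.0 -> 0.0.255.255, the inversion the manual asks the operator to do."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(mask)))


def wildcard_match(packet_addr, rule_addr, wildcard):
    """A bit set in the wildcard is don't-care; every other bit must be equal."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return to_int(packet_addr) & care == to_int(rule_addr) & care


class BasicAcl:
    """Model of a basic ACL (2000-2999): rules kept in configuration order."""

    def __init__(self, number, match_order="config"):
        if not 2000 <= number <= 2999 or match_order not in ("config", "auto"):
            raise ValueError("basic ACL number 2000-2999, match-order config|auto")
        self.number, self.match_order, self.rules = number, match_order, []

    @staticmethod
    def _parse_source(source):
        if source == "any":
            return "0.0.0.0", "255.255.255.255"
        addr, wild = source.split()
        return addr, "0.0.0.0" if wild == "0" else wild  # wildcard "0" means a host address

    def rule(self, action, source="any", rule_id=None):
        """Add a rule, or overwrite an existing rule-id (config order only); returns the rule id."""
        if action not in ("permit", "deny"):
            raise ValueError(action)
        addr, wild = self._parse_source(source)
        content = (action, addr, wild)
        if any(r[1:] == content for r in self.rules):
            raise ValueError("rule already exists")
        existing = next((r for r in self.rules if r[0] == rule_id), None)
        if existing is not None:
            if self.match_order == "auto":
                raise ValueError("rules of an auto (depth-first) ACL cannot be edited")
            self.rules[self.rules.index(existing)] = (rule_id,) + content
            return rule_id
        if rule_id is None:
            rule_id = max((r[0] for r in self.rules), default=-1) + 1  # assumption: next unused id
        if not 0 <= rule_id <= 127:
            raise ValueError("rule-id must be 0-127")
        self.rules.append((rule_id,) + content)
        return rule_id

    def ordered_rules(self):
        """config: configuration order; auto: most specific (fewest wildcard bits) first."""
        if self.match_order == "config":
            return list(self.rules)
        return sorted(self.rules, key=lambda r: (bin(to_int(r[3])).count("1"), r[0]))

    def evaluate(self, source_ip):
        """Return (action, rule_id) of the first matching rule, or None when no rule matches."""
        for rule_id, action, addr, wild in self.ordered_rules():
            if wildcard_match(source_ip, addr, wild):
                return action, rule_id
        return None


if __name__ == "__main__":
    for order in ("config", "auto"):
        acl = BasicAcl(2000, order)
        acl.rule("permit", "10.1.0.0 0.0.255.255")
        acl.rule("deny", "10.1.1.1 0")
        print(order, "->", acl.evaluate("10.1.1.1"))
```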
1.1.14 rule (Advanced ACL)
Syntax
rule [ rule-id ] { permit | deny } rule-string
undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | time-range ]*
View
Advanced ACL view
Parameters
rule-id: ACL rule ID, in the range of 0 to 127.
deny: Drops packets that satisfy the condition.
permit: Permits packets that satisfy the condition to pass.
rule-string: Rule information, which can be a combination of the parameters described in Table 1-8. You need to configure the protocol argument in the rule information before you can configure other arguments.
Table 1-8 Advanced ACL rule information
Parameter | Type | Function | Description |
---|---|---|---|
protocol | Protocol type | Type of the protocol carried by IP | When expressed as a number, the value ranges from 1 to 255. When expressed as a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, or UDP. |
source { sour-addr sour-wildcard \| any } | Source address information | Specifies the source address information in the rule | sour-addr sour-wildcard specifies the source address of the packet, expressed in dotted decimal notation. any represents any source address. |
destination { dest-addr dest-wildcard \| any } | Destination address information | Specifies the destination address information in the rule | dest-addr dest-wildcard specifies the destination address of the packet, expressed in dotted decimal notation. any represents any destination address. |
precedence precedence | Packet precedence | IP precedence | Value range: 0 to 7 |
tos tos | Packet precedence | ToS priority | Value range: 0 to 15 |
dscp dscp | Packet precedence | DSCP priority | Value range: 0 to 63 |
fragment | Fragment information | Specifies that the rule is effective for non-initial fragment packets only | — |
time-range time-name | Time range information | Specifies the time range in which the rule is active | — |
Note:
sour-wildcard/dest-wildcard is the wildcard mask of the source/destination subnet mask. For example, you need to input 0.0.255.255 to specify the subnet mask 255.255.0.0. The arguments can be set as 0 to represent the host IP address.
To define DSCP priority, you can directly input a value ranging from 0 to 63, or input a keyword listed in Table 1-9.
Table 1-9 Description of DSCP values
Keyword | DSCP value in decimal | DSCP value in binary |
---|---|---|
ef | 46 | 101110 |
af11 | 10 | 001010 |
af12 | 12 | 001100 |
af13 | 14 | 001110 |
af21 | 18 | 010010 |
af22 | 20 | 010100 |
af23 | 22 | 010110 |
af31 | 26 | 011010 |
af32 | 28 | 011100 |
af33 | 30 | 011110 |
af41 | 34 | 100010 |
af42 | 36 | 100100 |
af43 | 38 | 100110 |
cs1 | 8 | 001000 |
cs2 | 16 | 010000 |
cs3 | 24 | 011000 |
cs4 | 32 | 100000 |
cs5 | 40 | 101000 |
cs6 | 48 | 110000 |
cs7 | 56 | 111000 |
be (default) | 0 | 000000 |
Table 1-10 Description of IP precedence values
Keyword | IP precedence value in decimal | IP precedence value in binary |
---|---|---|
routine | 0 | 000 |
priority | 1 | 001 |
immediate | 2 | 010 |
flash | 3 | 011 |
flash-override | 4 | 100 |
critical | 5 | 101 |
internet | 6 | 110 |
network | 7 | 111 |
Table 1-11 Description of ToS values
Keyword | ToS value in decimal | ToS value in binary |
---|---|---|
normal | 0 | 0000 |
min-monetary-cost | 1 | 0001 |
max-reliability | 2 | 0010 |
max-throughput | 4 | 0100 |
min-delay | 8 | 1000 |
If the protocol type is TCP or UDP, you can also define the following information:
Table 1-12 TCP/UDP-specific rule information
Parameter | Type | Function | Description |
---|---|---|---|
source-port operator port1 [ port2 ] | Source port(s) | Defines the source port information of UDP/TCP packets | The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only range requires two port numbers as operands; the other operators require a single port number. port1 and port2: TCP/UDP port number(s), expressed as names or numbers; when expressed as numbers, the value range is 0 to 65,535. |
destination-port operator port1 [ port2 ] | Destination port(s) | Defines the destination port information of UDP/TCP packets | Same as for source-port |
established | “TCP connection established” flag | Specifies that the rule is applicable only to the first SYN segment for establishing a TCP connection | TCP-specific argument |
Note:
Only the Type A LPUs support the “range” operation on the TCP/UDP port.
If the protocol type is ICMP, you can also define the following information:
Table 1-13 ICMP-specific rule information
Parameter | Type | Function | Description |
---|---|---|---|
icmp-type icmp-type icmp-code | Type and message code information of ICMP packets | Specifies the type and message code information of ICMP packets in the rule | icmp-type: ICMP message type, ranging from 0 to 255. icmp-code: ICMP message code, ranging from 0 to 255. |
If the protocol type is ICMP, you can also directly input the ICMP message name after the icmp-type argument. Table 1-14 describes some common ICMP messages.
Table 1-14 Common ICMP messages
Name | ICMP TYPE | ICMP CODE |
---|---|---|
echo | Type=8 | Code=0 |
echo-reply | Type=0 | Code=0 |
fragmentneed-DFset | Type=3 | Code=4 |
host-redirect | Type=5 | Code=1 |
host-tos-redirect | Type=5 | Code=3 |
host-unreachable | Type=3 | Code=1 |
information-reply | Type=16 | Code=0 |
information-request | Type=15 | Code=0 |
net-redirect | Type=5 | Code=0 |
net-tos-redirect | Type=5 | Code=2 |
net-unreachable | Type=3 | Code=0 |
parameter-problem | Type=12 | Code=0 |
port-unreachable | Type=3 | Code=3 |
protocol-unreachable | Type=3 | Code=2 |
reassembly-timeout | Type=11 | Code=1 |
source-quench | Type=4 | Code=0 |
source-route-failed | Type=3 | Code=5 |
timestamp-reply | Type=14 | Code=0 |
timestamp-request | Type=13 | Code=0 |
ttl-exceeded | Type=11 | Code=0 |
Description
Use the rule command to define an ACL rule.
Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl config command.
In the case that you specify the rule ID when defining a rule:
- If the ACL was created with the config keyword and the rule identified by rule-id exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL was created with the auto keyword, the rules of the ACL cannot be edited, and the system reports an error when you execute the rule command.
- If no rule with the specified rule ID exists, a new rule is created and defined.
- The content of a modified or created rule must not be identical to the content of any existing rule; otherwise the modification or creation fails, and the system reports that the rule already exists.
If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
Note:
Type A LPUs do not support applying ACL rules configured with tos tos or fragment to hardware.
Examples
# Define a rule to permit TCP packets sent from hosts in the network segment of 129.9.0.0 to hosts in the network of 202.38.160.0 and with the port number of 80 to pass.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3101
[H3C-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
1.1.15 rule (Layer 2 ACL)
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id
View
Layer 2 ACL view
Parameters
rule-id: ACL rule ID, in the range of 0 to 127.
deny: Drops packets that satisfy the condition.
permit: Permits packets that satisfy the condition to pass.
rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-15.
Table 1-15 Layer 2 ACL rule information
Parameter | Type | Function | Description |
---|---|---|---|
protocol-type | Protocol type | Defines the protocol type over Ethernet frames | protocol-type: the value can be arp, rarp, ipx, nbx, pppoe-control, or pppoe-data. When the protocol type is arp, the rule cannot match ARP packets whose destination MAC address is the MAC address of a Layer 3 interface or is all Fs. |
format-type | Link layer encapsulation type | Defines the link layer encapsulation type in the rule | format-type: the value can be 802.3/802.2, 802.3, ether_ii, or snap. |
ingress { { source-vlan-id \| source-mac-addr [ source-mac-mask ] }* \| any } | Source MAC address information | Specifies the source MAC address range in the rule | source-mac-addr: source MAC address, in the format H-H-H. source-mac-mask: source MAC address mask, in the format H-H-H, defaults to ffff-ffff-ffff. source-vlan-id: source VLAN ID, in the range of 1 to 4,094. any indicates all packets received from all ports. |
egress { dest-mac-addr [ dest-mac-mask ] \| any } | Destination MAC address information | Specifies the destination MAC address range in the rule | dest-mac-addr: destination MAC address, in the format H-H-H. dest-mac-mask: destination MAC address mask, in the format H-H-H, defaults to ffff-ffff-ffff. any indicates all packets forwarded by all ports. |
cos cos | Priority | Defines the 802.1p priority of the rule | cos: ranges from 0 to 7 |
time-range time-name | Time range information | Specifies the time range in which the rule is active | time-name: name of the time range in which the rule is active; a string of 1 to 32 characters |
Note:
source-mac-mask and dest-mac-mask represent the MAC address masks. For example, if you want to specify a MAC address range from 0011-0011-0000 to 0011-0011-00ff, you can specify ffff-ffff-ff00 as the MAC address mask. The mask can be all Fs, representing the host address.
To define the CoS value, you can directly input a value ranging from 0 to 7, or input a keyword listed in the following table.
Table 1-16 Description of CoS values
Keyword | CoS value in decimal | CoS value in binary |
---|---|---|
best-effort | 0 | 000 |
background | 1 | 001 |
spare | 2 | 010 |
excellent-effort | 3 | 011 |
controlled-load | 4 | 100 |
video | 5 | 101 |
voice | 6 | 110 |
network-management | 7 | 111 |
Description
Use the rule command to define an ACL rule.
Use the undo rule command to delete an ACL rule.
Before you can delete a rule, you must specify the rule ID. If you do not know the rule ID, you can view it by using the display acl config command.
In the case that you specify the rule ID when defining a rule:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule (the other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case the system displays an error when you execute the rule command.
- If the rule corresponding to the specified rule ID does not exist, you create and define a new rule.
- The content of a modified or created rule must not be identical to the content of any existing rule; otherwise the modification or creation fails and the system reports that the rule already exists.
If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
Examples
# Define an ACL rule to deny packets with source MAC address 000d-88f5-97ed, destination MAC address 0011-4301-991e, and 802.1p priority 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 4000
[H3C-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
1.1.16 rule (user-defined ACL)
Syntax
rule [ rule-id ] { permit | deny } { rule-string rule-mask offset } &<1-8> [ time-range time-name ]
undo rule rule-id
View
User-defined ACL view
Parameters
rule-id: ACL rule ID, in the range of 0 to 127.
deny: Drops packets that satisfy the condition.
permit: Permits packets that satisfy the condition to pass.
rule-string: User-defined match string of the rule, a hexadecimal string of 2 to 20 characters (an even number of characters).
rule-mask: User-defined mask of the rule, a hexadecimal string of 2 to 20 characters (an even number of characters). It is ANDed with the bytes extracted from the packet. Its length must be the same as that of rule-string.
offset: Mask offset of the rule, in bytes from the start of the packet header. It specifies the byte at which the logical AND operation starts. It ranges from 0 to 79 bytes; the maximum value decreases by one byte for every two additional characters in rule-string (and rule-mask). For example, when rule-string and rule-mask each contain two characters, the maximum offset is 79 bytes; when each contains four characters, the maximum offset is 78 bytes, and so on. rule-mask and offset together extract a string from the packet; the switch compares that string with rule-string to find matching packets and then processes them accordingly.
&<1-8>: At most eight rules can be defined at one time.
time-range time-name: Specifies a time range within which the rule is valid.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by using the display acl config command.
In the case that you specify the rule ID when defining a rule:
- If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule (the other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited; in this case the system displays an error when you execute the rule command.
- If the rule corresponding to the specified rule ID does not exist, you create and define a new rule.
- The content of a modified or created rule must not be identical to the content of any existing rule; otherwise the modification or creation fails and the system reports that the rule already exists.
If you do not specify a rule ID, you will create and define a new rule, and the system will assign an ID for the rule automatically.
Examples
# Define a user-defined rule to deny all TCP packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range t1 18:00 to 23:00 sat
[H3C] acl number 5001
[H3C-acl-user-5001] rule 25 deny 06 ff 27 time-range t1
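The two mask-based matches described above, the MAC address mask of the Layer 2 ACL note and the rule-string / rule-mask / offset match of the user-defined ACL, implemented as an added example (not H3C code). The sample frame is constructed: an 802.1Q-tagged Ethernet II frame carrying a minimal IPv4 header, so that the IP protocol field sits at byte 27 (14-byte Ethernet header, 4-byte tag, protocol at IP header byte 9), which is the byte the page's `rule 25 deny 06 ff 27` inspects.

```python
"""Added example (not H3C code): mask-and-compare semantics of ACL rules."""


def mac_to_bytes(mac: str) -> bytes:
    """Parse the manual's H-H-H form, e.g. '0011-4301-991e'."""
    return bytes.fromhex(mac.replace("-", ""))


def mac_matches(addr: str, pattern: str, mask: str = "ffff-ffff-ffff") -> bool:
    """True when (addr AND mask) == (pattern AND mask).
    A mask of all Fs (the default) therefore matches exactly one host."""
    a, p, m = (mac_to_bytes(x) for x in (addr, pattern, mask))
    return all((x & z) == (y & z) for x, y, z in zip(a, p, m))


def user_rule_matches(frame: bytes, rule_string: str, rule_mask: str, offset: int) -> bool:
    """Match semantics of `rule ... rule-string rule-mask offset`: take
    len(rule_string)/2 bytes starting at `offset`, AND them with rule_mask
    and compare with rule_string. Offset validity follows the manual:
    0..79 for two characters, one less per additional two characters."""
    if len(rule_string) % 2 or len(rule_string) != len(rule_mask):
        raise ValueError("rule-string and rule-mask must be even length and equal")
    width = len(rule_string) // 2
    if not 0 <= offset <= 80 - width:
        raise ValueError("offset out of range for this rule-string length")
    window = frame[offset:offset + width]
    if len(window) < width:          # frame too short to contain the window
        return False
    want, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    return all((w & m) == (s & m) for w, s, m in zip(window, want, mask))


def build_tagged_frame(ip_proto: int) -> bytes:
    """Constructed sample: 802.1Q-tagged frame, VLAN 100, minimal IPv4
    header with the given protocol number (payload omitted)."""
    dst = mac_to_bytes("0011-4301-991e")
    src = mac_to_bytes("000d-88f5-97ed")
    tag = bytes.fromhex("8100") + (100).to_bytes(2, "big")   # TPID + TCI
    ethertype = bytes.fromhex("0800")
    ip_hdr = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, ip_proto])  # ver/IHL..TTL,proto
    ip_hdr += bytes(2) + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])  # csum, src, dst
    return dst + src + tag + ethertype + ip_hdr


if __name__ == "__main__":
    tcp, udp = build_tagged_frame(6), build_tagged_frame(17)
    print("rule 25 deny 06 ff 27 hits TCP:", user_rule_matches(tcp, "06", "ff", 27))
    print("rule 25 deny 06 ff 27 hits UDP:", user_rule_matches(udp, "06", "ff", 27))
    print("in 0011-0011-0000/ff00 range:", mac_matches("0011-0011-0080", "0011-0011-0000", "ffff-ffff-ff00"))
```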
1.1.17 time-range
Syntax
time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
undo time-range { time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] | all }
View
System view
Parameters
time-name: Name of a time range, up to 32 characters long, starting with an English letter (a to z, or A to Z).
start-time: Start time of a periodic time range, in the form of hh:mm.
end-time: End time of a periodic time range, in the form of hh:mm.
days-of-the-week: Day of the week on which the periodic time range is active. You can provide this argument in one of the following forms.
- Numeral (0 to 6)
- Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday
- Working days (Monday through Friday)
- Off days (Saturday and Sunday)
- Daily, namely every day of the week
from start-time start-date: Specifies the start date of an absolute time range, in the form of hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the start date is not specified, the time range starts from the earliest time that the system can represent.
to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the end date is not specified, the time range ends at 2100/12/31 23:59.
all: Deletes all time ranges.
Description
Use the time-range command to define a time range.
Use the undo time-range command to delete a time range.
Use the undo time-range all command to delete all time ranges.
The time range defined by means of the time-range command can include absolute time sections and periodic time sections. start-time and end-time days-of-the-week jointly define a periodic time section, while start-time start-date and end-time end-date jointly define an absolute time section.
If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.
If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only when the system time is within 12:00 to 14:00 every Wednesday in 2004.
If you include any argument of the undo time-range command, the system will delete only the content defined by the argument from the time range.
Examples
# Define an absolute time range that is active from 12:00 January 1, 2000 to 12:00 January 1, 2001.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range test from 12:00 1/1/2000 to 12:00 1/1/2001
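A model of the activity rule in the Description above (periodic sections ORed together, absolute sections ORed together, and both groups ANDed when a range has both kinds), written as an added example that is not H3C code. The manual does not say whether section endpoints are inclusive; this example assumes they are, and uses datetime.min to stand in for "the earliest time that the system can represent".

```python
"""Added example (not H3C code): when is a time-range active?"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional

WEEKDAY = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
           "friday": 4, "saturday": 5, "sunday": 6}
LATEST_END = datetime(2100, 12, 31, 23, 59)   # default end date per the manual
EARLIEST_START = datetime.min                 # assumption: stands in for the earliest system time


def parse_abs(text: str) -> datetime:
    """Parse the manual's absolute form 'hh:mm YYYY/MM/DD'."""
    return datetime.strptime(text, "%H:%M %Y/%m/%d")


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)  # (start time, end time, set of weekdays)
    absolute: list = field(default_factory=list)  # (start datetime, end datetime)

    def add_periodic(self, start: str, end: str, days: List[str]) -> None:
        """'12:00 to 14:00 wednesday' becomes one periodic section."""
        self.periodic.append((time.fromisoformat(start), time.fromisoformat(end),
                              {WEEKDAY[d.lower()] for d in days}))

    def add_absolute(self, start: Optional[str] = None, end: Optional[str] = None) -> None:
        """'from hh:mm YYYY/MM/DD to hh:mm YYYY/MM/DD'; either side may be omitted."""
        self.absolute.append((parse_abs(start) if start else EARLIEST_START,
                              parse_abs(end) if end else LATEST_END))

    def is_active(self, now: datetime) -> bool:
        """Active when some periodic section matches (or none is defined)
        AND some absolute section matches (or none is defined). Endpoints
        are treated as inclusive (assumption)."""
        periodic_ok = not self.periodic or any(
            now.weekday() in days and start <= now.time() <= end
            for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(s <= now <= e for s, e in self.absolute)
        return periodic_ok and absolute_ok


def manual_example() -> TimeRange:
    """The range from the Description: all of 2004, Wednesdays 12:00 to 14:00."""
    tr = TimeRange("wed2004")
    tr.add_absolute("00:00 2004/01/01", "23:59 2004/12/31")
    tr.add_periodic("12:00", "14:00", ["wednesday"])
    return tr
```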