09-ACL and QoS Command Reference


NOTE:

In this documentation, SPC cards refer to the cards prefixed with SPC, for example, SPC-GT48L. SPE cards refer to the cards prefixed with SPE, for example, SPE-1020-E-II.

 

acl

Syntax

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl { all | name acl-name | number acl-number }

View

System view

Default level

2: System level

Parameters

number acl-number: Specifies the number of an access control list (ACL):

·           2000 to 2999 for IPv4 basic ACLs

·           3000 to 3999 for IPv4 advanced ACLs

·           4000 to 4999 for Ethernet frame header ACLs

·           5000 to 5999 for user-defined ACLs

name acl-name: Assigns a name to the IPv4 ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.

match-order: Sets the order in which ACL rules are compared against packets:

·           auto—Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.

·           config—Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv4 ACLs.

Description

Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly.

Use the undo acl command to delete the specified ACL or all ACLs.

By default, no ACL exists.

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

You can change match order only for ACLs that do not contain any rules.

The match-order keyword is not available for user-defined ACLs. They always use the config order.

To display any ACLs you have created, use the display acl command.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2002 with the name flow, and enter its view.

<Sysname> system-view

[Sysname] acl number 2002 name flow

[Sysname-acl-basic-2002-flow]

# Enter the view of an unnamed IPv4 ACL by specifying its number.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000]

# Enter the view of a named IPv4 ACL by specifying its number.

<Sysname> system-view

[Sysname] acl number 2002

[Sysname-acl-basic-2002-flow]

# Delete the IPv4 ACL numbered 2000.

<Sysname> system-view

[Sysname] undo acl number 2000

# Delete the IPv4 ACL named flow.

<Sysname> system-view

[Sysname] undo acl name flow

acl copy

Syntax

acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View

System view

Default level

2: System level

Parameters

source-acl-number: Specifies an existing source IPv4 ACL by its number:

·           2000 to 2999 for IPv4 basic ACLs

·           3000 to 3999 for IPv4 advanced ACLs

·           4000 to 4999 for Ethernet frame header ACLs

·           5000 to 5999 for user-defined ACLs

name source-acl-name: Specifies an existing source IPv4 ACL by its name. The source-acl-name argument takes a case-insensitive string of 1 to 63 characters.

dest-acl-number: Assigns a unique number to the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:

·           2000 to 2999 for IPv4 basic ACLs

·           3000 to 3999 for IPv4 advanced ACLs

·           4000 to 4999 for Ethernet frame header ACLs

·           5000 to 5999 for user-defined ACLs

name dest-acl-name: Assigns a unique name to the IPv4 ACL you are creating. The dest-acl-name takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description

Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. Except for the number and name (if any), the new ACL has the same configuration as the source ACL.

You can assign a name to an IPv4 ACL only when you create it. After an IPv4 ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view

[Sysname] acl copy 2001 to 2002

acl ipv6

Syntax

acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]

undo acl ipv6 { all | name acl6-name | number acl6-number }

View

System view

Default level

2: System level

Parameters

number acl6-number: Specifies the number of an IPv6 ACL:

·           2000 to 2999 for IPv6 basic ACLs

·           3000 to 3999 for IPv6 advanced ACLs

name acl6-name: Assigns a name to the IPv6 ACL for easy identification. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.

match-order: Sets the order in which ACL rules are compared against packets:

·           auto—Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.

·           config—Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv6 ACLs.

Description

Use the acl ipv6 command to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly.

Use the undo acl ipv6 command to delete the specified IPv6 ACL or all IPv6 ACLs.

By default, no ACL exists.

You can assign a name to an IPv6 ACL only when you create it. After an IPv6 ACL is created with a name, you cannot rename it or remove its name.

You can change match order only for ACLs that do not contain any rules.

To display any ACLs you have created, use the display acl ipv6 command.

Examples

# Create IPv6 ACL 2000 and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000]

# Create IPv6 basic ACL 2001 with the name flow, and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 number 2001 name flow

[Sysname-acl6-basic-2001-flow]

acl ipv6 copy

Syntax

acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

View

System view

Default level

2: System level

Parameters

source-acl6-number: Specifies an existing source IPv6 ACL by its number:

·           2000 to 2999 for IPv6 basic ACLs

·           3000 to 3999 for IPv6 advanced ACLs

name source-acl6-name: Specifies an existing source IPv6 ACL by its name. The source-acl6-name argument takes a case-insensitive string of 1 to 63 characters.

dest-acl6-number: Assigns a unique number to the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:

·           2000 to 2999 for IPv6 basic ACLs

·           3000 to 3999 for IPv6 advanced ACLs

name dest-acl6-name: Assigns a unique name to the IPv6 ACL you are creating. The dest-acl6-name takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description

Use the acl ipv6 copy command to create an IPv6 ACL by copying an IPv6 ACL that already exists. Except for the number and name (if any), the new ACL has the same configuration as the source ACL.

You can assign a name to an IPv6 ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.

<Sysname> system-view

[Sysname] acl ipv6 copy 2001 to 2002

acl ipv6 logging frequence

Syntax

acl ipv6 logging frequence frequence

undo acl ipv6 logging frequence

View

System view

Default level

2: System level

Parameters

frequence: Specifies the interval in minutes at which IPv6 packet filtering logs are generated and output. It must be a multiple of 5, in the range of 0 to 1440. To disable generating IPv6 logs, assign 0 to the argument.

Description

Use the acl ipv6 logging frequence command to set the interval for generating and outputting IPv6 packet filtering logs. The log information includes the number of matching IPv6 packets and the matching IPv6 ACL rules. This command logs only for IPv6 basic and advanced ACL rules that have the logging keyword.

Use the undo acl ipv6 logging frequence command to restore the default.

By default, the interval is 0. No IPv6 packet filtering logs are generated.

Related commands: rule (IPv6 advanced ACL view), and rule (IPv6 basic ACL view).

Examples

# Enable the device to generate and output IPv6 packet filtering logs at 10-minute intervals.

<Sysname> system-view

[Sysname] acl ipv6 logging frequence 10

acl ipv6 name

Syntax

acl ipv6 name acl6-name

View

System view

Default level

2: System level

Parameters

acl6-name: Specifies the name of an existing IPv6 ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Description

Use the acl ipv6 name command to enter the view of an IPv6 ACL that has a name.

Related commands: acl ipv6.

Examples

# Enter the view of IPv6 ACL flow.

<Sysname> system-view

[Sysname] acl ipv6 name flow

[Sysname-acl6-basic-2001-flow]

acl logging frequence

Syntax

acl logging frequence frequence

undo acl logging frequence

View

System view

Default level

2: System level

Parameters

frequence: Specifies the interval in minutes at which IPv4 packet filtering logs are generated and output. It must be a multiple of 5, in the range of 0 to 1440. To disable generating IPv4 logs, assign 0 to the argument.

Description

Use the acl logging frequence command to set the interval for generating and outputting IPv4 packet filtering logs. The log information includes the number of matching IPv4 packets and the matching IPv4 ACL rules. This command logs only for IPv4 basic and advanced ACL rules that have the logging keyword.

Use the undo acl logging frequence command to restore the default.

By default, the interval is 0. No IPv4 packet filtering logs are generated.

Related commands: rule (IPv4 advanced ACL view), and rule (IPv4 basic ACL view).

Examples

# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.

<Sysname> system-view

[Sysname] acl logging frequence 10

acl mode

Syntax

acl mode { 1 | 2 | 3 | 4 }

View

System view

Default Level

2: System level

Parameters

1: 18 bytes for an SPE card and 40 bytes for an SPC card.

2: 36 bytes for an SPE card and 40 bytes for an SPC card.

3: 18 bytes for an SPE card and 80 bytes for an SPC card.

4: 36 bytes for an SPE card and 80 bytes for an SPC card.

Description

Use the acl mode command to set the ACL rule length limit mode. The length limit mode takes effect after you restart the router.

By default, the ACL rule length limit mode is 2.

Examples

# Set the ACL rule length limit mode to 1 so that the length limit for an SPE card is set to 18 bytes and that for an SPC card is set to 40 bytes.

<Sysname> system-view

[Sysname] acl mode 1

  ACL has been set to mode 1, and will take effect after the next system reboot.

acl name

Syntax

acl name acl-name

View

System view

Default level

2: System level

Parameters

acl-name: Specifies the name of an existing IPv4 ACL, which is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Description

Use the acl name command to enter the view of an IPv4 ACL that has a name.

Related commands: acl.

Examples

# Enter the view of IPv4 ACL flow.

<Sysname> system-view

[Sysname] acl name flow

[Sysname-acl-basic-2001-flow]

description

Syntax

description text

undo description

View

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view

Default level

2: System level

Parameters

text: ACL description, a case-sensitive string of 1 to 127 characters.

Description

Use the description command to configure a description for an ACL.

Use the undo description command to remove the ACL description.

By default, an ACL has no ACL description.

Related commands: display acl and display acl ipv6.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

# Configure a description for IPv6 basic ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] description This is an IPv6 basic ACL.

display acl

Syntax

display acl { acl-number | all | name acl-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

acl-number: Specifies an ACL by its number:

·           2000 to 2999 for basic ACLs

·           3000 to 3999 for advanced ACLs

·           4000 to 4999 for Ethernet frame header ACLs

·           5000 to 5999 for user-defined ACLs

all: Displays information for all IPv4 ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.

slot slot-number: Displays the match statistics for ACLs on a card. The slot-number argument specifies a card by its slot number. If no slot is provided, the command displays the configurations of ACLs on the device.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display acl command to display configuration and match statistics for the specified or all ACLs.

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display the configuration and match statistics for IPv4 ACL 2001.

<Sysname> display acl 2001

Basic ACL  2001, named flow, 1 rule,

ACL's step is 5

 rule 5 permit source 1.1.1.1 0 (5 times matched)

 rule 5 comment This rule is used in GE3/1/1

Basic ACL  2002, named -none-, 1 rule,

ACL's step is 5

 rule 0 permit source 10.110.0.0 0.0.0.255 

Table 1 Output description

Field

Description

Basic ACL  2001

Category and number of the ACL. The following field information is about IPv4 basic ACL 2001.

named flow

The name of the ACL is flow. "-none-" means the ACL is not named.

1 rule

The ACL contains one rule.

ACL's step is 5

The rule numbering step is 5.

5 times matched

There have been five matches for the rule. The statistic counts only ACL matches performed by software.

This field is not displayed when no packets have matched the rule.

Uncompleted

Applying the rule to hardware failed because insufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied. A rule in this state is not enforced in hardware.

rule 5 comment This rule is used in GE3/1/1

The description of ACL rule 5 is "This rule is used in GE3/1/1".
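The display acl output is what an operator reads to confirm that a filter is actually installed and matching. As an added example (not part of this H3C reference), the following Python parses that text format into structures and reports rules the hardware rejected (Uncompleted) or that have no recorded matches. The sample output is constructed from the format shown on this page; the Advanced ACL block and the position of the Uncompleted marker at the end of the rule line are assumptions, since the page documents the field but does not show where the device prints it.

```python
"""Parse the text output of `display acl` and audit the rules it lists.
Added example for this page; it is not H3C code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the format shown on this page. The Advanced ACL block and
# the position of the "(Uncompleted)" marker are assumptions: the page documents
# the field but does not show where the device prints it.
SAMPLE = """\
Basic ACL  2001, named flow, 2 rules,
ACL's step is 5
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 5 comment This rule is used in GE3/1/1
 rule 10 deny source 10.1.0.0 0.0.255.255
Advanced ACL  3000, named -none-, 1 rule,
ACL's step is 5
 rule 0 deny tcp destination 10.0.0.1 0 destination-port eq 23 (Uncompleted)
"""

HEADER_RE = re.compile(r"^(?P<cat>.+?) ACL\s+(?P<num>\d+), named (?P<name>\S+), \d+ rules?,?$")
STEP_RE = re.compile(r"^ACL's step is (?P<step>\d+)$")
COMMENT_RE = re.compile(r"^\s*rule (?P<id>\d+) comment (?P<text>.*)$")
RULE_RE = re.compile(r"^\s*rule (?P<id>\d+) (?P<action>permit|deny)\s*(?P<body>.*)$")
MATCHED_RE = re.compile(r"\((?P<n>\d+) times matched\)")


@dataclass
class Rule:
    rule_id: int
    action: str
    body: str                      # match criteria as printed, status text stripped
    matched: Optional[int] = None  # None: the device printed no counter (no software matches yet)
    uncompleted: bool = False      # hardware rejected the rule; it is not enforced there
    comment: str = ""


@dataclass
class Acl:
    category: str
    number: int
    name: Optional[str]            # None when the device prints "-none-"
    step: int = 5
    rules: list[Rule] = field(default_factory=list)


def parse_display_acl(text: str) -> list[Acl]:
    """Turn `display acl` text into Acl objects; raises on lines it does not recognise."""
    acls: list[Acl] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := HEADER_RE.match(line):
            name = None if m["name"] == "-none-" else m["name"]
            acls.append(Acl(m["cat"], int(m["num"]), name))
            continue
        if not acls:
            raise ValueError(f"rule text before any ACL header: {line!r}")
        cur = acls[-1]
        if m := STEP_RE.match(line.strip()):
            cur.step = int(m["step"])
        elif m := COMMENT_RE.match(line):
            rid = int(m["id"])
            for r in cur.rules:
                if r.rule_id == rid:
                    r.comment = m["text"].strip()
        elif m := RULE_RE.match(line):
            body = m["body"]
            counter = MATCHED_RE.search(body)
            uncompleted = "(Uncompleted)" in body
            body = MATCHED_RE.sub("", body).replace("(Uncompleted)", "").strip()
            cur.rules.append(Rule(int(m["id"]), m["action"], body,
                                  int(counter["n"]) if counter else None, uncompleted))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return acls


def audit(acls: list[Acl]) -> list[str]:
    """Findings worth acting on: rules the hardware is not enforcing, and rules with
    no recorded matches. The counter reflects software matches only unless
    hardware-count enable is configured, so a missing counter is a prompt to check,
    not proof that the rule is unused."""
    findings = []
    for acl in acls:
        label = f"{acl.category} ACL {acl.number}" + (f" ({acl.name})" if acl.name else "")
        for r in acl.rules:
            if r.uncompleted:
                findings.append(f"{label} rule {r.rule_id}: not enforced in hardware (Uncompleted)")
            elif r.matched is None:
                findings.append(f"{label} rule {r.rule_id}: no matches recorded")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_acl(SAMPLE)):
        print(finding)
```

An Uncompleted rule deserves the same urgency as a missing rule: traffic it was meant to deny is handled by whatever rule matches next. A missing counter only means no software matches have been seen; configure hardware-count enable on the ACL (or the counting keyword on the rule) before reading a zero as "unused".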

 

display acl ipv6

Syntax

display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

acl6-number: Specifies an IPv6 ACL by its number:

·           2000 to 2999 for IPv6 basic ACLs

·           3000 to 3999 for IPv6 advanced ACLs

all: Displays information for all IPv6 ACLs.

name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.

slot slot-number: Displays the match statistics for IPv6 ACLs on a card. The slot-number argument represents the slot number of the card. If no slot number is provided, the command displays configuration information about all IPv6 ACLs on the device.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display acl ipv6 command to display the configuration and match statistics for the specified IPv6 ACL or all IPv6 ACLs.

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display the configuration and match statistics for IPv6 ACL 2001.

<Sysname> display acl ipv6 2001

Basic IPv6 ACL  2001, named flow, 1 rule,

ACL's step is 5

rule 0 permit source 1::2/128 (5 times matched)

rule 0 comment This rule is used in GE3/1/1

Basic IPv6 ACL  2002, named -none-, 1 rule,

 ACL's step is 5

 rule 0 permit source FF1E::101:101/128  

Table 2 Output description

Field

Description

Basic IPv6 ACL  2001

Category and number of the ACL. The following field information is about this IPv6 basic ACL 2001.

named flow

The name of the ACL is flow. "-none-" means the ACL is not named.

1 rule

The ACL contains one rule.

ACL's step is 5

The rule numbering step is 5.

5 times matched

There have been five matches for the rule. The statistic counts only IPv6 ACL matches performed by software.

This field is not displayed when no packets have matched the rule.

Uncompleted

Applying the rule to hardware failed because insufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied. A rule in this state is not enforced in hardware.

rule 0 comment This rule is used in GE3/1/1

The description of ACL rule 0 is "This rule is used in GE3/1/1".

 

display acl mode

Syntax

display acl mode [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display acl mode command to display the ACL rule length limit mode.

Examples

# Display the ACL rule length limit mode.

<Sysname> display acl mode

Current ACL mode              : mode 3 (SPE ACL key short, SPC ACL key long)

Acl mode after system restart : mode 3 (SPE ACL key short, SPC ACL key long)

Notice: Changing ACL mode will take effect only after system restart.

Table 3 Output description

Field

Description

Current ACL mode

ACL rule length limit mode that is currently effective

Acl mode after system restart

ACL rule length limit mode that is to be effective after system restart

 

display acl resource

Syntax

display acl resource [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

slot slot-number: Displays the usage of ACL rules on a card. The slot-number argument specifies the slot number of the card. If no slot number is specified, the usage of ACL rules on the main board is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display acl resource command to display the usage of ACL rules.

If a card does not support counting for ACL rules, the command displays only the slot number of the card.

Examples

# Display the usage of ACL resources on all cards.

<Sysname> display acl resource

  Slot: 2

  Resource   Total   Reserved  Configured  Remaining  Start        End

  Type       Number  Number    Number      Number     Interface    Interface

  ------------------------------------------------------------------------------

  IPV4-ACL   16384   0         0           16384      GE2/1/1      GE2/1/8

  IPV6-ACL   1024    0         0           1024       GE2/1/1      GE2/1/8

Table 4 Output description

Field

Description

Slot

Slot number of a card

Resource Type

Resource type

Total Number

Total number of ACL rules supported

Reserved Number

Number of reserved ACL rules

Configured Number

Number of ACL rules that have been applied

Remaining Number

Number of ACL rules that you can apply

Start Interface

Name of the start interface on the card

End Interface

Name of the end interface on the card

 

display flow-template interface

Syntax

display flow-template interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number. If no interface is specified, information about all user-defined flow templates applied to interfaces is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display flow-template interface command to display information about user-defined flow templates applied to interfaces.

Examples

# Display information about all user-defined flow templates applied to interfaces.

<Sysname> display flow-template interface

Interface: GigabitEthernet2/1/1

user-defined flow template: basic

 name:1, index:2, total reference counts:1

 fields: service-cos

Table 5 Output description

Field

Description

Interface

Interface where the user-defined flow template is referenced

user-defined flow template

Type of the user-defined flow template

name

Name of the user-defined flow template

index

Index of the user-defined flow template

total reference counts

Total number of times that the user-defined flow template has been referenced

fields

Fields included in the user-defined flow template

 

display flow-template user-defined

Syntax

display flow-template user-defined [ flow-template-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

flow-template-name: Name of a user-defined flow template, a case-insensitive string of 1 to 31 characters. If no user-defined flow template name is specified, information about all user-defined flow templates is displayed.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display flow-template user-defined command to display information about user-defined flow templates.

Examples

# Display information about all user-defined flow templates.

<Sysname> display flow-template user-defined

user-defined flow template: basic

 name:f1, index:1, total reference counts:1

 fields: ip-protocol fragments ip-precedence

user-defined flow template: basic

 name:f3, index:3, total reference counts:1

 fields: tos

Table 6 Output description

Field

Description

user-defined flow template

Type of the user-defined flow template

name

Name of the user-defined flow template

index

Index of the user-defined flow template

total reference counts

Total number of times that the user-defined flow template has been referenced by switching chips

fields

Fields included in the user-defined flow template

 

display time-range

Syntax

display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

time-range-name: Specifies a time range name, which is a case-insensitive string of 1 to 32 characters. It must start with an English letter.

all: Displays the configuration and status of all existing time ranges.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display time-range command to display the configuration and status of the specified time range or all time ranges.

Examples

# Display the configuration and status of time range test.

<Sysname> display time-range test

Current time is 15:45:29 2/8/2007 Thursday

Time-range : test ( Active )

 08:00 to 18:00 working-day

Table 7 Output description

Field

Description

Current time

Current system time.

Time-range

Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.

 

flow-template

Syntax

flow-template flow-template-name

undo flow-template

View

Interface view, port group view

Default level

2: System level

Parameters

flow-template-name: Specifies the name of the user-defined flow template, a case-insensitive string of 1 to 31 characters.

Description

Use the flow-template command to apply a user-defined flow template to an interface or port group.

Use the undo flow-template command to remove the application.

The user-defined flow template applied to a port group takes effect on all interfaces in the group.

This command is available only on SPE cards.

You can apply only one user-defined flow template on an interface.

Examples

# Apply user-defined flow template f1 to GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] flow-template f1

# Apply user-defined flow template f1 to port group 1.

<Sysname> system-view

[Sysname] port-group manual 1

[Sysname-port-group-manual-1] group-member GigabitEthernet 3/1/1 to GigabitEthernet 3/1/6

[Sysname-port-group-manual-1] flow-template f1

flow-template basic

Syntax

flow-template flow-template-name basic { customer-vlan-id | dip | dmac | dport | dscp | ethernet-protocol | fragments | icmp-code | icmp-type | ip-precedence | ip-protocol | mpls-exp | service-cos | sip | smac | sport | tcp-flag | tos } *

undo flow-template { all | name flow-template-name }

View

System view

Default level

2: System level

Parameters

flow-template-name: Assigns a name to a user-defined flow template, a case-insensitive string of 1 to 31 characters.

basic: Sets the type of the user-defined flow template to basic.

customer-vlan-id: Customer VLAN ID.

dip: Destination IP address.

dmac: Destination MAC address.

dport: Destination port.

dscp: Differentiated service code point (DSCP) field in the IP header.

ethernet-protocol: Protocol type field in the Ethernet frame header.

fragments: Fragments field in the IP header.

icmp-code: ICMP code field.

icmp-type: ICMP type field.

ip-precedence: Precedence field in the IP header.

ip-protocol: Protocol type field in the IP header.

mpls-exp: EXP field in the MPLS label.

service-cos: Service provider 802.1p COS field.

sip: Source IP address.

smac: Source MAC address.

sport: Source port.

tcp-flag: Flags field in the TCP header.

tos: ToS field in the IP header.

all: Deletes all user-defined flow templates.

Description

Use the flow-template basic command to create a basic user-defined flow template.

Use the undo flow-template command to delete one or all user-defined flow templates. Before deleting a template, make sure it is not applied to any interface; otherwise the removal fails.

Examples

# Create a basic user-defined flow template.

<Sysname> system-view

[Sysname] flow-template f1 basic dip smac ip-protocol tcp-flag

hardware-count enable

Syntax

hardware-count enable

undo hardware-count enable

View

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view

Default level

2: System level

Parameters

None

Description

Use the hardware-count enable command to enable counting of ACL rule matches performed in hardware. Rule matches performed in software are always counted and need no configuration.

Use the undo hardware-count enable command to disable counting ACL rule matches performed in hardware. This command also resets the hardware match counters for all rules in the ACL. For a rule configured with the counting keyword, this command only resets the rule’s hardware match counter.

By default, ACL rule matches performed in hardware are not counted.

The hardware-count enable command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. For an individual rule, rule match counting works as long as either the hardware-count enable command or the counting keyword is configured.

Related commands: display acl, display acl ipv6, and rule.

Examples

# Enable rule match counting for IPv4 ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] hardware-count enable

# Enable rule match counting for IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] hardware-count enable

reset acl counter

Syntax

reset acl counter { acl-number | all | name acl-name }

View

User view

Default level

2: System level

Parameters

acl-number: Specifies an ACL by its number:

·           2000 to 2999 for IPv4 basic ACLs

·           3000 to 3999 for IPv4 advanced ACLs

·           4000 to 4999 for Ethernet frame header ACLs

·           5000 to 5999 for user-defined ACLs

all: Clears statistics for all ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Description

Use the reset acl counter command to clear statistics for the specified ACL or all ACLs.

Related commands: display acl.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

# Clear statistics for the IPv4 ACL named flow.

<Sysname> reset acl counter name flow

reset acl ipv6 counter

Syntax

reset acl ipv6 counter { acl6-number | all | name acl6-name }

View

User view

Default level

2: System level

Parameters

acl6-number: Specifies an IPv6 ACL by its number:

·           2000 to 2999 for IPv6 basic ACLs

·           3000 to 3999 for IPv6 advanced ACLs

all: Clears statistics for all IPv6 basic and advanced ACLs.

name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Description

Use the reset acl ipv6 counter command to clear statistics for the specified IPv6 ACL or all IPv6 basic and IPv6 advanced ACLs.

Related commands: display acl ipv6.

Examples

# Clear statistics for IPv6 basic ACL 2001.

<Sysname> reset acl ipv6 counter 2001

# Clear statistics for the IPv6 ACL named flow.

<Sysname> reset acl ipv6 counter name flow

rule (Ethernet frame header ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

View

Ethernet frame header ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

counting: Counts the number of times the rule has been matched. This keyword is valid only when the ACL is applied to the packet filtering firewall. For more information, see Security Configuration Guide.

dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

source-mac source-address source-mask: Matches a source MAC address range. The source-address and source-mask arguments represent a source MAC address and mask in H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.

Description

Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an Ethernet frame header ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, and step.

Examples

# Create rules in ACL 4000 to permit ARP packets (Ethernet type 0x0806) and deny RARP packets (Ethernet type 0x8035).

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff

[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff

rule (IPv4 advanced ACL view)

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { source-address sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *

View

IPv4 advanced ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Protocol carried by IPv4. It can be a number in the range of 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 8 describes the parameters that you can specify regardless of the value that the protocol argument takes.

Table 8 Match criteria and other rule information for IPv4 advanced ACL rules

source { source-address sour-wildcard | any }: Specifies a source address. The source-address and sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.

destination { dest-addr dest-wildcard | any }: Specifies a destination address. The dest-addr and dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.

counting: Counts the number of times the rule has been matched. This keyword is valid only when the ACL is applied to the packet filtering firewall.

precedence precedence: Specifies an IP precedence value. The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

tos tos: Specifies a ToS value. The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp: Specifies a DSCP value. The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

logging: Logs matching packets. This function requires that the module using the ACL supports logging. If an ACL has been applied to both the packet filtering firewall and policy-based routing modules, do not add or modify a rule that has the logging keyword in the ACL. Doing so can cause rule application failure on both modules. For information about packet filtering firewall, see Security Configuration Guide. For information about policy-based routing, see Layer 3—IP Routing Configuration Guide.

reflective: Specifies that the rule be reflective. A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

fragment: Applies the rule only to fragments. Without this keyword, the rule applies to both fragments and non-fragments.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.

 

 

NOTE:

If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

 

If the protocol argument takes tcp (6) or udp (17), you can set the parameters shown in Table 9.

Table 9 TCP/UDP-specific parameters for IPv4 advanced ACL rules

source-port operator port1 [ port2 ]: Specifies one or more TCP or UDP source ports. The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port operator port1 [ port2 ]: Specifies one or more TCP or UDP destination ports. The operator, port1, and port2 arguments are the same as for source-port.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flag bits (ACK, FIN, PSH, RST, SYN, and URG). Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The relationship between the TCP flags in a rule is AND: a packet matches only if every listed flag bit has the specified value.

established: Matches packets of an established TCP connection. Parameter specific to TCP. The rule matches TCP packets with the ACK or RST flag bit set.

 

If the protocol argument takes icmp (1), you can set the parameters shown in Table 10.

Table 10 ICMP-specific parameters for IPv4 advanced ACL rules

icmp-type { icmp-type [ icmp-code ] | icmp-message }: Specifies the ICMP message type and code. The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 11.

 

Table 11 ICMP message names supported in IPv4 advanced ACL rules

ICMP message name       ICMP message type   ICMP message code

echo                    8                   0

echo-reply              0                   0

fragmentneed-DFset      3                   4

host-redirect           5                   1

host-tos-redirect       5                   3

host-unreachable        3                   1

information-reply       16                  0

information-request     15                  0

net-redirect            5                   0

net-tos-redirect        5                   2

net-unreachable         3                   0

parameter-problem       12                  0

port-unreachable        3                   3

protocol-unreachable    3                   2

reassembly-timeout      11                  1

source-quench           4                   0

source-route-failed     3                   5

timestamp-reply         14                  0

timestamp-request       13                  0

ttl-exceeded            11                  0

 

Description

Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv4 advanced ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, and step.

Examples

# Create an IPv4 advanced ACL rule to permit TCP packets from 129.9.0.0/16 to 202.38.160.0/24 with destination port 80, and log matching packets.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 logging

# Create IPv4 advanced ACL rules to permit all IP packets except the ICMP packets destined for 192.168.1.0/24. The deny rule is entered first: with the default config match order, rules are compared in ascending rule ID, so a permit ip rule entered first would become rule 0 and match every packet, including the ICMP packets that are meant to be denied.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255

[Sysname-acl-adv-3001] rule permit ip

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl number 3002

[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl number 3003

[Sysname-acl-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
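The matching semantics described for the rule command (IPv4 wildcard masks and IPv6 prefixes, the port operators, ANDed TCP flag bits, the established shorthand, automatic rule numbering by step, and evaluation in ascending rule ID under the default config match order) can be checked offline with a small simulator. The following Python is an added example and not H3C code: it models only the subset of the rule command named here, uses constructed packets, and shows why the order in which rules are entered matters, since a permit ip rule entered before a deny rule takes rule ID 0 and shadows the deny.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

def next_rule_id(existing_ids, step=5):
    """Auto-assigned rule ID: the first rule gets 0; each later rule gets the
    nearest multiple of the numbering step above the current highest ID."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step

def wildcard_match(addr, base, wildcard):
    """IPv4 wildcard mask: a 1 bit means "don't care", so 0.0.0.0 is a host match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def prefix_match(addr, prefix):
    """address/prefix-length form used by the IPv6 rule commands."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def port_match(operator, port1, port2, port):
    """source-port / destination-port operators: lt, gt, eq, neq, range."""
    if operator == "eq":
        return port == port1
    if operator == "neq":
        return port != port1
    if operator == "lt":
        return port < port1
    if operator == "gt":
        return port > port1
    if operator == "range":
        return port1 <= port <= port2
    raise ValueError(f"unknown operator {operator!r}")

@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    protocol: str = "ip"                   # "ip" matches every IPv4 protocol
    source: Optional[tuple] = None         # (address, wildcard)
    destination: Optional[tuple] = None
    sport: Optional[tuple] = None          # (operator, port1, port2)
    dport: Optional[tuple] = None
    flags: dict = field(default_factory=dict)   # e.g. {"syn": 1, "ack": 0}
    established: bool = False
    rule_id: Optional[int] = None

    def matches(self, pkt):
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.sport and not port_match(*self.sport, pkt.get("sport", -1)):
            return False
        if self.dport and not port_match(*self.dport, pkt.get("dport", -1)):
            return False
        f = pkt.get("flags", {})
        # Flag bits listed in one rule are ANDed: every one must have the given value.
        if any(f.get(name, 0) != value for name, value in self.flags.items()):
            return False
        # "established" is shorthand for: ACK set or RST set.
        if self.established and not (f.get("ack") or f.get("rst")):
            return False
        return True

class Acl:
    """Rules are tried in ascending rule ID, the default (config) match order."""
    def __init__(self, step=5):
        self.step, self.rules = step, []

    def add(self, rule):
        if rule.rule_id is None:
            rule.rule_id = next_rule_id([r.rule_id for r in self.rules], self.step)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule.rule_id

    def evaluate(self, pkt):
        """Return (action, rule_id) of the first matching rule, or (None, None)."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action, r.rule_id
        return None, None   # no match: the module applying the ACL decides

# Constructed packet: an ICMP message to a host inside 192.168.1.0/24.
ICMP_TO_LAN = {"proto": "icmp", "src": "10.1.1.1", "dst": "192.168.1.7"}
LAN = ("192.168.1.0", "0.0.0.255")

def shadowed_order():
    """permit ip entered first becomes rule 0 and hides the later deny."""
    acl = Acl()
    acl.add(Rule("permit", "ip"))
    acl.add(Rule("deny", "icmp", destination=LAN))
    return acl.evaluate(ICMP_TO_LAN)

def intended_order():
    """deny icmp entered first (rule 0), then permit ip (rule 5)."""
    acl = Acl()
    acl.add(Rule("deny", "icmp", destination=LAN))
    acl.add(Rule("permit", "ip"))
    return acl.evaluate(ICMP_TO_LAN)

if __name__ == "__main__":
    print(next_rule_id([0, 10, 28]), shadowed_order(), intended_order())
```

Running the block prints 30 for the rule-id example in the text (step 5, highest existing ID 28), ('permit', 0) for the shadowed ordering and ('deny', 0) for the intended one. The same shadowing applies to any broad permit entered ahead of a narrower deny; when the rule set cannot be reordered, match-order auto (depth-first) is the alternative the acl command offers.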

rule (IPv4 basic ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *

View

IPv4 basic ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv4 ACL rule has been matched. This keyword is valid only when the ACL is applied to the packet filtering firewall. For information about packet filtering firewall, see Security Configuration Guide.

fragment: Applies the rule only to fragments. A rule without this keyword applies to both fragments and non-fragments.

logging: Logs matching packets. This function requires that the module (for example, a firewall) using the ACL supports logging. If an ACL has been applied to both the packet filtering firewall and policy-based routing modules, do not add or modify a rule that has the logging keyword in the ACL. Doing so can cause rule application failure on both modules. For information about packet filtering firewall, see Security Configuration Guide. For information about policy-based routing, see Layer 3—IP Routing Configuration Guide.

source { source-address sour-wildcard | any }: Matches a source address. The source-address sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

Description

Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv4 basic ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, and step.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255

[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255

[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Sysname-acl-basic-2000] rule deny source any

rule (IPv6 advanced ACL view)

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | source | source-port | time-range | vpn-instance ] *

View

IPv6 advanced ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Matches protocol carried over IPv6. It can be a number in the range of 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 12 describes the parameters that you can specify regardless of the value that the protocol argument takes.

Table 12 Match criteria and other rule information for IPv6 advanced ACL rules

source { source source-prefix | source/source-prefix | any }: Specifies a source IPv6 address. The source and source-prefix arguments represent an IPv6 source address and a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

destination { dest dest-prefix | dest/dest-prefix | any }: Specifies a destination IPv6 address. The dest and dest-prefix arguments represent an IPv6 destination address and a prefix length in the range of 1 to 128. The any keyword specifies any IPv6 destination address.

counting: Counts the number of times the rule has been matched. This keyword is valid only when the ACL is applied to the packet filtering firewall.

dscp dscp: Specifies a DSCP value. The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

flow-label flow-label-value: Specifies a flow label value in the IPv6 packet header. The flow-label-value argument is in the range of 0 to 1048575.

logging: Logs matching packets. This function requires that the module using the ACL supports logging. If an ACL has been applied to both the packet filtering firewall and policy-based routing modules, do not add or modify a rule that has the logging keyword in the ACL. Doing so can cause rule application failure on both modules. For information about packet filtering firewall, see Security Configuration Guide. For information about policy-based routing, see Layer 3—IP Routing Configuration Guide.

fragment: Applies the rule only to fragments. Without this keyword, the rule applies to both fragments and non-fragments.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

 

If the protocol argument takes tcp (6) or udp (17), you can set the parameters shown in Table 13.

Table 13 TCP/UDP-specific parameters for IPv6 advanced ACL rules

source-port operator port1 [ port2 ]: Specifies one or more TCP or UDP source ports. The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port operator port1 [ port2 ]: Specifies one or more TCP or UDP destination ports. The operator, port1, and port2 arguments are the same as for source-port.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flag bits (ACK, FIN, PSH, RST, SYN, and URG). Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The relationship between the TCP flags in a rule is AND: a packet matches only if every listed flag bit has the specified value.

established: Matches packets of an established TCP connection. Parameter specific to TCP. A rule with this keyword matches TCP packets with the ACK or RST flag bit set.

 

If the protocol argument takes icmpv6 (58), you can set the parameters shown in Table 14.

Table 14 ICMPv6-specific parameters for IPv6 advanced ACL rules

icmp6-type { icmp6-type icmp6-code | icmp6-message }: Specifies the ICMPv6 message type and code. The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 15.

 

Table 15 ICMPv6 message names supported in IPv6 advanced ACL rules

ICMPv6 message name       ICMPv6 message type   ICMPv6 message code

echo-reply                129                   0

echo-request              128                   0

err-Header-field          4                     0

frag-time-exceeded        3                     1

hop-limit-exceeded        3                     0

host-admin-prohib         1                     1

host-unreachable          1                     3

neighbor-advertisement    136                   0

neighbor-solicitation     135                   0

network-unreachable       1                     0

packet-too-big            2                     0

port-unreachable          1                     4

redirect                  137                   0

router-advertisement      134                   0

router-solicitation       133                   0

unknown-ipv6-opt          4                     2

unknown-next-hdr          4                     1

 

Description

Use the rule command to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv6 advanced ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.

To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.

Related commands: acl ipv6, display acl ipv6, and step.

Examples

# Create an IPv6 advanced ACL rule to permit TCP packets from 2030:5060::/64 to FE80:5060::/96 with destination port 80, and log matching packets.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80 logging

# Create IPv6 advanced ACL rules to permit all IPv6 packets except the ICMPv6 packets destined for FE80:5060:1001::/48. The deny rule is entered first: with the default config match order, rules are compared in ascending rule ID, so a permit ipv6 rule entered first would become rule 0 and match every packet, including the ICMPv6 packets that are meant to be denied.

<Sysname> system-view

[Sysname] acl ipv6 number 3001

[Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48

[Sysname-acl6-adv-3001] rule permit ipv6

# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl ipv6 number 3002

[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl ipv6 number 3003

[Sysname-acl6-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap

rule (IPv6 basic ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *

View

IPv6 basic ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv6 ACL rule has been matched. This keyword is valid only when the ACL is applied to the packet filtering firewall. For information about packet filtering firewall, see Security Configuration Guide.

fragment: Applies the rule only to fragments. A rule without this keyword applies to both fragments and non-fragments.

logging: Logs matching packets. This function requires that the module (for example, a firewall) using the ACL supports logging. If an ACL has been applied to both the packet filtering firewall and policy-based routing modules, do not add or modify a rule that has the logging keyword in the ACL. Doing so can cause rule application failure on both modules. For information about packet filtering firewall, see Security Configuration Guide. For information about policy-based routing, see Layer 3—IP Routing Configuration Guide.

source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Matches a source IPv6 address. The ipv6-address and prefix-length arguments represent a source IPv6 address and a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.

vpn-instance vpn-instance-name: Applies the rule to packets in a VPN. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to non-VPN packets.

Description

Use the rule command to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config.

Use the undo rule command to delete an entire IPv6 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

By default, an IPv6 basic ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.

To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.

Related commands: acl ipv6, display acl ipv6, and step.

Examples

# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 1001:: 16

[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32

[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48

[Sysname-acl6-basic-2000] rule deny source any

rule (user-defined ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *

undo rule rule-id

View

User-defined ACL view

Default level

2: System level

Parameters

rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

ipv4: Specifies that the offset starts 20 bytes after the beginning of the IPv4 header.

ipv6: Specifies that the offset starts 40 bytes after the beginning of the IPv6 header.

l2: Specifies that the offset starts two bytes before the Layer 3 header.

l4: Specifies that the offset starts 20 bytes after the Layer 4 header.

rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two, so that the pattern covers whole bytes.

rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. The mask is ANDed with the bytes selected from the packet at the specified offset, and the result is compared with the match pattern; a zero bit in the mask makes the corresponding packet bit irrelevant to the match.

offset: Offset in bytes after which the match operation begins.

&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.

counting: Counts the number of times the user-defined ACL rule has been matched.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter.

Description

Use the rule command to create a user-defined ACL rule. You cannot edit a user-defined ACL rule. If you number the ACL rule the same as an existing rule in the ACL, the new rule overwrites the old one.

Use the undo rule command to delete an entire user-defined ACL rule.

By default, a user-defined ACL does not contain any rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating has the same deny or permit statement as another rule in the ACL, your creation attempt will fail.

To view rules in an ACL and their rule IDs, use the display acl all command.

Related commands: acl, display acl, and step.

Examples

# Create a rule for user-defined ACL 5005 to permit ARP packets.

<Sysname> system-view

[Sysname] acl number 5005

[Sysname-acl-user-5005] rule permit l2 0806 ffff 0
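The following is an added example, not part of the H3C documentation and not H3C code: a small Python model of how the { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset patterns of a user-defined ACL rule are matched against a frame, using the base-offset definitions given above. It reproduces the page's ARP rule (rule permit l2 0806 ffff 0) and adds a constructed rule that matches TCP segments with only the SYN flag set. Assumptions not stated on the page: frames are Ethernet II, optionally 802.1Q tagged; the l4 base is taken as 20 bytes past the start of the Layer 4 header; all patterns in a rule must match (AND). All frames are constructed inline, not captured traffic.

```python
# Added example (not H3C code): model of user-defined ACL pattern matching.
from dataclasses import dataclass
from typing import List

ETHERTYPE_VLAN, ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP = 0x8100, 0x0800, 0x86DD, 0x0806


@dataclass
class Pattern:
    base: str         # "l2", "ipv4", "ipv6" or "l4"
    rule_string: str  # hexadecimal match pattern, e.g. "0806"
    rule_mask: str    # hexadecimal mask of the same length, e.g. "ffff"
    offset: int       # bytes after the base at which the match begins

    def __post_init__(self):
        # Page: rule-string length is a multiple of two; mask length equals it.
        if len(self.rule_string) % 2 or len(self.rule_string) != len(self.rule_mask):
            raise ValueError("rule-string must be whole bytes and as long as rule-mask")
        self.value, self.mask = bytes.fromhex(self.rule_string), bytes.fromhex(self.rule_mask)


def l3_start(frame: bytes) -> int:
    """Offset of the Layer 3 header: 14 for untagged Ethernet II, +4 per 802.1Q tag."""
    l3 = 14
    while int.from_bytes(frame[l3 - 2:l3], "big") == ETHERTYPE_VLAN:
        l3 += 4
    return l3


def base_offset(frame: bytes, base: str) -> int:
    """Where the offset argument counts from, following the page's definitions."""
    l3 = l3_start(frame)
    ethertype = int.from_bytes(frame[l3 - 2:l3], "big")
    if base == "l2":
        return l3 - 2           # two bytes before the L3 header: the EtherType field
    if base == "ipv4":
        return l3 + 20          # a fixed 20 bytes in, regardless of IPv4 options
    if base == "ipv6":
        return l3 + 40          # just past the fixed IPv6 header
    if base == "l4":
        if ethertype == ETHERTYPE_IPV4:
            l4 = l3 + (frame[l3] & 0x0F) * 4   # honour IHL to locate the L4 header
        elif ethertype == ETHERTYPE_IPV6:
            l4 = l3 + 40                       # assumption: no extension headers
        else:
            raise ValueError("frame carries no Layer 4 header")
        return l4 + 20          # assumption: 20 bytes past the start of the L4 header
    raise ValueError(base)


def pattern_matches(frame: bytes, p: Pattern) -> bool:
    start = base_offset(frame, p.base) + p.offset
    window = frame[start:start + len(p.value)]
    if len(window) < len(p.value):
        return False            # frame too short to hold the field: no match
    # The mask is ANDed with the bytes taken from the frame, then compared.
    return all((b & m) == v for b, m, v in zip(window, p.mask, p.value))


def rule_matches(frame: bytes, patterns: List[Pattern]) -> bool:
    if not 1 <= len(patterns) <= 8:
        raise ValueError("a rule carries between one and eight patterns")
    return all(pattern_matches(frame, p) for p in patterns)


# Constructed sample frames (not captured traffic).
MAC_DST, MAC_SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("0a0b0c0d0e0f")


def eth(ethertype: int, payload: bytes) -> bytes:
    return MAC_DST + MAC_SRC + ethertype.to_bytes(2, "big") + payload


def ipv4_tcp_frame(tcp_flags: int, ihl_words: int = 5) -> bytes:
    """IPv4/TCP frame to port 22; ihl_words > 5 pads the IPv4 header with NOP options."""
    ihl = ihl_words * 4
    ip = (bytes([0x40 | ihl_words, 0]) + (ihl + 20).to_bytes(2, "big") + bytes(4)
          + bytes([64, 6]) + bytes(2) + bytes([10, 0, 0, 1, 10, 0, 0, 2]) + b"\x01" * (ihl - 20))
    tcp = ((40000).to_bytes(2, "big") + (22).to_bytes(2, "big") + bytes(8)
           + bytes([0x50, tcp_flags]) + (65535).to_bytes(2, "big") + bytes(4))
    return eth(ETHERTYPE_IPV4, ip + tcp)


ARP_FRAME = eth(ETHERTYPE_ARP, bytes.fromhex("0001080006040001") + bytes(20))

# The page's example, rule permit l2 0806 ffff 0, as a pattern list.
ARP_RULE = [Pattern("l2", "0806", "ffff", 0)]
# Constructed: TCP with SYN set and FIN/RST/PSH/ACK/URG clear (the flags byte is 13
# bytes into the TCP header). It lands on the TCP header only when the IPv4 header
# has no options, because the ipv4 base is a fixed 20 bytes and does not follow IHL.
SYN_RULE = [Pattern("ipv4", "02", "3f", 13)]
```

The mask 3f in SYN_RULE deliberately ignores the two ECN bits, so a SYN with ECE/CWR set still matches, while a SYN-ACK does not. The IHL case shows the practical consequence of the fixed ipv4 base: a segment carrying IPv4 options is not matched by a rule written for option-free packets, so a filter that must see every SYN should not rely on that base alone.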

rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view

Default level

2: System level

Parameters

rule-id: Specifies the ID of an existing ACL rule. The ID is in the range of 0 to 65534.

text: Provides a description for the ACL rule, a case-sensitive string of 1 to 127 characters.

Description

Use the rule comment command to configure a description for an existing ACL rule or edit its description for easy identification.

Use the undo rule comment command to delete the ACL rule description.

By default, an ACL rule has no description.

Related commands: display acl and display acl ipv6.

Examples

# Create a rule in IPv4 basic ACL 2000 and configure a description for this rule.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0

[Sysname-acl-basic-2000] rule 0 comment This rule is used on GE3/1/2.

# Create a rule in IPv6 advanced ACL 3000 and configure a description for this rule.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule 0 permit tcp source 2030:5060::9050/64

[Sysname-acl6-adv-3000] rule 0 comment This rule is used in GE3/1/1

step

Syntax

step step-value

undo step

View

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default level

2: System level

Parameters

step-value: ACL rule numbering step, in the range of 1 to 20.

Description

Use the step command to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8. Because renumbering changes the IDs that rule comment and undo rule refer to, check the new IDs with display acl or display acl ipv6 before referencing a rule by ID after changing the step.

Use the undo step command to restore the default.

The default rule numbering step is 5. After you restore the default numbering step by the undo step command, the rules are renumbered in steps of 5.

Related commands: display acl and display acl ipv6.

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] step 2

# Set the rule numbering step to 2 for IPv6 basic ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] step 2

time-range

Syntax

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View

System view

Default level

2: System level

Parameters

time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter and to avoid confusion, cannot be all.

start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock), and each value is in the range of 00:00 to 23:59. The end time must be greater than the start time.

days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and make sure that they do not overlap. These values can take one of the following forms:

·           A digit in the range of 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.

·           A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.

·           working-day for Monday through Friday.

·           off-day for Saturday and Sunday.

·           daily for the whole week.

from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If not specified, the start time is 01/01/1970 00:00, the earliest time available in the system.

to time2 date2: Specifies the end time and date of the absolute statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If not specified, the end time is 12/31/2100 24:00, the latest time available in the system.

Description

Use the time-range command to configure a time range.

Use the undo time-range command to delete a time range or a statement in the time range.

By default, no time range exists.

You can create multiple statements in a time range. Each time statement can take one of the following forms:

·           Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.

·           Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.

·           Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.

The active period of a time range is calculated as follows:

1.      Taking the union of all periodic statements

2.      Taking the union of all absolute statements

3.      Taking the intersection of the two sets as the active period of the time range

Because the periodic and absolute parts of a compound statement are combined separately in steps 1 and 2, a periodic statement is not tied to the absolute period entered on the same command line. Every periodic statement applies within every absolute period of the time range.

You can create a maximum of 256 time ranges, each with 32 periodic statements and 12 absolute statements at most.

Related commands: display time-range.

Examples

# Create a periodic time range t1, setting it to be active between 8:00 to 18:00 during working days.

<Sysname> system-view

[Sysname] time-range t1 8:0 to 18:0 working-day

# Create an absolute time range t2, setting it to be active in the whole year of 2010.

<Sysname> system-view

[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.

<Sysname> system-view

[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t4 from two compound statements, one for 10:00 to 12:00 on Mondays in January 2010 and one for 14:00 to 16:00 on Wednesdays in June 2010. Because periodic statements and absolute statements are combined separately before the intersection is taken, t4 is active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in both January and June of 2010.

<Sysname> system-view

[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010

[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
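The following is an added example, not part of the H3C documentation and not H3C code: a Python model of time-range evaluation that applies the rule stated above (union of periodic statements, union of absolute statements, intersection of the two) to the page's own t1 to t4 examples, so that the behaviour of t4 can be checked against specific dates. Assumptions not stated on the page: end instants are exclusive (08:00 to 12:00 covers 08:00 up to but not including 12:00, and 24:00 means 00:00 of the next day); a time range with no statement of one kind is unrestricted by that kind.

```python
# Added example (not H3C code): model of time-range active-period evaluation.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# The page numbers days 0..6 = Sunday..Saturday; Python's weekday() is Monday=0.
DAY_KEYWORDS = {"sun": {6}, "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4},
                "sat": {5}, "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6},
                "daily": set(range(7))}


def parse_days(tokens: List[str]) -> Set[int]:
    days: Set[int] = set()
    for tok in tokens:
        new = {(int(tok) + 6) % 7} if tok.isdigit() and 0 <= int(tok) <= 6 else DAY_KEYWORDS.get(tok)
        if new is None or days & new:          # unknown token, or overlapping day values
            raise ValueError(f"bad or overlapping day value: {tok}")
        days |= new
    if not days:
        raise ValueError("a periodic statement needs at least one day")
    return days


def parse_hhmm(s: str, allow_2400: bool = False) -> int:
    h, m = (int(x) for x in s.split(":"))
    if not (0 <= m <= 59 and (0 <= h <= 23 or (allow_2400 and h == 24 and m == 0))):
        raise ValueError(f"bad time: {s}")
    return h * 60 + m


def parse_datetime(time_s: str, date_s: str, allow_2400: bool = False) -> datetime:
    a, b, c = (int(x) for x in date_s.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)   # YYYY/MM/DD or MM/DD/YYYY
    if not 1970 <= year <= 2100:
        raise ValueError(f"bad year: {date_s}")
    # 24:00 becomes 00:00 of the following day.
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(time_s, allow_2400))


@dataclass
class TimeRange:
    name: str
    periodic: List[Tuple[int, int, Set[int]]] = field(default_factory=list)
    absolute: List[Tuple[datetime, datetime]] = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= len(self.name) <= 32 and self.name[0].isalpha() and self.name.lower() != "all"):
            raise ValueError("name must be 1-32 characters, start with a letter, and not be all")

    def add(self, *tokens: str) -> "TimeRange":
        """Takes the words that follow the name on the CLI, e.g. add("8:0", "to", "18:0", "working-day")."""
        rest = list(tokens)
        if rest and rest[0] not in ("from", "to"):            # periodic part
            if len(rest) < 4 or rest[1] != "to":
                raise ValueError("expected start-time to end-time days")
            start, end = parse_hhmm(rest[0]), parse_hhmm(rest[2])
            if end <= start:
                raise ValueError("end time must be greater than start time")
            rest = rest[3:]
            n = next((i for i, t in enumerate(rest) if t in ("from", "to")), len(rest))
            if len(self.periodic) >= 32:
                raise ValueError("at most 32 periodic statements")
            self.periodic.append((start, end, parse_days(rest[:n])))
            rest = rest[n:]
        if rest:                                               # absolute part
            frm, to = datetime(1970, 1, 1), datetime(2100, 12, 31) + timedelta(days=1)
            if rest[0] == "from":
                frm, rest = parse_datetime(rest[1], rest[2]), rest[3:]
            if rest and rest[0] == "to":
                to, rest = parse_datetime(rest[1], rest[2], allow_2400=True), rest[3:]
            if rest or to <= frm:
                raise ValueError("bad absolute statement")
            if len(self.absolute) >= 12:
                raise ValueError("at most 12 absolute statements")
            self.absolute.append((frm, to))
        return self

    def active(self, t: datetime) -> bool:
        minute = t.hour * 60 + t.minute
        in_periodic = not self.periodic or any(
            t.weekday() in days and start <= minute < end for start, end, days in self.periodic)
        in_absolute = not self.absolute or any(frm <= t < to for frm, to in self.absolute)
        return in_periodic and in_absolute                     # intersection of the two unions

    def active_at(self, iso: str) -> bool:
        """Convenience wrapper taking an ISO 8601 string such as "2010-01-04T09:00"."""
        return self.active(datetime.fromisoformat(iso))


def page_examples() -> dict:
    """The four time ranges from the examples above, entered as on the CLI."""
    t1 = TimeRange("t1").add("8:0", "to", "18:0", "working-day")
    t2 = TimeRange("t2").add("from", "0:0", "1/1/2010", "to", "23:59", "12/31/2010")
    t3 = TimeRange("t3").add("8:0", "to", "12:0", "off-day",
                             "from", "0:0", "1/1/2010", "to", "23:59", "12/31/2010")
    t4 = (TimeRange("t4")
          .add("10:0", "to", "12:0", "1", "from", "0:0", "1/1/2010", "to", "23:59", "1/31/2010")
          .add("14:0", "to", "16:0", "3", "from", "0:0", "6/1/2010", "to", "23:59", "6/30/2010"))
    return {"t1": t1, "t2": t2, "t3": t3, "t4": t4}
```

Evaluating t4 with this model shows why two compound statements do not behave like two independent windows: Wednesday 6 January 2010 at 15:00 is active even though the Wednesday statement was entered with the June period, because both periodic statements are unioned before being intersected with the union of both absolute periods. If a rule must be active only on Mondays in January and only on Wednesdays in June, use two separate time ranges.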