acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Default level
2: System level
Parameters
number acl-number: Specifies the number of an access control list (ACL):
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
· 5000 to 5999 for user-defined ACLs
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
· auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
· config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
The match-order keyword is not available for user-defined ACLs. They always use the config order.
all: Deletes all IPv4 ACLs, including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.
Description
Use acl to create an IPv4 basic, IPv4 advanced, Ethernet frame header, or user-defined ACL and enter its view. If the ACL has been created, you enter its view directly.
Use undo acl to delete the specified IPv4 ACL or all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs).
By default, no ACL exists.
You can assign a name to an IPv4 ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl command.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Default level
2: System level
Parameters
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
· 5000 to 5999 for user-defined ACLs
name source-acl-name: Specifies a source IPv4 ACL that already exists by its name. The source-acl-name argument takes a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
· 5000 to 5999 for user-defined ACLs
name dest-acl-name: Assigns a unique name to the IPv4 ACL you are creating. The dest-acl-name takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use acl copy to create an IPv4 ACL by copying an IPv4 ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name to an IPv4 ACL only when you create it. After an IPv4 ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl ipv6
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
View
System view
Default level
2: System level
Parameters
number acl6-number: Specifies the number of an IPv6 ACL:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name to the IPv6 ACL for easy identification. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
· auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
· config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv6 ACLs, including IPv6 basic and IPv6 advanced ACLs.
Description
Use acl ipv6 to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly.
Use undo acl ipv6 to delete the specified IPv6 ACL or all IPv6 ACLs.
By default, no ACL exists.
You can assign a name to an IPv6 ACL only when you create it. After an IPv6 ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl ipv6 command.
Examples
# Create IPv6 ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]
acl ipv6 copy
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
View
System view
Default level
2: System level
Parameters
source-acl6-number: Specifies a source IPv6 ACL that already exists by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name source-acl6-name: Specifies a source IPv6 ACL that already exists by its name. The source-acl6-name argument takes a case-insensitive string of 1 to 63 characters.
dest-acl6-number: Assigns a unique number to the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name dest-acl6-name: Assigns a unique name to the IPv6 ACL you are creating. The dest-acl6-name takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use acl ipv6 copy to create an IPv6 ACL by copying an IPv6 ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name to an IPv6 ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002
acl ipv6 { enable | disable }
Syntax
acl ipv6 enable
acl ipv6 disable
View
System view
Default level
3: Manage level
Parameters
None
Description
Use acl ipv6 enable to enable 80-byte ACL rule match mode on an EC1 or EF card. This command sets the length limit for the match criteria in each ACL rule to 80 bytes. The command takes effect only after you restart the switch.
Use acl ipv6 disable to restore the default.
By default, the 40-byte ACL rule match mode applies to an EC1 or EF card. The length limit for the match criteria in each ACL rule is 40 bytes.
The acl ipv6 enable command is valid only for an EC1 or EF card. To support user-defined, IPv6 basic, and IPv6 advanced ACLs on an EC1 or EF card, you must configure the acl ipv6 enable command first.
Make sure all member switches of an IRF fabric use the same ACL rule match mode. For more information about IRF, see IRF Configuration Guide.
Examples
# Enable 80-byte ACL rule match mode.
<Sysname> system-view
[Sysname] acl ipv6 enable
acl ipv6 logging frequence
Syntax
acl ipv6 logging frequence frequence
undo acl ipv6 logging frequence
View
System view
Default level
2: System level
Parameters
frequence: Specifies the interval in minutes at which IPv6 packet filtering logs are generated and output. It must be a multiple of 5, in the range of 0 to 1440. To disable generating IPv6 logs, assign 0 to the argument.
Description
Use acl ipv6 logging frequence to set the interval for generating and outputting IPv6 packet filtering logs. The log information includes the number of matching IPv6 packets and the matching IPv6 ACL rules. This command logs only for IPv6 basic and advanced ACL rules that have the logging keyword.
Use undo acl ipv6 logging frequence to restore the default.
By default, the interval is 0. No IPv6 packet filtering logs are generated.
Related commands: packet-filter ipv6, rule (IPv6 advanced ACL view), and rule (IPv6 basic ACL view).
Examples
# Enable the device to generate and output IPv6 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl ipv6 logging frequence 10
acl ipv6 name
Syntax
acl ipv6 name acl6-name
View
System view
Default level
2: System level
Parameters
acl6-name: Specifies the name of an existing IPv6 ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use acl ipv6 name to enter the view of an IPv6 ACL that has a name.
Related commands: acl ipv6.
Examples
# Enter the view of IPv6 ACL flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
acl logging frequence
Syntax
acl logging frequence frequence
undo acl logging frequence
View
System view
Default level
2: System level
Parameters
frequence: Specifies the interval in minutes at which IPv4 packet filtering logs are generated and output. It must be a multiple of 5, in the range of 0 to 1440. To disable generating IPv4 logs, assign 0 to the argument.
Description
Use acl logging frequence to set the interval for generating and outputting IPv4 packet filtering logs. The log information includes the number of matching IPv4 packets and the matching IPv4 ACL rules. This command logs only for IPv4 basic and advanced ACL rules that have the logging keyword.
Use undo acl logging frequence to restore the default.
By default, the interval is 0. No IPv4 packet filtering logs are generated.
Related commands: packet-filter, rule (IPv4 advanced ACL view), and rule (IPv4 basic ACL view).
Examples
# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl logging frequence 10
acl mode
Syntax
acl mode { standard | advanced }
View
System view
Default level
3: Manage level
Parameters
standard: Specifies the standard ACL mode. In this mode, the ACL rule length is 24 bytes on EB and EC2 cards.
advanced: Specifies the advanced ACL mode. In this mode, the ACL rule length is 48 bytes on EB and EC2 cards.
Description
Use acl mode to configure the ACL operating mode on EB and EC2 cards.
By default, EB and EC2 cards operate in advanced ACL mode.
The command is valid on only EB and EC2 cards.
After you configure this command, you must save the configuration and then restart the switch to make the configuration take effect.
When an EB or EC2 card is operating in advanced ACL mode, the card supports Ethernet frame header, IPv4 basic, IPv4 advanced, IPv6 basic, IPv6 advanced, and user-defined ACLs. When an EB or EC2 card is operating in standard ACL mode, the card supports only Ethernet frame header, IPv4 basic, and IPv4 advanced ACLs.
Make sure all member switches of an IRF fabric use the same ACL operating mode. For more information about IRF, see IRF Configuration Guide.
Switching the ACL operating mode changes the ACL rule length and the number of ACL rules supported on EB or EC2 cards. This might invalidate ACL-related configurations. Use this feature with caution. The number of ACL rules supported in standard ACL mode is twice the number of ACL rules supported in advanced ACL mode.
Related commands: display acl mode.
Examples
# Configure EB and EC2 cards to operate in standard ACL mode.
<Sysname> system-view
[Sysname] acl mode standard
ACL mode has been changed, need be saved and will take effect after system restart.
acl name
Syntax
acl name acl-name
View
System view
Default level
2: System level
Parameters
acl-name: Specifies the name of an existing IPv4 ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use acl name to enter the view of an IPv4 ACL that has a name.
Related commands: acl.
Examples
# Enter the view of IPv4 ACL flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2002-flow]
description
Syntax
description text
undo description
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view
Default level
2: System level
Parameters
text: Specifies an ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use description to configure a description for an ACL.
Use undo description to remove the ACL description.
By default, an ACL has no ACL description.
Related commands: display acl and display acl ipv6.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
# Configure a description for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is an IPv6 basic ACL.
display acl
Syntax
Standalone mode:
display acl { acl-number | all | name acl-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
IRF mode:
display acl { acl-number | all | name acl-name } [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
· 2000 to 2999 for basic ACLs
· 3000 to 3999 for advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
· 5000 to 5999 for user-defined ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
slot slot-number: Displays the match statistics for IPv4 ACLs on a card. The slot-number argument specifies a card by its slot number. Use this option when your switch is operating in standalone (the default) mode. If no slot is provided, the command displays configuration information about IPv4 ACLs on the device.
chassis chassis-number slot slot-number: Displays the match statistics for IPv4 ACLs on an IRF member device. The chassis-number argument represents the member ID of the device in the IRF fabric, and the slot-number argument represents the number of the slot that holds the card. Use this option when your switch is operating in IRF mode. For the IRF member ID of a switch, use the display device command. If no IRF member switch is specified, the command displays configuration information about all IPv4 ACLs on the IRF fabric.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl to display configuration and match statistics for the specified or all IPv4 ACLs.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics for IPv4 ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, named flow, 2 rules,
Statistics is enabled
ACL's step is 5
rule 1 permit source 1.1.1.1 0 (5 times matched)
rule 2 permit source 1.1.1.2 0 (No statistics resource)
Table 1 Command output
Field | Description |
---|---|
Basic ACL 2001 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2001. |
named flow | The name of the ACL is flow. "-none-" means the ACL is not named. |
2 rules | The ACL contains two rules. |
Statistics is enabled | Rule match counting is enabled for this ACL. |
ACL's step is 5 | The rule numbering step is 5. |
5 times matched | There have been five matches for the rule. The statistic counts only ACL matches in the packet filter. This field is not displayed when no packets have matched the rule. |
No statistics resource | Resources are not enough for counting matches for the IPv4 rules. This information indicates that the switch failed to allocate resources for counting matches for the rule when you applied the packet-filter command to an interface. Even if resources have become available after that, the switch does not change the information or count matches for the rule. To count matches for the rule, you must delete and then add the rule. |
Uncompleted | Applying the rule to hardware failed because no sufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied. |
display acl ipv6
Syntax
Standalone mode:
display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
IRF mode:
display acl ipv6 { acl6-number | all | name acl6-name } [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
all: Displays information for all IPv6 ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
slot slot-number: Displays the match statistics for IPv6 ACLs on a card. The slot-number argument represents the slot number of the card. Use this option when your switch is operating in standalone (the default) mode. If no slot number is provided, the command displays configuration information about all IPv6 ACLs on the device.
chassis chassis-number slot slot-number: Displays the match statistics for IPv6 ACLs on an IRF member device. The chassis-number argument represents the member ID of the device in an IRF fabric, and the slot-number argument represents the number of the slot that holds the card. Use this option when your switch is operating in IRF mode. For the IRF member ID of a switch, use the display device command. If no IRF member device is specified, the command displays configuration information about all IPv6 ACLs on the device.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl ipv6 to display the configuration and match statistics for the specified IPv6 ACL or all IPv6 ACLs.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics for IPv6 ACL 2001.
<Sysname> display acl ipv6 2001
Basic IPv6 ACL 2001, named flow, 1 rule,
Statistics is enabled
ACL's step is 5
rule 0 permit source ::1/128 (No statistics resource)
Table 2 Command output
Field | Description |
---|---|
Basic IPv6 ACL 2001 | Category and number of the ACL. The following field information is about IPv6 basic ACL 2001. |
named flow | The name of the ACL is flow. "-none-" means the ACL is not named. |
1 rule | The ACL contains one rule. |
Statistics is enabled | Rule match counting is enabled for this ACL. |
ACL's step is 5 | The rule numbering step is 5. |
5 times matched | There have been five matches for the rule. The statistic counts only IPv6 ACL matches in the packet filter. This field is not displayed when no packets have matched the rule. |
No statistics resource | Resources are not enough for counting matches for the IPv6 ACL rules. This information shows that the switch failed to allocate resources for counting matches for the rule when you applied the packet-filter command to an interface. Even if resources have become available after that, the switch does not change the information or count matches for the rule. To count matches for the rule, you must delete and then add the rule. |
Uncompleted | Applying the rule to hardware failed because no sufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied. |
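The two markers that matter for security review are Uncompleted (the rule never reached hardware, so a deny rule in that state filters nothing) and No statistics resource (the rule may be enforced, but its counters cannot confirm that traffic is hitting it). The following Python parser is an added example, not part of this command reference or of the switch software: it reads the output of display acl and display acl ipv6 in the format shown above and lists rules in either state. The sample text is constructed from the documented format; the page shows "(5 times matched)" and "(No statistics resource)" appended to a rule line, and the example assumes "(Uncompleted)" is printed in the same position.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the display acl / display acl ipv6 output format.
# Placing "(Uncompleted)" after the rule text, like the other two markers,
# is an assumption; the page documents the field but not a full line.
SAMPLE_DISPLAY_ACL = """\
Basic ACL 2001, named flow, 2 rules,
Statistics is enabled
ACL's step is 5
rule 1 permit source 1.1.1.1 0 (5 times matched)
rule 2 permit source 1.1.1.2 0 (No statistics resource)
Advanced ACL 3000, named -none-, 3 rules,
Statistics is enabled
ACL's step is 5
rule 0 deny ip source 10.0.0.0 0.0.0.255 (Uncompleted)
rule 5 permit ip source 10.0.1.0 0.0.0.255 (12 times matched)
rule 10 deny ip
Basic IPv6 ACL 2001, named flow, 1 rule,
Statistics is enabled
ACL's step is 5
rule 0 permit source ::1/128 (No statistics resource)
"""

HEADER_RE = re.compile(
    r"^(?P<category>.+?) ACL (?P<number>\d+), named (?P<name>\S+), (?P<count>\d+) rules?,")
RULE_RE = re.compile(r"^rule (?P<id>\d+) (?P<body>.*?)(?: \((?P<marker>[^)]*)\))?$")


@dataclass
class Rule:
    rule_id: int
    body: str
    marker: Optional[str]  # "5 times matched", "No statistics resource", "Uncompleted" or None

    @property
    def matches(self) -> Optional[int]:
        """Match count when the device printed one, else None."""
        m = re.fullmatch(r"(\d+) times matched", self.marker or "")
        return int(m.group(1)) if m else None


@dataclass
class Acl:
    category: str        # "Basic", "Advanced", "Basic IPv6", ...
    number: int
    name: Optional[str]  # None when the device prints -none-
    rules: List[Rule] = field(default_factory=list)


def parse_display_acl(text: str) -> List[Acl]:
    """Group each rule line under the ACL header that precedes it."""
    acls: List[Acl] = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            name = None if h["name"] == "-none-" else h["name"]
            acls.append(Acl(h["category"], int(h["number"]), name))
            continue
        r = RULE_RE.match(line)
        if r and acls:
            acls[-1].rules.append(Rule(int(r["id"]), r["body"], r["marker"]))
    return acls


def audit(acls: List[Acl]):
    """Flag rules the hardware did not program and rules without counters."""
    findings = []
    for acl in acls:
        for rule in acl.rules:
            if rule.marker == "Uncompleted":
                findings.append((acl.category, acl.number, rule.rule_id, "NOT_IN_HARDWARE"))
            elif rule.marker == "No statistics resource":
                findings.append((acl.category, acl.number, rule.rule_id, "NO_COUNTERS"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_display_acl(SAMPLE_DISPLAY_ACL)):
        print("%s ACL %d rule %d: %s" % f)
```

Feed it the captured output of display acl all and display acl ipv6 all from each IRF member; a NOT_IN_HARDWARE finding on a deny rule is a filtering gap to treat as an incident, and the page's remedy for NO_COUNTERS is to delete and re-add the rule once resources are available.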
display acl ipv6 { inbound | outbound }
Syntax
display acl ipv6 { inbound | outbound } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
inbound: Displays the status of the ACL rule match mode in the inbound direction, namely, the length limit for the match criteria in each ACL rule applied in the inbound direction.
outbound: Displays the status of the ACL rule match mode in the outbound direction, namely, the length limit for the match criteria in each ACL rule applied in the outbound direction.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl ipv6 { inbound | outbound } to display the status of the ACL rule match mode.
When the switch operates in standard mode, this command does not take effect.
Related command: acl ipv6 enable.
Examples
# Display the status of the ACL rule match mode in the inbound direction.
<Sysname> display acl ipv6 inbound
Current ACL IPv6 inbound mode : Disable
ACL IPv6 inbound mode after system restart: Enable
Notice: Changing ACL IPv6 mode will take effect only after system restart.
Table 3 Command output
Field | Description |
---|---|
Current ACL IPv6 inbound mode | Status of the current ACL rule match mode in the inbound direction. Disable means that 40-byte ACL rule match mode is adopted. |
ACL IPv6 inbound mode after system restart | Status of the ACL rule match mode in the inbound direction after system restart. Enable means that 80-byte ACL rule match mode is adopted. |
display acl mode
Syntax
display acl mode [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl mode to display the ACL operating mode of EB and EC2 cards.
Related commands: acl mode.
Examples
# Display the ACL operating mode of EB and EC2 cards.
<Sysname> display acl mode
Current ACL mode : advanced
ACL mode after system restart: standard
Notice: Changing ACL mode will take effect only after system restart.
Table 4 Command output
Field | Description |
---|---|
Current ACL mode | Operating mode of EB and EC2 cards: advanced (advanced ACL mode) or standard (standard ACL mode). |
ACL mode after system restart | Operating mode of EB and EC2 cards after the system is restarted: advanced (advanced ACL mode) or standard (standard ACL mode). |
Changing ACL mode will take effect only after system restart. | Indicates that you must restart the switch to make the ACL operating mode configuration take effect. |
display acl resource
Syntax
Standalone mode:
display acl resource [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
IRF mode:
display acl resource [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
slot slot-number: Displays the usage of ACL rules on a card. The slot-number argument specifies the slot number of the card. If no slot number is specified, the usage of ACL rules on the main board is displayed. Use this option when your switch is operating in standalone (the default) mode.
chassis chassis-number slot slot-number: Displays the usage of ACL resources of a card on an IRF member device. The chassis-number argument represents the member ID of the device in an IRF fabric, and the slot-number argument represents the number of the slot that holds the card. If no IRF member device is specified, the usage of ACL resources of all main boards in the IRF fabric is displayed. Use this option when your switch is operating in IRF mode. For more information about IRF, see IRF Configuration Guide.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl resource to display the usage of ACL rules.
If a card does not support counting for ACL rules, the command displays only the slot number of the card.
Examples
# Display the usage of ACL rules for slot 3 on a device.
<Sysname> display acl resource slot 3
Interface:
GE3/0/1 to GE3/0/24
---------------------------------------------------------------------
Type          Total   Reserved  Configured  Remaining  Usage
---------------------------------------------------------------------
ACL rule       8192         96           3       8093     1%
Inbound ACL    8192         96           3       8093     1%
Outbound ACL   8192          0           0       8093     0%
Table 5 Command output
Field | Description |
---|---|
Interface | Name of the start and end interfaces on the card. |
Type | Resource type. |
Total | Total number of ACL rules supported. |
Reserved | Number of reserved ACL rules. |
Configured | Number of ACL rules that have been applied. |
Remaining | Number of ACL rules that you can still apply. |
Usage | Percentage of the total ACL rules that are reserved or configured. |
display packet-filter
Syntax
Standalone mode:
display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] } [ | { begin | exclude | include } regular-expression ]
IRF mode:
display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ chassis chassis-number slot slot-number ] } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number. VLAN interfaces are not supported.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.
slot slot-number: Specifies a card by its slot number. If no slot number is specified, the command displays application information of ACLs for packet filtering on VLAN interfaces of the device. Use this option when your switch is operating in standalone (the default) mode.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the device in an IRF fabric, which you can display with the display device command. The slot-number argument represents the number of the slot that holds the card. If no IRF member device is specified, the command displays application information of ACLs for packet filtering on VLAN interfaces of the IRF fabric. Use this option when your switch is operating in IRF mode.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display packet-filter to display whether an ACL has been successfully applied to an interface for packet filtering.
If you specify neither the inbound keyword nor the outbound keyword, the command displays the application status of both incoming and outgoing packet filtering ACLs.
Examples
# Display the application status of inbound and outbound packet filtering ACLs for interface GigabitEthernet 3/0/1.
<Sysname> display packet-filter interface GigabitEthernet 3/0/1
Interface: GigabitEthernet 3/0/1
In-bound Policy:
acl 2001, Successful
Out-bound Policy:
acl6 2500, Fail
Table 6 Command output
Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
In-bound Policy | The ACL used for filtering incoming traffic on the interface. |
Out-bound Policy | The ACL used for filtering outgoing traffic on the interface. |
acl 2001, Successful | IPv4 ACL 2001 has been applied to the interface. |
acl6 2500, Fail | The device has failed to apply IPv6 ACL 2500 to the interface. |
# Display the application status of the inbound and outbound packet filtering ACLs for interface VLAN-interface 4094.
[Sysname-Vlan-interface4094] display packet-filter interface Vlan-interface 4094
Interface: Vlan-interface4094
In-bound Policy:
acl 3000, Successful
Out-bound Policy:
Table 7 Command output
Field | Description |
---|---|
acl 3000, Successful | IPv4 ACL 3000 has been applied to the main processing unit and all or some of the cards for the VLAN interface. When an application failure occurs on an interface card, an error message appears. You can specify the slot number in the display command to check the ACL application status on the card. |
# Display the application status of inbound and outbound packet filtering ACLs for the card in slot 3.
[Sysname-Vlan-interface4094] display packet-filter interface Vlan-interface 4094 slot 3
Interface: Vlan-interface4094
In-bound Policy:
acl 3000, Fail
Out-bound Policy:
Table 8 Command output
Field | Description |
---|---|
acl 3000, Fail | The device has failed to apply IPv4 ACL 3000 to the specified card. |
NOTE:
· The switch applies the packet filtering ACL configured on a VLAN interface to the main processing unit and all interface cards. If the switch fails to apply the ACL on one interface card, you must use the undo packet-filter command to remove the packet filter from the VLAN interface, because the switch cannot automatically remove the ACL that has been applied to the main processing unit and other cards.
· You must also use the undo packet-filter command to remove the packet filter from the VLAN interface if the switch fails to update the packet filter on an interface card after you edit the ACL rules, for example, because of hardware resource insufficiency. If you do not remove the packet filter, the old ACL rules continue to take effect and the display packet-filter command shows the initial ACL application status.
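A parser for the display packet-filter output shown above, written in Python as an added example (it is not part of the command reference). It reads the constructed sample lines, which are copied from the three examples in this section, and returns every ACL whose application status is Fail, the condition under which the note above requires undo packet-filter. A filter in the Fail state is not enforcing anything on that interface or card, so it is the row an audit should flag. The sample text, function names and the tuple layout are this example's own.

```python
"""Parse 'display packet-filter' output and flag ACLs the switch failed to apply.

Added example (not from the command reference): the sample output below is
constructed from the three examples in this section. An ACL listed as 'Fail'
is not filtering traffic on that interface or card.
"""
import re
from typing import List, Tuple

# Constructed sample: the example outputs from this section, joined.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet 3/0/1
In-bound Policy:
acl 2001, Successful
Out-bound Policy:
acl6 2500, Fail
Interface: Vlan-interface4094
In-bound Policy:
acl 3000, Successful
Out-bound Policy:
"""

_IFACE_RE = re.compile(r"^Interface:\s*(.+?)\s*$")
_DIR_RE = re.compile(r"^(In|Out)-bound Policy:\s*$")
_ACL_RE = re.compile(r"^(acl6?)\s+(\S+),\s*(Successful|Fail)\s*$")

Row = Tuple[str, str, str, str, str]  # (interface, direction, family, acl, status)


def parse_packet_filter(text: str) -> List[Row]:
    """Return one row per applied ACL.

    family is 'ipv4' for 'acl' lines and 'ipv6' for 'acl6' lines; direction is
    'inbound' or 'outbound'. A policy block without an acl line means no packet
    filter is applied in that direction, so it yields nothing.
    """
    rows: List[Row] = []
    iface = direction = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface, direction = m.group(1), None
            continue
        m = _DIR_RE.match(line)
        if m:
            direction = "inbound" if m.group(1) == "In" else "outbound"
            continue
        m = _ACL_RE.match(line)
        if m and iface and direction:
            family = "ipv6" if m.group(1) == "acl6" else "ipv4"
            rows.append((iface, direction, family, m.group(2), m.group(3)))
    return rows


def failed_filters(text: str) -> List[Row]:
    """Filters whose application failed. Per the note above these must be removed
    with undo packet-filter, because the switch does not clean up a partially
    applied ACL by itself."""
    return [r for r in parse_packet_filter(text) if r[4] == "Fail"]


if __name__ == "__main__":
    for iface, direction, family, acl, status in parse_packet_filter(SAMPLE_OUTPUT):
        print(f"{iface:<24} {direction:<8} {family} ACL {acl}: {status}")
    for row in failed_filters(SAMPLE_OUTPUT):
        print("ACTION: undo packet-filter needed on", row[0], row[1])
```

Feed the function the text captured from a terminal session; it ignores unrelated lines, so a per-slot output (the slot form of the command) parses the same way.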
display time-range
Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display time-range to display the configuration and status of the specified time range or all time ranges.
Examples
# Display the configuration and status of time range trname.
<Sysname> display time-range trname
Current time is 10:45:15 1/26/2010 Tuesday
Time-range : trname ( Inactive )
from 08:00 1/2/2010 to 23:59 1/3/2010
Table 9 Command output
Field | Description |
---|---|
Current time | Current system time. |
Time-range | Configuration and status of the time range, including its name, status (active or inactive), and start time and end time. |
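An added Python example (not from the command reference) that reads the display time-range output above and recomputes the active/inactive status from the device's own clock and the absolute window. It handles only the absolute "from HH:MM M/D/YYYY to HH:MM M/D/YYYY" form shown in the example; the sample text is constructed from that example, and the function names are this example's own. Checking the computed status against the reported one is a quick way to confirm that a rule bound to a time range is really in effect when you expect it to be.

```python
"""Recompute the status of an absolute time range from 'display time-range' output.

Added example (not from the command reference). Only the absolute
'from HH:MM M/D/YYYY to HH:MM M/D/YYYY' form shown in this section is handled;
the sample output is constructed from the example above.
"""
import re
from datetime import datetime
from typing import Optional, Tuple

# Constructed sample: the example output from this section.
SAMPLE_OUTPUT = """\
Current time is 10:45:15 1/26/2010 Tuesday
Time-range : trname ( Inactive )
 from 08:00 1/2/2010 to 23:59 1/3/2010
"""

_NOW_RE = re.compile(r"^Current time is (\d{2}:\d{2}:\d{2}) (\d{1,2}/\d{1,2}/\d{4})")
_NAME_RE = re.compile(r"^Time-range\s*:\s*(\S+)\s*\(\s*(Active|Inactive)\s*\)")
_ABS_RE = re.compile(
    r"^\s*from (\d{2}:\d{2}) (\d{1,2}/\d{1,2}/\d{4}) to (\d{2}:\d{2}) (\d{1,2}/\d{1,2}/\d{4})"
)

Window = Tuple[datetime, datetime]


def _parse(clock: str, date: str) -> datetime:
    """Device format: HH:MM[:SS] followed by M/D/YYYY (month and day unpadded)."""
    fmt = "%H:%M:%S %m/%d/%Y" if clock.count(":") == 2 else "%H:%M %m/%d/%Y"
    return datetime.strptime(f"{clock} {date}", fmt)


def parse_time_range(text: str) -> Tuple[str, str, datetime, Optional[Window]]:
    """Return (name, reported_status, current_time, (start, end) or None)."""
    name = status = now = window = None
    for line in text.splitlines():
        m = _NOW_RE.match(line)
        if m:
            now = _parse(m.group(1), m.group(2))
            continue
        m = _NAME_RE.match(line)
        if m:
            name, status = m.group(1), m.group(2)
            continue
        m = _ABS_RE.match(line)
        if m:
            window = (_parse(m.group(1), m.group(2)), _parse(m.group(3), m.group(4)))
    if name is None or now is None:
        raise ValueError("unrecognized display time-range output")
    return name, status, now, window


def computed_status(text: str) -> str:
    """'Active' when the device's current time lies inside the absolute window."""
    _, _, now, window = parse_time_range(text)
    if window is None:
        return "Inactive"
    start, end = window
    return "Active" if start <= now <= end else "Inactive"


def status_consistent(text: str) -> bool:
    """True when the recomputed status agrees with the status the device reported."""
    return computed_status(text) == parse_time_range(text)[1]


if __name__ == "__main__":
    name, reported, now, window = parse_time_range(SAMPLE_OUTPUT)
    print(name, "reported", reported, "computed", computed_status(SAMPLE_OUTPUT), "at", now)
```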
hardware-count enable
Syntax
hardware-count enable
undo hardware-count enable
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view
Default level
2: System level
Parameters
None
Description
Use hardware-count enable to enable counting of ACL rule matches performed in hardware. The device automatically counts rule matches performed in software.
Use undo hardware-count enable to disable counting ACL rule matches performed in hardware. This command also resets the hardware match counters for all rules in the ACL. For a rule configured with the counting keyword, this command only resets the rule’s hardware match counter.
By default, ACL rule matches performed in hardware are not counted.
The hardware-count enable command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. For an individual rule, rule match counting works as long as either the hardware-count enable command or the counting keyword is configured.
The switch does not count ACL rule matches for the outbound ACL deny rules.
Related commands: display acl, display acl ipv6, and rule.
Examples
# Enable rule match counting for IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] hardware-count enable
# Enable rule match counting for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] hardware-count enable
packet-filter
Syntax
packet-filter { acl-number | name acl-name } { inbound | outbound }
undo packet-filter { acl-number | name acl-name } { inbound | outbound }
View
Interface view
Default level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
· 5000 to 5999 for user-defined ACLs
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Description
Use packet-filter to apply an IPv4 basic, IPv4 advanced, Ethernet frame header, or user-defined ACL to an interface to filter packets.
Use undo packet-filter to restore the default.
By default, an interface does not filter Layer 2 or IPv4 packets.
The rule you add to an ACL that has been used by a packet filter cannot take effect if hardware resources are insufficient or the packet filter does not support the rule. Such rules are marked as uncompleted in the output from the display acl { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and reconfigure it when hardware resources are sufficient.
Follow these guidelines when you configure a packet filter on a VLAN interface:
· Use the undo packet-filter command to remove the packet filter from the VLAN interface if the ACL application fails on an interface card, for example, because of hardware resource insufficiency. The switch applies the packet filter configured on a VLAN interface to the main processing unit and all interface cards. When an application failure occurs on an interface card, the switch cannot automatically remove the ACL that has been applied to the main processing unit or any other interface card.
· You must also use the undo packet-filter command to remove the packet filter if the switch fails to update the packet filter on an interface card after you edit the ACL rules. If you do not remove the packet filter, the old ACL rules continue to take effect and the display packet-filter command shows the initial ACL application status.
· Avoid having multiple users configure the packet-filter command at the same time. Otherwise, the configuration might fail.
· When EB and EC2 cards are operating in standard ACL mode, the interfaces of these cards do not support applying a user-defined ACL to filter packets.
· On an EB or EC2 card operating in standard ACL mode, if you apply an Ethernet frame header ACL to filter packets on the interfaces of the card, the ACL matches IPv6 packets by only the destination MAC address field (for incoming packets only) and 802.1p priority of the Ethernet frame header ACL.
Related commands: display packet-filter.
Examples
# Apply IPv4 ACL 2001 to filter incoming traffic on GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] packet-filter 2001 inbound
packet-filter ipv6
Syntax
packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
View
Interface view
Default level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
inbound: Filters incoming IPv6 packets.
outbound: Filters outgoing IPv6 packets.
Description
Use packet-filter ipv6 to apply an IPv6 basic or IPv6 advanced ACL to an interface to filter IPv6 packets.
Use undo packet-filter ipv6 to restore the default.
By default, an interface does not filter IPv6 packets.
The rule you add to an ACL that has been used by a packet filter cannot take effect if hardware resources are insufficient or the packet filter does not support the rule. Such rules are marked as uncompleted in the output from the display acl ipv6 { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and reconfigure it when hardware resources are sufficient.
Follow these guidelines when you configure a packet filter on a VLAN interface:
· EB and EC2 cards operating in standard ACL mode do not support this command.
· Use the undo packet-filter ipv6 command to remove the packet filter from the VLAN interface if the ACL application fails on an interface card, for example, because of hardware resource insufficiency. The switch applies the packet filter configured on a VLAN interface to the main processing unit and all interface cards. When an application failure occurs on an interface card, the switch cannot automatically remove the ACL that has been applied to the main processing unit or any other interface card.
· You must also use the undo packet-filter ipv6 command to remove the packet filter if the switch fails to update the packet filter on an interface card after you edit the ACL rules. If you do not remove the packet filter, the old ACL rules continue to take effect and the display packet-filter ipv6 command shows the initial ACL application status.
· Avoid having multiple users configure the packet-filter ipv6 command at the same time. Otherwise, the configuration might fail.
Related commands: display packet-filter.
Examples
# Apply IPv6 ACL 2500 to filter outgoing packets on GigabitEthernet 3/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] packet-filter ipv6 2500 outbound
packet-filter forwarding-layer route outbound
Syntax
packet-filter forwarding-layer route outbound
undo packet-filter forwarding-layer route outbound
View
System view
Default level
2: System level
Parameters
None
Description
Use packet-filter forwarding-layer route outbound to set the outbound packet filters on VLAN interfaces to filter only Layer 3 (routed) unicast packets. After you execute this command, the packet-filter outbound command on a VLAN interface filters only Layer 3 unicast packets.
Use undo packet-filter forwarding-layer route outbound to restore the default.
By default, an outbound packet filter on a VLAN interface filters all packets, including Layer 2 packets.
When you use the packet-filter forwarding-layer route outbound command or its undo form, follow these guidelines:
· The packet-filter forwarding-layer route outbound command is available only for Ethernet interface cards.
· The packet-filter forwarding-layer route outbound command does not take effect on EB and EC2 cards operating in standard ACL mode.
· The packet-filter forwarding-layer route outbound command or its undo form must be configured before the packet-filter { acl-number | name acl-name } outbound command. If you have already configured the packet-filter { acl-number | name acl-name } outbound command on a VLAN interface, remove the packet filter, configure the packet-filter forwarding-layer route outbound command or its undo form, and then re-configure the packet-filter { acl-number | name acl-name } outbound command on the VLAN interface.
· The packet-filter forwarding-layer route outbound command can cause the switch to discard BFD packets. To avoid this problem, configure an advanced ACL rule by using the rule [ rule-id ] permit udp destination-port range 3784 3785 command to permit BFD packets.
· In IRF mode, the packet-filter forwarding-layer route outbound command can cause the switch to discard sFlow packets. To avoid this problem, configure an advanced ACL rule by using the rule [ rule-id ] permit udp destination-port eq udp-port command to permit sFlow packets. The udp-port argument is the port number of the sFlow collector and defaults to 6343. For information about sFlow, see Network Management and Monitoring Configuration Guide.
Examples
# Apply IPv4 ACL 2001 to filter only outbound Layer 3 unicast packets on VLAN-interface 2.
<Sysname> system-view
[Sysname] packet-filter forwarding-layer route outbound
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] packet-filter 2001 outbound
reset acl counter
Syntax
reset acl counter { acl-number | all | name acl-name }
View
User view
Default level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
· 5000 to 5999 for user-defined ACLs
all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use reset acl counter to clear statistics for the specified IPv4 ACL or all IPv4 ACLs.
Related commands: display acl.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
# Clear statistics for IPv4 ACL flow.
<Sysname> reset acl counter name flow
reset acl ipv6 counter
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
View
User view
Default level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use reset acl ipv6 counter to clear statistics for the specified IPv6 ACL or all IPv6 basic and IPv6 advanced ACLs.
Related commands: display acl ipv6.
Examples
# Clear statistics for IPv6 basic ACL 2001.
<Sysname> reset acl ipv6 counter 2001
# Clear statistics for IPv6 ACL flow.
<Sysname> reset acl ipv6 counter name flow
rule (Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
View
Ethernet frame header ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Counts the number of times the Ethernet frame header ACL rule has been matched.
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask. The switch does not support this keyword in the current software version. The keyword is reserved for future support.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask. For example, to match ARP, IPv4, or IPv6 packets, specify protocol-type protocol-type-mask as 0x0806 0xFFFF, 0x0800 0xFFFF, or 0x86DD 0xFFFF. On an EB or EC2 card operating in standard ACL mode, the protocol-type protocol-type-mask argument cannot be set to 0x86DD 0xFFFF, which matches IPv6 packets.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
Description
Use rule to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an Ethernet frame header ACL does not contain any rule.
On an EB or EC2 card operating in standard ACL mode, an Ethernet frame header ACL does not take effect on IPv4 packets.
On an EB or EC2 card operating in standard ACL mode, if you use the packet-filter command to apply an Ethernet frame header ACL to filter packets, the ACL can match IPv6 packets by only the destination MAC address (for incoming packets only) and the 802.1p priority fields. If you use other commands to apply an Ethernet frame header ACL, the ACL can match IPv6 packets by the source MAC address (for incoming packets only), the destination MAC address (for incoming packets only), and the 802.1p priority fields.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples
# Create a rule in ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
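An added Python example, not the switch's code, that models how Ethernet frame header ACL rules match: a dest-mac, source-mac or type field matches when (frame value AND mask) equals (rule value AND mask), so a mask of ffff matches the type exactly and a mask of ff00 on a MAC octet matches only that octet's prefix. It parses the H-H-H address form the CLI uses and evaluates rules in config order. ACL 4000 is rebuilt from the example above (permit ARP, deny RARP, rule IDs 0 and 5 with the default step of 5); the third rule, the sample frames, and the decision to permit a frame that matches no rule are constructed assumptions of this example, since the reference text here does not state the packet filter's default action.

```python
"""Match Ethernet frames against Ethernet frame header ACL rules.

Added example (not from the command reference). A rule field matches when
(frame_value & mask) == (rule_value & mask): 0xFFFF is an exact match, 0x0000
matches anything. Rules are evaluated in config order (ascending rule ID) and
the first match decides. A frame matching no rule is permitted here, which is
a constructed assumption for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ARP, RARP, IPV4, IPV6 = 0x0806, 0x8035, 0x0800, 0x86DD
MaskedValue = Tuple[int, int]  # (value, mask)


def parse_hhh(mac: str) -> int:
    """Parse the H-H-H form used by the CLI, e.g. '000f-e201-0101', into an int."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not an H-H-H MAC: {mac}")
    return int("".join(parts), 16)


def mac_rule(addr: str, mask: str) -> MaskedValue:
    """Build a (address, mask) pair from two H-H-H strings, as dest-mac/source-mac take them."""
    return parse_hhh(addr), parse_hhh(mask)


def masked_eq(value: int, rule: MaskedValue) -> bool:
    rule_value, mask = rule
    return (value & mask) == (rule_value & mask)


@dataclass
class EthRule:
    rule_id: int
    action: str                              # 'permit' or 'deny'
    type_: Optional[MaskedValue] = None      # type protocol-type protocol-type-mask
    dest_mac: Optional[MaskedValue] = None   # dest-mac dest-addr dest-mask
    source_mac: Optional[MaskedValue] = None # source-mac sour-addr source-mask
    cos: Optional[int] = None                # cos vlan-pri, 802.1p priority 0..7
    matches: int = 0                         # the 'counting' statistic

    def matches_frame(self, src: int, dst: int, ethertype: int, pri: int) -> bool:
        """All configured fields are ANDed; absent fields match anything."""
        if self.type_ and not masked_eq(ethertype, self.type_):
            return False
        if self.dest_mac and not masked_eq(dst, self.dest_mac):
            return False
        if self.source_mac and not masked_eq(src, self.source_mac):
            return False
        return self.cos is None or pri == self.cos


def evaluate(rules: List[EthRule], src: str, dst: str, ethertype: int, pri: int = 0) -> str:
    """First matching rule in ascending rule-ID order wins; no match permits (assumption)."""
    s, d = parse_hhh(src), parse_hhh(dst)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches_frame(s, d, ethertype, pri):
            rule.matches += 1
            return rule.action
    return "permit"


# ACL 4000 from the example above (permit ARP, deny RARP; IDs 0 and 5 with step 5),
# plus a constructed rule 10 that denies frames from one source-MAC prefix (upper 24 bits).
ACL_4000 = [
    EthRule(0, "permit", type_=(ARP, 0xFFFF)),
    EthRule(5, "deny", type_=(RARP, 0xFFFF)),
    EthRule(10, "deny", source_mac=mac_rule("000f-e200-0000", "ffff-ff00-0000")),
]

if __name__ == "__main__":
    print(evaluate(ACL_4000, "0011-2233-4455", "ffff-ffff-ffff", ARP))   # permit
    print(evaluate(ACL_4000, "0011-2233-4455", "ffff-ffff-ffff", RARP))  # deny
    print(evaluate(ACL_4000, "000f-e201-0101", "0011-2233-4455", IPV4))  # deny by rule 10
```

Note the mask convention here is the opposite of the IPv4 wildcard: in an Ethernet frame header rule a 1 bit in the mask means "compare this bit", whereas in an IPv4 sour-wildcard a 1 bit means "ignore this bit".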
rule (IPv4 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | source | source-port | time-range | tos | vpn-instance ] *
View
IPv4 advanced ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols. Table 10 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 10 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { sour-addr sour-wildcard \| any } | Specifies a source address | The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
destination { dest-addr dest-wildcard \| any } | Specifies a destination address | The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
counting | Counts the number of times the IPv4 ACL rule has been matched | If a rule has the counting keyword while the hardware-count enable command is not configured for the ACL, the counting function is enabled for this rule. |
precedence precedence | Specifies an IP precedence value | The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
tos tos | Specifies a ToS preference | The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). On an EB or EC2 card operating in standard ACL mode, the tos tos option is not supported in the outbound direction for an IPv4 advanced ACL. |
dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
logging | Logs matching packets | This keyword supports only the packet filter function. |
reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. This keyword is not supported in the current software version. The keyword is reserved for future support. |
vpn-instance vpn-instance-name | Applies the rule to a VPN instance | The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to all packets. On an EB or EC2 card operating in standard ACL mode, the vpn-instance vpn-instance-name option is not supported for an IPv4 advanced ACL. When the device is a PE device, the packets at the private network side of a VPN cannot match the option. When the device is an MCE device, packets of a VPN cannot match the option. For more information about PE devices and MCE devices, see MPLS Configuration Guide. |
fragment | Applies the rule to fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range. |
NOTE: If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.
If the protocol argument takes tcp (6) or udp (17), set the parameters shown in Table 11.
Table 11 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports | Same operator and port values as for source-port operator port1 [ port2 ]. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. |
established | Specifies the flags for indicating the established status of a TCP connection | Parameter specific to TCP. |
If the protocol argument takes icmp (1), you can set the parameters shown in Table 12.
Table 12 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp-type { icmp-type [ icmp-code ] \| icmp-message } | Specifies the ICMP message type and code | The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 13. |
Table 13 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code |
---|---|---|
echo | 8 | 0 |
echo-reply | 0 | 0 |
fragmentneed-DFset | 3 | 4 |
host-redirect | 5 | 1 |
host-tos-redirect | 5 | 3 |
host-unreachable | 3 | 1 |
information-reply | 16 | 0 |
information-request | 15 | 0 |
net-redirect | 5 | 0 |
net-tos-redirect | 5 | 2 |
net-unreachable | 3 | 0 |
parameter-problem | 12 | 0 |
port-unreachable | 3 | 3 |
protocol-unreachable | 3 | 2 |
reassembly-timeout | 11 | 1 |
source-quench | 4 | 0 |
source-route-failed | 3 | 5 |
timestamp-reply | 14 | 0 |
timestamp-request | 13 | 0 |
ttl-exceeded | 11 | 0 |
Description
Use rule to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv4 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with destination port 80 from 129.9.0.0/16 to 202.38.160.0/24, and log matching packets.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 logging
# Create IPv4 advanced ACL rules to permit all IP packets except ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
[Sysname-acl-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
rule (IPv4 basic ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
View
IPv4 basic ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv4 ACL rule has been matched.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. The keyword supports only the packet filter function.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to all packets. The vpn-instance vpn-instance-name option is not supported for an IPv4 basic ACL on an EB or EC2 card operating in standard ACL mode. When the device is a PE device, the packets at the private network side of a VPN cannot match the option. When the device is an MCE device, packets of a VPN cannot match the option. For more information about PE devices and MCE devices, see MPLS Configuration Guide.
Description
Use rule to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
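The example above depends on three behaviours described for the rule command: wildcard-mask matching (a 1 bit means "do not care", the inverse of a subnet mask), config match order with the first matching rule deciding, and rejection of a duplicate permit/deny statement. The following model is an added example, not code from the manual or the switch; the class and function names are my own, and the `fragment` handling follows the keyword description above.

```python
import ipaddress

# Added example, not from the manual: a small model of IPv4 basic ACL matching as
# the rule command describes it (source address plus wildcard mask, the fragment
# keyword, config match order with first match winning, and rejection of a
# duplicate permit/deny statement). Class and function names are my own.


def wildcard_match(addr, sour_addr, sour_wildcard):
    """Compare addr with sour-addr under a wildcard mask.

    A 1 bit in the wildcard means 'do not care'; 0.0.0.0 therefore matches one
    host and 0.255.255.255 matches a whole /8. This is the inverse sense of a
    subnet mask, a common cause of over-broad ACL entries.
    """
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(sour_addr))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(sour_wildcard))
    return (a & care) == (s & care)


class BasicAcl:
    """IPv4 basic ACL with match-order config (ascending rule ID)."""

    def __init__(self, number):
        self.number = number
        self.rules = {}  # rule-id -> (action, source, wildcard, fragment)

    def rule(self, rule_id, action, source="any", wildcard=None, fragment=False):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if source != "any" and wildcard is None:
            raise ValueError("sour-wildcard is required with sour-addr")
        statement = (action, source, wildcard, fragment)
        # Within an ACL, the permit or deny statement of each rule must be unique;
        # the switch refuses the creation or edit, and so does this model.
        for rid, existing in self.rules.items():
            if existing == statement and rid != rule_id:
                raise ValueError("rule %d already has statement %r" % (rid, statement))
        self.rules[rule_id] = statement

    def evaluate(self, src, non_first_fragment=False):
        """Return 'permit', 'deny' or None (no rule matched) for one packet."""
        for rid in sorted(self.rules):              # config order: smaller ID first
            action, source, wildcard, fragment = self.rules[rid]
            # A rule with fragment applies only to non-first fragments; a rule
            # without it applies to fragments and non-fragments alike.
            if fragment and not non_first_fragment:
                continue
            if source == "any" or wildcard_match(src, source, wildcard):
                return action
        return None


def build_manual_example():
    """ACL 2000 from the example above: permit three ranges, deny everything else."""
    acl = BasicAcl(2000)
    acl.rule(0, "permit", "10.0.0.0", "0.255.255.255")
    acl.rule(5, "permit", "172.17.0.0", "0.0.255.255")
    acl.rule(10, "permit", "192.168.1.0", "0.0.0.255")
    acl.rule(15, "deny", "any")
    return acl


if __name__ == "__main__":
    acl = build_manual_example()
    for ip in ("10.1.2.3", "172.18.0.1", "192.168.1.77", "8.8.8.8"):
        print(ip, acl.evaluate(ip))
```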
rule (IPv6 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | source | source-port | time-range | vpn-instance ] *
View
IPv6 advanced ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols. Table 14 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 14 Match criteria and other rule information for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { source source-prefix \| source/source-prefix \| any } | Specifies a source IPv6 address | The source and source-prefix arguments represent an IPv6 source address and a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address. |
destination { dest dest-prefix \| dest/dest-prefix \| any } | Specifies a destination IPv6 address | The dest and dest-prefix arguments represent a destination IPv6 address and a prefix length in the range of 1 to 128. The any keyword specifies any IPv6 destination address. |
counting | Counts the number of times the IPv6 ACL rule has been matched | If a rule has the counting keyword while the hardware-count enable command is not configured for the ACL, the counting function is enabled for this rule. |
dscp dscp | Specifies a DSCP preference | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
flow-label flow-label-value | Specifies a flow label value in an IPv6 packet header | The flow-label-value argument is in the range of 0 to 1048575. |
logging | Logs matching packets | The keyword supports only the packet filter function. |
fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range. |
vpn-instance vpn-instance-name | Applies the rule to a VPN instance | The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. The switch does not support this option in the current software version. The option is reserved for future support. |
If the protocol argument takes tcp (6) or udp (17), set the parameters shown in Table 15.
Table 15 TCP/UDP-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports | Same operator, port1, and port2 arguments as for source-port. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. The switch does not support these options in the current software version. These options are reserved for future support. |
established | Specifies the flags for indicating the established status of a TCP connection | Parameter specific to TCP. |
If the protocol argument takes icmpv6 (58), set the parameters shown in Table 16.
Table 16 ICMPv6-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp6-type { icmp6-type icmp6-code \| icmp6-message } | Specifies the ICMPv6 message type and code | The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 17. |
Table 17 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Description
Use rule to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv6 advanced ACL does not contain any rule.
On an EB or EC2 card operating in standard ACL mode, IPv6 advanced ACLs are not supported.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Related commands: acl ipv6, display ipv6 acl, step, and time-range.
Examples
# Create an IPv6 ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96, and enable logging of matching packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80 logging
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 3001
[Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
[Sysname-acl6-adv-3001] rule permit ipv6
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3002
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3003
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap
rule (IPv6 basic ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
View
IPv6 basic ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv6 ACL rule has been matched.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. The keyword supports only the packet filter function.
source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Matches a source IP address. The ipv6-address and prefix-length arguments represent a source IPv6 address and address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to non-VPN packets. This keyword is not supported in the current software version. The keyword is reserved for future support.
Description
Use rule to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv6 basic ACL does not contain any rule.
On an EB or EC2 card operating in standard ACL mode, IPv6 basic ACLs are not supported.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Related commands: acl ipv6, display ipv6 acl, step, and time-range.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 1001:: 16
[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl6-basic-2000] rule deny source any
rule (user-defined ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
undo rule rule-id
View
User-defined ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
ipv4: Specifies that the offset starts 20 bytes after the beginning of the IPv4 header.
ipv6: Specifies that the offset starts 40 bytes after the beginning of the IPv6 header.
l2: Specifies that the offset starts two bytes before the Layer 3 header.
l4: Specifies that the offset starts 20 bytes after the Layer 4 header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. A match pattern mask is used for ANDing the selected string of a packet.
offset: Offset in bytes after which the match operation begins.
&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.
counting: Counts the number of times the IPv4 ACL rule has been matched.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
Description
Use rule to create a user-defined ACL rule. You cannot edit a user-defined ACL rule. If you number the ACL rule the same as an existing rule in the ACL, the new rule overwrites the old one.
Use undo rule to delete an entire user-defined ACL rule.
By default, a user-defined ACL does not contain any rule.
On an EB or EC2 card operating in standard ACL mode, user-defined ACLs are not supported.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Table 18 User-defined ACL usage description
Keyword | Start offset | Configurable offset length (in bytes), 40-byte ACL rule match mode | Configurable offset length (in bytes), 48-byte ACL rule match mode | Configurable offset length (in bytes), 80-byte ACL rule match mode | Packets to be matched |
---|---|---|---|---|---|
ipv4 | Beginning of the IPv4 header + 20 bytes | Not supported | 9 | 12 | IPv4 packets except IPv4 UDP/TCP packets |
ipv6 | Beginning of the IPv6 header + 40 bytes | Not supported | Not supported | 14 | IPv6 packets |
l2 | Layer 3 header – 2 bytes | Not supported | 10 | 13 | Non-IPv4 packets, non-IPv6 packets, and non-MPLS packets |
l4 | Beginning of the Layer 4 header + 20 bytes | Not supported | 4 | 12 | IPv4 UDP/TCP packets |
EC1 and EF cards support user-defined ACLs only after you configure the acl ipv6 enable command. For more information about the command, see “acl ipv6 { enable | disable }.” EB and EC2 cards support user-defined ACLs only when they are operating in advanced ACL mode. For more information about the ACL operating modes, see "acl mode." The other cards support user-defined ACLs by default.
Related commands: acl, display acl, step, and time-range.
Examples
# Create a rule for user-defined ACL 5005 to permit packets that carry 0x0808 for the two bytes that are 22 bytes from the beginning of the Layer 2 header.
<Sysname> system-view
[Sysname] acl number 5005
[Sysname-acl-user-5005] rule 0 permit ipv4 0808 ffff 2
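The way a user-defined rule selects bytes (keyword base offset plus offset, mask ANDed with the selected bytes, up to eight patterns ANDed together) and the per-keyword limits in Table 18 are easier to see in code. The model below is an added example, not code from the manual or the switch: the untagged Ethernet frame layout, the helper names and the sample frames are my own constructions, and I read the "configurable offset length" column as the largest offset value a match mode accepts.

```python
import struct

# Added example, not from the manual: a model of how a user-defined ACL rule
# selects packet bytes, using the ipv4/ipv6/l2/l4 base offsets, the Table 18
# offset limits and packet classes, and the rule-string/rule-mask rules above.
# Frame layout, helper names and the sample frames are my own constructions;
# I read "configurable offset length" as the largest offset value the mode accepts.

MAX_OFFSET = {                       # Table 18; the 40-byte mode is "Not supported"
    "ipv4": {48: 9, 80: 12},
    "ipv6": {80: 14},
    "l2": {48: 10, 80: 13},
    "l4": {48: 4, 80: 12},
}
# Table 18, "Packets to be matched" column, keyed by the class classify() returns.
APPLIES_TO = {"ipv4": {"ipv4"}, "l4": {"ipv4-tcpudp"}, "ipv6": {"ipv6"}, "l2": {"other"}}


def parse_pattern(rule_string, rule_mask):
    """rule-string must have even length and rule-mask the same length, both hex."""
    if len(rule_string) % 2 or len(rule_string) != len(rule_mask):
        raise ValueError("pattern length must be even and equal to the mask length")
    return bytes.fromhex(rule_string), bytes.fromhex(rule_mask)


def classify(frame):
    """Return (packet class, Layer 3 offset, Layer 4 offset) for an untagged Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == 0x0800:
        ihl = (frame[l3] & 0x0F) * 4
        proto = frame[l3 + 9]
        return ("ipv4-tcpudp" if proto in (6, 17) else "ipv4"), l3, l3 + ihl
    if ethertype == 0x86DD:
        return "ipv6", l3, l3 + 40            # assumption: no extension headers
    if ethertype in (0x8847, 0x8848):
        return "mpls", l3, None               # l2 excludes MPLS packets
    return "other", l3, None


def base_offset(keyword, l3, l4):
    """Where the user offset starts for each keyword, as the parameter list defines it."""
    return {"ipv4": l3 + 20,                  # beginning of the IPv4 header + 20 bytes
            "ipv6": l3 + 40,                  # beginning of the IPv6 header + 40 bytes
            "l2": l3 - 2,                     # Layer 3 header - 2 bytes (the EtherType)
            "l4": (l4 or 0) + 20}[keyword]    # beginning of the Layer 4 header + 20 bytes


def rule_matches(frame, patterns, mode=80):
    """patterns: one to eight (keyword, rule-string, rule-mask, offset) tuples, ANDed."""
    if not 1 <= len(patterns) <= 8:
        raise ValueError("a rule takes 1 to 8 match patterns")
    pkt_class, l3, l4 = classify(frame)
    for keyword, rule_string, rule_mask, offset in patterns:
        limit = MAX_OFFSET[keyword].get(mode)
        if limit is None or offset > limit:
            raise ValueError("offset %d is not configurable for %s in %d-byte mode"
                             % (offset, keyword, mode))
        pattern, mask = parse_pattern(rule_string, rule_mask)
        if pkt_class not in APPLIES_TO[keyword]:
            return False
        start = base_offset(keyword, l3, l4) + offset
        selected = frame[start:start + len(pattern)]
        if len(selected) < len(pattern):
            return False                      # pattern runs past the end of the packet
        # The mask is ANDed with the selected bytes before the comparison.
        masked = bytes(s & m for s, m in zip(selected, mask))
        if masked != bytes(p & m for p, m in zip(pattern, mask)):
            return False
    return True


def sample_ipv4_frame(proto, payload):
    """Constructed untagged Ethernet/IPv4 frame with the given IP protocol and payload."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


if __name__ == "__main__":
    # The manual's rule "permit ipv4 0808 ffff 2": two bytes at IPv4 header + 20 + 2.
    gre = sample_ipv4_frame(47, bytes.fromhex("0000" "0808" "0000"))
    print(rule_matches(gre, [("ipv4", "0808", "ffff", 2)]))   # True
```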
rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view
Default level
2: System level
Parameters
rule-id: Specifies the ID of an existing ACL rule. The ID is in the range of 0 to 65534.
text: Adds a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Description
Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.
Use undo rule comment to delete the ACL rule comment.
By default, an IPv4 ACL rule has no rule comment.
Related commands: display acl and display acl ipv6.
Examples
# Create a rule in IPv4 basic ACL 2000 and add a comment about the rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used in vlan 2
# Create a rule in IPv6 basic ACL 2000 and add a comment about the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule 0 comment This rule is used in vlan 2
rule remark
Syntax
rule [ rule-id ] remark text
undo rule [ rule-id ] remark [ text ]
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule number in the range of 0 to 65534. The specified rule may or may not have been created yet. If you specify no rule ID when adding a remark, the system automatically picks the rule ID that is the nearest higher multiple of the numbering step to the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the system picks rule 30.
text: Specifies a remark, a case-sensitive string of 1 to 63 characters.
Description
Use rule remark to add a start or end remark for a range of rules that are created for the same purpose.
Use undo rule remark to delete the specified or all rule range remarks.
By default, no rule range remarks are configured.
A rule range remark always appears immediately above the specified rule. If the specified rule has not been created yet, the position of the remark in the ACL is as follows:
· If the match order is config, the remark is inserted into the ACL in descending order of rule ID.
· If the match order is auto, the remark is placed at the end of the ACL. After you create the rule, the remark appears above the rule.
To display rule range remarks in an ACL, use the display this or display current-configuration command.
When you delete rule range remarks, follow these guidelines:
· If neither rule-id nor text is specified, all rule range remarks are removed.
· Use the undo rule remark text command to remove all remarks that are the same as the text argument.
· Use the undo rule rule-id remark command to delete a specific rule range remark. If you also specify the text argument, you must type in the remark the same as was specified to successfully remove the remark.
TIP: When adding an end remark for a rule range, you can specify the end rule number plus 1 for the rule-id argument so that all rules in this range appear between the two remarks. You can also specify the end rule number for the rule-id argument. In this approach, the end rule appears below the end remark. Whichever approach you use, be consistent.
Related commands: display this, display current-configuration (Fundamentals Configuration Commands).
Examples
# Display the running configuration of IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] display this
#
acl number 2000
rule 0 permit source 14.1.1.0 0.0.0.255
rule 5 permit source 10.1.1.1 0 time-range work-time
rule 10 permit source 192.168.0.0 0.0.0.255
rule 15 permit source 1.1.1.1 0
rule 20 permit source 10.1.1.1 0
rule 25 permit counting
#
return
# Add a start comment “Rules for VIP_start” and an end comment “Rules for VIP_end” for the rule range 10 to 25.
[Sysname-acl-basic-2000] rule 10 remark Rules for VIP_start
[Sysname-acl-basic-2000] rule 26 remark Rules for VIP_end
# Verify the configuration.
[Sysname-acl-basic-2000] display this
#
acl number 2000
rule 0 permit source 14.1.1.0 0.0.0.255
rule 5 permit source 10.1.1.1 0 time-range work-time
rule 10 remark Rules for VIP_start
rule 10 permit source 192.168.0.0 0.0.0.255
rule 15 permit source 1.1.1.1 0
rule 20 permit source 10.1.1.1 0
rule 25 permit counting
rule 26 remark Rules for VIP_end
#
return
step
Syntax
step step-value
undo step
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default level
2: System level
Parameters
step-value: Specifies the ACL rule numbering step in the range of 1 to 20.
Description
Use step to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8.
Use undo step to restore the default.
The default rule numbering step is 5. After you restore the default numbering step by the undo step command, the rules are renumbered in steps of 5.
Related commands: display acl and display acl ipv6.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
# Set the rule numbering step to 2 for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
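The rule-ID arithmetic that the rule-id parameter and the step command describe (the ID assigned when rule-id is omitted, the renumbering a step change triggers, and the return to steps of 5 on undo step) is modelled below. This is an added example, not code from the manual or the switch; the class and method names are my own, and the test data are the manual's own figures (highest ID 28 with step 5 gives 30; rules 5, 10, 13, 15, 20 become 0, 2, 4, 6, 8 under step 2).

```python
# Added example, not from the manual: the rule-ID arithmetic described for rule-id
# and step: the ID assigned when rule-id is omitted, the renumbering that a step
# change triggers, and the renumbering back to steps of 5 on undo step. The class
# and method names are my own.

MAX_RULE_ID = 65534


class RuleNumbering:
    """Tracks the rule IDs of one ACL under a numbering step (1 to 20, default 5)."""

    def __init__(self, step=5):
        self.rules = {}                    # rule-id -> rule text
        self.set_step(step)

    def next_rule_id(self):
        """Nearest multiple of the step above the current highest rule ID (0 if empty)."""
        if not self.rules:
            return 0
        candidate = (max(self.rules) // self.step + 1) * self.step
        if candidate > MAX_RULE_ID:
            raise ValueError("no rule ID left above %d" % max(self.rules))
        return candidate

    def add(self, text, rule_id=None):
        """Create a rule with an explicit ID or let the system pick one; returns the ID."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id must be 0 to 65534")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step):
        """step command: rules keep their order but are renumbered 0, step, 2*step, ..."""
        if not 1 <= step <= 20:
            raise ValueError("step-value must be 1 to 20")
        self.step = step
        self.rules = {i * step: self.rules[old] for i, old in enumerate(sorted(self.rules))}

    def undo_step(self):
        """undo step restores the default step of 5 and renumbers in steps of 5."""
        self.set_step(5)

    def ids(self):
        return sorted(self.rules)


if __name__ == "__main__":
    acl = RuleNumbering()
    for old in (5, 10, 13, 15, 20):
        acl.add("rule %d" % old, old)
    acl.set_step(2)
    print(acl.ids())        # [0, 2, 4, 6, 8]
```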
time-range
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Default level
2: System level
Parameters
time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock), and each value is in the range of 00:00 to 23:59. The end time must be greater than the start time.
days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and make sure they do not overlap. These values can take one of the following forms:
· A digit in the range of 0 to 6, for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
· A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
· working-day for Monday through Friday.
· off-day for Saturday and Sunday.
· daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If not specified, the start time is 01/01/1970 00:00 AM, the earliest time available in the system.
to time2 date2: Specifies the end time and date of the absolute time statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If not specified, the end time is 12/31/2100 24:00 PM, the maximum time available in the system.
Description
Use time-range to configure a time range.
Use undo time-range to delete a time range or a statement in the time range.
By default, no time range exists.
You can create multiple statements in a time range. Each time statement can take one of the following forms:
· Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
· Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
· Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.
The active period of a time range is calculated as follows:
1. Combining all periodic statements
2. Combining all absolute statements
3. Taking the intersection of the two statement sets as the active period of the time range
You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.
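The three statement forms and the three-step active-period calculation above are modelled in the following added example, which is not code from the manual or the switch. Parsing of the argument forms and all names are my own; because the manual does not say whether statement boundaries are inclusive, the model treats both ends of every statement as inclusive, and a time range that has no statements of one kind is not constrained by that kind.

```python
from datetime import datetime, timedelta

# Added example, not from the manual: a model of how a time range's active period
# is derived from its statements (union of the periodic statements, union of the
# absolute statements, then the intersection of the two). Parsing of the argument
# forms and all names are my own; the manual does not say whether boundaries are
# inclusive, so this model treats both ends of every statement as inclusive.

EARLIEST = datetime(1970, 1, 1)                       # default from: 01/01/1970 00:00
LATEST = datetime(2100, 12, 31) + timedelta(days=1)   # default to: 12/31/2100 24:00
DAY_WORDS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}


def parse_hhmm(text, allow_24=False):
    """hh:mm on a 24-hour clock, as minutes since midnight; 24:00 is valid only for time2."""
    hours, minutes = (int(x) for x in text.split(":"))
    total = hours * 60 + minutes
    if not (0 <= minutes <= 59 and 0 <= total <= (24 * 60 if allow_24 else 24 * 60 - 1)):
        raise ValueError("time out of range: " + text)
    return total


def parse_moment(time_text, date_text, allow_24=False):
    """time date in MM/DD/YYYY or YYYY/MM/DD form; years 1970 to 2100."""
    a, b, c = (int(x) for x in date_text.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    if not 1970 <= year <= 2100:
        raise ValueError("year out of range: " + date_text)
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(time_text, allow_24))


def parse_days(tokens):
    """Digits 0-6 (0 = Sunday), day words, or working-day/off-day/daily; no overlap."""
    days = set()
    for tok in tokens:
        chosen = DAY_GROUPS.get(tok) or ({int(tok)} if tok.isdigit() else {DAY_WORDS[tok]})
        if chosen & days or not chosen <= set(range(7)):
            raise ValueError("day values overlap or are out of range: " + tok)
        days |= chosen
    return days


class TimeRange:
    def __init__(self, name):
        self.name, self.periodic, self.absolute = name, [], []

    def add(self, statement):
        """Accepts the periodic, absolute and compound argument forms of time-range."""
        tok = statement.split()
        i, periodic, window = 0, None, [EARLIEST, LATEST]
        if tok[0] not in ("from", "to"):                 # periodic or compound form
            start, end = parse_hhmm(tok[0]), parse_hhmm(tok[2])
            if tok[1] != "to" or end <= start:
                raise ValueError("end-time must be greater than start-time")
            i = 3
            while i < len(tok) and tok[i] not in ("from", "to"):
                i += 1
            periodic = (start, end, parse_days(tok[3:i]))
        while i < len(tok):                              # optional absolute bounds
            if tok[i] == "from":
                window[0] = parse_moment(tok[i + 1], tok[i + 2])
            elif tok[i] == "to":
                window[1] = parse_moment(tok[i + 1], tok[i + 2], allow_24=True)
            else:
                raise ValueError("unexpected token: " + tok[i])
            i += 3
        if window[1] <= window[0]:
            raise ValueError("end time must be greater than start time")
        if periodic:
            if len(self.periodic) >= 32:
                raise ValueError("at most 32 periodic statements")
            self.periodic.append((periodic, tuple(window)))   # compound: own window
        else:
            if len(self.absolute) >= 12:
                raise ValueError("at most 12 absolute statements")
            self.absolute.append(tuple(window))

    def is_active(self, dt):
        """Intersection of the periodic set and the absolute set; an empty set does not constrain."""
        minute, day = dt.hour * 60 + dt.minute, (dt.weekday() + 1) % 7   # 0 = Sunday
        periodic_ok = not self.periodic or any(
            s <= minute <= e and day in days and lo <= dt <= hi
            for (s, e, days), (lo, hi) in self.periodic)
        absolute_ok = not self.absolute or any(lo <= dt <= hi for lo, hi in self.absolute)
        return periodic_ok and absolute_ok
```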
Related commands: display time-range.
Examples
# Create a periodic time range t1, setting it to be active from 8:00 to 18:00 on working days.
<Sysname> system-view
[Sysname] time-range t1 8:0 to 18:0 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010