Syntax
acl number acl-number [ match-order { config | auto } ]
undo acl { number acl-number | all }
View
System view
Parameter
number acl-number: Specifies the number of an existing access control list (ACL) or of an ACL to be defined. The ACL number identifies the type of the ACL as follows.
• An ACL number in the range 2000 to 2999 identifies a basic ACL.
• An ACL number in the range 3000 to 3999 identifies an advanced ACL. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
• An ACL number in the range 4000 to 4999 identifies a Layer 2 ACL.
• An ACL number in the range 5000 to 5999 identifies a user-defined ACL.
match-order: Specifies the match order for the rules of the ACL. This keyword is not available to Layer 2 ACLs or user-defined ACLs. The following two match orders exist.
• config: Matches ACL rules in the order they are defined.
• auto: Matches ACL rules according to the depth-first rule.
all: Specifies to remove all the ACLs.
Description
Use the acl command to define an ACL and enter the corresponding ACL view.
Use the undo acl command to remove all the rules of an ACL or all the ACLs.
By default, ACL rules are matched in the order they are defined.
In ACL view, you can use the rule command to add rules to the ACL.
Rules of an ACL can be matched in one of the following orders.
• Configured order: ACL rules are matched in the order they are defined.
• Automatic order: ACL rules are matched according to the “depth-first” rule.
With the depth-first rule adopted, the rules of an ACL are matched according to:
1) Protocol range. The range for IP is 1 to 255 and those of other protocols are their protocol numbers. The smaller the protocol range, the higher the priority.
2) Range of source IP address. The smaller the source IP address range (that is, the longer the mask), the higher the priority.
3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.
If rule A and rule B are the same in all the four ACEs (access control elements) above, and also in their numbers of other ACEs to be considered in deciding their priority order, the weighting principles listed below are used to decide their priority order.
• Each ACE is given a fixed weighting value. This weighting value and the value of the ACE itself jointly decide the final matching order.
• The weighting values of ACEs rank in the following descending order: DSCP, ToS, ICMP, established, precedence, fragment.
• A fixed weighting value is deducted from the weighting value of each ACE of the rule. The smaller the weighting value left, the higher the priority.
• If the number and type of ACEs are the same for multiple rules, then the sum of ACE values of a rule determines its priority. The smaller the sum, the higher the priority.
You can use the match-order keyword to specify whether to use the configured order or the “depth-first” order (rules with smaller ranges are matched first) to match rules. If neither match order is specified, the configured match order is adopted.
You cannot modify the match order of an ACL once you have specified it, unless you remove all the rules of the ACL and define new rules in the desired order.
The rules of an ACL are matched in a specific order only when the ACL is referenced by software for data filtering and traffic classification.
Related command: rule.
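The depth-first order described above, modelled in Python as an added example (this is not code from the H3C manual): the four ACEs become a sort key, smaller ranges sort first, and ties keep the configured order. The weighting principles for otherwise-equal rules are not modelled; the Rule type, the way each port operator's range is counted, and the sample rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IP_PROTOCOL_RANGE = 255   # "ip" spans protocol numbers 1 to 255
PORT_SPACE = 65536        # TCP/UDP ports 0 to 65535
ANY = ("0.0.0.0", "255.255.255.255")   # address + wildcard meaning "any"

@dataclass
class Rule:                                      # assumed model of an advanced ACL rule
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: str = "ip"                         # "ip", "tcp", "udp", "icmp", ...
    source: Tuple[str, str] = ANY                # (address, wildcard)
    destination: Tuple[str, str] = ANY
    dest_port: Optional[Tuple[str, int, int]] = None  # (operator, port1, port2)

def protocol_range(proto: str) -> int:
    """Size of the protocol range: 255 for plain IP, 1 for any single protocol."""
    return IP_PROTOCOL_RANGE if proto.lower() == "ip" else 1

def address_range(addr_wildcard: Tuple[str, str]) -> int:
    """Addresses covered by a wildcard: every 1 bit in the wildcard is a don't-care bit."""
    wildcard = int(ipaddress.IPv4Address(addr_wildcard[1]))
    return 2 ** bin(wildcard).count("1")

def port_range(spec: Optional[Tuple[str, int, int]]) -> int:
    """Ports matched by an operator (assumption: how each operator's range is counted)."""
    if spec is None:
        return PORT_SPACE
    op, p1, p2 = spec
    return {"eq": 1, "lt": p1, "gt": PORT_SPACE - p1 - 1,
            "neq": PORT_SPACE - 1, "range": p2 - p1 + 1}[op]

def depth_first_key(rule: Rule):
    """The four ACEs in the order the text lists them; smaller range = higher priority."""
    return (protocol_range(rule.protocol), address_range(rule.source),
            address_range(rule.destination), port_range(rule.dest_port))

def depth_first_order(rules):
    """Rules as the auto match order would try them; ties keep configured order (stable sort)."""
    return sorted(rules, key=depth_first_key)

# Constructed sample ACL, listed in configured order (rule ids 0 to 3).
SAMPLE_RULES = [
    Rule(0, "permit", "ip"),
    Rule(1, "deny", "ip", source=("10.1.0.0", "0.0.255.255")),
    Rule(2, "deny", "tcp", source=("10.1.0.0", "0.0.255.255"),
         destination=("192.168.1.1", "0.0.0.0"), dest_port=("eq", 23, 23)),
    Rule(3, "deny", "tcp", source=("10.1.2.3", "0.0.0.0")),
]

if __name__ == "__main__":
    for r in depth_first_order(SAMPLE_RULES):
        print(r.rule_id, r.action, r.protocol, depth_first_key(r))
```

Note that the host rule 3 is tried before rule 2 even though rule 2 is narrower on destination and port, because the source range is compared first.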
Example
# Define ACL 2000 and specify “depth-first” order as the rule match order.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000 match-order auto
[H3C-acl-basic-2000]
Syntax
description text
undo description
View
Basic ACL view, advanced ACL view, Layer 2 ACL view, user-defined ACL view
Parameter
text: Description string to be assigned to an ACL, a string of up to 127 characters.
Description
Use the description command to assign a description string to an ACL.
Use the undo description command to remove the description string of an ACL.
Example
# Assign a description string to ACL 3100.
<H3C> system-view
[H3C] acl number 3100
[H3C-acl-adv-3100] description This acl is used in eth 0
# Remove the description string of ACL 3100.
[H3C-acl-adv-3100] undo description
Syntax
display acl { all | acl-number }
View
Any view
Parameter
all: Displays all the ACLs.
acl-number: Number of the ACL to be displayed, in the range of 2000 to 5999.
Description
Use the display acl command to display the configuration of an ACL or of all the ACLs, including ACL type, ACL number, number of rules of the ACL, description string (if configured), ACL rule number step, and ACL content.
Example
# Display the information about all the ACLs.
<H3C> display acl all
Total ACL Number: 2
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 permit
Advanced ACL 3000, 0 rule
Acl's step is 1
Syntax
display packet-filter { interface interface-type interface-num | unitid unit-id }
View
Any view
Parameter
interface-type interface-num: Port index.
unit-id: ID of the unit whose information is to be displayed.
Description
Use the display packet-filter command to display the information about packet filtering, including the ACL name, rule number, and ACL status.
Example
# Display the packet filtering information about Unit 1.
<H3C> display packet-filter unitid 1
Ethernet1/0/1
Inbound:
Acl 2000 rule 0 running
Syntax
display time-range { all | time-name }
View
Any view
Parameter
all: Displays all the time ranges.
time-name: Name of a time range, a string that starts with [a-z, A-Z] and can contain up to 32 characters.
Description
Use the display time-range command to display the configuration and status of a time range or of all the time ranges. For active time ranges, this command displays “active”; for inactive time ranges, it displays “inactive”.
Related command: time-range.
Example
# Display all the time ranges.
<H3C> display time-range all
Current time is 14:36:36 Apr/2/2003 Thursday
Time-range : hhy ( Active )
12:00 to 18:00 working-day
Time-range : hhy1 ( Inactive )
from 08:30 2/5/2003 to 18:00 2/19/2003
Table 1-1 Description on the fields of the display time-range command

| Field | Description |
|---|---|
| Current time is 14:36:36 Apr/3/2003 Thursday | Current system time |
| Time-range : hhy | Name of the time range |
| Active | The time range is currently active (inactive means the time range is inactive) |
| 12:00 to 18:00 working-day | The periodic time range is from 12:00 to 18:00 on each working day. |
| from 08:30 2/5/2005 to 18:00 2-19-2005 | The absolute time range is from 08:30 2/5/2005 to 18:00 2-19-2005. |
Syntax
packet-filter { inbound | outbound } acl-rule
undo packet-filter { inbound | outbound } acl-rule
View
Ethernet port view
Parameter
inbound: Filters inbound packets.
outbound: Filters outbound packets.
acl-rule: Specifies the ACL or ACL rules to be applied. This argument can be one of those listed in Table 1-2.
Table 1-2 Combined application of ACLs

| Combination mode | The acl-rule argument |
|---|---|
| Apply all the rules of an ACL of IP type (the ACL can be a basic ACL or an advanced ACL) | ip-group acl-number |
| Apply a rule of an ACL of IP type | ip-group acl-number rule rule-id |
| Apply all the rules of a Layer 2 ACL | link-group acl-number |
| Apply a rule of a Layer 2 ACL | link-group acl-number rule rule-id |
| Apply all the rules of a user-defined ACL | user-group acl-number |
| Apply a rule of a user-defined ACL | user-group acl-number rule rule-id |
| Apply a rule of an ACL of IP type and a rule of a Layer 2 ACL | ip-group acl-number rule rule-id link-group acl-number rule rule-id |

In Table 1-2:
• The ip-group acl-number keyword specifies a basic or an advanced ACL. The acl-number argument ranges from 2000 to 3999.
• The link-group acl-number keyword specifies a Layer 2 ACL. The acl-number argument ranges from 4000 to 4999.
• The user-group acl-number keyword specifies a user-defined ACL. The acl-number argument ranges from 5000 to 5999.
• The rule rule-id keyword specifies a rule of an ACL. The rule-id argument ranges from 0 to 65534. If you do not specify this argument, all the rules of the ACL are applied.
Description
Use the packet-filter command to apply ACL rules on a port to filter packets.
Use the undo packet-filter command to remove the ACL rules applied on a port.
Example
# Apply ACL 2000 on GigabitEthernet1/1/1 to filter inbound packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface GigabitEthernet1/1/1
[H3C-GigabitEthernet1/1/1] packet-filter inbound ip-group 2000
Syntax
rule [ rule-id ] { permit | deny } [ fragment | source { sour-addr sour-wildcard | any } | time-range time-name ]*
undo rule rule-id [ fragment | source | time-range ]*
View
Basic ACL view
Parameter
I. Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
fragment: Specifies that the rule only applies to the packets that are not the first fragments.
source { sour-addr sour-wildcard | any }: Specifies the source address for the rule. The sour-addr argument is the source IP address in dotted decimal notation. The sour-wildcard argument is the wildcard mask corresponding to the source subnet mask, expressed in dotted decimal notation. For example, you need to input 0.0.255.255 for the subnet mask 255.255.0.0. You can set sour-wildcard to 0 to represent a host IP address. any represents any IP address.
time-range time-name: Specifies a time range within which the rule is valid.
II. Parameters of the undo rule command
rule-id: Rule ID, which must be the ID of an existing ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.
fragment: Specifies that the ACL rule applies to other types of packets besides those that are not the first fragments.
source: Removes the settings concerning the source address in the ACL rule.
time-range: Removes the settings concerning the time range in the ACL rule.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
When you define an ACL rule using the rule command with the rule-id argument provided:
• If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules cannot be edited; in this case, the system prompts an error when you execute the rule command.
• If the ACL rule identified by the rule-id argument does not exist, a new ACL rule is created.
• The content of a modified or created ACL rule cannot be identical to the content of any existing ACL rule; otherwise the ACL rule modification or creation fails, and the system prompts that the rule already exists.
If you do not specify the rule-id argument when creating an ACL rule, the ACL rule is numbered automatically.
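The rule / undo rule behaviour described above (automatic numbering, overwriting an existing rule-id in a config-ordered ACL while keeping its other settings, the error for an auto-ordered ACL, the duplicate-content check, and wildcard matching including the fragment keyword) as an added Python model; this is not the switch's own code. The BasicAcl class, the next-id policy (highest id plus the ACL step), the assumption that configured order is ascending rule id, and the sample rules are assumptions.

```python
import ipaddress

ANY_SOURCE = {"source": "0.0.0.0", "wildcard": "255.255.255.255", "fragment": False}

class RuleExists(Exception): """A new or modified rule duplicates an existing rule."""

class AutoOrderNotEditable(Exception): """An existing rule of an auto-ordered ACL was edited."""

def _to_int(addr: str) -> int:
    """Dotted decimal to int; the CLI shorthand 0 (host wildcard) means 0.0.0.0."""
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))

class BasicAcl:
    def __init__(self, number: int, match_order: str = "config", step: int = 1):
        assert 2000 <= number <= 2999, "basic ACLs are numbered 2000 to 2999"
        self.number, self.match_order, self.step = number, match_order, step
        self.rules = {}    # rule_id -> {"action", "source", "wildcard", "fragment"}

    def rule(self, action, source=None, wildcard=None, fragment=False, rule_id=None):
        given = {"action": action}             # only the settings actually supplied
        if source is not None:
            given.update(source=source, wildcard=wildcard)
        if fragment:
            given["fragment"] = True
        if rule_id is None:
            # assumption: an unnumbered rule gets the highest id plus the ACL step
            rule_id = max(self.rules) + self.step if self.rules else 0
        elif rule_id in self.rules and self.match_order == "auto":
            raise AutoOrderNotEditable("rules of an auto-ordered ACL cannot be edited")
        # config mode: supplied settings overwrite their counterparts, the rest stay
        new = {**self.rules.get(rule_id, ANY_SOURCE), **given}
        for rid, existing in self.rules.items():
            if rid != rule_id and existing == new:
                raise RuleExists(f"rule {rid} already exists with this content")
        self.rules[rule_id] = new
        return rule_id

    def undo_rule(self, rule_id):
        """Remove the whole rule; the id must belong to an existing rule."""
        del self.rules[rule_id]

    def match(self, src_ip, first_fragment=True):
        """Try rules in configured order (assumed: ascending id); return (id, action) or None."""
        ip = _to_int(src_ip)
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r["fragment"] and first_fragment:
                continue   # a fragment rule applies only to non-first fragments
            wild = _to_int(r["wildcard"])
            # wildcard 1 bits are "don't care": compare only the 0-bit positions
            if (ip & ~wild) == (_to_int(r["source"]) & ~wild):
                return rid, r["action"]
        return None

if __name__ == "__main__":
    acl = BasicAcl(2000)
    acl.rule("deny", "1.1.1.1", "0")               # the manual's example rule
    acl.rule("permit", "1.1.0.0", "0.0.255.255")   # constructed: rest of 1.1.0.0/16
    print(acl.match("1.1.1.1"), acl.match("1.1.9.9"), acl.match("2.2.2.2"))
```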
Example
# Create an ACL rule to deny the packets whose source IP address is 1.1.1.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
Syntax
rule [ rule-id ] { permit | deny } rule-string
undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos ]*
View
Advanced ACL view
Parameter
I. Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-3. Note that this argument must begin with the protocol argument.
Table 1-3 Arguments/keywords available to the rule-string argument

| Arguments/Keywords | Type | Function | Description |
|---|---|---|---|
| protocol | Protocol type | Type of the protocol carried by IP | When expressed as a number, this argument ranges from 1 to 255. When expressed as a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, or UDP. |
| source { sour-addr sour-wildcard \| any } | Source address | Specifies the source address information for the ACL rule | The sour-addr sour-wildcard arguments specify the source address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the source address by providing 0 for the sour-wildcard argument. The any keyword specifies any source address. |
| destination { dest-addr dest-wildcard \| any } | Destination address | Specifies the destination address information for the ACL rule | The dest-addr dest-wildcard arguments specify the destination address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the destination address by providing 0 for the dest-wildcard argument. The any keyword specifies any destination address. |
| precedence precedence | Packet priority | Packet precedence | The precedence argument ranges from 0 to 7. |
| tos tos | Packet priority | ToS | The tos argument ranges from 0 to 15. |
| dscp dscp | Packet priority | DSCP | The dscp argument ranges from 0 to 63. |
| fragment | Fragment information | Specifies that the rule is effective for the packets that are not the first fragments. | — |
| time-range time-name | Time range information | Specifies the time range in which the ACL rule is active. | — |

The sour-wildcard/dest-wildcard argument is the wildcard mask, that is, the complement of the source/destination subnet mask. For example, you need to input 0.0.255.255 to specify the subnet mask 255.255.0.0. The arguments can be set to 0 to represent a host IP address.
If you specify the dscp keyword, you can directly input a value ranging from 0 to 63 or input one of the keywords listed in Table 1-4 as the DSCP.
Table 1-4 DSCP values and the corresponding keywords

| Keyword | DSCP value in decimal | DSCP value in binary |
|---|---|---|
| ef | 46 | 101110 |
| af11 | 10 | 001010 |
| af12 | 12 | 001100 |
| af13 | 14 | 001110 |
| af21 | 18 | 010010 |
| af22 | 20 | 010100 |
| af23 | 22 | 010110 |
| af31 | 26 | 011010 |
| af32 | 28 | 011100 |
| af33 | 30 | 011110 |
| af41 | 34 | 100010 |
| af42 | 36 | 100100 |
| af43 | 38 | 100110 |
| cs1 | 8 | 001000 |
| cs2 | 16 | 010000 |
| cs3 | 24 | 011000 |
| cs4 | 32 | 100000 |
| cs5 | 40 | 101000 |
| cs6 | 48 | 110000 |
| cs7 | 56 | 111000 |
| be (default) | 0 | 000000 |
If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-5 as the IP precedence.
Table 1-5 IP precedence values and the corresponding keywords

| Keyword | IP Precedence in decimal | IP Precedence in binary |
|---|---|---|
| routine | 0 | 000 |
| priority | 1 | 001 |
| immediate | 2 | 010 |
| flash | 3 | 011 |
| flash-override | 4 | 100 |
| critical | 5 | 101 |
| internet | 6 | 110 |
| network | 7 | 111 |
If you specify the tos keyword, you can directly input a value ranging from 0 to 15 or input one of the keywords listed in Table 1-6 as the ToS value.
Table 1-6 ToS values and the corresponding keywords

| Keyword | ToS in decimal | ToS in binary |
|---|---|---|
| normal | 0 | 0000 |
| min-monetary-cost | 1 | 0001 |
| max-reliability | 2 | 0010 |
| max-throughput | 4 | 0100 |
| min-delay | 8 | 1000 |
If the protocol type is TCP or UDP, you can also define the information listed in Table 1-7.
Table 1-7 TCP/UDP-specific ACL rule information

| Parameter | Type | Function | Description |
|---|---|---|---|
| source-port operator port1 [ port2 ] | Source port | Defines the source port information of UDP/TCP packets | The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the range operator requires two port numbers as operands; the other operators require only one port number. port1 and port2: TCP/UDP port number(s), expressed as port names or port numbers. When expressed as numerals, the value range is 0 to 65535. |
| destination-port operator port1 [ port2 ] | Destination port | Defines the destination port information of UDP/TCP packets | Same as for source-port. |
| established | TCP connection flag | Specifies that the rule is applicable only to the first SYN segment for establishing a TCP connection | TCP-specific argument |

When using port names to specify TCP/UDP ports, you can use the names listed in Table 1-8.
Table 1-8 TCP/UDP port values

| Protocol type | Value |
|---|---|
| TCP | chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80) |
| UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177) |

When advanced ACLs are applied to ports of the H3C S3600 series Ethernet switches, only the rules configured with the operator argument specified as eq are valid.
If the protocol type is ICMP, you can also define the information listed in Table 1-9.
Table 1-9 ICMP-specific ACL rule information

| Parameter | Type | Function | Description |
|---|---|---|---|
| icmp-type icmp-type icmp-code | Type and message code information of ICMP packets | Specifies the type and message code information of ICMP packets in the ACL rule | icmp-type: ICMP message type, ranging from 0 to 255. icmp-code: ICMP message code, ranging from 0 to 255. |

If the protocol type is ICMP, you can also just input the ICMP message name after the icmp-type keyword. Table 1-10 lists some common ICMP messages.
Table 1-10 ICMP messages

| Name | ICMP type | ICMP code |
|---|---|---|
| echo | Type=8 | Code=0 |
| echo-reply | Type=0 | Code=0 |
| fragmentneed-DFset | Type=3 | Code=4 |
| host-redirect | Type=5 | Code=1 |
| host-tos-redirect | Type=5 | Code=3 |
| host-unreachable | Type=3 | Code=1 |
| information-reply | Type=16 | Code=0 |
| information-request | Type=15 | Code=0 |
| net-redirect | Type=5 | Code=0 |
| net-tos-redirect | Type=5 | Code=2 |
| net-unreachable | Type=3 | Code=0 |
| parameter-problem | Type=12 | Code=0 |
| port-unreachable | Type=3 | Code=3 |
| protocol-unreachable | Type=3 | Code=2 |
| reassembly-timeout | Type=11 | Code=1 |
| source-quench | Type=4 | Code=0 |
| source-route-failed | Type=3 | Code=5 |
| timestamp-reply | Type=14 | Code=0 |
| timestamp-request | Type=13 | Code=0 |
| ttl-exceeded | Type=11 | Code=0 |
II. Parameters of the undo rule command
rule-id: ID of an existing ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.
source: Removes the settings concerning the source address in the ACL rule.
source-port: Removes the settings concerning the source port in the ACL rule. This keyword is only available to ACL rules whose protocol type is TCP or UDP.
destination: Removes the settings concerning the destination address in the ACL rule.
destination-port: Removes the settings concerning the destination port in the ACL rule. This keyword is only available to ACL rules whose protocol type is TCP or UDP.
icmp-type: Removes the settings concerning the ICMP type and message code in the ACL rule. This keyword is only available to ACL rules whose protocol type is ICMP.
precedence: Removes the precedence-related settings in the ACL rule.
tos: Removes the ToS-related settings in the ACL rule.
dscp: Removes the DSCP-related settings in the ACL rule.
time-range: Removes the time range settings in the ACL rule.
fragment: Specifies that the ACL rule applies to other types of packets besides those that are not the first fragments.
Description