Syntax
display time-range { all | time-name }
View
Any view
Parameter
time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
all: All existing time ranges.
Description
Use the display time-range command to display the configuration and state of a specified time range or of all time ranges.
A time range is active when the current system time falls within it, and inactive otherwise. Because activity is judged against the switch's own clock, a wrong system time silently changes which time-based rules are in force; compare the Current time shown in the output with a trusted clock before trusting the Active/Inactive state.
Example
# Display the configuration and state of time range trname.
<Sysname> display time-range trname
Current time is 10:45:15 4/14/2005 Thursday
Time-range : trname ( Inactive )
 from 08:00 12/1/2005 to 23:59 12/31/2100
Table 1-1 Description on the fields of the display time-range command
| Field | Description |
|---|---|
| Current time | Current system time |
| Time-range | The configuration and state of the time range: its name, whether it is active or inactive, and its start and end times. |
Syntax
time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Parameter
time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
start-time: Start time of a periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59.
end-time: End time of the periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The end time must be greater than the start time.
days: Indicates on which day or days of the week the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. These values can take one of the following forms:
- A digit in the range 0 to 6, for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday respectively.
- A day of the week in words: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday.
- working-day for Monday through Friday.
- off-day for Saturday and Sunday.
- daily for all seven days of the week.
from time1 date1: Optional, indicates the start time and date of an absolute time range. The time1 argument specifies the time of day in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month in the range 1 to 31, and YYYY is the year in the usual Gregorian calendar. If not specified, the start time is the earliest time available from the system.
to time2 date2: Optional, indicates the end time and date of the absolute time range. Their formats and value ranges are the same as those of the time1 and date1 arguments. The end time, however, must be later than the start time. If not specified, the end time is the maximum time available from the system.
Description
Use the time-range command to create a time range.
Use the undo time-range command to remove a time range.
Note that:
- A periodic time range is created using the time-range time-name start-time to end-time days command. A time range thus created recurs on the specified day or days of the week.
- An absolute time range is created using the time-range time-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
- A compound time range is created using the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the specified day or days of the week, but only within the specified absolute period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
- You may create several time range statements with the same name. They are regarded as one time range whose active period is the result of ORing the periodic statements, ORing the absolute statements, and ANDing the two results.
- If the start time is not specified, the time range starts on the current date and ends on the end date. If the end date is not specified, the time range runs from the date of configuration until the largest date available in the system.
- Up to 256 time ranges can be defined.
Example
# Create an absolute time range named test, setting it to become active from 0:0 on January 1, 2003.
<Sysname> system-view
[Sysname] time-range test from 0:0 2003/1/1
# Create a periodic time range named test, setting it to be active between 8:00 and 18:00 on working days.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Create a periodic time range named test, setting it to be active between 14:00 and 18:00 on Saturday and Sunday.
<Sysname> system-view
[Sysname] time-range test 14:00 to 18:00 off-day
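The three statements above all carry the name test, so the switch merges them into one time range. The following added example (not code from the switch or its vendor) models that merge rule as the manual states it: periodic statements are ORed, absolute statements are ORed, and the two results are ANDed, with a compound statement contributing one part to each kind. Two points the page leaves unstated are assumed here and marked in the code: a name with no statement of one kind counts as matching for that kind, and start/end bounds are inclusive at minute granularity. The day keywords, hh:mm and date formats follow the Parameter section.

```python
"""Evaluate time ranges of the kind created with the time-range command.

Added example for this manual section, not code from the switch or its vendor. Statements
sharing one name are ORed within each kind (periodic, absolute) and the two results are
ANDed, as stated above; a compound statement contributes one part to each kind. Assumed,
not stated on the page: a name with no statement of one kind counts as matching for that
kind, and bounds are inclusive at minute granularity.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# CLI digits count from Sunday = 0; Python's weekday() counts from Monday = 0.
DAY_WORDS = {"monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
             "friday": {4}, "saturday": {5}, "sunday": {6},
             "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7))}

def parse_days(tokens):
    """Translate day tokens (words or digits 0..6) to Python weekdays; reject overlaps."""
    days = set()
    for tok in tokens:
        if tok.isdigit() and 0 <= int(tok) <= 6:
            chosen = {(int(tok) + 6) % 7}
        elif tok in DAY_WORDS:
            chosen = DAY_WORDS[tok]
        else:
            raise ValueError(f"unknown day value: {tok}")
        if days & chosen:
            raise ValueError("overlapping day values")  # the CLI rejects overlaps
        days |= chosen
    return days

def parse_hhmm(text):
    """hh:mm as minutes since midnight; 24:00 (1440) is allowed as an end time."""
    hh, mm = (int(part) for part in text.split(":"))
    if not (0 <= mm < 60 and 0 <= hh * 60 + mm <= 1440):
        raise ValueError(f"bad time: {text}")
    return hh * 60 + mm

def parse_datetime(hhmm, date_text):
    """Combine hh:mm with a date written as MM/DD/YYYY or YYYY/MM/DD."""
    minutes = parse_hhmm(hhmm)
    for fmt in ("%m/%d/%Y", "%Y/%m/%d"):
        try:
            return datetime.strptime(date_text, fmt) + timedelta(minutes=minutes)
        except ValueError:
            continue
    raise ValueError(f"bad date: {date_text}")

@dataclass
class Periodic:
    start: int   # minutes since midnight
    end: int
    days: set

    def active(self, now):
        minute = now.hour * 60 + now.minute
        return now.weekday() in self.days and self.start <= minute <= self.end

@dataclass
class Absolute:
    start: datetime = None   # None: the earliest time the system knows
    end: datetime = None     # None: the latest time the system knows

    def active(self, now):
        now = now.replace(second=0, microsecond=0)
        return (self.start is None or self.start <= now) and (self.end is None or now <= self.end)

class TimeRange:
    def __init__(self, name):
        self.name, self.periodic, self.absolute = name, [], []

    def add(self, statement):
        """Parse the arguments that follow 'time-range <name>' on one CLI line."""
        tok = statement.split()
        if not tok:
            raise ValueError("empty time-range statement")
        if len(tok) >= 4 and tok[1] == "to" and ":" in tok[0]:  # periodic part
            start, end = parse_hhmm(tok[0]), parse_hhmm(tok[2])
            if end <= start:
                raise ValueError("end time must be greater than start time")
            i = next((k for k in range(3, len(tok)) if tok[k] in ("from", "to")), len(tok))
            if i == 3:
                raise ValueError("a periodic statement needs at least one day")
            self.periodic.append(Periodic(start, end, parse_days(tok[3:i])))
            tok = tok[i:]
        if tok:                                                  # absolute part
            window = Absolute()
            if tok[0] == "from":
                window.start, tok = parse_datetime(tok[1], tok[2]), tok[3:]
            if tok[:1] == ["to"]:
                window.end, tok = parse_datetime(tok[1], tok[2]), tok[3:]
            if tok:
                raise ValueError(f"unexpected tokens: {tok}")
            if window.start and window.end and window.end <= window.start:
                raise ValueError("absolute end must be later than its start")
            self.absolute.append(window)
        return self

    def active(self, now):
        periodic_ok = not self.periodic or any(p.active(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.active(now) for a in self.absolute)
        return periodic_ok and absolute_ok
```

Feeding the three test statements from the examples above and the clock from the display time-range example (10:45 on Thursday 4/14/2005) gives Active, because the working-day statement matches and the absolute statement from 2003 matches; the same clock on 12/31/2002 gives Inactive even though it is a working day, which is the AND between the two kinds.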
Syntax
acl number acl-number [ match-order { config | auto } ]
undo acl { number acl-number | all }
View
System view
Parameter
number: Defines a numbered access control list (ACL).
acl-number: IPv4 ACL number in the range 2000 to 4999, where:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
match-order: Sets the order in which ACL rules are matched.
- config: Performs matching against rules in the order in which they are configured.
- auto: Performs depth-first matching.
all: All IPv4 ACLs.
Description
Use the acl command to enter ACL view. If the ACL does not exist, it is created first.
Use the undo acl command to remove the specified IPv4 ACL or all IPv4 ACLs.
By default, the match order is config.
Example
# Create IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
1.2.2 description
Syntax
description text
undo description
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Parameter
text: ACL description, up to 127 characters.
Description
Use the description command to create an ACL description, for example to describe the purpose of the ACL.
Use the undo description command to remove the ACL description.
By default, no description is defined for an ACL.
Example
# Create a description for IPv4 ACL 3100.
<Sysname> system-view
[Sysname] acl number 3100
[Sysname-acl-adv-3100] description This acl is used in eth 0
# Remove the description of IPv4 ACL 3100.
[Sysname-acl-adv-3100] undo description
Syntax
display acl { all | acl-number }
View
Any view
Parameter
acl-number: IPv4 ACL number in the range 2000 to 4999.
all: All IPv4 ACLs.
Description
Use the display acl command to display information about the specified IPv4 ACL or about all IPv4 ACLs.
This command displays ACL rules in the matching order.
Example
# Display information about IPv4 ACL 2001.
<Sysname> display acl 2001
Basic acl 2001, 1 rule,
ACL's step is 5
 rule 5 permit source 1.1.1.1 0 (0 times matched)
 rule 5 comment This rule is used in gigabiteth 1
Table 1-2 Description on the fields of the display acl command
| Field | Description |
|---|---|
| Basic acl 2001 | The displayed information is about basic IPv4 ACL 2001. |
| 1 rule | The ACL contains one rule. |
| ACL's step is 5 | The rules in this ACL are numbered in steps of 5. |
| 0 times matched | No packet has matched this rule. Only ACL matches performed by software are counted; matches made during hardware forwarding do not increment the counter, so a zero count does not prove that a rule is never hit. |
| rule 5 comment This rule is used in gigabiteth 1 | The description of ACL rule 5 is "This rule is used in gigabiteth 1". |
1.2.4 reset acl counter
Syntax
reset acl counter { all | acl-number }
View
User view
Parameter
acl-number: IPv4 ACL number in the range 2000 to 4999.
all: All IPv4 ACLs.
Description
Use the reset acl counter command to clear statistics about the specified IPv4 ACL or about all IPv4 ACLs.
Example
# Clear statistics about IPv4 ACL 2001.
<Sysname> reset acl counter 2001
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id [ fragment | logging | source | time-range ]*
View
Basic IPv4 ACL view
Parameter
I. Parameters for the rule command
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
rule-string: Matching criteria and other rule information, defined by combinations of the parameters described in the following table.
Table 1-3 Parameters for basic IPv4 ACL rules
| Parameter | Function | Description |
|---|---|---|
| source { sour-addr sour-wildcard \| any } | Specifies a source address. | The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. Setting the wildcard to zero indicates a host address. The any keyword indicates any source IP address. |
| logging | Specifies to log matched packets. | The log provides the ACL rule number, whether packets are permitted or dropped, the upper layer protocol that IP carries, the source and destination addresses, the source and destination port numbers, and the number of packets. |
| fragment | Indicates that the rule applies only to non-first fragments. | –– |
| time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument specifies a time range name with 1 to 32 characters. |
sour-wildcard is the bitwise complement of the subnet mask: a wildcard bit set to 1 means that bit of the address is not compared. For example, to match the subnet with mask 255.255.0.0, enter 0.0.255.255.
II. Parameters for the undo rule command
rule-id: Number of an existing ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the specified settings are removed.
fragment: Removes the non-first fragment setting.
logging: Removes the logging setting.
source: Removes the source address setting.
time-range: Removes the time range setting.
S5500-SI Series Ethernet Switches do not currently support the logging parameter.
Description
Use the rule command to create an IPv4 ACL rule, or to modify the rule if it already exists.
Use the undo rule command to remove an ACL rule or to remove parameters from the rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it with the display acl command.
When configuring a rule, note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule; the system prompts that the rule already exists. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
- When defining ACL rules, you do not have to assign them IDs. The system can automatically assign rule IDs starting with 0 and increasing by the rule numbering step. A rule ID thus assigned is the next multiple of the step above the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
- Rules in an ACL created with the auto keyword are sorted according to the "depth first" principle regardless of the order in which they are created. The ID of each rule does not change, so the order in which display acl lists the rules, not the rule IDs, is the order in which they are matched.
Example
# Create a rule to deny packets with the source IP address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
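The wildcard convention and the match order together decide which rule a packet hits, and the two are easy to get wrong when a broad permit is entered before a narrow deny. The following added example (not the switch's code) implements the basic-ACL matching described above: wildcard bits set to 1 are not compared, a wildcard of 0 means one host, a fragment rule applies only to non-first fragments, and rules are tried first-match in config order. The page says only that auto order is "depth first" without defining it, so the auto ordering here (narrowest source range first, then lower rule ID) is an assumption used to show why the two orders can give different answers for the same packet.

```python
"""Match packets against basic IPv4 ACL rules using wildcard masks.

Added example for this section, not the switch's code. It applies the wildcard
convention stated above (a wildcard bit of 1 is not compared, so 0.0.255.255 pairs
with subnet mask 255.255.0.0 and 0 means one host), the fragment keyword, and
first-match evaluation in config order. The 'auto' (depth-first) order is not defined
on this page; here it is assumed to mean narrowest source range first, then lower rule ID.
"""
import ipaddress
from dataclasses import dataclass

def ip_int(text):
    """Dotted quad to an integer; the CLI also accepts a bare 0 for 0.0.0.0."""
    return int(text) if "." not in text else int(ipaddress.IPv4Address(text))

def subnet_mask_to_wildcard(mask):
    """Bitwise complement of a subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return str(ipaddress.IPv4Address(ip_int(mask) ^ 0xFFFFFFFF))

def source_matches(pkt_src, sour_addr, sour_wildcard):
    """True when every address bit the wildcard marks as 'compare' is equal."""
    care = ip_int(sour_wildcard) ^ 0xFFFFFFFF
    return (ip_int(pkt_src) & care) == (ip_int(sour_addr) & care)

@dataclass
class BasicRule:
    rule_id: int
    action: str                # "permit" or "deny"
    source: str = "any"        # "any" or "<sour-addr> <sour-wildcard>"
    fragment: bool = False     # rule applies only to non-first fragments

    def matches(self, pkt):
        if self.source != "any" and not source_matches(pkt["src"], *self.source.split()):
            return False
        if self.fragment and not pkt.get("non_first_fragment", False):
            return False
        return True

    def dont_care_bits(self):
        """Number of wildcard bits that are not compared; 32 for 'any'."""
        return 32 if self.source == "any" else bin(ip_int(self.source.split()[1])).count("1")

def ordered(rules, match_order="config"):
    """Rules in matching order; 'auto' is the assumed depth-first approximation."""
    if match_order == "config":
        return list(rules)
    return sorted(rules, key=lambda r: (r.dont_care_bits(), r.rule_id))

def lookup(rules, pkt, match_order="config"):
    """(action, rule_id) of the first matching rule, or (None, None) when none matches."""
    for rule in ordered(rules, match_order):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return None, None

if __name__ == "__main__":
    # Constructed sample ACL: a broad permit entered before a narrower deny.
    acl = [BasicRule(0, "permit", "1.1.0.0 0.0.255.255"),
           BasicRule(5, "deny", "1.1.1.1 0"),
           BasicRule(10, "deny")]
    for order in ("config", "auto"):
        print(order, lookup(acl, {"src": "1.1.1.1"}, order))
```

With the sample ACL, a packet from 1.1.1.1 is permitted by rule 0 under config order but denied by rule 5 under the assumed auto order, because the host rule is narrower. Whichever order the switch actually uses, display acl lists the rules in matching order, so that listing, not the rule IDs, is what to read when auditing an ACL.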
Syntax
rule [ rule-id ] { permit | deny } protocol [ rule-string ]
undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ]*
View
Advanced IPv4 ACL view
Parameter
I. Parameters for the rule command
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
protocol: Upper layer protocol carried by IP. It can be a number in the range 0 to 255, or one of the keywords gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp.
rule-string: Match criteria and other rule information, defined by combinations of the parameters described in the following table.
Table 1-4 Parameters for advanced IPv4 ACL rules
| Parameter | Function | Description |
|---|---|---|
| source { sour-addr sour-wildcard \| any } | Specifies a source address. | The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. Setting the wildcard to zero indicates a host address. The any keyword indicates any source IP address. |
| destination { dest-addr dest-wildcard \| any } | Specifies a destination address. | The dest-addr dest-wildcard argument specifies a destination IP address in dotted decimal notation. Setting dest-wildcard to zero indicates a host address. The any keyword indicates any destination IP address. |
| precedence precedence | Specifies an IP precedence. | The precedence argument can be a number in the range 0 to 7, or one of the keywords routine, priority, immediate, flash, flash-override, critical, internet, or network. |
| tos tos | Specifies a ToS preference. | The tos argument can be a number in the range 0 to 15, or one of the keywords max-reliability, max-throughput, min-delay, min-monetary-cost, or normal. |
| dscp dscp | Specifies a DSCP priority. | The dscp argument can be a number in the range 0 to 63, or one of the keywords af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef. |
| logging | Specifies to log matched packets. | The log provides the ACL rule number, whether packets are permitted or dropped, the upper layer protocol that IP carries, the source and destination addresses, the source and destination port numbers, and the number of packets. |
| reflective | Specifies the rule to be reflective. | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets, and its statement can only be permit. |
| fragment | Indicates that the rule applies only to non-first fragments. | –– |
| time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters. |
sour-wildcard and dest-wildcard are the bitwise complement of the source and destination subnet masks: a wildcard bit set to 1 means that bit of the address is not compared. For example, to match the subnet with mask 255.255.0.0, enter 0.0.255.255.
If the protocol argument is set to TCP or UDP, you may also define the parameters in the following table.
Table 1-5 TCP/UDP-specific parameters for advanced IPv4 ACL rules
| Parameter | Function | Description |
|---|---|---|
| source-port operator port1 [ port2 ] | Defines a match on the source port of the TCP/UDP packet. | The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). port1, port2: TCP or UDP port number, represented by a number in the range 0 to 65535 or by a name. You need to define the port2 argument only when the range keyword is used. |
| destination-port operator port1 [ port2 ] | Defines a match on the destination port of the TCP/UDP packet. | The operator, port1 and port2 arguments are as for source-port. |
| established | Restricts the rule to packets of established TCP connections. | A keyword specific to TCP. |
When using a port name to specify TCP/UDP ports, you can use the following names.
Table 1-6 TCP/UDP port values
| Protocol type | Value |
|---|---|
| TCP | chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80) |
| UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177) |
If the protocol argument is set to ICMP, you may also define the parameter in the following table.
Table 1-7 ICMP-specific parameters for advanced IPv4 ACL rules
| Parameter | Function | Description |
|---|---|---|
| icmp-type icmp-type icmp-code | Specifies the ICMP message type and code. | The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. |
The following table lists the ICMP messages in common use.
Table 1-8 ICMP messages in common use
| ICMP message | Type | Code |
|---|---|---|
| echo | 8 | 0 |
| echo-reply | 0 | 0 |
| fragmentneed-DFset | 3 | 4 |
| host-redirect | 5 | 1 |
| host-tos-redirect | 5 | 3 |
| host-unreachable | 3 | 1 |
| information-reply | 16 | 0 |
| information-request | 15 | 0 |
| net-redirect | 5 | 0 |
| net-tos-redirect | 5 | 2 |
| net-unreachable | 3 | 0 |
| parameter-problem | 12 | 0 |
| port-unreachable | 3 | 3 |
| protocol-unreachable | 3 | 2 |
| reassembly-timeout | 11 | 1 |
| source-quench | 4 | 0 |
| source-route-failed | 3 | 5 |
| timestamp-reply | 14 | 0 |
| timestamp-request | 13 | 0 |
| ttl-exceeded | 11 | 0 |
II. Parameters for the undo rule command
rule-id: Number of an existing ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the specified settings are removed.
destination: Removes the destination address setting.
destination-port: Removes the destination port setting. This keyword is available only for TCP and UDP.
dscp: Removes the DSCP setting.
fragment: Removes the non-first fragment setting.
icmp-type: Removes the ICMP type and code settings. This keyword is available only for ICMP.
logging: Removes the logging setting.
precedence: Removes the precedence setting.
reflective: Removes the reflective attribute of the rule.
source: Removes the source address setting.
source-port: Removes the source port setting. This keyword is available only for TCP and UDP.
time-range: Removes the time range setting.
tos: Removes the ToS setting.
Currently on S5500-SI Series Ethernet Switches:
- The established, logging and reflective parameters are unavailable.
- The operator cannot be neq when TCP or UDP is the selected protocol.
Description
Use the rule command to define or modify an ACL rule. If the rule does not exist, it is created first.
Use the undo rule command to remove an ACL rule or to remove parameters from the rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it with the display acl command.
When configuring a rule, note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule; the system prompts that the rule already exists. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
- When defining ACL rules, you do not have to assign them IDs. The system can automatically assign rule IDs starting with 0 and increasing by the rule numbering step. A rule ID thus assigned is the next multiple of the step above the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
- Rules in an ACL created with the auto keyword are sorted according to the "depth first" principle regardless of the order in which they are created. The ID of each rule does not change, so the order in which display acl lists the rules, not the rule IDs, is the order in which they are matched.
Example
# Define a rule to permit TCP packets with destination port 80 sent from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
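To see what the rule above actually admits, the following added example (not the switch's code) parses an advanced-ACL rule string of the form used in this section and matches it against packets described as five-tuples. It implements the port operators from Table 1-5 (lt, gt, eq, neq and the inclusive range), the protocol keywords and their IP protocol numbers, and the wildcard convention; PORT_NAMES is a constructed subset of Table 1-6, and the parser accepts only the source, destination, source-port and destination-port keywords, all of which are stated in this section. The neq operator is included for completeness even though the note above says the S5500-SI does not accept it.

```python
"""Match packets against advanced IPv4 ACL rules (protocol, addresses, ports).

Added example for this section, not the switch's code. It implements the port
operators from Table 1-5 (lt, gt, eq, neq, range), the protocol keywords and the
wildcard convention given above, and evaluates rules first-match in config order.
PORT_NAMES is a constructed subset of Table 1-6; the rule-string parser accepts
only the keywords used here (source, destination, source-port, destination-port).
"""
import ipaddress
from dataclasses import dataclass

# IP protocol numbers for the keywords listed under 'protocol'; 'ip' matches any.
PROTOCOLS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89, "ip": None}
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53, "dns": 53,
              "telnet": 23, "snmp": 161, "ntp": 123, "bgp": 179, "syslog": 514}

def ip_int(text):
    """Dotted quad to an integer; the CLI also accepts a bare 0 for 0.0.0.0."""
    return int(text) if "." not in text else int(ipaddress.IPv4Address(text))

def addr_matches(pkt_addr, rule_addr, wildcard):
    """Wildcard bits set to 1 are not compared (0.0.255.255 pairs with mask 255.255.0.0)."""
    care = ip_int(wildcard) ^ 0xFFFFFFFF
    return (ip_int(pkt_addr) & care) == (ip_int(rule_addr) & care)

def port_value(text):
    """A port given by name (Table 1-6 subset) or by number."""
    return PORT_NAMES[text] if text in PORT_NAMES else int(text)

def port_matches(port, operator, p1, p2=None):
    """The operator semantics from Table 1-5; range is inclusive."""
    return {"lt": port < p1, "gt": port > p1, "eq": port == p1,
            "neq": port != p1, "range": p2 is not None and p1 <= port <= p2}[operator]

@dataclass
class AdvancedRule:
    rule_id: int
    action: str
    protocol: str
    source: tuple = None        # (addr, wildcard); None means any
    destination: tuple = None
    source_port: tuple = None   # (operator, port1, port2)
    dest_port: tuple = None

    @classmethod
    def parse(cls, rule_id, text):
        """Parse e.g. 'permit tcp source 129.9.0.0 0.0.255.255 destination-port eq 80'."""
        tok = text.split()
        rule, i = cls(rule_id, tok[0], tok[1]), 2
        while i < len(tok):
            key = tok[i]
            if key in ("source", "destination"):
                if tok[i + 1] == "any":
                    value, i = None, i + 2
                else:
                    value, i = (tok[i + 1], tok[i + 2]), i + 3
                setattr(rule, key, value)
            elif key in ("source-port", "destination-port"):
                if rule.protocol not in ("tcp", "udp"):
                    raise ValueError("port criteria are valid only for tcp or udp")
                op, p1 = tok[i + 1], port_value(tok[i + 2])
                p2 = port_value(tok[i + 3]) if op == "range" else None
                i += 4 if op == "range" else 3
                setattr(rule, "source_port" if key == "source-port" else "dest_port", (op, p1, p2))
            else:
                raise ValueError(f"unsupported keyword: {key}")
        return rule

    def matches(self, pkt):
        proto = PROTOCOLS[self.protocol] if self.protocol in PROTOCOLS else int(self.protocol)
        if proto is not None and pkt["proto"] != proto:
            return False
        if self.source and not addr_matches(pkt["src"], *self.source):
            return False
        if self.destination and not addr_matches(pkt["dst"], *self.destination):
            return False
        if self.source_port and not port_matches(pkt["sport"], *self.source_port):
            return False
        if self.dest_port and not port_matches(pkt["dport"], *self.dest_port):
            return False
        return True

def lookup(rules, pkt):
    """(action, rule_id) of the first matching rule in config order, else (None, None)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return None, None
```

Run against the example rule, a TCP packet from 129.9.12.34 to 202.38.160.7 port 80 is permitted, while the same packet to port 443, the same flow over UDP, or a source outside 129.9.0.0/16 matches nothing; what then happens to it depends on the default action of the feature the ACL is applied to, which this section does not define.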
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id
View
Ethernet frame header ACL view
Parameter
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
rule-string: Match criteria and other rule information, defined by combinations of the parameters described in the following table.
Table 1-9 Parameters for Ethernet frame header ACL rules
| Parameter | Function | Description |
|---|---|---|
| type type-code type-wildcard | Defines the link layer protocol. | The type-code argument is a 16-bit hexadecimal number indicating the frame type. It corresponds to the type-code field in Ethernet_II and Ethernet_SNAP frames. The type-wildcard argument is a 16-bit hexadecimal number indicating the wildcard. |
| lsap lsap-code lsap-wildcard | Defines the DSAP and SSAP fields in the LLC encapsulation. | The lsap-code argument is a 16-bit hexadecimal number indicating the frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal number indicating the wildcard of the LSAP code. |
| source-mac sour-addr sour-mask | Specifies a source MAC address range. | The sour-addr and sour-mask arguments indicate a source MAC address and mask in xxxx-xxxx-xxxx format. |
| dest-mac dest-addr dest-mask | Specifies a destination MAC address range. | The dest-addr and dest-mask arguments indicate a destination MAC address and mask in xxxx-xxxx-xxxx format. |
| cos vlan-pri | Defines an 802.1p priority. | The vlan-pri argument ranges from 0 to 7. |
| time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters. |
S5500-SI Series Ethernet Switches do not currently support the lsap parameter.
Description
Use the rule command to create an ACL rule, or to modify the rule if it already exists.
Use the undo rule command to remove an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it with the display acl command.
When configuring a rule, note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule; the system prompts that the rule already exists. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
- When defining ACL rules, you do not have to assign them IDs. The system can automatically assign rule IDs starting with 0 and increasing by the rule numbering step. A rule ID thus assigned is the next multiple of the step above the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
- Rules in an ACL created with the auto keyword are sorted according to the "depth first" principle regardless of the order in which they are created. The ID of each rule does not change, so the order in which display acl lists the rules, not the rule IDs, is the order in which they are matched.
Example
# Create a rule to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Parameter
rule-id: ACL rule number in the range 0 to 65534.
text: ACL rule description, up to 127 characters.
Description
Use the rule comment command to create or modify an ACL rule description, for example to describe the purpose of the ACL rule or its attributes.
The command fails if the specified rule does not exist.
Use the undo rule comment command to remove the ACL rule description.
By default, no rule description is created.
Example
# Define rule 0 in IPv4 ACL 3101 and create a description for it. (ACL 3101 is an advanced ACL, so the rule must name a protocol; ip matches any.)
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule 0 permit ip source 1.1.1.1 0
[Sysname-acl-adv-3101] rule 0 comment This rule is used in gigabiteth 1
Syntax
step step-value
undo step
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Parameter
step-value: ACL rule numbering step. The default is 5.
Description
Use the step command to set the rule numbering step.
Use the undo step command to restore the default.
When defining rules in an ACL, you do not have to assign them numbers. The system can do this automatically in steps. For example, with the default step, rules you create are automatically numbered 0, 5, 10, 15, and so on. One benefit of the rule numbering step is that it lets you insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL configured with a step of 5, you can still insert a rule numbered 1.
Any step change results in renumbering. For example, after you change the step in the above example from 5 to 2, the rules are renumbered 0, 2, 4, 6, and 8. Because rule IDs change, scripts and change records that refer to rules by ID must be revisited after a step change.
Note that even if the current step is the default, the undo step command can still result in rule renumbering.
Example
# Set the rule numbering step to 2 for IPv4 ACL 3101.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] step 2
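The numbering rules scattered through this section (automatic IDs as multiples of the step, the 28 to 30 case, explicit insertion between existing IDs, rejection of duplicate rules, and renumbering from 0 when the step changes) are small enough to model exactly. The following added example (not the switch's code) does so; the one assumption, marked in the code, is that renumbering preserves the order of the old IDs, which is what the 0, 2, 4, 6, 8 example above implies.

```python
"""Automatic rule numbering and renumbering on step change for one ACL.

Added example for this section, not the switch's code. It reproduces the behaviour
described above: an unnumbered rule gets the next multiple of the step above the
current highest ID (step 5, highest 28 -> 30), explicit IDs may be inserted between
existing ones, a duplicate rule is rejected, and changing the step renumbers every
rule from 0 in the new step. Assumed: renumbering keeps the order of the old IDs.
"""

class RuleNumbering:
    def __init__(self, step=5):
        self.step = step
        self.rules = {}   # rule_id -> rule text, e.g. "permit source 1.1.1.1 0"

    def add_rule(self, text, rule_id=None):
        """Create (or modify, when rule_id names an existing rule) and return its ID."""
        if rule_id is None:
            if not self.rules:
                rule_id = 0
            else:
                rule_id = (max(self.rules) // self.step + 1) * self.step
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID out of range 0..65534")
        # The same permit/deny statement may not appear twice in one ACL.
        if text in self.rules.values() and self.rules.get(rule_id) != text:
            raise ValueError("the rule already exists")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step):
        """Change the step; every step change renumbers the rules."""
        if step < 1:
            raise ValueError("step must be positive")
        self.step = step
        self.renumber()

    def undo_step(self):
        """Restore the default of 5; renumbers even if the step already was 5."""
        self.set_step(5)

    def renumber(self):
        # Assumption: rules keep their relative order by old ID and restart from 0.
        ordered = sorted(self.rules.items())
        self.rules = {i * self.step: text for i, (_, text) in enumerate(ordered)}

    def ids(self):
        return sorted(self.rules)

if __name__ == "__main__":
    # Constructed walk-through of the text above: four automatic rules, one inserted at 1.
    acl = RuleNumbering()
    for text in ("permit source 1.1.1.1 0", "deny source 1.1.1.2 0",
                 "permit source any", "deny source 2.2.2.2 0"):
        acl.add_rule(text)
    acl.add_rule("deny source 3.3.3.3 0", rule_id=1)
    print("before:", acl.ids())    # [0, 1, 5, 10, 15]
    acl.set_step(2)
    print("after step 2:", acl.ids())   # [0, 2, 4, 6, 8]
```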