25-ACL Command



Chapter 1  ACL Configuration Commands

 

Note:

- The command used to apply ACL rules to a VLAN is newly added, which is described in packet-filter vlan.

- The command used to configure VLAN information for Layer 2 ACLs is newly added, which is described in rule (for Layer 2 ACLs).

1.1  ACL Configuration Commands

1.1.1  acl

Syntax

acl number acl-number [ match-order { auto | config } ]

undo acl { all | number acl-number }

View

System view

Parameters

all: Specifies to remove all access control lists (ACLs).

number acl-number: Specifies the number of an existing ACL or an ACL to be defined. ACL number identifies the type of an ACL as follows.

- An ACL number in the range 2000 to 2999 identifies a basic ACL.

- An ACL number in the range 3000 to 3999 identifies an advanced ACL. Note that 3998 and 3999 cannot be configured because they are reserved for cluster management.

- An ACL number in the range 4000 to 4999 identifies a Layer 2 ACL.

- An ACL number in the range 5000 to 5999 identifies a user-defined ACL.

match-order: Specifies the match order for ACL rules. The following two match orders exist.

- auto: Specifies to match ACL rules according to the depth-first rule.

- config: Specifies to match ACL rules in the order they are defined.

Note that the match-order keyword is not available to Layer 2 ACLs or user-defined ACLs. The match order for Layer 2 ACLs or user-defined ACLs can only be config. For details about the two match orders, refer to the relevant description in ACL Operation.

Description

Use the acl command to define an ACL and enter the corresponding ACL view.

Use the undo acl command to remove all the rules of the specified ACL or all the ACLs.

By default, ACL rules are matched in the order they are defined.

Only after the rules in an existing ACL are fully removed can you modify the match order of the ACL.

In ACL view, you can use the rule command to add rules to the ACL.

Related commands: rule.

Examples

# Define ACL 2000 and specify “depth-first” as the match order.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 2000 match-order auto

[Sysname-acl-basic-2000]

# Add three rules with different numbers of zeros in the source wildcards.

[Sysname-acl-basic-2000] rule 1 permit source 1.1.1.1 0.255.255.255

[Sysname-acl-basic-2000] rule 2 permit source 2.2.2.2 0.0.255.255

[Sysname-acl-basic-2000] rule 3 permit source 3.3.3.3 0.0.0.255

# Use the display acl command to display the configuration information of ACL 2000.

[Sysname-acl-basic-2000] display acl 2000

Basic ACL  2000, 3 rules, match-order is auto

Acl's step is 1

 rule 3 permit source 3.3.3.0 0.0.0.255

 rule 2 permit source 2.2.0.0 0.0.255.255

 rule 1 permit source 1.0.0.0 0.255.255.255

As shown in the output information, the switch sorts the rules of ACL 2000 in the depth-first order: a rule with more zeros in the source IP address wildcard has a higher priority.
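The depth-first ordering shown in the output above, modelled in Python as an added example (not code from the manual or the switch); it assumes that under auto order the rule whose source wildcard has the most zero bits is checked first, that the switch displays a source address with its wildcard bits cleared (3.3.3.3 0.0.0.255 becomes 3.3.3.0), and, for the wildcard note under rule (for Basic ACLs), that a wildcard is the bitwise complement of the subnet mask. The ACL rules and packet addresses are constructed.

```python
"""Basic IPv4 ACL matching under the config and auto (depth-first) match orders."""
from ipaddress import IPv4Address


def _to_int(dotted: str) -> int:
    """Accept dotted decimal, or the bare "0" the CLI allows as a host wildcard."""
    return 0 if dotted == "0" else int(IPv4Address(dotted))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard is the bitwise complement of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return str(IPv4Address(0xFFFFFFFF ^ _to_int(subnet_mask)))


def stored_address(addr: str, wildcard: str) -> str:
    """Address as display acl shows it: the bits covered by the wildcard are cleared."""
    return str(IPv4Address(_to_int(addr) & (0xFFFFFFFF ^ _to_int(wildcard))))


def matches(rule_addr: str, wildcard: str, packet_src: str) -> bool:
    """A packet matches when every bit the wildcard does not cover is equal."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(rule_addr) & care) == (_to_int(packet_src) & care)


def zero_bits(wildcard: str) -> int:
    """Zero bits in the wildcard; more zeros means a more specific rule."""
    return 32 - bin(_to_int(wildcard)).count("1")


def ordered(rules, match_order):
    """Rules are (rule_id, action, source, wildcard). config: as defined; auto: depth-first."""
    if match_order == "config":
        return list(rules)
    # Stable sort keeps the configured order for rules with equally specific wildcards.
    return sorted(rules, key=lambda r: -zero_bits(r[3]))


def evaluate(rules, match_order, packet_src):
    """Return (action, rule_id) of the first rule that matches, or (None, None)."""
    for rule_id, action, src, wildcard in ordered(rules, match_order):
        if src == "any" or matches(src, wildcard, packet_src):
            return action, rule_id
    return None, None  # how unmatched packets are treated is outside this model


# Constructed ACL: a broad permit defined before two narrower deny rules, so the
# result for a host in 10.1.1.0/24 depends on the match order.
ACL_2000 = [
    (1, "permit", "10.0.0.0", "0.255.255.255"),  # all of 10.0.0.0/8
    (2, "deny", "10.1.1.0", "0.0.0.255"),        # one /24 inside it
    (3, "deny", "10.1.1.7", "0"),                # one host, wildcard 0
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_2000, order, "10.1.1.7"))
```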

1.1.2  description

Syntax

description text

undo description

View

Basic ACL view, advanced ACL view, Layer 2 ACL view, user-defined ACL view

Parameters

text: Description string to be assigned to an ACL, a string of 1 to 127 characters. Blank spaces and special characters are acceptable.

Description

Use the description command to assign a description string to an ACL.

Use the undo description command to remove the description string of the ACL.

You can give ACLs descriptions to provide relevant information such as their application purposes and the ports they are applied to, so that you can easily identify and distinguish ACLs by their descriptions.

By default, no description string is assigned for an ACL.

Examples

# Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets

# Use the display acl command to view the configuration information of ACL 3000.

[Sysname-acl-adv-3000] display acl 3000

Advanced ACL  3000, 0 rule

This acl is used for filtering all HTTP packets

Acl's step is 1

# Remove the description string of ACL 3000.

[Sysname-acl-adv-3000] undo description

1.1.3  display acl

Syntax

display acl { all | acl-number }

View

Any view

Parameters

all: Displays all ACLs.

acl-number: Number of the ACL to be displayed, in the range of 2000 to 5999.

Description

Use the display acl command to display the configuration information of a specified or all ACLs.

Note that if you specify the match order of an ACL when configuring the ACL, this command will display the rules of the ACL in the specified match order.

Examples

# Display information about ACL 2000.

<Sysname> display acl 2000

Basic ACL  2000, 3 rules, match-order is auto

This acl is used in Gigabiteth 1/0/1

Acl's step is 1

 rule 3 permit source 3.3.3.0 0.0.0.255

 rule 2 permit source 2.2.0.0 0.0.255.255

 rule 1 permit source 1.0.0.0 0.255.255.255

Table 1-1 Description on the fields of the display acl command

Field                                     Description
Basic ACL 2000                            The displayed information is about the basic ACL 2000.
3 rules                                   The ACL includes three rules.
match-order is auto                       The match order of the ACL is depth-first. If this field is not displayed, the match order of the ACL is config.
This acl is used in Gigabiteth 1/0/1      Description of the ACL
Acl's step is 1                           The step for rules of this ACL is 1.
rule 3 permit source 3.3.3.0 0.0.0.255    Detailed information of a rule

1.1.4  display drv-module qacl qacl_resource

Syntax

display drv-module qacl qacl_resource

View

Any view

Parameters

None

Description

Use the display drv-module qacl qacl_resource command to display the usage of ACL resources on a switch.

The output shows how many ACL resources are consumed and how many remain, so you can determine whether an ACL rule failed to be assigned because the ACL resources are exhausted.

Examples

# Display the usage of ACL resources on a switch.

<Sysname> display drv-module qacl qacl_resource

         block   used-mask used-rule spare-mask  spare-rule

 UNIT 0:  0         7          18           9            110
           1         7          18           9            110
           2         7          18           9            110
           3         7          18           9            110
           4         8          19           8            109
           5         7          18           9            110
           6         7          18           9            110
           7         7          18           9            110
           8         7          18           9            110
           9         7          18           9            110
          10         7          18           9            110
          11         7          18           9            110
 UNIT 1:  0         7          18           9            110
           1         7          18           9            110
           2         7          18           9            110
           3         7          18           9            110
           4         7          18           9            110
           5         7          18           9            110
           6         7          18           9            110
           7         7          18           9            110
           8         7          18           9            110
           9         7          18           9            110
          10         7          18           9            110
          11         7          18           9            110

Table 1-2 Description on the fields of the display drv-module qacl qacl_resource command

Field         Description
UNIT          On the front panel, from left to right, every six columns of GE ports (twelve GE ports in total) represent a unit, numbered starting from 0.
block         Every GE port represents a block, numbered starting from 0.
used-mask     Number of masks used
used-rule     Number of rules used
spare-mask    Number of masks remaining
spare-rule    Number of rules remaining

# Apply ACL 2001 to port GigabitEthernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] packet-filter inbound ip-group 2001

Applying Acl 2001 rule 0 failed!  Reason: Resource unavailable!(GigabitEthernet1/0/1)

The above output information shows that the application failed because there is no available rule resource on port GigabitEthernet 1/0/1.
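A parser for the display drv-module qacl qacl_resource output, added here as an example (not code from the manual or the switch): it reads the row format shown above, including the "UNIT n:" prefix that only the first row of each unit carries, and flags blocks with no spare rule or mask entries, which is the condition behind the "Resource unavailable" failure in the packet-filter example. The sample rows are constructed from the page's format, with one exhausted block added.

```python
"""Parse qacl_resource output and find blocks whose ACL resources are exhausted."""
import re
from dataclasses import dataclass

# Constructed sample in the format shown on this page (a real unit has twelve blocks);
# unit 1 block 0 is made up to show an exhausted block.
SAMPLE_OUTPUT = """\
         block   used-mask used-rule spare-mask  spare-rule

 UNIT 0:  0         7          18           9            110
           1         7          18           9            110
           4         8          19           8            109
 UNIT 1:  0        16        128           0              0
           1         7          18           9            110
"""


@dataclass(frozen=True)
class BlockUsage:
    unit: int
    block: int
    used_mask: int
    used_rule: int
    spare_mask: int
    spare_rule: int


_UNIT_RE = re.compile(r"^UNIT\s+(\d+):\s*(.*)$")


def parse_qacl_resource(text: str) -> list:
    """Return one BlockUsage per data row; the unit number carries over to following rows."""
    rows, unit = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("block"):
            continue  # blank line or the column header
        m = _UNIT_RE.match(line)
        if m:
            unit, line = int(m.group(1)), m.group(2)
        if unit is None:
            raise ValueError("data row before any UNIT header: %r" % raw)
        fields = [int(f) for f in line.split()]
        if len(fields) != 5:
            raise ValueError("expected 5 numeric columns: %r" % raw)
        rows.append(BlockUsage(unit, *fields))
    return rows


def exhausted_blocks(rows):
    """(unit, block) pairs where no rule or no mask resource remains."""
    return [(r.unit, r.block) for r in rows if r.spare_rule == 0 or r.spare_mask == 0]


def least_spare_rules(rows):
    """The block closest to running out of rule entries."""
    return min(rows, key=lambda r: r.spare_rule)


if __name__ == "__main__":
    usage = parse_qacl_resource(SAMPLE_OUTPUT)
    print("exhausted blocks:", exhausted_blocks(usage))
    low = least_spare_rules(usage)
    print("lowest spare-rule: unit %d block %d (%d left)" % (low.unit, low.block, low.spare_rule))
```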

1.1.5  display packet-filter

Syntax

display packet-filter { interface interface-type interface-number | unitid unit-id }

View

Any view

Parameters

interface interface-type interface-number: Displays information about packet filtering on the specified port.

unitid unit-id: Displays information about packet filtering on the specified unit (when the switch is in a fabric) or packet filtering on all ports of the current switch (when the switch is not in a fabric). In the former case, the unit-id argument is in the range 1 to 8; in the latter case, the unit-id argument can only be 1.

Description

Use the display packet-filter command to display information about packet filtering.

Examples

# Display information about packet filtering on all ports of a switch that is not in a fabric.

<Sysname> display packet-filter unitid 1

GigabitEthernet1/0/1

 Inbound:

 Acl 2000 rule 0  running

GigabitEthernet1/0/2

 Outbound:

 Acl 2001 rule 0  not running

Table 1-3 Description on the fields of the display packet-filter command

Field                  Description
GigabitEthernet1/0/1   Port on which packet filtering is performed
Inbound                Direction of the packet filtering
Acl 2000 rule 0        ACL and its rule(s) applied
running                Status of the rule, which can be:
                       - running: The ACL rule is active.
                       - not running: The ACL rule is inactive. Usually, this is because the current time is out of the rule's time range.

1.1.6  display time-range

Syntax

display time-range { all | time-name }

View

Any view

Parameters

all: Displays all time ranges.

time-name: Name of a time range, a string of 1 to 32 characters that starts with a to z or A to Z.

Description

Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”.

Related commands: time-range.

Examples

# Display all time ranges.

<Sysname> display time-range all

Current time is 17:01:34 May/21/2007 Monday

Time-range : tr ( Active )

 12:00 to 18:00 working-day

Time-range : tr1 ( Inactive )

 From 12:00 Jan/1/2008 to 12:00 Jun/1/2008

Table 1-4 Description on the fields of the display time-range command

Field                                          Description
Current time is 17:01:34 May/21/2007 Monday    Current system time
Time-range                                     Name of the time range
Active                                         Status of the time range, which can be:
                                               - Active: The time range is currently active.
                                               - Inactive: The time range is currently inactive.
12:00 to 18:00 working-day                     The periodic time range is from 12:00 to 18:00 on each working day.
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008      The absolute time range is from 12:00 January 1, 2008 to 12:00 June 1, 2008.
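Recomputing the Active/Inactive status from a display time-range listing, added here as an example (not code from the manual or the switch); it also lets you check ahead of time whether a rule bound to a time range will show as "not running" under display packet-filter. Assumptions: a time range is active when the current time falls inside one of its absolute ranges (if any) and one of its periodic ranges (if any), working-day means Monday to Friday, and the off-day and daily keywords (not on this page) are the obvious complements; the sample is the output shown above plus one constructed range (tr2) with both a periodic and an absolute part.

```python
"""Recompute time-range status from display time-range output."""
import re
from datetime import datetime

# Constructed sample: the page's output plus tr2, which has both kinds of range.
SAMPLE = """\
Current time is 17:01:34 May/21/2007 Monday
Time-range : tr ( Active )
 12:00 to 18:00 working-day
Time-range : tr1 ( Inactive )
 From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
Time-range : tr2 ( Active )
 08:00 to 20:00 working-day
 From 00:00 Jan/1/2007 to 00:00 Jan/1/2010
"""

_HEAD = re.compile(r"^Time-range : (\S+) \( (Active|Inactive) \)$")
_PERIODIC = re.compile(r"^(\d\d:\d\d) to (\d\d:\d\d) (\S+)$")
_ABSOLUTE = re.compile(r"^From (\d\d:\d\d \S+) to (\d\d:\d\d \S+)$")
_ABS_FMT = "%H:%M %b/%d/%Y"
# Assumed day keywords; only working-day appears on this page (weekday() 0 is Monday).
_DAYS = {"working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7))}


def parse_display(text):
    """Return (current time, {name: {"shown": ..., "periodic": [...], "absolute": [...]}})."""
    now, ranges, cur = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Current time is "):
            now = datetime.strptime(line[len("Current time is "):], "%H:%M:%S %b/%d/%Y %A")
        elif m := _HEAD.match(line):
            cur = ranges.setdefault(m.group(1), {"shown": m.group(2), "periodic": [], "absolute": []})
        elif m := _PERIODIC.match(line):
            start, end = (datetime.strptime(t, "%H:%M").time() for t in m.group(1, 2))
            cur["periodic"].append((start, end, _DAYS[m.group(3)]))
        elif m := _ABSOLUTE.match(line):
            cur["absolute"].append(tuple(datetime.strptime(t, _ABS_FMT) for t in m.group(1, 2)))
    return now, ranges


def is_active(spec, moment):
    """Assumed rule: inside some absolute range (if any) and some periodic range (if any)."""
    if spec["absolute"] and not any(a <= moment < b for a, b in spec["absolute"]):
        return False
    if spec["periodic"] and not any(
        moment.weekday() in days and start <= moment.time() < end
        for start, end, days in spec["periodic"]
    ):
        return False
    return True


def recomputed_status(text):
    """Map each time-range name to (status shown by the switch, status recomputed here)."""
    now, ranges = parse_display(text)
    return {n: (s["shown"], "Active" if is_active(s, now) else "Inactive") for n, s in ranges.items()}


def status_at(text, name, when):
    """Status the range `name` would have if the current time were `when` ("HH:MM Mon/D/YYYY")."""
    spec = parse_display(text)[1][name]
    return "Active" if is_active(spec, datetime.strptime(when, _ABS_FMT)) else "Inactive"
```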

 

1.1.7  packet-filter

Syntax

packet-filter inbound acl-rule

undo packet-filter inbound acl-rule

View

Ethernet port view

Parameters

inbound: Filters inbound packets.

acl-rule: ACL or ACL rules to be applied. This argument can be one of those listed in Table 1-5.

Table 1-5 Combined application of ACLs

Combination mode                                                                   The acl-rule argument
Apply all the rules of an ACL that is of IP type (a basic ACL or an advanced ACL)  ip-group acl-number
Apply a rule of an ACL that is of IP type                                          ip-group acl-number rule rule-id
Apply all the rules of a Layer 2 ACL                                               link-group acl-number
Apply a rule of a Layer 2 ACL                                                      link-group acl-number rule rule-id
Apply all the rules of a user-defined ACL                                          user-group acl-number
Apply a rule of a user-defined ACL                                                 user-group acl-number rule rule-id
Apply a rule of an ACL that is of IP type and a rule of a Layer 2 ACL              ip-group acl-number rule rule-id link-group acl-number rule rule-id

In Table 1-5:

- The ip-group acl-number keyword specifies a basic or an advanced ACL. The acl-number argument ranges from 2000 to 3999.

- The link-group acl-number keyword specifies a Layer 2 ACL. The acl-number argument ranges from 4000 to 4999.

- The user-group acl-number keyword specifies a user-defined ACL. The acl-number argument ranges from 5000 to 5999.

- The rule rule-id keyword specifies a rule of an ACL. The rule-id argument ranges from 0 to 65534. If you do not specify this keyword, all the rules of the ACL are applied.

Description

Use the packet-filter command to apply ACL rules on a port to filter packets.

Use the undo packet-filter command to remove the application of ACL rules on a port.

Examples

# Apply all rules of basic ACL 2000 on GigabitEthernet 1/0/1 to filter inbound packets. Here, it is assumed that the ACL and its rules are already configured.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface GigabitEthernet1/0/1

[Sysname-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000

[Sysname-GigabitEthernet1/0/1] quit

# Apply rule 1 of Layer 2 ACL 4000 on GigabitEthernet 1/0/2 to filter inbound packets. Here, it is assumed that the ACL and its rule numbered 1 are already configured.

[Sysname] interface GigabitEthernet 1/0/2

[Sysname-GigabitEthernet1/0/2] packet-filter inbound link-group 4000 rule 1

[Sysname-GigabitEthernet1/0/2] quit

# Apply rule 2 of user-defined ACL 5000 on GigabitEthernet 1/0/3 to filter inbound packets. Here, it is assumed that the ACL and its rule numbered 2 are already configured.

[Sysname] interface GigabitEthernet 1/0/3

[Sysname-GigabitEthernet1/0/3] packet-filter inbound user-group 5000 rule 2

[Sysname-GigabitEthernet1/0/3] quit

# Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 on GigabitEthernet 1/0/4 to filter inbound packets. Here, it is assumed that the ACLs and their rules are already configured.

[Sysname] interface GigabitEthernet 1/0/4

[Sysname-GigabitEthernet1/0/4] packet-filter inbound ip-group 3000 rule 1 link-group 4000 rule 2

After completing the above configuration, you can use the display packet-filter command to view information about packet filtering.

1.1.8  packet-filter vlan

Syntax

packet-filter vlan vlan-id inbound acl-rule

undo packet-filter vlan vlan-id inbound acl-rule

View

System view

Parameters

vlan-id: VLAN ID.

inbound: Specifies to filter packets received by the ports in the VLAN.

acl-rule: ACL rules to be applied, which can be a combination of the rules of multiple ACLs, as described in Table 1-5.

Description

Use the packet-filter vlan command to apply ACL rules to a VLAN to filter packets.

Use the undo packet-filter vlan command to remove the application of ACL rules to a VLAN.

When you need to apply an ACL to all ports in a VLAN, you can use the packet-filter vlan command to achieve the goal in one operation.

Examples

# Apply all rules of basic ACL 2000 to VLAN 10 to make all ports in VLAN 10 filter inbound packets. Here, it is assumed that the ACL and its rules and the VLAN are already configured.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] packet-filter vlan 10 inbound ip-group 2000

# Apply rule 1 of Layer 2 ACL 4000 to VLAN 20 to make all ports in VLAN 20 filter inbound packets. Here, it is assumed that the ACL and its rule numbered 1 and the VLAN are already configured.

[Sysname] packet-filter vlan 20 inbound link-group 4000 rule 1

# Apply rule 2 of user-defined ACL 5000 to VLAN 30 to make all ports in VLAN 30 filter inbound packets. Here, it is assumed that the ACL and its rule numbered 2 and the VLAN are already configured.

[Sysname] packet-filter vlan 30 inbound user-group 5000 rule 2

# Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 to VLAN 40 to make all ports in VLAN 40 filter inbound packets. Here, it is assumed that the ACLs and their rules and the VLAN are already configured.

[Sysname] packet-filter vlan 40 inbound ip-group 3000 rule 1 link-group 4000 rule 2

After completing the above configuration, you can use the display packet-filter command to view information about packet filtering.

1.1.9  rule (for Basic ACLs)

Syntax

rule [ rule-id ] { deny | permit } [ rule-string ]

undo rule rule-id [ fragment | source | time-range ]*

View

Basic ACL view

Parameters

I. Parameters of the rule command

rule-id: ACL rule ID, in the range of 0 to 65534.

deny: Drops the matched packets.

permit: Permits the matched packets.

rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-6.

Table 1-6 Parameters for basic IPv4 ACL rules

source { sour-addr sour-wildcard | any }
  Function: Specifies a source address.
  Description: The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. Setting the wildcard to 0 specifies a host address. The any keyword indicates any source IP address.

fragment
  Function: Indicates that the rule applies only to non-tail fragments.
  Description: None.

time-range time-name
  Function: Specifies the time range in which the rule takes effect.
  Description: time-name specifies the name of the time range in which the rule is active, a string of 1 to 32 characters.

Note:

sour-wildcard is the bitwise complement of the source subnet mask. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.

II. Parameters of the undo rule command

rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.

fragment: Removes the settings concerning non-tail fragments in the ACL rule.

source: Removes the settings concerning source address in the ACL rule.

time-range: Removes the settings concerning time range in the ACL rule.

Description

Use the rule command to define an ACL rule.

Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.

To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.

Note that:

- With the config match order specified for the basic ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified for the basic ACL, you cannot modify any existing rule; otherwise the system displays an error message.

- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is already 65534, the system displays an error message and you need to specify a number for the rule.

- The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation fails, and the system prompts that the rule already exists.

- With the auto match order specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unaltered.

Examples

# Create basic ACL 2000 and define rule 1 to deny packets whose source IP addresses are 192.168.0.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule 1 deny source 192.168.0.1 0

[Sysname-acl-basic-2000] quit

# Create basic ACL 2001 and define rule 1 to deny packets that are non-tail fragments.

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule 1 deny fragment

[Sysname-acl-basic-2001] quit

# Create basic ACL 2002 and define rule 1 to deny all packets during the period specified by time range trname.

[Sysname] acl number 2002

[Sysname-acl-basic-2002] rule 1 deny time-range trname

After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.

1.1.10  rule (for Advanced ACLs)

Syntax

rule [ rule-id ] { deny | permit } protocol [ rule-string ]

undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos ]*

View

Advanced ACL view

Parameters

I. Parameters of the rule command

rule-id: ACL rule ID, in the range of 0 to 65534.

deny: Drops the matched packets.

permit: Permits the matched packets.

protocol: Protocol carried by IP. When the protocol is represented by a number, it ranges from 1 to 255; when it is represented by a name, it can be gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17).

rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-7.

Table 1-7 Arguments/keywords available to the rule-string argument

source { sour-addr sour-wildcard | any }
  Type: Source address
  Function: Specifies the source address information for the ACL rule.
  Description: The sour-addr sour-wildcard arguments specify the source address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the source address by providing 0 for the sour-wildcard argument. The any keyword specifies any source address.

destination { dest-addr dest-wildcard | any }
  Type: Destination address
  Function: Specifies the destination address information for the ACL rule.
  Description: The dest-addr dest-wildcard arguments specify the destination address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the destination address by providing 0 for the dest-wildcard argument. The any keyword specifies any destination address.

precedence precedence
  Type: Packet priority
  Function: Specifies an IP precedence.
  Description: The precedence argument can be a number in the range 0 to 7.

tos tos
  Type: Packet priority
  Function: Specifies a ToS preference.
  Description: The tos argument can be a number in the range 0 to 15.

dscp dscp
  Type: Packet priority
  Function: Specifies a DSCP priority.
  Description: The dscp argument can be a number in the range 0 to 63.

fragment
  Type: Fragment information
  Function: Indicates that the rule applies only to non-tail fragments.

time-range time-name
  Type: Time range information
  Function: Specifies the time range in which the rule takes effect.
  Description: time-name specifies the name of the time range in which the rule is active, a string of 1 to 32 characters.

Note:

The sour-wildcard/dest-wildcard argument is the bitwise complement of the source/destination subnet mask. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.

If you specify the dscp keyword, you can directly input a value ranging from 0 to 63 or input one of the keywords listed in Table 1-8 as DSCP.

Table 1-8 DSCP values and the corresponding keywords

Keyword    DSCP value in decimal    DSCP value in binary
af11       10                       001010
af12       12                       001100
af13       14                       001110
af21       18                       010010

af22