Type A line processing units (LPUs) include LS81FT48A, LS81FM24A,
LS81FS24A, LS81GB8UA and LS81GT8UA.
Syntax
acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]
undo acl { number acl-number | name acl-name | all }
View
System view
Parameter
number acl-number: Specifies the number of an access control list (ACL), in the range of:
- 2,000 to 2,999: basic ACLs.
- 3,000 to 3,999: advanced ACLs. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
- 4,000 to 4,999: Layer 2 ACLs.
- 5,000 to 5,999: user-defined ACLs.
name acl-name: Specifies the ACL name, a case-insensitive string of up to 32 characters that starts with an English letter (a-z or A-Z), contains no space or quotation mark, and does not contain the word all (to avoid confusion with the keyword all).
advanced: Advanced ACL.
basic: Basic ACL.
link: Layer 2 ACL.
user: User-defined ACL.
config: Matches ACL rules in the order in which they were configured.
auto: Matches ACL rules in depth-first order.
all: Deletes all ACLs (including those identified by a number or a name).
Description
Use the acl command to define an ACL and enter the corresponding ACL view.
Use the undo acl command to delete all entries of an ACL identified by a number or a name, or to delete all ACLs.
By default, ACL rules are matched in the configured order (config).
After entering the corresponding ACL view, you can use the rule command to add entries to the ACL (use the quit command to leave the ACL view).
User-defined ACLs can only be activated on LPUs other than Type A.
You can use the match-order keyword to specify whether rules are matched in the configured order or in "depth-first" order (rules with smaller address ranges are matched first). If no match order is specified, the configured order is used. The choice matters for filtering correctness: under the configured order a broad permit entered before a host-specific deny hides that deny, whereas under depth-first order the host-specific rule is tried first regardless of where it was entered.
You cannot modify the match order of an ACL once you have specified it, unless you delete all entries of the ACL and specify the match order again.
The ACL match order takes effect only when the ACL is referenced by software for data filtering or traffic classification. For ACL rules applied to a port, the acl order command sets the match order.
Related command: rule, acl mode.
Example
# Define rules for ACL 2000, and specify
“depth-first” order as the rule match order.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000 match-order auto
Syntax
acl mode { ip-based | link-based }
View
System view
Parameter
ip-based: Performs traffic classification based on Layer 3
information.
link-based: Performs traffic classification based on Layer 2
information.
Description
Use the acl mode command to set the traffic classification mode for the device.
By default, traffic classification is performed based on Layer 3 information.
Related command: acl.
This configuration is only effective on Type A LPUs.
Example
# Specify to perform traffic classification
based on Layer 3 information.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl mode ip-based
Syntax
acl order { auto | first-config-first-match | last-config-first-match }
View
System view
Parameter
auto: Specifies that the ACL rules applied to a port are matched in depth-first order.
first-config-first-match: Specifies that the ACL rules applied to a port are matched in configuration order: first configured, first matched.
last-config-first-match: Specifies that the ACL rules applied to a port are matched in reverse configuration order: last configured, first matched.
Description
Use the acl order command to set the match order for the ACL rules applied to a port.
By default, the ACL rules applied to a port take effect in depth-first order.
Use the acl match-order { config | auto } command to set the match order of ACL rules when they are configured. Use the acl order command to set the match order of ACL rules when they are applied to a port.
Example
# Configure the match order of ACL rules
applied to a port as first-config-first-match order.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl order first-config-first-match
Syntax
display acl config { all | acl-number | acl-name }
View
Any view
Parameter
all: Displays all ACLs (including those identified by a number or a name).
acl-number: Number of the ACL to be displayed, in the range of 2,000 to 5,999.
acl-name: Name of the ACL to be displayed, a case-insensitive string of up to 32 characters that starts with an English letter (a-z or A-Z), contains no space or quotation mark, and does not contain the word all (to avoid confusion with the all keyword).
Description
Use the display acl config command to view the detailed configuration of an ACL, including every rule of the ACL, the ACL type and number, and the number of times the ACL has matched packets.
The match count displayed by this command counts software matches only, that is, ACL matches processed by the switch CPU. Packets handled by an ACL applied in hardware do not increment it, so a count of 0 does not by itself mean a rule never matched traffic. Use the traffic-statistic command to count hardware matches during packet forwarding, and the display qos-interface traffic-statistic command to view those statistics. For the traffic-statistic and display qos-interface traffic-statistic commands, refer to the QoS part of the Command Manual.
Example
# Display all ACL configuration.
<H3C> display acl config all
Basic ACL 2000, 1 rule,
rule 0 permit source 1.1.1.1 0 (0 times matched)
Syntax
display acl config statistics
View
Any view
Parameter
None
Description
Use the display acl config statistics command to display statistics on the currently configured ACL rules, including the number of basic, advanced, Layer 2 and user-defined ACL rules, and the total number of ACL rules configured on the system.
Example
# Display statistics about the currently configured ACL rules.
<H3C> display acl config statistics
The configured rule statistics:
Basic rule(s): 5
Advanced rule(s): 132
Link rule(s): 4
User rule(s): 2
Total 143 rule(s) configured
Syntax
display acl mode
View
Any view
Parameter
None
Description
Use the display acl mode command to view the ACL running mode chosen by the switch for filtering traffic.
Example
# Display the ACL running mode chosen by the switch.
<H3C> display acl mode
The current acl mode: ip-based.
Syntax
display acl order
View
Any view
Parameter
None
Description
Use the display acl order command to display the match order of the ACL rules applied to a port.
Example
# Display the match order of ACL rules applied to a port.
<H3C> display acl order
the current order is auto
Syntax
display acl remaining entry slot slot-number
View
Any view
Parameter
slot-number: Number of a slot. The number 0 indicates the SRPU.
Description
Use the display acl remaining entry slot command to display the remaining ACL entries on a specified slot. The display includes the entry resource type, the total number of entry resources, the number of entries reserved for system ACLs, the number of configured ACL entries, the number of remaining ACL entries, and the start and end port names for each type of entry.
Example
# Display the remaining ACL resources on slot 3.
<H3C> display acl remaining entry slot 3
Slot: 3
Resource  Total   Reserved  Configured  Remaining  Start      End
Type      Number  Number    Number      Number     Port Name  Port Name
--------------------------------------------------------------------------
MASK      16      6         1           9          GE3/0/1    GE3/0/1
RULE      128     17        1           110        GE3/0/1    GE3/0/1
METER     128     11        1           116        GE3/0/1    GE3/0/1
COUNTER   128     14        1           113        GE3/0/1    GE3/0/1
MASK      16      6         1           9          GE3/0/2    GE3/0/2
RULE      128     17        1           110        GE3/0/2    GE3/0/2
METER     128     11        1           116        GE3/0/2    GE3/0/2
COUNTER   128     14        1           113        GE3/0/2    GE3/0/2
Table 1-1 Description on the fields of the display acl remaining entry slot command
Field | Description
Resource Type | Entry resource type
Total Number | Total number of entry resources
Reserved Number | Number of entries reserved for system ACLs during initialization
Configured Number | Number of entries used by the ACLs configured by users
Remaining Number | Number of remaining entries
Start Port Name | The corresponding start port of each type of entry
End Port Name | The corresponding end port of each type of entry
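The remaining-entry display above is the place to look before assuming a new packet-filter took effect: an ACL that cannot be activated for lack of hardware entries is a silent gap in filtering. The following Python parser is an added example, not code from the H3C manual or from Comware. `SAMPLE` is constructed to follow the column layout shown above (real column widths may differ and would need the regular expression adjusted), `parse_remaining` and `low_resources` are names chosen here, and the 10 percent threshold is an arbitrary choice for the demo.

```python
"""Parse `display acl remaining entry slot` output and flag ports whose ACL
hardware entries are nearly exhausted.

Added example; not code from the H3C manual or from Comware. SAMPLE is
constructed to follow the column layout of the display shown above (real
column widths may differ), and the 10 percent threshold is an arbitrary
choice for the demo.
"""
import re

SAMPLE = """\
Slot: 3
Resource  Total    Reserved  Configured  Remaining  Start      End
Type      Number   Number    Number      Number     Port Name  Port Name
--------------------------------------------------------------------------
MASK      16       6         1           9          GE3/0/1    GE3/0/1
RULE      128      17        1           110        GE3/0/1    GE3/0/1
METER     128      11        1           116        GE3/0/1    GE3/0/1
COUNTER   128      14        1           113        GE3/0/1    GE3/0/1
MASK      16       6         10          0          GE3/0/2    GE3/0/2
RULE      128      17        100         11         GE3/0/2    GE3/0/2
"""

SLOT_LINE = re.compile(r"^Slot:\s*(\d+)\s*$")
ROW_LINE = re.compile(
    r"^(?P<type>[A-Z]+)\s+(?P<total>\d+)\s+(?P<reserved>\d+)\s+(?P<configured>\d+)"
    r"\s+(?P<remaining>\d+)\s+(?P<start>\S+)\s+(?P<end>\S+)\s*$"
)


def parse_remaining(text):
    """Return one dict per data row; header, ruler and blank lines are skipped."""
    rows, slot = [], None
    for line in text.splitlines():
        m = SLOT_LINE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = ROW_LINE.match(line)
        if not m:
            continue
        row = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
        row["slot"] = slot
        # Reserved + configured + remaining should equal the total; if they do
        # not, the columns shifted and the parse cannot be trusted.
        if row["reserved"] + row["configured"] + row["remaining"] != row["total"]:
            raise ValueError("counters do not add up: %r" % line)
        rows.append(row)
    return rows


def low_resources(rows, threshold=0.10):
    """(type, start port) pairs whose free share of entries is at or below threshold."""
    return [(r["type"], r["start"]) for r in rows
            if r["remaining"] / r["total"] <= threshold]


if __name__ == "__main__":
    for res_type, port in low_resources(parse_remaining(SAMPLE)):
        print("%s entries nearly exhausted on %s" % (res_type, port))
```

Feed it the captured output of the command for each slot; the sanity check on the counters catches the common failure of a pasted display whose columns no longer line up with the regular expression.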
Syntax
display acl running-packet-filter { all | interface interface-type interface-number }
View
Any view
Parameter
all: Displays the ACL application information on all ports (for ACLs identified by a number or a name).
interface interface-type interface-number: Specifies a port of the switch.
Description
Use the display acl running-packet-filter command to view the ACL application information on a port or on all ports, including the port to which an ACL is applied, the direction in which the ACL is active, the ACL name, the ACL rule number, and the ACL running status.
Example
# Display the ACL application information on all ports.
<H3C> display acl running-packet-filter all
Ethernet3/0/1
Inbound:
Acl 2000 rule 0 running
display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameter
all: Specifies to display all time ranges.
time-name: Name of a time range, a string that starts with an English letter (a-z or A-Z) and contains up to 32 characters.
Description
Use the display time-range command to view the configuration and status of the current time ranges. For an active time range, the status is displayed as "active"; for an inactive time range, the status is displayed as "inactive".
Note that there is a delay (about 1 minute) before the system updates the ACL status, while the display time-range command reports the status of a time range according to the current time. Therefore you may sometimes find that a time range shows as active in display time-range while the ACL referencing it is not yet activated (or, conversely, is still in effect shortly after the range ends). This is normal; allow for that window when a rule is expected to open or close access at a precise time.
Related command: time-range.
Example
# Display all time ranges.
<H3C> display time-range all
Current time is 14:36:36 4-3-2003 Thursday
Time-range : hhy ( Inactive )
from 08:30 2-5-2005 to 18:00 2-19-2005
Time-range : hhy1 ( Inactive )
from 08:30 2-5-2003 to 18:00 2-19-2003
Table 1-2 Description on the fields of the display time-range command
Field | Description
Current time is 14:36:36 4-3-2003 Thursday | System time
Time-range : hhy ( Inactive ) from 08:30 2-5-2005 to 18:00 2-19-2005 | Time range hhy. "Inactive" indicates that this time range is currently inactive ("Active" would indicate that it is active), and the time range runs from 08:30 February 5, 2005 to 18:00 February 19, 2005.
# Display the time range named "tm1".
<H3C> display time-range tm1
Current time is 14:37:31 4-3-2003 Thursday
Time-range : tm1 ( Inactive )
from 08:30 2-5-2005 to 18:00 2-19-2005
Table 1-3 Description on the fields of the display time-range command
Field | Description
Current time is 14:37:31 4-3-2003 Thursday | The current time of the system.
Time-range : tm1 ( Inactive ) from 08:30 2-5-2005 to 18:00 2-19-2005 | Time range tm1. "Inactive" indicates that this time range is currently inactive ("Active" would indicate that it is active), and the time range runs from 08:30 February 5, 2005 to 18:00 February 19, 2005.
Syntax
I. The command line format for Type A LPUs
packet-filter { inbound | outbound } acl-rule [ system-index ] [ not-care-for-interface ]
undo packet-filter { inbound | outbound } acl-rule [ not-care-for-interface ]
II. The command line format for LPUs other than Type A
packet-filter inbound acl-rule [ system-index ]
undo packet-filter inbound acl-rule
Combined activation of an IP ACL and a link ACL is supported by the LPUs, but the total number of characters in the fields defined by the IP ACL and the link ACL cannot exceed 32; otherwise the ACLs cannot be activated.
View
QoS view
Parameter
inbound: Filters packets received on the port.
outbound: Filters packets sent through the port.
acl-rule: The ACL rule to apply, which can be a combination of different types of ACL rules. Table 1-4 and Table 1-6 describe the ACL rule combinations on Type A LPUs and the corresponding parameters. Table 1-5 and Table 1-6 describe the ACL rule combinations on LPUs other than Type A and the corresponding parameters.
Table 1-4 Combined application of ACL rules on Type A LPUs (combination mode: form of acl-rule)
Apply all rules in an IP type ACL: ip-group { acl-number | acl-name }
Apply one rule in an IP type ACL: ip-group { acl-number | acl-name } rule rule-id
Apply all rules in a link type ACL: link-group { acl-number | acl-name }
Apply one rule in a link type ACL: link-group { acl-number | acl-name } rule rule-id
Apply one rule in an IP type ACL and one rule in a link type ACL simultaneously: ip-group { acl-number | acl-name } rule rule-id link-group { acl-number | acl-name } rule rule-id
Table 1-5 Combined application of ACL rules on LPUs other than Type A (combination mode: form of acl-rule)
Apply all rules in an IP type ACL: ip-group { acl-number | acl-name }
Apply one rule in an IP type ACL: ip-group { acl-number | acl-name } rule rule-id
Apply all rules in a link type ACL: link-group { acl-number | acl-name }
Apply one rule in a link type ACL: link-group { acl-number | acl-name } rule rule-id
Apply all rules in a user-defined ACL: user-group { acl-number | acl-name }
Apply one rule in a user-defined ACL: user-group { acl-number | acl-name } rule rule-id
Apply one rule in an IP type ACL and one rule in a link type ACL simultaneously: ip-group { acl-number | acl-name } rule rule-id link-group { acl-number | acl-name } rule rule-id
Table 1-6 Parameter description of ACL rule combinations (parameter: description)
ip-group { acl-number | acl-name }: Basic or advanced ACL. acl-number is the number of a basic or advanced ACL, in the range of 2,000 to 3,999. acl-name is the ACL name, a case-insensitive string of up to 32 characters that starts with an English letter (a to z or A to Z) and contains no space or quotation mark.
link-group { acl-number | acl-name }: Layer 2 ACL. acl-number is the number of a Layer 2 ACL, in the range of 4,000 to 4,999. acl-name is the ACL name, a case-insensitive string of up to 32 characters that starts with an English letter (a to z or A to Z) and contains no space or quotation mark.
user-group { acl-number | acl-name }: User-defined ACL. acl-number is the number of a user-defined ACL, in the range of 5,000 to 5,999. acl-name is the ACL name, a case-insensitive string of up to 32 characters that starts with an English letter (a to z or A to Z) and contains no space or quotation mark.
rule-id: ACL rule number, in the range of 0 to 127. If this argument is not specified, all rules in the specified ACL are applied.
system-index: Specifies an internal index value used when an ACL rule is applied to the port. The index value ranges from 0 to 4,294,967,295. This keyword is only available when the ACL rule number is specified in the command. If the specified ACL rule takes effect, the index value you enter is handled in one of three ways:
- If you do not enter an index value, or enter 0, the system automatically assigns an index greater than 0.
- If the index value you enter is not 0 and does not conflict with an internal index already used by the system, the system adopts the index value you entered.
- If the index value you enter is not 0 but conflicts with an internal index already used by the system, the system reassigns an index value.
If the specified ACL rule is not effective, the system adopts the index value you entered.
not-care-for-interface: Widens the scope of the filter beyond the port on which it is configured. On a non-48-port LPU, the packet-filtering function takes effect on the whole LPU where the current port resides after this keyword is chosen. On a 48-port LPU, if the current port number is in the range of 1 to 24, the packet filtering takes effect on ports 1 through 24; if the current port number is in the range of 25 to 48, the packet filtering takes effect on ports 25 through 48.
Description
Use the packet-filter command to activate an ACL on a port to filter packets.
Use the undo packet-filter command to cancel the configuration.
ARP packets are allowed to pass by default on S7500 Series Ethernet Switches. You cannot use the packet-filter command to filter ARP packets, even if you have defined a Layer 2 ACL with the rule command in which the protocol argument is ARP, so do not rely on a packet-filter ACL to block ARP traffic on this platform.
Example
# Apply ACL 2000 on Ethernet 3/0/1 to filter incoming packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet3/0/1
[H3C-Ethernet3/0/1] qos
[H3C-qoss-Ethernet3/0/1] packet-filter inbound ip-group 2000
Syntax
reset acl counter { all | acl-number | acl-name }
View
User view
Parameter
all: All ACLs (including those identified by a number or a name).
acl-number: ACL number, in the range of 2000 to 3999.
acl-name: ACL name, a case-insensitive string of up to 32 characters that starts with an English letter (a-z or A-Z), contains no space or quotation mark, and does not contain the word all (to avoid confusion with the keyword all).
Description
Use the reset acl counter command to clear ACL statistics.
Table 1-7 Comparison between the reset commands for statistics (command: function)
reset acl counter: Resets the statistics counted by an ACL that is referenced by software to filter packets or classify traffic, for example an ACL referenced by a route policy or an ACL used to control login users.
reset traffic-statistic: Resets traffic statistics. This command applies to an ACL that is applied to the switch hardware to filter packets or classify traffic; it is normally used to clear the statistics counted by the traffic-statistic command. For details about the reset traffic-statistic and traffic-statistic commands, refer to the QoS module of the manual.
Example
# Clear the statistics of ACL 2000.
<H3C> reset acl counter 2000
Syntax
rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | fragment | time-range time-name ]*
undo rule rule-id [ source | fragment | time-range ]*
View
Basic ACL view
Parameter
rule-id: ACL rule ID, in the range of 0 to 127.
deny: Drops packets that satisfy the condition.
permit: Permits packets that satisfy the condition to pass.
fragment: Specifies that the rule takes effect on non-initial fragment packets only. If you do not specify this keyword, the ACL does not filter packets by fragment information.
source { sour-addr sour-wildcard | any }: Specifies the source address information in the rule. sour-addr is the source IP address of the packet, in dotted decimal notation. sour-wildcard is the wildcard mask corresponding to the source subnet mask, in dotted decimal notation; a 0 bit in the wildcard must match and a 1 bit is ignored, so you enter 0.0.255.255 for the subnet mask 255.255.0.0. Set sour-wildcard to 0 to match a single host IP address. any represents any source IP address.
time-range time-name: Specifies a time range within which the rule is valid. If you do not specify time-range time-name, the ACL does not filter packets by time range information.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to delete an ACL rule or the attribute information of an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it with the display acl config command.
If you specify the rule ID when defining a rule:
- If the ACL was created with the config match order and the rule identified by rule-id exists, the settings specified in the rule command overwrite their counterparts in the existing rule (other settings of the rule remain unchanged). If the ACL was created with the auto match order, the rules of the ACL cannot be edited, and the system reports an error when you execute the rule command.
- If the rule corresponding to the specified rule ID does not exist, a new rule is created.
- The content of a modified or created rule must not be identical to the content of any existing rule; otherwise the modification or creation fails, and the system reports that the rule already exists.
If you do not specify a rule ID, a new rule is created and the system assigns an ID to it automatically.
Type A LPUs do not support applying ACL rules configured with fragment to hardware.
Example
# Define a rule to deny packets whose source IP address is 1.1.1.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
Syntax
rule [ rule-id ] { permit | deny } rule-string
undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | time-range ]*
View
Advanced ACL view
Parameter
rule-id: ACL rule ID, in the range of 0 to 127.
deny: Drops packets that satisfy the condition.
permit: Permits packets that satisfy the condition to pass.
rule-string: Rule information, which can be a combination of the parameters described in Table 1-8. You need to configure the protocol argument in the rule information before you can configure the other arguments.
Table 1-8 Rule information (parameter: type; function; description)
protocol: Protocol type; type of the protocol carried by IP; when expressed as a number, the range is 1 to 255, and when expressed as a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, or UDP.
source { sour-addr sour-wildcard | any }: Source address information; specifies the source address information in the rule; sour-addr sour-wildcard specifies the source address of the packet in dotted decimal notation, and any represents any source address.
destination { dest-addr dest-wildcard | any }: Destination address information; specifies the destination address information in the rule; dest-addr dest-wildcard specifies the destination address of the packet in dotted decimal notation, and any represents any destination address.
precedence precedence: Packet precedence; IP precedence; value range 0 to 7.
tos tos: Packet precedence; ToS priority; value range 0 to 15.
dscp dscp: Packet precedence; DSCP priority; value range 0 to 63.
fragment: Fragment information; specifies that the rule is effective for non-initial fragment packets only.
time-range time-name: Time range information; specifies the time range in which the rule is active.
sour-wildcard/dest-wildcard is the wildcard mask corresponding to the source/destination subnet mask. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0. Set the argument to 0 to match a single host IP address.
To define the DSCP priority, you can directly input a value ranging from 0 to 63, or input a keyword listed in Table 1-9.
Table 1-9 Description of DSCP values
Keyword | DSCP value in decimal | DSCP value in binary
ef | 46 | 101110
af11 | 10 | 001010
af12 | 12 | 001100
af13 | 14 | 001110
af21 | 18 | 010010
af22 | 20 | 010100
af23 | 22 | 010110
af31 | 26 | 011010
af32 | 28 | 011100
af33 | 30 | 011110
af41 | 34 | 100010
af42 | 36 | 100100
af43 | 38 | 100110
cs1 | 8 | 001000
cs2 | 16 | 010000
cs3 | 24 | 011000
cs4 | 32 | 100000
cs5 | 40 | 101000
cs6 | 48 | 110000
cs7 | 56 | 111000
be (default) | 0 | 000000
To define the IP precedence, you can directly input a value ranging from 0 to 7, or input a keyword listed in the following table.
Table 1-10 Description of IP precedence values
Keyword | IP precedence value in decimal | IP precedence value in binary
routine | 0 | 000
priority | 1 | 001
immediate | 2 | 010
flash | 3 | 011
flash-override | 4 | 100
critical | 5 | 101
internet | 6 | 110
network | 7 | 111
To define the ToS value, you can directly input a value ranging from 0 to 15, or input a keyword listed in the following table.
Table 1-11 Description of ToS values
Keyword | ToS value in decimal | ToS value in binary
normal | 0 | 0000
min-monetary-cost | 1 |