H3C S3610[S5510] Series Ethernet Switches Command Manual-Release 0001-(V1.02)
18-ACL Command
Table of Contents
Chapter 1 IPv4 ACL Configuration Commands
1.1 Time Range Configuration Commands
1.2 IPv4 ACL Configuration Commands
1.2.6 rule (advanced IPv4 ACL view)
1.2.7 rule (Ethernet frame header ACL view)
1.2.8 rule (user-defined IPv4 ACL view)
Chapter 2 IPv6 ACL Configuration Commands
2.1 IPv6 ACL Configuration Commands
2.1.5 rule (basic IPv6 ACL view)
2.1.6 rule (advanced IPv6 ACL view)
Chapter 3 Flow Template Configuration Commands
3.1 Flow Template Configuration Commands
Chapter 1 IPv4 ACL Configuration Commands
1.1 Time Range Configuration Commands
1.1.1 display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameter
time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
all: All existing time ranges.
Description
Use the display time-range command to display the configuration and state of a specified or all time ranges.
A time range is active when the system time falls within it and inactive otherwise.
Example
# Display the configuration and state of time range trname.
<Sysname> display time-range trname
Current time is 10:45:15 4/14/2005 Thursday
Time-range : trname ( Inactive )
from 08:00 12/1/2005 to 23:59 12/31/2100
Table 1-1 Description on the fields of the display time-range command
Field | Description
---|---
Current time | Current system time
Time-range | The configuration and state of the time range: its name, whether it is active or inactive, and its start and end times.
1.1.2 time-range
Syntax
time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Parameter
time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
start-time: Start time of a periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59.
end-time: End time of the periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The end time must be greater than the start time.
days: Indicates on which day or days of the week the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, for this argument, but make sure that they do not overlap. These values can take one of the following forms:
- A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
- A day of the week in words, that is, Mon, Tue, Wed, Thu, Fri, Sat, or Sun.
- working-day for Monday through Friday.
- off-day for Saturday and Sunday.
- daily for all seven days of the week.
from time1 date1: Indicates the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month in the range 1 to 31, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available from the system.
to time2 date2: Indicates the end time and date of the absolute time range. The format of the time2 argument is the same as that of the time1 argument, but its value ranges from 00:00 to 24:00. The format and value range of the date2 argument are the same as those of the date1 argument. The end time must be greater than the start time. If not specified, the end time is the maximum time available from the system.
Description
Use the time-range command to create a time range.
Use the undo time-range command to remove a time range.
Note that:
- A periodic time range is created with the time-range time-name start-time to end-time days command. It recurs on the specified day or days of every week.
- An absolute time range is created with the time-range time-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, it does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
- A compound time range is created with the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. It recurs on the specified day or days of the week, but only within the absolute period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
- You may create several time range statements with the same name. They are treated as one time range whose active period is the OR of the periodic statements, the OR of the absolute statements, and the AND of those two results.
- If the start time is not specified, the time range starts at the earliest time available from the system and ends at the end date. If the end date is not specified, the time range lasts from the date of configuration until the latest time available from the system.
- Up to 256 time ranges can be defined.
Example
# Create an absolute time range named test that is active from 00:00 on January 1, 2003 onward.
<Sysname> system-view
[Sysname] time-range test from 0:0 2003/1/1
# Create a periodic time range named test that is active from 8:00 to 18:00 on working days. Because it shares the name test with the absolute time range above, the two statements are combined: the resulting time range is active from 8:00 to 18:00 on working days on or after January 1, 2003.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
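The combination rules above (periodic statements ORed, absolute statements ORed, the two groups ANDed) decide whether an ACL rule that references the time range is enforced at a given moment, so it is worth being able to check them off the box. The following Python model is an added example, not part of the manual or H3C software: it parses statement text as typed after time-range name and evaluates it against a clock. The TimeRange class, the constructed statement strings and the sample timestamps are this example's own; it assumes both endpoints are inclusive at minute resolution and folds 24:00 to 23:59.

```python
"""Added example (not H3C code): evaluate time-range statements the way the manual
describes them: periodic statements are ORed, absolute statements are ORed, and the
two groups are ANDed. Endpoints are inclusive at minute resolution (assumption)."""
from datetime import datetime

# Day keywords of the time-range command; digits 0..6 mean Sunday..Saturday.
DAY_KEYWORDS = {
    "sun": {0}, "mon": {1}, "tue": {2}, "wed": {3}, "thu": {4}, "fri": {5}, "sat": {6},
    "working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7)),
}


def hhmm(text):
    """'8:00' -> 480 minutes after midnight; '24:00' is folded to the last minute of the day."""
    hours, minutes = (int(x) for x in text.split(":"))
    return min(hours * 60 + minutes, 23 * 60 + 59)


def parse_abs(time_text, date_text):
    """Absolute endpoint; the date may be written MM/DD/YYYY or YYYY/MM/DD."""
    a, b, c = (int(x) for x in date_text.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    minute = hhmm(time_text)
    return datetime(year, month, day, minute // 60, minute % 60)


def parse_days(words):
    days = set()
    for word in words:
        if word.isdigit():
            days.add(int(word))
        else:                                    # 'wednesday' and 'wed' both work
            days |= DAY_KEYWORDS[word if word in DAY_KEYWORDS else word[:3]]
    return days


class TimeRange:
    """All statements issued under one name, kept as the switch combines them."""

    def __init__(self, name):
        self.name = name
        self.periodic = []       # (start_minute, end_minute, days)
        self.absolute = []       # (start_datetime, end_datetime)

    def add(self, statement):
        """Parse the text that follows 'time-range <name>' on the CLI."""
        tok = statement.lower().split()
        i = 0
        if len(tok) >= 3 and ":" in tok[0] and tok[1] == "to":      # periodic part
            start, end, i = hhmm(tok[0]), hhmm(tok[2]), 3
            day_words = []
            while i < len(tok) and tok[i] not in ("from", "to"):
                day_words.append(tok[i])
                i += 1
            self.periodic.append((start, end, parse_days(day_words)))
        abs_start, abs_end, has_abs = datetime.min, datetime.max, False   # absolute part
        while i + 2 < len(tok):
            if tok[i] == "from":
                abs_start = parse_abs(tok[i + 1], tok[i + 2])
            elif tok[i] == "to":
                abs_end = parse_abs(tok[i + 1], tok[i + 2])
            has_abs, i = True, i + 3
        if has_abs:
            self.absolute.append((abs_start, abs_end))
        return self

    def is_active(self, when):
        """when: datetime or 'YYYY-MM-DD HH:MM' string (the switch would use its own clock)."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        minute = when.hour * 60 + when.minute
        dow = (when.weekday() + 1) % 7             # Python Monday=0 -> switch Sunday=0
        periodic_ok = not self.periodic or any(
            s <= minute <= e and dow in days for s, e, days in self.periodic)
        absolute_ok = not self.absolute or any(s <= when <= e for s, e in self.absolute)
        return periodic_ok and absolute_ok


# The manual's two 'test' statements form one compound range: working days 8:00-18:00,
# but only on or after 2003-01-01 (constructed from the examples above).
TEST_RANGE = TimeRange("test").add("from 0:0 2003/1/1").add("8:00 to 18:00 working-day")
# The compound statement from the description: Wednesdays 12:00-14:00 during 2004.
WED_2004 = TimeRange("wed2004").add(
    "12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004")

if __name__ == "__main__":
    for when in ("2005-04-14 10:45", "2005-04-16 10:45", "2002-04-11 10:45"):
        print(when, "active" if TEST_RANGE.is_active(when) else "inactive")
```

The three sample timestamps are a Thursday after the absolute start (active), the following Saturday (inactive, outside working-day) and a Thursday in 2002 (inactive, before the absolute start); the switch's own view of the same question is display time-range test.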
1.2 IPv4 ACL Configuration Commands
1.2.1 acl
Syntax
acl number acl-number [ match-order { config | auto } ]
undo acl { number acl-number | all }
View
System view
Parameter
number: Defines a numbered access control list (ACL).
acl-number: IPv4 ACL number in the range 2000 to 5999, where:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
- 5000 to 5999 for user-defined IPv4 ACLs
match-order: Sets the order in which ACL rules are matched. This keyword is not available for user-defined IPv4 ACLs.
- config: Performs matching against rules in the order in which they are configured.
- auto: Performs depth-first matching.
all: All IPv4 ACLs.
Description
Use the acl command to enter ACL view. If the ACL does not exist, it is created first.
Use the undo acl command to remove a specified or all IPv4 ACLs.
By default, the match order is config.
You can also use this command to modify the match order of an existing ACL but only before rules are added into it.
The match-order argument is unavailable for user-defined ACLs. Their match order can only be config.
Example
# Create IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
1.2.2 description (for IPv4)
Syntax
description text
undo description
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view, user-defined IPv4 ACL view
Parameter
text: ACL description with up to 127 case-sensitive characters.
Description
Use the description command to create an ACL description, to describe the purpose of the ACL for example.
Use the undo description command to remove the ACL description.
By default, no description is defined for an ACL.
Example
# Define the description of IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used in eth 0
# Define the description of IPv4 ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] description This acl is used in eth 0
# Define the description of IPv4 ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] description This acl is used in eth 0
# Define the description of IPv4 ACL 5000.
<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] description This acl is used in eth 0
1.2.3 display acl
Syntax
display acl { all | acl-number }
View
Any view
Parameter
all: All IPv4 ACLs.
acl-number: IPv4 ACL number in the range 2000 to 5999, where:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
- 5000 to 5999 for user-defined IPv4 ACLs
Description
Use the display acl command to display information about the specified or all IPv4 ACLs.
This command displays ACL rules in the order in which the system compares a packet against them.
Example
# Display information about IPv4 ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, 1 rule,
ACL's step is 5
rule 5 permit source 1.1.1.1 0 (0 times matched)
rule 5 comment This rule is used in eth 1
Table 1-2 Description on the fields of the display acl command
Field | Description
---|---
Basic ACL 2001 | The displayed information is about basic IPv4 ACL 2001.
1 rule | The ACL contains one rule.
ACL's step is 5 | The rules in this ACL are numbered in steps of 5.
0 times matched | No match for this rule. Only ACL matches performed in software are counted, so this counter does not reflect packets filtered in hardware.
rule 5 comment This rule is used in eth 1 | The description of ACL rule 5 is "This rule is used in eth 1."
1.2.4 reset acl counter
Syntax
reset acl counter { all | acl-number }
View
User view
Parameter
all: All IPv4 ACLs except for user-defined IPv4 ACLs.
acl-number: IPv4 ACL number in the range 2000 to 4999, where:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
Description
Use the reset acl counter command to clear statistics about specified or all IPv4 ACLs except for user-defined ACLs.
Example
# Clear statistics about IPv4 ACL 2001.
<Sysname> reset acl counter 2001
1.2.5 rule (basic ACL view)
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id [ fragment | logging | source | time-range ] *
View
Basic IPv4 ACL view
Parameter
I. Parameters for the rule command
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
rule-string: Matching criteria and other rule information defined by combinations of the parameters described in the following table.
Table 1-3 Parameters for basic IPv4 ACL rules
Parameter | Function | Description
---|---|---
source { sour-addr sour-wildcard \| any } | Specifies a source address. | The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. A wildcard of 0 indicates a host address. The any keyword indicates any source IP address.
logging | Logs matched packets. | The log records the ACL rule number, whether packets were permitted or dropped, the upper layer protocol carried by IP, the source and destination addresses, the source and destination port numbers, and the number of packets.
fragment | Applies the rule only to non-first fragments. | --
time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument specifies a time range name with 1 to 32 characters.
& Note:
The sour-wildcard argument is the bitwise complement of the subnet mask: a 1 bit in the wildcard means the corresponding address bit is ignored. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.
II. Parameters for the undo rule command
rule-id: Number of an existing ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
fragment: Removes the settings that take effect on non-first fragments from the rule.
logging: Removes the logging setting.
source: Removes the source address setting.
time-range: Removes the time range setting.
& Note:
Currently, the logging argument is not supported on H3C S3610 and S5510 Series Ethernet Switches.
Description
Use the rule command to create an IPv4 ACL rule or modify an existing rule.
Use the undo rule command to remove an ACL rule or parameters from the rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.
When configuring a rule, note that:
- Creating or modifying a rule fails if the result would be identical to an existing rule; the system prompts that the rule already exists. In addition, if the ACL match order is auto rather than config, you cannot modify existing rules.
- You need not assign IDs to rules. The system assigns them automatically, starting from 0 and increasing by the rule numbering step; an ID assigned this way is the next multiple of the step greater than the current highest rule ID. For example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.
- In an ACL whose match order is auto, rules are sorted by the depth-first principle regardless of the order in which they were created. Rule IDs do not change when rules are re-sorted.
Example
# Create a rule to deny packets with the source IP address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
1.2.6 rule (advanced IPv4 ACL view)
Syntax
rule [ rule-id ] { permit | deny } protocol [ rule-string ]
undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ]*
View
Advanced IPv4 ACL view
Parameter
I. Parameters for the rule command
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
protocol: Protocol carried by IP. It can be a number in the range 1 to 255, or in words, gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp.
rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.
Table 1-4 Parameters for advanced IPv4 ACL rules
Parameter | Function | Description
---|---|---
source { sour-addr sour-wildcard \| any } | Specifies a source address. | The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. A wildcard of 0 indicates a host address. The any keyword indicates any source IP address.
destination { dest-addr dest-wildcard \| any } | Specifies a destination address. | The dest-addr dest-wildcard argument specifies a destination IP address in dotted decimal notation. A dest-wildcard of 0 indicates a host address. The any keyword indicates any destination IP address.
precedence precedence | Specifies an IP precedence value. | The precedence argument can be a number in the range 0 to 7, or in words: routine, priority, immediate, flash, flash-override, critical, internet, or network.
tos tos | Specifies a ToS value. | The tos argument can be a number in the range 0 to 15, or in words: max-reliability, max-throughput, min-delay, min-monetary-cost, or normal.
dscp dscp | Specifies a DSCP value. | The dscp argument can be a number in the range 0 to 63, or in words: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.
logging | Logs matched packets. | The log records the ACL rule number, whether packets were permitted or dropped, the upper layer protocol carried by IP, the source and destination addresses, the source and destination port numbers, and the number of packets.
reflective | Makes the rule reflective. | A reflective rule can be defined only for TCP, UDP, or ICMP packets, and its statement can only be permit.
fragment | Applies the rule only to non-first fragments. | --
time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters.
& Note:
The sour-wildcard and dest-wildcard arguments are the bitwise complement of the source and destination subnet masks: a 1 bit in the wildcard means the corresponding address bit is ignored. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.
If the protocol argument is set to TCP or UDP, you may define the parameters in the following table in addition.
Table 1-5 TCP/UDP-specific parameters for advanced IPv4 ACL rules
Parameter | Function | Description
---|---|---
source-port operator port1 [ port2 ] | Specifies a TCP or UDP source port against which TCP or UDP packets are matched. | The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). port1 and port2 are TCP or UDP port numbers, given as numbers in the range 0 to 65535 or as names. The port2 argument is needed only with the range keyword.
destination-port operator port1 [ port2 ] | Specifies a TCP or UDP destination port against which TCP or UDP packets are matched. | Same as source-port.
established | Matches only packets of established TCP connections. | A keyword specific to TCP.
When specifying TCP or UDP ports by name, the following names are available.
Table 1-6 TCP/UDP port values
Protocol type | Value
---|---
TCP | chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)
UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)
If the protocol argument is set to ICMP, you may define the parameters in the following table.
Table 1-7 ICMP-specific parameters for advanced IPv4 ACL rules
Parameter | Function | Description
---|---|---
icmp-type { icmp-type icmp-code \| icmp-message } | Specifies the ICMP message type and code. | The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. For available ICMP messages, see Table 1-8.
The following table lists the ICMP messages that you can specify by name in advanced IPv4 ACL rules.
Table 1-8 ICMP messages and their codes
ICMP message | Type | Code
---|---|---
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0
II. Parameters for the undo rule command
rule-id: Number of an existing ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
destination: Removes the destination address setting.
destination-port: Removes the destination port setting. This keyword is available only for TCP and UDP.
dscp: Removes the DSCP setting.
fragment: Removes the settings that take effect on non-first fragments from the rule.
icmp-type: Removes the ICMP type and code settings. This keyword is available only for ICMP.
logging: Removes the logging setting.
precedence: Removes the precedence setting.
reflective: Removes the reflective attribute of the rule. This keyword is only valid for TCP, UDP, and ICMP.
source: Removes the source address setting.
source-port: Removes the source port setting. This keyword is only valid for TCP and UDP.
time-range: Removes the time range setting.
tos: Removes the ToS setting.
& Note:
Currently, the logging, reflective and established arguments are not supported on H3C S3610 and S5510 Series Ethernet Switches.
Description
Use the rule command to define or modify an ACL rule. If the rule does not exist, it is created first.
Use the undo rule command to remove an ACL rule or parameters from the rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.
When configuring a rule, note that:
- Creating or modifying a rule fails if the result would be identical to an existing rule; the system prompts that the rule already exists. In addition, if the ACL match order is auto rather than config, you cannot modify existing rules.
- You need not assign IDs to rules. The system assigns them automatically, starting from 0 and increasing by the rule numbering step; an ID assigned this way is the next multiple of the step greater than the current highest rule ID. For example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.
- In an ACL whose match order is auto, rules are sorted by the depth-first principle regardless of the order in which they were created. Rule IDs do not change when rules are re-sorted.
Example
# Define a rule to permit TCP packets sent from the 129.9.0.0/16 network to the 202.38.160.0/24 network with destination port 80.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
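The basic and advanced rule descriptions above leave two things for the operator to reason about: how a wildcard and the port operators decide whether a packet matches, and how the match order (config versus auto) changes which rule wins when several match. The following Python model is an added example, not part of the manual or H3C software. It implements first-match evaluation with the manual's wildcard and lt/gt/eq/neq/range semantics, and models the auto order with an assumed depth-first key (fewer wildcard 1 bits first, any counted as 32 bits, ties by rule ID); the exact depth-first ordering of the switch is not given on this page. It also assumes that a non-first fragment carries no Layer 4 header, so a rule with a port criterion cannot match it. The Rule, Acl and packet names, ACL 2000's two rules and all packet summaries are constructed for this example; ACL 3101's first rule is the one from the example above.

```python
"""Added example (not H3C code): first-match evaluation of IPv4 ACL rules with the
manual's wildcard, port-operator and fragment semantics, in config and auto order."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


def to_int(dotted):
    # The CLI abbreviates a host wildcard to a bare 0 (as in 'source 1.1.1.1 0').
    return 0 if dotted == "0" else int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask):
    """The wildcard is the bitwise inverse of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(mask)))


def addr_match(addr, net, wildcard):
    """A 1 bit in the wildcard is 'don't care'; the keyword any matches everything."""
    if net == "any":
        return True
    wc = to_int(wildcard)
    return (to_int(addr) | wc) == (to_int(net) | wc)


def port_match(spec, port):
    """spec is (operator, port1) or ('range', port1, port2); None means no port criterion."""
    if spec is None:
        return True
    if port is None:                        # packet carries no Layer 4 header
        return False
    op, p1 = spec[0], spec[1]
    if op == "lt":
        return port < p1
    if op == "gt":
        return port > p1
    if op == "eq":
        return port == p1
    if op == "neq":
        return port != p1
    if op == "range":
        return p1 <= port <= spec[2]
    raise ValueError("unknown operator " + op)


@dataclass
class Rule:
    rule_id: int
    action: str                                   # 'permit' or 'deny'
    protocol: str = "ip"                          # 'ip' matches any IP protocol
    source: tuple = ("any", "0")                  # (address, wildcard) as typed on the CLI
    destination: tuple = ("any", "0")
    source_port: Optional[tuple] = None
    destination_port: Optional[tuple] = None
    icmp_type: Optional[tuple] = None             # (type, code)
    fragment: bool = False                        # rule applies only to non-first fragments
    matched: int = 0                              # the '(N times matched)' software counter

    def specificity(self):
        """Assumed depth-first key: fewer wildcard 1 bits first (any counts as 32)."""
        return sum(32 if net == "any" else bin(to_int(wc)).count("1")
                   for net, wc in (self.source, self.destination))

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not addr_match(pkt["src"], *self.source) or not addr_match(pkt["dst"], *self.destination):
            return False
        if self.fragment and not pkt["nonfirst_fragment"]:
            return False
        if self.icmp_type and pkt["icmp"] != self.icmp_type:
            return False
        return port_match(self.source_port, pkt["sport"]) and port_match(self.destination_port, pkt["dport"])


@dataclass
class Acl:
    number: int
    match_order: str = "config"
    rules: list = field(default_factory=list)

    def ordered(self):
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        return sorted(self.rules, key=lambda r: (r.specificity(), r.rule_id))

    def evaluate(self, pkt):
        """(action, rule_id) of the first matching rule, or None if no rule matches."""
        for rule in self.ordered():
            if rule.matches(pkt):
                rule.matched += 1
                return rule.action, rule.rule_id
        return None


def packet(src, dst, proto="ip", sport=None, dport=None, icmp=None, nonfirst_fragment=False):
    """Constructed packet summary; a non-first fragment has no ports or ICMP header to show."""
    if nonfirst_fragment:
        sport = dport = icmp = None
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                icmp=icmp, nonfirst_fragment=nonfirst_fragment)


# The manual's ACL 3101 rule followed by an explicit deny-all (constructed).
acl3101 = Acl(3101, rules=[
    Rule(0, "permit", "tcp", ("129.9.0.0", "0.0.255.255"), ("202.38.160.0", "0.0.0.255"),
         destination_port=("eq", 80)),
    Rule(5, "deny", "ip"),
])


def acl2000(match_order):
    """Same two rules; only the match order differs, and so does the verdict for 10.0.0.1."""
    return Acl(2000, match_order, [Rule(0, "permit"), Rule(5, "deny", source=("10.0.0.1", "0"))])
```

Evaluating packet("10.0.0.1", "8.8.8.8") against acl2000("config") returns ('permit', 0) because rule 0 is checked first, while acl2000("auto") returns ('deny', 5) because the host rule sorts ahead of the any rule; the ordering display acl prints is the one that applies. Against acl3101, a TCP packet to port 80 returns ('permit', 0), but a non-first fragment of the same flow returns ('deny', 5) in this model, since there are no ports to compare.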
1.2.7 rule (Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id
View
Ethernet frame header ACL view
Parameter
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.
Table 1-9 Parameters for Ethernet frame header ACL rules
Parameter | Function | Description
---|---|---
type type-code type-wildcard | Defines a link layer protocol. | The type-code argument is a 16-bit hexadecimal number giving the frame type; it corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames. The type-wildcard argument is a 16-bit hexadecimal wildcard.
lsap lsap-code lsap-wildcard | Defines the DSAP and SSAP fields of the LLC encapsulation. | The lsap-code argument is a 16-bit hexadecimal number giving the frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal wildcard for the LSAP code.
source-mac sour-addr source-mask | Specifies a source MAC address range. | The sour-addr and source-mask arguments give a source MAC address and mask in xxxx-xxxx-xxxx format.
dest-mac dest-addr dest-mask | Specifies a destination MAC address range. | The dest-addr and dest-mask arguments give a destination MAC address and mask in xxxx-xxxx-xxxx format.
cos vlan-pri | Defines an 802.1p priority. | The vlan-pri argument takes a value in the range 0 to 7, or its equivalent in words: best-effort, background, spare, excellent-effort, controlled-load, video, voice, or network-management.
time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters.
& Note:
- Currently, the lsap argument is not supported on H3C S3610 and S5510 Series Ethernet Switches.
- When a rule uses the type argument, tagged packets match the rule if ANDing type-code with type-wildcard gives the same result as ANDing 8100 with type-wildcard.
Description
Use the rule command to create an ACL rule or modify an existing rule.
Use the undo rule command to remove an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.
When configuring a rule, note that:
- Creating or modifying a rule fails if the result would be identical to an existing rule; the system prompts that the rule already exists. In addition, if the ACL match order is auto rather than config, you cannot modify existing rules.
- You need not assign IDs to rules. The system assigns them automatically, starting from 0 and increasing by the rule numbering step; an ID assigned this way is the next multiple of the step greater than the current highest rule ID. For example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.
- In an ACL whose match order is auto, rules are sorted by the depth-first principle regardless of the order in which they were created. Rule IDs do not change when rules are re-sorted.
Example
# Create a rule to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
1.2.8 rule (user-defined IPv4 ACL view)
Syntax
rule [ rule-id ] { permit | deny } [ [ start | ipv4 | ipv6 | l2 | l4 ] { rule-string rule-mask offset }&<1-8> ] [ time-range time-name ]
undo rule rule-id
View
User-defined IPv4 ACL view
Parameter
rule-id: ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
start: Counts the offset from the beginning of the outermost header.
ipv4: Sets the offset from the beginning of the IPv4 header.
ipv6: Sets the offset from the beginning of the IPv6 header.
l2: Sets the offset from the beginning of the Layer 2 frame header.
l4: Sets the offset from the beginning of the Layer 4 header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern.
offset: The offset in bytes at which the match operation begins.
&<1-8>: Indicates that up to eight match patterns can be defined in the rule.
time-range time-name: References the time range in which the rule can take effect. The time-name argument comprises 1 to 32 characters.
Description
Use the rule command to create an ACL rule.
Use the undo rule command to remove an ACL rule.
Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.
If you do not specify the offset type, start is used by default, that is, the offset is counted from the beginning of the outermost header.
When configuring a rule, note that:
- If the ACL rule identified by the rule-id argument already exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule; settings not specified in the command remain unchanged.
- If the ACL rule identified by the rule-id argument does not exist, a new ACL rule is created.
- The content of a modified or created ACL rule cannot be identical to that of any existing ACL rule; otherwise the modification or creation fails and the system prompts that the rule already exists.
- If you do not specify a rule ID, a new rule is created and the system assigns it the smallest multiple of the step value that is greater than the largest existing rule ID. For example, if the step value is 5 and the largest existing rule ID is 28, a rule defined without an ID is numbered 30.
- For user-defined IPv4 ACLs, the match order can only be config.
Example
# Create a user-defined IPv4 ACL rule to match ARP packets, that is, frames whose EtherType field (the two bytes at offset 12 from the start of the Layer 2 header) is 0x0806.
<Sysname> system-view
[Sysname] acl number 5005
[Sysname-acl-user-5005] rule permit l2 0806 ffff 12
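A user-defined rule is a set of up to eight (pattern, mask, offset) groups applied to raw frame bytes, so whether it matches depends entirely on where the bytes you care about actually sit. The following Python model is an added example, not part of the manual or H3C software: it parses rule text as typed after rule, applies the groups to constructed frames, and shows the consequence of a fixed offset. Its assumptions are its own: the start and l2 bases are byte 0 of the frame as received, one 802.1Q tag is skipped when locating the IPv4 header for the ipv4 and l4 bases, and ipv6 is not modelled. Whether the switch counts l2 offsets before or after a VLAN tag is not stated on this page; the tagged-ARP case below is exactly the behaviour to verify on the device before relying on such a rule.

```python
"""Added example (not H3C code): apply a user-defined ACL rule's hex pattern, mask and
offset groups to raw frame bytes, the way 'rule permit l2 0806 ffff 12' matches ARP."""

BASES = ("start", "ipv4", "ipv6", "l2", "l4")


def parse_rule(text):
    """'permit l2 0806 ffff 12' -> ('permit', 'l2', [(b'\\x08\\x06', b'\\xff\\xff', 12)]).
    Odd-length hex and a mask whose length differs from its pattern are rejected."""
    tok = text.split()
    action, i, base = tok[0], 1, "start"              # start is the default base
    if i < len(tok) and tok[i] in BASES:
        base, i = tok[i], i + 1
    groups = []
    while i + 2 < len(tok) and tok[i] != "time-range":
        pattern, mask = bytes.fromhex(tok[i]), bytes.fromhex(tok[i + 1])   # ValueError on odd length
        if len(pattern) != len(mask):
            raise ValueError("mask must be as long as the pattern")
        groups.append((pattern, mask, int(tok[i + 2])))
        i += 3
    if not 1 <= len(groups) <= 8:
        raise ValueError("a rule takes 1 to 8 pattern/mask/offset groups")
    return action, base, groups


def base_offset(frame, base):
    """Byte index the rule's offset counts from (assumptions of this model: start and l2
    are byte 0 of the frame, one 802.1Q tag is skipped to find IPv4, ipv6 not modelled)."""
    if base in ("start", "l2"):
        return 0
    l3 = 18 if frame[12:14] == b"\x81\x00" else 14
    if base == "ipv6" or frame[l3 - 2:l3] != b"\x08\x00":
        return None                                   # no IPv4 header to anchor on
    return l3 if base == "ipv4" else l3 + (frame[l3] & 0x0F) * 4   # l4: skip IHL words


def rule_matches(frame, rule):
    """True when every group matches: (frame_bytes & mask) == (pattern & mask) at its offset."""
    _action, base, groups = rule
    start = base_offset(frame, base)
    if start is None:
        return False
    for pattern, mask, offset in groups:
        chunk = frame[start + offset:start + offset + len(pattern)]
        if len(chunk) < len(pattern):
            return False                              # pattern runs past the end of the frame
        if any((c & m) != (p & m) for c, p, m in zip(chunk, pattern, mask)):
            return False
    return True


# Constructed frames (not captures): an untagged ARP request, the same request behind an
# 802.1Q tag for VLAN 10, and an Ethernet/IPv4/TCP SYN to port 80.
ARP_BODY = bytes.fromhex("0001 0800 0604 0001 001122334455 c0a80001 000000000000 c0a80002")
ARP_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + ARP_BODY
ARP_FRAME_TAGGED = bytes.fromhex("ffffffffffff 001122334455 8100 000a 0806") + ARP_BODY
TCP_SYN_FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"
    "4500 0028 0001 4000 4006 0000 c0a80001 c0a80002"       # IPv4, IHL 5, protocol 6
    "9c40 0050 00000001 00000000 5002 ffff 0000 0000")      # TCP, dport 80, flags SYN

if __name__ == "__main__":
    arp = parse_rule("permit l2 0806 ffff 12")
    print(rule_matches(ARP_FRAME, arp))             # True
    print(rule_matches(ARP_FRAME_TAGGED, arp))      # False: the tag moves the EtherType to offset 16
    print(rule_matches(TCP_SYN_FRAME, parse_rule("deny l4 0050 ffff 2 02 02 13")))   # True
```

The second rule in the usage goes beyond the manual's single-group example: it uses the l4 base with two groups, the TCP destination port at offset 2 and the SYN bit at offset 13 (pattern 02, mask 02, so only that bit is compared), which is how a multi-group rule narrows a match without a full L4-aware ACL.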
1.2.9 rule comment (for IPv4)
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view, user-defined IPv4 ACL view
Parameter
rule-id: ACL rule number in the range 0 to 65534.
text: ACL rule description with up to 127 case sensitive characters.
Description
Use the rule comment command to create or modify an ACL rule description, for example to describe the purpose of the ACL rule or the parameters it contains.
Use the undo rule comment command to remove the ACL rule description.
By default, no rule description is created.
The command fails if the specified rule does not exist.
For a rule without any description information, the rule comment command adds description information; for a rule already having description information, the rule comment command modifies its description information with the new one.
Example
# Create a rule in ACL 2000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used in eth 1
1.2.10 step (for IPv4)
Syntax
step step-value
undo step
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Parameter
step-value: ACL rule numbering step, in the range 1 to 20.
Description
Use the step command to set a rule numbering step.
Use the undo step command to restore the default.
By default, the rule numbering step is 5.
When defining rules in an ACL, you do not have to assign them numbers. The system can number them automatically in steps. For example, with the default step, the rules you create are numbered 0, 5, 10, 15, and so on. The benefit of a numbering step is that it leaves room to insert new rules between existing ones. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL with a step of 5, you can still insert a rule numbered 1.
Any step change can renumber the rules. For example, if you change the step in the above example from 5 to 2, the rules are renumbered 0, 2, 4, 6, and 8.
Note that even if the current step is already the default, the undo step command can still renumber the rules. Suppose that ACL 3001 uses the default step and contains two rules numbered 0 and 5. After you insert rule 1 and rule 3, the rules are numbered 0, 1, 3, and 5. If you then execute undo step, they are renumbered 0, 5, 10, and 15. Because renumbering changes the IDs that rule comment and undo rule refer to, check the current IDs with the display acl command after changing the step.
Example
# Set the rule numbering step to 2 for IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
# Set the rule numbering step to 2 for IPv4 ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] step 2
# Set the rule numbering step to 2 for IPv4 ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] step 2
Chapter 2 IPv6 ACL Configuration Commands
2.1 IPv6 ACL Configuration Commands
2.1.1 acl ipv6
Syntax
acl ipv6 number acl6-number [ match-order { config | auto } ]
undo acl ipv6 { number acl6-number | all }
View
System view
Parameter
acl6-number: IPv6 ACL number. It is a value in one of the following ranges:
- 2000 to 2999 for basic IPv6 ACLs
- 3000 to 3999 for advanced IPv6 ACLs
match-order: Sets the order in which ACL rules are matched.
- config: Matches rules in the order in which they are configured.
- auto: Performs depth-first matching.
all: All IPv6 ACLs.
Description
Use the acl ipv6 command to enter IPv6 ACL view. If the ACL does not exist, it is created first.
Use the undo acl ipv6 command to remove a specified or all IPv6 ACLs.
By default, the match order is config.
You can also use this command to change the match order of an existing IPv6 ACL, but only before any rules have been added to it.
Example
# Create IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
2.1.2 description (for IPv6)
Syntax
description text
undo description
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Parameter
text: IPv6 ACL description with up to 127 case-sensitive characters.
Description
Use the description command to create an IPv6 ACL description, to describe the purpose of the ACL for example.
Use the undo description command to remove the IPv6 ACL description.
Example
# Create a description for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This acl is used in eth 0
# Create a description for IPv6 ACL 3000.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] description This acl is used in eth 0
2.1.3 display acl ipv6
Syntax
display acl ipv6 { all | acl6-number }
View
Any view
Parameter
all: All IPv6 ACLs.
acl6-number: IPv6 ACL number. It is a value in one of the following ranges:
- 2000 to 2999 for basic IPv6 ACLs
- 3000 to 3999 for advanced IPv6 ACLs
Description
Use the display acl ipv6 command to display information about specified or all IPv6 ACLs.
Example
# Display information about IPv6 ACL 2001.
<Sysname> display acl ipv6 2001
Basic IPv6 ACL 2001, 1 rule,
ACL's step is 5
rule 0 permit source 1::2/128 (0 times matched)
rule 0 comment This rule is used in eth 1
Table 2-1 Description on the fields of the display acl ipv6 command

Field | Description
---|---
Basic IPv6 ACL 2001 | The displayed information is about basic IPv6 ACL 2001.
1 rule | The ACL contains one rule.
ACL's step is 5 | The rules in this ACL are numbered in steps of 5.
0 times matched | No match for this rule. Only ACL matches performed by software are counted.
rule 0 comment This rule is used in eth 1 | The description of ACL rule 0 is "This rule is used in eth 1."
2.1.4 reset acl ipv6 counter
Syntax
reset acl ipv6 counter { all | acl6-number }
View
User view
Parameter
all: All basic and advanced IPv6 ACLs.
acl6-number: IPv6 ACL number. It is a value in one of the following ranges:
- 2000 to 2999 for basic IPv6 ACLs
- 3000 to 3999 for advanced IPv6 ACLs
Description
Use the reset acl ipv6 counter command to clear statistics about specified or all basic and advanced IPv6 ACLs.
Example
# Clear the statistics about IPv6 ACL 2001.
<Sysname> reset acl ipv6 counter 2001
2.1.5 rule (basic IPv6 ACL view)
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id [ fragment | logging | source | time-range ]*
View
Basic IPv6 ACL view
Parameter
I. Parameters for the rule command
rule-id: IPv6 ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.
Table 2-2 Match criteria and rule information for basic IPv6 ACL rules

Parameter | Function | Description
---|---|---
source { ipv6-address prefix-length \| ipv6-address/prefix-length \| any } | Specifies a source IPv6 address. | The ipv6-address and prefix-length arguments specify a source IPv6 address and its prefix length in the range 1 to 128. The any keyword matches any source IPv6 address.
logging | Logs matched packets. | The log records the ACL rule number, whether packets were permitted or denied, the upper layer protocol carried by IPv6, source/destination address, source/destination port number, and the number of packets.
fragment | Applies the rule only to non-first fragments. | ––
time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters.
II. Parameters for the undo rule command
rule-id: Number of an existing IPv6 ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
fragment: Removes the settings that take effect on non-first fragments from the rule.
logging: Removes the logging setting.
source: Removes the source address setting.
time-range: Removes the time range setting.
Note:
- Currently, the logging argument is not supported on H3C S3610 and S5510 Series Ethernet Switches.
Description
Use the rule command to create an IPv6 ACL rule or modify an existing one.
Use the undo rule command to remove an IPv6 ACL rule or parameters from the rule.
To delete a rule you must specify its rule ID. If you do not know the rule ID, look it up with the display acl ipv6 command.
When configuring a rule, note that:
- A rule is rejected if its permit/deny statement is exactly the same as that of an existing rule; the system prompts that the rule already exists. In addition, if the ACL match order is auto rather than config, existing rules cannot be modified.
- You do not have to assign IDs when defining rules. The system can assign IDs automatically, starting at 0 and increasing by the rule numbering step; an ID assigned this way is the smallest multiple of the step that is greater than the current highest rule ID. For example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.
- Rules in an ACL created with the auto keyword are sorted by the "depth first" principle regardless of the order in which they were created. The ID of each rule does not change.
Example
# Create a rule in IPv6 ACL 2000 that permits packets whose source address is in 2030:5060::9050/64.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64
2.1.6 rule (advanced IPv6 ACL view)
Syntax
rule [ rule-id ] { permit | deny } protocol [ rule-string ]
undo rule rule-id [ destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *
View
Advanced IPv6 ACL view
Parameter
I. Parameters for the rule command
rule-id: IPv6 ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
protocol: Protocol carried by IPv6. It can be a number in the range 1 to 255, or one of the keywords gre, icmpv6, ipv6, ipv6-ah, ipv6-esp, ospf, tcp, or udp.
rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.
Table 2-3 Match criteria and other rule information for advanced IPv6 ACL rules

Parameter | Function | Description
---|---|---
source { source source-prefix \| source/source-prefix \| any } | Specifies a source IPv6 address. | The source and source-prefix arguments specify a source IPv6 address and its prefix length in the range 1 to 128. The any keyword matches any source IPv6 address.
destination { dest dest-prefix \| dest/dest-prefix \| any } | Specifies a destination IPv6 address. | The dest and dest-prefix arguments specify a destination IPv6 address and its prefix length in the range 1 to 128. The any keyword matches any destination IPv6 address.
dscp dscp | Specifies a DSCP value. | The dscp argument can be a number in the range 0 to 63, or one of the keywords af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.
logging | Logs matched packets. | The log records the ACL rule number, whether packets were permitted or denied, the protocol carried by IPv6, source/destination IPv6 address, source/destination port number, and the number of packets.
fragment | Applies the rule only to non-first fragments. | Non-first fragments carry no Layer 4 header, so source-port, destination-port and icmpv6-type criteria cannot match them; use this keyword to write a rule that addresses them explicitly.
time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters.
If the protocol argument is tcp or udp, you can also define the parameters in the following table.
Table 2-4 TCP/UDP-specific match criteria for advanced IPv6 ACL rules

Parameter | Function | Description
---|---|---
source-port operator port1 [ port2 ] | Defines the source port in the TCP/UDP packet. | The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments each specify a TCP or UDP port, as a number in the range 0 to 65535 or as a name. Define port2 only when the range keyword is used.
destination-port operator port1 [ port2 ] | Defines the destination port in the TCP/UDP packet. | Same operator and port arguments as source-port.
When specifying TCP/UDP ports by name, you can use the following names.
Table 2-5 TCP/UDP port values

Protocol type | Value
---|---
TCP | chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)
UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)
If the protocol argument is icmpv6, you can also define the parameter in the following table.
Table 2-6 ICMPv6-specific match criteria for advanced IPv6 ACL rules

Parameter | Function | Description
---|---|---
icmpv6-type { icmpv6-type icmpv6-code \| icmpv6-message } | Specifies the ICMPv6 message type and code. | The icmpv6-type and icmpv6-code arguments each range from 0 to 255. The icmpv6-message argument specifies a message by name; see Table 2-7 for the available names.
The following table lists the ICMPv6 messages that you can specify by name in advanced IPv6 ACL rules.
Table 2-7 Available ICMPv6 messages

ICMPv6 message | Type | Code
---|---|---
redirect | 137 | 0
echo-request | 128 | 0
echo-reply | 129 | 0
err-Header-field | 4 | 0
frag-time-exceeded | 3 | 1
hop-limit-exceeded | 3 | 0
host-admin-prohib | 1 | 1
host-unreachable | 1 | 3
neighbor-advertisement | 136 | 0
neighbor-solicitation | 135 | 0
network-unreachable | 1 | 0
packet-too-big | 2 | 0
port-unreachable | 1 | 4
router-advertisement | 134 | 0
router-solicitation | 133 | 0
unknown-ipv6-opt | 4 | 2
unknown-next-hdr | 4 | 1
II. Parameters for the undo rule command
rule-id: Number of an existing IPv6 ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
destination: Removes the destination address setting from the rule.
destination-port: Removes the destination port setting from the rule. This keyword is available only for TCP and UDP.
dscp: Removes the DSCP setting from the rule.
fragment: Removes the settings that take effect on non-first fragments from the rule.
icmpv6-type: Removes the ICMPv6 type and code settings from the rule. This keyword is available only for ICMPv6.
logging: Removes the logging setting from the rule.
source: Removes the source IPv6 address setting from the rule.
source-port: Removes the source port setting from the rule. This keyword is available only for TCP and UDP.
time-range: Removes the time range setting from the rule.
Note:
- The protocol number you specify is compared only with the Next Header field of the fixed IPv6 header, not with the actual Layer 4 protocol. If a packet carries one or more extension headers (hop-by-hop options, for example) before its Layer 4 header, the Next Header field holds the extension header's number and a rule written for tcp or udp does not match the packet. Do not rely on a protocol-based IPv6 ACL alone to block such traffic.
- Currently, the logging argument is not supported on H3C S3610 and S5510 Series Ethernet Switches.
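The following Python block is an added example, not H3C code, written to make the Next Header note above concrete. It builds three constructed IPv6 packets carrying the same TCP SYN (a plain one, one behind a Hop-by-Hop Options header, and a non-first fragment) and compares what a Next-Header-only check sees with what a walk of the extension-header chain finds. The source address 2030:5060::9050 is taken from the manual's examples; the destination address, ports and fragment identification are made up for the example.

```python
"""Added example (not H3C code): the IPv6 Next Header caveat in packet bytes.

An advanced IPv6 ACL rule compares its protocol number only with the Next
Header field of the fixed IPv6 header. A packet that carries TCP behind an
extension header therefore does not match `rule deny tcp`. Addresses other
than the manual's 2030:5060::9050, and all ports, are constructed here.
"""
import ipaddress
import struct

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, AH, DSTOPTS, MOBILITY = 0, 6, 17, 43, 44, 51, 60, 135
# Extension headers whose length is (hdr_ext_len + 1) * 8 octets
VARIABLE_LEN_EXT = {HOPOPT, ROUTING, DSTOPTS, MOBILITY}

SRC = ipaddress.IPv6Address("2030:5060::9050").packed  # address from the manual's examples
DST = ipaddress.IPv6Address("2001:db8::1").packed      # constructed, documentation prefix


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    # Fixed 40-byte header: version 6, traffic class/flow label 0, hop limit 64
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, SRC, DST) + payload


def hop_by_hop(next_header: int) -> bytes:
    # Minimal 8-octet Hop-by-Hop Options header: next header, ext len 0, one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, offset8: int, more: bool) -> bytes:
    # Fragment offset (8-octet units) occupies the top 13 bits, the M flag bit 0
    return struct.pack("!BBHI", next_header, 0, (offset8 << 3) | int(more), 0x1234)


def tcp_header(sport: int, dport: int) -> bytes:
    # Minimal 20-byte TCP header: data offset 5, SYN set, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)


def next_header_field(pkt: bytes) -> int:
    """What the switch compares the rule's protocol number against."""
    return pkt[6]


def classify(pkt: bytes) -> tuple:
    """Walk the extension-header chain.

    Returns (upper-layer protocol, (sport, dport) or None, is_non_first_fragment).
    Ports are None when no Layer 4 header is present, as in a non-first fragment.
    """
    nh, off, non_first = pkt[6], 40, False
    while nh in VARIABLE_LEN_EXT or nh in (FRAGMENT, AH):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        if nh in VARIABLE_LEN_EXT:
            ext_len = (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            offset8 = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            non_first = non_first or offset8 > 0
            ext_len = 8
        else:  # AH: payload length field counts 4-octet units minus 2
            ext_len = (pkt[off + 1] + 2) * 4
        nh, off = pkt[off], off + ext_len
    ports = None
    if nh in (TCP, UDP) and not non_first and off + 4 <= len(pkt):
        ports = struct.unpack_from("!HH", pkt, off)
    return nh, ports, non_first


# Constructed packets: the same TCP SYN to port 22 in three framings
PLAIN = ipv6_packet(TCP, tcp_header(40000, 22))
BEHIND_HOPOPT = ipv6_packet(HOPOPT, hop_by_hop(TCP) + tcp_header(40000, 22))
NON_FIRST_FRAG = ipv6_packet(FRAGMENT, fragment_header(TCP, offset8=1, more=False) + b"\x00" * 16)


def deny_tcp_matches(pkt: bytes) -> dict:
    """Would `rule deny tcp` catch this packet? Next-Header-only vs chain walk."""
    return {
        "next_header_only": next_header_field(pkt) == TCP,
        "chain_walk": classify(pkt)[0] == TCP,
    }


if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("behind hop-by-hop", BEHIND_HOPOPT),
                      ("non-first fragment", NON_FIRST_FRAG)):
        print(name, deny_tcp_matches(pkt), classify(pkt))
```

Running the block shows that the plain packet matches either way, the packet behind the Hop-by-Hop header matches only when the chain is walked (the switch sees Next Header 0), and the non-first fragment matches neither a tcp rule nor any port criterion, which is what the fragment keyword is for.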
Description
Use the rule command to create an IPv6 ACL rule or modify an existing one.
Use the undo rule command to remove an IPv6 ACL rule or parameters from the rule.
To delete a rule you must specify its rule ID. If you do not know the rule ID, look it up with the display acl ipv6 command.
When configuring a rule, note that:
- A rule is rejected if its permit/deny statement is exactly the same as that of an existing rule; the system prompts that the rule already exists. In addition, if the ACL match order is auto rather than config, existing rules cannot be modified.
- You do not have to assign IDs when defining rules. The system can assign IDs automatically, starting at 0 and increasing by the rule numbering step; an ID assigned this way is the smallest multiple of the step that is greater than the current highest rule ID. For example, if the step is 5 and the current highest rule ID is 28, the next rule is numbered 30.
- Rules in an ACL created with the auto keyword are sorted by the "depth first" principle regardless of the order in which they were created. The ID of each rule does not change.
Example
# Create a rule in IPv6 ACL 3000 that permits TCP packets whose source address is in 2030:5060::9050/64.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64
2.1.7 rule comment (for IPv6)
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Parameter
rule-id: IPv6 ACL rule number in the range 0 to 65534.
text: IPv6 ACL rule description with up to 127 case sensitive characters.
Description
Use the rule comment command to create or modify a description for an existing IPv6 ACL rule, for example to describe the purpose of the ACL rule or its attributes.
Use the undo rule comment command to remove the IPv6 ACL rule description.
By default, no rule description is created.
The command fails if the specified rule does not exist.
If the rule has no description, the rule comment command adds one; if the rule already has a description, the rule comment command replaces it with the new text.
Example
# Define a rule in IPv6 ACL 2000 and create a description for the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule 0 comment This rule is used in eth 1
# Define a rule in IPv6 ACL 3000 and create a description for the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule 0 permit tcp source 2030:5060::9050/64
[Sysname-acl6-adv-3000] rule 0 comment This rule is used in eth 1
2.1.8 step (for IPv6)
Syntax
step step-value
undo step
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Parameter
step-value: The step in which the rules in the IPv6 ACL is numbered, in the range 1 to 20.
Description
Use the step command to set a rule numbering step for the IPv6 ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is 5.
When defining rules in an IPv6 ACL, you do not have to assign them numbers. The system can number them automatically in steps. For example, with the default step, the rules you create are numbered 0, 5, 10, 15, and so on.
The benefit of a numbering step is that it leaves room to insert new rules between existing ones. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL with a step of 5, you can still insert a rule numbered 1.
Any step change can renumber the rules. For example, if you change the step in the above example from 5 to 2, the rules are renumbered 0, 2, 4, 6, and 8.
Note that even if the current step is already the default, the undo step command can still renumber the rules. Suppose that IPv6 ACL 3001 uses the default step and contains two rules numbered 0 and 5. After you insert rule 1 and rule 3, the rules are numbered 0, 1, 3, and 5. If you then execute undo step, they are renumbered 0, 5, 10, and 15. Because renumbering changes the IDs that rule comment and undo rule refer to, check the current IDs with the display acl ipv6 command after changing the step.
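The following Python block is an added example, not the switch's code, that models the rule numbering behaviour described for the step command (this section and the IPv4 step command in 1.2.10) and for automatic rule IDs in the rule commands. It assumes, from the 28-to-30 example, that an automatically assigned ID is the smallest multiple of the step greater than the current highest ID, and that renumbering keeps the rules in ID order. The match statements it uses are constructed.

```python
"""Added example (not H3C code): a model of ACL rule numbering and step changes.

Behaviour taken from the rule and step command descriptions:
  * a rule created without an ID gets the smallest multiple of the step that is
    greater than the current highest ID (0 in an empty ACL) -- an assumption
    generalised from the manual's "highest ID 28, step 5, next ID 30" example;
  * a rule created with an explicit ID is inserted at that position, or replaces
    the statement of an existing rule with that ID;
  * a statement identical to another rule's is rejected ("rule already exists");
  * `step N` and `undo step` renumber all rules, in ID order, as 0, N, 2N, ...
"""
from typing import Dict, List, Optional

DEFAULT_STEP = 5
MAX_RULE_ID = 65534


class Acl:
    def __init__(self, step: int = DEFAULT_STEP) -> None:
        self.step = step
        self.rules: Dict[int, str] = {}  # rule ID -> match statement

    def _next_id(self) -> int:
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, statement: str, rule_id: Optional[int] = None) -> int:
        """`rule [rule-id] ...`: create or modify a rule; returns its ID."""
        for existing_id, existing in self.rules.items():
            if existing == statement and existing_id != rule_id:
                raise ValueError("rule already exists")  # the switch's prompt
        if rule_id is None:
            rule_id = self._next_id()
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id out of range 0 to 65534")
        self.rules[rule_id] = statement
        return rule_id

    def undo_rule(self, rule_id: int) -> None:
        """`undo rule rule-id`: needs the current ID, so look it up after a renumber."""
        if rule_id not in self.rules:
            raise KeyError("rule does not exist")
        del self.rules[rule_id]

    def _renumber(self) -> None:
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {n * self.step: s for n, s in enumerate(ordered)}

    def set_step(self, step: int) -> None:
        """`step step-value`: changes the step and renumbers every rule."""
        if not 1 <= step <= 20:
            raise ValueError("step out of range 1 to 20")
        self.step = step
        self._renumber()

    def undo_step(self) -> None:
        """`undo step`: back to 5, renumbering even if the step was already 5."""
        self.set_step(DEFAULT_STEP)

    def ids(self) -> List[int]:
        return sorted(self.rules)


def walkthrough() -> List[List[int]]:
    """Replays the manual's step example; returns the ID list after each stage."""
    stages = []
    acl = Acl()
    for src in ("1::1/128", "1::2/128", "1::3/128", "1::4/128"):  # constructed
        acl.rule(f"permit source {src}")
    stages.append(acl.ids())                      # [0, 5, 10, 15]
    acl.rule("deny source 1::5/128", rule_id=1)   # insert between 0 and 5
    stages.append(acl.ids())                      # [0, 1, 5, 10, 15]
    acl.set_step(2)
    stages.append(acl.ids())                      # [0, 2, 4, 6, 8]
    acl.undo_step()
    stages.append(acl.ids())                      # [0, 5, 10, 15, 20]
    return stages


if __name__ == "__main__":
    for ids in walkthrough():
        print(ids)
```

The point to take from the model is operational: a rule that was "rule 1" before a step change is "rule 2" afterwards, so any scripted `undo rule` or `rule comment` that hard-codes IDs must re-read them from display acl (or display acl ipv6) after `step` or `undo step`.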
Example
# Set the rule numbering step to 2 for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
# Set the rule numbering step to 2 for IPv6 ACL 3000.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] step 2
Chapter 3 Flow Template Configuration Commands
3.1 Flow Template Configuration Commands
3.1.1 display flow-template
Syntax
display flow-template { user-defined [ flow-template-name ] | interface [ interface-type interface-number ] }
View
Any view
Parameter
flow-template-name: Flow template name that comprises 1 to 31 characters.
interface-type interface-number: Specifies a port by its type and number.
Description
Use the display flow-template command to display the configuration of the specified or all user-defined flow templates, or of the flow templates applied to the specified or all ports.
Without the flow-template-name argument, the command displays all user-defined flow templates. Without interface-type interface-number, it displays the flow templates applied on all ports.
Example
# Display the configuration of all user-defined flow templates.
<Sysname> display flow-template user-defined
user-defined flow template: basic
name:f1, index:1, total reference counts:1
fields: ip-protocol fragments ip-precedence
user-defined flow template: extend
name:f2, index:2, total reference counts:0
fields: start 22 33 l2 55 66
Table 3-1 Description on the fields of display flow-template

Field | Description
---|---
user-defined flow template | Type of the user-defined flow template: basic or extend
name | Name of the flow template
index | Index of the flow template
total reference counts | Total number of times the flow template is referenced
fields | Fields included in the flow template
# Display information about the flow templates applied to all ports.
<Sysname> display flow-template interface
Interface: Ethernet1/0/1
user-defined flow template: basic
name:f1, index:1, total reference counts:1
fields: ip-protocol fragments ip-precedence
Interface: Ethernet1/0/2
user-defined flow template: basic
name:f3, index:3, total reference counts:1
fields: tos
Table 3-2 Description on the fields of display flow-template interface

Field | Description
---|---
Interface | Port where the flow template is referenced
user-defined flow template | Type of the user-defined flow template: basic or extend
name | Name of the flow template
index | Index of the flow template
total reference counts | Reference count for the flow template
fields | Fields included in the flow template
3.1.2 flow-template
Syntax
flow-template flow-template-name
undo flow-template
View
Ethernet port view, port group view
Parameter
flow-template-name: Flow template name that comprises 1 to 31 characters.
Description
Use the flow-template command to reference a flow template on current port.
Use the undo flow-template command to remove the referenced flow template from the port.
Note that on a port you can reference only one flow template.
Note:
- User-defined ACLs are used together with an extended user-defined flow template. When a port applies an extended flow template, policies that include basic or advanced ACLs cannot be applied to that port.
- Before applying a user-defined flow template to a port, make sure the template has already been configured. A port can be configured with only one flow template.
- Before applying a flow template to a port, disable the following functions on the port: 802.1x, cluster (NDP, NTDP, HABP, and Cluster), DHCP Snooping, port isolation, MAC+IP+port binding, selective Q-in-Q, and voice VLAN. Enabling these functions after a flow template has been applied to the port is also not recommended.
Example
# Reference flow template f1 on port Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] flow-template f1
# Remove the referenced flow template from port Ethernet 1/0/1.
[Sysname-Ethernet1/0/1] undo flow-template
3.1.3 flow-template basic
Syntax
flow-template flow-template-name basic { customer-cos | customer-vlan-id | dip | dipv6 | dmac | dport | dscp | ethernet-protocol | fragments | icmp-code | icmp-type | icmpv6-code | icmpv6-type | ip-precedence | ip-protocol | ipv6-dscp | ipv6-fragment | ipv6-protocol | service-cos | service-vlan-id | sip | sipv6 | smac | sport | tcp-flag | tos } *
undo flow-template { all | name flow-template-name }
View
System view
Parameter
flow-template-name: Flow template name that comprises 1 to 31 characters.
basic: Sets the type of the flow template to basic.
customer-cos: Customer 802.1p COS field, that is, VLAN priority.
customer-vlan-id: Customer VLAN ID.
dip: Destination IP address.
dipv6: Destination IPv6 address.
dmac: Destination MAC address.
dport: Destination service port.
dscp: Differentiated service code point (DSCP) field in the IP header.
ethernet-protocol: Protocol type field in the Ethernet frame header.
fragments: Fragments field in the IP header.
icmp-code: ICMP code field.
icmp-type: ICMP type field.
icmpv6-code: ICMPv6 code field.
icmpv6-type: ICMPv6 type field.
ip-precedence: Specifies the precedence field in the IP header.
ip-protocol: Protocol type field in the IP header.
ipv6-dscp: Specifies the DSCP field in the IPv6 header.
ipv6-fragments: IPv6 fragments flag.
ipv6-protocol: Next header field in the IPv6 header.
service-cos: Specifies the service provider 802.1p COS field.
service-vlan-id: Service provider VLAN ID.
sip: Specifies the source IP address.
sipv6: Specifies the source IPv6 address.
smac: Specifies the source MAC address.
sport: Specifies the source service port.
tcp-flag: Specifies the flags field in the TCP header.
tos: Specifies the ToS field in the IP header.
all: Removes all flow templates.
Description
Use the flow-template basic command to create a basic flow template.
Use the undo flow-template command to remove the specified or all flow templates.
A template that is still referenced on a port cannot be removed; the undo command fails. Remove the reference from the port first.
Example
# Create a basic flow template.
<Sysname> system-view
[Sysname] flow-template f1 basic dip smac
# Remove the flow template named f1.
[Sysname] undo flow-template name f1
# Remove all flow templates.
[Sysname] undo flow-template all
3.1.4 flow-template extend
Syntax
flow-template flow-template-name extend { [ start ] offset-max-value length-max-value | ipv4 offset-max-value length-max-value | ipv6 offset-max-value length-max-value | l2 offset-max-value length-max-value | l4 offset-max-value length-max-value } *
undo flow-template { all | name flow-template-name }
View
System view
Parameter
flow-template-name: Flow template name that comprises 1 to 31 characters.
extend: Sets the type of the flow template to extend.
start: Sets the offset from the beginning of the outermost header.
ipv4: Sets the offset from the beginning of the IPv4 header.
ipv6: Sets the offset from the beginning of the IPv6 header.
l2: Sets the offset from the beginning of the Layer 2 frame header.
l4: Sets the offset from the beginning of the Layer 4 header.
offset-max-value: The maximum offset from the reference location, in the range 0 to 79.
length-max-value: The maximum comparison length in bytes; the largest value allowed is 16.
all: Specifies to remove all flow templates.
Description
Use the flow-template extend command to create an extended flow template.
Use the undo flow-template command to remove the specified or all flow templates.
For the extended flow template, the offset type is start by default if you do not specify any.
A template that is still referenced on a port cannot be removed; the undo command fails. Remove the reference from the port first.
Example
# Create an extended flow template.
<Sysname> system-view
[Sysname] flow-template f2 extend l2 3 10 ipv4 5 8