H3C S5500-SI Series Ethernet Switches Command Manual-Release 1205-(V1.03)

19-ACL Command

Chapter 1  IPv4 ACL Configuration Commands

1.1  Time Range Configuration Commands

1.1.1  display time-range

Syntax

display time-range { all | time-name }

View

Any view

Parameter

time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.

all: All existing time ranges.

Description

Use the display time-range command to display the configuration and state of a specified or all time ranges.

A time range is active if the system time falls within its range, and inactive otherwise.

Example

# Display the configuration and state of time range trname.

<Sysname> display time-range trname

Current time is 10:45:15 4/14/2005 Thursday

 

Time-range : trname ( Inactive )

 from 08:00 12/1/2005 to 23:59 12/31/2100

Table 1-1 Description on the fields of the display time-range command

Field | Description
----- | -----------
Current time | Current system time
Time-range | The configuration and state of the time range: its name, whether it is active or inactive, and its start and end times.

1.1.2  time-range

Syntax

time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

undo time-range time-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View

System view

Parameter

time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.

start-time: Start time of a periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59.

end-time: End time of the periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The end time must be greater than the start time.

days: Indicates on which day or days of the week the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces for this argument, but make sure that they do not overlap. These values can take one of the following forms:

• A digit in the range 0 to 6, for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday respectively.

• A day of the week in words, that is, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday.

• working-day for Monday through Friday.

• off-day for Saturday and Sunday.

• daily for all seven days of the week.

from time1 date1: Optional, indicates the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month in the range 1 to 31, and YYYY is the year in the usual Gregorian calendar. If not specified, the start time is the earliest time available from the system.

to time2 date2: Optional, indicates the end time and date of the absolute time range. Their formats and value ranges are the same as those of the time1 and date1 arguments. The end time, however, must be greater than the start time. If not specified, the end time is the maximum time available from the system.

Description

Use the time-range command to create a time range.

Use the undo time-range command to remove a time range.

Note that:

• A periodic time range is created using the time-range time-name start-time to end-time days command. A time range thus created recurs periodically on the specified day or days of the week.

• An absolute time range is created using the time-range time-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.

• A compound time range is created using the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the specified day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.

• You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing the periodic ones, ORing the absolute ones, and ANDing the periodic and absolute results.

• If the start time is specified, the time range starts on the current date and ends on the end date. If the end date is not specified, the time range lasts from the date of configuration until the largest date available in the system.

• Up to 256 time ranges can be defined.

Example

# Create an absolute time range named test, setting it to become active from 0:0 on January 1, 2003.

<Sysname> system-view

[Sysname] time-range test from 0:0 2003/1/1

# Create a periodic time range named test, setting it to be active between 8:00 to 18:00 during working days.

<Sysname> system-view

[Sysname] time-range test 8:00 to 18:00 working-day

# Create a periodic time range named test, setting it to be active between 14:00 and 18:00 on Saturday and Sunday.

<Sysname> system-view

[Sysname] time-range test 14:00 to 18:00 off-day
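The periodic, absolute, compound and same-name combination semantics described for this command can be checked against a system time with the following evaluator. This is an added example, not code from the manual or from H3C; it assumes the end time of a periodic range is inclusive at minute granularity and that a compound statement's date window applies to its own periodic part.

```python
"""Evaluate whether an H3C-style time range is active at a given system time.

Constructed example, not code from the manual or from H3C. Assumptions: a
periodic range is active when the minute of day lies between start-time and
end-time inclusive; a compound statement's absolute window applies only to
its own periodic part; same-name entries combine as the manual states
(OR periodic ones, OR absolute ones, AND the two groups).
"""
from datetime import datetime, timedelta

# The manual numbers days 0 to 6 for Sunday through Saturday.
DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}


def parse_hhmm(text):
    """Return minutes since midnight; 24:00 is allowed as an end time."""
    hh, mm = text.split(":")
    minutes = int(hh) * 60 + int(mm)
    if not 0 <= minutes <= 24 * 60:
        raise ValueError("time out of range: " + text)
    return minutes


def parse_stamp(hhmm, date):
    """Combine hh:mm with a date in MM/DD/YYYY or YYYY/MM/DD format."""
    a, b, c = (int(x) for x in date.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(hhmm))


def parse_days(tokens):
    """Parse the days argument: digits 0-6, day names, working-day, off-day, daily."""
    days = set()
    for tok in tokens:
        tok = tok.lower()
        if tok.isdigit() and int(tok) <= 6:
            chosen = {int(tok)}
        elif tok in DAY_NAMES:
            chosen = {DAY_NAMES.index(tok)}
        elif tok in DAY_GROUPS:
            chosen = DAY_GROUPS[tok]
        else:
            raise ValueError("bad day value: " + tok)
        if days & chosen:
            raise ValueError("day values overlap: " + tok)  # the manual forbids overlap
        days |= chosen
    if not days:
        raise ValueError("a periodic time range needs at least one day")
    return days


def parse_time_range(statement):
    """Parse the part of a time-range command after the name into an entry dict."""
    tokens = statement.split()
    entry = {"periodic": None, "from": datetime.min, "to": datetime.max}
    i = 0
    if tokens and tokens[0] not in ("from", "to"):  # periodic or compound form
        if len(tokens) < 4 or tokens[1] != "to":
            raise ValueError("expected: start-time to end-time days")
        start, end = parse_hhmm(tokens[0]), parse_hhmm(tokens[2])
        if end <= start:
            raise ValueError("end time must be greater than start time")
        i = 3
        while i < len(tokens) and tokens[i] not in ("from", "to"):
            i += 1
        entry["periodic"] = (start, end, parse_days(tokens[3:i]))
    if i < len(tokens) and tokens[i] == "from":
        entry["from"] = parse_stamp(tokens[i + 1], tokens[i + 2])
        i += 3
    if i < len(tokens) and tokens[i] == "to":
        entry["to"] = parse_stamp(tokens[i + 1], tokens[i + 2])
        i += 3
    if i != len(tokens) or entry["to"] <= entry["from"]:
        raise ValueError("cannot parse time range: " + statement)
    return entry


def entry_active(entry, now):
    """True if a single statement is active at datetime 'now'."""
    if not entry["from"] <= now <= entry["to"]:
        return False
    if entry["periodic"] is None:
        return True
    start, end, days = entry["periodic"]
    minute = now.hour * 60 + now.minute
    manual_day = (now.weekday() + 1) % 7  # Python: Monday=0; manual: Sunday=0
    return manual_day in days and start <= minute <= end


def time_range_active(statements, now):
    """Combine same-name statements: OR periodic, OR absolute, AND the two groups."""
    entries = [parse_time_range(s) for s in statements]
    periodic = [e for e in entries if e["periodic"] is not None]
    absolute = [e for e in entries if e["periodic"] is None]
    periodic_ok = not periodic or any(entry_active(e, now) for e in periodic)
    absolute_ok = not absolute or any(entry_active(e, now) for e in absolute)
    return periodic_ok and absolute_ok
```

Feeding it the display time-range output above (system time 10:45:15 on Thursday 4/14/2005, range from 08:00 12/1/2005) reproduces the Inactive state shown there.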

1.2  IPv4 ACL Configuration Commands

1.2.1  acl

Syntax

acl number acl-number [ match-order { config | auto } ]

undo acl { number acl-number | all }

View

System view

Parameter

number: Defines a numbered access control list (ACL).

acl-number: IPv4 ACL number in the range 2000 to 4999, where:

• 2000 to 2999 for basic IPv4 ACLs

• 3000 to 3999 for advanced IPv4 ACLs

• 4000 to 4999 for Ethernet frame header ACLs

match-order: Sets the order in which ACL rules are matched.

• config: Performs matching against rules in the order in which they are configured.

• auto: Performs depth-first match.

all: All IPv4 ACLs.

Description

Use the acl command to enter ACL view. If the ACL does not exist, it is created first.

Use the undo acl command to remove a specified or all IPv4 ACLs.

By default, the match order is config.

Example

# Create IPv4 ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000]

1.2.2  description

Syntax

description text

undo description

View

Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view

Parameter

text: ACL description up to 127 characters.

Description

Use the description command to create an ACL description, for example to describe the purpose of the ACL.

Use the undo description command to remove the ACL description.

By default, no description is defined for an ACL.

Example

# Create a description for IPv4 ACL 3100.

<Sysname> system-view

[Sysname] acl number 3100

[Sysname-acl-adv-3100] description This acl is used in eth 0

# Remove the description of IPv4 ACL 3100.

[Sysname-acl-adv-3100] undo description

1.2.3  display acl

Syntax

display acl { all | acl-number }

View

Any view

Parameter

acl-number: IPv4 ACL in the range 2000 to 4999.

all: All IPv4 ACLs.

Description

Use the display acl command to display information about the specified or all IPv4 ACLs.

This command displays ACL rules in the matching order.

Example

# Display information about IPv4 ACL 2001.

<Sysname> display acl 2001

Basic acl  2001, 1 rule,

ACL's step is 5

 rule 5 permit source 1.1.1.1 0 (0 times matched)

 rule 5 comment This rule is used in gigabiteth 1

Table 1-2 Description on the fields of the display acl command

Field | Description
----- | -----------
Basic acl 2001 | The displayed information is about basic IPv4 ACL 2001.
1 rule | The ACL contains one rule.
ACL's step is 5 | The rules in this ACL are numbered in steps of 5.
0 times matched | No packet has matched this rule. Only ACL matches performed by software are counted.
rule 5 comment This rule is used in gigabiteth 1 | The description of ACL rule 5 is "This rule is used in gigabiteth 1".

1.2.4  reset acl counter

Syntax

reset acl counter { all | acl-number }

View

User view

Parameter

acl-number: IPv4 ACL in the range 2000 to 4999.

all: All IPv4 ACLs.

Description

Use the reset acl counter command to clear statistics about specified or all IPv4 ACLs.

Example

# Clear statistics about IPv4 ACL 2001.

<Sysname> reset acl counter 2001

1.2.5  rule (basic IPv4 ACL)

Syntax

rule [ rule-id ] { permit | deny } [ rule-string ]

undo rule rule-id [ fragment | logging | source | time-range ]*

View

Basic IPv4 ACL view

Parameter

I. Parameters for the rule command

rule-id: ACL rule number in the range 0 to 65534.

deny: Defines a deny statement to drop matched packets.

permit: Defines a permit statement to allow matched packets to pass.

rule-string: Matching criteria and other rule information defined by combinations of the parameters described in the following table.

Table 1-3 Parameters for basic IPv4 ACL rules

source { sour-addr sour-wildcard | any }
    Function: Specifies a source address.
    Description: The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. A wildcard of 0 indicates a host address. The any keyword indicates any source IP address.

logging
    Function: Specifies to log matched packets.
    Description: The log provides the ACL rule number, whether packets are permitted or dropped, the upper layer protocol carried by IP, source/destination address, source/destination port number, and the number of packets.

fragment
    Function: Indicates that the rule applies only to non-first fragments.
    Description: (none)

time-range time-name
    Function: Specifies the time range in which the rule takes effect.
    Description: The time-name argument specifies a time range name of 1 to 32 characters.

Note:

The sour-wildcard argument is the bitwise complement of the source subnet mask. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.

II. Parameters for the undo rule command

rule-id: Number of an existing ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.

fragment: Removes the non-first fragment setting.

logging: Removes the logging setting.

source: Removes the source address setting.

time-range: Removes the time range setting.

 

Note:

S5500-SI Series Ethernet Switches do not currently support the logging parameter.

 

Description

Use the rule command to create an IPv4 ACL rule or modify an existing rule.

Use the undo rule command to remove an ACL rule or parameters from the rule.

Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can automatically assign rule IDs starting from 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).

• Rules created with the auto keyword specified are sorted according to the "depth first" principle regardless of the order in which they were created. However, the ID of each rule does not change.

Example

# Create a rule to deny packets with the source IP address 1.1.1.1.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

1.2.6  rule (advanced IPv4 ACL)

Syntax

rule [ rule-id ] { permit | deny } protocol [ rule-string ]

undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ]*

View

Advanced IPv4 ACL view

Parameter

I. Parameters for the rule command

rule-id: ACL rule number in the range 0 to 65534.

deny: Defines a deny statement to drop matched packets.

permit: Defines a permit statement to allow matched packets to pass.

protocol: Upper layer protocol carried by IP. It can be a number in the range 0 to 255, or in words, gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp.

rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.

Table 1-4 Parameters for advanced IPv4 ACL rules

source { sour-addr sour-wildcard | any }
    Function: Specifies a source address.
    Description: The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. A wildcard of 0 indicates a host address. The any keyword indicates any source IP address.

destination { dest-addr dest-wildcard | any }
    Function: Specifies a destination address.
    Description: The dest-addr dest-wildcard argument specifies a destination IP address in dotted decimal notation. A dest-wildcard of 0 indicates a host address. The any keyword indicates any destination IP address.

precedence precedence
    Function: Specifies an IP precedence.
    Description: The precedence argument can be a number in the range 0 to 7, or one of the words routine, priority, immediate, flash, flash-override, critical, internet, or network.

tos tos
    Function: Specifies a ToS preference.
    Description: The tos argument can be a number in the range 0 to 15, or one of the words max-reliability, max-throughput, min-delay, min-monetary-cost, or normal.

dscp dscp
    Function: Specifies a DSCP priority.
    Description: The dscp argument can be a number in the range 0 to 63, or one of the words af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

logging
    Function: Specifies to log matched packets.
    Description: The log provides the ACL rule number, whether packets are permitted or dropped, the upper layer protocol carried by IP, source/destination address, source/destination port number, and the number of packets.

reflective
    Function: Specifies the rule to be reflective.
    Description: A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets, and its statement can only be permit.

fragment
    Function: Indicates that the rule applies only to non-first fragments.
    Description: (none)

time-range time-name
    Function: Specifies the time range in which the rule can take effect.
    Description: The time-name argument comprises 1 to 32 characters.

 

Note:

The sour-wildcard and dest-wildcard arguments are the bitwise complement of the source and destination subnet masks respectively. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.

 

If the protocol argument is set to TCP or UDP, you may define the parameters in the following table.

Table 1-5 TCP/UDP-specific parameters for advanced IPv4 ACL rules

source-port operator port1 [ port2 ]
    Function: Defines information on the source port in the TCP/UDP packet.
    Description: The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers, given as a number in the range 0 to 65535 or as a port name. You need to define the port2 argument only when the range keyword is used.

destination-port operator port1 [ port2 ]
    Function: Defines information on the destination port in the TCP/UDP packet.
    Description: The operator, port1 and port2 arguments are as described for source-port.

established
    Function: Defines the rule for TCP connection packets.
    Description: A keyword specific to TCP.

 

When you specify TCP/UDP ports by name, you can use the port names in the following table.

Table 1-6 TCP/UDP port values

Protocol type | Value
------------- | -----
TCP | CHARgen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)
UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)

 

If the protocol argument is set to ICMP, you may define the parameters in the following table.

Table 1-7 Parameters for advanced IPv4 ACL rules

icmp-type icmp-type icmp-code
    Function: Specifies the ICMP message type and code.
    Description: The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255.

 

The following table provides the ICMP messages in common use.

Table 1-8 ICMP messages in common use

ICMP message | Type | Code
------------ | ---- | ----
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0

 

II. Parameters for the undo rule command

rule-id: Number of an existing ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.

destination: Removes the destination address setting.

destination-port: Removes the destination port setting. This keyword is available only for TCP and UDP.

dscp: Removes the DSCP setting.

fragment: Removes the non-first fragment setting.

icmp-type: Removes the ICMP type and code settings. This keyword is available only for ICMP.

logging: Removes the logging setting.

precedence: Removes the precedence setting.

reflective: Removes the reflective attribute of the rule.

source: Removes the source address setting.

source-port: Removes the source port setting. This keyword is available only for TCP and UDP.

time-range: Removes the time range setting.

tos: Removes the ToS setting.

 

Note:

Currently on S5500-SI Series Ethernet Switches:

• The established, logging and reflective parameters are unavailable.

• The operator cannot be neq when TCP or UDP is selected as the protocol.

 

Description

Use the rule command to define or modify an ACL rule. If the rule does not exist, it is created first.

Use the undo rule command to remove an ACL rule or parameters from the rule.

Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can automatically assign rule IDs starting from 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).

• Rules created with the auto keyword specified are sorted according to the "depth first" principle regardless of the order in which they were created. However, the ID of each rule does not change.

Example

# Define a rule to permit TCP packets with destination port 80 sent from network 129.9.0.0 (wildcard 0.0.255.255) to network 202.38.160.0 (wildcard 0.0.0.255).

<Sysname> system-view

[Sysname] acl number 3101

[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
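The wildcard note and the example rule above can be checked against sample packets with the following evaluator. This is an added example, not code from the manual or from H3C; it handles only the protocol, source, destination, source-port and destination-port criteria with numeric ports, rejects any other keyword rather than guessing its semantics, and assumes the config match order (first matching rule decides).

```python
"""Evaluate advanced IPv4 ACL address and port criteria against sample packets.

Constructed example, not code from the manual or from H3C. It handles the
protocol, source, destination, source-port and destination-port criteria and
the operators of Table 1-5; other keywords are rejected so nothing is guessed.
Ports are given as numbers here, not by the names of Table 1-6.
"""
import ipaddress

# Protocol keywords accepted by the rule command mapped to IP protocol numbers.
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}


def wildcard_from_mask(mask):
    """Wildcard = bitwise complement of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def addr_matches(addr, base, wildcard):
    """Bits set to 1 in the wildcard are ignored; a wildcard of 0 means a host address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def port_matches(port, operator, port1, port2=None):
    """Port operators of Table 1-5 (neq is listed but unavailable on the S5500-SI)."""
    if operator == "lt":
        return port < port1
    if operator == "gt":
        return port > port1
    if operator == "eq":
        return port == port1
    if operator == "neq":
        return port != port1
    if operator == "range":
        return port1 <= port <= port2
    raise ValueError("unknown operator: " + operator)


def parse_rule(text):
    """Parse 'rule [id] {permit|deny} protocol ...' for the criteria handled here."""
    tokens = text.split()
    if tokens[0] != "rule":
        raise ValueError("not a rule command")
    i = 1
    rule = {"id": None}
    if tokens[i].isdigit():
        rule["id"] = int(tokens[i])
        i += 1
    rule["action"] = tokens[i]
    proto = tokens[i + 1]
    if proto == "ip":
        rule["protocol"] = None  # ip matches any upper layer protocol
    elif proto in PROTO_NUMBERS:
        rule["protocol"] = PROTO_NUMBERS[proto]
    elif proto.isdigit() and int(proto) <= 255:
        rule["protocol"] = int(proto)  # numeric form, 0 to 255
    else:
        raise ValueError("unknown protocol: " + proto)
    i += 2
    while i < len(tokens):
        key = tokens[i]
        if key in ("source", "destination"):
            if tokens[i + 1] == "any":
                rule[key] = None
                i += 2
            else:
                rule[key] = (tokens[i + 1], tokens[i + 2])  # (address, wildcard)
                i += 3
        elif key in ("source-port", "destination-port"):
            operator, port1 = tokens[i + 1], int(tokens[i + 2])
            port2 = int(tokens[i + 3]) if operator == "range" else None
            rule[key] = (operator, port1, port2)
            i += 4 if operator == "range" else 3
        else:
            raise ValueError("keyword not handled by this example: " + key)
    return rule


def rule_matches(rule, pkt):
    """pkt: dict with protocol, src, dst and (for TCP/UDP) sport, dport."""
    if rule["protocol"] is not None and pkt["protocol"] != rule["protocol"]:
        return False
    for key, field in (("source", "src"), ("destination", "dst")):
        crit = rule.get(key)
        if crit is not None and not addr_matches(pkt[field], *crit):
            return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        crit = rule.get(key)
        if crit is not None:
            if pkt["protocol"] not in (6, 17):  # port criteria only apply to TCP/UDP
                return False
            if not port_matches(pkt[field], *crit):
                return False
    return True


def first_match(rules, pkt):
    """Config match order: rules are tried in configured order, first match decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return None  # no rule matched


# Constructed sample: the rule from the example above and a packet it should permit.
PAGE_RULE = parse_rule("rule permit tcp source 129.9.0.0 0.0.255.255 "
                       "destination 202.38.160.0 0.0.0.255 destination-port eq 80")
SAMPLE_PKT = {"protocol": 6, "src": "129.9.12.34", "dst": "202.38.160.7", "sport": 40000, "dport": 80}
```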

1.2.7  rule (Ethernet frame header ACL)

Syntax

rule [ rule-id ] { permit | deny } [ rule-string ]

undo rule rule-id

View

Ethernet frame header ACL view

Parameter

rule-id: ACL rule number in the range 0 to 65534.

deny: Defines a deny statement to drop matched packets.

permit: Defines a permit statement to allow matched packets to pass.

rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.

Table 1-9 Parameters for Ethernet frame header ACL rules

type type-code type-wildcard
    Function: Defines the link layer protocol.
    Description: The type-code argument is a 16-bit hexadecimal number indicating the frame type. It corresponds to the type-code field in Ethernet_II and Ethernet_SNAP frames. The type-wildcard argument is a 16-bit hexadecimal number indicating the wildcard.

lsap lsap-code lsap-wildcard
    Function: Defines the DSAP and SSAP fields in the LLC encapsulation.
    Description: The lsap-code argument is a 16-bit hexadecimal number indicating the frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal number indicating the wildcard of the LSAP code.

source-mac sour-addr sour-mask
    Function: Specifies a source MAC address range.
    Description: The sour-addr and sour-mask arguments indicate a source MAC address and mask in xxxx-xxxx-xxxx format.

dest-mac dest-addr dest-mask
    Function: Specifies a destination MAC address range.
    Description: The dest-addr and dest-mask arguments indicate a destination MAC address and mask in xxxx-xxxx-xxxx format.

cos vlan-pri
    Function: Defines an 802.1p priority.
    Description: The vlan-pri argument ranges from 0 to 7.

time-range time-name
    Function: Specifies the time range in which the rule can take effect.
    Description: The time-name argument comprises 1 to 32 characters.

 

Note:

S5500-SI Series Ethernet Switches do not currently support the lsap parameter.

 

Description

Use the rule command to create an ACL rule or modify an existing rule.

Use the undo rule command to remove an ACL rule.

Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it by the display acl command.

When configuring a rule, note that:

• You cannot create or modify a rule whose permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

• When defining ACL rules, you do not have to assign them IDs. The system can automatically assign rule IDs starting from 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule is numbered 30.

• A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system prompts that the rule already exists).

• Rules created with the auto keyword specified are sorted according to the "depth first" principle regardless of the order in which they were created. However, the ID of each rule does not change.

Example

# Create a rule to deny packets with the 802.1p priority of 3.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule deny cos 3

1.2.8  rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view

Parameter

rule-id: ACL rule number in the range 0 to 65534.

text: ACL rule description, up to 127 characters.

Description

Use the rule comment command to create or modify an ACL rule description, for example to describe the purpose of the ACL rule or its attributes.

The command fails if the specified rule does not exist.

Use the undo rule comment command to remove the ACL rule description.

By default, no rule description is created.

Example

# Define rule 0 in IPv4 ACL 3101 and create a description for it.

<Sysname> system-view

[Sysname] acl number 3101

[Sysname-acl-adv-3101] rule 0 permit source 1.1.1.1 0

[Sysname-acl-adv-3101] rule 0 comment This rule is used in gigabiteth 1

1.2.9  step

Syntax

step step-value

undo step

View

Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view

Parameter

step-value: ACL rule numbering step. The default is 5.

Description

Use the step command to set a rule numbering step.

Use the undo step command to restore the default.

When defining rules in an ACL, you do not necessarily assign them numbers. The system can do this automatically in steps. For example, if the default step applies, the rules you create are automatically numbered 0, 5, 10, 15, and so on. One benefit of the rule numbering step is that it allows you to insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, 15 in an ACL configured with a step of 5, you can still insert a rule numbered 1.

Any step change can result in renumbering. For example, after you change the step in the above example from 5 to 2, the rules are renumbered 0, 2, 4, 6, and 8.

Note that if the current step is the default, performing the undo step command can still result in rule renumbering.

Example

# Set the rule numbering step to 2 for IPv4 ACL 3101.

<Sysname> system-view

[Sysname] acl number 3101

[Sysname-acl-adv-3101] step 2
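The automatic numbering, insertion and renumbering behaviour described for this command, modelled as an added example (not code from the manual or from H3C); rules are held in a Python dict keyed by rule ID, and the behaviour follows only what this section states.

```python
"""Model the rule numbering step of an H3C IPv4 ACL: automatic IDs and renumbering.

Constructed example, not code from the manual or from H3C. Rules are stored in
a dict keyed by rule ID; the behaviour follows the step command description:
default step 5, automatic IDs above the current highest ID, renumbering on any
step change, and undo step restoring the default (renumbering even if it was 5).
"""

DEFAULT_STEP = 5
MAX_RULE_ID = 65534


def next_auto_id(highest_id, step):
    """Smallest multiple of step greater than highest_id; 0 for an empty ACL.

    The manual's case: highest ID 28 with step 5 gives 30.
    """
    if highest_id is None:
        return 0
    return (highest_id // step + 1) * step


class Acl:
    def __init__(self, step=DEFAULT_STEP):
        self.step = step
        self.rules = {}  # rule ID -> rule text

    def rule_ids(self):
        """Rule IDs in ascending order (the order they are matched in config mode)."""
        return sorted(self.rules)

    def add_rule(self, text, rule_id=None):
        """Create a rule with an automatic or explicit ID, or modify an existing ID."""
        if rule_id is None:
            rule_id = next_auto_id(max(self.rules) if self.rules else None, self.step)
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule ID %d out of range 0 to %d" % (rule_id, MAX_RULE_ID))
        # A rule identical to an existing one under another ID is rejected.
        for other_id, other_text in self.rules.items():
            if other_text == text and other_id != rule_id:
                raise ValueError("the rule already exists (rule %d)" % other_id)
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step):
        """Change the step; all rules are renumbered 0, step, 2*step, ... in ID order."""
        if step < 1:
            raise ValueError("step must be positive")
        self.step = step
        self.rules = {i * step: self.rules[old] for i, old in enumerate(self.rule_ids())}

    def undo_step(self):
        """Restore the default step; this renumbers even if the step was already 5."""
        self.set_step(DEFAULT_STEP)


def manual_walkthrough():
    """Reproduce the step command's worked example step by step.

    Returns the rule ID lists after: four automatic rules, inserting rule 1,
    changing the step to 2, and undo step.
    """
    acl = Acl()
    for n in range(1, 5):  # constructed rule texts
        acl.add_rule("rule permit source 10.0.0.%d 0" % n)
    after_auto = acl.rule_ids()        # [0, 5, 10, 15]
    acl.add_rule("rule deny source 10.0.1.0 0.0.0.255", rule_id=1)
    after_insert = acl.rule_ids()      # [0, 1, 5, 10, 15]
    acl.set_step(2)
    after_step_2 = acl.rule_ids()      # [0, 2, 4, 6, 8]
    acl.undo_step()
    after_undo = acl.rule_ids()        # [0, 5, 10, 15, 20]
    return after_auto, after_insert, after_step_2, after_undo
```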


Chapter 2  IPv6 ACL Configuration Commands

2.1  IPv6 ACL Configuration Commands

2.1.1  acl ipv6 (basic or advanced IPv6 ACL)

Syntax

acl ipv6 number acl-number [ match-order { config | auto } ]

undo acl ipv6 { number acl-number | all }

View

System view

Parameter

number: Defines a numbered IPv6 ACL.

acl-number: ACL number in the range 2000 to 3999, where:

• 2000 to 2999 for basic IPv6 ACLs

• 3000 to 3999 for advanced IPv6 ACLs

match-order: Sets the order in which ACL rules are matched.

• config: Performs matching against rules in the order in which they are configured.

• auto: Performs depth-first match.

all: All IPv6 ACLs.

Description

Use the acl ipv6 command to enter IPv6 ACL view. If the ACL does not exist, it is created first.

Use the undo acl ipv6 command to remove a specified or all IPv6 ACLs.

By default, the match order is config.

Example

# Create IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000]

2.1.2  description

Syntax

description text

undo description

View

Basic IPv6 ACL view, advanced IPv6 ACL view

Parameter

text: ACL description up to 127 characters.

Description

Use the description command to create an IPv6 ACL description, to describe the purpose of the ACL for example.

Use the undo description command to remove the IPv6 ACL description.

Example

# Create a description for IPv6 ACL 3100.

<Sysname> system-view

[Sysname] acl ipv6 number 3100

[Sysname-acl6-adv-3100] description This acl is used in eth 0

# Remove the description of IPv6 ACL 3100.

[Sysname-acl6-adv-3100] undo description

2.1.3  display acl ipv6

Syntax

display acl ipv6 { all | acl-number }

View

Any view

Parameter

acl-number: IPv6 ACL number in the range 2000 to 3999.

all: All IPv6 ACLs.

Description

Use the display acl ipv6 command to display information about the specified or all IPv6 ACLs.

Example

# Display information about IPv6 ACL 2001.

<Sysname> display acl ipv6 2001

 Basic IPv6 ACL  2001, 1 rule,

 ACL's step is 5

 rule 0 permit source 1::2/128 (0 times matched)

 rule 0 comment This rule is used in gigabiteth 1

Table 2-1 Description on the fields of the display acl ipv6 command

Field | Description
----- | -----------
Basic IPv6 ACL 2001 | The displayed information is about basic IPv6 ACL 2001.
1 rule | The ACL contains one rule.
ACL's step is 5 | The rules in this ACL are numbered in steps of 5.
0 times matched | No packet has matched this rule. Only ACL matches performed by software are counted.
rule 0 comment This rule is used in gigabiteth 1 | The description of ACL rule 0 is "This rule is used in gigabiteth 1".

2.1.4  reset acl ipv6 counter

Syntax

reset acl ipv6 counter { all | acl-number }

View

User view

Parameter

acl-number: IPv6 ACL number in the range 2000 to 3999.

all: All basic and advanced IPv6 ACLs.

Description

Use the reset acl ipv6 counter command to clear statistics about specified or all IPv6 ACLs.

Example

# Clear the statistics about IPv6 ACL 2001.

<Sysname> reset acl ipv6 counter 2001

2.1.5  rule (basic IPv6 ACL)

Syntax

rule [ rule-id ] { permit | deny } [ rule-string ]

undo rule rule-id [ fragment | logging | source | time-range ]*

View

Basic IPv6 ACL view

Parameter

I. Parameters for the rule command

rule-id: IPv6 ACL rule number in the range 0 to 65534.

deny: Defines a deny statement to drop matched packets.

permit: Defines a permit statement to allow matched packets to pass.

rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.

Table 2-2 Match criteria and rule information for basic IPv6 ACL rules

source { ipv6-address prefix-length | ipv6-address/prefix-length | any }
    Function: Specifies a source address.
    Description: The ipv6-address and prefix-length arguments specify an IPv6 source address and its prefix length in the range 1 to 128. The any keyword indicates any source address.

logging
    Function: Specifies to log matched packets.
    Description: The log provides the ACL rule number, whether packets are permitted or denied, the upper layer protocol carried by IP, source/destination address, source/destination port number, and the number of packets.

fragment
    Function: Indicates that the rule applies only to non-first fragments.
    Description: (none)

time-range time-name
    Function: Specifies the time range in which the rule can take effect.
    Description: The time-name argument comprises 1 to 32 characters.

 

II. Parameters for the undo rule command

rule-id: Number of an existing IPv6 ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.

fragment: Removes the non-first fragment setting.

logging: Removes the logging setting.

source: Removes the source address setting.

time-range: Removes the time range setting.

 

Note:

S5500-SI Series Ethernet Switches do not currently support the logging and fragment parameters.

 

Description

Use the rule command to create an IPv6 ACL rule or modify an existing rule.

Use the undo rule command to remove an IPv6 ACL rule or parameters from the rule.

Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it with the display acl ipv6 command. If no parameter other than the rule ID is specified for the undo rule command, the whole rule is removed; otherwise, only the specified attributes of the rule are removed.

When configuring a rule, note that:

- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

- When defining ACL rules, you do not need to assign them IDs. The system can automatically assign rule IDs starting from 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

- A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system will prompt that the rule already exists).

- Rules created with the auto keyword specified are sorted according to the "depth first" principle regardless of the order in which they are created. However, the ID of each rule does not change.

Example

# Create rules in IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule deny source fe80:5060::8050/96

2.1.6  rule (advanced IPv6 ACL)

Syntax

rule [ rule-id ] { permit | deny } protocol [ rule-string ]

undo rule rule-id [ destination | destination-port | fragment | icmpv6-type | logging | source | source-port | time-range | dscp ]*

View

Advanced IPv6 ACL view

Parameter

I. Parameters for the rule command

rule-id: IPv6 ACL rule number in the range 0 to 65534.

deny: Defines a deny statement to drop matched packets.

permit: Defines a permit statement to allow matched packets to pass.

protocol: Upper layer protocol carried on IP. It can be a number in the range 1 to 255, or in words, gre, icmpv6, ipv6, ipv6-ah, ipv6-esp, ospf, tcp, or udp.

rule-string: Match criteria and other rule information defined by combinations of the parameters described in the following table.

Table 2-3 Match criteria and other rule information for advanced IPv6 ACL rules

source { source source-prefix | source/source-prefix | any }
    Function: Specifies a source IPv6 address.
    Description: The source and source-prefix arguments specify an IPv6 source address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address.

destination { dest dest-prefix | dest/dest-prefix | any }
    Function: Specifies a destination IPv6 address.
    Description: The dest and dest-prefix arguments specify a destination IPv6 address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 destination address.

dscp dscp
    Function: Specifies a DSCP preference.
    Description: The dscp argument can be a number in the range 0 to 63 or in words: af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

logging
    Function: Specifies to log matched packets.
    Description: The log provides information about the ACL rule number, whether packets are permitted or denied, the upper layer protocol that IP carries, source/destination address, source/destination port number, and number of packets.

fragment
    Function: Indicates that the rule applies only to non-first fragments.
    Description: ––

time-range time-name
    Function: Specifies the time range in which the rule can take effect.
    Description: The time-name argument comprises 1 to 32 characters.

If the protocol argument is set to TCP or UDP, you may define the parameters in the following table.

Table 2-4 TCP/UDP-specific match criteria for advanced IPv6 ACL rules

source-port operator port1 [ port2 ]
    Function: Defines the source port in the UDP/TCP packet.
    Description: The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments each specify a TCP or UDP port, represented by a number in the range 0 to 65535 or by a port name. You need to define the port2 argument only when the range keyword is used.

destination-port operator port1 [ port2 ]
    Function: Defines the destination port in the UDP/TCP packet.
    Description: As for source-port.

When specifying TCP/UDP ports by name, you can use the port names in the following table.

Table 2-5 TCP/UDP port values

TCP: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)

UDP: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (139), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)

If the protocol argument is set to ICMP, you may define the parameters in the following table.

Table 2-6 ICMP-specific match criteria for advanced IPv6 ACL rules

icmpv6-type icmp-type icmp-code
    Function: Specifies the ICMP message type and code.
    Description: The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255.

The following table provides the ICMP messages in common use.

Table 2-7 ICMP messages in common use

ICMP message             Type   Code
redirect                 137    0
echo                     128    0
echo-reply               129    0
err-Header-field         4      0
frag-time-exceeded       3      1
hop-limit-exceeded       3      0
host-admin-prohib        1      1
host-unreachable         1      3
neighbor-advertisement   136    0
neighbor-solicitation    135    0
network-unreachable      1      0
packet-too-big           2      0
port-unreachable         1      4
router-advertisement     134    0
router-solicitation      133    0
unknown-ipv6-opt         4      2
unknown-next-hdr         4      1

II. Parameters for the undo rule command

rule-id: Number of an existing IPv6 ACL rule. If no other parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.

destination: Removes the destination address setting from the rule.

destination-port: Removes the destination port setting from the rule. This keyword is available only for TCP and UDP.

fragment: Removes the non-first fragment setting from the rule.

icmpv6-type: Removes the ICMP type and code settings from the rule. This keyword is available only for ICMP.

logging: Removes the logging setting from the rule.

source: Removes the source address setting from the rule.

source-port: Removes the source port setting from the rule. This keyword is available only for TCP and UDP.

time-range: Removes the time range setting from the rule.

dscp: Removes the DSCP setting from the rule.

 

Note:

- Currently, S5500-SI Series Ethernet Switches do not support the dscp, logging and fragment parameters.

- When the TCP or UDP protocol is selected, the operator argument can only be eq.

 

Description

Use the rule command to create an IPv6 ACL rule or modify the rule if it has existed.

Use the undo rule command to remove an IPv6 ACL rule or parameters from the rule.

Before you can delete a rule, you need to specify the rule ID. If you do not know the rule ID, you can view it with the display acl command. If no other parameter is specified for the undo rule command, the whole IPv6 ACL rule is removed. Otherwise, only the specified attributes of the rule are removed.

When configuring a rule, note that:

- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.

- When defining ACL rules, you do not need to assign them IDs. The system can automatically assign rule IDs starting from 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

- A newly defined rule cannot be identical to any existing rule; otherwise the rule cannot be created (the system will prompt that the rule already exists).

- Rules created with the auto keyword specified are sorted according to the "depth first" principle regardless of the order in which they are created. However, the ID of each rule does not change.

Example

# Create a rule in IPv6 ACL 3000 to permit the TCP packets with the source address 2030:5060::9050/64.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64
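The following Python script is an added worked example for this manual section and the basic IPv6 ACL rule section before it; it is not H3C code and does not reproduce the switch's implementation. It parses rule strings in the syntax of the rule command (Tables 2-2, 2-3, 2-4 and 2-6) and evaluates constructed packets against them in configuration order. Assumptions made here: the ipv6 protocol keyword matches any upper-layer protocol, only the eq port operator is accepted (as the note for S5500-SI switches states), the time-range keyword is recorded but not evaluated, a packet matching no rule yields None, and the port names known to the parser are a subset of Table 2-5.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Protocol keywords from the rule syntax, mapped to IANA protocol numbers.
PROTO_NUMBERS = {"gre": 47, "icmpv6": 58, "ipv6-ah": 51, "ipv6-esp": 50,
                 "ospf": 89, "tcp": 6, "udp": 17}
# Subset of the TCP/UDP port names listed in Table 2-5.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "dns": 53,
              "www": 80, "ntp": 123, "snmp": 161, "syslog": 514}


@dataclass
class Packet:                          # constructed header fields for matching
    src: str
    dst: str
    proto: int                         # upper-layer protocol number
    sport: Optional[int] = None        # TCP/UDP source port
    dport: Optional[int] = None        # TCP/UDP destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    proto: Optional[int]               # None: "ipv6" keyword, any protocol (assumption)
    source: Optional[ipaddress.IPv6Network] = None
    destination: Optional[ipaddress.IPv6Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmpv6: Optional[tuple] = None     # (icmp-type, icmp-code)
    time_range: Optional[str] = None   # recorded only; activity is not modelled


def _parse_address(t: List[str], i: int):
    """Parse { addr prefix-length | addr/prefix-length | any } at t[i]."""
    if t[i] == "any":
        return None, i + 1
    if "/" in t[i]:
        return ipaddress.IPv6Network(t[i], strict=False), i + 1
    return ipaddress.IPv6Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_rule(rule_id: int, rule_string: str) -> Rule:
    """Parse '{ permit | deny } protocol [ rule-string ]' into a Rule."""
    t = rule_string.split()
    action, word = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    proto = None if word == "ipv6" else (int(word) if word.isdigit() else PROTO_NUMBERS[word])
    rule = Rule(rule_id, action, proto)
    i = 2
    while i < len(t):
        kw = t[i]
        if kw in ("source", "destination"):
            net, i = _parse_address(t, i + 1)
            setattr(rule, kw, net)
        elif kw in ("source-port", "destination-port"):
            if proto not in (6, 17):
                raise ValueError(f"{kw} is valid only for tcp or udp")
            if t[i + 1] != "eq":       # S5500-SI note: only the eq operator is supported
                raise ValueError(f"operator {t[i + 1]!r} not supported; use eq")
            w = t[i + 2]
            setattr(rule, "sport" if kw == "source-port" else "dport",
                    int(w) if w.isdigit() else PORT_NAMES[w])
            i += 3
        elif kw == "icmpv6-type":
            if proto != 58:
                raise ValueError("icmpv6-type is valid only for icmpv6")
            rule.icmpv6 = (int(t[i + 1]), int(t[i + 2]))
            i += 3
        elif kw == "time-range":
            rule.time_range = t[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion present in the rule holds for the packet."""
    return all([
        rule.proto is None or rule.proto == pkt.proto,
        rule.source is None or ipaddress.IPv6Address(pkt.src) in rule.source,
        rule.destination is None or ipaddress.IPv6Address(pkt.dst) in rule.destination,
        rule.sport is None or rule.sport == pkt.sport,
        rule.dport is None or rule.dport == pkt.dport,
        rule.icmpv6 is None or rule.icmpv6 == (pkt.icmp_type, pkt.icmp_code),
    ])


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match evaluation in configuration order; None if no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return None
```

Because a host address with a prefix length such as 2030:5060::9050/64 is masked to its prefix (2030:5060::/64) exactly as the switch treats it, the script is a convenient way to check what a planned rule set actually admits before it is applied to an interface.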

2.1.7  rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

Basic IPv6 ACL view, advanced IPv6 ACL view

Parameter

rule-id: IPv6 ACL rule number in the range 0 to 65534.

text: IPv6 ACL rule description of up to 127 characters.

Description

Use the rule comment command to create or modify a description for an existing IPv6 ACL rule, for example to describe the purpose of the ACL rule or its attributes.

Use the undo rule comment command to remove the IPv6 ACL rule description.

By default, no rule description is created.

Example

# Define an IPv6 ACL rule and create a description for it.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule 0 permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule 0 comment This rule is used in gigabiteth 1

2.1.8  step

Syntax

step step-value

undo step

View

Basic IPv6 ACL view, advanced IPv6 ACL view

Parameter

step-value: The step in which the rules in the IPv6 ACL are numbered. The default step is 5.

Description

Use the step command to set a rule numbering step for the IPv6 ACL.

Use the undo step command to restore the default.

When defining rules in an IPv6 ACL, you do not need to assign them numbers. The system can do this automatically in steps. For example, if the default step applies, the rules you create are numbered 0, 5, 10, 15, and so on automatically.

One benefit of rule numbering step is that it allows you to insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, 15 in an ACL configured with the step of 5, you can still insert a rule numbered 1.

Any step change can result in renumbering. For example, after you change the step in the above example from 5 to 2, the rules are renumbered 0, 2, 4, 6, and 8.

Note that even if the current step is not the default, performing the undo step command can still result in rule renumbering. Suppose you currently have four rules numbered 0, 1, 3, and 5 in an ACL with a rule numbering step of 5. After you perform the undo step command, the rules will be renumbered 0, 5, 10, and 15.
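As an added worked example (not H3C code), the following Python model reproduces the numbering behaviour described above: automatic rule IDs assigned in steps, insertion of an explicit ID between existing ones, and renumbering when the step is changed or reset with undo step. It assumes, as the rule command description states, that an automatic ID is the smallest multiple of the step greater than the current highest ID, and that a rule command naming an existing ID modifies that rule rather than creating a new one.

```python
from typing import List, Optional

DEFAULT_STEP = 5          # default rule numbering step


def next_rule_id(existing_ids: List[int], step: int = DEFAULT_STEP) -> int:
    """ID assigned to a rule created without an explicit ID: the smallest
    multiple of the step that is greater than the current highest ID
    (0 for an empty ACL). With step 5 and highest ID 28 this gives 30."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def add_rule(existing_ids: List[int], step: int = DEFAULT_STEP,
             rule_id: Optional[int] = None) -> List[int]:
    """Return the ID list after a rule command. An explicit ID may fall
    between existing IDs (for example rule 1 among 0, 5, 10, 15); an explicit
    ID that already exists modifies that rule, so the ID list is unchanged."""
    if rule_id is None:
        rule_id = next_rule_id(existing_ids, step)
    if not 0 <= rule_id <= 65534:
        raise ValueError("rule-id must be in the range 0 to 65534")
    return sorted(set(existing_ids) | {rule_id})


def renumber(existing_ids: List[int], step: int = DEFAULT_STEP) -> List[int]:
    """IDs after 'step step-value' or 'undo step' (which restores the default):
    rules keep their relative order and are renumbered 0, step, 2*step, ..."""
    return [index * step for index in range(len(existing_ids))]


if __name__ == "__main__":
    ids: List[int] = []
    for _ in range(4):                  # four rule commands without an ID
        ids = add_rule(ids)             # [0, 5, 10, 15]
    ids = add_rule(ids, rule_id=1)      # insert between 0 and 5: [0, 1, 5, 10, 15]
    print(ids, renumber(ids, 2))        # step 2 renumbers to [0, 2, 4, 6, 8]
    print(renumber([0, 1, 3, 5]))       # undo step renumbers to [0, 5, 10, 15]
```

Renumbering changes the IDs that later undo rule and rule comment commands refer to, so after any step change the rule IDs should be re-read with display acl before rules are deleted or annotated by number.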

Example

# Set the rule numbering step to 2 for IPv6 ACL 3101.

<Sysname> system-view

[Sysname] acl ipv6 number 3101

[Sysname-acl6-adv-3101] step 2

 
