H3C S3600 Series Ethernet Switches Command Manual-Release 1510(V1.04)
25-ACL Command
Chapter 1 ACL Configuration Commands
1.1 ACL Configuration Commands
1.1.1 acl
Syntax
acl number acl-number [ match-order { config | auto } ]
undo acl { number acl-number | all }
View
System view
Parameter
number acl-number: Specifies the number of an existing access control list (ACL) or an ACL to be defined. ACL number identifies the type of an ACL as follows.
l An ACL number in the range 2000 to 2999 identifies a basic ACL.
l An ACL number in the range 3000 to 3999 identifies an advanced ACL. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
l An ACL number in the range 4000 to 4999 identifies a layer 2 ACL.
l An ACL number in the range 5000 to 5999 identifies a user-defined ACL.
match-order: Specifies the match order for the rules of the ACL. This keyword is not available to Layer 2 ACLs or user-defined ACLs. The following two match orders exist.
l config: Specifies to match ACL rules in the order they are defined.
l auto: Specifies to match ACL rules according to the depth-first rule.
all: Specifies to remove all the ACLs.
Description
Use the acl command to define an ACL and enter the corresponding ACL view.
Use the undo acl command to remove all the rules of an ACL or all the ACLs.
By default, ACL rules are matched in the order they are defined.
In ACL view, you can use the rule command to add rules to the ACL.
Rules of an ACL can be matched in one of the following orders.
l Configured order: ACL rules are matched in the order they are defined.
l Automatic order: ACL rules are matched according to the “depth-first” rule.
With the depth-first rule adopted, the rules of an ACL are matched according to:
1) Protocol range. IP covers the whole range 1 to 255; any other protocol covers only its own protocol number. The smaller the protocol range, the higher the priority.
2) Range of source IP address. The smaller the source IP address range (that is, the longer the mask), the higher the priority.
3) Range of destination IP address. The smaller the destination IP address range (that is, the longer the mask), the higher the priority.
4) Range of Layer 4 port number, that is, of TCP/UDP port number. The smaller the range, the higher the priority.
If rule A and rule B are the same in all four criteria above and also have the same number of other ACEs (access control elements), the following weighting principles decide their priority order.
l Each ACE is given a fixed weighting value. This weighting value and the value of the ACE itself jointly decide the final matching order.
l The weighting values of the ACEs rank in the following descending order: DSCP, ToS, ICMP, established, precedence, fragment.
l The fixed weighting value of each ACE present in a rule is deducted from the rule's weighting. The smaller the weighting value left, the higher the priority.
l If the number and type of ACEs are the same for multiple rules, the sum of the ACE values of a rule determines its priority. The smaller the sum, the higher the priority.
You can use the match-order keyword to specify whether rules are matched in the configured order or in depth-first order (rules with smaller ranges are matched first). If no match order is specified, the configured order is used.
You cannot modify the match order for an ACL once you have specified it, unless you remove all the rules of the ACL and define new rules in the desired order.
The rules of an ACL are matched in a specific order only when the ACL is referenced by software for data filtering and traffic classification.
Related command: rule.
Example
# Define ACL 2000 and specify “depth-first” order as the rule match order.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000 match-order auto
[H3C-acl-basic-2000]
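The difference between the two match orders, as an added illustration that is not code from the H3C manual: a small Python model that sorts rules by the four depth-first criteria and matches packets with wildcard masks. The rules, packets and the handling of established (ACK or RST set) are assumptions made for the example; the ACE weighting tie-break is not modelled.

```python
# Added example (not from the H3C manual): models the two match orders of the
# acl command. "config" walks the rules in the order they were defined; "auto"
# (depth-first) sorts them by the four criteria above: protocol range, source
# address range, destination address range, then Layer 4 port range, smallest
# first. The ACE weighting tie-break is not modelled. Matching uses wildcard
# masks the way the rule command does (a 1 bit in the wildcard is don't-care)
# and treats 'established' as "ACK or RST set". Rules and packets here are
# constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_ACK, TCP_RST = 0x10, 0x04

def wildcard_to_prefixlen(wildcard: str) -> int:
    """0.0.255.255 -> 16: the wildcard is the inverted subnet mask
    (contiguous wildcard bits assumed)."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def addr_matches(pkt_ip: str, rule_addr: Optional[str], wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard; None means 'any'."""
    if rule_addr is None:
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(pkt_ip)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)

@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    protocol: str = "ip"                         # ip, tcp, udp, icmp, ...
    src: Optional[str] = None                    # None = any
    src_wild: str = "255.255.255.255"
    dst: Optional[str] = None
    dst_wild: str = "255.255.255.255"
    dst_port: Optional[Tuple[int, int]] = None   # inclusive range; 'eq 80' is (80, 80)
    established: bool = False

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None
    tcp_flags: int = 0

def depth_first_key(r: Rule) -> Tuple[int, int, int, int]:
    """Sort key for 'auto' order: smaller ranges first on each criterion."""
    proto_range = 255 if r.protocol == "ip" else 1          # IP spans 1..255, anything else one value
    src_range = 2 ** (32 - wildcard_to_prefixlen(r.src_wild))
    dst_range = 2 ** (32 - wildcard_to_prefixlen(r.dst_wild))
    port_range = 65536 if r.dst_port is None else r.dst_port[1] - r.dst_port[0] + 1
    return (proto_range, src_range, dst_range, port_range)

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.protocol != "ip" and r.protocol != p.protocol:
        return False
    if not (addr_matches(p.src, r.src, r.src_wild) and addr_matches(p.dst, r.dst, r.dst_wild)):
        return False
    if r.dst_port is not None and (p.dst_port is None or not r.dst_port[0] <= p.dst_port <= r.dst_port[1]):
        return False
    if r.established and not p.tcp_flags & (TCP_ACK | TCP_RST):
        return False     # the first SYN of a new connection does not match 'established'
    return True

def first_match(rules: List[Rule], p: Packet, match_order: str = "config") -> Optional[Rule]:
    """Return the rule that decides the packet, or None if no rule matches."""
    ordered = sorted(rules, key=depth_first_key) if match_order == "auto" else list(rules)
    for r in ordered:
        if rule_matches(r, p):
            return r
    return None

# Constructed advanced ACL. Under "config" order the broad rule 0 shadows the
# specific deny in rule 1; under "auto" order rule 1 is tried first.
ACL_3101 = [
    Rule(0, "permit", "ip", src="129.9.0.0", src_wild="0.0.255.255"),
    Rule(1, "deny", "tcp", src="129.9.1.0", src_wild="0.0.0.255",
         dst="202.38.160.0", dst_wild="0.0.0.255", dst_port=(23, 23)),
    Rule(2, "permit", "tcp", src="129.9.0.0", src_wild="0.0.255.255",
         dst="202.38.160.0", dst_wild="0.0.0.255", dst_port=(80, 80)),
    Rule(3, "deny", "tcp", established=True),
]
TELNET = Packet("129.9.1.7", "202.38.160.5", "tcp", 23, tcp_flags=TCP_ACK)

def verdict(match_order: str) -> Optional[Tuple[int, str]]:
    r = first_match(ACL_3101, TELNET, match_order)
    return None if r is None else (r.rule_id, r.action)
```

Under config order the telnet packet is permitted by the broad rule 0; under auto order the more specific deny in rule 1 is consulted first and wins. That is why the match order cannot be changed on a populated ACL: reordering changes which rule decides.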
1.1.2 description
Syntax
description text
undo description
View
Basic ACL view, advanced ACL view, Layer 2 ACL view, user-defined ACL view
Parameter
text: Description string to be assigned to an ACL, a string of up to 127 characters.
Description
Use the description command to assign a description string to an ACL.
Use the undo description to remove the description string of an ACL.
Example
# Assign a description string to ACL 3100.
<H3C> system-view
[H3C] acl number 3100
[H3C-acl-adv-3100] description This acl is used in eth 0
# Remove the description string of ACL 3100.
[H3C-acl-adv-3100] undo description
1.1.3 display acl
Syntax
display acl { all | acl-number }
View
Any view
Parameter
all: Displays all the ACLs.
acl-number: Number of the ACL to be displayed, in the range of 2000 to 5999.
Description
Use the display acl command to display the configuration of one ACL or of all ACLs, including the ACL type, ACL number, number of rules in the ACL, description string (if configured), ACL rule number step, and ACL content.
Example
# Display the information about all the ACLs.
<H3C> display acl all
Total ACL Number: 2
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 permit
Advanced ACL 3000, 0 rule
Acl's step is 1
1.1.4 display packet-filter
Syntax
display packet-filter { interface interface-type interface-num | unitid unit-id }
View
Any view
Parameter
interface-type interface-num: Type and number of the port whose packet filtering information is to be displayed.
unit-id: ID of the unit the information about which is to be displayed.
Description
Use the display packet-filter command to display the packet filtering information of a port or unit, including the ACL number, rule number, direction, and status of each applied rule.
Example
# Display the packet filtering information about Unit 1.
<H3C> display packet-filter unitid 1
Ethernet1/0/1
Inbound:
Acl 2000 rule 0 running
1.1.5 display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameter
all: Displays all the time ranges.
time-name: Name of a time range, a string of up to 32 characters that starts with a letter.
Description
Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “active”; for inactive time ranges, this command displays “inactive”.
Related command: time-range.
Example
# Display all the time ranges.
<H3C> display time-range all
Current time is 14:36:36 Apr/3/2003 Thursday
Time-range : hhy ( Active )
12:00 to 18:00 working-day
Time-range : hhy1 ( Inactive )
from 08:30 2/5/2003 to 18:00 2/19/2003
Table 1-1 Description on the fields of the display time-range command
Field | Description
Current time is 14:36:36 Apr/3/2003 Thursday | Current system time
Time-range : hhy | Name of the time range
Active | The time range is currently active (Inactive means it is currently inactive)
12:00 to 18:00 working-day | Periodic time range: from 12:00 to 18:00 on every working day
from 08:30 2/5/2003 to 18:00 2/19/2003 | Absolute time range: from 08:30 on 2/5/2003 to 18:00 on 2/19/2003
1.1.6 packet-filter
Syntax
packet-filter { inbound | outbound } acl-rule
undo packet-filter { inbound | outbound } acl-rule
View
Ethernet port view
Parameter
inbound: Filters inbound packets.
outbound: Filters outbound packets.
acl-rule: The ACL or ACL rules to apply. This argument takes one of the forms listed in Table 1-2.
Table 1-2 Combined application of ACLs
Combination mode | The acl-rule argument
Apply all the rules of an IP-type ACL (a basic or an advanced ACL) | ip-group acl-number
Apply one rule of an IP-type ACL | ip-group acl-number rule rule-id
Apply all the rules of a Layer 2 ACL | link-group acl-number
Apply one rule of a Layer 2 ACL | link-group acl-number rule rule-id
Apply all the rules of a user-defined ACL | user-group acl-number
Apply one rule of a user-defined ACL | user-group acl-number rule rule-id
Apply one rule of an IP-type ACL together with one rule of a Layer 2 ACL | ip-group acl-number rule rule-id link-group acl-number rule rule-id
In Table 1-2:
l The ip-group acl-number keyword specifies a basic or an advanced ACL. The acl-number argument ranges from 2000 to 3999.
l The link-group acl-number keyword specifies a Layer 2 ACL. The acl-number argument ranges from 4000 to 4999.
l The user-group acl-number keyword specifies a user-defined ACL. The acl-number argument ranges from 5000 to 5999.
l The rule rule-id keyword specifies one rule of an ACL. The rule-id argument ranges from 0 to 65534. If you do not specify it, all the rules of the ACL are applied.
Description
Use the packet-filter command to apply ACL rules on a port to filter packets.
Use the undo packet-filter command to remove the ACL rules applied on a port.
Example
# Apply ACL 2000 on GigabitEthernet1/1/1 to filter inbound packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface GigabitEthernet1/1/1
[H3C-GigabitEthernet1/1/1] packet-filter inbound ip-group 2000
1.1.7 rule (for Basic ACLs)
Syntax
rule [ rule-id ] { permit | deny } [ fragment | source { sour-addr sour-wildcard | any } | time-range time-name ]*
undo rule rule-id [ fragment | source | time-range ]*
View
Basic ACL view
Parameter
I. Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
fragment: Specifies that the rule applies only to non-first fragments (fragments other than the first one of a fragmented datagram).
source { sour-addr sour-wildcard | any }: Specifies the source address for the rule. The sour-addr argument is the source IP address in dotted decimal notation. The sour-wildcard argument is the wildcard mask in dotted decimal notation, which is the inverse of the subnet mask: bits set to 1 in the wildcard are ignored when matching. For example, enter 0.0.255.255 for the subnet mask 255.255.0.0. Set sour-wildcard to 0 to match a single host address. any matches any source IP address.
time-range time-name: Specifies a time range within which the rule is valid.
II. Parameters of the undo rule command
rule-id: Rule ID, which must be the ID of an existing ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified settings of the ACL rule are removed.
fragment: Removes the fragment setting, so that the rule applies to all packets rather than only to non-first fragments.
source: Removes the source address settings of the ACL rule.
time-range: Removes the time range settings of the ACL rule.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
When you define an ACL rule using the rule command with the rule-id argument provided,
l If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules cannot be edited. In this case, the system prompts errors when you execute the rule command.
l If the ACL rule identified by the rule-id argument does not exist, you will create a new ACL rule.
If you do not specify the rule-id argument when creating an ACL rule, the ACL rule will be numbered automatically.
Example
# Create an ACL rule to deny the packets whose source IP addresses are 1.1.1.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule deny source 1.1.1.1 0
1.1.8 rule (for Advanced ACLs)
Syntax
rule [ rule-id ] { permit | deny } rule-string
undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos ]*
View
Advanced ACL view
Parameter
I. Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-3. Note that this argument must begin with the protocol argument.
Table 1-3 Arguments/keywords available to the rule-string argument
Arguments/Keywords | Type | Function | Description
protocol | Protocol type | Type of the protocol carried by IP | When expressed as a number, this argument ranges from 1 to 255. When expressed as a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, or UDP.
source { sour-addr sour-wildcard | any } | Source address | Specifies the source address information for the ACL rule | The sour-addr sour-wildcard arguments specify the source address of the packets, in dotted decimal notation. Provide 0 for sour-wildcard to specify a single host address. The any keyword specifies any source address.
destination { dest-addr dest-wildcard | any } | Destination address | Specifies the destination address information for the ACL rule | The dest-addr dest-wildcard arguments specify the destination address of the packets, in dotted decimal notation. Provide 0 for dest-wildcard to specify a single host address. The any keyword specifies any destination address.
precedence precedence | Packet priority | IP precedence | The precedence argument ranges from 0 to 7.
tos tos | Packet priority | ToS | The tos argument ranges from 0 to 15.
dscp dscp | Packet priority | DSCP | The dscp argument ranges from 0 to 63.
fragment | Fragment information | Specifies that the rule applies only to non-first fragments | —
time-range time-name | Time range information | Specifies the time range in which the ACL rule is active | —
& Note:
The sour-wildcard/dest-wildcard argument is the inverse (bitwise complement) of the source/destination subnet mask: bits set to 1 in the wildcard are ignored when matching. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0. Set the wildcard to 0 to match a single host address.
If you specify the dscp keyword, you can directly input a value ranging from 0 to 63 or input one of the keywords listed in Table 1-4 as the DSCP.
Table 1-4 DSCP values and the corresponding keywords
Keyword | DSCP value in decimal | DSCP value in binary
ef | 46 | 101110
af11 | 10 | 001010
af12 | 12 | 001100
af13 | 14 | 001110
af21 | 18 | 010010
af22 | 20 | 010100
af23 | 22 | 010110
af31 | 26 | 011010
af32 | 28 | 011100
af33 | 30 | 011110
af41 | 34 | 100010
af42 | 36 | 100100
af43 | 38 | 100110
cs1 | 8 | 001000
cs2 | 16 | 010000
cs3 | 24 | 011000
cs4 | 32 | 100000
cs5 | 40 | 101000
cs6 | 48 | 110000
cs7 | 56 | 111000
be (default) | 0 | 000000
If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-5 as the IP precedence.
Table 1-5 IP precedence values and the corresponding keywords
Keyword | IP precedence in decimal | IP precedence in binary
routine | 0 | 000
priority | 1 | 001
immediate | 2 | 010
flash | 3 | 011
flash-override | 4 | 100
critical | 5 | 101
internet | 6 | 110
network | 7 | 111
If you specify the tos keyword, you can directly input a value ranging from 0 to 15 or input one of the keywords listed in Table 1-6 as the ToS value.
Table 1-6 ToS values and the corresponding keywords
Keyword | ToS in decimal | ToS in binary
normal | 0 | 0000
min-monetary-cost | 1 | 0001
max-reliability | 2 | 0010
max-throughput | 4 | 0100
min-delay | 8 | 1000
If the protocol type is TCP or UDP, you can also define the information listed in Table 1-7.
Table 1-7 TCP/UDP-specific ACL rule information
Parameter | Type | Function | Description
source-port operator port1 [ port2 ] | Source port | Defines the source port information of TCP/UDP packets | The operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the range operator takes two port numbers as operands; the other operators take one. port1 and port2 are TCP/UDP port numbers, given as port names or numbers. When given as numbers, the value range is 0 to 65535.
destination-port operator port1 [ port2 ] | Destination port | Defines the destination port information of TCP/UDP packets | Same as for source-port.
established | TCP connection flag | Specifies that the rule applies only to TCP segments with the ACK or RST flag set, that is, segments of an already established connection. The initial SYN segment that opens a new connection does not match. | TCP-specific keyword
When using port name to specify TCP/UDP ports, you can define the following information.
Table 1-8 TCP/UDP port names and values
Protocol type | Value
TCP | chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)
UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)
& Note:
When advanced ACLs are applied to ports of the H3C S3600 series Ethernet switches, only the rules configured with the operator argument specified as eq are valid.
If the protocol type is ICMP, you can also define the information listed in Table 1-9.
Table 1-9 ICMP-specific ACL rule information
Parameter | Type | Function | Description
icmp-type icmp-type icmp-code | ICMP type and code | Specifies the ICMP message type and code that the ACL rule matches | icmp-type: ICMP message type, in the range 0 to 255. icmp-code: ICMP message code, in the range 0 to 255.
If the protocol type is ICMP, you can also just input the ICMP message name after the icmp-type keyword. Table 1-10 lists some common ICMP messages.
Table 1-10 Common ICMP messages
Name | ICMP type | ICMP code
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0
II. Parameters of the undo rule command
rule-id: ID of an existing ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.
source: Removes the settings concerning the source address in the ACL rule.
source-port: Removes the settings concerning the source port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP.
destination: Removes the settings concerning the destination address in the ACL rule.
destination-port: Removes the settings concerning the destination port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP.
icmp-type: Removes the settings concerning the ICMP type and message code in the ACL rule. This keyword is only available to the ACL rules with their protocol type set to ICMP.
precedence: Removes the precedence-related settings in the ACL rule.
tos: Removes the ToS-related settings in the ACL rule.
dscp: Removes the DSCP-related settings in the ACL rule.
time-range: Removes the time range settings in the ACL rule.
fragment: Removes the fragment setting, so that the rule applies to all packets rather than only to non-first fragments.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
When you define an ACL rule using the rule command with the rule-id argument provided,
l If the ACL is created with the config keyword specified and the rule identified by the rule-id argument exists, the settings specified in the rule command overwrite the counterparts of the existing rule (other settings of the rule remain unchanged). If the ACL is created with the auto keyword specified, the rules of the ACL cannot be edited. In this case, the system prompts errors when you execute the rule command.
l If the ACL rule identified by the rule-id argument does not exist, you will create a new ACL rule.
l The content of a modified or created ACL rule cannot be identical with the content of any existing ACL rules; otherwise the ACL rule modification or creation will fail, and the system prompts that the rule already exists.
If you do not specify the rule-id argument when creating an ACL rule, the ACL rule will be numbered automatically.
Example
# Define an ACL rule to permit packets sourced from hosts in the network segment of 129.9.0.0 and destined for hosts in the network segment of 202.38.160.0 and with the destination port number of 80.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3101
[H3C-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
1.1.9 rule (for Layer 2 ACLs)
Syntax
rule [ rule-id ] { permit | deny } [ rule-string ]
undo rule rule-id
View
Layer 2 ACL view
Parameter
I. Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
rule-string: ACL rule information, which can be a combination of the arguments/keywords described in Table 1-11.
Table 1-11 Layer 2 ACL rule information
Parameter | Type | Function | Description
format-type | Link layer encapsulation type | Specifies the link layer encapsulation type in the rule | This argument can be 802.3/802.2, 802.3, ether_ii, or snap.
lsap lsap-code lsap-wildcard | lsap field | Specifies the lsap field for the ACL rule | lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number. lsap-wildcard: Mask of the lsap value, a 16-bit hexadecimal number that specifies the mask bits.
source { source-addr source-mask | vlan-id }* | Source MAC address information | Specifies the source MAC address range for the ACL rule | source-addr: Source MAC address, in the format H-H-H. source-mask: Mask of the source MAC address, in the format H-H-H. vlan-id: Source VLAN ID, in the range 1 to 4094.
dest dest-addr dest-mask | Destination MAC address information | Specifies the destination MAC address range for the ACL rule | dest-addr: Destination MAC address, in the format H-H-H. dest-mask: Mask of the destination MAC address, in the format H-H-H.
cos cos | Priority | Specifies the 802.1p priority of the rule | cos: VLAN priority, in the range 0 to 7.
time-range time-name | Time range information | Specifies the time range in which the ACL rule is active | time-name: Name of the time range in which the rule is active, a string of 1 to 32 characters.
type protocol-type protocol-mask | Protocol type of Ethernet frames | Specifies the protocol type of Ethernet frames for the ACL rule | protocol-type: Protocol type. protocol-mask: Protocol type mask.
& Note:
l An H3C S3600 Ethernet switch does not support the format-type argument for a layer 2 ACL.
l A rule with the lsap keyword specified can be applied to a port but does not take effect.
II. Parameters of the undo rule command
rule-id: ID of an existing ACL rule.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
When you define an ACL rule using the rule command with the rule-id argument provided,
l If the ACL rule identified by the rule-id argument already exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule. And the existing settings remain unchanged if the corresponding settings are not specified in the command.
l If the ACL rule identified by the rule-id argument does not exist, you will create a new ACL rule.
l The content of a modified or created ACL rule cannot be identical with the content of any existing ACL rules; otherwise the ACL rule modification or creation will fail, and the system prompts that the rule already exists.
If you do not specify the rule-id argument when creating an ACL rule, the ACL rule will be numbered automatically.
Example
# Define a rule to deny the packets sourced from the MAC address 000d-88f5-97ed, destined for the MAC address 0011-4301-991e, and with their 802.1p priority set to 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 4000
[H3C-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
1.1.10 rule (for user-defined ACLs)
Syntax
rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ]
undo rule rule-id
View
User-defined ACL view
Parameter
rule-id: ID of the ACL rule, in the range of 0 to 65534.
rule-string: User-defined rule string, a hexadecimal string with an even number of characters (2 to 160).
rule-mask: Mask for rule-string, a hexadecimal string with an even number of characters (2 to 160) and the same length as rule-string. The switch ANDs the packet bytes with this mask before comparing them with rule-string.
offset: Offset, in bytes, of the position in the packet at which the logical AND with rule-mask starts, in the range 0 to 79. The maximum offset decreases by one byte for every two hexadecimal characters (one byte) in rule-string: when rule-string and rule-mask are two characters each, the maximum offset is 79; when they are four characters each, it is 78, and so on. In other words, the offset plus the byte length of rule-string cannot exceed 80.
&<1-8>: Up to eight rule-string rule-mask offset groups can be specified in one rule.
time-range time-name: Specifies a time range within which the ACL rule is valid.
& Note:
Note the following when setting the offset argument.
l Every packet the switch processes internally carries a VLAN tag, which occupies four bytes.
l With the VLAN VPN function disabled, a packet processed internally by the switch carries one VLAN tag.
l With the VLAN VPN function enabled, the switch inserts a second VLAN tag, so the packets it forwards carry two VLAN tags and every offset beyond the Ethernet header shifts by four more bytes.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
When you define an ACL rule using the rule command with the rule-id argument provided,
l If the ACL rule identified by the rule-id argument already exists, the settings specified in the rule command overwrite the corresponding settings of the existing rule. And the existing settings remain unchanged if the corresponding settings are not specified in the command.
l If the ACL rule identified by the rule-id argument does not exist, you will create a new ACL rule.
l The content of a modified or created ACL rule cannot be identical with the content of any existing ACL rules; otherwise the ACL rule modification or creation will fail, and the system prompts that the rule already exists.
If you do not specify the rule-id argument when creating an ACL rule, the ACL rule will be numbered automatically.
Example
# Define a user-defined ACL rule that denies TCP packets during time range t1 (18:00 to 23:00 on Saturdays), with the VLAN VPN function disabled. The IP protocol field is at byte offset 27 (14-byte Ethernet header, 4-byte VLAN tag, then byte 9 of the IP header), and 06 is the protocol number of TCP.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range t1 18:00 to 23:00 sat
[H3C] acl number 5001
[H3C-acl-user-5001] rule 25 deny 06 ff 27 time-range t1
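Why the offset in this example is 27, as an added illustration that is not code from the H3C manual: a Python model that builds a constructed single- or double-tagged frame and applies a rule-string/rule-mask/offset group to it the way the description above explains. The MAC and IP addresses in the frame are made up for the example, and the treatment of rule-string bits that lie outside the mask is an assumption.

```python
# Added example (not from the H3C manual): shows how a user-defined ACL rule
# string, mask and offset are applied to a frame, and why "06 ff 27" matches
# TCP. The switch matches against the frame as it carries it internally, that
# is, with a 4-byte 802.1Q tag already present, so the IPv4 Protocol field
# (byte 9 of the IP header) is at 14 + 4 + 9 = 27. With VLAN VPN enabled a
# second tag is present and the same field moves to 31. Frames built here are
# constructed test data; the masking rule (packet AND mask compared with the
# rule string) follows the manual's description.
import struct

ETH_HDR_LEN, VLAN_TAG_LEN, IP_PROTO_FIELD = 14, 4, 9
MAX_RULE_BYTES = 80   # rule-string is 2 to 160 hex characters, i.e. 1 to 80 bytes

def ip_protocol_offset(vlan_vpn: bool) -> int:
    """Byte offset of the IPv4 Protocol field as the switch sees the frame."""
    tags = 2 if vlan_vpn else 1
    return ETH_HDR_LEN + tags * VLAN_TAG_LEN + IP_PROTO_FIELD

def max_offset(rule_string: str) -> int:
    """Largest legal offset for a rule string: 79 for one byte, 78 for two, ..."""
    return MAX_RULE_BYTES - len(rule_string) // 2

def build_tagged_frame(ip_protocol: int, vlan_tags: int = 1, vlan_id: int = 10) -> bytes:
    """Constructed frame: dst/src MAC, one or two 802.1Q tags (TPID 0x8100),
    EtherType 0x0800 and a minimal 20-byte IPv4 header with the given Protocol."""
    frame = bytes.fromhex("00114301991e") + bytes.fromhex("000d88f597ed")
    for _ in range(vlan_tags):
        frame += struct.pack("!HH", 0x8100, vlan_id)
    frame += struct.pack("!H", 0x0800)
    # ver/ihl, tos, total length, id, flags/frag (DF), ttl, protocol, checksum, src, dst
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, ip_protocol, 0,
                         bytes([129, 9, 1, 7]), bytes([202, 38, 160, 5]))
    return frame

def user_rule_matches(frame: bytes, rule_string: str, rule_mask: str, offset: int) -> bool:
    """Apply one 'rule-string rule-mask offset' group: AND the packet bytes at
    offset with rule-mask and compare with rule-string. Raises ValueError for
    arguments the manual rules out."""
    if len(rule_string) != len(rule_mask) or len(rule_string) % 2 or not 2 <= len(rule_string) <= 160:
        raise ValueError("rule-string and rule-mask must be the same even length, 2 to 160 hex chars")
    if not 0 <= offset <= max_offset(rule_string):
        raise ValueError("offset out of range for this rule-string length")
    pattern, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    window = frame[offset:offset + len(pattern)]
    if len(window) < len(pattern):
        return False   # frame too short to contain the field
    # Bits cleared in the mask are don't-care. The pattern is masked too, so
    # stray bits in rule-string cannot make the rule unmatchable (assumption).
    return all((w & m) == (p & m) for w, m, p in zip(window, mask, pattern))
```

The same rule applied to a frame that carries two tags (VLAN VPN enabled) reads byte 5 of the IP header instead of the Protocol field and silently stops matching TCP; the offset has to be recomputed, not the rule string.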
1.1.11 rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Advanced ACL view, Layer 2 ACL view, user-defined ACL view
Parameter
comment text: Specifies the description string, a string comprising up to 127 characters.
Description
Use the rule comment command to assign a description string to an ACL rule.
Use the undo rule comment command to remove the description string assigned to an ACL rule.
Before assigning a description string to an ACL rule, make sure that the ACL rule exists.
Example
# Assign the string “test” to rule 0 of ACL 3000 as the description string.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 comment test
1.1.12 time-range
Syntax
time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
undo time-range { name time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] | all }
View
System view
Parameter
time-name: Name of a time range, used as the identifier of a time range.
start-time: Start time of a periodic time range, in the form of hh:mm.
end-time: End time of a periodic time range, in the form of hh:mm.
days-of-the-week: Day of the week when the periodic time range is active. You can provide this argument in one of the following forms.
l Numeral (0 to 6)
l Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday
l Working days (Monday through Friday)
l Off days (Saturday and Sunday)
l Daily, namely everyday of the week
from start-time start-date: Specifies the start date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date argument jointly define a period in which the absolute time range takes effect. If the start date is not specified, the time range starts from the earliest time that the system can represent.
to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date argument jointly define a period in which the absolute time range takes effect. If the end date is not specified, the time range ends at 2100/12/31 23:59.
all: Removes all the time ranges.
Description
Use the time-range command to define a time range.
Use the undo time-range command to remove a time range.
The time range defined by using the time-range command can include absolute time sections and periodic time sections. The start-time and end-time days-of-the-week argument jointly define a periodic time section, while the start-time start-date and end-time end-date argument jointly define an absolute time section.
If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.
If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only when the system time is within 12:00 to 14:00 every Wednesday in 2004.
If you include any argument in the undo time-range command, the system removes only the content specified by that argument from the time range.
Example
# Define an absolute time range that is active from 12:00 January 1, 2000 to 12:00 January 1, 2001.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range test from 12:00 1/1/2000 to 12:00 1/1/2001
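How the active state of a time range is decided, as an added Python illustration that is not code from the manual: the periodic and absolute section semantics described above, including the case where both kinds are defined and both must match. The sections are constructed from the examples on this page; the numeric 0 to 6 day form is not modelled, and the 2100/12/31 23:59 default end follows the parameter description.

```python
# Added example (not from the H3C manual): evaluates whether a time range is
# active at a given system time using the rules the manual states: with only
# periodic sections, active when any section matches; with only absolute
# sections, active when any section matches; with both kinds, active only when
# a periodic section AND an absolute section match. The sections below are
# constructed; the numeric 0-6 day form is not modelled.
from datetime import datetime, time
from typing import List, Optional, Tuple

# Day keywords mapped to Python weekday numbers (Monday = 0).
DAY_SETS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6},
    "daily": {0, 1, 2, 3, 4, 5, 6},
}
# Manual: an absolute section without an end date ends at 23:59 on 2100/12/31.
DEFAULT_ABSOLUTE_END = datetime(2100, 12, 31, 23, 59)

Periodic = Tuple[time, time, str]                         # start-time, end-time, days-of-the-week
Absolute = Tuple[Optional[datetime], Optional[datetime]]  # from, to (None = open-ended)

def periodic_active(section: Periodic, now: datetime) -> bool:
    start, end, days = section
    return now.weekday() in DAY_SETS[days] and start <= now.time() <= end

def absolute_active(section: Absolute, now: datetime) -> bool:
    start, end = section
    return (start is None or start <= now) and now <= (end or DEFAULT_ABSOLUTE_END)

def time_range_active(periodic: List[Periodic], absolute: List[Absolute], now: datetime) -> bool:
    """A kind of section that is not defined places no constraint; a kind that
    is defined must have at least one matching section."""
    if not periodic and not absolute:
        raise ValueError("a time range needs at least one section")
    periodic_ok = not periodic or any(periodic_active(s, now) for s in periodic)
    absolute_ok = not absolute or any(absolute_active(s, now) for s in absolute)
    return periodic_ok and absolute_ok

# Constructed time ranges mirroring the examples on this page.
HHY = ([(time(12, 0), time(18, 0), "working-day")], [])
HHY1 = ([], [(datetime(2003, 2, 5, 8, 30), datetime(2003, 2, 19, 18, 0))])
WED_2004 = ([(time(12, 0), time(14, 0), "wednesday")],
            [(datetime(2004, 1, 1, 0, 0), datetime(2004, 12, 31, 23, 59))])
TEST_RANGE = ([], [(datetime(2000, 1, 1, 12, 0), datetime(2001, 1, 1, 12, 0))])
```

A rule bound to a time range with both kinds of section is therefore narrower than either section alone; a practitioner checking why a rule never fires should confirm the system clock and both section kinds with display time-range.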