H3C S3100 Series Ethernet Switches Command Manual (For Soliton)(V1.02)

22-ACL Commands

Chapter 1  ACL Configuration Commands

 

Note:

S3100 Series Ethernet switches support basic ACLs, advanced ACLs, Layer 2 ACLs, and IPv6 ACLs.

 

1.1  ACL Configuration Commands

1.1.1  acl

Syntax

acl number acl-number [ match-order { auto | config } ]

undo acl { all | number acl-number }

View

System view

Parameters

all: Specifies to remove all access control lists (ACLs).

number acl-number: Specifies the number of an existing ACL or of an ACL to be defined. The ACL number identifies the type of the ACL as follows:

- An ACL number in the range 2000 to 2999 identifies a basic ACL.

- An ACL number in the range 3000 to 3999 identifies an advanced ACL. Note that 3998 and 3999 cannot be configured because they are reserved for cluster management.

- An ACL number in the range 4000 to 4999 identifies a Layer 2 ACL.

- An ACL number in the range 5000 to 5999 identifies an IPv6 ACL.

match-order: Specifies the match order for ACL rules. Two match orders exist:

- auto: Matches ACL rules according to the depth-first rule (the rule with the narrower address range, that is, more zero bits in its wildcard, is tried first).

- config: Matches ACL rules in the order they are defined.

Note that the match-order keyword is not available to Layer 2 ACLs and IPv6 ACLs; the match order for Layer 2 ACLs and IPv6 ACLs can only be config. For details about the two match orders, refer to the relevant description in ACL Operation.

Description

Use the acl command to define an ACL and enter the corresponding ACL view.

Use the undo acl command to remove the specified ACL together with all its rules, or to remove all ACLs.

By default, ACL rules are matched in the order they are defined (config).

You can change the match order of an existing ACL only after all of its rules have been removed.

In ACL view, you can use the rule command to add rules to the ACL.

Related commands: rule.

Examples

# Define ACL 2000 and specify “depth-first” as the match order.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 2000 match-order auto

[Sysname-acl-basic-2000]

# Add three rules with different numbers of zeros in the source wildcards.

[Sysname-acl-basic-2000] rule 1 permit source 1.1.1.1 0.255.255.255

[Sysname-acl-basic-2000] rule 2 permit source 2.2.2.2 0.0.255.255

[Sysname-acl-basic-2000] rule 3 permit source 3.3.3.3 0.0.0.255

# Use the display acl command to display the configuration information of ACL 2000.

[Sysname-acl-basic-2000] display acl 2000

Basic ACL  2000, 3 rules, match-order is auto

Acl's step is 1

 rule 3 permit source 3.3.3.0 0.0.0.255

 rule 2 permit source 2.2.0.0 0.0.255.255

 rule 1 permit source 1.0.0.0 0.255.255.255

As shown in the output information, the switch sorts the rules of ACL 2000 in the depth-first order: a rule with more zeros in the source IP address wildcard has a higher priority.
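The depth-first ordering shown above matters for filtering correctness: under config order a broad permit defined early shadows a narrower deny defined later, while auto order tries the narrower rule first. The following Python model, added here as an example and not part of the H3C manual, reproduces both orderings for basic ACL rules with source wildcards. The tie-break between equally specific rules and the result for a packet that matches no rule are assumptions, labelled in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask: a 0 bit must match, a 1 bit is ignored


def wildcard_for_mask(subnet_mask: str) -> str:
    """The wildcard typed on the CLI is the bitwise complement of the subnet mask
    (255.255.0.0 -> 0.0.255.255)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def rule(rule_id: int, action: str, sour_addr: str, sour_wildcard: str) -> BasicRule:
    """Build a rule from the arguments of 'rule <id> {permit|deny} source <addr> <wildcard>'."""
    return BasicRule(rule_id, action,
                     int(ipaddress.IPv4Address(sour_addr)),
                     int(ipaddress.IPv4Address(sour_wildcard)))


def matches(r: BasicRule, src: str) -> bool:
    """A packet matches when every bit the wildcard marks as 0 agrees with the rule."""
    care = r.wildcard ^ ALL_ONES
    return (int(ipaddress.IPv4Address(src)) & care) == (r.source & care)


def ordered(rules: List[BasicRule], match_order: str) -> List[BasicRule]:
    """config: the order the rules were defined.
    auto: depth-first, so the rule whose wildcard has the fewest 1 bits (the narrowest
    source range) is tried first. Breaking ties by definition order is an assumption;
    the page does not say how equally specific rules are ordered."""
    if match_order == "config":
        return list(rules)
    if match_order == "auto":
        return sorted(rules, key=lambda r: bin(r.wildcard).count("1"))  # stable sort keeps ties in definition order
    raise ValueError(f"unknown match order {match_order!r}")


def evaluate(rules: List[BasicRule], src: str, match_order: str) -> Optional[Tuple[str, int]]:
    """First matching rule wins; returns (action, rule_id). None means no rule matched;
    what the switch then does with the packet is not stated in this section."""
    for r in ordered(rules, match_order):
        if matches(r, src):
            return r.action, r.rule_id
    return None


# Constructed rule set: a broad permit defined before a host-specific deny.
RULES = [
    rule(1, "permit", "10.0.0.0", "0.255.255.255"),   # rule 1 permit source 10.0.0.0 0.255.255.255
    rule(2, "deny", "10.1.2.3", "0.0.0.0"),           # rule 2 deny source 10.1.2.3 0
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(RULES, "10.1.2.3", order))
    # config: ('permit', 1)  the /8 permit shadows the host deny
    # auto:   ('deny', 2)    depth-first tries the /32 deny first
```

Under config order the deny for 10.1.2.3 never fires. When a host exception is needed inside a permitted range, either define the narrow rule first or create the ACL with match-order auto; as the acl command notes, the match order of an existing ACL can only be changed after all its rules have been removed.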

1.1.2  description

Syntax

description text

undo description

View

Basic ACL view, advanced ACL view, Layer 2 ACL view, IPv6 ACL view

Parameters

text: Description string to be assigned to an ACL, a string of 1 to 127 characters. Blank spaces and special characters are acceptable.

Description

Use the description command to assign a description string to an ACL.

Use the undo description command to remove the description string of the ACL.

You can give ACLs descriptions that record, for example, their purpose and the ports they are applied to, so that you can easily identify and distinguish ACLs by their descriptions.

By default, no description string is assigned to an ACL.

Examples

# Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets

# Use the display acl command to view the configuration information of ACL 3000.

[Sysname-acl-adv-3000] display acl 3000

Advanced ACL  3000, 0 rule

This acl is used for filtering all HTTP packets

Acl's step is 1

# Remove the description string of ACL 3000.

[Sysname-acl-adv-3000] undo description

1.1.3  display acl

Syntax

display acl { all | acl-number }

View

Any view

Parameters

all: Displays all ACLs.

acl-number: Number of the ACL to be displayed, in the range of 2000 to 5999.

Description

Use the display acl command to display the configuration information of a specified or all ACLs.

Note that if you specify the match order of an ACL when configuring the ACL, this command will display the rules of the ACL in the specified match order.

Examples

# Display information about ACL 2000.

<Sysname> display acl 2000

Basic ACL  2000, 1 rule

Acl's step is 1

 rule 0 permit source 1.1.1.1 0

Table 1-1 Description on the fields of the display acl command

Field             Description
Basic ACL 2000    The displayed information is about basic ACL 2000.
1 rule            The ACL includes one rule.
Acl's step is 1   The step for rules of this ACL is 1.

 

1.1.4  display acl remaining entry

Syntax

display acl remaining entry

View

Any view

Parameters

None

Description

Use the display acl remaining entry command to display information about the remaining ACL resources.

From the output, you can determine how many rule resources a given type of ACL rules has consumed and whether a failure to assign ACL rules was caused by resource exhaustion.

Example

# Display information about the remaining ACL resources.

<Sysname> display acl remaining entry

  Resource  Total   Reserved  Configured  Remaining   Start     End

   Type      Number  Number    Number       Number   Port Name  Port Name

--------------------------------------------------------------------------

      Rule    1024       13          1         1010     Eth1/0/1   GE1/2/1

Table 1-2 Description on the fields of the display acl remaining entry command

Field                            Description
Resource Type                    Type of resource. Rule: rule resources that the switch can assign.
Total Number                     Total number of ACL rule resources
Reserved Number                  Number of resources reserved for system ACLs
Configured Number                Number of resources consumed by user-defined ACL rules
Remaining Number                 Number of resources still available
Start Port Name, End Port Name   First and last port of the port range the entry applies to

 

1.1.5  display ipv6-acl-template

Syntax

display ipv6-acl-template

View

Any view

Parameters

None

Description

Use the display ipv6-acl-template command to display the IPv6 ACL template configuration information.

Example

# Display the IPv6 ACL template configuration information.

<Sysname> display ipv6-acl-template

  Ipv6 acl template : src-ip dest-ip

1.1.6  display packet-filter

Syntax

display packet-filter { global | interface interface-type interface-number | port-group [ group-id ] | unitid unit-id | vlan [ vlan-id ] }

View

Any view

Parameters

global: Displays information about global packet filtering.

interface interface-type interface-number: Displays information about packet filtering on the port specified by interface-type and interface-number.

port-group group-id: Displays information about packet filtering on the port group specified by group-id.

unitid unit-id: Displays information about packet filtering on the unit specified by unit-id. The unit ID can be set only to 1.

vlan vlan-id: Displays information about packet filtering on the VLAN specified by vlan-id.

Description

Use the display packet-filter command to display information about packet filtering.

Example

# Display information about packet filtering on the switch.

<Sysname> display packet-filter unitid 1

Ethernet1/0/1

 Inbound:

 Acl 2000 rule 0  running

Table 1-3 Description on the fields of the display packet-filter command

Field             Description
Ethernet1/0/1     Packet filtering is performed on Ethernet1/0/1.
Inbound           Packet filtering is performed in the inbound direction.
Acl 2000 rule 0   Rule 0 of ACL 2000 is applied.
running           Status of the rule: running means the ACL rule is active; not running means the ACL rule is inactive, usually because the current time is outside the rule's time range.

 

1.1.7  display time-range

Syntax

display time-range { all | time-name }

View

Any view

Parameters

all: Displays all time ranges.

time-name: Name of a time range, a string of 1 to 32 characters that starts with a to z or A to Z.

Description

Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”.

Related commands: time-range.

Examples

# Display all time ranges.

<Sysname> display time-range all

Current time is 17:01:34 May/21/2007 Monday

Time-range : tr ( Active )

 12:00 to 18:00 working-day

Time-range : tr1 ( Inactive )

 From 12:00 Jan/1/2008 to 12:00 Jun/1/2008

Table 1-4 Description on the fields of the display time-range command

Field                                         Description
Current time is 17:01:34 May/21/2007 Monday   Current system time
Time-range                                    Name of the time range
Active / Inactive                             Status of the time range: Active means the time range is in effect now; Inactive means it is not in effect now.
12:00 to 18:00 working-day                    Periodic time range: from 12:00 to 18:00 on each working day.
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008     Absolute time range: from 12:00 on January 1, 2008 to 12:00 on June 1, 2008.
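A rule bound to a time range is enforced only while the range is Active; outside it the rule shows as not running under display packet-filter, so a deny rule silently stops filtering, and a wrong system clock changes the result. The following Python, added here as an example and not part of the H3C manual, parses the two statement forms shown in the output above and evaluates them against a given clock. The day sets behind working-day and off-day and the half-open comparison of the bounds are assumptions, labelled in the code.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Union

# Assumptions (not stated on the page): working-day is Monday to Friday, off-day is
# Saturday and Sunday, and each bound is compared half-open, start <= now < end.
DAY_SETS = {
    "daily": frozenset(range(7)),
    "working-day": frozenset(range(5)),
    "off-day": frozenset({5, 6}),
}


@dataclass(frozen=True)
class Periodic:
    """'12:00 to 18:00 working-day': a daily window on a set of weekdays."""
    start: time
    end: time
    days: str


@dataclass(frozen=True)
class Absolute:
    """'From 12:00 Jan/1/2008 to 12:00 Jun/1/2008': one fixed interval."""
    start: datetime
    end: datetime


Statement = Union[Periodic, Absolute]


def parse_statement(line: str) -> Statement:
    """Parse one statement line as printed by display time-range."""
    parts = line.split()
    if parts[0] == "From":
        fmt = "%H:%M %b/%d/%Y"
        return Absolute(datetime.strptime(f"{parts[1]} {parts[2]}", fmt),
                        datetime.strptime(f"{parts[4]} {parts[5]}", fmt))
    start, _to, end, days = parts
    if days not in DAY_SETS:
        raise ValueError(f"unknown day set {days!r}")
    return Periodic(datetime.strptime(start, "%H:%M").time(),
                    datetime.strptime(end, "%H:%M").time(), days)


def is_active(stmt: Statement, now: datetime) -> bool:
    """Active / Inactive as display time-range would report it at the given clock."""
    if isinstance(stmt, Absolute):
        return stmt.start <= now < stmt.end
    return now.weekday() in DAY_SETS[stmt.days] and stmt.start <= now.time() < stmt.end


def rule_status(time_name: str, ranges: Dict[str, Statement], now: datetime) -> str:
    """running / not running: the status display packet-filter shows for a rule
    that references the named time range."""
    return "running" if is_active(ranges[time_name], now) else "not running"


# Constructed from the display time-range output quoted in this section.
RANGES = {
    "tr": parse_statement("12:00 to 18:00 working-day"),
    "tr1": parse_statement("From 12:00 Jan/1/2008 to 12:00 Jun/1/2008"),
}
NOW = datetime(2007, 5, 21, 17, 1, 34)    # 17:01:34 May/21/2007, a Monday

if __name__ == "__main__":
    for name, stmt in RANGES.items():
        print(name, "Active" if is_active(stmt, NOW) else "Inactive")
    # A deny rule bound to tr stops filtering at 18:00 and on weekends:
    print(rule_status("tr", RANGES, datetime(2007, 5, 26, 13, 0)))   # Saturday
```

Run the check with the clock the switch actually has, not the one you expect it to have: if the switch is not synchronized, compare the Current time line of display time-range with a trusted source before trusting a time-bound deny.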

 

1.1.8  ipv6-acl-template

Syntax

ipv6-acl-template { dscp | ip-protocol | src-ip | dest-ip | src-port | dest-port | icmpv6-type | icmpv6-code } *

undo ipv6-acl-template

View

System view

Parameters

dscp: Matches the traffic class field in IPv6 packets.

ip-protocol: Matches the next header field in IPv6 packets.

src-ip: Matches the source address field in IPv6 packets.

dest-ip: Matches the destination address field in IPv6 packets.

src-port: Matches the TCP/UDP source port field in IPv6 packets.

dest-port: Matches the TCP/UDP destination port field in IPv6 packets.

icmpv6-type: Matches the ICMPv6 type field in IPv6 packets.

icmpv6-code: Matches the ICMPv6 code field in IPv6 packets.

Description

Use the ipv6-acl-template command to configure an IPv6 ACL template.

Use the undo ipv6-acl-template command to remove the configuration.

By default, no IPv6 ACL template is configured.

Note that:

- Only one IPv6 ACL is supported on an H3C S3100 switch.

- To specify the src-port, dest-port, icmpv6-type or icmpv6-code keyword, you must also specify the ip-protocol keyword.

- If a template already exists, you must remove it before configuring a new one. A template that is referenced by an applied IPv6 ACL rule cannot be removed.

Example

# Configure an IPv6 ACL template to match the source address and destination address fields in IPv6 packets.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] ipv6-acl-template src-ip dest-ip

1.1.9  packet-filter

Syntax

packet-filter inbound acl-rule

undo packet-filter inbound acl-rule

View

System view, Ethernet port view, Port group view

Parameters

inbound: Filters inbound packets.

acl-rule: ACL/ACL rules to be applied. This argument can be one of those listed in Table 1-5.

Table 1-5 Combined application of ACLs

Combination mode                                                  The acl-rule argument
Apply all rules of an IP-type ACL (basic or advanced)             ip-group acl-number
Apply one rule of an IP-type ACL (basic or advanced)              ip-group acl-number rule rule-id
Apply all rules of a Layer 2 ACL                                  link-group acl-number
Apply one rule of a Layer 2 ACL                                   link-group acl-number rule rule-id
Apply all rules of an IPv6 ACL                                    user-group acl-number
Apply one rule of an IPv6 ACL                                     user-group acl-number rule rule-id
Apply one rule of an IP-type ACL and one rule of a Layer 2 ACL    ip-group acl-number rule rule-id link-group acl-number rule rule-id

In Table 1-5:

- The ip-group acl-number keyword specifies a basic or an advanced ACL. The acl-number argument ranges from 2000 to 3999.

- The link-group acl-number keyword specifies a Layer 2 ACL. The acl-number argument ranges from 4000 to 4999.

- The user-group acl-number keyword specifies an IPv6 ACL. The acl-number argument ranges from 5000 to 5999.

- The rule rule-id keyword specifies one rule of an ACL. The rule-id argument ranges from 0 to 65534. If you do not specify it, all rules of the ACL are applied.

Description

Use the packet-filter command to assign an ACL globally, to a port, or in a port group to filter inbound packets.

Use the undo packet-filter command to cancel the assignment of an ACL.

Examples

# Apply all rules of basic ACL 2000 on Ethernet 1/0/1 to filter inbound packets. Here, it is assumed that the ACL and its rules are already configured.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet1/0/1

[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000

[Sysname-Ethernet1/0/1] quit

# Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 on Ethernet 1/0/4 to filter inbound packets. Here, it is assumed that the ACLs and their rules are already configured.

[Sysname] interface Ethernet 1/0/4

[Sysname-Ethernet1/0/4] packet-filter inbound ip-group 3000 rule 1 link-group 4000 rule 2

After completing the above configuration, you can use the display packet-filter command to view information about packet filtering.

1.1.10  packet-filter vlan

Syntax

packet-filter vlan vlan-id inbound acl-rule

undo packet-filter vlan vlan-id inbound acl-rule

View

System view

Parameters

vlan-id: VLAN ID.

inbound: Specifies to filter packets received by the ports in the VLAN.

acl-rule: ACL rules to be applied, which can be a combination of the rules of multiple ACLs, as described in Table 1-5.

Description

Use the packet-filter vlan command to apply ACL rules to a VLAN to filter packets.

Use the undo packet-filter vlan command to remove the application of ACL rules to a VLAN.

When you need to apply an ACL to all ports in a VLAN, you can use the packet-filter vlan command to achieve the goal in one operation.

 

Note:

An ACL assigned to a VLAN takes effect only for packets that carry an 802.1Q tag. For more information about the 802.1Q header, refer to the VLAN part.

 

Examples

# Apply all rules of basic ACL 2000 to VLAN 10 to make all ports in VLAN 10 filter inbound packets. Here, it is assumed that the ACL and its rules and the VLAN are already configured.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] packet-filter vlan 10 inbound ip-group 2000

After completing the above configuration, you can use the display packet-filter command to view information about packet filtering.

1.1.11  rule (for Basic ACLs)

Syntax

rule [ rule-id ] { deny | permit} [ rule-string ]

undo rule rule-id [ fragment | source | time-range ]*

View

Basic ACL view

Parameters

I. Parameters of the rule command

rule-id: ACL rule ID, in the range of 0 to 65534.

deny: Drops the matched packets.

permit: Permits the matched packets.

rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-6.

Table 1-6 Parameters for basic IPv4 ACL rules

source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard arguments specify a source IP address and wildcard in dotted decimal notation; a wildcard of 0 specifies a single host address. The any keyword matches any source IP address.

fragment: Makes the rule apply only to non-tail fragments.

time-range time-name: Specifies the time range in which the rule takes effect. time-name is the name of the time range, a string of 1 to 32 characters.

 

Note:

sour-wildcard is the bitwise complement of the source subnet mask: a 0 bit in the wildcard must match, a 1 bit is ignored. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.

 

II. Parameters of the undo rule command

rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.

fragment: Removes the settings concerning non-tail fragments in the ACL rule.

source: Removes the settings concerning source address in the ACL rule.

time-range: Removes the settings concerning time range in the ACL rule.

 

Note:

When basic ACLs are assigned to the hardware for packet filtering, the fragment keyword is not supported on an H3C S3100 Series Ethernet switch.

 

Description

Use the rule command to define an ACL rule.

Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.

To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.

Note that:

- With the config match order specified for the basic ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified, you cannot modify an existing rule; the system prompts an error.

- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: 0 if the ACL has no rules, otherwise the greatest existing rule number plus one. If the greatest rule number is already 65534, the system displays an error message and you must specify a number for the rule.

- The content of a modified or created rule cannot be identical to that of any existing rule; otherwise the modification or creation fails and the system prompts that the rule already exists.

- With the auto match order specified, newly created rules are inserted among the existing ones by the depth-first principle, but the numbers of the existing rules are unaltered.

Examples

# Create basic ACL 2000 and define rule 1 to deny packets whose source IP addresses are 192.168.0.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule 1 deny source 192.168.0.1 0

[Sysname-acl-basic-2000] quit

# Create basic ACL 2001 and define rule 1 to deny packets that are non-tail fragments.

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule 1 deny fragment

[Sysname-acl-basic-2001] quit

# Create basic ACL 2002 and define rule 1 to deny all packets during the period specified by time range trname.

[Sysname] acl number 2002

[Sysname-acl-basic-2002] rule 1 deny time-range trname

After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.

1.1.12  rule (for Advanced ACLs)

Syntax

rule [ rule-id ] { deny | permit } protocol [ rule-string ]

undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos | ttl ]*

View

Advanced ACL view

Parameters

I. Parameters of the rule command

rule-id: ACL rule ID, in the range of 0 to 65534.

deny: Drops the matched packets.

permit: Permits the matched packets.

protocol: Protocol carried by IP. Represented as a number, it ranges from 1 to 255; represented by name, it can be gre (47), icmp (1), igmp (2), ip (any IP packet), ipinip (4), ospf (89), tcp (6), or udp (17).

rule-string: ACL rule information, which can be a combination of the arguments and keywords described in Table 1-7.

Table 1-7 Arguments/keywords available to the rule-string argument

source { sour-addr sour-wildcard | any } (source address): Specifies the source address information for the rule. The sour-addr sour-wildcard arguments specify the source address and wildcard in dotted decimal notation; provide 0 for sour-wildcard to match a single host. The any keyword matches any source address.

destination { dest-addr dest-wildcard | any } (destination address): Specifies the destination address information for the rule. The dest-addr dest-wildcard arguments specify the destination address and wildcard in dotted decimal notation; provide 0 for dest-wildcard to match a single host. The any keyword matches any destination address.

precedence precedence (packet priority): Specifies an IP precedence value, a number in the range 0 to 7 (or a keyword from Table 1-9).

tos tos (packet priority): Specifies a ToS value, a number in the range 0 to 15 (or a keyword from Table 1-10).

dscp dscp (packet priority): Specifies a DSCP value, a number in the range 0 to 63 (or a keyword from Table 1-8).

fragment (fragment information): Makes the rule apply only to non-tail fragments.

ttl ttl (TTL information): Specifies the TTL value to match, a number in the range 0 to 255.

time-range time-name (time range information): Specifies the time range in which the rule takes effect. time-name is the name of the time range, a string of 1 to 32 characters.

 

Note:

The sour-wildcard/dest-wildcard argument is the bitwise complement of the source/destination subnet mask. For example, enter 0.0.255.255 to specify the subnet mask 255.255.0.0.

 

If you specify the dscp keyword, you can enter a value in the range 0 to 63 directly or one of the keywords listed in Table 1-8.

Table 1-8 DSCP values and the corresponding keywords

Keyword   DSCP value in decimal   DSCP value in binary
af11      10                      001010
af12      12                      001100
af13      14                      001110
af21      18                      010010
af22      20                      010100
af23      22                      010110
af31      26                      011010
af32      28                      011100
af33      30                      011110
af41      34                      100010
af42      36                      100100
af43      38                      100110
be        0                       000000
cs1       8                       001000
cs2       16                      010000
cs3       24                      011000
cs4       32                      100000
cs5       40                      101000
cs6       48                      110000
cs7       56                      111000
ef        46                      101110

 

If you specify the precedence keyword, you can enter a value in the range 0 to 7 directly or one of the keywords listed in Table 1-9.

Table 1-9 IP precedence values and the corresponding keywords

Keyword          IP precedence in decimal   IP precedence in binary
routine          0                          000
priority         1                          001
immediate        2                          010
flash            3                          011
flash-override   4                          100
critical         5                          101
internet         6                          110
network          7                          111

 

If you specify the tos keyword, you can enter a value in the range 0 to 15 directly or one of the keywords listed in Table 1-10.

Table 1-10 ToS values and the corresponding keywords

Keyword             ToS in decimal   ToS in binary
normal              0                0000
min-monetary-cost   1                0001
max-reliability     2                0010
max-throughput      4                0100
min-delay           8                1000

 

If the protocol type is TCP or UDP, you can also define the information listed in Table 1-11.

Table 1-11 TCP/UDP-specific ACL rule information

source-port operator port1 [ port2 ] (source port): Defines the source port information of TCP/UDP packets. operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the range operator takes two port numbers as operands; the other operators take one. port1 and port2 are TCP/UDP port numbers, expressed as port names (see Table 1-12) or as numbers in the range 0 to 65535. With the range operator, port2 need not be greater than port1, because the switch orders the two values itself; if port1 equals port2, the switch converts range to eq. Note that the switch converts lt 1 to eq 0 and gt 65534 to eq 65535.

destination-port operator port1 [ port2 ] (destination port): Defines the destination port information of TCP/UDP packets, with the same operators and operands as source-port.

established (TCP connection flag): TCP-specific keyword. This manual describes the keyword as applying only to the first SYN segment that establishes a TCP connection. On most ACL implementations the keyword instead matches segments with the ACK or RST flag set (every segment except the initial SYN), so verify the behaviour on your software release with a test flow before relying on established to separate connection setup from established traffic.

 

If a TCP or UDP port number is represented by name, you can use the names listed in Table 1-12.

Table 1-12 TCP or UDP port names and values

TCP: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80)

UDP: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177)

 

If the protocol type is ICMP, you can also define the information listed in Table 1-13.

Table 1-13 ICMP-specific ACL rule information

icmp-type icmp-type icmp-code (type and message code of ICMP packets): Specifies the ICMP type and code to match. icmp-type is the ICMP message type, in the range 0 to 255; icmp-code is the ICMP message code, in the range 0 to 255.

 

If the protocol type is ICMP, you can also enter an ICMP message name after the icmp-type keyword instead of a numeric type and code. See Table 1-14 for the ICMP messages.

Table 1-14 ICMP messages

Name                   ICMP type   ICMP code
echo                   8           0
echo-reply             0           0
fragmentneed-DFset     3           4
host-redirect          5           1
host-tos-redirect      5           3
host-unreachable       3           1
information-reply      16          0
information-request    15          0
net-redirect           5           0
net-tos-redirect       5           2
net-unreachable        3           0
parameter-problem      12          0
port-unreachable       3           3
protocol-unreachable   3           2
reassembly-timeout     11          1
source-quench          4           0
source-route-failed    3           5
timestamp-reply        14          0
timestamp-request      13          0
ttl-exceeded           11          0

 

II. Parameters of the undo rule command

rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.

source: Removes the settings concerning the source address in the ACL rule.

source-port: Removes the settings concerning the source port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP.

destination: Removes the settings concerning the destination address in the ACL rule.

destination-port: Removes the settings concerning the destination port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP.

icmp-type: Removes the settings concerning the ICMP type and message code in the ACL rule. This keyword is only available to the ACL rules with their protocol type set to ICMP.

precedence: Removes the precedence-related settings in the ACL rule.

tos: Removes the ToS-related settings in the ACL rule.

dscp: Removes the DSCP-related settings in the ACL rule.

ttl: Removes the TTL-related settings in the ACL rule.

time-range: Removes the time range settings in the ACL rule.

fragment: Removes the settings concerning non-tail fragments in the ACL rule.

 

Note:

Note the following when assigning an advanced ACL to the hardware:

- The fragment keyword is not supported.

- When you specify the ttl keyword, the ttl argument can only be 0, 1 or 255.

- When defining source or destination port information, operator (see Table 1-11) cannot be neq.

- When defining source or destination port information, you can specify up to four port ranges with the range operator.

 

Description

Use the rule command to define an ACL rule.

Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.

To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.

Note that:

- With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified, you cannot modify an existing rule; the system prompts an error.

- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: 0 if the ACL has no rules, otherwise the greatest existing rule number plus one. If the greatest rule number is already 65534, the system displays an error message and you must specify a number for the rule.

- The content of a modified or created rule cannot be identical to that of any existing rule; otherwise the modification or creation fails and the system prompts that the rule already exists.

- If the ACL was created with the auto keyword, newly created rules are inserted among the existing ones by the depth-first principle, but the numbers of the existing rules are unaltered.

Examples

# Create advanced ACL 3000 and define rule 1 to deny packets with the source IP address of 192.168.0.1 and DSCP priority of 46.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 1 deny ip source 192.168.0.1 0 dscp 46

[Sysname-acl-adv-3000] quit

# Create advanced ACL 3001 and define rule 1 to permit TCP packets that are sourced from network 129.9.0.0/16, destined for network 202.38.160.0/24, and using the destination port number of 80.

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule 1 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.
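Before assigning an advanced ACL to hardware, it is worth checking each rule against the conversions and hardware limits described above, because a rule the switch cannot program provides no filtering at all. The following Python, added here as an example and not part of the H3C manual, applies the port-operator conversions from Table 1-11 and reports the conditions from the hardware note (fragment, a ttl outside 0/1/255, the neq operator, and port operators on a protocol other than TCP or UDP). The class and function names are this example's own; it does not parse device configuration.

```python
from dataclasses import dataclass
from typing import List, Optional

PORT_MAX = 65535


@dataclass(frozen=True)
class PortMatch:
    """One 'operator port1 [ port2 ]' clause of source-port / destination-port."""
    operator: str            # lt, gt, eq, neq or range
    port1: int
    port2: Optional[int] = None


def normalize(pm: PortMatch) -> PortMatch:
    """Apply the conversions the manual describes: the two range bounds may be given
    in either order, range N N becomes eq N, lt 1 becomes eq 0 and gt 65534 becomes
    eq 65535."""
    if pm.operator == "range":
        if pm.port2 is None:
            raise ValueError("range requires two port numbers")
        lo, hi = sorted((pm.port1, pm.port2))
        return PortMatch("eq", lo) if lo == hi else PortMatch("range", lo, hi)
    if pm.operator == "lt" and pm.port1 == 1:
        return PortMatch("eq", 0)
    if pm.operator == "gt" and pm.port1 == PORT_MAX - 1:
        return PortMatch("eq", PORT_MAX)
    return PortMatch(pm.operator, pm.port1)


def port_matches(pm: PortMatch, port: int) -> bool:
    """Evaluate a port clause (after normalization) against a packet's port number."""
    n = normalize(pm)
    if n.operator == "lt":
        return port < n.port1
    if n.operator == "gt":
        return port > n.port1
    if n.operator == "eq":
        return port == n.port1
    if n.operator == "neq":
        return port != n.port1
    if n.operator == "range":
        return n.port1 <= port <= n.port2
    raise ValueError(f"unknown operator {n.operator!r}")


@dataclass(frozen=True)
class AdvancedRule:
    """The subset of an advanced ACL rule that the hardware note constrains."""
    protocol: str                              # tcp, udp, icmp, ip, ...
    action: str                                # permit or deny
    source_port: Optional[PortMatch] = None
    destination_port: Optional[PortMatch] = None
    ttl: Optional[int] = None
    fragment: bool = False


def hardware_problems(rule: AdvancedRule) -> List[str]:
    """Return the reasons, if any, that the rule cannot be assigned to hardware."""
    problems = []
    if rule.fragment:
        problems.append("fragment is not supported in hardware")
    if rule.ttl is not None and rule.ttl not in (0, 1, 255):
        problems.append(f"ttl {rule.ttl}: hardware accepts only 0, 1 or 255")
    for label, pm in (("source-port", rule.source_port),
                      ("destination-port", rule.destination_port)):
        if pm is None:
            continue
        if rule.protocol not in ("tcp", "udp"):
            problems.append(f"{label} is only valid for tcp or udp, not {rule.protocol}")
        if pm.operator == "neq":
            problems.append(f"{label} neq is not supported in hardware")
    return problems


if __name__ == "__main__":
    # Constructed rules: the second one is accepted on the CLI but cannot be programmed.
    ok = AdvancedRule("tcp", "permit", destination_port=PortMatch("range", 443, 80))
    bad = AdvancedRule("tcp", "deny", destination_port=PortMatch("neq", 23), ttl=64, fragment=True)
    print(normalize(ok.destination_port), hardware_problems(ok))
    print(hardware_problems(bad))
```

A rule that hardware_problems rejects should be rewritten rather than assigned: a neq 23 clause becomes two rules, one with lt 23 and one with gt 23, and a ttl test other than 0, 1 or 255 has to be dropped or handled elsewhere.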

1.1.13  rule (for Layer 2 ACLs)

Syntax

rule [ rule-id ] { deny | permit } [ rule-string ]

undo rule rule-id

View

Layer 2 ACL view

Parameters

rule-id: ACL rule ID, in the range of 0 to 65534.

deny: Drops the matched packets.

permit: Permits the matched packets.

rule-string: ACL rule information, which can be a combination of the arguments and keywords described in Table 1-15.

Table 1-15 Layer 2 ACL rule information

format-type (link layer encapsulation type): Specifies the link layer encapsulation type in the rule. This argument can be 802.3/802.2, 802.3, ether_ii, or snap.

lsap lsap-code lsap-wildcard (LSAP field): Specifies the LSAP field for the rule. lsap-code is the encapsulation format of data frames, a 16-bit hexadecimal number; lsap-wildcard is the mask of the LSAP value, a 16-bit hexadecimal number specifying the mask bits.

source { source-mac-addr source-mac-mask | vlan-id | vlan operator vlan-id1 [ vlan-id2 ] }* (source MAC address or source VLAN information): Specifies the source MAC address range or source VLAN range for the rule. source-mac-addr is the source MAC address and source-mac-mask is its mask, both in the format H-H-H. vlan-id, vlan-id1 and vlan-id2 are source VLAN IDs in the range 1 to 4094. operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of); only the range operator takes two VLAN IDs as operands, the other operators take one. With the range operator, vlan-id2 need not be greater than vlan-id1, because the device orders the two values itself. Note that the device converts lt 1 to eq 0 and gt 4093 to eq 4094.

dest dest-mac-addr dest-mac-mask (destination MAC address information): Specifies the destination MAC address range for the rule. dest-mac-addr is the destination MAC address and dest-mac-mask is its mask, both in the format H-H-H.

cos cos (priority): Specifies the 802.1p priority of the rule. cos is the VLAN priority, in the range 0 to 7.

time-range time-name (time range information): Specifies the time range in which the rule takes effect. time-name is the name of the time range, a string of 1 to 32 characters.

type protocol-type protocol-mask (protocol type of Ethernet frames): Specifies the Ethernet frame protocol type for the rule. protocol-type is the protocol type and protocol-mask is its mask.

 

&  Note:

Note the following when assigning a Layer 2 ACL to the hardware:

l      The 802.3/802.2 and 802.3 keywords are not supported.

l      When defining the source VLAN information, the operator argument cannot be neq.

l      When defining the source VLAN information, you can specify up to four port ranges with the range operator.

 

Description

Use the rule command to define an ACL rule.

Use the undo rule command to remove an ACL rule.

To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.

Note that:

l           You can modify any existing rule of the Layer 2 ACL; the unmodified part of the ACL remains unchanged.

l           If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule.

l           The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.

Examples

# Create Layer 2 ACL 4000 and define rule 1 to deny packets that are sourced from MAC address 000d-88f5-97ed, destined for MAC address 0011-4301-991e, and using the 802.1p priority of 3.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule 1 deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff

[Sysname-acl-ethernetframe-4000] quit

After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.
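The following Python model is an added example, not code from the switch or from H3C: it implements the Layer 2 matching semantics of Table 1-15, that is, MAC addresses in H-H-H form compared under a mask (ffff-ffff-ffff for an exact match) and the source VLAN operators lt, gt, eq, neq and range normalized the way the table describes (a reversed range is reordered, lt 1 becomes eq 0, gt 4093 becomes eq 4094), and it encodes rule 1 of ACL 4000 from the example above. Function names and the frame dictionary layout are this example's own.

```python
"""Layer 2 ACL matching semantics from Table 1-15 (added example, not the
switch's own code). MAC addresses in H-H-H form are matched under a mask
(ffff-ffff-ffff = exact match) and the source VLAN operators are normalized as
the table describes: a reversed range is reordered, "lt 1" becomes "eq 0" and
"gt 4093" becomes "eq 4094". Function names are this example's own."""
from typing import Optional, Tuple

MAX_VLAN = 4094


def mac_to_int(h_h_h: str) -> int:
    """'000d-88f5-97ed' (the CLI's H-H-H form) -> 48-bit integer."""
    digits = h_h_h.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {h_h_h!r}")
    return int(digits, 16)


def mac_match(frame_mac: str, rule_mac: str, rule_mask: str) -> bool:
    """A 1 bit in the mask means that bit must match; ffff-ffff-ffff = exact."""
    mask = mac_to_int(rule_mask)
    return (mac_to_int(frame_mac) & mask) == (mac_to_int(rule_mac) & mask)


def normalize_vlan(op: str, vlan_id1: int,
                   vlan_id2: Optional[int] = None) -> Tuple[str, int, Optional[int]]:
    """Canonical form of 'vlan operator vlan-id1 [ vlan-id2 ]'."""
    if op == "range":
        if vlan_id2 is None:
            raise ValueError("range needs two VLAN IDs")
        lo, hi = sorted((vlan_id1, vlan_id2))   # operand order does not matter
        return ("range", lo, hi)
    if op not in ("lt", "gt", "eq", "neq"):
        raise ValueError(f"unknown operator {op!r}")
    if vlan_id2 is not None:
        raise ValueError(f"{op} takes a single VLAN ID")
    if op == "lt" and vlan_id1 == 1:            # conversions stated in the table
        return ("eq", 0, None)
    if op == "gt" and vlan_id1 == MAX_VLAN - 1:
        return ("eq", MAX_VLAN, None)
    return (op, vlan_id1, None)


def vlan_match(vid: int, op: str, vlan_id1: int, vlan_id2: Optional[int] = None) -> bool:
    """Does VLAN ID vid satisfy the operator expression?"""
    op, v1, v2 = normalize_vlan(op, vlan_id1, vlan_id2)
    if op == "lt":
        return vid < v1
    if op == "gt":
        return vid > v1
    if op == "eq":
        return vid == v1
    if op == "neq":          # defined by the CLI but, per the note, not in hardware
        return vid != v1
    return v1 <= vid <= v2   # range


def rule_4000_matches(frame: dict) -> bool:
    """The page's ACL 4000 rule 1: deny cos 3 from 000d-88f5-97ed to 0011-4301-991e."""
    return (frame["cos"] == 3
            and mac_match(frame["src"], "000d-88f5-97ed", "ffff-ffff-ffff")
            and mac_match(frame["dst"], "0011-4301-991e", "ffff-ffff-ffff"))
```

A mask such as ffff-ffff-0000 matches every address sharing the first three octets, which is how a single rule covers a vendor prefix rather than one station.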

1.1.14  rule (for IPv6 ACLs)

Syntax

rule [ rule-id ] { deny | permit } [ dscp rule-string rule-mask ] [ ip-protocol rule-string rule-mask ] [ src-ip ipv6-address prefix-length ] [ dest-ip ipv6-address prefix-length ] [ [ src-port rule-string rule-mask | dest-port rule-string rule-mask ] * | [ icmpv6-type rule-string rule-mask | icmpv6-code rule-string rule-mask ] * ] [ time-range time-name ]

undo rule rule-id

View

IPv6 ACL view

Parameters

rule-id: ACL rule ID, in the range of 0 to 65534.

deny: Drops the matched packets.

permit: Permits the matched packets.

dscp rule-string rule-mask: Specifies the traffic class information. The rule-string argument is the content to match and rule-mask is its mask; each is a two-digit hexadecimal number.

ip-protocol rule-string rule-mask: Specifies the next header information. The rule-string argument is the content to match and rule-mask is its mask; each is a two-digit hexadecimal number.

src-ip ipv6-address prefix-length: Specifies the source IPv6 address information. Arguments ipv6-address and prefix-length indicate the IPv6 address and prefix length respectively, where prefix-length must be in the range 1 to 128.

dest-ip ipv6-address prefix-length: Specifies the destination IPv6 address information. Arguments ipv6-address and prefix-length indicate the IPv6 address and prefix length respectively, where prefix-length must be in the range 1 to 128.

src-port rule-string rule-mask: Specifies the source TCP/UDP port information. The rule-string argument is the content to match and rule-mask is its mask; each is a four-digit hexadecimal number.

dest-port rule-string rule-mask: Specifies the destination TCP/UDP port information. The rule-string argument is the content to match and rule-mask is its mask; each is a four-digit hexadecimal number.

icmpv6-type rule-string rule-mask: Specifies the ICMPv6 type information. The rule-string argument is the content to match and rule-mask is its mask; each is a two-digit hexadecimal number.

icmpv6-code rule-string rule-mask: Specifies the ICMPv6 code information. The rule-string argument is the content to match and rule-mask is its mask; each is a two-digit hexadecimal number.

time-range time-name: Specifies the time range in which the rule takes effect. time-name indicates the name of a time range and must be a case-insensitive string of 1 to 32 characters that starts with an English letter. To avoid confusion, it cannot be all.

Description

Use the rule command to define an ACL rule.

Use the undo rule command to remove an ACL rule.

To remove an ACL rule, you need to specify the number of the ACL rule. You can use the display acl command to view the number of an ACL rule.

Note that:

l           You can modify any existing rule of an IPv6 ACL. If you modify only the action to be taken or the time range, the unmodified part of the rule remains the same. If you modify the contents of a user-defined string, the new string overwrites the original one.

l           If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule.

l           The content of a modified or created rule cannot be identical with the content of any existing rule of the ACL; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.

l           To specify the src-port or dest-port keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as TCP or UDP, that is, 0x06 or 0x11. To specify the icmpv6-type or icmpv6-code keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as ICMPv6, that is, 0x3a.

 

&  Note:

Note the following when assigning an IPv6 ACL to the hardware on H3C S3100 Series Ethernet switches:

l      IPv6 ACLs do not match IPv6 packets with extension headers.

l      Do not use IPv6 ACLs with VLAN mapping and trusted port priority.

 

Example

# Configure a rule for IPv6 ACL 5000, denying packets from 3001::1/64 to 3002::1/64.

<Sysname> system-view

[Sysname] acl number 5000

[Sysname-acl-user-5000] rule deny src-ip 3001::1 64 dest-ip 3002::1 64
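The following Python model is an added example, not code from the switch or from H3C: it treats each rule-string/rule-mask pair from the parameter list above as a hexadecimal content-and-mask field (two digits for dscp, ip-protocol, icmpv6-type and icmpv6-code; four for src-port and dest-port), treats src-ip/dest-ip as a prefix match with the 1 to 128 prefix-length check, enforces the dependency from the notes that port fields need ip-protocol 0x06 or 0x11 and ICMPv6 fields need 0x3a, and rebuilds the ACL 5000 rule from the example. Class names, keyword spelling with underscores and the packet dictionary layout are this example's own.

```python
"""IPv6 ACL rule semantics from the parameter list above (added example, not the
switch's own code). The rule-string/rule-mask pairs are modelled as hexadecimal
content-and-mask fields (two digits for dscp, ip-protocol, icmpv6-type and
icmpv6-code; four for src-port and dest-port), src-ip/dest-ip as a prefix
match, and the dependency that port fields need ip-protocol 0x06 (TCP) or 0x11
(UDP) while ICMPv6 fields need 0x3a. Names and the packet dictionary layout
are this example's own."""
import ipaddress
from typing import Dict, Optional, Tuple

# keyword -> (hex digits in rule-string and rule-mask, packet field compared)
FIELDS: Dict[str, Tuple[int, str]] = {
    "dscp": (2, "dscp"), "ip-protocol": (2, "next_header"),
    "src-port": (4, "sport"), "dest-port": (4, "dport"),
    "icmpv6-type": (2, "icmp_type"), "icmpv6-code": (2, "icmp_code"),
}
PORT_KEYS = ("src-port", "dest-port")
ICMP_KEYS = ("icmpv6-type", "icmpv6-code")


def parse_hex_field(keyword: str, rule_string: str, rule_mask: str) -> Tuple[int, int]:
    """Validate digit count and return (content, mask) as integers."""
    width = FIELDS[keyword][0]
    if len(rule_string) != width or len(rule_mask) != width:
        raise ValueError(f"{keyword} takes {width} hexadecimal digits")
    return int(rule_string, 16), int(rule_mask, 16)


class Ipv6Rule:
    """Keyword arguments use underscores: dscp=("2e", "ff"), src_ip=("3001::1", 64)."""

    def __init__(self, action: str, **kw):
        self.action = action
        self.fields: Dict[str, Tuple[int, int]] = {}
        self.src_net: Optional[ipaddress.IPv6Network] = None
        self.dst_net: Optional[ipaddress.IPv6Network] = None
        for key, value in kw.items():
            keyword = key.replace("_", "-")
            if keyword in ("src-ip", "dest-ip"):
                addr, plen = value
                if not 1 <= plen <= 128:
                    raise ValueError("prefix-length must be in the range 1 to 128")
                net = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
                if keyword == "src-ip":
                    self.src_net = net
                else:
                    self.dst_net = net
            elif keyword in FIELDS:
                self.fields[keyword] = parse_hex_field(keyword, *value)
            else:
                raise ValueError(f"unknown keyword {keyword!r}")
        self._check_next_header_dependency()

    def _check_next_header_dependency(self) -> None:
        proto = self.fields.get("ip-protocol")
        masked = (proto[0] & proto[1]) if proto else None
        wants_port = any(k in self.fields for k in PORT_KEYS)
        wants_icmp = any(k in self.fields for k in ICMP_KEYS)
        if wants_port and wants_icmp:
            raise ValueError("port and ICMPv6 fields cannot be combined")
        if wants_port and masked not in (0x06, 0x11):
            raise ValueError("src-port/dest-port require ip-protocol 06 or 11")
        if wants_icmp and masked != 0x3a:
            raise ValueError("icmpv6-type/icmpv6-code require ip-protocol 3a")

    def matches(self, pkt: dict) -> bool:
        if self.src_net and ipaddress.IPv6Address(pkt["src"]) not in self.src_net:
            return False
        if self.dst_net and ipaddress.IPv6Address(pkt["dst"]) not in self.dst_net:
            return False
        for keyword, (content, mask) in self.fields.items():
            value = pkt.get(FIELDS[keyword][1])
            if value is None or (value & mask) != (content & mask):
                return False
        return True


def demo() -> dict:
    """The page's ACL 5000 rule, a constructed TCP/443 rule, and the dependency check."""
    page_rule = Ipv6Rule("deny", src_ip=("3001::1", 64), dest_ip=("3002::1", 64))
    https = Ipv6Rule("permit", ip_protocol=("06", "ff"), dest_port=("01bb", "ffff"))
    # constructed packets: source, destination, next header, destination port
    inside = {"src": "3001::abcd", "dst": "3002::99", "next_header": 6, "dport": 443}
    outside = dict(inside, src="3003::1")
    try:
        Ipv6Rule("permit", dest_port=("01bb", "ffff"))   # no ip-protocol 06/11 given
        dependency_rejected = False
    except ValueError:
        dependency_rejected = True
    return {"inside_denied": page_rule.matches(inside), "outside_denied": page_rule.matches(outside),
            "https_permitted": https.matches(inside),
            "dns_permitted": https.matches(dict(inside, next_header=17, dport=53)),
            "dependency_rejected": dependency_rejected}
```

Note that the page's 3001::1 64 is normalized to the prefix 3001::/64, so the host part of the address given on the command line plays no role in matching.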

1.1.15  rule comment

Syntax

rule rule-id comment text

undo rule rule-id comment

View

Advanced ACL view, Layer 2 ACL view, IPv6 ACL view

Parameters

rule-id: ID of the ACL rule, in the range of 0 to 65534.

text: Comment for the ACL rule, a string of 1 to 127 characters. Blank spaces and special characters are acceptable.

Description

Use the rule comment command to define a comment for the ACL rule.

Use the undo rule comment command to remove the comment defined for the ACL rule.

You can give rules comments to provide relevant information such as their application purposes and the ports they are applied to, so that you can easily identify and distinguish ACL rules by their comments.

By default, an ACL rule has no comment.

Before defining a comment for an ACL rule, make sure that the ACL rule exists.

Examples

# Define the comment “This rule is to be applied to Ethernet 1/0/1” for rule 0 of advanced ACL 3001.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule 0 comment This rule is to be applied to Ethernet 1/0/1

# Use the display acl command to view the configuration information of advanced ACL 3001.

[Sysname-acl-adv-3001] display acl 3001

Advanced ACL  3001, 1 rule

Acl's step is 1

 rule 0 deny IP source 1.1.1.1 0 destination 2.2.2.2 0

 rule 0 comment This rule is to be applied to Ethernet 1/0/1

1.1.16  time-range

Syntax

time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }

undo time-range { all | name time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] }

View

System view

Parameters

all: Removes all the time ranges.

time-name: Name of a time range, a case-insensitive string of 1 to 32 characters that starts with a to z or A to Z. To avoid confusion, it cannot be all.

start-time: Start time of a periodic time range, in the form of hh:mm.

end-time: End time of a periodic time range, in the form of hh:mm. The end time must be greater than the start time.

days-of-the-week: Day of the week when the periodic time range is active. You can provide this argument in one of the following forms.

l           Numeral (0 to 6)

l           Mon, Tue, Wed, Thu, Fri, Sat, and Sun

l           Working days (Monday through Friday)

l           Off days (Saturday and Sunday)

l           Daily, namely every day of the week

from start-time start-date: Specifies the start date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the start date is not specified, the time range starts from 1970/01/01 00:00.

to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the end date is not specified, the time range ends at 2100/12/31 23:59.

Description

Use the time-range command to define a time range.

Use the undo time-range command to remove the specified or all time ranges.

Note that:

l           The switch supports up to 256 time ranges, each of which can have up to 32 periodic time ranges and 12 absolute time ranges.

l           If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section. If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.

l           If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.

l           If both a periodic time section and an absolute time section are defined in a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only when the system time is within 12:00 to 14:00 every Wednesday in 2004.

Examples

# Define a periodic time range that is active from 08:00 to 12:00 every working day.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] time-range tr1 08:00 to 12:00 working-day

# Define an absolute time range that is active from 12:00 January 1, 2008 to 12:00 June 1, 2008.

[Sysname] time-range tr2 from 12:00 1/1/2008 to 12:00 6/1/2008

# Display the configuration information of the time ranges.

[Sysname] display time-range all

Current time is 17:37:23 Nov/27/2007 Tuesday

 

Time-range : tr1 ( Inactive )

 08:00 to 12:00 working-day

 

Time-range : tr2 ( Inactive )

 From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
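The following Python model is an added example, not code from the switch or from H3C: it evaluates whether a time range is active at a given moment using the rules in the notes above (any one of the periodic sections must match if periodic sections exist, any one of the absolute sections must match if absolute sections exist, and both conditions must hold when both kinds are defined; absolute sections default to 1970/01/01 00:00 and 2100/12/31 23:59), and it rebuilds tr1 and tr2 from the Examples together with the Wednesday-in-2004 case from the notes. Class names, inclusive hh:mm boundaries and Python's Monday=0 weekday numbering (the CLI's numeral form 0 to 6 is not modelled) are this example's assumptions.

```python
"""Time-range activity as described in the notes above (added example, not the
switch's own code). A time range holds periodic sections (hh:mm to hh:mm on a
set of weekdays) and absolute sections (from/to date-times, defaulting to
1970/01/01 00:00 and 2100/12/31 23:59); it is active when at least one
periodic section matches (if any are defined) and at least one absolute
section matches (if any are defined). Class names, inclusive hh:mm boundaries
and Python's Monday=0 weekday numbering are this example's assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import FrozenSet, List

# days-of-the-week keywords, as Python weekday numbers (Mon=0 ... Sun=6)
DAY_KEYWORDS = {
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4}, "sat": {5}, "sun": {6},
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
}
ABSOLUTE_START_DEFAULT = datetime(1970, 1, 1, 0, 0)
ABSOLUTE_END_DEFAULT = datetime(2100, 12, 31, 23, 59)


def parse_days(spec: str) -> FrozenSet[int]:
    """'working-day' or 'mon wed fri' -> set of weekday numbers."""
    days = set()
    for word in spec.lower().split():
        if word not in DAY_KEYWORDS:
            raise ValueError(f"unknown day keyword {word!r}")
        days |= DAY_KEYWORDS[word]
    return frozenset(days)


@dataclass(frozen=True)
class Periodic:
    start: time
    end: time
    days: FrozenSet[int]

    def __post_init__(self):
        if self.end <= self.start:
            raise ValueError("end time must be greater than start time")

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Absolute:
    start: datetime = ABSOLUTE_START_DEFAULT   # "from" omitted
    end: datetime = ABSOLUTE_END_DEFAULT       # "to" omitted

    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= len(self.name) <= 32) or not self.name[0].isalpha() or self.name.lower() == "all":
            raise ValueError("time-name: 1 to 32 characters, starting with a letter, not 'all'")
        if len(self.periodic) > 32 or len(self.absolute) > 12:
            raise ValueError("a time range holds at most 32 periodic and 12 absolute sections")

    def is_active(self, now: datetime) -> bool:
        periodic_ok = not self.periodic or any(p.active(now) for p in self.periodic)
        absolute_ok = not self.absolute or any(a.active(now) for a in self.absolute)
        return periodic_ok and absolute_ok


def page_ranges() -> dict:
    """tr1 and tr2 from the Examples plus the Wednesday-in-2004 case from the notes."""
    return {
        "tr1": TimeRange("tr1", periodic=[Periodic(time(8, 0), time(12, 0), parse_days("working-day"))]),
        "tr2": TimeRange("tr2", absolute=[Absolute(datetime(2008, 1, 1, 12, 0), datetime(2008, 6, 1, 12, 0))]),
        "wed2004": TimeRange("wed2004",
                             periodic=[Periodic(time(12, 0), time(14, 0), parse_days("wed"))],
                             absolute=[Absolute(datetime(2004, 1, 1, 0, 0), datetime(2004, 12, 31, 23, 59))]),
    }


def active_at(name: str, *ymdhm: int) -> bool:
    """Is the named page range active at datetime(year, month, day, hour, minute)?"""
    return page_ranges()[name].is_active(datetime(*ymdhm))
```

Evaluated at the display output's system time, 17:37 on Tuesday Nov 27 2007, both tr1 (outside 08:00 to 12:00) and tr2 (before Jan 1 2008) come out inactive, matching the ( Inactive ) markers shown above; a rule bound to such a range therefore does nothing until the system clock moves into the range, which is worth checking whenever a time-bound ACL appears not to filter.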

 
