H3C S3610[S5510] Series Ethernet Switches Command Manual-Release 5303(V1.01)
Table of Contents
Chapter 1 ACL Configuration Commands
1.1 Common Configuration Commands
1.2 IPv4 ACL Configuration Commands
1.2.7 rule (basic IPv4 ACL view)
1.2.8 rule (advanced IPv4 ACL view)
1.2.9 rule (Ethernet frame header ACL view)
1.2.10 rule (user-defined ACL view)
1.2.11 rule comment (for IPv4)
1.3 IPv6 ACL Configuration Commands
1.3.7 rule (basic IPv6 ACL view)
1.3.8 rule (advanced IPv6 ACL view)
1.4 Flow Template Configuration Commands
1.4.1 display flow-template user-defined
1.4.2 display flow-template interface
Chapter 1 ACL Configuration Commands
1.1 Common Configuration Commands
1.1.1 display time-range
Syntax
display time-range { time-name | all }
View
Any view
Parameters
time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
all: All existing time ranges.
Description
Use the display time-range command to display the configuration and state of a specified or all time ranges.
A time range is active if the current system time falls within it, and inactive otherwise.
Examples
# Display the configuration and state of time range trname.
<Sysname> display time-range trname
Current time is 22:20:18 1/5/2006 Thursday
Time-range : trname ( Inactive )
from 15:00 1/28/2006 to 15:00 1/28/2008
Table 1-1 Description on the fields of the display time-range command
Field | Description
---|---
Current time | Current system time
Time-range | The configuration and state of the time range: its name, whether it is active or inactive, and its start and end times
1.1.2 time-range
Syntax
time-range time-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Parameters
time-name: Time range name comprising 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
start-time: Start time of a periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59.
end-time: End time of the periodic time range, in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The end time must be greater than the start time.
days: Indicates on which day or days of the week the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, for this argument, but make sure that they do not overlap. These values can take one of the following forms:
- A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
- A day of the week in words, that is, Mon, Tue, Wed, Thu, Fri, Sat, or Sun.
- working-day for Monday through Friday.
- off-day for Saturday and Sunday.
- daily for all seven days of the week.
from time1 date1: Indicates the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format as 24-hour time, where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month in the range 1 to 31, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available from the system, namely, 01/01/1970 00:00:00 AM.
to time2 date2: Indicates the end time and date of the absolute time range. The format of the time2 argument is the same as that of the time1 argument, but its value ranges from 00:00 to 24:00. The end time must be greater than the start time. If not specified, the end time is the maximum time available from the system, namely, 12/31/2100 24:00:00 PM. The format and value range of the date2 argument are the same as those of the date1 argument.
Description
Use the time-range command to create a time range.
Use the undo time-range command to remove a time range.
A time range can be one of the following:
- Periodic time range, created using the time-range time-name start-time to end-time days command. A time range thus created recurs on the specified day or days of the week.
- Absolute time range, created using the time-range time-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, an absolute time range does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
- Compound time range, created using the time-range time-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the specified day or days of the week, but only within the absolute period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
Note that:
- You may create multiple time-range statements with the same name. They are regarded as one time range whose active period is obtained by ORing the periodic statements, ORing the absolute statements, and ANDing the two results.
- Up to 256 time ranges can be defined.
Examples
# Create an absolute time range named test, setting it to become active from 00:00 on January 1, 2003.
<Sysname> system-view
[Sysname] time-range test from 0:0 2003/1/1
# Create a periodic time range named test, setting it to be active between 14:00 and 18:00 on Saturday and Sunday.
<Sysname> system-view
[Sysname] time-range test 14:00 to 18:00 off-day
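The time-range semantics above (periodic, absolute and compound statements, and the OR/AND combination of same-named statements), modelled in Python as an added example; this is not H3C code. The command-line parser, the half-open minute comparison (start <= t < end), and the treatment of a name with no periodic or no absolute statements as "no constraint" for that kind are assumptions of the model.

```python
from datetime import datetime, timedelta

# Day encoding of the `days` argument: 0 = Sunday ... 6 = Saturday.
DAY_WORDS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
FULL_NAMES = {"sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
# Defaults for an omitted `from` or `to` part: 01/01/1970 00:00 and 12/31/2100 24:00.
EARLIEST = datetime(1970, 1, 1)
LATEST = datetime(2100, 12, 31) + timedelta(days=1)


def parse_hhmm(text):
    """hh:mm 24-hour time as minutes since midnight; 24:00 is allowed as an end time."""
    hh, mm = (int(p) for p in text.split(":"))
    if not (0 <= hh <= 24 and 0 <= mm <= 59) or (hh == 24 and mm != 0):
        raise ValueError("bad time %r" % text)
    return hh * 60 + mm


def parse_days(tokens):
    """Digits, Mon..Sun (or full names), working-day, off-day, daily -> set of day numbers."""
    days = set()
    for tok in tokens:
        t = tok.lower()
        if t.isdigit() and int(t) <= 6:
            days.add(int(t))
        elif t in DAY_WORDS or t in FULL_NAMES:
            days.add(DAY_WORDS[t[:3]])
        elif t in DAY_GROUPS:
            days |= DAY_GROUPS[t]
        else:
            raise ValueError("bad day %r" % tok)
    if not days:
        raise ValueError("a periodic time range needs at least one day")
    return days


def parse_datetime(time_text, date_text):
    """timeN dateN, the date in MM/DD/YYYY or YYYY/MM/DD form (year 1970 to 2100)."""
    parts = [int(p) for p in date_text.split("/")]
    year, month, day = parts if len(date_text.split("/")[0]) == 4 else (parts[2], parts[0], parts[1])
    if not 1970 <= year <= 2100:
        raise ValueError("year out of range in %r" % date_text)
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(time_text))


class TimeRange:
    """All time-range statements that share one name form a single time range."""

    def __init__(self, name):
        # time-name: 1 to 32 characters, starts with a letter, case insensitive, not 'all'.
        if not (1 <= len(name) <= 32 and name[0].isalpha()) or name.lower() == "all":
            raise ValueError("invalid time range name %r" % name)
        self.name = name.lower()
        self.periodic = []   # (start_minutes, end_minutes, days)
        self.absolute = []   # (start_datetime, end_datetime)

    def is_active(self, now):
        """Periodic statements are ORed, absolute statements are ORed, and the two results
        are ANDed; a kind with no statements imposes no constraint (model assumption)."""
        minutes = now.hour * 60 + now.minute
        day = (now.weekday() + 1) % 7          # Python: Monday = 0; manual: Sunday = 0
        periodic_ok = not self.periodic or any(
            day in days and start <= minutes < end for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(start <= now < end for start, end in self.absolute)
        return periodic_ok and absolute_ok


def apply_command(ranges, line):
    """Parse one `time-range time-name ...` command into `ranges` (name -> TimeRange)."""
    tok = line.split()
    if tok[:1] != ["time-range"] or len(tok) < 3:
        raise ValueError("not a time-range command: %r" % line)
    tr = ranges.setdefault(tok[1].lower(), TimeRange(tok[1]))
    rest = tok[2:]
    if len(rest) >= 3 and rest[1] == "to":              # start-time to end-time days
        start, end = parse_hhmm(rest[0]), parse_hhmm(rest[2])
        if end <= start:
            raise ValueError("end time must be greater than start time")
        rest = rest[3:]
        day_tokens = []
        while rest and rest[0] not in ("from", "to"):
            day_tokens.append(rest.pop(0))
        tr.periodic.append((start, end, parse_days(day_tokens)))
    start_dt = end_dt = None
    if rest[:1] == ["from"]:                            # from time1 date1
        start_dt, rest = parse_datetime(rest[1], rest[2]), rest[3:]
    if rest[:1] == ["to"]:                              # to time2 date2
        end_dt, rest = parse_datetime(rest[1], rest[2]), rest[3:]
    if rest:
        raise ValueError("unexpected tokens %r" % rest)
    if start_dt or end_dt:
        start_dt, end_dt = start_dt or EARLIEST, end_dt or LATEST
        if end_dt <= start_dt:
            raise ValueError("end time must be greater than start time")
        tr.absolute.append((start_dt, end_dt))
    return tr
```

Feeding the manual's own display time-range example (trname, 22:20 on 1/5/2006) through is_active reproduces its "Inactive" state.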
1.2 IPv4 ACL Configuration Commands
1.2.1 acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Parameters
number: Defines a numbered access control list (ACL).
acl-number: IPv4 ACL number, which must be in the following ranges:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
- 5000 to 5999 for user-defined ACLs
name acl-name: Specifies the name of the ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and cannot be all, to avoid confusion.
match-order: Sets the order in which ACL rules are matched. This keyword is not available for user-defined IPv4 ACLs.
- auto: Performs depth-first match.
- config: Performs matching against rules in the order in which they are configured.
all: All IPv4 ACLs.
Description
Use the acl command to enter IPv4 ACL view. If the ACL does not exist, it is created first.
Use the undo acl command to remove a specified or all IPv4 ACLs.
By default, the match order is config.
Note that:
- You can specify a name for an IPv4 ACL only when you create the ACL. After creating an ACL, you cannot specify a name for it, nor can you change or remove the name of the ACL.
- The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.
- If you specify both an ACL number and an ACL name in one command to enter the view of an existing ACL, be sure that the ACL number and ACL name identify the same ACL.
- The match order for user-defined ACLs can only be config.
- You can also use this command to modify the match order of an existing ACL, but only when it is empty.
Examples
# Create IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 ACL 2002, giving the ACL a name of flow.
<Sysname> system-view
[Sysname] acl number 2002 name flow
[Sysname-acl-basic-2002-flow]
# Enter the view of an IPv4 ACL that has no name by specifying its number.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Enter the view of an IPv4 ACL that has a name by specifying its number.
<Sysname> system-view
[Sysname] acl number 2002
[Sysname-acl-basic-2002-flow]
# Delete the IPv4 ACL with the number of 2000.
<Sysname> system-view
[Sysname] undo acl number 2000
# Delete the IPv4 ACL named flow.
<Sysname> system-view
[Sysname] undo acl name flow
1.2.2 acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Parameters
source-acl-number: Number of an existing IPv4 ACL, which must be in the following ranges:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
- 5000 to 5999 for user-defined ACLs
source-acl-name: Name of an existing IPv4 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and cannot be all, to avoid confusion.
dest-acl-number: Number of a non-existent IPv4 ACL, which must be in the following ranges:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
- 5000 to 5999 for user-defined ACLs
dest-acl-name: Name for the new IPv4 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and cannot be all, to avoid confusion. The system automatically assigns the new ACL the smallest available number in the number range for its ACL type.
Description
Use the acl copy command to copy an existing IPv4 ACL (the source IPv4 ACL) to generate a new one (the destination IPv4 ACL). The new ACL is of the same type and has the same match order, match rules, rule numbering step and descriptions.
Note that:
- The source IPv4 ACL and the destination IPv4 ACL must be of the same type.
- The generated ACL does not take the name of the source IPv4 ACL.
Examples
# Copy IPv4 ACL 2008 to generate IPv4 ACL 2009.
<Sysname> system-view
[Sysname] acl copy 2008 to 2009
1.2.3 acl name
Syntax
acl name acl-name
View
System view
Parameters
acl-name: Name of the IPv4 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and cannot be all, to avoid confusion.
Description
Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name.
Examples
# Enter the view of the IPv4 ACL named flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2002-flow]
1.2.4 description (for IPv4)
Syntax
description text
undo description
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view, user-defined ACL view
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use the description command to create an IPv4 ACL description, for example to describe the purpose of the ACL.
Use the undo description command to remove the ACL description.
By default, no IPv4 ACL description is present.
Examples
# Create a description for IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used in eth 1/0/1
# Define the description of IPv4 ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] description This acl is used in eth 1/0/1
# Define the description of ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] description This acl is used in eth 1/0/1
# Define the description of ACL 5000.
<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] description This acl is used in eth 1/0/1
1.2.5 display acl
Syntax
display acl { acl-number | all | name acl-name }
View
Any view
Parameters
acl-number: IPv4 ACL number, which must be in the following ranges:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
- 5000 to 5999 for user-defined ACLs
all: All IPv4 ACLs.
name acl-name: Specifies the name of the ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and cannot be all, to avoid confusion.
Description
Use the display acl command to display information about the specified or all IPv4 ACLs.
This command displays ACL rules in the order in which the system compares a packet against them.
Examples
# Display information about IPv4 ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, named flow, 1 rule,
ACL's step is 5
rule 5 permit source 1.1.1.1 0 (5 times matched)
rule 5 comment This rule is used in eth 1/0/1
Table 1-2 Description on the fields of the display acl command
Field | Description
---|---
Basic ACL 2001 | The displayed information is about basic IPv4 ACL 2001.
named flow | The name of the ACL is flow.
1 rule | The ACL contains one rule.
ACL's step is 5 | The rules in this ACL are numbered in steps of 5.
5 times matched | The rule has been matched five times. Only ACL matches performed by software are counted. This field appears once at least one match has been found.
rule 5 comment This rule is used in eth 1/0/1 | The description of ACL rule 5 is "This rule is used in eth 1/0/1".
1.2.6 reset acl counter
Syntax
reset acl counter { acl-number | all | name acl-name }
View
User view
Parameters
acl-number: IPv4 ACL number, which must be in the following ranges:
- 2000 to 2999 for basic IPv4 ACLs
- 3000 to 3999 for advanced IPv4 ACLs
- 4000 to 4999 for Ethernet frame header ACLs
all: All IPv4 ACLs except user-defined ACLs.
name acl-name: Specifies the name of the ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and cannot be all, to avoid confusion.
Description
Use the reset acl counter command to clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software.
Examples
# Clear statistics about IPv4 ACL 2001, which is referenced by upper layer software.
<Sysname> reset acl counter 2001
# Clear statistics about the IPv4 ACL named flow, which is referenced by upper layer software.
<Sysname> reset acl counter name flow
1.2.7 rule (basic IPv4 ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *
View
Basic IPv4 ACL view
Parameters
rule-id: Basic IPv4 ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
fragment: Indicates that the rule applies only to non-tail fragments. Without this keyword, the rule applies to both fragments and non-fragments.
logging: Specifies to log matched packets. The log provides information about ACL rule number, whether packets are permitted or dropped, upper layer protocol that IP carries, source/destination address, source/destination port number, and number of packets.
source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. Setting the wildcard to a zero indicates a host address. The any keyword indicates any source IP address.
time-range time-name: Specifies the time range in which the rule takes effect. The time-name argument specifies a time range name with 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
Description
Use the rule command to create a basic IPv4 ACL rule or modify an existing rule.
Use the undo rule command to remove a basic IPv4 ACL rule or parameters from the rule.
With the undo rule command, if no parameters are specified, the entire ACL rule is removed; if parameters are specified, only the specified parameters are removed from the rule.
Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.
- When defining ACL rules, you need not always assign them IDs. The system can automatically assign rule IDs, starting with 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule is numbered 30. For details about the step, refer to the step command.
- You may use the display acl command to verify the rules configured in an ACL. If the match order of the ACL is auto, rules are displayed in depth-first match order rather than by rule number.
Note:
A basic IPv4 ACL rule that is to be referenced by a QoS policy for traffic classification does not support the logging keyword. You can use the display qos policy interface command to view the application of QoS policies. For details, refer to QoS Commands.
Examples
# Create a rule to deny packets with the source IP address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
1.2.8 rule (advanced IPv4 ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | established | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name | tos tos ] *
undo rule rule-id [ destination | destination-port | dscp | established | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ] *
View
Advanced IPv4 ACL view
Parameters
rule-id: Advanced IPv4 ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
protocol: Protocol carried by IP. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), udp (17).
Table 1-3 Parameters for advanced IPv4 ACL rules
Parameters | Function | Description
---|---|---
source { sour-addr sour-wildcard \| any } | Specifies a source address. | The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. A wildcard of 0 indicates a host address. The any keyword indicates any source IP address.
destination { dest-addr dest-wildcard \| any } | Specifies a destination address. | The dest-addr dest-wildcard argument specifies a destination IP address in dotted decimal notation. A dest-wildcard of 0 indicates a host address. The any keyword indicates any destination IP address.
precedence precedence | Specifies an IP precedence value. | The precedence argument can be a number in the range 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).
tos tos | Specifies a ToS preference. | The tos argument can be a number in the range 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
dscp dscp | Specifies a DSCP priority. | The dscp argument can be a number in the range 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
logging | Specifies to log matched packets. | The log records the ACL rule number, whether the packets were permitted or dropped, the upper layer protocol carried by IP, the source and destination addresses, the source and destination port numbers, and the number of packets.
fragment | Indicates that the rule applies only to non-tail fragments. | Without this keyword, the rule applies to both fragments and non-fragments.
time-range time-name | Specifies the time range in which the rule takes effect. | The time-name argument comprises 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
If the protocol argument is set to tcp or udp, you may define the parameters in the following table.
Table 1-4 TCP/UDP-specific parameters for advanced IPv4 ACL rules
Parameters | Function | Description
---|---|---
source-port operator port1 [ port2 ] | Defines a UDP or TCP source port against which UDP or TCP packets are matched. | The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). port1, port2: TCP or UDP port number, a number in the range 0 to 65535. TCP port numbers can be given in words as follows: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80). UDP port numbers can be given in words as follows: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177).
destination-port operator port1 [ port2 ] | Defines a UDP or TCP destination port against which UDP or TCP packets are matched. | Same as for source-port.
established | Defines the rule for TCP connection packets. | A keyword specific to TCP.
reflective | Specifies the rule to be reflective. | –
If the protocol argument is set to icmp, you may define the parameters in the following table.
Table 1-5 ICMP-specific parameters for advanced IPv4 ACL rules
Parameters | Function | Description
---|---|---
icmp-type { icmp-type icmp-code \| icmp-message } | Specifies the ICMP message type and code. | The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. For the available ICMP messages, see Table 1-6.
reflective | Specifies the rule to be reflective. | –
The following table provides the ICMP messages that you can specify in advanced IPv4 ACL rules.
Table 1-6 ICMP messages and their codes
ICMP message | Type | Code
---|---|---
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0
Description
Use the rule command to define or modify an advanced IPv4 ACL rule. If the rule does not exist, it is created first.
Use the undo rule command to remove an advanced IPv4 ACL rule or parameters from the rule.
With the undo rule command, if no parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.
- When defining ACL rules, you need not always assign them IDs. The system can automatically assign rule IDs, starting with 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule is numbered 30. For details about the step, refer to the step command.
- You may use the display acl command to verify the rules configured in an ACL. If the match order of the ACL is auto, rules are displayed in depth-first match order rather than by rule number.
Note:
An advanced IPv4 ACL rule that is to be referenced by a QoS policy for traffic classification does not support the logging, reflective and established keywords. You can use the display qos policy interface command to view the application of QoS policies. For details, refer to QoS Commands.
Examples
# Define a rule to permit TCP packets with destination port 80 sent from network 129.9.0.0 to network 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
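The rule semantics of sections 1.2.7 and 1.2.8 (wildcard masks, the port operators, the numbering step and the rejection of duplicate statements, and first-match evaluation with the "times matched" counter), as an added Python model; this is not H3C code. It covers only the subset of rule options named in the lead-in, treats the config match order as ascending rule-id order, treats a rule outside its time range as inactive, and evaluates constructed packet dictionaries; these are assumptions of the model.

```python
import ipaddress

# `protocol` keywords and numbers from the manual; `ip` means any protocol carried by IP.
PROTOCOLS = {"gre": 47, "icmp": 1, "igmp": 2, "ipinip": 4, "ospf": 89, "tcp": 6, "udp": 17}
# Port operators: lt, gt, eq, neq and the inclusive range.
PORT_OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a,
            "lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a,
            "range": lambda p, a, b: a <= p <= b}


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored (wildcard 0 = one host)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def parse_rule(text):
    """Parse `rule [rule-id] { deny | permit } protocol [options] *` (the subset modelled here)."""
    tok = text.split()
    if not tok or tok.pop(0) != "rule":
        raise ValueError("not a rule command: %r" % text)
    rule = {"rule_id": None, "source": None, "destination": None,
            "source_port": None, "destination_port": None, "time_range": None}
    if tok[0].isdigit():
        rule["rule_id"] = int(tok.pop(0))
    rule["action"] = tok.pop(0)
    if rule["action"] not in ("deny", "permit"):
        raise ValueError("expected deny or permit")
    proto = tok.pop(0)                      # keyword, or a number 0 to 255 (int() rejects junk)
    rule["protocol"] = None if proto == "ip" else PROTOCOLS[proto] if proto in PROTOCOLS else int(proto)
    while tok:
        key = tok.pop(0)
        if key in ("source", "destination"):
            if tok[0] == "any":
                tok.pop(0)                  # `any` is the same as omitting the option
            else:
                addr, wild = tok.pop(0), tok.pop(0)
                rule[key] = (str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(wild)))
        elif key in ("source-port", "destination-port"):
            if rule["protocol"] not in (6, 17):
                raise ValueError("%s requires protocol tcp or udp" % key)
            op = tok.pop(0)
            if op not in PORT_OPS:
                raise ValueError("bad operator %r" % op)
            p1 = int(tok.pop(0))
            p2 = int(tok.pop(0)) if op == "range" else None
            rule[key.replace("-", "_")] = (op, p1, p2)
        elif key == "time-range":
            rule["time_range"] = tok.pop(0).lower()
        else:
            raise ValueError("option %r is not modelled here" % key)
    return rule


def statement(rule):
    """The permit/deny statement without its rule-id; no two rules may share one."""
    return tuple((k, rule[k]) for k in sorted(rule) if k != "rule_id")


def rule_matches(rule, pkt, active_ranges):
    """pkt: {'proto': int, 'src': str, 'dst': str, 'sport': int, 'dport': int} (constructed)."""
    if rule["time_range"] and rule["time_range"] not in active_ranges:
        return False                        # a rule outside its time range is inactive
    if rule["protocol"] is not None and pkt["proto"] != rule["protocol"]:
        return False
    for key, fld in (("source", "src"), ("destination", "dst")):
        if rule[key] and not wildcard_match(pkt[fld], *rule[key]):
            return False
    for key, fld in (("source_port", "sport"), ("destination_port", "dport")):
        if rule[key] and not PORT_OPS[rule[key][0]](pkt.get(fld, -1), rule[key][1], rule[key][2]):
            return False
    return True


class AdvancedAcl:
    """Advanced IPv4 ACL (3000 to 3999), match order config, rule numbering step 5 by default."""

    def __init__(self, number, step=5):
        if not 3000 <= number <= 3999:
            raise ValueError("advanced IPv4 ACL numbers are 3000 to 3999")
        self.number, self.step, self.rules, self.matched = number, step, {}, {}

    def add_rule(self, text):
        rule = parse_rule(text)
        for rid, existing in self.rules.items():
            if rid != rule["rule_id"] and statement(existing) == statement(rule):
                raise ValueError("statement identical to rule %d" % rid)
        if rule["rule_id"] is None:         # next step multiple above the highest id (0 if empty)
            rule["rule_id"] = 0 if not self.rules else (max(self.rules) // self.step + 1) * self.step
        self.rules[rule["rule_id"]] = rule  # creates the rule, or modifies an existing rule-id
        self.matched.setdefault(rule["rule_id"], 0)
        return rule["rule_id"]

    def lookup(self, pkt, active_ranges=frozenset()):
        """Match order config: compare rules in ascending rule-id order; the first hit wins."""
        for rid in sorted(self.rules):
            if rule_matches(self.rules[rid], pkt, active_ranges):
                self.matched[rid] += 1      # the "(N times matched)" counter of display acl
                return self.rules[rid]["action"]
        return None                         # no rule matched
```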
1.2.9 rule (Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name | type type-code type-wildcard ] *
undo rule rule-id
View
Ethernet frame header ACL view
Parameters
rule-id: Ethernet frame header ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
cos vlan-pri: Defines an 802.1p priority. The vlan-pri argument takes a value in the range 0 to 7, or its equivalent in words: best-effort, background, spare, excellent-effort, controlled-load, video, voice, or network-management.
dest-mac dest-addr dest-mask: Specifies a destination MAC address range. The dest-addr and dest-mask arguments indicate a destination MAC address and mask in xxxx-xxxx-xxxx format.
lsap lsap-code lsap-wildcard: Defines the DSAP and SSAP fields in the LLC encapsulation. The lsap-code argument is a 16-bit hexadecimal number indicating the frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal number indicating the wildcard of the LSAP code.
source-mac sour-addr source-mask: Specifies a source MAC address range. The sour-addr and source-mask arguments indicate a source MAC address and mask in xxxx-xxxx-xxxx format.
time-range time-name: Specifies the time range in which the rule takes effect. The time-name argument comprises 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
type type-code type-wildcard: Defines a link layer protocol. The type-code argument is a 16-bit hexadecimal number indicating the frame type. It corresponds to the type-code field in Ethernet_II and Ethernet_SNAP frames. The type-wildcard argument is a 16-bit hexadecimal number indicating the wildcard.
Description
Use the rule command to create an Ethernet frame header ACL rule or modify an existing rule.
Use the undo rule command to remove an Ethernet frame header ACL rule.
Note that:
- You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is auto rather than config, you cannot modify ACL rules.
- When defining ACL rules, you need not always assign them IDs. The system can automatically assign rule IDs, starting with 0 and increasing by the rule numbering step. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule is numbered 30. For details about the step, refer to the step command.
- You may use the display acl command to verify the rules configured in an ACL. If the match order of the ACL is auto, rules are displayed in depth-first match order rather than by rule number.
Note:
- An Ethernet frame header ACL rule that is to be referenced by a QoS policy for traffic classification does not support the lsap keyword. You can use the display qos policy interface command to view the application of QoS policies. For details, refer to QoS Commands.
- When the type argument is used in a rule, tagged packets match the rule if the result of ANDing type-code and type-wildcard is the same as the result of ANDing 0x8100 and type-wildcard.
Examples
# Create a rule to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
1.2.10 rule (user-defined ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 | start } rule-string rule-mask offset }&<1-8> ] [ time-range time-name ]
undo rule rule-id
View
User-defined ACL view
Parameters
rule-id: User-defined ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
ipv4: Sets the offset from the beginning of the IPv4 header.
ipv6: Sets the offset from the beginning of the IPv6 header.
l2: Sets the offset from the beginning of the Layer 2 frame header.
l4: Sets the offset from the beginning of the Layer 4 header.
start: Sets the offset from the beginning of the outermost header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern.
offset: Offset in bytes at which the match operation begins.
&<1-8>: Indicates that up to eight match patterns can be defined in the rule.
time-range time-name: Specifies the time range in which the rule can take effect. The time-name argument is a case-insensitive string of 1 to 32 characters. The name must begin with an English letter and cannot be all to avoid confusion.
Description
Use the rule command to create a user-defined ACL rule.
Use the undo rule command to remove a user-defined ACL rule.
Note that:
l A user-defined ACL requires the cooperation of a user-defined extended flow template. The offset range of a user-defined ACL must be within the offset range of the cooperating extended flow template; otherwise, the user-defined ACL cannot be applied successfully.
l You will fail to create a user-defined ACL rule if its permit or deny statement is exactly the same as another rule.
l Unlike other types of IPv4 ACLs, a user-defined ACL rule cannot be modified. However, you can create a new one to override the old one.
l When defining user-defined ACL rules, you need not assign them IDs. The system can automatically assign rule IDs starting with 0 and increasing in rule numbering steps of five. A rule ID thus assigned is greater than the current highest rule ID. For example, if the current highest rule ID is 28, the next rule will be numbered 30. For detailed information about step, refer to the step command.
l For a user-defined ACL, the match order can only be config.
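The following Python model is an added example and is not code from the H3C manual or from the switch. It shows how the { ipv4 | ipv6 | l2 | l4 | start } rule-string rule-mask offset groups of a user-defined rule are evaluated against raw frame bytes (masked compare at an offset from a header base), and it implements the coverage check against an extended flow template that the first note above requires. The offset bases (start and l2 both at byte 0 of the frame, one 802.1Q tag skipped, IPv6 extension headers ignored), the "all patterns in a rule must match" semantics, and the per-field reading of the coverage check are assumptions of this example, not documented switch internals. The sample frames are constructed, not captured.

```python
# Added example (not from the H3C manual): evaluating user-defined ACL
# patterns against frame bytes and checking them against an extended
# flow template. Offset bases, AND-of-all-patterns semantics and the
# per-field coverage test are this example's assumptions.
from dataclasses import dataclass

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
OFFSET_BASES = ("ipv4", "ipv6", "l2", "l4", "start")


@dataclass(frozen=True)
class Pattern:
    base: str       # one of OFFSET_BASES
    value: bytes    # rule-string, decoded from hex
    mask: bytes     # rule-mask, same length as value
    offset: int     # byte offset from the base


def parse_rule(rule: str) -> list[Pattern]:
    """Parse a rule body such as 'permit l2 0806 ffff 12' (up to 8 groups)."""
    tokens = rule.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    body = tokens[1:]
    if len(body) % 4 or not 1 <= len(body) // 4 <= 8:
        raise ValueError("expected 1 to 8 groups of: base rule-string rule-mask offset")
    patterns = []
    for i in range(0, len(body), 4):
        base, value, mask, offset = body[i:i + 4]
        if base not in OFFSET_BASES:
            raise ValueError(f"unknown offset base {base!r}")
        # rule-string must be whole bytes and rule-mask the same length
        if len(value) % 2 or len(value) != len(mask):
            raise ValueError("rule-string must be an even number of hex digits, mask same length")
        patterns.append(Pattern(base, bytes.fromhex(value), bytes.fromhex(mask), int(offset)))
    return patterns


def header_bases(frame: bytes) -> dict[str, int]:
    """Absolute byte position of each offset base in the frame (assumed layout)."""
    bases = {"start": 0, "l2": 0}
    pos = ETH_HDR_LEN
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == ETHERTYPE_VLAN:            # skip a single 802.1Q tag
        ethertype = int.from_bytes(frame[16:18], "big")
        pos += VLAN_TAG_LEN
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= pos + 20:
        bases["ipv4"] = pos
        bases["l4"] = pos + (frame[pos] & 0x0F) * 4   # IHL is in 32-bit words
    elif ethertype == ETHERTYPE_IPV6 and len(frame) >= pos + 40:
        bases["ipv6"] = pos
        bases["l4"] = pos + 40                        # extension headers ignored
    return bases


def rule_matches(patterns: list[Pattern], frame: bytes) -> bool:
    """True only if every pattern matches: (frame & mask) == (value & mask)."""
    bases = header_bases(frame)
    for p in patterns:
        if p.base not in bases:
            return False          # e.g. an ipv4 pattern against an ARP frame
        start = bases[p.base] + p.offset
        window = frame[start:start + len(p.value)]
        if len(window) != len(p.value):
            return False          # pattern runs past the end of the frame
        if any((w & m) != (v & m) for w, v, m in zip(window, p.value, p.mask)):
            return False
    return True


def covered_by_template(patterns: list[Pattern], template: dict[str, tuple[int, int]]) -> bool:
    """Coverage check: template maps base -> (offset-max-value, length-max-value)
    as given to 'flow-template ... extend'. Assumed reading: a pattern is covered
    when its base is in the template, offset <= offset-max and length <= length-max."""
    return all(
        p.base in template
        and p.offset <= template[p.base][0]
        and len(p.value) <= template[p.base][1]
        for p in patterns
    )


# Constructed sample frames (not captured traffic).
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"              # dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0001"                     # Ethernet/IPv4, opcode request
    "001122334455" "0a000001" "000000000000" "0a000002"
)
TAGGED_ARP_REQUEST = ARP_REQUEST[:12] + bytes.fromhex("8100" "0064") + ARP_REQUEST[12:]
IPV4_TCP_SYN = bytes.fromhex(
    "001122334455" "665544332211" "0800"              # dst, src, EtherType IPv4
    "45" "00" "0028" "0000" "4000" "40" "06" "0000"    # IHL 5, len 40, DF, TTL 64, TCP
    "0a000001" "0a000002"
    "c000" "0016" "00000000" "00000000" "50" "02"      # sport 49152, dport 22, SYN
    "ffff" "0000" "0000"
)

if __name__ == "__main__":
    arp_rule = parse_rule("permit l2 0806 ffff 12")
    print("untagged ARP:", rule_matches(arp_rule, ARP_REQUEST))            # True
    print("tagged ARP:", rule_matches(arp_rule, TAGGED_ARP_REQUEST))       # False, bytes 12-13 are 8100
    print("covered by extend l2 3 10:", covered_by_template(arp_rule, {"l2": (3, 10)}))  # False
```

Two points the model makes visible: a raw-offset rule is only as good as the frame layout it assumes, so under this model the manual's ARP rule (l2 offset 12) does not match the same ARP request once a VLAN tag is present at that offset; and the template in the 1.4.5 example (l2 offset-max 3, length-max 10) does not cover that rule, which is why the ACL would fail to apply.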
Examples
# Configure user-defined ACL 5000 to permit any packet whose 13th and 14th bytes, counting from the start of the Layer 2 frame header, are 0x0806 (that is, ARP packets). Offsets are zero-based, so these bytes start at offset 12.
<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 0 permit l2 0806 ffff 12
1.2.11 rule comment (for IPv4)
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view, user-defined ACL view
Parameters
rule-id: IPv4 ACL rule number in the range 0 to 65534.
text: IPv4 ACL rule description, a case-sensitive string of 1 to 127 characters.
Description
Use the rule comment command to create or modify an ACL rule description, for example to describe the purpose of the rule or the parameters it contains. The command fails if the specified rule does not exist.
Use the undo rule comment command to remove the ACL rule description.
By default, no rule description is created.
Examples
# Create a rule in ACL 2000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used in eth 1/0/1
# Create a rule in ACL 3000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0
[Sysname-acl-adv-3000] rule 0 comment This rule is used in eth 1/0/1
# Create a rule in ACL 4000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule 0 deny cos 3
[Sysname-acl-ethernetframe-4000] rule 0 comment This rule is used in eth 1/0/1
# Create a rule in ACL 5000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 0 permit l2 06 ff 10
[Sysname-acl-user-5000] rule 0 comment This rule is used in eth 1/0/1
1.2.12 step (for IPv4)
Syntax
step step-value
undo step
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Parameters
step-value: IPv4 ACL rule numbering step, in the range 1 to 20.
Description
Use the step command to set a rule numbering step.
Use the undo step command to restore the default.
By default, rule numbering step is five.
When defining rules in an IPv4 ACL, you do not have to assign them numbers; the system can assign numbers automatically in steps. For example, with the default step, the rules you create are numbered 0, 5, 10, 15, and so on. One benefit of the rule numbering step is that it leaves room to insert new rules between existing ones. For example, after creating four rules numbered 0, 5, 10, and 15 in an ACL with a step of five, you can still insert a rule numbered 1.
Any step change can result in renumbering. For example, after you change the step in the above example from five to two, the rules are renumbered 0, 2, 4, 6, and 8.
Note that even if the current step is the default, performing the undo step command can still result in rule renumbering. Suppose that ACL 3001 adopts the default numbering step and contains two rules numbered 0 and 5. After you insert rule 1 and rule 3, the rules are numbered 0, 1, 3, and 5. If you perform the undo step command, they will be renumbered 0, 5, 10, and 15.
Examples
# Set the rule numbering step to 2 for ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
# Set the rule numbering step to 2 for ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] step 2
# Set the rule numbering step to 2 for ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] step 2
1.3 IPv6 ACL Configuration Commands
1.3.1 acl ipv6
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
View
System view
Parameters
number: Defines a numbered IPv6 ACL.
acl6-number: IPv6 ACL number, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
name acl6-name: Specifies the name of the ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are matched.
l auto: Performs depth-first match. For how depth-first match works, refer to the “IPv6 ACL Match Order” section in the accompanying ACL Configuration.
l config: Performs matching against rules in the order in which they are configured.
all: All IPv6 ACLs.
Description
Use the acl ipv6 command to enter IPv6 ACL view. If the ACL does not exist, it is created first.
Use the undo acl ipv6 command to remove a specified or all IPv6 ACLs.
By default, the match order is config.
Note that:
l You can specify a name for an IPv6 ACL only when you create the ACL. After creating an ACL, you cannot specify a name for it, nor can you change or remove the name of the ACL.
l The name of an IPv6 ACL must be unique among IPv6 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.
l If you specify both an ACL number and an ACL name in one command to enter the view of an existing ACL, be sure that the ACL number and ACL name identify the same ACL.
l You can also use this command to modify the match order of an existing IPv6 ACL but only when it is empty.
Examples
# Create IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 ACL 2002, giving the ACL a name of flow.
<Sysname> system-view
[Sysname] acl ipv6 number 2002 name flow
[Sysname-acl6-basic-2002-flow]
# Enter the view of an IPv6 ACL that has no name by specifying its number.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Enter the view of an IPv6 ACL that has a name by specifying its number.
<Sysname> system-view
[Sysname] acl ipv6 number 2002
[Sysname-acl6-basic-2002-flow]
# Delete the IPv6 ACL with the number of 2000.
<Sysname> system-view
[Sysname] undo acl ipv6 number 2000
# Delete the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] undo acl ipv6 name flow
1.3.2 acl ipv6 copy
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
View
System view
Parameters
source-acl6-number: Number of an existing IPv6 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
source-acl6-name: Name of an existing IPv6 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
dest-acl6-number: Number of a non-existent IPv6 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
dest-acl6-name: Name for the new IPv6 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. The system automatically assigns the new ACL the smallest unused number in the number range for the ACL type.
Description
Use the acl ipv6 copy command to copy an existing IPv6 ACL (the source IPv6 ACL) to generate a new one (the destination IPv6 ACL) of the same type, with the same match order, match rules, rule numbering step, and descriptions.
Note that:
l The source IPv6 ACL and the destination IPv6 ACL must be of the same type.
l The generated ACL does not take the name of the source IPv6 ACL.
Examples
# Copy IPv6 ACL 2008 to generate IPv6 ACL 2009.
<Sysname> system-view
[Sysname] acl ipv6 copy 2008 to 2009
1.3.3 acl ipv6 name
Syntax
acl ipv6 name acl6-name
View
System view
Parameters
acl6-name: Name of the IPv6 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
Description
Use the acl ipv6 name command to enter the view of an existing IPv6 ACL by specifying its name.
Examples
# Enter the view of the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2002-flow]
1.3.4 description (for IPv6)
Syntax
description text
undo description
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use the description command to create an IPv6 ACL description, for example to describe the purpose of the ACL.
Use the undo description command to remove the IPv6 ACL description.
By default, no IPv6 ACL description is present.
Examples
# Create a description for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This acl is used in eth 1/0/1
# Create a description for IPv6 ACL 3000.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] description This acl is used in eth 1/0/1
1.3.5 display acl ipv6
Syntax
display acl ipv6 { acl6-number | all | name acl6-name }
View
Any view
Parameters
acl6-number: IPv6 ACL number, which must be in the following ranges (the available ACL number ranges vary by device):
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
all: All IPv6 ACLs.
name acl6-name: Specifies the name of the ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
Description
Use the display acl ipv6 command to display information about specified or all IPv6 ACLs.
Rules are displayed in the match order of the ACL.
Examples
# Display information about IPv6 ACL 2001.
<Sysname> display acl ipv6 2001
Basic IPv6 ACL 2001, named flow, 1 rule,
ACL's step is 5
rule 0 permit source 1::2/128 (5 times matched)
rule 0 comment This rule is used in eth 1/0/1
Table 1-7 Description on the fields of the display acl ipv6 command
Field | Description |
---|---|
Basic IPv6 ACL 2001 | The displayed information is about basic IPv6 ACL 2001. |
named flow | The name of the ACL is flow. |
1 rule | The ACL contains one rule. |
ACL's step is 5 | The rules in this ACL are numbered in steps of 5. |
5 times matched | The rule has matched five times. Only matches performed in software are counted; packets filtered in hardware do not increment this counter. The field appears once at least one match has been counted. |
rule 0 comment This rule is used in eth 1/0/1 | The description of rule 0 is “This rule is used in eth 1/0/1”. |
1.3.6 reset acl ipv6 counter
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
View
User view
Parameters
all: All basic and advanced IPv6 ACLs.
acl6-number: IPv6 ACL number, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
name acl6-name: Specifies the name of the ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
Description
Use the reset acl ipv6 counter command to clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software.
Examples
# Clear statistics about IPv6 ACL 2001, which is referenced by upper layer software.
<Sysname> reset acl ipv6 counter 2001
# Clear statistics about the IPv6 ACL named flow, which is referenced by upper layer software.
<Sysname> reset acl ipv6 counter name flow
1.3.7 rule (basic IPv6 ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *
View
Basic IPv6 ACL view
Parameters
rule-id: IPv6 ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
fragment: Indicates that the rule applies only to non-tail fragments. The rule applies to both fragments and non-fragments without this keyword.
logging: Specifies to log matched packets. The log provides information about ACL rule number, whether packets are permitted or dropped, upper layer protocol that IP carries, source/destination address, source/destination port number, and number of packets.
source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Specifies a source address. The ipv6-address and prefix-length arguments specify a source IPv6 address, and its address prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address.
time-range time-name: Specifies the time range in which the rule takes effect. The time-name argument specifies a time range name with 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all.
Description
Use the rule command to create an IPv6 ACL rule, or to modify the rule if it already exists.
Use the undo rule command to remove an IPv6 ACL rule or parameters from the rule.
With the undo rule command, if no parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
Note that:
l You will fail to create or modify a rule if its permit/deny statement is exactly the same as another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
l When defining ACL rules, you need not assign them IDs. The system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is five and the current highest rule ID is 28, the next rule will be numbered 30. For detailed information about step, refer to the step command.
l You may use the display acl command to verify rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.
& Note:
A basic IPv6 ACL referenced by a QoS policy for traffic classification cannot use the logging keyword. You can use the display qos policy interface command to view the application of QoS policies. For detailed information, refer to QoS Commands.
Examples
# Create a rule in IPv6 ACL 2000 to permit packets whose source address is in 2030:5060::9050/64 to pass.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64
1.3.8 rule (advanced IPv6 ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-name ] *
undo rule rule-id [ destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *
View
Advanced IPv6 ACL view
Parameters
rule-id: IPv6 ACL rule number in the range 0 to 65534.
deny: Defines a deny statement to drop matched packets.
permit: Defines a permit statement to allow matched packets to pass.
protocol: Protocol carried on IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), udp (17).
Table 1-8 Match criteria and other rule information for advanced IPv6 ACL rules
Parameters | Function | Description |
---|---|---|
source { source source-prefix \| source/source-prefix \| any } | Specifies a source IPv6 address. | The source and source-prefix arguments specify an IPv6 source address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address. |
destination { dest dest-prefix \| dest/dest-prefix \| any } | Specifies a destination IPv6 address. | The dest and dest-prefix arguments specify a destination IPv6 address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 destination address. |
dscp dscp | Specifies a DSCP value. | The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
logging | Specifies to log matched packets. | The log provides information about the ACL rule number, whether packets are permitted or denied, the protocol that IPv6 carries, source/destination IPv6 address, source/destination port number, and number of packets. |
fragment | Indicates that the rule applies only to non-tail fragments. | Without this keyword, the rule applies to both non-fragments and fragments. |
time-range time-name | Specifies the time range in which the rule can take effect. | The time-name argument comprises 1 to 32 characters. It is case insensitive and must start with an English letter. To avoid confusion, this name cannot be all. |
If the protocol argument is set to tcp or udp, you may define the parameters in the following table.
Table 1-9 TCP/UDP-specific match criteria for advanced IPv6 ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Defines the source port in the TCP/UDP packet. | The operator argument can be lt (less than), gt (greater than), eq (equal to), or range (inclusive range; the only operator that takes port2). The port1 and port2 arguments each specify a TCP or UDP port, represented by a number in the range 0 to 65535. TCP port numbers can be represented in words as follows: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80). UDP port numbers can be represented in words as follows: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177). |
destination-port operator port1 [ port2 ] | Defines the destination port in the TCP/UDP packet. | Same operators and port values as for source-port. |
If the protocol argument is set to ICMPv6, you may define the parameters in the following table.
Table 1-10 ICMPv6-specific match criteria for advanced IPv6 ACL rules
Parameters | Function | Description |
---|---|---|
icmpv6-type { icmpv6-type icmpv6-code \| icmpv6-message } | Specifies the ICMPv6 message type and code. | The icmpv6-type argument ranges from 0 to 255. The icmpv6-code argument ranges from 0 to 255. The icmpv6-message argument specifies a message name. For available ICMPv6 messages, see Table 1-11. |
The following table provides the ICMPv6 messages that you can specify in advanced IPv6 ACL rules.
Table 1-11 Available ICMPv6 messages
ICMPv6 message | Type | Code |
---|---|---|
redirect | 137 | 0 |
echo-request | 128 | 0 |
echo-reply | 129 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Description
Use the rule command to create an IPv6 ACL rule, or to modify the rule if it already exists.
Use the undo rule command to remove an IPv6 ACL rule or parameters from the rule.
With the undo rule command, if no parameters are specified, the entire ACL rule is removed; if other parameters are specified, only the involved information is removed.
Note that:
l You will fail to create or modify a rule if its permit/deny statement is exactly the same as another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules.
l When defining ACL rules, you need not assign them IDs. The system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is greater than the current highest rule ID. For example, if the rule numbering step is five and the current highest rule ID is 28, the next rule will be numbered 30. For detailed information about step, refer to the step command.
l You may use the display acl command to verify rules configured in an ACL. If the match order for this ACL is auto, rules are displayed in the depth-first match order rather than by rule number.
& Note:
For a QoS policy referencing an advanced IPv6 ACL for traffic classification to be applied successfully, observe these rules when configuring the advanced IPv6 ACL:
l Do not specify the logging keyword.
l Do not specify the fragment keyword when the protocol argument is not ipv6.
You can use the display qos policy interface command to view the application of QoS policies. For detailed information, refer to QoS Commands.
Examples
# Create a rule in IPv6 ACL 3000 to permit the TCP packets with the source address 2030:5060::9050/64 to pass.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64
1.3.9 rule comment (for IPv6)
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Parameters
rule-id: IPv6 ACL rule number in the range 0 to 65534.
text: IPv6 ACL rule description, a case-sensitive string of 1 to 127 characters.
Description
Use the rule comment command to create or modify a description for an existing IPv6 ACL rule, for example to describe the purpose of the ACL rule or its attributes.
Use the undo rule comment command to remove the IPv6 ACL rule description.
By default, no rule description is created.
Examples
# Define a rule in IPv6 ACL 2000 and create a description for the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule 0 comment This rule is used in eth 1/0/1
# Define a rule in IPv6 ACL 3000 and create a description for the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule 0 permit tcp source 2030:5060::9050/64
[Sysname-acl6-adv-3000] rule 0 comment This rule is used in eth 1/0/1
1.3.10 step (for IPv6)
Syntax
step step-value
undo step
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Parameters
step-value: The step by which the rules in the IPv6 ACL are numbered, in the range 1 to 20.
Description
Use the step command to set a rule numbering step for the IPv6 ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is five.
When defining rules in an IPv6 ACL, you do not have to assign them numbers; the system can assign numbers automatically in steps. For example, with the default step, the rules you create are numbered 0, 5, 10, 15, and so on.
One benefit of rule numbering step is that it allows you to insert new rules between existing ones as needed. For example, after creating four rules numbered 0, 5, 10, 15 in an ACL configured with the step of 5, you can still insert a rule numbered 1.
Any step change can result in renumbering. For example, after you change the step in the above example from 5 to 2, the rules are renumbered 0, 2, 4, 6, and 8.
Note that even if the current step is the default, performing the undo step command can still result in rule renumbering. Suppose that IPv6 ACL 3001 adopts the default numbering step and contains two rules numbered 0 and 5. After you insert rule 1 and rule 3, the rules are numbered 0, 1, 3, and 5. If you perform the undo step command, they will be renumbered 0, 5, 10, and 15.
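The following Python model is an added example and is not code from the H3C manual or from the switch. It covers the automatic numbering and the renumbering described here and in 1.2.12 (step for IPv4): an omitted rule-id gets the first multiple of the step above the current highest ID, an explicit rule-id can be inserted between existing rules, a step change or undo step renumbers every rule, and a rule whose statement duplicates another is rejected as the rule command notes say. The formula for the next automatic ID is this example's reading of the text. The old-to-new ID map it returns is the point a practitioner cares about: after renumbering, any recorded rule ID (a script that runs undo rule 5, or a rule 5 comment line) may now address a different rule.

```python
# Added example (not from the H3C manual): automatic rule numbering and
# renumbering on step change, modelled on the step command description.
from typing import Optional

DEFAULT_STEP = 5
MAX_RULE_ID = 65534


class AclNumbering:
    """Rule IDs of one ACL: rule-id -> permit/deny statement text."""

    def __init__(self, step: int = DEFAULT_STEP):
        self.step = self._check_step(step)
        self.rules: dict[int, str] = {}

    @staticmethod
    def _check_step(step: int) -> int:
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range 1 to 20")
        return step

    def next_id(self) -> int:
        """ID assigned when rule-id is omitted: 0 for an empty ACL, otherwise
        the first multiple of the step greater than the highest existing ID
        (assumed reading of the text; e.g. highest 28, step 5 -> 30)."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, statement: str, rule_id: Optional[int] = None) -> int:
        """Create a rule (or modify the rule with that ID). An exact duplicate
        of another rule's statement is rejected, as the rule command does."""
        if rule_id is None:
            rule_id = self.next_id()
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id must be in the range 0 to 65534")
        if any(rid != rule_id and text == statement for rid, text in self.rules.items()):
            raise ValueError("a rule with the same statement already exists")
        self.rules[rule_id] = statement
        return rule_id

    def set_step(self, step: int) -> dict[int, int]:
        """Change the step and renumber all rules; returns old-ID -> new-ID."""
        self.step = self._check_step(step)
        return self._renumber()

    def undo_step(self) -> dict[int, int]:
        """Restore the default step; renumbers even if the step was already 5."""
        return self.set_step(DEFAULT_STEP)

    def _renumber(self) -> dict[int, int]:
        # Rules keep their relative order and are re-spaced by the step.
        old_ids = sorted(self.rules)
        remap = {old: i * self.step for i, old in enumerate(old_ids)}
        self.rules = {remap[old]: self.rules[old] for old in old_ids}
        return remap

    @staticmethod
    def retarget(rule_id: int, remap: dict[int, int]) -> int:
        """Translate an ID recorded before renumbering (e.g. the 5 in a saved
        'undo rule 5' or 'rule 5 comment ...') to the ID that rule has now."""
        return remap[rule_id]


if __name__ == "__main__":
    acl = AclNumbering()
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
        acl.add_rule(f"permit source {host} 0")       # numbered 0, 5, 10, 15
    acl.add_rule("deny source any", rule_id=1)          # inserted between 0 and 5
    remap = acl.set_step(2)                             # rules are now 0, 2, 4, 6, 8
    print(sorted(acl.rules), "old rule 5 is now rule", AclNumbering.retarget(5, remap))
```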
Examples
# Set the rule numbering step to 2 for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
# Set the rule numbering step to 2 for IPv6 ACL 3000.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] step 2
1.4 Flow Template Configuration Commands
1.4.1 display flow-template user-defined
Syntax
display flow-template user-defined [ flow-template-name ]
View
Any view
Parameters
flow-template-name: Name of a user-defined flow template, a case-insensitive string of 1 to 31 characters.
Description
Use the display flow-template user-defined command to display the configuration of the specified or all user-defined flow templates.
Examples
# Display the configuration of all user-defined flow templates.
<Sysname> display flow-template user-defined
user-defined flow template: basic
name:f1, index:1, total reference counts:0
fields: sip smac dmac
user-defined flow template: extend
name:f2, index:2, total reference counts:0
fields: l2 12 4
Table 1-12 Description on the fields of display flow-template user-defined
Field | Description |
---|---|
user-defined flow template | Type of the user-defined flow template: basic or extend |
name | Name of the user-defined flow template |
index | Index of the user-defined flow template |
total reference counts | Total number of times the user-defined flow template is referenced |
fields | Fields included in the user-defined flow template |
1.4.2 display flow-template interface
Syntax
display flow-template interface [ interface-type interface-number ]
View
Any view
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display flow-template interface command to display information about the user-defined flow template applied to the specified interface or the user-defined flow templates applied to all the interfaces.
Examples
# Display information about the user-defined flow templates applied to all interfaces.
<Sysname> display flow-template interface
Interface: Ethernet1/0
user-defined flow template: basic
name:f1, index:1, total reference counts:1
fields: sip smac dmac
Table 1-13 Description on the fields of display flow-template interface
Field | Description |
---|---|
Interface | Interface where the user-defined flow template is referenced |
user-defined flow template | Type of the user-defined flow template: basic or extend |
name | Name of the user-defined flow template |
index | Index of the user-defined flow template |
total reference counts | Reference count for the user-defined flow template |
fields | Fields included in the user-defined flow template |
1.4.3 flow-template
Syntax
flow-template flow-template-name
undo flow-template
View
Interface view, port group view
Parameters
flow-template-name: Name of the user-defined flow template, a case-insensitive string of 1 to 31 characters
Description
Use the flow-template command to reference a user-defined flow template on current interface or port group.
Use the undo flow-template command to remove the referenced user-defined flow template from the interface or port group.
By referencing a flow template on a port group, you may apply the user-defined flow template to all interfaces in the group.
Note that on an interface you can reference only one user-defined flow template.
& Note:
l Before applying a user-defined template on a port, make sure the user-defined template is already configured. A port can be configured with only one flow template.
l Before you can apply a flow template on a port, make sure the following functions are disabled on the port: 802.1x, cluster (NDP, NTDP, HABP, and Cluster), DHCP snooping, port isolation, MAC+IP+port binding, selective QinQ, and voice VLAN. You are also advised not to enable these functions after applying a flow template on the port.
Examples
# Reference flow template f1 on port Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] flow-template f1
# Remove the referenced flow template from port Ethernet 1/0/1.
[Sysname-Ethernet1/0/1] undo flow-template
1.4.4 flow-template basic
Syntax
flow-template flow-template-name basic { customer-cos | customer-vlan-id | dip | dipv6 | dmac | dport | dscp | ethernet-protocol | fragments | icmp-code | icmp-type | icmpv6-code | icmpv6-type | ip-precedence | ip-protocol | ipv6-dscp | ipv6-fragment | ipv6-protocol | service-cos | service-vlan-id | sip | sipv6 | smac | sport | tcp-flag | tos }*
undo flow-template { all | name flow-template-name }
View
System view
Parameters
flow-template-name: Name of the user-defined flow template, a case-insensitive string of 1 to 31 characters.
basic: Sets the type of the user-defined flow template to basic.
customer-cos: Customer 802.1p COS field, that is, 802.1p priority.
customer-vlan-id: Customer VLAN ID.
dip: Destination IP address.
dipv6: Destination IPv6 address.
dmac: Destination MAC address.
dport: Destination port.
dscp: Differentiated service code point (DSCP) field in the IP header.
ethernet-protocol: Protocol type field in the Ethernet frame header.
fragments: Fragments field in the IP header.
icmp-code: ICMP code field.
icmp-type: ICMP type field.
icmpv6-code: ICMPv6 code field.
icmpv6-type: ICMPv6 type field.
ip-precedence: Specifies the precedence field in the IP header.
ip-protocol: Protocol type field in the IP header.
ipv6-dscp: Specifies the DSCP field in the IPv6 header.
ipv6-fragments: IPv6 fragments flag.
ipv6-protocol: Next header field in the IPv6 header.
ipv6-tos: Specifies the IPv6 type of service (ToS).
service-cos: Specifies the service provider 802.1p COS field.
service-vlan-id: Service provider VLAN ID.
sip: Specifies the source IP address.
sipv6: Specifies the source IPv6 address.
smac: Specifies the source MAC address.
sport: Specifies the source port.
tcp-flag: Specifies the flags field in the TCP header.
tos: Specifies the ToS field in the IP header.
all: Removes all user-defined flow templates.
Description
Use the flow-template basic command to create a basic user-defined flow template.
Use the undo flow-template command to remove the specified or all user-defined flow templates.
When removing user-defined flow templates, make sure that they are not referenced on any interface; otherwise, the removal fails.
Examples
# Create a basic user-defined flow template.
<Sysname> system-view
[Sysname] flow-template f1 basic dip smac ip-protocol tcp-flag
1.4.5 flow-template extend
Syntax
flow-template flow-template-name extend { [ start ] offset-max-value length-max-value | ipv4 offset-max-value length-max-value | ipv6 offset-max-value length-max-value | l2 offset-max-value length-max-value | l4 offset-max-value length-max-value } *
undo flow-template { all | name flow-template-name }
View
System view
Parameters
flow-template-name: Name of the user-defined flow template, a case-insensitive string of 1 to 31 characters.
extend: Sets the type of the user-defined flow template to extend.
start: Sets the offset from the beginning of the outermost header.
ipv4: Sets the offset from the beginning of the IPv4 header.
ipv6: Sets the offset from the beginning of the IPv6 header.
l2: Sets the offset from the beginning of the Layer 2 frame header.
l4: Sets the offset from the beginning of the Layer 4 header.
offset-max-value: The maximum offset relative to the reference location, in the range 0 to 79.
length-max-value: The maximum length of the comparison, in bytes, in the range 1 to 16.
all: Specifies to remove all flow templates.
Description
Use the flow-template extend command to create an extended user-defined flow template. If no offset type is specified, the start keyword applies.
Use the undo flow-template command to remove the specified or all user-defined flow templates.
Note that:
l User-defined ACLs are used together with an extended user-defined flow template. When an extended flow template is applied on a port, you cannot apply policies that reference basic or advanced ACLs on that port.
l The offset range of an extended user-defined flow template must cover the offset range of the user-defined ACL it works with; otherwise, applying the user-defined ACL fails.
l When removing user-defined flow templates, make sure that they are not referenced on any interface; otherwise, the removal fails.
Examples
# Create an extended user-defined flow template.
<Sysname> system-view
[Sysname] flow-template f2 extend l2 3 10 ipv4 5 8