Chapter 1 ACL Commands
1.1 ACL Commands
1.1.1 acl
Syntax
acl { number acl-number | name acl-name [ advanced | basic | link ] } [ match-order { config | auto } ]
undo acl { number acl-number | name acl-name | all }
View
System view
Parameters
number acl-number: ACL number, in the range of:
2000 to 2999: Represents basic ACL.
3000 to 3999: Represents advanced ACL.
4000 to 4999: Represents Layer 2 ACL.
name acl-name: Character string that must start with an English letter (a-z or A-Z) and contain no spaces; case-insensitive; the keywords all and any are not allowed.
advanced: Advanced ACL.
basic: Basic ACL.
link: Layer 2 ACL.
config: In configuration order during matching ACL rules.
auto: In depth-first order during matching ACL rules.
all: Deletes all ACLs (both number- and name-identified ones).
Description
Use the acl command to define a number- or name-identified ACL and enter its view.
Use the undo acl command to delete all rules of an ACL or all ACLs.
By default, the system matches ACL rules in configuration order.
Using the acl command, you can create an ACL named acl-name; the type of this ACL is decided by the keyword advanced, basic, or link. After entering the corresponding ACL view, regardless of whether the ACL is identified by a number or a name, you can use the rule command to create rules for it (you can exit ACL view with the quit command).
You can use the match-order keyword to specify whether ACL rules are matched in configuration order or in depth-first order (rules with a smaller range are matched first). By default, configuration order is used. You cannot modify the matching order once it is specified; to change it, you have to delete all rules of the ACL and then specify the matching order again.
Note:
- The user-defined ACL matching order takes effect only when multiple rules of one ACL are applied at the same time. For example, if an ACL has two rules that are not applied simultaneously, the switch still matches them in their application order even if you configure depth-first matching.
- If one rule is a subset of another rule in an ACL, it is recommended to apply the rules according to the range of packets they specify: the rule with the smallest range is applied first, and the other rules follow on the same principle.
- If an ACL is in use, you cannot use the undo acl all command to delete any ACL.
- If an advanced ACL is occupied by IDS, you can no longer modify or delete it through commands.
Related commands: rule.
Examples
# Specify depth first order as the match order of ACL 2000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 2000 match-order auto
1.1.2 display acl config
Syntax
display acl config { all | acl-number | acl-name }
View
Any view
Parameters
all: Displays all ACLs (both number- and name-identified ones).
acl-number: Serial number of the ACL to be displayed, in the range of 2000 to 4999.
acl-name: Name of the ACL to be displayed, a string that must start with an English letter (a-z or A-Z) and contain no spaces.
Description
Use the display acl config command to view the configuration details of the ACL, including all the rules, their serial numbers and quantities of matched packets.
The match counts shown here are software match counts, that is, matches of ACLs that had to be processed by the CPU. To collect hardware match counts, use the traffic-statistic command.
Examples
# Display contents of all ACLs.
<H3C> display acl config all
Link ACL 4000, 1 rule,
rule 0 permit ingress any egress any (0 times matched)
Basic ACL traffic-of-host, 1 rule,
rule 1 deny source 10.1.1.1 0 time-range test (0 times matched) (Active)
1.1.3 display acl remaining entry
Syntax
display acl remaining entry slot slot-id
View
Any view
Parameters
slot slot-id: Slot ID of a card.
Description
Use the display acl remaining entry command to display information about hardware resources for ACL rules on a specified card.
Examples
# Display the number of ACL rules applied on the card in slot 5.
<H3C> display acl remaining entry slot 5
Slot: 5
Resource  Total   Reserved  Configured  Remaining  Start      End
Type      Number  Number    Number      Number     Port Name  Port Name
--------------------------------------------------------------------------
METER     256     0         0           256        GE5/1/1    GE5/1/12
METER     256     0         0           256        GE5/1/13   GE5/1/24
RULE      1024    0         0           1024       GE5/1/1    GE5/1/12
RULE      1024    0         0           1024       GE5/1/13   GE5/1/24
ACTION    1024    0         0           1024       GE5/1/1    GE5/1/12
ACTION    1024    0         0           1024       GE5/1/13   GE5/1/24
Table 1-1 Description on the fields of the display acl remaining entry command

Field | Description
---|---
Resource Type | Resource type. METER: the resource is the flow meter resource;
Total Number | The total number of ACL rules that are supported by the hardware
Reserved Number | The number of reserved ACL rules
Configured Number | The number of ACL rules that have been configured
Remaining Number | The number of remaining ACL rules
Start Port Name, End Port Name | The names of the start port and the end port
1.1.4 display acl running-packet-filter
Syntax
display acl running-packet-filter { all | interface interface-type interface-number | vlan vlan-id }
View
Any view
Parameters
all: Displays all the ACLs that have been applied (both number-identified and name-identified ones).
interface interface-type interface-number: Specifies a port by its type and number. The ACL application information on the specified port is displayed.
vlan vlan-id: Displays the ACL application information for the VLAN configured through the service process card. vlan-id is the VLAN ID, in the range of 1 to 4094.
Description
Use the display acl running-packet-filter command to display the ACL application information, including the name of the ACL, the name of the sub items and the application state.
Examples
# Display the ACL application information of port Ethernet3/1/1.
<H3C> display acl running-packet-filter interface ethernet3/1/1
Ethernet3/1/1
Inbound:
Acl 4000 rule 0 running
# Display the ACL application information of VLAN 2.
<H3C> display acl running-packet-filter vlan 2
Vlan 2
Inbound:
Acl 2000 rule 1 slot 6 running
1.1.5 display flow-template
Syntax
display flow-template [ default | interface interface-type interface-number | slot slot-id | user-defined ]
View
Any view
Parameters
default: Displays the default flow template of the system.
interface interface-type interface-number: Specifies a port by its type and number. The flow template applied on the specified port will be displayed.
slot slot-id: Displays the flow template applied on the specified card.
user-defined: Displays the user-defined flow template.
Description
Use the display flow-template command to view the detailed configuration of flow templates: which parameters a flow template defines and which ports or cards it is applied to.
H3C S9500 Series Routing Switches (hereinafter referred to as S9500 series) support two flow templates: a user-defined one and the default one. If you do not enter any parameter for this command, the detailed configuration of all flow templates is displayed.
Related commands: flow-template user-defined.
Examples
# Display information about the default flow-template.
<H3C> display flow-template default
default flow template : ip-protocol tcp-flag sport dport icmp-type icmp-code sip 0.0.0.0 dip 0.0.0.0 vlanid
1.1.6 display time-range
Syntax
display time-range { all | name }
View
Any view
Parameters
all: Displays all time ranges.
name: Time range name, string starting with an English letter ([a-z, A-Z]) and in the range of 1 to 32 characters.
Description
Use the display time-range command to view the current configuration and status of time ranges. A time range is displayed as Active if it is currently in the active state and as Inactive otherwise.
Note that it takes about one minute for the system to update the ACL status, while the display time-range command determines the time range status from the current time. Therefore, a time range may be displayed as Active in the output of the display time-range command while the ACL referencing it is still inactive.
Related commands: time-range.
Examples
# Display all time ranges.
<H3C> display time-range all
Current time is 14:36:36 4-3-2003 Thursday
Time-range : hhy ( Inactive )
from 08:30 2-5-2005 to 18:00 2-19-2005
Time-range : hhy1 ( Inactive )
from 08:30 2-5-2003 to 18:00 2-19-2003
Table 1-2 Description on the fields of the display time-range all command

Field | Description
---|---
Current time is 14:36:36 4-3-2003 Thursday | The current time of the system
Time-range : hhy ( Inactive ) from 08:30 2-5-2005 to 18:00 2-19-2005 | Time range hhy. "Inactive" means that the time range is currently inactive ("Active" means the time range is active); the time range is from 08:30 2-5-2005 to 18:00 2-19-2005. The information displayed below is similar.
# Display time range tm1.
<H3C> display time-range tm1
Current time is 14:37:31 4-3-2003 Thursday
Time-range : tm1 ( Inactive )
from 08:30 2-5-2005 to 18:00 2-19-2005
Table 1-3 Description on the fields of the display time-range tm1 command

Field | Description
---|---
Current time is 14:36:36 4-3-2003 Thursday | The current time of the system.
Time-range : tm1 ( Inactive ) from 08:30 2-5-2005 to 18:00 2-19-2005 | Time range tm1. "Inactive" means that the time range is currently inactive ("Active" means the time range is active); the time range is from 08:30 2-5-2005 to 18:00 2-19-2005.
1.1.7 flow-template user-defined
Syntax
flow-template user-defined
undo flow-template user-defined
View
Ethernet port view
Parameters
None
Description
Use the flow-template user-defined command to apply the user-defined flow template to the current port.
Use the undo flow-template user-defined command to cancel the application of the user-defined flow template on the current port.
Related commands: display flow-template, flow-template user-defined slot.
Examples
# Apply the user-defined flow template to the current port Ethernet4/1/1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet4/1/1
[H3C-Ethernet4/1/1] flow-template user-defined
1.1.8 flow-template user-defined slot
Syntax
flow-template user-defined slot slot-id template-info
undo flow-template user-defined slot slot-id
View
System view
Parameters
template-info: Information available for defining a flow template. Its value can be:
- bt-flag: BT flag bit, 6 bytes.
- c-tag-cos: 802.1p priority in the inner 802.1Q tag of the packet. This field and c-tag-vlan jointly take 6 bytes in the flow template.
- c-tag-vlan: VLAN ID in the inner 802.1Q tag of the packet. This field and c-tag-cos jointly take 6 bytes in the flow template.
- cos: 802.1p priority in the outermost 802.1Q tag of the packet. On a card with the suffix DA/DB/DC, the cos field takes 1 byte, and cos and s-tag-vlan together take 3 bytes in the flow template; on other cards, s-tag-vlan and cos take 2 bytes in the flow template whether you define one or both of them.
- dip wildcard: Destination IP field in the IP packet header, 4 bytes.
- dmac wildcard: Destination MAC field in the Ethernet packet header, 6 bytes.
- dport: Destination port field, 2 bytes.
- dscp: DSCP field in the IP packet header. dscp, exp, ip-precedence and tos together occupy 1 byte.
- ethernet-protocol: Protocol type field in the Ethernet packet header, 6 bytes.
- exp: EXP field in the MPLS packet. dscp, exp, ip-precedence and tos together occupy 1 byte.
- fragment-flags: Fragment flag field in the IP packet header; occupies no bytes in the flow template.
- icmp-code: ICMP code field, 1 byte.
- icmp-type: ICMP type field, 1 byte.
- ip-precedence: IP precedence field in the IP packet header. dscp, exp, ip-precedence and tos together occupy 1 byte.
- ip-protocol: Protocol type field in the IP packet header, 1 byte.
- mac-type: MAC-TYPE field of a specified packet; occupies no bytes in the flow template.
- s-tag-vlan: VLAN ID in the outermost 802.1Q tag of the packet. On a card with the suffix DA/DB/DC, the s-tag-vlan field takes 2 bytes, and s-tag-vlan and cos together take 3 bytes in the flow template; on other cards, s-tag-vlan and cos take 2 bytes in the flow template whether you define one or both of them.
- sip wildcard: Source IP field in the IP packet header, 4 bytes.
- smac wildcard: Source MAC field in the Ethernet packet header, 6 bytes.
- sport: Source port field, 2 bytes.
- tcp-flag: Flag field in the TCP packet header, 1 byte.
- tos: TOS (type of service) field in the IP packet header. dscp, exp, ip-precedence and tos together occupy 1 byte.
- vlanid: VLAN ID that the switch assigns to the packet, 2 bytes.
- vpn: Flow template pre-defined for MPLS L2VPN, 2 bytes.
Note:
- The byte counts above refer to the flow template, not to the IP packet. For example, the DSCP field occupies one byte in the flow template but six bits in an IP packet. Use these counts to determine whether the total length of the template elements exceeds 16 bytes.
- dscp, exp, ip-precedence and tos jointly occupy one byte, whether you define any one of the four fields or ip-precedence and tos together.
- On a card with the suffix DA/DB/DC, the cos field takes 1 byte and the s-tag-vlan field takes 2 bytes, so the two fields, if both defined, take 3 bytes in the flow template; on other cards, s-tag-vlan and cos take 2 bytes in the flow template whether you define one or both of them.
- c-tag-cos and c-tag-vlan occupy 6 bytes in the flow template whether you define one or both of them.
- fragment-flags and mac-type occupy no bytes in the flow template, so ignore them when determining whether the total length of the template elements exceeds 16 bytes.
slot slot-id: Specifies the slot to which the flow template is applied.
Description
Use the flow-template user-defined slot command to define a flow template.
Use the undo flow-template user-defined slot command to delete a flow template.
In defining a flow template, the total length of all elements should be no more than 16 bytes.
Note:
Currently, the default flow template is as follows:
ip-protocol tcp-flag sport dport icmp-type icmp-code sip 0.0.0.0 dip 0.0.0.0 ethernet-protocol vlanid exp
You can modify or delete only the flow templates you have defined, not the default flow template.
Related commands: display flow-template, flow-template user-defined.
Examples
# Define a flow template which classifies traffic on the ports of Slot 3 by source and destination IP addresses, source and destination TCP/UDP ports, DSCP domain in the IP packet header.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] flow-template user-defined slot 3 sip 0.0.0.0 dip 0.0.0.0 sport dport dscp
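The 16-byte limit and the byte-sharing rules above are easy to get wrong by hand; the following added example (not H3C code) encodes the documented field sizes and sharing rules and checks whether a template-info string fits. The "0-0-0" MAC wildcard used in the sample input is a constructed value.

```python
"""Byte-budget check for a user-defined flow template on the S9500.

Added example (not H3C code). It encodes the per-field template sizes and
the sharing rules given under template-info and reports whether a
template-info string fits the documented 16-byte limit.
"""
from typing import Dict, List, Tuple

# Fields that cost a fixed number of template bytes each (0 = occupies none).
FIXED_BYTES: Dict[str, int] = {
    "bt-flag": 6, "dip": 4, "dmac": 6, "dport": 2, "ethernet-protocol": 6,
    "icmp-code": 1, "icmp-type": 1, "ip-protocol": 1, "sip": 4, "smac": 6,
    "sport": 2, "tcp-flag": 1, "vlanid": 2, "vpn": 2,
    "fragment-flags": 0, "mac-type": 0,
}
TOS_GROUP = {"dscp", "exp", "ip-precedence", "tos"}   # share one byte
CTAG_GROUP = {"c-tag-cos", "c-tag-vlan"}              # jointly 6 bytes
OUTER_TAG_GROUP = {"cos", "s-tag-vlan"}               # card dependent
TAKES_WILDCARD = {"sip", "dip", "smac", "dmac"}       # keyword + wildcard
MAX_TEMPLATE_BYTES = 16
KNOWN_FIELDS = set(FIXED_BYTES) | TOS_GROUP | CTAG_GROUP | OUTER_TAG_GROUP


def parse_template_info(template_info: str) -> List[str]:
    """Return the field keywords in a template-info string, skipping the
    wildcard argument that follows sip, dip, smac and dmac."""
    tokens = template_info.split()
    fields: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in KNOWN_FIELDS:
            raise ValueError(f"unknown flow template field: {tok}")
        fields.append(tok)
        i += 2 if tok in TAKES_WILDCARD else 1
    return fields


def template_bytes(fields: List[str], da_db_dc_card: bool = False) -> int:
    """Total flow template bytes according to the documented sharing rules."""
    present = set(fields)
    total = sum(FIXED_BYTES[f] for f in present if f in FIXED_BYTES)
    if present & TOS_GROUP:
        total += 1                       # any of the four: one byte
    if present & CTAG_GROUP:
        total += 6                       # one or both: six bytes
    outer = present & OUTER_TAG_GROUP
    if outer and da_db_dc_card:
        # DA/DB/DC cards: cos is 1 byte, s-tag-vlan is 2, both together 3.
        total += (1 if "cos" in outer else 0) + (2 if "s-tag-vlan" in outer else 0)
    elif outer:
        total += 2                       # other cards: one or both, 2 bytes
    return total


def check_template(template_info: str, da_db_dc_card: bool = False) -> Tuple[bool, int]:
    """Return (fits_in_16_bytes, bytes_used) for a template-info string."""
    used = template_bytes(parse_template_info(template_info), da_db_dc_card)
    return used <= MAX_TEMPLATE_BYTES, used


if __name__ == "__main__":
    # The template from the example above: 4 + 4 + 2 + 2 + 1 = 13 bytes.
    print(check_template("sip 0.0.0.0 dip 0.0.0.0 sport dport dscp"))
    # Adding a MAC field (constructed wildcard 0-0-0) pushes it to 19 bytes.
    print(check_template("sip 0.0.0.0 dip 0.0.0.0 sport dport dscp smac 0-0-0"))
```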
1.1.9 packet-filter
Syntax
I. Command Format Which Only Applies IP Group ACL
packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]
undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]
II. Command Format Which Applies IP Group and Link Group ACL at Same time
packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule }
undo packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. Command Format Which Only Applies Link Group ACL
packet-filter inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ]
undo packet-filter inbound link-group { acl-number | acl-name } [ rule rule ]
View
Ethernet port view
Parameters
inbound: Performs filtering to the packets received by the interface.
ip-group { acl-number | acl-name }: Activates IP ACLs (basic and advanced ACLs). acl-number: ACL number, in the range of 2000 to 3999. acl-name: ACL name, a character string starting with an English letter (a-z or A-Z) and containing no spaces.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: ACL number, in the range of 4000 to 4999. acl-name: ACL name, a character string starting with an English letter (a-z or A-Z) and containing no spaces.
rule rule: Specifies a rule of the ACL to activate, in the range of 0 to 127; if it is not specified, all rules of the ACL are activated.
system-index index: System index of an ACL rule. When delivering a rule, the system assigns it a globally unique index for later retrieval. You can also assign a system index when delivering an ACL rule with this command, but the value may change during system operation, so manually assigning a system index is not recommended unless really necessary.
Description
Use the packet-filter command to activate an ACL.
Use the undo packet-filter command to deactivate an active ACL.
Examples
# Activate ACL 2000.
<H3C>system-view
System View: return to User View with Ctrl+Z.
[H3C]interface ethernet5/1/1
[H3C-Ethernet5/1/1] packet-filter inbound ip-group 2000
1.1.10 reset acl counter
Syntax
reset acl counter { all | acl-number | acl-name }
View
User view
Parameters
all: Specifies all ACLs (both number- and name-identified ones).
acl-number: Number of the ACL, in the range of 2000 to 3999.
acl-name: ACL name, a string of 1 to 32 bytes that starts with an English letter (a-z or A-Z), contains no spaces and is case-insensitive. The all keyword cannot be used as an ACL name.
Description
Use the reset acl counter command to clear ACL statistics to zero.
Examples
# Clear the statistics of ACL 2000.
<H3C> reset acl counter 2000
1.1.11 rule
Syntax
I. Define or delete the subrules of a basic ACL
rule [ rule-id ] { permit | deny } [ packet-level { bridge | route } | source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ] *
undo rule rule-id [ packet-level | source | fragment | time-range | vpn-instance instance-name ] *
II. Define or delete the subrules of an advanced ACL
rule [ rule-id ] { permit | deny } protocol [ packet-level { bridge | route } | source { source-addr wildcard | any } | destination { dest-addr wildcard | any } | source-port operator port1 [ port2 ] | destination-port operator port1 [ port2 ] | icmp-type type code | established | { match-any | match-all } { urg | ack| psh | rst | syn | fin } | precedence precedence | tos tos | dscp dscp | fragment | bt-flag | time-range name | vpn-instance instance-name | ttl ttl-value ] *
undo rule rule-id [ packet-level | source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | bt-flag | time-range | vpn-instance | ttl ] *
III. Define or delete the rules of a Layer 2 ACL
rule [ rule-id ] { permit | deny } [ packet-level { bridge | route } | cos cos-value | c-tag-cos c-cos-value | exp exp-value | protocol-type | mac-type { any-broadcast-packet | arp-broadcast-packet | non-arp-broadcast-packet | { { unicast-packet | multicast-packet } [ known | unknown ] } } | ingress { { source-vlan-id [ to source-vlan-id-end ] | source-mac-addr source-mac-wildcard | c-tag-vlan c-tag-vlan } * | any } | egress { dest-mac-addr dest-mac-wildcard | any } | s-tag-vlan s-tag-vlanid | time-range name ] *
undo rule rule-id
View
Corresponding ACL view
Parameters
rule-id: Specifies the rule number in the ACL, in the range of 0 to 127.
permit: Allows qualified packets to pass.
deny: Forbids qualified packets to pass.
Caution:
If the rule command includes the deny keyword, the rule created can be used for the packet-filter command and the traffic-statistic command only.
time-range name: Time range name, optional parameter. It means the rule takes effect in this time range.
packet-level: Specifies to match only Layer 2 packets or only Layer 3 packets. Without this keyword specified, the rule matches both Layer 2 and Layer 3 packets.
bridge: Specifies to match only Layer 2 packets.
route: Specifies to match only Layer 3 packets.
Note:
- The following parameters describe attributes of the packet; the ACL generates rules from these attribute parameters.
- The packet-level field does not occupy any flow template field and is supported by both the default and user-defined flow templates.
- Parameters specific to basic ACLs:
source { source-addr wildcard | any }: source-addr wildcard specifies the source IP address and the wildcard of the source address, in dotted decimal notation. any represents all source addresses.
fragment: Takes effect only on fragmented packets and is ignored for non-fragmented packets.
vpn-instance instance-name: VPN instance name. If this parameter is specified, packets of the specified MPLS VPN are identified.
- Parameters specific to advanced ACLs:
protocol: Protocol type, represented by a name or a number. Names include icmp, igmp, tcp, udp, ip, gre, ospf, ipinip, etc.; ip represents all IP protocols. Numbers range from 1 to 255.
source { source-addr wildcard | any }: source-addr wildcard specifies the source IP address and the wildcard of the source address, in dotted decimal notation. any represents all source addresses.
destination { dest-addr wildcard | any }: dest-addr wildcard specifies the destination IP address and the wildcard of the destination address, in dotted decimal notation. any represents all destination addresses.
source-port operator port1 [ port2 ]: Source TCP or UDP port of the packet. operator is the port operator: eq (equal to), gt (greater than), lt (less than), neq (not equal to) or range (within the range). It is available only when protocol is set to tcp or udp. port1 [ port2 ] is the source TCP or UDP port, as a name or a number from 0 to 65535; for names, see the port mnemonic list. Only the range operator uses both port1 and port2; the other operators use port1 only.
destination-port operator port1 [ port2 ]: Destination TCP or UDP port of the packet. See source-port operator port1 [ port2 ] for details.
icmp-type type code: Available when protocol is set to icmp. type code specifies an ICMP packet: type is the ICMP packet type, as a name or a number from 0 to 255; code is the ICMP code, from 0 to 255, and is used when the ICMP packet type is given as a number. This parameter is used to define an EACL.
Table 1-4 Relationship of type and code

ICMP packet type (name) | ICMP packet type (TYPE) | ICMP code (CODE)
---|---|---
echo | 8 | 0
echo | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0
established: (Optional) Takes effect only on the first SYN packet of a TCP connection; available only when protocol is set to tcp.
match-any: Specifies fuzzy matching. With this keyword provided, a TCP packet is a matching packet as long as its flag fields include the specified flag fields.
match-all: Specifies exact matching. With this keyword provided, a TCP packet is a matching packet only when its flag fields are consistent with the specified flag fields.
urg: URG flag.
ack: ACK flag.
psh: PSH flag.
rst: RST flag.
syn: SYN flag.
fin: FIN flag.
precedence precedence: (Optional) IP precedence, as a number (0 to 7) or a name.
tos tos: (Optional) Classifies packets by TOS value, as a number (0 to 15) or a name.
dscp dscp: (Optional) Classifies packets by DSCP value, as a number (0 to 63) or a name.
fragment: Takes effect only on fragmented packets and is ignored for non-fragmented packets.
bt-flag: The rule takes effect only on BT data packets. If you use this keyword, the protocol in the rule must be tcp. This parameter applies to advanced ACLs.
vpn-instance instance-name: VPN instance name. If this parameter is specified, packets of the specified MPLS VPN are identified.
- Parameters specific to Layer 2 ACLs:
cos: Specifies the 802.1p priority in the outermost 802.1Q tag carried by the packet.
cos-value: A number (0 to 7) or the priority name. See Table 1-5 for their correspondence.
Table 1-5 COS priority definition

Number | Priority name
---|---
0 | best-effort
1 | background
2 | spare
3 | excellent-effort
4 | controlled-load
5 | video
6 | voice
7 | network-management
c-tag-cos c-cos-value: Specifies the 802.1p priority in the inner 802.1Q tag carried by the packet. Specify the same value for c-cos-value and cos-value.
protocol-type: Protocol type carried by the Ethernet frame, expressed as a name or a hexadecimal number. Names: arp, ip, ipv6, mpls, nbx, pppoe-control, pppoedata and rarp. Hexadecimal numbers range from 1 to FFFF.
ingress { { source-vlan-id [ to source-vlan-id-end ] | source-mac-addr source-mac-wildcard | c-tag-vlan c-tag-vlan } * | any }: Source information of the packet. source-vlan-id [ to source-vlan-id-end ] is the source VLAN or source VLAN range (identified by the outer VLAN tag of the packet). source-mac-addr source-mac-wildcard is the source MAC address and its wildcard; together they determine the range of source MAC addresses of interest, and the smaller the wildcard, the smaller the range. For example, 00e0-fc01-0101 0-0-0 specifies the single MAC address 00e0-fc01-0101, while 00e0-fc01-0101 0-0-fff specifies the address range 00e0-fc01-0000 to 00e0-fc01-ffff.
c-tag-vlan c-tag-vlan: The system identifies the source VLAN by the VLAN ID in the inner 802.1Q tag carried by the packet. any represents all packets received on all ports.
egress { dest-mac-addr dest-mac-wildcard | any }: Destination information of the packet. dest-mac-addr dest-mac-wildcard is the destination MAC address and its wildcard; together they determine the range of destination MAC addresses of interest, and the smaller the wildcard, the smaller the range. For example, 00e0-fc01-0101 0-0-0 specifies the single MAC address 00e0-fc01-0101, while 00e0-fc01-0101 0-0-fff specifies the address range 00e0-fc01-0000 to 00e0-fc01-ffff. any represents all packets forwarded on all ports.
s-tag-vlan s-tag-vlanid: VLAN ID in the outermost 802.1Q tag carried by the packet.
mac-type { any-broadcast-packet | arp-broadcast-packet | non-arp-broadcast-packet | { { unicast-packet | multicast-packet } [ known | unknown ] } }: Specifies the packet type: unicast, multicast, ARP broadcast, or non-ARP broadcast. Unicast and multicast packets can further be divided into known and unknown packets.
ttl ttl-value: Sets the TTL (time to live) value to match. ttl-value ranges from 0 to 255.
Description
Use the rule command to add a rule to the ACL.
Use the undo rule command to delete a rule from the ACL.
You can define multiple rules for an ACL. Only the specified rules will be deleted if you select parameters in the undo rule command.
If you redefine an existing rule, the newly configured option automatically overwrites the corresponding option of the original rule, and the option not being redefined remains. For example:
With the original rule 0:
[acl number 2000] rule 0 permit source 10.1.1.1 0 time-range Test
when you redefine it as follows:
[acl number 2000] rule 0 permit source 10.1.1.2 0 fragment
it becomes:
rule 0 permit source 10.1.1.2 0 fragment time-range Test
That is, the source option is replaced with 10.1.1.2, the fragment option, which the original rule does not contain, is added, and the time-range Test option, which the original rule contains, is retained.
Caution:
- If you want to replace an existing rule, you are recommended to first delete the original rule with the undo command and then reconfigure the rule. This makes sure the unwanted options are completely removed.
- If you configure a rule without providing a rule number, the system automatically generates a new rule if it is not identical to any existing rule.
- A rule with the bt-flag keyword cannot be used in the command that redirects traffic to the CPU.
Related commands: acl.
Examples
# Add a rule to an advanced ACL.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C]acl number 3000
[H3C-acl-adv-3000] rule 1 permit tcp established source 1.1.1.1 0 destination 2.2.2.2 0
# Add a TTL-matching rule to an advanced ACL.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 permit tcp ttl 2
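The overwrite-and-keep behaviour of redefining a rule, described above, is the kind of thing that leaves a stale time-range or fragment option in a filter after a change. The following added example (not H3C code) parses rule commands of basic and advanced ACLs, applies the documented merge, and lists which options of the old rule survive; it assumes the permit/deny action of the new rule replaces the old one, which the page does not state.

```python
"""Show how redefining an existing ACL rule merges options.

Added example (not H3C code). parse_rule() reads the rule syntax of basic
and advanced ACLs, redefine() applies the documented overwrite-and-keep
behaviour, and carried_over() lists options silently retained from the
old rule. Assumed: the permit/deny action of the new rule wins.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Keyword -> number of arguments, listed in the order of the rule syntax.
ARGC = {
    "packet-level": 1, "source": 2, "destination": 2, "source-port": 2,
    "destination-port": 2, "icmp-type": 2, "established": 0, "tcp-flags": 0,
    "precedence": 1, "tos": 1, "dscp": 1, "fragment": 0, "bt-flag": 0,
    "time-range": 1, "vpn-instance": 1, "ttl": 1,
}
TCP_FLAGS = {"urg", "ack", "psh", "rst", "syn", "fin"}


@dataclass
class Rule:
    rule_id: Optional[int]
    action: str                          # permit | deny
    protocol: Optional[str]              # advanced ACLs only
    options: Dict[str, Tuple[str, ...]]  # keyword -> its arguments


def parse_rule(cmd: str) -> Rule:
    tok = cmd.split()
    if not tok or tok[0] != "rule":
        raise ValueError("expected a rule command")
    i, rule_id = 1, None
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    action, i = tok[i], i + 1
    protocol = None
    if i < len(tok) and tok[i] not in ARGC and tok[i] not in ("match-any", "match-all"):
        protocol, i = tok[i], i + 1       # positional protocol of an advanced ACL
    options: Dict[str, Tuple[str, ...]] = {}
    while i < len(tok):
        kw, i = tok[i], i + 1
        if kw in ("match-any", "match-all"):
            flags = []
            while i < len(tok) and tok[i] in TCP_FLAGS:
                flags.append(tok[i])
                i += 1
            options["tcp-flags"] = (kw, *flags)   # one slot for either keyword
            continue
        if kw not in ARGC:
            raise ValueError(f"unknown rule option: {kw}")
        n = ARGC[kw]
        if kw in ("source", "destination") and i < len(tok) and tok[i] == "any":
            n = 1
        if kw in ("source-port", "destination-port") and i < len(tok) and tok[i] == "range":
            n = 3                                   # range port1 port2
        options[kw] = tuple(tok[i:i + n])
        i += n
    return Rule(rule_id, action, protocol, options)


def redefine(existing: Rule, new: Rule) -> Rule:
    """Documented behaviour: redefined options overwrite, the rest remain."""
    merged = dict(existing.options)
    merged.update(new.options)
    return Rule(existing.rule_id, new.action, new.protocol or existing.protocol, merged)


def carried_over(existing: Rule, new: Rule) -> Set[str]:
    """Options of the old rule that survive because the new rule omits them."""
    return set(existing.options) - set(new.options)


def render(rule: Rule) -> str:
    """Print the rule in the canonical option order of the syntax."""
    parts = ["rule"] + ([str(rule.rule_id)] if rule.rule_id is not None else [])
    parts.append(rule.action)
    if rule.protocol:
        parts.append(rule.protocol)
    for kw in ARGC:
        if kw not in rule.options:
            continue
        if kw != "tcp-flags":             # match-any/match-all carry their own keyword
            parts.append(kw)
        parts.extend(rule.options[kw])
    return " ".join(parts)


if __name__ == "__main__":
    old = parse_rule("rule 0 permit source 10.1.1.1 0 time-range Test")
    new = parse_rule("rule 0 permit source 10.1.1.2 0 fragment")
    print(render(redefine(old, new)))        # the merged rule from the description
    print(sorted(carried_over(old, new)))    # options kept without being restated
```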
1.1.12 time-range
Syntax
time-range time-name { { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] } | { from start-time start-date [ to end-time end-date ] } | { to end-time end-date } }
undo time-range { { time-name [ { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] } | { from start-time start-date [ to end-time end-date ] } | { to end-time end-date } ] } | all }
View
System view
Parameters
time-name: Name of the time range, used as the identifier by which the time range is referenced.
start-time: (Optional) Start time of the time range, in the format hh:mm.
end-time: (Optional) End time of the time range, in the format hh:mm.
days-of-the-week: (Optional) Day(s) of the week on which the time range takes effect. You can enter one of the following:
- A number in the range of 0 to 6;
- Monday, Tuesday, Wednesday, Thursday, Friday, Saturday or Sunday;
- working-day: Monday through Friday inclusive;
- off-day: Saturday and Sunday;
- daily: every day of the week.
from start-time start-date: (Optional) Start date and time of the time range, in the format hh:mm YYYY/MM/DD.
to end-time end-date: (Optional) End date and time of the time range, in the format hh:mm YYYY/MM/DD.
all: All time ranges.
Description
Use the time-range command to define a time range.
Use the undo time-range command to cancel a time range.
A time range can include absolute time ranges and period time ranges. start-time to end-time days-of-the-week together define a period time range; from start-time start-date and to end-time end-date together define an absolute time range.
If a time range defines only a period time range, it is active only within that period time range.
If a time range defines only period time ranges and several of them exist (by repeating the command with the same time range name you can configure multiple period time ranges under one name), it is active only within those period time ranges.
If a time range defines only an absolute time range, it is active only within that absolute time range.
If a time range defines only absolute time ranges and several of them exist (repeating the command with the same time range name configures multiple absolute time ranges under one name), it is active only within those absolute time ranges.
If a time range defines both a period time range and an absolute time range, it is active only when both the period time range and the absolute time range are matched. For example, a time range defines a period time range from 12:00 to 14:00 every Wednesday and an absolute time range from 00:00 2004/1/1 to 23:59 2004/12/31; this time range is active only from 12:00 to 14:00 every Wednesday in 2004.
If a time range defines multiple absolute time ranges and multiple period time ranges, it is active only when a period time range and an absolute time range are both matched: take the union of the absolute time ranges and the union of the period time ranges, and then take the intersection of the two unions.
If no start time and end time are configured, the time range covers the whole day (00:00 to 24:00).
If no end time is configured, the time range lasts from the day the configuration takes effect to the latest time supported by the system. The maximum time range currently supported by the system is from 1970/01/01 to 2100/12/31.
Note:
- If you include any argument in the undo time-range command, the system deletes only the content defined by that argument from the time range.
- When you configure a time range, avoid naming it "a", "al", or "all" to prevent conflict with the all keyword.
If you input parameters in the undo time-range command, only the content corresponding to the specified time range will be canceled.
Examples
# Define a time range starting from 00:00, Jan. 1, 2007.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] time-range test from 00:00 2007/1/1
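Whether an ACL rule that references a time range is live at a given moment follows from the union/intersection rules in the description above. The following added example (not H3C code) models those rules and the documented defaults; it assumes that numeric days-of-the-week count 0 = Sunday through 6 = Saturday, and that a missing start date means the system minimum of 1970/01/01.

```python
"""Evaluate whether a time range is active at a given moment.

Added example (not H3C code) modelling the description above: period ranges
are OR-ed together, absolute ranges are OR-ed together, and the time range is
active only when both unions match; an unconfigured kind imposes no
restriction. Assumed: numeric days 0 = Sunday .. 6 = Saturday.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

DAY_NAMES = ["sunday", "monday", "tuesday", "wednesday",
             "thursday", "friday", "saturday"]         # index = assumed number
MIN_SYSTEM_TIME = datetime(1970, 1, 1, 0, 0)            # documented minimum
MAX_SYSTEM_TIME = datetime(2100, 12, 31, 23, 59)        # documented maximum

def parse_days(spec: str) -> Set[int]:
    """Map days-of-the-week to datetime.weekday() numbers (Monday = 0)."""
    s = spec.lower()
    if s.isdigit() and 0 <= int(s) <= 6:
        return {(int(s) + 6) % 7}             # Sunday (0) -> 6, Monday (1) -> 0
    if s == "daily":
        return set(range(7))
    if s == "working-day":
        return set(range(5))
    if s == "off-day":
        return {5, 6}
    if s in DAY_NAMES:
        return {(DAY_NAMES.index(s) + 6) % 7}
    raise ValueError(f"bad days-of-the-week: {spec}")

def parse_hhmm(s: str) -> Optional[time]:
    """hh:mm -> time; "24:00" (end of day) is represented as None."""
    if s == "24:00":
        return None
    hour, minute = s.split(":")
    return time(int(hour), int(minute))

@dataclass
class PeriodRange:
    days: Set[int]
    start: time = time(0, 0)        # documented default when not configured
    end: Optional[time] = None      # None = 24:00

    def matches(self, now: datetime) -> bool:
        if now.weekday() not in self.days or now.time() < self.start:
            return False
        return self.end is None or now.time() <= self.end

@dataclass
class AbsoluteRange:
    start: datetime = MIN_SYSTEM_TIME   # assumption when no from is given
    end: datetime = MAX_SYSTEM_TIME     # documented default when no to is given

    def matches(self, now: datetime) -> bool:
        return self.start <= now <= self.end

@dataclass
class TimeRange:
    name: str
    periods: List[PeriodRange] = field(default_factory=list)
    absolutes: List[AbsoluteRange] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        # Union within each kind, intersection across the two kinds.
        period_ok = not self.periods or any(p.matches(now) for p in self.periods)
        absolute_ok = not self.absolutes or any(a.matches(now) for a in self.absolutes)
        return period_ok and absolute_ok

def add_time_range(tr: TimeRange, args: str) -> None:
    """Apply the argument part of one `time-range <name> ...` command.
    Repeating the command for the same name accumulates ranges."""
    tok = args.split()
    i = 0
    if tok and tok[0] not in ("from", "to"):
        if len(tok) < 4 or tok[1] != "to":
            raise ValueError("expected: start-time to end-time days-of-the-week")
        start_t = parse_hhmm(tok[0])
        tr.periods.append(PeriodRange(parse_days(tok[3]),
                                      time(0, 0) if start_t is None else start_t,
                                      parse_hhmm(tok[2])))
        i = 4
    start, end, has_absolute = MIN_SYSTEM_TIME, MAX_SYSTEM_TIME, False
    while i < len(tok):
        if i + 2 >= len(tok) or tok[i] not in ("from", "to"):
            raise ValueError(f"expected 'from|to hh:mm YYYY/MM/DD' at {tok[i]}")
        stamp = datetime.strptime(f"{tok[i + 2]} {tok[i + 1]}", "%Y/%m/%d %H:%M")
        if tok[i] == "from":
            start = stamp
        else:
            end = stamp
        has_absolute, i = True, i + 3
    if has_absolute:
        tr.absolutes.append(AbsoluteRange(start, end))

def active_at(tr: TimeRange, when: str) -> bool:
    """Evaluate tr at a 'YYYY/MM/DD hh:mm' timestamp string."""
    return tr.is_active(datetime.strptime(when, "%Y/%m/%d %H:%M"))
```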