22-ACL Commands
Chapters Download (162.08 KB)
IPv4 ACL Configuration Commands
rule (Ethernet frame header ACL view)
Syntax
display acl resource
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display acl resource command to display the usage of ACL resources on a device.
Examples
# Display the ACL resource usage of all cards on a distributed device.
<Sysname> display acl resource
Interface:
OLT1/0/1 to OLT1/0/2, GE1/1/1 to GE1/1/4
--------------------------------------------------------------------------------
Type Total Reserved Configured Remaining
--------------------------------------------------------------------------------
IFP ACL 2048 0 80 1968
IFP Meter 1024 0 19 1005
IFP Counter 1024 0 31 993
Table 1-1 display acl resource command output description
|
Field |
Description |
|
Interface |
Interface indicated by its type and number |
|
Type |
Resource type: l IFP indicates the count of resources in the inbound direction, l ACL indicates ACL rule resources, l Meter indicates traffic policing resources, l Counter indicates traffic statistics resources, |
|
Total |
Total number of ACLs supported |
|
Reserved |
Number of reserved ACLs |
|
Configured |
Number of configured ACLs |
|
Remaining |
Number of remaining ACLs |
Syntax
display time-range { time-range-name | all }
View
Any view
Default Level
1: Monitor level
Parameters
time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
all: Specifies all existing time ranges.
Description
Use the display time-range command to display the configuration and status of a specified time range or all time ranges.
A time range is active if the system time falls into its range.
Examples
# Display the configuration and status of time range trname.
<Sysname> display time-range trname
Current time is 13:39:11 4/26/2000 Wednesday
Time-range : trname ( Inactive )
from 09:00 12/12/2008 to 24:00 12/31/2100
Table 1-2 display time-range command output description
|
Field |
Description |
|
Current time |
Current system time |
|
Time-range |
Configuration and status of the time range, including the name of the time range, its status (active or inactive), and its start time and end time. |
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Default Level
2: System level
Parameters
time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
start-time: Start time of a periodic time range, in hh:mm format (24-hour clock), where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59.
end-time: End time of the periodic time range, in hh:mm format (24-hour clock), where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The end time must be greater than the start time.
days: Indicates on which day or days of the week the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. These values can take one of the following forms:
l A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
l Week in words, that is, Mon, Tue, Wed, Thu, Fri, Sat, or Sun.
l working-day for Monday through Friday.
l off-day for Saturday and Sunday.
l daily for seven days of a week.
from time1 date1: Indicates the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format (24-hour clock), where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month in the range 1 to 31, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available in the system, namely, 01/01/1970 00:00:00 AM.
to time2 date2: Indicates the end time and date of the absolute time range. The format of the time2 argument is the same as that of the time1 argument, but its value ranges from 00:00 to 24:00. The end time must be greater than the start time. If not specified, the end time is the maximum time available in the system, namely, 12/31/2100 24:00:00 PM. The format and value range of the date2 argument are the same as those of the date1 argument.
Description
Use the time-range command to create a time range.
Use the undo time-range command to remove a time range.
You may create a maximum of 256 time ranges.
A time range can be one of the following:
l Periodic time range created using the time-range time-range-name start-time to end-time days command. A time range thus created recurs periodically on the day or days of the week.
l Absolute time range created using the time-range time-range-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.
l Compound time range created using the time-range time-range-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones.
Examples
# Create an absolute time range named test, setting it to become active from 00:00 on January 1, 2003.
<Sysname> system-view
[Sysname] time-range test from 0:0 2003/1/1
# Create a periodic time range named test, setting it to be active between 8:00 to 18:00 during working days.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Create a periodic time range named test, setting it to be active between 14:00 and 18:00 on Saturday and Sunday.
<Sysname> system-view
[Sysname] time-range test 14:00 to 18:00 off-day
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Default Level
2: System level
Parameters
number acl-number: Specifies the number of the IPv4 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv4 ACLs
l 3000 to 3999 for advanced IPv4 ACLs
l 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
match-order: Specifies the order in which ACL rules are matched. This keyword is not available for user-defined IPv4 ACLs.
l auto: Performs depth-first match.
l config: Performs matching against rules in the order in which they are configured.
all: Specifies all IPv4 ACLs.
Description
Use the acl command to enter IPv4 ACL view. If the ACL does not exist, it is created first.
Use the undo acl command to remove a specified IPv4 ACL or all IPv4 ACLs.
By default, the match order is config.
Note that:
l You can specify a name for an IPv4 ACL only when you create the ACL. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.
l The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.
l If you specify both an ACL number and an ACL name in one command to enter the view of an existing ACL, be sure that the ACL number and ACL name identify the same ACL.
l You can also use this command to modify the match order of an existing ACL but only when the ACL does not contain any rules.
Examples
# Create IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 ACL 2002, naming it flow.
<Sysname> system-view
[Sysname] acl number 2002 name flow
[Sysname-acl-basic-2002-flow]
# Enter the view of an unnamed IPv4 ACL by specifying its number.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Enter the view of a named IPv4 ACL by specifying its number.
<Sysname> system-view
[Sysname] acl number 2002
[Sysname-acl-basic-2002-flow]
# Delete the IPv4 ACL numbered 2000.
<Sysname> system-view
[Sysname] undo acl number 2000
# Delete the IPv4 ACL named flow.
<Sysname> system-view
[Sysname] undo acl name flow
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Default Level
2: System level
Parameters
source-acl-number: Number of an existing IPv4 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv4 ACLs
l 3000 to 3999 for advanced IPv4 ACLs
l 4000 to 4999 for Ethernet frame header ACLs
source-acl-name: Name of an existing IPv4 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
dest-acl-number: Number of a non-existent IPv4 ACL, which must be of the same ACL type as the source ACL and in the following ranges:
l 2000 to 2999 for basic IPv4 ACLs
l 3000 to 3999 for advanced IPv4 ACLs
l 4000 to 4999 for Ethernet frame header ACLs
dest-acl-name: Name of a non-existent IPv4 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion. The system will automatically assign the new ACL a number which is the smallest among the available numbers of the same ACL type.
Description
Use the acl copy command to create an IPv4 ACL by copying an existing IPv4 ACL. The new ACL is of the same ACL type and has the same match order, rules, rule numbering step and descriptions.
Note that the new ACL does not take the name of the source IPv4 ACL.
Examples
# Copy ACL 2008 to generate ACL 2009.
<Sysname> system-view
[Sysname] acl copy 2008 to 2009
Syntax
acl name acl-name
View
System view
Default Level
2: System level
Parameters
acl-name: Name of the IPv4 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name.
Examples
# Enter the view of the IPv4 ACL named flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2002-flow]
Syntax
description text
undo description
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view,
Default Level
2: System level
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use the description command to configure a description for an IPv4 ACL to, for example, describe the purpose of the ACL.
Use the undo description command to remove the ACL description.
By default, an IPv4 ACL has no ACL description.
Examples
# Configure a description for IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used in eth 0
# Configure a description for IPv4 ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] description This acl is used in eth 0
# Configure a description for ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] description This acl is used in eth 0
Syntax
display acl { acl-number | all | name acl-name }
View
Any view
Default Level
1: Monitor level
Parameters
acl-number: IPv4 ACL number, which must be in the following ranges:
l 2000 to 2999 for basic IPv4 ACLs
l 3000 to 3999 for advanced IPv4 ACLs
l 4000 to 4999 for Ethernet frame header ACLs
all: Specifies all IPv4 ACLs.
name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the display acl command to display information about a specified IPv4 ACL or all IPv4 ACLs.
Note that this command displays ACL rules in the match order.
Examples
# Display information about IPv4 ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, named flow, 1 rule,
ACL's step is 5
rule 5 permit source 1.1.1.1 0 (5 times matched)
rule 5 comment This rule is used in olt 1/0/1
Table 1-3 display acl command output description
|
Field |
Description |
|
Basic ACL 2001 |
The displayed information is about basic IPv4 ACL 2001. |
|
named flow |
The name of the ACL is flow. |
|
1 rule |
The ACL contains one rule. |
|
ACL's step is 5 |
The rule numbering step is 5. |
|
5 times matched |
There have been five matches for the rule. Only ACL matches performed by software are counted. This field is not displayed when no match is found. |
|
rule 5 comment This rule is used in olt 1/0/1 |
The description of ACL rule 5 is “This rule is used in olt 1/0/1.” |
Syntax
reset acl counter { acl-number | all | name acl-name }
View
User view
Default Level
2: System level
Parameters
acl-number: IPv4 ACL number, which must be in the following ranges:
l 2000 to 2999 for basic IPv4 ACLs
l 3000 to 3999 for advanced IPv4 ACLs
l 4000 to 4999 for Ethernet frame header ACLs
all: Specifies all IPv4 ACLs except for user-defined ACLs.
name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the reset acl counter command to clear statistics on a specified IPv4 ACL or all IPv4 ACLs except for user-defined ACLs.
Examples
# Clear statistics on IPv4 ACL 2001.
<Sysname> reset acl counter 2001
# Clear statistics on IPv4 ACL flow.
<Sysname> reset acl counter name flow
Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *
View
Basic IPv4 ACL view
Default Level
2: System level
Parameters
rule-id: Basic IPv4 ACL rule number, in the range 0 to 65534.
deny: Drops matched packets.
permit: Allows matched packets to pass.
fragment: Indicates that the rule applies to only non-first fragments. A rule without this keyword applies to all fragments and non-fragments.
logging: Generates log entries for matched packets. This function requires that the module using the ACL support logging.
source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard argument combination specifies a source IP address in dotted decimal notation. A wildcard of zero indicates a host address. The any keyword indicates any source IP address.
time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the rule command to create a basic IPv4 ACL rule or modify an existing basic IPv4 ACL rule.
Use the undo rule command to remove a basic IPv4 ACL rule or remove some criteria from the rule.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may use the display acl command to view the ID of the rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
Currently, the logging keyword is not supported on the S3600 series EPON OLT switches.
Related commands: display acl.
Examples
# Create a rule to deny packets with the source IP address 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
Syntax
rule [ rule-id ] { deny | permit } protocol [ { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { ack | fin | psh | rst | syn | urg } * | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ] *
View
Advanced IPv4 ACL view
Default Level
2: System level
Parameters
rule-id: Advanced IPv4 ACL rule number, in the range 0 to 65534.
deny: Drops matched packets.
permit: Allows matched packets to pass.
protocol: Protocol carried by IP. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 1-4 shows the parameters that can be specified after the protocol argument.
Table 1-4 Match criteria and other rule information for advanced IPv4 ACL rules
|
Parameters |
Function |
Description |
|
source { sour-addr sour-wildcard | any } |
Specifies a source address. |
The sour-addr sour-wildcard argument combination specifies a source IP address in dotted decimal notation. A wildcard of zero indicates a host address. The any keyword indicates any source IP address. |
|
destination { dest-addr dest-wildcard | any } |
Specifies a destination address. |
The dest-addr dest-wildcard argument combination specifies a destination IP address in dotted decimal notation. A wildcard of zero indicates a host address. The any keyword indicates any destination IP address. |
|
precedence precedence |
Specifies an IP precedence value. |
The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
|
tos tos |
Specifies a ToS preference. |
The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
|
dscp dscp |
Specifies a DSCP priority. |
The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
|
logging |
Specifies to log matched packets. |
This function requires that the module using the ACL support logging. |
|
reflective |
Specifies that the rule be reflective. |
A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
|
fragment |
Indicates that the rule applies to only non-first fragments. |
Without this keyword, the rule applies to all fragments and non-fragments. |
|
time-range time-range-name |
Specifies the time range in which the rule takes effect. |
The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion. |
Setting the protocol argument to tcp or udp, you may define the parameters shown in Table 1-5.
Table 1-5 TCP/UDP-specific parameters for advanced IPv4 ACL rules
|
Parameters |
Function |
Description |
|
source-port operator port1 [ port2 ] |
Specifies one or more UDP or TCP source ports. |
The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
|
destination-port operator port1 [ port2 ] |
Specifies one or more UDP or TCP destination ports. |
|
|
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * |
Specifies one or more TCP flags |
Parameters specific to TCP. The value for each argument can be 0 or 1. |
Setting the protocol argument to icmp, you may define the parameters shown in Table 1-6.
Table 1-6 ICMP-specific parameters for advanced IPv4 ACL rules
|
Parameters |
Function |
Description |
|
icmp-type { icmp-type icmp-code | icmp-message } |
Specifies the ICMP message type and code. |
The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 1-7. |
Table 1-7 ICMP message names supported in advanced IPv4 ACL rules
|
ICMP message name |
Type |
Code |
|
echo |
8 |
0 |
|
echo-reply |
0 |
0 |
|
fragmentneed-DFset |
3 |
4 |
|
host-redirect |
5 |
1 |
|
host-tos-redirect |
5 |
3 |
|
host-unreachable |
3 |
1 |
|
information-reply |
16 |
0 |
|
information-request |
15 |
0 |
|
net-redirect |
5 |
0 |
|
net-tos-redirect |
5 |
2 |
|
net-unreachable |
3 |
0 |
|
parameter-problem |
12 |
0 |
|
port-unreachable |
3 |
3 |
|
protocol-unreachable |
3 |
2 |
|
reassembly-timeout |
11 |
1 |
|
source-quench |
4 |
0 |
|
source-route-failed |
3 |
5 |
|
timestamp-reply |
14 |
0 |
|
timestamp-request |
13 |
0 |
|
ttl-exceeded |
11 |
0 |
Description
Use the rule command to create an advanced IPv4 ACL rule or modify an existing advanced IPv4 ACL rule.
Use the undo rule command to remove an advanced IPv4 ACL rule or remove some criteria from the rule.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may use the display acl command to view the ID of the rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
If the ACL match order is auto, rules are displayed in the depth-first match order rather than by rule number.
Currently, the logging keyword is not supported on the S3600 series EPON OLT switches
Related commands: display acl.
Examples
# Define a rule to permit TCP packets with the destination port of 80 from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3101
[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-range-name | type type-code type-wildcard ] *
undo rule rule-id
View
Ethernet frame header ACL view
Default Level
2: System level
Parameters
rule-id: Ethernet frame header ACL rule number, in the range 0 to 65534.
deny: Drops matched packets.
permit: Allows matched packets to pass.
cos vlan-pri: Defines an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7 or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
dest-mac dest-addr dest-mask: Specifies a destination MAC address range. The dest-addr and dest-mask arguments indicate a destination MAC address and mask in xxxx-xxxx-xxxx format.
lsap lsap-code lsap-wildcard: Defines the DSAP and SSAP fields in the LLC encapsulation. The lsap-code argument is a 16-bit hexadecimal number indicating the frame encapsulation. The lsap-wildcard argument is a 16-bit hexadecimal number indicating the wildcard of the LSAP code.
source-mac sour-addr source-mask: Specifies a source MAC address range. The sour-addr and sour-mask arguments indicate a source MAC address and mask in xxxx-xxxx-xxxx format.
time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
type type-code type-wildcard: Defines a link layer protocol. The type-code argument is a 16-bit hexadecimal number indicating the frame type. It corresponds to the type-code field in Ethernet_II and Ethernet_SNAP frames. The type-wildcard argument is a 16-bit hexadecimal number indicating the wildcard.
Description
Use the rule command to create an Ethernet frame header ACL rule or modify an existing Ethernet frame header ACL rule.
Use the undo rule command to remove an Ethernet frame header ACL rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
Before performing the undo rule command to remove an Ethernet frame header ACL rule, you may use the display acl command to view the ID of the rule.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
If the ACL match order is auto, rules are displayed in the depth-first match order rather than by rule number.
For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, you cannot configure the lsap keyword.
Related commands: display acl.
Examples
# Create a rule to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
rule-id: IPv4 ACL rule number, in the range 0 to 65534.
text: IPv4 ACL rule description, a case-sensitive string of 1 to 127 characters.
Description
Use the rule comment command to configure a description for an existing IPv4 ACL rule or modify the description of an IPv4 ACL rule. You may use the rule description to, for example, describe the purpose of the ACL rule or the parameters it contains.
Use the undo rule comment command to remove the ACL rule description.
By default, an IPv4 ACL rule has no rule description.
Examples
# Create a rule in ACL 2000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used in olt 1/0/1
# Create a rule in ACL 3000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0
[Sysname-acl-adv-3000] rule 0 comment This rule is used in olt 1/0/1
# Create a rule in ACL 4000 and define the rule description.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule 0 deny cos 3
[Sysname-acl-ethernetframe-4000] rule 0 comment This rule is used in olt 1/0/1
Syntax
step step-value
undo step
View
Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
step-value: IPv4 ACL rule numbering step, in the range 1 to 20.
Description
Use the step command to set a rule numbering step for an ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is five.
Examples
# Set the rule numbering step to 2 for ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
# Set the rule numbering step to 2 for ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] step 2
# Set the rule numbering step to 2 for ACL 4000.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] step 2
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
View
System view
Default Level
2: System level
Parameters
number acl6-number: Specifies the number of the IPv6 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
name acl6-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
match-order: Specifies the order in which ACL rules are matched.
auto: Performs depth-first match.
config: Performs matching against rules in the order in which they are configured.
all: Specifies all IPv6 ACLs.
Description
Use the acl ipv6 command to enter IPv6 ACL view. If the ACL does not exist, it is created first.
Use the undo acl ipv6 command to remove a specified IPv6 ACL or all IPv6 ACLs.
By default, the match order is config.
Note that:
l You can specify a name for an IPv6 ACL only when you create the ACL. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.
l The name of an IPv6 ACL must be unique among IPv6 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.
l If you specify both an ACL number and an ACL name in one command to enter the view of an existing ACL, be sure that the ACL number and ACL name identify the same ACL.
l You can also use this command to modify the match order of an existing IPv6 ACL, but only when the ACL does not contain any rules.
Examples
# Create IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 ACL 2002, giving the ACL a name of flow.
<Sysname> system-view
[Sysname] acl ipv6 number 2002 name flow
[Sysname-acl6-basic-2002-flow]
# Enter the view of an IPv6 ACL that has no name by specifying its number.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Enter the view of an IPv6 ACL that has a name by specifying its number.
<Sysname> system-view
[Sysname] acl ipv6 number 2002
[Sysname-acl6-basic-2002-flow]
# Delete the IPv6 ACL with the number of 2000.
<Sysname> system-view
[Sysname] undo acl ipv6 number 2000
# Delete the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] undo acl ipv6 name flow
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
View
System view
Default Level
2: System level
Parameters
source-acl6-number: Number of an existing IPv6 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs,
l 3000 to 3999 for advanced IPv6 ACLs.
source-acl6-name: Name of an existing IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
dest-acl6-number: Number of a non-existent IPv6 ACL, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
dest-acl6-name: Name for the new IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion. The system will automatically assign the new ACL a number which is the smallest one among the available numbers of the same ACL type.
Description
Use the acl ipv6 copy command to create an IPv6 ACL by copying an existing IPv6 ACL. The new ACL is of the same ACL type and has the same match order, rules, rule numbering step and descriptions.
Note that:
l The new ACL does not take the name of the source IPv6 ACL.
l This feature is not available for simple IPv6 ACLs.
Examples
# Copy ACL 2008 to generate ACL 2009.
<Sysname> system-view
[Sysname] acl ipv6 copy 2008 to 2009
Syntax
acl ipv6 name acl6-name
View
System view
Default Level
2: System level
Parameters
acl6-name: Name of the IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the acl ipv6 name command to enter the view of an existing IPv6 ACL by specifying its name.
Examples
# Enter the view of the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2002-flow]
Syntax
description text
undo description
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Default Level
2: System level
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use the description command to configure a description for an IPv6 ACL to, for example, describe the purpose of the ACL.
Use the undo description command to remove the IPv6 ACL description.
By default, an IPv6 ACL has no ACL description.
Examples
# Configure a description for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This acl is used in eth 0
# Configure a description for IPv6 ACL 3000.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] description This acl is used in eth 0
Syntax
display acl ipv6 { acl6-number | all | name acl6-name }
View
Any view
Default Level
1: Monitor level
Parameters
acl6-number: IPv6 ACL number, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs
l 3000 to 3999 for advanced IPv6 ACLs
all: Specifies all IPv6 ACLs.
name acl6-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the display acl ipv6 command to display information about a specified IPv6 ACL or all IPv6 ACLs.
Note that this command displays ACL rules in the match order.
Examples
# Display information about IPv6 ACL 2001.
<Sysname> display acl ipv6 2001
Basic IPv6 ACL 2001, named flow, 1 rule,
ACL's step is 5
rule 0 permit source 1::2/128 (5 times matched)
rule 0 comment This rule is used in olt 1/0/1
Table 1-8 display acl ipv6 command output description
|
Field |
Description |
|
Basic IPv6 ACL 2001 |
The displayed information is about basic IPv6 ACL 2001. |
|
named flow |
The name of the ACL is flow. |
|
1 rule |
The ACL contains one rule. |
|
ACL's step is 5 |
The rules in this ACL are numbered in steps of 5. |
|
5 times matched |
There have been five matches for the rule. Only ACL matches performed by software are counted. This field is not displayed when no match is found. |
|
rule 0 comment This rule is used in olt 1/0/1 |
The description of ACL rule 0 is “This rule is used in olt 1/0/1.” |
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
View
User view
Default Level
2: System level
Parameters
acl6-number: IPv6 ACL number, which must be in the following ranges:
l 2000 to 2999 for basic IPv6 ACLs,
l 3000 to 3999 for advanced IPv6 ACLs.
all: Specifies all basic and advanced IPv6 ACLs.
name acl6-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the reset acl ipv6 counter command to clear statistics on a specified IPv6 ACL or all basic and advanced IPv6 ACLs.
Examples
# Clear the statistics on IPv6 ACL 2001.
<Sysname> reset acl ipv6 counter 2001
# Clear the statistics on IPv6 ACL flow.
<Sysname> reset acl ipv6 counter name flow
Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *
View
Basic IPv6 ACL view
Default Level
2: System level
Parameters
rule-id: IPv6 ACL rule number, in the range 0 to 65534.
deny: Drops matched packets.
permit: Allows matched packets to pass.
fragment: Indicates that the rule applies to only non-first fragments. A rule without this keyword applies to all fragments and non-fragments.
logging: Logs matched packets. This function requires that the module using the ACL support logging.
source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Specifies a source address. The ipv6-address and prefix-length arguments specify a source IPv6 address and its address prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address.
time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion.
Description
Use the rule command to create a basic IPv6 ACL rule or modify an existing basic IPv6 ACL rule.
Use the undo rule command to remove a basic IPv6 ACL rule or remove some criteria from the rule.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may need to use the display acl ipv6 command to view the ID of the rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
For a basic IPv6 ACL to be referenced by a QoS policy for traffic classification, you cannot configure the fragment keywords.
Related commands: display acl ipv6.
Examples
# Create IPv6 ACL 2000 and add two rules.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule 8 deny source fe80:5060::8050/96
Syntax
rule [ rule-id ] { deny | permit } protocol [ { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { ack | fin | psh | rst | syn | urg } * | destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *
View
Advanced IPv6 ACL view
Default Level
2: System level
Parameters
rule-id: IPv6 ACL rule number, in the range 0 to 65534.
deny: Drops matched packets.
permit: Allows matched packets to pass.
protocol: Protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 1-9 shows the parameters that can be specified after the protocol argument.
Table 1-9 Match criteria and other rule information for advanced IPv6 ACL rules
|
Parameters |
Function |
Description |
|
source { source source-prefix | source/source-prefix | any } |
Specifies a source IPv6 address. |
The source and source-prefix arguments specify an IPv6 source address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address. |
|
destination { dest dest-prefix | dest/dest-prefix | any } |
Specifies a destination IPv6 address. |
The dest and dest-prefix arguments specify a destination IPv6 address, and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 destination address. |
|
dscp dscp |
Specifies a DSCP preference |
The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
|
logging |
Specifies to log matched packets |
This function requires that the module using the ACL support logging. |
|
fragment |
Indicates that the rule applies to only non-first fragments. |
Without this keyword, the rule applies to all fragments and non-fragments. |
|
time-range time-range-name |
Specifies the time range in which the rule takes effect. |
The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be the English word of all to avoid confusion. |
Setting the protocol argument to tcp or udp, you may define the parameters shown in Table 1-10.
Table 1-10 TCP/UDP-specific parameters for advanced IPv6 ACL rules
|
Parameters |
Function |
Description |
|
source-port operator port1 [ port2 ] |
Specifies one or more UDP or TCP source ports. |
The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
|
destination-port operator port1 [ port2 ] |
Specifies one or more UDP or TCP destination ports. |
|
|
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * |
Specifies one or more TCP flags. |
Parameters specific to TCP. The value for each argument can be 0 or 1. |
Setting the protocol argument to icmpv6, you may define the parameters shown in Table 1-11.
Table 1-11 ICMPv6-specific parameters for advanced IPv6 ACL rules
|
Parameters |
Function |
Description |
|
icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } |
Specifies the ICMPv6 message type and code. |
The icmpv6-type argument ranges from 0 to 255. The icmpv6-code argument ranges from 0 to 255. The icmpv6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 1-12. |
Table 1-12 ICMPv6 message names supported in advanced IPv6 ACL rules
|
ICMPv6 message name |
Type |
Code |
|
redirect |
137 |
0 |
|
echo-request |
128 |
0 |
|
echo-reply |
129 |
0 |
|
err-Header-field |
4 |
0 |
|
frag-time-exceeded |
3 |
1 |
|
hop-limit-exceeded |
3 |
0 |
|
host-admin-prohib |
1 |
1 |
|
host-unreachable |
1 |
3 |
|
neighbor-advertisement |
136 |
0 |
|
neighbor-solicitation |
135 |
0 |
|
network-unreachable |
1 |
0 |
|
packet-too-big |
2 |
0 |
|
port-unreachable |
1 |
4 |
|
router-advertisement |
134 |
0 |
|
router-solicitation |
133 |
0 |
|
unknown-ipv6-opt |
4 |
2 |
|
unknown-next-hdr |
4 |
1 |
Description
Use the rule command to create an advanced IPv6 ACL rule or modify an existing advanced IPv6 ACL rule.
Use the undo rule command to remove an advanced IPv6 ACL rule or remove some criteria from the rule.
If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may need to use the display acl ipv6 command to view the ID of the rule.
When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same.
For an advanced IPv6 ACL to be referenced by a QoS policy for traffic classification, you cannot configure the neq, fragment, and reflective keywords..
Related commands: display acl ipv6.
Examples
# Configure IPv6 ACL 3000 to permit TCP packets with the source address of 2030:5060::9050/64.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Default Level
2: System level
Parameters
rule-id: IPv6 ACL rule number, in the range 0 to 65534.
text: IPv6 ACL rule description, a case-sensitive string of 1 to 127 characters.
Description
Use the rule comment command to configure a description for an existing IPv6 ACL rule or modify the description of an IPv6 ACL rule. You may use the rule description to, for example, describe the purpose of the ACL rule.
Use the undo rule comment command to remove the IPv6 ACL rule description.
By default, an IPv6 ACL rule has no rule description.
Examples
# Define a rule in IPv6 ACL 2000 and create a description for the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 2030:5060::9050/64
[Sysname-acl6-basic-2000] rule 0 comment This rule is used in olt 1/0/1
# Define a rule in IPv6 ACL 3000 and create a description for the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule 0 permit tcp source 2030:5060::9050/64
[Sysname-acl6-adv-3000] rule 0 comment This rule is used in olt 1/0/1
Syntax
step step-value
undo step
View
Basic IPv6 ACL view, advanced IPv6 ACL view
Default Level
2: System level
Parameters
step-value: IPv6 ACL rule numbering step, in the range 1 to 20.
Description
Use the step command to set a rule numbering step for an IPv6 ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is five.
Examples
# Set the rule numbering step to 2 for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
# Set the rule numbering step to 2 for IPv6 ACL 3000.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] step 2
