H3C S3600 Command Manual-Release 1602(V1.02)
25-ACL Command
- The command used to apply ACL rules to a VLAN is newly added, which is described in packet-filter vlan.
- The command used to configure VLAN information for Layer 2 ACLs is newly added, which is described in rule (for Layer 2 ACLs).
ACL Configuration Commands
acl
Syntax
acl number acl-number [ match-order { auto | config } ]
undo acl { all | number acl-number }
View
System view
Parameters
all: Specifies to remove all access control lists (ACLs).
number acl-number: Specifies the number of an existing ACL or an ACL to be defined. ACL number identifies the type of an ACL as follows.
- An ACL number in the range 2000 to 2999 identifies a basic ACL.
- An ACL number in the range 3000 to 3999 identifies an advanced ACL. Note that 3998 and 3999 cannot be configured because they are reserved for cluster management.
- An ACL number in the range 4000 to 4999 identifies a Layer 2 ACL.
- An ACL number in the range 5000 to 5999 identifies a user-defined ACL.
match-order: Specifies the match order for ACL rules. The following two match orders exist.
- auto: Specifies to match ACL rules according to the depth-first rule.
- config: Specifies to match ACL rules in the order they are defined.
Note that the match-order keyword is not available to Layer 2 ACLs or user-defined ACLs; the match order for Layer 2 ACLs or user-defined ACLs can only be config. For details about the two match orders, refer to the relevant description in ACL Operation.
Description
Use the acl command to define an ACL and enter the corresponding ACL view.
Use the undo acl command to remove all the rules of the specified ACL or all the ACLs.
By default, ACL rules are matched in the order they are defined.
Only after the rules in an existing ACL are fully removed can you modify the match order of the ACL.
In ACL view, you can use the rule command to add rules to the ACL.
Related commands: rule.
Examples
# Define ACL 2000 and specify “depth-first” as the match order.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000 match-order auto
[Sysname-acl-basic-2000]
# Add three rules with different numbers of zeros in the source wildcards.
[Sysname-acl-basic-2000] rule 1 permit source 1.1.1.1 0.255.255.255
[Sysname-acl-basic-2000] rule 2 permit source 2.2.2.2 0.0.255.255
[Sysname-acl-basic-2000] rule 3 permit source 3.3.3.3 0.0.0.255
# Use the display acl command to display the configuration information of ACL 2000.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 3 rules, match-order is auto
Acl's step is 1
rule 3 permit source 3.3.3.0 0.0.0.255
rule 2 permit source 2.2.0.0 0.0.255.255
rule 1 permit source 1.0.0.0 0.255.255.255
As shown in the output information, the switch sorts the rules of ACL 2000 in the depth-first order: a rule with more zeros in the source IP address wildcard has a higher priority.
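The wildcard semantics and the depth-first ordering shown in the output above, modelled in Python as an added example (not part of the H3C manual). Tie-breaking among rules with equally many wildcard zeros by rule ID is an assumption, and the overlapping ACL at the end is constructed to show why the match order matters for a deny rule.

```python
"""Basic ACL helpers: wildcard matching, canonical form and match order.

Added example, not part of the H3C manual. It models what display acl
shows for ACL 2000 above: a rule with more zeros in its wildcard is
evaluated first under match-order auto."""
import ipaddress


def _to_int(dotted):
    # The CLI accepts the shorthand "0" for the host wildcard 0.0.0.0.
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def subnet_mask_to_wildcard(subnet_mask):
    """sour-wildcard is the bitwise complement of the subnet mask."""
    return _to_dotted(~_to_int(subnet_mask))


def canonical_source(sour_addr, sour_wildcard):
    """The switch stores the address with wildcard-covered bits cleared,
    which is why 3.3.3.3 0.0.0.255 is displayed as 3.3.3.0 0.0.0.255."""
    return _to_dotted(_to_int(sour_addr) & ~_to_int(sour_wildcard))


def source_matches(packet_src, sour_addr, sour_wildcard):
    """A bit set to 1 in the wildcard is ignored; 0 bits must match."""
    care = ~_to_int(sour_wildcard) & 0xFFFFFFFF
    return (_to_int(packet_src) ^ _to_int(sour_addr)) & care == 0


def fixed_bits(sour_wildcard):
    """Number of zero bits in the wildcard, i.e. how specific the rule is."""
    return 32 - bin(_to_int(sour_wildcard)).count("1")


def match_order(rules, mode="config"):
    """Return rule IDs in the order the switch evaluates them.
    config: the order the rules were defined (here: by rule ID).
    auto:   depth-first, most wildcard zeros first; ties keep the config
            order (assumption, the manual does not specify the tie-break)."""
    ordered = sorted(rules, key=lambda r: r["id"])
    if mode == "auto":
        ordered = sorted(ordered, key=lambda r: fixed_bits(r["wildcard"]),
                         reverse=True)  # sorted() is stable, so ties keep order
    return [r["id"] for r in ordered]


def first_match(rules, packet_src, mode="config"):
    """Return (rule id, action) of the first matching rule, or None."""
    by_id = {r["id"]: r for r in rules}
    for rid in match_order(rules, mode):
        rule = by_id[rid]
        if source_matches(packet_src, rule["source"], rule["wildcard"]):
            return rid, rule["action"]
    return None


# Constructed sample: the three rules of ACL 2000 from the example above.
ACL_2000 = [
    {"id": 1, "action": "permit", "source": "1.1.1.1", "wildcard": "0.255.255.255"},
    {"id": 2, "action": "permit", "source": "2.2.2.2", "wildcard": "0.0.255.255"},
    {"id": 3, "action": "permit", "source": "3.3.3.3", "wildcard": "0.0.0.255"},
]

# Constructed sample: a broad permit defined before a host-specific deny.
# Under config order the permit wins; under auto the more specific deny wins.
OVERLAP = [
    {"id": 1, "action": "permit", "source": "10.0.0.0", "wildcard": "0.255.255.255"},
    {"id": 2, "action": "deny", "source": "10.1.1.1", "wildcard": "0"},
]

if __name__ == "__main__":
    print(match_order(ACL_2000, "auto"))             # [3, 2, 1], as display acl shows
    print(canonical_source("3.3.3.3", "0.0.0.255"))  # 3.3.3.0
    print(first_match(OVERLAP, "10.1.1.1"))          # (1, 'permit')
    print(first_match(OVERLAP, "10.1.1.1", "auto"))  # (2, 'deny')
```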
description
Syntax
description text
undo description
View
Basic ACL view, advanced ACL view, Layer 2 ACL view, user-defined ACL view
Parameters
text: Description string to be assigned to an ACL, a string of 1 to 127 characters. Blank spaces and special characters are acceptable.
Description
Use the description command to assign a description string to an ACL.
Use the undo description to remove the description string of the ACL.
You can give ACLs descriptions that provide relevant information, such as their application purposes and the ports they are applied to, so that you can easily identify and distinguish ACLs by their descriptions.
By default, no description string is assigned for an ACL.
Examples
# Assign description string “This ACL is used for filtering all HTTP packets” to ACL 3000.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] description This ACL is used for filtering all HTTP packets
# Use the display acl command to view the configuration information of ACL 3000.
[Sysname-acl-adv-3000] display acl 3000
Advanced ACL 3000, 0 rule
This acl is used for filtering all HTTP packets
Acl's step is 1
# Remove the description string of ACL 3000.
[Sysname-acl-adv-3000] undo description
display acl
Syntax
display acl { all | acl-number }
View
Any view
Parameters
all: Displays all ACLs.
acl-number: Number of the ACL to be displayed, in the range of 2000 to 5999.
Description
Use the display acl command to display the configuration information of a specified or all ACLs.
Note that if you specify the match order of an ACL when configuring the ACL, this command will display the rules of the ACL in the specified match order.
Examples
# Display information about ACL 2000.
<Sysname> display acl 2000
Basic ACL 2000, 3 rules, match-order is auto
This acl is used in eth 1/0/1
Acl's step is 1
rule 3 permit source 3.3.3.0 0.0.0.255
rule 2 permit source 2.2.0.0 0.0.255.255
rule 1 permit source 1.0.0.0 0.255.255.255
Table 1-1 Description on the fields of the display acl command

Field | Description |
---|---|
Basic ACL 2000 | The displayed information is about the basic ACL 2000. |
3 rules | The ACL includes three rules. |
match-order is auto | The match order of the ACL is depth-first. If this field is not displayed, the match order of the ACL is config. |
This acl is used in eth 1/0/1 | Description of the ACL |
Acl's step is 1 | The step for rules of this ACL is 1. |
rule 3 permit source 3.3.3.0 0.0.0.255 | Detailed information of a rule |
display drv qacl_resource
Syntax
display drv qacl_resource
View
Any view
Parameters
None
Description
Use the display drv qacl_resource command to display the usage of ACL resources on a switch.
The output shows how many ACL resources have been consumed, so you can determine whether ACL rules fail to be assigned because ACL resources are exhausted.
Examples
# Display the usage of ACL resources on a switch.
<Sysname> display drv qacl_resource
block used-mask used-rule spare-mask spare-rule
0 7 45 9 211
1 7 45 9 211
2 7 45 9 211
6 8 128 8 0
7 7 17 9 111
8 7 17 9 111
9 7 17 9 111
Table 1-2 Description on the fields of the display drv qacl_resource command

Field | Description |
---|---|
block | Block of ACL resources on the front panel. From left to right, every four columns of FE ports (eight FE ports in total) form a block, numbered from 0: 0 indicates Ethernet 1/0/1 to Ethernet 1/0/8, 1 indicates Ethernet 1/0/9 to Ethernet 1/0/16, and 2 indicates Ethernet 1/0/17 to Ethernet 1/0/24. Every GE port forms a block of its own, numbered from 6: 6 indicates GigabitEthernet 1/1/1, 7 indicates GigabitEthernet 1/1/2, 8 indicates GigabitEthernet 1/1/3, and 9 indicates GigabitEthernet 1/1/4. |
used-mask | Number of the used masks |
used-rule | Number of the used rules |
spare-mask | Number of the remaining masks |
spare-rule | Number of the remaining rules |
# Apply ACL 2001 to port GigabitEthernet 1/1/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/1/1
[Sysname-GigabitEthernet1/1/1] packet-filter inbound ip-group 2001
Applying Acl 2001 rule 0 failed! Reason: Resource unavailable!(GigabitEthernet1/1/1)
The above output information shows that the application failed because there is no available rule resource on port GigabitEthernet 1/1/1.
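A pre-check that parses display drv qacl_resource output and maps a port to its block as Table 1-2 describes, so an application that would fail with "Resource unavailable" can be spotted before the change window. Added example, not part of the H3C manual; it assumes each ACL rule applied to a port consumes one rule entry of the port's block, and the sample output is constructed in the shape of the example above.

```python
"""Parse display drv qacl_resource output and predict whether an ACL
application will fit. Added example, not part of the H3C manual.
Assumption: each ACL rule applied to a port consumes one rule entry of
the port's block; mask usage is reported but not modelled here."""
import re

# Constructed sample in the shape of the example output above.
SAMPLE_OUTPUT = """\
block used-mask used-rule spare-mask spare-rule
0 7 45 9 211
1 7 45 9 211
2 7 45 9 211
6 8 128 8 0
7 7 17 9 111
8 7 17 9 111
9 7 17 9 111
"""


def parse_qacl_resource(text):
    """Return {block: {column: value}} for each row of the output."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    table = {}
    for row in body:
        if len(row) != len(header):
            raise ValueError("malformed row: %r" % (row,))
        table[int(row[0])] = dict(zip(header[1:], (int(v) for v in row[1:])))
    return table


_PORT_RE = re.compile(r"^(Ethernet|GigabitEthernet)(\d+)/(\d+)/(\d+)$")


def port_to_block(port):
    """Map a port name to its block, as Table 1-2 describes:
    FE ports Ethernet 1/0/1-24 in groups of eight -> blocks 0-2,
    GE ports GigabitEthernet 1/1/1-4, one per port -> blocks 6-9."""
    m = _PORT_RE.match(port.replace(" ", ""))
    if not m:
        raise ValueError("unrecognised port name: %r" % port)
    kind, slot, num = m.group(1), int(m.group(3)), int(m.group(4))
    if kind == "Ethernet" and slot == 0 and 1 <= num <= 24:
        return (num - 1) // 8
    if kind == "GigabitEthernet" and slot == 1 and 1 <= num <= 4:
        return 6 + (num - 1)
    raise ValueError("port %r is outside the documented block layout" % port)


def can_apply(table, port, rules_needed):
    """True if the port's block still has room for rules_needed rule entries."""
    return table[port_to_block(port)]["spare-rule"] >= rules_needed


def exhausted_blocks(table):
    """Blocks on which any further packet-filter application would fail
    with 'Resource unavailable', as GigabitEthernet 1/1/1 does above."""
    return sorted(b for b, v in table.items() if v["spare-rule"] == 0)


if __name__ == "__main__":
    table = parse_qacl_resource(SAMPLE_OUTPUT)
    print(exhausted_blocks(table))                       # [6]
    print(can_apply(table, "GigabitEthernet 1/1/1", 1))  # False
```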
display packet-filter
Syntax
display packet-filter { interface interface-type interface-number | unitid unit-id }
View
Any view
Parameters
interface interface-type interface-number: Displays information about packet filtering on the specified port.
unitid unit-id: Displays information about packet filtering on the specified unit (when the switch is in a fabric) or packet filtering on all ports of the current switch (when the switch is not in a fabric). In the former case, the unit-id argument is in the range 1 to 8; in the latter case, the unit-id argument can only be 1.
Description
Use the display packet-filter command to display information about packet filtering.
Examples
# Display information about packet filtering on all ports of a switch that is not in a fabric.
<Sysname> display packet-filter unitid 1
Ethernet1/0/1
Inbound:
Acl 2000 rule 0 running
Ethernet1/0/2
Outbound:
Acl 2001 rule 0 not running
Table 1-3 Description on the fields of the display packet-filter command

Field | Description |
---|---|
Ethernet1/0/1 | Port on which packet filtering is performed |
Inbound | Direction of the packet filtering, Inbound or Outbound. |
Acl 2000 rule 0 | ACL and its rule(s) applied |
running | Status of the rule: running means the ACL rule is active; not running means the ACL rule is inactive, usually because the current time is outside the rule's time range. |
display time-range
Syntax
display time-range { all | time-name }
View
Any view
Parameters
all: Displays all time ranges.
time-name: Name of a time range, a string of 1 to 32 characters that starts with a letter (a to z or A to Z).
Description
Use the display time-range command to display the configuration and status of a time range or all the time ranges. For active time ranges, this command displays “Active”; for inactive time ranges, this command displays “Inactive”.
Related commands: time-range.
Examples
# Display all time ranges.
<Sysname> display time-range all
Current time is 17:01:34 May/21/2007 Monday
Time-range : tr ( Active )
12:00 to 18:00 working-day
Time-range : tr1 ( Inactive )
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
Table 1-4 Description on the fields of the display time-range command

Field | Description |
---|---|
Current time is 17:01:34 May/21/2007 Monday | Current system time |
Time-range | Name of the time range |
Active | Status of the time range: Active means the time range is currently active; Inactive means the time range is currently not active. |
12:00 to 18:00 working-day | The periodic time range is from 12:00 to 18:00 on each working day. |
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008 | The absolute time range is from 12:00 January 1, 2008 to 12:00 June 1, 2008. |
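The Active/Inactive evaluation behind the output above, and the running/not running status it produces in display packet-filter, as an added Python example (not part of the H3C manual). It assumes working-day means Monday to Friday and that a periodic range covers the start time but not the end time; the time ranges are constructed from the sample output.

```python
"""Evaluate time ranges the way display time-range reports them.
Added example, not part of the H3C manual. Assumptions: working-day means
Monday to Friday, and a periodic range covers [start, end)."""
from datetime import datetime, time

WORKING_DAYS = {0, 1, 2, 3, 4}          # datetime.weekday(): Monday is 0


def parse_clock(text):
    """'12:00' -> time(12, 0)"""
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def parse_stamp(text):
    """'12:00 Jan/1/2008' -> datetime, the format display time-range uses."""
    return datetime.strptime(text, "%H:%M %b/%d/%Y")


def parse_current_time(text):
    """'17:01:34 May/21/2007 Monday' -> datetime (the 'Current time is' line)."""
    return datetime.strptime(text, "%H:%M:%S %b/%d/%Y %A")


def periodic(start, end, days=WORKING_DAYS):
    """A periodic time range such as '12:00 to 18:00 working-day'."""
    return {"kind": "periodic", "start": parse_clock(start),
            "end": parse_clock(end), "days": days}


def absolute(begin, finish):
    """An absolute time range such as 'From 12:00 Jan/1/2008 to 12:00 Jun/1/2008'."""
    return {"kind": "absolute", "begin": parse_stamp(begin),
            "finish": parse_stamp(finish)}


def time_range_status(now, tr):
    """Return 'Active' or 'Inactive' for the time range at the given moment."""
    if tr["kind"] == "periodic":
        active = now.weekday() in tr["days"] and tr["start"] <= now.time() < tr["end"]
    else:
        active = tr["begin"] <= now <= tr["finish"]
    return "Active" if active else "Inactive"


def rule_status(now, tr):
    """The status display packet-filter shows for a rule bound to tr."""
    return "running" if time_range_status(now, tr) == "Active" else "not running"


# Constructed sample matching the display time-range output above.
NOW = parse_current_time("17:01:34 May/21/2007 Monday")
TIME_RANGES = {
    "tr": periodic("12:00", "18:00"),                        # working-day
    "tr1": absolute("12:00 Jan/1/2008", "12:00 Jun/1/2008"),
}

if __name__ == "__main__":
    for name, tr in TIME_RANGES.items():
        print("Time-range : %s ( %s )" % (name, time_range_status(NOW, tr)))
```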
packet-filter
Syntax
packet-filter { inbound | outbound } acl-rule
undo packet-filter { inbound | outbound } acl-rule
View
Ethernet port view
Parameters
inbound: Filters inbound packets.
outbound: Filters outbound packets.
acl-rule: ACL/ACL rules to be applied. This argument can be one of those listed in Table 1-5.
Table 1-5 Combined application of ACLs

Combination mode | The acl-rule argument |
---|---|
Apply all the rules of an ACL that is of IP type (The ACL can be a basic ACL or an advanced ACL.) | ip-group acl-number |
Apply a rule of an ACL that is of IP type | ip-group acl-number rule rule-id |
Apply all the rules of a Layer 2 ACL | link-group acl-number |
Apply a rule of a Layer 2 ACL | link-group acl-number rule rule-id |
Apply all the rules of a user-defined ACL | user-group acl-number |
Apply a rule of a user-defined ACL | user-group acl-number rule rule-id |
Apply a rule of an ACL that is of IP type and a rule of a Layer 2 ACL | ip-group acl-number rule rule-id link-group acl-number rule rule-id |
In Table 1-5:
- The ip-group acl-number keyword specifies a basic or an advanced ACL. The acl-number argument ranges from 2000 to 3999.
- The link-group acl-number keyword specifies a Layer 2 ACL. The acl-number argument ranges from 4000 to 4999.
- The user-group acl-number keyword specifies a user-defined ACL. The acl-number argument ranges from 5000 to 5999.
- The rule rule-id keyword specifies a rule of an ACL. The rule-id argument ranges from 0 to 65534. If you do not specify this argument, all the rules of the ACL are applied.
Description
Use the packet-filter command to apply ACL rules on a port to filter packets.
Use the undo packet-filter command to remove the application of ACL rules on a port.
Examples
# Apply all rules of basic ACL 2000 on Ethernet 1/0/1 to filter inbound packets. Here, it is assumed that the ACL and its rules are already configured.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000
[Sysname-Ethernet1/0/1] quit
# Apply rule 1 of Layer 2 ACL 4000 on Ethernet 1/0/2 to filter outbound packets. Here, it is assumed that the ACL and its rule numbered 1 are already configured.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] packet-filter outbound link-group 4000 rule 1
[Sysname-Ethernet1/0/2] quit
# Apply rule 2 of user-defined ACL 5000 on Ethernet 1/0/3 to filter inbound packets. Here, it is assumed that the ACL and its rule numbered 2 are already configured.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] packet-filter inbound user-group 5000 rule 2
[Sysname-Ethernet1/0/3] quit
# Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 on Ethernet 1/0/4 to filter inbound packets. Here, it is assumed that the ACLs and their rules are already configured.
[Sysname] interface Ethernet 1/0/4
[Sysname-Ethernet1/0/4] packet-filter inbound ip-group 3000 rule 1 link-group 4000 rule 2
After completing the above configuration, you can use the display packet-filter command to view information about packet filtering.
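A validator for the acl-rule argument, encoding Table 1-5 and the number ranges listed under it, so that scripted packet-filter and packet-filter vlan commands can be checked before they are pushed to a switch. Added example, not part of the H3C manual; the reserved numbers 3998 and 3999 come from the acl command above, and requiring ip-group before link-group in the combined form follows the order Table 1-5 documents.

```python
"""Validator for the acl-rule argument of packet-filter / packet-filter vlan.

Added example, not part of the H3C manual. It encodes Table 1-5 and the
number ranges listed under it."""

GROUP_RANGES = {
    "ip-group": (2000, 3999),     # basic (2000-2999) or advanced (3000-3999) ACL
    "link-group": (4000, 4999),   # Layer 2 ACL
    "user-group": (5000, 5999),   # user-defined ACL
}
RESERVED_ACLS = {3998, 3999}      # reserved for cluster management (see acl)
RULE_ID_RANGE = (0, 65534)


def parse_acl_rule(text):
    """Parse 'ip-group 3000 rule 1 link-group 4000 rule 2' into
    [(group, acl_number, rule_id_or_None), ...].
    Raises ValueError on anything Table 1-5 does not allow."""
    tokens = text.split()
    parts = []
    i = 0
    while i < len(tokens):
        group = tokens[i]
        if group not in GROUP_RANGES:
            raise ValueError("unexpected keyword %r" % group)
        if i + 1 >= len(tokens):
            raise ValueError("%s needs an ACL number" % group)
        acl_number = int(tokens[i + 1])
        lo, hi = GROUP_RANGES[group]
        if not lo <= acl_number <= hi:
            raise ValueError("%s %d: number must be %d to %d" % (group, acl_number, lo, hi))
        if acl_number in RESERVED_ACLS:
            raise ValueError("ACL %d is reserved for cluster management" % acl_number)
        i += 2
        rule_id = None
        if i < len(tokens) and tokens[i] == "rule":
            if i + 1 >= len(tokens):
                raise ValueError("rule needs a rule ID")
            rule_id = int(tokens[i + 1])
            if not RULE_ID_RANGE[0] <= rule_id <= RULE_ID_RANGE[1]:
                raise ValueError("rule %d: ID must be 0 to 65534" % rule_id)
            i += 2
        parts.append((group, acl_number, rule_id))
    if not parts:
        raise ValueError("acl-rule must name at least one ACL")
    if len(parts) == 1:
        return parts
    # The only documented combination: one rule of an IP-type ACL followed
    # by one rule of a Layer 2 ACL, each with an explicit rule ID.
    groups = [p[0] for p in parts]
    if groups != ["ip-group", "link-group"]:
        raise ValueError("only 'ip-group N rule R link-group N rule R' may be combined")
    if any(p[2] is None for p in parts):
        raise ValueError("combined application requires a rule ID for each ACL")
    return parts


def is_valid_acl_rule(text):
    """Convenience wrapper for audit scripts: True if parse_acl_rule accepts text."""
    try:
        parse_acl_rule(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The four combinations used in the examples above.
    for arg in ("ip-group 2000", "link-group 4000 rule 1",
                "user-group 5000 rule 2",
                "ip-group 3000 rule 1 link-group 4000 rule 2"):
        print(arg, "->", parse_acl_rule(arg))
```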
packet-filter vlan
Syntax
packet-filter vlan vlan-id { inbound | outbound } acl-rule
undo packet-filter vlan vlan-id { inbound | outbound } acl-rule
View
System view
Parameters
vlan-id: VLAN ID.
inbound: Specifies to filter packets received by the ports in the VLAN.
outbound: Specifies to filter packets to be transmitted by the ports in the VLAN.
acl-rule: ACL rules to be applied, which can be a combination of the rules of multiple ACLs, as described in Table 1-5.
Description
Use the packet-filter vlan command to apply ACL rules on ports in a VLAN to filter packets.
Use the undo packet-filter vlan command to remove the application of ACL rules on ports of a VLAN.
Note that the packet-filter vlan command applies the ACL rules on all ports in a VLAN, allowing you to apply ACL rules to multiple ports in one operation.
Examples
# Apply all rules of basic ACL 2000 on all ports in VLAN 10 to filter inbound packets. Here, it is assumed that the ACL and its rules and the VLAN are already configured.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] packet-filter vlan 10 inbound ip-group 2000
# Apply rule 1 of Layer 2 ACL 4000 on all ports in VLAN 20 to filter outbound packets. Here, it is assumed that the ACL and its rule numbered 1 and the VLAN are already configured.
[Sysname] packet-filter vlan 20 outbound link-group 4000 rule 1
# Apply rule 2 of user-defined ACL 5000 on all ports in VLAN 30 to filter inbound packets. Here, it is assumed that the ACL and its rule numbered 2 and the VLAN are already configured.
[Sysname] packet-filter vlan 30 inbound user-group 5000 rule 2
# Apply rule 1 of advanced ACL 3000 and rule 2 of Layer 2 ACL 4000 on all ports in VLAN 40 to filter inbound packets. Here, it is assumed that the ACLs and their rules and the VLAN are already configured.
[Sysname] packet-filter vlan 40 inbound ip-group 3000 rule 1 link-group 4000 rule 2
After completing the above configuration, you can use the display packet-filter command to view information about packet filtering.
rule (for Basic ACLs)
Syntax
rule [ rule-id ] { deny | permit} [ rule-string ]
undo rule rule-id [ fragment | source | time-range ]*
View
Basic ACL view
Parameters
Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-6.
Table 1-6 Parameters for basic IPv4 ACL rules

Parameters | Function | Description |
---|---|---|
source { sour-addr sour-wildcard \| any } | Specifies a source address. | The sour-addr sour-wildcard argument specifies a source IP address in dotted decimal notation. A wildcard of 0 specifies a host address. The any keyword indicates any source IP address. |
fragment | Indicates that the rule applies only to non-tail fragments. | – |
time-range time-name | Specifies the time range in which the rule takes effect. | time-name: specifies the name of the time range in which the rule is active; a string of 1 to 32 characters. |

The sour-wildcard argument is the bitwise complement of the source subnet mask. For example, input 0.0.255.255 to specify the subnet mask 255.255.0.0.
Parameters of the undo rule command
rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
fragment: Removes the settings concerning non-tail fragments in the ACL rule.
source: Removes the settings concerning source address in the ACL rule.
time-range: Removes the settings concerning time range in the ACL rule.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.
Note that:
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: if the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is already 65534, the system displays an error message and you need to specify a number for the rule.
- The content of a modified or created rule cannot be identical with the content of any existing rule; otherwise the modification or creation fails and the system prompts that the rule already exists.
- With the auto match order specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unchanged.
Examples
# Create basic ACL 2000 and define rule 1 to deny packets whose source IP addresses are 192.168.0.1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 192.168.0.1 0
[Sysname-acl-basic-2000] quit
# Create basic ACL 2001 and define rule 1 to deny packets that are non-tail fragments.
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule 1 deny fragment
[Sysname-acl-basic-2001] quit
# Create basic ACL 2002 and define rule 1 to deny all packets during the period specified by time range trname.
[Sysname] acl number 2002
[Sysname-acl-basic-2002] rule 1 deny time-range trname
After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.
rule (for Advanced ACLs)
Syntax
rule [ rule-id ] { deny | permit } protocol [ rule-string ]
undo rule rule-id [ destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos ]*
View
Advanced ACL view
Parameters
Parameters of the rule command
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
protocol: Protocol carried by IP. When the protocol is represented by a number, it ranges from 1 to 255; when represented by a name, it can be gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17).
rule-string: ACL rule information, which can be a combination of the parameters described in Table 1-7.
Table 1-7 Arguments/keywords available to the rule-string argument

Arguments/Keywords | Type | Function | Description |
---|---|---|---|
source { sour-addr sour-wildcard \| any } | Source address | Specifies the source address information for the ACL rule | The sour-addr sour-wildcard arguments specify the source address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the source address by providing 0 for the sour-wildcard argument. The any keyword specifies any source address. |
destination { dest-addr dest-wildcard \| any } | Destination address | Specifies the destination address information for the ACL rule | The dest-addr dest-wildcard arguments specify the destination address of the packets, expressed in dotted decimal notation. You can specify the IP address of a host as the destination address by providing 0 for the dest-wildcard argument. The any keyword specifies any destination address. |
precedence precedence | Packet priority | Specifies an IP precedence. | The precedence argument can be a number in the range 0 to 7. |
tos tos | Packet priority | Specifies a ToS preference. | The tos argument can be a number in the range 0 to 15. |
dscp dscp | Packet priority | Specifies a DSCP priority. | The dscp argument can be a number in the range 0 to 63. |
fragment | Fragment information | Indicates that the rule applies only to non-tail fragments. | — |
time-range time-name | Time range information | Specifies the time range in which the rule takes effect. | time-name: specifies the name of the time range in which the rule is active; a string of 1 to 32 characters. |

The sour-wildcard/dest-wildcard argument is the bitwise complement of the source/destination subnet mask. For example, input 0.0.255.255 to specify the subnet mask 255.255.0.0.
If you specify the dscp keyword, you can directly input a value ranging from 0 to 63 or input one of the keywords listed in Table 1-8 as DSCP.
Table 1-8 DSCP values and the corresponding keywords

Keyword | DSCP value in decimal | DSCP value in binary |
---|---|---|
af11 | 10 | 001010 |
af12 | 12 | 001100 |
af13 | 14 | 001110 |
af21 | 18 | 010010 |
af22 | 20 | 010100 |
af23 | 22 | 010110 |
af31 | 26 | 011010 |
af32 | 28 | 011100 |
af33 | 30 | 011110 |
af41 | 34 | 100010 |
af42 | 36 | 100100 |
af43 | 38 | 100110 |
be | 0 | 000000 |
cs1 | 8 | 001000 |
cs2 | 16 | 010000 |
cs3 | 24 | 011000 |
cs4 | 32 | 100000 |
cs5 | 40 | 101000 |
cs6 | 48 | 110000 |
cs7 | 56 | 111000 |
ef | 46 | 101110 |
If you specify the precedence keyword, you can directly input a value ranging from 0 to 7 or input one of the keywords listed in Table 1-9 as IP precedence.
Table 1-9 IP precedence values and the corresponding keywords

Keyword | IP Precedence in decimal | IP Precedence in binary |
---|---|---|
routine | 0 | 000 |
priority | 1 | 001 |
immediate | 2 | 010 |
flash | 3 | 011 |
flash-override | 4 | 100 |
critical | 5 | 101 |
internet | 6 | 110 |
network | 7 | 111 |
If you specify the tos keyword, you can directly input a value ranging from 0 to 15 or input one of the keywords listed in Table 1-10 as the ToS value.
Table 1-10 ToS values and the corresponding keywords

Keyword | ToS in decimal | ToS in binary |
---|---|---|
normal | 0 | 0000 |
min-monetary-cost | 1 | 0001 |
max-reliability | 2 | 0010 |
max-throughput | 4 | 0100 |
min-delay | 8 | 1000 |
If the protocol type is TCP or UDP, you can also define the information listed in Table 1-11.
Table 1-11 TCP/UDP-specific ACL rule information

Parameters | Type | Function | Description |
---|---|---|---|
source-port operator port1 [ port2 ] | Source port | Defines the source port information of UDP/TCP packets | The value of operator can be lt (less than), gt (greater than), eq (equal to), neq (not equal to) or range (within the range of). Only the range operator requires two port numbers as operands; the other operators require one. port1 and port2: TCP/UDP port number(s), expressed as port names or port numbers; when expressed as numbers, the value range is 0 to 65535. With the range operator, port2 does not need to be greater than port1 because the switch determines the range itself. If port1 is the same as port2, the switch converts the operator range to eq. Note that if you specify lt 1 or gt 65534, the switch converts it to eq 0 or eq 65535 respectively. |
destination-port operator port1 [ port2 ] | Destination port | Defines the destination port information of UDP/TCP packets | Same as for source-port. |
established | TCP connection flag | Specifies that the rule is applicable only to the first SYN segment for establishing a TCP connection | TCP-specific argument |
For a rule of an advanced ACL that is applied to ports or VLANs of the H3C S3600 series Ethernet switches, if it contains TCP or UDP port information, the operator argument can only be eq.
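The operator conversions from Table 1-11 and the eq-only restriction just stated, as an added Python example (not part of the H3C manual). Treating range as inclusive at both ends is an assumption; the conversions for range, lt 1 and gt 65534 are the ones the table describes.

```python
"""TCP/UDP port operator handling for advanced ACL rules.

Added example, not part of the H3C manual. It applies the conversions
Table 1-11 describes and the S3600 restriction that a rule applied with
packet-filter may only use eq for port information."""

OPERATORS = {"lt", "gt", "eq", "neq", "range"}
PORT_MAX = 65535


def normalize_port_operator(operator, port1, port2=None):
    """Return (operator, port1, port2) as the switch stores them."""
    if operator not in OPERATORS:
        raise ValueError("unknown operator %r" % operator)
    for p in (port1, port2):
        if p is not None and not 0 <= p <= PORT_MAX:
            raise ValueError("port %d out of range 0 to %d" % (p, PORT_MAX))
    if operator == "range":
        if port2 is None:
            raise ValueError("range requires two port numbers")
        lo, hi = sorted((port1, port2))        # the switch judges the range itself
        if lo == hi:                           # range X X becomes eq X
            return ("eq", lo, None)
        return ("range", lo, hi)
    if port2 is not None:
        raise ValueError("%s takes a single port number" % operator)
    if operator == "lt" and port1 == 1:        # lt 1 becomes eq 0
        return ("eq", 0, None)
    if operator == "gt" and port1 == PORT_MAX - 1:   # gt 65534 becomes eq 65535
        return ("eq", PORT_MAX, None)
    return (operator, port1, None)


def port_matches(operator, port1, port2, port):
    """Evaluate a packet's port against an operator after normalisation.
    Assumption: range is inclusive at both ends."""
    operator, port1, port2 = normalize_port_operator(operator, port1, port2)
    if operator == "lt":
        return port < port1
    if operator == "gt":
        return port > port1
    if operator == "eq":
        return port == port1
    if operator == "neq":
        return port != port1
    return port1 <= port <= port2


def applicable_on_s3600(operator, port1, port2=None):
    """A rule applied to an S3600 port or VLAN may only use eq, so check the
    operator after the switch's own conversions (range 443 443 becomes eq 443)."""
    return normalize_port_operator(operator, port1, port2)[0] == "eq"


if __name__ == "__main__":
    print(normalize_port_operator("range", 80, 20))   # ('range', 20, 80)
    print(normalize_port_operator("gt", 65534))       # ('eq', 65535, None)
    print(applicable_on_s3600("gt", 1023))            # False
```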
If TCP or UDP port number is represented by name, you can also define the information listed in Table 1-12.
Table 1-12 TCP or UDP port values

Type | Value |
---|---|
TCP | CHARgen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), www (80) |
UDP | biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), xdmcp (177) |
If the protocol type is ICMP, you can also define the information listed in Table 1-13.
Table 1-13 ICMP-specific ACL rule information

Parameters | Type | Function | Description |
---|---|---|---|
icmp-type icmp-type icmp-code | Type and message code information of ICMP packets | Specifies the type and message code information of ICMP packets in the ACL rule | icmp-type: ICMP message type, in the range 0 to 255. icmp-code: ICMP message code, in the range 0 to 255. |
If the protocol type is ICMP, you can also just input the ICMP message name after the icmp-type keyword. See Table 1-14 for ICMP messages.
Table 1-14 ICMP messages

Name | ICMP type | ICMP code |
---|---|---|
echo | Type=8 | Code=0 |
echo-reply | Type=0 | Code=0 |
fragmentneed-DFset | Type=3 | Code=4 |
host-redirect | Type=5 | Code=1 |
host-tos-redirect | Type=5 | Code=3 |
host-unreachable | Type=3 | Code=1 |
information-reply | Type=16 | Code=0 |
information-request | Type=15 | Code=0 |
net-redirect | Type=5 | Code=0 |
net-tos-redirect | Type=5 | Code=2 |
net-unreachable | Type=3 | Code=0 |
parameter-problem | Type=12 | Code=0 |
port-unreachable | Type=3 | Code=3 |
protocol-unreachable | Type=3 | Code=2 |
reassembly-timeout | Type=11 | Code=1 |
source-quench | Type=4 | Code=0 |
source-route-failed | Type=3 | Code=5 |
timestamp-reply | Type=14 | Code=0 |
timestamp-request | Type=13 | Code=0 |
ttl-exceeded | Type=11 | Code=0 |
Parameters of the undo rule command
rule-id: Rule ID, which must be the ID of an existing ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
source: Removes the settings concerning the source address in the ACL rule.
source-port: Removes the settings concerning the source port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP.
destination: Removes the settings concerning the destination address in the ACL rule.
destination-port: Removes the settings concerning the destination port in the ACL rule. This keyword is only available to the ACL rules with their protocol types set to TCP or UDP.
icmp-type: Removes the settings concerning the ICMP type and message code in the ACL rule. This keyword is only available to the ACL rules with their protocol type set to ICMP.
precedence: Removes the precedence-related settings in the ACL rule.
tos: Removes the ToS-related settings in the ACL rule.
dscp: Removes the DSCP-related settings in the ACL rule.
time-range: Removes the time range settings in the ACL rule.
fragment: Removes the settings concerning non-tail fragments in the ACL rule.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule or specified settings of an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. If no other arguments are specified, the entire ACL rule is removed. Otherwise, only the specified information of the ACL rule is removed.
Note that:
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically: if the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is already 65534, the system displays an error message and you need to specify a number for the rule.
- The content of a modified or created rule cannot be identical with the content of any existing rule; otherwise the modification or creation fails and the system prompts that the rule already exists.
- If the ACL is created with the auto keyword specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unchanged.
Examples
# Create advanced ACL 3000 and define rule 1 to deny packets with the source IP address of 192.168.0.1 and DSCP priority of 46.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip source 192.168.0.1 0 dscp 46
[Sysname-acl-adv-3000] quit
# Create advanced ACL 3001 and define rule 1 to permit TCP packets that are sourced from network 129.9.0.0/16, destined for network 202.38.160.0/24, and using the destination port number of 80.
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule 1 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.
rule (for Layer 2 ACLs)
Syntax
rule [ rule-id ] { deny | permit } [ rule-string ]
undo rule rule-id
View
Layer 2 ACL view
Parameters
rule-id: ACL rule ID, in the range of 0 to 65534.
deny: Drops the matched packets.
permit: Permits the matched packets.
rule-string: ACL rule information, which can be a combination of the arguments/keywords described in Table 1-15.
Table 1-15 Layer 2 ACL rule information

Parameters | Type | Function | Description |
---|---|---|---|
format-type | Link layer encapsulation type | Specifies the link layer encapsulation type in the rule | This argument can be 802.3/802.2, 802.3, ether_ii, or snap. |
lsap lsap-code lsap-wildcard | lsap field | Specifies the lsap field for the ACL rule | lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number. lsap-wildcard: Mask of the lsap value, a 16-bit hexadecimal number used to specify the mask bits. |
source { source-mac-addr source-mac-mask \| vlan-id }* | Source MAC address information or source VLAN information | Specifies the source MAC address range or source VLAN ID for the ACL rule | source-mac-addr: Source MAC address, in the format H-H-H. source-mac-mask: Mask of the source MAC address, in the format H-H-H. vlan-id: Source VLAN ID, in the range 1 to 4094. |
dest dest-mac-addr dest-mac-mask | Destination MAC address information | Specifies the destination MAC address range for the ACL rule | dest-mac-addr: Destination MAC address, in the format H-H-H. dest-mac-mask: Mask of the destination MAC address, in the format H-H-H. |
cos cos | Priority | Specifies the 802.1p priority of the rule | cos: VLAN priority, in the range 0 to 7. |
c-tag-vlan c-tag-vlan-begin [ to c-tag-vlan-end ] | Inner VLAN information | Specifies information about the inner VLAN of the rule | c-tag-vlan-begin, c-tag-vlan-end: VLAN ID, in the range 1 to 4094. This keyword and argument combination is usually used together with the QinQ function. For information about QinQ, refer to VLAN-VPN Operation. |
time-range time-name | Time range information | Specifies the time range in which the rule takes effect. | time-name: specifies the name of the time range in which the rule is active; a string of 1 to 32 characters. |
type protocol-type protocol-mask | Protocol type of Ethernet frames | Specifies the protocol type of Ethernet frames for the ACL rule | protocol-type: Protocol type. protocol-mask: Protocol type mask. |
When layer 2 ACLs are applied to ports or VLANs of the H3C S3600 series Ethernet switches, rules configured with the format-type argument and the lsap keyword are invalid.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
Note that:
- You can modify any existing rule of a Layer 2 ACL; the unmodified part remains unchanged.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is already 65534, the system displays an error message and you must specify a number for the rule.
- The content of a modified or created rule cannot be identical with the content of any existing rule; otherwise the modification or creation fails, and the system prompts that the rule already exists.
Examples
# Create Layer 2 ACL 4000 and define rule 1 to deny packets that are sourced from MAC address 000d-88f5-97ed, destined for MAC address 0011-4301-991e, and using the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule 1 deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
[Sysname-acl-ethernetframe-4000] quit
# Create Layer 2 ACL 4001 and define rule 1 to permit packets whose inner VLAN IDs are in the range 2 to 10.
[Sysname] acl number 4001
[Sysname-acl-ethernetframe-4001] rule 1 permit c-tag-vlan 2 to 10
After completing the above configuration, you can use the display acl command to view the configuration information of the ACLs.
rule (for user-defined ACLs)
Syntax
rule [ rule-id ] { deny | permit } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ]
undo rule rule-id
View
User-defined ACL view
Parameters
rule-id: ID of an ACL rule, in the range of 0 to 65534.
rule-string: User-defined ACL rule string. It must be an even hexadecimal number comprising 2 to 160 hexadecimal numerals.
rule-mask: User-defined mask of the ACL rule. It must be an even hexadecimal number containing 2 to 160 hexadecimal numerals and be of the same length as that of the rule-string argument. This argument is used to perform the logical AND operations with packets.
offset: Mask offset of the rule. It specifies a position in packets, from which the logical AND operation is to be performed. It ranges from 0 to 79 (in bytes).
Note that:
- The maximum value of the mask offset decreases by one byte for every two additional hexadecimal numerals in the rule-string argument. For example, when the rule-string contains two hexadecimal numerals, the maximum offset is 79 bytes; when it contains four hexadecimal numerals, the maximum offset is 78 bytes, and so on.
- The valid length of the mask offset is 128 hexadecimal numerals (64 bytes). For example, assume that you specify a rule string of aa and set its offset to 2. If you then specify a rule string of bb, its offset must be in the range of 3 to 65 bytes. If you set the offset of the rule string aa to 3, the offset of the rule string bb must be in the range of 4 to 66 bytes, and so on. However, the offset of the rule string bb can never be greater than 79 bytes.
- As shown in Table 1-16, the hardware rule of the S3600 series logically divides the mask offset of a user-defined rule string into multiple offset units, each 4 bytes long. The available offset units fall into eight groups, numbered Offset1 to Offset8.
- With the S3600 series, a user-defined rule string may or may not contain spaces and can be up to 32 bytes long. It can occupy up to eight offset units, and no two of those units can belong to the same offset group; otherwise, the ACL cannot be applied successfully.
Table 1-16 Offset units of a user-defined rule string (each cell is one 4-byte offset unit; each column is one offset group)

| Offset1 | Offset2 | Offset3 | Offset4 | Offset5 | Offset6 | Offset7 | Offset8 |
|---|---|---|---|---|---|---|---|
| 0 to 3 | 4 to 7 | 8 to 11 | 12 to 15 | 16 to 19 | 20 to 23 | 24 to 27 | 28 to 31 |
| 2 to 5 | 6 to 9 | 10 to 13 | 14 to 17 | 18 to 21 | 22 to 25 | 26 to 29 | 30 to 33 |
| 6 to 9 | 10 to 13 | 14 to 17 | 18 to 21 | 22 to 25 | 26 to 29 | 30 to 33 | 34 to 37 |
| 12 to 15 | 16 to 19 | 20 to 23 | 24 to 27 | 28 to 31 | 32 to 35 | 36 to 39 | 40 to 43 |
| 20 to 23 | 24 to 27 | 28 to 31 | 32 to 35 | 36 to 39 | 40 to 43 | 44 to 47 | 48 to 51 |
| 30 to 33 | 34 to 37 | 38 to 41 | 42 to 45 | 46 to 49 | 50 to 53 | 54 to 57 | 58 to 61 |
| 42 to 45 | 46 to 49 | 50 to 53 | 54 to 57 | 58 to 61 | 62 to 65 | 66 to 69 | 70 to 73 |
| 56 to 59 | 60 to 63 | 64 to 67 | 68 to 71 | 72 to 75 | 76 to 79 | 0 to 3 | 4 to 7 |
&<1-8>: At most eight rules can be defined at one time.
time-range time-name: Specifies a time range within which the ACL rule is valid.
Description
Use the rule command to define an ACL rule.
Use the undo rule command to remove an ACL rule.
To remove an ACL rule using the undo rule command, you need to provide the ID of the ACL rule. You can obtain the ID of an ACL rule by using the display acl command.
Note that:
- You can modify any existing rule of a user-defined ACL. If you modify only the time range and/or the action, the unmodified parts of the rule remain the same. If you modify the rule-string rule-mask offset combinations, however, the new combinations replace all of the original ones.
- If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the rule number is the greatest existing rule number plus one. If the current greatest rule number is already 65534, the system displays an error message and you must specify a number for the rule.
- The content of a modified or created rule cannot be identical with the content of any existing rule; otherwise the modification or creation fails, and the system prompts that the rule already exists.
When specifying the offset, take the following two items into account:
- If VLAN-VPN is not enabled on any port, each packet in the switch carries one VLAN tag, which is four bytes long.
- If VLAN-VPN is enabled on a port, each packet in the switch carries two VLAN tags, which occupy eight bytes.
Frequently used protocol types and offsets are listed in the following table.
Table 1-17 Frequently used protocol types and offsets

| Protocol | Protocol number in hexadecimal | Offset when VLAN-VPN is not enabled on any port | Offset when VLAN-VPN is enabled on a port |
|---|---|---|---|
| ARP | 0x0806 | 16 | 20 |
| RARP | 0x8035 | 16 | 20 |
| IP | 0x0800 | 16 | 20 |
| IPX | 0x8137 | 16 | 20 |
| AppleTalk | 0x809B | 16 | 20 |
| ICMP | 0x01 | 27 | 31 |
| IGMP | 0x02 | 27 | 31 |
| TCP | 0x06 | 27 | 31 |
| UDP | 0x11 | 27 | 31 |
Examples
# Create user-defined ACL 5000 and define rule 1 to deny all TCP packets (it is assumed that no port is enabled with the VLAN-VPN function). In the following rule command line, 06 is the protocol number of TCP, ff is the rule mask, and 27 is the offset of the protocol field in an IP packet that the switch processes internally.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule 1 deny 06 ff 27
[Sysname-acl-user-5000] quit
# Create user-defined ACL 5001 and define rule 1 to deny ARP packets sourced from 192.168.0.1 (it is assumed that no port is enabled with the VLAN-VPN function). In the following rule command line, 0806 is the protocol number of ARP, 16 is the offset of the protocol field in an Ethernet packet that the switch processes internally, c0a80001 is the representation of 192.168.0.1 in hexadecimal, and 32 is the offset of the source IP address field in an ARP packet that the switch processes internally.
[Sysname] acl number 5001
[Sysname-acl-user-5001] rule 1 deny 0806 ffff 16 c0a80001 ffffffff 32
[Sysname-acl-user-5001] quit
# Create user-defined ACL 5002 and define rule 1, specifying a 32-byte rule string, a rule mask of all Fs, and an offset of 4. Then, apply the ACL to Ethernet 1/0/1.
[Sysname] acl number 5002
[Sysname-acl-user-5002] rule 1 deny 1234567890123456789012345678901234567890123456789012345678901234 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 4
[Sysname-acl-user-5002] quit
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound user-group 5002
In this example, the 32-byte rule string occupies eight offset units: 4 to 7 (Offset2), 8 to 11 (Offset3), 12 to 15 (Offset4), 16 to 19 (Offset5), 20 to 23 (Offset1), 24 to 27 (Offset7), 28 to 31 (Offset8), and 32 to 35 (Offset6), as shown in Table 1-16. The rule can be assigned successfully.
# Create user-defined ACL 5003 and define rule 1, specifying a 32-byte rule string, a rule mask of all Fs, and an offset of 24. Then, apply the ACL to Ethernet 1/0/2.
[Sysname] acl number 5003
[Sysname-acl-user-5003] rule 1 deny 1234567890123456789012345678901234567890123456789012345678901234 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 24
[Sysname-acl-user-5003] quit
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] packet-filter inbound user-group 5003
Applying Acl 5003 rule 1 failed!
Reason: This type of ACL rule is not supported by the command which is attempting to use the ACL!(Ethernet1/0/2)
In this example, the 32-byte rule string does not comply with the rule that a user-defined rule string can contain up to eight mask offset units, and any two offset units cannot belong to the same offset group. The ACL cannot be assigned.
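The following Python model, added here and not part of the H3C manual, shows how the rule-string rule-mask offset segments of a user-defined rule are ANDed against a frame as the switch holds it internally (one VLAN tag, VLAN-VPN disabled) and checks a rule string against the offset units of Table 1-16. The frames are constructed sample data, and the search that assigns offset units to groups is an assumption about how the hardware allocates them; it reproduces the ACL 5000 to 5003 outcomes above.

```python
from functools import lru_cache

# Table 1-16: column g holds the first byte of each 4-byte unit in group Offset(g+1).
OFFSET_TABLE = [
    (0, 4, 8, 12, 16, 20, 24, 28), (2, 6, 10, 14, 18, 22, 26, 30),
    (6, 10, 14, 18, 22, 26, 30, 34), (12, 16, 20, 24, 28, 32, 36, 40),
    (20, 24, 28, 32, 36, 40, 44, 48), (30, 34, 38, 42, 46, 50, 54, 58),
    (42, 46, 50, 54, 58, 62, 66, 70), (56, 60, 64, 68, 72, 76, 0, 4),
]
UNITS = {}  # unit start byte -> groups (1..8) that provide that unit
for row in OFFSET_TABLE:
    for group, start in enumerate(row, 1):
        UNITS.setdefault(start, set()).add(group)

def segment_matches(frame, rule_string, rule_mask, offset):
    """AND the frame bytes at offset with rule-mask and compare with rule-string."""
    pattern, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    if len(pattern) != len(mask) or offset + len(pattern) > len(frame):
        return False
    window = frame[offset:offset + len(pattern)]
    return all(w & m == p & m for w, m, p in zip(window, mask, pattern))

def rule_matches(frame, segments):
    """A rule (up to eight segments) matches only when every segment matches."""
    return all(segment_matches(frame, s, m, o) for s, m, o in segments)

def units_needed(offset, nbytes):
    """Fewest Table 1-16 units from distinct groups covering the string, or None
    when no cover with at most eight units exists (assumption: the rule then
    cannot be applied, as in the ACL 5003 example)."""
    last = offset + nbytes - 1

    @lru_cache(maxsize=None)
    def cover(byte, used):  # byte: lowest byte not yet covered by a unit
        if byte > last:
            return 0
        best = None
        for start, groups in UNITS.items():
            if start <= byte <= start + 3:
                for g in groups - used:
                    rest = cover(start + 4, used | {g})
                    if rest is not None and (best is None or rest + 1 < best):
                        best = rest + 1
        return best

    n = cover(offset, frozenset())
    return n if n is not None and n <= 8 else None

# Constructed frames: dst MAC, src MAC, one 802.1Q tag (VLAN 1), ethertype, payload.
ETH_HDR = bytes.fromhex("000d88f597ed" "00114301991e" "81000001")
IPV4_HDR = "4500002800004000" "40" "{proto}" "0000" "c0a80001" "c0a80002"  # protocol is byte 9
TCP_FRAME = ETH_HDR + bytes.fromhex("0800" + IPV4_HDR.format(proto="06"))
UDP_FRAME = ETH_HDR + bytes.fromhex("0800" + IPV4_HDR.format(proto="11"))
ARP_FRAME = ETH_HDR + bytes.fromhex("0806" "0001080006040001" "00114301991e" "c0a80001" "000000000000" "c0a80002")
```

With one VLAN tag the ethertype lands at byte 16 and the IP protocol field at byte 27, which is why the ACL 5000 and 5001 rules use those offsets.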
rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
Advanced ACL view, Layer 2 ACL view, user-defined ACL view
Parameters
rule-id: ID of the ACL rule, in the range of 0 to 65534.
text: Comment for the ACL rule, a string of 1 to 127 characters. Blank spaces and special characters are acceptable.
Description
Use the rule comment command to define a comment for the ACL rule.
Use the undo rule comment command to remove the comment defined for the ACL rule.
You can give rules comments that provide relevant information such as their purpose and the ports they are applied to, so that you can easily identify and distinguish ACL rules by their comments.
By default, an ACL rule has no comment.
Before defining a comment for an ACL rule, make sure that the ACL rule exists.
Examples
# Define the comment “This rule is to be applied to Ethernet 1/0/1” for rule 0 of advanced ACL 3001.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule 0 comment This rule is to be applied to Ethernet 1/0/1
# Use the display acl command to view the configuration information of advanced ACL 3001.
[Sysname-acl-adv-3001] display acl 3001
Advanced ACL 3001, 1 rule
Acl's step is 1
rule 0 deny IP source 1.1.1.1 0 destination 2.2.2.2 0
rule 0 comment This rule is to be applied to Ethernet 1/0/1
time-range
Syntax
time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
undo time-range { all | name time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ] }
View
System view
Parameters
all: Removes all the time ranges.
time-name: Name of a time range, a case-insensitive string of 1 to 32 characters that starts with a letter (a to z or A to Z). To avoid confusion, it cannot be all.
start-time: Start time of a periodic time range, in the form of hh:mm.
end-time: End time of a periodic time range, in the form of hh:mm. The end time must be greater than the start time.
days-of-the-week: Day of the week when the periodic time range is active. You can provide this argument in one of the following forms.
- Numeral (0 to 6)
- Mon, Tue, Wed, Thu, Fri, Sat, and Sun
- Working days (Monday through Friday)
- Off days (Saturday and Sunday)
- Daily, namely every day of the week
from start-time start-date: Specifies the start date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the start date is not specified, the time range starts from 1970/01/01 00:00.
to end-time end-date: Specifies the end date of an absolute time range, in the form of hh:mm MM/DD/YYYY or hh:mm YYYY/MM/DD. The start-time start-date and end-time end-date arguments jointly define the period in which the absolute time range takes effect. If the end date is not specified, the time range ends at 2100/12/31 23:59.
Description
Use the time-range command to define a time range.
Use the undo time-range command to remove the specified or all time ranges.
Note that:
- The switch supports up to 256 time ranges, each of which can have up to 32 periodic time sections and 12 absolute time sections.
- If only periodic time sections are defined in a time range, the time range is active only when the system time is within one of the defined periodic time sections.
- If only absolute time sections are defined in a time range, the time range is active only when the system time is within one of the defined absolute time sections.
- If both periodic and absolute time sections are defined in a time range, the time range is active only when the system time matches both a periodic time section and an absolute time section. Assume that a time range defines an absolute time section from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section from 12:00 to 14:00 every Wednesday. This time range is active only from 12:00 to 14:00 on Wednesdays in 2004.
Examples
# Define a periodic time range that is active from 08:00 to 12:00 every working day.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] time-range tr1 08:00 to 12:00 working-day
# Define an absolute time range that is active from 12:00 January 1, 2008 to 12:00 June 1, 2008.
[Sysname] time-range tr2 from 12:00 1/1/2008 to 12:00 6/1/2008
# Display the configuration information of the time ranges.
[Sysname] display time-range all
Current time is 17:37:23 Nov/27/2007 Tuesday
Time-range : tr1 ( Inactive )
08:00 to 12:00 working-day
Time-range : tr2 ( Inactive )
From 12:00 Jan/1/2008 to 12:00 Jun/1/2008
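An evaluator for the activation rules described under time-range, written in Python for this page and not taken from the manual. It assumes inclusive hh:mm boundaries (the manual does not state them) and uses Python's weekday numbering (Monday is 0) in place of the switch's day names; tr1 and tr2 are the two ranges from the examples above.

```python
from datetime import datetime

# days-of-the-week expressed as datetime.weekday() values (Monday is 0)
WORKING_DAY, OFF_DAY, DAILY = frozenset(range(5)), frozenset({5, 6}), frozenset(range(7))
MAX_PERIODIC, MAX_ABSOLUTE = 32, 12  # per-time-range limits given in the manual

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

class TimeRange:
    def __init__(self, name):
        self.name, self.periodic, self.absolute = name, [], []

    def add_periodic(self, start, end, days):
        """start-time to end-time days-of-the-week; the end time must exceed the start."""
        if _minutes(end) <= _minutes(start):
            raise ValueError("end time must be greater than start time")
        if len(self.periodic) >= MAX_PERIODIC:
            raise ValueError("at most 32 periodic time sections per time range")
        self.periodic.append((_minutes(start), _minutes(end), frozenset(days)))
        return self

    def add_absolute(self, start=None, end=None):
        """from start-time start-date [ to end-time end-date ]; a missing bound
        defaults to 1970/01/01 00:00 or 2100/12/31 23:59 as the manual states."""
        if len(self.absolute) >= MAX_ABSOLUTE:
            raise ValueError("at most 12 absolute time sections per time range")
        self.absolute.append((start or datetime(1970, 1, 1),
                              end or datetime(2100, 12, 31, 23, 59)))
        return self

    def is_active(self, now):
        """Active when some periodic section matches and some absolute section
        matches; a kind of section that was never defined imposes no restriction."""
        minute = now.hour * 60 + now.minute  # boundaries treated as inclusive (assumption)
        periodic_ok = any(s <= minute <= e and now.weekday() in d for s, e, d in self.periodic)
        absolute_ok = any(s <= now <= e for s, e in self.absolute)
        return (periodic_ok or not self.periodic) and (absolute_ok or not self.absolute)

# The two time ranges configured in the examples above.
TR1 = TimeRange("tr1").add_periodic("08:00", "12:00", WORKING_DAY)
TR2 = TimeRange("tr2").add_absolute(datetime(2008, 1, 1, 12, 0), datetime(2008, 6, 1, 12, 0))
```

Evaluated at the system time shown in the display output (17:37 on Tuesday, Nov 27, 2007), both ranges come out inactive, matching the display.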