Part 7 - ACL - QoS

01-ACL Commands


Common Configuration Commands

display acl resource

Syntax

display acl resource [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

slot slot-number: Displays the usage of ACL resources on a member device in the IRF virtual device. The slot-number argument is the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display acl resource command to display the usage of ACL resources on a device.

If no slot is specified, the output statistics differ depending on whether the switch is an IRF member.

• If the device is an IRF member, the ACL rule usage statistics for all switches in the IRF are displayed.

• If the switch is not an IRF member, only its own ACL rule usage statistics are displayed.

Examples

# Display the ACL resource usage on a switch.

<Sysname> display acl resource

Interface:

    GE1/0/1 to GE1/0/24

--------------------------------------------------------------------------------

  Type       Total   Reserved  Configured  Remaining

--------------------------------------------------------------------------------

 VFP ACL     2048     0         0           2048

 IFP ACL     8192     2048      21          6123

 IFP Meter   4096     1024      0           3072

 IFP Counter 4096     1024      21          3051

 EFP ACL     1024     0         21          1003

 EFP Meter   512      0         0           512

 EFP Counter 512      0         21          491

 

 Interface:

    GE1/0/25 to GE1/0/48, XGE1/0/49 to XGE1/0/52

--------------------------------------------------------------------------------

  Type       Total   Reserved  Configured  Remaining

--------------------------------------------------------------------------------

 VFP ACL     2048     0         0           2048

 IFP ACL     8192     2048      0           6144

 IFP Meter   4096     1024      0           3072

 IFP Counter 4096     1024      0           3072

 EFP ACL     1024     0         0           1024

 EFP Meter   512      0         0           512

 EFP Counter 512      0         0           512

Table 1-1 display acl resource command output description

Field        Description
Interface    Interface indicated by its type and number
Type         Resource type:
             • ACL indicates ACL rule resources
             • Meter indicates traffic policing resources
             • Counter indicates traffic statistics resources
             • VFP indicates resources applied before Layer 2 forwarding, as used by QinQ
             • IFP indicates resources in the inbound direction
             • EFP indicates resources in the outbound direction
Total        Total number of ACL rules supported
Reserved     Number of reserved ACL rules
Configured   Number of configured ACL rules
Remaining    Number of remaining ACL rules
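Operators poll these counters to catch ACL hardware resources running out before new rules are refused. The Python below is an added example, not code from the manual: it parses a constructed copy of the output shown above, verifies that each row satisfies Remaining = Total - Reserved - Configured, and flags resource types below a free-entry threshold. The function and threshold names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the `display acl resource` output shown above
# (values copied from that example; the first group has one ACL applied).
SAMPLE_OUTPUT = """\
Interface:
    GE1/0/1 to GE1/0/24
--------------------------------------------------------------------------------
  Type       Total   Reserved  Configured  Remaining
--------------------------------------------------------------------------------
 VFP ACL     2048     0         0           2048
 IFP ACL     8192     2048      21          6123
 IFP Meter   4096     1024      0           3072
 IFP Counter 4096     1024      21          3051
 EFP ACL     1024     0         21          1003
 EFP Meter   512      0         0           512
 EFP Counter 512      0         21          491

 Interface:
    GE1/0/25 to GE1/0/48, XGE1/0/49 to XGE1/0/52
--------------------------------------------------------------------------------
  Type       Total   Reserved  Configured  Remaining
--------------------------------------------------------------------------------
 VFP ACL     2048     0         0           2048
 IFP ACL     8192     2048      0           6144
 IFP Meter   4096     1024      0           3072
 IFP Counter 4096     1024      0           3072
 EFP ACL     1024     0         0           1024
 EFP Meter   512      0         0           512
 EFP Counter 512      0         0           512
"""

# One resource row: stage (VFP/IFP/EFP), kind (ACL/Meter/Counter) and four counters.
ROW_RE = re.compile(
    r"^\s*(VFP|IFP|EFP)\s+(ACL|Meter|Counter)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

Resources = Dict[str, Dict[str, Dict[str, int]]]   # group -> "IFP ACL" -> counters


def parse_acl_resource(text: str) -> Resources:
    """Parse the command output into {interface group: {resource type: counters}}."""
    groups: Resources = {}
    current = None
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.strip() == "Interface:":
            current = lines[idx + 1].strip()     # the interface range follows the label
            groups[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            stage, kind, total, reserved, configured, remaining = m.groups()
            groups[current][f"{stage} {kind}"] = {
                "total": int(total), "reserved": int(reserved),
                "configured": int(configured), "remaining": int(remaining)}
    return groups


def inconsistent_rows(groups: Resources) -> List[Tuple[str, str]]:
    """Rows where Remaining != Total - Reserved - Configured, i.e. output not to be trusted."""
    return [(g, kind) for g, rows in groups.items() for kind, c in rows.items()
            if c["remaining"] != c["total"] - c["reserved"] - c["configured"]]


def low_capacity(groups: Resources, min_remaining: int) -> List[Tuple[str, str]]:
    """Resource types whose free entries have dropped below the threshold."""
    return [(g, kind) for g, rows in groups.items() for kind, c in rows.items()
            if c["remaining"] < min_remaining]


def utilization(groups: Resources, resource: str = "IFP ACL") -> Dict[str, float]:
    """Share of the non-reserved entries of one resource type already configured, per group."""
    return {g: rows[resource]["configured"] / (rows[resource]["total"] - rows[resource]["reserved"])
            for g, rows in groups.items() if resource in rows}
```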

 

display time-range

Syntax

display time-range { time-range-name | all }

View

Any view

Default Level

1: Monitor level

Parameters

time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

all: Specifies all existing time ranges.

Description

Use the display time-range command to display the configuration and status of a specified time range or all time ranges.

A time range is active if the system time falls into its range.

Examples

# Display the configuration and status of time range trname.

<Sysname> display time-range trname

Current time is 10:45:15 4/14/2005 Thursday

Time-range : trname ( Inactive )

from 08:00 12/1/2005 to 23:59 12/31/2100

Table 1-2 display time-range command output description

Field         Description
Current time  Current system time
Time-range    Configuration and status of the time range: its name, its status (active or inactive), and its start time and end time

 

time-range

Syntax

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View

System view

Default Level

2: System level

Parameters

time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

start-time: Start time of a periodic time range, in hh:mm format (24-hour clock), where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59.

end-time: End time of the periodic time range, in hh:mm format (24-hour clock), where hh is hours and mm is minutes. Its value ranges from 00:00 to 24:00. The end time must be greater than the start time.

days: Specifies the day or days of the week on which the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, as long as they do not overlap. Each value takes one of the following forms:

• A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.

• A day of the week in words, that is, Mon, Tue, Wed, Thu, Fri, Sat, or Sun.

• working-day for Monday through Friday.

• off-day for Saturday and Sunday.

• daily for all seven days of the week.

from time1 date1: Indicates the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format (24-hour clock), where hh is hours and mm is minutes. Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available in the system, namely, 01/01/1970 00:00:00 AM.

to time2 date2: Indicates the end time and date of the absolute time range. The format of the time2 argument is the same as that of the time1 argument, but its value ranges from 00:00 to 24:00. The end time must be greater than the start time. If not specified, the end time is the maximum time available in the system, namely, 12/31/2100 24:00:00 PM. The format and value range of the date2 argument are the same as those of the date1 argument.

Description

Use the time-range command to create a time range.

Use the undo time-range command to remove a time range.

You may create a maximum of 256 time ranges.

A time range can be one of the following:

• Periodic time range created using the time-range time-range-name start-time to end-time days command. A time range thus created recurs periodically on the day or days of the week.

• Absolute time range created using the time-range time-range-name { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. Unlike a periodic time range, a time range thus created does not recur. For example, to create an absolute time range that is active between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test from 00:00 01/01/2004 to 23:59 12/31/2004 command.

• Compound time range created using the time-range time-range-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.

You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones.

Examples

# Create an absolute time range named test, setting it to become active from 00:00 on January 1, 2003.

<Sysname> system-view

[Sysname] time-range test from 0:0 2003/1/1

# Create a periodic time range named test, setting it to be active between 8:00 to 18:00 during working days.

<Sysname> system-view

[Sysname] time-range test 8:00 to 18:00 working-day

# Create a periodic time range named test, setting it to be active between 14:00 and 18:00 on Saturday and Sunday.

<Sysname> system-view

[Sysname] time-range test 14:00 to 18:00 off-day
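The combination rule stated above (periodic entries ORed, absolute entries ORed, the two results ANDed) is easy to misjudge when several entries share one name, and a misjudged time range leaves an ACL rule inactive when it was expected to enforce. The Python below is an added example, not code from the manual: it parses the argument syntax of the time-range command and evaluates whether the resulting range is active at a given instant. TimeRange, Periodic and Absolute are this example's own names; the 0 = Sunday day numbering and the 1970/2100 bounds come from the parameter descriptions above.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
from typing import List, Set, Union

# Day numbering from the days argument: 0 = Sunday ... 6 = Saturday.
DAY_WORDS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
# System bounds stated for absolute ranges: 01/01/1970 00:00 and 12/31/2100 24:00.
MIN_TIME = datetime(1970, 1, 1)
MAX_TIME = datetime(2100, 12, 31) + timedelta(days=1)


def parse_hhmm(s: str) -> int:
    """hh:mm (24-hour clock) to minutes since midnight; 24:00 becomes 1440."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)


def parse_date(s: str) -> date:
    """Accept both MM/DD/YYYY and YYYY/MM/DD, as the command does."""
    a, b, c = (int(x) for x in s.split("/"))
    return date(a, b, c) if a > 31 else date(c, a, b)


def parse_abs(t: str, d: str) -> datetime:
    # Adding minutes to midnight lets 24:00 roll over to the next day cleanly.
    return datetime.combine(parse_date(d), time(0, 0)) + timedelta(minutes=parse_hhmm(t))


def parse_days(tok: str) -> Set[int]:
    if tok.isdigit():
        return {int(tok)}
    if tok in DAY_GROUPS:
        return set(DAY_GROUPS[tok])
    return {DAY_WORDS[tok[:3].lower()]}        # Mon, wednesday, SAT ... all accepted


@dataclass
class Periodic:
    start: int          # minutes since midnight
    end: int
    days: Set[int]


@dataclass
class Absolute:
    start: datetime
    end: datetime


@dataclass
class TimeRange:
    name: str
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def add(self, spec: str) -> None:
        """Parse the part of `time-range NAME ...` after the name. A compound entry
        contributes one periodic and one absolute component."""
        toks = spec.split()
        i = 0
        if toks and toks[0] not in ("from", "to"):          # periodic component
            start, end = parse_hhmm(toks[0]), parse_hhmm(toks[2])
            if toks[1] != "to" or end <= start:
                raise ValueError("end time must be greater than start time")
            days: Set[int] = set()
            i = 3
            while i < len(toks) and toks[i] not in ("from", "to"):
                days |= parse_days(toks[i])
                i += 1
            self.periodic.append(Periodic(start, end, days))
        a_start = a_end = None
        if i < len(toks) and toks[i] == "from":
            a_start, i = parse_abs(toks[i + 1], toks[i + 2]), i + 3
        if i < len(toks) and toks[i] == "to":
            a_end, i = parse_abs(toks[i + 1], toks[i + 2]), i + 3
        if a_start is not None or a_end is not None:        # absolute component
            a_start, a_end = a_start or MIN_TIME, a_end or MAX_TIME
            if a_end <= a_start:
                raise ValueError("absolute end must be later than absolute start")
            self.absolute.append(Absolute(a_start, a_end))

    def is_active(self, now: Union[datetime, str]) -> bool:
        """Periodic entries are ORed, absolute entries are ORed, and the two
        results are ANDed; a kind with no entries imposes no constraint."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        day = (now.weekday() + 1) % 7           # Python Monday=0 -> page Sunday=0
        minute = now.hour * 60 + now.minute
        periodic_ok = not self.periodic or any(
            day in p.days and p.start <= minute < p.end for p in self.periodic)
        absolute_ok = not self.absolute or any(
            a.start <= now < a.end for a in self.absolute)
        return periodic_ok and absolute_ok
```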

IPv4 ACL Configuration Commands

acl

Syntax

acl number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl { all | name acl-name | number acl-number }

View

System view

Default Level

2: System level

Parameters

number acl-number: Specifies the number of the IPv4 ACL, which must be in the following ranges:

• 2000 to 2999 for basic IPv4 ACLs

• 3000 to 3999 for advanced IPv4 ACLs

• 4000 to 4999 for Ethernet frame header ACLs

name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

match-order: Specifies the order in which ACL rules are sorted. This keyword is not available for user-defined IPv4 ACLs.

• auto: Specifies the depth-first order.

• config: Specifies the ascending order of rule IDs.

all: Specifies to delete all IPv4 ACLs.

Description

Use the acl command to enter IPv4 ACL view. If the ACL does not exist, it is created first.

Use the undo acl command to remove a specified IPv4 ACL or all IPv4 ACLs.

By default, the rule order is config.

Note that:

• You can specify a name for an IPv4 ACL only when you create the ACL. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.

• The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.

• If you specify both an ACL number and an ACL name in one command to enter the view of an existing ACL, be sure that the ACL number and ACL name identify the same ACL.

• You can also use this command to modify the rule order of an existing ACL, but only when the ACL does not contain any rules.

Examples

# Create IPv4 ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000]

# Create IPv4 ACL 2002, naming it flow.

<Sysname> system-view

[Sysname] acl number 2002 name flow

[Sysname-acl-basic-2002-flow]

# Enter the view of an unnamed IPv4 ACL by specifying its number.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000]

# Enter the view of a named IPv4 ACL by specifying its number.

<Sysname> system-view

[Sysname] acl number 2002

[Sysname-acl-basic-2002-flow]

# Delete the IPv4 ACL numbered 2000.

<Sysname> system-view

[Sysname] undo acl number 2000

# Delete the IPv4 ACL named flow.

<Sysname> system-view

[Sysname] undo acl name flow

acl copy

Syntax

acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View

System view

Default Level

2: System level

Parameters

source-acl-number: Number of an existing IPv4 ACL, which must be in the following ranges:

• 2000 to 2999 for basic IPv4 ACLs

• 3000 to 3999 for advanced IPv4 ACLs

• 4000 to 4999 for Ethernet frame header ACLs

source-acl-name: Name of an existing IPv4 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

dest-acl-number: Number of a non-existent IPv4 ACL, which must be of the same ACL category as the source ACL and in the following ranges:

• 2000 to 2999 for basic IPv4 ACLs

• 3000 to 3999 for advanced IPv4 ACLs

• 4000 to 4999 for Ethernet frame header ACLs

dest-acl-name: Name of a non-existent IPv4 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion. The system will automatically assign the new ACL a number which is the smallest among the available numbers of the same ACL category.

Description

Use the acl copy command to create an IPv4 ACL by copying an existing IPv4 ACL. The new ACL is of the same ACL category and has the same rule order, rules, rule numbering step and descriptions.

Note that:

• The new ACL does not take the name of the source IPv4 ACL.

• For WLAN ACLs, the name keyword and argument combinations are not supported.

Examples

# Copy ACL 2008 to generate ACL 2009.

<Sysname> system-view

[Sysname] acl copy 2008 to 2009

acl name

Syntax

acl name acl-name

View

System view

Default Level

2: System level

Parameters

acl-name: Name of the IPv4 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

Description

Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name.

Examples

# Enter the view of the IPv4 ACL named flow.

<Sysname> system-view

[Sysname] acl name flow

[Sysname-acl-basic-2002-flow]

description (for IPv4)

Syntax

description text

undo description

View

Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view

Default Level

2: System level

Parameters

text: ACL description, a case-sensitive string of 1 to 127 characters.

Description

Use the description command to configure a description for an IPv4 ACL to, for example, describe the purpose of the ACL.

Use the undo description command to remove the ACL description.

By default, an IPv4 ACL has no ACL description.

Examples

# Configure a description for IPv4 ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] description This acl is used in eth 0

# Configure a description for IPv4 ACL 3000.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] description This acl is used in eth 0

# Configure a description for ACL 4000.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] description This acl is used in eth 0

display acl

Syntax

display acl { acl-number | all | name acl-name } [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

acl-number: IPv4 ACL number, which must be in the following ranges:

• 2000 to 2999 for basic IPv4 ACLs

• 3000 to 3999 for advanced IPv4 ACLs

• 4000 to 4999 for Ethernet frame header ACLs

all: Specifies all IPv4 ACLs.

name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

slot slot-number: Displays the matching information of the IPv4 ACLs on a member device in the IRF virtual device. The slot-number argument is the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device.

Description

Use the display acl command to display information about a specified IPv4 ACL or all IPv4 ACLs.

Note that this command displays ACL rules in the rule order.

Examples

# Display information about IPv4 ACL 2001.

<Sysname> display acl 2001

Basic ACL  2001, named flow, 1 rule,

test acl

ACL's step is 5

 rule 5 permit source 1.1.1.1 0 (5 times matched)

 rule 5 comment This rule is used in GE 1/0/1

Table 1-3 display acl command output description

Field                                         Description
Basic ACL  2001                               The displayed information is about basic IPv4 ACL 2001.
named flow                                    The name of the ACL is flow.
1 rule                                        The ACL contains one rule.
test acl                                      The description for the ACL is "test acl".
                                              This field is not displayed when the ACL has no description or the slot slot-number combination is provided in the command.
ACL's step is 5                               The rule numbering step is 5.
5 times matched                               There have been five matches for the rule. Only ACL matches performed by software are counted.
                                              This field is not displayed when no match is found.
rule 5 comment This rule is used in GE 1/0/1  The description of ACL rule 5 is "This rule is used in GE 1/0/1".
                                              This field is not displayed when the rule has no description or the slot slot-number combination is provided in the command.

 

reset acl counter

Syntax

reset acl counter { acl-number | all | name acl-name }

View

User view

Default Level

2: System level

Parameters

acl-number: IPv4 ACL number, which must be in the following ranges:

• 2000 to 2999 for basic IPv4 ACLs

• 3000 to 3999 for advanced IPv4 ACLs

• 4000 to 4999 for Ethernet frame header ACLs

all: Specifies all IPv4 ACLs except for user-defined ACLs.

name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

Description

Use the reset acl counter command to clear statistics on a specified IPv4 ACL or all IPv4 ACLs except for user-defined ACLs.

Examples

# Clear statistics on IPv4 ACL 2001.

<Sysname> reset acl counter 2001

# Clear statistics on IPv4 ACL flow.

<Sysname> reset acl counter name flow

rule (basic IPv4 ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

View

Basic IPv4 ACL view

Default Level

2: System level

Parameters

rule-id: Basic IPv4 ACL rule number, in the range 0 to 65534.

deny: Drops matched packets.

permit: Allows matched packets to pass.

fragment: Indicates that the rule applies to only non-first fragments. A rule without this keyword applies to all fragments and non-fragments.

logging: Generates log entries for matched packets.

source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard argument combination specifies a source IP address in dotted decimal notation. A wildcard of zero indicates a host address. The any keyword indicates any source IP address.

time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

vpn-instance vpn-instance-name: Specifies a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Without this combination, the rule applies to only non-VPN packets.

Description

Use the rule command to create a basic IPv4 ACL rule or modify an existing basic IPv4 ACL rule.

Use the undo rule command to remove a basic IPv4 ACL rule or remove some criteria from the rule.

If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may use the display acl command to view the ID of the rule.

When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

When the ACL rule order is auto, a newly created rule will be inserted among the existing rules in the depth-first order. Note that the IDs of the rules still remain the same.

 

For a basic IPv4 ACL rule to be referenced by a QoS policy for traffic classification, the logging keyword is not supported.

 

Related commands: display acl.

Examples

# Create a rule to deny packets with the source IP address 1.1.1.1.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

rule (advanced IPv4 ACL view)

Syntax

rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *

View

Advanced IPv4 ACL view

Default Level

2: System level

Parameters

rule-id: Advanced IPv4 ACL rule number, in the range 0 to 65534.

deny: Drops matched packets.

permit: Allows matched packets to pass.

protocol: Protocol carried by IP. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 1-4 shows the parameters that can be specified after the protocol argument.

Table 1-4 Match criteria and other rule information for advanced IPv4 ACL rules

Parameters: source { sour-addr sour-wildcard | any }
Function: Specifies a source address.
Description: The sour-addr sour-wildcard argument combination specifies a source IP address in dotted decimal notation. A wildcard of zero indicates a host address. The any keyword indicates any source IP address.

Parameters: destination { dest-addr dest-wildcard | any }
Function: Specifies a destination address.
Description: The dest-addr dest-wildcard argument combination specifies a destination IP address in dotted decimal notation. A wildcard of zero indicates a host address. The any keyword indicates any destination IP address.

Parameters: precedence precedence
Function: Specifies an IP precedence value.
Description: The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

Parameters: tos tos
Function: Specifies a ToS preference.
Description: The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

Parameters: dscp dscp
Function: Specifies a DSCP priority.
Description: The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

Parameters: logging
Function: Specifies to log matched packets.
Description: This function requires that the module using the ACL support logging.

Parameters: reflective
Function: Specifies that the rule be reflective.
Description: Not supported.

Parameters: vpn-instance vpn-instance-name
Function: Specifies a VPN instance.
Description: The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Without this combination, the rule applies to only non-VPN packets.

Parameters: fragment
Function: Indicates that the rule applies to only non-first fragments.
Description: Without this keyword, the rule applies to all fragments and non-fragments.

Parameters: time-range time-range-name
Function: Specifies the time range in which the rule takes effect.
Description: The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

 

If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

 

When the protocol argument is tcp or udp, you may also define the parameters shown in Table 1-5.

Table 1-5 TCP/UDP-specific parameters for advanced IPv4 ACL rules

Parameters: source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports.
Description: The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range.
TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

Parameters: destination-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP destination ports.
Description: As for source-port above.

Parameters: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags.
Description: Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP flags in one rule are ANDed.

Parameters: established
Function: Specifies the TCP flags ACK and RST.
Description: Parameter specific to TCP.

 

When the protocol argument is icmp, you may also define the parameters shown in Table 1-6.

Table 1-6 ICMP-specific parameters for advanced IPv4 ACL rules

Parameters: icmp-type { icmp-type icmp-code | icmp-message }
Function: Specifies the ICMP message type and code.
Description: The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 1-7.

 

Table 1-7 ICMP message names supported in advanced IPv4 ACL rules

ICMP message name       Type  Code
echo                    8     0
echo-reply              0     0
fragmentneed-DFset      3     4
host-redirect           5     1
host-tos-redirect       5     3
host-unreachable        3     1
information-reply       16    0
information-request     15    0
net-redirect            5     0
net-tos-redirect        5     2
net-unreachable         3     0
parameter-problem       12    0
port-unreachable        3     3
protocol-unreachable    3     2
reassembly-timeout      11    1
source-quench           4     0
source-route-failed     3     5
timestamp-reply         14    0
timestamp-request       13    0
ttl-exceeded            11    0

 

Description

Use the rule command to create an advanced IPv4 ACL rule or modify an existing advanced IPv4 ACL rule.

Use the undo rule command to remove an advanced IPv4 ACL rule or remove some criteria from the rule.

If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may use the display acl command to view the ID of the rule.

When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

When the ACL rule order is auto, a newly created rule will be inserted among the existing rules in the depth-first order. Note that the IDs of the rules still remain the same.

If the ACL rule order is auto, rules are displayed in the depth-first order rather than by rule number.

 

For an advanced IPv4 ACL to be referenced by a QoS policy for traffic classification:

• The logging and vpn-instance keywords are not supported.

• The operator cannot be neq if the ACL is for the inbound traffic.

• The operator cannot be gt, lt, neq, or range if the ACL is for the outbound traffic.

 

Related commands: display acl.

Examples

# Define a rule to permit TCP packets with the destination port of 80 from 129.9.0.0 to 202.38.160.0.

<Sysname> system-view

[Sysname] acl number 3101

[Sysname-acl-adv-3101] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
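The matching semantics spread across the basic and advanced rule commands (wildcard masks where 0 means an exact host match, the port operators, the config match order, automatic rule IDs stepping to the next multiple of the step, and rejection of a duplicate permit/deny statement) can be checked offline before a rule set is pushed to a device. The Python below is an added example, not code from the manual: it parses rule lines in the syntax shown above for the source, destination, source-port and destination-port criteria and evaluates sample packets against them. Acl, Rule and Packet are this example's own names; the other keywords of the command are deliberately not modeled.

```python
import ipaddress
from dataclasses import astuple, dataclass
from typing import List, Optional

# Protocol keywords and numbers as listed for the advanced IPv4 ACL rule command;
# "ip" matches any protocol.
PROTOCOLS = {"gre": 47, "icmp": 1, "igmp": 2, "ip": None, "ipinip": 4,
             "ospf": 89, "tcp": 6, "udp": 17}


def ip_int(s: str) -> int:
    # A bare "0" is the host-wildcard shorthand used in the page's examples.
    return int(s) if s.isdigit() else int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, so a wildcard of 0 means an exact host match."""
    return (ip_int(addr) ^ ip_int(base)) & (~ip_int(wildcard) & 0xFFFFFFFF) == 0


def port_match(op: str, p1: int, p2: Optional[int], port: int) -> bool:
    """Operators lt, gt, eq, neq and range (inclusive) of source-port / destination-port."""
    return {"lt": port < p1, "gt": port > p1, "eq": port == p1, "neq": port != p1,
            "range": p2 is not None and p1 <= port <= p2}[op]


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    rule_id: int
    action: str
    proto: Optional[int] = None     # None = any protocol (keyword ip, or a basic ACL)
    src: Optional[tuple] = None     # (address, wildcard); None = any
    dst: Optional[tuple] = None
    sport: Optional[tuple] = None   # (operator, port1, port2)
    dport: Optional[tuple] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or wildcard_match(pkt.src, *self.src))
                and (self.dst is None or wildcard_match(pkt.dst, *self.dst))
                and (self.sport is None or port_match(*self.sport, pkt.sport))
                and (self.dport is None or port_match(*self.dport, pkt.dport)))


class Acl:
    """Basic (2000-2999) or advanced (3000-3999) IPv4 ACL with the config match order."""

    def __init__(self, number: int, step: int = 5):
        if not 2000 <= number <= 3999:
            raise ValueError("only basic and advanced IPv4 ACLs are modeled")
        self.number, self.step, self.advanced = number, step, number >= 3000
        self.rules: List[Rule] = []

    def next_rule_id(self) -> int:
        """Smallest multiple of the step greater than the current highest ID; 0 when empty."""
        if not self.rules:
            return 0
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def add_rule(self, line: str) -> Rule:
        """Parse `rule [id] {deny|permit} [protocol] criteria...`. Only source, destination
        and the two port criteria are modeled; re-using an existing ID (modification) is not."""
        toks = line.split()
        i = 1                                   # skip the literal "rule"
        rule_id = self.next_rule_id()
        if toks[i].isdigit():
            rule_id, i = int(toks[i]), i + 1
        rule, i = Rule(rule_id, toks[i]), i + 1
        if self.advanced:                       # protocol is mandatory in advanced ACL view
            rule.proto, i = (int(toks[i]) if toks[i].isdigit() else PROTOCOLS[toks[i]]), i + 1
        while i < len(toks):
            kw, i = toks[i], i + 1
            if kw in ("source", "destination"):
                val = None if toks[i] == "any" else (toks[i], toks[i + 1])
                i += 1 if val is None else 2
                setattr(rule, "src" if kw == "source" else "dst", val)
            elif kw in ("source-port", "destination-port") and self.advanced:
                op, p1, p2, i = toks[i], int(toks[i + 1]), None, i + 2
                if op == "range":
                    p2, i = int(toks[i]), i + 1
                setattr(rule, "sport" if kw == "source-port" else "dport", (op, p1, p2))
            else:
                raise ValueError(f"keyword {kw} is not modeled in this example")
        if any(astuple(r)[1:] == astuple(rule)[1:] for r in self.rules):
            raise ValueError("a rule with the same permit/deny statement already exists")
        self.rules.append(rule)
        return rule

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """First match in ascending rule-ID order decides; None if nothing matches
        (the page defines no default action for unmatched packets)."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(pkt):
                return rule.action
        return None
```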

rule (Ethernet frame header ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-type lsap-type-mask | source-mac sour-addr source-mask | time-range time-range-name | type protocol-type protocol-type-mask ] *

undo rule rule-id

View

Ethernet frame header ACL view

Default Level

2: System level

Parameters

rule-id: Ethernet frame header ACL rule number, in the range 0 to 65534.

deny: Drops matched packets.

permit: Allows matched packets to pass.

cos vlan-pri: Defines an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7 or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

dest-mac dest-addr dest-mask: Specifies a destination MAC address range. The dest-addr and dest-mask arguments indicate a destination MAC address and mask in H-H-H format.

lsap lsap-type lsap-type-mask: Defines the DSAP and SSAP fields in the LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number indicating the frame encapsulation. The lsap-type-mask argument is a 16-bit hexadecimal number indicating the mask of the LSAP type.

source-mac sour-addr source-mask: Specifies a source MAC address range. The sour-addr and source-mask arguments indicate a source MAC address and mask in H-H-H format.

time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

type protocol-type protocol-type-mask: Defines a link layer protocol. The protocol-type argument is a 16-bit hexadecimal number indicating the frame type. It corresponds to the type field in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number indicating the mask.

Description

Use the rule command to create an Ethernet frame header ACL rule or modify an existing Ethernet frame header ACL rule.

Use the undo rule command to remove an Ethernet frame header ACL rule.

When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

Before performing the undo rule command to remove an Ethernet frame header ACL rule, you may use the display acl command to view the ID of the rule.

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

When the ACL rule order is auto, a newly created rule will be inserted among the existing rules in the depth-first order. Note that the IDs of the rules still remain the same.

If the ACL rule order is auto, rules are displayed in the depth-first order rather than by rule number.

 

For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, the lsap keyword is not supported.

 

Related commands: display acl.

Examples

# Create a rule to deny packets with the 802.1p priority of 3.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule deny cos 3

rule comment (for IPv4)

Syntax

rule rule-id comment text

undo rule rule-id comment

View

Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view

Default Level

2: System level

Parameters

rule-id: IPv4 ACL rule number, in the range 0 to 65534.

text: IPv4 ACL rule description, a case-sensitive string of 1 to 127 characters.

Description

Use the rule comment command to configure a description for an existing IPv4 ACL rule or modify the description of an IPv4 ACL rule. You may use the rule description to, for example, describe the purpose of the ACL rule or the parameters it contains.

Use the undo rule comment command to remove the ACL rule description.

By default, an IPv4 ACL rule has no rule description.

Examples

# Create a rule in ACL 2000 and define the rule description.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0

[Sysname-acl-basic-2000] rule 0 comment This rule is used in eth 1/1

# Create a rule in ACL 3000 and define the rule description.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 0 permit ip source 1.1.1.1 0

[Sysname-acl-adv-3000] rule 0 comment This rule is used in eth 1/1

# Create a rule in ACL 4000 and define the rule description.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule 0 deny cos 3

[Sysname-acl-ethernetframe-4000] rule 0 comment This rule is used in eth 1/1

step (for IPv4)

Syntax

step step-value

undo step

View

Basic IPv4 ACL view, advanced IPv4 ACL view, Ethernet frame header ACL view

Default Level

2: System level

Parameters

step-value: IPv4 ACL rule numbering step, in the range 1 to 20.

Description

Use the step command to set a rule numbering step for an ACL.

Use the undo step command to restore the default.

By default, the rule numbering step is five.

Examples

# Set the rule numbering step to 2 for ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] step 2

# Set the rule numbering step to 2 for ACL 3000.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] step 2

# Set the rule numbering step to 2 for ACL 4000.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] step 2

IPv6 ACL Configuration Commands

acl ipv6

Syntax

acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]

undo acl ipv6 { all | name acl6-name | number acl6-number }

View

System view

Default Level

2: System level

Parameters

number acl6-number: Specifies the number of the IPv6 ACL, which must be in the following ranges:

l   2000 to 2999 for basic IPv6 ACLs

l   3000 to 3999 for advanced IPv6 ACLs

name acl6-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

match-order: Specifies the order in which ACL rules are sorted.

auto: Specifies the depth-first order.

config: Specifies the ascending order of the rule IDs.

all: Specifies all IPv6 ACLs.

Description

Use the acl ipv6 command to enter IPv6 ACL view. If the ACL does not exist, it is created first.

Use the undo acl ipv6 command to remove a specified IPv6 ACL or all IPv6 ACLs.

By default, the rule order is config.

Note that:

l   You can specify a name for an IPv6 ACL only when you create the ACL. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.

l   The name of an IPv6 ACL must be unique among IPv6 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name.

l   If you specify both an ACL number and an ACL name in one command to enter the view of an existing ACL, be sure that the ACL number and ACL name identify the same ACL.

l   You can also use this command to modify the rule order of an existing IPv6 ACL, but only when the ACL does not contain any rules.

Examples

# Create IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000]

# Create IPv6 ACL 2002, giving the ACL a name of flow.

<Sysname> system-view

[Sysname] acl ipv6 number 2002 name flow

[Sysname-acl6-basic-2002-flow]

# Enter the view of an IPv6 ACL that has no name by specifying its number.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000]

# Enter the view of an IPv6 ACL that has a name by specifying its number.

<Sysname> system-view

[Sysname] acl ipv6 number 2002

[Sysname-acl6-basic-2002-flow]

# Delete the IPv6 ACL with the number of 2000.

<Sysname> system-view

[Sysname] undo acl ipv6 number 2000

# Delete the IPv6 ACL named flow.

<Sysname> system-view

[Sysname] undo acl ipv6 name flow

acl ipv6 copy

Syntax

acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

View

System view

Default Level

2: System level

Parameters

source-acl6-number: Number of an existing IPv6 ACL, which must be in the following ranges:

l   2000 to 2999 for basic IPv6 ACLs

l   3000 to 3999 for advanced IPv6 ACLs

source-acl6-name: Name of an existing IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

dest-acl6-number: Number of a non-existent IPv6 ACL, which must be in the following ranges:

l   2000 to 2999 for basic IPv6 ACLs

l   3000 to 3999 for advanced IPv6 ACLs

dest-acl6-name: Name for the new IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion. The system will automatically assign the new ACL a number which is the smallest one among the available numbers of the same ACL category.

Description

Use the acl ipv6 copy command to create an IPv6 ACL by copying an existing IPv6 ACL. The new ACL is of the same ACL category and has the same rule order, rules, rule numbering step and descriptions.

Note that:

l   The source IPv6 ACL and the destination IPv6 ACL must be of the same category.

l   The new ACL does not take the name of the source IPv6 ACL.

Examples

# Copy ACL 2008 to generate ACL 2009.

<Sysname> system-view

[Sysname] acl ipv6 copy 2008 to 2009

acl ipv6 name

Syntax

acl ipv6 name acl6-name

View

System view

Default Level

2: System level

Parameters

acl6-name: Name of the IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

Description

Use the acl ipv6 name command to enter the view of an existing IPv6 ACL by specifying its name.

Examples

# Enter the view of the IPv6 ACL named flow.

<Sysname> system-view

[Sysname] acl ipv6 name flow

[Sysname-acl6-basic-2002-flow]

description (for IPv6)

Syntax

description text

undo description

View

Basic IPv6 ACL view, advanced IPv6 ACL view

Default Level

2: System level

Parameters

text: ACL description, a case-sensitive string of 1 to 127 characters.

Description

Use the description command to configure a description for an IPv6 ACL to, for example, describe the purpose of the ACL.

Use the undo description command to remove the IPv6 ACL description.

By default, an IPv6 ACL has no ACL description.

Examples

# Configure a description for IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] description This acl is used in eth 0

# Configure a description for IPv6 ACL 3000.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] description This acl is used in eth 0

display acl ipv6

Syntax

display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ]

View

Any view

Default Level

1: Monitor level

Parameters

acl6-number: IPv6 ACL number, which must be in the following ranges:

l   2000 to 2999 for basic IPv6 ACLs

l   3000 to 3999 for advanced IPv6 ACLs

all: Specifies all IPv6 ACLs.

name acl6-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

slot slot-number: Displays the matching information of the IPv6 ACLs on a member device in the IRF virtual device. The slot-number argument is the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device.

Description

Use the display acl ipv6 command to display information about a specified IPv6 ACL or all IPv6 ACLs.

Note that this command displays ACL rules in the rule order.

Examples

# Display information about IPv6 ACL 2001.

<Sysname> display acl ipv6 2001

Basic IPv6 ACL  2001, named flow, 1 rule,

test acl

ACL's step is 5

 rule 0 permit source 1::2/128 (5 times matched)

 rule 0 comment This rule is used in GE 1/0/1

Table 1-8 display acl ipv6 command output description

Basic IPv6 ACL  2001: The displayed information is about basic IPv6 ACL 2001.

named flow: The name of the ACL is flow.

1 rule: The ACL contains one rule.

test acl: The description for the ACL is "test acl". This field is not displayed when the ACL has no description or the slot slot-number combination is provided in the command.

ACL's step is 5: The rules in this ACL are numbered in steps of 5.

5 times matched: There have been five matches for the rule. Only IPv6 ACL matches performed by software are counted. This field is not displayed when no match is found.

rule 0 comment This rule is used in GE 1/0/1: The description of ACL rule 0 is "This rule is used in GE 1/0/1." This field is not displayed when the rule has no description or the slot slot-number combination is provided in the command.

reset acl ipv6 counter

Syntax

reset acl ipv6 counter { acl6-number | all | name acl6-name }

View

User view

Default Level

2: System level

Parameters

acl6-number: IPv6 ACL number, which must be in the following ranges:

l   2000 to 2999 for basic IPv6 ACLs

l   3000 to 3999 for advanced IPv6 ACLs

all: Specifies all basic and advanced IPv6 ACLs.

name acl6-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

Description

Use the reset acl ipv6 counter command to clear statistics on a specified IPv6 ACL or all basic and advanced IPv6 ACLs.

Examples

# Clear the statistics on IPv6 ACL 2001.

<Sysname> reset acl ipv6 counter 2001

# Clear the statistics on IPv6 ACL flow.

<Sysname> reset acl ipv6 counter name flow

rule (basic IPv6 ACL view)

Syntax

rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *

undo rule rule-id [ fragment | logging | source | time-range ] *

View

Basic IPv6 ACL view

Default Level

2: System level

Parameters

rule-id: IPv6 ACL rule number, in the range 0 to 65534.

deny: Drops matched packets.

permit: Allows matched packets to pass.

fragment: Indicates that the rule applies to only non-first fragments. A rule without this keyword applies to all fragments and non-fragments.

logging: Logs matched packets. This function requires that the module using the ACL support logging.

source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Specifies a source address. The ipv6-address and prefix-length arguments specify a source IPv6 address and its address prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address.

time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

Description

Use the rule command to create a basic IPv6 ACL rule or modify an existing basic IPv6 ACL rule.

Use the undo rule command to remove a basic IPv6 ACL rule or remove some criteria from the rule.

If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may need to use the display acl ipv6 command to view the ID of the rule.

When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

When the ACL rule order is auto, a newly created rule will be inserted among the existing rules in the depth-first rule order. Note that the IDs of the rules still remain the same.

 

For a basic IPv6 ACL to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported.

 

Related commands: display acl ipv6.

Examples

# Create IPv6 ACL 2000 and add two rules.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule 8 deny source fe80:5060::8050/96
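Added example, written for this page and not taken from the H3C command reference: a small Python model of a basic IPv6 ACL that reproduces the rule numbering step (smallest multiple of the step above the highest existing ID, 0 for the first rule), the duplicate permit/deny statement check, undo rule, the fragment keyword and the config versus auto match order, and then reports which rule a given source address hits, which is how you catch a broad permit shadowing a later, more specific deny. The depth-first ordering (longest source prefix first, any last), first-match semantics, ACL number 2001 and the sample prefix 2001:db8:bad::/48 are assumptions made for this example, not statements of the page.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    source: Optional[IPv6Network]  # None stands for the "any" keyword
    fragment: bool = False         # True: rule applies to non-first fragments only

    def statement(self) -> tuple:
        # the permit/deny statement that must be unique within one ACL
        return (self.action, self.source, self.fragment)

    def matches(self, src: IPv6Address, non_first_fragment: bool = False) -> bool:
        if self.fragment and not non_first_fragment:
            return False
        return self.source is None or src in self.source


class BasicIPv6Acl:
    """Model of 'acl ipv6 number N [ match-order { auto | config } ]' plus 'step'."""

    def __init__(self, number: int, match_order: str = "config", step: int = 5) -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic IPv6 ACL numbers are 2000 to 2999")
        if match_order not in ("auto", "config"):
            raise ValueError("match-order must be auto or config")
        if not 1 <= step <= 20:
            raise ValueError("step is in the range 1 to 20")
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []

    def next_rule_id(self) -> int:
        """Smallest multiple of the step bigger than the highest ID; 0 for the first rule."""
        if not self.rules:
            return 0
        highest = max(r.rule_id for r in self.rules)
        return (highest // self.step + 1) * self.step

    def rule(self, action: str, source: str = "any", fragment: bool = False,
             rule_id: Optional[int] = None) -> Rule:
        """'rule [ rule-id ] { deny | permit } [ fragment ] [ source ... ]' (creation only)."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        net = None if source == "any" else IPv6Network(source, strict=False)
        if rule_id is None:
            rule_id = self.next_rule_id()
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule-id is in the range 0 to 65534")
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} exists; modification is not modelled here")
        new = Rule(rule_id, action, net, fragment)
        if any(r.statement() == new.statement() for r in self.rules):
            raise ValueError("a rule with the same permit/deny statement already exists")
        self.rules.append(new)
        return new

    def undo_rule(self, rule_id: int) -> None:
        """'undo rule rule-id' without optional keywords removes the whole rule."""
        self.rules = [r for r in self.rules if r.rule_id != rule_id]

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)
        # ASSUMPTION: depth-first is modelled as longest source prefix first,
        # "any" last, ties broken by rule ID. Rule IDs themselves never change.
        return sorted(self.rules,
                      key=lambda r: (-(r.source.prefixlen if r.source else -1), r.rule_id))

    def lookup(self, src: str, non_first_fragment: bool = False) -> Optional[Tuple[str, int]]:
        """First matching rule in match order (assumed first-match), or None."""
        addr = IPv6Address(src)
        for r in self.ordered_rules():
            if r.matches(addr, non_first_fragment):
                return (r.action, r.rule_id)
        return None


def shadowing_demo() -> Tuple[Optional[Tuple[str, int]], Optional[Tuple[str, int]]]:
    """Same two rules under both orders: 'permit source any' entered first
    shadows a later, more specific deny under config order but not under auto."""
    results = []
    for order in ("config", "auto"):
        acl = BasicIPv6Acl(2001, match_order=order)
        acl.rule("permit", "any")               # rule 0
        acl.rule("deny", "2001:db8:bad::/48")   # rule 5; constructed sample prefix
        results.append(acl.lookup("2001:db8:bad::1"))
    return results[0], results[1]


if __name__ == "__main__":
    acl = BasicIPv6Acl(2000)                            # step defaults to 5
    acl.rule("permit", "2030:5060::9050/64")            # becomes rule 0
    acl.rule("deny", "fe80:5060::8050/96", rule_id=8)   # explicit rule 8
    print("next auto rule ID:", acl.next_rule_id())     # 10
    print("config vs auto:", shadowing_demo())
```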

rule (advanced IPv6 ACL view)

Syntax

rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *

View

Advanced IPv6 ACL view

Default Level

2: System level

Parameters

rule-id: IPv6 ACL rule number, in the range 0 to 65534.

deny: Drops matched packets.

permit: Allows matched packets to pass.

protocol: Protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 1-9 shows the parameters that can be specified after the protocol argument.

Table 1-9 Match criteria and other rule information for advanced IPv6 ACL rules

source { source source-prefix | source/source-prefix | any }: Specifies a source IPv6 address. The source and source-prefix arguments specify an IPv6 source address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 source address.

destination { dest dest-prefix | dest/dest-prefix | any }: Specifies a destination IPv6 address. The dest and dest-prefix arguments specify a destination IPv6 address and its prefix length in the range 1 to 128. The any keyword indicates any IPv6 destination address.

dscp dscp: Specifies a DSCP preference. The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

logging: Specifies to log matched packets. This function requires that the module using the ACL (for example, a firewall using the ACL) support logging.

fragment: Indicates that the rule applies to only non-first fragments. Without this keyword, the rule applies to all fragments and non-fragments.

time-range time-range-name: Specifies the time range in which the rule takes effect. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

If you set the protocol argument to tcp or udp, you may also define the parameters shown in Table 1-10.

Table 1-10 TCP/UDP-specific parameters for advanced IPv6 ACL rules

source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports. The operator, port1 and port2 arguments take the same values as for source-port.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags. Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP flags in one rule are ANDed.

established: Specifies the TCP flags ACK and RST. Parameter specific to TCP.

If you set the protocol argument to icmpv6, you may also define the parameters shown in Table 1-11.

Table 1-11 ICMPv6-specific parameters for advanced IPv6 ACL rules

icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message }: Specifies the ICMPv6 message type and code. The icmpv6-type argument ranges from 0 to 255. The icmpv6-code argument ranges from 0 to 255. The icmpv6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 1-12.

Table 1-12 ICMPv6 message names supported in advanced IPv6 ACL rules

ICMPv6 message name       Type   Code
redirect                  137    0
echo-request              128    0
echo-reply                129    0
err-Header-field          4      0
frag-time-exceeded        3      1
hop-limit-exceeded        3      0
host-admin-prohib         1      1
host-unreachable          1      3
neighbor-advertisement    136    0
neighbor-solicitation     135    0
network-unreachable       1      0
packet-too-big            2      0
port-unreachable          1      4
router-advertisement      134    0
router-solicitation       133    0
unknown-ipv6-opt          4      2
unknown-next-hdr          4      1

Description

Use the rule command to create an advanced IPv6 ACL rule or modify an existing advanced IPv6 ACL rule.

Use the undo rule command to remove an advanced IPv6 ACL rule or remove some criteria from the rule.

If you specify no optional keywords, the undo rule command removes the entire ACL rule; otherwise, the command removes only the specified criteria. Before performing the undo rule command, you may need to use the display acl ipv6 command to view the ID of the rule.

When defining ACL rules, you do not need to assign them IDs; the system can automatically assign rule IDs starting with 0 and increasing in certain rule numbering steps. A rule ID thus assigned is the smallest multiple of the step that is bigger than the current biggest number. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the next rule will be numbered 30.

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.

You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.

When the ACL rule order is auto, a newly created rule will be inserted among the existing rules in the depth-first order. Note that the IDs of the rules still remain the same.

 

For an advanced IPv6 ACL to be referenced by a QoS policy for traffic classification,

l   The logging and fragment keywords are not supported.

l   The operator cannot be neq if the ACL is for the inbound traffic.

l   The operator cannot be gt, lt, neq, or range if the ACL is for the outbound traffic.

 

Related commands: display acl ipv6.

Examples

# Configure IPv6 ACL 3000 to permit TCP packets with the source address of 2030:5060::9050/64.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64

rule comment (for IPv6)

Syntax

rule rule-id comment text

undo rule rule-id comment

View

Basic IPv6 ACL view, advanced IPv6 ACL view

Default Level

2: System level

Parameters

rule-id: IPv6 ACL rule number, in the range 0 to 65534.

text: IPv6 ACL rule description, a case-sensitive string of 1 to 127 characters.

Description

Use the rule comment command to configure a description for an existing IPv6 ACL rule or modify the description of an IPv6 ACL rule. You may use the rule description to, for example, describe the purpose of the ACL rule.

Use the undo rule comment command to remove the IPv6 ACL rule description.

By default, an IPv6 ACL rule has no rule description.

Examples

# Define a rule in IPv6 ACL 2000 and create a description for the rule.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule 0 permit source 2030:5060::9050/64

[Sysname-acl6-basic-2000] rule 0 comment This rule is used in eth 1/1

# Define a rule in IPv6 ACL 3000 and create a description for the rule.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule 0 permit tcp source 2030:5060::9050/64

[Sysname-acl6-adv-3000] rule 0 comment This rule is used in eth 1/1

step (for IPv6)

Syntax

step step-value

undo step

View

Basic IPv6 ACL view, advanced IPv6 ACL view

Default Level

2: System level

Parameters

step-value: IPv6 ACL rule numbering step, in the range 1 to 20.

Description

Use the step command to set a rule numbering step for an IPv6 ACL.

Use the undo step command to restore the default.

By default, the rule numbering step is five.

Examples

# Set the rule numbering step to 2 for IPv6 ACL 2000.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] step 2

# Set the rule numbering step to 2 for IPv6 ACL 3000.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] step 2

ACL Application Commands

acl logging frequence

Syntax

acl logging frequence frequence

undo acl logging frequence

View

System view

Default Level

2: System level

Parameters

frequence: Specifies the interval in minutes at which the IPv4 packet filtering logs are collected and output. It must be a multiple of 5 and be in the range 0 to 1440. The value of 0 means no IPv4 packet filtering logs are output.

Description

Use the acl logging frequence command to set the interval for collecting and outputting IPv4 packet filtering logs. The log information includes the number of matching IPv4 packets and the IPv4 ACL rules used. The command only logs traffic filtered by basic and advanced IPv4 ACL rules with the logging keyword configured.

Use the undo acl logging frequence command to restore the default.

By default, the interval is 0, that is, no IPv4 packet filtering logs are output.

Related commands: packet-filter, rule (basic IPv4 ACL view), rule (advanced IPv4 ACL view).

Examples

# Configure the device to collect and output IPv4 packet filtering logs at an interval of 10 minutes.

<Sysname> system-view

[Sysname] acl logging frequence 10

acl ipv6 logging frequence

Syntax

acl ipv6 logging frequence frequence

undo acl ipv6 logging frequence

View

System view

Default Level

2: System level

Parameters

frequence: Specifies the interval in minutes at which IPv6 packet filtering logs are collected and output. It must be a multiple of 5 and be in the range 0 to 1440. The value of 0 means no IPv6 packet filtering logs are output.

Description

Use the acl ipv6 logging frequence command to set the interval for collecting and outputting IPv6 packet filtering logs. The log information includes the number of matching IPv6 packets and the IPv6 ACL rules used. The command only logs traffic filtered by basic and advanced IPv6 ACL rules with the logging keyword configured.

Use the undo acl ipv6 logging frequence command to restore the default.

By default, the interval is 0, that is, no IPv6 packet filtering logs are output.

Related commands: packet-filter ipv6, rule (basic IPv6 ACL view), rule (advanced IPv6 ACL view).

Examples

# Configure the device to collect and output IPv6 packet filtering logs at an interval of 10 minutes.

<Sysname> system-view

[Sysname] acl ipv6 logging frequence 10

display packet-filter

Syntax

display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }

View

Any view

Default Level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number. VLAN interfaces are not included here.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.

slot slot-number: Specifies a member device in the IRF virtual device by its member number. The slot-number argument is the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device.

Description

Use the display packet-filter command to display application information of ACLs for packet filtering in the inbound, outbound, or both directions of the interface.

Note that if neither the inbound nor the outbound keyword is provided, the command displays application information of ACLs for packet filtering in both the inbound and outbound directions of the interface.

Examples

# Display the application information of ACLs for packet filtering in the inbound and outbound directions of interface GigabitEthernet 1/0/1.

<Sysname> display packet-filter interface gigabitethernet 1/0/1

  Interface: GigabitEthernet1/0/1

  In-bound Policy:

    acl 2001, Successful

  Out-bound Policy:

    acl6 2500, Fail

Table 1-13 display packet-filter command output description

Interface: Interface to which the ACL applies.

In-bound Policy: ACL application in the inbound direction.

Out-bound Policy: ACL application in the outbound direction.

acl 2001, Successful: IPv4 ACL 2001 was applied successfully.

acl6 2500, Fail: Failed to apply IPv6 ACL 2500.

packet-filter

Syntax

packet-filter { acl-number | name acl-name } { inbound | outbound }

undo packet-filter { acl-number | name acl-name } { inbound | outbound }

View

Ethernet interface view, VLAN interface view

Default Level

2: System level

Parameters

acl-number: Specifies the number of an ACL, which must be in the following ranges:

l   2000 to 2999 for basic IPv4 ACLs

l   3000 to 3999 for advanced IPv4 ACLs

l   4000 to 4999 for Ethernet frame header ACLs

name acl-name: Specifies the name of the ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

inbound: Specifies to filter the packets received by the interface.

outbound: Specifies to filter the packets that are to be sent out of the interface.

Description

Use the packet-filter command to apply an ACL to an interface to filter IPv4 packets or Ethernet frames.

Use the undo packet-filter command to restore the default.

By default, an interface does not filter packets and Ethernet frames.

Note that you can apply only one IPv4 ACL or one Ethernet frame header ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL.

Examples

# Apply basic IPv4 ACL 2001 to the inbound direction of interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound

# Apply advanced IPv4 ACL 3001 to the inbound direction of VLAN interface 10.

<Sysname> system-view

[Sysname] interface Vlan-interface 10

[Sysname-Vlan-interface10] packet-filter 3001 inbound

packet-filter ipv6

Syntax

packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }

undo packet-filter ipv6 { inbound | outbound }

View

Interface view

Default Level

2: System level

Parameters

acl6-number: Specifies the number of a basic or advanced IPv6 ACL, which must be in the range of 2000 to 3999.

name acl6-name: Specifies the name of the basic or advanced IPv6 ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter and cannot be named all to avoid confusion.

inbound: Specifies to filter the IPv6 packets received by the interface.

outbound: Specifies to filter the IPv6 packets that are to be sent out of the interface.

Description

Use the packet-filter ipv6 command to apply a basic or advanced IPv6 ACL to an interface to filter IPv6 packets.

Use the undo packet-filter ipv6 command to restore the default.

By default, an interface does not filter IPv6 packets.

Note that you can apply only one IPv6 ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL.

Examples

# Apply basic IPv6 ACL 2500 to the outbound direction of interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] packet-filter ipv6 2500 outbound

# Apply advanced IPv6 ACL 3000 to the outbound direction of VLAN interface 20.

<Sysname> system-view

[Sysname] interface Vlan-interface 20

[Sysname-Vlan-interface20] packet-filter ipv6 3000 outbound

 

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.