ACL commands
acl
Use acl to create an ACL, and enter its view. If the ACL has already been created, you directly enter its view.
Use undo acl to delete the specified or all ACLs.
Syntax
acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl [ ipv6 ] { all | name acl-name | number acl-number }
Default
No ACL exists.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
number acl-number: Specifies the number of an ACL.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword of undo acl, it cannot be all.
match-order: Sets the order in which ACL rules are compared against packets.
· auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL category. For more information, see ACL and QoS Configuration Guide.
· config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If you do not specify a match order, the config-order applies by default.
The match-order keyword is not available for user-defined ACLs. They always use the config-order.
all: Specifies all ACLs.
· If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.
· If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change the match order only for ACLs that do not contain any rules.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
Related commands
display acl
acl copy
Use acl copy to create an ACL by copying an ACL that already exists.
Syntax
acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
source-acl-number: Specifies an existing source ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. If you do not specify an ACL number, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL. Available value ranges include:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is specified.
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword of undo acl, it cannot be all. If you do not specify an ACL name, the system does not name the ACL.
Usage guidelines
The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl logging interval
Use acl logging interval to set the interval for generating and outputting packet filtering logs. The log information includes the number of matching packets and the matched ACL rules.
Use undo acl logging interval to restore the default.
Syntax
acl [ ipv6 ] logging interval interval
undo acl [ ipv6 ] logging interval
Default
The interval is 0. No packet filtering logs are generated.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Sets the interval for generating and outputting IPv6 packet filtering logs.
interval: Specifies the interval in minutes at which packet filtering logs are generated and output. It must be a multiple of 5 and in the range of 0 to 1440. To disable generating packet filtering logs, assign 0 to the argument.
Usage guidelines
The system collects packet filtering logs only for IPv4 basic, IPv4 advanced, IPv6 basic, and IPv6 advanced ACL rules that have the logging keyword.
Examples
# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl logging interval 10
Related commands
· rule (IPv4 advanced ACL view)
· rule (IPv4 basic ACL view)
· rule (IPv6 advanced ACL view)
· rule (IPv6 basic ACL view)
acl name
Use acl name to enter the view of an ACL that has a name.
Syntax
acl [ ipv6 ] name acl-name
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
acl-name: Specifies the name of an ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist.
Examples
# Enter the view of IPv4 basic ACL flow, which already exists.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
# Enter the view of IPv6 basic ACL flow, which already exists.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
Related commands
acl
description
Use description to configure a description for an ACL.
Use undo description to delete an ACL description.
Syntax
description text
undo description
Default
An ACL has no description.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Ethernet frame header ACL view
user-defined ACL view
Predefined user roles
network-admin
Parameters
text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
Related commands
display acl
display acl
Use display acl to display configuration and match statistics for ACLs.
Syntax
display acl [ ipv6 ] { acl-number | all | name acl-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
all: Displays information about all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs if you do not specify the ipv6 keyword, or displays information about all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Usage guidelines
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display configuration and match statistics for IPv4 basic ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, named flow, 2 rules, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5
ACL accelerated
rule 5 permit source 1.1.1.1 0
rule 5 comment This rule is used on Ten-GigabitEthernet 1/1/1.
Table 1 Command output

Field | Description |
---|---|
Basic ACL 2001 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2001. |
named flow | The name of the ACL is flow. If the ACL is not named, this field displays -none-. |
2 rules | The ACL contains two rules. |
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
This is an IPv4 basic ACL. | Description of this ACL. |
ACL's step is 5 | The rule numbering step is 5. |
ACL accelerated | ACL acceleration is enabled for the ACL. |
rule 5 permit source 1.1.1.1 0 | Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1. |
rule 5 comment This rule is used on Ten-GigabitEthernet 1/1/1. | Comment of ACL rule 5. |
display packet-filter
Use display packet-filter to display ACL application information for packet filtering.
Syntax
display packet-filter interface [ interface-type interface-number ] [ inbound | outbound ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN interfaces are not supported. If you do not specify an interface, this command displays ACL application information on all interfaces except VLAN interfaces for packet filtering.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. If you do not specify a member device or PEX, this command displays ACL application information for packet filtering for the master device.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays the ACL application information for packet filtering in both directions on interfaces.
Examples
# Display ACL application information for inbound packet filtering on interface Ten-GigabitEthernet 1/1/1.
<Sysname> display packet-filter interface ten-gigabitethernet 1/1/1 inbound
Interface: Ten-GigabitEthernet1/1/1
In-bound policy:
ACL 2001, Hardware-count
IPv4 default action: Deny
Table 2 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
In-bound policy | ACL used for filtering incoming traffic. |
Out-bound policy | ACL used for filtering outgoing traffic. |
ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
Hardware-count | Counting of ACL rule matches in hardware is enabled for the ACL. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs. This field is not displayed if the default action is permit. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs. This field is not displayed if the default action is permit. |
display packet-filter statistics
Use display packet-filter statistics to display match statistics of ACLs for packet filtering.
Syntax
display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Displays the statistics of an interface specified by its type and number.
inbound: Displays the statistics in the inbound direction.
outbound: Displays the statistics in the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
brief: Displays brief statistics.
Usage guidelines
When neither acl-number nor name acl-name is specified, this command displays match statistics of all ACLs for packet filtering.
Examples
# Display match statistics of all ACLs for inbound packet filtering on Ten-GigabitEthernet 1/1/1.
<Sysname> display packet-filter statistics interface ten-gigabitethernet 1/1/1 inbound
Interface: Ten-GigabitEthernet1/1/1
In-bound policy:
ACL 3000, Hardware-count
From 2014-07-25 15:33:06 to 2014-07-25 15:38:42
rule 0 permit ip counting
Totally 0 packets permitted, 0 packets denied
Totally 0% permitted, 0% denied
IPv4 default action: Deny
Table 3 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
In-bound policy | ACL used for filtering incoming traffic. |
Out-bound policy | ACL used for filtering outgoing traffic. |
ACL 3000 | IPv4 advanced ACL 3000 has been successfully applied. |
Hardware-count | Counting of ACL rule matches in hardware is enabled for the ACL. |
From 2014-07-25 15:33:06 to 2014-07-25 15:38:42 | Start time and end time of the statistics. |
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule. |
Totally 0 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL. |
Totally 0% permitted, 0% denied | Ratios of permitted and denied packets to all packets. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs. This field is not displayed if the default action is permit. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs. This field is not displayed if the default action is permit. |
Related commands
reset packet-filter statistics
display packet-filter statistics sum
Use display packet-filter statistics sum to display accumulated packet filtering ACL statistics.
Syntax
display packet-filter statistics sum { inbound | outbound } [ ipv6 ] { acl-number | name acl-name } [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
inbound: Displays the statistics in the inbound direction.
outbound: Displays the statistics in the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
brief: Displays brief accumulated packet filtering ACL statistics.
Examples
# Display accumulated packet filtering ACL statistics of IPv4 basic ACL 2001 for incoming packets.
<Sysname> display packet-filter statistics sum inbound 2001
Sum:
In-bound policy:
ACL 2001
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0
rule 10 permit vpn-instance test
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
Table 4 Command output

Field | Description |
---|---|
Sum | Accumulated packet filtering ACL statistics. |
In-bound policy | Accumulated statistics of the ACL used for filtering incoming traffic. |
Out-bound policy | Accumulated statistics of the ACL used for filtering outgoing traffic. |
ACL 2001 | Accumulated statistics of IPv4 basic ACL 2001. |
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule. |
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL. |
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets. |
Related commands
reset packet-filter statistics
display packet-filter verbose
Use display packet-filter verbose to display application details of ACLs for packet filtering.
Syntax
display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies the number of an ACL.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. If you do not specify a member device or PEX, this command displays ACL application details for packet filtering for the master device.
Usage guidelines
When neither acl-number nor name acl-name is specified, this command displays application details of all ACLs for packet filtering.
Examples
# Display application details of all ACLs for inbound packet filtering on Ten-GigabitEthernet 1/1/1.
<Sysname> display packet-filter verbose interface ten-gigabitethernet 1/1/1 inbound
Interface: Ten-GigabitEthernet1/1/1
In-bound policy:
ACL 2001, Hardware-count
rule 0 permit source 2.2.2.2 0
rule 5 permit source 1.1.1.1 0
rule 10 permit vpn-instance test
IPv4 default action: Deny
Table 5 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
In-bound policy | ACL used for filtering incoming traffic. |
Out-bound policy | ACL used for filtering outgoing traffic. |
ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002, so its rules are not enforced on the interface. |
Hardware-count | Counting of ACL rule matches in hardware is enabled for the ACL. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs. This field is not displayed if the default action is permit. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs. This field is not displayed if the default action is permit. |
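The script below is an added example (not part of the command reference and not Comware code) that parses output in the format shown above and reports what this table describes: an ACL marked (Failed) is not enforced on the interface, an ACL applied without Hardware-count yields no per-ACL match statistics, and a policy for which no "default action: Deny" line is printed is fail-open, because the device omits the line when the default is permit. The SAMPLE text is constructed for the example and the parser strips leading whitespace, so it does not depend on the exact indentation of real output.

```python
"""Audit 'display packet-filter verbose' output (added example; not Comware code)."""
import re
from dataclasses import dataclass, field

# "ACL 2001, Hardware-count", "ACL 2002 (Failed)" and "ACL 3000" must all parse.
ACL_RE = re.compile(r"^ACL (\S+?)(?:\s*\((Failed)\))?(?:,\s*(Hardware-count))?\s*$")
DEFAULT_RE = re.compile(r"^(IPv4|IPv6) default action:\s*(\w+)$")


@dataclass
class AclApplication:
    interface: str
    direction: str            # "inbound" or "outbound"
    acl: str                  # ACL number or name as printed
    failed: bool
    hardware_count: bool
    rules: list = field(default_factory=list)


def parse_packet_filter_verbose(text: str):
    """Return (applications, defaults).

    defaults maps (interface, direction) -> {"IPv4": "Deny", ...}; a family that is
    absent has the default action permit, which the device does not print.
    """
    apps, defaults = [], {}
    iface = direction = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            iface = line.split(":", 1)[1].strip()
            direction = current = None
        elif line in ("In-bound policy:", "Out-bound policy:"):
            direction = "inbound" if line.startswith("In") else "outbound"
            defaults.setdefault((iface, direction), {})
            current = None
        elif line.startswith("ACL "):
            m = ACL_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised ACL line: {line!r}")
            current = AclApplication(iface, direction, m.group(1),
                                     failed=bool(m.group(2)),
                                     hardware_count=bool(m.group(3)))
            apps.append(current)
        elif line.startswith("rule ") and current is not None:
            current.rules.append(line)
        elif (m := DEFAULT_RE.match(line)):
            defaults.setdefault((iface, direction), {})[m.group(1)] = m.group(2)
    return apps, defaults


def audit(text: str) -> list:
    """Findings for failed applications, missing hardware counters and fail-open policies."""
    apps, defaults = parse_packet_filter_verbose(text)
    findings = []
    for a in apps:
        where = f"{a.interface} {a.direction}"
        if a.failed:
            findings.append(f"{where}: ACL {a.acl} FAILED to apply; "
                            f"its {len(a.rules)} rule(s) are not enforced")
        elif not a.hardware_count:
            findings.append(f"{where}: ACL {a.acl} applied without hardware-count; "
                            f"only rules with the counting keyword are counted")
    for (iface, direction), d in defaults.items():
        enforced = [a for a in apps
                    if (a.interface, a.direction) == (iface, direction) and not a.failed]
        if enforced and "Deny" not in d.values():
            findings.append(f"{iface} {direction}: no default-deny action printed; "
                            f"packets matching no rule are permitted (fail-open)")
    return findings


# Constructed sample in the format of the output above, plus a failed ACL and a
# second interface whose policy has no default-deny line.
SAMPLE = """\
Interface: Ten-GigabitEthernet1/1/1
 In-bound policy:
  ACL 2001, Hardware-count
   rule 0 permit source 2.2.2.2 0
   rule 5 permit source 1.1.1.1 0
   rule 10 permit vpn-instance test
  ACL 2002 (Failed)
   rule 0 deny source 10.0.0.0 0.0.0.255
  IPv4 default action: Deny
Interface: Ten-GigabitEthernet1/1/2
 Out-bound policy:
  ACL 3000
   rule 0 permit ip counting
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Paste the real command output into SAMPLE, or read it from a file, to run the same checks against a device; a (Failed) application is the first thing to chase, usually together with display qos-acl resource, since an exhausted resource pool is one reason an ACL cannot be programmed into hardware.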
display qos-acl resource
Use display qos-acl resource to display QoS and ACL resource usage.
Syntax
display qos-acl resource [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID or specifies a PEX by its virtual slot number. On an IRF fabric, this command displays QoS and ACL resource usage for all member devices if you do not specify a member device. On an IRF 3 system, this command displays QoS and ACL resource usage for all IRF member devices and PEXs if you do not specify an IRF member device or PEX.
Usage guidelines
This command does not display any usage data if the specified IRF member device or PEX does not support counting QoS and ACL resources.
Examples
# Display QoS and ACL resource usage.
<Sysname> display qos-acl resource
Interfaces: FGE1/0/1, FGE1/0/2
XGE1/2/1 to XGE1/2/24, FGE1/2/25
FGE1/2/26
---------------------------------------------------------------------
Type          Total   Reserved   Configured   Remaining   Usage
---------------------------------------------------------------------
VFP ACL        1024        768            3         253     75%
IFP ACL        4096       1792            1        2303     43%
IFP Meter      2048        896            0        1152     43%
IFP Counter    2048        896            1        1151     43%
EFP ACL        1024          0            0        1024      0%
EFP Meter       512          0            0         512      0%
EFP Counter     512          0            0         512      0%
Table 6 Command output

Field | Description |
---|---|
Interfaces | Interface range that shares the resource. |
Type | Resource type. |
Total | Total number of resources. |
Reserved | Number of reserved resources. |
Configured | Number of resources that have been applied. |
Remaining | Number of resources that you can still apply. |
Usage | Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%. |
packet-filter (interface view)
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL application from an interface.
Syntax
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
Default
An interface does not filter packets.
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, VLAN interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on Ten-GigabitEthernet 1/1/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/1/1
[Sysname-Ten-GigabitEthernet1/1/1] packet-filter 2001 inbound hardware-count
Related commands
· display packet-filter
· display packet-filter statistics
· display packet-filter verbose
packet-filter default deny
Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.
Use undo packet-filter default deny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.
Examples
# Set the packet filter default action to deny.
<Sysname> system-view
[Sysname] packet-filter default deny
Related commands
· display packet-filter
· display packet-filter statistics
· display packet-filter verbose
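As an added example (not vendor code and not from the command reference), the Python model below shows how the default action interacts with first-match evaluation. It evaluates the two host rules of ACL 2001 shown above plus a hypothetical deny for 10.0.0.0/24 in config order, and a source that matches no rule is forwarded unless packet-filter default deny has been set. The wildcard semantics are the usual Comware ones (0 bits are compared, 1 bits are ignored, and a bare 0 means 0.0.0.0); the rule set and sample addresses are constructed.

```python
"""Packet-filter decision model (added example; not Comware code)."""
import ipaddress
from dataclasses import dataclass


def _ipv4_int(text: str) -> int:
    # The CLI accepts the bare wildcard "0" as shorthand for 0.0.0.0.
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: str = "any"    # "A.B.C.D wildcard" or "any"

    def matches(self, src_ip: str) -> bool:
        if self.source == "any":
            return True
        addr, wildcard = self.source.split()
        care = ~_ipv4_int(wildcard) & 0xFFFFFFFF   # wildcard 0 bits must be equal
        return (_ipv4_int(addr) & care) == (_ipv4_int(src_ip) & care)


@dataclass
class PacketFilter:
    rules: list                      # Rule objects of the applied ACL
    default_deny: bool = False       # True once "packet-filter default deny" is set

    def decide(self, src_ip: str):
        """Return (action, rule_id); rule_id is None when the default action applied."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):   # config order
            if rule.matches(src_ip):
                return rule.action, rule.rule_id
        return ("deny" if self.default_deny else "permit"), None


def unmatched_sources(pf: PacketFilter, samples) -> list:
    """Sources that hit no rule and therefore depend entirely on the default action."""
    return [ip for ip in samples if pf.decide(ip)[1] is None]


# Constructed ACL: the two host rules from ACL 2001 above plus a hypothetical
# deny for a whole /24, to show first-match ordering.
ACL_2001 = [
    Rule(0, "permit", "2.2.2.2 0"),
    Rule(5, "permit", "1.1.1.1 0"),
    Rule(10, "deny", "10.0.0.0 0.0.0.255"),
]

if __name__ == "__main__":
    pf = PacketFilter(ACL_2001)
    for ip in ("1.1.1.1", "10.0.0.77", "192.0.2.1"):
        print(ip, "with default permit ->", pf.decide(ip))
    pf.default_deny = True
    print("192.0.2.1 with default deny ->", pf.decide("192.0.2.1"))
```

The point to take from unmatched_sources is that an ACL made only of permit rules is not an allow-list until packet-filter default deny is configured: without it every unlisted source is forwarded, and the only evidence is the absence of a default action line in the display packet-filter output.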
packet-filter filter
Use packet-filter filter to specify the applicable scope of packet filtering on a VLAN interface.
Use undo packet-filter filter to restore the default.
Syntax
packet-filter filter [ all | route ]
undo packet-filter filter
Default
The packet filtering filters matching packets forwarded at Layer 3.
The packet filtering filters all matching packets.
Views
VLAN interface view
Predefined user roles
network-admin
Parameters
route: Filters matching packets forwarded at Layer 3.
all: Filters all matching packets, including matching packets forwarded at Layer 3 and matching packets forwarded at Layer 2.
Usage guidelines
For this command to take effect, you must configure packet filtering on the VLAN interface by using the packet-filter command.
Examples
# Configure packet filtering on VLAN-interface 2 and specify the packet filtering to filter matching packets forwarded at Layer 3.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] packet-filter 3000 inbound
[Sysname-Vlan-interface2] packet-filter filter route
reset acl counter
Use reset acl counter to clear statistics for ACLs.
Syntax
reset acl counter [ ipv6 ] { acl-number | all | name acl-name }
Views
User view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
all: Clears statistics for all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs if you do not specify the ipv6 keyword, or clears statistics for all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.
name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
Related commands
display acl
reset packet-filter statistics
Use reset packet-filter statistics to clear the match statistics (including the accumulated statistics) of ACLs for packet filtering.
Syntax
reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ]
Views
User view
Predefined user roles
network-admin
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering ACL statistics on all interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
· 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Usage guidelines
When neither acl-number nor name acl-name is specified, this command clears the match statistics of all ACLs for packet filtering.
Examples
# Clear IPv4 basic ACL 2001 statistics for incoming packet filtering on VLAN-interface 2.
<Sysname> reset packet-filter statistics interface Vlan-interface 2 inbound 2001
Related commands
· display packet-filter statistics
· display packet-filter statistics sum
rule (Ethernet frame header ACL view)
Use rule to create or edit an Ethernet frame header ACL rule.
Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
undo rule { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
Default
An Ethernet frame header ACL does not contain any rule.
Views
Ethernet frame header ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac source-address source-mask: Matches a source MAC address range. The source-address and source-mask arguments represent a source MAC address and mask in the H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.
Use the display acl all command to display the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.
Examples
# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
Related commands
· acl
· display acl
· step
· time-range
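The rule-ID assignment and statement-uniqueness rules described above, as an added Python model that is not Comware code. It assumes that a 1 bit in protocol-type-mask marks a bit that must match, which is what makes 0806 ffff an exact match for ARP in the example; the ACL contents are constructed, and counting and time-range attributes are not modelled.

```python
"""Rule numbering and statement uniqueness for an Ethernet frame header ACL
(added example modelling the rules stated above; not Comware code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EthRule:
    action: str                       # "permit" or "deny"
    eth_type: Optional[int] = None    # protocol-type, or None when not matched
    type_mask: int = 0xFFFF           # protocol-type-mask; 1 bits are compared (assumed)

    def statement(self):
        """The permit/deny statement that must be unique within the ACL."""
        return (self.action, self.eth_type, self.type_mask)

    def matches(self, frame_type: int) -> bool:
        if self.eth_type is None:
            return True
        return (frame_type & self.type_mask) == (self.eth_type & self.type_mask)


class EthAcl:
    def __init__(self, number: int, step: int = 5):
        if not 4000 <= number <= 4999:
            raise ValueError("Ethernet frame header ACLs are numbered 4000 to 4999")
        self.number, self.step = number, step
        self.rules = {}          # rule ID -> EthRule

    def next_rule_id(self) -> int:
        """Nearest multiple of the step above the current highest rule ID (0 for an empty ACL)."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, rule: EthRule, rule_id: Optional[int] = None) -> int:
        """Create or edit a rule, refusing a duplicate statement as the device does."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be in the range 0 to 65534")
        for rid, existing in self.rules.items():
            if rid != rule_id and existing.statement() == rule.statement():
                raise ValueError(
                    f"ACL {self.number}: rule {rid} already has this {rule.action} statement")
        self.rules[rule_id] = rule
        return rule_id

    def render(self) -> list:
        """Rules in config order, in the form display acl prints them."""
        out = []
        for rid in sorted(self.rules):
            r = self.rules[rid]
            line = f"rule {rid} {r.action}"
            if r.eth_type is not None:
                line += f" type {r.eth_type:04x} {r.type_mask:04x}"
            out.append(line)
        return out


if __name__ == "__main__":
    acl = EthAcl(4000)
    acl.add_rule(EthRule("permit", 0x0806))          # rule 0: ARP, as in the example above
    acl.add_rule(EthRule("deny", 0x8035))            # rule 5: RARP
    acl.add_rule(EthRule("deny", 0x88CC), rule_id=28)
    print(acl.next_rule_id())                        # 30, the case worked in the text
    print("\n".join(acl.render()))
```

Two consequences worth noticing when scripting rule pushes: because an unnumbered rule lands above the highest existing ID, it is evaluated last in config order, so a deny added "later" does not shadow an earlier permit; and because a duplicate statement is silently rejected by the device, a script that re-pushes a rule under a new ID must check for the statement, not just the ID, before assuming it was created.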
rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range | vpn-instance ] *
undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
An IPv4 advanced ACL does not contain any rule.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
· A protocol number in the range of 0 to 255.
· A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
Table 7 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 7 Match criteria and other rule information for IPv4 advanced ACL rules
source { source-address source-wildcard | any }: Specifies a source address. The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword specifies any source IP address.
destination { dest-address dest-wildcard | any }: Specifies a destination address. The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword represents any destination IP address.
counting: Counts the number of times the IPv4 advanced ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
precedence precedence: Specifies an IP precedence value. The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).
tos tos: Specifies a ToS preference. The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to all fragments and non-fragments.
logging: Logs matching packets. This feature requires that the module (for example, packet filtering) that uses the ACL supports logging.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 8.
Table 8 TCP/UDP-specific parameters for IPv4 advanced ACL rules
source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports. The operator, port1, and port2 arguments are the same as for source-port.
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. These parameters are specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.
established: Specifies the flags for indicating the established status of a TCP connection. This parameter is specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.
If the protocol argument is icmp (1), set the parameters shown in Table 9.
Table 9 ICMP-specific parameters for IPv4 advanced ACL rules
icmp-type { icmp-type [ icmp-code ] | icmp-message }: Specifies the ICMP message type and code. The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 10.
Table 10 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code |
---|---|---|
echo | 8 | 0 |
echo-reply | 0 | 0 |
fragmentneed-DFset | 3 | 4 |
host-redirect | 5 | 1 |
host-tos-redirect | 5 | 3 |
host-unreachable | 3 | 1 |
information-reply | 16 | 0 |
information-request | 15 | 0 |
net-redirect | 5 | 0 |
net-tos-redirect | 5 | 2 |
net-unreachable | 3 | 0 |
parameter-problem | 12 | 0 |
port-unreachable | 3 | 3 |
protocol-unreachable | 3 | 2 |
reassembly-timeout | 11 | 1 |
source-quench | 4 | 0 |
source-route-failed | 3 | 5 |
timestamp-reply | 14 | 0 |
timestamp-request | 13 | 0 |
ttl-exceeded | 11 | 0 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.
Use the display acl all command to display the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
[Sysname-acl-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
· acl
· acl logging interval
· display acl
· step
· time-range
rule (IPv4 basic ACL view)
Use rule to create or edit an IPv4 basic ACL rule.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
An IPv4 basic ACL does not contain any rule.
Views
IPv4 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.
source { source-address source-wildcard | any }: Matches a source address. The source-address and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.
Use the display acl all command to display the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
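The rule-numbering and uniqueness behaviour described in the Parameters and Usage guidelines above (automatic rule IDs from the numbering step, rejection of a duplicate permit/deny statement, editing only in config match order), as an added Python model that is not part of this document or the device software. A numbering step of 5 and replace-on-edit are assumptions of the model; the statements are those of ACL 2000 in the example above.

```python
class Acl:
    """Constructed model of one ACL's rule table; not the device's implementation."""

    def __init__(self, number, step=5, match_order="config"):
        self.number = number
        self.step = step                  # numbering step; the default of 5 is an assumption here
        self.match_order = match_order    # "config" or "auto"
        self.rules = {}                   # rule ID -> permit/deny statement text

    def next_rule_id(self):
        """Nearest multiple of the step above the highest existing rule ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, statement, rule_id=None):
        """Create or edit a rule; returns its rule ID, or None where the device would reject the command."""
        if rule_id is not None and not 0 <= rule_id <= 65534:
            raise ValueError("rule-id must be in the range 0 to 65534")
        if rule_id in self.rules and self.match_order != "config":
            return None   # existing rules can be edited only when the match order is config
        if any(rid != rule_id and text == statement for rid, text in self.rules.items()):
            return None   # the same permit/deny statement already exists: not created or changed
        if rule_id is None:
            rule_id = self.next_rule_id()
        self.rules[rule_id] = statement   # editing replaces the statement (a simplification)
        return rule_id

    def config_order(self):
        """Rules in config match order: ascending rule ID, smaller ID = higher priority."""
        return [(rid, self.rules[rid]) for rid in sorted(self.rules)]


def build_acl_2000():
    """The IPv4 basic ACL 2000 from the example above, entered rule by rule."""
    acl = Acl(2000)
    for statement in ("permit source 10.0.0.0 0.255.255.255",
                      "permit source 172.17.0.0 0.0.255.255",
                      "permit source 192.168.1.0 0.0.0.255",
                      "deny source any"):
        acl.rule(statement)
    return acl
```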
Related commands
· acl
· acl logging interval
· display acl
· step
· time-range
rule (IPv6 advanced ACL view)
Use rule to create or edit an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | routing | hop-by-hop | source | source-port | time-range | vpn-instance ] *
undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
An IPv6 advanced ACL does not contain any rule.
Views
IPv6 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
· A protocol number in the range of 0 to 255.
· A protocol by its name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.
Table 11 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 11 Match criteria and other rule information for IPv6 advanced ACL rules
source { source-address source-prefix | source-address/source-prefix | any }: Specifies a source IPv6 address. The source-address argument specifies an IPv6 source address. The source-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
destination { dest-address dest-prefix | dest-address/dest-prefix | any }: Specifies a destination IPv6 address. The dest-address argument specifies a destination IPv6 address. The dest-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 destination address.
counting: Counts the number of times the IPv6 advanced ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
dscp dscp: Specifies a DSCP preference. The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
flow-label flow-label-value: Specifies a flow label value in an IPv6 packet header. The flow-label-value argument is in the range of 0 to 1048575.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to all fragments and non-fragments.
logging: Logs matching packets. This feature requires that the module (for example, packet filtering) that uses the ACL supports logging.
routing [ type routing-type ]: Specifies an IPv6 routing header type. The routing-type argument is the value of the IPv6 routing header type, in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. Otherwise, the rule applies to all types of IPv6 routing header.
hop-by-hop [ type hop-type ]: Specifies an IPv6 Hop-by-Hop Options header type. The hop-type argument is the value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255. If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. Otherwise, the rule applies to all types of IPv6 Hop-by-Hop Options header.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 12.
Table 12 TCP/UDP-specific parameters for IPv6 advanced ACL rules
source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports. The operator, port1, and port2 arguments are the same as for source-port.
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. These parameters are specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.
established: Specifies the flags for indicating the established status of a TCP connection. This parameter is specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.
If the protocol argument is icmpv6 (58), set the parameters shown in Table 13.
Table 13 ICMPv6-specific parameters for IPv6 advanced ACL rules
icmp6-type { icmp6-type icmp6-code | icmp6-message }: Specifies the ICMPv6 message type and code. The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 14.
Table 14 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
If an ACL is to match information in the IPv6 packet payload, it can only match packets with one extension header. It cannot match packets with two or more extension headers or with the Encapsulating Security Payload Header.
If an ACL is for QoS traffic classification or packet filtering:
· Do not specify the fragment or vpn-instance keyword.
· Do not specify neq for the operator argument.
· Do not specify the flow-label or routing keyword if the ACL is for outbound application.
· Do not specify gt, lt, or range for the operator argument if the ACL is for outbound application.
· Do not specify ipv6-ah or ipv6-esp for the protocol argument, nor set its value to 0, 43, 44, 51, or 60, if the ACL is for outbound application.
The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.
Use the display acl ipv6 all command to display the rules in IPv6 advanced and basic ACLs.
Examples
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 3001
[Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
[Sysname-acl6-adv-3001] rule permit ipv6
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3002
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3003
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap
# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets whose Hop-by-Hop Options header type is 5, and the other denies packets with any other Hop-by-Hop Options header type.
<Sysname> system-view
[Sysname] acl ipv6 number 3004
[Sysname-acl6-adv-3004] rule permit ipv6 hop-by-hop type 5
[Sysname-acl6-adv-3004] rule deny ipv6 hop-by-hop
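As an added example that is not part of this document or the device software, the following Python models how the advanced ACL match criteria described in the IPv4 advanced and IPv6 advanced sections above are evaluated: IPv4 wildcard masks (including non-contiguous ones) and IPv6 prefix lengths reduced to one "ignored bits" check, the port operators, ANDed TCP flags, established, and first-match evaluation in config order. It parses the rule statements from the ACL 3000 and 3001 examples; the Packet model, the protocol and port name tables (limited to the names the examples use) and returning None for packets no rule matches are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Name tables as listed on the page (only the names the examples use; extend from the lists above).
PROTO = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "icmpv6": 58, "ospf": 89}
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "snmp": 161, "snmptrap": 162}

@dataclass
class Packet:                                   # constructed, minimal packet model
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: dict = field(default_factory=dict)   # TCP flag name -> 0/1, e.g. {"syn": 1}

@dataclass
class Rule:
    action: str                                 # "permit" or "deny"
    protocol: str                               # "ip", "ipv6", "tcp", ... or a protocol number
    source: "tuple | None" = None               # (address, ignored bits, version) as ints; None = any
    destination: "tuple | None" = None
    source_port: "tuple | None" = None          # (operator, port1, port2)
    destination_port: "tuple | None" = None
    flags: dict = field(default_factory=dict)   # ANDed: every listed flag must have its value
    established: bool = False

def number(name, table):
    return table[name] if name in table else int(name)   # a name from the page's lists, or a number

def parse_address(tok, i):
    """'any', 'A.B.C.D wildcard' (IPv4), 'addr prefix' or 'addr/prefix' (IPv6) -> (spec, tokens used)."""
    if tok[i] == "any":
        return None, 1
    used = 1 if "/" in tok[i] else 2
    addr, second = tok[i].split("/") if used == 1 else tok[i:i + 2]
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:        # prefix length: the low (128 - prefix) bits are ignored
        wildcard = (1 << (128 - int(second))) - 1
    else:                      # dotted-decimal wildcard: 1 bits are ignored; all-zero means one host
        wildcard = int(ipaddress.IPv4Address(second))
    return (int(ip), wildcard, ip.version), used

def address_matches(addr, spec):
    ip = ipaddress.ip_address(addr)
    return spec is None or (ip.version == spec[2] and (int(ip) | spec[1]) == (spec[0] | spec[1]))

def port_matches(port, spec):
    if spec is None:
        return True
    op, p1, p2 = spec
    return {"eq": port == p1, "neq": port != p1, "lt": port < p1,
            "gt": port > p1, "range": p1 <= port <= p2}[op]

def parse_rule(text):
    """Parse the match criteria of a rule command; keywords this example does not model are rejected."""
    tok = text.split()
    rule, i = Rule(action=tok[0], protocol=tok[1]), 2
    while i < len(tok):
        kw = tok[i]
        if kw in ("source", "destination"):
            spec, used = parse_address(tok, i + 1)
            setattr(rule, kw, spec)
            i += 1 + used
        elif kw in ("source-port", "destination-port"):
            op, p1 = tok[i + 1], number(tok[i + 2], PORT_NAMES)
            p2 = number(tok[i + 3], PORT_NAMES) if op == "range" else p1
            setattr(rule, kw.replace("-", "_"), (op, p1, p2))
            i += 4 if op == "range" else 3
        elif kw in ("ack", "fin", "psh", "rst", "syn", "urg"):
            rule.flags[kw] = int(tok[i + 1])
            i += 2
        elif kw == "established":
            rule.established = True
            i += 1
        else:
            raise ValueError(f"keyword not modelled in this example: {kw}")
    return rule

def rule_matches(rule, pkt):
    """Every criterion in the rule must hold; TCP flags are ANDed; established means ACK or RST set."""
    return ((rule.protocol in ("ip", "ipv6") or pkt.proto == number(rule.protocol, PROTO))
            and address_matches(pkt.src, rule.source) and address_matches(pkt.dst, rule.destination)
            and port_matches(pkt.sport, rule.source_port) and port_matches(pkt.dport, rule.destination_port)
            and all(pkt.flags.get(f, 0) == v for f, v in rule.flags.items())
            and (not rule.established or bool(pkt.flags.get("ack") or pkt.flags.get("rst"))))

def evaluate(rules, pkt):
    """Config match order: the first matching rule (ascending rule ID) decides. Returns None when no
    rule matches; what then happens to the packet is decided by the module applying the ACL."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None

# The ACLs from the examples above, each listed in config order.
ACL_3000 = [parse_rule("permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80")]
ACL_3001 = [parse_rule("deny icmp destination 192.168.1.0 0.0.0.255"), parse_rule("permit ip")]
ACL6_3000 = [parse_rule("permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80")]
```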
Related commands
· acl
· acl logging interval
· display acl
· step
· time-range
rule (IPv6 basic ACL view)
Use rule to create or edit an IPv6 basic ACL rule.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | routing | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
An IPv6 basic ACL does not contain any rule.
Views
IPv6 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv6 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.
routing [ type routing-type ]: Applies the rule to the specified type of routing header or all types of routing header. The routing-type argument specifies the value of the routing header type, which is in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of routing header. Otherwise, the rule applies to any type of routing header.
source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IPv6 address. The source-address argument specifies a source IPv6 address. The source-prefix argument specifies an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.
Use the display acl ipv6 all command to display the rules in IPv6 advanced and basic ACLs.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 1001:: 16
[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl6-basic-2000] rule deny source any
Related commands
· acl
· acl logging interval
· display acl
· step
· time-range
rule (user-defined ACL view)
Use rule to create or edit a user-defined ACL rule.
Use undo rule to delete a user-defined ACL rule.
Syntax
rule [ rule-id ] { deny | permit } [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
undo rule rule-id
undo rule { deny | permit } [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
Default
A user-defined ACL does not contain any rule.
Views
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. The mask is ANDed with the bytes selected from the packet, and the result is compared with the match pattern.
offset: Specifies an offset in bytes after which the match operation begins.
&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.
counting: Counts the number of times the user-defined ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can delete a user-defined ACL rule in the following ways:
· Specify the rule ID for the undo rule rule-id command.
· Specify all the attributes of the rule for the undo rule { deny | permit } command.
Use the display acl all command to display the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.
Examples
# Create a rule for user-defined ACL 5005 to permit packets in which the 13th and 14th bytes counted from the start of the Layer 2 header are 0x0806 (the EtherType of ARP packets).
<Sysname> system-view
[Sysname] acl number 5005
[Sysname-acl-user-5005] rule permit l2 0806 ffff 12
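The l2 pattern matching described above, as an added Python model that is not part of the command reference or the switch software; the frames, the ARP request rule and the group destination MAC rule are constructed here for illustration.

```python
# Added example, not from the command reference: a Python model of how a
# user-defined ACL rule built from "l2 rule-string rule-mask offset" patterns
# is evaluated against a raw Ethernet frame. For each pattern the bytes at
# frame[offset:] are ANDed with rule-mask and compared with rule-string;
# the rule matches only when every one of its (at most eight) patterns matches.
from dataclasses import dataclass

MAX_PATTERNS = 8  # the &<1-8> limit in the rule syntax


@dataclass(frozen=True)
class L2Pattern:
    rule_string: str  # hex match pattern; length must be a multiple of two
    rule_mask: str    # hex mask of the same length as rule_string
    offset: int       # byte offset from the start of the Layer 2 header

    def matches(self, frame: bytes) -> bool:
        if len(self.rule_string) % 2 or len(self.rule_mask) != len(self.rule_string):
            raise ValueError("rule-string must be whole bytes and rule-mask the same length")
        pattern = bytes.fromhex(self.rule_string)
        mask = bytes.fromhex(self.rule_mask)
        window = frame[self.offset:self.offset + len(pattern)]
        if len(window) < len(pattern):
            return False  # frame too short to contain the field being tested
        return all((b & m) == p for b, m, p in zip(window, mask, pattern))


def rule_matches(frame: bytes, patterns: list) -> bool:
    """True when all patterns of the rule match the frame (logical AND)."""
    if not 1 <= len(patterns) <= MAX_PATTERNS:
        raise ValueError("a rule carries between one and eight l2 patterns")
    return all(p.matches(frame) for p in patterns)


# 'rule permit l2 0806 ffff 12' from the reference: EtherType ARP at offset 12.
ARP_RULE = [L2Pattern("0806", "ffff", 12)]
# Two patterns ANDed: ARP EtherType and ARP opcode 1 (request) at offset 20.
ARP_REQUEST_RULE = ARP_RULE + [L2Pattern("0001", "ffff", 20)]
# Mask in action: only the group bit of the first destination MAC byte is tested.
GROUP_DST_RULE = [L2Pattern("01", "01", 0)]

# Constructed sample frames (not captured traffic).
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"  # broadcast dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0001"        # ARP: Ethernet/IPv4, opcode 1 (request)
    "001122334455" "c0a80101" "000000000000" "c0a80102"
)
IPV4_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(20)
```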
Related commands
· acl
· display acl
· time-range
rule comment
Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.
Use undo rule comment to delete an ACL rule comment.
Syntax
rule rule-id comment text
undo rule rule-id comment
Default
An ACL rule has no comment.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Ethernet frame header ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Examples
# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on ten-gigabitethernet 1/1/1.
Related commands
· display acl
step
Use step to set a rule numbering step for an ACL.
Use undo step to restore the default.
Syntax
step step-value
undo step
Default
The rule numbering step is five.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Ethernet frame header ACL view
Predefined user roles
network-admin
Parameters
step-value: ACL rule numbering step in the range of 1 to 20.
Usage guidelines
The rule numbering step sets the increment by which the system numbers rules automatically. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 12, the rule is numbered 15.
The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 0, 5, 9, 10, and 15, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
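The automatic numbering and the renumbering on a step change described above, as an added Python model that is not the switch's own code; the AclNumbering class and its method names are assumed for illustration.

```python
# Added example, not from the command reference: a Python model of the automatic
# rule numbering controlled by the step command. A rule created without a rule-id
# gets the nearest multiple of the step above the current highest ID (0 for an
# empty ACL), and changing the step renumbers every rule from 0 in step increments.
MAX_RULE_ID = 65534


def next_rule_id(existing_ids, step):
    """ID assigned to a rule created without an explicit rule-id."""
    if not 1 <= step <= 20:
        raise ValueError("step-value must be in the range of 1 to 20")
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def renumber(existing_ids, new_step):
    """Map old rule IDs to the IDs they get after the step changes to new_step."""
    if not 1 <= new_step <= 20:
        raise ValueError("step-value must be in the range of 1 to 20")
    return {old: i * new_step for i, old in enumerate(sorted(existing_ids))}


class AclNumbering:
    """Rule IDs of one ACL; the default numbering step is five."""

    def __init__(self, step=5):
        self.step = step
        self.rule_ids = []

    def add_rule(self, rule_id=None):
        """Create a rule; returns the ID it was given."""
        if rule_id is None:
            rule_id = next_rule_id(self.rule_ids, self.step)
        elif not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id must be in the range of 0 to 65534")
        if rule_id > MAX_RULE_ID:
            raise OverflowError("no rule ID available above the current highest rule")
        if rule_id not in self.rule_ids:  # an existing ID edits that rule instead
            self.rule_ids.append(rule_id)
        return rule_id

    def set_step(self, step):
        """Change the step and renumber; returns the old-to-new ID mapping."""
        mapping = renumber(self.rule_ids, step)
        self.step = step
        self.rule_ids = sorted(mapping.values())
        return mapping
```

Because a step change renumbers every rule, any rule comment, change record or script that refers to a rule by its ID should be checked against the returned mapping afterwards.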
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
Related commands
· display acl