01-ACL Commands
acl
Use acl to create a WLAN, IPv4 basic, IPv4 advanced, or Ethernet frame header ACL, and enter its view. If the ACL has been created, you directly enter its view.
Use undo acl to delete the specified ACLs.
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
Default
No ACL exists.
Views
System view
Default command level
2: System level
Parameters
number acl-number: Specifies the number of an access control list (ACL):
· 100 to 199 for WLAN ACLs
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be the word all. The name option is not available for WLAN ACLs.
match-order: Sets the order in which ACL rules are compared against packets:
· auto—Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
· config—Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
The match-order keyword is not available for WLAN ACLs. They always use the config order.
all: Deletes all WLAN, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl command.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
acl copy
Use acl copy to create a WLAN, IPv4 basic, IPv4 advanced, or Ethernet frame header ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Default command level
2: System level
Parameters
source-acl-number: Specifies an existing source ACL by its number:
· 100 to 199 for WLAN ACLs
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument takes a case-insensitive string of 1 to 63 characters. The name option is not available for WLAN ACLs.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
· 100 to 199 for WLAN ACLs
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be the word all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL. The name option is not available for WLAN ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl ipv6
Use acl ipv6 to create an IPv6 basic or IPv6 advanced ACL, and enter its ACL view. If the ACL has been created, you directly enter its view.
Use undo acl ipv6 to delete the specified ACLs.
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
Default
No ACL exists.
Views
System view
Default command level
2: System level
Parameters
number acl6-number: Specifies the number of an ACL:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name to the ACL for easy identification. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be the word all.
match-order: Sets the order in which ACL rules are compared against packets:
· auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
· config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv6 basic and IPv6 advanced ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl ipv6 command.
Examples
# Create IPv6 basic ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]
acl ipv6 copy
Use acl ipv6 copy to create an IPv6 basic or IPv6 advanced ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
Views
System view
Default command level
2: System level
Parameters
source-acl6-number: Specifies an existing source ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name source-acl6-name: Specifies an existing source ACL by its name. The source-acl6-name argument takes a case-insensitive string of 1 to 63 characters.
dest-acl6-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
name dest-acl6-name: Assigns a unique name to the ACL you are creating. The dest-acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be the word all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002
acl ipv6 name
Use acl ipv6 name to enter the view of an IPv6 basic or IPv6 advanced ACL that has a name.
Syntax
acl ipv6 name acl6-name
Views
System view
Default command level
2: System level
Parameters
acl6-name: Specifies an IPv6 basic or IPv6 advanced ACL name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist.
Examples
# Enter the view of IPv6 basic ACL flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
Related commands
acl ipv6
acl name
Use acl name to enter the view of an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL that has a name.
Syntax
acl name acl-name
Views
System view
Default command level
2: System level
Parameters
acl-name: Specifies an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist.
Examples
# Enter the view of IPv4 basic ACL flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
Related commands
acl
description
Use description to configure a description for an ACL.
Use undo description to remove the ACL description.
Syntax
description text
undo description
Default
An ACL has no ACL description.
Views
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
text: Specifies an ACL description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
# Configure a description for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is an IPv6 basic ACL.
Related commands
· display acl
· display acl ipv6
display acl
Use display acl to display configuration and match statistics for WLAN, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
Syntax
display acl { acl-number | all | name acl-name } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
acl-number: Specifies an ACL by its number:
· 100 to 199 for WLAN ACLs
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all WLAN, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display configuration and match statistics for all WLAN, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
<Sysname> display acl all
Basic ACL 2000, named flow, 2 rules,
This is an IPv4 basic ACL.
Statistics is enabled
ACL's step is 5
rule 0 permit
rule 5 permit source 1.1.1.1 0 (2 times matched)
Basic ACL 2001, named -none-, 2 rules, match-order is auto,
ACL's step is 5
rule 5 permit source 2.2.2.2 0
rule 0 permit
Table 1 Command output
Field | Description |
---|---|
Basic ACL 2000 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2000. |
named flow | The name of the ACL is flow. "-none-" means the ACL is not named. This field is not present for a WLAN ACL. |
2 rules | The ACL contains two rules. |
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
This is an IPv4 basic ACL. | Description of the ACL. |
Statistics is enabled | Rule match counting is enabled for this ACL. |
Failed to enable statistics | Failed to enable rule match counting for this ACL. |
ACL's step is 5 | The rule numbering step is 5. |
rule 0 permit | Content of rule 0. |
2 times matched | There have been two matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule. |
No statistics resource | Resources are not enough for counting matches for the rules. |
Uncompleted | Applying the rule to hardware failed because no sufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied. |
display acl ipv6
Use display acl ipv6 to display configuration and match statistics for IPv6 basic and IPv6 advanced ACLs.
Syntax
display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
acl6-number: Specifies an ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
all: Displays information for all IPv6 basic and IPv6 advanced ACLs.
name acl6-name: Specifies an ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display configuration and match statistics for all IPv6 basic and IPv6 advanced ACLs.
<Sysname> display acl ipv6 all
Basic IPv6 ACL 2000, named flow, 2 rules,
This is an IPv6 basic ACL.
Statistics is enabled
ACL's step is 5
rule 0 permit
rule 5 permit source 1::/64 (2 times matched)
Basic IPv6 ACL 2001, named -none-, 2 rules, match-order is auto,
ACL's step is 5
rule 5 permit source 1::/64
rule 0 permit
Table 2 Command output
Field | Description |
---|---|
Basic IPv6 ACL 2000 | Category and number of the ACL. The following field information is about IPv6 basic ACL 2000. |
named flow | The name of the ACL is flow. "-none-" means the ACL is not named. |
2 rules | The ACL contains two rules. |
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
This is an IPv6 basic ACL. | Description of the ACL. |
Statistics is enabled | Rule match counting is enabled for this ACL. |
Failed to enable statistics | Failed to enable rule match counting for this ACL. |
ACL's step is 5 | The rule numbering step is 5. |
rule 0 permit | Content of rule 0. |
5 times matched | There have been five matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets have matched the rule. |
No statistics resource | Resources are not enough for counting matches for the ACL rules. |
Uncompleted | Applying the rule to hardware failed because no sufficient resources were available or the hardware does not support the rule. This event might occur when you modify a rule in an ACL that has been applied. |
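The display acl and display acl ipv6 output above is what an operator or an audit script has to read to find rules that never match or ACLs whose rule count disagrees with what is listed. The parser below is an added example (not part of this command reference and not device code); its line formats are taken from the sample output and the field tables on this page, and any line it does not recognise is treated as the free-text description. Rules whose "(n times matched)" suffix is absent are counted as unmatched only when the ACL reports "Statistics is enabled", since without counting the absence of the suffix means nothing.

```python
"""Parser for the 'display acl all' / 'display acl ipv6 all' output format shown on this page.
Added example; line formats follow the sample output and Tables 1 and 2."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Header line, e.g. "Basic ACL 2001, named -none-, 2 rules, match-order is auto,"
HEADER_RE = re.compile(
    r"^(?P<category>.+?) ACL (?P<number>\d+),"
    r"(?: named (?P<name>[^,]+),)?"          # absent for WLAN ACLs (Table 1)
    r" (?P<count>\d+) rules?,"
    r"(?: match-order is (?P<order>auto|config),)?"   # absent when the order is config
)
RULE_RE = re.compile(r"^rule (?P<id>\d+) (?P<body>.*?)(?: \((?P<hits>\d+) times matched\))?$")
STEP_RE = re.compile(r"^ACL's step is (?P<step>\d+)$")
STATUS_LINES = {"Statistics is enabled", "Failed to enable statistics", "No statistics resource"}


@dataclass
class AclRule:
    rule_id: int
    text: str
    matched: Optional[int]      # None when the "(n times matched)" suffix is absent


@dataclass
class AclSummary:
    category: str               # "Basic", "Advanced", "Basic IPv6", ...
    number: int
    name: Optional[str]         # None for "-none-" or when the field is absent
    declared_rules: int
    match_order: str            # "config" unless the header says "match-order is auto"
    step: Optional[int] = None
    statistics: Optional[str] = None
    description: Optional[str] = None
    rules: list = field(default_factory=list)


def parse_display_acl(text: str) -> list:
    acls, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            name = m["name"] if m["name"] and m["name"] != "-none-" else None
            current = AclSummary(m["category"], int(m["number"]), name,
                                 int(m["count"]), m["order"] or "config")
            acls.append(current)
        elif current is None:
            raise ValueError(f"unexpected line before the first ACL header: {line!r}")
        elif (m := RULE_RE.match(line)):
            hits = int(m["hits"]) if m["hits"] else None
            current.rules.append(AclRule(int(m["id"]), m["body"], hits))
        elif (m := STEP_RE.match(line)):
            current.step = int(m["step"])
        elif line in STATUS_LINES:
            current.statistics = line
        else:
            current.description = line   # the free-text description set with 'description'
    return acls


def unused_rules(acls: list) -> list:
    """(ACL number, rule ID) pairs that have never matched, judged only where counting is on."""
    return [(acl.number, rule.rule_id) for acl in acls
            if acl.statistics == "Statistics is enabled"
            for rule in acl.rules if rule.matched is None]


def rule_count_mismatches(acls: list) -> list:
    """ACL numbers whose declared rule count differs from the number of rule lines listed."""
    return [acl.number for acl in acls if acl.declared_rules != len(acl.rules)]


# Sample output constructed from the display acl all example on this page.
SAMPLE_OUTPUT = """\
Basic ACL 2000, named flow, 2 rules,
This is an IPv4 basic ACL.
Statistics is enabled
ACL's step is 5
rule 0 permit
rule 5 permit source 1.1.1.1 0 (2 times matched)
Basic ACL 2001, named -none-, 2 rules, match-order is auto,
ACL's step is 5
rule 5 permit source 2.2.2.2 0
rule 0 permit
"""

if __name__ == "__main__":
    parsed = parse_display_acl(SAMPLE_OUTPUT)
    for acl in parsed:
        print(acl)
    print("never matched:", unused_rules(parsed))          # [(2000, 0)]
    print("count mismatches:", rule_count_mismatches(parsed))  # []
```

Because the category is captured as free text before " ACL ", the same parser reads the "Basic IPv6 ACL 2000" headers produced by display acl ipv6 all without any change.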
display time-range
Use display time-range to display the configuration and status of the specified time range or all time ranges.
Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the configuration and status of time range t4.
<Sysname> display time-range t4
Current time is 17:12:34 4/13/2010 Tuesday
Time-range : t4 ( Inactive )
10:00 to 12:00 Mon
14:00 to 16:00 Wed
from 00:00 1/1/2010 to 00:00 2/1/2010
from 00:00 6/1/2010 to 00:00 7/1/2010
Table 3 Command output
Field | Description |
---|---|
Current time | Current system time. |
Time-range | Configuration and status of the time range, including its name, status (active or inactive), and start time and end time. |
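The display time-range output above lists periodic statements (a time of day on given weekdays) and absolute statements (a from/to date and time) together with the status the device computed at its current time. The code below is an added example, not device code: it parses that output and recomputes the active/inactive status for any instant, which is useful when reviewing a time-based ACL rule before the window it depends on opens. Two assumptions are not stated on this page and are labelled in the code: a time range with both kinds of statement is active only when one periodic and one absolute statement are both met, and each statement includes its start and excludes its end.

```python
"""Parser and activity check for the 'display time-range' output shown on this page.
Added example. Assumptions (not on the page): periodic and absolute statements are
combined with AND (each kind ORed within itself); start inclusive, end exclusive."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Union

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
CURRENT_RE = re.compile(r"^Current time is (\d{2}:\d{2}:\d{2} \d{1,2}/\d{1,2}/\d{4}) \w+$")
NAME_RE = re.compile(r"^Time-range : (\S+) \( (\w+) \)$")
PERIODIC_RE = re.compile(r"^(\d{2}):(\d{2}) to (\d{2}):(\d{2}) ([A-Za-z ]+)$")
ABSOLUTE_RE = re.compile(r"^from (\d{2}:\d{2} \d{1,2}/\d{1,2}/\d{4}) to (\d{2}:\d{2} \d{1,2}/\d{1,2}/\d{4})$")


@dataclass
class TimeRange:
    name: str
    status: str                                   # "Active" or "Inactive" as reported by the device
    periodic: list = field(default_factory=list)  # (start minute of day, end minute, {weekday numbers})
    absolute: list = field(default_factory=list)  # (start datetime, end datetime)

    def active_at(self, when: Union[datetime, str]) -> bool:
        """Assumed semantics: any periodic statement AND any absolute statement, if each kind exists."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        minute = when.hour * 60 + when.minute
        periodic_ok = not self.periodic or any(
            start <= minute < end and when.weekday() in days for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(start <= when < end for start, end in self.absolute)
        return periodic_ok and absolute_ok


def parse_time_range(text: str):
    """Return (device current time, TimeRange) parsed from one display time-range block."""
    now, time_range = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := CURRENT_RE.match(line)):
            now = datetime.strptime(m.group(1), "%H:%M:%S %m/%d/%Y")
        elif (m := NAME_RE.match(line)):
            time_range = TimeRange(m.group(1), m.group(2))
        elif time_range is None:
            raise ValueError(f"statement before the Time-range header: {line!r}")
        elif (m := PERIODIC_RE.match(line)):
            h1, m1, h2, m2, days = m.groups()
            time_range.periodic.append((int(h1) * 60 + int(m1), int(h2) * 60 + int(m2),
                                        {WEEKDAYS[d] for d in days.split()}))
        elif (m := ABSOLUTE_RE.match(line)):
            start, end = (datetime.strptime(t, "%H:%M %m/%d/%Y") for t in m.groups())
            time_range.absolute.append((start, end))
        else:
            raise ValueError(f"unrecognised statement: {line!r}")
    return now, time_range


# Constructed from the display time-range t4 example on this page.
SAMPLE_OUTPUT = """\
Current time is 17:12:34 4/13/2010 Tuesday
Time-range : t4 ( Inactive )
10:00 to 12:00 Mon
14:00 to 16:00 Wed
from 00:00 1/1/2010 to 00:00 2/1/2010
from 00:00 6/1/2010 to 00:00 7/1/2010
"""

if __name__ == "__main__":
    now, t4 = parse_time_range(SAMPLE_OUTPUT)
    print(t4.name, t4.status, "recomputed active:", t4.active_at(now))   # t4 Inactive recomputed active: False
    print("Mon 2010-01-04 10:30 active:", t4.active_at("2010-01-04T10:30"))  # True
```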
reset acl counter
Use reset acl counter to clear statistics for one or all WLAN, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
Syntax
reset acl counter { acl-number | all | name acl-name }
Views
User view
Default command level
2: System level
Parameters
acl-number: Specifies an ACL by its number:
· 100 to 199 for WLAN ACLs
· 2000 to 2999 for IPv4 basic ACLs
· 3000 to 3999 for IPv4 advanced ACLs
· 4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all WLAN, IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
Related commands
display acl
reset acl ipv6 counter
Use reset acl ipv6 counter to clear statistics for one or all IPv6 basic and IPv6 advanced ACLs.
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
Views
User view
Default command level
2: System level
Parameters
acl6-number: Specifies an ACL by its number:
· 2000 to 2999 for IPv6 basic ACLs
· 3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Examples
# Clear statistics for IPv6 basic ACL 2001.
<Sysname> reset acl ipv6 counter 2001
Related commands
display acl ipv6
rule (Ethernet frame header ACL view)
Use rule to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
Default
An Ethernet frame header ACL does not contain any rule.
Views
Ethernet frame header ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Counts the number of times the ACL rule has been matched.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
Related commands
· acl
· display acl
· step
· time-range
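The Ethernet frame header rule above matches on an EtherType with a mask, on source or destination MAC addresses with masks in H-H-H format, and on the 802.1p priority. The matcher below is an added example (not device code) that applies the page's ACL 4000 (permit ARP, deny RARP) and a constructed source-MAC rule to constructed frames in config order. One assumption is made about mask semantics, which the reference does not spell out: as the `type 0806 ffff` example implies for the type mask, a 1 bit in a mask means that bit is compared and a 0 bit is ignored, and the same convention is assumed for MAC masks.

```python
"""Matcher for Ethernet frame header ACL rules (type/mask, source-mac, dest-mac, cos).
Added example. Mask convention assumed: 1 bits are compared, 0 bits ignored."""
from dataclasses import dataclass
from typing import Optional


def parse_hhh(mac: str) -> int:
    """H-H-H notation, three groups of up to four hex digits, e.g. 0012-3f4a-8b6c."""
    groups = mac.lower().split("-")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"not H-H-H format: {mac!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def masked_equal(value: int, pattern: int, mask: int) -> bool:
    return (value & mask) == (pattern & mask)


@dataclass(frozen=True)
class EthRule:
    action: str                          # "permit" or "deny"
    eth_type: Optional[tuple] = None     # (protocol-type, protocol-type-mask), 16-bit values
    source_mac: Optional[tuple] = None   # (source-address, source-mask) in H-H-H
    dest_mac: Optional[tuple] = None     # (dest-address, dest-mask) in H-H-H
    cos: Optional[int] = None            # 802.1p priority 0 to 7

    def matches(self, frame: dict) -> bool:
        if self.eth_type and not masked_equal(frame["type"], *self.eth_type):
            return False
        if self.source_mac and not masked_equal(parse_hhh(frame["src"]), *map(parse_hhh, self.source_mac)):
            return False
        if self.dest_mac and not masked_equal(parse_hhh(frame["dst"]), *map(parse_hhh, self.dest_mac)):
            return False
        if self.cos is not None and frame.get("cos") != self.cos:
            return False
        return True


def evaluate(rules: list, frame: dict, step: int = 5):
    """Config order: rule IDs 0, step, 2*step ... in the order given; the first match wins.
    Returns (rule ID, action) or None when no rule matches."""
    for index, rule in enumerate(rules):
        if rule.matches(frame):
            return index * step, rule.action
    return None


# The page's ACL 4000: permit ARP (0x0806), deny RARP (0x8035), both with mask ffff.
ACL_4000 = [EthRule("permit", eth_type=(0x0806, 0xffff)),
            EthRule("deny", eth_type=(0x8035, 0xffff))]
# Constructed: permit frames from one OUI (first three bytes), deny everything else.
ACL_OUI = [EthRule("permit", source_mac=("0012-3f00-0000", "ffff-ff00-0000")),
           EthRule("deny")]

# Constructed frames (not from the page).
ARP_FRAME = {"src": "0012-3f4a-8b6c", "dst": "ffff-ffff-ffff", "type": 0x0806, "cos": 0}
RARP_FRAME = {"src": "0012-3f4a-8b6c", "dst": "ffff-ffff-ffff", "type": 0x8035, "cos": 0}
IP_FRAME = {"src": "00e0-fc11-2233", "dst": "0012-3f4a-8b6c", "type": 0x0800, "cos": 5}

if __name__ == "__main__":
    for frame in (ARP_FRAME, RARP_FRAME, IP_FRAME):
        print(hex(frame["type"]), evaluate(ACL_4000, frame), evaluate(ACL_OUI, frame))
    # 0x806 (0, 'permit') (0, 'permit') / 0x8035 (5, 'deny') (0, 'permit') / 0x800 None (5, 'deny')
```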
rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | reflective | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ] *
Default
An IPv4 advanced ACL does not contain any rule.
Views
IPv4 advanced ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range of 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 4 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 4 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { source-address source-wildcard \| any } | Specifies a source address | The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
destination { dest-address dest-wildcard \| any } | Specifies a destination address | The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
counting | Counts the number of times the ACL rule has been matched. This option is disabled by default. | N/A |
precedence precedence | Specifies an IP precedence value | The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
tos tos | Specifies a ToS preference | The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
logging | Logs matching packets | This function requires that the module that uses the ACL supports logging. |
reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. |
NOTE: If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.
If the protocol argument takes tcp (6) or udp (17), set the parameters shown in Table 5.
Table 5 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports. | Same operator, port1, port2, and port name conventions as for source-port. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 1 psh 0 matches packets with the ACK flag bit set and packets with the PSH flag bit not set. |
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument takes icmp (1), set the parameters shown in Table 6.
Table 6 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp-type { icmp-type [ icmp-code ] \| icmp-message } | Specifies the ICMP message type and code. | The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 7. |
Table 7 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code |
---|---|---|
echo | 8 | 0 |
echo-reply | 0 | 0 |
fragmentneed-DFset | 3 | 4 |
host-redirect | 5 | 1 |
host-tos-redirect | 5 | 3 |
host-unreachable | 3 | 1 |
information-reply | 16 | 0 |
information-request | 15 | 0 |
net-redirect | 5 | 0 |
net-tos-redirect | 5 | 2 |
net-unreachable | 3 | 0 |
parameter-problem | 12 | 0 |
port-unreachable | 3 | 3 |
protocol-unreachable | 3 | 2 |
reassembly-timeout | 11 | 1 |
source-quench | 4 | 0 |
source-route-failed | 3 | 5 |
timestamp-reply | 14 | 0 |
timestamp-request | 13 | 0 |
ttl-exceeded | 11 | 0 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24, and enable logging of matching packets.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 logging
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit ip
[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
· acl
· display acl
· step
· time-range
rule (IPv4 basic ACL view)
Use rule to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range ] *
Default
An IPv4 basic ACL does not contain any rule.
Views
IPv4 basic ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the ACL rule has been matched. This option is disabled by default.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module that uses the ACL supports the logging function.
source { source-address source-wildcard | any }: Matches a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system still creates the rule. However, a rule that uses the time range can take effect only after you configure the time range.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
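The wildcard-mask semantics, the config match order (ascending rule ID, first match wins) and the uniqueness guideline above, modelled in Python on the ACL 2000 example. This is an added example, not the vendor's code; the class and function names are assumptions.

```python
"""Added example (not the vendor's code): how an IPv4 basic ACL in config match
order evaluates a packet's source address against wildcard-mask rules, and how
the uniqueness guideline rejects a second rule with an identical statement."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = this address bit must match; 1 = don't care.
    So '10.0.0.0 0.255.255.255' is the whole /8 and '1.1.1.1 0.0.0.0' one host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


class BasicAcl:
    """IPv4 basic ACL, match order config. Rule IDs are given explicitly here;
    automatic numbering is governed by the step command and not modelled."""

    def __init__(self, number):
        self.number = number
        self.rules = {}                       # rule_id -> (action, base, wildcard)

    def rule(self, rule_id, action, source="any"):
        """Mirror of 'rule <id> { deny | permit } source ...'."""
        if source == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            base, wildcard = source.split()
            if wildcard == "0":               # the CLI accepts a bare 0 for a host wildcard
                wildcard = "0.0.0.0"
        stmt = (action, base, wildcard)
        # Uniqueness guideline: creating or editing a rule whose permit/deny
        # statement equals another rule's statement fails.
        if any(r == stmt for rid, r in self.rules.items() if rid != rule_id):
            raise ValueError(f"ACL {self.number}: rule {rule_id} duplicates {stmt}")
        self.rules[rule_id] = stmt
        return self

    def match(self, src_ip):
        """Action of the first matching rule in ascending rule-ID order, or None."""
        for rule_id in sorted(self.rules):
            action, base, wildcard = self.rules[rule_id]
            if wildcard_match(src_ip, base, wildcard):
                return action
        return None


# The ACL 2000 example above: permit three private ranges, deny everything else.
acl2000 = (BasicAcl(2000)
           .rule(0, "permit", "10.0.0.0 0.255.255.255")
           .rule(5, "permit", "172.17.0.0 0.0.255.255")
           .rule(10, "permit", "192.168.1.0 0.0.0.255")
           .rule(15, "deny", "any"))

if __name__ == "__main__":
    for ip in ("10.200.3.4", "172.18.0.1", "192.168.1.77", "192.168.2.1"):
        print(ip, "->", acl2000.match(ip))
```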
Related commands
· acl
· display acl
· step
· time-range
rule (IPv6 advanced ACL view)
Use rule to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | routing | source | source-port | time-range ] *
Default
An IPv6 advanced ACL does not contain any rule.
Views
IPv6 advanced ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Matches the protocol carried over IPv6. It can be a number in the range of 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 8 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 8 Match criteria and other rule information for IPv6 advanced ACL rules
source { source-address source-prefix | source-address/source-prefix | any }: Specifies a source IPv6 address. The source-address and source-prefix arguments represent an IPv6 source address and a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
destination { dest-address dest-prefix | dest-address/dest-prefix | any }: Specifies a destination IPv6 address. The dest-address and dest-prefix arguments represent a destination IPv6 address and a prefix length in the range of 1 to 128. The any keyword specifies any IPv6 destination address.
counting: Counts the number of times the ACL rule has been matched. This option is disabled by default.
dscp dscp: Specifies a DSCP preference. The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
flow-label flow-label-value: Specifies a flow label value in an IPv6 packet header. The flow-label-value argument is in the range of 0 to 1048575.
logging: Logs matching packets. This function requires that the module that uses the ACL supports logging.
routing [ type routing-type ]: Specifies the type of routing header. The routing-type argument takes a value in the range of 0 to 255. If no routing header type is specified, the rule applies to IPv6 packets with any type of routing header.
fragment: Applies the rule only to non-first fragments. Without this keyword, the rule applies to both fragments and non-fragments.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system still creates the rule. However, a rule that uses the time range can take effect only after you configure the time range.
If the protocol argument takes tcp (6) or udp (17), set the parameters shown in Table 9.
Table 9 TCP/UDP-specific parameters for IPv6 advanced ACL rules
source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports. The operator, port1, and port2 arguments are as described for source-port.
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 1 psh 0 matches packets with the ACK flag bit set and packets with the PSH flag bit not set.
established: Specifies the flags for indicating the established status of a TCP connection. Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.
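The ORed flag semantics from Table 9, modelled in Python so the breadth of a flag rule can be checked before it is deployed. This is an added example, not the vendor's code; it assumes the standard TCP header bit positions for the six flags, which the page does not state.

```python
"""Added example (not the vendor's code): TCP flag matching as described in
Table 9. Conditions listed on one rule are ORed, so 'ack 1 psh 0' matches any
packet with ACK set OR with PSH clear; 'established' means ACK or RST set.
Bit positions below are the standard TCP header ones (an assumption)."""
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags_match(rule_flags, packet_flags):
    """rule_flags: the keyword 'established' or a dict such as {'ack': 1, 'psh': 0}
    taken from the rule; packet_flags: the packet's TCP flag byte."""
    if rule_flags == "established":
        return bool(packet_flags & (TCP_FLAGS["ack"] | TCP_FLAGS["rst"]))
    # ORed: the rule matches as soon as ANY listed flag has the requested value
    return any(bool(packet_flags & TCP_FLAGS[name]) == bool(value)
               for name, value in rule_flags.items())


def matching_combinations(rule_flags):
    """How many of the 64 possible six-flag combinations the rule matches.
    Useful for seeing that 'ack 1 psh 0' covers 48 combinations, not the 16
    an AND reading would suggest."""
    return sum(flags_match(rule_flags, combo) for combo in range(64))


if __name__ == "__main__":
    print("ack 1 psh 0 matches a bare SYN:", flags_match({"ack": 1, "psh": 0}, 0x02))
    print("combinations matched:", matching_combinations({"ack": 1, "psh": 0}))
```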
If the protocol argument takes icmpv6 (58), set the parameters shown in Table 10.
Table 10 ICMPv6-specific parameters for IPv6 advanced ACL rules
icmp6-type { icmp6-type icmp6-code | icmp6-message }: Specifies the ICMPv6 message type and code. The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 11.
Table 11 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Examples
# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96, and enable logging of matching packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80 logging
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 3001
[Sysname-acl6-adv-3001] rule permit ipv6
[Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3002
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl ipv6 number 3003
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
· acl ipv6
· display ipv6 acl
· step
· time-range
rule (IPv6 basic ACL view)
Use rule to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule. If no optional keywords are provided, this command deletes the entire rule. If optional keywords or arguments are provided, this command deletes the specified attributes.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *
undo rule rule-id [ counting | fragment | logging | routing | source | time-range ] *
Default
An IPv6 basic ACL does not contain any rule.
Views
IPv6 basic ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the ACL rule has been matched. This option is disabled by default.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function requires that the module that uses the ACL supports logging.
routing [ type routing-type ]: Matches a specific type of routing header or any type of routing header. The routing-type argument takes a value in the range of 0 to 255. If no routing header type is specified, the rule matches any type of routing header.
source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IP address. The source-address and source-prefix arguments represent a source IPv6 address and address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system still creates the rule. However, a rule that uses the time range can take effect only after you configure the time range.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 1001:: 16
[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl6-basic-2000] rule deny source any
Related commands
· acl ipv6
· display ipv6 acl
· step
· time-range
rule (WLAN ACL view)
Use rule to create or edit a WLAN ACL rule.
Use undo rule to delete an entire WLAN ACL rule.
Syntax
rule [ rule-id ] { deny | permit } [ ssid ssid-name ]
undo rule rule-id
Default
A WLAN ACL does not contain any rule.
Views
WLAN ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
ssid ssid-name: Specifies a WLAN's SSID name, a case-sensitive string of 1 to 32 alphanumeric characters. Spaces are allowed. If the ssid option is not specified, the rule applies to packets with any SSID.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule for WLAN ACL 100 to permit packets with the SSID name of user1 and apply this ACL to user interface VTY 0 to restrict user access.
<Sysname> system-view
[Sysname] acl number 100
[Sysname-acl-wlan-100] rule permit ssid user1
[Sysname-acl-wlan-100] quit
[Sysname] user-interface vty 0
[Sysname-ui-vty0] acl 100 inbound
Related commands
· acl
· display acl
· step
rule comment
Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.
Use undo rule comment to delete the ACL rule comment.
Syntax
rule rule-id comment text
undo rule rule-id comment
Default
An ACL rule has no rule comment.
Views
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
rule-id: Specifies an ACL rule ID, in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Examples
# Create a rule in IPv4 basic ACL 2000 and add a comment about the rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on Ethernet 1/1.
# Create a rule in IPv6 basic ACL 2000 and add a comment about the rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 1001::1 128
[Sysname-acl6-basic-2000] rule 0 comment This rule is used on Ethernet 1/1.
Related commands
· display acl
· display acl ipv6
rule remark
Use rule remark to add a start or end remark for a range of rules that are created for the same purpose.
Use undo rule remark to delete the specified or all rule range remarks.
Syntax
rule [ rule-id ] remark text
undo rule [ rule-id ] remark [ text ]
Default
No rule range remarks are configured.
Views
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
rule-id: Specifies a rule number in the range of 0 to 65534. The specified rule can be one that has been created or not. If you specify no rule ID when adding a remark, the system automatically picks the rule ID that is the nearest higher multiple of the numbering step to the current highest rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the system picks rule 30.
text: Specifies a remark, a case-sensitive string of 1 to 63 characters.
Usage guidelines
A rule range remark always appears immediately above the specified rule. If the specified rule has not been created yet, the position of the remark in the ACL is as follows:
· If the match order is config, the remark is inserted into the ACL in descending order of rule ID.
· If the match order is auto, the remark is placed at the end of the ACL. After you create the rule, the remark appears above the rule.
To display rule range remarks in an ACL, use the display this or display current-configuration command.
When you delete rule range remarks, follow these guidelines:
· If neither rule-id nor text is specified, all rule range remarks are removed.
· Use the undo rule remark text command to remove all remarks that are the same as the text argument.
· Use the undo rule rule-id remark command to delete a specific rule range remark. If you also specify the text argument, you must type in the remark the same as was specified to successfully remove the remark.
When adding an end remark for a rule range, you can specify the end rule number plus 1 for the rule-id argument so that all rules in this range appear between the two remarks. You can also specify the end rule number for the rule-id argument. In this approach, the end rule appears below the end remark. Whichever approach you use, be consistent.
Examples
# Display the running configuration of IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] display this
#
acl number 2000
rule 0 permit source 14.1.1.0 0.0.0.255
rule 5 permit source 10.1.1.1 0 time-range work-time
rule 10 permit source 192.168.0.0 0.0.0.255
rule 15 permit source 1.1.1.1 0
rule 20 permit source 10.1.1.1 0
rule 25 permit counting
#
return
# Add a start comment "Rules for VIP_start" and an end comment "Rules for VIP_end" for the rule range 10 to 25.
[Sysname-acl-basic-2000] rule 10 remark Rules for VIP_start
[Sysname-acl-basic-2000] rule 26 remark Rules for VIP_end
# Verify the configuration.
[Sysname-acl-basic-2000] display this
#
acl number 2000
rule 0 permit source 14.1.1.0 0.0.0.255
rule 5 permit source 10.1.1.1 0 time-range work-time
rule 10 remark Rules for VIP_start
rule 10 permit source 192.168.0.0 0.0.0.255
rule 15 permit source 1.1.1.1 0
rule 20 permit source 10.1.1.1 0
rule 25 permit counting
rule 26 remark Rules for VIP_end
#
return
Related commands
· display this
· display current-configuration (Fundamentals Command Reference)
step
Use step to set a rule numbering step for an ACL. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
Use undo step to restore the default.
Syntax
step step-value
undo step
Default
The rule numbering step is 5.
Views
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default command level
2: System level
Parameters
step-value: ACL rule numbering step, in the range of 1 to 20.
Usage guidelines
After you restore the default numbering step by using the undo step command, the rules are renumbered in steps of 5.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
# Set the rule numbering step to 2 for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
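The automatic rule-ID assignment described for rule-id, and the renumbering that the step and undo step commands trigger, modelled in Python on the numbers given above (step 5, highest ID 28 gives 30; rules 5, 10, 13, 15, 20 become 0, 2, 4, 6, 8 at step 2). This is an added example, not the vendor's code; the class and method names are assumptions.

```python
"""Added example (not the vendor's code): rule numbering by step. An ACL is
modelled as a map of rule ID -> rule text; add_rule mirrors 'rule [ rule-id ]',
set_step mirrors 'step <step-value>' and, with no argument, 'undo step'."""


class RuleNumbering:
    DEFAULT_STEP = 5

    def __init__(self):
        self.step = self.DEFAULT_STEP
        self.rules = {}                           # rule_id -> rule text

    def next_id(self):
        """Nearest higher multiple of the step above the current highest ID, 0 if the
        ACL is empty (step 5: highest 28 -> 30, highest 25 -> 30)."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, text, rule_id=None):
        """Explicit IDs may land between existing rules; the wider the step, the
        more IDs are free between two automatically numbered rules."""
        if rule_id is None:
            rule_id = self.next_id()
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be in the range 0 to 65534")
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step=None):
        """Changing the step renumbers every rule from 0, in ascending order of
        its old ID, in increments of the new step."""
        if step is None:
            step = self.DEFAULT_STEP                # undo step
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range 1 to 20")
        self.step = step
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {n * step: text for n, text in enumerate(ordered)}

    def ids(self):
        return sorted(self.rules)


if __name__ == "__main__":
    acl = RuleNumbering()
    for i in (5, 10, 13, 15, 20):
        acl.add_rule(f"rule {i}", i)
    acl.set_step(2)
    print("after step 2:", acl.ids(), "next auto ID:", acl.next_id())
```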
Related commands
· display acl
· display acl ipv6
time-range
Use time-range to configure a time range. If you provide an existing time range name, the command adds a statement to the time range.
Use undo time-range to delete a time range or a statement in the time range.
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
Default
No time range exists.
Views
System view
Default command level
2: System level
Parameters
time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. It must start with an English letter, and to avoid confusion, it cannot be the word all.
start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock). The value is in the range of 00:00 to 23:59 for the start time, and 00:00 to 24:00 for the end time. The end time must be greater than the start time.
days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and make sure they do not overlap. These values can take one of the following forms:
· A digit in the range of 0 to 6, respectively, for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
· A day of a week in abbreviated words: sun, mon, tue, wed, thu, fri, and sat.
· working-day for Monday through Friday.
· off-day for Saturday and Sunday.
· daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If not specified, the start time is 01/01/1970 00:00 AM, the earliest time available in the system.
to time2 date2: Specifies the end time and date of the absolute time statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If not specified, the end time is 12/31/2100 24:00 PM, the maximum time available in the system.
Usage guidelines
You can create multiple statements in a time range. Each time statement can take one of the following forms:
· Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
· Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
· Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.
You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows:
1. Combining all periodic statements
2. Combining all absolute statements
3. Taking the intersection of the two statement sets as the active period of the time range
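The three statement forms and the active-period rule (union of periodic statements, union of absolute statements, intersection of the two), modelled in Python and exercised on the t1 to t4 statements from the examples. This is an added example, not the vendor's code; it assumes half-open boundaries (start inclusive, end exclusive) and that a time range with no statement of one kind is unconstrained by that kind, neither of which the page states.

```python
"""Added example (not the vendor's code): time-range statements and the
active-period rule. Assumptions not stated on the page: boundaries are
half-open (start inclusive, end exclusive); a time range with no periodic (or
no absolute) statement is unconstrained by that kind; a compound statement is
a periodic statement confined to its own from/to window."""
from datetime import datetime, timedelta

DAYS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
EARLIEST = datetime(1970, 1, 1)     # default 'from': 01/01/1970 00:00
LATEST = datetime(2101, 1, 1)       # default 'to': 12/31/2100 24:00, i.e. 2101-01-01 00:00


def parse_clock(text):
    """'hh:mm' on a 24-hour clock -> minutes since midnight; 24:00 -> 1440."""
    hh, mm = (int(x) for x in text.split(":"))
    if not (0 <= hh <= 24 and 0 <= mm <= 59) or hh * 60 + mm > 1440:
        raise ValueError(f"bad time {text}")
    return hh * 60 + mm


def parse_stamp(clock, date):
    """'hh:mm' plus 'MM/DD/YYYY' or 'YYYY/MM/DD' -> datetime; 24:00 rolls over."""
    a, b, c = (int(x) for x in date.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return datetime(year, month, day) + timedelta(minutes=parse_clock(clock))


def parse_statement(text):
    """Parse one statement written as it follows 'time-range <name>' on the CLI.
    days is a set (0 = Sunday .. 6 = Saturday) or None for an absolute statement;
    start/end are minutes of the day; lo/hi are the absolute bounds."""
    tok = text.split()
    st = {"days": None, "start": 0, "end": 1440, "lo": EARLIEST, "hi": LATEST}
    i = 0
    if len(tok) > 2 and tok[1] == "to":             # periodic: start-time to end-time days
        st["start"], st["end"] = parse_clock(tok[0]), parse_clock(tok[2])
        if st["end"] <= st["start"]:
            raise ValueError("end time must be greater than start time")
        st["days"], i = set(), 3
        while i < len(tok) and tok[i] not in ("from", "to"):
            word = tok[i]
            st["days"] |= GROUPS.get(word) or {DAYS[word] if word in DAYS else int(word)}
            i += 1
        if not st["days"]:
            raise ValueError("a periodic statement needs at least one day")
    while i < len(tok):                              # absolute part: from t1 d1 / to t2 d2
        st["lo" if tok[i] == "from" else "hi"] = parse_stamp(tok[i + 1], tok[i + 2])
        i += 3
    if st["hi"] <= st["lo"]:
        raise ValueError("absolute end must be later than absolute start")
    return st


class TimeRange:
    """One named time range; each add() mirrors re-issuing time-range <name> ..."""

    def __init__(self, name):
        self.name, self.statements = name, []

    def add(self, text):
        self.statements.append(parse_statement(text))
        return self

    def is_active(self, at):
        periodic = [s for s in self.statements if s["days"] is not None]
        absolute = [s for s in self.statements if s["days"] is None]
        day = (at.weekday() + 1) % 7         # Python Mon=0 -> page numbering Sun=0
        minute = at.hour * 60 + at.minute
        in_periodic = not periodic or any(
            day in s["days"] and s["start"] <= minute < s["end"] and s["lo"] <= at < s["hi"]
            for s in periodic)
        in_absolute = not absolute or any(s["lo"] <= at < s["hi"] for s in absolute)
        return in_periodic and in_absolute    # step 3: intersection of the two sets

    def active_at(self, year, month, day, hour=0, minute=0):
        return self.is_active(datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    t4 = (TimeRange("t4").add("10:0 to 12:0 1 from 0:0 1/1/2010 to 24:0 1/31/2010")
          .add("14:0 to 16:0 3 from 0:0 6/1/2010 to 24:0 6/30/2010"))
    print("t4 on Mon 2010-01-04 11:00:", t4.active_at(2010, 1, 4, 11))
    print("t4 on Mon 2010-06-07 11:00:", t4.active_at(2010, 6, 7, 11))
```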
Examples
# Create a periodic time range t1, setting it to be active from 8:00 to 18:00 on working days.
<Sysname> system-view
[Sysname] time-range t1 8:0 to 18:0 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 24:0 12/31/2010
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 24:0 12/31/2010
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 24:0 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 24:0 6/30/2010
Related commands
· display time-range