ACL commands
The WX1800H series access controllers do not support the slot keyword or the slot-number argument.
acl
Use acl to create an ACL, and enter its view. If the ACL has already been created, the command only places you in the ACL view.
Use undo acl to delete the specified or all ACLs.
Syntax
acl [ ipv6 ] { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]
acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
acl wlan client { acl-number | name acl-name }
acl wlan ap { acl-number | name acl-name }
undo acl [ ipv6 ] { all | { advanced | basic } { acl-number | name acl-name } }
undo acl mac { all | acl-number | name acl-name }
undo acl wlan client { acl-number | all | name acl-name }
undo acl wlan ap { acl-number | all | name acl-name }
Default
No ACL exists.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type. To specify the IPv4 ACL type, do not provide this keyword.
basic: Specifies the basic ACL type.
advanced: Specifies the advanced ACL type.
mac: Specifies the Layer 2 ACL type.
wlan client: Specifies the WLAN client ACL type.
wlan ap: Specifies the WLAN AP ACL type.
acl-number: Assigns a number to the ACL. The following are available value ranges:
· 100 to 199 for WLAN client ACL.
· 200 to 299 for WLAN AP ACL.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Assigns a name to the ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be all.
match-order: Specifies the order in which ACL rules are compared against packets.
· auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL type. For more information, see ACL and QoS Configuration Guide.
· config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has a higher priority. If you do not specify a match order, the config order applies by default. The match order for the WLAN client ACL and WLAN AP ACL can only be config.
all: Specifies all ACLs of the specified type.
Usage guidelines
You can change the match order only for ACLs that do not contain any rules.
Packets that match an ACL rule are slow-forwarded if the rule uses any match criterion or function other than the following:
· Source and destination IP addresses.
· Source and destination ports.
· Transport layer protocol.
· ICMP or ICMPv6 message type, message code, and message name.
· VPN instance.
· Logging.
· Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000]
# Create IPv4 basic ACL flow, and enter its view.
<Sysname> system-view
[Sysname] acl basic name flow
[Sysname-acl-ipv4-basic-flow]
# Create IPv4 advanced ACL 3000, and enter its view.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000]
# Create IPv6 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000]
# Create IPv6 basic ACL flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 basic name flow
[Sysname-acl-ipv6-basic-flow]
# Create IPv6 advanced ACL abc, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 advanced name abc
[Sysname-acl-ipv6-adv-abc]
# Create Layer 2 ACL 4000, and enter its view.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000]
# Create Layer 2 ACL flow, and enter its view.
<Sysname> system-view
[Sysname] acl mac name flow
[Sysname-acl-mac-flow]
# Create WLAN client ACL 100, and enter its view.
<Sysname> system-view
[Sysname] acl wlan client 100
[Sysname-acl-client-100]
# Create WLAN client ACL flow, and enter its view.
<Sysname> system-view
[Sysname] acl wlan client name flow
[Sysname-acl-client-flow]
# Create WLAN AP ACL 200, and enter its view.
<Sysname> system-view
[Sysname] acl wlan ap 200
[Sysname-acl-ap-200]
# Create WLAN AP ACL flow, and enter its view.
<Sysname> system-view
[Sysname] acl wlan ap name flow
[Sysname-acl-ap-flow]
Related commands
display acl
acl copy
Use acl copy to create an ACL by copying an ACL that already exists.
Syntax
acl [ ipv6 | mac ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
source-acl-number: Specifies an existing source ACL by its number. The following are available value ranges:
· 100 to 199 for WLAN client ACLs.
· 200 to 299 for WLAN AP ACLs.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL type as the source ACL. The following are available value ranges:
· 100 to 199 for WLAN client ACLs.
· 200 to 299 for WLAN AP ACLs.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion with the all keyword, it cannot be all.
Usage guidelines
The new ACL has the same properties and content as the source ACL, but uses a different number or name from the source ACL.
To specify the IPv4 ACL type, do not specify the ipv6 or mac keyword.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
# Create IPv4 basic ACL paste by copying IPv4 basic ACL test.
<Sysname> system-view
[Sysname] acl copy name test to name paste
acl trap interval
Use acl trap interval to enable SNMP notifications for packet filtering, and set the interval.
Use undo acl trap interval to restore the default.
Syntax
acl trap interval interval
undo acl trap interval
Default
The interval is 0. The device does not generate SNMP notifications for packet filtering.
Views
System view
Predefined user roles
network-admin
Parameters
trap: Enables SNMP notifications and sends the notifications to the SNMP module. For information about SNMP, see Network Management and Monitoring Configuration Guide.
interval interval: Sets the interval in minutes. It must be a multiple of 5, in the range of 0 to 1440. To disable the notification, set the value to 0.
Usage guidelines
SNMP notifications are available for IPv4 and IPv6 ACL rules.
The packet filter module generates SNMP notifications and outputs them at the output interval. If an ACL is matched for the first time, the device immediately outputs a log entry or notification instead of waiting for the next output time.
Examples
# Configure the device to generate and output packet filtering SNMP notifications every 10 minutes.
<Sysname> system-view
[Sysname] acl trap interval 10
Related commands
· rule (IPv4 advanced ACL view)
· rule (IPv4 basic ACL view)
· rule (IPv6 advanced ACL view)
· rule (IPv6 basic ACL view)
description
Use description to configure a description for an ACL.
Use undo description to delete an ACL description.
Syntax
description text
undo description
Default
An ACL does not have a description.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
WLAN AP/client ACL view
Predefined user roles
network-admin
Parameters
text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] description This is an IPv4 basic ACL.
Related commands
display acl
display acl
Use display acl to display ACL configuration and match statistics.
Syntax
display acl [ ipv6 | mac | wlan ] { acl-number | all | name acl-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
wlan: Specifies the WLAN ACL type, including WLAN client ACL and WLAN AP ACL.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 100 to 199 for WLAN client ACL.
· 200 to 299 for WLAN AP ACL.
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
all: Displays information about all ACLs of the specified type.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command displays ACL rules in config or auto order, whichever is configured.
To specify the IPv4 ACL type, do not specify the ipv6, mac, or wlan keyword.
Examples
# Display configuration and match statistics for IPv4 basic ACL 2001.
<Sysname> display acl 2001
Basic IPv4 ACL 2001, 1 rules, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5
rule 5 permit source 1.1.1.1 0
rule 5 comment This rule is used on GigabitEthernet 1/0/1.
Table 1 Command output
Field |
Description |
Basic IPv4 ACL 2001 |
Type and number of the ACL. The following field information is about IPv4 basic ACL 2001. |
1 rules |
The ACL contains one rule. |
match-order is auto |
The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
This is an IPv4 basic ACL. |
Description of this ACL. |
ACL's step is 5 |
The rule numbering step is 5. |
rule 5 permit source 1.1.1.1 0 |
Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1. |
rule 5 comment This rule is used on GigabitEthernet 1/0/1. |
Comment of ACL rule 5. |
display packet-filter
Use display packet-filter to display ACL application information for packet filtering.
Syntax
display packet-filter interface [ interface-type interface-number ] [ inbound | outbound ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN interfaces are not supported. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces except VLAN interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application information for packet filtering for all member devices.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions on interfaces.
Examples
# Display ACL application information for incoming packet filtering on interface GigabitEthernet 1/0/1.
<Sysname> display packet-filter interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
In-bound policy:
IPv4 ACL 2001
IPv6 ACL 2002 (Failed)
MAC ACL 4003 (Failed)
IPv4 ACL 2004
IPv4 default action: Deny
Table 2 Command output
Field |
Description |
Interface |
Interface to which the ACL applies. |
In-bound policy |
ACL used for filtering incoming traffic. |
Out-bound policy |
ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 |
IPv4 basic ACL 2001 has been successfully applied. |
IPv6 ACL 2002 (Failed) |
The device has failed to apply IPv6 basic ACL 2002. |
IPv4 default action |
Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
IPv6 default action |
Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
MAC default action |
Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
display packet-filter verbose
Use display packet-filter verbose to display ACL application details for packet filtering.
Syntax
display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application information for packet filtering for all member devices.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 or mac keyword.
When none of acl-number, name acl-name, ipv6, and mac is specified, this command displays application details of all IPv4 ACLs for packet filtering.
Examples
# Display application details of all ACLs for incoming packet filtering on GigabitEthernet 1/0/1.
<Sysname> display packet-filter verbose interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
In-bound policy:
IPv4 ACL 2001
rule 0 permit
rule 5 permit source 1.1.1.1 0 (Failed)
IPv4 ACL 2002 (Failed)
IPv6 ACL 2000
rule 0 permit
MAC ACL 4000
IPv4 default action: Deny
IPv6 default action: Deny
MAC default action: Deny
Table 3 Command output
Field |
Description |
Interface |
Interface to which the ACL applies. |
In-bound policy |
ACL used for filtering incoming traffic. |
Out-bound policy |
ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 |
IPv4 basic ACL 2001 has been successfully applied. |
IPv4 ACL 2002 (Failed) |
The device has failed to apply IPv4 basic ACL 2002. |
rule 5 permit source 1.1.1.1 0 (Failed) |
The device has failed to apply rule 5. |
IPv4 default action |
Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
IPv6 default action |
Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
MAC default action |
Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
packet-filter
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL application from an interface.
Syntax
packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }
undo packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }
Default
An interface does not filter packets.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 or mac keyword.
This feature does not take effect on an interface that is an aggregation member port.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound
Related commands
· display packet-filter
· display packet-filter verbose
packet-filter default deny
Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.
Use undo packet-filter default deny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.
Examples
# Set the packet filter default action to deny.
<Sysname> system-view
[Sysname] packet-filter default deny
Related commands
· display packet-filter
· display packet-filter verbose
rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | source | source-port | time-range ] *
Default
An IPv4 advanced ACL does not contain any rule.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
· A protocol number in the range of 0 to 255.
· A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
Table 4 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 4 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters |
Function |
Description |
source { source-address source-wildcard | any } |
Specifies a source address. |
The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword specifies any source IP address. |
destination { dest-address dest-wildcard | any } |
Specifies a destination address. |
The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword represents any destination IP address. |
precedence precedence |
Specifies an IP precedence value. |
The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
tos tos |
Specifies a ToS preference. |
The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
dscp dscp |
Specifies a DSCP priority. |
The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
fragment |
Applies the rule only to non-first fragments. |
If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
time-range time-range-name |
Specifies a time range for the rule. |
The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide. |
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 5.
Table 5 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters |
Function |
Description |
source-port operator port1 [ port2 ] |
Specifies one or more UDP or TCP source ports. |
The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] |
Specifies one or more UDP or TCP destination ports. |
|
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * |
Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. |
Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set. |
established |
Specifies the flags for indicating the established status of a TCP connection. |
Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument is icmp (1), set the parameters shown in Table 6.
Table 6 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters |
Function |
Description |
icmp-type { icmp-type [ icmp-code ] | icmp-message } |
Specifies the ICMP message type and code. |
The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 7. |
Table 7 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name |
ICMP message type |
ICMP message code |
echo |
8 |
0 |
echo-reply |
0 |
0 |
fragmentneed-DFset |
3 |
4 |
host-redirect |
5 |
1 |
host-tos-redirect |
5 |
3 |
host-unreachable |
3 |
1 |
information-reply |
16 |
0 |
information-request |
15 |
0 |
net-redirect |
5 |
0 |
net-tos-redirect |
5 |
2 |
net-unreachable |
3 |
0 |
parameter-problem |
12 |
0 |
port-unreachable |
3 |
3 |
protocol-unreachable |
3 |
2 |
reassembly-timeout |
11 |
1 |
source-quench |
4 |
0 |
source-route-failed |
3 |
5 |
timestamp-reply |
14 |
0 |
timestamp-request |
13 |
0 |
ttl-exceeded |
11 |
0 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
· If you do not specify any optional keywords, the undo rule command deletes the entire rule.
· If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl advanced 3002
[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl advanced 3003
[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmptrap
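The TCP/UDP-specific criteria in Table 5 (port operators, ORed TCP flag bits, established) decide what the ACLs above actually let through, and the semantics are easy to misread. The following Python model is an added example, not H3C code: the AdvRule class, the packet dictionaries and the small port-name table are constructed here for illustration, and rules are evaluated in config order (ascending rule ID, first match wins), which is the device default. It rebuilds ACL 3002 from the examples and the two flag rules from Table 5 so that the match results can be checked offline.

```python
"""Model of the TCP/UDP-specific match criteria of IPv4 advanced ACL rules.

Added example, not H3C code: AdvRule, the packet dictionaries and PORT_NAMES
are constructed for illustration. Rules are evaluated in config order
(ascending rule ID, first match wins), the device default.
"""

TCP, UDP, ICMP = 6, 17, 1
IP = None  # the "ip" keyword: matches every transport protocol

# Subset of the port names listed in Table 5 (assumed sufficient for this example).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23,
              "snmp": 161, "snmptrap": 162, "dns": 53}


def resolve_port(port):
    """Accept a port number or one of the keyword names from Table 5."""
    return PORT_NAMES[port] if isinstance(port, str) else int(port)


def port_matches(spec, port):
    """spec models 'operator port1 [ port2 ]'; None means no port criterion."""
    if spec is None:
        return True
    op, p1 = spec[0], resolve_port(spec[1])
    if op == "eq":
        return port == p1
    if op == "neq":
        return port != p1
    if op == "lt":
        return port < p1
    if op == "gt":
        return port > p1
    if op == "range":
        return p1 <= port <= resolve_port(spec[2])
    raise ValueError("unknown operator %r" % op)


class AdvRule:
    def __init__(self, rule_id, action, protocol, source_port=None,
                 destination_port=None, flags=None, established=False):
        self.rule_id, self.action, self.protocol = rule_id, action, protocol
        self.source_port, self.destination_port = source_port, destination_port
        self.flags = flags or {}        # e.g. {"ack": 0, "psh": 1}
        self.established = established  # mutually exclusive with flags on the device

    def matches(self, pkt):
        """pkt is a dict: proto, sport, dport, flags (set of TCP flag names)."""
        if self.protocol is not IP and pkt["proto"] != self.protocol:
            return False
        if self.protocol in (TCP, UDP):
            if not port_matches(self.source_port, pkt["sport"]):
                return False
            if not port_matches(self.destination_port, pkt["dport"]):
                return False
        if self.protocol == TCP:
            # established: ACK or RST bit set. This is a stateless check, so an
            # unsolicited ACK-only segment (an ACK scan) satisfies it as well.
            if self.established and not (pkt["flags"] & {"ack", "rst"}):
                return False
            # Flag criteria are ORed: any one flag in the requested state is enough.
            if self.flags and not any((name in pkt["flags"]) == bool(value)
                                      for name, value in self.flags.items()):
                return False
        return True


def evaluate(rules, pkt):
    """First match in ascending rule-ID order; None when no rule matches
    (the packet filter's default action then decides)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return None


def tcp(dport, sport=40000, *flags):
    """Constructed TCP packet for the checks below."""
    return {"proto": TCP, "sport": sport, "dport": dport, "flags": set(flags)}


# ACL 3002 from the page: permit FTP control and data in both directions.
ACL_3002 = [
    AdvRule(0, "permit", TCP, source_port=("eq", "ftp")),
    AdvRule(5, "permit", TCP, source_port=("eq", "ftp-data")),
    AdvRule(10, "permit", TCP, destination_port=("eq", "ftp")),
    AdvRule(15, "permit", TCP, destination_port=("eq", "ftp-data")),
]

# The two flag-semantics rules described in Table 5.
RULE_ACK0_PSH1 = AdvRule(0, "permit", TCP, flags={"ack": 0, "psh": 1})
RULE_ESTABLISHED = AdvRule(0, "permit", TCP, established=True)

if __name__ == "__main__":
    print(evaluate(ACL_3002, tcp(21, 40000, "syn")))        # ('permit', 10)
    print(evaluate(ACL_3002, tcp(22, 40000, "syn")))        # None
    print(RULE_ESTABLISHED.matches(tcp(22, 40000, "ack")))  # True: stateless check
```

Two points worth checking in the output: a rule with ack 0 psh 1 matches a bare SYN (ACK not set) and a PSH/ACK segment alike, because the flag criteria are ORed, and an established rule passes any segment with ACK or RST set, whether or not a handshake ever happened. If the intent is to admit only return traffic, the permit rule needs to be scoped by source address and port as well, not by flag bits alone.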
Related commands
· acl
· display acl
· step
· time-range
rule (IPv4 basic ACL view)
Use rule to create or edit an IPv4 basic ACL rule.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | source | time-range ] *
Default
An IPv4 basic ACL does not contain any rule.
Views
IPv4 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
source { source-address source-wildcard | any }: Matches a source address. The source-address and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
· If you do not specify any optional keywords, the undo rule command deletes the entire rule.
· If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-basic-2000] rule deny source any
Related commands
· acl
· display acl
· step
· time-range
rule (IPv6 advanced ACL view)
Use rule to create or edit an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | dscp | flow-label | fragment | icmp6-type | routing | hop-by-hop | source | source-port | time-range ] *
Default
An IPv6 advanced ACL does not contain any rule.
Views
IPv6 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
· A protocol number in the range of 0 to 255.
· A protocol name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.
Table 8 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 8 Match criteria and other rule information for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { source-address source-prefix \| source-address/source-prefix \| any } | Specifies a source IPv6 address. | The source-address argument specifies an IPv6 source address. The source-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address. |
destination { dest-address dest-prefix \| dest-address/dest-prefix \| any } | Specifies a destination IPv6 address. | The dest-address argument specifies a destination IPv6 address. The dest-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 destination address. |
dscp dscp | Specifies a DSCP preference. | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
flow-label flow-label-value | Specifies a flow label value in an IPv6 packet header. | The flow-label-value argument is in the range of 0 to 1048575. |
fragment | Applies the rule only to non-first fragments. | If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
routing [ type routing-type ] | Specifies an IPv6 routing header type. | The routing-type argument is the value of the IPv6 routing header type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing header. |
hop-by-hop [ type hop-type ] | Specifies an IPv6 Hop-by-Hop Options header type. | The hop-type argument is the value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255. If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. Otherwise, the rule applies to all types of IPv6 Hop-by-Hop Options header. |
time-range time-range-name | Specifies a time range for the rule. | The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide. |
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 9.
Table 9 TCP/UDP-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports. | The operator, port1, and port2 arguments take the same values as for source-port. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set. |
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
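The flag semantics in Table 9 are easy to misread, so here is an added example (not code from the command reference or the vendor's software) that encodes exactly what the table states, flag criteria ORed and `established` meaning ACK or RST set, and runs constructed IPv6 packets through it. First-match evaluation in config order and the verdict when no rule matches are assumptions made for the model; the `Packet`, `Rule`, `evaluate` and `demo` names are the example's own.

```python
"""TCP-specific match criteria of IPv6 advanced ACL rules (Table 9), modelled in code.

Added example, not part of the command reference or the vendor's software. It
encodes only the semantics the table states: flag criteria in one rule are
ORed, and `established` matches packets with ACK or RST set. First-match
evaluation in config order and the "no rule matched" default are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")


@dataclass
class Packet:
    """Constructed test packet carrying only the fields the rules inspect."""
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # names of the TCP flag bits that are set


@dataclass
class Rule:
    """One `rule { deny | permit } tcp ...` line with the criteria modelled here."""
    action: str                                    # "permit" or "deny"
    source: str = "::/0"                           # source prefix, "::/0" stands for any
    destination: str = "::/0"
    dport: Optional[int] = None                    # destination-port eq <port>
    flag_values: Dict[str, int] = field(default_factory=dict)  # e.g. {"ack": 0, "psh": 1}
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established:
            # Table 9: matches TCP packets with the ACK or RST flag bit set,
            # so a bare RST (no handshake ever happened) is admitted too.
            return "ack" in pkt.flags or "rst" in pkt.flags
        if self.flag_values:
            # Table 9: flag criteria are ORed. `ack 0 psh 1` matches a packet
            # with ACK clear OR a packet with PSH set, not only both at once.
            for name in self.flag_values:
                if name not in TCP_FLAGS:
                    raise ValueError(f"unknown TCP flag {name!r}")
            return any((name in pkt.flags) == bool(want)
                       for name, want in self.flag_values.items())
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule in config order decides; `default` applies when none matches (assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def demo() -> Dict[str, str]:
    """Constructed packets against two rules, showing what each criterion really admits."""
    flag_rule = Rule("permit", flag_values={"ack": 0, "psh": 1})
    ssh_established = Rule("permit", destination="2001:db8:1::/64", dport=22, established=True)
    src, dst = "2001:db8:2::10", "2001:db8:1::22"
    return {
        # ACK clear, so `ack 0` alone satisfies the ORed criteria.
        "syn_only_vs_ack0_psh1": evaluate([flag_rule], Packet(src, dst, 80, frozenset({"syn"}))),
        # PSH set satisfies it even though ACK is set.
        "ack_psh_vs_ack0_psh1": evaluate([flag_rule], Packet(src, dst, 80, frozenset({"ack", "psh"}))),
        # ACK set and PSH clear fails both halves: falls through to the default.
        "ack_only_vs_ack0_psh1": evaluate([flag_rule], Packet(src, dst, 80, frozenset({"ack"}))),
        # `established` admits a bare RST toward port 22 ...
        "rst_only_vs_established": evaluate([ssh_established], Packet(src, dst, 22, frozenset({"rst"}))),
        # ... but not a connection-opening SYN.
        "syn_only_vs_established": evaluate([ssh_established], Packet(src, dst, 22, frozenset({"syn"}))),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The two results worth remembering: a rule written as `ack 0 psh 1` is not "ACK clear and PSH set", and `established` is a flag check, not connection tracking, so unsolicited RST segments pass it.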
If the protocol argument is icmpv6 (58), set the parameters shown in Table 10.
Table 10 ICMPv6-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp6-type { icmp6-type icmp6-code \| icmp6-message } | Specifies the ICMPv6 message type and code. | The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 11. |
Table 11 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
· If you do not specify any optional keywords, the undo rule command deletes the entire rule.
· If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Examples
# Create an IPv6 advanced ACL rule to permit TCP packets from 2030:5060::/64 to FE80:5060::/96 with destination port 80.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3000
[Sysname-acl-ipv6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3001
[Sysname-acl-ipv6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
[Sysname-acl-ipv6-adv-3001] rule permit ipv6
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3002
[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3003
[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmptrap
# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets whose Hop-by-Hop Options header type is 5, and the other denies packets with any other Hop-by-Hop Options header type.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3004
[Sysname-acl-ipv6-adv-3004] rule permit ipv6 hop-by-hop type 5
[Sysname-acl-ipv6-adv-3004] rule deny ipv6 hop-by-hop
Related commands
· acl
· display acl
· step
· time-range
rule (IPv6 basic ACL view)
Use rule to create or edit an IPv6 basic ACL rule.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ fragment | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | routing | source | time-range ] *
Default
An IPv6 basic ACL does not contain any rule.
Views
IPv6 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
routing [ type routing-type ]: Applies the rule to the specified type of routing header or all types of routing header. The routing-type argument specifies the value of the routing header type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing header.
source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IPv6 address. The source-address argument specifies a source IPv6 address. The source-prefix argument specifies an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
· If you do not specify any optional keywords, the undo rule command deletes the entire rule.
· If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Examples
# Create IPv6 basic ACL rules to deny packets from any source IPv6 segment except 1001::/16, 3124:1123::/32, and FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 16
[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl-ipv6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl-ipv6-basic-2000] rule deny source any
Related commands
· acl
· display acl
· step
· time-range
rule (Layer 2 ACL view)
Use rule to create or edit a Layer 2 ACL rule.
Use undo rule to delete a Layer 2 ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
undo rule rule-id [ time-range ]
Default
A Layer 2 ACL does not contain any rule.
Views
Layer 2 ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The 802.1p priority can be specified by one of the following values:
· A priority number in the range of 0 to 7.
· A priority name: best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Layer 2. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the source-mask argument represents a mask, both in the H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
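Every Layer 2 criterion above is a value/mask pair, and the mask decides how much a single rule matches. The following is an added example, not code from the command reference or the vendor's software; it assumes the conventional semantics that a frame field matches when (field AND mask) equals (value AND mask), so ffff or ffff-ffff-ffff is an exact match and each zero mask bit is a wildcard. The `parse_hhh`, `ethertype_matches`, `mac_matches` and `ethertypes_covered` names are the example's own.

```python
"""Mask matching for Layer 2 ACL rules (type, lsap, source-mac, dest-mac).

Added example, not part of the command reference. The assumed semantics are
the usual ones for a value/mask pair: a frame field matches when
(field AND mask) == (value AND mask), so a mask of ffff or ffff-ffff-ffff is
an exact match and every zero mask bit is a wildcard. The point it shows is
how much a loose mask lets through.
"""
from typing import Dict


def parse_hhh(mac: str) -> int:
    """'0050-ba27-bed3' (the H-H-H format used in the rules) -> integer."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not in H-H-H format: {mac!r}")
    return int("".join(parts), 16)


def masked_match(value: int, mask: int, field: int) -> bool:
    return (field & mask) == (value & mask)


def ethertype_matches(rule_type: str, rule_mask: str, frame_type: int) -> bool:
    """`type protocol-type protocol-type-mask` against a frame's EtherType."""
    return masked_match(int(rule_type, 16), int(rule_mask, 16), frame_type)


def mac_matches(rule_mac: str, rule_mask: str, frame_mac: str) -> bool:
    """`source-mac` / `dest-mac address mask` against a frame address."""
    return masked_match(parse_hhh(rule_mac), parse_hhh(rule_mask), parse_hhh(frame_mac))


def ethertypes_covered(rule_mask: str) -> int:
    """How many distinct EtherType values a 16-bit mask lets one rule match."""
    wildcard_bits = bin(0xFFFF & ~int(rule_mask, 16)).count("1")
    return 2 ** wildcard_bits


ARP, RARP, IPV4, IPV6 = 0x0806, 0x8035, 0x0800, 0x86DD


def demo() -> Dict[str, object]:
    return {
        # The page's own example: exact masks keep ARP and RARP apart.
        "permit_0806_ffff_vs_arp": ethertype_matches("0806", "ffff", ARP),
        "permit_0806_ffff_vs_rarp": ethertype_matches("0806", "ffff", RARP),
        # A loose mask meant to "match IPv4" also matches ARP (0x0806 & 0xff00 == 0x0800).
        "loose_0800_ff00_vs_arp": ethertype_matches("0800", "ff00", ARP),
        "loose_0800_ff00_vs_ipv6": ethertype_matches("0800", "ff00", IPV6),
        "ethertypes_under_ff00": ethertypes_covered("ff00"),
        # OUI-only address match: only the first three bytes are compared.
        "oui_match": mac_matches("0050-ba00-0000", "ffff-ff00-0000", "0050-ba27-bed3"),
        "oui_mismatch": mac_matches("0050-ba00-0000", "ffff-ff00-0000", "0011-2233-4455"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

When reviewing a Layer 2 ACL, run each `type` mask through `ethertypes_covered`: anything above 1 means the rule admits protocols the author may not have intended.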
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
· If you do not specify any optional keywords, the undo rule command deletes the entire rule.
· If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in Layer 2 ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000] rule permit type 0806 ffff
[Sysname-acl-mac-4000] rule deny type 8035 ffff
Related commands
· acl
· display acl
· step
· time-range
rule (WLAN client ACL view)
Use rule to create or edit a WLAN client ACL rule.
Use undo rule to delete a WLAN client ACL rule.
Syntax
rule [ rule-id ] { deny | permit } [ ssid ssid-name ]
undo rule rule-id
Default
A WLAN client ACL does not contain any rule.
Views
WLAN client ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
ssid ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters. Supported characters include letters and digits, and spaces are allowed. If you do not specify this option, the rule applies to packets with any SSID.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Configure rules for WLAN client ACL 111 to permit packets with the SSID ME and deny packets with the SSID HIM.
<Sysname> system-view
[Sysname] acl wlan client 111
[Sysname-acl-client-111] rule permit ssid ME
[Sysname-acl-client-111] rule deny ssid HIM
Related commands
· acl wlan client
· display acl
· step
rule (WLAN AP ACL view)
Use rule to create or edit a WLAN AP ACL rule.
Use undo rule to delete a WLAN AP ACL rule.
Syntax
rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ]
undo rule rule-id
Default
A WLAN AP ACL does not contain any rule.
Views
WLAN AP ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
mac mac-address mac-mask: Matches an AP MAC address range. The mac-address argument represents a MAC address in the H-H-H format, and the mac-mask argument represents a mask in the H-H-H format. If you do not specify this option, the rule applies to all MAC addresses.
serial-id serial-id: Matches an AP serial ID. The serial-id argument is a case-insensitive string of 1 to 32 characters. If you do not specify this option, the rule applies to all serial IDs.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Configure rules for WLAN AP ACL 222 to permit the AP with the serial ID 219801A1NQB117012935 and deny the AP with the serial ID 219801A1NQB117012946.
<Sysname> system-view
[Sysname] acl wlan ap 222
[Sysname-acl-ap-222] rule permit serial-id 219801A1NQB117012935
[Sysname-acl-ap-222] rule deny serial-id 219801A1NQB117012946
Related commands
· acl wlan ap
· display acl
· step
rule comment
Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.
Use undo rule comment to delete an ACL rule comment.
Syntax
rule rule-id comment text
undo rule rule-id comment
Default
A rule does not have a comment.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
WLAN AP/client ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Examples
# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2000] rule 0 comment This rule is used on GigabitEthernet 1/0/1.
Related commands
display acl
step
Use step to set a rule numbering step for an ACL.
Use undo step to restore the default.
Syntax
step step-value
undo step
Default
The rule numbering step for an ACL is 5, and the start rule ID is 0.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
WLAN AP/client ACL view
Predefined user roles
network-admin
Parameters
step-value: Specifies the ACL rule numbering step in the range of 1 to 20.
Usage guidelines
The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.
The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
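The ID allocation and renumbering rules above are simple, but the renumbering has an operational consequence worth seeing: after a `step` change, every rule ID that was written down anywhere else is wrong. The following is an added example, not code from the command reference or the vendor's software; the `AclRuleTable` class and its methods are the example's own, and rejecting a duplicate permit/deny statement with an exception is this model's way of expressing "the rule will not be created".

```python
"""Rule ID assignment and renumbering for the `rule` and `step` commands.

Added example, not part of the command reference. It reproduces the documented
rules: an auto-assigned ID is the nearest multiple of the step above the current
highest ID (0 for an empty ACL), a duplicate permit/deny statement is rejected,
and changing the step renumbers every rule from 0 in its existing order. The
operational point is the last one: any rule ID recorded elsewhere (a script
that runs `undo rule 13`, a change ticket, a comment) is stale after `step`.
"""
from typing import Dict, List, Optional


class AclRuleTable:
    def __init__(self, step: int = 5) -> None:
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range of 1 to 20")
        self.step = step
        self.rules: Dict[int, str] = {}      # rule ID -> permit/deny statement

    def next_id(self) -> int:
        """Nearest higher multiple of the step above the current highest ID."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add(self, statement: str, rule_id: Optional[int] = None) -> int:
        if statement in self.rules.values():
            raise ValueError(f"statement already exists: {statement!r}")
        if rule_id is None:
            rule_id = self.next_id()
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be in the range of 0 to 65534")
        self.rules[rule_id] = statement
        return rule_id

    def set_step(self, step: int) -> Dict[int, int]:
        """Change the step and renumber from 0; returns old ID -> new ID."""
        if not 1 <= step <= 20:
            raise ValueError("step must be in the range of 1 to 20")
        old_ids = sorted(self.rules)
        mapping = {old: index * step for index, old in enumerate(old_ids)}
        self.rules = {mapping[old]: self.rules[old] for old in old_ids}
        self.step = step
        return mapping

    def ids(self) -> List[int]:
        return sorted(self.rules)


def demo() -> Dict[str, object]:
    acl = AclRuleTable(step=5)
    # The example from the reference: highest ID 28 with step 5 -> next ID 30.
    acl.add("permit source 10.0.0.0 0.255.255.255", rule_id=28)
    auto_id = acl.add("permit source 172.17.0.0 0.0.255.255")
    # The renumbering example: rules 5, 10, 13, 15, 20 with the step changed to 2.
    table = AclRuleTable(step=5)
    nets = ("10.1.0.0", "10.2.0.0", "10.3.0.0", "10.4.0.0", "10.5.0.0")
    for rid, net in zip((5, 10, 13, 15, 20), nets):
        table.add(f"permit source {net} 0.0.255.255", rule_id=rid)
    mapping = table.set_step(2)
    return {
        "auto_id_after_28": auto_id,
        "ids_after_step_2": table.ids(),
        "old_13_is_now": mapping[13],      # a saved `undo rule 13` now targets no rule
        "next_id_after_step_2": table.next_id(),
    }


if __name__ == "__main__":
    print(demo())
```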
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] step 2
Related commands
display acl
QoS policy commands
The WX1800H series access controllers do not support the slot keyword or the slot-number argument.
Traffic class commands
display traffic classifier
Use display traffic classifier to display traffic classes.
Syntax
display traffic classifier { system-defined | user-defined } [ classifier-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
system-defined: Specifies system-defined traffic classes.
user-defined: Specifies user-defined traffic classes.
classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic class, this command displays all traffic classes.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the traffic classes for the master device.
Examples
# Display all user-defined traffic classes.
<Sysname> display traffic classifier user-defined
User-defined classifier information:
Classifier: 1 (ID 100)
Operator: AND
Rule(s) :
If-match acl 2000
Classifier: 2 (ID 101)
Operator: AND
Rule(s) :
If-match not protocol ipv6
Classifier: 3 (ID 102)
Operator: AND
Rule(s) :
-none-
# Display the system-defined traffic class default-class.
<Sysname> display traffic classifier system-defined default-class
System-defined classifier information:
Classifier: default-class (ID 0)
Operator: AND
Rule(s) :
If-match any
Field | Description |
---|---|
Classifier | Traffic class name and its match criteria. |
Operator | Match operator you set for the traffic class. If the operator is AND, the traffic class matches the packets that match all its match criteria. If the operator is OR, the traffic class matches the packets that match any of its match criteria. |
Rule(s) | Match criteria. |
if-match
Use if-match to define a match criterion.
Use undo if-match to delete a match criterion.
Syntax
if-match [ not ] match-criteria
undo if-match [ not ] match-criteria
Default
No match criterion is configured.
Views
Traffic class view
Predefined user roles
network-admin
Parameters
not: Matches packets that do not conform to the specified criterion.
match-criteria: Specifies a match criterion. Table 13 shows the available match criteria.
Table 13 Available match criteria
Option | Description |
---|---|
acl [ ipv6 \| mac ] { acl-number \| name acl-name } | Matches an ACL. The acl-number argument has the following value ranges: 2000 to 3999 for both IPv4 and IPv6 ACLs, and 4000 to 4999 for Layer 2 ACLs. The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an English letter. To avoid confusion, make sure the argument is not all. |
any | Matches all packets. |
customer-dot1p dot1p-value&<1-8> | Matches 802.1p priority values in VLAN tags. The dot1p-value&<1-8> argument specifies a space-separated list of up to eight 802.1p priority values. The value range for the dot1p-value argument is 0 to 7. |
customer-vlan-id vlan-id-list | Matches VLAN IDs in VLAN tags. The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each item specifies a VLAN or a range of VLANs in the form of vlan-id1 to vlan-id2. The value for vlan-id2 must be greater than or equal to the value for vlan-id1. The value range for the vlan-id argument is 1 to 4094. |
destination-mac mac-address | Matches a destination MAC address. |
dscp dscp-value&<1-8> | Matches DSCP values. The dscp-value&<1-8> argument specifies a space-separated list of up to eight DSCP values. The value range for the dscp-value argument is 0 to 63 or keywords shown in Table 15. |
ip-precedence ip-precedence-value&<1-8> | Matches IP precedence values. The ip-precedence-value&<1-8> argument specifies a space-separated list of up to eight IP precedence values. The value range for the ip-precedence-value argument is 0 to 7. |
local-precedence local-precedence-value&<1-8> | Matches local precedence values. The local-precedence-value&<1-8> argument specifies a space-separated list of up to eight local precedence values. The value range for the local-precedence-value argument is 0 to 7. |
protocol protocol-name | Matches a protocol. The protocol-name argument can be arp, bittorrent, ip, or ipv6. |
source-mac mac-address | Matches a source MAC address. |
Usage guidelines
In a traffic class with the logical OR operator, you can configure multiple if-match commands for any of the available match criteria.
When you configure a match criterion that can have multiple values in one if-match command, follow these restrictions and guidelines:
· You can specify up to eight values for any of the following match criteria in one if-match command:
  ◦ 802.1p priority.
  ◦ DSCP.
  ◦ IP precedence.
  ◦ Local precedence.
  ◦ VLAN ID.
· If a packet matches one of the specified values, it matches the if-match command.
· To delete a criterion that has multiple values, the specified values in the undo if-match command must be the same as those specified in the if-match command. The order of values can be different.
When you configure ACL-based match criteria, follow these restrictions and guidelines:
· If the ACL used as a match criterion does not exist, the traffic class cannot be applied to hardware.
· In a traffic class, you can add two if-match statements that use the same ACL as the match criterion. In one statement, specify the ACL by its name. In the other statement, specify the ACL by its number.
· If the ACL in a traffic class contains a deny rule, the if-match statement is ignored:
  ◦ If the operator of the traffic class is OR, the matching process continues with the next if-match statement.
  ◦ If the operator of the traffic class is AND, the matching process continues with the next traffic class.
The source MAC address and destination MAC address match criteria are applicable only to Ethernet interfaces.
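The deny-rule guideline above is the one most likely to surprise someone who writes ACLs for packet filtering: a deny rule inside the ACL does not exclude traffic from the class, it silences the whole `if-match acl` statement. The following is an added example, not code from the command reference or the vendor's software, that models class evaluation with the AND and OR operators and that guideline. It assumes that an `if-match acl` criterion is true for a packet hitting a permit rule (first match in config order) and false when no rule matches; the `Acl`, `TrafficClass`, `criterion` and `class_matches` names, and the constructed ACLs and packet, are the example's own.

```python
"""Traffic class evaluation with the AND/OR operator and the deny-rule caveat
from the if-match usage guidelines, modelled in code.

Added example, not from the command reference or the vendor's software. It
assumes: an `if-match acl` criterion is true for a packet that hits a permit
rule of that ACL (first match in config order), and, per the guidelines, an
ACL containing any deny rule makes its if-match statement ignored: skipped
under OR, class failure under AND. DSCP and `any` criteria are included so
the OR case has something else to match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclRule:
    action: str      # "permit" or "deny"
    source: str      # source prefix, e.g. "10.1.0.0/16"


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    def has_deny(self) -> bool:
        return any(r.action == "deny" for r in self.rules)

    def permits(self, src: str) -> bool:
        for r in self.rules:   # first match in config order decides
            if ipaddress.ip_address(src) in ipaddress.ip_network(r.source, strict=False):
                return r.action == "permit"
        return False           # no rule hit: not matched (assumption)


@dataclass
class TrafficClass:
    name: str
    operator: str              # "and" or "or"
    criteria: List[Tuple]      # ("acl", Acl) | ("dscp", {46, ...}) | ("any",)


def criterion(c: Tuple, pkt: Dict) -> Optional[bool]:
    """True/False for an evaluated criterion, None when the statement is ignored."""
    kind = c[0]
    if kind == "any":
        return True
    if kind == "dscp":
        return pkt["dscp"] in c[1]
    if kind == "acl":
        if c[1].has_deny():
            return None        # guideline: if-match with a deny-containing ACL is ignored
        return c[1].permits(pkt["src"])
    raise ValueError(f"unsupported criterion {kind!r}")


def class_matches(tc: TrafficClass, pkt: Dict) -> bool:
    evaluated = 0
    for c in tc.criteria:
        result = criterion(c, pkt)
        if result is None:
            if tc.operator == "and":
                return False   # AND: matching moves on to the next traffic class
            continue           # OR: matching continues with the next if-match
        evaluated += 1
        if tc.operator == "and" and not result:
            return False
        if tc.operator == "or" and result:
            return True
    return tc.operator == "and" and evaluated > 0


def demo() -> Dict[str, bool]:
    # Constructed configuration: the author tried to exclude 10.1.0.0/16 with a deny rule.
    acl_with_deny = Acl(2001, [AclRule("deny", "10.1.0.0/16"), AclRule("permit", "10.0.0.0/8")])
    acl_clean = Acl(2000, [AclRule("permit", "10.0.0.0/8")])
    pkt = {"src": "10.2.3.4", "dscp": 46}     # constructed packet outside the excluded range
    with_deny = [("acl", acl_with_deny), ("dscp", {46})]
    clean = [("acl", acl_clean), ("dscp", {46})]
    return {
        # AND + deny-containing ACL: the statement is ignored and the class fails,
        # even though this packet would have hit the permit rule.
        "and_deny_acl": class_matches(TrafficClass("c1", "and", with_deny), pkt),
        # OR: the ACL statement is skipped, the DSCP criterion still matches.
        "or_deny_acl": class_matches(TrafficClass("c2", "or", with_deny), pkt),
        # Permit-only ACL: the class behaves as written.
        "and_clean_acl": class_matches(TrafficClass("c3", "and", clean), pkt),
        "and_clean_acl_wrong_dscp": class_matches(TrafficClass("c3", "and", clean), {"src": "10.2.3.4", "dscp": 0}),
    }


if __name__ == "__main__":
    print(demo())
```

The practical rule that follows: an ACL handed to a traffic class should contain only permit rules that select the traffic of interest; the decision to drop belongs to the traffic behavior (the filtering action shown as Filter enable in display traffic behavior output), not to a deny rule in the ACL.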
Examples
# Define a match criterion for traffic class class1 to match the packets with a destination MAC address of 0050-ba27-bed3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3
# Define a match criterion for traffic class class2 to match the packets with a source MAC address of 0050-ba27-bed2.
<Sysname> system-view
[Sysname] traffic classifier class2
[Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2
# Define a match criterion for traffic class class1 to match the packets with 802.1p priority 3 in the VLAN tag.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match customer-dot1p 3
# Define a match criterion for traffic class class1 to match the advanced ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl 3101
# Define a match criterion for traffic class class1 to match the ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl name flow
# Define a match criterion for traffic class class1 to match the advanced IPv6 ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl ipv6 3101
# Define a match criterion for traffic class class1 to match the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl ipv6 name flow
# Define a match criterion for traffic class class1 to match all packets.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match any
# Define a match criterion for traffic class class1 to match the packets with a DSCP value of 1, 6, or 9.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match dscp 1 6 9
# Define a match criterion for traffic class class1 to match the packets with an IP precedence value of 1 or 6.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match ip-precedence 1 6
# Define a match criterion for traffic class class1 to match the packets with a local precedence value of 1 or 6.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match local-precedence 1 6
# Define a match criterion for traffic class class1 to match IP packets.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match protocol ip
# Define a match criterion for traffic class class1 to match the packets with VLAN ID 1, 6, or 9 in the VLAN tag.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match customer-vlan-id 1 6 9
traffic classifier
Use traffic classifier to create a traffic class and enter traffic class view.
Use undo traffic classifier to delete a traffic class.
Syntax
traffic classifier classifier-name [ operator { and | or } ]
undo traffic classifier classifier-name
Default
No traffic class exists.
Views
System view
Predefined user roles
network-admin
Parameters
classifier-name: Specifies the name of the traffic class to be created, a case-sensitive string of 1 to 31 characters.
operator: Sets the operator to logic AND (the default) or OR for the traffic class.
and: Specifies the logic AND operator. The traffic class matches the packets that match all its criteria.
or: Specifies the logic OR operator. The traffic class matches the packets that match any of its criteria.
Examples
# Create a traffic class class1.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1]
Related commands
display traffic classifier
Traffic behavior commands
car
Use car to configure a CAR action in absolute value in a traffic behavior.
Use undo car to delete the action.
Syntax
car cir committed-information-rate [ cbs committed-burst-size ] [ green action | red action | yellow action ] *
undo car
Default
No CAR action is configured.
Views
Traffic behavior view
Predefined user roles
network-admin
Parameters
cir committed-information-rate: Specifies the committed information rate (CIR) in the range of 8 to 10000000 kbps.
cbs committed-burst-size: Specifies the committed burst size (CBS) in the range of 1000 to 1000000000 bytes.
green action: Specifies the action to take on packets that conform to the CIR. The default setting is pass.
red action: Specifies the action to take on packets that do not conform to the CIR. The default setting is discard.
yellow action: Specifies the action to take on packets that conform to the PIR but not to the CIR. The default setting is pass. This option is not supported in the current software version.
action: Sets the action to take on the packet:
· discard: Drops the packet.
· pass: Permits the packet to pass through.
Usage guidelines
If you configure the car command multiple times in the same traffic behavior, the most recent configuration takes effect.
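To see what cir and cbs actually do to a traffic stream, here is an added example, not code from the command reference or the vendor's software, that meters the page's own `car cir 200 cbs 51200 green pass` configuration as a single-rate, two-color token bucket. The bucket model (capacity cbs bytes, refill at cir, bucket initially full, a red packet consumes no tokens) is an assumption about how the device meters and is stated as such in the code; the `Car`, `meter` and `demo` names and the constructed arrival patterns are the example's own. Yellow is left out because the page states it is unsupported.

```python
"""Single-rate, two-color CAR (cir / cbs, green / red) modelled as a token bucket.

Added example, not from the command reference. The bucket model is an
assumption about how the device meters: the bucket holds at most cbs bytes,
refills at cir (kbps converted to bytes per millisecond), a packet that fits
is green and consumes its size, otherwise it is red and consumes nothing.
Time is in integer milliseconds so the arithmetic stays exact. The yellow
color is omitted because the page states it is unsupported.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Car:
    cir_kbps: int
    cbs_bytes: int
    green: str = "pass"       # default green action per the command reference
    red: str = "discard"      # default red action per the command reference
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if not 8 <= self.cir_kbps <= 10000000 or not 1000 <= self.cbs_bytes <= 1000000000:
            raise ValueError("cir or cbs outside the documented range")
        self.tokens = float(self.cbs_bytes)   # bucket starts full (assumption)

    def offer(self, now_ms: int, size: int) -> str:
        """Meter one packet arriving at now_ms and return the action taken."""
        refill = (now_ms - self.last_ms) * self.cir_kbps / 8   # kbit/s divided by 8 is bytes per ms
        self.tokens = min(float(self.cbs_bytes), self.tokens + refill)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return self.green
        return self.red


def meter(car: Car, arrivals: List[Tuple[int, int]]) -> Dict[str, int]:
    """Run (time_ms, size_bytes) arrivals through the CAR and count the actions."""
    counts: Dict[str, int] = {car.green: 0, car.red: 0}
    for t, size in arrivals:
        counts[car.offer(t, size)] += 1
    return counts


def demo() -> Dict[str, Dict[str, int]]:
    """The page's example (cir 200 cbs 51200 green pass) against constructed traffic."""
    # 40 x 1500-byte frames at once: the burst size, not the rate, decides (51200 // 1500 == 34).
    burst = [(0, 1500) for _ in range(40)]
    # 1250 bytes every 25 ms is 50 kB/s, twice the CIR of 25 kB/s: once the
    # bucket drains, every second packet is red, so the long-run rate is the CIR.
    twice_cir = [(25 * i, 1250) for i in range(100)]
    return {
        "burst": meter(Car(200, 51200), burst),
        "twice_cir": meter(Car(200, 51200), twice_cir),
    }


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:10s} {counts}")
```

Two things the numbers make visible: cbs bounds how much a quiet sender can push through instantaneously regardless of cir, and a sender at twice the cir keeps exactly half of its packets once the bucket is empty, so a CAR used as a defensive rate limit still lets an abusive source through at the configured rate.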
Examples
# Configure a CAR action in traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] car cir 200 cbs 51200 green pass
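The car action is a single-rate policer, and the reference does not show how CIR and CBS interact on actual traffic. The following Python model is an added example, not code from the command reference or the device: it colours packets green or red with one token bucket sized by CBS and refilled at CIR, then runs constructed traffic through it using the example's own values of 200 kbps and 51200 bytes. The Car class, simulate() and the two demo functions are this example's names; EBS is fixed at 0 and there is no yellow action, matching the note above that the yellow action is unsupported on this software version.

```python
"""Token-bucket model of the `car cir ... cbs ...` traffic-behavior action.

Added example (not from the command reference): a single-rate, single-bucket
policer. EBS is 0, so a packet is either green (pass) or red (discard).
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Car:
    cir_kbps: int                 # committed information rate, 8..10000000 kbps on the page
    cbs_bytes: int                # committed burst size, 1000..1000000000 bytes on the page
    green: str = "pass"           # default green action on the page
    red: str = "discard"          # default red action on the page
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if not 8 <= self.cir_kbps <= 10_000_000:
            raise ValueError("cir must be 8..10000000 kbps")
        if not 1000 <= self.cbs_bytes <= 1_000_000_000:
            raise ValueError("cbs must be 1000..1000000000 bytes")
        # A fresh bucket is full: an idle client can always push one CBS worth
        # of bytes before the first discard.
        self.tokens = float(self.cbs_bytes)

    def police(self, now_ms: int, size_bytes: int) -> str:
        """Colour one packet of size_bytes arriving at now_ms; return the action."""
        # 1 kbps = 1000 bit/s = 0.125 byte/ms, so the refill is elapsed_ms * cir / 8 bytes,
        # capped at CBS (tokens that do not fit in the bucket are lost).
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.cbs_bytes, self.tokens + elapsed * self.cir_kbps / 8)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return self.green
        return self.red


def simulate(car: Car, packets: list[tuple[int, int]]) -> dict[str, int]:
    """Run (arrival_ms, size_bytes) packets through the policer and count actions."""
    return dict(Counter(car.police(t, size) for t, size in packets))


def burst_then_refill() -> dict[str, int]:
    """Constructed traffic: 60 x 1000-byte packets at t=0, then 30 more one second later."""
    car = Car(cir_kbps=200, cbs_bytes=51200)
    packets = [(0, 1000)] * 60 + [(1000, 1000)] * 30
    # 51 packets fit in the 51200-byte CBS; one second at 200 kbps refills
    # 25000 bytes, so 25 of the second burst pass: {'pass': 76, 'discard': 14}
    return simulate(car, packets)


def sustained_at_cir() -> dict[str, int]:
    """Constructed traffic: a 1000-byte packet every 40 ms is exactly 200 kbps, so all pass."""
    car = Car(cir_kbps=200, cbs_bytes=51200)
    return simulate(car, [(40 * i, 1000) for i in range(500)])


if __name__ == "__main__":
    print("burst then refill:", burst_then_refill())
    print("sustained at CIR :", sustained_at_cir())
```

The burst case is the one to keep in mind when CAR is used to contain a noisy or hostile client: CBS bounds the burst that gets through before policing bites, so size it for the burst you are willing to absorb, not only for the sustained rate.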
display traffic behavior
Use display traffic behavior to display traffic behaviors.
Syntax
display traffic behavior { system-defined | user-defined } [ behavior-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
system-defined: Specifies system-defined traffic behaviors.
user-defined: Specifies user-defined traffic behaviors.
behavior-name: Specifies a behavior by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic behavior, this command displays all traffic behaviors.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the traffic behaviors for the master device.
Examples
# Display all user-defined traffic behaviors.
<Sysname> display traffic behavior user-defined
User-defined behavior information:
Behavior: 1 (ID 100)
Filter enable: Permit
Marking:
Remark dscp 3
Committed Access Rate:
CIR 112 (kbps), CBS 5120 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
# Display all system-defined traffic behaviors.
<Sysname> display traffic behavior system-defined
System-defined behavior information:
Behavior: be (ID 0)
-none-
Behavior: af (ID 1)
-none-
Behavior: ef (ID 2)
-none-
Behavior: be-flow-based (ID 3)
-none-
Field | Description |
---|---|
Behavior | Name and contents of a traffic behavior. |
Marking | Information about priority marking. |
Remark dscp | Action of setting the DSCP value for packets. |
Committed Access Rate | Information about the CAR action. |
Green action | Action to take on green packets. |
Yellow action | Action to take on yellow packets. This field is not supported in the current software version. |
Red action | Action to take on red packets. |
Filter enable | Traffic filtering action. |
none | No other traffic behavior is configured. |
filter
Use filter to configure a traffic filtering action in a traffic behavior.
Use undo filter to delete the action.
Syntax
filter { deny | permit }
undo filter
Default
No traffic filtering action is configured.
Views
Traffic behavior view
Predefined user roles
network-admin
Parameters
deny: Drops packets.
permit: Transmits packets.
Examples
# Configure a traffic filtering action as deny in traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] filter deny
remark dscp
Use remark dscp to configure a DSCP marking action in a traffic behavior.
Use undo remark dscp to delete the action.
Syntax
remark dscp dscp-value
undo remark dscp
Default
No DSCP marking action is configured.
Views
Traffic behavior view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP value, which can be a number from 0 to 63 or a keyword in Table 15.
Table 15 DSCP keywords and values
Keyword | DSCP value (binary) | DSCP value (decimal) |
---|---|---|
default | 000000 | 0 |
af11 | 001010 | 10 |
af12 | 001100 | 12 |
af13 | 001110 | 14 |
af21 | 010010 | 18 |
af22 | 010100 | 20 |
af23 | 010110 | 22 |
af31 | 011010 | 26 |
af32 | 011100 | 28 |
af33 | 011110 | 30 |
af41 | 100010 | 34 |
af42 | 100100 | 36 |
af43 | 100110 | 38 |
cs1 | 001000 | 8 |
cs2 | 010000 | 16 |
cs3 | 011000 | 24 |
cs4 | 100000 | 32 |
cs5 | 101000 | 40 |
cs6 | 110000 | 48 |
cs7 | 111000 | 56 |
ef | 101110 | 46 |
Examples
# Configure traffic behavior database to mark matching traffic with DSCP 6.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dscp 6
remark local-precedence
Use remark local-precedence to configure a local precedence marking action in a traffic behavior.
Use undo remark local-precedence to delete the action.
Syntax
remark local-precedence local-precedence-value
undo remark local-precedence
Default
No local precedence marking action is configured.
Views
Traffic behavior view
Predefined user roles
network-admin
Parameters
local-precedence-value: Specifies the local precedence to be marked for packets, in the range of 0 to 7.
Examples
# Configure traffic behavior database to mark matching traffic with local precedence 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark local-precedence 2
traffic behavior
Use traffic behavior to create a traffic behavior and enter traffic behavior view.
Use undo traffic behavior to delete a traffic behavior.
Syntax
traffic behavior behavior-name
undo traffic behavior behavior-name
Default
No traffic behavior exists.
Views
System view
Predefined user roles
network-admin
Parameters
behavior-name: Specifies a name for the traffic behavior, a case-sensitive string of 1 to 31 characters.
Examples
# Create a traffic behavior named behavior1.
<Sysname> system-view
[Sysname] traffic behavior behavior1
[Sysname-behavior-behavior1]
Related commands
display traffic behavior
QoS policy commands
classifier behavior
Use classifier behavior to associate a traffic behavior with a traffic class in a QoS policy.
Use undo classifier to delete a class-behavior association from a QoS policy.
Syntax
classifier classifier-name behavior behavior-name [ insert-before before-classifier-name ]
undo classifier classifier-name
Default
No traffic behavior is associated with a traffic class.
Views
QoS policy view
Predefined user roles
network-admin
Parameters
classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters.
behavior-name: Specifies a traffic behavior by its name, a case-sensitive string of 1 to 31 characters.
insert-before before-classifier-name: Inserts the new traffic class before an existing traffic class in the QoS policy. The before-classifier-name argument specifies an existing traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify the insert-before before-classifier-name option, the new traffic class is placed at the end of the QoS policy.
Usage guidelines
A traffic class can be associated only with one traffic behavior in a QoS policy.
If the specified traffic class or traffic behavior does not exist, the system defines a null traffic class or traffic behavior.
The undo classifier default-class command performs the following operations:
· Deletes the existing class-behavior association for the system-defined class default-class.
· Associates the system-defined class default-class with the system-defined behavior be.
Examples
# Associate traffic class database with traffic behavior test in QoS policy user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1] classifier database behavior test
# Associate the traffic class database with the traffic behavior test in the QoS policy user1, and insert the traffic class database before an existing traffic class class-a.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1] classifier database behavior test insert-before class-a
Related commands
qos policy
display qos policy
Use display qos policy to display QoS policies.
Syntax
display qos policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
system-defined: Displays system-defined QoS policies.
user-defined: Displays user-defined QoS policies.
policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a QoS policy, this command displays all QoS policies of the specified type.
classifier classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic class, this command displays all traffic classes.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the QoS policies for the master device.
Examples
# Display all user-defined QoS policies.
<Sysname> display qos policy user-defined
User-defined QoS policy information:
Policy: 1 (ID 100)
Classifier: 1 (ID 100)
Behavior: 1
Marking:
Remark dscp 3
Committed Access Rate:
CIR 112 (kbps), CBS 5120 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Classifier: 3 (ID 102)
Behavior: 3
-none-
# Display the system-defined QoS policy.
<Sysname> display qos policy system-defined
System-defined QoS policy information:
Policy: default (ID 0)
Classifier: default-class (ID 0)
Behavior: be
-none-
Classifier: ef (ID 1)
Behavior: ef
-none-
Classifier: af1 (ID 2)
Behavior: af
-none-
Classifier: af2 (ID 3)
Behavior: af
-none-
Classifier: af3 (ID 4)
Behavior: af
-none-
Classifier: af4 (ID 5)
Behavior: af
-none-
For the output description, see Table 12 and Table 14.
display qos policy interface
Use display qos policy interface to display the QoS policies applied to interfaces.
Syntax
display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays QoS policy information for each interface.
inbound: Displays the QoS policy applied to the incoming traffic of the specified interface.
outbound: Displays the QoS policy applied to the outgoing traffic of the specified interface.
Usage guidelines
If you do not specify a direction, this command displays the QoS policy applied to incoming traffic and the QoS policy applied to outgoing traffic.
If you specify a VT interface, this command displays the QoS policies applied to each VA interface of the VT interface. It does not display QoS information about the VT interface.
Examples
# Display the QoS policy applied to the incoming traffic of GigabitEthernet 1/0/1.
<Sysname> display qos policy interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Direction: Inbound
Policy: 1
Classifier: 1
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match acl 2000
Behavior: 1
Marking:
Remark dscp 3
Committed Access Rate:
CIR 112 (kbps), CBS 5120 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets) 0 (Bytes)
Yellow packets: 0 (Packets) 0 (Bytes)
Red packets : 0 (Packets) 0 (Bytes)
Classifier: 2
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
If-match not protocol ipv6
Behavior: 2
Filter enable: Permit
Marking:
Remark mpls-exp 4
Classifier: 3
Matched : 0 (Packets) 0 (Bytes)
5-minute statistics:
Forwarded: 0/0 (pps/bps)
Dropped : 0/0 (pps/bps)
Operator: AND
Rule(s) :
-none-
Behavior: 3
-none-
Table 16 Command output
Field | Description |
---|---|
Direction | Direction in which the QoS policy is applied to the interface. |
Matched | Number of matching packets. |
Forwarded | Average rate of successfully forwarded matching packets in a statistics collection period. |
Dropped | Average rate of dropped matching packets in a statistics collection period. |
Green packets | Traffic statistics for green packets. |
Yellow packets | Traffic statistics for yellow packets. This field is not supported in the current software version. |
Red packets | Traffic statistics for red packets. |
For the description of other fields, see Table 12 and Table 14.
display qos policy user-profile
Use display qos policy user-profile to display QoS policies applied to user profiles.
Syntax
display qos policy user-profile [ name profile-name ] [ user-id user-id ] [ slot slot-number ] [ inbound | outbound ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include English letters, digits, and underscores (_). The name must start with an English letter and must be unique. If you do not specify a user profile, this command displays QoS policies applied to all user profiles.
user-id user-id: Specifies an online user by a system-assigned, hexadecimal ID. If you do not specify an online user, this command displays QoS policies applied to user profiles for all online users.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays QoS policies applied to user profiles for all member devices.
inbound: Specifies QoS policies applied to incoming traffic.
outbound: Specifies QoS policies applied to outgoing traffic.
Usage guidelines
If you do not specify a direction, this command displays QoS policies applied in the inbound direction and QoS policies applied in the outbound direction.
Examples
# Display QoS policies applied to all user profiles for all online users.
<Sysname> display qos policy user-profile
User-Profile: abc
slot 1:
User ID: 0x30000000(local)
Direction: Inbound
Policy: p1
Classifier: default-class
Matched : 0 (Packets) 0 (Bytes)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
User-Profile: a12
slot 2:
User ID: 0x30000001(local)
Direction: Inbound
Policy: p1
Classifier: default-class
Matched : 0 (Packets) 0 (Bytes)
Operator: AND
Rule(s) :
If-match any
Behavior: be
-none-
Classifier: a
Operator: AND
Rule(s) :
If-match any
Behavior: a
Committed Access Rate:
CIR 100 (kbps), CBS 6250 (Bytes), EBS 0 (Bytes)
Green action : pass
Yellow action : pass
Red action : discard
Green packets : 0 (Packets)
Red packets : 0 (Packets)
Table 17 Command output
Field | Description |
---|---|
Matched | Number of packets that meet match criteria. |
Green packets | Statistics about green packets. |
Yellow packets | Statistics about yellow packets. This field is not supported in the current software version. |
Red packets | Statistics about red packets. |
For the description of other fields, see Table 12 and Table 14.
qos apply policy (interface view)
Use qos apply policy to apply a QoS policy to an interface.
Use undo qos apply policy to remove an applied QoS policy.
Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy policy-name { inbound | outbound }
Default
No QoS policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.
inbound: Applies the QoS policy to incoming traffic.
outbound: Applies the QoS policy to the outgoing traffic of an interface.
Examples
# Apply QoS policy USER1 to the outgoing traffic of GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos apply policy USER1 outbound
qos apply policy (user profile view)
Use qos apply policy to apply a QoS policy to a user profile.
Use undo qos apply policy to remove a QoS policy applied to a user profile.
Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy policy-name { inbound | outbound }
Default
No QoS policy is applied to a user profile.
Views
User profile view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.
inbound: Applies the QoS policy to the incoming traffic of the device (traffic sent by online users).
outbound: Applies the QoS policy to the outgoing traffic of the device (traffic received by online users).
Usage guidelines
Deleting a user profile also removes the QoS policies applied to the user profile.
Examples
# Apply the QoS policy test to the outgoing traffic of user profile user (traffic received by online users).
<Sysname> system-view
[Sysname] user-profile user
[Sysname-user-profile-user] qos apply policy test outbound
qos policy
Use qos policy to create a QoS policy and enter QoS policy view.
Use undo qos policy to delete a QoS policy.
Syntax
qos policy policy-name
undo qos policy policy-name
Default
No QoS policy is configured.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
To delete a QoS policy that has been applied to an object, you must first remove the QoS policy from the object.
Examples
# Define QoS policy user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1]
Related commands
· classifier behavior
· qos apply policy
Priority mapping commands
Priority map commands
display qos map-table
Use display qos map-table to display the configuration of a priority map.
Syntax
display qos map-table [ dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
The device provides the following types of priority map.
Priority map | Description |
---|---|
dot11e-lp | 802.11e-local priority map. |
dot1p-lp | 802.1p-local priority map. |
dscp-lp | DSCP-local priority map. |
lp-dot11e | Local-802.11e priority map. |
lp-dot1p | Local-802.1p priority map. |
lp-dscp | Local-DSCP priority map. |
Usage guidelines
If you do not specify a priority map, this command displays the configuration of all priority maps.
Examples
# Display the configuration of the 802.1p-local priority map.
<Sysname> display qos map-table dot1p-lp
MAP-TABLE NAME: dot1p-lp TYPE: pre-define
IMPORT : EXPORT
0 : 2
1 : 0
2 : 1
3 : 3
4 : 4
5 : 5
6 : 6
7 : 7
Table 19 Command output
Field | Description |
---|---|
MAP-TABLE NAME | Name of the priority map. |
TYPE | Type of the priority map. |
IMPORT | Input values of the priority map. |
EXPORT | Output values of the priority map. |
import
Use import to configure mappings for a priority map.
Use undo import to restore the specified or all mappings to the default for a priority map.
Syntax
import import-value-list export export-value
undo import { import-value-list | all }
Default
The default priority maps are used. For more information, see ACL and QoS Configuration Guide.
Views
Priority map view
Predefined user roles
network-admin
Parameters
import-value-list: Specifies a list of input values.
export-value: Specifies the output value.
all: Restores all mappings in the priority map to the default.
Examples
# Configure the 802.1p-local priority map to map 802.1p priority values 4 and 5 to local precedence 1.
<Sysname> system-view
[Sysname] qos map-table dot1p-lp
[Sysname-maptbl-dot1p-lp] import 4 5 export 1
Related commands
display qos map-table
qos map-table
Use qos map-table to enter the specified priority map view.
Syntax
qos map-table { dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp }
Views
System view
Predefined user roles
network-admin
Parameters
For the description of all keywords, see Table 18.
Examples
# Enter the 802.1p-local priority map view.
<Sysname> system-view
[Sysname] qos map-table dot1p-lp
[Sysname-maptbl-dot1p-lp]
Related commands
· display qos map-table
· import
Port priority commands
qos priority
Use qos priority to change the port priority of an interface.
Use undo qos priority to restore the default.
Syntax
qos priority priority-value
undo qos priority
Default
The port priority is 0.
Views
Interface view
Predefined user roles
network-admin
Parameters
priority-value: Specifies the port priority value in the range of 0 to 7.
Examples
# Set the port priority of interface GigabitEthernet 1/0/1 to 2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos priority 2
Related commands
display qos trust interface
Priority trust mode commands
display qos trust interface
Use display qos trust interface to display the priority trust mode and port priority of an interface.
Syntax
display qos trust interface [ interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the priority trust modes and port priorities of all interfaces.
Examples
# Display the priority trust mode and port priority of GigabitEthernet 1/0/1.
<Sysname> display qos trust interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
Port priority information
Port priority: 4
Port dot1p priority: -
Port dscp priority: -
Port priority trust type: dot1p
Table 20 Command output
Field | Description |
---|---|
Interface | Interface type and interface number. |
Port priority | Port priority set for the interface. |
Port dot1p priority | 802.1p priority of the port. |
Port dscp priority | DSCP priority of the port. |
Port priority trust type | Priority trust mode on the interface: dot1p or dscp. |
qos trust
Use qos trust to set the priority trust mode for an interface.
Use undo qos trust to restore the default priority trust mode.
Syntax
qos trust { dot1p | dscp }
undo qos trust
Default
The port priority is trusted.
Views
Interface view
Predefined user roles
network-admin
Parameters
dot1p: Uses the 802.1p priority in incoming packets for priority mapping.
dscp: Uses the DSCP value in incoming packets for priority mapping.
Examples
# Set the priority trust mode to 802.1p priority on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos trust dot1p
Related commands
display qos trust interface
Traffic policing commands
qos car
Use qos car to configure a CAR policy for a user profile.
Use undo qos car to delete a CAR policy from a user profile.
Syntax
qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size ]
undo qos car { inbound | outbound }
Default
No CAR policy is configured for a user profile.
Views
User profile view
Predefined user roles
network-admin
Parameters
inbound: Performs CAR for incoming traffic (traffic sent by the online users).
outbound: Performs CAR for outgoing traffic (traffic received by the online users).
any: Performs CAR for all IP packets in the specified direction.
cir committed-information-rate: Specifies the CIR in the range of 8 to 10000000 kbps.
cbs committed-burst-size: Specifies the CBS in the range of 1000 to 1000000000 bytes.
Usage guidelines
The conforming traffic is permitted to pass through, and the excess traffic is dropped.
If you configure CAR policies multiple times, the most recent configuration takes effect.
Examples
# Perform CAR for the outgoing traffic (traffic received by online users) of user profile user. The CAR parameters are as follows:
· The CIR is 200 kbps.
· The CBS is 51200 bytes.
<Sysname> system-view
[Sysname] user-profile user
[Sysname-user-profile-user] qos car outbound any cir 200 cbs 51200
Time range commands
display time-range
Use display time-range to display time range configuration and status.
Syntax
display time-range { time-range-name | all }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters.
all: Displays the configuration and status of all existing time ranges.
Examples
# Display the configuration and status of time range t4.
<Sysname> display time-range t4
Current time is 09:40:55 5/26/2015 Tuesday
Time-range : t4 (Inactive)
10:00 to 12:00 Mon
14:00 to 16:00 Wed
from 00:00 1/1/2014 to 00:00 1/1/2015
from 00:00 6/1/2015 to 00:00 7/1/2015
Table 21 Command output
Field | Description |
---|---|
Current time | Current system time. |
Time-range | Configuration and status of the time range, including its name, status (active or inactive), and start time and end time. |
time-range
Use time-range to create or edit a time range.
Use undo time-range to delete a time range or a statement in the time range.
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
Default
No time range exists.
Views
System view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. To avoid confusion, it cannot be all.
start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock). The value is in the range of 00:00 to 23:59 for the start time, and 00:00 to 24:00 for the end time. The end time must be greater than the start time.
days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and make sure they do not overlap. These values can take one of the following forms:
· A digit in the range of 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
· A day of a week in abbreviated words: sun, mon, tue, wed, thu, fri, and sat.
· working-day for Monday through Friday.
· off-day for Saturday and Sunday.
· daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of day in hh:mm format (24-hour clock), in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month (the range varies by MM), and YYYY is the year in the range of 1970 to 2100. If you do not specify this option, the start time is 00:00 01/01/1970, the earliest time available in the system.
to time2 date2: Specifies the end time and date of an absolute statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be later than the start time. If you do not specify this option, the end time is 24:00 12/31/2100, the latest time available in the system.
Usage guidelines
If an existing time range name is provided, this command adds a statement to the time range.
You can create multiple statements in a time range. Each time statement can take one of the following forms:
· Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.
· Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.
· Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2011, 00:00 and December 31, 2011, 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2011 to 23:59 12/31/2011 command.
You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows:
1. Combining all periodic statements.
2. Combining all absolute statements.
3. Taking the intersection of the two statement sets as the active period of the time range.
Examples
# Create a periodic time range t1, setting it to be active between 8:00 to 18:00 during working days.
<Sysname> system-view
[Sysname] time-range t1 08:00 to 18:00 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2015.
<Sysname> system-view
[Sysname] time-range t2 from 00:00 1/1/2015 to 24:00 12/31/2015
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2015.
<Sysname> system-view
[Sysname] time-range t3 08:00 to 12:00 off-day from 00:00 1/1/2015 to 24:00 12/31/2015
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in January and June of the year 2015.
<Sysname> system-view
[Sysname] time-range t4 10:00 to 12:00 1 from 00:00 1/1/2015 to 24:00 1/31/2015
[Sysname] time-range t4 14:00 to 16:00 3 from 00:00 6/1/2015 to 24:00 6/30/2015
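Because a time range gates when an ACL rule or QoS policy is in force, it is worth being able to predict its state offline. The following Python evaluator is an added example, not code from the command reference or the device: it parses statements written exactly as typed after time-range NAME, applies the three-step rule given above (combine the periodic statements, combine the absolute statements, take the intersection), and reports Active or Inactive for a given clock time, using the t1 to t4 examples above as inputs. TimeRange, is_active, active_on and the helper names are this example's own.

```python
"""Evaluator for the `time-range` statements on this page (added example).

Implements the page's rule: union of periodic statements, union of absolute
statements, intersection of the two. Compound statements are split into
their periodic and absolute parts, as that rule requires.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
EARLIEST = datetime(1970, 1, 1)                       # default `from`: 00:00 01/01/1970
LATEST = datetime(2100, 12, 31) + timedelta(days=1)   # default `to`: 24:00 12/31/2100


def parse_hhmm(text: str, is_end: bool) -> int:
    """Minutes since midnight; 24:00 is legal only as an end time."""
    hh, mm = (int(p) for p in text.split(":"))
    minutes = hh * 60 + mm
    if not (0 <= mm <= 59 and 0 <= minutes <= (24 * 60 if is_end else 24 * 60 - 1)):
        raise ValueError(f"bad time {text!r}")
    return minutes


def parse_datetime(time_text: str, date_text: str, is_end: bool) -> datetime:
    """HH:MM with MM/DD/YYYY or YYYY/MM/DD; 24:00 rolls over to the next day."""
    a, b, c = (int(p) for p in date_text.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    if not 1970 <= year <= 2100:
        raise ValueError(f"year {year} outside 1970..2100")
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(time_text, is_end))


def parse_days(tokens: list[str]) -> set[int]:
    """Days as 0..6 (Sunday first), abbreviated names, or a group keyword; no overlap."""
    days: set[int] = set()
    for tok in tokens:
        if tok in DAY_NAMES:
            add = {DAY_NAMES[tok]}
        elif tok in DAY_GROUPS:
            add = set(DAY_GROUPS[tok])
        elif tok.isdigit() and 0 <= int(tok) <= 6:
            add = {int(tok)}
        else:
            raise ValueError(f"bad day {tok!r}")
        if days & add:
            raise ValueError(f"day values overlap at {tok!r}")
        days |= add
    if not days:
        raise ValueError("a periodic statement needs at least one day")
    return days


@dataclass
class TimeRange:
    name: str
    periodic: list[tuple[int, int, set[int]]] = field(default_factory=list)
    absolute: list[tuple[datetime, datetime]] = field(default_factory=list)

    def add(self, statement: str) -> "TimeRange":
        """Add one periodic, absolute or compound statement."""
        tok = statement.split()
        i = 0
        if tok and tok[0] not in ("from", "to"):            # periodic part
            if len(tok) < 4 or tok[1] != "to":
                raise ValueError("expected: start-time to end-time days")
            start, end = parse_hhmm(tok[0], False), parse_hhmm(tok[2], True)
            if end <= start:
                raise ValueError("end time must be later than start time")
            i = 3
            while i < len(tok) and tok[i] not in ("from", "to"):
                i += 1
            self.periodic.append((start, end, parse_days(tok[3:i])))
        begin, finish = EARLIEST, LATEST                     # absolute part
        for keyword, is_end in (("from", False), ("to", True)):
            if i < len(tok) and tok[i] == keyword:
                if i + 2 >= len(tok):
                    raise ValueError(f"{keyword} needs a time and a date")
                value = parse_datetime(tok[i + 1], tok[i + 2], is_end)
                begin, finish = (begin, value) if is_end else (value, finish)
                i += 3
        if i != len(tok):
            raise ValueError(f"unexpected tokens {tok[i:]}")
        if finish <= begin:
            raise ValueError("absolute end must be later than start")
        if (begin, finish) != (EARLIEST, LATEST):
            self.absolute.append((begin, finish))
        return self

    def is_active(self, when: datetime) -> bool:
        """Steps 1 and 2 are the two `any` unions; step 3 is the `and`."""
        day = (when.weekday() + 1) % 7                      # Python Monday=0 -> page Sunday=0
        minute = when.hour * 60 + when.minute
        periodic_ok = not self.periodic or any(
            s <= minute < e and day in days for s, e, days in self.periodic)
        absolute_ok = not self.absolute or any(b <= when < f for b, f in self.absolute)
        return periodic_ok and absolute_ok

    def active_on(self, iso: str) -> bool:
        return self.is_active(datetime.fromisoformat(iso))

    def status(self, iso: str) -> str:
        return "Active" if self.active_on(iso) else "Inactive"


def example_t4() -> TimeRange:
    """The page's t4: Mondays 10:00-12:00 in January 2015, Wednesdays 14:00-16:00 in June 2015."""
    return (TimeRange("t4")
            .add("10:00 to 12:00 1 from 00:00 1/1/2015 to 24:00 1/31/2015")
            .add("14:00 to 16:00 3 from 00:00 6/1/2015 to 24:00 6/30/2015"))


if __name__ == "__main__":
    clock = "2015-05-26 09:40:55"          # the clock shown in the display time-range example
    print(f"Time-range : t4 ({example_t4().status(clock)})")
```

One consequence of the three-step rule is visible in t4: because all periodic statements are combined before the intersection, the Monday 10:00 to 12:00 slot is also active in June and the Wednesday slot also in January, not only in the month each was typed with. If a rule must be active on one weekday in one month only, use a separate time range per period.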
Related commands
display time-range