09 ACL and QoS


ACL commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

acl

Use acl to create an ACL, and enter its view. If the ACL has already been created, the command only places you in the ACL view.

Use undo acl to delete the specified or all ACLs.

Syntax

acl [ ipv6 ] { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]

acl mac { acl-number | name acl-name } [ match-order { auto | config } ]

acl wlan client { acl-number | name acl-name }

acl wlan ap { acl-number | name acl-name }

undo acl [ ipv6 ] { all | { advanced | basic } { acl-number | name acl-name } }

undo acl mac { all | acl-number | name acl-name }

undo acl wlan client { acl-number | all | name acl-name }

undo acl wlan ap { acl-number | all | name acl-name }

Default

No ACL exists.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type. To specify the IPv4 ACL type, do not provide this keyword.

basic: Specifies the basic ACL type.

advanced: Specifies the advanced ACL type.

mac: Specifies the Layer 2 ACL type.

wlan client: Specifies the WLAN client ACL type.

wlan ap: Specifies the WLAN AP ACL type.

acl-number: Assigns a number to the ACL. The following are the available value ranges:

·          100 to 199 for WLAN client ACLs.

·          200 to 299 for WLAN AP ACLs.

·          2000 to 2999 for basic ACLs.

·          3000 to 3999 for advanced ACLs.

·          4000 to 4999 for Layer 2 ACLs.

name acl-name: Assigns a name to the ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

match-order: Specifies the order in which ACL rules are compared against packets.

·          auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL type. For more information, see ACL and QoS Configuration Guide.

·          config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has a higher priority. If you do not specify a match order, the config order applies by default. The match order for the WLAN client ACL and WLAN AP ACL can only be config.

all: Specifies all ACLs of the specified type.

Usage guidelines

You can change the match order for ACLs that do not contain any rules.

Packets that match an ACL rule are slow-forwarded if the rule uses any match criterion or function other than the following:

·          Source and destination IP addresses.

·          Source and destination ports.

·          Transport layer protocol.

·          ICMP or ICMPv6 message type, message code, and message name.

·          VPN instance.

·          Logging.

·          Time range.

Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000]

# Create IPv4 basic ACL flow, and enter its view.

<Sysname> system-view

[Sysname] acl basic name flow

[Sysname-acl-ipv4-basic-flow]

# Create IPv4 advanced ACL 3000, and enter its view.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000]

# Create IPv6 basic ACL 2000, and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 basic 2000

[Sysname-acl-ipv6-basic-2000]

# Create IPv6 basic ACL flow, and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 basic name flow

[Sysname-acl-ipv6-basic-flow]

# Create IPv6 advanced ACL abc, and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 advanced name abc

[Sysname-acl-ipv6-adv-abc]

# Create Layer 2 ACL 4000, and enter its view.

<Sysname> system-view

[Sysname] acl mac 4000

[Sysname-acl-mac-4000]

# Create Layer 2 ACL flow, and enter its view.

<Sysname> system-view

[Sysname] acl mac name flow

[Sysname-acl-mac-flow]

# Create WLAN client ACL 100, and enter its view.

<Sysname> system-view

[Sysname] acl wlan client 100

[Sysname-acl-client-100]

# Create WLAN client ACL flow, and enter its view.

<Sysname> system-view

[Sysname] acl wlan client name flow

[Sysname-acl-client-flow]

# Create WLAN AP ACL 200, and enter its view.

<Sysname> system-view

[Sysname] acl wlan ap 200

[Sysname-acl-ap-200]

# Create WLAN AP ACL flow, and enter its view.

<Sysname> system-view

[Sysname] acl wlan ap name flow

[Sysname-acl-ap-flow]

Related commands

display acl

acl copy

Use acl copy to create an ACL by copying an ACL that already exists.

Syntax

acl [ ipv6 | mac ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

source-acl-number: Specifies an existing source ACL by its number. The following are available value ranges:

·          100 to 199 for WLAN client ACLs.

·          200 to 299 for WLAN AP ACLs.

·          2000 to 2999 for basic ACLs.

·          3000 to 3999 for advanced ACLs.

·          4000 to 4999 for Layer 2 ACLs.

name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.

dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL type as the source ACL. The following are available value ranges:

·          100 to 199 for WLAN client ACLs.

·          200 to 299 for WLAN AP ACLs.

·          2000 to 2999 for basic ACLs.

·          3000 to 3999 for advanced ACLs.

·          4000 to 4999 for Layer 2 ACLs.

name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.

Usage guidelines

The new ACL has the same properties and content as the source ACL, but uses a different number or name from the source ACL.

To specify the IPv4 ACL type, do not specify the ipv6 or mac keyword.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view

[Sysname] acl copy 2001 to 2002

# Create IPv4 basic ACL paste by copying IPv4 basic ACL test.

<Sysname> system-view

[Sysname] acl copy name test to name paste

acl trap interval

Use acl trap interval to enable SNMP notifications for packet filtering, and set the interval.

Use undo acl trap interval to restore the default.

Syntax

acl trap interval interval

undo acl trap interval

Default

The interval is 0. The device does not generate SNMP notifications for packet filtering.

Views

System view

Predefined user roles

network-admin

Parameters

trap: Enables SNMP notifications and sends the notifications to the SNMP module. For information about SNMP, see Network Management and Monitoring Configuration Guide.

interval interval: Sets the interval in minutes. It must be a multiple of 5, in the range of 0 to 1440. To disable the notification, set the value to 0.

Usage guidelines

SNMP notifications are available for IPv4 and IPv6 ACL rules.

The packet filter module generates SNMP notifications and outputs them at the output interval. If an ACL is matched for the first time, the device immediately outputs a log entry or notification instead of waiting for the next output time.

Examples

# Configure the device to generate and output packet filtering log entries every 10 minutes.

<Sysname> system-view

[Sysname] acl trap interval 10

Related commands

·          rule (IPv4 advanced ACL view)

·          rule (IPv4 basic ACL view)

·          rule (IPv6 advanced ACL view)

·          rule (IPv6 basic ACL view)

description

Use description to configure a description for an ACL.

Use undo description to delete an ACL description.

Syntax

description text

undo description

Default

An ACL does not have a description.

Views

IPv4 basic/advanced ACL view

IPv6 basic/advanced ACL view

Layer 2 ACL view

WLAN AP/client ACL view

Predefined user roles

network-admin

Parameters

text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] description This is an IPv4 basic ACL.

Related commands

display acl

display acl

Use display acl to display ACL configuration and match statistics.

Syntax

display acl [ ipv6 | mac | wlan ] { acl-number | all | name acl-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

wlan: Specifies the WLAN ACL type, which includes WLAN client ACLs and WLAN AP ACLs.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·          100 to 199 for WLAN client ACL.

·          200 to 299 for WLAN AP ACL.

·          2000 to 2999 for basic ACLs.

·          3000 to 3999 for advanced ACLs.

·          4000 to 4999 for Layer 2 ACLs.

all: Displays information about all ACLs of the specified type.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command displays ACL rules in config or auto order, whichever is configured.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or wlan keyword.

Examples

# Display configuration and match statistics for IPv4 basic ACL 2001.

<Sysname> display acl 2001

Basic IPv4 ACL 2001, 1 rules, match-order is auto,

This is an IPv4 basic ACL.

ACL's step is 5

 rule 5 permit source 1.1.1.1 0

 rule 5 comment This rule is used on GigabitEthernet 1/0/1.

Table 1 Command output

Field: Basic IPv4 ACL 2001
Description: Type and number of the ACL. The following field information is about IPv4 basic ACL 2001.

Field: 1 rules
Description: The ACL contains one rule.

Field: match-order is auto
Description: The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.

Field: This is an IPv4 basic ACL.
Description: Description of this ACL.

Field: ACL's step is 5
Description: The rule numbering step is 5.

Field: rule 5 permit source 1.1.1.1 0
Description: Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1.

Field: rule 5 comment This rule is used on GigabitEthernet 1/0/1.
Description: Comment of ACL rule 5.

display packet-filter

Use display packet-filter to display ACL application information for packet filtering.

Syntax

display packet-filter interface [ interface-type interface-number ] [ inbound | outbound ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN interfaces are not supported. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces except VLAN interfaces.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application information for packet filtering for all member devices.

Usage guidelines

If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions on interfaces.

Examples

# Display ACL application information for incoming packet filtering on interface GigabitEthernet 1/0/1.

<Sysname> display packet-filter interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1

 In-bound policy:

  IPv4 ACL 2001

  IPv6 ACL 2002 (Failed)

  MAC ACL 4003 (Failed)

  IPv4 ACL 2004

  IPv4 default action: Deny

Table 2 Command output

Field: Interface
Description: Interface to which the ACL applies.

Field: In-bound policy
Description: ACL used for filtering incoming traffic.

Field: Out-bound policy
Description: ACL used for filtering outgoing traffic.

Field: IPv4 ACL 2001
Description: IPv4 basic ACL 2001 has been successfully applied.

Field: IPv6 ACL 2002 (Failed)
Description: The device has failed to apply IPv6 basic ACL 2002.

Field: IPv4 default action
Description: Packet filter default action for packets that do not match any IPv4 ACLs:

·         Deny—The default action deny has been successfully applied for packet filtering.

·         Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·         Permit—The default action permit has been successfully applied for packet filtering.

Field: IPv6 default action
Description: Packet filter default action for packets that do not match any IPv6 ACLs:

·         Deny—The default action deny has been successfully applied for packet filtering.

·         Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·         Permit—The default action permit has been successfully applied for packet filtering.

Field: MAC default action
Description: Packet filter default action for packets that do not match any Layer 2 ACLs:

·         Deny—The default action deny has been successfully applied for packet filtering.

·         Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·         Permit—The default action permit has been successfully applied for packet filtering.

display packet-filter verbose

Use display packet-filter verbose to display ACL application details for packet filtering.

Syntax

display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·          2000 to 2999 for basic ACLs.

·          3000 to 3999 for advanced ACLs.

·          4000 to 4999 for Layer 2 ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application information for packet filtering for all member devices.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6 or mac keyword.

If you specify none of acl-number, name acl-name, ipv6, or mac, this command displays application details of all IPv4 ACLs for packet filtering.

Examples

# Display application details of all ACLs for incoming packet filtering on GigabitEthernet 1/0/1.

<Sysname> display packet-filter verbose interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1

 In-bound policy:

  IPv4 ACL 2001

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

 

  IPv4 ACL 2002 (Failed)

 

  IPv6 ACL 2000

   rule 0 permit

 

  MAC ACL 4000

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

Table 3 Command output

Field: Interface
Description: Interface to which the ACL applies.

Field: In-bound policy
Description: ACL used for filtering incoming traffic.

Field: Out-bound policy
Description: ACL used for filtering outgoing traffic.

Field: IPv4 ACL 2001
Description: IPv4 basic ACL 2001 has been successfully applied.

Field: IPv4 ACL 2002 (Failed)
Description: The device has failed to apply IPv4 basic ACL 2002.

Field: rule 5 permit source 1.1.1.1 0 (Failed)
Description: The device has failed to apply rule 5.

Field: IPv4 default action
Description: Packet filter default action for packets that do not match any IPv4 ACLs:

·         Deny—The default action deny has been successfully applied for packet filtering.

·         Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·         Permit—The default action permit has been successfully applied for packet filtering.

Field: IPv6 default action
Description: Packet filter default action for packets that do not match any IPv6 ACLs:

·         Deny—The default action deny has been successfully applied for packet filtering.

·         Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·         Permit—The default action permit has been successfully applied for packet filtering.

Field: MAC default action
Description: Packet filter default action for packets that do not match any Layer 2 ACLs:

·         Deny—The default action deny has been successfully applied for packet filtering.

·         Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·         Permit—The default action permit has been successfully applied for packet filtering.
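A defender-side check for the two display packet-filter outputs above, added here as an example and not H3C code: it parses the output into records, lists every item the device reported as (Failed), and returns the default action actually in force, treating Deny (Failed) as permit as the table states. The sample output is constructed from the verbose example above with an assumed Out-bound policy section appended; the exact layout of that section is an assumption of this example.

```python
import re

# Constructed sample: the display packet-filter verbose output shown above, plus an
# assumed Out-bound policy section so that a failed default action also appears.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/1
 In-bound policy:
  IPv4 ACL 2001
   rule 0 permit
   rule 5 permit source 1.1.1.1 0 (Failed)

  IPv4 ACL 2002 (Failed)

  IPv6 ACL 2000
   rule 0 permit

  MAC ACL 4000

  IPv4 default action: Deny

  IPv6 default action: Deny

  MAC default action: Deny
 Out-bound policy:
  IPv4 ACL 3000
  IPv4 default action: Deny (Failed)
"""

ACL_LINE = re.compile(r"^ {2}(IPv4|IPv6|MAC) ACL (\S+)( \(Failed\))?$")
RULE_LINE = re.compile(r"^ {3}(rule \d+ .*?)( \(Failed\))?$")
DEFAULT_LINE = re.compile(r"^ {2}(IPv4|IPv6|MAC) default action: (Permit|Deny)( \(Failed\))?$")


def parse_packet_filter(text: str) -> list:
    """Flatten the command output into one record per ACL, rule and default action."""
    records, iface, direction, acl = [], None, None, None
    for line in text.splitlines():
        if line.startswith("Interface: "):
            iface = line[len("Interface: "):]
        elif line.strip() in ("In-bound policy:", "Out-bound policy:"):
            direction = line.strip().split("-")[0].lower()  # "in" or "out"
        elif (m := ACL_LINE.match(line)):
            acl = f"{m[1]} ACL {m[2]}"
            records.append({"iface": iface, "dir": direction, "kind": "acl",
                            "name": acl, "failed": bool(m[3])})
        elif (m := RULE_LINE.match(line)):
            # rules are listed under the ACL that precedes them
            records.append({"iface": iface, "dir": direction, "kind": "rule",
                            "name": f"{acl} {m[1]}", "failed": bool(m[2])})
        elif (m := DEFAULT_LINE.match(line)):
            records.append({"iface": iface, "dir": direction, "kind": "default",
                            "name": f"{m[1]} default action", "configured": m[2],
                            "failed": bool(m[3])})
    return records


def failed_items(records: list) -> list:
    """Every ACL, rule or default action the device reported as (Failed)."""
    return [f"{r['iface']} {r['dir']}bound: {r['name']}" for r in records if r["failed"]]


def effective_default(records: list, iface: str, direction: str, family: str) -> str:
    """Default action in force for one address family on one interface and direction.
    Deny (Failed) means the action permit still functions, as the output table states."""
    for r in records:
        if (r["kind"] == "default" and r["iface"] == iface and r["dir"] == direction
                and r["name"].startswith(family + " ")):
            return "Permit" if r["failed"] else r["configured"]
    # Assumption of this example: no default action line means the documented
    # default applies, and unmatched packets are permitted.
    return "Permit"


if __name__ == "__main__":
    recs = parse_packet_filter(SAMPLE_OUTPUT)
    for item in failed_items(recs):
        print("NOT IN FORCE:", item)
    print("effective IPv4 outbound default:",
          effective_default(recs, "GigabitEthernet1/0/1", "out", "IPv4"))
```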

 

packet-filter

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL application from an interface.

Syntax

packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }

undo packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }

Default

An interface does not filter packets.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·          2000 to 2999 for basic ACLs.

·          3000 to 3999 for advanced ACLs.

·          4000 to 4999 for Layer 2 ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6 or mac keyword.

This feature does not take effect on an interface that is an aggregation member port.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound

Related commands

·          display packet-filter

·          display packet-filter verbose

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.

Use undo packet-filter default deny to restore the default.

Syntax

packet-filter default deny

undo packet-filter default deny

Default

The packet filter permits packets that do not match any ACL rule.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.

Examples

# Set the packet filter default action to deny.

<Sysname> system-view

[Sysname] packet-filter default deny

Related commands

·          display packet-filter

·          display packet-filter verbose

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.

Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | source | source-port | time-range ] *

Default

An IPv4 advanced ACL does not contain any rule.

Views

IPv4 advanced ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies one of the following values:

·          A protocol number in the range of 0 to 255.

·          A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.

Table 4 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 4 Match criteria and other rule information for IPv4 advanced ACL rules

Parameters: source { source-address source-wildcard | any }
Function: Specifies a source address.
Description: The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword specifies any source IP address.

Parameters: destination { dest-address dest-wildcard | any }
Function: Specifies a destination address.
Description: The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword represents any destination IP address.

Parameters: precedence precedence
Function: Specifies an IP precedence value.
Description: The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

Parameters: tos tos
Function: Specifies a ToS preference.
Description: The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

Parameters: dscp dscp
Function: Specifies a DSCP priority.
Description: The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

Parameters: fragment
Function: Applies the rule only to non-first fragments.
Description: If you do not specify this keyword, the rule applies to all fragments and non-fragments.

Parameters: time-range time-range-name
Function: Specifies a time range for the rule.
Description: The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 5.

Table 5 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters: source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports.
Description: The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.
TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

Parameters: destination-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP destination ports.
Description: Same operator, port1, and port2 arguments as for source-port.

Parameters: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG.
Description: Parameters specific to TCP.
The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).
The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set.

Parameters: established
Function: Specifies the flags for indicating the established status of a TCP connection.
Description: Parameter specific to TCP.
The rule matches TCP connection packets with the ACK or RST flag bit set.

If the protocol argument is icmp (1), set the parameters shown in Table 6.

Table 6 ICMP-specific parameters for IPv4 advanced ACL rules

Parameters: icmp-type { icmp-type icmp-code | icmp-message }
Function: Specifies the ICMP message type and code.
Description: The icmp-type argument is in the range of 0 to 255.
The icmp-code argument is in the range of 0 to 255.
The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 7.

Table 7 ICMP message names supported in IPv4 advanced ACL rules

ICMP message name       ICMP message type   ICMP message code
echo                    8                   0
echo-reply              0                   0
fragmentneed-DFset      3                   4
host-redirect           5                   1
host-tos-redirect       5                   3
host-unreachable        3                   1
information-reply       16                  0
information-request     15                  0
net-redirect            5                   0
net-tos-redirect        5                   2
net-unreachable         3                   0
parameter-problem       12                  0
port-unreachable        3                   3
protocol-unreachable    3                   2
reassembly-timeout      11                  1
source-quench           4                   0
source-route-failed     3                   5
timestamp-reply         14                  0
timestamp-request       13                  0
ttl-exceeded            11                  0

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

·          If you do not specify any optional keywords, the undo rule command deletes the entire rule.

·          If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] rule permit ip

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl advanced 3002

[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl advanced 3003

[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmptrap
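The rule semantics described above, as an added Python model that is not H3C code: wildcard-mask matching, automatic rule IDs derived from the numbering step, config match order with the first match winning, ORed TCP flag criteria and established, the port operators, and the packet filter default action. Packet, Rule, AdvancedAcl and the name tables are this example's own assumptions, and the parser covers only the subset of the rule syntax used in the examples above (ACLs 3000 and 3001 are built as configured there).

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Constructed helpers for this example: a protocol-name subset, the port operators, and a
# hypothetical Packet stand-in for a parsed IPv4 header (flags = names of set TCP flag bits).
PROTO_NAMES = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
OPERATORS = {"lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a, "eq": lambda p, a, b: p == a,
             "neq": lambda p, a, b: p != a, "range": lambda p, a, b: a <= p <= b}
Packet = namedtuple("Packet", "src dst proto sport dport flags", defaults=(0, 0, frozenset()))

@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # None stands for the ip keyword (all protocols)
    src: Optional[tuple] = None    # (address, wildcard); None means any
    dst: Optional[tuple] = None
    sport: Optional[tuple] = None  # (operator, port1, port2)
    dport: Optional[tuple] = None
    flags: dict = field(default_factory=dict)  # flag name -> 0 (not set) or 1 (set)
    established: bool = False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # A 1 bit in the wildcard is a don't-care bit, so an all-zero wildcard matches one host.
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def parse_rule(text: str, auto_id: int) -> Rule:
    """Parse the subset of the rule syntax used in the examples above."""
    t = text.split()
    i, rule_id = 1, auto_id  # t[0] is the rule keyword; an explicit rule ID may follow
    if t[i].isdigit():
        rule_id, i = int(t[i]), i + 1
    action, proto_tok, i = t[i], t[i + 1], i + 2
    proto = None if proto_tok == "ip" else (PROTO_NAMES.get(proto_tok) or int(proto_tok))
    rule = Rule(rule_id, action, proto)
    while i < len(t):
        key, i = t[i], i + 1
        if key in ("source", "destination"):
            val = None if t[i] == "any" else (t[i], t[i + 1])
            i += 1 if val is None else 2
            setattr(rule, "src" if key == "source" else "dst", val)
        elif key in ("source-port", "destination-port"):
            op, p1, i = t[i], int(t[i + 1]), i + 2
            p2 = int(t[i]) if op == "range" else p1  # port2 exists only for range
            i += 1 if op == "range" else 0
            setattr(rule, "sport" if key == "source-port" else "dport", (op, p1, p2))
        elif key in ("ack", "fin", "psh", "rst", "syn", "urg"):
            rule.flags[key], i = int(t[i]), i + 1
        elif key == "established":
            rule.established = True
        else:
            raise ValueError(f"criterion not modelled here: {key}")
    return rule

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    for spec, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if spec and not wildcard_match(addr, *spec):
            return False
    for spec, port in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if spec and not OPERATORS[spec[0]](port, spec[1], spec[2]):
            return False
    if rule.established and not (set(pkt.flags) & {"ack", "rst"}):  # ACK or RST set
        return False
    # Flag criteria inside one rule are ORed: one satisfied criterion is enough.
    if rule.flags and not any((f in pkt.flags) == bool(v) for f, v in rule.flags.items()):
        return False
    return True

class AdvancedAcl:
    """IPv4 advanced ACL with config match order and a rule numbering step."""
    def __init__(self, step: int = 5):
        self.step, self.rules = step, []

    def add(self, text: str) -> Rule:
        # Auto ID: nearest higher multiple of the step above the current highest ID (first rule: 0).
        highest = max((r.rule_id for r in self.rules), default=None)
        rule = parse_rule(text, 0 if highest is None else (highest // self.step + 1) * self.step)
        self.rules.append(rule)
        return rule

    def evaluate(self, pkt: Packet, default_deny: bool = False) -> str:
        # Config order: ascending rule ID, first match wins; a miss gets the default action.
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule_matches(rule, pkt):
                return rule.action
        return "deny" if default_deny else "permit"

def build_page_acls() -> dict:
    """ACLs 3000 and 3001 with the rules configured in the examples above."""
    acl3000, acl3001 = AdvancedAcl(), AdvancedAcl()
    acl3000.add("rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80")
    acl3001.add("rule deny icmp destination 192.168.1.0 0.0.0.255")
    acl3001.add("rule permit ip")
    return {3000: acl3000, 3001: acl3001}
```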

Related commands

·          acl

·          display acl

·          step

·          time-range

rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.

Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-range-name ] *

undo rule rule-id [ fragment | source | time-range ] *

Default

An IPv4 basic ACL does not contain any rule.

Views

IPv4 basic ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

source { source-address source-wildcard | any }: Matches a source address. The source-address and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

·          If you do not specify any optional keywords, the undo rule command deletes the entire rule.

·          If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255

[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Sysname-acl-ipv4-basic-2000] rule deny source any

Related commands

·          acl

·          display acl

·          step

·          time-range

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.

Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | dscp | flow-label | fragment | icmp6-type | routing | hop-by-hop | source | source-port | time-range ] *

Default

An IPv6 advanced ACL does not contain any rule.

Views

IPv6 advanced ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is greater than the current highest rule ID, starting from 0 for the first rule. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies one of the following values:

·          A protocol number in the range of 0 to 255.

·          A protocol name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.

Table 8 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 8 Match criteria and other rule information for IPv6 advanced ACL rules

Parameters

Function

Description

source { source-address source-prefix | source-address/source-prefix | any }

Specifies a source IPv6 address.

The source-address argument specifies an IPv6 source address.

The source-prefix argument specifies a prefix length in the range of 1 to 128.

The any keyword represents any IPv6 source address.

destination { dest-address dest-prefix | dest-address/dest-prefix | any }

Specifies a destination IPv6 address.

The dest-address argument specifies a destination IPv6 address.

The dest-prefix argument specifies a prefix length in the range of 1 to 128.

The any keyword represents any IPv6 destination address.

dscp dscp

Specifies a DSCP preference.

The dscp argument can be a number in the range of 0 to 63, or one of the following keywords: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

flow-label flow-label-value

Specifies a flow label value in an IPv6 packet header.

The flow-label-value argument is in the range of 0 to 1048575.

fragment

Applies the rule only to non-first fragments.

If you do not specify this keyword, the rule applies to all fragments and non-fragments.

routing [ type routing-type ]

Specifies an IPv6 routing header type.

routing-type: Value of the IPv6 routing header type, in the range of 0 to 255.

If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing header.

hop-by-hop [ type hop-type ]

Specifies an IPv6 Hop-by-Hop Options header type.

hop-type: Value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255.

If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. Otherwise, the rule applies to all types of IPv6 Hop-by-Hop Options header.

time-range time-range-name

Specifies a time range for the rule.

The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range.

For more information about time range, see ACL and QoS Configuration Guide.

 

If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 9.

Table 9 TCP/UDP-specific parameters for IPv6 advanced ACL rules

Parameters

Function

Description

source-port operator port1 [ port2 ]

Specifies one or more UDP or TCP source ports.

The operator argument can be lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port operator port1 [ port2 ]

Specifies one or more UDP or TCP destination ports.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *

Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG.

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set.

established

Specifies the flags for indicating the established status of a TCP connection.

Parameter specific to TCP.

The rule matches TCP connection packets with the ACK or RST flag bit set.
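Two points in Table 9 are worth seeing in code: the TCP flag criteria of one rule are ORed (so ack 0 psh 1 is a much wider match than an AND would be), and established means ACK or RST, so a bare SYN never matches it. The following Python is an added example, not part of the H3C manual; the rules, ports and flag values are constructed.

```python
"""Added example (not from the H3C manual): how the TCP/UDP-specific
criteria in Table 9 are evaluated, in particular that the TCP flag
criteria of one rule are ORed while 'established' means ACK or RST.
The rules and packets below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# TCP flag bits as they appear in the TCP header flags byte.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}

# (operator, port1, port2); port2 is used only with "range".
PortCriterion = Tuple[str, int, Optional[int]]


def port_matches(operator: str, port: int, port1: int, port2: Optional[int] = None) -> bool:
    """Port operators from Table 9: lt, gt, eq, neq, or range (inclusive)."""
    if operator == "lt":
        return port < port1
    if operator == "gt":
        return port > port1
    if operator == "eq":
        return port == port1
    if operator == "neq":
        return port != port1
    if operator == "range":
        if port2 is None:
            raise ValueError("range requires port2")
        return port1 <= port <= port2
    raise ValueError(f"unknown operator {operator!r}")


def flags_match(rule_flags: Dict[str, int], packet_flags: int) -> bool:
    """Flag criteria in a rule are ORed: the packet matches as soon as ANY
    configured flag has the configured value (1 = set, 0 = not set)."""
    for name, wanted in rule_flags.items():
        is_set = 1 if packet_flags & TCP_FLAG_BITS[name] else 0
        if is_set == wanted:
            return True
    return False


def established_match(packet_flags: int) -> bool:
    """'established' matches segments with ACK or RST set; a bare SYN
    (the first segment of a new connection) does not match."""
    return bool(packet_flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))


@dataclass
class TcpRule:
    action: str
    source_port: Optional[PortCriterion] = None
    destination_port: Optional[PortCriterion] = None
    flags: Dict[str, int] = field(default_factory=dict)
    established: bool = False


def rule_matches(rule: TcpRule, sport: int, dport: int, packet_flags: int) -> bool:
    """Every criterion present in the rule must hold; only the flag list
    itself is ORed internally."""
    if rule.source_port is not None:
        op, p1, p2 = rule.source_port
        if not port_matches(op, sport, p1, p2):
            return False
    if rule.destination_port is not None:
        op, p1, p2 = rule.destination_port
        if not port_matches(op, dport, p1, p2):
            return False
    if rule.flags and not flags_match(rule.flags, packet_flags):
        return False
    if rule.established and not established_match(packet_flags):
        return False
    return True


def first_match(acl: List[TcpRule], sport: int, dport: int, packet_flags: int) -> Optional[str]:
    """Config-order first match; None when no rule matches."""
    for rule in acl:
        if rule_matches(rule, sport, dport, packet_flags):
            return rule.action
    return None


# Constructed: permit only reply traffic of connections opened from the
# inside, the classic use of 'established' on an inbound ACL.
INBOUND_REPLIES_ONLY = [TcpRule("permit", established=True), TcpRule("deny")]
```

The INBOUND_REPLIES_ONLY list shows why established is useful on an inbound ACL: a SYN from outside hits the deny rule, while SYN-ACK and data segments of a connection opened from inside are permitted.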

 

If the protocol argument is icmpv6 (58), set the parameters shown in Table 10.

Table 10 ICMPv6-specific parameters for IPv6 advanced ACL rules

Parameters

Function

Description

icmp6-type { icmp6-type icmp6-code | icmp6-message }

Specifies the ICMPv6 message type and code.

The icmp6-type argument is in the range of 0 to 255.

The icmp6-code argument is in the range of 0 to 255.

The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 11.

 

Table 11 ICMPv6 message names supported in IPv6 advanced ACL rules

ICMPv6 message name      ICMPv6 message type   ICMPv6 message code

echo-reply               129                   0

echo-request             128                   0

err-Header-field         4                     0

frag-time-exceeded       3                     1

hop-limit-exceeded       3                     0

host-admin-prohib        1                     1

host-unreachable         1                     3

neighbor-advertisement   136                   0

neighbor-solicitation    135                   0

network-unreachable      1                     0

packet-too-big           2                     0

port-unreachable         1                     4

redirect                 137                   0

router-advertisement     134                   0

router-solicitation      133                   0

unknown-ipv6-opt         4                     2

unknown-next-hdr         4                     1

 

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

·          If you do not specify any optional keywords, the undo rule command deletes the entire rule.

·          If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.

To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.

Examples

# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3000

[Sysname-acl-ipv6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80

# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3001

[Sysname-acl-ipv6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48

[Sysname-acl-ipv6-adv-3001] rule permit ipv6

# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3002

[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3003

[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmptrap

# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets with the Hop-by-Hop Options header type as 5, and the other one denies packets with other Hop-by-Hop Options header types.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3004

[Sysname-acl-ipv6-adv-3004] rule permit ipv6 hop-by-hop type 5

[Sysname-acl-ipv6-adv-3004] rule deny ipv6 hop-by-hop

Related commands

·          acl

·          display acl

·          step

·          time-range

rule (IPv6 basic ACL view)

Use rule to create or edit an IPv6 basic ACL rule.

Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ fragment | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *

undo rule rule-id [ fragment | routing | source | time-range ] *

Default

An IPv6 basic ACL does not contain any rule.

Views

IPv6 basic ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is greater than the current highest rule ID, starting from 0 for the first rule. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

routing [ type routing-type ]: Applies the rule to the specified type of routing header or all types of routing header. The routing-type argument specifies the value of the routing header type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing header.

source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IPv6 address. The source-address argument specifies a source IPv6 address. The source-prefix argument specifies an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

·          If you do not specify any optional keywords, the undo rule command deletes the entire rule.

·          If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.

To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.

Examples

# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 basic 2000

[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 16

[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 32

[Sysname-acl-ipv6-basic-2000] rule permit source fe80:5060:1001:: 48

[Sysname-acl-ipv6-basic-2000] rule deny source any

Related commands

·          acl

·          display acl

·          step

·          time-range

rule (Layer 2 ACL view)

Use rule to create or edit a Layer 2 ACL rule.

Use undo rule to delete a Layer 2 ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule rule-id [ time-range ]

Default

A Layer 2 ACL does not contain any rule.

Views

Layer 2 ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is greater than the current highest rule ID, starting from 0 for the first rule. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The 802.1p priority can be specified by one of the following values:

·          A priority number in the range of 0 to 7.

·          A priority name: best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.

type protocol-type protocol-type-mask: Matches one or more Layer 2 protocol types. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the source-mask argument represents a mask in the H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

·          If you do not specify any optional keywords, the undo rule command deletes the entire rule.

·          If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in Layer 2 ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view

[Sysname] acl mac 4000

[Sysname-acl-mac-4000] rule permit type 0806 ffff

[Sysname-acl-mac-4000] rule deny type 8035 ffff
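The masks in Layer 2 rules select which bits of the type field or MAC address must match. The following Python is an added example, not part of the H3C manual: it replays the ACL 4000 rules above against constructed frames and extends the idea to a source-MAC rule that matches a whole vendor OUI. The ethertype mask convention (a mask bit of 1 means the bit must match) follows the manual's type 0806 ffff example; that the H-H-H MAC mask uses the same convention is an assumption of this example.

```python
"""Added example (not from the H3C manual): masked matching as used by
Layer 2 ACL rules. The ethertype mask follows the manual's 'type 0806 ffff'
example (a mask bit of 1 means that bit must match); the H-H-H MAC mask is
assumed here to use the same convention (ffff-ffff-ffff = exact match).
The ACL and frames below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_hhh(mac: str) -> int:
    """Parse the H-H-H format (e.g. 0050-ba27-bed3) into a 48-bit integer."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not in H-H-H format: {mac!r}")
    return int("".join(parts), 16)


def masked_equal(value: int, pattern: int, mask: int) -> bool:
    """Compare only the bits selected by the mask (mask 0 matches anything)."""
    return (value & mask) == (pattern & mask)


@dataclass
class Frame:
    dest_mac: str
    source_mac: str
    ethertype: int


@dataclass
class L2Rule:
    action: str
    ethertype: Optional[Tuple[str, str]] = None   # ("0806", "ffff") as typed in the CLI
    dest_mac: Optional[Tuple[str, str]] = None    # (address, mask) in H-H-H format
    source_mac: Optional[Tuple[str, str]] = None

    def matches(self, frame: Frame) -> bool:
        if self.ethertype is not None:
            etype, mask = (int(x, 16) for x in self.ethertype)
            if not masked_equal(frame.ethertype, etype, mask):
                return False
        if self.dest_mac is not None:
            addr, mask = (parse_hhh(x) for x in self.dest_mac)
            if not masked_equal(parse_hhh(frame.dest_mac), addr, mask):
                return False
        if self.source_mac is not None:
            addr, mask = (parse_hhh(x) for x in self.source_mac)
            if not masked_equal(parse_hhh(frame.source_mac), addr, mask):
                return False
        return True


def first_match(acl: List[L2Rule], frame: Frame) -> Optional[str]:
    """Config-order first match; None when no rule matches."""
    for rule in acl:
        if rule.matches(frame):
            return rule.action
    return None


# Constructed to mirror the ACL 4000 example above: permit ARP, deny RARP.
ACL_4000 = [L2Rule("permit", ethertype=("0806", "ffff")),
            L2Rule("deny", ethertype=("8035", "ffff"))]

# Constructed: match every source MAC in one vendor OUI (first 24 bits only).
OUI_RULE = L2Rule("permit", source_mac=("0050-ba00-0000", "ffff-ff00-0000"))
```

Note that a mask of all zeros matches every value, so a rule such as type 0800 0000 is effectively "any type"; a reviewer should treat an all-zero mask as a wildcard, not a restriction.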

Related commands

·          acl

·          display acl

·          step

·          time-range

rule (WLAN client ACL view)

Use rule to create or edit a WLAN client ACL rule.

Use undo rule to delete a WLAN client ACL rule.

Syntax

rule [ rule-id ] { deny | permit } [ ssid ssid-name ]

undo rule rule-id

Default

A WLAN client ACL does not contain any rule.

Views

WLAN client ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is greater than the current highest rule ID, starting from 0 for the first rule. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

ssid ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters. Letters, digits, and spaces are allowed. If you do not specify this option, the rule applies to packets with any SSID.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Configure rules for WLAN client ACL 111 to permit packets with the SSID ME and deny packets with the SSID HIM.

<Sysname> system-view

[Sysname] acl wlan client 111

[Sysname-acl-client-111] rule permit ssid ME

[Sysname-acl-client-111] rule deny ssid HIM

Related commands

·          acl wlan client

·          display acl

·          step

rule (WLAN AP ACL view)

Use rule to create or edit a WLAN AP ACL rule.

Use undo rule to delete a WLAN AP ACL rule.

Syntax

rule [ rule-id ] { deny | permit } [ mac mac-address mac-mask ] [ serial-id serial-id ]

undo rule rule-id

Default

A WLAN AP ACL does not contain any rule.

Views

WLAN AP ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is greater than the current highest rule ID, starting from 0 for the first rule. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

mac mac-address mac-mask: Matches an AP MAC address range. The mac-address argument represents a MAC address in the H-H-H format, and the mac-mask argument represents a mask in the H-H-H format. If you do not specify this option, the rule applies to all MAC addresses.

serial-id serial-id: Matches an AP serial ID. The serial-id argument is a case-insensitive string of 1 to 32 characters. If you do not specify this option, the rule applies to all serial IDs.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Configure rules for WLAN AP ACL 222 to permit the AP with the serial ID 210235A42QB095000766 and deny the AP with the serial ID 210235A42QB095000777.

<Sysname> system-view

[Sysname] acl wlan ap 222

[Sysname-acl-ap-222] rule permit serial-id 219801A1NQB117012935

[Sysname-acl-ap-222] rule deny serial-id 219801A1NQB117012946

Related commands

·          acl wlan ap

·          display acl

·          step

rule comment

Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.

Use undo rule comment to delete an ACL rule comment.

Syntax

rule rule-id comment text

undo rule rule-id comment

Default

A rule does not have a comment.

Views

IPv4 basic/advanced ACL view

IPv6 basic/advanced ACL view

Layer 2 ACL view

WLAN AP/client ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.

text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.

Examples

# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] rule 0 deny source 1.1.1.1 0

[Sysname-acl-ipv4-basic-2000] rule 0 comment This rule is used on GigabitEthernet 1/0/1.

Related commands

display acl

step

Use step to set a rule numbering step for an ACL.

Use undo step to restore the default.

Syntax

step step-value

undo step

Default

The rule numbering step for an ACL is 5, and the start rule ID is 0.

Views

IPv4 basic/advanced ACL view

IPv6 basic/advanced ACL view

Layer 2 ACL view

WLAN AP/client ACL view

Predefined user roles

network-admin

Parameters

step-value: Specifies the ACL rule numbering step in the range of 1 to 20.

Usage guidelines

The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.

The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
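The two rules above (automatic IDs are the next multiple of the step above the highest existing ID; changing the step renumbers everything from 0) determine where a rule inserted later ends up in the match order, which matters when the ACL is in config match order. The following Python is an added example, not part of the H3C manual; the rule-ID lists are constructed and reproduce the manual's 28-to-30 and 5/10/13/15/20-to-0/2/4/6/8 cases.

```python
"""Added example (not from the H3C manual): how automatic rule IDs are
derived from the numbering step, and how all rules are renumbered when the
step changes. The rule-ID lists are constructed."""
from typing import Dict, List, Optional

MAX_RULE_ID = 65534


def next_rule_id(existing_ids: List[int], step: int) -> int:
    """Rule ID for 'rule ...' typed without a rule-id: the smallest multiple
    of the step greater than the current highest rule ID (0 for an empty ACL)."""
    if not 1 <= step <= 20:
        raise ValueError("step-value must be 1 to 20")
    if not existing_ids:
        return 0
    rule_id = (max(existing_ids) // step + 1) * step
    if rule_id > MAX_RULE_ID:
        raise ValueError("no automatic rule ID left above the highest rule")
    return rule_id


def renumber(existing_ids: List[int], new_step: int) -> Dict[int, int]:
    """'step new_step' renumbers every rule from 0 in ascending order of the
    current IDs, so the relative order of rules is preserved.
    Returns a mapping old ID -> new ID."""
    if not 1 <= new_step <= 20:
        raise ValueError("step-value must be 1 to 20")
    ordered = sorted(existing_ids)
    return {old: index * new_step for index, old in enumerate(ordered)}


def apply_rule_commands(rule_ids: List[Optional[int]], step: int = 5) -> List[int]:
    """Replay a sequence of 'rule [rule-id] ...' commands; None means the ID
    was omitted. Reusing an existing ID edits that rule instead of adding one."""
    ids: List[int] = []
    for rule_id in rule_ids:
        if rule_id is None:
            rule_id = next_rule_id(ids, step)
        elif not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id must be 0 to 65534")
        if rule_id not in ids:
            ids.append(rule_id)
    return sorted(ids)


if __name__ == "__main__":
    print(apply_rule_commands([None, None, 13, None]))   # 0, 5, 13, 15
    print(renumber([5, 10, 13, 15, 20], 2))              # 5->0, 10->2, 13->4, 15->6, 20->8
```

The replay function shows the practical consequence: a rule added without an ID always lands after every existing rule, so a more specific rule meant to take precedence under config order must be given an explicit lower ID (or the ACL renumbered with a wider step first).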

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] step 2

Related commands

display acl


QoS policy commands

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Traffic class commands

display traffic classifier

Use display traffic classifier to display traffic classes.

Syntax

display traffic classifier { system-defined | user-defined } [ classifier-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

system-defined: Specifies system-defined traffic classes.

user-defined: Specifies user-defined traffic classes.

classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic class, this command displays all traffic classes.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the traffic classes for the master device.

Examples

# Display all user-defined traffic classes.

<Sysname> display traffic classifier user-defined

 

  User-defined classifier information:

 

   Classifier: 1 (ID 100)

     Operator: AND

     Rule(s) :

      If-match acl 2000

 

   Classifier: 2 (ID 101)

     Operator: AND

     Rule(s) :

      If-match not protocol ipv6

 

   Classifier: 3 (ID 102)

     Operator: AND

     Rule(s) :

      -none-

# Display the system-defined traffic class default-class.

<Sysname> display traffic classifier system-defined default-class

 

  System-defined classifier information:

 

   Classifier: default-class (ID 0)

     Operator: AND

     Rule(s) :

      If-match any

Table 12 Command output

Field

Description

Classifier

Traffic class name and its match criteria.

Operator

Match operator you set for the traffic class. If the operator is AND, the traffic class matches the packets that match all its match criteria. If the operator is OR, the traffic class matches the packets that match any of its match criteria.

Rule(s)

Match criteria.

 

if-match

Use if-match to define a match criterion.

Use undo if-match to delete a match criterion.

Syntax

if-match [ not ] match-criteria

undo if-match [ not ] match-criteria

Default

No match criterion is configured.

Views

Traffic class view

Predefined user roles

network-admin

Parameters

not: Matches packets that do not conform to the specified criterion.

match-criteria: Specifies a match criterion. Table 13 shows the available match criteria.

Table 13 Available match criteria

Option

Description

acl [ ipv6 | mac ] { acl-number | name acl-name }

Matches an ACL.

The acl-number argument has the following value ranges:

·         2000 to 3999 for both IPv4 and IPv6 ACLs.

·         4000 to 4999 for Layer 2 ACLs.

The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an English letter. To avoid confusion, make sure the argument is not all.

any

Matches all packets.

customer-dot1p dot1p-value&<1-8>

Matches 802.1p priority values in VLAN tags.

The dot1p-value&<1-8> argument specifies a space-separated list of up to eight 802.1p priority values. The value range for the dot1p-value argument is 0 to 7.

customer-vlan-id vlan-id-list

Matches VLAN IDs in VLAN tags.

The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each item specifies a VLAN or a range of VLANs in the form of vlan-id1 to vlan-id2. The value for vlan-id2 must be greater than or equal to the value for vlan-id1. The value range for the vlan-id argument is 1 to 4094.

destination-mac mac-address

Matches a destination MAC address.

dscp dscp-value&<1-8>

Matches DSCP values.

The dscp-value&<1-8> argument specifies a space-separated list of up to eight DSCP values. The value range for the dscp-value argument is 0 to 63 or keywords shown in Table 15.

ip-precedence ip-precedence-value&<1-8>

Matches IP precedence values.

The ip-precedence-value&<1-8> argument specifies a space-separated list of up to eight IP precedence values. The value range for the ip-precedence-value argument is 0 to 7.

local-precedence local-precedence-value&<1-8>

Matches local precedence values.

The local-precedence-value&<1-8> argument specifies a space-separated list of up to eight local precedence values. The value range for the local-precedence-value argument is 0 to 7.

protocol protocol-name

Matches a protocol.

The protocol-name argument can be arp, bittorrent, ip, or ipv6.

source-mac mac-address

Matches a source MAC address.

 

Usage guidelines

In a traffic class with the logical OR operator, you can configure multiple if-match commands for any of the available match criteria.

When you configure a match criterion that can have multiple values in one if-match command, follow these restrictions and guidelines:

·          You can specify up to eight values for any of the following match criteria in one if-match command:

    -  802.1p priority.

    -  DSCP.

    -  IP precedence.

    -  Local precedence.

    -  VLAN ID.

·          If a packet matches one of the specified values, it matches the if-match command.

·          To delete a criterion that has multiple values, the specified values in the undo if-match command must be the same as those specified in the if-match command. The order of values can be different.

When you configure ACL-based match criteria, follow these restrictions and guidelines:

·          If the ACL used as a match criterion does not exist, the traffic class cannot be applied to hardware.

·          In a traffic class, you can add two if-match statements that use the same ACL as the match criterion. In one statement, specify the ACL by its name. In the other statement, specify the ACL by its number.

·          If the ACL in a traffic class contains a deny rule, the if-match statement is ignored:

    -  If the operator of the traffic class is OR, the matching process continues with the next if-match statement.

    -  If the operator of the traffic class is AND, the matching process continues with the next traffic class.

The source MAC address and destination MAC address match criteria are applicable only to Ethernet interfaces.
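The guidelines above combine in ways that are easy to misjudge when a QoS policy is used as a filter: a multi-value criterion matches on any one value, the class operator decides how statements combine, and an ACL that contains a deny rule silently disables its if-match statement (failing the whole class under AND, skipping the statement under OR). The following Python is an added example, not part of the H3C manual; the packets, classes and the ACL catalogue are constructed, and the behaviour of a class with no usable criterion is an assumption of the example.

```python
"""Added example (not from the H3C manual): how a traffic class evaluates
its if-match statements under the AND and OR operators, including 'not',
multi-value criteria, and the rule that an ACL containing a deny rule
causes its if-match statement to be ignored. Packets, classes and the ACL
catalogue are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    dscp: int = 0
    dot1p: int = 0
    vlan_id: int = 1
    protocol: str = "ip"
    # Constructed stand-in for the ACL lookup: ACLs whose permit rules this packet matches.
    acls_hit: Set[str] = field(default_factory=set)


@dataclass
class IfMatch:
    criterion: str                  # acl, any, dscp, customer-dot1p, customer-vlan-id, protocol
    values: list = field(default_factory=list)
    negate: bool = False            # if-match not ...


@dataclass
class Classifier:
    name: str
    operator: str = "and"           # and (default) | or
    statements: List[IfMatch] = field(default_factory=list)


# Constructed ACL catalogue: whether each configured ACL contains a deny rule.
ACL_HAS_DENY: Dict[str, bool] = {"2000": False, "3001": True}

FIELD = {"dscp": lambda p: p.dscp, "customer-dot1p": lambda p: p.dot1p,
         "protocol": lambda p: p.protocol}


def _values_match(stmt: IfMatch, pkt: Packet) -> bool:
    """A multi-value criterion matches if the packet matches ANY listed value.
    Up to 8 values per statement; customer-vlan-id takes up to 10 items,
    each a VLAN or a (vlan-id1, vlan-id2) range."""
    if stmt.criterion == "customer-vlan-id":
        if len(stmt.values) > 10:
            raise ValueError("customer-vlan-id takes at most 10 items")
        for item in stmt.values:
            lo, hi = item if isinstance(item, tuple) else (item, item)
            if lo <= pkt.vlan_id <= hi:
                return True
        return False
    if len(stmt.values) > 8:
        raise ValueError(f"{stmt.criterion} takes at most 8 values")
    return FIELD[stmt.criterion](pkt) in stmt.values


def statement_matches(stmt: IfMatch, pkt: Packet) -> Optional[bool]:
    """True/False for a usable statement; None when the statement is ignored
    because its ACL contains a deny rule."""
    if stmt.criterion == "any":
        result = True
    elif stmt.criterion == "acl":
        acl = stmt.values[0]
        if acl not in ACL_HAS_DENY:
            raise ValueError(f"ACL {acl} does not exist; the class cannot be applied")
        if ACL_HAS_DENY[acl]:
            return None
        result = acl in pkt.acls_hit
    else:
        result = _values_match(stmt, pkt)
    return (not result) if stmt.negate else result


def classify(cls: Classifier, pkt: Packet) -> bool:
    """AND: all usable statements must match, and an ignored statement fails
    the class (matching moves on to the next class). OR: any usable statement
    suffices, and an ignored statement is simply skipped."""
    results: List[bool] = []
    for stmt in cls.statements:
        outcome = statement_matches(stmt, pkt)
        if outcome is None:
            if cls.operator == "and":
                return False
            continue
        results.append(outcome)
    if not results:
        return False    # assumption: a class with no usable criterion matches nothing
    return all(results) if cls.operator == "and" else any(results)
```

The c4/c5 style cases in the test below are the ones to remember when a classifier references an ACL: under AND the deny rule in the ACL makes the class match nothing at all, so any action attached to that class (for instance a CAR limit) never fires.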

Examples

# Define a match criterion for traffic class class1 to match the packets with a destination MAC address of 0050-ba27-bed3.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3

# Define a match criterion for traffic class class2 to match the packets with a source MAC address of 0050-ba27-bed2.

<Sysname> system-view

[Sysname] traffic classifier class2

[Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2

# Define a match criterion for traffic class class1 to match the packets with 802.1p priority 3 in the VLAN tag.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match customer-dot1p 3

# Define a match criterion for traffic class class1 to match the advanced ACL 3101.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match acl 3101

# Define a match criterion for traffic class class1 to match the ACL named flow.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match acl name flow

# Define a match criterion for traffic class class1 to match the advanced IPv6 ACL 3101.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match acl ipv6 3101

# Define a match criterion for traffic class class1 to match the IPv6 ACL named flow.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match acl ipv6 name flow

# Define a match criterion for traffic class class1 to match all packets.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match any

# Define a match criterion for traffic class class1 to match the packets with a DSCP value of 1, 6, or 9.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match dscp 1 6 9

# Define a match criterion for traffic class class1 to match the packets with an IP precedence value of 1 or 6.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match ip-precedence 1 6

# Define a match criterion for traffic class class1 to match the packets with a local precedence value of 1 or 6.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match local-precedence 1 6

# Define a match criterion for traffic class class1 to match IP packets.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match protocol ip

# Define a match criterion for traffic class class1 to match the packets with VLAN ID 1, 6, or 9 in the VLAN tag.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match customer-vlan-id 1 6 9

traffic classifier

Use traffic classifier to create a traffic class and enter traffic class view.

Use undo traffic classifier to delete a traffic class.

Syntax

traffic classifier classifier-name [ operator { and | or } ]

undo traffic classifier classifier-name

Default

No traffic class exists.

Views

System view

Predefined user roles

network-admin

Parameters

classifier-name: Specifies the name of the traffic class to be created, a case-sensitive string of 1 to 31 characters.

operator: Sets the operator to logic AND (the default) or OR for the traffic class.

and: Specifies the logic AND operator. The traffic class matches the packets that match all its criteria.

or: Specifies the logic OR operator. The traffic class matches the packets that match any of its criteria.

Examples

# Create a traffic class class1.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1]

Related commands

display traffic classifier

Traffic behavior commands

car

Use car to configure a CAR action in absolute value in a traffic behavior.

Use undo car to delete the action.

Syntax

car cir committed-information-rate [ cbs committed-burst-size ] [ green action | red action | yellow action ] *

undo car

Default

No CAR action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

cir committed-information-rate: Specifies the committed information rate (CIR) in the range of 8 to 10000000 kbps.

cbs committed-burst-size: Specifies the committed burst size (CBS) in the range of 1000 to 1000000000 bytes.

green action: Specifies the action to take on packets that conform to the CIR. The default setting is pass.

red action: Specifies the action to take on packets that do not conform to the CIR. The default setting is discard.

yellow action: Specifies the action to take on packets that conform to the PIR but not to the CIR. The default setting is pass. This option is not supported in the current software version.

action: Sets the action to take on the packet:

·          discard: Drops the packet.

·          pass: Permits the packet to pass through.

Usage guidelines

If you configure the car command multiple times in the same traffic behavior, the most recent configuration takes effect.

Examples

# Configure a CAR action in traffic behavior database.

<Sysname> system-view

[Sysname] traffic behavior database

[Sysname-behavior-database] car cir 200 cbs 51200 green pass

display traffic behavior

Use display traffic behavior to display traffic behaviors.

Syntax

display traffic behavior { system-defined | user-defined } [ behavior-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

system-defined: Specifies system-defined traffic behaviors.

user-defined: Specifies user-defined traffic behaviors.

behavior-name: Specifies a behavior by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic behavior, this command displays all traffic behaviors.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the traffic behaviors for the master device.

Examples

# Display all user-defined traffic behaviors.

<Sysname> display traffic behavior user-defined

 

  User-defined behavior information:

 

    Behavior: 1 (ID 100)

      Filter enable: Permit

      Marking:

        Remark dscp 3

      Committed Access Rate:

        CIR 112 (kbps), CBS 5120 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

# Display all system-defined traffic behaviors.

<Sysname> display traffic behavior system-defined

 

  System-defined behavior information:

 

    Behavior: be (ID 0)

      -none-

 

    Behavior: af (ID 1)

      -none-

 

    Behavior: ef (ID 2)

      -none-

 

    Behavior: be-flow-based (ID 3)

      -none-

Table 14 Command output

Field: Description

Behavior: Name and contents of a traffic behavior.

Marking: Information about priority marking.

Remark dscp: Action of setting the DSCP value for packets.

Committed Access Rate: Information about the CAR action.

Green action: Action to take on green packets.

Yellow action: Action to take on yellow packets. This field is not supported in the current software version.

Red action: Action to take on red packets.

Filter enable: Traffic filtering action.

none: No other traffic behavior is configured.

filter

Use filter to configure a traffic filtering action in a traffic behavior.

Use undo filter to delete the action.

Syntax

filter { deny | permit }

undo filter

Default

No traffic filtering action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

deny: Drops packets.

permit: Transmits packets.

Examples

# Configure a traffic filtering action as deny in traffic behavior database.

<Sysname> system-view

[Sysname] traffic behavior database

[Sysname-behavior-database] filter deny

remark dscp

Use remark dscp to configure a DSCP marking action in a traffic behavior.

Use undo remark dscp to delete the action.

Syntax

remark dscp dscp-value

undo remark dscp

Default

No DSCP marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies a DSCP value, which can be a number from 0 to 63 or a keyword in Table 15.

Table 15 DSCP keywords and values

Keyword: DSCP value (binary) / DSCP value (decimal)

default: 000000 / 0

af11: 001010 / 10

af12: 001100 / 12

af13: 001110 / 14

af21: 010010 / 18

af22: 010100 / 20

af23: 010110 / 22

af31: 011010 / 26

af32: 011100 / 28

af33: 011110 / 30

af41: 100010 / 34

af42: 100100 / 36

af43: 100110 / 38

cs1: 001000 / 8

cs2: 010000 / 16

cs3: 011000 / 24

cs4: 100000 / 32

cs5: 101000 / 40

cs6: 110000 / 48

cs7: 111000 / 56

ef: 101110 / 46

Examples

# Configure traffic behavior database to mark matching traffic with DSCP 6.

<Sysname> system-view

[Sysname] traffic behavior database

[Sysname-behavior-database] remark dscp 6

remark local-precedence

Use remark local-precedence to configure a local precedence marking action in a traffic behavior.

Use undo remark local-precedence to delete the action.

Syntax

remark local-precedence local-precedence-value

undo remark local-precedence

Default

No local precedence marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

local-precedence-value: Specifies the local precedence to be marked for packets, in the range of 0 to 7.

Examples

# Configure traffic behavior database to mark matching traffic with local precedence 2.

<Sysname> system-view

[Sysname] traffic behavior database

[Sysname-behavior-database] remark local-precedence 2

traffic behavior

Use traffic behavior to create a traffic behavior and enter traffic behavior view.

Use undo traffic behavior to delete a traffic behavior.

Syntax

traffic behavior behavior-name

undo traffic behavior behavior-name

Default

No traffic behavior exists.

Views

System view

Predefined user roles

network-admin

Parameters

behavior-name: Specifies a name for the traffic behavior, a case-sensitive string of 1 to 31 characters.

Examples

# Create a traffic behavior named behavior1.

<Sysname> system-view

[Sysname] traffic behavior behavior1

[Sysname-behavior-behavior1]

Related commands

display traffic behavior

QoS policy commands

classifier behavior

Use classifier behavior to associate a traffic behavior with a traffic class in a QoS policy.

Use undo classifier to delete a class-behavior association from a QoS policy.

Syntax

classifier classifier-name behavior behavior-name [ insert-before before-classifier-name ]

undo classifier classifier-name

Default

No traffic behavior is associated with a traffic class.

Views

QoS policy view

Predefined user roles

network-admin

Parameters

classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters.

behavior-name: Specifies a traffic behavior by its name, a case-sensitive string of 1 to 31 characters.

insert-before before-classifier-name: Inserts the new traffic class before an existing traffic class in the QoS policy. The before-classifier-name argument specifies an existing traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify the insert-before before-classifier-name option, the new traffic class is placed at the end of the QoS policy.

Usage guidelines

A traffic class can be associated only with one traffic behavior in a QoS policy.

If the specified traffic class or traffic behavior does not exist, the system defines a null traffic class or traffic behavior.

The undo classifier default-class command performs the following operations:

·          Deletes the existing class-behavior association for the system-defined class default-class.

·          Associates the system-defined class default-class with the system-defined behavior be.

Examples

# Associate traffic class database with traffic behavior test in QoS policy user1.

<Sysname> system-view

[Sysname] qos policy user1

[Sysname-qospolicy-user1] classifier database behavior test

# Associate the traffic class database with the traffic behavior test in the QoS policy user1, and insert the traffic class database before an existing traffic class class-a.

<Sysname> system-view

[Sysname] qos policy user1

[Sysname-qospolicy-user1] classifier database behavior test insert-before class-a

Related commands

qos policy
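The following is an added worked model, not code from the H3C page or the device, of how the commands above fit together: a traffic classifier whose criteria are combined with the and (default) or or operator, a traffic behavior built from filter, remark dscp and remark local-precedence, and a QoS policy whose class-behavior entries are ordered by classifier behavior with insert-before. The packets are constructed sample data, and the rule that a packet is handled by the first class in policy order that matches it is an assumption of the model, as is the rule that a class with no match criteria matches nothing.

```python
"""Model of Comware traffic classifier / traffic behavior / QoS policy semantics.

Added example, not the device's code. Assumptions: the first matching class in
policy order handles the packet; a class with no rules matches nothing.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A packet is a plain dict of header fields, e.g. {"dscp": 46, "vlan": 10}.
Packet = Dict[str, int]
Criterion = Callable[[Packet], bool]


def if_match_dscp(*values: int) -> Criterion:
    """if-match dscp value-list: true when the packet DSCP is any listed value."""
    return lambda p: p.get("dscp") in values


def if_match_ip_precedence(*values: int) -> Criterion:
    """if-match ip-precedence: IP precedence is the top three bits of the DSCP."""
    return lambda p: (p.get("dscp", 0) >> 3) in values


def if_match_customer_vlan_id(*values: int) -> Criterion:
    """if-match customer-vlan-id value-list."""
    return lambda p: p.get("vlan") in values


def if_match_any() -> Criterion:
    return lambda p: True


@dataclass
class TrafficClassifier:
    name: str
    operator: str = "and"                  # "and" (default) or "or"
    rules: List[Criterion] = field(default_factory=list)

    def matches(self, packet: Packet) -> bool:
        results = [rule(packet) for rule in self.rules]
        if not results:
            return False                   # assumption: no rules, no match
        return all(results) if self.operator == "and" else any(results)


@dataclass
class TrafficBehavior:
    name: str
    filter: Optional[str] = None                   # "deny" | "permit" | None
    remark_dscp: Optional[int] = None              # 0..63
    remark_local_precedence: Optional[int] = None  # 0..7

    def apply(self, packet: Packet) -> Optional[Packet]:
        """Return the (possibly re-marked) packet, or None when filter deny drops it."""
        if self.filter == "deny":
            return None
        out = dict(packet)
        if self.remark_dscp is not None:
            out["dscp"] = self.remark_dscp
        if self.remark_local_precedence is not None:
            out["local_precedence"] = self.remark_local_precedence
        return out


class QosPolicy:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[TrafficClassifier, TrafficBehavior]] = []

    def classifier_behavior(self, cls: TrafficClassifier, beh: TrafficBehavior,
                            insert_before: Optional[str] = None) -> None:
        """classifier X behavior Y [insert-before Z]; without insert-before, append."""
        pair = (cls, beh)
        if insert_before is None:
            self.entries.append(pair)
            return
        for i, (existing, _) in enumerate(self.entries):
            if existing.name == insert_before:
                self.entries.insert(i, pair)
                return
        raise ValueError(f"no class named {insert_before} in policy {self.name}")

    def process(self, packet: Packet) -> Tuple[Optional[str], Optional[Packet]]:
        """Evaluate classes in policy order; the first match decides (assumption)."""
        for cls, beh in self.entries:
            if cls.matches(packet):
                return cls.name, beh.apply(packet)
        return None, dict(packet)          # no class matched: packet passes unchanged


def build_sample_policy() -> QosPolicy:
    """Constructed sample policy: voice must be checked before the bulk class."""
    voice = TrafficClassifier("voice", "and", [if_match_dscp(46), if_match_customer_vlan_id(10)])
    bulk = TrafficClassifier("bulk", "or", [if_match_dscp(8), if_match_customer_vlan_id(20)])
    guest = TrafficClassifier("guest", "and", [if_match_customer_vlan_id(30)])
    pol = QosPolicy("user1")
    pol.classifier_behavior(bulk, TrafficBehavior("mark-low", remark_dscp=0))
    pol.classifier_behavior(guest, TrafficBehavior("drop", filter="deny"))
    # insert-before places voice ahead of bulk although it is configured last
    pol.classifier_behavior(voice, TrafficBehavior("mark-ef", remark_local_precedence=5),
                            insert_before="bulk")
    return pol
```

The or class bulk shows why entry order matters: a packet with DSCP 8 in VLAN 30 is handled by bulk, never by guest, because bulk comes first in the policy.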

display qos policy

Use display qos policy to display QoS policies.

Syntax

display qos policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

system-defined: Displays system-defined QoS policies.

user-defined: Displays user-defined QoS policies.

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a QoS policy, this command displays all user-defined QoS policies.

classifier classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic class, this command displays all traffic classes.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays the QoS policies for the master device.

Examples

# Display all user-defined QoS policies.

<Sysname> display qos policy user-defined

 

  User-defined QoS policy information:

 

  Policy: 1 (ID 100)

   Classifier: 1 (ID 100)

     Behavior: 1

      Marking:

        Remark dscp 3

      Committed Access Rate:

        CIR 112 (kbps), CBS 5120 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

   Classifier: 3 (ID 102)

     Behavior: 3

      -none-

# Display the system-defined QoS policy.

<Sysname> display qos policy system-defined

 

  System-defined QoS policy information:

 

  Policy: default (ID 0)

   Classifier: default-class (ID 0)

     Behavior: be

      -none-

   Classifier: ef (ID 1)

     Behavior: ef

      -none-

   Classifier: af1 (ID 2)

     Behavior: af

      -none-

   Classifier: af2 (ID 3)

     Behavior: af

      -none-

   Classifier: af3 (ID 4)

     Behavior: af

      -none-

   Classifier: af4 (ID 5)

     Behavior: af

      -none-

For the output description, see Table 12 and Table 14.

display qos policy interface

Use display qos policy interface to display the QoS policies applied to interfaces.

Syntax

display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays QoS policy information for each interface.

inbound: Displays the QoS policy applied to the incoming traffic of the specified interface.

outbound: Displays the QoS policy applied to the outgoing traffic of the specified interface.

Usage guidelines

If you do not specify a direction, this command displays the QoS policy applied to incoming traffic and the QoS policy applied to outgoing traffic.

If you specify a VT interface, this command displays the QoS policies applied to each VA interface of the VT interface. It does not display QoS information about the VT interface.

Examples

# Display the QoS policy applied to the incoming traffic of GigabitEthernet 1/0/1.

<Sysname> display qos policy interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1

  Direction: Inbound

  Policy: 1

   Classifier: 1

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 2000

     Behavior: 1

      Marking:

        Remark dscp 3

      Committed Access Rate:

        CIR 112 (kbps), CBS 5120 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets) 0 (Bytes)

        Yellow packets: 0 (Packets) 0 (Bytes)

        Red packets   : 0 (Packets) 0 (Bytes)

   Classifier: 2

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match not protocol ipv6

     Behavior: 2

      Filter enable: Permit

      Marking:

        Remark mpls-exp 4

   Classifier: 3

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      -none-

     Behavior: 3

      -none-

Table 16 Command output

Field: Description

Direction: Direction in which the QoS policy is applied to the interface.

Matched: Number of matching packets.

Forwarded: Average rate of successfully forwarded matching packets in a statistics collection period.

Dropped: Average rate of dropped matching packets in a statistics collection period.

Green packets: Traffic statistics for green packets.

Yellow packets: Traffic statistics for yellow packets. This field is not supported in the current software version.

Red packets: Traffic statistics for red packets.

For the description of other fields, see Table 12 and Table 14.

display qos policy user-profile

Use display qos policy user-profile to display QoS policies applied to user profiles.

Syntax

display qos policy user-profile [ name profile-name ] [ user-id user-id ] [ slot slot-number ] [ inbound | outbound ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include English letters, digits, and underscores (_). The name must start with an English letter and must be unique. If you do not specify a user profile, this command displays QoS policies applied to all user profiles.

user-id user-id: Specifies an online user by a system-assigned, hexadecimal ID. If you do not specify an online user, this command displays QoS policies applied to user profiles for all online users.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays QoS policies applied to user profiles for all member devices.

inbound: Specifies QoS policies applied to incoming traffic.

outbound: Specifies QoS policies applied to outgoing traffic.

Usage guidelines

If you do not specify a direction, this command displays QoS policies applied in the inbound direction and QoS policies applied in the outbound direction.

Examples

# Display QoS policies applied to all user profiles for all online users.

<Sysname> display qos policy user-profile

User-Profile: abc

  slot 1:

    User ID: 0x30000000(local)

      Direction: Inbound

      Policy: p1

       Classifier: default-class

         Matched : 0 (Packets) 0 (Bytes)

         Operator: AND

         Rule(s) :

          If-match any

         Behavior: be

          -none-

 

User-Profile: a12

  slot 2:

    User ID: 0x30000001(local)

      Direction: Inbound

      Policy: p1

       Classifier: default-class

         Matched : 0 (Packets) 0 (Bytes)

         Operator: AND

         Rule(s) :

          If-match any

         Behavior: be

          -none-

       Classifier: a

        Operator: AND

        Rule(s) :

         If-match any

        Behavior: a

         Committed Access Rate:

           CIR 100 (kbps), CBS 6250 (Bytes), EBS 0 (Bytes)

           Green action  : pass

           Yellow action : pass

           Red action    : discard

           Green packets : 0 (Packets)

           Red packets   : 0 (Packets)

Table 17 Command output

Field: Description

Matched: Number of packets that meet match criteria.

Green packets: Statistics about green packets.

Yellow packets: Statistics about yellow packets. This field is not supported in the current software version.

Red packets: Statistics about red packets.

For the description of other fields, see Table 12 and Table 14.

qos apply policy (interface view)

Use qos apply policy to apply a QoS policy to an interface.

Use undo qos apply policy to remove an applied QoS policy.

Syntax

qos apply policy policy-name { inbound | outbound }

undo qos apply policy policy-name { inbound | outbound }

Default

No QoS policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

inbound: Applies the QoS policy to incoming traffic.

outbound: Applies the QoS policy to the outgoing traffic of an interface.

Examples

# Apply QoS policy USER1 to the outgoing traffic of GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] qos apply policy USER1 outbound

qos apply policy (user profile view)

Use qos apply policy to apply a QoS policy to a user profile.

Use undo qos apply policy to remove a QoS policy applied to a user profile.

Syntax

qos apply policy policy-name { inbound | outbound }

undo qos apply policy policy-name { inbound | outbound }

Default

No QoS policy is applied to a user profile.

Views

User profile view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

inbound: Applies the QoS policy to the incoming traffic of the device (traffic sent by online users).

outbound: Applies the QoS policy to the outgoing traffic of the device (traffic received by online users).

Usage guidelines

Deleting a user profile also removes the QoS policies applied to the user profile.

Examples

# Apply the QoS policy test to the outgoing traffic of user profile user.

<Sysname> system-view

[Sysname] user-profile user

[Sysname-user-profile-user] qos apply policy test outbound

qos policy

Use qos policy to create a QoS policy and enter QoS policy view.

Use undo qos policy to delete a QoS policy.

Syntax

qos policy policy-name

undo qos policy policy-name

Default

No QoS policy is configured.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

To delete a QoS policy that has been applied to an object, you must first remove the QoS policy from the object.

Examples

# Define QoS policy user1.

<Sysname> system-view

[Sysname] qos policy user1

[Sysname-qospolicy-user1]

Related commands

·          classifier behavior

·          qos apply policy

 


Priority mapping commands

Priority map commands

display qos map-table

Use display qos map-table to display the configuration of a priority map.

Syntax

display qos map-table [ dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

The device provides the following types of priority map.

Table 18 Priority maps

Priority map: Description

dot11e-lp: 802.11e-local priority map.

dot1p-lp: 802.1p-local priority map.

dscp-lp: DSCP-local priority map.

lp-dot11e: Local-802.11e priority map.

lp-dot1p: Local-802.1p priority map.

lp-dscp: Local-DSCP priority map.

Usage guidelines

If you do not specify a priority map, this command displays the configuration of all priority maps.

Examples

# Display the configuration of the 802.1p-local priority map.

<Sysname> display qos map-table dot1p-lp

MAP-TABLE NAME: dot1p-lp   TYPE: pre-define

IMPORT  :  EXPORT

   0    :    2

   1    :    0

   2    :    1

   3    :    3

   4    :    4

   5    :    5

   6    :    6

   7    :    7

Table 19 Command output

Field: Description

MAP-TABLE NAME: Name of the priority map.

TYPE: Type of the priority map.

IMPORT: Input values of the priority map.

EXPORT: Output values of the priority map.

import

Use import to configure mappings for a priority map.

Use undo import to restore the specified or all mappings to the default for a priority map.

Syntax

import import-value-list export export-value

undo import { import-value-list | all }

Default

The default priority maps are used. For more information, see ACL and QoS Configuration Guide.

Views

Priority map view

Predefined user roles

network-admin

Parameters

import-value-list: Specifies a list of input values.

export-value: Specifies the output value.

all: Restores all mappings in the priority map to the default.

Examples

# Configure the 802.1p-local priority map to map 802.1p priority values 4 and 5 to local precedence 1.

<Sysname> system-view

[Sysname] qos map-table dot1p-lp

[Sysname-maptbl-dot1p-lp] import 4 5 export 1

Related commands

display qos map-table

qos map-table

Use qos map-table to enter the specified priority map view.

Syntax

qos map-table { dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp }

Views

System view

Predefined user roles

network-admin

Parameters

For the description of all keywords, see Table 18.

Examples

# Enter the 802.1p-local priority map view.

<Sysname> system-view

[Sysname] qos map-table dot1p-lp

[Sysname-maptbl-dot1p-lp]

Related commands

·          display qos map-table

·          import

Port priority commands

qos priority

Use qos priority to change the port priority of an interface.

Use undo qos priority to restore the default.

Syntax

qos priority priority-value

undo qos priority

Default

The port priority is 0.

Views

Interface view

Predefined user roles

network-admin

Parameters

priority-value: Specifies the port priority value in the range of 0 to 7.

Examples

# Set the port priority of interface GigabitEthernet 1/0/1 to 2.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] qos priority 2

Related commands

display qos trust interface

Priority trust mode commands

display qos trust interface

Use display qos trust interface to display the priority trust mode and port priority of an interface.

Syntax

display qos trust interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the priority trust modes and port priorities of all interfaces.

Examples

# Display the priority trust mode and port priority of GigabitEthernet 1/0/1.

<Sysname> display qos trust interface gigabitethernet 1/0/1

Interface: GigabitEthernet1/0/1

 Port priority information

  Port priority: 4

  Port dot1p priority: -

  Port dscp priority: -

  Port priority trust type: dot1p

Table 20 Command output

Field: Description

Interface: Interface type and interface number.

Port priority: Port priority set for the interface.

Port dot1p priority: 802.1p priority of the port.

Port dscp priority: DSCP priority of the port.

Port priority trust type: Priority trust mode on the interface: dot1p or dscp.

qos trust

Use qos trust to set the priority trust mode for an interface.

Use undo qos trust to restore the default priority trust mode.

Syntax

qos trust { dot1p | dscp }

undo qos trust

Default

The port priority is trusted.

Views

Interface view

Predefined user roles

network-admin

Parameters

dot1p: Uses the 802.1p priority in incoming packets for priority mapping.

dscp: Uses the DSCP value in incoming packets for priority mapping.

Examples

# Set the priority trust mode to 802.1p priority on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] qos trust dot1p

Related commands

display qos trust interface

 


Traffic policing commands

qos car

Use qos car to configure a CAR policy for a user profile.

Use undo qos car to delete a CAR policy from a user profile.

Syntax

qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size ]

undo qos car { inbound | outbound }

Default

No CAR policy is configured for a user profile.

Views

User profile view

Predefined user roles

network-admin

Parameters

inbound: Performs CAR for incoming traffic (traffic sent by the online users).

outbound: Performs CAR for outgoing traffic (traffic received by the online users).

any: Performs CAR for all IP packets in the specified direction.

cir committed-information-rate: Specifies the CIR in the range of 8 to 10000000 kbps.

cbs committed-burst-size: Specifies the CBS in the range of 1000 to 1000000000 bytes.

Usage guidelines

The conforming traffic is permitted to pass through, and the excess traffic is dropped.

If you configure CAR policies multiple times, the most recent configuration takes effect.

Examples

# Perform CAR for packets received by the user profile user. The CAR parameters are as follows:

·          The CIR is 200 kbps.

·          The CBS is 51200 bytes.

<Sysname> system-view

[Sysname] user-profile user

[Sysname-user-profile-user] qos car outbound any cir 200 cbs 51200
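The following is an added token-bucket model, not code from the H3C page or the device, of the single-rate CAR that both the car action in a traffic behavior and the qos car command in a user profile configure: a bucket of CBS bytes refilled at CIR kbps, packets that fit are green (default action pass) and the rest are red (default action discard). Because the display output shows EBS 0 and the yellow action is not supported on this device, the model is two-colour. The Car class, its meter method and the packet sizes and timestamps are constructed for the example; the CIR and CBS ranges are the ones the command reference gives.

```python
"""Single-rate, two-colour token bucket modelling `car cir ... cbs ...`.

Added example, not the device's implementation. Class and method names are
chosen for the example; the parameter ranges come from the command reference.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Car:
    cir_kbps: int                 # committed information rate, 8..10000000 kbps
    cbs_bytes: int                # committed burst size, 1000..1000000000 bytes
    green_action: str = "pass"    # default green action
    red_action: str = "discard"   # default red action

    def __post_init__(self) -> None:
        if not 8 <= self.cir_kbps <= 10_000_000:
            raise ValueError("cir out of range")
        if not 1000 <= self.cbs_bytes <= 1_000_000_000:
            raise ValueError("cbs out of range")
        self.tokens = float(self.cbs_bytes)   # the bucket starts full
        self.last_ts = 0.0

    @property
    def bytes_per_second(self) -> float:
        """CIR is given in kbps; the bucket is counted in bytes."""
        return self.cir_kbps * 1000 / 8

    def meter(self, ts: float, size: int) -> Tuple[str, str]:
        """Colour one packet of `size` bytes arriving at time `ts` (seconds).

        Tokens accrue since the previous packet, capped at CBS. A packet that
        fits is green and consumes its size; a packet that does not is red and
        consumes nothing. Returns (colour, configured action).
        """
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.cbs_bytes, self.tokens + elapsed * self.bytes_per_second)
        self.last_ts = ts
        if size <= self.tokens:
            self.tokens -= size
            return "green", self.green_action
        return "red", self.red_action


def run_sample() -> List[Tuple[float, int, str]]:
    """Feed a constructed burst through car cir 200 cbs 51200 (the page's values).

    Forty 1500-byte packets arrive at once, then one more a second later.
    The first 34 fit into the 51200-byte bucket, the next six are red, and
    after one second at 200 kbps (25000 bytes) the last packet is green again.
    """
    car = Car(cir_kbps=200, cbs_bytes=51200)
    arrivals = [(0.0, 1500)] * 40 + [(1.0, 1500)]
    return [(ts, size, car.meter(ts, size)[0]) for ts, size in arrivals]
```

The CBS therefore bounds how much a client can send in one burst before the red action applies, and the CIR bounds the long-term rate, which is why a user profile with qos car limits an online user to the configured average rate while still tolerating short bursts.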

 


Time range commands

display time-range

Use display time-range to display time range configuration and status.

Syntax

display time-range { time-range-name | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters.

all: Displays the configuration and status of all existing time ranges.

Examples

# Display the configuration and status of time range t4.

<Sysname> display time-range t4

Current time is 09:40:55 5/26/2015 Tuesday

 

Time-range : t4 (Inactive)

 10:00 to 12:00 Mon

 14:00 to 16:00 Wed

 from 00:00 1/1/2014 to 00:00 1/1/2015

 from 00:00 6/1/2015 to 00:00 7/1/2015

Table 21 Command output

Field: Description

Current time: Current system time.

Time-range: Configuration and status of the time range, including its name, status (active or inactive), and start time and end time.

time-range

Use time-range to create or edit a time range.

Use undo time-range to delete a time range or a statement in the time range.

Syntax

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

Default

No time range exists.

Views

System view

Predefined user roles

network-admin

Parameters

time-range-name: Specifies a time range name. The name is a case-insensitive string of 1 to 32 characters. To avoid confusion, it cannot be all.

start-time to end-time: Specifies a periodic statement. Both start-time and end-time are in hh:mm format (24-hour clock). The value is in the range of 00:00 to 23:59 for the start time, and 00:00 to 24:00 for the end time. The end time must be greater than the start time.

days: Specifies the day or days of the week (in words or digits) on which the periodic statement is valid. If you specify multiple values, separate each value with a space, and make sure they do not overlap. These values can take one of the following forms:

·          A digit in the range of 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.

·          A day of a week in abbreviated words: sun, mon, tue, wed, thu, fri, and sat.

·          working-day for Monday through Friday.

·          off-day for Saturday and Sunday.

·          daily for the whole week.

from time1 date1: Specifies the start time and date of an absolute statement. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value is in the range of 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range of 1 to 12, DD is the day of the month with the range varying by MM, and YYYY is the year in the calendar in the range of 1970 to 2100. If you do not specify this option, the start time is 01/01/1970 00:00 AM, the earliest time available in the system.

to time2 date2: Specifies the end time and date of the absolute time statement. The time2 argument has the same format as the time1 argument, but its value is in the range of 00:00 to 24:00. The date2 argument has the same format and value range as the date1 argument. The end time must be greater than the start time. If you do not specify this option, the end time is 12/31/2100 24:00 PM, the maximum time available in the system.

Usage guidelines

If an existing time range name is provided, this command adds a statement to the time range.

You can create multiple statements in a time range. Each time statement can take one of the following forms:

·          Periodic statement in the start-time to end-time days format. A periodic statement recurs periodically on a day or days of the week.

·          Absolute statement in the from time1 date1 to time2 date2 format. An absolute statement does not recur.

·          Compound statement in the start-time to end-time days from time1 date1 to time2 date2 format. A compound statement recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2011, 00:00 and December 31, 2011, 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2011 to 23:59 12/31/2011 command.

You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows:

1.        Combining all periodic statements.

2.        Combining all absolute statements.

3.        Taking the intersection of the two statement sets as the active period of the time range.

Examples

# Create a periodic time range t1, setting it to be active from 08:00 to 18:00 on working days.

<Sysname> system-view

[Sysname] time-range t1 08:00 to 18:00 working-day

# Create an absolute time range t2, setting it to be active in the whole year of 2015.

<Sysname> system-view

[Sysname] time-range t2 from 00:00 1/1/2015 to 24:00 12/31/2015

# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2015.

<Sysname> system-view

[Sysname] time-range t3 08:00 to 12:00 off-day from 00:00 1/1/2015 to 24:00 12/31/2015

# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in January and June of the year 2015.

<Sysname> system-view

[Sysname] time-range t4 10:00 to 12:00 1 from 00:00 1/1/2015 to 24:00 1/31/2015

[Sysname] time-range t4 14:00 to 16:00 3 from 00:00 6/1/2015 to 24:00 6/30/2015
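The following is an added evaluator, not code from the H3C page or the device, for statements in the time-range syntax above. It applies the three-step rule from the usage guidelines: combine the periodic statements, combine the absolute statements, and take the intersection. A compound statement is split into its periodic part and its absolute part, which is how display time-range lists them. The TimeRange class and its method names are constructed for the example; the sample timestamps are constructed too, except that t4 and the 09:40:55 5/26/2015 Tuesday clock are taken from the page's own examples.

```python
"""Evaluates Comware time-range statements: union(periodic) AND union(absolute).

Added example, not the device's code. Compound statements contribute one
periodic part and one absolute part, as `display time-range` lists them.
"""
from datetime import datetime, timedelta
from typing import List, Set, Tuple

DAY_WORDS = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
EARLIEST = datetime(1970, 1, 1)      # default start when `from` is omitted
LATEST = datetime(2101, 1, 1)        # 12/31/2100 24:00, default end when `to` is omitted


def parse_hhmm(text: str) -> int:
    """Return minutes since midnight; 24:00 is allowed (end times only)."""
    hour, minute = (int(x) for x in text.split(":"))
    if not (0 <= hour <= 24 and 0 <= minute <= 59) or (hour == 24 and minute != 0):
        raise ValueError(f"bad time {text}")
    return hour * 60 + minute


def parse_datetime(hhmm: str, date: str) -> datetime:
    """Accept MM/DD/YYYY or YYYY/MM/DD; 24:00 rolls over to the next day."""
    a, b, c = (int(x) for x in date.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(hhmm))


class TimeRange:
    def __init__(self, name: str) -> None:
        self.name = name
        self.periodic: List[Tuple[int, int, Set[int]]] = []   # (start, end, weekdays)
        self.absolute: List[Tuple[datetime, datetime]] = []

    def add(self, statement: str) -> None:
        """Parse one statement exactly as typed after `time-range name`."""
        tok = statement.split()
        i = 0
        if ":" in tok[0]:                                       # periodic part
            start, end = parse_hhmm(tok[0]), parse_hhmm(tok[2])
            if end <= start:
                raise ValueError("end time must be greater than start time")
            days: Set[int] = set()
            i = 3
            while i < len(tok) and tok[i] not in ("from", "to"):
                d = tok[i]
                days |= DAY_GROUPS.get(d) or ({int(d)} if d.isdigit() else {DAY_WORDS[d]})
                i += 1
            self.periodic.append((start, end, days))
        if i < len(tok):                                        # absolute part
            frm, to = EARLIEST, LATEST
            while i < len(tok):
                value = parse_datetime(tok[i + 1], tok[i + 2])
                if tok[i] == "from":
                    frm = value
                elif tok[i] == "to":
                    to = value
                else:
                    raise ValueError(f"unexpected token {tok[i]}")
                i += 3
            if to <= frm:
                raise ValueError("end time must be greater than start time")
            self.absolute.append((frm, to))

    def is_active(self, now: datetime) -> bool:
        """Step 1 and 2: any periodic / any absolute statement matches (or none
        of that kind exists); step 3: both must hold."""
        minute = now.hour * 60 + now.minute
        weekday = (now.weekday() + 1) % 7            # page numbering: 0 = Sunday
        periodic_ok = not self.periodic or any(
            weekday in days and start <= minute < end for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(frm <= now < to for frm, to in self.absolute)
        return periodic_ok and absolute_ok


def sample_t4() -> TimeRange:
    """The page's t4: Mondays 10:00 to 12:00 in January 2015, Wednesdays 14:00 to 16:00 in June 2015."""
    t4 = TimeRange("t4")
    t4.add("10:00 to 12:00 1 from 00:00 1/1/2015 to 24:00 1/31/2015")
    t4.add("14:00 to 16:00 3 from 00:00 6/1/2015 to 24:00 6/30/2015")
    return t4
```

One consequence of the intersection rule worth checking before relying on a compound time range in an ACL: because the periodic parts and the absolute parts are combined separately, t4 as evaluated here is also active on a Monday in June 2015 from 10:00 to 12:00, not only on the Mondays of January.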

Related commands

display time-range


Index

A: acl, acl copy, acl trap interval

C: car, classifier behavior

D: description, display acl, display packet-filter, display packet-filter verbose, display qos map-table, display qos policy, display qos policy interface, display qos policy user-profile, display qos trust interface, display time-range, display traffic behavior, display traffic classifier

F: filter

I: if-match, import

P: packet-filter, packet-filter default deny

Q: qos apply policy (interface view), qos apply policy (user profile view), qos car, qos map-table, qos policy, qos priority, qos trust

R: remark dscp, remark local-precedence, rule (IPv4 advanced ACL view), rule (IPv4 basic ACL view), rule (IPv6 advanced ACL view), rule (IPv6 basic ACL view), rule (Layer 2 ACL view), rule (WLAN AP ACL view), rule (WLAN client ACL view), rule comment

S: step

T: time-range, traffic behavior, traffic classifier
