08-ACL and QoS Command Reference

HomeSupportSwitchesS6800 SeriesReference GuidesCommand ReferencesH3C S6800 Switch Series Command References-Release 26xx-6W10708-ACL and QoS Command Reference
01-ACL commands
Title Size Download
01-ACL commands 288.78 KB

ACL commands

acl

Use acl to create an ACL and enter its view, or enter the view of an existing ACL.

Use undo acl to delete the specified or all ACLs.

Syntax

Command set 1:

acl [ ipv6 ] { name acl-name | number acl-number [ name acl-name ] [ match-order { auto | config } ] }

undo acl [ ipv6 ] { all | name acl-name | number acl-number }

Command set 2:

acl [ ipv6 ] { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]

acl mac { acl-number | name acl-name } [ match-order { auto | config } ]

acl user-defined { acl-number | name acl-name }

undo acl [ ipv6 ] { all | { advanced | basic } { acl-number | name acl-name } }

undo acl mac { all | acl-number | name acl-name }

undo acl user-defined { all | acl-number | name acl-name }

Default

No ACLs exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type. To specify the IPv4 ACL type, do not use this keyword.

basic: Specifies the basic ACL type.

advanced: Specifies the advanced ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Assigns a number to the ACL.

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Assigns a name to the ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.

match-order: Specifies the order in which ACL rules are compared against packets.

·     auto: Compares ACL rules in depth-first order.

·     config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has a higher priority. If you do not specify a match order, the config order applies by default. The match order for the user-defined ACL can only be config.

all: Specifies all ACLs of the specified type.

Usage guidelines

For a numbered ACL, you can enter the view of the ACL by using the acl [ ipv6 ] number acl-number or acl [ ipv6 | mac | user-defined ] acl-number command.

For an ACL created by using the acl [ ipv6 ] number acl-number name acl-name command , you can enter the view of the ACL by using the following commands:

·     acl [ ipv6 ] name acl-name (for basic ACLs and advanced ACLs only)

·     acl [ ipv6 ] number acl-number [ name acl-name ]

·     acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name

For a named ACL created by using the acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name command, you can enter the view of the ACL by using the following commands:

·     acl [ ipv6 ] name acl-name (for basic ACLs and advanced ACLs only)

·     acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name

You can specify both a number and a name when creating an ACL only in R2612 and later versions.

You can change the match order only for ACLs that do not contain any rules.

Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or has functions enabled in addition to the following match criteria and functions:

·     Source and destination IP addresses.

·     Source and destination ports.

·     Transport layer protocol.

·     ICMP or ICMPv6 message type, message code, and message name.

·     VPN instance.

·     Logging.

·     Time range.

Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.

Examples

# Create IPv4 basic ACL 2000 and enter its view.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000]

# Create IPv4 basic ACL flow and enter its view.

<Sysname> system-view

[Sysname] acl basic name flow

[Sysname-acl-ipv4-basic-flow]

# Create IPv4 advanced ACL 3000 and enter its view.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000]

# Create IPv6 basic ACL 2000 and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 basic 2000

[Sysname-acl-ipv6-basic-2000]

# Create IPv6 basic ACL flow and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 basic name flow

[Sysname-acl-ipv6-basic-flow]

# Create IPv6 advanced ACL abc and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 advanced name abc

[Sysname-acl-ipv6-adv-abc]

# Create Layer 2 ACL 4000 and enter its view.

<Sysname> system-view

[Sysname] acl mac 4000

[Sysname-acl-mac-4000]

# Create Layer 2 ACL flow and enter its view.

<Sysname> system-view

[Sysname] acl mac name flow

[Sysname-acl-mac-flow]

# Create user-defined ACL 5000 and enter its view.

<Sysname> system-view

[Sysname] acl user-defined 5000

[Sysname-acl-user-5000]

# Create user-defined ACL flow and enter its view.

<Sysname> system-view

[Sysname] acl user-defined name flow

[Sysname-acl-user-flow]

Related commands

display acl

acl copy

Use acl copy to create an ACL by copying an ACL that already exists.

Syntax

acl [ ipv6 | mac | user-defined ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

source-acl-number: Specifies an existing source ACL by its number.

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.

dest-acl-number: Assigns a unique number to the new ACL. Available value ranges include:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name dest-acl-name: Assigns a unique name to the new ACL. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.

Usage guidelines

The new ACL and the source ACL must be the same type.

The new ACL has the same properties and content as the source ACL, but uses a different number or name from the source ACL.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view

[Sysname] acl copy 2001 to 2002

# Create IPv4 basic ACL paste by copying IPv4 basic ACL test.

<Sysname> system-view

[Sysname] acl copy name test to name paste

acl logging interval

Use acl logging interval to enable logging for packet filtering and set the interval.

Use undo acl logging interval to restore the default.

Syntax

acl logging interval interval

undo acl logging interval

Default

The interval is 0. The device does not generate log entries for packet filtering.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which log entries are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable the logging, set the value to 0.

Usage guidelines

The logging feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.

You can configure the ACL module to generate log entries for packet filtering and output them to the information center at the output interval. The log entry records the number of matching packets and the matched ACL rules. If an ACL is matched for the first time, the device immediately outputs a log entry to record the matching packet. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure the device to generate and output packet filtering log entries every 10 minutes.

<Sysname> system-view

[Sysname] acl logging interval 10

Related commands

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule (IPv6 advanced ACL view)

rule (IPv6 basic ACL view)

acl trap interval

Use acl trap interval to enable SNMP notifications for packet filtering and set the interval.

Use undo acl interval to restore the default.

Syntax

acl trap interval interval

undo acl trap interval

Default

The interval is 0. The device does not generate SNMP notifications for packet filtering.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which SNMP notifications are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable SNMP notifications, set the value to 0.

Usage guidelines

The SNMP notifications feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.

You can configure the ACL module to generate SNMP notifications for packet filtering and output them to the SNMP module at the output interval. The notification records the number of matching packets and the matched ACL rules. If an ACL is matched for the first time, the device immediately outputs a notification to record the matching packet. For more information about SNMP, see Network Management and Monitoring Configuration Guide.

Examples

# Configure the device to generate and output packet filtering SNMP notifications every 10 minutes.

<Sysname> system-view

[Sysname] acl trap interval 10

Related commands

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule (IPv6 advanced ACL view)

rule (IPv6 basic ACL view)

description

Use description to configure a description for an ACL.

Use undo description to delete an ACL description.

Syntax

description text

undo description

Default

An ACL does not have a description.

Views

IPv4 basic/advanced ACL view

IPv6 basic/advanced ACL view

Layer 2 ACL view

User-defined ACL view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] description This is an IPv4 basic ACL.

Related commands

display acl

display acl

Use display acl to display ACL configuration and match statistics.

Syntax

display acl [ ipv6 | mac | user-defined ] { acl-number | all | name acl-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number.

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

all: Specifies all ACLs of the specified type.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command displays ACL rules in config or auto order, whichever is configured.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Display configuration and match statistics for IPv4 basic ACL 2001.

<Sysname> display acl 2001

Basic IPv4 ACL 2001, 1 rule, match-order is auto,

This is an IPv4 basic ACL.

ACL's step is 5, start ID is 0

 rule 5 permit source 1.1.1.1 0

 rule 5 comment This rule is used on Ten-GigabitEthernet1/0/1.

# Display configuration and match statistics for IPv4 advanced ACL acl1_L3_IN.

<Sysname> display acl name acl1_L3_IN

Advanced IPv4 ACL named acl1_L3_IN, 1 rule

ACL's step is 5, start ID is 0

 rule 0 permit tcp (Stateful)

# Display configuration and match statistics for IPv4 advanced ACL acl1_L3_OUT.

<Sysname> display acl name acl1_L3_OUT

Advanced IPv4 ACL named acl1_L3_OUT, 1 rule

ACL's step is 5, start ID is 0

 rule 0 permit tcp source 2.2.2.2 0 destination 1.1.1.1 0 source-port eq 1000 destination-port eq 2000 (Dynamic)

Table 1 Command output

Field

Description

Basic IPv4 ACL 2001

Type and number of the ACL. The following field information is about IPv4 basic ACL 2001.

1 rule

The ACL contains one rule.

match-order is auto

The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not displayed when the match order is config.

This is an IPv4 basic ACL.

Description of the ACL.

ACL's step is 5

The rule numbering step is 5.

start ID is 0

The start rule ID is 0.

rule 5 permit source 1.1.1.1 0

Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1.

rule 5 comment This rule is used on Ten-GigabitEthernet1/0/1.

Comment of rule 5.

Stateful

A stateful rule is deployed by the controller.

After a controller deploys a stateful ACL to an interface, the switch applies the stateful ACL to filter packets on the interface. When the first packet of a flow matches a rule in the stateful ACL, the switch creates a dynamic ACL and installs a rule into the dynamic ACL as follows:

·     Uses the same source and destination IP addresses as the first matching packet, except that the addresses are swapped.

·     Uses the same source and destination port numbers as the first matching packet, except that the port numbers are swapped.

The dynamic ACL is applied to the reverse direction of the stateful ACL on the interface. The stateful ACL works with the dynamic ACL to allow two-way communication between network entities.

A stateful ACL can be deployed only to an Ethernet service instance or the inbound direction of an Ethernet interface or a Layer 2 aggregate interface.

If stateful ACLs are deployed to both a Layer 2 aggregate interface and its member port, the stateful ACL deployed to the member port does not take effect.

Dynamic

A dynamic rule is added dynamically by an application module.

 

display packet-filter

Use display packet-filter to display ACL application information for packet filtering.

Syntax

display packet-filter { interface [ interface-type interface-number ] | l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ] | vlan-interface } [ inbound | outbound ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces. You do not need to specify the slot slot-number option for an Ethernet interface.

l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096. If you do not specify an interface, this command displays ACL application information for all Ethernet service instances on all interfaces. If you specify an interface but do not specify an Ethernet service instance, this command displays ACL application information for all Ethernet service instances on the specified interface.

vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application information for packet filtering for the master device.

Usage guidelines

If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions.

Examples

# Display ACL application information for inbound packet filtering on interface Ten-GigabitEthernet 1/0/1.

<Sysname> display packet-filter interface ten-gigabitethernet 1/0/1 inbound

Interface: Ten-GigabitEthernet1/0/1

 Inbound policy:

  IPv4 ACL 2001, Share-mode

  IPv6 ACL 2002 (Failed)

  MAC ACL 4003, Hardware-count (Failed)

  IPv4 default action: Deny

  IPv6 default action: Deny

  MAC default action: Deny

# Display ACL application information for inbound packet filtering on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.

<Sysname> display packet-filter l2vpn-ac interface ten-gigabitethernet 1/0/1 service-instance 1 inbound

Interface: Ten-GigabitEthernet1/0/1  Service Instance ID: 1

 Inbound policy:

  IPv4 ACL 2001

  IPv6 ACL 2002 (Failed)

  MAC ACL 4003, Hardware-count (Failed)

# Display ACL application information for inbound and outbound packet filtering on the list of VLAN interfaces.

<Sysname> display packet-filter vlan-interface

VLAN interface : 2 to 5

Inbound policy:

IPv4 ACL 2001

IPv4 default action: Deny (Failed)

VLAN interface : 2 to 5

Outbound policy:

 MAC ACL 4001, Hardware-count

 MAC default action: Deny

Table 2 Command output

Field

Description

Interface

Interface to which the ACL applies.

Interface: Ten-GigabitEthernet1/0/1  Service Instance ID: 1

Ethernet service instance to which the ACL applies. Ten-GigabitEthernet 1/0/1 is the interface where the Ethernet service instance resides.

VLAN interface

List of VLAN interfaces specified in the packet-filter vlan-interface command.

Inbound policy

ACL used for filtering incoming traffic.

Outbound policy

ACL used for filtering outgoing traffic.

IPv4 ACL 2001

IPv4 basic ACL 2001 has been successfully applied.

IPv6 ACL 2002 (Failed)

The device has failed to apply IPv6 basic ACL 2002.

Share-mode

Sharing mode for QoS and ACL resources.

This field appears in the command output only if an ACL is applied with the share-mode keyword.

Hardware-count

ACL rule match counting in hardware has been successfully enabled.

Hardware-count (Failed)

The device has failed to enable counting ACL rule matches in hardware.

IPv4 default action

Packet filter default action for packets that do not match any IPv4 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

IPv6 default action

Packet filter default action for packets that do not match any IPv6 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

MAC default action

Packet filter default action for packets that do not match any Layer 2 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

 

display packet-filter statistics

Use display packet-filter statistics to display packet filtering statistics.

Syntax

display packet-filter statistics { interface [ interface-type interface-number ] | l2vpn-ac interface interface-type interface-number service-instance instance-id | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

l2vpn-ac interface interface-type interface-number service-instance instance-id: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096.

vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

brief: Displays brief statistics.

Usage guidelines

If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays packet filtering statistics for all ACLs.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Display packet filtering statistics for all ACLs on incoming packets of Ten-GigabitEthernet 1/0/1.

<Sysname> display packet-filter statistics interface ten-gigabitethernet 1/0/1 inbound

Interface: Ten-GigabitEthernet1/0/1

 Inbound policy:

  IPv4 ACL 2001, Hardware-count

   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (No resource)

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

 

  IPv6 ACL 2000

 

  MAC ACL 4000

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   rule 0 permit

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

# Display packet filtering statistics for all ACLs on incoming packets on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.

<Sysname> display packet-filter statistics l2vpn-ac interface ten-gigabitethernet 1/0/1 service-instance 1 inbound

Interface: Ten-GigabitEthernet1/0/1  Service Instance ID: 1

 Inbound policy:

  IPv4 ACL 2001, Hardware-count

   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (No resource)

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

 

  MAC ACL 4000

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   rule 0 permit

 

  IPv6 ACL 2000

# Display packet filtering statistics for ACL 3000 on incoming packets of the list of VLAN interfaces.

<Sysname> display packet-filter statistics vlan-interface inbound 3000

VLAN interface: 2 to 10

Inbound policy:

 IPv4 ACL 3000, Hardware-count (Failed)

 From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

 rule 0 permit source 2.2.2.2 0

 rule 5 permit source 1.1.1.1 0 counting (2 packets)

 rule 10 permit vpn-instance test

Totally 2 packets permitted, 0 packets denied

Totally 100% permitted, 0% denied

Table 3 Command output

Field

Description

Interface

Interface to which the ACL applies.

Interface: Ten-GigabitEthernet1/0/1  Service Instance ID: 1

Ethernet service instance to which the ACL applies. Ten-GigabitEthernet 1/0/1 is the interface where the Ethernet service instance resides.

VLAN interface

List of VLAN interfaces specified in the packet-filter vlan-interface command.

Inbound policy

ACL used for filtering incoming traffic.

Outbound policy

ACL used for filtering outgoing traffic.

IPv4 ACL 2001

IPv4 basic ACL 2001 has been successfully applied.

IPv4 ACL 2002 (Failed)

The device has failed to apply IPv4 basic ACL 2002.

Hardware-count

ACL rule match counting in hardware has been successfully enabled.

Hardware-count (Failed)

The device has failed to enable counting ACL rule matches in hardware.

From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

Start time and end time of the statistics.

2 packets

Two packets matched the rule.

This field is not displayed when no packets matched the rule.

No resource

Resources are not enough for counting matches for the rule. In packet filtering statistics, this field is displayed for a rule when resources are not sufficient for rule match counting.

rule 5 permit source 1.1.1.1 0 (Failed)

The device has failed to apply rule 5.

Totally 2 packets permitted, 0 packets denied

Number of packets permitted and denied by the ACL.

Totally 100% permitted, 0% denied

Ratios of permitted and denied packets to all packets.

IPv4 default action

Packet filter default action for packets that do not match any IPv4 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

IPv6 default action

Packet filter default action for packets that do not match any IPv6 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

MAC default action

Packet filter default action for packets that do not match any Layer 2 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

Totally 7 packets

The default action has been executed on seven packets.

 

Related commands

reset packet-filter statistics

display packet-filter statistics sum

Use display packet-filter statistics sum to display accumulated packet filtering statistics for an ACL.

Syntax

display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name } [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

brief: Displays brief statistics.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Display accumulated packet filtering statistics for IPv4 basic ACL 2001 on incoming packets.

<Sysname> display packet-filter statistics sum inbound 2001

Sum:

 Inbound policy:

  IPv4 ACL 2001

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0

   rule 10 permit vpn-instance test

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

# Display brief accumulated packet filtering statistics for IPv4 basic ACL 2000 on incoming packets.

<Sysname> display packet-filter statistics sum inbound 2000 brief

Sum:

 Inbound policy:

  IPv4 ACL 2000

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

Table 4 Command output

Field

Description

Sum

Accumulated packet filtering statistics.

Inbound policy

Accumulated packet filtering statistics in the inbound direction.

Outbound policy

Accumulated packet filtering statistics in the outbound direction.

IPv4 ACL 2001

Accumulated packet filtering statistics of IPv4 basic ACL 2001.

2 packets

Two packets matched the rule.

This field is not displayed when no packets matched the rule.

Totally 2 packets permitted, 0 packets denied

Number of packets permitted and denied by the ACL.

Totally 100% permitted, 0% denied

Ratios of permitted and denied packets to all packets.

 

Related commands

reset packet-filter statistics

display packet-filter verbose

Use display packet-filter verbose to display ACL application details for packet filtering.

Syntax

display packet-filter verbose { interface [ interface-type interface-number ] | l2vpn-ac interface interface-type interface-number service-instance instance-id | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. The slot slot-number option is not available for an Ethernet interface.

l2vpn-ac interface interface-type interface-number service-instance instance-id: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096.

vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application details for packet filtering for the master device.

Usage guidelines

If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays application details of all ACLs for packet filtering.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Display application details of all ACLs for inbound packet filtering on Ten-GigabitEthernet 1/0/1.

<Sysname> display packet-filter verbose interface ten-gigabitethernet 1/0/1 inbound

Interface: Ten-GigabitEthernet1/0/1

 Inbound policy:

  IPv4 ACL 2001

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  IPv4 ACL 2002 (Failed)

 

  IPv6 ACL 2000

   rule 0 permit

 

  MAC ACL 4000

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

# Display application details of all ACLs for inbound packet filtering on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.

<Sysname> display packet-filter verbose l2vpn-ac interface ten-gigabitethernet 1/0/1 service-instance 1 inbound

Interface: Ten-GigabitEthernet1/0/1  Service Instance ID: 1

 Inbound policy:

  IPv4 ACL 2001

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  IPv6 ACL 2000

   rule 0 permit

 

  MAC ACL 4000

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

# Display application details of the ACL for inbound packet filtering on the list of VLAN interfaces.

<Sysname> display packet-filter verbose vlan-interface inbound

VLAN interface: 2 to 10

Inbound policy:

 IPv4 ACL 2001, Hardware-count

 rule 0 permit

 rule 5 permit source 1.1.1.1 0

 rule 10 permit vpn-instance test

Table 5 Command output

Field

Description

Interface

Interface to which the ACL applies.

Interface: Ten-GigabitEthernet1/0/1  Service Instance ID: 1

Ethernet service instance to which the ACL applies. Ten-GigabitEthernet 1/0/1 is the interface where the Ethernet service instance resides.

VLAN interface

List of VLAN interfaces specified in the packet-filter vlan-interface command.

Inbound policy

ACL used for filtering incoming traffic.

Outbound policy

ACL used for filtering outgoing traffic.

IPv4 ACL 2001

IPv4 basic ACL 2001 has been successfully applied.

IPv4 ACL 2002 (Failed)

The device has failed to apply IPv4 basic ACL 2002.

Hardware-count

ACL rule match counting in hardware has been successfully enabled.

Hardware-count (Failed)

The device has failed to enable counting ACL rule matches in hardware.

rule 5 permit source 1.1.1.1 0 (Failed)

The device has failed to apply rule 5.

IPv4 default action

Packet filter default action for packets that do not match any IPv4 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

IPv6 default action

Packet filter default action for packets that do not match any IPv6 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

MAC default action

Packet filter default action for packets that do not match any Layer 2 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.

·     Permit—The default action permit has been successfully applied for packet filtering.

 

display qos-acl resource

Use display qos-acl resource to display QoS and ACL resource usage.

Syntax

display qos-acl resource [ advanced-mode ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

advanced-mode: Displays QoS and ACL resource usage in advanced mode. If you do not specify this keyword, the command displays QoS and ACL resource usage in common mode. This keyword is available in R2612 and later versions.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays QoS and ACL resource usage for all member devices.

Examples

# Display QoS and ACL resource usage in common mode.

<Sysname> display qos-acl resource

Interfaces: XGE1/0/1 to XGE1/0/48 (slot 1)

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 VFP ACL          1024       261        0          763        25%

 IFP ACL          16384      14336      8          2040       87%

 IFP Meter        8192       7168       0          1024       87%

 IFP Counter      8192       7168       2          1022       87%

 EFP ACL          1024       0          3          1021       0%

 EFP Meter        512        0          0          512        0%

 EFP Counter      512        0          0          512        0%

Table 6 Command output

Field

Description

Interfaces

Interface range for the resources.

Type

Resource type:

·     ACL—ACL rule resources.

·     Meter—Traffic policing resources.

·     Counter—Traffic accounting resources.

·     VFP—Resources for marking local QoS ID before Layer 2 forwarding.

·     IFP—Inbound resources.

·     EFP—Outbound resources.

Total

Total number of resources.

Reserved

Number of reserved resources.

Configured

Number of resources that has been applied.

Remaining

Number of resources that you can apply.

Usage

Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%.

 

# Display QoS and ACL resource usage in advanced mode.

<Sysname> display qos-acl resource advanced-mode

 

Interfaces:  XGE1/0/1 to XGE1/0/48, FGE1/0/49 to FGE1/0/54 (slot 1)

---------------------------------------------------------------------

 Stage      Slice      Total        Configured     Remaining  Usage

---------------------------------------------------------------------

 IFP        0          2048         6              2042       0%

 IFP        1          2048         6              2042       0%

 IFP        2          2048         1              2047       0%

 IFP        3          2048         1              2047       0%

 IFP        4          1024         10             1014       0%

 IFP        5          1024         10             1014       0%

 IFP        6          1024         1              1023       0%

 IFP        7          1024         1              1023       0%

 IFP        8          1024         20             1004       1%

 IFP        9          1024         20             1004       1%

 IFP        10         1024         59             965        5%

 IFP        11         1024         59             965        5%

 VFP        0          256          0              256        0%

 VFP        1          256          0              256        0%

 VFP        2          256          0              256        0%

 VFP        3          256          5              251        1%

 EFP        0          256          0              256        0%

 EFP        1          256          0              256        0%

 EFP        2          256          0              256        0%

 EFP        3          256          0              256        0%

Table 7 Command output

Field

Description

Interfaces

Interface range for the resources.

Stage

Processing stage:

·     VFP—Layer 2 forwarding.

·     IFP—Receiving.

·     EFP—Sending.

Slice

Slice ID.

Total

Total number of resources.

Configured

Number of resources that has been applied.

Remaining

Number of resources that can be applied.

Usage

Applied resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%.

 

packet-filter (Ethernet service instance view)

Use packet-filter to apply an ACL to an Ethernet service instance to filter packets.

Use undo packet-filter to remove an ACL from an Ethernet service instance.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }

Default

No ACL is applied to an Ethernet service instance to filter packets.

Views

Ethernet service instance view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

Usage guidelines

For information about configuring Ethernet service instances, see MPLS L2VPN or VPLS in MPLS Configuration Guide or see VXLAN Configuration Guide.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

The hardware-count keyword in this command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.

To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.

To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.

 

 

 

 

Examples

# Apply IPv4 advanced ACL 3001 to filter incoming traffic on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] service-instance 200

[Sysname-Ten-GigabitEthernet1/0/1-srv200] packet-filter 3001 inbound hardware-count

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter (interface view)

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL from an interface.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ] [ share-mode ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }

Default

No ACL is applied to an interface to filter packets.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface view

VLAN interface view

VSI interface view

S-channel interface view

S-channel aggregate interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

share-mode: Applies the ACL in sharing mode to a Layer 2 or Layer 3 Ethernet interface. In this mode, all interfaces on the device with the same ACL applied in one direction share one QoS and ACL resource. In the inbound direction, this mode is used by default.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

The hardware-count keyword in this command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.

To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.

To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.

To the same direction of an interface, you can apply a maximum of four ACLs: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.

In the outbound direction, you can apply only one ACL with the share-mode keyword to one interface and apply a maximum of seven such ACLs on the device.

You cannot change the sharing mode dynamically after an ACL is applied to an interface. To change the sharing mode for an applied ACL, you must remove the ACL from the interface, and then reapply the ACL with or without the share-mode keyword specified.

You can use the packet-filter command in VLAN interface view or the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in the same direction of a VLAN interface.

You cannot apply an ACL to the outbound direction of a Layer 2 or Layer 3 aggregate interface.

For information about VSI interfaces, see VXLAN Configuration Guide. For information about S-channel interfaces and S-channel aggregate interfaces, see EVB Configuration Guide.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on Ten-GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 inbound hardware-count

# Apply IPv4 basic ACL 2001 in sharing mode to filter outgoing traffic on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 outbound share-mode

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.

Use undo packet-filter default deny to restore the default.

Syntax

packet-filter default deny

undo packet-filter default deny

Default

The packet filtering default action is permit. The packet filter permits packets that do not match any ACL rule.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.

Examples

# Set the packet filter default action to deny.

<Sysname> system-view

[Sysname] packet-filter default deny

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter vlan-interface

Use packet-filter vlan-interface to apply an ACL to a list of VLAN interfaces to filter packets.

Use undo packet-filter vlan-interface to remove an ACL from a list of VLAN interfaces.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound }

Default

No ACL is applied to a list of VLAN interfaces to filter packets.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

vlan-interface vlan-interface-list: Specifies a space-separated list of up to eight VLAN interface items. Each item specifies a VLAN interface or a range of VLAN interfaces in the form of start-vlan-interface to end-vlan-interface.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

You can use the packet-filter command in VLAN interface view or use the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in the same direction of a VLAN interface.

The hardware-count keyword in this command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.

With the packet-filter vlan-interface command, you can configure only two filters: one for each direction. You can repeat the command to add VLAN interfaces to the packet filter in each direction. As a best practice to save resources, use the packet-filter vlan-interface command to configure packet filtering for VLAN interfaces that share the same packet filtering ACL.

For a packet filter, the use of the hardware-count keyword must be consistent across all its VLAN interfaces. You must specify the hardware-count keyword for all its VLAN interfaces or none of its VLAN interfaces.

A list of VLAN interfaces can contain up to eight VLAN interface items. Each item has at least one VLAN interface. Follow these restrictions and guidelines when you use the undo packet-filter vlan-interface command:

·     You can specify the entire VLAN interface list to remove the ACL from all VLAN interfaces in the list.

·     You can specify one or more VLAN interface items of the list to remove the ACL from the specified VLAN interfaces.

·     For a VLAN interface item with multiple VLAN interfaces, you cannot remove the ACL from only some of the VLAN interfaces of the VLAN interface item.

To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.

To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.

Examples

# Apply IPv4 basic ACL 2003 to filter incoming traffic on VLAN interfaces 3 through 10, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] packet-filter 2003 vlan-interface 3 to 10 inbound hardware-count

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter filter

Use packet-filter filter to specify the applicable scope of packet filtering on a VLAN interface.

Use undo packet-filter filter to restore the default.

Syntax

packet-filter filter { route | all }

undo packet-filter filter

Default

The packet filtering filters packets forwarded at Layer 3.

Views

VLAN interface view

Predefined user roles

network-admin

Parameters

route: Filters packets forwarded at Layer 3 by the VLAN interface.

all: Filters all packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.

Examples

# Configure the packet filtering on VLAN-interface 2 to filter packets forwarded at Layer 3.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] packet-filter filter route

packet-filter vlan-interface

Use packet-filter vlan-interface to apply an ACL to a list of VLAN interfaces to filter packets.

Use undo packet-filter vlan-interface to remove an ACL from a list of VLAN interfaces.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound }

Default

No ACL is applied to a list of VLAN interfaces to filter packets.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

vlan-interface vlan-interface-list: Specifies a space-separated list of up to eight VLAN interface items. Each item specifies a VLAN interface or a range of VLAN interfaces in the form of start-vlan-interface to end-vlan-interface.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

You can use the packet-filter command in VLAN interface view or use the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in the same direction of a VLAN interface.

Do not enable the packet filtering continuous mode after applying an ACL to a list of VLAN interfaces. If you enable the continuous mode, packet filtering on the list of VLAN interfaces becomes invalid.

The hardware-count keyword in this command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.

With the packet-filter vlan-interface command, you can configure only two filters: one for each direction. You can repeat the command to add VLAN interfaces to the packet filter in each direction. As a best practice to save resources, use the packet-filter vlan-interface command to configure packet filtering for VLAN interfaces that share the same packet filtering ACL.

For a packet filter, the use of the hardware-count keyword must be consistent across all its VLAN interfaces. You must specify the hardware-count keyword for all its VLAN interfaces or none of its VLAN interfaces.

A list of VLAN interfaces can contain up to eight VLAN interface items. Each item has at least one VLAN interface. Follow these restrictions and guidelines when you use the undo packet-filter vlan-interface command:

·     You can specify the entire VLAN interface list to remove the ACL from all VLAN interfaces in the list.

·     You can specify one or more VLAN interface items of the list to remove the ACL from the specified VLAN interfaces.

·     For a VLAN interface item with multiple VLAN interfaces, you cannot remove the ACL from only some of the VLAN interfaces of the VLAN interface item.

To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the extension or hardware-count keyword.

To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the extension or hardware-count keyword.

Examples

# Apply IPv4 basic ACL 2003 to filter incoming traffic on VLAN interfaces 3 through 10, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] packet-filter 2003 vlan-interface 3 to 10 inbound hardware-count

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

reset acl counter

Use reset acl counter to clear statistics for ACLs.

Syntax

reset acl [ ipv6 | mac | user-defined ] counter { acl-number | all | name acl-name }

Views

User view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

all: Clears statistics for all ACLs of the specified type.

name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

Related commands

display acl

reset packet-filter statistics

Use reset packet-filter statistics to clear the packet filtering statistics and accumulated statistics for an ACL.

Syntax

reset packet-filter statistics { interface [ interface-type interface-number ] | l2vpn-ac [ interface interface-type interface-number service-instance instance-id ] | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ]

Views

User view

Predefined user roles

network-admin

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering statistics for all interfaces.

l2vpn-ac [ interface interface-type interface-number service-instance instance-id ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096. If you do not specify an Ethernet service instance, this command clears packet filtering statistics for all Ethernet service instances.

vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command clears the packet filtering statistics for all ACLs.

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

Examples

# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on Ten-GigabitEthernet 1/0/1.

<Sysname> reset packet-filter statistics interface ten-gigabitethernet 1/0/1 inbound 2001

# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.

<Sysname> reset packet-filter statistics interface ten-gigabitethernet 1/0/1 service-instance 1 inbound 2001

# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on the list of VLAN interfaces.

<Sysname> reset packet-filter statistics vlan-interface inbound 2001

Related commands

display packet-filter statistics

display packet-filter statistics sum

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.

Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | qos-local-id local-id-value | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } vxlan [ destination { dest-address dest-wildcard | any } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | vxlan-id vxlan-id ] * inner-protocol inner-protocol [ counting | inner-destination { dest-address dest-wildcard | any } | inner-destination-port operator port1 [ port2 ] | inner-established | inner-source { source-address source-wildcard | any } | inner-source-port operator port1 [ port2 ] | logging | time-range time-range-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | qos-local-id | source | source-port | time-range | vpn-instance | vxlan-id ] *

undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | qos-local-id | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } vxlan [ destination { dest-address dest-wildcard | any } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | vxlan-id vxlan-id ] * inner-protocol inner-protocol [ counting | inner-destination { dest-address dest-wildcard | any } | inner-destination-port operator port1 [ port2 ] | inner-established | inner-source { source-address source-wildcard | any } | inner-source-port operator port1 [ port2 ] | logging | time-range time-range-name ] *

Default

No IPv4 advanced ACL rules exist.

Views

IPv4 advanced ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies one of the following values:

·     A protocol number in the range of 0 to 255.

·     A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.

For a rule to match GRE packets or IPinIP encapsulation packets, you must specify gre (47) or ipinip (4) for the protocol argument in the rule.

Table 8 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 8 Match criteria and other rule information for IPv4 advanced ACL rules

Parameters

Function

Description

source { source-address source-wildcard | any }

Specifies a source address.

The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address.

The any keyword specifies any source IP address.

destination { dest-address dest-wildcard | any }

Specifies a destination address.

The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard mask represents a host address.

The any keyword represents any destination IP address.

counting

Counts the times that the rule is matched.

The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted in software.

precedence precedence

Specifies an IP precedence value.

The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

tos tos

Specifies a ToS preference.

The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp

Specifies a DSCP priority.

The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

fragment

Applies the rule only to non-first fragments.

If you do not specify this keyword, the rule applies to all fragments and non-fragments.

logging

Logs matching packets.

This feature requires that the module (for example, packet filtering) that uses the ACL supports logging.

time-range time-range-name

Specifies a time range for the rule.

The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range.

For more information about time range, see ACL and QoS Configuration Guide.

qos-local-id local-id-value

Specifies a local QoS ID.

The value range for the local-id-value argument is 1 to 4095. By default, no local QoS ID is specified.

If the ACL is used for traffic classification in a QoS policy, follow these restrictions and guidelines:

·     The supported value range for the local-id-value argument is 1 to 3999 if the QoS policy is applied to the inbound direction.

·     The supported value range for the local-id-value argument is 1 to 511 if the QoS policy is applied to the outbound direction.

·     In an IRF fabric, you cannot match the packets on a member device by using the local QoS ID marked on another member device.

·     In a VXLAN network, you cannot match the packets by using the local QoS ID marked on the remote VTEP or VXLAN IP gateway.

vpn-instance vpn-instance-name

Applies the rule to an MPLS L3VPN instance.

The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

If you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets.

 

If the protocol argument is tcp (6) or udp (7), set the parameters shown in Table 9.

Table 9 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters

Function

Description

source-port operator port1 [ port2 ]

Specifies one or more UDP or TCP source ports.

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range) .

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port operator port1 [ port2 ]

Specifies one or more UDP or TCP destination ports.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *

Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG.

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.

established

Specifies the flags for indicating the established status of a TCP connection.

Parameter specific to TCP.

The rule matches TCP packets with the ACK or RST flag bit set.

 

If the protocol argument is icmp (1), set the parameters shown in Table 10.

Table 10 ICMP-specific parameters for IPv4 advanced ACL rules

Parameters

Function

Description

icmp-type { icmp-type icmp-code | icmp-message }

Specifies the ICMP message type and code.

The icmp-type argument is in the range of 0 to 255.

The icmp-code argument is in the range of 0 to 255.

The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 11.

 

Table 11 ICMP message names supported in IPv4 advanced ACL rules

ICMP message name

ICMP message type

ICMP message code

echo

8

0

echo-reply

0

0

fragmentneed-DFset

3

4

host-redirect

5

1

host-tos-redirect

5

3

host-unreachable

3

1

information-reply

16

0

information-request

15

0

net-redirect

5

0

net-tos-redirect

5

2

net-unreachable

3

0

parameter-problem

12

0

port-unreachable

3

3

protocol-unreachable

3

2

reassembly-timeout

11

1

source-quench

4

0

source-route-failed

3

5

timestamp-reply

14

0

timestamp-request

13

0

ttl-exceeded

11

0

 

vxlan: Specifies VXLAN encapsulation.

vxlan-id vxlan-id: Specifies a VXLAN ID in the range of 0 to 16777215.

inner-protocol inner-protocol: Specifies an inner protocol type by its number in the range of 0 to 255 or by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all inner protocols. Table 12 describes the parameters that you can specify regardless of the value for the inner-protocol argument.

Table 12 Match criteria and other rule information for IPv4 advanced ACL rules

Parameters

Function

Description

inner-established

Specifies the inner flags for indicating the established status of a TCP connection.

Parameter specific to the inner TCP protocol.

The rule matches TCP connection packets with the ACK or RST flag bit set.

inner-source { source-address source-wildcard | any }

Specifies inner source IPv4 addresses.

The source-address source-wildcard arguments represent an inner source IPv4 address and an inner wildcard mask in dotted decimal notation. An all-zero wildcard mask specifies a host address.

The any keyword specifies any inner source IPv4 addresses.

If you configure this parameter without the inner-destination parameter, this parameter also matches the packets with the inner destination IP address in the specified network segment.

inner-destination { dest-address dest-wildcard | any }

Specifies inner destination IPv4 addresses.

The dest-address dest-wildcard arguments represent an inner destination IPv4 address and an inner wildcard mask in dotted decimal notation. An all-zero wildcard mask specifies a host address.

The any keyword represents any inner destination IPv4 addresses.

 

If the inner-protocol argument is tcp (6) or udp (17), set the parameters shown in Table 13.

Table 13 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters

Function

Description

inner-source-port operator port1 [ port2 ]

Specifies inner UDP or TCP source ports.

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

The TCP port domain is saved as dns in the configuration file.

inner-destination-port operator port1 [ port2 ]

Specifies inner UDP or TCP destination ports.

 

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] rule permit ip

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl advanced 3002

[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl advanced 3003

[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmptrap

# Create an IPv4 advanced ACL rule to permit VXLAN packets whose inner source IP address is in subnet 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl advanced 3004

[Sysname-acl-ipv4-adv-3004] rule permit vxlan inner-protocol ip inner-source 192.168.1.0 0.0.0.255

Related commands

acl

acl logging interval

display acl

step

time-range

rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.

Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *

undo rule { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

No IPv4 basic ACL rules exist.

Views

IPv4 basic ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for the rule are not counted.

fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.

source { source-address source-wildcard | any }: Matches a source address. The source-address and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL.

To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP subnet but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255

[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Sysname-acl-ipv4-basic-2000] rule deny source any

Related commands

acl

acl logging interval

display acl

step

time-range

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.

Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | qos-local-id local-id-value | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | qos-local-id | routing | hop-by-hop | source | source-port | time-range | vpn-instance] *

undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | qos-local-id | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

No IPv6 advanced ACL rules exist.

Views

IPv6 advanced ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies one of the following values:

·     A protocol number in the range of 0 to 255.

·     A protocol name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.

For a rule to match GRE packets, you must specify gre (47) for the protocol argument in the rule.

Table 14 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 14 Match criteria and other rule information for IPv6 advanced ACL rules

Parameters

Function

Description

source { source-address source-prefix | source-address/source-prefix | any }

Specifies a source IPv6 address.

The source-address argument specifies an IPv6 source address.

The source-prefix argument specifies a prefix length in the range of 1 to 128.

The any keyword represents any IPv6 source address.

destination { dest-address dest-prefix | dest-address/dest-prefix | any }

Specifies a destination IPv6 address.

The dest-address argument specifies a destination IPv6 address.

The dest-prefix argument specifies a prefix length in the range of 1 to 128.

The any keyword represents any IPv6 destination address.

counting

Counts the times that the rule is matched.

The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting in hardware for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted in software.

dscp dscp

Specifies a DSCP preference.

The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

flow-label flow-label-value

Specifies a flow label value in an IPv6 packet header.

The flow-label-value argument is in the range of 0 to 1048575.

fragment

Applies the rule only to non-first fragments.

If you do not specify this keyword, the rule applies to all fragments and non-fragments.

logging

Logs matching packets.

This feature requires that the module (for example, packet filtering) that uses the ACL supports logging.

routing [ type routing-type ]

Specifies an IPv6 routing header type.

routing-type: Value of the IPv6 routing header type, in the range of 0 to 255.

If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing headers.

hop-by-hop [ type hop-type ]

Specifies an IPv6 Hop-by-Hop Options header type.

hop-type: Value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255.

If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. If you do not specify the type hop-type option, the rule applies to all types of IPv6 Hop-by-Hop Options header.

time-range time-range-name

Specifies a time range for the rule.

The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range.

For more information about time range, see ACL and QoS Configuration Guide.

qos-local-id local-id-value

Specifies a local QoS ID.

The value range for the local-id-value argument is 1 to 3999. By default, no local QoS ID is specified.

If the ACL is used for traffic classification in a QoS policy, follow these restrictions and guidelines:

·     The supported value range for the local-id-value argument is 1 to 3999 if the QoS policy is applied to the inbound direction.

·     The supported value range for the local-id-value argument is 1 to 511 if the QoS policy is applied to the outbound direction.

·     In an IRF fabric, you cannot match the packets on a member device by using the local QoS ID marked on another member device.

·     In a VXLAN network, you cannot match the packets by using the local QoS ID marked on the remote VTEP or VXLAN IP gateway.

vpn-instance vpn-instance-name

Applies the rule to an MPLS L3VPN instance.

The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

If you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets.

 

If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 15.

Table 15 TCP/UDP-specific parameters for IPv6 advanced ACL rules

Parameters

Function

Description

source-port operator port1 [ port2 ]

Specifies one or more UDP or TCP source ports.

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range) .

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port operator port1 [ port2 ]

Specifies one or more UDP or TCP destination ports.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *

Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG.

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.

established

Specifies the flags for indicating the established status of a TCP connection.

Parameter specific to TCP.

The rule matches TCP packets with the ACK or RST flag bit set.

 

If the protocol argument is icmpv6 (58), set the parameters shown in Table 16.

Table 16 ICMPv6-specific parameters for IPv6 advanced ACL rules

Parameters

Function

Description

icmp6-type { icmp6-type icmp6-code | icmp6-message }

Specifies the ICMPv6 message type and code.

The icmp6-type argument is in the range of 0 to 255.

The icmp6-code argument is in the range of 0 to 255.

The icmp6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 17.

 

Table 17 ICMPv6 message names supported in IPv6 advanced ACL rules

ICMPv6 message name

ICMPv6 message type

ICMPv6 message code

echo-reply

129

0

echo-request

128

0

err-Header-field

4

0

frag-time-exceeded

3

1

hop-limit-exceeded

3

0

host-admin-prohib

1

1

host-unreachable

1

3

neighbor-advertisement

136

0

neighbor-solicitation

135

0

network-unreachable

1

0

packet-too-big

2

0

port-unreachable

1

4

redirect

137

0

router-advertisement

134

0

router-solicitation

133

0

unknown-ipv6-opt

4

2

unknown-next-hdr

4

1

 

Usage guidelines

If an IPv6 advanced ACL is used for outbound QoS traffic classification or packet filtering, do not specify the flow-label parameter.

If an IPv6 advanced ACL is used for packet filtering, do not specify the fragment keyword.

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3000

[Sysname-acl-ipv6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80

# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3001

[Sysname-acl-ipv6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48

[Sysname-acl-ipv6-adv-3001] rule permit ipv6

# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3002

[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3003

[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmptrap

# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets with the Hop-by-Hop Options header type as 5, and the other one denies packets with other Hop-by-Hop Options header types.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3004

[Sysname-acl-ipv6-adv-3004] rule permit ipv6 hop-by-hop type 5

[Sysname-acl-ipv6-adv-3004] rule deny ipv6 hop-by-hop

Related commands

acl

acl logging interval

display acl

step

time-range

rule (IPv6 basic ACL view)

Use rule to create or edit an IPv6 basic ACL rule.

Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | routing | source | time-range | vpn-instance ] *

undo rule { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

No IPv6 basic ACL rules exist.

Views

IPv6 basic ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for the rule are not counted.

fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.

routing [ type routing-type ]: Applies the rule to the specified type of IPv6 routing header or all types of IPv6 routing headers. The routing-type argument specifies the value of the IPv6 routing header type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing headers.

source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IPv6 address. The source-address argument specifies a source IPv6 address. The source-prefix argument specifies an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting in hardware for all rules in an ACL.

To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create an IPv6 basic ACL rule to deny the packets from any source IP subnet but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 basic 2000

[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 16

[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 32

[Sysname-acl-ipv6-basic-2000] rule permit source fe80:5060:1001:: 48

[Sysname-acl-ipv6-basic-2000] rule deny source any

Related commands

acl

acl logging interval

display acl

step

time-range

rule (Layer 2 ACL view)

Use rule to create or edit a Layer 2 ACL rule.

Use undo rule to delete an entire Layer 2 ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

rule [ rule-id ] { deny | permit } vxlan [ counting | dest-mac dest-address dest-mask | inner-dest-mac inner-dest-address inner-dest-mask | inner-source-mac inner-source-address inner-source-mask | inner-type inner-protocol-type inner-protocol-type-mask | source-mac source-address source-mask | time-range time-range-name | type protocol-type protocol-type-mask | vxlan-id vxlan-id ] *

undo rule rule-id [ counting | time-range ] *

undo rule { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule { deny | permit } vxlan [ counting | dest-mac dest-address dest-mask | inner-dest-mac inner-dest-address inner-dest-mask | inner-source-mac inner-source-address inner-source-mask | inner-type inner-protocol-type inner-protocol-type-mask | source-mac source-address source-mask | time-range time-range-name | type protocol-type protocol-type-mask | vxlan-id vxlan-id ] *

Default

No Layer 2 ACL rules exist.

Views

Layer 2 ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos dot1p: Matches an 802.1p priority. The 802.1p priority can be specified by one of the following values:

·     A priority number in the range of 0 to 7.

·     A priority name: best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for the rule are not counted.

dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a hexadecimal number that represents the encapsulation format. The value range for the lsap-type argument is 0 to ffff. The lsap-type-mask argument is a hexadecimal number that represents the LSAP mask. The value range for the lsap-type-mask argument is 0 to ffff.

type protocol-type protocol-type-mask: Matches one or more protocols in the Layer 2. The protocol-type argument is a hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The value range for the protocol-type argument is 0 to ffff. The protocol-type-mask argument is a hexadecimal number that represents a protocol type mask. The value range for the protocol-type-mask argument is 0 to ffff.

source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the sour-mask argument represents a mask in the H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

vxlan: Specifies VXLAN encapsulation.

vxlan-id vxlan-id: Specifies a VXLAN ID in the range of 0 to 16777215.

inner-type inner-protocol-type inner-protocol-type-mask: Matches inner link layer protocols. The inner-protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in inner Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

inner-source-mac inner-source-address inner-source-mask: Matches an inner source MAC address range. The inner-source-address argument represents an inner source MAC address in the H-H-H format and the inner-source-mask argument represents a mask in the H-H-H format.

inner-dest-mac inner-dest-address inner-dest-mask: Matches an inner destination MAC address range. The inner-dest-address and inner-dest-mask arguments represent an inner destination MAC address and a mask in the H-H-H format.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL.

To view the existing Layer 2 ACL rules, use the display acl mac all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create a rule in Layer 2 ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view

[Sysname] acl mac 4000

[Sysname-acl-mac-4000] rule permit type 0806 ffff

[Sysname-acl-mac-4000] rule deny type 8035 ffff

# Create a rule in Layer 2 ACL 4001 to permit VXLAN packets whose VXLAN ID is 300.

<Sysname> system-view

[Sysname] acl mac 4001

[Sysname-acl-mac-4001] rule permit vxlan vxlan-id 300

Related commands

acl

display acl

step

time-range

rule (user-defined ACL view)

Use rule to create or edit a user-defined ACL rule.

Use undo rule to delete a user-defined ACL rule.

Syntax

rule [ rule-id ] { deny | permit } [ { { l2 I l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *

undo rule rule-id

undo rule { deny | permit } [ { { l2 I l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *

Default

No user-defined ACL rules exist.

Views

User-defined ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. The numbering step for user-defined ACLs is fixed at 5. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.

l4: Specifies that the offset is relative to the beginning of the Layer 4 header.

rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.

rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. A match pattern mask is used for ANDing the selected string of a packet.

offset: Specifies an offset in bytes after which the match operation begins.

&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.

counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for the rule are not counted.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL.

To view the existing user-defined ACL rules, use the display acl user-defined all command.

Both the undo rule rule-id command and the undo rule { deny | permit } command delete an entire rule. When you use the undo rule { deny | permit } command, you must specify all the attributes of the rule.

Examples

# Create a rule for user-defined ACL 5005 to permit ARP packets where the 13th and 14th bytes starting from the Layer 2 header are 0x0806.

<Sysname> system-view

[Sysname] acl user-defined 5005

[Sysname-acl-user-5005] rule permit l2 0806 ffff 12

Related commands

acl

display acl

time-range

rule comment

Use rule comment to configure a comment for an ACL rule.

Use undo rule comment to delete an ACL rule comment.

Syntax

rule rule-id comment text

undo rule rule-id comment

Default

A rule does not have a comment.

Views

IPv4 basic/advanced ACL view

IPv6 basic/advanced ACL view

Layer 2 ACL view

User-defined ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.

text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.

Usage guidelines

This command adds a comment to a rule if the rule does not have a comment. It modifies the comment for a rule if the rule already has a comment.

Examples

# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] rule 0 deny source 1.1.1.1 0

[Sysname-acl-ipv4-basic-2000] rule 0 comment This rule is used on ten-gigabitethernet 1/0/1.

Related commands

display acl

step

Use step to set a rule numbering step for an ACL.

Use undo step to restore the default.

Syntax

step step-value [ start start-value ]

undo step

Default

The rule numbering step is 5, and the start rule ID is 0.

Views

IPv4 basic/advanced ACL view

IPv6 basic/advanced ACL view

Layer 2 ACL view

Predefined user roles

network-admin

Parameters

step-value: Specifies the ACL rule numbering step in the range of 1 to 20.

start start-value: Specifies the start rule ID in the range of 0 to 20.

Usage guidelines

The rule numbering step sets the increment by which the system numbers rules automatically. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 12, the rule is numbered 15.

The wider the numbering step, the more rules you can insert between two rules. Whenever the step or start rule ID changes, the rules are renumbered, starting from the start rule ID. For example, if there are five rules numbered 0, 5, 9, 10, and 15, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl basic 2000

[Sysname-acl-ipv4-basic-2000] step 2

Related commands

display acl

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网