14-Security Command Reference
Packet filter commands
If you do not specify a VPN instance, an ACL rule applies to both non-VPN packets and VPN packets.
display packet-filter
Use display packet-filter to display ACL application information for packet filtering.
Syntax
display packet-filter { global | interface [ interface-type interface-number ] } [ inbound | outbound ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
global: Specifies all physical interfaces.
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces. If you specify an Ethernet interface, you do not need to specify the slot slot-number option.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ACL application information for packet filtering for the active MPU.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions.
Examples
# Display ACL application information for inbound packet filtering on interface HundredGigE 1/0/1.
<Sysname> display packet-filter interface hundredgige 1/0/1 inbound
Interface: HundredGigE1/0/1
Inbound policy:
IPv4 ACL 2001
IPv6 ACL 2002 (Failed)
MAC ACL 4003
Table 1 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
Global | ACL application for packet filtering on all physical interfaces. |
Inbound policy | ACL used for filtering incoming traffic. |
Outbound policy | ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
IPv6 ACL 2002 (Failed) | The device has failed to apply IPv6 basic ACL 2002. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
MAC default action | Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
display packet-filter statistics
Use display packet-filter statistics to display packet filtering statistics.
Syntax
display packet-filter statistics { global | interface interface-type interface-number } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
global: Displays the statistics for all physical interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
brief: Displays brief statistics.
Usage guidelines
If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays packet filtering statistics for all ACLs.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display packet filtering statistics for all ACLs on incoming packets of HundredGigE 1/0/1.
<Sysname> display packet-filter statistics interface hundredgige 1/0/1 inbound
Interface: HundredGigE1/0/1
Inbound policy:
IPv4 ACL 2001, Hardware-count
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0 (Failed)
rule 10 permit vpn-instance test (No resource)
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
IPv6 ACL 2000
MAC ACL 4000
rule 0 permit
IPv4 default action: Deny
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
Totally 7 packets
IPv6 default action: Deny
From 2011-06-04 10:25:41 to 2011-06-04 10:35:57
Totally 0 packets
MAC default action: Deny
From 2011-06-04 10:25:34 to 2011-06-04 10:35:57
Totally 0 packets
Table 2 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
Interface: HundredGigE1/0/1 Service Instance ID: 1 | Ethernet service instance to which the ACL applies. HundredGigE1/0/1 is the interface where the Ethernet service instance resides. |
Inbound policy | ACL used for filtering incoming traffic. |
Outbound policy | ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
IPv4 ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002. |
Hardware-count | ACL rule match counting in hardware has been successfully enabled. |
Hardware-count (Failed) | The device has failed to enable counting ACL rule matches in hardware. |
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57 | Start time and end time of the statistics. |
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule. |
No resource | Resources are insufficient for counting matches for the rule. In packet filtering statistics, this field is displayed for a rule whose matches cannot be counted because resources are insufficient. |
rule 5 permit source 1.1.1.1 0 (Failed) | The device has failed to apply rule 5. |
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL. |
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
MAC default action | Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
Totally 7 packets | The default action has been executed on seven packets. |
Related commands
reset packet-filter statistics
display packet-filter statistics sum
Use display packet-filter statistics sum to display accumulated packet filtering statistics for an ACL.
Syntax
display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name } [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
brief: Displays brief statistics.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display accumulated packet filtering statistics for IPv4 basic ACL 2001 on incoming packets.
<Sysname> display packet-filter statistics sum inbound 2001
Sum:
Inbound policy:
IPv4 ACL 2001
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0
rule 10 permit vpn-instance test
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
# Display brief accumulated packet filtering statistics for IPv4 basic ACL 2000 on incoming packets.
<Sysname> display packet-filter statistics sum inbound 2000 brief
Sum:
Inbound policy:
IPv4 ACL 2000
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
Table 3 Command output

Field | Description |
---|---|
Sum | Accumulated packet filtering statistics. |
Inbound policy | Accumulated packet filtering statistics in the inbound direction. |
Outbound policy | Accumulated packet filtering statistics in the outbound direction. |
IPv4 ACL 2001 | Accumulated packet filtering statistics of IPv4 basic ACL 2001. |
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule. |
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL. |
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets. |
Related commands
reset packet-filter statistics
display packet-filter verbose
Use display packet-filter verbose to display ACL application details for packet filtering.
Syntax
display packet-filter verbose { global | interface interface-type interface-number } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
global: Specifies all physical interfaces.
interface interface-type interface-number: Specifies an interface by its type and number. The slot slot-number option is not available for an Ethernet interface.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ACL application details for packet filtering for the active MPU.
Usage guidelines
If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays application details of all ACLs for packet filtering.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display application details of all ACLs for inbound packet filtering on HundredGigE 1/0/1.
<Sysname> display packet-filter verbose interface hundredgige 1/0/1 inbound
Interface: HundredGigE1/0/1
Inbound policy:
IPv4 ACL 2001
rule 0 permit
rule 5 permit source 1.1.1.1 0 (Failed)
rule 10 permit vpn-instance test (Failed)
IPv6 ACL 2000
rule 0 permit
MAC ACL 4000
IPv4 default action: Deny
IPv6 default action: Deny
MAC default action: Deny
Table 4 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
Global | ACL application details for packet filtering on all physical interfaces. |
Interface: HundredGigE1/0/1 Service Instance ID: 1 | Ethernet service instance to which the ACL applies. HundredGigE1/0/1 is the interface where the Ethernet service instance resides. |
Inbound policy | ACL used for filtering incoming traffic. |
Outbound policy | ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
IPv4 ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002. |
Hardware-count | ACL rule match counting in hardware has been successfully enabled. |
Hardware-count (Failed) | The device has failed to enable counting ACL rule matches in hardware. |
rule 5 permit source 1.1.1.1 0 (Failed) | The device has failed to apply rule 5. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
MAC default action | Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
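The output of display packet-filter, display packet-filter statistics, display packet-filter statistics sum, and display packet-filter verbose shares one layout: an Interface, Global or Sum header, a direction line, ACL lines, rule lines, and default-action lines. The Python script below is an added example, not part of this command reference or of the vendor's software. It parses that layout and reports the conditions the output tables describe as failures, because an ACL or rule shown as (Failed), or a default action shown as Deny (Failed), means the device is not enforcing what was configured while the configuration itself still looks complete. The sample output is constructed from the examples in this chapter with two extra IPv6 (Failed) lines added; the function names, the handling of a User-defined ACL line, and the treatment of a (Failed) tag directly after Hardware-count as a counting failure rather than an ACL failure are assumptions.

```python
# Added example (not vendor code): audit 'display packet-filter' family output.
import re
from typing import List

# Constructed sample modelled on the output shown in this chapter; the two IPv6
# '(Failed)' lines are added to exercise the failure cases the output tables describe.
SAMPLE_OUTPUT = """\
Interface: HundredGigE1/0/1
Inbound policy:
 IPv4 ACL 2001, Hardware-count
  From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
  rule 0 permit source 2.2.2.2 0 (2 packets)
  rule 5 permit source 1.1.1.1 0 (Failed)
  rule 10 permit vpn-instance test (No resource)
  Totally 2 packets permitted, 0 packets denied
  Totally 100% permitted, 0% denied
 IPv6 ACL 2002 (Failed)
 MAC ACL 4000
  rule 0 permit
 IPv4 default action: Deny
  Totally 7 packets
 IPv6 default action: Deny (Failed)
 MAC default action: Deny
"""

_ACL_RE = re.compile(r"(IPv4|IPv6|MAC|User-defined) ACL ([^\s,]+)(.*)")
_RULE_RE = re.compile(r"rule (\d+) (.*)")
_DEFAULT_RE = re.compile(r"(IPv4|IPv6|MAC) default action: (Permit|Deny)( \(Failed\))?")

def _split_tags(body: str):
    """'permit source 1.1.1.1 0 (Failed)' -> ('permit source 1.1.1.1 0', ['Failed'])."""
    tags = []
    while s := re.search(r"\s*\(([^()]*)\)$", body):
        tags.append(s.group(1))
        body = body[:s.start()]
    return body, tags

def parse_packet_filter(text: str):
    """Return (acls, defaults): lists of dicts parsed from the display output."""
    acls, defaults = [], []
    ctx = {"interface": "?", "direction": "?"}   # 'Global' and 'Sum' use the interface slot
    acl = default = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Global", "Sum:"):
            ctx["interface"], acl, default = line.rstrip(":"), None, None
        elif m := re.fullmatch(r"Interface: (.+)", line):
            ctx["interface"], acl, default = m.group(1).strip(), None, None
        elif m := re.fullmatch(r"(Inbound|Outbound) policy:", line):
            ctx["direction"], acl, default = m.group(1).lower(), None, None
        elif m := _ACL_RE.fullmatch(line):
            acl_type, acl_id, tail = m.groups()
            hc = re.search(r"Hardware-count( \(Failed\))?", tail)
            if hc:  # a '(Failed)' right after Hardware-count refers to counting, not the ACL
                tail = tail[:hc.start()] + tail[hc.end():]
            acl = {**ctx, "type": acl_type, "id": acl_id, "failed": "(Failed)" in tail,
                   "hardware_count": None if hc is None else hc.group(1) is None,
                   "rules": [], "permitted": None, "denied": None}
            acls.append(acl)
            default = None
        elif m := _DEFAULT_RE.fullmatch(line):
            failed = m.group(3) is not None   # 'Deny (Failed)': permit still functions
            default = {**ctx, "type": m.group(1), "action": m.group(2), "failed": failed,
                       "effective": "Permit" if failed else m.group(2), "packets": None}
            defaults.append(default)
            acl = None
        elif (m := _RULE_RE.fullmatch(line)) and acl:
            body, tags = _split_tags(m.group(2))
            pkts = [int(t.split()[0]) for t in tags if re.fullmatch(r"\d+ packets?", t)]
            acl["rules"].append({"id": int(m.group(1)), "text": body, "failed": "Failed" in tags,
                                 "no_resource": "No resource" in tags,
                                 "packets": pkts[0] if pkts else None})
        elif (m := re.fullmatch(r"Totally (\d+) packets permitted, (\d+) packets denied", line)) and acl:
            acl["permitted"], acl["denied"] = int(m.group(1)), int(m.group(2))
        elif (m := re.fullmatch(r"Totally (\d+) packets", line)) and default:
            default["packets"] = int(m.group(1))
        # 'From ... to ...' and percentage lines carry nothing the audit needs
    return acls, defaults

def audit(acls, defaults) -> List[str]:
    """Findings where what is configured is not what the device enforces."""
    findings = []
    for a in acls:
        where = f"{a['interface']} {a['direction']} {a['type']} ACL {a['id']}"
        if a["failed"]:
            findings.append(f"{where}: not applied (Failed); it filters nothing")
        if a["hardware_count"] is False:
            findings.append(f"{where}: hardware match counting failed")
        for r in a["rules"]:
            if r["failed"]:
                findings.append(f"{where} rule {r['id']}: not applied (Failed)")
            if r["no_resource"]:
                findings.append(f"{where} rule {r['id']}: not counted (No resource)")
    for d in defaults:
        if d["failed"]:
            findings.append(f"{d['interface']} {d['direction']} {d['type']} default action "
                            f"{d['action']} failed; effective action is {d['effective']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(*parse_packet_filter(SAMPLE_OUTPUT))))
```

Feed the script the saved output of any of the four display commands. A non-empty finding list is the condition to act on: the running configuration still lists the ACL, so only the display output reveals that a rule, an ACL, or the deny default action is not in effect.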
packet-filter
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL from an interface.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound [ extension ] | outbound } [ hardware-count ] [ share-mode ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to an interface to filter packets.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
extension: Applies the packet filter in extended mode.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
share-mode: Applies the ACL in sharing mode to a Layer 2 or Layer 3 Ethernet interface. In this mode, all interfaces on an interface card with the same ACL applied in one direction share one QoS and ACL resource.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
To disable the extended mode or ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the extension or hardware-count keyword.
To disable the extended mode or ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the extension or hardware-count keyword.
You can apply a maximum of four ACLs to the same direction of an interface: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.
If you specify the share-mode keyword when applying an ACL to an interface, follow these restrictions and guidelines:
· You can apply multiple ACLs to one direction of an interface. However, you can apply only one ACL with the share-mode keyword specified to one direction of an interface.
· You cannot change the sharing mode dynamically after an ACL is applied to an interface. To change the sharing mode for an applied ACL, you must remove the ACL from the interface, and then reapply the ACL with or without the share-mode keyword specified.
· You cannot apply a QoS policy or PBR policy with the share-mode keyword to the same direction of an interface. For information about applying a QoS policy to an interface, see QoS in ACL and QoS Configuration Guide. For information about applying a PBR policy to an interface, see policy-based routing in Layer 3—IP Services Configuration Guide.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on HundredGigE 1/0/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface hundredgige 1/0/1
[Sysname-HundredGigE1/0/1] packet-filter 2001 inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter default deny
Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.
Use undo packet-filter default deny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filtering default action is permit. The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.
This command does not take effect on MPLS packets. To deny MPLS packets by using a packet filter, configure the corresponding ACL to deny matching MPLS packets.
Examples
# Set the packet filter default action to deny.
<Sysname> system-view
[Sysname] packet-filter default deny
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter global
Use packet-filter global to apply an ACL to filter packets globally.
Use undo packet-filter global to remove an ACL for global packet filtering.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound }
Default
No ACL is applied to filter packets globally.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
global: Specifies all physical interfaces.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
To disable the extended mode or ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.
To disable the extended mode or ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on all physical interfaces, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] packet-filter 2001 global inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
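The usage guidelines for packet-filter and packet-filter global state restrictions that a generated configuration can easily break: one ACL of each type per direction, only one share-mode ACL per direction, a sharing mode that can be changed only by removing and reapplying the ACL, and an undo before dropping extension or hardware-count when resources are insufficient. The Python module below is an added example, not vendor code. It checks a desired set of packet-filter and packet-filter global applications against those restrictions and emits the command sequence that moves from the current state to the desired one, in both interface view and system view. The class and function names are hypothetical, and two points are assumptions rather than statements from this chapter: that IPv6 ACLs use the same 2000 to 3999 number ranges listed for basic and advanced ACLs, and that replacing the ACL in a slot is done by removing the old one first. The trailing quit returns from interface view to system view.

```python
# Added example (not vendor code): check packet-filter applications against the
# restrictions stated in this chapter and emit the CLI for a configuration change.
from dataclasses import dataclass
from typing import List

TYPE_KEYWORD = {"ipv4": "", "ipv6": "ipv6 ", "mac": "mac ", "user-defined": "user-defined "}
# Number ranges from the acl-number parameter, keyed by the type keyword they go with
# (assumption: IPv6 ACLs use the same basic/advanced ranges as IPv4 ACLs).
NUMBER_RANGE = {"ipv4": (2000, 3999), "ipv6": (2000, 3999), "mac": (4000, 4999),
                "user-defined": (5000, 5999)}

@dataclass(frozen=True)
class FilterApp:
    acl_type: str              # ipv4 | ipv6 | mac | user-defined
    acl: str                   # ACL number, or a name (rendered as 'name <acl-name>')
    direction: str             # inbound | outbound
    scope: str = "interface"   # 'interface' (packet-filter) or 'global' (packet-filter global)
    extension: bool = False    # interface scope, inbound only
    hardware_count: bool = False
    share_mode: bool = False   # interface scope only

    def slot(self):
        # One ACL of each type per direction, so (scope, type, direction) identifies the slot.
        return (self.scope, self.acl_type, self.direction)

def render(app: FilterApp, undo: bool = False) -> str:
    acl = app.acl if app.acl.isdigit() else f"name {app.acl}"
    cmd = f"packet-filter {TYPE_KEYWORD[app.acl_type]}{acl}"
    cmd += f" global {app.direction}" if app.scope == "global" else f" {app.direction}"
    if undo:
        return "undo " + cmd
    if app.extension:
        cmd += " extension"
    if app.hardware_count:
        cmd += " hardware-count"
    if app.share_mode:
        cmd += " share-mode"
    return cmd

def validate(apps: List[FilterApp]) -> List[str]:
    """Restrictions from the packet-filter and packet-filter global usage guidelines."""
    errors, seen, shared = [], set(), {}
    for a in apps:
        if a.acl_type not in TYPE_KEYWORD or a.direction not in ("inbound", "outbound"):
            errors.append(f"{a.acl}: unknown ACL type or direction")
            continue
        if a.acl.isdigit():
            lo, hi = NUMBER_RANGE[a.acl_type]
            if not lo <= int(a.acl) <= hi:
                errors.append(f"{a.acl}: number outside {lo}-{hi} for {a.acl_type} ACLs")
        elif not 1 <= len(a.acl) <= 63:
            errors.append(f"{a.acl}: ACL name must be 1 to 63 characters")
        if a.extension and (a.direction != "inbound" or a.scope == "global"):
            errors.append(f"{a.acl}: extension is only available inbound on an interface")
        if a.share_mode and a.scope == "global":
            errors.append(f"{a.acl}: share-mode is not available for global packet filtering")
        if a.slot() in seen:   # at most one ACL of each type per direction
            errors.append(f"{a.acl}: a {a.acl_type} ACL is already applied {a.direction}")
        seen.add(a.slot())
        if a.share_mode:       # at most one share-mode ACL per direction
            if a.direction in shared:
                errors.append(f"{a.acl}: only one share-mode ACL per direction (have {shared[a.direction]})")
            shared[a.direction] = a.acl
    return errors

def plan_change(current: List[FilterApp], desired: List[FilterApp],
                resources_sufficient: bool = True) -> List[str]:
    """CLI lines that move the packet filter from the current to the desired state."""
    cur = {a.slot(): a for a in current}
    new = {a.slot(): a for a in desired}
    cmds = [render(old, undo=True) for slot, old in cur.items() if slot not in new]
    for slot, want in new.items():
        old = cur.get(slot)
        if old == want:
            continue
        needs_undo = old is not None and (
            old.acl != want.acl                    # assumption: swap the ACL in a slot by removing it first
            or old.share_mode != want.share_mode   # sharing mode cannot be changed dynamically
            or (not resources_sufficient           # dropping extension/hardware-count needs undo
                and ((old.extension and not want.extension)
                     or (old.hardware_count and not want.hardware_count))))
        if needs_undo:
            cmds.append(render(old, undo=True))
        cmds.append(render(want))   # with sufficient resources, reconfigure directly
    return cmds

def interface_config(ifname: str, current, desired, resources_sufficient=True) -> List[str]:
    """Wrap an interface-scope plan in interface view; raise if a restriction is broken."""
    if any(a.scope != "interface" for a in (*current, *desired)):
        raise ValueError("global applications are configured in system view, not here")
    if errors := validate(desired):
        raise ValueError("; ".join(errors))
    return [f"interface {ifname}", *plan_change(current, desired, resources_sufficient), "quit"]

if __name__ == "__main__":
    current = [FilterApp("ipv4", "2001", "inbound", hardware_count=True)]
    desired = [FilterApp("ipv4", "2001", "inbound"),
               FilterApp("mac", "4003", "inbound", share_mode=True)]
    print("\n".join(interface_config("hundredgige 1/0/1", current, desired, False)))
```

The resources_sufficient flag is the operator's judgement, since the chapter gives no command for querying it; passing False is the conservative choice because the undo-then-reapply sequence is valid in both cases. For global applications, run validate and plan_change directly and enter the resulting lines in system view.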
reset packet-filter statistics
Use reset packet-filter statistics to clear the packet filtering statistics.
Syntax
reset packet-filter statistics { global | interface [ interface-type interface-number ] } { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name }
Views
User view
Predefined user roles
network-admin
Parameters
global: Specifies all physical interfaces.
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering statistics for all interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command clears the packet filtering statistics for all ACLs.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on HundredGigE 1/0/1.
<Sysname> reset packet-filter statistics interface hundredgige 1/0/1 inbound 2001
Related commands
display packet-filter statistics
display packet-filter statistics sum