Contents

Interface forwarding commands· 1

connection-interface· 1

demux· 1

destination-interface· 2

display interface connection· 3

display interface transceiver 4

display mux· 5

display this interface connection· 6

downstream-port 7

fast-mux· 8

firmware update· 9

mux· 10

source-interface· 10

transceiver tx-disable· 11

upstream-port 12

Port mirroring· 14

display mirroring-group· 14

mirroring-group· 15

mirroring-group mirroring-mux· 15

mirroring-group mirroring-port (interface view) 16

mirroring-group mirroring-port (system view) 17

mirroring-group monitor-port (interface view) 18

mirroring-group monitor-port (system view) 19

Traffic filtering commands· 20

acl 20

display acl 21

display buffer usage interface· 22

display qos policy interface· 23

filter 24

if-match· 24

qos apply policy (interface view) 25

qos apply policy global 26

qos policy· 27

rule (IPv4 advanced ACL view) 27

rule (IPv6 advanced ACL view) 29

classifier behavior 32

traffic classifier 32

Ethernet interface commands· 33

description· 33

display counters· 34

display interface· 35

flow-interval 40

shutdown· 41

 

Interface forwarding commands

connection-interface

Use connection-interface to connect a pair of interfaces.

Use undo connection-interface to remove the configuration.

Syntax

connection-interface interface-type interface-number1 interface-type interface-number2

undo connection-interface interface-type interface-number1 interface-type interface-number2

Default

No connection is established between interfaces.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

This command connects a pair of interfaces. After you execute this command, each interface will be configured as a source interface and a destination interface of the other interface. A packet received Command a source interface will be forwarded out its destination interface.

The source and destination interfaces must be on the same device.

To avoid congestion when traffic is forwarded from a source interface to a destination interface, make sure they are installed with transceiver modules operating at the same speed.

After the connection-interface command is executed, the source-interface command will be issued on the two connected interfaces. After the undo destination-interface command is executed, the source-interface command will be deleted from the two connected interfaces.

Examples

# Connect interface Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2.

<Sysname> system-view

[sysname] connection-interface Ten-GigabitEthernet 1/0/1 Ten-GigabitEthernet 1/0/2

Related commands

source-interface

demux

Use demux to create a Demux group and enter its view, or enter the view of an existing Demux group.

Use undo demux to restore the default.

Syntax

demux demux-id fpga fpga-number

undo demux demux-id fpga fpga-number

Default

No Demux group exists.

Views

System view

Predefined user roles

network-admin

Parameters

demux-id: Specifies a Demux group by its ID. In SecurityMux mode and enhanced SecurityMux mode, the value is 1. In multi-group SecurityMux mode, the value range is 1 to 4.

fpga fpga-number: Specifies the FPGA associated with the Demux group. The fpga-number argument specifies an FPGA firmware number.

Usage guidelines

A Demux group can achieve ultra-low latency traffic forwarding. Packets received from a downstream interface are forwarded out of multiple upstream interfaces.

A Mux group and a Demux group are used together. A Mux group is used to process upstream traffic, and a Demux group is used to process downstream traffic.

Before you can configure a Demux group, you must configure a Mux group.

Examples

# Create Demux group 1 and enter its view.

<Sysname> system-view

[Sysname] demux 1 fpga 0

[Sysname-demux-group-1-fpga-0]

Related commands

downstream-port

upstream-port

destination-interface

Use destination-interface to specify the destination interface.

Use undo destination-interface to cancel the configuration.

Syntax

destination-interface interface-list

undo destination-interface interface-list

Default

No destination interface is specified.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

interface-list: Specifies an interface list in the format of interface-list = { interface-type interface-number1 [ to interface-type interface-number2 ] }&<1-24>. The interface-type interface-number argument specifies an interface by its type and number. The & <1- 24> argument indicates that you can specify the preceding parameter for up to 24 times. The value of the interface-type interface-number2 argument cannot be smaller than the value of the interface-type interface-number1 argument. The selected interfaces must reside on the same interface module or submodule.

Usage guidelines

To enable fast forwarding of packets, you can execute this command to specify a destination interface for the current interface. When the current interface receives a packet, the packet will be forwarded out the specified destination interface. With multiple destination interfaces specified for a source interface, when the source interface receives a packet, a copy of the packet will be forwarded out each of the specified destination interfaces.

The specified destination interface must be on the same device as the current interface.

To avoid congestion when traffic is forwarded from a source interface to a destination interface, make sure they are installed with transceiver modules operating at the same speed.

After the destination-interface command is executed on an interface, the source-interface command will be issued on the specified destination interface. After the undo destination-interface command is executed on an interface, the source-interface command will be deleted from the specified destination interface.

Examples

# Configure the Ten-GigabitEthernet1/0/2 as the destination interface of Ten-GigabitEthernet1/0/1.

<Sysname> system-view

[sysname] interface Ten-GigabitEthernet 1/0/1

[sysname-Ten-GigabitEthernet1/0/1] destination-interface Ten-GigabitEthernet 1/0/2

Related commands

source-interface

display interface connection

Use display interface connection to display interface interconnection information.

Syntax

display interface [ interface-type interface-number ] connection

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Displays interconnection information for the specified interface. The interface-type interface-number option specifies an interface by its type and number. If you do not specify this option, the command displays interconnection information for all interfaces.

Examples

# Display interconnection information for interface Ten-GigabitEthernet1/0/1.

<Sysname> display interface Ten-GigabitEthernet 1/0/1 connection

Connection(s):

XGE1/0/1 <-> XGE1/0/3

XGE1/0/1 --> XGE1/0/4

# Display interconnection information for all interfaces.

<Sysname> display interface connection

Connection(s):

XGE1/0/1 <-> XGE1/0/3

         --> XGE1/0/4

XGE1/0/2 --> XGE1/0/5

         <-- XGE1/0/6

XGE1/0/3 <-> XGE1/0/1

XGE1/0/4 <-- XGE1/0/1

XGE1/0/5 <-- XGE1/0/2

XGE1/0/6 --> XGE1/0/2

Table 1 Command output

Field	Description
Connection(s)	Interface interconnection information: ·     <->—The two interfaces are source and destination interfaces. ·     -->—The interface on the left is the source interface of the interface on the right. ·     <--—The interface on the left is the destination interface of the interface on the right.

 

Related commands

connection-interface

destination-interface

source-interface

display interface transceiver

Use display interface transceiver to display the transceiver modules and source interfaces of interfaces.

Syntax

display interface transceiver

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the transceiver modules and source interfaces of all interfaces.

<Sysname> display interface transceiver

Interface                    Transceiver type               Source interface

XGE1/0/1                     1000_BASE_SX_SFP(D)            XGE1/0/2

XGE1/0/2                     --                             XGE1/0/1

XGE1/0/3                     --(D)                          XGE1/0/4

XGE1/0/5                     Unknown                        XGE1/0/6

Table 2 Command output

Field	Description
Interface	Abbreviated interface name.
Transceiver	Model of the transceiver module. This field displays – if no transceiver module is installed. This field displays (D) if the transceiver tx-disable command has been executed on the interface. This field displays Unknown if no transceiver module information is detected.
Source interface	Abbreviated name of the source interface.

 

display mux

Use display mux to display information about FastMux, Mux, and Demux groups.

Syntax

display mux [ mode { fast-mux | mux | demux } [ mux-id fpga fpga-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mode: Specifies a Mux type. If you do not specify this keyword, the command displays information for all FastMux, Mux, and Demux groups.

fast-mux: Displays FastMux group information.

mux: Displays Mux group information.

demux: Displays Demux group information.

mux-id: Specifies a FastMux, Mux, or Demux group by its ID. The value range for this argument is 1 to 4. If you do not specify this argument, the command displays information about all FastMux, Mux, and Demux groups.

fpga fpga-number: Specifies the FPGA associated with the group. The fpga-number argument specifies an FPGA firmware number.

Examples

# Display information about all FastMux groups.

<Sysname> display mux mode fast-mux

Fast multiplex group 1 fpga 0 (7:1):

Upstream interface: Ten-GigabitEthernet1/0/1

Active Downstream interfaces: Ten-GigabitEthernet1/0/2 to Ten-GigabitEthernet1/0/8

Inactive Downstream interfaces: Ten-GigabitEthernet1/0/9 to Ten-GigabitEthernet1/0/10

 

Fast multiplex group 2 fpga 0 (7:1):

Upstream interface: Ten-GigabitEthernet1/0/11

Active Downstream interfaces: Ten-GigabitEthernet1/0/12 to Ten-GigabitEthernet1/0/13

Table 3 Command output

Field	Description
Fast multiplex group ID	FastMux group ID and the maximum ratio between the downstream and upstream interfaces in the group.
Multiplex group ID	Mux group ID.
Demultiplex group ID	Demux group ID.
fpga number	FPGA firmware number. Firmware number of the FPGA associated with the FastMux, Mux, or Demux group.
Upstream interface	Upstream interface name.
Active Downstream interfaces	Name of the downstream interface that takes effect.
Inactive Downstream interfaces	Name of the downstream interface that does not take effect.

 

display this interface connection

Use display this interface connection to display interconnection information of an interface.

Syntax

display this interface connection

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Predefined user roles

network-admin

network-operator

Examples

# Display interconnection information of interface Ten-GigabitEthernet1/0/1.

<Sysname> system-view

[sysname] interface Ten-GigabitEthernet 1/0/1

[sysname-Ten-GigabitEthernet1/0/1] display this interface connection

Connection(s):

XGE1/0/1 <-> XGE1/0/3

XGE1/0/1 --> XGE1/0/4

Table 4 Command output

Field	Description
Connection(s)	Interface interconnection information: ·     <->—The two interfaces are source and destination interfaces. ·     -->—The interface on the left is the source interface of the interface on the right. ·     <--—The interface on the left is the destination interface of the interface on the right.

 

downstream-port

Use downstream-port to configure downstream interfaces.

Use undo downstream-port to remove downstream interfaces.

Syntax

downstream-port interface-list

undo downstream-port [ interface-list ]

Default

No downstream interface exists.

Views

FastMux group view

Mux group view

Demux group view

Predefined user roles

network-admin

Parameters

interface-list: Specifies an interface list in the format of interface-list = { interface-type interface-number1 [ to interface-type interface-number2 ] }&<1-24>. The interface-type interface-number argument specifies an interface by its type and number. The & <1- 24> argument indicates that you can specify the preceding parameter for up to 24 times. The value of the interface-type interface-number2 argument cannot be smaller than the value of the interface-type interface-number1 argument.

Usage guidelines

If you configure an interface as a downstream interface, you cannot configure it as the following interfaces:

·     Upstream interface (configured by using the upstream-port command).

·     Monitor port (configured by using the upstream-port monitportlist command).

·     Monitor port for a local mirroring group (configured by using the mirroring-group monitor-port command).

Examples

# In FastMux group view, configure Ten-GigabitEthernet1/0/1 as a downstream interface.

<Sysname> system-view

[Sysname] fast-mux 1 type 1 fpga 0

[Sysname-fast-mux-group-1-fpga-0] downstream-port Ten-GigabitEthernet 1/0/1

Related commands

upstream-port

fast-mux

Use fast-mux to create a FastMux group and enter its view, or enter the view of an existing FastMux group.

Use undo fast-mux to delete a FastMux group.

Syntax

fast-mux fast-mux-id type type-id fpga fpga-number

undo fast-mux fast-mux-id [ type type-id ] fpga fpga-number

Default

No FastMux group exists.

Views

System view

Predefined user roles

network-admin

Parameters

fast-mux-id: Specifies a FastMux group by its ID in the range of 1 to 4.

type type-id: Specifies a FastMux group type by its ID in the range of 1 to 2. 1 represents the 7:1 resource group type, and 2 represents the 15:1 resource group type.

fpga fpga-number: Specifies the FPGA associated with the FastMux group. The fpga-number argument specifies an FPGA firmware number.

Usage guidelines

Configure a FastMux group to implement ultra-low latency traffic forwarding. You can add an upstream interface and multiple downstream interfaces to a FastMux group. Packets from the downstream interfaces are sent to the upstream interface, which lowers latency.

Examples

# Create FastMux group 1 and enter its view.

<Sysname> system-view

[Sysname] fast-mux 1 type 1 fpga 0

[Sysname-fast-mux-group-1-fpga-0]

Related commands

downstream-port

upstream-port

firmware update

Use firmware update to upgrade firmware.

Syntax

firmware update slot slot-number fpga fpga-number { fast-mux | multi-sec-mux | sec-mux | sec-mux-enhance | tapping-aggr }

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a device by its number, which is fixed at 1.

fpga fpga-number: Specifies an FPGA by its firmware number.

fast-mux: Specifies a FastMux mode. This application supports four FastMux groups, which separately implement 15:1, 15:1, 7:1, and 7:1 upstream traffic multiplexing ratios with a minimum latency of 35 ns.

multi-sec-mux: Specifies the multi-group SecurityMux mode. It supports four Mux groups and four Demux groups. A Mux group can have one upstream interface. The groups separately implement 7:1, 7:1, 13:1, and 15:1 upstream traffic multiplexing ratios, and 1:7, 1:7, 1:13, 1:15 downstream traffic demultiplexing ratios. This application supports ACL-based packet forwarding control on the outgoing interfaces of downstream traffic. Two monitor ports are used to monitor the traffic of Mux groups.

sec-mux: Specifies the SecurityMux mode. In this mode, a Mux group can have only one upstream interface. This application supports a maximum upstream traffic multiplexing ratio of 47:1 and a maximum downstream traffic demultiplexing ratio of 1:47. This application supports ACL-based packet forwarding control on the outgoing interfaces of downstream traffic and a minimum latency of 59 ns.

sec-mux-enhance: Specifies the enhanced SecurityMux mode. In this mode, a Mux group can have two upstream interfaces. This application supports a maximum upstream traffic multiplexing ratio of 46:2 and a maximum downstream demultiplexing ratio of 2:46. This application supports ACL-based packet forwarding control on the outgoing interfaces of upstream or downstream traffic.

tapping-aggr: Specifies the tapping aggregation mode, which supports mirroring traffic to other interfaces.

Usage guidelines

If a switch has two FPGAs, you can specify different modes for them. For the H3C developed modes (multi-sec-mux, fast-mux, sec-mux, sec-mux-enhance, and tapping-aggr), the first FPGA supports all modes, and the second FPGA supports only the tapping aggregation mode. The device does not support user-developed modes.

To successfully change the FPGA mode, first delete the FastMux groups, Mux groups, Demux groups, monitor ports for tapping aggregation, and applied QoS policies in the current mode.

To upgrade the FPGA by using an H3C developed mode, specify the multi-sec-mux, fast-mux, sec-mux, sec-mux-enhance, or tapping-aggr keyword.

Examples

# Upgrade the FPGA firmware to the FastMux mode.

<Sysname> firmware update slot 1 fpga 0 fast-mux

Updating firmware for FPGA on the specified card or subcard. Continue?[Y/N]:y

Updating the firmware.............................Done.

mux

Use mux to create a Mux group and enter its view, or enter the view of an existing Mux group.

Use undo mux to restore the default.

Syntax

mux mux-id fpga fpga-number

undo mux mux-id fpga fpga-number

Default

No Mux group exists.

Views

System view

Predefined user roles

network-admin

Parameters

mux-id: Specifies a Mux group by its ID. In SecurityMux mode and enhanced SecurityMux mode, the value is 1. In multi-group SecurityMux mode, the value range is 1 to 4.

fpga fpga-number: Specifies the FPGA associated with the Mux group. The fpga-number argument specifies an FPGA firmware number.

Usage guidelines

A Mux group can achieve ultra-low latency traffic forwarding. You can add one upstream interface and multiple downstream interfaces to a Mux group. Packets from the downstream interfaces are sent to the upstream interface, which lowers latency.

A Mux group and a Demux group are used together. A Mux group is used to process upstream traffic, and a Demux group is used to process downstream traffic.

Before you can modify or delete a Mux group, you must delete all Demux groups on the switch.

Examples

# Create Mux group 1 and enter its view.

<Sysname> system-view

[Sysname] mux 1 fpga 0

[Sysname-mux-group-1-fpga-0]

Related commands

downstream-port

upstream-port

source-interface

Use source-interface to specify the source interface.

Use undo source-interface to restore the default.

Syntax

source-interface interface-type interface-number

undo source-interface

Default

No source interface is specified.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

To enable fast forwarding of packets, you can execute this command to specify a source interface for the current interface. When the source interface receives a packet, the packet will be directly forwarded out the current interface.

The specified source interface must be on the same device as the current interface.

To avoid congestion when traffic is forwarded from a source interface to a destination interface, make sure they are installed with transceiver modules operating at the same speed.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure Ten-GigabitEthernet1/0/2 as the source interface of Ten-GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface Ten-GigabitEthernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] source-interface Ten-GigabitEthernet 1/0/2

Related commands

connection-interface

destination-interface

transceiver tx-disable

Use transceiver tx-disable to disable the transceiver module installed in an interface from sending packets.

Use transceiver tx-enable to enable the transceiver module installed in an interface to send packets.

Syntax

transceiver { tx-disable | tx-enable }

Default

A transceiver module installed in an interface can send packets.

Views

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

After a connection is established, executing the transceiver tx-disable command will interrupt the connection.

·     When a 10-Gbps transceiver module is installed in an SFP+ interface, both the local and peer interface will go down.

·     When a 1-Gbps transceiver module is installed in an SFP+ interface, the local interface status will not change, while the peer interface will go down.

Examples

# Disable the transceiver module installed in interface Ten-GigabitEthernet1/0/1 from sending packets.

<Sysname> system-view

[Sysname] interface Ten-GigabitEthernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] transceiver tx-disable

# Enable the transceiver module installed in interface Ten-GigabitEthernet1/0/1 to send packets.

<Sysname> system-view

[Sysname] interface Ten-GigabitEthernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] transceiver tx-enable

upstream-port

Use upstream-port to configure upstream interfaces.

Use undo upstream-port to delete upstream interfaces.

Syntax

FastMux group view/Mux group view:

upstream-port interface-list [ monitportlist interface-list | redirect-mode mode-number ]

undo upstream-port interface-list [ monitportlist interface-list | redirect-mode mode-number ]

Demux group view:

upstream-port interface-list

undo upstream-port interface-list

Default

No upstream interfaces exist.

Views

FastMux group view

Mux group view

Demux group view

Predefined user roles

network-admin

Parameters

interface-list: Specifies an interface list in the format of interface-list = { interface-type interface-number1 [ to interface-type interface-number2 ] }&<1-24>. The interface-type interface-number argument specifies an interface by its type and number. The & <1- 24> argument indicates that you can specify the preceding parameter for up to 24 times. The value of the interface-type interface-number2 argument cannot be smaller than the value of the interface-type interface-number1 argument.

monitportlist interface-list: Specifies the monitor port list. If you do not specify this option, the traffic is forwarded to only upstream interfaces.

redirect-mode mode-number: Specifies a redirection mode by its number in the range of 0 to 1. The default value for the mode-number argument is 0. The redirection modes are as follows:

·     0—Forwards packets to the upstream interface and copies them to the monitor ports. These interfaces use the same FPGA.

·     1—Forwards packets to the upstream interface and copies them to the monitor ports and the internal interface on the FPGA in tapping aggregation mode. Traffic on the internal interface of the FPGA in tapping aggregation mode is forwarded out of monitor ports on the FPGA.

 

NOTE: Redirection mode 1 is supported only on devices that have two FPGAs.

 

Usage guidelines

You can execute this command multiple times to configure multiple upstream interfaces or configure the mapping interface list and redirection mode for an upstream interface.

If you configure an interface as an upstream interface, you cannot configure it as the following interfaces:

·     Monitor port (configured by using the monitportlist interface-list option in the upstream-port command).

·     Downstream interface.

·     Monitor port for a local mirroring group (configured by using the mirroring-group monitor-port command).

If you configure an interface as a monitor port by using the monitportlist interface-list option in the upstream-port command, you cannot configure it as the following interfaces:

·     Upstream interface.

·     Downstream interface.

·     Source interface.

·     Destination interface.

·     Monitor port for another upstream port (configured by using the upstream-port interface-list monitportlist interface-list command).

·     Monitor port for a local mirroring group (configured by using the mirroring-group monitor-port command).

Examples

# In FastMux group view, configure Ethernet interface Ten-GigabitEthernet1/0/1 as an upstream interface.

<Sysname> system-view

[Sysname] fast-mux 1 type 1 fpga 0

[Sysname-fast-mux-group-1] upstream-port Ten-GigabitEthernet 1/0/1

Related commands

downstream-port

Port mirroring

display mirroring-group

Use display mirroring-group to display mirroring group information.

Syntax

display mirroring-group { group-id | all | local }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies a mirroring group by its number. The value range for this argument is 1.

all: Specifies all mirroring groups.

local: Specifies local mirroring groups.

Usage guidelines

Mirroring group information includes the type, status, and content of a mirroring group. It is sorted by mirroring group number.

Examples

# Display information about all mirroring groups.

<Sysname> display mirroring-group all

Mirroring group 1:

    FPGA: 1

    Type: Local

    Status: Active

    Mirroring mux group:

        Mux-downstream 1 FPGA 0  Inbound

    Monitor port: Ten-GigabitEthernet1/0/2

Table 5 Command output

Field	Description
Mirroring group	Number of the mirroring group.
Type	Type of the mirroring group: ·     Local. ·     Remote source. ·     Remote destination.
Status	Status of the mirroring group: ·     Active—The mirroring group has taken effect. ·     Incomplete—The mirroring group configuration is not complete and does not take effect.
FPGA	FPGA associated with a mirroring group.
Mirroring port	Source port.
Mirroring mux group	Source mux group.
Mux-downstream 1 FPGA 0 inbound	Mirrors only packets received on downstream interfaces in mux group 1 associated with FPGA 2.
Monitor port	Destination port.

 

mirroring-group

Use mirroring-group to create a mirroring group.

Use undo mirroring-group to delete mirroring groups.

Syntax

mirroring-group group-id local fpga fpga-number

undo mirroring-group { group-id | all | local }

Default

No mirroring groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group ID. The value range for this argument is fixed at 1.

local: Specifies local mirroring groups.

fpga fpga-number: Specifies a Field Programmable Gate Array (FPGA). The fpga-number argument specifies an FPGA firmware number. You must specify an FPGA firmware number in multi-group SecurityMux mode or tapping aggregation mode.

all: Specifies all mirroring groups.

Usage guidelines

Only one mirroring group is supported.

Examples

# Create local mirroring group 1.

<Sysname> system-view

[Sysname] mirroring-group 1 local fpga 1

mirroring-group mirroring-mux

Use mirroring-group mirroring-mux to configure a source mux group for a local FPGA mirroring group.

Use undo mirroring-group mirroring-mux to delete the specified source mux group from a local FPGA mirroring group.

Syntax

mirroring-group group-id mirroring-mux { demux-downstream demux-id | fast-mux-downstream fast-mux-id| mux-downstream mux-id } fpga fpga-number inbound

undo mirroring-group group-id mirroring-mux { fast-mux-downstream fast-mux-id| mux-downstream mux-id } fpga fpga-number

Default

No source mux group is configured for a local FPGA mirroring group.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group by its ID. The mirroring group ID is fixed at 1, and the mirroring group must have been created.

demux-downstream demux-id: Specifies downstream interfaces in a Demux group. The demux-id argument specifies a Demux group by its ID in the range of 1 to 4.

fast-mux-downstream fast-mux-id: Specifies downstream interfaces in a FastMux group. The fast-mux-id argument specifies a FastMux group by its ID in the range of 1 to 4.

mux-downstream mux-id: Specifies downstream interfaces in a Mux group. The mux-id argument specifies a mux group by its ID in the range of 1 to 4.

fpga fpga-number: Specifies a Field Programmable Gate Array (FPGA). The fpga-number argument specifies an FPGA firmware number. You must specify an FPGA firmware number in multi-group SecurityMux mode or tapping aggregation mode.

inbound: Mirrors only incoming packets of downstream interfaces.

Examples

# Create local mirroring group 1, configure downstream interfaces in the FastMux group as the source interfaces of the mirroring group, and mirrors only incoming packets of downstream interfaces.

<Sysname> system-view

[Sysname] mirroring-group 1 local fpga 1

[Sysname] mirroring-group 1 fast-mux-downstream 1 fpga 0 inbound

Related commands

mirroring-group

mirroring-group mirroring-port (interface view)

Use mirroring-group mirroring-port to configure a port as a source port for a mirroring group.

Use undo mirroring-group mirroring-port to restore the default.

Syntax

mirroring-group group-id mirroring-port inbound

undo mirroring-group group-id mirroring-port

Default

A port does not act as a source port for any mirroring groups.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group by its ID. The mirroring group ID is fixed at 1, and the mirroring group must have been created.

inbound: Mirrors only received packets.

Usage guidelines

A source port cannot be used as the monitor port of its mirroring group. A monitor port cannot be used as a source port.

Examples

# Create local mirroring group 1, configure Ten-GigabitEthernet1/0/1 as its source interface, and mirrors only received packets.

<Sysname> system-view

[Sysname] mirroring-group 1 local fpga 1

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mirroring-group 1 mirroring-port inbound

Related commands

mirroring-group

mirroring-group mirroring-port (system view)

Use mirroring-group mirroring-port to configure source ports for a mirroring group.

Use undo mirroring-group mirroring-port to remove source ports from a mirroring group.

Syntax

mirroring-group group-id mirroring-port interface-list inbound

undo mirroring-group group-id mirroring-port interface-list

Default

No source port is configured for a mirroring group.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group by its ID. The mirroring group ID is fixed at 1, and the mirroring group must have been created.

interface-list: Specifies a space-separated list of up to eight interface items. Each item specifies an interface by its type and number or specifies a range of interfaces in the form of interface-type interface-number1 to interface-type interface-number2. When you specify a range of interfaces, the interfaces must be of the same type and on the same slot. The start interface number must be identical to or lower than the end interface number.

inbound: Mirrors only received packets.

Usage guidelines

A source port cannot be used as the monitor port of its mirroring group. A monitor port cannot be used as a source port.

Examples

# Create local mirroring group 1, configure Ten-GigabitEthernet1/0/1 as its source interface, and mirrors only received packets.

<Sysname> system-view

[Sysname] mirroring-group 1 local fpga 1

[Sysname] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 inbound

Related commands

mirroring-group

mirroring-group monitor-port (interface view)

Use mirroring-group monitor-port to configure a port as the monitor port for a mirroring group.

Use undo mirroring-group monitor-port to restore the default.

Syntax

mirroring-group group-id monitor-port

undo mirroring-group group-id monitor-port

Default

A port does not act as the monitor port for any mirroring groups.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group by its ID. The mirroring group ID is fixed at 1, and the mirroring group must have been created.

Usage guidelines

A maximum of four mirroring destination interfaces are supported.

If you configure an interface as the monitor port in a mirroring group, you cannot configure it as the following interfaces:

·     Upstream interface.

·     Downstream interface.

·     Source interface.

·     Destination interface.

·     Monitor port (configured by using the upstream-port interface-list monitportlist interface-list command).

·     Source port of the mirroring group (configured by using the mirroring-group group-id mirroring-port interface-type interface-number command).

Examples

# Create local mirroring group 1, and specify Ten-GigabitEthernet1/0/1 as the destination interface.

<Sysname> system-view

[Sysname] mirroring-group 1 local fpga 1

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] mirroring-group 1 monitor-port

Related commands

mirroring-group

mirroring-group monitor-port (system view)

Use mirroring-group monitor-port to configure the monitor ports for a mirroring group.

Use undo mirroring-group monitor-port to remove the monitor ports from a mirroring group.

Syntax

mirroring-group group-id monitor-port interface-type interface-number

undo mirroring-group group-id monitor-port interface-type interface-number

Default

No monitor port is configured for a mirroring group.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group by its ID. The mirroring group ID is fixed at 1, and the mirroring group must have been created.

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

A maximum of four mirroring destination interfaces are supported.

If you configure an interface as the monitor port in a mirroring group, you cannot configure it as the following interfaces:

·     Upstream interface.

·     Downstream interface.

·     Source interface.

·     Destination interface.

·     Monitor port (configured by using the upstream-port interface-list monitportlist interface-list command).

·     Source port of the mirroring group (configured by using the mirroring-group group-id mirroring-port interface-type interface-number command).

Examples

# Create local mirroring group 1, and specify Ten-GigabitEthernet1/0/1 as the destination interface.

<Sysname> system-view

[Sysname] mirroring-group 1 local fpga 1

[Sysname] mirroring-group 1 monitor-port ten-gigabitethernet 1/0/1

Related commands

mirroring-group

Traffic filtering commands

acl

Use acl to create an ACL and enter its view, or enter the view of an existing ACL.

Use undo acl to delete the specified or all ACLs.

Syntax

Command for creating an IPv4 ACL by specifying a number:

acl { name acl-name | number acl-number [ name acl-name ] [ match-order { auto | config } ] }

undo acl { all | name acl-name | number acl-number }

Command for creating an IPv6 ACL by specifying a number:

acl ipv6 { name acl-name | number acl-number [ name acl-name ]  [ match-order { auto | config } ] }

undo acl ipv6 { all | name acl-name | number acl-number }

Commands for creating ACLs by specifying the related keywords:

·     Command for creating an IPv4 ACL by specifying the advanced keyword:

acl { advanced } { acl-number | name acl-name } [ match-order { auto | config } ]

undo acl { all | { advanced } { acl-number | name acl-name } }

·     Command for creating an IPv6 ACL by specifying the advanced keyword:

acl ipv6 { advanced } { acl-number | name acl-name }  [ match-order { auto | config } ]

undo acl ipv6 { all | { advanced } { acl-number | name acl-name } }

Default

No ACLs exist.

Views

System view

Predefined user roles

network-admin

Parameters

advanced: Specifies the advanced ACL type.

acl-number: Assigns a number to the ACL. The value range is 3000 to 3999 for advanced ACLs.

name acl-name: Assigns a name to the ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.

match-order { auto | config }: Specifies the order in which ACL rules are compared against packets. To compare ACL rules in depth-first order, specify the auto keyword. To compare ACL rules in ascending order of rule ID, specify the config keyword.  If you do not specify a match order, the config order applies by default.

all: Specifies all ACLs of the specified type.

Usage guidelines

If you create a numbered ACL, you can enter the view of the ACL by using either of the following commands:

·     acl [ ipv6 ] number acl-number

·     acl { [ ipv6 ] { advanced } acl-number

If you create an ACL by using the acl [ ipv6 ] number acl-number name acl-name command, you can enter the view of the ACL by using either of the following commands:

·     acl [ ipv6 ] name acl-name (you can use this command to enter only the view of an existing ACL)

·     acl [ ipv6 ] number acl-number [ name acl-name ]

·     acl [ ipv6 ] advanced  name acl-name

If you create a named ACL by using the acl [ ipv6 ]  advanced  name acl-name command, you can enter the view of the ACL by using either of the following commands:

·     acl [ ipv6 ] name acl-name (you can use this command to enter only the view of an existing ACL)

·     acl { [ ipv6 ]  advanced name acl-name

You can change the match order only for ACLs that do not contain any rules.

Examples

# Create IPv4 advanced ACL 3000 and enter its view.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000]

# Create IPv6 advanced ACL abc and enter its view.

<Sysname> system-view

[Sysname] acl ipv6 advanced name abc

[Sysname-acl-ipv6-adv-abc]

Related commands

display acl

display acl

Use display acl to display ACL configuration and match statistics.

Syntax

display acl [ ipv6 ] { acl-number | all | name acl-name }

Views

Any view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999.

all: Specifies all ACLs of the specified type.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command displays ACL rules in config or auto order, whichever is configured.

Examples

# Display configuration and match statistics for IPv4 advanced ACL 3001.

<Sysname> display acl 3001

Advanced IPv4 ACL 3001, 1 rule, match-order is auto,

This is an IPv4 Advanced ACL.

ACL's step is 5, start ID is 0

 rule 5 permit source 1.1.1.1 0

display buffer usage interface

Use display buffer usage interface to display buffer usage statistics for interfaces.

Syntax

display buffer usage interface [ interface-type [ interface-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify the interface-type argument, this command displays buffer usage statistics for all Ethernet interfaces. If you specify the interface-type argument without the interface-number argument, this command displays buffer usage statistics for all Ethernet interfaces of the specified type.

Examples

# Display brief buffer usage statistics for GigabitEthernet 1/0/1.

<Sysname> display buffer usage interface ten-gigabitethernet 1/0/1

Interface              QueueID Total       Used        Threshold(%) Violations

--------------------------------------------------------------------------------

XGE1/0/1               0       65536       0           60           0

                       1       0           0           60           0

                       2       0           0           60           0

                       3       0           0           60           0

                       4       0           0           60           0

                       5       0           0           60           0

                       6       0           0           60           0

                       7       0           0           60           0

Table 6 Command output

Field	Description
Interface	Interface name.
QueueID	Queue number. The device currently only supports queue 0.
Total	Data buffer size in bytes allowed for a queue.
Used	Data buffer size in bytes that has been used by a queue.
Threshold(%)	Buffer usage threshold for a queue. The threshold value is the same as the per-interface threshold value. This field is fixed at 60 and does not support modification currently.
Violations	Number of threshold violations for a queue. The value of this field is reset upon a switch reboot.

 

display qos policy interface

Use display qos policy interface to display the QoS policies applied to interfaces.

Syntax

display qos policy interface [ interface-type interface-number ] [ outbound ]

Views

Any view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays QoS policies applied to all interfaces.

outbound: Specifies the QoS policies applied to the outbound direction.

Examples

# Display the QoS policy applied to the outgoing traffic of Ten-GigabitEthernet1/0/1.

<Sysname> display qos policy interface ten-gigabitethernet 1/0/1

Interface: Ten-GigabitEthernet1/0/1

  Direction: Outbound

  Policy: p1

   Classifier: c1

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: b1

      Filter enable: Deny

   Classifier: c2

     Operator: AND

     Rule(s) :

      If-match acl 3000

     Behavior: b2

      Filter enable: Permit

filter

Use filter to configure a traffic filtering action in a traffic behavior.

Use undo filter to restore the default.

Syntax

filter { deny | permit }

undo filter

Default

No traffic filtering action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

deny: Drops packets.

permit: Transmits packets.

Examples

# Configure a traffic filtering action as deny in traffic behavior database.

<Sysname> system-view

[Sysname] traffic behavior database

[Sysname-behavior-database] filter deny

if-match

Use if-match to define a match criterion.

Use undo if-match to delete a match criterion.

Syntax

if-match match-criteria

undo if-match match-criteria

Default

No match criterion is configured.

Views

Traffic class view

Predefined user roles

network-admin

Parameters

match-criteria: Specifies a match criterion. Table 7 shows the available match criteria.

Table 7 Available match criteria

Value	Description
acl [ ipv6 ] { acl-number | name acl-name }	Matches an ACL. ·     The acl-number argument is an integer in the range of 3000 to 3999. ·     The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an English letter. To avoid confusion, make sure the argument is not all.
any	Matches all packets.

‌

Usage guidelines

In a traffic class, you can configure multiple if match commands for any of the available match criteria.

When you configure ACL-based match criteria, make sure the ACL used as a match criterion already exists.

When the action of the ACL rule used by an if-match criterion is deny, the ACL rule action does not take effect, and the action defined in the traffic behavior is used.

Examples

# Define a match criterion for traffic class class1 to match ACL 3101.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match acl 3101

qos apply policy (interface view)

Use qos apply policy to apply a QoS policy to an interface.

Use undo qos apply policy to remove an applied QoS policy.

Syntax

qos apply policy policy-name outbound

undo qos apply policy policy-name outbound

Default

No QoS policy is applied.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

outbound: Applies the QoS policy to the outbound direction.

Usage guidelines

If you apply QoS policies both globally and to an interface, the QoS configuration on the interface takes priority. If no configuration is applied to an interface, the global configuration will be used.

If you perform either of the following operations when continuous traffic exists on the device, the actions on the packets passed will not match correctly within a short period of time:

·     Apply a QoS policy globally and then apply it to an interface.

·     Apply a QoS policy to an interface and then apply it globally.

Examples

# Apply QoS policy TEST1 to the outgoing traffic of Ten-GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] qos apply policy TEST1 outbound

qos apply policy global

Use qos apply policy global to apply a QoS policy globally.

Use undo qos apply policy global to remove a globally applied QoS policy.

Syntax

qos apply policy policy-name global outbound

undo qos apply policy policy-name global outbound

Default

No QoS policy is applied globally.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

outbound: Applies the QoS policy to the outbound direction.

Usage guidelines

A QoS policy applied globally takes effect on traffic of all interfaces.

If you perform either of the following operations when continuous traffic exists on the device, the actions on the packets passed will not match correctly within a short period of time:

·     Apply a QoS policy globally and then apply it to an interface.

·     Apply a QoS policy to an interface and then apply it globally.

Examples

# Globally apply generic QoS policy user1 to the outgoing traffic.

<Sysname> system-view

[Sysname] qos apply policy user1 global outbound

qos policy

Use qos policy to create a QoS policy and enter its view, or enter the view of an existing QoS policy.

Use undo qos policy to delete a QoS policy.

Syntax

qos policy policy-name

undo qos policy policy-name

Default

No QoS policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the QoS policy, a case-sensitive string of 1 to 31 characters.

Usage guidelines

To delete a QoS policy that has been applied to an object, you must first remove the QoS policy from the object.

Examples

# Create a generic QoS policy named user1.

<Sysname> system-view

[Sysname] qos policy user1

[Sysname-qospolicy-user1]

Related commands

qos apply policy

qos apply policy global

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.

Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } udp [ destination dest-address dest-wildcard | destination-port operator port1 [ port2 ] | source source-address source-wildcard  | source-port operator port1 [ port2 ] ]*

rule [ rule-id ] { deny | permit } tcp [ destination dest-address dest-wildcard | destination-port operator port1 [ port2 ] | source source-address source-wildcard  | source-port operator port1 [ port2 ] ]*

undo rule [ rule-id ] { deny | permit } udp [ destination dest-address dest-wildcard | destination-port operator port1 [ port2 ] | source source-address source-wildcard  | source-port operator port1 [ port2 ] ]*

undo rule [ rule-id ] { deny | permit } tcp [ destination dest-address dest-wildcard | destination-port operator port1 [ port2 ] | source source-address source-wildcard | source-port operator port1 [ port2 ] ]*

Default

No IPv4 advanced ACL rules exist.

Views

IPv4 advanced ACL view

Predefined user roles

network-admin

Parameters

rule-id:: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

tcp: Matches TCP packets.

udp: Matches UDP packets.

Table 8 Match criteria and other rule information for IPv4 advanced ACL rules

Parameters	Function	Description
source source-address source-wildcard	Specifies a source IPv4 address.	The source-address argument specifies an IPv4 source address. The source-wildcard argument specifies the wildcard mask of the source address. 0 represents host address.
destination dest-address dest-wildcard	Specifies a destination IPv4 address.	The dest-address argument specifies a destination IPv4 address. The dest-wildcard argument specifies the wildcard mask of the destination address. 0 represents host address.

 

Table 9 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters	Function	Description
source-port operator port1 [ port2 ]	Specifies one or more UDP or TCP source ports.	The operator argument can be lt (lower than), gt (greater than), eq (equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port operator port1 [ port2 ]	Specifies one or more UDP or TCP destination ports.

 

Usage guidelines

If the specified rule does not exist when you execute the rule command, the command automatically creates the rule. If the specified rule already exists, the command appends the new configuration to the rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

To view the existing IPv4 advanced ACL rules, use the display acl all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create an IPv4 advanced ACL rule to permit devices in the 129.9.0.0/16 network to establish connections with devices (WWW port 80) in the 202.38.160.0/24 network.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 source-port eq 80 destination-port eq 80

Related commands

acl

display acl

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.

Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } udp [ destination dest-address dest-prefix | destination-port operator port1 [ port2 ] | source source-address source-prefix | source-port operator port1 [ port2 ] ]*

rule [ rule-id ] { deny | permit } tcp [ destination dest-address dest-prefix | destination-port operator port1 [ port2 ] | source source-address source-prefix | source-port operator port1 [ port2 ] ]*

undo rule [ rule-id ] { deny | permit } udp [ destination dest-address dest-prefix | destination-port operator port1 [ port2 ] | source source-address source-prefix | source-port operator port1 [ port2 ] ]*

undo rule [ rule-id ] { deny | permit } tcp [ destination dest-address dest-prefix | destination-port operator port1 [ port2 ] | source source-address source-prefix | source-port operator port1 [ port2 ] ]*

Default

No IPv6 advanced ACL rules exist.

Views

IPv6 advanced ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

tcp: Matches TCP packets.

udp: Matches UDP packets.

Table 10 Match criteria and other rule information for IPv6 advanced ACL rules

Parameters	Function	Description
source source-address source-prefix	Specifies a source IPv6 address.	The source-address argument specifies an IPv6 source address. The source-prefix argument specifies a prefix length in the range of 1 to 128.
destination dest-address dest-prefix	Specifies a destination IPv6 address.	The dest-address argument specifies a destination IPv6 address. The dest-prefix argument specifies a prefix length in the range of 1 to 128.

 

Table 11 TCP/UDP-specific parameters for IPv6 advanced ACL rules

Parameters	Function	Description
source-port operator port1 [ port2 ]	Specifies one or more UDP or TCP source ports.	The operator argument can be lt (lower than), gt (greater than), eq (equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port operator port1 [ port2 ]	Specifies one or more UDP or TCP destination ports.

 

Usage guidelines

If the specified rule does not exist when you execute the rule command, the command automatically creates the rule. If the specified rule already exists, the command appends the new configuration to the rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

To view the existing IPv6 advanced ACL rules, use the display acl ipv6 all command.

The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.

The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.

Examples

# Create an IPv6 advanced ACL rule to permit devices in the 2030:5060::/64 network to establish FTP connections with devices (WWW port 80) in the FE80:5060::/96 network.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3000

[Sysname-acl-ipv6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 source-port eq ftp destination-port eq 80

Related commands

acl

display acl

classifier behavior

Use classifier behavior to associate a traffic behavior with a traffic class in a QoS policy.

Use undo classifier to delete a class-behavior association from a QoS policy.

Syntax

classifier classifier-name behavior behavior-name

undo classifier classifier-name

Default

No traffic behavior is associated with a traffic class.

Views

QoS policy view

Predefined user roles

network-admin

Parameters

classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters.

behavior-name: Specifies a traffic behavior by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

A traffic class can be associated only with one traffic behavior in a QoS policy.

If the specified traffic class or traffic behavior does not exist, the system defines a null traffic class or traffic behavior.

Examples

# Associate traffic class database with traffic behavior test in QoS policy user1.

<Sysname> system-view

[Sysname] qos policy user1

[Sysname-qospolicy-user1] classifier database behavior test

Related commands

qos policy

traffic classifier

Use traffic classifier to create a traffic class and enter traffic class view, or enter the view of an existing traffic class.

Use undo traffic classifier to delete a traffic class.

Syntax

traffic classifier classifier-name [ operator { and | or } ]

undo traffic classifier classifier-name

Default

No traffic class exists.

Views

System view

Predefined user roles

network-admin

Parameters

classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters.

operator: Sets the operator to logic AND (the default) or OR for the traffic class.

and: Specifies the logic AND operator. The traffic class matches the packets that match all its criteria.

or: Specifies the logic OR operator. The traffic class matches the packets that match any of its criteria.

Examples

# Create a traffic class named class1.

<Sysname> system-view

[Sysname] traffic classifier class1

[Sysname-classifier-class1]

Ethernet interface commands

description

Use description to configure a description for the interface.

Use undo description  to restore the default.

Syntax

description text

undo description

Default

The description of an interface is interface-name Interface, for example, Ten-GigabitEthernet1/0/1  Interface.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

text: Specifies an interface description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure lan-interface as the description of interface Ten-GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] description lan-interface

display counters

Use display counters to display traffic statistics information about an interface.

Syntax

display counters { inbound | outbound } interface [ interface-type [ interface-number] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

inbound: Displays incoming packet statistics information.

outbound: Displays outgoing packet statistics information.

interface-type: Specifies an interface type.

interface-number: Specifies an interface number.

Usage guidelines

If you do not specify an interface type, this command displays traffic statistics information about all interfaces.

If you specify an interface type without specifying an interface number, this command displays traffic statistics information about all interfaces of the specified type.

If you specify an interface type and an interface number, this command displays traffic statistics information about the specified interface.

Examples

# Display incoming packet statistics information.

<Sysname> display counters inbound interface

Interface            Total (pkts)    Broadcast (pkts)    Multicast (pkts)  Err (pkts)

XGE1/0/1                      100                 100                   0           0

XGE1/0/2                 Overflow            Overflow            Overflow    Overflow

 

 Overflow: More than 14 digits (7 digits for column "Err").

       --: Not supported.

Table 12 Command output

Field	Description
Interface	Abbreviated interface name.
Total (pkts)	Total number of packets received or sent by the interface.
Broadcast (pkts)	Number of broadcast packets received or sent by the interface.
Multicast (pkts)	Number of multicast packets received or sent by the interface.
Err (pkts)	Number of error packets received or sent by the interface.
Overflow: More than 14 digits (7 digits for column "Err").	If the length of the value for a statistics item exceeds the display limit, the value for the statistics item displays Overflow. ·     For the Err item, the display limit is 7 decimal digits. ·     For other items, the display limit is 14 decimal digits.
--: Not supported.	If statistics for a field is not supported, the value for this field displays --.

 

display interface

Use display interface to display interface information.

Syntax

display interface [ interface-type [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type: : Specifies an interface type.

interface-number: : Specifies an interface number.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 25 characters of each interface description.

down: Displays information about interfaces in down state and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Usage guidelines

If you do not specify an interface type, this command displays information about all interfaces.

If you specify an interface type but do not specify an interface number, this command displays information about all interfaces of the specified type.

Examples

# Display information about Ethernet interface Ten-GigabitEthernet 1/0/1.

<Sysname> display interface Ten-GigabitEthernet 1/0/1

Ten-GigabitEthernet1/0/1

Current state: UP

Line protocol state: UP

Description: Ten-GigabitEthernet1/0/1 Interface

Bandwidth: 10000000 kbps

Maximum transmission unit: 1500

Forbid jumbo frames to pass

Broadcast max-ratio: 100%

Multicast max-ratio: 100%

Unicast max-ratio: 100%

Known-unicast max-ratio: 100%

Internet protocol processing: Disabled

IP packet frame type: Ethernet II, hardware address: 0000-0000-0000

IPv6 packet frame type: Ethernet II, hardware address: 0000-0000-0000

Last link flapping: 0 hours 0 minutes 10 seconds

Last clearing of counters: 13:42:51 Sun 01/06/2013

Current system time:2013-01-06 19:59:30

Last time when physical state changed to up:2013-01-06 19:59:21

Last time when physical state changed to down:2013-01-06 13:38:46

 Peak input rate: 0 bytes/sec, at 00-00-00 00:00:00

 Peak output rate: 0 bytes/sec, at 00-00-00 00:00:00

 Last 300 seconds input: 0 packets/sec 0 bytes/sec 0%

 Last 300 seconds output: 0 packets/sec 0 bytes/sec 0%

 Input (total):  0 packets, 0 bytes

         0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses

 Input (normal):  0 packets, - bytes

 - unicasts, - broadcasts, - multicasts, 0 pauses

 Input:  0 input errors, 0 runts, 0 giants, 0 throttles

         0 CRC, 0 frame, - overruns, 0 aborts

 0 ignored, - parity errors

 Output (total): 0 packets, 0 bytes

         0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses

 Output (normal): 0 packets, - bytes

- unicasts, - broadcasts, - multicasts, 0 pauses

 Output: 0 output errors, - underruns, - buffer failures

         0 aborts, 0 deferred, 0 collisions, 0 late collisions

 0 lost carrier, - no carrier

Table 13 Command output

Field	Description
Current state	Physical link state of the interface: ·     Administratively DOWN—The interface has been shut down by using the shutdown command. ·     DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). ·     UP—The interface is both administratively and physically up.
Line protocol state	Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. ·     UP—The data link layer protocol is up. ·     UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces. ·     DOWN—The data link layer protocol is down.
Description	Description information of the interface.
Bandwidth	Expected bandwidth of the interface.
Maximum transmission unit	MTU of the interface.
Broadcast max-	Broadcast storm suppression threshold. This field is not supported in the current software version.
Multicast max-	Multicast storm suppression threshold. This field is not supported in the current software version.
Unicast max-	Unknown unicast storm suppression threshold. This field is not supported in the current software version.
Known-unicast max-	Known unicast storm suppression threshold. This field is not supported in the current software version.
Internet protocol processing: Disabled	The interface is not assigned an IP address. This field is not supported in the current software version.
IP packet frame type	IPv4 packet framing format. This field is not supported in the current software version.
hardware address	MAC address of the interface. This field is not supported in the current software version.
IPv6 packet frame type	IPv6 packet framing format. This field is not supported in the current software version.
Last link flapping	The amount of time that has elapsed since the most recent physical state change of the interface. This field displays Never if the interface has been physically down since device startup.
Last clearing of counters	Time when the reset counters interface command was last used to clear the interface statistics. This field displays Never if the reset counters interface command has never been used on the interface since device startup.
Current system time	Current system time in the YYYY/MM/DD HH:MM:SS format. If the time zone is configured, this field is in the YYYY/MM/DD HH:MM:SS zone-name±HH:MM:SS format, where the zone-name argument is the local time zone.
Last time when physical state changed to up	Last time when the physical state of the interface changed to up. If the time zone is configured, this field is in the YYYY/MM/DD HH:MM:SS zone-name±HH:MM:SS format, where the zone-name argument is the local time zone. A hyphen (-) indicates that the physical state of the interface has never changed.
Last time when physical state changed to down	Last time when the physical state of the interface changed to down. If the time zone is configured, this field is in the YYYY/MM/DD HH:MM:SS zone-name±HH:MM:SS format, where the zone-name argument is the local time zone. A hyphen (-) indicates that the physical state of the interface has never changed.
Peak input rate	Peak rate of inbound traffic in Bps, and the time when the peak inbound traffic rate occurred.
Peak output rate	Peak rate of outbound traffic in Bps, and the time when the peak outbound traffic rate occurred.
Last interval seconds input:  0 packets/sec 0 bytes/sec 0% Last interval seconds output:  0 packets/sec 0 bytes/sec 0%	Average inbound or outbound traffic rate (in pps and Bps) in the last statistics polling interval, and the ratio of the actual rate to the interface bandwidth. A hyphen (-) indicates that the statistical item is not supported.
Input (total):  0 packets, 0 bytes          0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses	The two fields on the first line represent the inbound traffic statistics (in packets and bytes) for the interface. All inbound normal packets, abnormal packets, and normal pause frames were counted. The four fields on the second line represent: ·     Number of inbound unicast packets. ·     Number of inbound broadcasts. ·     Number of inbound multicasts. ·     Number of inbound pause frames. A hyphen (-) indicates that the statistical item is not supported.
Input (normal):  0 packets, - bytes  - unicasts, - broadcasts, - multicasts, 0 pauses	The two fields on the first line represent the inbound normal traffic and pause frame statistics (in packets and bytes) for the interface. The four fields on the second line represent: ·     Number of inbound normal unicast packets. ·     Number of inbound normal broadcasts. ·     Number of inbound normal multicasts. ·     Number of inbound normal pause frames. A hyphen (-) indicates that the statistical item is not supported.
input errors	Statistics of incoming error packets.
runts	Number of inbound frames meeting the following conditions: ·     Shorter than 64 bytes. ·     In correct format. ·     Containing valid CRCs.
giants	Number of inbound giants. Giants refer to frames larger than the maximum frame length supported on the interface. For an Ethernet interface that does not permit jumbo frames, the maximum frame length is 1518 bytes. For an Ethernet interface that permits jumbo frames, the maximum Ethernet frame length is set when you configure jumbo frame support on the interface.
throttles	Number of inbound frames that had a non-integer number of bytes.
CRC	Total number of inbound frames that had a normal length, but contained CRC errors.
frame	Total number of inbound frames that contained CRC errors and a non-integer number of bytes.
overruns	Number of packets dropped because the input rate of the port exceeded the queuing capability.
aborts	Total number of illegal inbound packets: ·     Fragment frames—CRC error frames shorter than 64 bytes. The length (in bytes) can be an integral or non-integral value. ·     Jabber frames—CRC error frames greater than the maximum frame length supported on the Ethernet interface (with an integral or non-integral length). ¡     For an Ethernet interface that does not permit jumbo frames, the maximum frame length is 1518 bytes. ¡     For an Ethernet interface that permits jumbo frames, the maximum Ethernet frame length is set when you configure jumbo frame support on the interface. ·     Symbol error frames—Frames that contained a minimum of one undefined symbol. ·     Unknown operation code frames—Non-pause MAC control frames. ·     Length error frames—Frames whose 802.3 length fields did not match the actual frame length (46 to 1500 bytes).
ignored	Number of inbound frames dropped because the receiving buffer of the port ran low.
parity errors	Total number of frames with parity errors.
Output (total): 0 packets, 0 bytes          0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses	The two fields on the first line represent the outbound traffic statistics (in packets and bytes) for the interface. All outbound normal packets, abnormal packets, and normal pause frames were counted. The four fields on the second line represent: ·     Number of outbound unicast packets. ·     Number of outbound broadcasts. ·     Number of outbound multicasts. ·     Number of outbound pause frames. A hyphen (-) indicates that the statistical item is not supported.
Output (normal): 0 packets, - bytes - unicasts, - broadcasts, - multicasts, 0 pauses	The two fields on the first line represent the outbound normal traffic and pause frame statistics (in packets and bytes) for the interface. The four fields on the second line represent: ·     Number of outbound normal unicast packets. ·     Number of outbound normal broadcasts. ·     Number of outbound normal multicasts. ·     Number of outbound normal pause frames. A hyphen (-) indicates that the statistical item is not supported.
output errors	Number of outbound packets with errors.
underruns	Number of packets dropped because the output rate of the interface exceeded the output queuing capability. This is a low-probability hardware anomaly.
buffer failures	Number of packets dropped because the transmitting buffer of the interface ran low.
aborts	Number of packets that failed to be transmitted, for example, because of Ethernet collisions.
deferred	Number of frames that the interface deferred to transmit because of detected collisions.
collisions	Number of frames that the interface stopped transmitting because Ethernet collisions were detected during transmission.
late collisions	Number of frames that the interface deferred to transmit after transmitting their first 512 bits because of detected collisions.
lost carrier	Number of carrier losses during transmission. This counter increases by one when a carrier is lost, and applies to serial WAN interfaces.
no carrier	Number of times that the port failed to detect the carrier when attempting to send frames. This counter increases by one when a port failed to detect the carrier, and applies to serial WAN interfaces.

 

# Display brief information about all interfaces.

<Sysname> display interface brief

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP        Description

InLoop0              UP   UP(s)    --

MGE0/0/0             UP   UP       192.168.1.113

NULL0                UP   UP(s)    --

XGE1/0/1             ADM  DOWN     1.1.1.1

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

XGE1/0/1             DOWN Not connected

Table 14 Command output

Field	Description
Brief information on interfaces in route mode:	Brief information about Layer 3 interfaces.
Interface	Interface name.
Link	Physical link state of the interface: ·     UP—The interface is physically up. ·     DOWN—The interface is physically down. ·     ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.
Protocol	Data link layer protocol state of the interface: ·     UP—The data link layer protocol of the interface is up. ·     DOWN—The data link layer protocol of the interface is down. ·     UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces.
Primary IP	Primary IP address of the interface. This field displays two hyphens (--) if the interface does not have an IP address.
Description	Description of the interface.
Cause	Cause for the physical link state of an interface to be DOWN: ·     Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. ·     Not connected—No physical connection exists (for example, the network cable is disconnected or faulty, or no forwarding related configuration exists). ·     Storm-Constrain—The storm control feature has detected that unknown unicast traffic, multicast traffic, or broadcast traffic exceeded the upper threshold.

 

flow-interval

Use flow-interval to set the statistics polling interval.

Use undo flow-interval to restore the default.

Syntax

flow-interval interval

undo flow-interval

Default

The statistics polling interval is 300 seconds.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

interval: Sets the statistics polling interval in the range of 5 to 300 seconds.

Examples

# Set the statistics polling interval to 100 seconds on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] flow-interval 100

shutdown

Use shutdown to shut down an Ethernet interface.

Use undo shutdown to bring up an Ethernet interface.

Syntax

shutdown

undo shutdown

Default

By default, an Ethernet interface is down.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION: Executing the shutdown command on an interface will disconnect the link of the interface and interrupt communication. Use this command with caution.

 

In some scenarios (such as editing the interface operating parameters), the interface modifications cannot take effect immediately. You must shut down and then bring up the interface for the modifications to take effect.

Examples

# Shut down and then bring up Ethernet interface Ten-GigabitEthernet1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] shutdown

[Sysname-Ten-GigabitEthernet1/0/1] undo shutdown