15-Security Command Reference

07-Packet filter commands

Packet filter commands

If you do not specify a VPN instance, whether the rule applies to VPN packets varies by feature. See the description for the feature that uses ACLs.

acl logging interval

Use acl logging interval to enable logging for packet filtering and set the interval.

Use undo acl logging interval to restore the default.

Syntax

acl logging interval interval

undo acl logging interval

Default

The interval is 0. The device does not generate log entries for packet filtering.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which log entries are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable the logging, set the value to 0.

Usage guidelines

The logging feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.

You can configure the ACL module to generate log entries for packet filtering and output them to the information center at the output interval. The log entry records the number of matching packets and the matched ACL rules. When the first packet of a flow matches an ACL rule, the output interval starts, and the device immediately outputs a log entry for this packet. When the output interval ends, the device outputs a log entry for subsequent matching packets of the flow.

For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Configure the device to generate and output packet filtering log entries every 10 minutes.

<Sysname> system-view

[Sysname] acl logging interval 10

Related commands

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule (IPv6 advanced ACL view)

rule (IPv6 basic ACL view)

acl trap interval

Use acl trap interval to enable SNMP notifications for packet filtering and set the interval.

Use undo acl trap interval to restore the default.

Syntax

acl trap interval interval

undo acl trap interval

Default

The interval is 0. The device does not generate SNMP notifications for packet filtering.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which SNMP notifications are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable SNMP notifications, set the value to 0.

Usage guidelines

The SNMP notifications feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.

You can configure the ACL module to generate SNMP notifications for packet filtering and output them to the SNMP module at the output interval. The notification records the number of matching packets and the matched ACL rules. When the first packet of a flow matches an ACL rule, the output interval starts, and the device immediately outputs a notification for this packet. When the output interval ends, the device outputs a notification for subsequent matching packets of the flow.

For more information about SNMP, see Network Management and Monitoring Configuration Guide.
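The output interval described for acl logging interval and acl trap interval above follows the same per-flow model: one entry when the first packet of a flow matches, then one aggregated entry for the packets seen before the interval ends. The following Python model is an added example, not code from the H3C reference or from the device, that reproduces that behaviour so an analyst can see how many packets a single log entry or notification stands for. The events, ACL numbers, rule IDs and flow keys are constructed, and the assumption that a packet arriving after an interval has ended starts a fresh interval is the editor's, since the reference does not say.

```python
# Added example (not part of the H3C command reference): a model of the per-flow
# output interval that acl logging interval and acl trap interval both use.
# Event timestamps, ACL numbers, rule IDs and flow keys are constructed.

def validate_interval(interval):
    """Enforce the documented constraint: a multiple of 5 in the range 0 to 1440 minutes."""
    if not 0 <= interval <= 1440 or interval % 5 != 0:
        raise ValueError("interval must be a multiple of 5 in the range 0 to 1440")
    return interval


def simulate_acl_output(events, interval, now):
    """Return the log entries (or notifications) as (minute, acl, rule, packet_count).

    events: iterable of (minute, acl_number, rule_id, flow_key) for packets that matched
            a rule carrying the logging keyword; now: the minute at which the capture ends.
    Per flow: the first matching packet is reported at once and starts the interval;
    packets seen before the interval ends are reported together when it ends.
    Modelling assumption (editor's): a packet arriving after the interval has ended
    starts a new interval and is again reported immediately.
    """
    validate_interval(interval)
    if interval == 0:
        return []  # 0 disables the feature: rules with the logging keyword produce nothing
    entries = []
    windows = {}  # (acl, rule, flow) -> [interval_end, packets seen after the first one]

    def close_windows(up_to):
        # Emit the aggregated entry for every interval that has ended by 'up_to'.
        for key in sorted(windows, key=lambda k: windows[k][0]):
            end, pending = windows[key]
            if end <= up_to:
                if pending:
                    entries.append((end, key[0], key[1], pending))
                del windows[key]

    for minute, acl, rule, flow in sorted(events):
        close_windows(minute)
        key = (acl, rule, flow)
        if key in windows:
            windows[key][1] += 1          # counted, reported when the interval ends
        else:
            entries.append((minute, acl, rule, 1))   # first packet: reported immediately
            windows[key] = [minute + interval, 0]
    close_windows(now)
    return sorted(entries)


def packets_accounted_for(entries):
    """Sum of packet counts across entries: each matching packet appears in exactly one entry."""
    return sum(count for _, _, _, count in entries)


# Constructed sample: five packets, two flows, both matching rules of ACL 2001.
SAMPLE_EVENTS = [
    (0, 2001, 0, ("10.1.1.5", "10.2.2.8")),
    (1, 2001, 0, ("10.1.1.5", "10.2.2.8")),
    (3, 2001, 0, ("10.1.1.5", "10.2.2.8")),
    (4, 2001, 5, ("10.1.1.9", "10.2.2.8")),
    (12, 2001, 0, ("10.1.1.5", "10.2.2.8")),
]

if __name__ == "__main__":
    for entry in simulate_acl_output(SAMPLE_EVENTS, 10, 30):
        print("minute %3d  ACL %d rule %d  %d packet(s)" % entry)
```

With a 10-minute interval the five packets become four entries: the flow's first packet at minute 0, the second flow's first packet at minute 4, an aggregated entry for two packets when the first interval ends at minute 10, and a fresh immediate entry at minute 12. Note what the interval 0 branch means for monitoring: with the default of 0, rules that carry the logging keyword generate no entries at all until the interval is set.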

Examples

# Configure the device to generate and output packet filtering SNMP notifications every 10 minutes.

<Sysname> system-view

[Sysname] acl trap interval 10

Related commands

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule (IPv6 advanced ACL view)

rule (IPv6 basic ACL view)

display packet-filter

Use display packet-filter to display ACL application information for packet filtering.

Syntax

display packet-filter { global | interface [ interface-type interface-number ] | l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ] } [ inbound | outbound ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Specifies all physical interfaces.

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces. If you specify an Ethernet interface, you do not need to specify the slot slot-number option.

l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096. If you do not specify an interface, this command displays ACL application information for all Ethernet service instances on all interfaces. If you specify an interface but do not specify an Ethernet service instance, this command displays ACL application information for all Ethernet service instances on the specified interface.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

slot slot-number: Specifies the slot number of the device, which is fixed at 1.

Usage guidelines

If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions.

Examples

# Display ACL application information for inbound packet filtering on interface HundredGigE 1/0/1.

<Sysname> display packet-filter interface hundredgige 1/0/1 inbound

Interface: HundredGigE1/0/1

 Inbound policy:

  IPv4 ACL 2001, Share-mode

  IPv6 ACL 2002 (Failed)

  MAC ACL 4003

# Display ACL application information for inbound and outbound packet filtering on all physical interfaces.

<Sysname> display packet-filter global

Global:

 Inbound policy:

  IPv4 ACL 2001

  IPv6 ACL 2001

  MAC ACL 4001

  IPv4 default action: Deny (Failed)

  IPv6 default action: Deny (Failed)

  MAC default action: Deny

 Outbound policy:

  MAC ACL 4001

  MAC default action: Deny

# Display ACL application information for inbound packet filtering for Ethernet service instance 1 on interface HundredGigE 1/0/1.

<Sysname> display packet-filter l2vpn-ac interface hundredgige 1/0/1 service-instance 1 inbound

Interface: hundredgige 1/0/1  Service Instance ID: 1

 Inbound policy:

  IPv4 ACL 2001

  IPv6 ACL 2002 (Failed)

  MAC ACL 4003, Hardware-count (Failed)

Table 1 Command output

Interface
    Interface to which the ACL applies.

Global
    ACL application for packet filtering on all physical interfaces.

Inbound policy
    ACL used for filtering incoming traffic.

Outbound policy
    ACL used for filtering outgoing traffic.

IPv4 ACL 2001
    IPv4 basic ACL 2001 has been successfully applied.

IPv6 ACL 2002 (Failed)
    The device has failed to apply IPv6 basic ACL 2002.

Share-mode
    Sharing mode for QoS and ACL resources. This field appears in the command output only if an ACL is applied with the share-mode keyword.

IPv4 default action
    Packet filter default action for packets that do not match any IPv4 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

IPv6 default action
    Packet filter default action for packets that do not match any IPv6 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

MAC default action
    Packet filter default action for packets that do not match any Layer 2 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

display packet-filter statistics

Use display packet-filter statistics to display packet filtering statistics.

Syntax

display packet-filter statistics { global | interface interface-type interface-number | l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ] } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays the statistics for all physical interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

brief: Displays brief statistics.

Usage guidelines

If you do not specify any parameters, this command displays packet filtering statistics for all ACLs.

To specify the IPv4 ACL type, do not specify the ipv6 keyword.

Examples

# Display packet filtering statistics for all ACLs on incoming packets of HundredGigE 1/0/1.

<Sysname> display packet-filter statistics interface hundredgige 1/0/1 inbound

Interface: HundredGigE1/0/1

 Inbound policy:

  IPv4 ACL 2001, Hardware-count

   From 2019-06-04 10:25:21 to 2019-06-04 10:35:57

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (No resource)

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

 

  IPv6 ACL 2000

 

  MAC ACL 4000

   rule 0 permit

 

  IPv4 default action: Deny

   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

   Totally 7 packets

 

  IPv6 default action: Deny

   From 2011-06-04 10:25:41 to 2011-06-04 10:35:57

   Totally 0 packets

  MAC default action: Deny

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   Totally 0 packets

# Display packet filtering statistics for all ACLs on incoming packets for Ethernet service instance 1 on HundredGigE 1/0/1.

<Sysname> display packet-filter statistics l2vpn-ac interface hundredgige 1/0/1 service-instance 1 inbound

Interface: HundredGigE1/0/1  Service Instance ID: 1

 Inbound policy:

  IPv4 ACL 2001, Hardware-count

   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (No resource)

   Totally 2 packets 256 bytes permitted, 0 packets denied

   Totally 100% permitted, 0% denied

 

  MAC ACL 4000

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   rule 0 permit

 

  IPv6 ACL 2000

Table 2 Command output

Interface
    Interface to which the ACL applies.

Interface: HundredGigE1/0/1  Service Instance ID: 1
    Ethernet service instance to which the ACL applies. HundredGigE1/0/1 is the interface where the Ethernet service instance resides.

Inbound policy
    ACL used for filtering incoming traffic.

Outbound policy
    ACL used for filtering outgoing traffic.

IPv4 ACL 2001
    IPv4 basic ACL 2001 has been successfully applied.

IPv4 ACL 2002 (Failed)
    The device has failed to apply IPv4 basic ACL 2002.

Hardware-count
    ACL rule match counting in hardware has been successfully enabled.

Hardware-count (Failed)
    The device has failed to enable counting ACL rule matches in hardware.

From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
    Start time and end time of the statistics.

2 packets
    Two packets matched the rule. This field is not displayed when no packets matched the rule.

No resource
    Resources are insufficient for counting matches for the rule. In packet filtering statistics, this field is displayed for a rule when resources are not sufficient for rule match counting.

rule 5 permit source 1.1.1.1 0 (Failed)
    The device has failed to apply rule 5.

Totally 2 packets permitted, 0 packets denied
    Number of packets permitted and denied by the ACL.

Totally 100% permitted, 0% denied
    Ratios of permitted and denied packets to all packets.

IPv4 default action
    Packet filter default action for packets that do not match any IPv4 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

IPv6 default action
    Packet filter default action for packets that do not match any IPv6 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

MAC default action
    Packet filter default action for packets that do not match any Layer 2 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

Totally 7 packets
    The default action has been executed on seven packets.
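The output of display packet-filter and display packet-filter statistics shares one layout: a scope line (Global, Sum, or Interface), a policy direction, one line per applied ACL or default action, and indented rule lines. Several markers in that output mean the filter is not doing what the configuration says: an ACL or rule marked (Failed) is not filtering, a default action shown as Deny (Failed) means permit still functions, and No resource or Hardware-count (Failed) mean the counters cannot be trusted. The following Python script is an added example, not code from the H3C reference, that parses that layout and turns those markers into audit findings. The two sample captures are assembled from the example output shown on this page; the regular expressions and the severity labels are the editor's assumptions.

```python
import re

# Added example (not part of the H3C reference): parse the display packet-filter
# family output shown on this page and flag fail-open or unreliable conditions.
# The samples below are assembled from the example output on this page.
SAMPLE_GLOBAL = """\
Global:
 Inbound policy:
  IPv4 ACL 2001
  IPv6 ACL 2001
  MAC ACL 4001
  IPv4 default action: Deny (Failed)
  IPv6 default action: Deny (Failed)
  MAC default action: Deny
 Outbound policy:
  MAC ACL 4001
  MAC default action: Deny
"""

SAMPLE_STATS = """\
Interface: HundredGigE1/0/1
 Inbound policy:
  IPv4 ACL 2001, Hardware-count
   From 2019-06-04 10:25:21 to 2019-06-04 10:35:57
   rule 0 permit source 2.2.2.2 0 (2 packets)
   rule 5 permit source 1.1.1.1 0 (Failed)
   rule 10 permit vpn-instance test (No resource)
   Totally 2 packets permitted, 0 packets denied
   Totally 100% permitted, 0% denied

  IPv6 ACL 2000

  MAC ACL 4003, Hardware-count (Failed)
   rule 0 permit

  IPv4 default action: Deny
   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
   Totally 7 packets
"""

# Patterns are the editor's reading of the output format shown on this page.
POLICY_RE = re.compile(r"^(Inbound|Outbound) policy:$")
ACL_RE = re.compile(r"^(?P<type>IPv4|IPv6|MAC) ACL (?P<id>[^\s,]+)(?P<failed> \(Failed\))?"
                    r"(?:, (?P<opt>Hardware-count|Share-mode)(?P<opt_failed> \(Failed\))?)?$")
DEFAULT_RE = re.compile(r"^(?P<type>IPv4|IPv6|MAC) default action: (?P<action>Permit|Deny)"
                        r"(?P<failed> \(Failed\))?$")
RULE_RE = re.compile(r"^rule (?P<id>\d+) (?P<body>.*?)"
                     r"(?: \((?P<packets>\d+) packets?\)| \((?P<status>Failed|No resource)\))?$")


def parse_packet_filter(text):
    """Flatten display packet-filter / statistics / verbose output into records."""
    records, scope, direction, current_acl = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(raw) - len(raw.lstrip()) == 0:          # scope line: Global:, Sum:, Interface: ...
            scope = line.rstrip(":")
            if scope.startswith("Interface: "):
                scope = scope[len("Interface: "):]
            continue
        if m := POLICY_RE.match(line):
            direction = m.group(1).lower()
        elif m := ACL_RE.match(line):
            current_acl = f"{m['type']} ACL {m['id']}"
            records.append({"scope": scope, "direction": direction, "kind": "acl",
                            "subject": current_acl, "failed": bool(m["failed"]),
                            "option": m["opt"], "option_failed": bool(m["opt_failed"])})
        elif m := DEFAULT_RE.match(line):
            current_acl = None
            records.append({"scope": scope, "direction": direction, "kind": "default",
                            "subject": f"{m['type']} default action",
                            "action": m["action"], "failed": bool(m["failed"])})
        elif (m := RULE_RE.match(line)) and current_acl:
            records.append({"scope": scope, "direction": direction, "kind": "rule",
                            "subject": f"{current_acl} rule {m['id']}",
                            "packets": int(m["packets"]) if m["packets"] else None,
                            "status": m["status"]})
        # "From ..." and "Totally ..." lines carry no state we audit; they are skipped.
    return records


def audit(records):
    """Return (severity, where, message) for conditions the page documents as failures."""
    findings = []
    for r in records:
        where = f"{r['scope']} {r['direction']}"
        if r["kind"] == "acl" and r["failed"]:
            findings.append(("HIGH", where, f"{r['subject']} not applied; its rules are not filtering"))
        if r["kind"] == "acl" and r["option_failed"]:
            findings.append(("LOW", where, f"{r['subject']}: {r['option']} failed; counters unavailable"))
        if r["kind"] == "default" and r["action"] == "Deny" and r["failed"]:
            findings.append(("HIGH", where, f"{r['subject']} Deny failed; permit still functions"))
        if r["kind"] == "rule" and r["status"] == "Failed":
            findings.append(("HIGH", where, f"{r['subject']} not applied"))
        if r["kind"] == "rule" and r["status"] == "No resource":
            findings.append(("LOW", where, f"{r['subject']}: no counting resource; statistics incomplete"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_GLOBAL, SAMPLE_STATS):
        for severity, where, message in audit(parse_packet_filter(sample)):
            print(f"{severity:4} {where}: {message}")
```

Run against the global sample, the script reports two HIGH findings, because both the IPv4 and the IPv6 default deny failed to apply and traffic that matches no ACL is therefore permitted; against the statistics sample it reports rule 5 as not applied and the No resource and Hardware-count (Failed) markers as reasons not to rely on the counters. The same parser accepts display packet-filter verbose output, which uses the same layout.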

Related commands

reset packet-filter statistics

display packet-filter statistics sum

Use display packet-filter statistics sum to display accumulated packet filtering statistics for an ACL.

Syntax

display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name } [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

brief: Displays brief statistics.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6 keyword.

Examples

# Display accumulated packet filtering statistics for IPv4 basic ACL 2001 on incoming packets.

<Sysname> display packet-filter statistics sum inbound 2001

Sum:

 Inbound policy:

  IPv4 ACL 2001

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0

   rule 10 permit vpn-instance test

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

# Display brief accumulated packet filtering statistics for IPv4 basic ACL 2000 on incoming packets.

<Sysname> display packet-filter statistics sum inbound 2000 brief

Sum:

 Inbound policy:

  IPv4 ACL 2000

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

Table 3 Command output

Sum
    Accumulated packet filtering statistics.

Inbound policy
    Accumulated packet filtering statistics in the inbound direction.

Outbound policy
    Accumulated packet filtering statistics in the outbound direction.

IPv4 ACL 2001
    Accumulated packet filtering statistics of IPv4 basic ACL 2001.

2 packets
    Two packets matched the rule. This field is not displayed when no packets matched the rule.

Totally 2 packets permitted, 0 packets denied
    Number of packets permitted and denied by the ACL.

Totally 100% permitted, 0% denied
    Ratios of permitted and denied packets to all packets.

Related commands

reset packet-filter statistics

display packet-filter verbose

Use display packet-filter verbose to display ACL application details for packet filtering.

Syntax

display packet-filter verbose { global | interface interface-type interface-number | l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ] } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Specifies all physical interfaces.

interface interface-type interface-number: Specifies an interface by its type and number. The slot slot-number option is not available for an Ethernet interface.

l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

slot slot-number: Specifies the slot number of the device, which is fixed at 1.

Usage guidelines

If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays application details of all ACLs for packet filtering.

To specify the IPv4 ACL type, do not specify the ipv6 keyword.

Examples

# Display application details of all ACLs for inbound packet filtering on HundredGigE 1/0/1.

<Sysname> display packet-filter verbose interface hundredgige 1/0/1 inbound

Interface: HundredGigE1/0/1

 Inbound policy:

  IPv4 ACL 2001

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  IPv6 ACL 2000

   rule 0 permit

 

  MAC ACL 4000

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

# Display application details of all ACLs for inbound packet filtering for Ethernet service instance 1 on HundredGigE 1/0/1.

<Sysname> display packet-filter verbose l2vpn-ac interface hundredgige 1/0/1 service-instance 1 inbound

Interface: HundredGigE1/0/1  Service Instance ID: 1

 Inbound policy:

  IPv4 ACL 2001

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  IPv6 ACL 2000

   rule 0 permit

 

  MAC ACL 4000

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

Table 4 Command output

Interface
    Interface to which the ACL applies.

Global
    ACL application details for packet filtering on all physical interfaces.

Interface: HundredGigE1/0/1  Service Instance ID: 1
    Ethernet service instance to which the ACL applies. HundredGigE1/0/1 is the interface where the Ethernet service instance resides.

Inbound policy
    ACL used for filtering incoming traffic.

Outbound policy
    ACL used for filtering outgoing traffic.

IPv4 ACL 2001
    IPv4 basic ACL 2001 has been successfully applied.

IPv4 ACL 2002 (Failed)
    The device has failed to apply IPv4 basic ACL 2002.

Hardware-count
    ACL rule match counting in hardware has been successfully enabled.

Hardware-count (Failed)
    The device has failed to enable counting ACL rule matches in hardware.

rule 5 permit source 1.1.1.1 0 (Failed)
    The device has failed to apply rule 5.

IPv4 default action
    Packet filter default action for packets that do not match any IPv4 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

IPv6 default action
    Packet filter default action for packets that do not match any IPv6 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

MAC default action
    Packet filter default action for packets that do not match any Layer 2 ACLs:
    ·     Deny—The default action deny has been successfully applied for packet filtering.
    ·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions.
    ·     Permit—The default action permit has been successfully applied for packet filtering.

packet-filter (Ethernet service instance view)

Use packet-filter to apply an ACL to an Ethernet service instance to filter packets.

Use undo packet-filter to remove an ACL from an Ethernet service instance.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound [ extension ] | outbound } [ hardware-count ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }

Default

No ACL is applied to an Ethernet service instance to filter packets.

Views

Ethernet service instance view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

extension: Applies the packet filter in extended mode.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

Usage guidelines

For information about configuring Ethernet service instances, see MPLS L2VPN or VPLS in MPLS Configuration Guide, or see VXLAN Configuration Guide.

If you use the acl-number argument to specify an ACL, follow these guidelines:

·     To specify an IPv4 ACL, use the acl-number argument directly.

·     To specify an IPv6 ACL, specify the ipv6 keyword, and then the acl-number argument.

·     To specify a Layer 2 ACL or user-defined ACL, the mac or user-defined keyword is optional. You can specify the mac or user-defined keyword and then the acl-number argument, or specify only the acl-number argument.

If you use the name acl-name option to specify an ACL, follow these guidelines:

·     To specify an IPv4 ACL, use the name acl-name option.

·     To specify an IPv6, Layer 2, or user-defined ACL, specify the related keyword and then the name acl-name option.

When specifying an ACL, follow these restrictions and guidelines:

·     If the specified ACL does not exist or does not have any rules, the ACL will not be referenced.

·     In the specified ACL, whether an ACL rule supports the vpn-instance keyword and how the vpn-instance keyword takes effect vary by device model.

The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.

To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command, and then re-execute the packet-filter command without specifying the hardware-count keyword.

To disable the extended mode or ACL rule match counting in hardware when resources are sufficient, you can directly re-execute the packet-filter command without specifying the extension or hardware-count keyword.

Examples

# Apply IPv4 advanced ACL 3001 to filter incoming traffic on Ethernet service instance 1 of HundredGigE 1/0/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] service-instance 200

[Sysname-HundredGigE1/0/1-srv200] packet-filter 3001 inbound hardware-count

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter (interface view)

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL from an interface.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ] [ share-mode ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }

Default

No ACL is applied to an interface to filter packets.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

share-mode: Applies the ACL in sharing mode to a Layer 2 or Layer 3 Ethernet interface. In this mode, all interfaces with the same ACL applied in one direction share one QoS and ACL resource.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6 keyword.

When specifying an ACL, follow these restrictions and guidelines:

·     If the specified ACL does not exist or does not have any rules, the ACL will not be referenced.

·     If the vpn-instance vpn-instance-name option is specified in an ACL rule, the rule takes effect only on VPN packets. If the vpn-instance vpn-instance-name option is not specified in an ACL rule, the rule takes effect only on non-VPN packets.

The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.

To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then re-execute the packet-filter command without specifying the hardware-count keyword.

To disable ACL rule match counting in hardware when resources are sufficient, you can directly re-execute the packet-filter command without specifying the hardware-count keyword.

You can apply a maximum of four ACLs to the same direction of an interface: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.

If you specify the share-mode keyword when applying an ACL to an interface, follow these restrictions and guidelines:

·     You can apply multiple ACLs to one direction of an interface. However, you can apply only one ACL with the share-mode keyword specified to one direction of an interface.

·     You cannot change the sharing mode dynamically after an ACL is applied to an interface. To change the sharing mode for an applied ACL, you must remove the ACL from the interface, and then reapply the ACL with or without the share-mode keyword specified.

·     You cannot apply a QoS policy or PBR policy with the share-mode keyword to the same direction of an interface. For information about applying a QoS policy to an interface, see QoS in ACL and QoS Configuration Guide. For information about applying a PBR policy to an interface, see policy-based routing in Layer 3—IP Routing Configuration Guide.

In a scenario with a mixture of Layer 2 and Layer 3 traffic, when you apply ACLs to the outbound direction of a VLAN interface for packet filtering, the outbound traffic of Layer 3 aggregate subinterfaces with the same VLAN will also be matched.
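The guidelines above fix several constraints that are easy to violate in a large configuration: the ACL type is determined by the ipv6, mac or user-defined keyword or, without one, by the number range; only one ACL of each type is applied per direction of an interface; and only one of them may carry share-mode. Together with packet-filter default deny (documented later on this page), whose absence leaves unmatched packets permitted, these are the checks a reviewer runs over a running configuration. The following Python audit is an added example, not code from the H3C reference; the configuration excerpt is constructed, the '#' section delimiter and the line layout are assumptions about the configuration file format, and the finding texts are the editor's.

```python
from collections import defaultdict

# Added example (not part of the H3C reference): audit packet-filter lines in an
# interface configuration against the rules documented for packet-filter
# (interface view) and check whether packet-filter default deny is configured.
# SAMPLE_CONFIG is a constructed excerpt, not a real device configuration; the
# '#' section delimiter is an assumption about the configuration file layout.
SAMPLE_CONFIG = """\
#
interface HundredGigE1/0/1
 packet-filter 2001 inbound hardware-count
 packet-filter ipv6 2001 inbound
 packet-filter 4001 inbound
 packet-filter name webfilter inbound
 packet-filter 2002 outbound share-mode
 packet-filter mac 4002 outbound share-mode
#
interface HundredGigE1/0/2
 packet-filter 2001 inbound
 packet-filter 3001 inbound
#
"""

TYPE_KEYWORDS = {"ipv6": "IPv6", "mac": "Layer 2", "user-defined": "user-defined"}


def acl_type_from_number(number):
    """Map an ACL number to its type using the documented ranges."""
    if 2000 <= number <= 3999:      # 2000-2999 basic, 3000-3999 advanced: IPv4 unless ipv6 is given
        return "IPv4"
    if 4000 <= number <= 4999:
        return "Layer 2"
    if 5000 <= number <= 5999:
        return "user-defined"
    raise ValueError(f"ACL number {number} is outside the documented ranges")


def parse_packet_filter_line(line):
    """Return (acl_type, acl_id, direction, share_mode) for one packet-filter line."""
    tokens = line.split()
    if tokens[0] != "packet-filter":
        raise ValueError(f"not a packet-filter line: {line}")
    i = 1
    keyword_type = TYPE_KEYWORDS.get(tokens[i])
    if keyword_type:
        i += 1
    if tokens[i] == "name":
        acl_id = tokens[i + 1]
        acl_type = keyword_type or "IPv4"       # a bare name selects an IPv4 ACL
        i += 2
    else:
        number = int(tokens[i])
        inferred = acl_type_from_number(number)
        if keyword_type == "IPv6":
            if inferred != "IPv4":
                raise ValueError(f"ipv6 keyword used with non-IP ACL number {number}")
            acl_type = "IPv6"                   # IPv6 ACLs share the 2000-3999 numbers
        elif keyword_type and keyword_type != inferred:
            raise ValueError(f"keyword {tokens[i - 1]} does not match ACL number {number}")
        else:
            acl_type = inferred
        acl_id = str(number)
        i += 1
    direction = tokens[i]
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unexpected direction {direction!r} in: {line}")
    return acl_type, acl_id, direction, "share-mode" in tokens[i + 1:]


def audit_config(config_text):
    """Return human-readable findings for the interface-view packet-filter rules."""
    findings, interface, default_deny = [], None, False
    per_direction = defaultdict(list)           # (interface, direction) -> [(type, id, share)]
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            interface = None                    # end of a configuration section
        elif line.startswith("interface "):
            interface = line.split(None, 1)[1]
        elif line == "packet-filter default deny":
            default_deny = True
        elif line.startswith("packet-filter ") and interface:
            acl_type, acl_id, direction, share = parse_packet_filter_line(line)
            per_direction[(interface, direction)].append((acl_type, acl_id, share))
    for (intf, direction), entries in sorted(per_direction.items()):
        by_type = defaultdict(list)
        for acl_type, acl_id, _ in entries:
            by_type[acl_type].append(acl_id)
        for acl_type, ids in by_type.items():
            if len(ids) > 1:
                findings.append(f"{intf} {direction}: more than one {acl_type} ACL ({', '.join(ids)}); "
                                "only one ACL of each type is applied per direction")
        shared = [acl_id for _, acl_id, share in entries if share]
        if len(shared) > 1:
            findings.append(f"{intf} {direction}: {len(shared)} ACLs use share-mode; "
                            "only one share-mode ACL is allowed per direction")
    if not default_deny:
        findings.append("packet-filter default deny is not configured: packets matching no ACL rule are permitted")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the constructed excerpt the audit reports four findings: a second IPv4 ACL on HundredGigE1/0/1 inbound (the named ACL webfilter is IPv4 because it has no type keyword), two share-mode ACLs on HundredGigE1/0/1 outbound, a second IPv4 ACL on HundredGigE1/0/2 inbound, and the missing default deny. Adding a packet-filter default deny line removes the last finding.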

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on HundredGigE 1/0/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] packet-filter 2001 inbound hardware-count

# Apply IPv4 basic ACL 2001 in sharing mode to filter outgoing traffic on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] packet-filter 2001 outbound share-mode

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter (service template view)

Use packet-filter to apply an ACL to a service template to filter packets.

Use undo packet-filter to remove an ACL from a service template.

Syntax

packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }

undo packet-filter [ ipv6 ] { inbound | outbound }

Default

No ACL is applied to a service template to filter packets.

Views

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

Usage guidelines

To filter packets of a service template, you must apply an ACL to the service template on the AC and create the applied ACL on APs.

An ACL applied to a service template can only match the source IP address, destination IP address, source port number, destination port number, and protocol of packets.

You can apply only one ACL to the same direction of a service template.

This command can be executed only when the service template is disabled.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic of service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] packet-filter 2001 inbound

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.

Use undo packet-filter default deny to restore the default.

Syntax

packet-filter default deny

undo packet-filter default deny

Default

The packet filtering default action is permit. The packet filter permits packets that do not match any ACL rule.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The packet filter applies the default action to every ACL application for packet filtering on the device. The default action takes effect only where an ACL is applied and only for packets that match none of that ACL's rules; it does not filter traffic on interfaces or in directions where no ACL is applied. The default action appears in the display command output for packet filtering.

Examples

# Set the packet filter default action to deny.

<Sysname> system-view

[Sysname] packet-filter default deny

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

packet-filter global

Use packet-filter global to apply an ACL to filter packets globally.

Use undo packet-filter global to remove an ACL for global packet filtering.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound }

Default

No ACL is applied to filter packets globally.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

global: Specifies all physical interfaces.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6 keyword.

If the specified ACL does not exist or does not have any rules, the ACL is not referenced and the packet filter does not filter traffic in that direction. Create the ACL and its rules before applying it, and verify the application with display packet-filter.

The hardware-count keyword in this command enables match counting in hardware for all rules in the ACL. The counting keyword in the rule command enables match counting for an individual rule. Use hardware-count when you want counters for every rule without editing each rule.

To disable ACL rule match counting in hardware when hardware resources are insufficient, you must execute the undo packet-filter command and then re-execute the packet-filter command without the hardware-count keyword. Between the two commands no ACL is applied globally in that direction, so traffic passes unfiltered during that window; schedule the change accordingly.

To disable ACL rule match counting in hardware when hardware resources are sufficient, you can directly re-execute the packet-filter command without the hardware-count keyword. The new application replaces the old one.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on all physical interfaces, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] packet-filter 2001 global inbound hardware-count
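The following session is an added example that ties the packet-filter global and packet-filter default deny commands together into an inbound allowlist; it is not part of the original command reference. It assumes a management subnet of 10.0.0.0/24, IPv4 advanced ACL 3000, and the rule IDs and ports shown; the display command forms follow the related display packet-filter commands documented elsewhere in this reference. Management access (SSH and SNMP) is permitted before the default action is switched to deny so that the change cannot lock the operator out.

```console
# Build the allowlist first. Addresses, ACL number, and rule IDs are assumed for illustration.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule 0 permit tcp source 10.0.0.0 0.0.0.255 destination-port eq 22 counting
[Sysname-acl-ipv4-adv-3000] rule 5 permit udp source 10.0.0.0 0.0.0.255 destination-port eq 161 counting
[Sysname-acl-ipv4-adv-3000] rule 10 permit icmp counting
# Optional: an explicit final deny with logging. The default action is not a rule, so packets
# dropped by it are neither counted by hardware-count nor logged; this rule gives that visibility.
[Sysname-acl-ipv4-adv-3000] rule 15 deny ip logging counting
[Sysname-acl-ipv4-adv-3000] quit

# Apply the ACL to all physical interfaces in the inbound direction with hardware counting.
# The ACL already exists and has rules, so the application takes effect immediately.
[Sysname] packet-filter 3000 global inbound hardware-count

# Only now switch the default action. Anything that reaches an applied ACL and matches no rule is dropped.
[Sysname] packet-filter default deny
[Sysname] quit

# Verify the application and the default action, then watch per-rule hit counts.
<Sysname> display packet-filter verbose global inbound
<Sysname> display packet-filter statistics global inbound 3000

# Once counters have been reviewed, clear them to start a fresh measurement window.
<Sysname> reset packet-filter statistics global inbound 3000
```

Keep the explicit deny rule (rule 15) if you rely on acl logging interval for drop visibility; remove it if you want the default action itself to be the only catch-all, in which case dropped packets show up in no counter.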

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose

reset packet-filter statistics

Use reset packet-filter statistics to clear the packet filtering statistics.

Syntax

reset packet-filter statistics { global | interface [ interface-type interface-number ] | l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ] } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ]

Views

User view

Predefined user roles

network-admin

Parameters

global: Specifies all physical interfaces.

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering statistics for all interfaces.

l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096. If you do not specify an interface, this command clears packet filtering statistics for all Ethernet service instances on all interfaces. If you specify an interface but do not specify an Ethernet service instance, this command clears packet filtering statistics for all Ethernet service instances on the specified interface.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

·     4000 to 4999 for Layer 2 ACLs.

·     5000 to 5999 for user-defined ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify an ACL (acl-number or name acl-name, optionally qualified by ipv6, mac, or user-defined), this command clears the packet filtering statistics for all ACLs in the specified scope and direction.

To specify the IPv4 ACL type, do not specify the ipv6 keyword.

Examples

# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on HundredGigE 1/0/1.

<Sysname> reset packet-filter statistics interface hundredgige 1/0/1 inbound 2001

# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering for Ethernet service instance 1 on HundredGigE 1/0/1.

<Sysname> reset packet-filter statistics l2vpn-ac interface hundredgige 1/0/1 service-instance 1 inbound 2001

Related commands

display packet-filter statistics

display packet-filter statistics sum
