16-Security Command Reference
Packet filter commands
acl logging interval
Use acl logging interval to enable logging for packet filtering and set the interval.
Use undo acl logging interval to restore the default.
Syntax
acl logging interval interval
undo acl logging interval
Default
The interval is 0. The device does not generate log entries for packet filtering.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval at which log entries are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable the logging, set the value to 0.
Usage guidelines
The logging feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.
You can configure the ACL module to generate log entries for packet filtering and output them to the information center at the output interval. The log entry records the number of matching packets and the matched ACL rules. When the first packet of a flow matches an ACL rule, the output interval starts, and the device immediately outputs a log entry for this packet. When the output interval ends, the device outputs a log entry for subsequent matching packets of the flow.
For more information about the information center, see System Management Configuration Guide.
Examples
# Configure the device to generate and output packet filtering log entries every 10 minutes.
<Sysname> system-view
[Sysname] acl logging interval 10
Related commands
rule (IPv4 advanced ACL view)
rule (IPv4 basic ACL view)
rule (IPv6 advanced ACL view)
rule (IPv6 basic ACL view)
acl trap interval
Use acl trap interval to enable SNMP notifications for packet filtering and set the interval.
Use undo acl trap interval to restore the default.
Syntax
acl trap interval interval
undo acl trap interval
Default
The interval is 0. The device does not generate SNMP notifications for packet filtering.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval at which SNMP notifications are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable SNMP notifications, set the value to 0.
Usage guidelines
The SNMP notifications feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.
You can configure the ACL module to generate SNMP notifications for packet filtering and output them to the SNMP module at the output interval. The notification records the number of matching packets and the matched ACL rules. When the first packet of a flow matches an ACL rule, the output interval starts, and the device immediately outputs a notification for this packet. When the output interval ends, the device outputs a notification for subsequent matching packets of the flow.
For more information about SNMP, see Network Management and Monitoring Configuration Guide.
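The per-flow timing described for acl logging interval and acl trap interval (an entry for the first matching packet at once, then one entry covering later packets when the output interval ends) is modelled below in Python. This is an added illustration, not device code; how a window restarts after it expires is not stated on the page and is marked as an assumption in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, int]  # (flow identifier, ACL number, rule ID)


def validate_interval(minutes: int) -> int:
    """Enforce the documented constraint: a multiple of 5 from 0 to 1440."""
    if not 0 <= minutes <= 1440 or minutes % 5:
        raise ValueError("interval must be a multiple of 5 in the range 0 to 1440")
    return minutes


@dataclass
class _Window:
    started: float     # time in seconds at which the output interval started
    pending: int = 0   # matching packets seen since the last entry was output


@dataclass
class AclMatchLogger:
    """Per (flow, ACL, rule): output an entry for the first packet at once,
    then one entry covering later packets when the output interval ends."""
    interval_minutes: int
    windows: Dict[FlowKey, _Window] = field(default_factory=dict)
    entries: List[dict] = field(default_factory=list)

    def __post_init__(self) -> None:
        validate_interval(self.interval_minutes)

    def _emit(self, now: float, key: FlowKey, packets: int) -> dict:
        flow, acl, rule = key
        entry = {"time": now, "flow": flow, "acl": acl, "rule": rule, "packets": packets}
        self.entries.append(entry)
        return entry

    def match(self, now: float, flow: str, acl: int, rule: int) -> Optional[dict]:
        """Record one packet matching a rule that carries the logging keyword."""
        if self.interval_minutes == 0:
            return None  # interval 0: logging (or notifications) disabled
        key = (flow, acl, rule)
        window = self.windows.get(key)
        if window is None:
            # First packet of the flow: the interval starts and the entry
            # for this packet is output immediately.
            self.windows[key] = _Window(started=now)
            return self._emit(now, key, 1)
        window.pending += 1  # counted now, reported when the interval ends
        return None

    def expire(self, now: float) -> List[dict]:
        """Close every window whose interval has ended and output one entry
        for the packets it accumulated. Assumption (not stated on the page):
        a window with no further packets outputs nothing, and the flow's
        next packet starts a fresh interval."""
        limit = self.interval_minutes * 60
        due = [k for k, w in self.windows.items() if now - w.started >= limit]
        out = []
        for key in due:
            window = self.windows.pop(key)
            if window.pending:
                out.append(self._emit(now, key, window.pending))
        return out
```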
Examples
# Configure the device to generate and output packet filtering SNMP notifications every 10 minutes.
<Sysname> system-view
[Sysname] acl trap interval 10
Related commands
rule (IPv4 advanced ACL view)
rule (IPv4 basic ACL view)
rule (IPv6 advanced ACL view)
rule (IPv6 basic ACL view)
display packet-filter
Use display packet-filter to display ACL application information for packet filtering.
Syntax
display packet-filter { interface [ interface-type interface-number ] } [ inbound | outbound ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces except VA interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions.
Examples
# Display ACL application information for inbound packet filtering on interface GigabitEthernet 1/0/1.
<Sysname> display packet-filter interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001
IPv6 ACL 2002 (Failed)
MAC ACL 4003
Table 1 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
Inbound policy | ACL used for filtering incoming traffic. |
Outbound policy | ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
IPv6 ACL 2002 (Failed) | The device has failed to apply IPv6 basic ACL 2002. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
MAC default action | Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
display packet-filter statistics
Use display packet-filter statistics to display packet filtering statistics.
Syntax
display packet-filter statistics { interface interface-type interface-number } { inbound | outbound } [ default ] [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
default: Displays the default action statistics for packet filtering.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
brief: Displays brief statistics.
Usage guidelines
If you do not specify any parameters, this command displays packet filtering statistics for all ACLs.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display packet filtering statistics for all ACLs on incoming packets of GigabitEthernet 1/0/1.
<Sysname> display packet-filter statistics interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001, Hardware-count
From 2019-06-04 10:25:21 to 2019-06-04 10:35:57
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0 (Failed)
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
IPv6 ACL 2000
MAC ACL 4000
rule 0 permit
IPv4 default action: Deny, Hardware-count
From 2019-06-04 10:25:21 to 2019-06-04 10:35:57
Totally 7 packets
IPv6 default action: Deny, Hardware-count
From 2019-06-04 10:25:41 to 2019-06-04 10:35:57
Totally 0 packets
MAC default action: Deny, Hardware-count
From 2019-06-04 10:25:34 to 2019-06-04 10:35:57
Totally 0 packets
Table 2 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
Inbound policy | ACL used for filtering incoming traffic. |
Outbound policy | ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
IPv4 ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002. |
From 2019-06-04 10:25:21 to 2019-06-04 10:35:57 | Start time and end time of the statistics. |
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule. |
No resource | Resources are not enough for counting matches for the rule. In packet filtering statistics, this field is displayed for a rule when resources are not sufficient for rule match counting. |
rule 5 permit source 1.1.1.1 0 (Failed) | The device has failed to apply rule 5. |
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL. |
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
MAC default action | Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
Totally 7 packets | The default action has been executed on seven packets. |
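The parser below, added here and not part of the command reference, reads display packet-filter statistics output in the form shown above and reports what an operator should act on: an ACL or rule marked (Failed), a failed hardware-count, and packets hitting a deny default action. The sample output is constructed from the example above and the Table 2 field descriptions; the output structure and the finding texts are this example's own choices.

```python
import re

# Constructed sample modelled on the display packet-filter statistics output
# shown in this chapter; it was not captured from a live device.
SAMPLE = """\
Interface: GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001, Hardware-count
From 2019-06-04 10:25:21 to 2019-06-04 10:35:57
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0 (Failed)
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
IPv6 ACL 2000
MAC ACL 4000
rule 0 permit
IPv4 default action: Deny, Hardware-count
From 2019-06-04 10:25:21 to 2019-06-04 10:35:57
Totally 7 packets
IPv6 default action: Deny, Hardware-count (Failed)
Totally 0 packets
"""

ACL_RE = re.compile(r"^(IPv4|IPv6|MAC) ACL ([^\s,]+)(, Hardware-count)?( \(Failed\))?$")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)(.*?)(?: \((\d+) packets?\)| \((Failed|No resource)\))?$")
DEFAULT_RE = re.compile(r"^(IPv4|IPv6|MAC) default action: (Permit|Deny)( \(Failed\))?"
                        r"(?:, Hardware-count( \(Failed\))?)?$")
TOTAL_RE = re.compile(r"^Totally (\d+) packets?(?: permitted, (\d+) packets? denied)?$")


def parse_statistics(text):
    """Return {"interface": ..., "policies": {direction: {"acls": [...], "defaults": [...]}}}."""
    stats = {"interface": None, "policies": {}}
    direction = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            stats["interface"] = line.split(":", 1)[1].strip()
        elif line.endswith("policy:"):  # "Inbound policy:" or "Outbound policy:"
            direction = line.split()[0]
            stats["policies"][direction] = {"acls": [], "defaults": []}
            entry = None
        elif (m := ACL_RE.match(line)):
            entry = {"type": m[1], "acl": m[2], "hardware_count": bool(m[3]),
                     "failed": bool(m[4]), "rules": [], "permitted": 0, "denied": 0}
            stats["policies"][direction]["acls"].append(entry)
        elif (m := RULE_RE.match(line)) and entry is not None:
            entry["rules"].append({"id": int(m[1]), "action": m[2], "match": m[3].strip(),
                                   "packets": int(m[4] or 0), "status": m[5] or "ok"})
        elif (m := DEFAULT_RE.match(line)):
            entry = {"type": m[1], "action": m[2], "failed": bool(m[3]), "packets": 0,
                     "hardware_count": "Hardware-count" in line, "hw_failed": bool(m[4])}
            stats["policies"][direction]["defaults"].append(entry)
        elif (m := TOTAL_RE.match(line)) and entry is not None:
            if m[2] is None:
                entry["packets"] = int(m[1])  # default-action counter
            else:
                entry["permitted"], entry["denied"] = int(m[1]), int(m[2])
    return stats


def findings(stats):
    """Conditions worth an alert: filtering not in force, counters not
    trustworthy, or traffic reaching a deny default action."""
    out = []
    for direction, policy in stats["policies"].items():
        prefix = f"{stats['interface']} {direction.lower()}"
        for acl in policy["acls"]:
            where = f"{prefix} {acl['type']} ACL {acl['acl']}"
            if acl["failed"]:
                out.append(f"{where}: ACL not applied (Failed)")
            out += [f"{where} rule {r['id']}: {r['status']}" for r in acl["rules"] if r["status"] != "ok"]
        for d in policy["defaults"]:
            where = f"{prefix} {d['type']} default action"
            if d["failed"]:
                out.append(f"{where}: {d['action']} not applied (Failed), permit in effect")
            elif d["hw_failed"]:
                out.append(f"{where}: hardware-count not applied (Failed), counter unreliable")
            elif d["action"] == "Deny" and d["packets"]:
                out.append(f"{where}: {d['packets']} packets hit the default deny")
    return out
```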
Related commands
reset packet-filter statistics
display packet-filter statistics sum
Use display packet-filter statistics sum to display accumulated packet filtering statistics for an ACL.
Syntax
display packet-filter statistics sum { inbound | outbound } [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
brief: Displays brief statistics.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display accumulated packet filtering statistics for IPv4 basic ACL 2001 on incoming packets.
<Sysname> display packet-filter statistics sum inbound 2001
Sum:
Inbound policy:
IPv4 ACL 2001
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
# Display brief accumulated packet filtering statistics for IPv4 basic ACL 2000 on incoming packets.
<Sysname> display packet-filter statistics sum inbound 2000 brief
Sum:
Inbound policy:
IPv4 ACL 2000
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
Table 3 Command output

Field | Description |
---|---|
Sum | Accumulated packet filtering statistics. |
Inbound policy | Accumulated packet filtering statistics in the inbound direction. |
Outbound policy | Accumulated packet filtering statistics in the outbound direction. |
IPv4 ACL 2001 | Accumulated packet filtering statistics of IPv4 basic ACL 2001. |
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule. |
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL. |
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets. |
Related commands
reset packet-filter statistics
display packet-filter verbose
Use display packet-filter verbose to display ACL application details for packet filtering.
Syntax
display packet-filter verbose { interface interface-type interface-number } { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number. The slot slot-number option is not available for an Ethernet interface.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays application details of all ACLs for packet filtering.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display application details of all ACLs for inbound packet filtering on GigabitEthernet 1/0/1.
<Sysname> display packet-filter verbose interface gigabitethernet 1/0/1 inbound
Interface: GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001
rule 0 permit
rule 5 permit source 1.1.1.1 0 (Failed)
IPv6 ACL 2000
rule 0 permit
MAC ACL 4000
IPv4 default action: Deny
IPv6 default action: Deny, Hardware-count (Failed)
MAC default action: Deny
Table 4 Command output

Field | Description |
---|---|
Interface | Interface to which the ACL applies. |
Inbound policy | ACL used for filtering incoming traffic. |
Outbound policy | ACL used for filtering outgoing traffic. |
IPv4 ACL 2001 | IPv4 basic ACL 2001 has been successfully applied. |
IPv4 ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002. |
rule 5 permit source 1.1.1.1 0 (Failed) | The device has failed to apply rule 5. |
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
MAC default action | Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. · Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering. · Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action. |
packet-filter (interface view)
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL from an interface.
Syntax
packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }
undo packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to an interface to filter packets.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
You can apply a maximum of 32 ACLs to the same direction of an interface.
You can use the packet-filter command in VLAN interface view or the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in one direction of a VLAN interface.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter (service template view)
Use packet-filter to apply an ACL to a service template to filter packets.
Use undo packet-filter to remove an ACL from a service template.
Syntax
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
undo packet-filter [ ipv6 ] { inbound | outbound }
Default
No ACL is applied to a service template to filter packets.
Views
Service template view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Usage guidelines
To filter packets of a service template, you must apply an ACL to the service template on the AC and create the applied ACL on APs.
An ACL applied to a service template can only match the source IP address, destination IP address, source port number, destination port number, and protocol of packets.
You can apply only one ACL to the same direction of a service template.
This command can be executed only when the service template is disabled.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic of service template service1.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] packet-filter 2001 inbound
packet-filter (user profile view)
Use packet-filter to apply an ACL to a user profile to filter packets.
Use undo packet-filter to remove an ACL from a user profile.
Syntax
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to a user profile to filter packets.
Views
User profile view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
You can apply only one ACL to the same direction of a user profile.
If the specified ACL does not exist or does not have any rules, it will not be referenced.
Examples
# Apply IPv4 basic ACL 2001 to filter the incoming traffic of user profile user-profile1.
<Sysname> system-view
[Sysname] user-profile user-profile1
[Sysname-user-profile-user-profile1] packet-filter 2001 inbound
Related commands
display user-profile (User Access and Authentication Command Reference)
packet-filter default deny
Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.
Use undo packet-filter default deny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filtering default action is permit. The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.
Examples
# Set the packet filter default action to deny.
<Sysname> system-view
[Sysname] packet-filter default deny
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter default hardware-count
Use packet-filter default hardware-count to enable hardware-count for the packet filtering default action.
Use undo packet-filter default hardware-count to disable hardware-count for the packet filtering default action.
Syntax
packet-filter default { inbound | outbound } hardware-count
undo packet-filter default { inbound | outbound } hardware-count
Default
Hardware-count is disabled for the packet filtering default action.
Views
Interface view
Predefined user roles
network-admin
Parameters
inbound: Specifies the incoming packets.
outbound: Specifies the outgoing packets.
Usage guidelines
To enable hardware-count for the packet filtering default action on an interface, make sure you have applied ACLs to the interface for packet filtering.
Examples
# Set the packet filtering default action to deny. Apply IPv4 basic ACL 2001 to GigabitEthernet 1/0/1 for filtering incoming packets, and enable hardware-count for the packet filtering default action on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] packet-filter default deny
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound
[Sysname-GigabitEthernet1/0/1] packet-filter default inbound hardware-count
Related commands
packet-filter
packet-filter default deny
display packet-filter
display packet-filter statistics
reset packet-filter statistics
Use reset packet-filter statistics to clear the packet filtering statistics.
Syntax
reset packet-filter statistics { interface [ interface-type interface-number ] } { inbound | outbound } [ default | [ ipv6 | mac ] { acl-number | name acl-name } ]
Views
User view
Predefined user roles
network-admin
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering statistics for all interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
default: Clears the default action statistics for packet filtering.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If default, acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command clears the packet filtering statistics for all ACLs.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on GigabitEthernet 1/0/1.
<Sysname> reset packet-filter statistics interface gigabitethernet 1/0/1 inbound 2001
Related commands
display packet-filter statistics
display packet-filter statistics sum