Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-ACL commands | 495.33 KB |
display packet-filter statistics
display packet-filter statistics sum
packet-filter (Ethernet service instance view)
packet-filter (interface view)
packet-filter (user profile view)
reset packet-filter statistics
ACL commands
acl
Use acl to create an ACL and enter its view, or enter the view of an existing ACL.
Use undo acl to delete the specified or all ACLs.
Syntax
Command for creating an IPv4 or Layer 2 ACL by specifying a number:
acl { name acl-name | number acl-number [ name acl-name ] [ match-order { auto | config } ] }
undo acl { all | name acl-name | number acl-number }
Command for creating an IPv6 ACL by specifying a number:
acl ipv6 { name acl-name | number acl-number [ name acl-name ] [ match-order { auto | config } ] }
undo acl ipv6 { all | name acl-name | number acl-number }
Commands for creating ACLs by specifying the related keywords:
· Command for creating an IPv4 ACL by specifying the advanced or basic keyword:
acl { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]
undo acl { all | { advanced | basic } { acl-number | name acl-name } }
· Command for creating an IPv6 ACL by specifying the advanced or basic keyword:
acl ipv6 { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]
undo acl ipv6 { all | { advanced | basic } { acl-number | name acl-name } }
· Command for creating a Layer 2 ACL by specifying the mac keyword:
acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
undo acl mac { all | acl-number | name acl-name }
· Command for creating a user-defined ACL by specifying the user-defined keyword:
acl user-defined { acl-number | name acl-name }
undo acl user-defined { all | acl-number | name acl-name }
Default
No ACLs exist.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type. To specify the IPv4 ACL type, do not use this keyword.
basic: Specifies the basic ACL type.
advanced: Specifies the advanced ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
number acl-number: Assigns a number to the ACL. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Assigns a name to the ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
match-order: Specifies the order in which ACL rules are compared against packets.
auto: Compares ACL rules in depth-first order.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has a higher priority. If you do not specify a match order, the config order applies by default. The match order for the WLAN client ACL, user-defined ACL, and WLAN AP ACL can only be config.
all: Specifies all ACLs of the specified type.
Usage guidelines
If you create a numbered ACL, you can enter the view of the ACL by using either of the following commands:
· The acl [ ipv6 ] number acl-number command.
· The acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number command.
If you create a ACL by using the acl [ ipv6 ] number acl-number name acl-name command, you can enter the view of the ACL by using either of the following commands:
· acl [ ipv6 ] name acl-name (for only basic ACLs and advanced ACLs).
· acl [ ipv6 ] number acl-number [ name acl-name ].
· acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name.
If you create a named non-WLAN ACL by using the acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name command, you can enter the view of the ACL by using either of the following commands:
· acl [ ipv6 ] name acl-name (for only basic ACLs and advanced ACLs).
· acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name.
You can change the match order only for ACLs that do not contain any rules.
Examples
# Create IPv4 basic ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000]
# Create IPv4 basic ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl basic name flow
[Sysname-acl-ipv4-basic-flow]
# Create IPv4 advanced ACL 3000 and enter its view.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000]
# Create IPv6 basic ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000]
# Create IPv6 basic ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 basic name flow
[Sysname-acl-ipv6-basic-flow]
# Create IPv6 advanced ACL abc and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 advanced name abc
[Sysname-acl-ipv6-adv-abc]
# Create Layer 2 ACL 4000 and enter its view.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000]
# Create Layer 2 ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl mac name flow
[Sysname-acl-mac-flow]
# Create user-defined ACL 5000 and enter its view.
<Sysname> system-view
[Sysname] acl user-defined 5000
[Sysname-acl-user-5000]
# Create user-defined ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl user-defined name flow
[Sysname-acl-user-flow]
Related commands
display acl
acl copy
Use acl copy to create an ACL by copying an ACL that already exists.
Syntax
acl [ ipv6 | mac | user-defined ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
source-acl-number: Specifies an existing source ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the new ACL. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name dest-acl-name: Assigns a unique name to the new ACL. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
Usage guidelines
The new ACL and the source ACL must be the same type.
When specifying an ACL by its number, follow these rules:
· To specify an IPv6 ACL, you must specify both its ACL number and the ipv6 keyword.
· To specify a Layer 2 ACL, you can specify its ACL number without the mac keyword.
To specify an IPv6 ACL or Layer 2 ACL by a name, you must specify both the ACL name and the ipv6 or mac keyword.
The new ACL has the same properties and content as the source ACL, but uses a different number or name from the source ACL.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
# Create IPv4 basic ACL paste by copying IPv4 basic ACL test.
<Sysname> system-view
[Sysname] acl copy name test to name paste
acl logging interval
Use acl logging interval to enable logging for packet filtering and set the interval.
Use undo acl logging interval to restore the default.
Syntax
acl logging interval interval
undo acl logging interval
Default
The interval is 0. The device does not generate log entries for packet filtering.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval at which log entries are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable the logging, set the value to 0.
Usage guidelines
The logging feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.
You can configure the ACL module to generate log entries for packet filtering and output them to the information center at the output interval. The log entry records the number of matching packets and the matched ACL rules. When the first packet of a flow matches an ACL rule, the output interval starts, and the device immediately outputs a log entry for this packet. When the output interval ends, the device outputs a log entry for subsequent matching packets of the flow. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Configure the device to generate and output packet filtering log entries every 10 minutes.
<Sysname> system-view
[Sysname] acl logging interval 10
Related commands
rule (IPv4 advanced ACL view)
rule (IPv4 basic ACL view)
rule (IPv6 advanced ACL view)
rule (IPv6 basic ACL view)
acl trap interval
Use acl trap interval to enable SNMP notifications for packet filtering and set the interval.
Use undo acl interval to restore the default.
Syntax
acl trap interval interval
undo acl trap interval
Default
The interval is 0. The device does not generate SNMP notifications for packet filtering.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval at which SNMP notifications are generated and output. It must be a multiple of 5, in the range of 0 to 1440 minutes. To disable SNMP notifications, set the value to 0.
Usage guidelines
The SNMP notifications feature is available for IPv4 or IPv6 ACL rules that have the logging keyword.
You can configure the ACL module to generate SNMP notifications for packet filtering and output them to the SNMP module at the output interval. The notification records the number of matching packets and the matched ACL rules. When the first packet of a flow matches an ACL rule, the output interval starts, and the device immediately outputs a notification for this packet. When the output interval ends, the device outputs a notification for subsequent matching packets of the flow. For more information about SNMP, see Network Management and Monitoring Configuration Guide.
Examples
# Configure the device to generate and output packet filtering SNMP notifications every 10 minutes.
<Sysname> system-view
[Sysname] acl trap interval 10
Related commands
rule (IPv4 advanced ACL view)
rule (IPv4 basic ACL view)
rule (IPv6 advanced ACL view)
rule (IPv6 basic ACL view)
description
Use description to configure a description for an ACL.
Use undo description to delete an ACL description.
Syntax
description text
undo description
Default
An ACL does not have a description.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] description This is an IPv4 basic ACL.
Related commands
display acl
display acl
Use display acl to display ACL configuration and match statistics.
Syntax
display acl [ ipv6 | mac | user-defined ] { acl-number | all | name acl-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
all: Specifies all ACLs of the specified type.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command displays ACL rules in config or auto order, whichever is configured.
To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.
Examples
# Display configuration and match statistics for IPv4 basic ACL 2001.
<Sysname> display acl 2001
Basic IPv4 ACL 2001, 1 rule, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5, start ID is 0
rule 5 permit source 1.1.1.1 0
rule 5 comment This rule is used on Ten-GigabitEthernet1/0/1.
Table 1 Command output
|
Field |
Description |
|
Basic IPv4 ACL 2001 |
Type and number of the ACL. The following field information is about IPv4 basic ACL 2001. |
|
1 rule |
The ACL contains one rule. |
|
match-order is auto |
The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not displayed when the match order is config. |
|
This is an IPv4 basic ACL. |
Description of the ACL. |
|
ACL's step is 5 |
The rule numbering step is 5. |
|
start ID is 0 |
The start rule ID is 0. |
|
rule 5 permit source 1.1.1.1 0 |
Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1. |
|
rule 5 comment This rule is used on Ten-GigabitEthernet1/0/1. |
Comment of rule 5. |
display acl whitelist
Use display acl whitelist to display ACL rules in the ACL whitelist.
Syntax
display acl whitelist [ ipv6 ] slot slot-number
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies the IPv6 ACL whitelist. If you do not specify this keyword, the command displays ACL rules in the IPv4 ACL whitelist.
slot slot-number: Specifies an IRF member device by its member ID.
Usage guidelines
For ACL whitelist-based traffic policing, the system dynamically generates a whitelist according to existing TCP connections or other protocol sessions. The whitelist contains ACL rules used to match traffic. For information about the configuration command for whitelist-based traffic policing, see the qos car (control plane view) command in QoS commands.
Examples
# Display ACL rules in the IPv4 dynamic whitelist for slot 2.
<Sysname> display acl whitelist slot 1
IPv4 ACL Whitelist, 2 rules
rule 1 permit tcp source 1.1.1.1 0 destination 1.1.1.2 0 source-port eq bgp destination-port eq 56197(dynamic)
rule 2 permit tcp source 2.2.2.1 0 destination 2.2.2.2 0 source-port eq bgp destination-port eq 56197(static)
Related commands
display qos car control-plane whitelist
qos car (control plane view)
display packet-filter
Use display packet-filter to display ACL application information for packet filtering.
Syntax
display packet-filter { global | interface [ interface-type interface-number ] | l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ] | vlan-interface } [ inbound | outbound ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
global: Specifies all physical interfaces.
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command displays ACL application information for packet filtering on all interfaces. If you specify an Ethernet interface, you do not need to specify the slot slot-number option.
l2vpn-ac [ interface interface-type interface-number [ service-instance instance-id ] ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096. If you do not specify an interface, this command displays ACL application information for all Ethernet service instances on all interfaces. If you specify an interface but do not specify an Ethernet service instance, this command displays ACL application information for all Ethernet service instances on the specified interface.
vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application information for packet filtering for the master device.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays ACL application information for packet filtering in both directions.
Examples
# Display ACL application information for inbound packet filtering on interface Ten-GigabitEthernet 1/0/1.
<Sysname> display packet-filter interface ten-gigabitethernet 1/0/1 inbound
Interface: Ten-GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001r
IPv6 ACL 2002 (Failed)
MAC ACL 4003
# Display ACL application information for inbound and outbound packet filtering on all physical interfaces.
<Sysname> display packet-filter global
Global:
Inbound policy:
IPv4 ACL 2001
IPv6 ACL 2001
MAC ACL 4001
IPv4 default action: Deny (Failed)
IPv6 default action: Deny (Failed)
MAC default action: Deny
Outbound policy:
MAC ACL 4001
MAC default action: Deny
# Display ACL application information for inbound and outbound packet filtering on the list of VLAN interfaces.
<Sysname> display packet-filter vlan-interface
VLAN interface : 2 to 5
Inbound policy:
IPv4 ACL 2001
IPv4 default action: Deny (Failed)
VLAN interface : 2 to 5
Outbound policy:
MAC ACL 4001, Hardware-count
MAC default action: Deny
# Display ACL application information for inbound packet filtering on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.
<Sysname> display packet-filter l2vpn-ac interface ten-gigabitethernet 1/0/1 service-instance 1 inbound
Interface: Ten-GigabitEthernet1/0/1 Service Instance ID: 1
Inbound policy:
IPv4 ACL 2001
IPv6 ACL 2002 (Failed)
MAC ACL 4003, Hardware-count (Failed)
Table 2 Command output
|
Field |
Description |
|
Interface |
Interface to which the ACL applies. |
|
Global |
ACL application for packet filtering on all physical interfaces. |
|
VLAN interface |
List of VLAN interfaces specified in the packet-filter vlan-interface command. |
|
Interface: Ten-GigabitEthernet1/0/1 Service Instance ID: 1 |
Ethernet service instance to which the ACL applies. Ten-GigabitEthernet1/0/1 is the interface where the Ethernet service instance resides. |
|
Inbound policy |
ACL used for filtering incoming traffic. |
|
Outbound policy |
ACL used for filtering outgoing traffic. |
|
IPv4 ACL 2001 |
IPv4 basic ACL 2001 has been successfully applied. |
|
IPv6 ACL 2002 (Failed) |
The device has failed to apply IPv6 basic ACL 2002. |
|
Hardware-count |
ACL rule match counting in hardware has been successfully enabled. |
|
Hardware-count (Failed) |
The device has failed to enable counting ACL rule matches in hardware. |
|
IPv4 default action |
Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
|
IPv6 default action |
Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
|
MAC default action |
Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
display packet-filter statistics
Use display packet-filter statistics to display packet filtering statistics.
Syntax
display packet-filter statistics { global | interface interface-type interface-number | l2vpn-ac interface interface-type interface-number service-instance instance-id | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
global: Displays the statistics for all physical interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
l2vpn-ac interface interface-type interface-number service-instance instance-id: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096.
vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
brief: Displays brief statistics.
Usage guidelines
If you do not specify any parameters, this command displays packet filtering statistics for all ACLs.
Examples
# Display packet filtering statistics for all ACLs on incoming packets of Ten-GigabitEthernet 1/0/1.
<Sysname> display packet-filter statistics interface ten-gigabitethernet 1/0/1 inbound
Interface: Ten-GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001, Hardware-count
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0 (Failed)
rule 10 permit vpn-instance test (No resource)
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
IPv6 ACL 2000
MAC ACL 4000
rule 0 permit
# Display packet filtering statistics for ACL 3000 on incoming packets of the list of VLAN interfaces.
<Sysname> display packet-filter statistics vlan-interface inbound 3000
VLAN interface: 2 to 10
Inbound policy:
IPv4 ACL 3000, Hardware-count (Failed)
From 2011-06-04 10:25:34 to 2011-06-04 10:35:57
rule 0 permit source 2.2.2.2 0
rule 5 permit source 1.1.1.1 0 counting (2 packets)
rule 10 permit vpn-instance test
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
# Display packet filtering statistics for all ACLs on incoming packets on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.
<Sysname> display packet-filter statistics l2vpn-ac interface ten-gigabitethernet 1/0/1 service-instance 1 inbound
Interface: Ten-GigabitEthernet1/0/1 Service Instance ID: 1
Inbound policy:
IPv4 ACL 2001, Hardware-count
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0 (Failed)
rule 10 permit vpn-instance test (No resource)
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
MAC ACL 4000
From 2011-06-04 10:25:34 to 2011-06-04 10:35:57
rule 0 permit
IPv6 ACL 2000
Table 3 Command output
|
Field |
Description |
|
Interface |
Interface to which the ACL applies. |
|
VLAN interface |
List of VLAN interfaces specified in the packet-filter vlan-interface command. |
|
Interface: Ten-GigabitEthernet1/0/1 Service Instance ID: 1 |
Ethernet service instance to which the ACL applies. Ten-GigabitEthernet1/0/1 is the interface where the Ethernet service instance resides. |
|
Inbound policy |
ACL used for filtering incoming traffic. |
|
Outbound policy |
ACL used for filtering outgoing traffic. |
|
IPv4 ACL 2001 |
IPv4 basic ACL 2001 has been successfully applied. |
|
IPv4 ACL 2002 (Failed) |
The device has failed to apply IPv4 basic ACL 2002. |
|
Hardware-count |
ACL rule match counting in hardware has been successfully enabled. |
|
Hardware-count (Failed) |
The device has failed to enable counting ACL rule matches in hardware. |
|
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57 |
Start time and end time of the statistics. The start time is the time when the packet filter was deployed to the member device. |
|
2 packets |
Two packets matched the rule. This field is not displayed when no packets matched the rule. |
|
No resource |
Resources are not enough for counting matches for the rule. In packet filtering statistics, this field is displayed for a rule when resources are not sufficient for rule match counting. |
|
rule 5 permit source 1.1.1.1 0 (Failed) |
The device has failed to apply rule 5. |
|
Totally 2 packets permitted, 0 packets denied |
Number of packets permitted and denied by the ACL. |
|
Totally 100% permitted, 0% denied |
Ratios of permitted and denied packets to all packets. |
|
IPv4 default action |
Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
|
IPv6 default action |
Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
|
MAC default action |
Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
Related commands
reset packet-filter statistics
display packet-filter statistics sum
Use display packet-filter statistics sum to display accumulated packet filtering statistics for an ACL.
Syntax
display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac | user-defined ] { acl-number | name acl-name } [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
brief: Displays brief statistics.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.
Examples
# Display accumulated packet filtering statistics for IPv4 basic ACL 2001 on incoming packets.
<Sysname> display packet-filter statistics sum inbound 2001
Sum:
Inbound policy:
IPv4 ACL 2001
rule 0 permit source 2.2.2.2 0 (2 packets)
rule 5 permit source 1.1.1.1 0
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
# Display brief accumulated packet filtering statistics for IPv4 basic ACL 2000 on incoming packets.
<Sysname> display packet-filter statistics sum inbound 2000 brief
Sum:
Inbound policy:
IPv4 ACL 2000
Totally 2 packets permitted, 0 packets denied
Totally 100% permitted, 0% denied
Table 4 Command output
|
Field |
Description |
|
Sum |
Accumulated packet filtering statistics. |
|
Inbound policy |
Accumulated packet filtering statistics in the inbound direction. |
|
Outbound policy |
Accumulated packet filtering statistics in the outbound direction. |
|
IPv4 ACL 2001 |
Accumulated packet filtering statistics of IPv4 basic ACL 2001. |
|
2 packets |
Two packets matched the rule. This field is not displayed when no packets matched the rule. |
|
Totally 2 packets permitted, 0 packets denied |
Number of packets permitted and denied by the ACL. |
|
Totally 100% permitted, 0% denied |
Ratios of permitted and denied packets to all packets. |
Related commands
reset packet-filter statistics
display packet-filter verbose
Use display packet-filter verbose to display ACL application details for packet filtering.
Syntax
display packet-filter verbose { global | interface interface-type interface-number | l2vpn-ac interface interface-type interface-number service-instance instance-id | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
global: Specifies all physical interfaces.
interface interface-type interface-number: Specifies an interface by its type and number. The slot slot-number option is not available for an Ethernet interface.
l2vpn-ac interface interface-type interface-number service-instance instance-id: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096.
vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ACL application details for packet filtering for the master device.
Usage guidelines
If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command displays application details of all ACLs for packet filtering.
Examples
# Display application details of all ACLs for inbound packet filtering on Ten-GigabitEthernet 1/0/1.
<Sysname> display packet-filter verbose interface ten-gigabitethernet 1/0/1 inbound
Interface: Ten-GigabitEthernet1/0/1
Inbound policy:
IPv4 ACL 2001
rule 0 permit
rule 5 permit source 1.1.1.1 0 (Failed)
IPv6 ACL 2000
rule 0 permit
MAC ACL 4000
IPv4 default action: Deny
MAC default action: Deny
# Display application details of all ACLs for inbound packet filtering on all physical interfaces.
<Sysname> display packet-filter verbose global inbound
Global:
Inbound policy:
IPv4 ACL 2001
rule 0 permit
rule 5 permit source 1.1.1.1 0 (Failed)
rule 10 permit vpn-instance test (Failed)
IPv4 ACL 2002 (Failed)
IPv6 ACL 2000, Hardware-count
MAC ACL 4000, Hardware-count
rule 0 permit
IPv4 default action: Deny
IPv6 default action: Deny
MAC default action: Deny
# Display application details of the ACL for inbound packet filtering on the list of VLAN interfaces.
<Sysname> display packet-filter verbose vlan-interface inbound
VLAN interface: 2 to 10
Inbound policy:
IPv4 ACL 2001, Hardware-count
rule 0 permit
rule 5 permit source 1.1.1.1 0
rule 10 permit vpn-instance test
# Display application details of all ACLs for inbound packet filtering on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.
<Sysname> display packet-filter verbose l2vpn-ac interface ten-gigabitethernet 1/0/1 service-instance 1 inbound
Interface: Ten-GigabitEthernet1/0/1 Service Instance ID: 1
Inbound policy:
IPv4 ACL 2001
rule 0 permit
rule 5 permit source 1.1.1.1 0 (Failed)
rule 10 permit vpn-instance test (Failed)
IPv6 ACL 2000
rule 0 permit
MAC ACL 4000
IPv4 default action: Deny
IPv6 default action: Deny
MAC default action: Deny
Table 5 Command output
|
Field |
Description |
|
Interface |
Interface to which the ACL applies. |
|
VLAN interface |
List of VLAN interfaces specified in the packet-filter vlan-interface command. |
|
Global |
ACL application details for packet filtering on all physical interfaces. |
|
Interface: Ten-GigabitEthernet1/0/1 Service Instance ID: 1 |
Ethernet service instance to which the ACL applies. Ten-GigabitEthernet1/0/1 is the interface where the Ethernet service instance resides. |
|
Inbound policy |
ACL used for filtering incoming traffic. |
|
Outbound policy |
ACL used for filtering outgoing traffic. |
|
IPv4 ACL 2001 |
IPv4 basic ACL 2001 has been successfully applied. |
|
IPv4 ACL 2002 (Failed) |
The device has failed to apply IPv4 basic ACL 2002. |
|
Hardware-count |
ACL rule match counting in hardware has been successfully enabled. |
|
Hardware-count (Failed) |
The device has failed to enable counting ACL rule matches in hardware. |
|
rule 5 permit source 1.1.1.1 0 (Failed) |
The device has failed to apply rule 5. |
|
IPv4 default action |
Packet filter default action for packets that do not match any IPv4 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
|
IPv6 default action |
Packet filter default action for packets that do not match any IPv6 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
|
MAC default action |
Packet filter default action for packets that do not match any Layer 2 ACLs: · Deny—The default action deny has been successfully applied for packet filtering. · Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The action permit still functions. · Permit—The default action permit has been successfully applied for packet filtering. |
display qos-acl resource
Use display qos-acl resource to display QoS and ACL resource usage.
Syntax
display qos-acl resource [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays QoS and ACL resource usage for all member devices.
Usage guidelines
This command does not display any usage data if the specified device does not support counting QoS and ACL resources.
The total number of QoS and ACL resources varies by operating mode. You can use the switch-mode command to set the operating mode and the display qos-acl resource command to display the total number of QoS and ACL resources. For more information about the switch-mode command, see device management commands in Fundamentals Command Reference.
Examples
# Display QoS and ACL resource usage.
<Sysname> display qos-acl resource
Interfaces: XGE1/0/1 to XGE1/0/48, HGE1/0/49
HGE1/0/50 (slot 1)
---------------------------------------------------------------------
Type Total Reserved Configured Remaining Usage
---------------------------------------------------------------------
TTI ACL 3072 0 2 3070 0%
IPCL0 ACL 768 9 0 759 1%
IPCL1 ACL 256 0 0 256 0%
IPCL2 ACL 256 30 0 226 11%
IPCL Counter 4096 35 0 4061 0%
EPCL ACL 256 0 0 256 0%
EPCL Counter 1024 0 0 1024 0%
IPCL Meter 4888 0 0 4888 0%
EPCL Meter 4096 0 0 4096 0%
Table 6 Command output
|
Field |
Description |
|
Interfaces |
Interface range for the resources. |
|
Type |
Resource type: · TTI ACL—ACL resources used for tunnel termination and interfaces. · IPCL ACL—ACL resources used for inbound policies. · IPCL Counter—Accounting resources used for inbound policies. · EPCL ACL—ACL resources used for outbound policies. · EPCL Counter—Accounting resources used for outbound policies. · IPCL Meter—Traffic policing resources used in inbound QoS policies. · EPCL Meter—Traffic policing resources used in outbound QoS policies. |
|
Total |
Total number of resources. |
|
Reserved |
Number of reserved resources. |
|
Configured |
Number of resources that has been applied. |
|
Remaining |
Number of resources that you can apply. |
|
Usage |
Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%. |
packet-filter (Ethernet service instance view)
Use packet-filter to apply an ACL to an Ethernet service instance to filter packets.
Use undo packet-filter to remove an ACL from an Ethernet service instance.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to an Ethernet service instance to filter packets.
Views
Ethernet service instance view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
Usage guidelines
For information about configuring Ethernet service instances, see MPLS L2VPN or VPLS in MPLS Configuration Guide or see VXLAN Configuration Guide.
If you use the acl-number argument to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the acl-number argument directly.
· To specify an IPv6 ACL, specify the ipv6 keyword, and then the acl-number argument.
· To specify a Layer 2 ACL or user-defined ACL, the mac or user-defined keyword is not a must. You can either specify the mac or user-defined keyword and then the acl-number argument or specify only the acl-number argument.
If you use the name acl-name option to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the name acl-name option.
· To specify an IPv6, Layer 2, or user-defined ACL, specify the related keyword and then the name acl-name option.
For an ACL applied to an Ethernet service instance, if the vpn-instance keyword is specified for an ACL rule, the ACL does not take effect. If the vpn-instance keyword is not specified, the rule applies to both public network and private network packets.
The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command, and then reconfigure the packet-filter command without specifying the hardware-count keyword.
To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.
Examples
# Apply IPv4 advanced ACL 3001 to filter incoming traffic on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] service-instance 200
[Sysname-Ten-GigabitEthernet1/0/1-srv200] packet-filter 3001 inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter (interface view)
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL from an interface.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to an interface to filter packets.
Views
Layer 2 Ethernet interface view
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
VLAN interface view
VSI interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
Usage guidelines
If you use the acl-number argument to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the acl-number argument directly.
· To specify an IPv6 ACL, specify the ipv6 keyword, and then the acl-number argument.
· To specify a Layer 2 ACL or user-defined ACL, the mac or user-defined keyword is not a must. You can either specify the mac or user-defined keyword and then the acl-number argument or specify only the acl-number argument.
If you use the name acl-name option to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the name acl-name option.
· To specify an IPv6, Layer 2, or user-defined ACL, specify the related keyword and then the name acl-name option.
For an ACL applied to an interface, if the vpn-instance keyword is specified for an ACL rule, the ACL does not take effect. If the vpn-instance keyword is not specified, the rule applies to both public network and private network packets.
The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.
To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.
To the same direction of an interface, you can apply a maximum of three ACLs: one IPv4 ACL, one IPv6 ACL, and one Layer 2 ACL.
You can use the packet-filter command in VLAN interface view or the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in one direction of a VLAN interface.
The packet filtering configured on a VLAN interface filters only packets forwarded at Layer 3.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on Ten-GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 inbound hardware-count
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter (user profile view)
Use packet-filter to apply an ACL to a user profile to filter packets.
Use undo packet-filter to remove an ACL from a user profile.
Syntax
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to a user profile to filter packets.
Views
User profile view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
acl-number: Specifies an ACL by its number:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Usage guidelines
To specify the IPv4 ACL type, do not provide the ipv6 keyword.
You can apply only one ACL to the same direction of a user profile.
For an ACL applied to a user profile, if the vpn-instance keyword is specified for an ACL rule, the ACL does not take effect. If the vpn-instance keyword is not specified, the rule applies to both public network and private network packets.
Examples
# Apply IPv4 basic ACL 2001 to filter traffic received by user profile user-profile1.
<Sysname> system-view
[Sysname] user-profile user-profile1
[Sysname-user-profile-user-profile1] packet-filter 2001 inbound
Related commands
display user-profile (Security Command Reference)
packet-filter default deny
Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.
Use undo packet-filter default deny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filtering default action is permit. The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.
Examples
# Set the packet filter default action to deny.
<Sysname> system-view
[Sysname] packet-filter default deny
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter filter
Use packet-filter filter to specify the applicable scope of packet filtering on a VLAN interface.
Use undo packet-filter filter to restore the default.
Syntax
packet-filter filter { route | all }
undo packet-filter filter
Default
The packet filtering filters packets forwarded at Layer 3.
Views
VLAN interface view
Predefined user roles
network-admin
Parameters
route: Filters packets forwarded at Layer 3 by the VLAN interface.
all: Filters all packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.
Examples
# Configure the packet filtering on VLAN-interface 2 to filter packets forwarded at Layer 3.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] packet-filter filter route
packet-filter global
Use packet-filter global to apply an ACL to filter packets globally.
Use undo packet-filter global to remove an ACL for global packet filtering.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } global { inbound | outbound }
Default
No ACL is applied to filter packets globally.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
global: Specifies all physical interfaces.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
Usage guidelines
If you use the acl-number argument to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the acl-number argument directly.
· To specify an IPv6 ACL, specify the ipv6 keyword, and then the acl-number argument.
· To specify a Layer 2 ACL or user-defined ACL, the mac or user-defined keyword is not a must. You can either specify the mac or user-defined keyword and then the acl-number argument or specify only the acl-number argument.
If you use the name acl-name option to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the name acl-name option.
· To specify an IPv6, Layer 2, or user-defined ACL, specify the related keyword and then the name acl-name option.
For an ACL applied globally, if the vpn-instance keyword is specified for an ACL rule, the ACL does not take effect. If the vpn-instance keyword is not specified, the rule applies to both public network and private network packets.
The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.
To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on all physical interfaces, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] packet-filter 2001 global inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
packet-filter vlan-interface
Use packet-filter vlan-interface to apply an ACL to a list of VLAN interfaces to filter packets.
Use undo packet-filter vlan-interface to remove an ACL from a list of VLAN interfaces.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } vlan-interface vlan-interface-list { inbound | outbound }
Default
No ACL is applied to a list of VLAN interfaces to filter packets.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
vlan-interface vlan-interface-list: Specifies a space-separated list of up to eight VLAN interface items. Each item specifies a VLAN interface or a range of VLAN interfaces in the form of start-vlan-interface to end-vlan-interface.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
Usage guidelines
If you use the acl-number argument to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the acl-number argument directly.
· To specify an IPv6 ACL, specify the ipv6 keyword, and then the acl-number argument.
· To specify a Layer 2 ACL or user-defined ACL, the mac or user-defined keyword is not a must. You can either specify the mac or user-defined keyword and then the acl-number argument or specify only the acl-number argument.
If you use the name acl-name option to specify an ACL, follow these guidelines:
· To specify an IPv4 ACL, use the name acl-name option.
· To specify an IPv6, Layer 2, or user-defined ACL, specify the related keyword and then the name acl-name option.
You can use the packet-filter command in VLAN interface view or use the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in the same direction of a VLAN interface.
You can apply only one ACL to the same direction of VLAN interfaces.
For an ACL applied to a list of VLAN interfaces, if the vpn-instance keyword is specified for an ACL rule, the ACL does not take effect. If the vpn-instance keyword is not specified, the rule applies to both public network and private network packets.
This command is available only when the system operates in PACKET-FILTER VLAN-INTERFACE mode. For more information about system operating modes, see device management in Fundamentals Configuration Guide.
The hardware-count keyword in this command enables match counting in hardware for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
With the packet-filter vlan-interface command, you can configure only two filters: one for each direction. You can repeat the command to add VLAN interfaces to the packet filter in each direction. As a best practice to save resources, use the packet-filter vlan-interface command to configure packet filtering for VLAN interfaces that share the same packet filtering ACL.
For a packet filter, the use of the hardware-count keyword must be consistent across all its VLAN interfaces. You must specify the hardware-count keyword for all its VLAN interfaces or none of its VLAN interfaces.
A list of VLAN interfaces can contain up to eight VLAN interface items. Each item has at least one VLAN interface. Follow these restrictions and guidelines when you use the undo packet-filter vlan-interface command:
· You can specify the entire VLAN interface list to remove the ACL from all VLAN interfaces in the list.
· You can specify one or more VLAN interface items of the list to remove the ACL from the specified VLAN interfaces.
· For a VLAN interface item with multiple VLAN interfaces, you cannot remove the ACL from only some of the VLAN interfaces of the VLAN interface item.
To disable ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the hardware-count keyword.
To disable ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the hardware-count keyword.
Examples
# Apply IPv4 basic ACL 2003 to filter incoming traffic on VLAN interfaces 3 through 10, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] packet-filter 2003 vlan-interface 3 to 10 inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
reset acl counter
Use reset acl counter to clear statistics for ACLs.
Syntax
reset acl [ ipv6 | mac | user-defined ] counter { acl-number | all | name acl-name }
Views
User view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
all: Clears statistics for all ACLs of the specified type.
name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
When specifying an ACL by its number, follow these rules:
· To specify an IPv6 ACL, you must specify both its ACL number and the ipv6 keyword.
· To specify a Layer 2 ACL, you can specify its ACL number without the mac keyword.
· To specify a user-defined ACL, you can specify its ACL number without the user-defined keyword.
To specify an IPv6 ACL, Layer 2 ACL, or user-defined ACL by a name, you must specify both the ACL name and the ipv6, mac, or user-defined keyword.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
Related commands
display acl
reset packet-filter statistics
Use reset packet-filter statistics to clear the packet filtering statistics.
Syntax
reset packet-filter statistics { global | interface [ interface-type interface-number ] | l2vpn-ac [ interface interface-type interface-number service-instance instance-id ] | vlan-interface } { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ]
Views
User view
Predefined user roles
network-admin
Parameters
global: Specifies all physical interfaces.
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering statistics for all interfaces.
l2vpn-ac [ interface interface-type interface-number service-instance instance-id ]: Specifies an Ethernet service instance on an interface. The interface-type interface-number argument represents the interface type and number. The instance-id argument represents the ID of the Ethernet service instance, in the range of 1 to 4096. If you do not specify an Ethernet service instance, this command clears packet filtering statistics for all Ethernet service instances.
vlan-interface: Specifies the list of VLAN interfaces specified in the packet-filter vlan-interface command.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If acl-number, name acl-name, ipv6, mac, or user-defined is not specified, this command clears the packet filtering statistics for all ACLs.
To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.
Examples
# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on Ten-GigabitEthernet 1/0/1.
<Sysname> reset packet-filter statistics interface ten-gigabitethernet 1/0/1 inbound 2001
# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on the list of VLAN interfaces.
<Sysname> reset packet-filter statistics vlan-interface inbound 2001
# Clear IPv4 basic ACL 2001 statistics for inbound packet filtering on Ethernet service instance 1 of Ten-GigabitEthernet 1/0/1.
<Sysname> reset packet-filter statistics interface ten-gigabitethernet 1/0/1 service-instance 1 inbound 2001
Related commands
display packet-filter statistics
display packet-filter statistics sum
rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | dest-address dest-wildcard | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | [ flow-logging | logging ] | packet-length operator length-value1 [ length-value2 ] | source { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | source-address source-wildcard | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | [ flow-logging | logging ] | packet-length | source | source-port | time-range | vpn-instance ] *
undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | dest-address dest-wildcard | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | [ flow-logging | logging ] | packet-length operator length-value1 [ length-value2 ] | source { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv4 advanced ACL rules exist.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies a protocol carried over IPv4 by its number in the range of 0 to 255 or by its keyword, as shown in Table 7.
Table 7 Protocols carried over IPv4
|
Number |
Keyword |
Description |
|
N/A |
ip |
Matches IPv4 packets. |
|
1 |
icmp |
Matches ICMP packets. |
|
2 |
igmp |
Matches IGMP packets. |
|
4 |
ipinip |
Matches IP-in-IP packets. |
|
6 |
tcp |
Matches TCP packets. |
|
17 |
udp |
Matches UDP packets. |
|
47 |
gre |
Matches GRE packets. For information about GRE, see Layer 3—IP Services Configuration Guide. |
|
89 |
ospf |
Matches OSPF packets. |
Table 8 describes the parameters that you can specify, regardless of the value for the protocol argument.
Table 8 Match criteria and other rule information for IPv4 advanced ACL rules
|
Parameters |
Function |
Description |
|
source { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | source-address source-wildcard | any } |
Specifies a source address. |
(Only the S5560X-HI and S6520X-HI switch series support the microsegment parameter.) The microsegment-id argument specifies a source microsegment ID in the range of 0 to 65535. Microsegment 0 is a system-defined microsegment, and it is insignificant. The mask-length mask-length option specifies a mask length for an aggregate microsegment. The value range for the mask-length argument is 1 to the number of contiguous 0s of the decimal number converted from the aggregate microsegment ID. If a mask length is specified, the microsegment-id argument must be an even number other than 0. For more information about microsegments, see Security Configuration Guide. The address-group-name argument specifies an object group of source IP addresses. The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword specifies any source IP address. |
|
destination { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | dest-address dest-wildcard | any } |
Specifies a destination address. |
(Only the S5560X-HI and S6520X-HI switch series support the microsegment parameter.) The microsegment-id argument specifies a destination microsegment ID in the range of 0 to 65535. Microsegment 0 is a system-defined microsegment, and it is insignificant. The mask-length mask-length option specifies a mask length for an aggregate microsegment. The value range for the mask-length argument is 1 to the number of contiguous 0s of the decimal number converted from the aggregate microsegment ID. For more information about microsegments, see Security Configuration Guide. The address-group-name argument specifies an object group of destination IP addresses. The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard mask represents a host address. The any keyword represents any destination IP address. |
|
counting |
Enables rule match counting in software. |
The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted in software. |
|
precedence precedence |
Specifies an IP precedence value. |
The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
|
tos tos |
Specifies a ToS preference. |
The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
|
dscp dscp |
Specifies a DSCP priority. |
The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
|
fragment |
Applies the rule only to fragments. |
If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
|
flow-logging |
Logs matching packets on a per-flow basis. The log information includes the number of matching packets, and the source IP address, destination IP address, source port number, and destination port number of the matching flow. |
This feature requires that the module (for example, packet filtering) that uses the ACL supports logging. |
|
logging |
Logs the number of matching packets. |
This feature requires that the module (for example, packet filtering) that uses the ACL supports logging. |
|
packet-length operator length-value1 [ length-value2 ] |
Matches the packet length in the Total Length field in the IPv4 packet header. |
The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The length-value2 argument is needed only when the operator argument is range. The length-value1 and length-value2 arguments are packet length values in the range of 0 to 16383 bytes. A rule with this option is not supported on a Layer 2 or Layer 3 aggregate interface. |
|
time-range time-range-name |
Specifies a time range for the rule. |
The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide. |
|
vpn-instance vpn-instance-name |
Applies the rule to an MPLS L3VPN instance. |
The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets. For an ACL used by other features, if you do not specify a VPN instance, the implementation varies by feature. For more information, see the configuration guide of the feature. |
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 9.
Table 9 TCP/UDP-specific parameters for IPv4 advanced ACL rules
|
Parameters |
Function |
Description |
|
source-port { object-group port-group-name | operator port1 [ port2 ] } |
Specifies one or more UDP or TCP source ports. |
The port-group-name argument specifies an object group of ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
|
destination-port { object-group port-group-name | operator port1 [ port2 ] } |
Specifies one or more UDP or TCP destination ports. |
|
|
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * |
Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. |
Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set. |
|
established |
Specifies the flags for indicating the established status of a TCP connection. |
Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument is icmp (1), set the parameters shown in Table 10.
Table 10 ICMP-specific parameters for IPv4 advanced ACL rules
|
Parameters |
Function |
Description |
|
icmp-type { icmp-type icmp-code | icmp-message } |
Specifies the ICMP message type and code. |
The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 11. |
Table 11 ICMP message names supported in IPv4 advanced ACL rules
|
ICMP message name |
ICMP message type |
ICMP message code |
|
echo |
8 |
0 |
|
echo-reply |
0 |
0 |
|
fragmentneed-DFset |
3 |
4 |
|
host-redirect |
5 |
1 |
|
host-tos-redirect |
5 |
3 |
|
host-unreachable |
3 |
1 |
|
information-reply |
16 |
0 |
|
information-request |
15 |
0 |
|
net-redirect |
5 |
0 |
|
net-tos-redirect |
5 |
2 |
|
net-unreachable |
3 |
0 |
|
parameter-problem |
12 |
0 |
|
port-unreachable |
3 |
3 |
|
protocol-unreachable |
3 |
2 |
|
reassembly-timeout |
11 |
1 |
|
source-quench |
4 |
0 |
|
source-route-failed |
3 |
5 |
|
timestamp-reply |
14 |
0 |
|
timestamp-request |
13 |
0 |
|
ttl-exceeded |
11 |
0 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
If an IPv4 advanced ACL is used for QoS traffic classification or packet filtering in a VXLAN network, the ACL matches packets as follows:
· On a VTEP, the ACL can only match the incoming packets of Ethernet service instances.
· On an intermediate transport device, the ACL can match both incoming packets and outgoing packets.
To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl advanced 3002
[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl advanced 3003
[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmptrap
# Create an IPv4 advanced ACL rule to permit the IP packets with its source IP address as a member of microsegment 1 and its destination IP address as a member of microsegment 2.
<Sysname> system-view
[Sysname] acl advanced 3005
[Sysname-acl-adv-3005] rule permit ip source microsegment 1 destination microsegment 2
Related commands
acl
acl logging interval
display acl
microsegment (Security Command Reference)
microsegment aggregation (Security Command Reference)
step
time-range
rule (IPv4 basic ACL view)
Use rule to create or edit an IPv4 basic ACL rule.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | [ flow-logging | logging ] | source { object-group address-group-name | source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | [ flow-logging | logging ] | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | [ flow-logging | logging ] | source { object-group address-group-name | source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv4 basic ACL rules exist.
Views
IPv4 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
fragment: Applies the rule only to fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
flow-logging: Logs matching packets on a per-flow basis. The log information includes the number of matching packets, and the source IP address, destination IP address, source port number, and destination port number of the matching flow. This feature is available only when the module (for example, packet filtering) that uses the ACL supports the logging feature.
logging: Logs the number of matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.
source { object-group address-group-name | source-address source-wildcard | any }: Matches a source address. The object-group address-group-name option specifies an object group of source IP addresses. The source-address and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. For an ACL used to filter packets, if you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets.For an ACL used by other features, if you do not specify a VPN instance, the implementation varies by feature. For more information, see the configuration guide of the feature.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
If an IPv4 basic ACL is used for QoS traffic classification or packet filtering in a VXLAN network, the ACL matches packets as follows:
· On a VTEP, the ACL can only match the incoming packets of Ethernet service instances.
· On an intermediate transport device, the ACL can match both incoming packets and outgoing packets.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL.
To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify
all the attributes of the rule for the command.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP subnet but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-basic-2000] rule deny source any
Related commands
acl
acl logging interval
display acl
step
time-range
rule (IPv6 advanced ACL view)
Use rule to create or edit an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { microsegment microsegment-id [ mask-length mask-length ] | dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | [ flow-logging | logging ] | packet-length operator length-value1 [ length-value2 ] | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | [ flow-logging | logging ] | packet-length | routing | hop-by-hop | source | source-port | time-range | vpn-instance ] *
undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | dscp dscp| flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | [ flow-logging | logging ] | packet-length operator length-value1 [ length-value2 ] | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv6 advanced ACL rules exist.
Views
IPv6 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies a protocol carried over IPv6 by its number in the range of 0 to 255 or by its keyword, as shown in Table 12.
Table 12 Protocols carried over IPv6
|
Number |
Keyword |
Description |
|
N/A |
ipv6 |
Matches IPv6 packets. |
|
1 |
icmpv6 |
Matches ICMPv6 packets. |
|
2 |
igmp |
Matches IGMP packets. |
|
4 |
ipinip |
Matches IP-in-IP packets. |
|
6 |
tcp |
Matches TCP packets. |
|
17 |
udp |
Matches UDP packets. |
|
47 |
gre |
Matches GRE packets. For information about GRE, see Layer 3—IP Services Configuration Guide. |
|
50 |
ipv6-esp |
Matches IPv6-ESP packets. |
|
51 |
ipv6-ah |
Matches IPv6-AH packets. |
|
89 |
ospf |
Matches OSPF packets. |
Table 13 describes the parameters that you can specify, regardless of the value for the protocol argument.
Table 13 Match criteria and other rule information for IPv6 advanced ACL rules
|
Parameters |
Function |
Description |
|
source { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } |
Specifies a source IPv6 address. |
The microsegment-id argument specifies a source microsegment ID in the range of 0 to 65535. Microsegment 0 is a system-defined microsegment, and its function depends on the device model. The mask-length mask-length option specifies a mask length for an aggregate microsegment. The value range for the mask-length argument is 1 to the number of contiguous 0s of the decimal number converted from the aggregate microsegment ID. For more information about microsegments, see Security Configuration Guide. The address-group-name argument specifies an object group of source IPv6 addresses. The source-address argument specifies an IPv6 source address. The source-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address. |
|
destination { microsegment microsegment-id [ mask-length mask-length ] | object-group address-group-name | dest-address dest-prefix | dest-address/dest-prefix | any } |
Specifies a destination IPv6 address. |
(Only the S5560X-HI and S6520X-HI switch series support the microsegment parameter.) The microsegment-id argument specifies a destination microsegment ID in the range of 0 to 65535. Microsegment 0 is a system-defined microsegment, and it is insignificant. The mask-length mask-length option specifies a mask length for an aggregate microsegment. The value range for the mask-length argument is 1 to the number of contiguous 0s of the decimal number converted from the aggregate microsegment ID. If a mask length is specified, the microsegment-id argument must be an even number other than 0. For more information about microsegments, see Security Configuration Guide. The address-group-name argument specifies an object group of destination IPv6 addresses. The dest-address argument specifies a destination IPv6 address. The dest-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 destination address. |
|
counting |
Enables rule match counting in software. |
The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting in hardware for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted in software. |
|
dscp dscp |
Specifies a DSCP preference. |
The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
|
flow-label flow-label-value |
Specifies a flow label value in an IPv6 packet header. |
The flow-label-value argument is in the range of 0 to 1048575. |
|
fragment |
Applies the rule only to fragments. |
If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
|
flow-logging |
Logs matching packets on a per-flow basis. The log information includes the number of matching packets, and the source IP address, destination IP address, source port number, and destination port number of the matching flow. |
This feature requires that the module (for example, packet filtering) that uses the ACL supports logging. |
|
logging |
Logs the number of matching packets. |
This feature requires that the module (for example, packet filtering) that uses the ACL supports logging. |
|
packet-length operator length-value1 [ length-value2 ] |
Matches the packet length, including the IPv6 basic header, IPv6 extension header, and payload. |
The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The length-value2 argument is needed only when the operator argument is range. The value range for the length-value1 and length-value2 arguments varies by device model. |
|
routing [ type routing-type ] |
Specifies an IPv6 routing header type. |
routing-type: Value of the IPv6 routing header type, in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing headers. |
|
hop-by-hop [ type hop-type ] |
Specifies an IPv6 Hop-by-Hop Options header type. |
hop-type: Value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255. If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. If you do not specify the type hop-type option, the rule applies to all types of IPv6 Hop-by-Hop Options header. |
|
time-range time-range-name |
Specifies a time range for the rule. |
The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide. |
|
vpn-instance vpn-instance-name |
Applies the rule to an MPLS L3VPN instance. |
The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets For an ACL used by other features, if you do not specify a VPN instance, the implementation varies by feature. For more information, see the configuration guide of the feature. |
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 14.
Table 14 TCP/UDP-specific parameters for IPv6 advanced ACL rules
|
Parameters |
Function |
Description |
|
source-port { object-group port-group-name | operator port1 [ port2 ] } |
Specifies one or more UDP or TCP source ports. |
The port-group-name argument specifies an object group of ports. The operator argument can be only eq (equal to).. The port argument specifies a TCP or UDP port number in the range of 0 to 65535. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
|
destination-port { object-group port-group-name | operator port1 [ port2 ] } |
Specifies one or more UDP or TCP destination ports. |
|
|
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * |
Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. |
Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set. |
|
established |
Specifies the flags for indicating the established status of a TCP connection. |
Parameter specific to TCP. The rule matches TCP packets with the ACK or RST flag bit set. |
If the protocol argument is icmpv6 (58), set the parameters shown in Table 15.
Table 15 ICMPv6-specific parameters for IPv6 advanced ACL rules
|
Parameters |
Function |
Description |
|
icmp6-type { icmp6-type icmp6-code | icmp6-message } |
Specifies the ICMPv6 message type and code. |
The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 16. |
Table 16 ICMPv6 message names supported in IPv6 advanced ACL rules
|
ICMPv6 message name |
ICMPv6 message type |
ICMPv6 message code |
|
echo-reply |
129 |
0 |
|
echo-request |
128 |
0 |
|
err-Header-field |
4 |
0 |
|
frag-time-exceeded |
3 |
1 |
|
hop-limit-exceeded |
3 |
0 |
|
host-admin-prohib |
1 |
1 |
|
host-unreachable |
1 |
3 |
|
neighbor-advertisement |
136 |
0 |
|
neighbor-solicitation |
135 |
0 |
|
network-unreachable |
1 |
0 |
|
packet-too-big |
2 |
0 |
|
port-unreachable |
1 |
4 |
|
redirect |
137 |
0 |
|
router-advertisement |
134 |
0 |
|
router-solicitation |
133 |
0 |
|
unknown-ipv6-opt |
4 |
2 |
|
unknown-next-hdr |
4 |
1 |
Usage guidelines
If an IPv6 advanced ACL is used for QoS traffic classification or packet filtering:
· Do not specify the fragment keyword.
· Do not specify the routing, hop-by-hop, or flow-label keyword if the ACL is for outbound application.
An ACL rule does not support configuring both the routing keyword and any other protocol type carried by IPv6.
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
Examples
<Sysname> system-view
[Sysname] acl ipv6 advanced 3000
[Sysname-acl-ipv6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3001
[Sysname-acl-ipv6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
[Sysname-acl-ipv6-adv-3001] rule permit ipv6
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3002
[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3003
[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmptrap
# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets with the Hop-by-Hop Options header type as 5, and the other one denies packets with other Hop-by-Hop Options header types.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3004
[Sysname-acl-ipv6-adv-3004] rule permit ipv6 hop-by-hop type 5
[Sysname-acl-ipv6-adv-3004] rule deny ipv6 hop-by-hop
# Create an IPv6 advanced ACL rule to permit the IPv6 packets with its source IPv6 address as a member of microsegment 1 and its destination IPv6 address as a member of microsegment 2.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3006
[Sysname-acl-ipv6-adv-3006] rule permit ipv6 source microsegment 1 destination microsegment 2
Related commands
acl
acl logging interval
display acl
microsegment (Security Command Reference)
microsegment aggregation (Security Command Reference)
step
time-range
rule (IPv6 basic ACL view)
Use rule to create or edit an IPv6 basic ACL rule.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | [ flow-logging | logging ] | routing [ type routing-type ] | source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | [ flow-logging | logging ] | routing | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | [ flow-logging | logging ] | routing [ type routing-type ] | source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv6 basic ACL rules exist.
Views
IPv6 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
fragment: Applies the rule only to fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
flow-logging: Logs matching packets on a per-flow basis. The log information includes the number of matching packets, and the source IP address, destination IP address, source port number, and destination port number of the matching flow. This feature is available only when the module (for example, packet filtering) that uses the ACL supports the logging feature.
logging: Logs the number of matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.
routing [ type routing-type ]: Applies the rule to the specified type of IPv6 routing header or all types of IPv6 routing headers. The routing-type argument specifies the value of the IPv6 routing header type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing headers.
source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any }: Matches a source IPv6 address. The object-group address-group-name option specifies an object group of source IPv6 addresses. The source-address argument specifies a source IPv6 address. The source-prefix argument specifies an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. For an ACL used to filter packets, if you do not specify a VPN instance, the rule applies to both non-VPN packets and VPN packets. For an ACL used by other features, if you do not specify a VPN instance, the implementation varies by feature. For more information, see the configuration guide of the feature
Usage guidelines
The fragment keyword is not supported for a QoS policy or a packet filter.
The routing keyword is not supported for an outbound QoS policy or packet filter.
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting in hardware for all rules in an ACL.
To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP subnet but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 16
[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl-ipv6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl-ipv6-basic-2000] rule deny source any
Related commands
acl
acl logging interval
display acl
step
time-range
rule (Layer 2 ACL view)
Use rule to create or edit a Layer 2 ACL rule.
Use undo rule to delete an entire Layer 2 ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
undo rule { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
Default
No Layer 2 ACL rules exist.
Views
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos dot1p: Matches an 802.1p priority. The 802.1p priority can be specified by one of the following values:
· A priority number in the range of 0 to 7.
· A priority name: best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a hexadecimal number that represents the encapsulation format. The value range for the lsap-type argument is 0 to ffff. The lsap-type-mask argument is a hexadecimal number that represents the LSAP mask. The value range for the lsap-type-mask argument is 0 to ffff.
type protocol-type protocol-type-mask: Matches one or more protocols in the Layer 2. The protocol-type argument is a hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The value range for the protocol-type argument is 0 to ffff. The protocol-type-mask argument is a hexadecimal number that represents a protocol type mask. The value range for the protocol-type-mask argument is 0 to ffff.
source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the sour-mask argument represents a mask in the H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL.
To view the existing Layer 2 ACL rules, use the display acl mac all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
Examples
# Create a rule in Layer 2 ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000] rule permit type 0806 ffff
[Sysname-acl-mac-4000] rule deny type 8035 ffff
Related commands
acl
display acl
step
time-range
rule (user-defined ACL view)
Use rule to create or edit a user-defined ACL rule.
Use undo rule to delete a user-defined ACL rule.
Syntax
rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
undo rule rule-id
undo rule { deny | permit } [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
Command set 2:
rule [ rule-id ] { deny | permit } [ ipv6-protocol ] protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { object-group address-group-name | dest-address dest-wildcard | any | microsegment microsegment-id [ mask-length mask-length ] } | destination-port { operator port1 [ port2 ] } | { { precedence precedence | tos tos } * | dscp dscp } | source { object-group address-group-name | source-address source-wildcard | any | microsegment microsegment-id [ mask-length mask-length ] } | source-port { operator port1 [ port2 ] } | udf-format ] * [ { { ipv4 | ipv6 | l2 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
undo rule rule-id [ ipv6-protocol ] [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | { { precedence | tos } * | dscp } } | source | source-port | udf-format | vpn-instance | ipv4 | ipv6 | l2 | counting | time-range ] *
undo rule { deny | permit } [ ipv6-protocol ] protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { object-group address-group-name | dest-address dest-wildcard | any | microsegment microsegment-id [ mask-length mask-length ] } | destination-port { operator port1 [ port2 ] } } | { { precedence precedence | tos tos } * | dscp dscp } | source { object-group address-group-name | source-address source-wildcard | any | microsegment microsegment-id [ mask-length mask-length ] } | source-port { operator port1 [ port2 ] } | udf-format ] * [ { { ipv4 | ipv6 | l2 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
Default
No user-defined ACL rules exist.
Views
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. The numbering step for user-defined ACLs is fixed at 5. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
ipv4: Specifies that the offset is relative to the beginning of the IPv4 header.
ipv6: Specifies that the offset is relative to the beginning of the IPv6 header.
l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.
l4: Specifies that the offset is relative to the beginning of the Layer 4 header.
l5: Specifies that the offset is relative to the beginning of the Layer 5 header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. A match pattern mask is used for ANDing the selected string of a packet.
offset: Specifies an offset in bytes after which the match operation begins.
&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
ipv6-protocol: Matches IPv6 packets. If you specify this parameter, do not specify the ipv4 keyword in the command. If you do not specify this parameter, the command matches IPv4 packets, and do not specify the ipv6 keyword in the command.
protocol: Specifies one of the following values:
· For IPv4:
¡ A protocol number in the range of 0 to 255.
¡ A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
· For IPv6:
¡ A protocol number in the range of 0 to 255.
¡ A protocol by its name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.
If the protocol argument is tcp (6), set the parameters shown in Table 17.
Table 17 TCP-specific parameters for user-defined ACL rules
|
Parameters |
Function |
Description |
|
ack ack-value |
Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. |
The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches the packets that have the ACK flag bit not set and the PSH flag bit set. |
|
fin fin-value |
||
|
psh psh-value |
||
|
rst rst-value |
||
|
syn syn-value |
||
|
urg urg-value |
||
|
established |
Specifies the flags for indicating the established status of a TCP connection. |
The rule matches TCP connection packets with the ACK or RST flag bit set. |
precedence precedence: Specifies an IP precedence value in the range of 0 to 7 or specifies one of the following keywords: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), and network (7).
tos tos: Specifies a ToS value in the range of 0 to 15 or specifies one of the following keywords: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), and normal (0).
dscp dscp: Specifies a DSCP value, which can be a number from 0 to 63 or a keyword in Table 18.
Table 18 DSCP keywords and values
|
Keyword |
DSCP value (binary) |
DSCP value (decimal) |
|
af11 |
001010 |
10 |
|
af12 |
001100 |
12 |
|
af13 |
001110 |
14 |
|
af21 |
010010 |
18 |
|
af22 |
010100 |
20 |
|
af23 |
010110 |
22 |
|
af31 |
011010 |
26 |
|
af32 |
011100 |
28 |
|
af33 |
011110 |
30 |
|
af41 |
100010 |
34 |
|
af42 |
100100 |
36 |
|
af43 |
100110 |
38 |
|
cs1 |
001000 |
8 |
|
cs2 |
010000 |
16 |
|
cs3 |
011000 |
24 |
|
cs4 |
100000 |
32 |
|
cs5 |
101000 |
40 |
|
cs6 |
110000 |
48 |
|
cs7 |
111000 |
56 |
|
default |
000000 |
0 |
|
ef |
101110 |
46 |
source { source-address source-wildcard | any }: Specifies a source IP address.
· The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address.
· The any keyword specifies any source IP address.
destination { dest-address dest-wildcard | any }: Specifies a destination IP address.
· The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address.
· The any keyword specifies any destination IP address.
source object-group address-group-name: Specifies an object group of source IP addresses. To specify an IPv6 address object group, also specify the ipv6-protocol parameter. The specified address object group must already exist.
destination object-group address-group-name: Specifies an object group of destination IP addresses. To specify an IPv6 address object group, also specify the ipv6-protocol parameter. The specified address object group must already exist.
source microsegment microsegment-id [ mask-length mask-length ]: Specifies source microsegments.
destination microsegment microsegment-id [ mask-length mask-length ]: Specifies destination microsegments.
· microsegment-id: Secifies a destination microsegment ID in the range of 0 to 65535.
· mask-length mask-length: Specifies a mask length for an aggregate microsegment. The value range for the argument is 1 to the number of contiguous 0s of the decimal number converted from the aggregate microsegment ID. If a mask length is specified, the microsegment-id argument must be an even number other than 0. If the aggregate microsegment has not been created, it is automtically created and can be displayed by using the display acl command instead of the display microsegment aggregation command.
|
|
NOTE: Only the S5560X-HI and S6520X-HI switch series support the microsegment microsegment-id option. |
source-port { operator port1 [ port2 ] }: Specifies one or more source TCP or UDP ports.
· The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
· The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.
destination-port { operator port1 [ port2 ] }: Specifies one or more destination TCP or UDP ports.
· The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
· The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.
udf-format: Specifies the packet format. The following packet formats are supported:
· ifa—Matches INT packets.
· raw_ip—For IPv4, matches all packets except for GRE, ICMP, IGMP, IPinIP, OSPF, TCP, and UDP packets. For IPv6, matches all packets except for GRE, ICMPv6, IPv6, IPv6-AH, IPv6-ESP, TCP, and UDP packets.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
If the rule ID has been used when you create a rule:
· For command set 1, the new rule overwrites the existing rule.
· For command set 2, the contents in the new rule are incrementally added to the existing rule.
Both the undo rule rule-id command and the undo rule { deny | permit } command can delete an entire rule. When you use the undo rule { deny | permit } command, you must specify all the attributes of the rule. The undo rule { deny | permit } command is used to delete rules without rule IDs created by scripts.
For command set 2:
· In addition to user-defined strings, a rule can use the source IP address, destination IP address, port number, and protocol type to match packets.
· To match INT packets, follow these rules:
¡ To match TCP INT packets, specify tcp for the protocol argument.
¡ To match UDP INT packets, specify udp for the protocol argument.
¡ Specify ifa for the udf-format argument, and specify l5 for offset purposes.
· To match TCP packets, specify tcp for the protocol argument, and specify l5 for offset purposes.
· To match UDP packets, specify udp for the protocol argument, and specify l4 or l5 for offset purposes.
· To match IP packets, specify ip for the protocol argument, and specify l4 for offset purposes.
· You can use the undo rule rule-id command to delete some attributes of the rule by specifying keywords in the command or delete the entire rule without specifying any keywords.
· For a rule to take effect, do not configure both IPv4 and IPv6 attributes in the rule.
· The precedence and tos parameters cannot be used to match IPv6 packets.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL.
To view the existing user-defined ACL rules, use the display acl user-defined all command.
To match the GRE packets with specific flags set and with GRE header of the specified length:
· Specify gre for the protocol argument.
· Specify a header length for the udf-format argument.
· Specify an offset to match the C, R, and K bits.
For example, to match the GRE over IPv4 packets with a 4-byte GRE header and with C=0, R=0, and K=1, execute the rule permit gre gre-8byte l4 20 e0 0 command. To match the GRE over IPv6 packets with a 4-byte GRE header and with C=0, R=0, and K=1, execute the rule permit ipv6-protocol gre gre-8byte l4 20 e0 0 command.
· The value l4 indicates that the offset starts from the Layer 4 header.
· The value 20 represents the string to match (the three most significant bits (C, R, and K bits) are 001.
· The value e0 indicates that only the three most significant bits are of interest.
· The value 0 indicates no offset.
Examples
# Create a rule for user-defined ACL 5005 to permit ARP packets where the 12th and 13th bytes starting from the Layer 2 header are 0x0806.
<Sysname> system-view
[Sysname] acl user-defined 5005
[Sysname-acl-user-5005] rule permit l2 0806 ffff 12
# Create a rule for user-defined ACL 5007 to allow hosts in subnet 2030:5060::/64 to establish connections with destination port 80 on hosts in subnet FE80:5060::/96.
<Sysname> system-view
[Sysname] acl user-defined 5007
[Sysname-acl-user-5007] rule permit ipv6-protocol tcp source 2030:5060::/64 destination fe80:5060::/96
# Create a rule for user-defined ACL 5009 to allow the TCP packets with the ACK bit set to pass through.
<Sysname> system-view
[Sysname] acl user-defined 5009
[Sysname-acl-user-5009] rule permit tcp ack 1
# Create a rule for user-defined ACL 5010 to allow the IPv4 and IPv6 packets with source UDP port number 100.
<Sysname> system-view
[Sysname] acl user-defined 5010
[Sysname-acl-user-5010] rule permit dual-stack udp source-port eq 100
Related commands
acl
display acl
microsegment (Security Command Reference)
microsegment aggregation (Security Command Reference)
object-group (Security Command Reference)
time-range
rule comment
Use rule comment to configure a comment for an ACL rule.
Use undo rule comment to delete an ACL rule comment.
Syntax
rule rule-id comment text
undo rule rule-id comment
Default
A rule does not have a comment.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Usage guidelines
This command adds a comment to a rule if the rule does not have a comment. It modifies the comment for a rule if the rule already has a comment.
Examples
# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2000] rule 0 comment This rule is used on ten-gigabitethernet 1/0/1.
Related commands
display acl
rule remark
Use rule remark to insert a remark for an ACL rule.
Use undo rule remark to delete ACL rule remarks.
Syntax
rule [ rule-id ] remark text
undo rule [ rule-id ] remark [ text ]
Default
An ACL rule does not have a remark.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule can be an existing or nonexistent one. The rule ID determines the position where a remark is placed:
· For the config match order, if the rule ID is the same as an existing rule ID, the device inserts the remark before the existing rule. If the rule ID is a new rule ID, the device inserts the remark according to ascending order of rule IDs.
· For the auto match order, if the rule ID is the same as an existing rule ID, the device inserts the remark before the existing rule. If the rule ID is a new rule ID, the device inserts the remark at the end of the ACL rules.
text: Specifies a remark for the ACL rule, a case-sensitive string of 1 to 127 characters.
Usage guidelines
If you do not specify the rule-id argument in the rule remark command, the system automatically assigns a rule ID to the remark. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0.
If you do not specify the rule-id or text argument in the undo rule remark command, the system deletes all rule remarks. If you do not specify the rule-id argument but specify the text argument, the system deletes only the specified remark.
Examples
# Add remarks Rules for VIP_start and Rules for VIP_end for rule 10 and rule 25, respectively, to indicate that rule 10, rule 15, rule 20, and rule 25 are designed for VIP users.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-basic-2000] rule 10 remark Rules for VIP_start
[Sysname-acl-basic-2000] rule 26 remark Rules for VIP_end
[Sysname-acl-basic-2000] display this
#
acl number 2000
rule 0 permit source 14.1.1.0 0.0.0.255
rule 5 permit source 10.1.1.1 0 time-range work-time
rule 10 remark Rules for VIP_start
rule 10 permit source 192.168.0.0 0.0.0.255
rule 15 permit source 1.1.1.1 0
rule 20 permit source 10.1.1.1 0
rule 25 permit counting
rule 26 remark Rules for VIP_end
#
return
Related commands
display acl
step
Use step to set a rule numbering step for an ACL.
Use undo step to restore the default.
Syntax
step step-value [ start start-value ]
undo step
Default
The rule numbering step is 5, and the start rule ID is 0.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
Predefined user roles
network-admin
Parameters
step-value: Specifies the ACL rule numbering step in the range of 1 to 20.
start start-value: Specifies the start rule ID in the range of 0 to 20.
Usage guidelines
The rule numbering step sets the increment by which the system numbers rules automatically. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 12, the rule is numbered 15.
The wider the numbering step, the more rules you can insert between two rules. Whenever the step or start rule ID changes, the rules are renumbered, starting from the start rule ID. For example, if there are five rules numbered 0, 5, 9, 10, and 15, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] step 2
Related commands
display acl
