09-ACL and QoS Command Reference

01-ACL commands

ACL commands

In this document, EB cards refer to the interface cards suffixed with EB, EC1 cards refer to the interface cards suffixed with EC1, EC2 cards refer to the interface cards suffixed with EC2, EF cards refer to the interface cards suffixed with EF, FD cards refer to the interface cards suffixed with FD, and FG cards refer to the cards suffixed with FG.

acl

Use acl to create an ACL and enter its view. If the ACL already exists, this command enters its view directly.

Use undo acl to delete the specified or all ACLs.

Syntax

acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl [ ipv6 ] { all | name acl-name | number acl-number }

Default

No ACL exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

number acl-number: Specifies the number of an ACL.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion with the all keyword, it cannot be all.

match-order: Sets the order in which ACL rules are compared against packets.

·     auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL category. For more information, see ACL and QoS Configuration Guide.

·     config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If you do not specify a match order, the config order applies by default.

The match-order keyword is not available for user-defined ACLs. They always use the config order.

all: Specifies all ACLs.

·     If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.

·     If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Usage guidelines

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

You can change the match order only for ACLs that do not contain any rules.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2001 with the name flow, and enter its view.

<Sysname> system-view

[Sysname] acl number 2001 name flow

[Sysname-acl-basic-2001-flow]

Related commands

display acl

acl copy

Use acl copy to create an ACL by copying an ACL that already exists.

Syntax

acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

source-acl-number: Specifies an existing source ACL by its number.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL; if you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. If you do not specify an ACL number, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL. Available value ranges include:

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion with the all keyword, it cannot be all. If you do not specify an ACL name, the system does not name the ACL. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL; if you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Usage guidelines

The new ACL has the same properties and content as the source ACL, but a different ACL number and name.

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view

[Sysname] acl copy 2001 to 2002

acl hardware-mode

Use acl hardware-mode to specify the ACL hardware mode.

Syntax

acl hardware-mode { advanced | basic }

Default

The ACL hardware mode is advanced.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

advanced: Specifies the advanced ACL hardware mode. In this mode, the card supports IPv4 basic, IPv4 advanced, Ethernet frame header, IPv6 basic, IPv6 advanced, and user-defined ACLs.

basic: Specifies the basic ACL hardware mode. In this mode, the card supports only IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.

Usage guidelines

 


IMPORTANT:

Use caution when changing the ACL hardware mode. The change can invalidate existing ACL configuration, because the two modes support different ACL categories (for example, IPv6 and user-defined ACLs are not supported in basic mode).

 

This command applies only to EB, EC2, and FD cards.

To make the configuration take effect, you must save it and then restart the device.

Devices with different ACL hardware modes cannot form an IRF fabric. For more information about IRF, see Virtual Technologies Configuration Guide.

This command is supported only by the default MDC. For more information about MDC, see Virtual Technologies Configuration Guide.

Examples

# Specify the ACL hardware mode as basic.

<Sysname> system-view

[Sysname] acl hardware-mode basic

Related commands

display acl hardware-mode

acl hardware-mode ipv6

Use acl hardware-mode ipv6 to enable or disable IPv6 for the ACL hardware mode.

Syntax

acl hardware-mode ipv6 { disable | enable }

Default

IPv6 is disabled for the ACL hardware mode.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

disable: Disables IPv6 for the ACL hardware mode. When IPv6 is disabled, the card supports only IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.

enable: Enables IPv6 for the ACL hardware mode. When IPv6 is enabled, the card supports IPv4 basic, IPv4 advanced, Ethernet frame header, IPv6 basic, IPv6 advanced, and user-defined ACLs.

Usage guidelines

This command applies only to EC1, EF, and FG cards.

To make the configuration take effect, you must save it and then restart the device.

The ACL hardware mode must be the same on all IRF member devices. Otherwise, the devices cannot form an IRF fabric. For more information about IRF, see Virtual Technologies Configuration Guide.

This command is supported only by the default MDC. For more information about MDC, see Virtual Technologies Configuration Guide.

Examples

# Enable IPv6 for the ACL hardware mode.

<Sysname> system-view

[Sysname] acl hardware-mode ipv6 enable

Related commands

display acl hardware-mode
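A walkthrough of a hardware-mode change, added here as an illustration and not taken from the H3C documentation. It ties together acl hardware-mode, display acl hardware-mode, and the restart that both hardware-mode commands require. The save and reboot commands are standard Comware commands assumed here and are not documented on this page; the displayed values are illustrative.

```text
# 1. Record the running mode and the mode queued for the next startup.
<Sysname> display acl hardware-mode
Current ACL hardware mode:
 Mode: Advanced
 IPv6 status: Disabled
Next startup ACL hardware mode:
 Mode: Advanced
 IPv6 status: Disabled

# 2. Queue the change. On EB, EC2, or FD cards use acl hardware-mode;
#    on EC1, EF, or FG cards use acl hardware-mode ipv6 instead.
<Sysname> system-view
[Sysname] acl hardware-mode basic
[Sysname] quit

# 3. Verify that only the next-startup entry changed: the running mode is
#    untouched until the device restarts.
<Sysname> display acl hardware-mode
Current ACL hardware mode:
 Mode: Advanced
 IPv6 status: Disabled
Next startup ACL hardware mode:
 Mode: Basic
 IPv6 status: Disabled

# 4. Save, then restart so the queued mode takes effect (save and reboot assumed).
<Sysname> save
<Sysname> reboot
```

Before step 4, run display acl ipv6 all and display acl all and look for IPv6 ACLs and user-defined ACLs (5000 to 5999): basic mode does not support them, which is what the IMPORTANT note above means by configuration becoming invalid. In an IRF fabric the mode must be the same on every member, or the members cannot form a fabric after the restart.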

acl logging interval

Use acl logging interval to set the interval for generating and outputting packet filtering logs. The log information includes the number of matching packets and the matched ACL rules.

Use undo acl logging interval to restore the default.

Syntax

acl [ ipv6 ] logging interval interval

undo acl [ ipv6 ] logging interval

Default

The interval is 0, and no packet filtering logs are generated.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interval: Specifies the interval in minutes at which packet filtering logs are generated and output. It must be a multiple of 5 and in the range of 0 to 1440. To disable generating packet filtering logs, assign 0 to the argument.

Usage guidelines

The system collects packet filtering logs only for IPv4 basic, IPv4 advanced, IPv6 basic, and IPv6 advanced ACL rules that have the logging keyword.

·     When the ipv6 keyword is not specified, this command sets the interval for generating and outputting IPv4 packet filtering logs.

·     When the ipv6 keyword is specified, this command sets the interval for generating and outputting IPv6 packet filtering logs.

Examples

# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.

<Sysname> system-view

[Sysname] acl logging interval 10

Related commands

·     rule (IPv4 advanced ACL view)

·     rule (IPv4 basic ACL view)

·     rule (IPv6 advanced ACL view)

·     rule (IPv6 basic ACL view)

acl name

Use acl name to enter the view of an ACL that has a name.

Syntax

acl [ ipv6 ] name acl-name

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

acl-name: Specifies the name of an ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Examples

# Enter the view of IPv4 basic ACL flow, which already exists.

<Sysname> system-view

[Sysname] acl name flow

[Sysname-acl-basic-2001-flow]

# Enter the view of IPv6 basic ACL flow, which already exists.

<Sysname> system-view

[Sysname] acl ipv6 name flow

[Sysname-acl6-basic-2001-flow]

Related commands

acl

description

Use description to configure a description for an ACL.

Use undo description to delete an ACL description.

Syntax

description text

undo description

Default

An ACL has no description.

Views

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

Related commands

display acl

display acl

Use display acl to display configuration and match statistics for ACLs.

Syntax

display acl [ ipv6 ] { acl-number | all | name acl-name }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

acl-number: Specifies an ACL by its number.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

all: Displays information about all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs if you do not specify the ipv6 keyword, or displays information about all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Usage guidelines

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display configuration and match statistics for IPv4 basic ACL 2001.

<Sysname> display acl 2001

Basic ACL  2001, named flow, 1 rule, match-order is auto,

This is an IPv4 basic ACL.

ACL's step is 5

 rule 5 permit source 1.1.1.1 0 (5 times matched)

 rule 5 comment This rule is used on GigabitEthernet 5/0/1.

Table 1 Command output

Field | Description
Basic ACL 2001 | Category and number of the ACL. The fields that follow describe IPv4 basic ACL 2001.
named flow | The name of the ACL is flow. If the ACL is not named, this field displays -none-.
1 rule | The ACL contains one rule.
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
This is an IPv4 basic ACL. | Description of this ACL.
ACL's step is 5 | The rule numbering step is 5.
rule 5 permit source 1.1.1.1 0 | Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1.
5 times matched | There have been five matches for the rule. The statistic counts only ACL matches performed in software; matches performed in hardware are not included, so for packet filtering use display packet-filter statistics to see hardware match counts. This field is not displayed when no packets matched the rule.
rule 5 comment This rule is used on GigabitEthernet 5/0/1. | Comment of ACL rule 5.

 

display acl hardware-mode

Use display acl hardware-mode to display information about the ACL hardware mode and the IPv6 status for the mode.

Syntax

display acl hardware-mode

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Usage guidelines

This command is supported only by the default MDC. For more information about MDC, see Virtual Technologies Configuration Guide.

Examples

# Display information about the ACL hardware mode and the IPv6 status for the mode.

<Sysname> display acl hardware-mode

Current ACL hardware mode:

 Mode: Advanced

 IPv6 status: Disabled

Next startup ACL hardware mode:

 Mode: Basic

 IPv6 status: Enabled

Table 2 Command output

Field | Description
Current ACL hardware mode | Current ACL hardware mode and the IPv6 status for the mode.
Next startup ACL hardware mode | ACL hardware mode and IPv6 status at next startup.
Mode | ACL hardware mode: Basic or Advanced.
IPv6 status | IPv6 status for the ACL hardware mode: Enabled or Disabled.

 

display packet-filter

Use display packet-filter to display whether an ACL has been successfully applied to an interface for packet filtering.

Syntax

In standalone mode:

display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | { global | interface vlan-interface vlan-interface-number | vlan [ vlan-id ] } [ inbound | outbound ] [ slot slot-number ] }

In IRF mode:

display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | { global | interface vlan-interface vlan-interface-number | vlan [ vlan-id ] } [ inbound | outbound ] [ chassis chassis-number slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

global: Specifies all physical interfaces.

interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN interfaces are not supported. If you do not specify an interface, this command displays ACL application information on all interfaces except VLAN interfaces for packet filtering.

interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.

vlan [ vlan-id ]: Specifies a VLAN by its ID. If you do not specify any VLAN, the command displays ACL application information in all VLANs for packet filtering.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ACL application information on the MPU for packet filtering. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the ID of the IRF member device, and the slot-number argument represents the number of the slot that holds the card. If you do not specify an IRF member device or card, this command displays ACL application information for packet filtering on all MPUs of the IRF fabric. (In IRF mode.)

Usage guidelines

If neither the inbound keyword nor the outbound keyword is specified, this command displays the ACL application information for packet filtering in both directions.

Examples

# Display ACL application information for inbound and outbound packet filtering in VLAN 2.

<Sysname> display packet-filter vlan 2

VLAN: 2

 In-bound policy:

  ACL 2001

  ACL6 2001

  ACL 4001

  IPv4 default action: Deny

  IPv6 default action: Deny

  MAC default action: Deny

 Out-bound policy:

  ACL6 2001 (Failed)

  IPv6 default action: Deny (Failed)

# Display ACL application information for inbound packet filtering on interface GigabitEthernet 3/0/1.

<Sysname> display packet-filter interface gigabitethernet 3/0/1 inbound

Interface: GigabitEthernet3/0/1

 In-bound policy:

  ACL 2001

  ACL6 2002 (Failed)

  ACL 4003 (Failed), Hardware-count (Failed)

  ACL 2004, Hardware-count (Failed)

  IPv4 default action: Deny, Hardware-count

# Display ACL application information for inbound and outbound packet filtering on all physical interfaces.

<Sysname> display packet-filter global

Global:

 In-bound policy:

  ACL 2001

  ACL6 2001

  ACL 4001

  IPv4 default action: Deny (Failed)

  IPv6 default action: Deny (Failed)

  MAC default action: Deny

 Out-bound policy:

  ACL 4001, Hardware-count

  MAC default action: Deny

Table 3 Command output

Field | Description
Interface | Interface to which the ACL applies.
VLAN | VLAN to which the ACL applies.
Global | ACL application for packet filtering on all physical interfaces.
In-bound policy | ACL used for filtering incoming traffic.
Out-bound policy | ACL used for filtering outgoing traffic.
ACL 2001 | IPv4 basic ACL 2001 has been successfully applied.
ACL6 2002 (Failed) | The device has failed to apply IPv6 basic ACL 2002, so its rules are not filtering traffic in this direction.
Hardware-count | Counting of ACL rule matches has been successfully enabled.
Hardware-count (Failed) | The device has failed to enable counting of ACL rule matches. Match statistics for the ACL are not available.
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs:
·     Deny—The default action deny has been successfully applied for packet filtering.
·     Deny (Failed)—The device has failed to apply the default action deny. The default action permit is in effect instead, so unmatched packets are forwarded rather than dropped.
·     Permit—The default action permit has been successfully applied for packet filtering.
·     Hardware-count—The hardware-count feature has been successfully applied for the default packet filtering action.
·     Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the default packet filtering action.
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs. The values have the same meanings as for IPv4 default action.
MAC default action | Packet filter default action for packets that do not match any Ethernet frame header ACLs. The values have the same meanings as for IPv4 default action.
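What a reviewer wants from display packet-filter output is the failure cases in the table above, because an ACL that failed to apply is not filtering and a default deny that failed to apply leaves the default permit in effect. The following Python script is added here as an illustration and is not part of the H3C documentation: it parses output in the format shown in the examples above (the embedded sample is constructed from them) and reports the fail-open conditions first. The Finding class, the severity labels, and the acl_category helper are this example's own; the ACL number ranges it uses are the ones listed on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, modelled on the display packet-filter output shown
# above (an interface scope and the global scope pasted together).
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet3/0/1
 In-bound policy:
  ACL 2001
  ACL6 2002 (Failed)
  ACL 4003 (Failed), Hardware-count (Failed)
  ACL 2004, Hardware-count (Failed)
  IPv4 default action: Deny, Hardware-count
Global:
 In-bound policy:
  ACL 2001
  ACL6 2001
  ACL 4001
  IPv4 default action: Deny (Failed)
  IPv6 default action: Deny (Failed)
  MAC default action: Deny
 Out-bound policy:
  ACL 4001, Hardware-count
  MAC default action: Deny
"""

ACL_LINE = re.compile(r"^(ACL6?) (\d+)( \(Failed\))?$")
DEFAULT_LINE = re.compile(r"^(IPv4|IPv6|MAC) default action: (Deny|Permit)( \(Failed\))?$")


@dataclass(frozen=True)
class Finding:
    scope: str       # "Global", "Interface: ..." or "VLAN: ..."
    direction: str   # "In-bound" or "Out-bound"
    severity: str    # "critical": traffic passes that should not; "warning": lost visibility
    message: str


def acl_category(prefix: str, number: int) -> str:
    """Map an ACL number and its ACL/ACL6 prefix to the categories listed on this page."""
    family = "IPv6" if prefix == "ACL6" else "IPv4"
    if 2000 <= number <= 2999:
        return f"{family} basic"
    if 3000 <= number <= 3999:
        return f"{family} advanced"
    if 4000 <= number <= 4999:
        return "Ethernet frame header"
    if 5000 <= number <= 5999:
        return "user-defined"
    return "unknown"


def audit_packet_filter(output: str) -> list[Finding]:
    """Walk display packet-filter output and report what is not enforcing as configured."""
    findings: list[Finding] = []
    scope = direction = ""
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("In-bound policy:", "Out-bound policy:"):
            direction = line.split()[0]
            continue
        if not raw.startswith(" "):  # scope headers are flush left: Global:, Interface: X, VLAN: N
            scope = line.rstrip(":")
            continue
        parts = [p.strip() for p in line.split(",")]
        head, extras = parts[0], parts[1:]
        count_failed = "Hardware-count (Failed)" in extras
        m = ACL_LINE.match(head)
        if m:
            label = f"{acl_category(m.group(1), int(m.group(2)))} ACL {m.group(2)}"
            if m.group(3):
                # The ACL is not applied, so none of its rules filter traffic here.
                findings.append(Finding(scope, direction, "critical", f"{label} failed to apply"))
            if count_failed:
                findings.append(Finding(scope, direction, "warning", f"{label}: hardware match counting failed"))
            continue
        m = DEFAULT_LINE.match(head)
        if m:
            family, action, failed = m.group(1), m.group(2), bool(m.group(3))
            if action == "Deny" and failed:
                # Per Table 3, a failed default deny leaves the default permit in effect: fail-open.
                findings.append(Finding(scope, direction, "critical",
                                        f"{family} default deny failed to apply, unmatched traffic is permitted"))
            elif action == "Permit":
                findings.append(Finding(scope, direction, "warning", f"{family} default action is permit"))
            if count_failed:
                findings.append(Finding(scope, direction, "warning", f"{family} default action: hardware counting failed"))
    return findings


def fail_open_points(output: str) -> list[Finding]:
    """Only the findings where traffic the configuration meant to block can pass."""
    return [f for f in audit_packet_filter(output) if f.severity == "critical"]


if __name__ == "__main__":
    for f in audit_packet_filter(SAMPLE_OUTPUT):
        print(f"[{f.severity}] {f.scope} {f.direction}: {f.message}")
```

Feed it the text of display packet-filter global, display packet-filter interface, or display packet-filter vlan as captured from the device; the critical findings are the scopes and directions where the device is currently forwarding traffic the configuration was meant to drop, which is the first thing to fix after a card replacement or an ACL hardware-mode change.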

 

display packet-filter statistics

Use display packet-filter statistics to display match statistics and default action statistics of ACLs for packet filtering.

Syntax

display packet-filter statistics { global | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } [ default | [ ipv6 ] { acl-number | name acl-name } ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

global: Displays the statistics of all physical interfaces.

interface interface-type interface-number: Displays the statistics of an interface specified by its type and number.

vlan vlan-id: Displays the statistics of a VLAN specified by its ID.

inbound: Displays the statistics in the inbound direction.

outbound: Displays the statistics in the outbound direction.

default: Displays the default action statistics for packet filtering.

acl-number: Specifies the number of an ACL.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

brief: Displays brief statistics.

Usage guidelines

When none of default, acl-number, and name acl-name is specified, this command displays match statistics and default action statistics of all ACLs for packet filtering.

·     If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.

·     If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Display match statistics and default action statistics of all ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for inbound packet filtering on GigabitEthernet 3/0/1.

<Sysname> display packet-filter statistics interface gigabitethernet 3/0/1 inbound

Interface: GigabitEthernet3/0/1

 In-bound policy:

  ACL 2001, Hardware-count

   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (No resource)

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

 

  ACL 2002 (Failed)

 

  ACL 4000

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   rule 0 permit  

 

  ACL ipv6 2000

 

  IPv4 default action: Deny, Hardware-count

   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

   Totally 7 packets

 

  IPv6 default action: Deny, Hardware-count

   From 2011-06-04 10:25:41 to 2011-06-04 10:35:57

   Totally 0 packets

 

  MAC default action: Deny, Hardware-count

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   Totally 0 packets

# Display statistics of IPv4 advanced ACL 3000 for inbound packet filtering in VLAN 2.

<Sysname> display packet-filter statistics vlan 2 inbound 3000

VLAN: 2

 In-bound policy:

  ACL 3000, Hardware-count (Failed)

   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57

   rule 0 permit source 2.2.2.2 0

   rule 5 permit source 1.1.1.1 0 counting (2 packets)

   rule 10 permit vpn-instance test (Failed)

Table 4 Command output

Field | Description
Interface | Interface to which the ACL applies.
VLAN | VLAN to which the ACL applies.
In-bound policy | ACL used for filtering incoming traffic.
Out-bound policy | ACL used for filtering outgoing traffic.
ACL 2001 | IPv4 basic ACL 2001 has been successfully applied.
ACL 2002 (Failed) | The device has failed to apply IPv4 basic ACL 2002, so its rules are not filtering traffic in this direction.
Hardware-count | Counting of ACL rule matches has been successfully enabled.
Hardware-count (Failed) | The device has failed to enable counting of ACL rule matches.
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57 | Start time and end time of the statistics.
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule.
No resource | Hardware resources are insufficient to count matches for the rule, so no count is available for it. In accumulated packet filtering ACL statistics, this field is displayed for a rule when resources were insufficient to count its matches in at least one application.
rule 5 permit source 1.1.1.1 0 (Failed) | The device has failed to apply rule 5.
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL.
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets.
IPv4 default action | Packet filter default action for packets that do not match any IPv4 ACLs:
·     Deny—The default action deny has been successfully applied for packet filtering.
·     Deny (Failed)—The device has failed to apply the default action deny. The default action permit is in effect instead, so unmatched packets are forwarded rather than dropped.
·     Permit—The default action permit has been successfully applied for packet filtering.
·     Hardware-count—The hardware-count feature has been successfully applied for the default packet filtering action.
·     Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the default packet filtering action.
IPv6 default action | Packet filter default action for packets that do not match any IPv6 ACLs. The values have the same meanings as for IPv4 default action.
MAC default action | Packet filter default action for packets that do not match any Ethernet frame header ACLs. The values have the same meanings as for IPv4 default action.
Totally 7 packets | The default action has been taken seven times.

 

Related commands

reset packet-filter statistics
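The statistics above answer two review questions: which rules never match (candidates for tightening), and how much traffic reaches the default deny (traffic no rule accounts for). Both answers are only as good as the counters, and the table shows three ways a counter can be missing: the rule failed to apply, counting had no hardware resource, or no packets matched. The following Python script is added here as an illustration and is not part of the H3C documentation: it parses display packet-filter statistics output in the format shown above (the embedded sample is constructed from it, with a deny rule 15 added to show a rule that saw no traffic) and only treats an absent count as zero when the ACL header shows a working Hardware-count. The record classes and the review wording are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the display packet-filter statistics output
# shown above; rule 15 is added here to show a rule that saw no traffic.
SAMPLE_STATS = """\
Interface: GigabitEthernet3/0/1
 In-bound policy:
  ACL 2001, Hardware-count
   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
   rule 0 permit source 2.2.2.2 0 (2 packets)
   rule 5 permit source 1.1.1.1 0 (Failed)
   rule 10 permit vpn-instance test (No resource)
   rule 15 deny source 3.3.3.3 0
   Totally 2 packets permitted, 0 packets denied
   Totally 100% permitted, 0% denied

  ACL 2002 (Failed)

  ACL 4000
   From 2011-06-04 10:25:34 to 2011-06-04 10:35:57
   rule 0 permit

  ACL ipv6 2000

  IPv4 default action: Deny, Hardware-count
   From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
   Totally 7 packets
"""

ACL_HEADER = re.compile(r"^ACL (ipv6 )?(\d+)( \(Failed\))?(?:, Hardware-count( \(Failed\))?)?$")
DEFAULT_HEADER = re.compile(r"^(IPv4|IPv6|MAC) default action: (Deny|Permit)( \(Failed\))?(?:, Hardware-count( \(Failed\))?)?$")
RULE_LINE = re.compile(r"^rule (\d+) (permit|deny)\b(.*?)(?: \((\d+) packets?\)| \((Failed|No resource)\))?$")
DEFAULT_TOTAL = re.compile(r"^Totally (\d+) packets$")


@dataclass
class RuleStat:
    rule_id: int
    action: str
    match: str
    packets: Optional[int]   # None: no usable counter (rule Failed, No resource, or counting not on)
    status: str              # "ok", "Failed" or "No resource"


@dataclass
class AclStat:
    name: str                # "ACL 2001" or "ACL ipv6 2000"
    applied: bool
    counting: bool           # header ended in a working Hardware-count
    rules: list[RuleStat] = field(default_factory=list)


@dataclass
class DefaultStat:
    family: str              # "IPv4", "IPv6" or "MAC"
    action: str
    applied: bool
    packets: Optional[int] = None


def parse_statistics(text: str) -> tuple[list[AclStat], list[DefaultStat]]:
    """Parse display packet-filter statistics output into per-ACL and default-action records."""
    acls: list[AclStat] = []
    defaults: list[DefaultStat] = []
    current = None  # the AclStat or DefaultStat whose indented lines we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_HEADER.match(line):
            name = f"ACL {'ipv6 ' if m.group(1) else ''}{m.group(2)}"
            current = AclStat(name, applied=m.group(3) is None, counting=line.endswith("Hardware-count"))
            acls.append(current)
        elif m := DEFAULT_HEADER.match(line):
            current = DefaultStat(m.group(1), m.group(2), applied=m.group(3) is None)
            defaults.append(current)
        elif (m := RULE_LINE.match(line)) and isinstance(current, AclStat):
            rule_id, action, match, count, status = m.groups()
            status = status or "ok"
            if status != "ok":
                packets = None               # the device could not apply or count this rule
            elif count is not None:
                packets = int(count)
            else:
                # Table 4: the count is omitted when nothing matched, but only trust that
                # reading when the ACL header shows counting is actually on.
                packets = 0 if current.counting else None
            current.rules.append(RuleStat(int(rule_id), action, match.strip(), packets, status))
        elif (m := DEFAULT_TOTAL.match(line)) and isinstance(current, DefaultStat):
            current.packets = int(m.group(1))
    return acls, defaults


def review(text: str) -> list[str]:
    """Turn the parsed statistics into the points an ACL reviewer would raise."""
    notes: list[str] = []
    acls, defaults = parse_statistics(text)
    for acl in acls:
        if not acl.applied:
            notes.append(f"{acl.name}: not applied, none of its rules are filtering")
            continue
        for r in acl.rules:
            if r.status != "ok":
                notes.append(f"{acl.name} rule {r.rule_id}: {r.status}, hit count unknown")
            elif r.packets == 0:
                notes.append(f"{acl.name} rule {r.rule_id} ({r.action} {r.match}): no matches in window, confirm it is still needed")
    for d in defaults:
        if not d.applied:
            notes.append(f"{d.family} default {d.action.lower()} not applied")
        elif d.action == "Deny" and d.packets:
            notes.append(f"{d.family} default deny dropped {d.packets} packets that no rule accounts for")
    return notes
```

The window printed in the From ... to ... line is the period since the counters were last cleared with reset packet-filter statistics, so a rule with no matches is only evidence of disuse if that window covers the traffic patterns you care about; the script deliberately says nothing about rules whose counters are Failed or No resource, because a missing count there is not a zero.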

display packet-filter statistics sum

Use display packet-filter statistics sum to display accumulated packet filtering ACL statistics.

Syntax

display packet-filter statistics sum { inbound | outbound } [ ipv6 ] { acl-number | name acl-name } [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

inbound: Displays the statistics in the inbound direction.

outbound: Displays the statistics in the outbound direction.

acl-number: Specifies the number of an ACL.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL; if you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

brief: Displays brief accumulated packet filtering ACL statistics.

Examples

# Display accumulated packet filtering ACL statistics of IPv4 basic ACL 2001 for incoming packets.

<Sysname> display packet-filter statistics sum inbound 2001

Sum:

 In-bound policy:

  ACL 2001

   rule 0 permit source 2.2.2.2 0 (2 packets)

   rule 5 permit source 1.1.1.1 0

   rule 10 permit vpn-instance test

   Totally 2 packets permitted, 0 packets denied

   Totally 100% permitted, 0% denied

Table 5 Command output

Field | Description
Sum | Accumulated packet filtering ACL statistics.
In-bound policy | Accumulated statistics for ACLs used to filter incoming traffic.
Out-bound policy | Accumulated statistics for ACLs used to filter outgoing traffic.
ACL 2001 | Accumulated statistics for IPv4 basic ACL 2001.
2 packets | Two packets matched the rule. This field is not displayed when no packets matched the rule.
Totally 2 packets permitted, 0 packets denied | Number of packets permitted and denied by the ACL.
Totally 100% permitted, 0% denied | Ratios of permitted and denied packets to all packets.

 

Related commands

reset packet-filter statistics

display packet-filter verbose

Use display packet-filter verbose to display application details of ACLs for packet filtering.

Syntax

In standalone mode:

display packet-filter verbose { global | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]

In IRF mode:

display packet-filter verbose { global | interface interface-type interface-number | vlan vlan-id } { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

global: Specifies all physical interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

vlan vlan-id: Specifies a VLAN by its VLAN ID.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

acl-number: Specifies the number of an ACL.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ACL application details on the MPU for packet filtering. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the ID of the IRF member device, and the slot-number argument represents the number of the slot that holds the card. If you do not specify an IRF member device or card, this command displays ACL application details for packet filtering on all MPUs of the IRF fabric. (In IRF mode.)

Usage guidelines

When neither acl-number nor name acl-name is specified, this command displays application details of all ACLs for packet filtering.

·     If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.

·     If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Display application details of all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for inbound packet filtering in VLAN 2.

<Sysname> display packet-filter verbose vlan 2 inbound

VLAN: 2

 In-bound policy:

  ACL 2001, Hardware-count

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  ACL 2002 (Failed)

# Display application details of all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for inbound packet filtering on GigabitEthernet 3/0/1.

<Sysname> display packet-filter verbose interface gigabitethernet 3/0/1 inbound

Interface: GigabitEthernet3/0/1

 In-bound policy:

  ACL 2001, Hardware-count (Failed)

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  ACL 2002 (Failed), Hardware-count (Failed)

 

  ACL6 2000, Hardware-count

   rule 0 permit

 

  ACL 4000, Hardware-count

 

  IPv4 default action: Deny, Hardware-count (Failed)

 

  IPv6 default action: Deny, Hardware-count (Failed)

 

  MAC default action: Deny, Hardware-count

# Display application details of all IPv4 ACLs (including IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs) for inbound packet filtering on all physical interfaces.

<Sysname> display packet-filter verbose global inbound

Global:

 In-bound policy:

  ACL 2001

   rule 0 permit

   rule 5 permit source 1.1.1.1 0 (Failed)

   rule 10 permit vpn-instance test (Failed)

 

  ACL 2002 (Failed)

 

  ACL6 2000, Hardware-count

 

  ACL 4000, Hardware-count

   rule 0 permit

 

  IPv4 default action: Deny

 

  IPv6 default action: Deny

 

  MAC default action: Deny

Table 6 Command output

Field

Description

Interface

Interface to which the ACL applies.

VLAN

VLAN to which the ACL applies.

Global

ACL application details for packet filtering on all physical interfaces.

In-bound policy

ACL used for filtering incoming traffic.

Out-bound policy

ACL used for filtering outgoing traffic.

ACL 2001

IPv4 basic ACL 2001 has been successfully applied.

ACL 2002 (Failed)

The device has failed to apply IPv4 basic ACL 2002.

Hardware-count

Counting of ACL rule matches has been successfully enabled.

Hardware-count (Failed)

The device has failed to enable counting ACL rule matches.

rule 5 permit source 1.1.1.1 0 (Failed)

The device has failed to apply rule 5 because hardware resources are not sufficient or the rule is not supported.

IPv4 default action

Packet filter default action for packets that do not match any IPv4 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The default action permit remains in effect, so packets that match no IPv4 ACL rule are still permitted.

·     Permit—The default action permit has been successfully applied for packet filtering.

·     Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering.

·     Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action.

IPv6 default action

Packet filter default action for packets that do not match any IPv6 ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The default action permit remains in effect, so packets that match no IPv6 ACL rule are still permitted.

·     Permit—The default action permit has been successfully applied for packet filtering.

·     Hardware-count—The hardware-count feature has been successfully applied for the default action for packet filtering.

·     Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the packet filtering default action.

MAC default action

Packet filter default action for packets that do not match any Ethernet frame header ACLs:

·     Deny—The default action deny has been successfully applied for packet filtering.

·     Deny (Failed)—The device has failed to apply the default action deny for packet filtering. The default action permit remains in effect, so packets that match no Ethernet frame header ACL rule are still permitted.

·     Permit—The default action permit has been successfully applied for packet filtering.

·     Hardware-count—The hardware-count feature has been successfully applied for the default packet filtering action.

·     Hardware-count (Failed)—The device has failed to apply the hardware-count feature for the default packet filtering action.
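The Failed markers in Table 6 are the only indication that an ACL, a rule, or the default deny action is present in the configuration but not enforced in hardware, so they are worth checking automatically after every ACL change. The following audit script is an added example and is not code from the H3C reference. It parses the output layout shown above (Interface, VLAN or Global header, In-bound and Out-bound policy blocks, ACL and rule lines, default action lines) and reports findings; the sample output embedded as SAMPLE is the GigabitEthernet 3/0/1 example from this section, and the severity labels (high for anything that lets traffic through unfiltered, medium for a missing permit rule, info for lost counters) are the author's own judgement, not an H3C classification.

```python
"""Audit 'display packet-filter verbose' output for ACL applications that
are not actually enforcing.  Added example, not code from the H3C
reference: the parser follows the output layout and the Failed markers
described in Table 6; the severity labels are the author's own."""
import re
from dataclasses import dataclass

_TARGET = re.compile(r"^(Interface|VLAN|Global)(?::\s*(.*))?$")
_POLICY = re.compile(r"^\s*(In|Out)-bound policy:$")
_ACL = re.compile(r"^\s*(ACL6?)\s+(\d+)(.*)$")
_RULE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)(.*)$")
_DEFAULT = re.compile(
    r"^\s*(IPv4|IPv6|MAC) default action:\s*(Deny|Permit)(\s*\(Failed\))?"
    r"(?:,\s*Hardware-count(\s*\(Failed\))?)?$")


@dataclass
class Finding:
    # "high": traffic passes unfiltered; "medium": a rule is missing but the
    # default action still applies; "info": visibility (counters) only.
    severity: str
    target: str
    direction: str
    message: str


def audit_packet_filter(output: str) -> list:
    findings = []
    target = direction = "?"
    acl = None
    for line in output.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if m := _TARGET.match(line):
            target = (m.group(1) + " " + (m.group(2) or "")).strip()
        elif m := _POLICY.match(line):
            direction = m.group(1).lower() + "bound"
        elif m := _DEFAULT.match(line):
            family, action, act_failed, hc_failed = m.groups()
            if action == "Deny" and act_failed:
                # Table 6: when default deny fails, permit still functions.
                findings.append(Finding("high", target, direction,
                    f"{family} default deny failed to apply: unmatched packets are permitted"))
            elif action == "Permit":
                findings.append(Finding("info", target, direction,
                    f"{family} default action is permit: unmatched packets pass"))
            if hc_failed:
                findings.append(Finding("info", target, direction,
                    f"{family} default action has no hardware match counters"))
        elif m := _ACL.match(line):
            kind, number, rest = m.groups()
            acl = f"{kind} {number}"
            parts = [p.strip() for p in rest.split(",")]
            if parts[0] == "(Failed)":
                findings.append(Finding("high", target, direction,
                    f"{acl} failed to apply: it filters nothing here"))
            if "Hardware-count (Failed)" in parts[1:]:
                findings.append(Finding("info", target, direction,
                    f"{acl}: hardware match counting failed"))
        elif (m := _RULE.match(line)) and acl:
            rule_id, action, rest = m.groups()
            if rest.endswith("(Failed)"):
                # A deny rule that is not installed is a bypass; a permit rule
                # that is not installed only drops traffic to the default action.
                sev = "high" if action == "deny" else "medium"
                findings.append(Finding(sev, target, direction,
                    f"{acl} rule {rule_id} ({action}) not installed in hardware"))
    return findings


def severity_counts(findings) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Output of the GigabitEthernet 3/0/1 example from this section.
SAMPLE = """\
Interface: GigabitEthernet3/0/1
 In-bound policy:
  ACL 2001, Hardware-count (Failed)
   rule 0 permit
   rule 5 permit source 1.1.1.1 0 (Failed)
   rule 10 permit vpn-instance test (Failed)

  ACL 2002 (Failed), Hardware-count (Failed)

  ACL6 2000, Hardware-count
   rule 0 permit

  ACL 4000, Hardware-count

  IPv4 default action: Deny, Hardware-count (Failed)

  IPv6 default action: Deny, Hardware-count (Failed)

  MAC default action: Deny, Hardware-count
"""

if __name__ == "__main__":
    for f in audit_packet_filter(SAMPLE):
        print(f"[{f.severity}] {f.target} {f.direction}: {f.message}")
    print(severity_counts(audit_packet_filter(SAMPLE)))
```

Run against the sample, the script reports ACL 2002 as high (the whole ACL is not applied), rules 5 and 10 of ACL 2001 as medium, and the four failed hardware counters as info. Feed it the output for every interface, VLAN and the global application after a change to a packet filter; a high finding means the filter you believe is in place is not.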

 

display qos-acl resource

Use display qos-acl resource to display QoS and ACL resource usage.

Syntax

In standalone mode:

display qos-acl resource [ slot slot-number ]

In IRF mode:

display qos-acl resource [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays QoS and ACL resource usage on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the ID of the IRF member device, and the slot-number argument represents the number of the slot that holds the card. If you do not specify an IRF member device or card, this command displays QoS and ACL resource usage on member devices of the IRF fabric. (In IRF mode.)

Usage guidelines

This command does not display any usage data if the specified card or IRF member device does not support counting QoS and ACL resources.

Examples

# Display QoS and ACL resource usage.

<Sysname> display qos-acl resource

Interfaces: GE2/0/1 to GE2/0/24

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 ACL rule         4096       96         92         3908       4%

 Inbound ACL      4096       96         25         3908       2%

 Outbound ACL     4096       0          67         3908       1%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      7168       0          0          7168       0%

 IN-COUNT         8192       0          80         8112       0%

 OUT-MQC-CAR      8192       0          80         8112       0%

 OUT-COUNT        8192       0          80         8112       0%

 

Interfaces: GE2/0/25 to GE2/0/48

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 ACL rule         4096       96         92         3908       4%

 Inbound ACL      4096       96         25         3908       2%

 Outbound ACL     4096       0          67         3908       1%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      7168       0          0          7168       0%

 IN-COUNT         8192       0          80         8112       0%

 OUT-MQC-CAR      8192       0          80         8112       0%

 OUT-COUNT        8192       0          80         8112       0%

 

Interfaces: FGE4/5/0/3 to FGE4/5/0/4

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/1 to FGE4/5/0/2

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/7 to FGE4/5/0/8

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/5 to FGE4/5/0/6

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/11 to FGE4/5/0/12

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/9 to FGE4/5/0/10

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/15 to FGE4/5/0/16

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

 

Interfaces: FGE4/5/0/13 to FGE4/5/0/14

---------------------------------------------------------------------

 Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

 Inbound ACL      3840       96         32         3712       3%

 Outbound ACL     1088       0          40         1048       3%

 IN-MQC-CAR       8192       0          0          8192       0%

 IN-COMM-CAR      8192       0          0          8192       0%

 IN-COUNT         8192       0          60         8132       0%

 OUT-MQC-CAR      8192       0          0          8192       0%

 OUT-COUNT        8192       0          0          8192       0%

Table 7 Command output

Field

Description

Interfaces

Interface range for the resource.

Type

Resource type.

Total

Total number of resources of this type.

Reserved

Number of reserved resources.

Configured

Number of resources that have been applied.

Remaining

Number of resources that you can still apply.

Usage

Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%.
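Because a rule that does not fit in hardware is marked Failed and silently not enforced, the Remaining column of this command is the early warning for that condition. The following script is an added example and is not code from the H3C reference. It parses the table layout shown above into rows, recomputes the Usage column with the rule given in Table 7 (integer part of Reserved plus Configured over Total) so that a mismatch would reveal a parsing error, and flags interface ranges that are close to exhaustion. SAMPLE holds two of the blocks from the example output on this page; NEAR_FULL is a constructed block, and the thresholds warn_pct and min_remaining are assumptions chosen for illustration.

```python
"""Parse 'display qos-acl resource' output and flag interface ranges whose
ACL/QoS hardware resources are close to exhaustion.  Added example, not
code from the H3C reference.  Column layout and the Usage rule follow
Table 7; the thresholds are assumptions."""
import re
from dataclasses import dataclass

_RANGE = re.compile(r"^Interfaces:\s*(.+?)\s*$")
# Type names may contain spaces ("ACL rule", "Inbound ACL"), so anchor on
# the five numeric columns and keep whatever precedes them as the type.
_ROW = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s*$")


@dataclass
class Row:
    rtype: str
    total: int
    reserved: int
    configured: int
    remaining: int
    usage_pct: int  # value printed by the switch

    def computed_usage(self) -> int:
        # Table 7: (configured + reserved) / total, integer part only.
        return (self.configured + self.reserved) * 100 // self.total


def parse_qos_acl_resource(output: str) -> dict:
    """Map each 'Interfaces: ...' range to its list of resource rows."""
    table = {}
    current = None
    for line in output.splitlines():
        if m := _RANGE.match(line):
            current = m.group(1)
            table[current] = []
        elif (m := _ROW.match(line)) and current is not None:
            name, *nums = m.groups()
            table[current].append(Row(name, *map(int, nums)))
    return table


def flag_exhaustion(table, warn_pct=80, min_remaining=64):
    """Return (range, type, remaining, usage%) for rows at or above warn_pct
    usage or with fewer than min_remaining free entries (assumed thresholds)."""
    return [(rng, r.rtype, r.remaining, r.usage_pct)
            for rng, rows in table.items() for r in rows
            if r.usage_pct >= warn_pct or r.remaining < min_remaining]


# Two blocks taken from the example output of this command.
SAMPLE = """\
Interfaces: GE2/0/1 to GE2/0/24
---------------------------------------------------------------------
 Type             Total      Reserved   Configured Remaining  Usage
---------------------------------------------------------------------
 ACL rule         4096       96         92         3908       4%
 Inbound ACL      4096       96         25         3908       2%
 Outbound ACL     4096       0          67         3908       1%
 IN-MQC-CAR       8192       0          0          8192       0%
 IN-COMM-CAR      7168       0          0          7168       0%
 IN-COUNT         8192       0          80         8112       0%
 OUT-MQC-CAR      8192       0          80         8112       0%
 OUT-COUNT        8192       0          80         8112       0%

Interfaces: FGE4/5/0/3 to FGE4/5/0/4
---------------------------------------------------------------------
 Type             Total      Reserved   Configured Remaining  Usage
---------------------------------------------------------------------
 Inbound ACL      3840       96         32         3712       3%
 Outbound ACL     1088       0          40         1048       3%
 IN-MQC-CAR       8192       0          0          8192       0%
 IN-COMM-CAR      8192       0          0          8192       0%
 IN-COUNT         8192       0          60         8132       0%
 OUT-MQC-CAR      8192       0          0          8192       0%
 OUT-COUNT        8192       0          0          8192       0%
"""

# Constructed block (not from the page) showing a nearly full inbound pool.
NEAR_FULL = """\
Interfaces: GE1/0/1 to GE1/0/24
---------------------------------------------------------------------
 Type             Total      Reserved   Configured Remaining  Usage
---------------------------------------------------------------------
 Inbound ACL      4096       96         3900       100        97%
"""

if __name__ == "__main__":
    for rng, rows in parse_qos_acl_resource(SAMPLE).items():
        print(rng, [(r.rtype, r.remaining) for r in rows])
    print(flag_exhaustion(parse_qos_acl_resource(NEAR_FULL)))
```

On the page's own output nothing is flagged; on the constructed block the Inbound ACL row is reported with 100 entries left at 97% usage. Note that on the GE card the Inbound ACL and Outbound ACL rows share the ACL rule pool (all three show the same Remaining value), so a threshold on Remaining, not only on the per-row Usage, is what catches the shared pool running out.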

 

packet-filter

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL application from an interface.

Syntax

packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }

Default

An interface does not filter packets.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

acl-number: Specifies an ACL by its number.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified. User-defined ACLs do not support outbound packet filtering.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.

Usage guidelines

When you use the packet-filter command in VLAN interface view to filter outgoing IPv4 packets, the command takes effect only on Layer 3 unicast packets.

A rule that you add to an ACL already in use by a packet filter does not take effect if hardware resources are insufficient or the packet filter does not support the rule. Such rules are marked as Failed in the output from the display acl { acl-number | all | name acl-name } slot slot-number command, and they are not enforced even though they appear in the ACL. To successfully apply the rule, delete the rule and reconfigure it when hardware resources are sufficient.

Avoid having multiple users configure the packet-filter command at the same time. Otherwise, the configuration might fail.

Follow these guidelines when you configure a packet filter on a VLAN interface:

·     Use the undo packet-filter command to remove the packet filter from the VLAN interface if the ACL application fails on an interface card, for example, because of hardware resource insufficiency. The switch applies the packet filter configured on a VLAN interface to the main processing unit and all interface cards. When an application failure occurs on an interface card, the switch cannot automatically remove the ACL that has been applied to the main processing unit or any other interface card.

·     You must also use the undo packet-filter command to remove the packet filter if the switch fails to update the packet filter on an interface card after you edit the ACL rules. If you do not remove the packet filter, the old ACL rules continue to take effect and the display packet-filter command shows the initial ACL application status.

If an Ethernet frame header ACL is used for packet filtering on an EB, EC2, or FD card that operates in basic ACL hardware mode, the ACL matches IPv6 packets only by destination MAC address (for incoming packets only) and 802.1p priority.

When an EB, EC2, or FD card operates in basic ACL hardware mode, it does not support packet filtering of outbound IPv4 packets on VLAN interfaces.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on GigabitEthernet 3/0/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/0/1

[Sysname-GigabitEthernet3/0/1] packet-filter 2001 inbound hardware-count

Related commands

·     display packet-filter

·     display packet-filter statistics

·     display packet-filter verbose

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.

Use undo packet-filter default deny to restore the default.

Syntax

packet-filter default deny

undo packet-filter default deny

Default

The packet filter permits packets that do not match any ACL rule.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.

Examples

# Set the packet filter default action to deny.

<Sysname> system-view

[Sysname] packet-filter default deny

Related commands

·     display packet-filter

·     display packet-filter statistics

·     display packet-filter verbose

packet-filter default hardware-count

Use packet-filter default hardware-count to enable hardware-count for the packet filtering default action.

Use undo packet-filter default hardware-count to restore the default.

Syntax

packet-filter default { inbound | outbound } hardware-count

undo packet-filter default { inbound | outbound } hardware-count

Default

Hardware-count is disabled for the packet filtering default action.

Views

Interface view

Predefined user roles

network-admin

mdc-admin

Parameters

inbound: Specifies the incoming packets.

outbound: Specifies the outgoing packets.

Usage guidelines

To enable hardware-count for the packet filtering default action on an interface, make sure you have applied ACLs to the interface for packet filtering.

Examples

# Set the packet filtering default action to deny globally. Apply IPv4 basic ACL 2001 to GigabitEthernet 3/0/1 for filtering incoming packets, and enable hardware-count for the packet filtering default action on GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] packet-filter default deny

[Sysname] interface gigabitethernet 3/0/1

[Sysname-GigabitEthernet3/0/1] packet-filter 2001 inbound

[Sysname-GigabitEthernet3/0/1] packet-filter default inbound hardware-count

Related commands

·     packet-filter

·     packet-filter default deny

·     display packet-filter

·     display packet-filter statistics

packet-filter global

Use packet-filter global to apply an ACL to filter packets globally.

Use undo packet-filter global to remove an ACL for filtering packets globally.

Syntax

packet-filter [ ipv6 ] { acl-number | name acl-name } global { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 ] { acl-number | name acl-name } global { inbound | outbound }

Default

Physical interfaces do not filter packets.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

acl-number: Specifies an ACL by its number:

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified. User-defined ACLs do not support outbound packet filtering.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL; if you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

global: Specifies all physical interfaces.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on all physical interfaces, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] packet-filter 2001 global inbound hardware-count

Related commands

·     display packet-filter

·     display packet-filter statistics

·     display packet-filter verbose

packet-filter vlan

Use packet-filter vlan to apply an ACL to VLANs to filter packets.

Use undo packet-filter vlan to remove an ACL for filtering packets from VLANs.

Syntax

packet-filter [ ipv6 ] { acl-number | name acl-name } vlan vlan-list { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 ] { acl-number | name acl-name } vlan vlan-list { inbound | outbound }

Default

The system does not filter packets in a VLAN.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

acl-number: Specifies an ACL by its number:

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified. User-defined ACLs do not support outbound packet filtering.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL; if you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

vlan vlan-list: Specifies a space-separated list of up to 10 VLAN ID items. Each item specifies a VLAN by its ID or a range of VLANs in the form of start-vlan-id to end-vlan-id.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic in VLAN 2, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view

[Sysname] packet-filter 2001 vlan 2 inbound hardware-count

Related commands

·     display packet-filter

·     display packet-filter statistics

·     display packet-filter verbose

reset acl counter

Use reset acl counter to clear statistics for ACLs.

Syntax

reset acl [ ipv6 ] counter { acl-number | all | name acl-name }

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

acl-number: Specifies an ACL by its number.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

all: Clears statistics for all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs if you do not specify the ipv6 keyword, or clears statistics for all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.

name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

Related commands

display acl

reset packet-filter statistics

Use reset packet-filter statistics to clear the match statistics (including the accumulated statistics) and the default action statistics of ACLs for packet filtering.

Syntax

reset packet-filter statistics { global | interface [ interface-type interface-number ] | vlan [ vlan-id ] } { inbound | outbound } [ default | [ ipv6 ] { acl-number | name acl-name } ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

global: Specifies all physical interfaces.

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering ACL statistics on all interfaces.

vlan [ vlan-id ]: Specifies a VLAN by its ID. If you do not specify a VLAN, this command clears packet filtering ACL statistics in all VLANs.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

default: Clears the default action statistics of ACLs for packet filtering.

acl-number: Specifies an ACL by its number.

·     2000 to 2999 for IPv4 basic ACLs if the ipv6 keyword is not specified and for IPv6 basic ACLs if the ipv6 keyword is specified.

·     3000 to 3999 for IPv4 advanced ACLs if the ipv6 keyword is not specified and for IPv6 advanced ACLs if the ipv6 keyword is specified.

·     4000 to 4999 for Ethernet frame header ACLs. This entry is not displayed if the ipv6 keyword is specified.

·     5000 to 5999 for user-defined ACLs. This entry is not displayed if the ipv6 keyword is specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Usage guidelines

When none of default, acl-number, and name acl-name is specified, this command clears the match statistics and default action statistics of all ACLs for packet filtering.

·     If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, Ethernet frame header, and user-defined ACLs.

·     If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Clear IPv4 basic ACL 2001 statistics for incoming packet filtering in VLAN 2.

<Sysname> reset packet-filter statistics vlan 2 inbound 2001

Related commands

·     display packet-filter statistics

·     display packet-filter statistics sum

rule (Ethernet frame header ACL view)

Use rule to create or edit an Ethernet frame header ACL rule.

Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

undo rule { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

Default

An Ethernet frame header ACL does not contain any rule.

Views

Ethernet frame header ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is higher than the current highest rule ID, starting from 0 for an ACL that has no rules. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask. This option is not supported in the current software version. It is reserved for future support.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask. To match ARP packets, IPv4 packets, or IPv6 packets, set the protocol-type protocol-type-mask arguments to 0x0806 0xFFFF, 0x0800 0xFFFF, or 0x86DD 0xFFFF, respectively. On an EB/EC2/FD card that operates in basic ACL hardware mode, the protocol-type protocol-type-mask arguments cannot be set to 0x86DD 0xFFFF, which matches IPv6 packets.

source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the source-mask argument represents a mask in the H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

On an EB, EC2, or FD card that is in basic ACL hardware mode:

·     An Ethernet frame header ACL does not take effect on IPv4 packets.

·     An Ethernet frame header ACL does not match ARP packets by the source MAC address and the destination MAC address.

·     If an Ethernet frame header ACL is for packet filtering, the ACL matches IPv6 packets by only the destination MAC address (for incoming packets only) and 802.1p priority.

·     If an Ethernet frame header ACL is for other applications, the ACL matches IPv6 packets by only the source MAC address (for incoming packets only), destination MAC address (for incoming packets only) and 802.1p priority.

You can edit ACL rules only when the match order is config.

The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.

The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.

Use the display acl all command to view the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.

Examples

# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff

[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
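The following evaluator is an added example, not H3C code: it applies the masked-match semantics described above (MAC address and mask in H-H-H format, 16-bit EtherType and mask, config-order first match) to constructed frames, using the two rules of ACL 4000 just shown. It assumes that a 1 bit in a MAC mask means the bit is compared, mirroring the EtherType mask 0xFFFF used for ARP.

```python
"""Added example (not H3C's code): a small evaluator for Ethernet frame header ACL rules
that applies the masked-match semantics described in this reference to constructed frames."""
from dataclasses import dataclass
from typing import Optional, Tuple

# (value, mask): a frame field matches when (field & mask) == (value & mask).
# Assumption: a 1 bit in a MAC mask means the bit is compared, as in "type 0806 ffff" for ARP.
MaskedValue = Tuple[int, int]


def parse_hhh(mac: str) -> int:
    """Parse a MAC address or MAC mask written in H-H-H format, for example 000f-e2ab-1234."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not in H-H-H format: {mac}")
    return int("".join(parts), 16)


def masked_match(field: int, criterion: Optional[MaskedValue]) -> bool:
    """A criterion that is not configured in the rule matches every frame."""
    if criterion is None:
        return True
    value, mask = criterion
    return (field & mask) == (value & mask)


@dataclass
class EthRule:
    action: str                                # "permit" or "deny"
    type_: Optional[MaskedValue] = None        # type protocol-type protocol-type-mask
    source_mac: Optional[MaskedValue] = None   # source-mac source-address source-mask
    dest_mac: Optional[MaskedValue] = None     # dest-mac dest-address dest-mask
    cos: Optional[int] = None                  # cos vlan-pri, 802.1p priority 0 to 7

    def matches(self, frame: dict) -> bool:
        """All configured criteria of a rule must match (they are ANDed)."""
        return (masked_match(frame["ethertype"], self.type_)
                and masked_match(frame["src"], self.source_mac)
                and masked_match(frame["dst"], self.dest_mac)
                and (self.cos is None or frame.get("cos") == self.cos))


def evaluate(rules: list, frame: dict) -> Optional[str]:
    """match-order config: rules are compared in configuration order and the first match decides.
    Returns None when no rule matches; the module applying the ACL (for example packet
    filtering with its default action) decides what happens to such frames."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return None


# The two rules of Ethernet frame header ACL 4000 from the example above: permit ARP, deny RARP.
ACL_4000 = [
    EthRule("permit", type_=(0x0806, 0xFFFF)),
    EthRule("deny", type_=(0x8035, 0xFFFF)),
]

# Constructed sample frames (not captured traffic); MAC addresses are placeholders.
BROADCAST = parse_hhh("ffff-ffff-ffff")
ARP_FRAME = {"ethertype": 0x0806, "src": parse_hhh("000f-e2ab-0001"), "dst": BROADCAST}
RARP_FRAME = {"ethertype": 0x8035, "src": parse_hhh("000f-e2ab-0002"), "dst": BROADCAST}
IPV4_FRAME = {"ethertype": 0x0800, "src": parse_hhh("000f-e2ab-0003"), "dst": parse_hhh("000f-e2ab-0004")}

# A rule matching any source MAC in the 000f-e2xx-xxxx block: the mask compares only the first 24 bits.
OUI_RULE = EthRule("permit", source_mac=(parse_hhh("000f-e200-0000"), parse_hhh("ffff-ff00-0000")))

if __name__ == "__main__":
    for name, frame in (("ARP", ARP_FRAME), ("RARP", RARP_FRAME), ("IPv4", IPV4_FRAME)):
        print(f"ACL 4000 on {name}: {evaluate(ACL_4000, frame)}")
```

Frames that match no rule return None, which is the case to watch when the ACL is applied for packet filtering: the filter's default action, not the ACL, decides their fate.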

Related commands

·     acl

·     display acl

·     step

·     time-range

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.

Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group addr-group-name | dest-address dest-wildcard | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { object-group addr-group-name | source-address source-wildcard | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range | vpn-instance ] *

undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group addr-group-name | dest-address dest-wildcard | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { object-group addr-group-name | source-address source-wildcard | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv4 advanced ACL does not contain any rule.

Views

IPv4 advanced ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is higher than the current highest rule ID, starting from 0 for an ACL that has no rules. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies one of the following values:

·     A protocol number in the range of 0 to 255.

·     A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.

Table 8 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 8 Match criteria and other rule information for IPv4 advanced ACL rules

source { object-group addr-group-name | source-address source-wildcard | any }: Specifies source addresses. The addr-group-name argument specifies an object group of source IP addresses. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.

destination { object-group addr-group-name | dest-address dest-wildcard | any }: Specifies destination addresses. The addr-group-name argument specifies an object group of destination IP addresses. The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.

counting: Counts the number of times the IPv4 advanced ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

precedence precedence: Specifies an IP precedence value. The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

tos tos: Specifies a ToS preference. The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). If the ACL is used on an EB, EC2, or FD card in basic ACL hardware mode, this option does not take effect for outbound applications, even if specified.

dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

fragment: Applies the rule only to fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature requires that the module (for example, packet filtering) that uses the ACL supports logging.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time ranges, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to all packets. On a PE or MCE, rules with this option do not apply to packets received from a VPN site. For more information about PE and MCE, see MPLS Configuration Guide. If the ACL is used on an EB, EC2, or FD card in basic ACL hardware mode, this option does not take effect, even if specified.

IMPORTANT:

If the dscp keyword is specified together with precedence or tos, the precedence or tos configuration does not take effect.

If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 9.

Table 9 TCP/UDP-specific parameters for IPv4 advanced ACL rules

source-port { object-group port-group-name | operator port1 [ port2 ] }: Specifies one or more UDP or TCP source ports. The port-group-name argument specifies an object group of ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port { object-group port-group-name | operator port1 [ port2 ] }: Specifies one or more UDP or TCP destination ports.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. These parameters are specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. A rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.

established: Specifies the flags for indicating the established status of a TCP connection. This parameter is specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.

If the protocol argument is icmp (1), set the parameters shown in Table 10.

Table 10 ICMP-specific parameters for IPv4 advanced ACL rules

icmp-type { icmp-type icmp-code | icmp-message }: Specifies the ICMP message type and code. The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 11.

Table 11 ICMP message names supported in IPv4 advanced ACL rules

ICMP message name | ICMP message type | ICMP message code
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.

The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.

Use the display acl all command to view the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.

Examples

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255

[Sysname-acl-adv-3001] rule permit ip

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl number 3002

[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl number 3003

[Sysname-acl-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
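The following evaluator is an added example, not H3C code: it implements the match semantics described for Table 8 and Table 9 (wildcard masks, protocol and port names, port operators, ANDed TCP flags, established, fragment) with first-match evaluation in config order, and checks ACL 3000 and ACL 3001 from the examples above against constructed packets. The protocol and port name tables in the code are a subset of those listed on this page.

```python
"""Added example (not H3C's code): evaluate IPv4 advanced ACL rules with the match semantics
this reference describes, so a rule set can be checked against sample packets before it is
applied. The packets below are constructed, not captured."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple, Union

# Protocol names from the protocol argument; port names are a subset of the tables above.
PROTO_NAMES = {"gre": 47, "icmp": 1, "igmp": 2, "ipinip": 4, "ospf": 89, "tcp": 6, "udp": 17}
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23, "snmp": 161, "snmptrap": 162}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: 1 bits in the wildcard are ignored, 0 bits must match.
    An all-zero wildcard (0.0.0.0) therefore specifies a single host."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(port: Optional[int], criterion: Optional[tuple]) -> bool:
    """criterion is (operator, port1) or ("range", port1, port2); port names resolve via PORT_NAMES."""
    if criterion is None:
        return True
    if port is None:          # the rule needs a port but the packet is not TCP/UDP
        return False
    op, *ports = criterion
    p = [PORT_NAMES[x] if isinstance(x, str) else x for x in ports]
    if op == "range":         # inclusive range
        return p[0] <= port <= p[1]
    return {"lt": port < p[0], "gt": port > p[0], "eq": port == p[0], "neq": port != p[0]}[op]


@dataclass
class Rule:
    action: str                                      # "permit" or "deny"
    protocol: Union[str, int] = "ip"                 # name, number, or "ip" for all protocols
    source: Optional[Tuple[str, str]] = None         # (source-address, source-wildcard); None = any
    destination: Optional[Tuple[str, str]] = None    # (dest-address, dest-wildcard); None = any
    source_port: Optional[tuple] = None              # e.g. ("eq", "ftp") or ("range", 1024, 65535)
    destination_port: Optional[tuple] = None
    flags: Dict[str, int] = field(default_factory=dict)  # e.g. {"ack": 0, "psh": 1}; ANDed
    established: bool = False                        # matches packets with ACK or RST set
    fragment: bool = False                           # rule applies only to fragments

    def matches(self, pkt: dict) -> bool:
        proto = PROTO_NAMES.get(self.protocol, self.protocol)
        if proto != "ip" and pkt["proto"] != proto:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if not port_match(pkt.get("sport"), self.source_port):
            return False
        if not port_match(pkt.get("dport"), self.destination_port):
            return False
        set_flags = pkt.get("flags", set())
        for name, value in self.flags.items():       # every configured flag must agree
            if (name in set_flags) != bool(value):
                return False
        if self.established and not ({"ack", "rst"} & set_flags):
            return False
        if self.fragment and not pkt.get("fragment", False):
            return False
        return True


def evaluate(rules: list, pkt: dict) -> Optional[str]:
    """match-order config: rules are compared in configuration order; the first match decides.
    Returns None when nothing matches (the module applying the ACL then takes its default action)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# ACL 3000 and ACL 3001 as configured in the examples above.
ACL_3000 = [Rule("permit", "tcp", source=("129.9.0.0", "0.0.255.255"),
                 destination=("202.38.160.0", "0.0.0.255"), destination_port=("eq", 80))]
ACL_3001 = [Rule("deny", "icmp", destination=("192.168.1.0", "0.0.0.255")),
            Rule("permit", "ip")]

# Constructed sample packets.
WEB = {"proto": 6, "src": "129.9.1.2", "dst": "202.38.160.5", "sport": 40000, "dport": 80, "flags": {"ack", "psh"}}
HTTPS = dict(WEB, dport=443)
PING_IN = {"proto": 1, "src": "10.0.0.1", "dst": "192.168.1.9"}
PING_OUT = {"proto": 1, "src": "10.0.0.1", "dst": "192.168.2.9"}

if __name__ == "__main__":
    print("ACL 3000:", evaluate(ACL_3000, WEB), evaluate(ACL_3000, HTTPS))
    print("ACL 3001:", evaluate(ACL_3001, PING_IN), evaluate(ACL_3001, PING_OUT))
```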

Related commands

·     acl

·     acl logging interval

·     display acl

·     step

·     time-range

rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.

Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { object-group addr-group-name | source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *

undo rule { deny | permit } [ counting | fragment | logging | source { object-group addr-group-name | source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv4 basic ACL does not contain any rule.

Views

IPv4 basic ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is higher than the current highest rule ID, starting from 0 for an ACL that has no rules. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.

source { object-group addr-group-name | source-address source-wildcard | any }: Matches source IP addresses. The object-group addr-group-name option specifies an object group of source IP addresses. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to all packets. On a PE or MCE, rules with this option do not apply to packets received from a VPN site. For more information about PE and MCE, see MPLS Configuration Guide. If the ACL is used on an EB, EC2, or FD card in basic ACL hardware mode, this option does not take effect, even if specified.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.

The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.

Use the display acl all command to view the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255

[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255

[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Sysname-acl-basic-2000] rule deny source any

Related commands

·     acl

·     acl logging interval

·     display acl

·     step

·     time-range

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.

Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group addr-group-name | dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { object-group addr-group-name | source-address source-prefix | source-address/source-prefix | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | routing | hop-by-hop | source | source-port | time-range | vpn-instance ] *

undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group addr-group-name | dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { object-group addr-group-name | source-address source-prefix | source-address/source-prefix | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv6 advanced ACL does not contain any rule.

Views

IPv6 advanced ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns one: the smallest multiple of the numbering step that is higher than the current highest rule ID, starting from 0 for an ACL that has no rules. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies one of the following values:

·     A protocol number in the range of 0 to 255.

·     A protocol by its name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.

Table 12 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 12 Match criteria and other rule information for IPv6 advanced ACL rules

source { object-group addr-group-name | source-address source-prefix | source-address/source-prefix | any }: Specifies source IPv6 addresses. The addr-group-name argument specifies an object group of source IPv6 addresses. The source-address argument represents an IPv6 source address. The source-prefix argument represents an IPv6 prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

destination { object-group addr-group-name | dest-address dest-prefix | dest-address/dest-prefix | any }: Specifies destination IPv6 addresses. The addr-group-name argument specifies an object group of destination IPv6 addresses. The dest-address argument represents a destination IPv6 address. The dest-prefix argument represents a prefix length in the range of 1 to 128. The any keyword specifies any IPv6 destination address.

counting: Counts the number of times the IPv6 advanced ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

dscp dscp: Specifies a DSCP preference. The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

flow-label flow-label-value: Specifies a flow label value in an IPv6 packet header. The flow-label-value argument is in the range of 0 to 1048575.

fragment: Applies the rule only to fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature requires that the module (for example, packet filtering) that uses the ACL supports logging.

routing [ type routing-type ]: Specifies an IPv6 routing header type. The routing-type argument is the value of the IPv6 routing header type, in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. Otherwise, the rule applies to any type of IPv6 routing header.

hop-by-hop [ type hop-type ]: Specifies an IPv6 Hop-by-Hop Options header type. The hop-type argument is the value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255. If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. Otherwise, the rule applies to any type of IPv6 Hop-by-Hop Options header.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time ranges, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to all packets. This parameter is not supported in the current software version. The option is reserved for future support.

If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 13.

Table 13 TCP/UDP-specific parameters for IPv6 advanced ACL rules

source-port { object-group port-group-name | operator port1 [ port2 ] }: Specifies one or more UDP or TCP source ports. The port-group-name argument specifies an object group of ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

destination-port { object-group port-group-name | operator port1 [ port2 ] }: Specifies one or more UDP or TCP destination ports.

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. These parameters are specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. A rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set. These parameters are not supported in the current software version. They are reserved for future support.

established: Specifies the flags for indicating the established status of a TCP connection. This parameter is specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.

If the protocol argument is icmpv6 (58), set the parameters shown in Table 14.

Table 14 ICMPv6-specific parameters for IPv6 advanced ACL rules

icmp6-type { icmp6-type icmp6-code | icmp6-message }: Specifies the ICMPv6 message type and code. The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 15.

Table 15 ICMPv6 message names supported in IPv6 advanced ACL rules

ICMPv6 message name | ICMPv6 message type | ICMPv6 message code
echo-reply | 129 | 0
echo-request | 128 | 0
err-Header-field | 4 | 0
frag-time-exceeded | 3 | 1
hop-limit-exceeded | 3 | 0
host-admin-prohib | 1 | 1
host-unreachable | 1 | 3
neighbor-advertisement | 136 | 0
neighbor-solicitation | 135 | 0
network-unreachable | 1 | 0
packet-too-big | 2 | 0
port-unreachable | 1 | 4
redirect | 137 | 0
router-advertisement | 134 | 0
router-solicitation | 133 | 0
unknown-ipv6-opt | 4 | 2
unknown-next-hdr | 4 | 1

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.

The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.

Use the display acl ipv6 all command to view the rules in IPv6 advanced and basic ACLs.

Examples

# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96.

<Sysname> system-view

[Sysname] acl ipv6 number 3000

[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80

# Create IPv6 advanced ACL rules to permit all IPv6 packets except the ICMPv6 packets destined for FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 number 3001

[Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48

[Sysname-acl6-adv-3001] rule permit ipv6

# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view

[Sysname] acl ipv6 number 3002

[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp

[Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data

[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp

[Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view

[Sysname] acl ipv6 number 3003

[Sysname-acl6-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap

[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp

[Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap

# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets whose Hop-by-Hop Options header type is 5, and the other denies packets with any other Hop-by-Hop Options header type.

<Sysname> system-view

[Sysname] acl ipv6 number 3004

[Sysname-acl6-adv-3004] rule permit ipv6 hop-by-hop type 5

[Sysname-acl6-adv-3004] rule deny ipv6 hop-by-hop

Related commands

·     acl

·     acl logging interval

·     display acl

·     step

·     time-range

rule (IPv6 basic ACL view)

Use rule to create or edit an IPv6 basic ACL rule.

Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { object-group addr-group-name | source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | routing | source | time-range | vpn-instance ] *

undo rule { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { object-group addr-group-name | source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv6 basic ACL does not contain any rule.

Views

IPv6 basic ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv6 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.

routing [ type routing-type ]: Applies the rule to the specified type of routing header or all types of routing header. The routing-type argument specifies the value of the routing header type, which is in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of routing header. Otherwise, the rule applies to any type of routing header.

source { object-group addr-group-name | source-address source-prefix | source-address/source-prefix | any }: Matches source IPv6 addresses. The object-group addr-group-name option specifies an object group of source IPv6 addresses. The source-address and source-prefix arguments represent a source IPv6 address and an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies to all packets. This option is not supported in the current software version. It is reserved for future support.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

The undo rule rule-id command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.

The undo rule { deny | permit } command can only be used to delete the entire rule. You must specify all the attributes of the rule for the command.

Use the display acl ipv6 all command to view the rules in IPv6 advanced and basic ACLs.

Examples

# Create IPv6 basic ACL rules to deny the packets from any source IPv6 segment except 1001::/16, 3124:1123::/32, and FE80:5060:1001::/48.

<Sysname> system-view

[Sysname] acl ipv6 number 2000

[Sysname-acl6-basic-2000] rule permit source 1001:: 16

[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32

[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48

[Sysname-acl6-basic-2000] rule deny source any

Related commands

·     acl

·     acl logging interval

·     display acl

·     step

·     time-range

rule (user-defined ACL view)

Use rule to create or edit a user-defined ACL rule.

Use undo rule to delete a user-defined ACL rule.

Syntax

rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *

undo rule rule-id

undo rule { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *

Default

A user-defined ACL does not contain any rule.

Views

User-defined ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

ipv4: Specifies that the offset is relative to the beginning of the IPv4 header. The start byte is +20.

ipv6: Specifies that the offset is relative to the beginning of the IPv6 header. The start byte is +40.

l2: Specifies that the offset is relative to the beginning of the Layer 3 frame header. The start byte is -2.

l4: Specifies that the offset is relative to the beginning of the Layer 4 header. The start byte is +20.

rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.

rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. A match pattern mask is used for ANDing the selected string of a packet.

offset: Specifies an offset in bytes after which the match operation begins.

&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.

counting: Counts the number of times the user-defined ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.

Table 16 User-defined ACL usage

Command keyword | Start byte                 | Configurable offset length (EB/EC2/FD card in advanced ACL hardware mode) | Configurable offset length (EC1/EF/FG card with IPv6 enabled for ACL hardware mode) | Applicable packets
ipv4            | +20 byte of an IPv4 header | 9                                                                         | 12                                                                                  | IPv4 packets excluding IPv4 UDP/TCP packets
ipv6            | +40 byte of an IPv6 header | Not supported                                                             | 14                                                                                  | IPv6 packets
l2              | -2 byte of a L3 header     | 10                                                                        | 13                                                                                  | Non-IPv4, non-IPv6 and non-MPLS packets
l4              | +20 byte of a L4 header    | 4                                                                         | 12                                                                                  | IPv4 UDP/TCP packets

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can delete a user-defined ACL rule in the following ways:

·     Specify the rule ID for the undo rule rule-id command.

·     Specify all the attributes of the rule for the undo rule { deny | permit } command.

Use the display acl all command to view the rules in Ethernet frame header, IPv4 advanced, IPv4 basic, and user-defined ACLs.

Examples

# Create a rule for user-defined ACL 5005 to permit packets in which the 23rd and 24th bytes starting from the IPv4 header are 0x0808.

<Sysname> system-view

[Sysname] acl number 5005

[Sysname-acl-user-5005] rule 0 permit ipv4 0808 ffff 2
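The following Python model, added here and not part of the H3C documentation or software, shows how the rule-string, rule-mask and offset of a user-defined ACL rule are evaluated against packet bytes using the start bytes from Table 16, including the example rule above (ipv4 0808 ffff 2). It assumes an untagged Ethernet II frame (so the Layer 3 header begins at byte 14), an IPv4 packet for the l4 keyword, and that both the packet bytes and the rule-string are ANDed with the mask; the frame is constructed for the example.

```python
# Added example (not H3C code): evaluate user-defined ACL match patterns,
# { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset, against a frame
# using the Table 16 start bytes. Assumption: untagged Ethernet II frame,
# so the L3 header begins at byte 14; for l4 the packet is IPv4.
ETH_HDR_LEN = 14

# Constructed frame, not captured traffic: Ethernet II (EtherType 0x0800),
# 20-byte IPv4 header (protocol 47, so not UDP/TCP; checksum left zero),
# then 8 bytes placed so bytes +22/+23 from the IPv4 header are 0x0808.
CONSTRUCTED_FRAME = (
    bytes.fromhex("ffffffffffff" "001122334455" "0800")
    + bytes.fromhex("4500001c00010000" "402f0000" "c0a80001" "c0a80002")
    + bytes.fromhex("0000" "0808" "01020304")
)

def start_byte(frame: bytes, keyword: str) -> int:
    """Absolute index of the keyword's start byte (Table 16)."""
    l3 = ETH_HDR_LEN                     # first byte of the L3 header
    if keyword == "l2":
        return l3 - 2                    # 2 bytes before the L3 header
    if keyword == "ipv4":
        return l3 + 20                   # +20 bytes from the IPv4 header
    if keyword == "ipv6":
        return l3 + 40                   # +40 bytes from the IPv6 header
    if keyword == "l4":
        ihl = (frame[l3] & 0x0F) * 4     # IPv4 header length, options included
        return l3 + ihl + 20             # +20 bytes from the L4 header
    raise ValueError(f"unknown keyword {keyword!r}")

def pattern_matches(frame: bytes, keyword: str, rule_string: str,
                    rule_mask: str, offset: int) -> bool:
    """One match pattern: compare packet bytes with rule-string under rule-mask."""
    if len(rule_string) % 2 or len(rule_string) != len(rule_mask):
        raise ValueError("rule-string and rule-mask must be equal, even-length hex")
    pattern, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    start = start_byte(frame, keyword) + offset
    window = frame[start:start + len(pattern)]
    if start < 0 or len(window) < len(pattern):
        return False                     # frame too short at that offset: no match
    # Assumption: both sides are ANDed with the mask, so masked-out bits are ignored.
    return all((w & m) == (p & m) for w, m, p in zip(window, mask, pattern))

def rule_matches(frame: bytes, patterns) -> bool:
    """A rule with 1 to 8 patterns (&<1-8>) matches only if every pattern matches."""
    if not 1 <= len(patterns) <= 8:
        raise ValueError("a rule takes 1 to 8 match patterns")
    return all(pattern_matches(frame, *p) for p in patterns)
```

Note that an l4 pattern against this 42-byte frame cannot match at all, because its start byte (+20 from the Layer 4 header) lies beyond the end of the frame; an offset past the end of the packet is a non-match, not an error.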

Related commands

·     acl

·     display acl

·     time-range

rule comment

Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.

Use undo rule comment to delete an ACL rule comment.

Syntax

rule rule-id comment text

undo rule rule-id comment

Default

An ACL rule has no comment.

Views

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view, user-defined ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.

text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.

Examples

# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0

[Sysname-acl-basic-2000] rule 0 comment This rule is used on GigabitEthernet 3/0/1.

Related commands

display acl

step

Use step to set a rule numbering step for an ACL.

Use undo step to restore the default.

Syntax

step step-value

undo step

Default

The rule numbering step is five.

Views

IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

step-value: ACL rule numbering step in the range of 1 to 20.

Usage guidelines

The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

<Sysname> system-view

[Sysname] acl number 2000

[Sysname-acl-basic-2000] step 2

Related commands

display acl
