HP 6125G,6125XG ACL and QoS Command Reference

HP 6125 Blade Switch Series
ACL and QoS
Command Reference
Software version: Release 2103
Document version: 6W100-20120907
Legal and notice information
© Copyright 2012 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
ACL configuration commands
  acl
  acl copy
  acl ipv6
  acl ipv6 copy
  acl ipv6 name
  acl name
  description
  display acl
  display acl ipv6
  display acl resource
  display packet-filter
  display time-range
  hardware-count enable
  packet-filter
  packet-filter ipv6
  reset acl counter
  reset acl ipv6 counter
  rule (Ethernet frame header ACL view)
  rule (IPv4 advanced ACL view)
  rule (IPv4 basic ACL view)
  rule (IPv6 advanced ACL view)
  rule (IPv6 basic ACL view)
  rule comment
  rule remark
  step
  time-range
QoS policy configuration commands
  Class configuration commands
    display traffic classifier
    if-match
    traffic classifier
  Traffic behavior configuration commands
    accounting
    car
    display traffic behavior
    filter
    redirect
    remark dot1p
    remark drop-precedence
    remark dscp
    remark ip-precedence
    remark local-precedence
    remark qos-local-id
    traffic behavior
  QoS policy configuration and application commands
    classifier behavior
    display qos policy
    display qos policy global
    display qos policy interface
    display qos vlan-policy
    qos apply policy (interface view)
    qos apply policy (user-profile view)
    qos apply policy global
    qos policy
    qos vlan-policy
    reset qos policy global
    reset qos vlan-policy
Priority mapping configuration commands
  Priority mapping table configuration commands
    display qos map-table
    import
    qos map-table
  Port priority configuration commands
    qos priority
  Port priority trust mode configuration commands
    display qos trust interface
    qos trust
GTS and line rate configuration commands
  GTS configuration commands
    display qos gts interface
    qos gts
  Line rate configuration commands
    display qos lr interface
    qos lr
Congestion management configuration commands
  SP queuing configuration commands
    display qos sp
    qos sp
  WRR queuing configuration commands
    display qos wrr interface
    qos wrr
    qos wrr byte-count
    qos wrr group sp
    qos wrr weight
  WFQ configuration commands
    display qos wfq interface
    qos bandwidth queue
    qos wfq
    qos wfq byte-count
    qos wfq group sp
    qos wfq weight
Congestion avoidance configuration commands
  display qos wred interface
  display qos wred table
  qos wred apply
  qos wred queue table
  queue
Aggregate CAR configuration commands
  car name
  display qos car name
  qos car aggregative
  reset qos car name
Burst function configuration commands
  burst-mode enable
Support and other resources
  Contacting HP
    Subscription service
  Related information
    Documents
    Websites
  Conventions
Index
ACL configuration commands
acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Default level
2: System level
Parameters
number acl-number: Specifies the number of an access control list (ACL):
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
auto—Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
config—Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv4 ACLs and Ethernet frame header ACLs.
Description
Use acl to create an IPv4 ACL or an Ethernet frame header ACL, and enter its view. If the ACL has been created, you enter its view directly.
Use undo acl to delete the specified IPv4 or Ethernet frame header ACL, or all IPv4 and Ethernet frame header ACLs.
By default, no ACL exists.
You can assign a name to an IPv4 or Ethernet frame header ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl command.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Default level
2: System level
Parameters
source-acl-number: Specifies an existing source ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument takes a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use acl copy to create an IPv4 or an Ethernet frame header ACL by copying an ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name for an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl ipv6
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
View
System view
Default level
2: System level
Parameters
number acl6-number: Specifies the number of an IPv6 ACL:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name to the IPv6 ACL for easy identification. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter, and to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
auto—Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. For more information, see ACL and QoS Configuration Guide.
config—Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv6 ACLs.
Description
Use acl ipv6 to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly.
Use undo acl ipv6 to delete the specified IPv6 ACL or all IPv6 ACLs.
By default, no ACL exists.
You can assign a name to an IPv6 ACL only when you create it. After an IPv6 ACL is created, you cannot rename it or remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl ipv6 command.
Examples
# Create IPv6 ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]
acl ipv6 copy
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
View
System view
Default level
2: System level
Parameters
source-acl6-number: Specifies an existing source IPv6 ACL by its number:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name source-acl6-name: Specifies an existing source IPv6 ACL by its name. The source-acl6-name argument takes a case-insensitive string of 1 to 63 characters.
dest-acl6-number: Assigns a unique number to the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name dest-acl6-name: Assigns a unique name to the IPv6 ACL you are creating. The dest-acl6-name takes a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use acl ipv6 copy to create an IPv6 ACL by copying an IPv6 ACL that already exists. The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name to an IPv6 ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002
acl ipv6 name
Syntax
acl ipv6 name acl6-name
View
System view
Default level
2: System level
Parameters
acl6-name: Specifies the name of an existing IPv6 ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use acl ipv6 name to enter the view of an IPv6 ACL that has a name.
Related commands: acl ipv6.
Examples
# Enter the view of IPv6 ACL flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
acl name
Syntax
acl name acl-name
View
System view
Default level
2: System level
Parameters
acl-name: Specifies the IPv4 ACL name, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The IPv4 ACL must already exist.
Description
Use acl name to enter the view of an IPv4 ACL that has a name.
Related commands: acl.
Examples
# Enter the view of IPv4 ACL flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
description
Syntax
description text
undo description
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default level
2: System level
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use description to configure a description for an ACL.
Use undo description to remove the ACL description.
By default, an ACL has no ACL description.
Related commands: display acl and display acl ipv6.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
# Configure a description for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is an IPv6 basic ACL.
display acl
Syntax
display acl { acl-number | all | name acl-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
acl-number: Specifies an ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
slot slot-number: Displays match statistics for ACLs on an IRF member switch. The slot-number argument represents the ID of the IRF member switch. Available values for the slot-number argument are member IDs already assigned in the IRF fabric. If no IRF member switch is specified, the command displays match statistics for ACLs on all member switches.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl to display configuration and match statistics for the specified or all IPv4 ACLs.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics for all IPv4 ACLs.
<Sysname> display acl all
Basic ACL 2000, named flow, 3 rules,
Statistics is enabled
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 10 permit vpn-instance mk

Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit source 1.1.1.1 0
 rule 10 comment This rule is used in rd.
 rule 5 permit source 2.2.2.2 0
 rule 0 permit
Table 1 Command output
Field | Description
Basic ACL 2000 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.
named flow | The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules | The ACL contains three rules.
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
Statistics is enabled | The rule match counting is enabled for this ACL.
ACL's step is 5 | The rule numbering step is 5.
rule 0 permit | Content of rule 0.
5 times matched | There have been five matches for the rule. If the counting keyword is configured for the rule or the hardware-count enable command is enabled for the ACL, the statistic counts rule matches performed in both software and hardware. Otherwise, the statistic counts only rule matches performed in software.
rule 10 comment This rule is used in rd. | The description of ACL rule 10 is "This rule is used in rd."
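The following Python sketch is an added example, not part of the HP reference. It parses display acl output of the shape shown above into structured records and, because the command lists rules in the configured match order, flags every rule that follows a criteria-less rule and can therefore never be reached. The one-item-per-line layout of the sample and the names parse_display_acl and shadowed_rules are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "display acl all" example from this page, laid out
# with one header fragment or one rule per line (assumed layout).
SAMPLE = """\
<Sysname> display acl all
Basic ACL 2000, named flow, 3 rules,
Statistics is enabled
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 10 permit vpn-instance mk

Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit source 1.1.1.1 0
 rule 10 comment This rule is used in rd.
 rule 5 permit source 2.2.2.2 0
 rule 0 permit
"""

HEADER = re.compile(r"^(?P<category>[A-Za-z][A-Za-z0-9 ]*?) ACL (?P<number>\d+), "
                    r"named (?P<name>[^,]+), (?P<count>\d+) rules?")
COMMENT = re.compile(r"^rule (?P<id>\d+) comment (?P<text>.*)$")
RULE = re.compile(r"^rule (?P<id>\d+) (?P<action>permit|deny)\b(?P<body>.*?)"
                  r"(?: \((?P<hits>\d+) times matched\))?$")
STEP = re.compile(r"ACL's step is (\d+)")


@dataclass
class Rule:
    rule_id: int
    action: str
    match: str            # match criteria; "" means the rule has none
    hits: Optional[int]   # None when the output shows no counter for the rule


@dataclass
class Acl:
    category: str
    number: int
    name: Optional[str]   # None when the output says "-none-"
    declared_rules: int
    match_order: str = "config"   # the field is absent when the order is config
    statistics: bool = False
    step: Optional[int] = None
    rules: List[Rule] = field(default_factory=list)      # kept in display order
    comments: Dict[int, str] = field(default_factory=dict)


def parse_display_acl(text: str) -> List[Acl]:
    """Parse 'display acl' output into Acl records, preserving rule order."""
    acls: List[Acl] = []
    current: Optional[Acl] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):   # blank line or CLI prompt
            continue
        head = HEADER.match(line)
        if head:
            name = head["name"].strip()
            current = Acl(head["category"], int(head["number"]),
                          None if name == "-none-" else name, int(head["count"]))
            acls.append(current)
        if current is None:
            continue
        comment = COMMENT.match(line)
        if comment:
            current.comments[int(comment["id"])] = comment["text"]
            continue
        rule = RULE.match(line)
        if rule:
            hits = int(rule["hits"]) if rule["hits"] is not None else None
            current.rules.append(Rule(int(rule["id"]), rule["action"],
                                      rule["body"].strip(), hits))
            continue
        # Anything else is a header fragment, possibly on the header line itself.
        if "match-order is auto" in line:
            current.match_order = "auto"
        if "Statistics is enabled" in line:
            current.statistics = True
        step = STEP.search(line)
        if step:
            current.step = int(step.group(1))
    return acls


def shadowed_rules(acl: Acl) -> List[Tuple[int, List[int]]]:
    """Return (catch_all_id, [ids listed after it]) for each criteria-less rule.

    Display order is the match order, so rules listed after a rule with no
    match criteria are never compared against a packet.
    """
    findings = []
    for pos, rule in enumerate(acl.rules):
        later = [r.rule_id for r in acl.rules[pos + 1:]]
        if rule.match == "" and later:
            findings.append((rule.rule_id, later))
    return findings


if __name__ == "__main__":
    for acl in parse_display_acl(SAMPLE):
        print(acl.number, acl.name, acl.match_order, shadowed_rules(acl))
```

In the sample, ACL 2000 (config order) lists rule 0 permit first, so rules 5 and 10 are shadowed; ACL 2001 (auto order) lists the same criteria-less rule last and has no shadowed rules.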
display acl ipv6
Syntax
display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
all: Displays information for all IPv6 ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
slot slot-number: Displays the match statistics for IPv6 ACLs on an IRF member switch. The slot-number argument represents the ID of the IRF member switch. Available values for the slot-number argument are member IDs already assigned in the IRF fabric. If no IRF member switch is specified, the command displays match statistics for IPv6 ACLs on all member switches.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl ipv6 to display the configuration and match statistics for the specified IPv6 ACL or all IPv6 ACLs.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics for all IPv6 ACLs.
<Sysname> display acl ipv6 all
Basic IPv6 ACL 2000, named flow, 2 rules, Statistics is enabled
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1::/64 (5 times matched)

Basic IPv6 ACL 2001, named -none-, 3 rules, match-order is auto, ACL's step is 5
 rule 10 permit source 1::/64
 rule 10 comment This rule is used in rd.
 rule 5 permit source 2::/64
 rule 0 permit
Table 2 Command output
| Field | Description |
| --- | --- |
| Basic IPv6 ACL 2000 | Category and number of the ACL. The following field information is about this IPv6 basic ACL 2000. |
| named flow | The name of the ACL is flow. "-none-" means the ACL is not named. |
| 2 rules | The ACL contains two rules. |
| match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
| Statistics is enabled | The rule match counting is enabled for this ACL. |
| ACL's step is 5 | The rule numbering step is 5. |
| rule 0 permit | Content of rule 0. |
| 5 times matched | There have been five matches for the rule. If the counting keyword is configured for the rule or the hardware-count enable command is enabled for the ACL, the statistic counts rule matches performed in both software and hardware. Otherwise, the statistic counts only rule matches performed in software. |
| rule 10 comment This rule is used in rd. | The description of ACL rule 10 is "This rule is used in rd." |
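The fields described in Table 1 and Table 2 are regular enough to audit by script. The following Python parser is an added example, not HP's code; it assumes the output arrives one item per line as in the sample (constructed from the page's example output) and that a rule line without a "(N times matched)" suffix has zero recorded matches.

```python
import re

# Constructed sample: the page's example output, laid out one item per line (assumed layout).
SAMPLE = """\
<Sysname> display acl all
Basic ACL  2000, named flow, 3 rules, Statistics is enabled
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 10 permit vpn-instance mk

Basic IPv6 ACL  2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit source 1::/64
 rule 10 comment This rule is used in rd.
 rule 5 permit source 2::/64
 rule 0 permit
"""

HEADER = re.compile(r"^(?P<cat>\S.*?) ACL\s+(?P<num>\d+), named (?P<name>[^,]+), "
                    r"(?P<count>\d+) rules?\b")
RULE = re.compile(r"^\s*rule (?P<id>\d+) (?P<action>permit|deny)\b(?P<match>.*?)"
                  r"(?:\s*\((?P<hits>\d+) times matched\))?\s*$")
COMMENT = re.compile(r"^\s*rule (?P<id>\d+) comment (?P<text>.*\S)\s*$")
STEP = re.compile(r"ACL's step is (\d+)")


def parse_display_acl(text):
    """Return one dict per ACL found in display acl / display acl ipv6 output."""
    acls, cur = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            cur = {"category": header["cat"], "number": int(header["num"]),
                   "name": None if header["name"] == "-none-" else header["name"],
                   "declared_rules": int(header["count"]), "match_order": "config",
                   "statistics": False, "step": None, "rules": []}
            acls.append(cur)
        if cur is None:
            continue                      # prompt line or text before the first ACL
        comment, rule = COMMENT.match(line), RULE.match(line)
        if comment:                       # attach the description to its rule
            for r in cur["rules"]:
                if r["id"] == int(comment["id"]):
                    r["comment"] = comment["text"]
        elif rule:
            cur["rules"].append({"id": int(rule["id"]), "action": rule["action"],
                                 "match": rule["match"].strip(),
                                 # Assumption: a missing suffix means zero matches.
                                 "hits": int(rule["hits"] or 0), "comment": None})
        else:                             # header line or one of its continuation lines
            if "Statistics is enabled" in line:
                cur["statistics"] = True
            if "match-order is auto" in line:
                cur["match_order"] = "auto"
            step = STEP.search(line)
            if step:
                cur["step"] = int(step.group(1))
    return acls


def audit(acls):
    """Return (acl_label, finding, rule_id) tuples worth a reviewer's attention."""
    findings = []
    for acl in acls:
        label = f"{acl['category']} ACL {acl['number']}"
        if len(acl["rules"]) != acl["declared_rules"]:
            # Header count and listed rules disagree: output truncated or filtered.
            findings.append((label, "rule-count-mismatch", None))
        if not acl["statistics"]:
            # Without ACL-wide counting, a zero does not show that a rule is unused.
            findings.append((label, "acl-statistics-disabled", None))
            continue
        for r in acl["rules"]:
            if r["hits"] == 0:
                findings.append((label, "unmatched-rule", r["id"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display_acl(SAMPLE)):
        print(finding)
```

Rules are kept in the order the device printed them, so for an ACL with match-order auto the list reflects the depth-first order rather than ascending rule ID.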
display acl resource
Syntax
display acl resource [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
slot slot-number: Displays the usage of ACL rules on an IRF member switch. The slot-number argument represents the ID of the IRF member switch. Available values for the slot-number argument are member IDs already assigned in the IRF fabric. If no IRF member switch is specified, the command displays the usage of ACL rules on all member switches.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display acl resource to display the usage of ACL rules.
Examples
# Display the usage of ACL rules on a device.
<Sysname> display acl resource
Interface: XGE1/1/1 to XGE1/1/4, GE1/1/5 to GE1/0/16, XGE1/0/17
---------------------------------------------------------------------
 Type          Total   Reserved   Configured   Remaining   Usage
---------------------------------------------------------------------
 VFP ACL       2048    512        0            1536        25%
 IFP ACL       4096    1024       17           3055        25%
 IFP Meter     2048    512        0            1536        25%
 IFP Counter   2048    512        0            1536        25%
 EFP ACL       512     0          0            512         0%
 EFP Meter     256     0          0            256         0%
 EFP Counter   512     0          0            512         0%
Table 3 Command output
| Field | Description |
| --- | --- |
| Interface | Interface indicated by its type and number |
| Type | Rule type: VFP ACL—ACL rules for QinQ before Layer 2 forwarding; IFP ACL—ACL rules applied to inbound traffic; IFP Meter—Traffic policing rules for inbound traffic; IFP Counter—Traffic counting rules for inbound traffic; EFP ACL—ACL rules for outbound traffic; EFP Meter—Traffic counting rules for inbound traffic; EFP Counter—Traffic counting rules for outbound traffic |
| Total | Total number of ACL rules supported |
| Reserved | Number of reserved ACL rules |
| Configured | Number of ACL rules that have been applied |
| Remaining | Number of ACL rules that you can apply |
| Usage | Usage of the ACL rules |
display packet-filter
Syntax
display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number. VLAN interfaces are not supported.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.
slot slot-number: Specifies an IRF member switch. The slot-number argument is the ID of the IRF member switch. Available values for the slot-number argument are member IDs already assigned in the IRF fabric. If no IRF member switch is specified, the command displays application status of incoming and outgoing packet filtering ACLs for VLAN interfaces of the master.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display packet-filter to display whether an ACL has been successfully applied to an interface for packet filtering.
The ACL application status may be different on the master and on an IRF member switch because of ACL resource insufficiency. You can specify the slot number in the display packet-filter command to check the ACL application status on the member switch.
If you specify neither the inbound keyword nor the outbound keyword, the command displays the application status of both incoming and outgoing packet filtering ACLs.
Examples
# Display the application status of incoming and outgoing packet filtering ACLs for interface GigabitEthernet 1/0/1.
<Sysname> display packet-filter interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 In-bound Policy:
  acl 2001, Successful
 Out-bound Policy:
  acl6 2500, Fail
Table 4 Command output
| Field | Description |
| --- | --- |
| Interface | Interface to which the ACL applies. |
| In-bound Policy | ACL used for filtering incoming traffic on the interface. |
| Out-bound Policy | ACL used for filtering outgoing traffic on the interface. |
| acl 2001, Successful | IPv4 ACL 2001 has been applied to the interface. |
| acl6 2500, Fail | The device has failed to apply IPv6 ACL 2500 to the interface. |
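A configured packet-filter that shows Fail is a filter the operator expects but the hardware did not accept, and the status can differ per IRF member. The following Python check is an added example, not HP's code; it scans display packet-filter output collected per slot and lists every failed policy. The Vlan-interface10 samples and the slot numbers are constructed, and the parser is token based so it does not depend on where the line breaks fall.

```python
import re

# Tokens in the order they appear: interface header, direction header, policy entry.
TOKEN = re.compile(
    r"Interface:\s*(?P<iface>\S+)"
    r"|(?P<direction>In|Out)-bound Policy:"
    r"|\b(?P<kind>acl6?)\s+(?P<acl>[^\s,]+),\s*(?P<status>Successful|Fail)\b")

# The page's example output, kept on one line as it appears in the extracted text.
PAGE_EXAMPLE = ("<Sysname> display packet-filter interface gigabitethernet 1/0/1 "
                "Interface: GigabitEthernet1/0/1 In-bound Policy: acl 2001, Successful "
                "Out-bound Policy: acl6 2500, Fail")

# Constructed per-slot samples for a VLAN interface (slot applies to VLAN interfaces).
SLOT_OUTPUT = {
    1: "Interface: Vlan-interface10\n In-bound Policy:\n  acl 3000, Successful\n",
    2: "Interface: Vlan-interface10\n In-bound Policy:\n  acl 3000, Fail\n",
}


def parse_packet_filter(text):
    """Return (interface, direction, kind, acl, status) tuples in output order."""
    entries, iface, direction = [], None, None
    for tok in TOKEN.finditer(text):
        if tok["iface"]:
            iface, direction = tok["iface"], None
        elif tok["direction"]:
            direction = "inbound" if tok["direction"] == "In" else "outbound"
        else:
            # kind is "acl" or "acl6", exactly as printed by the device
            entries.append((iface, direction, tok["kind"], tok["acl"], tok["status"]))
    return entries


def failed_filters(outputs_by_slot):
    """List (slot, interface, direction, kind, acl) for every policy reported as Fail."""
    failures = []
    for slot, text in sorted(outputs_by_slot.items()):
        for iface, direction, kind, acl, status in parse_packet_filter(text):
            if status == "Fail":
                failures.append((slot, iface, direction, kind, acl))
    return failures


if __name__ == "__main__":
    print(parse_packet_filter(PAGE_EXAMPLE))
    print(failed_filters(SLOT_OUTPUT))
```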
display time-range
Syntax
display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display time-range to display the configuration and status of the specified time range or all time ranges.
Examples
# Display the configuration and status of time range t4.
<Sysname> display time-range t4
Current time is 17:12:34 4/13/2010 Tuesday

Time-range : t4 ( Inactive )
 10:00 to 12:00 Mon
 14:00 to 16:00 Wed
 from 00:00 1/1/2010 to 23:59 1/31/2010
 from 00:00 6/1/2010 to 23:59 6/30/2010
Table 5 Command output
| Field | Description |
| --- | --- |
| Current time | Current system time |
| Time-range | Configuration and status of the time range, including its name, status (active or inactive), and start time and end time |
hardware-count enable
Syntax
hardware-count enable
undo hardware-count enable
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default level
2: System level
Parameters
None
Description
Use hardware-count enable to enable counting ACL rule matches performed in hardware. The device automatically counts rule matches performed in software.
Use undo hardware-count enable to disable counting ACL rule matches performed in hardware. This command also resets the hardware match counters for all rules in the ACL. For a rule configured with the counting keyword, this command only resets the rule’s hardware match counter.
By default, ACL rule matches performed in hardware are not counted.
The hardware-count enable command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. For an individual rule, rule match counting works as long as either the hardware-count enable command or the counting keyword is configured.
When an ACL is referenced by a QoS policy, this command or the counting keyword does not take effect. No ACL rule matches are counted.
Related commands: display acl, display acl ipv6, and rule.
Examples
# Enable rule match counting for IPv4 ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] hardware-count enable
# Enable rule match counting for IPv6 ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] hardware-count enable
packet-filter
Syntax
packet-filter { acl-number | name acl-name } { inbound | outbound }
undo packet-filter { acl-number | name acl-name } { inbound | outbound }
View
Layer 2 Ethernet interface view, VLAN interface view
Default level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
Description
Use packet-filter to apply an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL to an interface to filter packets.
Use undo packet-filter to restore the default.
By default, an interface does not filter packets.
Related commands: display packet-filter.
Examples
# Apply IPv4 ACL 2001 to filter incoming traffic on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound
packet-filter ipv6
Syntax
packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
View
Layer 2 Ethernet interface view, VLAN interface view
Default level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
inbound: Filters incoming IPv6 packets
outbound: Filters outgoing IPv6 packets
Description
Use packet-filter ipv6 to apply an IPv6 basic or IPv6 advanced ACL to an interface to filter IPv6 packets.
Use undo packet-filter ipv6 to restore the default.
By default, an interface does not filter IPv6 packets.
Related commands: display packet-filter.
Examples
# Apply IPv6 ACL 2500 to filter incoming packets on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter ipv6 2500 inbound
reset acl counter
Syntax
reset acl counter { acl-number | all | name acl-name }
View
User view
Default level
2: System level
Parameters
acl-number: Specifies an ACL by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 and Ethernet frame header ACLs.
name acl-name: Specifies an IPv4 or Ethernet frame header ACL by its name. The acl-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use reset acl counter to clear statistics for the specified IPv4 or Ethernet frame header ACL, or all IPv4 and Ethernet frame header ACLs.
Related commands: display acl.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
# Clear statistics for IPv4 ACL flow.
<Sysname> reset acl counter name flow
reset acl ipv6 counter
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
View
User view
Default level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Description
Use reset acl ipv6 counter to clear statistics for the specified IPv6 ACL or all IPv6 basic and IPv6 advanced ACLs.
Related commands: display acl ipv6.
Examples
# Clear statistics for IPv6 basic ACL 2001.
<Sysname> reset acl ipv6 counter 2001
# Clear statistics for IPv6 ACL flow.
<Sysname> reset acl ipv6 counter name flow
rule (Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
View
Ethernet frame header ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Counts the number of times the Ethernet frame header ACL rule has been matched in hardware.
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the sour-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
Description
Use rule to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an Ethernet frame header ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
NOTE:
The lsap keyword is not supported if the ACL is for QoS traffic classification or packet filtering.
Examples
# Create a rule in ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
rule (IPv4 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | precedence precedence | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp-type | precedence | source | source-port | time-range | tos | vpn-instance ] *
View
IPv4 advanced ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range of 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 6 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 6 Match criteria and other rule information for IPv4 advanced ACL rules
| Parameters | Function | Description |
| --- | --- | --- |
| source { sour-addr sour-wildcard \| any } | Specifies a source address | The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
| destination { dest-addr dest-wildcard \| any } | Specifies a destination address | The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
| counting | Counts the number of times the IPv4 ACL rule has been matched in hardware. | |
| precedence precedence | Specifies an IP precedence value | The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
| tos tos | Specifies a ToS preference | The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
| dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
| vpn-instance vpn-instance-name | Applies the rule to packets in a VPN instance | The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets. |
| fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
| time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range. |
NOTE:
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.
If the protocol argument takes tcp (6) or udp (17), you can set the parameters shown in Table 7.
Table 7 TCP/UDP-specific parameters for IPv4 advanced ACL rules
| Parameters | Function | Description |
| --- | --- | --- |
| source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
| destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports | |
| { ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in one rule are ANDed. |
| established | Specifies the flags for indicating the established status of a TCP connection | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument takes icmp (1), you can set the parameters shown in Table 8.
Table 8 ICMP-specific parameters for IPv4 advanced ACL rules
| Parameters | Function | Description |
| --- | --- | --- |
| icmp-type { icmp-type [ icmp-code ] \| icmp-message } | Specifies the ICMP message type and code | The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 9. |
Table 9 ICMP message names supported in IPv4 advanced ACL rules
| ICMP message name | ICMP message type | ICMP message code |
| --- | --- | --- |
| echo | 8 | 0 |
| echo-reply | 0 | 0 |
| fragmentneed-DFset | 3 | 4 |
| host-redirect | 5 | 1 |
| host-tos-redirect | 5 | 3 |
| host-unreachable | 3 | 1 |
| information-reply | 16 | 0 |
| information-request | 15 | 0 |
| net-redirect | 5 | 0 |
| net-tos-redirect | 5 | 2 |
| net-unreachable | 3 | 0 |
| parameter-problem | 12 | 0 |
| port-unreachable | 3 | 3 |
| protocol-unreachable | 3 | 2 |
| reassembly-timeout | 11 | 1 |
| source-quench | 4 | 0 |
| source-route-failed | 3 | 5 |
| timestamp-reply | 14 | 0 |
| timestamp-request | 13 | 0 |
| ttl-exceeded | 11 | 0 |
Description
Use rule to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv4 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
If an IPv4 advanced ACL is for QoS traffic classification or packet filtering:
Do not specify the vpn-instance keyword.
Do not specify neq for the operator argument.
The counting keyword (even if specified) does not take effect for QoS traffic classification.
Related commands: acl, display acl, step, and time-range.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit ip
[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
rule (IPv4 basic ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | source | time-range | vpn-instance ] *
View
IPv4 basic ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv4 ACL rule has been matched in hardware.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.
Description
Use rule to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step, and time-range.
NOTE:
If an IPv4 basic ACL is for QoS traffic classification, do not specify the vpn-instance keyword, and the counting keyword (even if specified) does not take effect for QoS.
If an IPv4 basic ACL is for packet filtering, do not specify the vpn-instance keyword.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
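To check what a basic ACL such as the one above does to a given source address before applying it, the rules can be modelled offline. The following Python sketch is an added example, not HP's code: it numbers rules with the step rule described under rule-id, rejects a duplicate statement, and tests the source against each wildcard mask (a 0 bit must match, a 1 bit is ignored). It assumes evaluation in ascending rule ID with the first match deciding, which corresponds to the config match order, and returns None when no rule matches.

```python
import ipaddress
import re

MASK32 = 0xFFFFFFFF
RULE = re.compile(r"^rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)"
                  r"(?:\s+source\s+(?:any|(?P<addr>\S+)\s+(?P<wild>\S+)))?$")


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_to_prefix(wild):
    """Prefix length for a contiguous wildcard mask, or None if it is not contiguous."""
    care = ~wild & MASK32                       # bits that must match
    n = bin(care).count("1")
    return n if care == ((MASK32 << (32 - n)) & MASK32) else None


def build_acl(cli_lines, step=5):
    """Model an IPv4 basic ACL as {rule_id: (action, address, wildcard)}."""
    rules = {}
    for line in cli_lines:
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if m["addr"]:
            # A bare 0 is read as the all-zero (host) wildcard, as in "source 1.1.1.1 0".
            wild = 0 if m["wild"] == "0" else ip_to_int(m["wild"])
            addr = ip_to_int(m["addr"]) & ~wild & MASK32
        else:                                   # "source any" or no source criterion
            addr, wild = 0, MASK32
        if m["id"]:
            rule_id = int(m["id"])
        else:
            # Next multiple of the step above the current highest ID, starting from 0.
            rule_id = (max(rules) // step + 1) * step if rules else 0
        new = (m["action"], addr, wild)
        if any(rid != rule_id and old == new for rid, old in rules.items()):
            raise ValueError(f"duplicate statement rejected: {line!r}")
        rules[rule_id] = new
    return rules


def evaluate(acl, source):
    """Return (rule_id, action) of the first matching rule in ascending ID order, else None."""
    src = ip_to_int(source)
    for rule_id in sorted(acl):
        action, addr, wild = acl[rule_id]
        if ((src ^ addr) & ~wild & MASK32) == 0:
            return rule_id, action
    return None


# The four rules of the ACL 2000 example above.
ACL_2000 = build_acl([
    "rule permit source 10.0.0.0 0.255.255.255",
    "rule permit source 172.17.0.0 0.0.255.255",
    "rule permit source 192.168.1.0 0.0.0.255",
    "rule deny source any",
])

if __name__ == "__main__":
    for probe in ("10.20.30.40", "172.17.255.1", "172.18.0.1", "192.168.2.1"):
        print(probe, evaluate(ACL_2000, probe))
```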
rule (IPv6 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | routing | source | source-port | time-range ] *
View
IPv6 advanced ACL view
Default level
2: System level
Parameters
rule-id: Specifies a rule ID, in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Matches protocol carried over IPv6. It can be a number in the range of 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 10 describes the parameters that you can specify regardless of the value that the protocol argument takes.
Table 10 Match criteria and other rule information for IPv6 advanced ACL rules
Parameters: source { source source-prefix | source/source-prefix | any }
Function: Specifies a source IPv6 address
Description: The source and source-prefix arguments represent an IPv6 source address, and prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

Parameters: destination { dest dest-prefix | dest/dest-prefix | any }
Function: Specifies a destination IPv6 address
Description: The dest and dest-prefix arguments represent a destination IPv6 address, and prefix length in the range of 1 to 128. The any keyword specifies any IPv6 destination address.

Parameters: counting
Function: Counts the number of times the IPv6 ACL rule has been matched in hardware

Parameters: dscp dscp
Function: Specifies a DSCP preference
Description: The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

Parameters: flow-label flow-label-value
Function: Specifies a flow label value in an IPv6 packet header
Description: The flow-label-value argument is in the range of 0 to 1048575.

Parameters: routing [ type routing-type ]
Function: Specifies the type of routing header
Description: The routing-type argument takes a value in the range of 0 to 255. If no routing type header is specified, the rule applies to the IPv6 packets that have any type of routing header.

Parameters: fragment
Function: Applies the rule to only non-first fragments
Description: Without this keyword, the rule applies to all fragments and non-fragments.

Parameters: time-range time-range-name
Function: Specifies a time range for the rule
Description: The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range.