HP Moonshot-45XGc Command Reference Guide

HP Moonshot-45XGc Switch
ACL and QoS
Command Reference
Part Number: 7855
Software version: ESS 2407
Document version: 5W100-20140912
Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

ACL commands ···· 1
  acl ···· 1
  acl copy ···· 2
  acl logging interval ···· 3
  acl name ···· 4
  description ···· 5
  display acl ···· 5
  display packet-filter ···· 7
  display packet-filter statistics ···· 8
  display packet-filter statistics sum ···· 10
  display packet-filter verbose ···· 11
  display qos-acl resource ···· 13
  packet-filter ···· 14
  packet-filter default deny ···· 15
  reset acl counter ···· 16
  reset packet-filter statistics ···· 17
  rule (Ethernet frame header ACL view) ···· 18
  rule (IPv4 advanced ACL view) ···· 19
  rule (IPv4 basic ACL view) ···· 24
  rule (IPv6 advanced ACL view) ···· 25
  rule (IPv6 basic ACL view) ···· 30
  rule (user-defined ACL view) ···· 32
  rule comment ···· 34
  step ···· 34
QoS policy commands ···· 36
  Traffic class commands ···· 36
    display traffic classifier ···· 36
    if-match ···· 37
    traffic classifier ···· 43
  Traffic behavior commands ···· 44
    accounting ···· 44
    car ···· 44
    display traffic behavior ···· 46
    filter ···· 47
    nest top-most ···· 48
    redirect ···· 48
    remark customer-vlan-id ···· 49
    remark dot1p ···· 50
    remark drop-precedence ···· 51
    remark dscp ···· 51
    remark ip-precedence ···· 52
    remark local-precedence ···· 53
    remark qos-local-id ···· 54
    remark service-vlan-id ···· 54
    traffic behavior ···· 55
  QoS policy commands ···· 56
    classifier behavior ···· 56
    control-plane ···· 57
    display qos policy ···· 57
    display qos policy control-plane ···· 58
    display qos policy control-plane pre-defined ···· 59
    display qos policy global ···· 61
    display qos policy interface ···· 62
    display qos vlan-policy ···· 63
    qos apply policy (interface view, control plane view) ···· 65
    qos apply policy (user profile view) ···· 66
    qos apply policy global ···· 67
    qos policy ···· 67
    qos vlan-policy ···· 68
    reset qos policy control-plane ···· 69
    reset qos policy global ···· 69
    reset qos vlan-policy ···· 70
Priority mapping commands ···· 71
  Priority map commands ···· 71
    display qos map-table ···· 71
    import ···· 72
    qos map-table ···· 73
  Port priority commands ···· 73
    qos priority ···· 73
  Priority trust mode commands ···· 74
    display qos trust interface ···· 74
    qos trust ···· 74
GTS and rate limit commands ···· 76
  GTS commands ···· 76
    display qos gts interface ···· 76
    qos gts ···· 76
  Rate limit commands ···· 77
    display qos lr interface ···· 77
    qos lr ···· 78
Congestion management commands ···· 80
  SP commands ···· 80
    display qos queue sp interface ···· 80
    qos sp ···· 80
  WRR commands ···· 81
    display qos queue wrr interface ···· 81
    qos wrr ···· 82
    qos wrr { byte-count | weight } ···· 83
    qos wrr group sp ···· 84
  WFQ commands ···· 85
    display qos queue wfq interface ···· 85
    qos bandwidth queue ···· 86
    qos wfq ···· 87
    qos wfq { byte-count | weight } ···· 87
    qos wfq group sp ···· 88
  Queue scheduling profile commands ···· 89
    bandwidth ···· 89
    display qos qmprofile configuration ···· 90
    display qos qmprofile interface ···· 91
    qos apply qmprofile ···· 92
    qos qmprofile ···· 93
    queue ···· 93
  Queue-based accounting commands ···· 95
    display qos queue-statistics interface outbound ···· 95
Congestion avoidance commands ···· 96
  WRED commands ···· 96
    display qos wred interface ···· 96
    display qos wred table ···· 97
    qos wred apply ···· 98
    qos wred table ···· 99
    queue ···· 99
    queue ecn ···· 101
    queue weighting-constant ···· 101
Aggregate CAR commands ···· 103
  car name ···· 103
  display qos car name ···· 103
  qos car ···· 104
  reset qos car name ···· 106
Time range commands ···· 107
  display time-range ···· 107
  time-range ···· 107
Data buffer commands ···· 109
  buffer apply ···· 109
  buffer queue guaranteed ···· 110
  buffer queue shared ···· 111
  buffer total-shared ···· 112
  burst-mode enable ···· 113
  display buffer ···· 113
  display buffer usage ···· 115
Index ···· 118

ACL commands

acl
Use acl to create an ACL and enter its view. If the ACL already exists, you enter its view directly.
Use undo acl to delete the specified or all ACLs.
Syntax
acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl [ ipv6 ] { all | name acl-name | number acl-number }
Default
No ACL exists.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
number acl-number: Specifies the number of an ACL.
  2000 to 2999 for basic ACLs.
  3000 to 3999 for advanced ACLs.
  4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if the ipv6 keyword is specified.
  5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all.
match-order: Sets the order in which ACL rules are compared against packets.
  auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL category. For more information, see ACL and QoS Configuration Guide.
  config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If you do not specify a match order, the config order applies by default.
all: Specifies all ACLs.
  If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
  If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
You can change the match order only for ACLs that do not contain any rules.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
Related commands
display acl

acl copy

Use acl copy to create an ACL by copying an ACL that already exists.
Syntax
acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
source-acl-number: Specifies an existing source ACL by its number.
  2000 to 2999 for basic ACLs.
  3000 to 3999 for advanced ACLs.
  4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
  5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. If you do not specify an ACL number, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL. Available value ranges include:
  2000 to 2999 for basic ACLs.
  3000 to 3999 for advanced ACLs.
  4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if the ipv6 keyword is specified.
  5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is specified.
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all. If you do not specify an ACL name, the system does not name the ACL.
Usage guidelines
The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
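As an added example that is not part of this guide, the following Python encodes the ACL number ranges and naming constraints documented under acl and acl copy, and predicts the destination number the switch picks when acl copy is given a name rather than a number. It assumes the set of ACL numbers already present on the device is obtained separately (for example from display acl all); the function and variable names are this example's own.

```python
# Added example, not code from the HP guide. Encodes the documented ACL
# number ranges, the name constraints, and the "smallest free number in the
# same category" behaviour of 'acl copy' when no destination number is given.

ACL_CATEGORIES = (
    # (low, high, category, allowed when the ipv6 keyword is given)
    (2000, 2999, "basic", True),
    (3000, 3999, "advanced", True),
    (4000, 4999, "ethernet-frame-header", False),
    (5000, 5999, "user-defined", False),
)


def acl_category(number, ipv6=False):
    """Return the category of an ACL number, or raise ValueError if the number
    is out of range or the category is not permitted with the ipv6 keyword."""
    for low, high, category, ipv6_ok in ACL_CATEGORIES:
        if low <= number <= high:
            if ipv6 and not ipv6_ok:
                raise ValueError(f"{category} ACLs cannot be IPv6 ACLs")
            return category
    raise ValueError(f"{number} is outside every ACL number range")


def valid_acl_name(name):
    """Check the constraints the guide documents: 1 to 63 characters, starts
    with an English letter, and not the reserved word 'all' (names are
    case-insensitive, so 'All' is rejected too)."""
    return (1 <= len(name) <= 63
            and name[0].isascii() and name[0].isalpha()
            and name.lower() != "all")


def pick_copy_number(source, existing, ipv6=False):
    """Smallest unused number in the source ACL's category, which is what the
    switch assigns when 'acl copy' is not given a destination number."""
    category = acl_category(source, ipv6)
    taken = set(existing)
    for low, high, cat, _ in ACL_CATEGORIES:
        if cat == category:
            for candidate in range(low, high + 1):
                if candidate not in taken:
                    return candidate
    raise ValueError(f"no free {category} ACL number left")


def acl_copy_command(source, existing, dest=None, dest_name=None, ipv6=False):
    """Build the 'acl copy' line and return it with the number the new ACL
    will carry. The destination is either a number or a name, never both."""
    if (dest is None) == (dest_name is None):
        raise ValueError("give exactly one of dest or dest_name")
    if dest_name is not None:
        if not valid_acl_name(dest_name):
            raise ValueError(f"invalid ACL name {dest_name!r}")
        predicted = pick_copy_number(source, existing, ipv6)
        target = f"name {dest_name}"
    else:
        if acl_category(dest, ipv6) != acl_category(source, ipv6):
            raise ValueError("destination must be in the same category as the source")
        if dest in existing:
            raise ValueError(f"ACL {dest} already exists")
        predicted = dest
        target = str(dest)
    keyword = "acl ipv6 copy" if ipv6 else "acl copy"
    return f"{keyword} {source} to {target}", predicted


if __name__ == "__main__":
    # Constructed device state: basic ACLs 2000 and 2001 already exist.
    print(acl_copy_command(2001, {2000, 2001}, dest_name="flow2"))
```

Validating the category and the free-number choice before sending the command avoids the two failure modes the parameter text describes: a destination number in a different category, and a number that already exists.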

acl logging interval

Use acl logging interval to set the interval for generating and outputting packet filtering logs. The log information includes the number of matching packets and the matched ACL rules.
Use undo acl logging interval to restore the default.
Syntax
acl [ ipv6 ] logging interval interval
undo acl [ ipv6 ] logging interval
Default
The interval is 0. No packet filtering logs are generated.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval in minutes at which packet filtering logs are generated and output. It must be a multiple of 5 and in the range of 0 to 1440. To disable generating packet filtering logs, assign 0 to the argument.
Usage guidelines
The system collects packet filtering logs only for IPv4 basic, IPv4 advanced, IPv6 basic, and IPv6 advanced ACL rules that have the logging keyword.
When the ipv6 keyword is not specified, this command sets the interval for generating and outputting IPv4 packet filtering logs.
When the ipv6 keyword is specified, this command sets the interval for generating and outputting IPv6 packet filtering logs.
Examples
# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl logging interval 10
Related commands
rule (IPv4 advanced ACL view)
rule (IPv4 basic ACL view)
rule (IPv6 advanced ACL view)
rule (IPv6 basic ACL view)

acl name

Use acl name to enter the view of an ACL that has a name.
Syntax
acl [ ipv6 ] name acl-name
Views
System view
Predefined user roles
network-admin
Parameters
acl-name: Specifies the name of an ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist. For a basic ACL or advanced ACL, if you do not specify the ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.
Examples
# Enter the view of IPv4 basic ACL flow, which already exists.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
# Enter the view of IPv6 basic ACL flow, which already exists.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
Related commands
acl

description

Use description to configure a description for an ACL.
Use undo description to delete an ACL description.
Syntax
description text
undo description
Default
An ACL has no description.
Views
IPv4/IPv6 basic ACL view
IPv4/IPv6 advanced ACL view
Ethernet frame header ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
Related commands
display acl

display acl

Use display acl to display configuration and match statistics for ACLs.
Syntax
display acl [ ipv6 ] { acl-number | all | name acl-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
  2000 to 2999 for basic ACLs.
  3000 to 3999 for advanced ACLs.
  4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
  5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
all: Displays information about all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not specify the ipv6 keyword, or displays information about all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Usage guidelines
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display configuration and match statistics for IPv4 basic ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, named flow, 1 rule, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 5 comment This rule is used on FortyGigE 1/1/1.
Table 1 Command output
Field | Description
Basic ACL 2001 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.
named flow | The name of the ACL is flow. If the ACL is not named, this field displays -none-.
1 rule | The ACL contains one rule.
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
This is an IPv4 basic ACL. | Description of this ACL.
ACL's step is 5 | The rule numbering step is 5.
rule 5 permit source 1.1.1.1 0 | Content of rule 5.
5 times matched | There have been five matches for the rule. The statistic counts only ACL matches performed in software. This field is not displayed when no packets matched the rule.
rule 5 comment This rule is used on FortyGigE 1/1/1. | Comment of ACL rule 5.

display packet-filter

Use display packet-filter to display whether an ACL has been successfully applied to an interface for packet filtering.
Syntax
display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN interfaces are not supported. If you do not specify an interface, this command displays ACL application information on all interfaces except VLAN interfaces for packet filtering.
interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF member device. If you do not specify an IRF member device, this command displays ACL application information for packet filtering on the master.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays the ACL application information for both incoming and outgoing packet filtering.
The default action lines are printed only when the default action is deny. If no default action line appears for an ACL type, the packet filter is permitting packets of that type that match no rule, which is the switch default (see packet-filter default deny).
Examples
# Display ACL application information for incoming packet filtering on interface FortyGigE 1/1/1.
<Sysname> display packet-filter interface fortygige 1/1/1 inbound
Interface: FortyGigE1/1/1
 In-bound policy:
  ACL 2001, Hardware-count
  ACL6 2002
 IPv4 default action: Deny
 IPv6 default action: Deny
Table 2 Command output
Field Description
Interface: Interface to which the ACL applies.
In-bound policy: ACL used for filtering incoming traffic.
Out-bound policy: ACL used for filtering outgoing traffic.
ACL 2001: IPv4 basic ACL 2001 has been successfully applied.
Hardware-count: Counting of ACL rule matches in hardware is enabled for this ACL.
IPv4 default action: Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.
IPv6 default action: Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.
MAC default action: Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

display packet-filter statistics

Use display packet-filter statistics to display match statistics of ACLs for packet filtering.
Syntax
display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Displays the statistics of an interface specified by its type and number.
inbound: Displays the statistics in the inbound direction.
outbound: Displays the statistics in the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
brief: Displays brief statistics.
Usage guidelines
If you specify neither acl-number nor name acl-name, this command displays match statistics of all ACLs for packet filtering.
If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Examples
# Display match statistics of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs) for incoming packet filtering on FortyGigE 1/1/1.
<Sysname> display packet-filter statistics interface fortygige 1/1/1 inbound
Interface: FortyGigE1/1/1
 In-bound policy: ACL 2001, Hardware-count
  From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
  rule 0 permit source 2.2.2.2 0
  rule 5 permit source 1.1.1.1 0
  Totally 0 packets permitted, 0 packets denied
  Totally 0% permitted, 0% denied
 IPv4 default action: Deny
Table 3 Command output
Field Description
Interface: Interface to which the ACL applies.
In-bound policy: ACL used for filtering incoming traffic.
Out-bound policy: ACL used for filtering outgoing traffic.
ACL 2001: IPv4 basic ACL 2001 has been successfully applied.
Hardware-count: Counting of ACL rule matches in hardware is enabled for this ACL.
From 2011-06-04 10:25:21 to 2011-06-04 10:35:57: Start time and end time of the statistics.
Totally 0 packets permitted, 0 packets denied: Number of packets permitted and denied by the ACL.
Totally 0% permitted, 0% denied: Ratios of permitted and denied packets to all packets.
IPv4 default action: Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.
IPv6 default action: Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.
MAC default action: Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.
Related commands
reset packet-filter statistics
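The display commands above are how you verify that a packet-filter application actually took effect: the ACL is listed under the expected direction, Hardware-count is shown when you asked for it, and a default action line is present (its absence means the default action is permit). The following Python is an added example, not HP code: it parses output laid out like the display packet-filter and display packet-filter statistics examples in this guide and reports those checks plus rules that never matched. The sample output, interface name, rule counts and timestamps are constructed; the indentation and exact spelling of the lines are assumed from the examples above, so check a real capture against them before relying on the regular expressions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the layout of the "display packet-filter statistics"
# example above; interface, ACL number, rules, counts and times are made up.
SAMPLE = """\
Interface: FortyGigE1/1/1
 In-bound policy: ACL 2001, Hardware-count
  From 2011-06-04 10:25:21 to 2011-06-04 10:35:57
  rule 0 permit source 2.2.2.2 0 (12 packets)
  rule 5 deny source 1.1.1.1 0 (3 packets)
  rule 10 permit source 10.0.0.0 0.255.255.255
  Totally 12 packets permitted, 3 packets denied
  Totally 80% permitted, 20% denied
 IPv4 default action: Deny
"""

@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    criteria: str                  # rule text after the action
    packets: Optional[int] = None  # None when the switch printed no count

@dataclass
class Policy:
    direction: str                 # "In-bound" or "Out-bound"
    acl: str                       # "ACL 2001" or "ACL6 2002"
    hardware_count: bool
    rules: list = field(default_factory=list)
    permitted: int = 0
    denied: int = 0

@dataclass
class InterfaceStats:
    interface: str
    policies: list = field(default_factory=list)
    default_actions: dict = field(default_factory=dict)  # "IPv4" -> "Deny"

ACL_RE = re.compile(r"^(ACL6? \d+)(, Hardware-count)?$")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)(.*?)(?:\s*\((\d+) packets\))?$")
TOTAL_RE = re.compile(r"^Totally (\d+) packets permitted, (\d+) packets denied$")
DEFAULT_RE = re.compile(r"^(IPv4|IPv6|MAC) default action: (\w+)$")

def parse_statistics(text: str) -> InterfaceStats:
    """Parse one interface block of display packet-filter [statistics] output."""
    stats = direction = policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            stats = InterfaceStats(interface=line.split(":", 1)[1].strip())
            continue
        if not line or stats is None:
            continue
        if line.startswith(("In-bound policy:", "Out-bound policy:")):
            # The ACL may follow on the same line or on the lines below it.
            direction = line[:line.index("-bound") + 6]   # "In-bound" / "Out-bound"
            policy, line = None, line.partition(":")[2].strip()
        if (m := ACL_RE.match(line)) and direction:
            policy = Policy(direction, m.group(1), m.group(2) is not None)
            stats.policies.append(policy)
        elif m := DEFAULT_RE.match(line):
            stats.default_actions[m.group(1)] = m.group(2)
        elif policy is None:
            continue
        elif m := RULE_RE.match(line):
            count = int(m.group(4)) if m.group(4) else None
            policy.rules.append(Rule(int(m.group(1)), m.group(2), m.group(3).strip(), count))
        elif m := TOTAL_RE.match(line):
            policy.permitted, policy.denied = int(m.group(1)), int(m.group(2))
        # Anything else (the "From ... to ..." line, the percentage line) is skipped.
    if stats is None:
        raise ValueError("no 'Interface:' line found")
    return stats

def audit(stats: InterfaceStats, expected_acl: str, direction: str = "In-bound") -> list:
    """Findings a reviewer wants after applying packet-filter on an interface."""
    policy = next((p for p in stats.policies
                   if p.direction == direction and p.acl == expected_acl), None)
    if policy is None:
        return [f"{expected_acl} is not applied {direction.lower()} on {stats.interface}"]
    findings = []
    if not policy.hardware_count:
        findings.append("hardware-count not enabled: rule match counters stay at zero")
    # The default action line is printed only when it is deny; absence means permit.
    family = "IPv6" if policy.acl.startswith("ACL6") else "IPv4"
    if stats.default_actions.get(family) != "Deny":
        findings.append(f"{family} default action is permit: unmatched traffic passes")
    if policy.hardware_count:
        idle = [r.rule_id for r in policy.rules if not r.packets]
        if idle:
            findings.append(f"rules never matched in this window: {idle}")
    return findings
```

Run audit(parse_statistics(text), "ACL 2001") against a capture taken after packet-filter 2001 inbound hardware-count; an empty list means the ACL is applied in that direction with hardware counting and a deny default action, and every rule has matched at least once in the statistics window. A rule that never matches is worth a second look: either it is shadowed by an earlier rule or the traffic it was written for does not exist.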

display packet-filter statistics sum

Use display packet-filter statistics sum to display accumulated packet filtering ACL statistics.
Syntax
display packet-filter statistics sum { inbound | outbound } [ ipv6 ] { acl-number | name acl-name } [ brief ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
inbound: Displays the statistics in the inbound direction.
outbound: Displays the statistics in the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
brief: Displays brief accumulated packet filtering ACL statistics.
Examples
# Display accumulated packet filtering ACL statistics of IPv4 basic ACL 2001 for incoming packets.
<Sysname> display packet-filter statistics sum inbound 2001
Sum:
 In-bound policy: ACL 2001
  rule 0 permit source 2.2.2.2 0 (2 packets)
  rule 5 permit source 1.1.1.1 0
  Totally 2 packets permitted, 0 packets denied
  Totally 100% permitted, 0% denied
Table 4 Command output
Field Description
Sum: Accumulated packet filtering ACL statistics.
In-bound policy: Accumulated ACL statistics used for filtering incoming traffic.
Out-bound policy: Accumulated ACL statistics used for filtering outgoing traffic.
ACL 2001: Accumulated ACL statistics used for IPv4 basic ACL 2001.
2 packets: Two packets matched the rule. This field is not displayed when no packets matched the rule.
Totally 2 packets permitted, 0 packets denied: Number of packets permitted and denied by the ACL.
Totally 100% permitted, 0% denied: Ratios of permitted and denied packets to all packets.
Related commands
reset packet-filter statistics

display packet-filter verbose

Use display packet-filter verbose to display application details of ACLs for packet filtering.
Syntax
display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF member device. If you do not specify an IRF member device, this command displays ACL application details for packet filtering on the master.
Usage guidelines
If you specify neither acl-number nor name acl-name, this command displays application details of all ACLs for packet filtering.
If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Examples
# Display application details of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs) for incoming packet filtering on FortyGigE 1/1/1.
<Sysname> display packet-filter verbose interface fortygige 1/1/1 inbound
Interface: FortyGigE1/1/1
 In-bound policy:
  ACL 2001, Hardware-count
   rule 0 permit
   rule 5 permit source 1.1.1.1 0
  ACL6 2000, Hardware-count
   rule 0 permit
  ACL 4000, Hardware-count
 IPv4 default action: Deny
 IPv6 default action: Deny
 MAC default action: Deny
Table 5 Command output
Field Description
Interface: Interface to which the ACL applies.
In-bound policy: ACL used for filtering incoming traffic.
Out-bound policy: ACL used for filtering outgoing traffic.
ACL 2001: IPv4 basic ACL 2001 has been successfully applied.
Hardware-count: Counting of ACL rule matches in hardware is enabled for this ACL.
IPv4 default action: Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.
IPv6 default action: Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.
MAC default action: Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

display qos-acl resource

Use display qos-acl resource to display QoS and ACL resource usage.
Syntax
display qos-acl resource [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF member device. If you do not specify an IRF member device, this command displays QoS and ACL resource usage on all member devices.
Examples
# Display QoS and ACL resource usage.
<Sysname> display qos-acl resource
Interfaces: XGE1/0/1 to XGE1/0/45, FGE1/1/1 to FGE1/1/4
---------------------------------------------------------------------
 Type         Total   Reserved  Configured  Remaining   Usage
---------------------------------------------------------------------
 VFP ACL       1024      272         0         752       26%
 IFP ACL       2048     1664         0         384       81%
 IFP Meter     1024      832         0         192       81%
 IFP Counter   1024      832         0         192       81%
 EFP ACL       1024        0         0        1024        0%
 EFP Meter      512        0         0         512        0%
 EFP Counter    512        0         0         512        0%
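Before applying a large ACL it is worth knowing whether it fits: Remaining is the number of entries you can still apply on the interface range, and Usage is truncated to an integer, so two types at "81%" can have very different headroom. The following Python is an added example, not HP code: it parses output laid out like the display qos-acl resource example above, recomputes Usage with the same truncation as a consistency check, and reports which resource types would not have room for a planned number of entries. The table text is a constructed copy of the example above and the column layout is assumed from it.

```python
import re

# Constructed copy of the display qos-acl resource output shown above.
RESOURCE_OUTPUT = """\
Interfaces: XGE1/0/1 to XGE1/0/45, FGE1/1/1 to FGE1/1/4
---------------------------------------------------------------------
 Type         Total   Reserved  Configured  Remaining   Usage
---------------------------------------------------------------------
 VFP ACL       1024      272         0         752       26%
 IFP ACL       2048     1664         0         384       81%
 IFP Meter     1024      832         0         192       81%
 IFP Counter   1024      832         0         192       81%
 EFP ACL       1024        0         0        1024        0%
 EFP Meter      512        0         0         512        0%
 EFP Counter    512        0         0         512        0%
"""

# "VFP ACL", "IFP Meter", ...: a three-letter stage, a space, a word, then five numbers.
ROW_RE = re.compile(r"^\s*([A-Z]{3} \w+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s*$")

def parse_resources(text: str) -> dict:
    """Return {type: {total, reserved, configured, remaining, usage}} from the table."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            kind, *numbers = m.groups()
            total, reserved, configured, remaining, usage = map(int, numbers)
            table[kind] = dict(total=total, reserved=reserved, configured=configured,
                               remaining=remaining, usage=usage)
    return table

def usage_percent(total: int, reserved: int, configured: int) -> int:
    """Usage as the switch prints it: the integer part of (reserved + configured) / total."""
    return (reserved + configured) * 100 // total

def check_consistency(table: dict) -> list:
    """Types whose columns do not add up or whose Usage differs from the recomputed value."""
    bad = []
    for kind, r in table.items():
        if r["reserved"] + r["configured"] + r["remaining"] != r["total"]:
            bad.append(kind)
        elif usage_percent(r["total"], r["reserved"], r["configured"]) != r["usage"]:
            bad.append(kind)
    return bad

def headroom(table: dict, needed: dict) -> list:
    """Given {type: entries you plan to apply}, return the types that would not fit."""
    return [kind for kind, n in needed.items()
            if kind not in table or table[kind]["remaining"] < n]

if __name__ == "__main__":
    res = parse_resources(RESOURCE_OUTPUT)
    print("inconsistent rows:", check_consistency(res))
    print("would not fit:", headroom(res, {"IFP ACL": 400, "EFP ACL": 400}))
```

An inbound packet-filter consumes IFP ACL entries and an outbound one EFP ACL entries, so the planned counts in headroom() should be placed under the type matching the direction. If an ACL does not fit, confirm the failure with display packet-filter rather than assuming the interface is filtered.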
Table 6 Command output
Field Description
Interfaces: Interface range for the resource.
Type: Resource type:
VFP ACL: ACL rules for local QoS ID remarking before Layer 2 forwarding.
IFP ACL: ACL rules applied to inbound traffic.
IFP Meter: Traffic policing rules for inbound traffic.
IFP Counter: Traffic counting rules for inbound traffic.
EFP ACL: ACL rules applied to outbound traffic.
EFP Meter: Traffic policing rules for outbound traffic.
EFP Counter: Traffic counting rules for outbound traffic.
Total: Total number of resources of this type.
Reserved: Number of reserved resources.
Configured: Number of resources that have been applied.
Remaining: Number of resources that you can still apply.
Usage: Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%.

packet-filter

Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL application from an interface.
Syntax
packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }
Default
An interface does not filter packets.
Views
Layer 2/Layer 3 Ethernet interface view
VLAN interface view
S-channel interface/S-channel aggregate interface view
VSI interface/VSI aggregate interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on FortyGigE 1/1/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface fortygige 1/1/1
[Sysname-FortyGigE1/1/1] packet-filter 2001 inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.
Use undo packet-filter default deny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.
Examples
# Set the packet filter default action to deny.
<Sysname> system-view
[Sysname] packet-filter default deny
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose
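The security point of packet-filter default deny is that, without it, any packet that matches no rule in an applied ACL is forwarded, so an ACL written as a list of denies with no final rule covering everything else is not an allowlist. The following Python is an added example, not HP code: it models an IPv4 basic ACL applied with packet-filter, with wildcard-mask matching as written in rule commands (0 or 0.0.0.0 for one host, 0.0.255.255 for a /16), first match in ascending rule ID order, and the default action with and without packet-filter default deny. The rule set and the packet sources are constructed; it is an assumption of the model that config match order tries rules in ascending rule ID order, and match-order auto (depth-first) is not modelled.

```python
import ipaddress

def _wildcard(wildcard: str) -> int:
    # The rules on this page write an exact host as "source 1.1.1.1 0";
    # accept that shorthand as well as the dotted form.
    return 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))

def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask test used by source/destination criteria: a 1 bit in the
    wildcard means don't care, so 0.0.0.0 is one host and 0.0.255.255 a /16."""
    care = 0xFFFFFFFF ^ _wildcard(wildcard)
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(base)) & care)

class BasicAcl:
    """Model of an IPv4 basic ACL applied with packet-filter. Assumption: with
    match-order config, rules are tried in ascending rule ID order and the
    first match wins; match-order auto (depth-first) is not modelled."""

    def __init__(self, number: int):
        if not 2000 <= number <= 2999:
            raise ValueError("IPv4 basic ACLs are numbered 2000 to 2999")
        self.number = number
        self.rules = {}  # rule_id -> [action, base, wildcard, match count]

    def rule(self, rule_id: int, action: str, source=None):
        """source is (address, wildcard); None means 'source any'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0 to 65534")
        base, wildcard = source if source else ("0.0.0.0", "255.255.255.255")
        self.rules[rule_id] = [action, base, wildcard, 0]

    def evaluate(self, src_ip: str, default_deny: bool) -> str:
        """Return 'permit' or 'deny'. default_deny mirrors the global
        'packet-filter default deny' command; False is the switch default."""
        for rule_id in sorted(self.rules):
            action, base, wildcard, _ = self.rules[rule_id]
            if wildcard_match(src_ip, base, wildcard):
                self.rules[rule_id][3] += 1  # what the counting keyword would record
                return action
        return "deny" if default_deny else "permit"

def filter_batch(acl: BasicAcl, sources, default_deny: bool) -> dict:
    """Evaluate a list of source addresses; returns {source: action}."""
    return {src: acl.evaluate(src, default_deny) for src in sources}

# Constructed policy: allow one management host, block a lab range. There is
# no final rule covering everything else, so the default action decides the rest.
ACL_2001 = BasicAcl(2001)
ACL_2001.rule(5, "permit", ("1.1.1.1", "0"))
ACL_2001.rule(10, "deny", ("10.0.0.0", "0.255.255.255"))
PACKETS = ["1.1.1.1", "10.20.30.40", "192.0.2.7"]  # constructed sources

if __name__ == "__main__":
    print("switch default   :", filter_batch(ACL_2001, PACKETS, default_deny=False))
    print("default deny set :", filter_batch(ACL_2001, PACKETS, default_deny=True))
```

The third source, 192.0.2.7, matches no rule: it is forwarded with the switch default and dropped once packet-filter default deny is configured. Because the default action is global, setting it also changes the behaviour of every other ACL applied for packet filtering on the device, so review them all before enabling it. The same first-match order means a broad deny with a low rule ID shadows a later, more specific permit; use display acl to check rule IDs when a rule never matches.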

reset acl counter

Use reset acl counter to clear statistics for ACLs.
Syntax
reset acl counter [ ipv6 ] { acl-number | all | name acl-name }
Views
User view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
all: Clears statistics for all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not specify the ipv6 keyword, or clears statistics for all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.
name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
Related commands
display acl

reset packet-filter statistics

Use reset packet-filter statistics to clear the match statistics (including the accumulated statistics) of ACLs for packet filtering.
Syntax
reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ]
Views
User view
Predefined user roles
network-admin
Parameters
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not specify an interface, this command clears packet filtering ACL statistics on all interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL if the ipv6 keyword is specified.
5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.
Usage guidelines
If you specify neither acl-number nor name acl-name, this command clears the match statistics of all ACLs for packet filtering.
If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs.
If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Examples
# Clear IPv4 basic ACL 2001 statistics for incoming packet filtering of interface FortyGigE 1/1/1.
<Sysname> reset packet-filter statistics interface fortygige 1/1/1 inbound 2001
Related commands
display packet-filter statistics
display packet-filter statistics sum

rule (Ethernet frame header ACL view)

Use rule to create or edit an Ethernet frame header ACL rule.
Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
Default
An Ethernet frame header ACL does not contain any rule.
Views
Ethernet frame header ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and
Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the source-mask argument represents a mask in the H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
When an Ethernet frame header ACL with the lsap keyword specified is used for QoS traffic classification or packet filtering, the lsap-type argument must be AAAA and the lsap-type-mask argument must be FFFF. Otherwise, the ACL cannot be applied successfully.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
If you do not specify any optional keywords, the undo rule command deletes the entire rule. If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
Related commands
acl
display acl
step
time-range

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range | vpn-instance ] *
Default
An IPv4 advanced ACL does not contain any rule.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols. Table 7 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 7 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters Function Description
source { source-address source-wildcard | any }: Specifies a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.
destination { dest-address dest-wildcard | any }: Specifies a destination address. The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.
counting: Counts the number of times the IPv4 advanced ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
precedence precedence: Specifies an IP precedence value. The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).
tos tos: Specifies a ToS preference. The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to all fragments and non-fragments.
logging: Logs matching packets. This function requires that the module (for example, packet filtering) that uses the ACL supports logging.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 8.
Table 8 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters Function Description
source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports.
destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports.
For both source-port and destination-port, the operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.
TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.
established: Specifies the flags for indicating the established status of a TCP connection. Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.
If the protocol argument is icmp (1), set the parameters shown in Table 9.
Table 9 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters Function Description
icmp-type { icmp-type [ icmp-code ] | icmp-message }: Specifies the ICMP message type and code. The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 10.
Table 10 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name, ICMP message type, ICMP message code
echo 8 0
echo-reply 0 0
fragmentneed-DFset 3 4
host-redirect 5 1
host-tos-redirect 5 3
host-unreachable 3 1
information-reply 16 0
information-request 15 0
net-redirect 5 0
net-tos-redirect 5 2
net-unreachable 3 0
parameter-problem 12 0
port-unreachable 3 3
protocol-unreachable 3 2
reassembly-timeout 11 1
source-quench 4 0
source-route-failed 3 5
timestamp-reply 14 0
timestamp-request 13 0
ttl-exceeded 11 0
Usage guidelines
If an ACL is for QoS traffic classification or packet filtering:
Do not specify the vpn-instance keyword if the ACL is for outbound QoS traffic classification or outbound packet filtering.
Do not specify neq for the operator argument.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
If you do not specify any optional keywords, the undo rule command deletes the entire rule. If you specify optional keywords or arguments, the undo rule command deletes the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
[Sysname-acl-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
acl
acl logging interval
display acl
step
time-range

rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
Default
An IPv4 basic ACL does not contain any rule.
Views
IPv4 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module (for example, packet filtering) that uses the ACL supports the logging function.
source { source-address source-wildcard | any }: Matches a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. In the wildcard mask, a 0 bit must match the corresponding bit of source-address and a 1 bit is ignored, so a wildcard mask of all zeros specifies a single host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system still creates the rule. However, the rule can take effect only after you configure the time range. For more information about time ranges, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.
Usage guidelines
If an ACL is for outbound QoS traffic classification or outbound packet filtering, do not specify the vpn-instance keyword.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
If you do not specify any optional keywords, the undo rule command deletes the entire rule.
If you specify optional keywords or arguments, the undo rule command deletes only the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create rules in IPv4 basic ACL 2000 to permit packets from 10.0.0.0/8, 172.17.0.0/16, and 192.168.1.0/24 and to deny packets from any other source.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any
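The following Python model is an added example, not code from HP or from the Comware software. It reproduces the IPv4 basic ACL rule behaviour this section describes (wildcard masks in which a 0 bit must match, refusal of a rule whose permit or deny statement duplicates another rule, automatic rule numbering by the step, the fragment keyword, and first-match evaluation in config order) so that the ACL 2000 example above can be checked offline before it is applied to a switch. Three things are assumptions rather than statements on this page: the numbering step defaults to 5 (the value used in the rule-id parameter's example), config match order means ascending rule ID, and evaluate() returns None when no rule matches, because the default action for unmatched traffic belongs to the module that applies the ACL, which this page does not specify.

```python
"""Model of the IPv4 basic ACL rule semantics described in this command reference.

Added example, not HP/Comware code. Assumptions (not stated on this page):
  - the default numbering step is 5, the value used in the rule-id parameter's example
  - "config" match order means rules are tried in ascending rule-ID order
  - evaluate() returns None when no rule matches; the default action for unmatched
    traffic belongs to the module that applies the ACL (for example packet-filter)
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard mask: a 0 bit must match, a 1 bit is ignored.

    A wildcard of 0.0.0.0 therefore matches exactly one host, and
    0.255.255.255 matches the whole /8 that base belongs to.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    source: Tuple[str, ...] = ("any",)     # ("any",) or (address, wildcard)
    fragment: bool = False                 # True: match only non-first fragments


@dataclass
class Packet:
    src: str
    non_first_fragment: bool = False


class BasicAcl:
    """IPv4 basic ACL: rules match on the source address only."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step                   # assumed default step of 5
        self.rules: Dict[int, Rule] = {}

    def next_rule_id(self) -> int:
        """Nearest higher multiple of the step above the current highest rule ID, starting from 0."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, new: Rule, rule_id: Optional[int] = None) -> Optional[int]:
        """Create or edit a rule, like the rule command.

        Returns the rule ID, or None when the permit/deny statement duplicates
        another rule in the ACL (the rule is then not created or changed).
        """
        if rule_id is None:
            rule_id = self.next_rule_id()
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0 to 65534")
        if any(rid != rule_id and r == new for rid, r in self.rules.items()):
            return None
        self.rules[rule_id] = new
        return rule_id

    def undo_rule(self, rule_id: int) -> None:
        """undo rule without optional keywords deletes the entire rule."""
        self.rules.pop(rule_id, None)

    def evaluate(self, pkt: Packet) -> Optional[Tuple[int, str]]:
        """First match in config order (assumed: ascending rule ID). None when nothing matched."""
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r.fragment and not pkt.non_first_fragment:
                continue                   # rule applies to non-first fragments only
            if r.source != ("any",) and not wildcard_match(pkt.src, r.source[0], r.source[1]):
                continue
            return rid, r.action
        return None


def build_acl_2000() -> BasicAcl:
    """The ACL 2000 example from this section: permit three source ranges, deny everything else."""
    acl = BasicAcl(2000)
    acl.rule(Rule("permit", ("10.0.0.0", "0.255.255.255")))
    acl.rule(Rule("permit", ("172.17.0.0", "0.0.255.255")))
    acl.rule(Rule("permit", ("192.168.1.0", "0.0.0.255")))
    acl.rule(Rule("deny"))                 # rule deny source any
    return acl


if __name__ == "__main__":
    acl = build_acl_2000()
    for src in ("10.1.2.3", "172.17.200.1", "192.168.1.7", "192.168.2.1"):
        print(src, acl.evaluate(Packet(src)))
```

Because the deny rule is entered last it receives the highest rule ID and is tried last, which is what makes the three permit rules effective; entering the same rules with an explicit rule-id of 0 for the deny would silently change the result, so check rule IDs with display acl all after editing.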
Related commands
acl
acl logging interval
display acl
step
time-range

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.