No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Traffic class commands ················································································································································· 36
Port priority commands ·················································································································································· 73
display qos lr interface ········································································································································· 77
qos lr ······································································································································································· 78
Aggregate CAR commands ···································································································································· 103
car name ······························································································································································ 103
display qos car name ········································································································································· 103
qos car ·································································································································································· 104
reset qos car name ·············································································································································· 106
Time range commands ··········································································································································· 107
Data buffer commands ··········································································································································· 109
Index ········································································································································································ 118
iii
ACL commands
acl
Use acl to create an ACL, and enter its view. If the ACL has been created, you directly enter its view.
Use undoacl to delete the specified or all ACLs.
Syntax
acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl [ ipv6 ] { all | name acl-name | number acl-number }
Default
No ACL exists.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
number acl-number: Specifies the number of an ACL.
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if
• 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is
name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument is a
case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it
cannot be all.
match-order: Sets the order in which ACL rules are compared against packets.
• auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL category. For
• config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher
all: Specifies all ACLs.
the ipv6 keyword is specified.
specified.
more information, see ACL and QoS Configuration Guide.
priority. If you do not specify a match order, the config-order applies by default.
• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet
frame header ACLs.
• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
1
Usage guidelines
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you
cannot rename it or remove its name.
You can change the match order only for ACLs that do not contain any rules.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001 with the name flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
Related commands
display acl
acl copy
Use acl copy to create an ACL by copying an ACL that already exists.
Syntax
acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name
dest-acl-name }
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
source-acl-number: Specifies an existing source ACL by its number.
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
if the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
specified.
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is
a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the
same ACL category as the source ACL. If you do not specify an ACL number, the system automatically
picks the smallest number from all available numbers in the same ACL category as the source ACL.
Available value ranges include:
2
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if
the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is
specified.
name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name is a
case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it
cannot be all. If you do not specify an ACL name, the system does not name the ACL.
Usage guidelines
The new ACL has the same properties and content as the source ACL, but not the same ACL number and
name.
You can assign a name to an ACL only when you create it. After an ACL is created with a name, you
cannot rename it or remove its name.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl logging interval
Use acl logging interval to set the interval for generating and outputting packet filtering logs. The log
information includes the number of matching packets and the matched ACL rules.
Use undo acl logging interval to restore the default.
Syntax
acl [ ipv6 ] logging interval interval
undo acl [ ipv6 ] logging interval
Default
The interval is 0. No packet filtering logs are generated.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the interval in minutes at which packet filtering logs are generated and output. It must
be a multiple of 5 and in the range of 0 to 1440. To disable generating packet filtering logs, assign 0
to the argument.
Usage guidelines
The system collects packet filtering logs only for IPv4 basic, IPv4 advanced, IPv6 basic, and IPv6
advanced ACL rules that have the logging keyword.
3
• When the ipv6 keyword is not specified, this command sets the interval for generating and
outputting IPv4 packet filtering logs.
• When the ipv6 keyword is specified, this command sets the interval for generating and outputting
IPv6 packet filtering logs.
Examples
# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
Use acl name to enter the view of an ACL that has a name.
Syntax
acl [ ipv6 ] name acl-name
Views
System view
Predefined user roles
network-admin
Parameters
acl-name: Specifies the name of an ACL, a case-insensitive string of 1 to 63 characters. It must start with
an English letter. The ACL must already exist. For a basic ACL or advanced ACL, if you do not specify the
ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the
ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.
Examples
# Enter the view of IPv4 basic ACL flow, which already exists.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
# Enter the view of IPv6 basic ACL flow, which already exists.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
Related commands
acl
4
description
Use description to configure a description for an ACL.
Use undo description to delete an ACL description.
Syntax
description text
undo description
Default
An ACL has no description.
Views
IPv4/IPv6 basic ACL view
IPv4/IPv6 advanced ACL view
Ethernet frame header ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
Related commands
display acl
display acl
Use displayacl to display configuration and match statistics for ACLs.
Syntax
display acl [ ipv6 ] { acl-number | all | name acl-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies IPv6 ACLs.
5
acl-number: Specifies an ACL by its number.
p
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
if the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
specified.
all: Displays information about all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do
not specify the ipv6 keyword, or displays information about all IPv6 basic and IPv6 advanced ACLs if
you specify the ipv6 keyword.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to
63 characters. It must start with an English letter.
Usage guidelines
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display configuration and match statistics for IPv4 basic ACL 2001.
<Sysname> display acl 2001
Basic ACL 2001, named flow, 1 rule, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5
rule 5 permit source 1.1.1.1 0 (5 times matched)
rule 5 comment This rule is used on FortyGigE 1/1/1.
Table 1 Command output
Field
Descri
Basic ACL 2001
named flow
1 rule The ACL contains one rule.
match-order is auto
This is an IPv4 basic ACL. Description of this ACL.
ACL's step is 5 The rule numbering step is 5.
rule 5 permit source 1.1.1.1 0 Content of rule 5.
5 times matched
rule 5 comment This rule is used
on FortyGigE 1/1/1.
Category and number of the ACL. The following field information is about
IPv4 basic ACL 2000.
The name of the ACL is flow. If the ACL is not named, this field displays
-none-.
The match order for the ACL is auto, which sorts ACL rules in depth-first
order. This field is not present when the match order is config.
There have been five matches for the rule. The statistic counts only ACL
matches performed in software.
This field is not displayed when no packets matched the rule.
Comment of ACL rule 5.
tion
6
display packet-filter
p
Use display packet-filter to display whether an ACL has been successfully applied to an interface for
packet filtering.
interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN
interfaces are not supported. If you do not specify an interface, this command displays ACL application
information on all interfaces except VLAN interfaces for packet filtering.
interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF
member device. If you do not specify an IRF member device, this command displays ACL application
information for packet filtering on the master.
Usage guidelines
If neither the inbound keyword nor the outbound keyword is specified, this command displays the ACL
application information for both incoming and outgoing packet filtering.
Examples
# Display ACL application information for incoming packet filtering on interface FortyGigE
1/1/1.
Packet filter default action for packets that do not match any IPv4
ACLs. This field is displayed only when the default action is deny.
Packet filter default action for packets that do not match any IPv6
ACLs. This field is displayed only when the default action is deny.
Packet filter default action for packets that do not match any Ethernet
frame header ACLs. This field is displayed only when the default
action is deny.
display packet-filter statistics
Use displaypacket-filterstatistics to display match statistics of ACLs for packet filtering.
Totally 0% permitted, 0% denied Ratios of permitted and denied packets to all packets.
IPv4 default action
IPv6 default action
MAC default action
Start time and end time of the statistics.
Number of packets permitted and denied by the ACL.
Packet filter default action for packets that do not match any IPv4
ACLs. This field is displayed only when the default action is deny.
Packet filter default action for packets that do not match any IPv6
ACLs. This field is displayed only when the default action is deny.
Packet filter default action for packets that do not match any
Ethernet frame header ACLs. This field is displayed only when the
default action is deny.
tion
9
Related commands
reset packet-filter statistics
display packet-filter statistics sum
Use displaypacket-filterstatistics sum to display accumulated packet filtering ACL statistics.
inbound: Displays the statistics in the inbound direction.
outbound: Displays the statistics in the outbound direction.
Examples
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
if the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
specified.
nameacl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to
63 characters. It must start with an English letter.
interface interface-typeinterface-number: Specifies an interface by its type and number.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
if the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
specified.
11
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to
p
63 characters. It must start with an English letter.
slotslot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF
member device. If you do not specify an IRF member device, this command displays ACL application
details for packet filtering on the master.
Usage guidelines
When none of acl-number and name acl-name is specified, this command displays application details of
all ACLs for packet filtering.
• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet
frame header ACLs.
•If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Examples
# Display application details of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs)
for incoming packet filtering on FortyGigE 1/1/1.
Packet filter default action for packets that do not match any IPv4
IPv4 default action
IPv6 default action
ACLs. This field is displayed only when the default action is
deny.
Packet filter default action for packets that do not match any IPv6
ACLs. This field is displayed only when the default action is
deny.
tion
12
Field Description
p
MAC default action
display qos-acl resource
Use display qos-acl resource to display QoS and ACL resource usage.
Syntax
display qos-acl resource [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF
member device. If you do not specify an IRF member device, this command displays QoS and ACL
resource usage on all member devices.
Packet filter default action for packets that do not match any
Ethernet frame header ACLs. This field is displayed only when
the default action is deny.
Examples
# Display QoS and ACL resource usage.
<Sysname> display qos-acl resource
Interfaces: XGE1/0/1 to XGE1/0/45, FGE1/1/1 to FGE1/1/4
---------------------------------------------------------------------
Type Total Reserved Configured Remaining Usage
Configured Number of resource that has been applied.
Remaining Number of resource that you can apply.
Usage
packet-filter
Resource type:
•VFP ACL—ACL rules for local QoS ID remarking before Layer 2
forwarding.
• IFP ACL—ACL rules applied to inbound traffic.
• IFP Meter—Traffic policing rules for inbound traffic.
• IFP Counter—Traffic counting rules for inbound traffic.
• EFP Meter—Traffic policing rules for outbound traffic.
• EFP Counter—Traffic counting rules for outbound traffic.
Configured and reserved resources as a percentage of total resources. If the
percentage is not an integer, this field displays the integer part. For example,
if the actual usage is 50.8%, this field displays 50%.
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL application from an interface.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
if the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
specified.
nameacl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to
63 characters. It must start with an English letter.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables
match counting for all rules in an ACL, and the counting keyword in the rule command enables match
counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are
not counted.
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on FortyGigE 1/1/1, and enable counting ACL
rule matches performed in hardware.
Use packet-filterdefaultdeny to set the packet filtering default action to deny. The packet filter denies
packets that do not match any ACL rule.
Use undopacket-filterdefaultdeny to restore the default.
Syntax
packet-filter default deny
undo packet-filter default deny
Default
The packet filter permits packets that do not match any ACL rule.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The packet filter applies the default action to all ACL applications for packet filtering. The default action
appears in the display command output for packet filtering.
reset acl counter [ ipv6 ] { acl-number | all | name acl-name }
Views
User view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
all: Clears statistics for all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not
specify the ipv6 keyword, or clears statistics for all IPv6 basic and IPv6 advanced ACLs if you specify the
ipv6 keyword.
name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a
case-insensitive string of 1 to 63 characters. It must start with an English letter.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
if the ipv6 keyword is specified.
specified.
Related commands
display acl
16
reset packet-filter statistics
Use resetpacket-filterstatistics to clear the match statistics (including the accumulated statistics) of ACLs
for packet filtering.
interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not
specify an interface, this command clears packet filtering ACL statistics on all interfaces.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
ipv6: Specifies IPv6 ACLs.
acl-number: Specifies an ACL by its number.
• 2000 to 2999 for basic ACLs.
• 3000 to 3999 for advanced ACLs.
• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL
if the ipv6 keyword is specified.
• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is
specified.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to
63 characters. It must start with an English letter.
Usage guidelines
When neither of acl-number and name acl-name is specified, this command clears the match statistics of
all ACLs for packet filtering.
• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet
frame header ACLs.
•If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.
Examples
# Clear IPv4 basic ACL 2001 statistics for incoming packet filtering of interface FortyGigE 1/1/1.
An Ethernet frame header ACL does not contain any rule.
Views
Ethernet frame header ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an
ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is
5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5),
voice (6), or network-management (7).
counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The
counting keyword enables match counting specific to rules, and the hardware-count keyword in the
packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not
specified, matches for the rule are not counted.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and
dest-mask arguments represent a destination MAC address and mask in the H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type
argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask
argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The
protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and
Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents
a protocol type mask.
source-macsource-addresssource-mask: Matches a source MAC address range. The source-address
argument represents a source MAC address, and the sour-mask argument represents a mask in the H-H-H
format.
18
time-rangetime-range-name: Specifies a time range for the rule. The time-range-name argument is a
case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not
configured, the system creates the rule. However, the rule using the time range can take effect only after
you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
When an Ethernet frame header ACL with the lsap keyword specified is used for QoS traffic classification
or packet filtering, the lsap-type argument must be AAAA and the lsap-type-mask argument must be FFFF.
Otherwise, the ACL cannot be applied successfully.
Within an ACL, the permit or deny state ment of each ru le must be un iqu e. If the ACL rule you are creatin g
or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created
or changed.
You can edit ACL rules only when the match order is config.
• If you do not specify any optional keywords, the undo rule command deletes the entire rule.
• If you specify optional keywords or arguments, the undo rule command deletes the specified
attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff
Related commands
• acl
• display acl
• step
• time-range
rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule.
Use undorule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an
ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is
5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre
(47), icmp (1) , igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17) . Th e ip keyword specifies all
protocols. Table 7 d
argument.
Table 7 Match criteria and other rule information for IPv4 advanced ACL rules
escribes the parameters that you can specify regardless of the value for the protocol
Parameters Function Descri
source
{ source-address
source-wildcard |
any }
destination
{ dest-address
dest-wildcard |
any }
counting
precedence
precedence
tostosSpecifies a ToS preference.
Specifies a source address.
Specifies a destination
address.
Counts the number of times the
IPv4 advanced ACL rule has
been matched.
Specifies an IP precedence
value.
The source-address source-wildcard arguments
represent a source IP address and wildcard mask in
dotted decimal notation. An all-zero wildcard specifies
a host address.
The any keyword specifies any source IP address.
The dest-address dest-wildcard arguments represent a
destination IP address and wildcard mask in dotted
decimal notation. An all-zero wildcard specifies a host
address.
The any keyword represents any destination IP address.
The counting keyword enables match counting specific
to rules, and the hardware-count keyword in the
packet-filter command enables match counting for all
ru l e s in an ACL. If the counting keyword is not specified,
matches for the rule are not counted.
The precedence argument can be a number in the range
of 0 to 7, or in words, routine (0), priority (1),
immediate (2), flash (3), flash-override (4), critical (5),
internet (6), or network (7).
The tos argument can be a number in the range of 0 to
15, or in words, max-reliability (2), max-throughput
(4), min-delay (8), min-monetary-cost (1), or normal
(0).
tion
20
Parameters Function Description
p
The dscp argument can be a number in the range of 0 to
63, or in words, af11 (10), af12 (12), af13 (14), af21
If you do not specify this keyword, the rule applies to all
fragments and non-fragments.
This function requires that the module (for example,
packet filtering) that uses the ACL supports logging.
The time-range-name argument is a case-insensitive
string of 1 to 32 characters. It must start with an English
letter. If the time range is not configured, the system
creates the rule. However, the rule using the time range
can take effect only after you configure the timer range.
For more information about time range, see ACL and QoS Configuration Guide.
The vpn-instance-name argument is a case-sensitive
string of 1 to 31 characters.
If you do not specify a VPN instance, the rule applies
only to non-VPN packets.
If the protocol argument is tcp (6) or udp (7), set the parameters shown in Table 8.
Table 8 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters Function Descri
The operator argument can be lt (lower than), gt (greater than), eq
(equal to), neq (not equal to), or range (inclusive range).
source-portoperatorport1
[ port2 ]
destination-port
operator port1
[ port2 ]
Specifies one or
more UDP or TCP
source ports.
Specifies one or
more UDP or TCP
destination ports.
The port1 and port2 arguments are TCP or UDP port numbers in the
range of 0 to 65535. port2 is needed only when the operator
argument is range.
Specifies one or
more TCP flags
including ACK,
FIN, PSH, RST,
SYN, and URG.
Specifies the flags
for indicating the
established status
of a TCP
connection.
Parameters specific to TCP.
The value for each argument can be 0 (flag bit not set) or 1 (flag bit
set).
The TCP flags in a rule are ANDed. For example, a rule configured
with ack 0 psh 1 matches packets that have the ACK flag bit not set
and the PSH flag bit set.
Parameter specific to TCP.
The rule matches TCP connection packets with the ACK or RST flag bit
set.
If the protocol argument is icmp (1), set the parameters shown in Table 9.
Table 9 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters Function Descri
The icmp-type argument is in the range of 0 to 255.
icmp-type { icmp-type
icmp-code |
icmp-message }
Specifies the ICMP
message type and
code.
The icmp-code argument is in the range of 0 to 255.
The icmp-message argument specifies a message name.
Supported ICMP message names and their corresponding
type and code values are listed in Table 10.
If an ACL is for QoS traffic classification or packet filtering:
• Do not specify the vpn-instance keyword if the ACL is for outbound QoS traffic classification or
outbound packet filtering.
• Do not specify neq for the operator argument.
Within an ACL, the permit or deny state ment of each ru le must be un iqu e. If the ACL rule you are creatin g
or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created
or changed.
You can edit ACL rules only when the match order is config.
• If you do not specify any optional keywords, the undo rule command deletes the entire rule.
• If you specify optional keywords or arguments, the undo rule command deletes the specified
attributes.
ICMP message code
Examples
To view rules in an ACL and their rule IDs, use the display acl all command.
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an
ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is
5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword
enables match counting specific to rules, and the hardware-count keyword in the packet-filter command
enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the
rule are not counted.
fragment: Applies the rule only to non -first fragments. If you do not specify this keyword, the rule applies
to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module (for
example, packet filtering) that uses the ACL supports the logging function.
24
source { source-address source-wildcard | any }: Matches a source address. The source-address
source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation.
A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a
case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not
configured, the system creates the rule. However, the rule using the time range can take effect only after
you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is
a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only
to non-VPN packets.
Usage guidelines
If an ACL is for outbound QoS traffic classification or outbound packet filtering, do not specify the
vpn-instance keyword.
Within an ACL, the permit or deny state ment of each ru le must be un iqu e. If the ACL rule you are creatin g
or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created
or changed.
You can edit ACL rules only when the match order is config.
• If you do not specify any optional keywords, the undo rule command deletes the entire rule.
• If you specify optional keywords or arguments, the undo rule command deletes the specified
attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8,