HP Moonshot-45XGc Command Reference Guide

Download

HP Moonshot-45XGc Switch

ACL and QoS

Command Reference

Part Number: 7855

Software

Document version: 5W100-20140912

07-001

version: ESS 2407

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

ACL commands ···························································································································································· 1

acl ·············································································································································································· 1 acl copy ····································································································································································· 2 acl logging interval ·················································································································································· 3 acl name ···································································································································································· 4 description ································································································································································· 5 display acl ································································································································································· 5 display packet-filter ·················································································································································· 7 display packet-filter statistics ··································································································································· 8 display packet-filter statistics sum ························································································································ 10 display packet-filter verbose ································································································································· 11 display qos-acl resource ······································································································································· 13 packet-filter ····························································································································································· 14 packet-filter default deny ······································································································································ 15 reset acl counter ···················································································································································· 16 reset packet-filter statistics ····································································································································· 17 rule (Ethernet frame header ACL view) ··············································································································· 18 rule (IPv4 advanced ACL view) ···························································································································· 19 rule (IPv4 basic ACL view) ···································································································································· 24 rule (IPv6 advanced ACL view) ···························································································································· 25 rule (IPv6 basic ACL view) ···································································································································· 30 rule (user-defined ACL view) ································································································································ 32 rule comment ·························································································································································· 34 step ·········································································································································································· 34

QoS policy commands ·············································································································································· 36

Traffic class commands ················································································································································· 36

display traffic classifier ········································································································································· 36 if-match ··································································································································································· 37 traffic classifier ······················································································································································· 43

Traffic behavior commands ··········································································································································· 44

accounting ······························································································································································ 44 car ··········································································································································································· 44 display traffic behavior ········································································································································· 46 filter ········································································································································································· 47 nest top-most ·························································································································································· 48 redirect ··································································································································································· 48 remark customer-vlan-id ········································································································································ 49 remark dot1p ························································································································································· 50 remark drop-precedence ······································································································································ 51 remark dscp ··························································································································································· 51 remark ip-precedence ··········································································································································· 52 remark local-precedence ······································································································································ 53 remark qos-local-id ················································································································································ 54 remark service-vlan-id ··········································································································································· 54 traffic behavior ······················································································································································ 55

classifier behavior ················································································································································· 56 control-plane ·························································································································································· 57

display qos policy ················································································································································· 57 display qos policy control-plane ·························································································································· 58 display qos policy control-plane pre-defined ····································································································· 59 display qos policy global ····································································································································· 61 display qos policy interface ································································································································· 62 display qos vlan-policy ········································································································································· 63 qos apply policy (interface view, control plane view) ······················································································ 65 qos apply policy (user profile view) ···················································································································· 66 qos apply policy global ········································································································································ 67 qos policy ······························································································································································· 67 qos vlan-policy ······················································································································································· 68 reset qos policy control-plane ······························································································································ 69 reset qos policy global·········································································································································· 69 reset qos vlan-policy ·············································································································································· 70

Priority mapping commands ····································································································································· 71

Priority map commands ················································································································································· 71

display qos map-table ··········································································································································· 71 import ······································································································································································ 72 qos map-table ························································································································································ 73

Port priority commands ·················································································································································· 73

qos priority ····························································································································································· 73

Priority trust mode commands ······································································································································· 74

display qos trust interface ····································································································································· 74 qos trust ·································································································································································· 74

GTS and rate limit commands ··································································································································· 76

GTS commands ······························································································································································ 76

display qos gts interface ······································································································································· 76 qos gts ···································································································································································· 76

Rate limit commands ······················································································································································ 77

display qos lr interface ········································································································································· 77 qos lr ······································································································································································· 78

Congestion management commands ······················································································································· 80

SP commands ································································································································································· 80

display qos queue sp interface ···························································································································· 80 qos sp ····································································································································································· 80

WRR commands ····························································································································································· 81

display qos queue wrr interface ·························································································································· 81 qos wrr ··································································································································································· 82 qos wrr { byte-count | weight } ···························································································································· 83 qos wrr group sp ··················································································································································· 84

WFQ commands ···························································································································································· 85

display qos queue wfq interface·························································································································· 85 qos bandwidth queue ··········································································································································· 86 qos wfq ··································································································································································· 87 qos wfq { byte-count | weight } ··························································································································· 87 qos wfq group sp ·················································································································································· 88

Queue scheduling profile commands ·························································································································· 89

bandwidth ······························································································································································ 89 display qos qmprofile configuration ···················································································································· 90 display qos qmprofile interface ··························································································································· 91 qos apply qmprofile ·············································································································································· 92 qos qmprofile ························································································································································· 93 queue ······································································································································································ 93

Queue-based accounting commands ··························································································································· 95

display qos queue-statistics interface outbound ································································································· 95

Congestion avoidance commands···························································································································· 96

WRED commands ·························································································································································· 96

display qos wred interface ··································································································································· 96 display qos wred table ········································································································································· 97 qos wred apply ····················································································································································· 98 qos wred table ······················································································································································· 99 queue ······································································································································································ 99 queue ecn ····························································································································································· 101 queue weighting-constant ··································································································································· 101

Aggregate CAR commands ···································································································································· 103

car name ······························································································································································ 103 display qos car name ········································································································································· 103 qos car ·································································································································································· 104 reset qos car name ·············································································································································· 106

Time range commands ··········································································································································· 107

display time-range ··············································································································································· 107 time-range ···························································································································································· 107

Data buffer commands ··········································································································································· 109

buffer apply ·························································································································································· 109 buffer queue guaranteed ···································································································································· 110 buffer queue shared ············································································································································ 111 buffer total-shared ················································································································································ 112 burst-mode enable ··············································································································································· 113 display buffer ······················································································································································· 113 display buffer usage············································································································································ 115

Index ········································································································································································ 118

iii

ACL commands

acl

Use acl to create an ACL, and enter its view. If the ACL has been created, you directly enter its view.

Use undo acl to delete the specified or all ACLs.

Syntax

acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl [ ipv6 ] { all | name acl-name | number acl-number }

Default

No ACL exists.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

number acl-number: Specifies the number of an ACL.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if

• 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is

name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.

match-order: Sets the order in which ACL rules are compared against packets.

• auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL category. For

• config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher

all: Specifies all ACLs.

the ipv6 keyword is specified.

specified.

more information, see ACL and QoS Configuration Guide.

priority. If you do not specify a match order, the config-order applies by default.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Usage guidelines

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

You can change the match order only for ACLs that do not contain any rules.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2001 with the name flow, and enter its view.

<Sysname> system-view [Sysname] acl number 2001 name flow [Sysname-acl-basic-2001-flow]

Related commands

display acl

acl copy

Use acl copy to create an ACL by copying an ACL that already exists.

Syntax

acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name

dest-acl-name }

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

source-acl-number: Specifies an existing source ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.

dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. If you do not specify an ACL number, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL. Available value ranges include:

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if

the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is

specified.

name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all. If you do not specify an ACL name, the system does not name the ACL.

Usage guidelines

The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view [Sysname] acl copy 2001 to 2002

acl logging interval

Use acl logging interval to set the interval for generating and outputting packet filtering logs. The log information includes the number of matching packets and the matched ACL rules.

Use undo acl logging interval to restore the default.

Syntax

acl [ ipv6 ] logging interval interval

undo acl [ ipv6 ] logging interval

Default

The interval is 0. No packet filtering logs are generated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval in minutes at which packet filtering logs are generated and output. It must be a multiple of 5 and in the range of 0 to 1440. To disable generating packet filtering logs, assign 0 to the argument.

Usage guidelines

The system collects packet filtering logs only for IPv4 basic, IPv4 advanced, IPv6 basic, and IPv6 advanced ACL rules that have the logging keyword.

• When the ipv6 keyword is not specified, this command sets the interval for generating and

outputting IPv4 packet filtering logs.

• When the ipv6 keyword is specified, this command sets the interval for generating and outputting

IPv6 packet filtering logs.

Examples

# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.

<Sysname> system-view [Sysname] acl logging interval 10

Related commands

• rule (IPv4 advanced ACL view)

• rule (IPv4 basic ACL view)

• rule (IPv6 advanced ACL view)

• rule (IPv6 basic ACL view)

acl name

Use acl name to enter the view of an ACL that has a name.

Syntax

acl [ ipv6 ] name acl-name

Views

System view

Predefined user roles

network-admin

Parameters

acl-name: Specifies the name of an ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist. For a basic ACL or advanced ACL, if you do not specify the

ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Examples

# Enter the view of IPv4 basic ACL flow, which already exists.

<Sysname> system-view [Sysname] acl name flow [Sysname-acl-basic-2001-flow]

# Enter the view of IPv6 basic ACL flow, which already exists.

<Sysname> system-view [Sysname] acl ipv6 name flow [Sysname-acl6-basic-2001-flow]

Related commands

acl

description

Use description to configure a description for an ACL.

Use undo description to delete an ACL description.

Syntax

description text

undo description

Default

An ACL has no description.

Views

IPv4/IPv6 basic ACL view

IPv4/IPv6 advanced ACL view

Ethernet frame header ACL view

User-defined ACL view

Predefined user roles

network-admin

Parameters

text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

Related commands

display acl

Use display acl to display configuration and match statistics for ACLs.

Syntax

display acl [ ipv6 ] { acl-number | all | name acl-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

all: Displays information about all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not specify the ipv6 keyword, or displays information about all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Usage guidelines

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display configuration and match statistics for IPv4 basic ACL 2001.

<Sysname> display acl 2001 Basic ACL 2001, named flow, 1 rule, match-order is auto, This is an IPv4 basic ACL. ACL's step is 5 rule 5 permit source 1.1.1.1 0 (5 times matched) rule 5 comment This rule is used on FortyGigE 1/1/1.

Table 1 Command output

Field

Descri

Basic ACL 2001

named flow

1 rule The ACL contains one rule.

match-order is auto

This is an IPv4 basic ACL. Description of this ACL.

ACL's step is 5 The rule numbering step is 5.

rule 5 permit source 1.1.1.1 0 Content of rule 5.

5 times matched

rule 5 comment This rule is used on FortyGigE 1/1/1.

Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.

The name of the ACL is flow. If the ACL is not named, this field displays

-none-.

The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.

There have been five matches for the rule. The statistic counts only ACL matches performed in software.

This field is not displayed when no packets matched the rule.

Comment of ACL rule 5.

tion

display packet-filter

Use display packet-filter to display whether an ACL has been successfully applied to an interface for packet filtering.

Syntax

display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN

interfaces are not supported. If you do not specify an interface, this command displays ACL application information on all interfaces except VLAN interfaces for packet filtering.

interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF

member device. If you do not specify an IRF member device, this command displays ACL application information for packet filtering on the master.

Usage guidelines

If neither the inbound keyword nor the outbound keyword is specified, this command displays the ACL application information for both incoming and outgoing packet filtering.

Examples

# Display ACL application information for incoming packet filtering on interface FortyGigE 1/1/1.

<Sysname> display packet-filter interface fortygige 1/1/1 inbound Interface: FortyGigE1/1/1 In-bound policy: ACL 2001, Hardware-count ACL6 2002 IPv4 default action: Deny IPv6 default action: Deny

Table 2 Command output

Field Descri

tion

Interface Interface to which the ACL applies.

In-bound policy ACL used for filtering incoming traffic.

Out-bound policy ACL used for filtering outgoing traffic.

Field Description

ACL 2001 IPv4 basic ACL 2001 has been successfully applied.

Hardware-count Successfully enables counting ACL rule matches.

IPv4 default action

IPv6 default action

MAC default action

Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

display packet-filter statistics

Use display packet-filter statistics to display match statistics of ACLs for packet filtering.

Syntax

display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays the statistics of an interface specified by its type and

number.

inbound: Displays the statistics in the inbound direction.

outbound: Displays the statistics in the outbound direction.

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to

63 characters. It must start with an English letter.

brief: Displays brief statistics.

Usage guidelines

When none of acl-number and name acl-name is specified, this command displays match statistics of all ACLs for packet filtering.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Display match statistics of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs) for incoming packet filtering on FortyGigE 1/1/1.

<Sysname> display packet-filter statistics interface fortygige 1/1/1 inbound Interface: FortyGigE1/1/1 In-bound policy: ACL 2001, Hardware-count From 2011-06-04 10:25:21 to 2011-06-04 10:35:57 rule 0 permit source 2.2.2.2 0 rule 5 permit source 1.1.1.1 0 Totally 0 packets permitted, 0 packets denied Totally 0% permitted, 0% denied

IPv4 default action: Deny

Table 3 Command output

Field Descri

Interface Interface to which the ACL applies.

In-bound policy ACL used for filtering incoming traffic.

Out-bound policy ACL used for filtering outgoing traffic.

ACL 2001 IPv4 basic ACL 2001 has been successfully applied.

Hardware-count Successfully enables counting ACL rule matches.

From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

Totally 0 packets permitted, 0 packets denied

Totally 0% permitted, 0% denied Ratios of permitted and denied packets to all packets.

IPv4 default action

IPv6 default action

MAC default action

Start time and end time of the statistics.

Number of packets permitted and denied by the ACL.

Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

tion

Related commands

reset packet-filter statistics

display packet-filter statistics sum

Use display packet-filter statistics sum to display accumulated packet filtering ACL statistics.

Syntax

display packet-filter statistics sum { inbound | outbound } [ ipv6 ] { acl-number | name acl-name } [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

inbound: Displays the statistics in the inbound direction.

outbound: Displays the statistics in the outbound direction.

Examples

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

brief: Displays brief accumulated packet filtering ACL statistics.

# Display accumulated packet filtering ACL statistics of IPv4 basic ACL 2001 for incoming packets.

<Sysname> display packet-filter statistics sum inbound 2001 Sum: In-bound policy: ACL 2001 rule 0 permit source 2.2.2.2 0 (2 packets) rule 5 permit source 1.1.1.1 0 Totally 2 packets permitted, 0 packets denied Totally 100% permitted, 0% denied

Table 4 Command output

Field Descri

Sum Accumulated packet filtering ACL statistics.

In-bound policy Accumulated ACL statistics used for filtering incoming traffic.

Out-bound policy Accumulated ACL statistics used for filtering outgoing traffic.

ACL 2001 Accumulated ACL statistics used for IPv4 basic ACL 2001.

2 packets

Totally 2 packets permitted, 0 packets denied

Totally 100% permitted, 0% denied Ratios of permitted and denied packets to all packets.

Related commands

reset packet-filter statistics

display packet-filter verbose

Use display packet-filter verbose to display application details of ACLs for packet filtering.

Syntax

tion

Two packets matched the rule.

This field is not displayed when no packets matched the rule.

Number of packets permitted and denied by the ACL.

display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to

63 characters. It must start with an English letter.

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF member device. If you do not specify an IRF member device, this command displays ACL application details for packet filtering on the master.

Usage guidelines

When none of acl-number and name acl-name is specified, this command displays application details of all ACLs for packet filtering.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Display application details of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs) for incoming packet filtering on FortyGigE 1/1/1.

<Sysname> display packet-filter verbose interface fortygige 1/1/1 inbound Interface: FortyGigE1/1/1 In-bound policy: ACL 2001, Hardware-count rule 0 permit rule 5 permit source 1.1.1.1 0

ACL6 2000, Hardware-count rule 0 permit

ACL 4000, Hardware-count

IPv4 default action: Deny

IPv6 default action: Deny

MAC default action: Deny

Table 5 Command output

Field Descri

Interface Interface to which the ACL applies.

In-bound policy ACL used for filtering incoming traffic.

Out-bound policy ACL used for filtering outgoing traffic.

ACL 2001 IPv4 basic ACL 2001 has been successfully applied.

Hardware-count Successfully enables counting ACL rule matches.

Packet filter default action for packets that do not match any IPv4

IPv4 default action

IPv6 default action

ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is

deny.

tion

Field Description

MAC default action

display qos-acl resource

Use display qos-acl resource to display QoS and ACL resource usage.

Syntax

display qos-acl resource [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF

member device. If you do not specify an IRF member device, this command displays QoS and ACL resource usage on all member devices.

Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

Examples

# Display QoS and ACL resource usage.

<Sysname> display qos-acl resource Interfaces: XGE1/0/1 to XGE1/0/45, FGE1/1/1 to FGE1/1/4

--------------------------------------------------------------------- Type Total Reserved Configured Remaining Usage

--------------------------------------------------------------------- VFP ACL 1024 272 0 752 26% IFP ACL 2048 1664 0 384 81% IFP Meter 1024 832 0 192 81% IFP Counter 1024 832 0 192 81% EFP ACL 1024 0 0 1024 0% EFP Meter 512 0 0 512 0% EFP Counter 512 0 0 512 0%

Table 6 Command output

Field Descri

Interfaces Interface range for the resource.

tion

Field Description

Type

Total Total number of resource.

Reserved Number of reserved resource.

Configured Number of resource that has been applied.

Remaining Number of resource that you can apply.

Usage

packet-filter

Resource type:

• VFP ACL—ACL rules for local QoS ID remarking before Layer 2

forwarding.

• IFP ACL—ACL rules applied to inbound traffic.

• IFP Meter—Traffic policing rules for inbound traffic.

• IFP Counter—Traffic counting rules for inbound traffic.

• EFP Meter—Traffic policing rules for outbound traffic.

• EFP Counter—Traffic counting rules for outbound traffic.

Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%.

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL application from an interface.

Syntax

packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }

Default

An interface does not filter packets.

Views

Layer 2/Layer 3 Ethernet interface view

VLAN interface view

S-channel interface/S-channel aggregate interface view

VSI interface/VSI aggregate interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables

match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on FortyGigE 1/1/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view [Sysname] interface fortygige 1/1/1 [Sysname-FortyGigE1/1/1] packet-filter 2001 inbound hardware-count

Related commands

• display packet-filter

• display packet-filter statistics

• display packet-filter verbose

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.

Use undo packet-filter default deny to restore the default.

Syntax

packet-filter default deny

undo packet-filter default deny

Default

The packet filter permits packets that do not match any ACL rule.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.

Examples

# Set the packet filter default action to deny.

<Sysname> system-view [Sysname] packet-filter default deny

Related commands

• display packet-filter

• display packet-filter statistics

• display packet-filter verbose

reset acl counter

Use reset acl counter to clear statistics for ACLs.

Syntax

reset acl counter [ ipv6 ] { acl-number | all | name acl-name }

Views

User view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

all: Clears statistics for all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not specify the ipv6 keyword, or clears statistics for all IPv6 basic and IPv6 advanced ACLs if you specify the

ipv6 keyword.

name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a

case-insensitive string of 1 to 63 characters. It must start with an English letter.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

if the ipv6 keyword is specified.

specified.

Related commands

display acl

reset packet-filter statistics

Use reset packet-filter statistics to clear the match statistics (including the accumulated statistics) of ACLs for packet filtering.

Syntax

reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ]

Views

User view

Predefined user roles

network-admin

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not

specify an interface, this command clears packet filtering ACL statistics on all interfaces.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Usage guidelines

When neither of acl-number and name acl-name is specified, this command clears the match statistics of all ACLs for packet filtering.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Clear IPv4 basic ACL 2001 statistics for incoming packet filtering of interface FortyGigE 1/1/1.

<Sysname> reset packet-filter statistics interface fortygige 1/1/1 inbound 2001

Related commands

• display packet-filter statistics

• display packet-filter statistics sum

rule (Ethernet frame header ACL view)

Use rule to create or edit an Ethernet frame header ACL rule.

Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap

lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

Default

An Ethernet frame header ACL does not contain any rule.

Views

Ethernet frame header ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not

specified, matches for the rule are not counted.

dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and

Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the sour-mask argument represents a mask in the H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

When an Ethernet frame header ACL with the lsap keyword specified is used for QoS traffic classification or packet filtering, the lsap-type argument must be AAAA and the lsap-type-mask argument must be FFFF. Otherwise, the ACL cannot be applied successfully.

Within an ACL, the permit or deny state ment of each ru le must be un iqu e. If the ACL rule you are creatin g or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view [Sysname] acl number 4000 [Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff [Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff

Related commands

• acl

• display acl

• step

• time-range

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.

Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value

| syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range

time-range-name | vpn

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range | vpn-instance ] *

-instance vpn-instance-name ] *

Default

An IPv4 advanced ACL does not contain any rule.

Views

IPv4 advanced ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmp (1) , igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17) . Th e ip keyword specifies all protocols. Table 7 d argument.

Table 7 Match criteria and other rule information for IPv4 advanced ACL rules

escribes the parameters that you can specify regardless of the value for the protocol

Parameters Function Descri

source

{ source-address source-wildcard |

any }

destination

{ dest-address dest-wildcard |

any }

counting

precedence

tos tos Specifies a ToS preference.

Specifies a source address.

Specifies a destination address.

Counts the number of times the IPv4 advanced ACL rule has been matched.

Specifies an IP precedence value.

The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address.

The any keyword specifies any source IP address.

The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address.

The any keyword represents any destination IP address.

The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all ru l e s in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1),

immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

tion

Parameters Function Description

The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21

dscp dscp Specifies a DSCP priority.

(18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

fragment

logging Logs matching packets.

time-range

time-range-name

vpn-instance

vpn-instance-name

Applies the rule only to non-first fragments.

Specifies a time range for the rule.

Applies the rule to a VPN instance.

If you do not specify this keyword, the rule applies to all fragments and non-fragments.

This function requires that the module (for example, packet filtering) that uses the ACL supports logging.

The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range.

For more information about time range, see ACL and QoS Configuration Guide.

The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

If you do not specify a VPN instance, the rule applies only to non-VPN packets.

If the protocol argument is tcp (6) or udp (7), set the parameters shown in Table 8.

Table 8 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters Function Descri

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

source-port operator port1 [ port2 ]

destination-port operator port1

[ port2 ]

Specifies one or more UDP or TCP source ports.

Specifies one or more UDP or TCP destination ports.

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65),

talk (517), tftp (69), time (37), who (513), and xdmcp (177).

tion

Parameters Function Description

{ ack ack-value | fin fin-value |

psh psh-value | rst rst-value | syn syn-value | urg urg-value } *

established

Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG.

Specifies the flags for indicating the established status of a TCP connection.

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.

Parameter specific to TCP.

The rule matches TCP connection packets with the ACK or RST flag bit set.

If the protocol argument is icmp (1), set the parameters shown in Table 9.

Table 9 ICMP-specific parameters for IPv4 advanced ACL rules

Parameters Function Descri

The icmp-type argument is in the range of 0 to 255.

icmp-type { icmp-type icmp-code | icmp-message }

Specifies the ICMP message type and code.

The icmp-code argument is in the range of 0 to 255.

The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 10.

tion

Table 10 ICMP message names supported in IPv4 advanced ACL rules

ICMP messa

echo 8 0

echo-reply 0 0

fragmentneed-DFset 3 4

host-redirect 5 1

host-tos-redirect 5 3

host-unreachable 3 1

information-reply 16 0

information-request 15 0

net-redirect 5 0

net-tos-redirect 5 2

net-unreachable 3 0

parameter-problem 12 0

port-unreachable 3 3

protocol-unreachable 3 2

e name ICMP message type

ICMP message code

reassembly-timeout 11 1

source-quench 4 0

ICMP message name ICMP message type

source-route-failed 3 5

timestamp-reply 14 0

timestamp-request 13 0

ttl-exceeded 11 0

Usage guidelines

If an ACL is for QoS traffic classification or packet filtering:

• Do not specify the vpn-instance keyword if the ACL is for outbound QoS traffic classification or

outbound packet filtering.

• Do not specify neq for the operator argument.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

ICMP message code

Examples

To view rules in an ACL and their rule IDs, use the display acl all command.

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from

129.9.0.0/16 to 202.38.160.0/24.

<Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination

202.38.160.0 0.0.0.255 destination-port eq 80

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for

192.168.1.0/24.

<Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255 [Sysname-acl-adv-3001] rule permit ip

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view [Sysname] acl number 3002 [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view [Sysname] acl number 3003 [Sysname-acl-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap

Related commands

• acl

• acl logging interval

• display acl

• step

• time-range

rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.

Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv4 basic ACL does not contain any rule.

Views

IPv4 basic ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword

enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to non -first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This function is available only when the application module (for example, packet filtering) that uses the ACL supports the logging function.

source { source-address source-wildcard | any }: Matches a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation.

A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a

case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.

Usage guidelines

If an ACL is for outbound QoS traffic classification or outbound packet filtering, do not specify the vpn-instance keyword.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8,

172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255 [Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255 [Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Sysname-acl-basic-2000] rule deny source any

Related commands

• acl

• acl logging interval

• display acl

• step

• time-range

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.

Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value

| syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | so time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | routing | hop-by-hop | source | source-port | time-range | vpn-instance ] *

Default

An IPv6 advanced ACL does not contain any rule.

Views

IPv6 advanced ACL view

Predefined user roles

network-admin

Parameters

urce-port operator port1 [ port2 ] | time-range

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17) . Th e ipv6 keyword specifies all protocols.

You can set the protocol argument to one of the values in Table 11 to

match packets with the

corresponding IPv6 extended header.

Table 11 Protocol values of IPv6 extended headers

Value of the

0 Hop-by-Hop Options Header.

43 Routing Header.

44 Fragment Header.

50 Encapsulating Security Payload Header.

51 Authentication Header.

rotoco

argument IPv6 extended header

60 Destination Options Header.

Table 12 describes the parameters that you can specify regardless of the value for the protocol argument.

Table 12 Match criteria and other rule information for IPv6 advanced ACL rules

Parameters Function Descri

source

{ source-address source-prefix | source-address/so urce-prefix | any }

destination { dest-address

dest-prefix | dest-address/destprefix | any }

counting

dscp dscp

Specifies a source IPv6 address.

Specifies a destination IPv6 address.

Counts the number of times the IPv6 advanced ACL rule has been matched.

Specifies a DSCP preference.

The source-address and source-prefix arguments represent an IPv6 source address, and prefix length in the range of 1 to 128.

The any keyword represents any IPv6 source address.

The dest-address and dest-prefix arguments represent a destination IPv6 address, and prefix length in the range of 1 to 128.

The any keyword specifies any IPv6 destination address.

The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or

ef (46).

tion

flow-label flow-label-value

fragment

logging Logs matching packets.

routing [ type routing-type ]

hop-by-hop [ type hop-type ]

time-range time-range-name

Specifies a flow label value in an IPv6 packet header.

Applies the rule only to non-first fragments.

Specifies an IPv6 routing header type.

Specifies an IPv6 Hop-by-Hop Options header type.

Specifies a time range for the rule.

The flow-label-value argument is in the range of 0 to

1048575.

If you do not specify this keyword, the rule applies to all fragments and non-fragments.

This function requires that the module (for example, packet filtering) that uses the ACL supports logging.

routing-type: Value of the IPv6 routing header type, in the range of 0 to 255.

If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. Otherwise, the rule applies to all types of IPv6 routing header.

hop-type: Value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255.

If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. Otherwise, the rule applies to all types of IPv6 Hop-by-Hop Options header.

For more information about time range, see ACL and QoS Configuration Guide.

Parameters Function Description

The vpn-instance-name argument is a case-sensitive string

vpn-instance

vpn-instance-name

Applies the rule to a VPN instance.

of 1 to 31 characters.

If you do not specify a VPN instance, the rule applies only to non-VPN packets.

If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 13.

Table 13 TCP/UDP-specific parameters for IPv6 advanced ACL rules

Parameters Function Descri

source-port

operator port1 [ port2 ]

destination-port operator port1 [ port2 ]

{ ack ack-value | fin fin-value |

psh psh-value | rst rst-value | syn syn-value | urg urg-value }

Specifies one or more UDP or TCP source ports.

Specifies one or more UDP or TCP destination ports.

Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG.

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois

(43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.

tion

(68),

established

Specifies the flags for indicating the established status of a TCP connection.

Parameter specific to TCP.

The rule matches TCP connection packets with the ACK or RST flag bit set.

If the protocol argument is icmpv6 (58), set the parameters shown in Table 14.

Table 14 ICMPv6-specific parameters for IPv6 advanced ACL rules

Parameters Function Descri

The icmp6-type argument is in the range of 0 to 255.

icmp6-type { icmp6-type icmp6-code | icmp6-message }

Specifies the ICMPv6 message type and code.

The icmp6-code argument is in the range of 0 to 255.

The icmp6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 15.

tion

Table 15 ICMPv6 message names supported in IPv6 advanced ACL rules

ICMPv6 messa

echo-reply 129 0

echo-request 128 0

err-Header-field 4 0

frag-time-exceeded 3 1

hop-limit-exceeded 3 0

host-admin-prohib 1 1

host-unreachable 1 3

neighbor-advertisement 136 0

neighbor-solicitation 135 0

network-unreachable 1 0

packet-too-big 2 0

port-unreachable 1 4

redirect 137 0

router-advertisement 134 0

router-solicitation 133 0

e name ICMPv6 message type

ICMPv6 message code

unknown-ipv6-opt 4 2

unknown-next-hdr 4 1

Usage guidelines

If an ACL is for QoS traffic classification or packet filtering:

• Do not specify the fragment keyword.

• Do not specify neq for the operator argument.

• Do not specify the vpn-instance, routing, hop-by-hop, or flow-label keyword if the ACL is for

outbound QoS traffic classification or outbound packet filtering.

• Do not specify ipv6-ah for the protocol argument, nor set its value to 0, 43, 44, 51, or 60, if the ACL

is for outbound QoS traffic classification or outbound packet filtering.

If an ACL is to match information in the IPv6 packet payload, it can only match packets with one extension header. It cannot match packets with two or more extension headers or with the Encapsulating Security Payload Header.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.

Examples

# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96.

<Sysname> system-view [Sysname] acl ipv6 number 3000 [Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96

destination-port eq 80

# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.

<Sysname> system-view [Sysname] acl ipv6 number 3001 [Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48 [Sysname-acl6-adv-3001] rule permit ipv6

# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view [Sysname] acl ipv6 number 3002 [Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view [Sysname] acl ipv6 number 3003 [Sysname-acl6-adv-3003] rule permit udp source-port eq snmp [Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap

# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets with the Hop-by-Hop Options header type as 5, and the other one denies packets with other Hop-by-Hop Options header types.

<Sysname> system-view [Sysname] acl ipv6 number 3004 [Sysname-acl6-adv-3004] rule permit ipv6 hop-by-hop type 5 [Sysname-acl6-adv-3004] rule deny ipv6 hop-by-hop

Related commands

• acl

• acl logging interval

• display acl

• step

• time-range

rule (IPv6 basic ACL view)

Use rule to create or edit an IPv6 basic ACL rule.

Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv6 basic ACL does not contain any rule.

Views

IPv6 basic ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv6 basic ACL rule has been matched. The counting keyword

enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to non -first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This function is available only when the application module (for example, packet filtering) that uses the ACL supports the logging function.

routing [ type routing-type ]: Applies the rule to the specified type of routing header or all types of routing header. The routing-type argument specifies the value of the routing header type, which is in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of routing header. Otherwise, the rule applies to any type of routing header.

source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IP address. The ipv6-address and prefix-length arguments represent a source IPv6 address and address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

Usage guidelines

If an ACL is for QoS traffic classification or packet filtering:

• Do not specify the fragment keyword.

• Do not specify the vpn-instance or routing keyword if the ACL is for outbound QoS traffic

classification or outbound packet filtering.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.

Examples

# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 312 4 :1123::/32, or FE80:5060:1001::/48.

<Sysname> system-view [Sysname] acl ipv6 number 2000 [Sysname-acl6-basic-2000] rule permit source 1001:: 16 [Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32 [Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48 [Sysname-acl6-basic-2000] rule deny source any

Related commands

• acl

• acl logging interval

• display acl

• step

• time-range

rule (user-defined ACL view)

Use rule to create or edit a user-defined ACL rule.

Use undo rule to delete a user-defined ACL rule.

Syntax

rule [ rule-id ] { deny | permit } [ { l2 rule-string rule-mask offset }&<1-8> ] [ counting | time-range

time-range-name ] *

undo rule rule-id

Default

A user-defined ACL does not contain any rule.

Views

User-defined ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.

rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.

rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the

match pattern. A match pattern mask is used for ANDing the selected string of a packet.

offset: Specifies an offset in bytes after which the match operation begins.

&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.

counting: Counts the number of times the user-defined ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

Usage guidelines

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule for user-defined ACL 5005 to permit packets in which the 13th and 14th bytes starting from the Layer 2 header are 0x0806 (the ARP packets).

<Sysname> system-view [Sysname] acl number 5005 [Sysname-acl-user-5005] rule permit l2 0806 ffff 12

Related commands

• acl

• display acl

• time-range

rule comment

Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy to understand.

Use undo rule comment to delete an ACL rule comment.

Syntax

rule rule-id comment text

undo rule rule-id comment

Default

An ACL has not rule comment.

Views

IPv4/IPv6 basic ACL view

IPv4/IPv6 advanced ACL view

Ethernet frame header ACL view

User-defined ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.

text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.

Examples

# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0 [Sysname-acl-basic-2000] rule 0 comment This rule is used for telnet.

Related commands

display acl

step

Use step to set a rule numbering step for an ACL.

Use undo step to restore the default.

Syntax

step step-value

Default

undo step

The rule numbering step is five.

Views

IPv4/IPv6 basic ACL view

IPv4/IPv6 advanced ACL view

Ethernet frame header ACL view

Predefined user roles

network-admin

Parameters

step-value: ACL rule numbering step in the range of 1 to 20.

Usage guidelines

The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Examples

# Set the rule numbering step to 2 for IPv4 basic ACL 2000.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] step 2

Related commands

display acl

QoS policy commands

Traffic class commands

display traffic classifier

Use display traffic classifier to display traffic classes.

Syntax

display traffic classifier user-defined [ classifier-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

Examples

user-defined: Displays user-defined traffic classes.

classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic class, this command displays all traffic classes.

slot slot-number: Specifies an IRF member device by its member ID (slot number). If you do not specify an IRF member device, this command displays traffic classes on all IRF member devices.

# Display all user-defined traffic classes.

<Sysname> display traffic classifier user-defined

User-defined classifier information:

Classifier: 1 (ID 100) Operator: AND Rule(s) : If-match acl 2000

Classifier: 2 (ID 101) Operator: AND Rule(s) : If-match protocol ipv6

Classifier: 3 (ID 102) Operator: AND Rule(s) :

-none-

Table 16 Command output

Field Descri

Classifier Traffic class name and its match criteria.

Operator

Rule(s) Match criteria.

if-match

Use if-match to define a match criterion.

Use undo if-match to delete a match criterion.

Syntax

if-match match-criteria

undo if-match match-criteria

Default

No match criterion is configured.

Views

tion

Match operator you set for the traffic class. If the operator is AND, the traffic class matches the packets that match all its match criteria. If the operator is OR, the traffic class matches the packets that match any of its match criteria.

Traffic class view

Predefined user roles

network-admin

Parameters

match-criteria: Specifies a match criterion. Table 17 shows the available match criteria.

Table 17 Available match criteria

tion Description

acl [ ipv6 ] { acl-number | name

acl-name }

any Matches all packets.

control-plane protocol

protocol-name&<1-8>

Matches an ACL.

The acl-number argument has the following value ranges:

• 2000 to 3999 for IPv4 ACLs.

• 2000 to 3999 for IPv6 ACLs.

• 4000 to 4999 for Ethernet frame header ACLs.

• 5000 to 5999 for user-defined ACLs.

The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an English letter. To avoid confusion, the argument cannot be all.

Matches control plane protocols.

The protocol-name&<1-8> argument specifies a space-separated list of up to eight system-defined control plane protocols. For available system-defined control plane protocols, see Table 18.

tion Description

control-plane protocol-group protocol-group-name

customer-dot1p dot1p-value&<1-8>

customer-vlan-id vlan-id-list

destination-mac mac-address Matches a destination MAC address.

dscp dscp-value&<1-8>

ip-precedence

ip-precedence-value&<1-8>

Matches a control plane protocol group.

The protocol-group-name argument can be critical, important, management, monitor, normal, or redirect.

Matches 802.1p priority values in inner VLAN tags of double-tagged packets.

The dot1p-value&<1-8> argument specifies a space-separated list of up to eight 802.1p priority values. The value range for the dot1p-value argument is 0 to 7.

Matches VLAN IDs in inner VLAN tags of double-tagged packets.

The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each item specifies a VLAN or a range of VLANs in the form of vlan-id1 to vlan-id2. The value for vlan-id2 must be equal to or greater than

the value for vlan-id1. The value range for the vlan-id argument is 1 to 4094.

Matches DSCP values.

The dscp-value&<1-8> argument specifies a space-separated list of up to eight DSCP values. The value range for the dscp-value argument is 0 to 63 or keywords shown in Table 20.

Matches IP precedence values.

The ip-precedence-value&<1-8> argument specifies a space-separated list of up to eight IP precedence values. The value range for the ip-precedence-value argument is 0 to 7.

protocol protocol-name

qos-local-id local-id-value

service-dot1p

dot1p-value&<1-8>

service-vlan-id vlan-id-list

source-mac mac-address Matches a source MAC address.

Matches a protocol.

The protocol-name argument can be IP or IPv6.

Matches a local QoS ID in the range of 1 to 4095. The switch supports local QoS IDs in the range of 1 to 3999.

Matches 802.1p priority values in outer VLAN tags.

The dot1p-value&<1-8> argument specifies a space-separated list of up to eight 802.1p priority values. The value range for the dot1p-value argument is 0 to 7.

Matches VLAN IDs in outer VLAN tags.

Table 18 Available system-defined control plane protocols

Protocol Descri

arp ARP packets

arp-snooping ARP snooping packets

tion

bfd BFD packets

bgp BGP packets

Protocol Descri

bgp4+ IPv6 BGP packets

bpdu-tunnel BPDU tunnel packets

dhcp DHCP packets

dhcp-snooping DHCP snooping packets

dhcp6 IPv6 DHCP packets

dldp DLDP packets

dot1x 802.1X packets

mvrp MVRP packets (including GVRP packets)

hop limit expires ICMPv6 time exceeded packets

http HTTP packets

https HTTPS packets

icmp ICMP packets

icmp6 ICMP snooping packets

igmp IGMP packets

ip-option IPv4 packets with the Options field

tion

ipv6-option IPv6 packets with the Options field

isis IS-IS packets

lacp LACP packets

lldp LLDP packets

ospf-multicast OSPF multicast packets

ospf-unicast OSPF unicast packets

ospf3-multicast OSPFv3 multicast packets

ospf3-unicast OSPFv3 unicast packets

radius RADIUS packets

snmp SNMP packets

ssh SSH packets

stp STP packets

tacacs TACACS packets

telnet Telnet packets

ttl expires ICMP time exceeded packets

vrrp VRRP packets

vrrp6 IPv6 VRRP packets

Usage guidelines

When an ACL is referenced by a QoS policy for traffic classification, the action (permit or deny) in the ACL is ignored, and the actions in the associated traffic behavior are performed.

If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id or if-match service-vlan-id clauses, a packet that matches any of the clauses matches the class.

To successfully execute the traffic behavior associated with a traffic class that uses the AND operator, define only one if-match clause for any of the following match criteria, and enter only one value for any of the following list arguments (for example, the 8021p-list argument):

• customer-dot1p 8021p-list.

• destination-mac mac-address.

• dscp dscp-list.

• ip-precedence ip-precedence-list.

• service-dot1p 8021p-list.

• source-mac mac-address.

• control-plane protocol protocol-name.

To create multiple if-match clauses for these match criteria or specify multiple values for the list arguments, specify the operator of the class as OR and use the if-match command multiple times.

If a match criterion includes the if-match control-plane protocol or if-match control-plane protocol-group clause, the QoS policy that references this match criterion can be applied only to the control plane.

Defining an ACL-based match criterion

• If the ACL referenced in the if-match command does not exist, the relevant QoS policy cannot be

applied normally.

• You can configure multiple ACLs for a class.

• For a traffic class, you can reference an ACL twice by its name and number with the if-match

command, respectively.

Defining a criterion to match a destination MAC address

You can configure multiple destination MAC address match criteria for a traffic class.

Defining a criterion to match a source MAC address

You can configure multiple source MAC address match criteria for a traffic class.

Defining a criterion to match DSCP values

• You can configure multiple DSCP match criteria for a traffic class. All defined DSCP values are

automatically sorted in ascending order.

• To delete a criterion that matches DSCP values, the specified DSCP values must be identical with

those defined in the criterion (the sequence can be different).

Defining a criterion to match 802.1p priority values in inner or outer VLAN tags

• You can configure multiple 802.1p priority match criteria for a traffic class. All the defined 802.1p

values are automatically arranged in ascending order.

• To delete a criterion that matches 802.1p priority values, the specified 802.1p priority values in the

command must be identical with those defined in the criterion (the sequence can be different).

Defining a criterion to match IP precedence values

• You can configure multiple IP precedence match criteria for a traffic class. The defined IP

precedence values are automatically arranged in ascending order.

• To delete a criterion that matches IP precedence values, the specified IP precedence values in the

command must be identical with those defined in the criterion (the sequence can be different).

Defining a criterion to match VLAN IDs in inner or outer VLAN tags

• You can configure multiple VLAN ID match criteria for a traffic class. The defined VLAN IDs are

automatically arranged in ascending order.

• You can configure multiple VLAN IDs in one command line. If the same VLAN ID is specified

multiple times, the system considers the VLAN IDs as one. If a packet matches one of the defined VLAN IDs, it matches the if-match clause.

• To delete a criterion that matches VLAN IDs, the specified VLAN IDs in the command must be

identical with those defined in the criterion (the sequence can be different).

• You can use the VLAN ID in the outer VLAN tag to match single-tagged packets.

Defining a criterion to match control plane protocols

• You can configure multiple control plane protocol match criteria for a traffic class.

• This criterion cannot coexist with other criteria in a traffic class. Otherwise, the relevant QoS policy

cannot be applied normally.

• You can configure multiple control plane protocols in one command line. If the same control plane

protocol is specified multiple times, the system considers them as one. If a packet matches one of the defined control plane protocols, it matches the if-match clause.

• To delete a criterion that matches control plane protocols, the specified control plane protocols in

the command must be identical with those defined in the criterion (the sequence can be different).

Examples

# Define a match criterion for traffic class class1 to match the packets with their destination MAC addresses being 0050-ba27-bed3.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3

# Define a match criterion for traffic class class2 to match the packets with their source MAC addresses being 0050-ba27-bed2.

<Sysname> system-view [Sysname] traffic classifier class2 [Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2

# Define a match criterion for traffic class class1 to match double-tagged packets with 802.1p priority 3 in inner VLAN tags.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match customer-dot1p 3

# Define a match criterion for traffic class class1 to match the packets with 802.1p priority 5 in outer VLAN tags.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match service-dot1p 5

# Define a match criterion for traffic class class1 to match the advanced ACL 3101.

<Sysname> system-view [Sysname] traffic classifier class1

[Sysname-classifier-class1] if-match acl 3101

# Define a match criterion for traffic class class1 to match the ACL named flow.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match acl name flow

# Define a match criterion for traffic class class1 to match the advanced IPv6 ACL 3101.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match acl ipv6 3101

# Define a match criterion for traffic class class1 to match the IPv6 ACL named flow.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match acl ipv6 name flow

# Define a match criterion for traffic class class1 to match all packets.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match any

# Define a match criterion for traffic class class1 to match the packets with their DSCP values being 1, 6, or 9.

<Sysname> system-view [Sysname] traffic classifier class1 operator or [Sysname-classifier-class1] if-match dscp 1 [Sysname-classifier-class1] if-match dscp 6 [Sysname-classifier-class1] if-match dscp 9

# Define a match criterion for traffic class class1 to match the packets with their IP precedence values being 1 or 6.

<Sysname> system-view [Sysname] traffic classifier class1 operator or [Sysname-classifier-class1] if-match ip-precedence 1 [Sysname-classifier-class1] if-match ip-precedence 6

# Define a match criterion for traffic class class1 to match IP packets.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match protocol ip

# Define a match criterion for traffic class class1 to match double-tagged packets with VLAN ID 1, 6, or 9 in inner VLAN tags.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match customer-vlan-id 1 6 9

# Define a match criterion for traffic class class1 to match the packets with VLAN ID 2, 7, or 10 in outer VLAN tags.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match service-vlan-id 2 7 10

# Define a match criterion for traffic class class1 to match the packets with a local QoS ID of 3.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match qos-local-id 3

# Define a match criterion for traffic class class1 to match ARP protocol packets.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match control-plane protocol arp

# Define a match criterion for traffic class class1 to match packets of the protocols in protocol group normal.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1] if-match control-plane protocol-group normal

traffic classifier

Use traffic classifier to create a traffic class and enter traffic class view.

Use undo traffic classifier to delete a traffic class.

Syntax

traffic classifier classifier-name [ operator { and | or } ]

undo traffic classifier classifier-name

Default

No traffic class exists.

Views

System view

Predefined user roles

network-admin

Parameters

classifier-name: Specifies a traffic class name, a case-sensitive string of 1 to 31 characters.

operator: Sets the operator to logic AND (the default) or OR for the traffic class.

and: Specifies the logic AND operator. The traffic class matches the packets that match all its criteria.

or: Specifies the logic OR operator. The traffic class matches the packets that match any of its criteria.

Examples

# Create a traffic class class1.

<Sysname> system-view [Sysname] traffic classifier class1 [Sysname-classifier-class1]

Related commands

display traffic classifier

Traffic behavior commands

accounting

Use accounting to configure a traffic accounting action in a traffic behavior.

Use undo accounting to delete the action.

Syntax

accounting [ byte | packet ] *

undo accounting

Default

No traffic accounting action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

byte: Counts traffic in bytes.

Examples

car

Syntax

Default

packet: Counts traffic in packets.

# Configure a traffic accounting action in traffic behavior database to count traffic in bytes.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] accounting byte

Use car to configure a CAR action in a traffic behavior.

Use undo car to delete the action.

car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ] *

car cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ green action | red action | yellow action ] *

undo car

Views

No CAR action is configured.

Traffic behavior view

Predefined user roles

network-admin

Parameters

cir committed-information-rate: Specifies the committed information rate (CIR) in kbps, which specifies an

average traffic rate. The value range for the committed-information-rate argument is an integral multiple of 8 between 8 and 160000000.

cbs committed-burst-size: Specifies the committed burst size (CBS) in bytes. The value range for the committed-burst-size argument is an integral multiple of 512 between 512 and 256000000. The default

value for this argument is the product of 62.5 and the CIR and must be an integral multiple of 512. When the product is not an integral multiple of 512, it is rounded up to the nearest integral multiple of 512. A default value greater than 256000000 is converted to 256000000.

ebs excess-burst-size: Specifies the excess burst size (EBS) in bytes. The value range for the excess-burst-size argument is an integral multiple of 512 between 0 and 256000000, and the default

value is 512.

pir peak-information-rate: Specifies the peak information rate (PIR) in kbps. The value range for the peak-information-rate argument is an integral multiple of 8 between 8 and 160000000. If the PIR is

configured, two rates are used for traffic policing. Otherwise, one rate is used.

green action: Specifies the action to take on packets that conform to CIR. The default setting is pass.

red action: Specifies the action to take on the packet that conforms to neither CIR nor PIR. The default setting is discard.

yellow action: Action to take on packets that conform to PIR but not to CIR. The default setting is pass.

action: Sets the action to take on the packet:

• discard: Drops the packet.

• pass: Permits the packet to pass through.

• remark-dot1p-pass new-cos: Sets the 802.1p priority value of the 802.1p packet to new-cos and

permits the packet to pass through. The new-cos argument is in the range of 0 to 7.

• remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet

to pass through. The new-dscp argument is in the range of 0 to 63.

• remark-lp-pass new-local-precedence: Sets the local precedence value of the packet to

new-local-precedence and permits the packet to pass through. The new-local-precedence argument

is in the range of 0 to 7.

Usage guidelines

A QoS policy that references the traffic behavior can be applied in either the inbound direction or outbound direction of an interface.

If you configure the car command multiple times in the same traffic behavior, the most recent configuration takes effect.

Examples

# Configure a CAR action in traffic behavior database as follows:

• Set the CIR to 200 kbps, CBS to 51200 bytes, and EBS to 0.

• Transmit the conforming packets, and mark the excess packets with DSCP value 0 and transmit

them.

<Sysname> system-view [Sysname] traffic behavior database

[Sysname-behavior-database] car cir 200 cbs 51200 ebs 0 green pass red remark-dscp-pass 0

display traffic behavior

Use display traffic behavior to display traffic behaviors.

Syntax

display traffic behavior user-defined [ behavior-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-defined: Displays user-defined traffic behaviors.

behavior-name: Specifies a traffic behavior by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic behavior, this command displays all traffic behaviors.

Examples

slot slot-number: Specifies an IRF member device by its member ID (slot number). If you do not specify an

IRF member device, this command displays traffic behaviors on all IRF member devices.

# Display all user-defined traffic behaviors.

<Sysname> display traffic behavior user-defined

User-defined behavior information:

Behavior: 1 (ID 100) Marking: Remark dscp 3 Committed Access Rate: CIR 128 (kbps), CBS 8192 (Bytes), EBS 512 (Bytes) Green action : pass Yellow action : pass Red action : discard

Behavior: 2 (ID 101) Accounting enable: Packet Filter enable: Permit Marking: Remark dot1p 4 Redirecting: Redirect to the CPU

Behavior: 3 (ID 102)

-none-

Table 19 Command output

Field Descri

Behavior Name and contents of a traffic behavior.

Marking Information about priority marking.

Remark dscp Action of setting the DSCP value for packets.

Committed Access Rate Information about the CAR action.

CIR CIR in kbps, which specifies the average traffic rate.

CBS

EBS

Green action Action to take on green packets.

Yellow action Action to take on yellow packets.

Red action Action to take on red packets.

Accounting enable Traffic accounting action.

Filter enable Traffic filtering action.

None No other traffic behavior is configured.

CBS in bytes, which specifies the amount of bursty traffic allowed at a time.

EBS in bytes, which specifies the amount of traffic exceeding CBS when two token buckets are used.

tion

filter

Use filter to configure a traffic filtering action in a traffic behavior.

Use undo filter to delete the action.

Syntax

filter { deny | permit }

undo filter

Default

No traffic filtering action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

deny: Drops packets.

permit: Transmits the packets.

Examples

# Configure a traffic filtering action as deny in traffic behavior database.

<Sysname> system-view [Sysname] traffic behavior database

[Sysname-behavior-database] filter deny

nest top-most

Use nest top-most to configure a VLAN tag adding action in a traffic behavior.

Use undo nest top-most to delete the action.

Syntax

nest top-most vlan vlan-id

undo nest top-most

Default

No VLAN tag adding action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

vlan-id vlan-id: Specifies the ID of the VLAN tag to be added. The vlan-id argument is in the range of 1

to 4094.

Usage guidelines

If a QoS policy contains a VLAN tag adding action, apply it only to the incoming traffic of an interface.

If the traffic behavior already contains a VLAN tag adding action, the new one overwrites the old one.

Examples

# Configure traffic behavior b1 to add VLAN tag 123.

<Sysname> system-view [Sysname] traffic behavior b1 [Sysname-behavior-b1] nest top-most vlan 123

redirect

Use redirect to configure a traffic redirecting action in the traffic behavior.

Use undo redirect to delete action.

Syntax

redirect { cpu | interface interface-type interface-number }

undo redirect { cpu | interface interface-type interface-number }

Default

Views

No traffic redirecting action is configured.

Traffic behavior view

Predefined user roles

network-admin

Parameters

cpu: Redirects traffic to the CPU.

interface: Redirects traffic to an interface.

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

Redirecting traffic to the CPU and redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior. The most recently configured redirecting action takes effect.

Examples

# Configure redirecting traffic to FortyGigE 1/1/1 in traffic behavior database.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] redirect interface FortyGigE 1/1/1

Related commands

• classifier behavior

• qos policy

• traffic behavior

remark customer-vlan-id

Use remark customer-vlan-id to configure a CVLAN marking action in a traffic behavior.

Use undo remark customer-vlan-id to delete the action.

Syntax

remark customer-vlan-id vlan-id

undo remark customer-vlan-id

Default

No CVLAN marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies a CVLAN ID in the range of 1 to 4094.

Examples

# Configure traffic behavior b1 to mark matching packets with CVLAN 111.

<Sysname> system-view [Sysname] traffic behavior b1 [Sysname-behavior-b1] remark customer-vlan-id 111

remark dot1p

Use remark dot1p to configure an 802.1p priority marking action or an inner-to-outer tag priority copying action in a traffic behavior..

Use undo remark dot1p to delete the action.

Syntax

remark [ green | red | yellow ] dot1p dot1p-value

undo remark [ green | red | yellow ] dot1p

remark dot1p customer-dot1p-trust

undo remark dot1p

Default

No 802.1p priority marking action or inner-to-outer tag priority copying action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

green: Specifies green packets.

red: Specifies red packets.

yellow: Specifies yellow packets.

dot1p-value: Specifies the 802.1p priority to be marked for packets, in the range of 0 to 7.

customer-dot1p-trust: Copies the 802.1p priority value in the inner VLAN tag to the outer VLAN tag after the QoS policy is applied to an interface.

Usage guidelines

The remark dot1p dot1p-value and remark dot1p customer-dot1p-trust commands are mutually exclusive. The most recent configuration of them takes effect.

The remark dot1p customer-dot1p-trust command does not take effect on single-tagged packets.

Examples

# Configure traffic behavior database to mark matching traffic with 802.1p 2.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark dot1p 2

# Configure an inner-to-outer tag priority copying action in traffic behavior database.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark dot1p customer-dot1p-trust

remark drop-precedence

Use remark drop-precedence to configure a drop priority marking action in a traffic behavior..

Use undo remark drop-precedence to delete the action.

Syntax

remark drop-precedence drop-precedence-value

undo remark drop-precedence

Default

No drop priority marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

drop-precedence-value: Specifies the drop priority to be marked for packets. This argument is in the range of 0 to 2.

Usage guidelines

The command applies only to incoming traffic.

Examples

# Configure traffic behavior database to mark matching traffic with drop priority 2.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark drop-precedence 2

remark dscp

Use remark dscp to configure a DSCP marking action in a traffic behavior..

Use undo remark dscp to delete the action.

Syntax

remark [ green | red | yellow ] dscp dscp-value

undo [ green | red | yellow ] remark dscp

Default

No DSCP marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

green: Specifies green packets.

red: Specifies red packets.

yellow: Specifies yellow packets.

dscp-value: DSCP value, which can be a number from 0 to 63 or a keyword in Table 20.

Table 20 DSCP keywor

word DSCP value (binary) DSCP value (decimal)

default 000000 0

af11 001010 10

af12 001100 12

af13 001110 14

af21 010010 18

af22 010100 20

af23 010110 22

af31 011010 26

af32 011100 28

af33 011110 30

af41 100010 34

af42 100100 36

af43 100110 38

cs1 001000 8

ds and values

cs2 010000 16

cs3 011000 24

cs4 100000 32

cs5 101000 40

cs6 110000 48

cs7 111000 56

ef 101110 46

Examples

# Configure traffic behavior database to mark matching traffic with DSCP 6.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark dscp 6

remark ip-precedence

Use remark ip-precedence to configure an IP precedence marking action in a traffic behavior..

Use undo remark ip-precedence to delete the action.

Syntax

remark ip-precedence ip-precedence-value

undo remark ip-precedence

Default

No IP precedence marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

ip-precedence-value: Specifies the IP precedence value to be marked for packets, in the range of 0 to 7.

Examples

# Set the IP precedence to 6 for packets.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark ip-precedence 6

remark local-precedence

Use remark local-precedence to configure a local precedence marking action in a traffic behavior..

Use undo remark local-precedence to delete the action.

Syntax

remark [ green | red | yellow ] local-precedence local-precedence-value

undo remark [ green | red | yellow ] local-precedence

Default

No local precedence marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

green: Specifies green packets.

red: Specifies red packets.

yellow: Specifies yellow packets.

Examples

local-precedence-value: Sets the local precedence to be marked for packets, in the range of 0 to 7.

# Configure traffic behavior database to mark matching traffic with local precedence 2.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark local-precedence 2

remark qos-local-id

Use remark qos-local-id to configure a local QoS ID marking action in a traffic behavior.

Use undo remark qos-local-id to delete the action.

Syntax

remark qos-local-id local-id-value

undo remark qos-local-id

Default

No local QoS ID marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

local-id-value: Specifies the local QoS ID to be marked for packets. The value range for this argument is 1 to 4095. The switch supports local QoS IDs in the range of 1 to 3999.

Usage guidelines

Remarking local QoS IDs combines different traffic classes into one new class, which is indicated by a local QoS ID. You can configure a traffic behavior for this new class to implement two levels of actions on a traffic class.

Remarking local QoS IDs applies only to the incoming traffic.

Examples

# Configure the action of marking packet with local QoS ID 2.

<Sysname> system-view [Sysname] traffic behavior database [Sysname-behavior-database] remark qos-local-id 2

remark service-vlan-id

Use remark service-vlan-id to configure an SVLAN marking action in a traffic behavior.

Use undo remark service-vlan-id to delete the action.

Syntax

Default

remark service-vlan-id vlan-id

undo remark service-vlan-id

No SVLAN marking action is configured.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

vlan-id: Specifies an SVLAN ID in the range of 1 to 4094.

Examples

# Configure traffic behavior b1 to mark matching packets with SVLAN 222.

<Sysname> system-view [Sysname] traffic behavior b1 [Sysname-behavior-b1] remark service-vlan-id 222

traffic behavior

Use traffic behavior to create a traffic behavior and enter traffic behavior view.

Use undo traffic behavior to delete a traffic behavior.

Syntax

traffic behavior behavior-name

undo traffic behavior behavior-name

Default

No traffic behavior exists.

Views

System view

Predefined user roles

network-admin

Parameters

behavior-name: Sets a traffic behavior name, a case-sensitive string of 1 to 31 characters.

Examples

# Create a traffic behavior named behavior1.

<Sysname> system-view [Sysname] traffic behavior behavior1 [Sysname-behavior-behavior1]

Related commands

display traffic behavior

QoS policy commands

classifier behavior

Use classifier behavior to associate a traffic behavior with a traffic class in a QoS policy.

Use undo classifier to remove a traffic class from the QoS policy.

Syntax

classifier classifier-name behavior behavior-name [ mode dcbx | insert-before before-classifier-name ] *

undo classifier classifier-name

Default

No traffic behavior is associated with a traffic class.

Views

QoS policy view

Predefined user roles

network-admin

Parameters

classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters.

behavior-name: Specifies a traffic behavior by its name, a case-sensitive string of 1 to 31 characters.

mode dcbx: Specifies that the class-behavior association applies only to DCBX. For more information about DCBX, see Layer 2—LAN Switching Configuration Guide.

insert-before before-classifier-name: Inserts the new traffic class before an existing traffic class in the QoS policy. The before-classifier-name argument specifies an existing traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify the insert-before before-classifier-name option, the new traffic class is placed at the end of the QoS policy.

Usage guidelines

A traffic class can be associated with only one traffic behavior in a QoS policy.

If the specified traffic class or traffic behavior does not exist, the system defines a null traffic class or traffic behavior.

You cannot change the position of an existing traffic class in a QoS policy.

Examples

# Associate traffic class database with traffic behavior test in QoS policy user1.

<Sysname> system-view [Sysname] qos policy user1 [Sysname-qospolicy-user1] classifier database behavior test

# Associate the traffic class database with the traffic behavior test in the QoS policy user1, and insert the traffic class database before an existing traffic class class-a.

<Sysname> system-view [Sysname] qos policy user1 [Sysname-qospolicy-user1] classifier database behavior test insert-before class-a

Related commands

qos policy

control-plane

Use control-plane to enter control plane view.

Syntax

control-plane slot slot-number

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID (slot number).

Examples

# Enter control plane view of IRF member device 1.

<Sysname> system-view [Sysname] control-plane slot 1 [Sysname-cp-slot1]

display qos policy

Use display qos policy to display user-defined QoS policies.

Syntax

display qos policy user-defined [ policy-name [ classifier classifier-name ] ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-defined: Displays user-defined QoS policies.

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a QoS policy, this command displays all user-defined QoS policies.

classifier classifier-name: Specifies a traffic class by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a traffic class, this command displays all traffic classes.

slot slot-number: Specifies an IRF member device by its member ID (slot number). If you do not specify an IRF member device, this command displays QoS policies on all IRF member devices.

Examples

# Display all user-defined QoS policies.

<Sysname> display qos policy user-defined

User-defined QoS policy information:

Policy: 1 (ID 100) Classifier: 1 (ID 100) Behavior: 1 Marking: Remark dscp 3 Committed Access Rate: CIR 128 (kbps), CBS 8192 (Bytes), EBS 512 (Bytes) Green action : pass Yellow action : pass Red action : discard Classifier: 2 (ID 101) Behavior: 2 Accounting enable: Packet Filter enable: Permit Marking: Remark dot1p 4 Classifier: 3 (ID 102) Behavior: 3

-none-

display qos policy control-plane

Use display qos policy control-plane to display the QoS policy applied to a control plane.

Syntax

display qos policy control-plane slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID (slot number).

Examples

# Display the QoS policy applied to the control plane of IRF member device 1.

<Sysname> display qos policy control-plane slot 1

Control plane

Direction: Inbound

Policy: 1

Classifier: 1 Operator: AND Rule(s) : If-match acl 2000 Behavior: 1 Marking: Remark dscp 3 Committed Access Rate: CIR 128 (kbps), CBS 8192 (Bytes), EBS 512 (Bytes) Green action : pass Yellow action : pass Red action : discard Green packets : 0 (Packets) 0 (Bytes) Red packets : 0 (Packets) 0 (Bytes) Classifier: 2 Operator: AND Rule(s) : If-match protocol ipv6 Behavior: 2 Accounting enable: 0 (Packets) Filter enable: Permit

Table 21 Command output

Field Descri

Direction Inbound direction on the control plane.

Green packets Statistics about green packets.

Red packets Statistics about red packets.

tion

For the description of other fields, see Table 16 and Table 19.

display qos policy control-plane pre-defined

Use display qos policy control-plane pre-defined to display the predefined QoS policy applied to a control plane.

Syntax

display qos policy control-plane pre-defined [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID (slot number). If you do not specify an

IRF member device, this command displays predefined QoS policies applied to control planes on all IRF member devices.

Examples

# Display the predefined QoS policy applied to the control plane of IRF member device 1.

<Sysname> display qos policy control-plane pre-defined slot 1 Pre-defined policy information slot 1 Protocol Priority Bandwidth (kbps) Group IS-IS 37 512 critical VRRP 40 768 important OSPF Multicast 35 256 critical OSPF Unicast 35 256 critical IGMP 19 512 important OSPFv3 Unicast 34 256 critical OSPFv3 Multicast 34 256 critical VRRPv6 40 768 important ARP 8 256 normal DHCP Snooping 17 256 redirect DHCP 15 256 normal

802.1x 9 128 important STP 43 256 critical LACP 38 64 critical MVRP 11 256 critical BGP 27 256 critical ICMP 9 640 monitor TTL Expires 20 64 normal IPOPTION 20 64 normal BGPv6 26 256 critical Hop Limit Expires 13 64 normal IPOPTIONv6 13 64 normal LLDP 25 128 important DLDP 24 64 critical TELNET 10 512 management SSH 10 512 management HTTP 10 64 management HTTPS 10 64 management TACACS 10 64 management RADIUS 10 64 management SNMP 4 512 management ARP Snooping 10 256 redirect ICMPv6 1 512 monitor DHCPv6 12 256 normal BFD 10 512 critical

Table 22 Command output

Field Descri

Pre-defined policy information Contents of the predefined control plane QoS policy.

Protocol System-defined control plane protocol.

Group Control plane protocol group.

display qos policy global

Use display qos policy global to display global QoS policies.

Syntax

display qos policy global [ slot slot-number ] [ inbound | outbound ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

tion

inbound: Displays the inbound global QoS policy. An inbound global QoS policy applies to the

incoming traffic globally.

outbound: Displays the outbound global QoS policy. An outbound global QoS policy applies to the outgoing traffic globally.

slot slot-number: Specifies an IRF member device by its member ID (slot number). If you do not specify an IRF member device, this command displays global QoS policies on the master device.

Usage guidelines

If you do not specify a direction, this command displays both inbound and outbound global QoS policies.

Examples

# Display the inbound global QoS policy.

<Sysname> display qos policy global inbound

Direction: Inbound

Policy: 1 Classifier: 1 Operator: AND Rule(s) : If-match acl 2000 Behavior: 1 Marking: Remark dscp 3 Committed Access Rate:

CIR 128 (kbps), CBS 8192 (Bytes), EBS 512 (Bytes)

Green action : pass Yellow action : pass Red action : discard Green packets : 0 (Packets) Red packets : 0 (Packets) Classifier: 2 Operator: AND Rule(s) : If-match protocol ipv6 Behavior: 2 Accounting enable: 0 (Packets) Filter enable: Permit Marking: Remark dot1p 4

Table 23 Command output

Field Descri

Direction Direction (inbound or outbound ) in which the QoS policy is applied.

Green packets Statistics about green packets.

Red packets Statistics about red packets.

tion

For the description of other fields, see Table 16 and Table 19.

display qos policy interface

Use display qos policy interface to display QoS policies applied to interfaces.

Syntax

display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

inbound: Displays QoS policies applied to incoming traffic.

outbound: Displays QoS policies applied to outgoing traffic.

Usage guidelines

If you do not specify a direction, this command displays QoS policies applied to incoming traffic and QoS policies applied to outgoing traffic.

Examples

# Display the QoS policy applied to the incoming traffic of FortyGigE 1/1/1.

<Sysname> display qos policy interface FortyGigE 1/1/1 inbound

Interface: FortyGigE1/1/1

Direction: Inbound

Policy: 1 Classifier: 1 Operator: AND Rule(s) : If-match acl 2000 Behavior: 1 Marking: Remark dscp 3 Committed Access Rate: CIR 128 (kbps), CBS 8192 (Bytes), EBS 512 (Bytes) Green action: pass Yellow action: pass Red action: discard Green packets: 0 (Packets) Red packets: 0 (Packets) Classifier: 2 Operator: AND Rule(s) : If-match protocol ipv6 Behavior: 2 Accounting Enable: 0 (Packets) Filter Enable: Permit Marking: Remark dot1p 1

Table 24 Command output

Field Descri

Direction Direction in which the QoS policy is applied to the interface.

Green packets Traffic statistics for green packets.

Red packets Traffic statistics for red packets.

tion

For the description of other fields, see Table 16 and Table 19.

display qos vlan-policy

Use display qos vlan-policy to display QoS policies applied to VLANs.

Syntax

display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ slot slot-number ] [ inbound | outbound ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

vlan vlan-id: Specifies a VLAN by its ID.

inbound: Displays QoS policies applied to incoming traffic.

outbound: Displays QoS policies applied to outgoing traffic.

slot slot-number: Specifies an IRF member device by its member ID (slot number). If you do not specify an

IRF member device, this command displays QoS policies applied to VLANs on the master device.

Usage guidelines

If you do not specify a direction, this command displays QoS policies applied to VLANs in both inbound and outbound directions.

Examples

# Display QoS policies applied to VLAN 2.

<Sysname> display qos vlan-policy vlan 2 Vlan 2

Direction: Outbound

Policy: 1 Classifier: 1 Operator: AND Rule(s) : If-match acl 2000 Behavior: 1 Marking: Remark dscp 3 Committed Access Rate: CIR 128 (kbps), CBS 8192 (Bytes), EBS 512 (Bytes) Green action: pass Yellow action: pass Red action: discard Green packets: 0(Packets) Red packets: 0(Packets) Classifier: 2 Operator: AND Rule(s) : If-match protocol ipv6 Behavior: 2 Accounting enable: 0 (Packets) Filter enable: Permit Marking:

Remark dot1p 1

Classifier: 3 Operator: AND Rule(s) : -none Behavior: 3

-none-

Table 25 Command output

Field Descri

Direction Direction in which the QoS policy is applied for the VLAN.

Green packets Statistics about green packets.

Red packets Statistics about red packets.

tion

For the description of other fields, see Table 16 and Table 19.

qos apply policy (interface view, control plane view)

Use qos apply policy to apply a QoS policy.

Use undo qos apply policy to remove an applied QoS policy.

Syntax

qos apply policy policy-name { inbound | outbound }

undo qos apply policy policy-name { inbound | outbound }

Default

No QoS policy is applied to an interface or control plane.

Views

Control plane view

Layer 2 Ethernet interface view

Layer 3 Ethernet interface view

S-channel aggregate interface view

S-channel interface view

VSI aggregate interface view

VSI interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy name, a case-sensitive string of 1 to 31 characters.

inbound: Applies the QoS policy to the incoming traffic of an interface or control plane.

outbound: Applies the QoS policy to the outgoing traffic of an interface.

Usage guidelines

For information about S-channel interfaces, S-channel aggregate interfaces, VSI interfaces, and VSI aggregate interfaces, see EVB Configuration Guide.

Examples

# Apply QoS policy USER1 to the outgoing traffic of FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos apply policy USER1 outbound

# Apply QoS policy aaa to the incoming traffic of the control plane of IRF member device 1.

<Sysname> system-view [Sysname] control-plane slot 1 [Sysname-cp-slot1] qos apply policy aaa inbound

# Apply QoS policy USER1 to the outgoing traffic of interface S-Channel 1/1/1:1.

<Sysname> system-view [Sysname] interface S-Channel 1/1/1:1 [Sysname-S-Channel1/1/1:1] qos apply policy USER1 outbound

# Apply QoS policy USER1 to the incoming traffic of interface Schannel-Aggregation 1:1.

<Sysname> system-view [Sysname] interface Schannel-Aggregation 1:1 [Sysname-Schannel-Aggregation1:1] qos apply policy USER1 inbound

qos apply policy (user profile view)

Use qos apply policy to apply a QoS policy to a user profile.

Use undo qos apply policy to remove an applied QoS policy.

Syntax

qos apply policy policy-name { inbound | outbound }

undo qos apply policy policy-name { inbound | outbound }

Default

No QoS policy is applied to a user profile.

Views

User profile view

Predefined user roles

network-admin

Parameters

inbound: Applies the QoS policy to the incoming traffic (traffic sent by online users) of a user profile.

outbound: Applies the QoS policy to the outgoing traffic (traffic received by online users) of a user

profile.

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Deleting a user profile also removes QoS policies applied to it.

The QoS policy applied to a user profile takes effect only after the QoS policy is successfully issued to the driver.

Examples

# Apply QoS policy test to the outgoing traffic of user profile user.

<Sysname> system-view [Sysname] user-profile user [Sysname-user-profile-user] qos apply policy test outbound

qos apply policy global

Use qos apply policy global to apply a QoS policy globally.

Use undo qos apply policy global to remove the QoS policy.

Syntax

qos apply policy policy-name global { inbound | outbound }

undo qos apply policy policy-name global { inbound | outbound }

Default

No QoS policy is applied globally.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: QoS policy name, a case-sensitive string of 1 to 31 characters.

inbound: Applies the QoS policy to the incoming packets on all interfaces.

outbound: Applies the QoS policy to the outgoing packets on all interfaces.

Usage guidelines

A global QoS policy takes effect on all incoming or outgoing traffic depending on the direction in which the QoS policy is applied.

Examples

# Apply the QoS policy user1 to the incoming traffic globally.

<Sysname> system-view [Sysname] qos apply policy user1 global inbound

qos policy

Use qos policy to create a QoS policy and enter QoS policy view.

Syntax

Use undo qos policy to delete a QoS policy.

qos policy policy-name

undo qos policy policy-name

Default

No QoS policy is configured.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: QoS policy name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

To use the undo qos policy command to delete a QoS policy that has been applied to an object, you must first remove it from the object.

Examples

# Define QoS policy user1.

<Sysname> system-view [Sysname] qos policy user1 [Sysname-qospolicy-user1]

Related commands

• classifier behavior

• qos apply policy

• qos apply policy global

• qos vlan-policy

qos vlan-policy

Use qos vlan-policy to apply a QoS policy to the specified VLANs.

Use undo qos vlan-policy to remove the QoS policy from the specified VLANs.

Syntax

qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }

undo qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }

Default

No QoS policy is applied to a VLAN.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy name, a case-sensitive string of 1 to 31 characters.

vlan-id-list: Specifies a list of up to eight VL AN IDs. A V LAN I D is in the ran ge of 1 to 4094. You can enter

individual discontinuous VLAN IDs and VLAN ID ranges in the form of start-vlan-id to end-vlan-id where

the start VLAN ID must be smaller than the end VLAN ID. Each item in the VLAN list is separated by a space. You can specify up to eight VLAN IDs.

inbound: Applies the QoS policy to the incoming packets in the specified VLANs.

outbound: Applies the QoS policy to the outgoing packets in the specified VLANs.

Examples

# Apply the QoS policy test to the incoming traffic of VLAN 200, VLAN 300, VLAN 400, and VLAN

500.

<Sysname> system-view [Sysname] qos vlan-policy test vlan 200 300 400 500 inbound

reset qos policy control-plane

Use reset qos policy control-plane to clear statistics for the QoS policy applied to the control plane.

Syntax

reset qos policy control-plane slot slot-number

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID (slot number).

Examples

# Clear the statistics of the QoS policy applied to the control plane of IRF member device 3.

<Sysname> reset qos policy control-plane slot 3

reset qos policy global

Use reset qos policy global to clear the statistics of a global QoS policy.

Syntax

reset qos policy global [ inbound | outbound ]

Views

User view

Predefined user roles

network-admin

Parameters

inbound: Clears the statistics of the global QoS policy applied to incoming traffic globally.

outbound: Clears the statistics of the global QoS policy applied to outgoing traffic globally.

Usage guidelines

If you do not specify a direction, this command clears the statistics of the global QoS policies in both directions.

Examples

# Clear the statistics of the global QoS policy applied to the incoming traffic globally.

<Sysname> reset qos policy global inbound

reset qos vlan-policy

Use reset qos vlan-policy to clear statistics for QoS policies applied to VLANs.

Syntax

reset qos vlan-policy [ vlan vlan-id ] [ inbound | outbound ]

Views

User view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.

inbound: Clears statistics for QoS policies applied to incoming traffic.

outbound: Clears statistics for QoS policies applied to outgoing traffic.

Usage guidelines

If you do not specify a direction, this command clears statistics of QoS policies in both directions.

Examples

# Clear statistics for QoS policies applied to VLAN 2.

<Sysname> reset qos vlan-policy vlan 2

Priority mapping commands

Priority map commands

display qos map-table

Use display qos map-table to display the configuration of a priority map.

Syntax

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

The switch provides the following types of priority map.

Table 26 Priority maps

Priorit

dot1p-dp 802.1p-drop priority map.

dot1p-exp 802.1p-EXP priority map.

dot1p-lp 802.1p-local priority map.

dscp-dot1p DSCP-802.1p priority map.

dscp-dp DSCP-drop priority map.

dscp-dscp DSCP-DSCP priority map.

exp-dot1p EXP-802.1p priority map.

exp-dp EXP-to-drop priority map.

Usage guidelines

If you do not specify a priority map, this command displays the configuration of all priority maps.

Examples

mappin

Description

# Display the configuration of the 802.1p-local priority map.

<Sysname> display qos map-table dot1p-lp MAP-TABLE NAME: dot1p-lp TYPE: pre-define IMPORT : EXPORT 0 : 2

1 : 0

2 : 1 3 : 3 4 : 4 5 : 5 6 : 6 7 : 7

Table 27 Command output

import

Use import to configure mappings for a priority map.

Use undo import to restore the specified or all mappings to the default for a priority map.

Syntax

import import-value-list export export-value

undo import { import-value-list | all }

Default

The default priority maps are used. For more information, see ACL and QoS Configuration Guide.

Views

Field Descri

MAP-TABLE NAME Name of the priority map.

TYPE Type of the priority map.

IMPORT Input values of the priority map.

EXPORT Output values of the priority map.

tion

Priority map view

Predefined user roles

network-admin

Parameters

import-value-list: Specifies a list of input values.

export-value: Specifies the output value.

all: Restores all mappings in the priority map to the default.

Examples

# Configure the 802.1p-local priority map to map 802.1p priority values 4 and 5 to local precedence 1.

<Sysname> system-view [Sysname] qos map-table dot1p-lp [Sysname-maptbl-dot1p-lp] import 4 5 export 1

Related commands

display qos map-table

qos map-table

Use qos map-table to enter the specified priority map view.

Syntax

qos map-table { dot1p-dp | dot1p-exp | dot1p-lp | dscp-dot1p| dscp-dp | dscp-dscp | exp-dot1p | exp-dp }

Views

System view

Predefined user roles

network-admin

Parameters

For the description of the keywords, see Table 26.

Examples

# Enter the 802.1p-local priority map view.

<Sysname> system-view [Sysname] qos map-table dot1p-lp [Sysname-maptbl-dot1p-lp]

Related commands

• display qos map-table

• import

Port priority commands

qos priority

Use qos priority to change the port priority of an interface.

Use undo qos priority to restore the default.

Syntax

qos priority priority-value

undo qos priority

Default

The port priority is 0.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

priority-value: Specifies the port priority value in the range of 0 to 7.

Examples

# Set the port priority of FortyGigE 1/1/1 to 2.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos priority 2

Related commands

display qos trust interface

Priority trust mode commands

display qos trust interface

Use display qos trust interface to display priority trust mode and port priority information on an interface.

Syntax

display qos trust interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays priority trust mode and port priority information of all interfaces.

Examples

# Display the priority trust mode and port priority information of FortyGigE 1/1/1.

<Sysname> display qos trust interface FortyGigE 1/1/1 Interface: FortyGigE1/1/1 Port priority information Port priority: 0 Port priority trust type: none

Table 28 Command output

Field Descri

Interface Interface type and interface number.

Port priority Port priority set for the interface.

tion

Port priority trust type

Priority trust mode on the interface: dot1p, dscp, or none. If the trust mode is none, the port priority is used for priority mapping.

qos trust

Use qos trust to configure the priority trust mode for an interface.

Use undo qos trust to restore the default priority trust mode.

Syntax

qos trust { dot1p | dscp }

undo qos trust

Default

An interface does not trust any packet priority.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

dot1p: Uses the 802.1p priority in incoming packets for priority mapping.

dscp: Uses the DSCP value in incoming packets for priority mapping.

Examples

# Set the trusted packet priority type to 802.1p priority on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos trust dot1p

Related commands

display qos trust interface

GTS and rate limit commands

GTS commands

display qos gts interface

Use display qos gts interface to view generic traffic shaping (GTS) configuration of interfaces.

Syntax

display qos gts interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the GTS configuration of all interfaces.

Examples

# Display the GTS configuration of all interfaces.

<Sysname> display qos gts interface Interface: FortyGigE1/1/1 Rule: If-match queue 1 CIR 128 (kbps), CBS 8192 (Bytes) Rule: If-match queue 2 CIR 256 (kbps), CBS 16384 (Bytes)

Table 29 Command output

Field Descri

Interface Interface type and interface number.

Rule Match criteria.

CIR CIR in kbps, which specifies the average traffic rate.

CBS CBS in bytes, which specifies the amount of bursty traffic allowed at a time.

tion

qos gts

Use qos gts to set GTS parameters for traffic of a traffic class or all the traffic on an interface.

Use qos gts to set GTS parameters for the packets in a queue.

Use undo qos gts to remove GTS parameters for traffic of a queue on an interface.

Syntax

qos gts queue queue-id cir committed-information-rate [ cbs committed-burst-size ]

undo qos gts queue queue-id

Default

No GTS parameters are configured on an interface.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

queue queue-id: Specifies a queue by its ID in the range of 0 to 7.

cir committed-information-rate: Specifies the CIR in kbps. The value range for the

committed-information-rate argument is 8 to 41943040 for 40-GE interfaces, in integral multiples of 8.

cbs committed-burst-size: Specifies the CBS in bytes. The value range for the committed-burst-size argument is an integral multiple of 512 between 512 and 16777216. The default value for this argument is the product of 62.5 and the CIR and must be an integral mult iple of 512. If the product is not an integ ral multiple of 512, it is rounded up to the nearest integral multiple of 512.

Examples

# Shape the packets in queue 1 on FortyGigE 1/1/1. The GTS parameters are as follows: CIR is 6400 kbps and CBS is 51200 bytes.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos gts queue 1 cir 6400 cbs 51200

Rate limit commands

display qos lr interface

Use display qos lr interface to display the rate limit configuration of interfaces.

Syntax

display qos lr interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the rate limit configuration of all interfaces.

Examples

# Display the rate limit configuration of all interfaces.

<Sysname> display qos lr interface Interface: FortyGigE1/1/1 Direction: Outbound CIR 12800 (kbps), CBS 800256 (Bytes)

Interface: FortyGigE1/1/2 Direction: Outbound CIR 25600 (kbps), CBS 1600000 (Bytes)

Table 30 Command output

qos lr

Syntax

Default

Views

Field Descri

Interface Interface type and interface number.

Direction Direction to which the rate limit configuration is applied: inbound or outbound.

CIR CIR in kbps, which specifies the average traffic rate.

CBS CBS in bytes, which specifies the amount of bursty traffic allowed at a time.

tion

Use qos lr to limit the rate of packets on an interface.

Use undo qos lr to remove rate limit settings on an interface.

qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]

undo qos lr { inbound | outbound }

Rate limit is not configured on an interface.

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

inbound: Limits the rate of incoming packets on the interface.

outbound: Limits the rate of outgoing packets on the interface.

cir committed-information-rate: Specifies the CIR in kbps. The value range for the

committed-information-rate argument is 8 to 41943040 for 40-GE interfaces, in integral multiples of 8.

Examples

cbs committed-burst-size: Specifies the CBS in bytes. The value range for the committed-burst-size

argument is an inte gral multiple of 512 between 512 and 134217728. The default value for this argument is the product of 62.5 and the CIR and must be an integral mult iple of 512. If the product is not an integ ral multiple of 512, it is rounded up to the nearest integral multiple of 512.

# Limit the rate of outgoing packets on FortyGigE 1/1/1, with CIR 25600 kbps and CBS 512000 bytes.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos lr outbound cir 25600 cbs 512000

Congestion management commands

SP commands

display qos queue sp interface

Use display qos queue sp interface to display the SP queuing configuration of an interface.

Syntax

display qos queue sp interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the SP queuing configuration of all the interfaces.

Examples

# Display the SP queuing configuration of FortyGigE 1/1/1.

<Sysname> display qos queue sp interface FortyGigE 1/1/1 Interface: FortyGigE1/1/1 Output queue: Strict Priority queuing

Table 31 Command output

qos sp

Use qos sp to configure SP queuing on an interface.

Field Descri

Interface Interface type and interface number.

Output queue Type of the current output queue.

tion

Use undo qos sp to restore the default.

Syntax

qos sp

undo qos sp

Default

An interface uses the WRR queuing algorithm.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Examples

# Enable SP queuing on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos sp

Related commands

display qos queue sp interface

WRR commands

display qos queue wrr interface

Use display qos queue wrr interface to display the WRR queuing configuration on an interface.

Syntax

display qos queue wrr interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the WRR queuing configuration of all the interfaces.

Examples

# Display the WRR queuing configuration of FortyGigE 1/1/1.

<Sysname> display qos queue wrr interface FortyGigE 1/1/1 Interface: FortyGigE1/1/1 Output queue: Weighted Round Robin queuing Queue ID Group Byte-count

----------------------------------------- be 1 1 af1 1 2 af2 1 3 af3 1 4 af4 1 5

ef 1 9 cs6 1 13 cs7 1 15

Table 32 Command output

Field Descri

Interface Interface type and interface number.

Output queue Type of the current output queue.

Queue ID ID of a queue.

Group

Weight

qos wrr

Use qos wrr to enable WRR queuing and specify the weight type for an interface.

Use undo qos wrr to disable WRR queuing and restore the default queue scheduling algorithm for an interface.

Syntax

qos wrr { byte-count | weight }

undo qos wrr { byte-count | weight }

tion

Number of the group a queue is assigned to. By default, all queues belong to group

Packet-based queue scheduling weight of a queue. N/A is displayed for a queue that uses the SP queue scheduling algorithm.

Default

An interface uses the byte-count WRR queuing algorithm, and queues 0 through 7 have weights of 1, 2, 3, 4, 5, 9, 13, and 15, respectively.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

byte-count: Allocates bandwidth to queues in terms of bytes.

weight: Allocates bandwidth to queues in terms of packets.

Usage guidelines

You must use the qos wrr command to enable WRR queuing before you can configure WRR queuing parameters for a queue on an interface.

Examples

# Enable weight-based WRR queuing on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wrr weight

# Enable byte-count WRR queuing on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wrr byte-count

Related commands

display qos queue wrr interface

qos wrr { byte-count | weight }

Use qos wrr { byte-count | weight } to configure the WRR queuing parameters for a queue on an interface.

Use undo qos wrr to restore the default WRR queuing parameters of a queue on an interface.

Syntax

qos wrr queue-id group { 1 | 2 } { byte-count | weight } schedule-value

undo qos wrr queue-id

Default

An interface uses the byte-count WRR queuing algorithm, and queues 0 through 7 are in WRR group 1, with their weights of 1, 2, 3, 4, 5, 9, 13, and 15, respectively.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID. The value is an integer in the range of 0 to 7 or a keyword listed in Table 33.

oup { 1 | 2 }: Specifies WRR group 1 or 2. If you do not specify a group, group 1 applies.

byte-count: Allocates bandwidth to queues in terms of bytes.

weight: Allocates bandwidth to queues in terms of packets.

schedule-value: Specifies a scheduling weight for the specified queue in WRR queuing, in the range of 1 to 15.

Usage guidelines

You must use the qos wrr command to enable WRR queuing before you can configure WRR queuing parameters for a queue on an interface.

The queue-id argument can be either a number or a keyword. Table 33 sh

Table 33 The number-keyword map for the

queue-id

ows the number-keyword map.

argument

Number Ke

0 be

1 af1

2 af2

word

Number Keyword

3 af3

4 af4

5 ef

6 cs6

7 cs7

Examples

# Enable byte-count WRR queui ng on FortyGigE 1/1/ 1, assign queue 0, with the scheduli ng weight 10, to WRR group 1, and assign queue 1, with the scheduling weight 5, to WRR group 2.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wrr byte-count [Sysname-FortyGigE1/1/1] qos wrr 0 group 1 byte-count 10 [Sysname-FortyGigE1/1/1] qos wrr 1 group 2 byte-count 5

Related commands

• display qos queue wrr interface

• qos wrr

qos wrr group sp

Use qos wrr group sp to assign a queue to the SP group.

Use undo qos wrr group sp to restore the default.

Syntax

qos wrr queue-id group sp

undo qos wrr queue-id

Default

An interface uses the byte-count WRR queuing algorithm, and all the queues are in WRR group 1.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID. The value is an integer in the range of 0 to 7 or a keyword listed in Table 33.

sp: As

signs a queue to the SP group, which uses the SP queue scheduling algorithm.

Usage guidelines

You must use the qos wrr command to enable WRR queuing before you can configure this command on an interface.

This command is available only on a WRR-enabled interface. Queues in the SP group are scheduled with SP. The SP group has higher scheduling priority than the WRR group. Queues in a WRR group are scheduled according to user-configured weights, and WRR groups are scheduled at a 1:1 ratio.

Examples

# Enable packet-based WRR queuing on FortyGigE 1/1/1, and assign queue 0 to the SP group.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wrr weight [Sysname-FortyGigE1/1/1] qos wrr 0 group sp

Related commands

• display qos queue wrr interface

• qos wrr

WFQ commands

display qos queue wfq interface

Use display qos queue wfq interface to display the WFQ configuration on an interface.

Syntax

display qos queue wfq interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the WFQ configuration of all the interfaces.

Examples

# Display the WFQ configuration of FortyGigE 1/1/1.

<Sysname> display qos queue wfq interface FortyGigE 1/1/1 Interface: FortyGigE1/1/1 Output queue: Hardware Weighted Fair Queuing Queue ID Group Byte-count Min-Bandwidth

--------------------------------------------------------------- be 1 1 64 af1 1 1 64 af2 1 1 64 af3 1 1 64 af4 1 1 64 ef 1 1 64 cs6 1 1 64

cs7 1 1 64

Table 34 Command output

Field Descri

Interface Interface type and interface number.

Output queue Type of the current output queue.

Queue ID ID of a queue.

Group

Byte-count Byte-count scheduling weight of the queue.

Min-Bandwidth Minimum guaranteed bandwidth.

qos bandwidth queue

Use qos bandwidth queue to set the minimum guaranteed bandwidth for a queue on an interface.

Use undo qos bandwidth queue to restore the default.

Syntax

qos bandwidth queue queue-id min bandwidth-value

undo qos bandwidth queue queue-id

Default

tion

Number of the WFQ group that holds the queue. By default, all queues are in group 1.

The minimum guaranteed bandwidth is 64 kbps.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID. The value is an integer in the range of 0 to 7 or a keyword listed in Table 33.

min band

width-value: Specifies the minimum guaranteed bandwidth in kbps. The value range for the

bandwidth-value argument is 8 to 40000000 for 40-GE interfaces.

Usage guidelines

You must use the qos wfq command to enable WFQ before you can configure this command on an interface.

Examples

# Set the minimum guaranteed bandwidth to 100 kbps for queue 0 on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wfq weight [Sysname-FortyGigE1/1/1] qos bandwidth queue 0 min 100

Related commands

qos wfq

Use qos wfq to enable WFQ and specify the WFQ weight type on an interface.

Use undo qos wfq to disable WFQ and restore the default queuing algorithm on an interface.

Syntax

qos wfq { byte-count | weight }

undo qos wfq { byte-count | weight }

Default

An interface uses the byte-count WRR queuing algorithm, and all the queues are in the WRR group.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

byte-count: Allocates bandwidth to queues in terms of bytes.

weight: Allocates bandwidth to queues in terms of packets.

Usage guidelines

You must use the qos wfq command to enable WFQ before you can configure WFQ queuing parameters for a queue on an interface.

Examples

# Enable weight-based WFQ on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wfq weight

# Enable byte-count WFQ on FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wfq byte-count

Related commands

display qos queue wfq interface

qos wfq { byte-count | weight }

Use qos wfq { byte-count | weight } to assign a queue to a WFQ group with a certain scheduling weight.

Use undo qos wfq to restore the default.

Syntax

qos wfq queue-id group { 1 | 2 } { byte-count | weight } schedule-value

undo qos wfq queue-id

Default

When WFQ queuing is used on an interface, all the queues are in WFQ group 1 and have a weight of

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID. The value is an integer in the range of 0 to 7 or a keyword listed in Table 33.

oup { 1 | 2 }: Specifies WFQ group 1 or 2. If you do not specify a group, group 1 applies.

byte-count: Allocates bandwidth to queues in terms of bytes.

weight: Allocates bandwidth to queues in terms of packets.

schedule-value: Specifies a scheduling weight for the specified queue in WFQ queuing, in the range of 1 to 15.

Usage guidelines

You must use the qos wfq command to enable WFQ first before you configure this command.

Examples

# Enable byte-count WFQ on interface FortyGigE 1/1/1, assign queue 0, with the scheduling weight 10, to WFQ group 1, and assign queue 1, with the scheduling weight 5, to WFQ group 2.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wfq byte-count [Sysname-FortyGigE1/1/1] qos wfq 0 group 1 byte-count 10 [Sysname-FortyGigE1/1/1] qos wfq 1 group 2 byte-count 5

Related commands

• display qos queue wfq interface

• qos bandwidth queue

• qos wfq

qos wfq group sp

Use qos wfq group sp to assign a queue to the SP group.

Syntax

Default

Use undo qos wfq group sp to restore the default.

qos wfq queue-id group sp

undo qos wfq queue-id

When WFQ queuing is used on an interface, all the queues are in the WFQ group.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID. The value is an integer in the range of 0 to 7 or a keyword listed in Table 33.

sp: As

signs a queue to the SP group, which uses the SP queue scheduling algorithm.

Usage guidelines

You must use the qos wfq command to enable WFQ first before you configure this command.

With this SP+WFQ queuing method, the system schedules traffic as follows:

1. The system schedules the traffic conforming to the minimum guaranteed bandwidth in each WFQ

group and schedules the traffic of the two WFQ groups in the ratio of 1:1 in a round robin manner.

2. The system uses SP to schedule queues in the SP group.

3. If there is remaining bandwidth, the system schedules the traffic of queues in each WFQ group

based on their weights and schedules the traffic of the two WFQ groups in the ratio of 1:1 ratio in a round robin manner.

Examples

# Enable weight-based WFQ on FortyGigE 1/1/1, and assign queue 0 to the SP group.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos wfq weight [Sysname-FortyGigE1/1/1] qos wfq 0 group sp

Related commands

• display qos queue wfq interface

• qos bandwidth queue

• qos wfq

Queue scheduling profile commands

bandwidth

Use bandwidth to configure the minimum guaranteed bandwidth for a WFQ queue.

Use undo bandwidth to restore the default.

Syntax

Default

bandwidth queue queue-id min bandwidth-value

undo bandwidth queue queue-id

The minimum guaranteed bandwidth of a WFQ queue is 64 kbps.

Views

Queue scheduling profile view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID. The value can be an integer in the range of 0 to 7 or a keyword listed in Table 33.

min band kbps.

Usage guidelines

You must configure a queue as a WFQ queue before you can configure the minimum guaranteed bandwidth for the queue.

The minimum guaranteed bandwidth is the minimum bandwidth guaranteed for a WFQ queue when the interface is congested.

Examples

# Configure the minimum guaranteed bandwidth as 100 kbps for queue 0 in the queue scheduling profile myprofile.

<Sysname> system-view [Sysname] qos qmprofile myprofile [Sysname-qmprofile-myprofile] queue 0 wfq group 1 weight 1 [Sysname-qmprofile-myprofile] bandwidth queue 0 min 100

Related commands

• display qos qmprofile interface

• qos qmprofile

• queue

width-value: Specifies the minimum guaranteed bandwidth in the range of 8 to 100000000

display qos qmprofile configuration

Use display qos qmprofile configuration to display the configuration of queue scheduling profiles.

Syntax

display qos qmprofile configuration [ profile-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies a queue scheduling profile by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a queue scheduling profile, this command displays the configuration of all queue scheduling profiles.

Examples

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF

member device. If you do not specify an IRF member device, this command displays the configuration of queue scheduling profiles on the master.

# Display the configuration of the queue scheduling profile myprofile.

<Sysname> display qos qmprofile configuration myprofile Queue management profile: myprofile (ID 1) Queue ID Type Group Schedule-unit Schedule-value Bandwidth

--------------------------------------------------------------------------- be WFQ 1 weight 1 64 af1 SP N/A N/A N/A N/A af2 WFQ 1 weight 1 1000 af3 SP N/A N/A N/A N/A af4 SP N/A N/A N/A N/A ef SP N/A N/A N/A N/A cs6 SP N/A N/A N/A N/A cs7 SP N/A N/A N/A N/A

Table 35 Command output

Field Descri

Queue management profile Queue scheduling profile name.

Queue scheduling type:

Type

• SP.

• WRR.

tion

• WFQ.

Group

Schedule unit

Schedule value

Bandwidth Minimum guaranteed bandwidth for the queue.

Priority group to which the queue belongs.

N/A indicates that this field is ignored.

Scheduling unit:

• weight or byte-count for WRR and WFQ.

• N/A for SP.

N/A indicates that this field is ignored.

This field indicates:

• Number of packets for the weight scheduling unit.

• Number of bytes for the byte-count scheduling unit.

N/A indicates that this field is ignored.

display qos qmprofile interface

Use display qos qmprofile interface to display queue scheduling profiles applied to interfaces.

Syntax

display qos qmprofile interface [ interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the queue scheduling profiles applied to all interfaces.

Examples

# Display the queue scheduling profile applied to FortyGigE 1/1/1.

<Sysname> display qos qmprofile interface FortyGigE 1/1/1 Interface: FortyGigE1/1/1 Queue management profile: myprofile

Table 36 Command output

Field Descri

Interface Interface name.

Queue management profile Name of the queue scheduling profile applied to the interface.

qos apply qmprofile

Use qos apply qmprofile to apply a queue scheduling profile to an interface.

Use undo qos apply qmprofile to remove an applied queue scheduling profile from an interface.

Syntax

qos apply qmprofile profile-name

undo qos apply qmprofile

Default

No queue scheduling profile is applied to an interface.

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view

Predefined user roles

tion

network-admin

Parameters

profile-name: Specifies a queue scheduling profile by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

You can apply only one queue scheduling profile to each interface.

Examples

# Apply the queue scheduling profile myprofile to FortyGigE 1/1/1.

<Sysname> system-view [Sysname] interface FortyGigE 1/1/1 [Sysname-FortyGigE1/1/1] qos apply qmprofile myprofile

Related commands

display qos qmprofile interface

qos qmprofile

Use qos qmprofile to create a queue scheduling profile and enter queue scheduling profile view.

Use undo qos qmprofile to delete a user-defined queue scheduling profile.

Syntax

qos qmprofile profile-name

undo qos qmprofile profile-name

Default

No user-defined queue scheduling profile exists.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the queue scheduling profile, a case-sensitive string of 1 to 31 characters.

Usage guidelines

To delete a queue scheduling profile already applied to an interface, first remove it from the interface.

Examples

# Create a queue scheduling profile named myprofile and enter queue scheduling profile view.

<Sysname> system-view [Sysname] qos qmprofile myprofile [Sysname-qmprofile-myprofile]

Related commands

• display qos qmprofile interface

• queue

queue

Use queue to configure scheduling parameters for a queue.

Use undo queue to restore the default.

Syntax

queue queue-id { sp | wfq group group-id { byte-count | weight } schedule-value | wrr group group-id

{ byte-count | weight } schedule-value }

undo queue queue-id

Default

A queue uses SP queuing.

Views

Queue scheduling profile view

Predefined user roles

network-admin

Parameters

queue-id: Specifies a queue by its ID in the range of 0 to 7.

sp: Enables SP for the queue.

wfq: Enables WFQ for the queue.

wrr: Enables WRR for the queue.

group group-id: Specifies a WFQ or WRR group by its ID. The value range is 1 and 2.

byte-count: Allocates bandwidth to queues in terms of bytes.

weight: Allocates bandwidth to queues in terms of packets.

schedule-value: Specifies the number of bytes or packets sent each time, in the range of 1 to 127.

Usage guidelines

The queue-id argument can be either a number or a keyword. Table 33 shows the number-keyword map.

Examples

# Create a queue scheduling profile named myprofile, and configure queue 0 to use SP.

<Sysname> system-view [Sysname] qos qmprofile myprofile [Sysname-qmprofile-myprofile] queue 0 sp

# Create a queue scheduling profile named myprofile. Configure queue 1 to meet the following requirements:

• The WRR queuing is used.

• The WRR group is group 1.

• The number of packets sent each time is 10.

<Sysname> system-view [Sysname] qos qmprofile myprofile [Sysname-qmprofile-myprofile] queue 1 wrr group 1 weight 10

Related commands

• display qos qmprofile interface

• qos qmprofile

Queue-based accounting commands

display qos queue-statistics interface outbound

Use display qos queue-statistics interface outbound to display queue-based outgoing traffic statistics for interfaces.

Syntax

display qos queue-statistics interface [ interface-type interface-number ] outbound

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays the outgoing traffic statistics for all interfaces.

Examples

# Display queue-based outgoing traffic statistics for FortyGigE 1/1/1.

<Sysname> display qos queue-statistics interface FortyGigE 1/1/1 outbound Interface: FortyGigE 1/1/1 Direction: outbound Forwarded: 1087 packets, 98466 bytes Dropped: 0 packets, 0 bytes Queue 0 Forwarded: 0 packets, 0 bytes, 0 pps, 0 bps Dropped: 0 packets, 0 bytes Current queue length: 0 packets Queue 1 Forwarded: 0 packets, 0 bytes, 0 pps, 0 bps Dropped: 0 packets, 0 bytes Current queue length: 0 packets Queue 2 Forwarded: 0 packets, 0 bytes, 0 pps, 0 bps Dropped: 0 packets, 0 bytes Current queue length: 0 packets Queue 3 Forwarded: 0 packets, 0 bytes, 0 pps, 0 bps Dropped: 0 packets, 0 bytes Current queue length: 0 packets Queue 4 Forwarded: 0 packets, 0 bytes, 0 pps, 0 bps Dropped: 0 packets, 0 bytes Current queue length: 0 packets

HP Moonshot-45XGc Command Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

ACL commands

acl copy

acl logging interval

acl name

description

display acl

display packet-filter

display packet-filter statistics

display packet-filter statistics sum

display packet-filter verbose

display qos-acl resource

packet-filter

packet-filter default deny

reset acl counter

reset packet-filter statistics

rule (Ethernet frame header ACL view)

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule (IPv6 advanced ACL view)

rule (IPv6 basic ACL view)

rule (user-defined ACL view)

rule comment

step

QoS policy commands

Traffic class commands

display traffic classifier

if-match

Defining an ACL-based match criterion

Defining a criterion to match a destination MAC address

Defining a criterion to match a source MAC address

Defining a criterion to match DSCP values

Defining a criterion to match 802.1p priority values in inner or outer VLAN tags

Defining a criterion to match IP precedence values

Defining a criterion to match VLAN IDs in inner or outer VLAN tags

Defining a criterion to match control plane protocols

Examples

traffic classifier

Traffic behavior commands

accounting

display traffic behavior

filter

nest top-most

redirect

remark customer-vlan-id

remark dot1p

remark drop-precedence

remark dscp

remark ip-precedence

remark local-precedence

remark qos-local-id

remark service-vlan-id

traffic behavior

QoS policy commands

classifier behavior

control-plane

display qos policy

display qos policy control-plane

display qos policy control-plane pre-defined

display qos policy global

display qos policy interface

display qos vlan-policy

qos apply policy (interface view, control plane view)

qos apply policy (user profile view)

qos apply policy global

qos policy

qos vlan-policy

reset qos policy control-plane

reset qos policy global

reset qos vlan-policy

Priority mapping commands

Priority map commands

display qos map-table

import

qos map-table

Port priority commands