HP Moonshot-45XGc Command Reference Guide

HP Moonshot-45XGc Switch

ACL and QoS

Command Reference

Part Number: 7855

Software

Document version: 5W100-20140912

07-001

version: ESS 2407

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

ACL commands ···························································································································································· 1

acl ·············································································································································································· 1 acl copy ····································································································································································· 2 acl logging interval ·················································································································································· 3 acl name ···································································································································································· 4 description ································································································································································· 5 display acl ································································································································································· 5 display packet-filter ·················································································································································· 7 display packet-filter statistics ··································································································································· 8 display packet-filter statistics sum ························································································································ 10 display packet-filter verbose ································································································································· 11 display qos-acl resource ······································································································································· 13 packet-filter ····························································································································································· 14 packet-filter default deny ······································································································································ 15 reset acl counter ···················································································································································· 16 reset packet-filter statistics ····································································································································· 17 rule (Ethernet frame header ACL view) ··············································································································· 18 rule (IPv4 advanced ACL view) ···························································································································· 19 rule (IPv4 basic ACL view) ···································································································································· 24 rule (IPv6 advanced ACL view) ···························································································································· 25 rule (IPv6 basic ACL view) ···································································································································· 30 rule (user-defined ACL view) ································································································································ 32 rule comment ·························································································································································· 34 step ·········································································································································································· 34

QoS policy commands ·············································································································································· 36

Traffic class commands ················································································································································· 36

display traffic classifier ········································································································································· 36 if-match ··································································································································································· 37 traffic classifier ······················································································································································· 43

Traffic behavior commands ··········································································································································· 44

accounting ······························································································································································ 44 car ··········································································································································································· 44 display traffic behavior ········································································································································· 46 filter ········································································································································································· 47 nest top-most ·························································································································································· 48 redirect ··································································································································································· 48 remark customer-vlan-id ········································································································································ 49 remark dot1p ························································································································································· 50 remark drop-precedence ······································································································································ 51 remark dscp ··························································································································································· 51 remark ip-precedence ··········································································································································· 52 remark local-precedence ······································································································································ 53 remark qos-local-id ················································································································································ 54 remark service-vlan-id ··········································································································································· 54 traffic behavior ······················································································································································ 55

classifier behavior ················································································································································· 56 control-plane ·························································································································································· 57

display qos policy ················································································································································· 57 display qos policy control-plane ·························································································································· 58 display qos policy control-plane pre-defined ····································································································· 59 display qos policy global ····································································································································· 61 display qos policy interface ································································································································· 62 display qos vlan-policy ········································································································································· 63 qos apply policy (interface view, control plane view) ······················································································ 65 qos apply policy (user profile view) ···················································································································· 66 qos apply policy global ········································································································································ 67 qos policy ······························································································································································· 67 qos vlan-policy ······················································································································································· 68 reset qos policy control-plane ······························································································································ 69 reset qos policy global·········································································································································· 69 reset qos vlan-policy ·············································································································································· 70

Priority mapping commands ····································································································································· 71

Priority map commands ················································································································································· 71

display qos map-table ··········································································································································· 71 import ······································································································································································ 72 qos map-table ························································································································································ 73

Port priority commands ·················································································································································· 73

qos priority ····························································································································································· 73

Priority trust mode commands ······································································································································· 74

display qos trust interface ····································································································································· 74 qos trust ·································································································································································· 74

GTS and rate limit commands ··································································································································· 76

GTS commands ······························································································································································ 76

display qos gts interface ······································································································································· 76 qos gts ···································································································································································· 76

Rate limit commands ······················································································································································ 77

display qos lr interface ········································································································································· 77 qos lr ······································································································································································· 78

Congestion management commands ······················································································································· 80

SP commands ································································································································································· 80

display qos queue sp interface ···························································································································· 80 qos sp ····································································································································································· 80

WRR commands ····························································································································································· 81

display qos queue wrr interface ·························································································································· 81 qos wrr ··································································································································································· 82 qos wrr { byte-count | weight } ···························································································································· 83 qos wrr group sp ··················································································································································· 84

WFQ commands ···························································································································································· 85

display qos queue wfq interface·························································································································· 85 qos bandwidth queue ··········································································································································· 86 qos wfq ··································································································································································· 87 qos wfq { byte-count | weight } ··························································································································· 87 qos wfq group sp ·················································································································································· 88

Queue scheduling profile commands ·························································································································· 89

bandwidth ······························································································································································ 89 display qos qmprofile configuration ···················································································································· 90 display qos qmprofile interface ··························································································································· 91 qos apply qmprofile ·············································································································································· 92 qos qmprofile ························································································································································· 93 queue ······································································································································································ 93

Queue-based accounting commands ··························································································································· 95

display qos queue-statistics interface outbound ································································································· 95

Congestion avoidance commands···························································································································· 96

WRED commands ·························································································································································· 96

display qos wred interface ··································································································································· 96 display qos wred table ········································································································································· 97 qos wred apply ····················································································································································· 98 qos wred table ······················································································································································· 99 queue ······································································································································································ 99 queue ecn ····························································································································································· 101 queue weighting-constant ··································································································································· 101

Aggregate CAR commands ···································································································································· 103

car name ······························································································································································ 103 display qos car name ········································································································································· 103 qos car ·································································································································································· 104 reset qos car name ·············································································································································· 106

Time range commands ··········································································································································· 107

display time-range ··············································································································································· 107 time-range ···························································································································································· 107

Data buffer commands ··········································································································································· 109

buffer apply ·························································································································································· 109 buffer queue guaranteed ···································································································································· 110 buffer queue shared ············································································································································ 111 buffer total-shared ················································································································································ 112 burst-mode enable ··············································································································································· 113 display buffer ······················································································································································· 113 display buffer usage············································································································································ 115

Index ········································································································································································ 118

iii

ACL commands

acl

Use acl to create an ACL, and enter its view. If the ACL has been created, you directly enter its view.

Use undo acl to delete the specified or all ACLs.

Syntax

acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]

undo acl [ ipv6 ] { all | name acl-name | number acl-number }

Default

No ACL exists.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

number acl-number: Specifies the number of an ACL.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if

• 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is

name acl-name: Assigns a name to the ACL for easy identification. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.

match-order: Sets the order in which ACL rules are compared against packets.

• auto: Compares ACL rules in depth-first order. The depth-first order varies by ACL category. For

• config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher

all: Specifies all ACLs.

the ipv6 keyword is specified.

specified.

more information, see ACL and QoS Configuration Guide.

priority. If you do not specify a match order, the config-order applies by default.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Usage guidelines

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

You can change the match order only for ACLs that do not contain any rules.

Examples

# Create IPv4 basic ACL 2000, and enter its view.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2001 with the name flow, and enter its view.

<Sysname> system-view [Sysname] acl number 2001 name flow [Sysname-acl-basic-2001-flow]

Related commands

display acl

acl copy

Use acl copy to create an ACL by copying an ACL that already exists.

Syntax

acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name

dest-acl-name }

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

source-acl-number: Specifies an existing source ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.

dest-acl-number: Assigns a unique number to the ACL you are creating. This number must be from the same ACL category as the source ACL. If you do not specify an ACL number, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL. Available value ranges include:

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot create an Ethernet frame header ACL if

the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot create a user-defined ACL if the ipv6 keyword is

specified.

name dest-acl-name: Assigns a unique name to the ACL you are creating. The dest-acl-name is a case-insensitive string of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all. If you do not specify an ACL name, the system does not name the ACL.

Usage guidelines

The new ACL has the same properties and content as the source ACL, but not the same ACL number and name.

You can assign a name to an ACL only when you create it. After an ACL is created with a name, you cannot rename it or remove its name.

Examples

# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.

<Sysname> system-view [Sysname] acl copy 2001 to 2002

acl logging interval

Use acl logging interval to set the interval for generating and outputting packet filtering logs. The log information includes the number of matching packets and the matched ACL rules.

Use undo acl logging interval to restore the default.

Syntax

acl [ ipv6 ] logging interval interval

undo acl [ ipv6 ] logging interval

Default

The interval is 0. No packet filtering logs are generated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval in minutes at which packet filtering logs are generated and output. It must be a multiple of 5 and in the range of 0 to 1440. To disable generating packet filtering logs, assign 0 to the argument.

Usage guidelines

The system collects packet filtering logs only for IPv4 basic, IPv4 advanced, IPv6 basic, and IPv6 advanced ACL rules that have the logging keyword.

• When the ipv6 keyword is not specified, this command sets the interval for generating and

outputting IPv4 packet filtering logs.

• When the ipv6 keyword is specified, this command sets the interval for generating and outputting

IPv6 packet filtering logs.

Examples

# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.

<Sysname> system-view [Sysname] acl logging interval 10

Related commands

• rule (IPv4 advanced ACL view)

• rule (IPv4 basic ACL view)

• rule (IPv6 advanced ACL view)

• rule (IPv6 basic ACL view)

acl name

Use acl name to enter the view of an ACL that has a name.

Syntax

acl [ ipv6 ] name acl-name

Views

System view

Predefined user roles

network-admin

Parameters

acl-name: Specifies the name of an ACL, a case-insensitive string of 1 to 63 characters. It must start with an English letter. The ACL must already exist. For a basic ACL or advanced ACL, if you do not specify the

ipv6 keyword, this option specifies the name of an IPv4 basic ACL or advanced ACL. If you specify the ipv6 keyword, this option specifies the name of an IPv6 basic ACL or advanced ACL.

Examples

# Enter the view of IPv4 basic ACL flow, which already exists.

<Sysname> system-view [Sysname] acl name flow [Sysname-acl-basic-2001-flow]

# Enter the view of IPv6 basic ACL flow, which already exists.

<Sysname> system-view [Sysname] acl ipv6 name flow [Sysname-acl6-basic-2001-flow]

Related commands

acl

description

Use description to configure a description for an ACL.

Use undo description to delete an ACL description.

Syntax

description text

undo description

Default

An ACL has no description.

Views

IPv4/IPv6 basic ACL view

IPv4/IPv6 advanced ACL view

Ethernet frame header ACL view

User-defined ACL view

Predefined user roles

network-admin

Parameters

text: Configures a description for the ACL, a case-sensitive string of 1 to 127 characters.

Examples

# Configure a description for IPv4 basic ACL 2000.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] description This is an IPv4 basic ACL.

Related commands

display acl

Use display acl to display configuration and match statistics for ACLs.

Syntax

display acl [ ipv6 ] { acl-number | all | name acl-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

all: Displays information about all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not specify the ipv6 keyword, or displays information about all IPv6 basic and IPv6 advanced ACLs if you specify the ipv6 keyword.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Usage guidelines

This command displays ACL rules in config or depth-first order, whichever is configured.

Examples

# Display configuration and match statistics for IPv4 basic ACL 2001.

<Sysname> display acl 2001 Basic ACL 2001, named flow, 1 rule, match-order is auto, This is an IPv4 basic ACL. ACL's step is 5 rule 5 permit source 1.1.1.1 0 (5 times matched) rule 5 comment This rule is used on FortyGigE 1/1/1.

Table 1 Command output

Field

Descri

Basic ACL 2001

named flow

1 rule The ACL contains one rule.

match-order is auto

This is an IPv4 basic ACL. Description of this ACL.

ACL's step is 5 The rule numbering step is 5.

rule 5 permit source 1.1.1.1 0 Content of rule 5.

5 times matched

rule 5 comment This rule is used on FortyGigE 1/1/1.

Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.

The name of the ACL is flow. If the ACL is not named, this field displays

-none-.

The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.

There have been five matches for the rule. The statistic counts only ACL matches performed in software.

This field is not displayed when no packets matched the rule.

Comment of ACL rule 5.

tion

display packet-filter

Use display packet-filter to display whether an ACL has been successfully applied to an interface for packet filtering.

Syntax

display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. VLAN

interfaces are not supported. If you do not specify an interface, this command displays ACL application information on all interfaces except VLAN interfaces for packet filtering.

interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF

member device. If you do not specify an IRF member device, this command displays ACL application information for packet filtering on the master.

Usage guidelines

If neither the inbound keyword nor the outbound keyword is specified, this command displays the ACL application information for both incoming and outgoing packet filtering.

Examples

# Display ACL application information for incoming packet filtering on interface FortyGigE 1/1/1.

<Sysname> display packet-filter interface fortygige 1/1/1 inbound Interface: FortyGigE1/1/1 In-bound policy: ACL 2001, Hardware-count ACL6 2002 IPv4 default action: Deny IPv6 default action: Deny

Table 2 Command output

Field Descri

tion

Interface Interface to which the ACL applies.

In-bound policy ACL used for filtering incoming traffic.

Out-bound policy ACL used for filtering outgoing traffic.

Field Description

ACL 2001 IPv4 basic ACL 2001 has been successfully applied.

Hardware-count Successfully enables counting ACL rule matches.

IPv4 default action

IPv6 default action

MAC default action

Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

display packet-filter statistics

Use display packet-filter statistics to display match statistics of ACLs for packet filtering.

Syntax

display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays the statistics of an interface specified by its type and

number.

inbound: Displays the statistics in the inbound direction.

outbound: Displays the statistics in the outbound direction.

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to

63 characters. It must start with an English letter.

brief: Displays brief statistics.

Usage guidelines

When none of acl-number and name acl-name is specified, this command displays match statistics of all ACLs for packet filtering.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Display match statistics of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs) for incoming packet filtering on FortyGigE 1/1/1.

<Sysname> display packet-filter statistics interface fortygige 1/1/1 inbound Interface: FortyGigE1/1/1 In-bound policy: ACL 2001, Hardware-count From 2011-06-04 10:25:21 to 2011-06-04 10:35:57 rule 0 permit source 2.2.2.2 0 rule 5 permit source 1.1.1.1 0 Totally 0 packets permitted, 0 packets denied Totally 0% permitted, 0% denied

IPv4 default action: Deny

Table 3 Command output

Field Descri

Interface Interface to which the ACL applies.

In-bound policy ACL used for filtering incoming traffic.

Out-bound policy ACL used for filtering outgoing traffic.

ACL 2001 IPv4 basic ACL 2001 has been successfully applied.

Hardware-count Successfully enables counting ACL rule matches.

From 2011-06-04 10:25:21 to 2011-06-04 10:35:57

Totally 0 packets permitted, 0 packets denied

Totally 0% permitted, 0% denied Ratios of permitted and denied packets to all packets.

IPv4 default action

IPv6 default action

MAC default action

Start time and end time of the statistics.

Number of packets permitted and denied by the ACL.

Packet filter default action for packets that do not match any IPv4 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

tion

Related commands

reset packet-filter statistics

display packet-filter statistics sum

Use display packet-filter statistics sum to display accumulated packet filtering ACL statistics.

Syntax

display packet-filter statistics sum { inbound | outbound } [ ipv6 ] { acl-number | name acl-name } [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

inbound: Displays the statistics in the inbound direction.

outbound: Displays the statistics in the outbound direction.

Examples

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

brief: Displays brief accumulated packet filtering ACL statistics.

# Display accumulated packet filtering ACL statistics of IPv4 basic ACL 2001 for incoming packets.

<Sysname> display packet-filter statistics sum inbound 2001 Sum: In-bound policy: ACL 2001 rule 0 permit source 2.2.2.2 0 (2 packets) rule 5 permit source 1.1.1.1 0 Totally 2 packets permitted, 0 packets denied Totally 100% permitted, 0% denied

Table 4 Command output

Field Descri

Sum Accumulated packet filtering ACL statistics.

In-bound policy Accumulated ACL statistics used for filtering incoming traffic.

Out-bound policy Accumulated ACL statistics used for filtering outgoing traffic.

ACL 2001 Accumulated ACL statistics used for IPv4 basic ACL 2001.

2 packets

Totally 2 packets permitted, 0 packets denied

Totally 100% permitted, 0% denied Ratios of permitted and denied packets to all packets.

Related commands

reset packet-filter statistics

display packet-filter verbose

Use display packet-filter verbose to display application details of ACLs for packet filtering.

Syntax

tion

Two packets matched the rule.

This field is not displayed when no packets matched the rule.

Number of packets permitted and denied by the ACL.

display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to

63 characters. It must start with an English letter.

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF member device. If you do not specify an IRF member device, this command displays ACL application details for packet filtering on the master.

Usage guidelines

When none of acl-number and name acl-name is specified, this command displays application details of all ACLs for packet filtering.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Display application details of all ACLs (IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs) for incoming packet filtering on FortyGigE 1/1/1.

<Sysname> display packet-filter verbose interface fortygige 1/1/1 inbound Interface: FortyGigE1/1/1 In-bound policy: ACL 2001, Hardware-count rule 0 permit rule 5 permit source 1.1.1.1 0

ACL6 2000, Hardware-count rule 0 permit

ACL 4000, Hardware-count

IPv4 default action: Deny

IPv6 default action: Deny

MAC default action: Deny

Table 5 Command output

Field Descri

Interface Interface to which the ACL applies.

In-bound policy ACL used for filtering incoming traffic.

Out-bound policy ACL used for filtering outgoing traffic.

ACL 2001 IPv4 basic ACL 2001 has been successfully applied.

Hardware-count Successfully enables counting ACL rule matches.

Packet filter default action for packets that do not match any IPv4

IPv4 default action

IPv6 default action

ACLs. This field is displayed only when the default action is deny.

Packet filter default action for packets that do not match any IPv6 ACLs. This field is displayed only when the default action is

deny.

tion

Field Description

MAC default action

display qos-acl resource

Use display qos-acl resource to display QoS and ACL resource usage.

Syntax

display qos-acl resource [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device. The slot-number argument represents the ID of the IRF

member device. If you do not specify an IRF member device, this command displays QoS and ACL resource usage on all member devices.

Packet filter default action for packets that do not match any Ethernet frame header ACLs. This field is displayed only when the default action is deny.

Examples

# Display QoS and ACL resource usage.

<Sysname> display qos-acl resource Interfaces: XGE1/0/1 to XGE1/0/45, FGE1/1/1 to FGE1/1/4

--------------------------------------------------------------------- Type Total Reserved Configured Remaining Usage

--------------------------------------------------------------------- VFP ACL 1024 272 0 752 26% IFP ACL 2048 1664 0 384 81% IFP Meter 1024 832 0 192 81% IFP Counter 1024 832 0 192 81% EFP ACL 1024 0 0 1024 0% EFP Meter 512 0 0 512 0% EFP Counter 512 0 0 512 0%

Table 6 Command output

Field Descri

Interfaces Interface range for the resource.

tion

Field Description

Type

Total Total number of resource.

Reserved Number of reserved resource.

Configured Number of resource that has been applied.

Remaining Number of resource that you can apply.

Usage

packet-filter

Resource type:

• VFP ACL—ACL rules for local QoS ID remarking before Layer 2

forwarding.

• IFP ACL—ACL rules applied to inbound traffic.

• IFP Meter—Traffic policing rules for inbound traffic.

• IFP Counter—Traffic counting rules for inbound traffic.

• EFP Meter—Traffic policing rules for outbound traffic.

• EFP Counter—Traffic counting rules for outbound traffic.

Configured and reserved resources as a percentage of total resources. If the percentage is not an integer, this field displays the integer part. For example, if the actual usage is 50.8%, this field displays 50%.

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL application from an interface.

Syntax

packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]

undo packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }

Default

An interface does not filter packets.

Views

Layer 2/Layer 3 Ethernet interface view

VLAN interface view

S-channel interface/S-channel aggregate interface view

VSI interface/VSI aggregate interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. This keyword enables

match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules. If the hardware-count keyword is not specified, rule matches for the ACL are not counted.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on FortyGigE 1/1/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view [Sysname] interface fortygige 1/1/1 [Sysname-FortyGigE1/1/1] packet-filter 2001 inbound hardware-count

Related commands

• display packet-filter

• display packet-filter statistics

• display packet-filter verbose

packet-filter default deny

Use packet-filter default deny to set the packet filtering default action to deny. The packet filter denies packets that do not match any ACL rule.

Use undo packet-filter default deny to restore the default.

Syntax

packet-filter default deny

undo packet-filter default deny

Default

The packet filter permits packets that do not match any ACL rule.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The packet filter applies the default action to all ACL applications for packet filtering. The default action appears in the display command output for packet filtering.

Examples

# Set the packet filter default action to deny.

<Sysname> system-view [Sysname] packet-filter default deny

Related commands

• display packet-filter

• display packet-filter statistics

• display packet-filter verbose

reset acl counter

Use reset acl counter to clear statistics for ACLs.

Syntax

reset acl counter [ ipv6 ] { acl-number | all | name acl-name }

Views

User view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

all: Clears statistics for all IPv4 basic, IPv4 advanced, and Ethernet frame header ACLs if you do not specify the ipv6 keyword, or clears statistics for all IPv6 basic and IPv6 advanced ACLs if you specify the

ipv6 keyword.

name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a

case-insensitive string of 1 to 63 characters. It must start with an English letter.

Examples

# Clear statistics for IPv4 basic ACL 2001.

<Sysname> reset acl counter 2001

if the ipv6 keyword is specified.

specified.

Related commands

display acl

reset packet-filter statistics

Use reset packet-filter statistics to clear the match statistics (including the accumulated statistics) of ACLs for packet filtering.

Syntax

reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 ] { acl-number | name acl-name } ]

Views

User view

Predefined user roles

network-admin

Parameters

interface [ interface-type interface-number ]: Specifies an interface by its type and number. If you do not

specify an interface, this command clears packet filtering ACL statistics on all interfaces.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

ipv6: Specifies IPv6 ACLs.

acl-number: Specifies an ACL by its number.

• 2000 to 2999 for basic ACLs.

• 3000 to 3999 for advanced ACLs.

• 4000 to 4999 for Ethernet frame header ACLs. You cannot specify an Ethernet frame header ACL

if the ipv6 keyword is specified.

• 5000 to 5999 for user-defined ACLs. You cannot specify a user-defined ACL if the ipv6 keyword is

specified.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter.

Usage guidelines

When neither of acl-number and name acl-name is specified, this command clears the match statistics of all ACLs for packet filtering.

• If the ipv6 keyword is not specified, all ACLs refer to all IPv4 basic, IPv4 advanced, and Ethernet

frame header ACLs.

• If the ipv6 keyword is specified, all ACLs refer to all IPv6 basic and IPv6 advanced ACLs.

Examples

# Clear IPv4 basic ACL 2001 statistics for incoming packet filtering of interface FortyGigE 1/1/1.

<Sysname> reset packet-filter statistics interface fortygige 1/1/1 inbound 2001

Related commands

• display packet-filter statistics

• display packet-filter statistics sum

rule (Ethernet frame header ACL view)

Use rule to create or edit an Ethernet frame header ACL rule.

Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap

lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

Default

An Ethernet frame header ACL does not contain any rule.

Views

Ethernet frame header ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not

specified, matches for the rule are not counted.

dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and

Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.

source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the sour-mask argument represents a mask in the H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

When an Ethernet frame header ACL with the lsap keyword specified is used for QoS traffic classification or packet filtering, the lsap-type argument must be AAAA and the lsap-type-mask argument must be FFFF. Otherwise, the ACL cannot be applied successfully.

Within an ACL, the permit or deny state ment of each ru le must be un iqu e. If the ACL rule you are creatin g or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view [Sysname] acl number 4000 [Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff [Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff

Related commands

• acl

• display acl

• step

• time-range

rule (IPv4 advanced ACL view)

Use rule to create or edit an IPv4 advanced ACL rule.

Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value

| syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range

time-range-name | vpn

undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range | vpn-instance ] *

-instance vpn-instance-name ] *

Default

An IPv4 advanced ACL does not contain any rule.

Views

IPv4 advanced ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmp (1) , igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17) . Th e ip keyword specifies all protocols. Table 7 d argument.

Table 7 Match criteria and other rule information for IPv4 advanced ACL rules

escribes the parameters that you can specify regardless of the value for the protocol

Parameters Function Descri

source

{ source-address source-wildcard |

any }

destination

{ dest-address dest-wildcard |

any }

counting

precedence

tos tos Specifies a ToS preference.

Specifies a source address.

Specifies a destination address.

Counts the number of times the IPv4 advanced ACL rule has been matched.

Specifies an IP precedence value.

The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address.

The any keyword specifies any source IP address.

The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address.

The any keyword represents any destination IP address.

The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all ru l e s in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1),

immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

tion

Parameters Function Description

The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21

dscp dscp Specifies a DSCP priority.

(18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

fragment

logging Logs matching packets.

time-range

time-range-name

vpn-instance

vpn-instance-name

Applies the rule only to non-first fragments.

Specifies a time range for the rule.

Applies the rule to a VPN instance.

If you do not specify this keyword, the rule applies to all fragments and non-fragments.

This function requires that the module (for example, packet filtering) that uses the ACL supports logging.

The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range.

For more information about time range, see ACL and QoS Configuration Guide.

The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

If you do not specify a VPN instance, the rule applies only to non-VPN packets.

If the protocol argument is tcp (6) or udp (7), set the parameters shown in Table 8.

Table 8 TCP/UDP-specific parameters for IPv4 advanced ACL rules

Parameters Function Descri

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

source-port operator port1 [ port2 ]

destination-port operator port1

[ port2 ]

Specifies one or more UDP or TCP source ports.

Specifies one or more UDP or TCP destination ports.

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65),

talk (517), tftp (69), time (37), who (513), and xdmcp (177).

tion

Parameters Function Description

{ ack ack-value | fin fin-value |

psh psh-value | rst rst-value | syn syn-value | urg urg-value } *

established

Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG.

Specifies the flags for indicating the established status of a TCP connection.

Parameters specific to TCP.

The value for each argument can be 0 (flag bit not set) or 1 (flag bit set).

The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set.

Parameter specific to TCP.

The rule matches TCP connection packets with the ACK or RST flag bit set.

If the protocol argument is icmp (1), set the parameters shown in Table 9.

Table 9 ICMP-specific parameters for IPv4 advanced ACL rules

Parameters Function Descri

The icmp-type argument is in the range of 0 to 255.

icmp-type { icmp-type icmp-code | icmp-message }

Specifies the ICMP message type and code.

The icmp-code argument is in the range of 0 to 255.

The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 10.

tion

Table 10 ICMP message names supported in IPv4 advanced ACL rules

ICMP messa

echo 8 0

echo-reply 0 0

fragmentneed-DFset 3 4

host-redirect 5 1

host-tos-redirect 5 3

host-unreachable 3 1

information-reply 16 0

information-request 15 0

net-redirect 5 0

net-tos-redirect 5 2

net-unreachable 3 0

parameter-problem 12 0

port-unreachable 3 3

protocol-unreachable 3 2

e name ICMP message type

ICMP message code

reassembly-timeout 11 1

source-quench 4 0

ICMP message name ICMP message type

source-route-failed 3 5

timestamp-reply 14 0

timestamp-request 13 0

ttl-exceeded 11 0

Usage guidelines

If an ACL is for QoS traffic classification or packet filtering:

• Do not specify the vpn-instance keyword if the ACL is for outbound QoS traffic classification or

outbound packet filtering.

• Do not specify neq for the operator argument.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

ICMP message code

Examples

To view rules in an ACL and their rule IDs, use the display acl all command.

# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from

129.9.0.0/16 to 202.38.160.0/24.

<Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination

202.38.160.0 0.0.0.255 destination-port eq 80

# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for

192.168.1.0/24.

<Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255 [Sysname-acl-adv-3001] rule permit ip

# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.

<Sysname> system-view [Sysname] acl number 3002 [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data

# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.

<Sysname> system-view [Sysname] acl number 3003 [Sysname-acl-adv-3003] rule permit udp source-port eq snmp

[Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap

Related commands

• acl

• acl logging interval

• display acl

• step

• time-range

rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.

Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

Default

An IPv4 basic ACL does not contain any rule.

Views

IPv4 basic ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword

enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to non -first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This function is available only when the application module (for example, packet filtering) that uses the ACL supports the logging function.

source { source-address source-wildcard | any }: Matches a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation.

A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a

case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the rule applies only to non-VPN packets.

Usage guidelines

If an ACL is for outbound QoS traffic classification or outbound packet filtering, do not specify the vpn-instance keyword.

You can edit ACL rules only when the match order is config.

• If you do not specify any optional keywords, the undo rule command deletes the entire rule.

• If you specify optional keywords or arguments, the undo rule command deletes the specified

attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8,

172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255 [Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255 [Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Sysname-acl-basic-2000] rule deny source any

Related commands

• acl

• acl logging interval

• display acl

• step

• time-range

rule (IPv6 advanced ACL view)

Use rule to create or edit an IPv6 advanced ACL rule.

Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.

+ 94 hidden pages

HP Moonshot-45XGc Command Reference Guide

Contents

ACL commands

acl copy

acl logging interval

acl name

description

display acl

display packet-filter

display packet-filter statistics

display packet-filter statistics sum

display packet-filter verbose

display qos-acl resource

packet-filter

packet-filter default deny

reset acl counter

reset packet-filter statistics

rule (Ethernet frame header ACL view)

rule (IPv4 advanced ACL view)

rule (IPv4 basic ACL view)

rule (IPv6 advanced ACL view)