H3C S5820X&S5800 Switch Series
ACL and QoS Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 1211
Document version: 6W100-20110415
Copyright © 2011, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5800&S5820X documentation set includes 12 configuration guides, which describe the
software features for the S5800&S5820X Switch Series and guide you through the software
configuration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
The ACL and QoS Configuration Guide describes the fundamentals and configuration of ACL and QoS. It
describes how to create IPv4 ACLs and IPv6 ACLs, use ACLs for packet filtering, use QoS policies to control
traffic, and configure common QoS techniques such as traffic policing, traffic shaping, congestion
management, and congestion avoidance.
This preface includes:
Audience
Added and modified features
Conventions
About the H3C S5800&S5820X documentation set
Obtaining documentation
Technical support
Documentation feedback
Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the S5800 and S5820X Switch Series
Added and modified features
Compared to Release 1110, Release 1211 adds the following features:
Configuration guide: Added and modified features
ACL: Added features: Counting ACL rule matches performed in hardware; Configuring a start or end remark for ACL rules
QoS overview: None
QoS configuration approaches: Added features: Applying the QoS policy to the control plane
Priority mapping: Added features: Configuring the 802.1p-to-EXP, EXP-to-802.1p and EXP-to-drop priority mapping tables
Traffic policing, traffic shaping, and line rate: None
Congestion management: Added features: Configuring byte-count WRR and packet-based WRR
Congestion avoidance: Added features: Setting the WRED exponent for average queue length calculation
Traffic filtering: None
Priority marking: Added features: Setting the drop precedence for packets; Configuring color-based priority marking
Traffic redirecting: Added features: Configuring the action to take upon the failure of a redirect attempt
Global CAR: None
Class-based accounting: None
Data buffer: None
Appendix A Default priority mapping tables: None
Appendix B Introduction to packet precedences: None
HQoS: HQoS is a newly added feature
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>: The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
Symbols
Convention: Description
WARNING: An alert that calls attention to important information that, if not understood or followed, can result in personal injury.
CAUTION: An alert that calls attention to important information that, if not understood or followed, can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
About the H3C S5800&S5820X documentation set
The H3C S5800&S5820X documentation set includes:
Category: Documents: Purposes
Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.
Pluggable module description
  PSR150-A [ PSR150-D ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 150W power modules available for the products.
  PSR300-12A [ PSR300-12D1 ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 300W power modules available for the products.
  PSR750-A [ PSR750-D ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 750W power modules available for the products.
  RPS User Manual: Describes the appearances, features, and specifications of the RPS units available for the products.
  LSW1FAN and LSW1BFAN Installation Manual: Describes the appearances, specifications, installation, and removal of the pluggable fan modules available for the products.
  LSW148POEM Module User Manual: Describes the appearance, features, installation, and removal of the pluggable PoE module available for the products.
  S5820X [ S5800 ] Series Ethernet Switches Interface Cards User Manual: Describes the models, hardware specifications, installation, and removal of the interface cards available for the products.
  H3C OAP Cards User Manual: Describes the benefits, features, hardware specifications, installation, and removal of the OAP cards available for the products.
  H3C Low End Series Ethernet Switches Pluggable Modules Manual: Describes the models, appearances, and specifications of the pluggable modules available for the products.
Power configuration
  S5800-60C-PWR Ethernet Switch Hot Swappable Power Module Ordering Guide: Guides you through ordering the hot-swappable power modules available for the S5800-60C-PWR switches in different cases.
  RPS Ordering Information for H3C Low-End Ethernet Switches: Provides the RPS and switch compatibility matrix and RPS cable specifications.
Hardware installation
  S5800 Series Ethernet Switches Quick Start; S5820X Series Ethernet Switches Quick Start; S5800 Series Ethernet Switches CE DOC; S5820X Series Ethernet Switches CE DOC: Provides regulatory information and the safety instructions that must be followed during installation.
  S5800 Series Ethernet Switches Quick Start; S5820X Series Ethernet Switches Quick Start: Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.
  S5800 Series Ethernet Switches Installation Manual; S5820X Series Ethernet Switches Installation Manual: Provides a complete guide to hardware installation and hardware specifications.
  Pluggable SFP[SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
  S5800-60C-PWR Switch Video Installation Guide; S5820X-28C Switch Video Installation Guide: Shows how to install the H3C S5800-60C-PWR and H3C S5820X-28C Ethernet switches.
Software configuration
  Configuration guide: Describe software features and configuration procedures.
  Command reference: Provide a quick reference to all available commands.
Operations and maintenance
  H3C Series Ethernet Switches Login Password Recovery Manual: Tells how to find the lost password or recover the password when the login password is lost.
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the software version.
Technical support
customer_service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Contents
ACL configuration ... 1
  ACL overview ... 1
    ACL applications on the switch ... 1
    ACL categories ... 2
    ACL numbering and naming ... 2
    Match order ... 2
    ACL rule numbering ... 3
    Implementing time-based ACL rules ... 4
    IPv4 fragment filtering with ACLs ... 4
  ACL configuration task list ... 4
  Configuring an ACL ... 4
    Configuring a time range ... 4
    Configuring a basic ACL ... 5
    Configuring an advanced ACL ... 7
    Configuring an Ethernet frame header ACL ... 9
    Configuring a start or end remark ... 10
    Copying an ACL ... 11
    Packet filtering with ACLs ... 11
  Displaying and maintaining ACLs ... 12
  ACL configuration examples ... 13
    IPv4 ACL application configuration example ... 13
    IPv6 ACL application configuration example ... 14
QoS overview ... 16
  Introduction to QoS ... 16
  QoS service models ... 16
    Best-effort service model ... 16
    IntServ model ... 16
    DiffServ model ... 17
  QoS techniques overview ... 17
    Applying QoS techniques in a network ... 17
    QoS processing flow in a device ... 18
QoS configuration approaches ... 19
  QoS configuration approach overview ... 19
    Non-policy approach ... 19
    Policy approach ... 19
  Configuring a QoS policy ... 19
    Defining a class ... 20
    Defining a traffic behavior ... 22
    Defining a policy ... 22
    Applying the QoS policy ... 23
    Displaying and maintaining QoS policies ... 26
Priority mapping configuration ... 28
  Priority mapping overview ... 28
    Introduction to priority mapping ... 28
    Introduction to priorities ... 28
    Priority mapping tables ... 29
    Priority trust mode on a port ... 29
    Priority mapping procedure ... 29
  Priority mapping configuration task list ... 31
  Configuring priority mapping ... 32
    Configuring a priority mapping table ... 32
    Configuring a port to trust packet priority for priority mapping ... 32
    Changing the port priority of an interface ... 33
  Displaying and maintaining priority mapping ... 33
  Priority mapping configuration examples ... 33
    Priority trust mode and port priority configuration example ... 33
    Priority mapping table and priority marking configuration example ... 34
Traffic policing, traffic shaping, and line rate configuration ... 38
  Traffic policing, traffic shaping, and line rate overview ... 38
    Traffic evaluation and token buckets ... 38
    Traffic policing ... 39
    Traffic shaping ... 40
    Line rate ... 41
  Configuring traffic policing ... 42
  Configuring GTS ... 43
  Configuring the line rate ... 43
  Displaying and maintaining traffic policing, GTS, and line rate ... 44
Congestion management configuration ... 45
  Congestion management overview ... 45
    Causes, impacts, and countermeasures ... 45
    Congestion management techniques ... 46
  Configuring SP queuing ... 48
    Configuration procedure ... 48
    Configuration example ... 49
  Configure WRR queuing ... 49
    Configuration procedure ... 49
    Configuration example ... 50
  Configuring WFQ queuing ... 50
    Configuration procedure ... 50
    Configuration example ... 51
  Configuring SP+WRR queues ... 51
    Configuration procedure ... 51
    Configuration example ... 52
Congestion avoidance ... 53
  Congestion avoidance overview ... 53
    Traditional packet drop policy ... 53
    RED and WRED ... 53
  Introduction to WRED configuration ... 54
    WRED configuration approaches ... 54
    Introduction to WRED parameters ... 54
  Configuring WRED ... 54
    Configuration procedure ... 55
    Configuration example ... 55
  Displaying and maintaining WRED ... 56
Traffic filtering configuration ... 57
  Traffic filtering overview ... 57
  Configuring traffic filtering ... 57
  Traffic filtering configuration example ... 58
    Network requirements ... 58
    Configuration procedure ... 58
Priority marking configuration ... 59
  Priority marking overview ... 59
  Color-based priority marking configuration ... 59
    Packet coloring methods ... 59
    Color-based priority marking configuration ... 60
  Configuring priority marking ... 60
  Priority marking configuration examples ... 63
    Priority marking configuration example ... 63
    QoS-local-ID marking configuration example ... 65
    Example for configuring priority marking based on colors obtained through traffic policing ... 66
Traffic redirecting configuration ... 68
  Traffic redirecting overview ... 68
  Configuring traffic redirecting ... 68
Global CAR configuration ... 70
  Global CAR overview ... 70
    Aggregation CAR ... 70
    Hierarchical CAR ... 70
  Configuring aggregation CAR ... 71
    Configuration procedure ... 71
    Configuration example ... 71
  Configuring hierarchical CAR ... 72
  Displaying and maintaining global CAR configuration ... 72
  Global CAR configuration examples ... 73
    Aggregation CAR configuration example ... 73
    AND-mode hierarchical CAR configuration example ... 74
    OR-mode hierarchical CAR configuration example ... 75
Class-based accounting configuration ... 77
  Class-based accounting overview ... 77
  Configuring class-based accounting ... 77
  Displaying and maintaining traffic accounting ... 78
  Class-based accounting configuration example ... 78
    Class-based accounting configuration example ... 78
Data buffer configuration ... 80
  Introduction to the data buffer ... 80
    Data buffer ... 80
    Data buffer allocation ... 80
    How the shared resource is used ... 81
  Configuring the data buffer ... 82
    Data buffer configuration approaches ... 82
    Using the burst function to configure the data buffer setup ... 82
    Manually configuring the data buffer setup ... 82
HQoS configuration ... 86
  Prerequisites ... 86
  Overview ... 86
    How HQoS works on the S5800 Switch Series ... 86
HQoS concepts······················································································································································ 88
HQoS configuration task list ········································································································································· 89
Configuring a forwarding profile································································································································· 90
Configuring a forwarding group·································································································································· 91
Creating a forwarding group ······························································································································ 91
Nesting a forwarding group ································································································································ 91
Configuring a scheduler policy ···································································································································· 92
Configuration guidelines ······································································································································ 92
Configuration procedure ······································································································································ 93
Instantiating a forwarding group·································································································································· 93
Instantiation modes ··············································································································································· 93
Configuration guidelines ······································································································································ 93
Configuration procedure ······································································································································ 94
Applying a scheduler policy to a port ························································································································· 95
HQoS-capable ports on the S5800 Switch Series ···························································································· 95
Configuration guidelines ······································································································································ 95
Configuration prerequisites ·································································································································· 95
Configuration procedure ······································································································································ 95
Copying a forwarding group ······································································································································· 96
Copying a scheduler policy·········································································································································· 96
Displaying and maintaining HQoS······························································································································ 96
HQoS configuration example······································································································································· 97
Appendix A Default priority mapping tables········································································································ 103
Appendix B Introduction to packet precedences·································································································· 105
IP precedence and DSCP values ································································································································105
802.1p priority·····························································································································································106
EXP values·····································································································································································107
Index ········································································································································································ 108
ACL configuration
This chapter includes these sections:
ACL overview
ACL configuration task list
Configuring an ACL
Configuring a time range
Configuring a basic ACL
Configuring an advanced ACL
Configuring an Ethernet frame header ACL
Configuring a start or end remark
Copying an ACL
Packet filtering with ACLs
Displaying and maintaining ACLs
ACL configuration examples
NOTE:
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
The Layer 3 Ethernet interface in this document refers to the Ethernet port that can perform IP routing and
inter-VLAN routing. You can set an Ethernet port as a Layer 3 Ethernet interface by using the port
link-mode route command (see the Layer 2 LAN Switching Configuration Guide).
ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also used by many modules, for example, QoS and
IP routing, for traffic classification and identification.
ACL applications on the switch
An ACL is implemented in hardware or software, depending on the module that uses it. If the module (for
example, the packet filter or QoS module) is implemented in hardware, the ACL is applied in hardware
to process traffic. If the module (for example, routing or user interface access control for Telnet, SNMP,
or web) is implemented in software, the ACL is applied in software to process traffic.
The user interface access control module denies packets that do not match any ACL. Some modules, QoS
for example, ignore the permit or deny action in ACL rules and do not base their drop or forwarding
decisions on the action set in ACL rules. See the documentation for the specific module for information
about how it applies ACLs.
ACL categories
Category (ACL number), IP version: match criteria
Basic ACLs (2000 to 2999)
IPv4: Source IPv4 address
IPv6: Source IPv6 address
Advanced ACLs (3000 to 3999)
IPv4: Source IPv4 address, destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
IPv6: Source IPv6 address, destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs (4000 to 4999)
IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
ACL numbering and naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number for identification. In addition, you can assign the ACL a name for the ease of identification. After
creating an ACL with a name, you cannot rename it or delete its name.
For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic or
advanced ACL, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic
or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an
IPv6 ACL.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, carefully check the rule content and order.
auto—Sorts ACL rules in depth-first order. Depth-first ordering ensures that any subset of a rule is
always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering
uses to sort rules for each type of ACL.
Table 1 Sort ACL rules in depth-first order
ACL category: sequence of tie breakers
IPv4 basic ACL
1. VPN instance
2. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
3. Smaller rule ID
IPv4 advanced ACL
1. VPN instance
2. Specific protocol type rather than IP (IP represents any protocol over IP)
3. More 0s in the source IP address wildcard mask
4. More 0s in the destination IP address wildcard mask
5. Narrower TCP/UDP service port number range
6. Smaller rule ID
IPv6 basic ACL
1. Longer prefix for the source IPv6 address (a longer prefix means a narrower IP address range)
2. Smaller rule ID
IPv6 advanced ACL
1. Specific protocol type rather than IP (IP represents any protocol over IPv6)
2. Longer prefix for the source IPv6 address
3. Longer prefix for the destination IPv6 address
4. Narrower TCP/UDP service port number range
5. Smaller rule ID
Ethernet frame header ACL
1. More 1s in the source MAC address mask (more 1s means a narrower MAC address range)
2. More 1s in the destination MAC address mask
3. Smaller rule ID
NOTE:
A wildcard mask, also called an "inverse mask," is a 32-bit binary number represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1
bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an
IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s
in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
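The wildcard-mask matching and the two match orders described above, modelled in Python as an added example (this is not code from the H3C manual or from the switch software). The BasicRule class, the acl_lookup function and the sample rules are constructed for illustration; the depth-first sort key follows the IPv4 basic ACL tie breakers of Table 1 (VPN instance, more 0s in the source wildcard, smaller rule ID). The sample shows why the match order matters: the same packet is permitted under config order and denied under auto order, because the narrower deny rule has the higher ID.

```python
"""Added example (not from the H3C manual): IPv4 basic ACL lookup under the
config and auto match orders, with wildcard-mask source matching."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """0 bits in the wildcard are 'do care' bits that must be equal; 1 bits
    are 'don't care' and are ignored.  The bits may be noncontiguous, so
    0.255.0.255 compares only the first and third octets."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(criterion) & care)


def zero_bits(wildcard: str) -> int:
    """More 0s in the wildcard means a narrower address range."""
    return 32 - bin(ip_to_int(wildcard)).count("1")


@dataclass
class BasicRule:
    """Constructed model of one IPv4 basic ACL rule."""
    rule_id: int
    action: str                                 # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None    # (address, wildcard); None means 'any'
    vpn_instance: Optional[str] = None          # VPN instance name, if the rule has one

    def matches(self, src_ip: str, vpn: Optional[str] = None) -> bool:
        if self.vpn_instance is not None and self.vpn_instance != vpn:
            return False
        if self.source is None:
            return True
        return wildcard_match(src_ip, *self.source)


def depth_first_key(rule: BasicRule):
    """Table 1 tie breakers for an IPv4 basic ACL.  Python sorts ascending,
    so the zero count is negated to put narrower ranges first."""
    vpn_rank = 0 if rule.vpn_instance is not None else 1
    zeros = zero_bits(rule.source[1]) if rule.source else 0
    return (vpn_rank, -zeros, rule.rule_id)


def ordered_rules(rules: List[BasicRule], match_order: str = "config") -> List[BasicRule]:
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)   # ascending rule ID
    if match_order == "auto":
        return sorted(rules, key=depth_first_key)        # depth-first
    raise ValueError("unknown match order: " + match_order)


def acl_lookup(rules: List[BasicRule], src_ip: str, match_order: str = "config",
               vpn: Optional[str] = None) -> Optional[str]:
    """The first matching rule ends the match process and supplies the action.
    Returns None when no rule matches."""
    for rule in ordered_rules(rules, match_order):
        if rule.matches(src_ip, vpn):
            return rule.action
    return None


# Constructed sample ACL: rule 0 is broad, rule 5 is a narrower subset of it.
SAMPLE_RULES = [
    BasicRule(0, "permit", ("192.168.0.0", "0.0.255.255")),
    BasicRule(5, "deny", ("192.168.10.0", "0.0.0.255")),
]
# Same ACL plus a rule bound to a (constructed) VPN instance name.
SAMPLE_RULES_WITH_VPN = SAMPLE_RULES + [BasicRule(10, "deny", None, "vpnA")]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, acl_lookup(SAMPLE_RULES, "192.168.10.7", order))
```

Under config order rule 0 is evaluated first and the packet from 192.168.10.7 is permitted; under auto order rule 5 sorts first because its wildcard has 24 zero bits against 16, so the same packet is denied. This is the case the text warns about when it says to check rule content and order carefully with config order.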
ACL rule numbering
What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system automatically numbers rules. For example, the
default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between
two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched
in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule will
be numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6 and 8.
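The automatic numbering and renumbering behaviour described above, as an added Python model (not the manual's or the switch's code; AclRules, next_rule_id and renumber are constructed names). It reproduces the document's two examples: with step 5, rules 0, 5, 9, 10 and 12 make the next automatically numbered rule 15, and changing the step from 5 to 2 renumbers rules 5, 10, 13, 15 and 20 to 0, 2, 4, 6 and 8.

```python
"""Added example (not from the H3C manual): how rule IDs are assigned from
the numbering step and renumbered when the step changes."""


def next_rule_id(existing_ids, step):
    """ID for a rule created without an explicit ID: the nearest multiple of
    the step that is higher than the current highest ID, or 0 for an empty ACL."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step


def renumber(existing_ids, new_step):
    """When the step changes, rules keep their relative order and are
    renumbered from 0 in multiples of the new step.  Returns old -> new."""
    return {old: index * new_step for index, old in enumerate(sorted(existing_ids))}


class AclRules:
    """Constructed model of the rule set of one ACL."""

    def __init__(self, step=5):      # 5 is the default step in the manual
        self.step = step
        self.rules = {}              # rule_id -> rule text

    def add_rule(self, text, rule_id=None):
        """rule [ rule-id ] ...: an explicit ID creates or edits that rule;
        without an ID the system picks the next free multiple of the step."""
        if rule_id is None:
            rule_id = next_rule_id(self.rules, self.step)
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, new_step):
        """step step-value: changing the step renumbers every rule from 0."""
        mapping = renumber(self.rules, new_step)
        self.rules = {mapping[old]: text for old, text in self.rules.items()}
        self.step = new_step
        return mapping

    def ids(self):
        return sorted(self.rules)


if __name__ == "__main__":
    acl = AclRules()
    for rid in (5, 10, 13, 15, 20):
        acl.add_rule("permit source any", rule_id=rid)
    print(acl.ids(), "->", acl.set_step(2), acl.ids())
```

The gap a wide step leaves between IDs is what lets you insert a rule between two existing ones in a config-order ACL; once the step is narrowed and the rules renumbered, that room shrinks accordingly.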
Implementing time-based ACL rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in the time periods specified by the time range.
The following basic types of time range are available:
Periodic time range—Recurs periodically on a day or days of the week.
Absolute time range—Represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the time
range can take effect only after you define the time range.
IPv4 fragment filtering with ACLs
By default, an ACL packet filter on the switch matches all fragments to prevent attackers from fabricating
fragments. To improve efficiency, you can configure the fragment keyword to apply an IPv4 ACL rule only
to non-first fragments.
ACL configuration task list
Complete the following tasks to configure an ACL:
Task: Remarks
Configuring a time range: Optional
Configuring an IPv4 basic ACL, Configuring an IPv6 basic ACL, Configuring an IPv4 advanced ACL, Configuring an IPv6 advanced ACL, Configuring an Ethernet frame header ACL: Required (configure at least one of these tasks)
Configuring a start or end remark: Optional
Copying an ACL: Optional
Packet filtering with ACLs: Optional
Configuring an ACL
Configuring a time range
Follow these steps to configure a time range:
To do: Enter system view
Use the command: system-view

To do: Configure a time range
Use the command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
Remarks: Required. By default, no time range exists. Repeat this command with the same time range name to create multiple statements for a time range.
You can create multiple statements in a time range. The active period of a time range is calculated as
follows:
1. Combining all periodic statements
2. Combining all absolute statements
3. Taking the intersection of the two statement sets as the active period of the time range
You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12
absolute statements.
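How the active period of a time range follows from its periodic and absolute statements, as an added Python model (not from the manual or the switch software). TimeRange, its methods and the statement tuples are constructed for illustration; the model assumes that a statement kind with no statements imposes no constraint, and it accepts only explicit weekday names for the days of a periodic statement. It also enforces the stated limits of 32 periodic and 12 absolute statements per time range.

```python
"""Added example (not from the H3C manual): is a time range active at a given
moment?  Periodic statements are combined, absolute statements are combined,
and the active period is the intersection of the two."""
from datetime import datetime, time

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def parse_hhmm(text):
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def periodic_active(statement, at):
    """Periodic statement: (start-time, end-time, set of weekday names).
    Recurs every week on the listed days."""
    start, end, days = statement
    return WEEKDAYS[at.weekday()] in days and parse_hhmm(start) <= at.time() <= parse_hhmm(end)


def absolute_active(statement, at):
    """Absolute statement: (from, to) as 'YYYY-MM-DD HH:MM'; it does not recur."""
    begin, finish = statement
    return datetime.fromisoformat(begin) <= at <= datetime.fromisoformat(finish)


class TimeRange:
    """Constructed model of one named time range."""
    MAX_PERIODIC = 32    # limits stated in the manual
    MAX_ABSOLUTE = 12

    def __init__(self, name):
        self.name = name
        self.periodic = []
        self.absolute = []

    def add_periodic(self, start, end, days):
        if len(self.periodic) >= self.MAX_PERIODIC:
            raise ValueError("too many periodic statements")
        self.periodic.append((start, end, set(days)))

    def add_absolute(self, begin, finish):
        if len(self.absolute) >= self.MAX_ABSOLUTE:
            raise ValueError("too many absolute statements")
        self.absolute.append((begin, finish))

    def is_active(self, at):
        """Union of the periodic statements, union of the absolute statements,
        then the intersection of the two.  Assumption: a kind with no
        statements imposes no constraint."""
        periodic_ok = not self.periodic or any(periodic_active(s, at) for s in self.periodic)
        absolute_ok = not self.absolute or any(absolute_active(s, at) for s in self.absolute)
        return periodic_ok and absolute_ok

    def active_at(self, text):
        """Convenience wrapper taking 'YYYY-MM-DD HH:MM'."""
        return self.is_active(datetime.fromisoformat(text))


def build_sample():
    """Constructed sample: office hours on weekdays, but only during 2011."""
    tr = TimeRange("office-hours")
    tr.add_periodic("08:00", "18:00", {"mon", "tue", "wed", "thu", "fri"})
    tr.add_absolute("2011-01-01 00:00", "2011-12-31 23:59")
    return tr


if __name__ == "__main__":
    sample = build_sample()
    for moment in ("2011-04-18 09:00", "2011-04-17 09:00", "2012-04-16 09:00"):
        print(moment, sample.active_at(moment))
```

A rule that references this time range would match only on weekdays between 08:00 and 18:00 in 2011; the same weekday and hour in 2012 falls outside the absolute statement, so the intersection is empty and the rule is inactive.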
Configuring a basic ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
Follow these steps to configure an IPv4 basic ACL:
To do: Enter system view
Use the command: system-view

To do: Create an IPv4 basic ACL and enter its view
Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. By default, no ACL exists. IPv4 basic ACLs are numbered in the range 2000 to 2999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

To do: Configure a description for the IPv4 basic ACL
Use the command: description text
Remarks: Optional. By default, an IPv4 basic ACL has no ACL description.

To do: Set the rule numbering step
Use the command: step step-value
Remarks: Optional. 5 by default.

To do: Create or edit a rule
Use the command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Remarks: Required. By default, an IPv4 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. If the ACL is for QoS traffic classification, do not specify the vpn-instance keyword; this keyword can cause ACL application failure. The logging and counting keywords (even if specified) do not take effect for QoS policies.

To do: Configure or edit a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, an IPv4 ACL rule has no rule description.

To do: Enable counting ACL rule matches performed in hardware
Use the command: hardware-count enable
Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
Configuring an IPv6 basic ACL
Follow these steps to configure an IPv6 basic ACL:
To do: Enter system view
Use the command: system-view

To do: Create an IPv6 basic ACL and enter its view
Use the command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. By default, no ACL exists. IPv6 basic ACLs are numbered in the range 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.

To do: Configure a description for the IPv6 basic ACL
Use the command: description text
Remarks: Optional. By default, an IPv6 basic ACL has no ACL description.

To do: Set the rule numbering step
Use the command: step step-value
Remarks: Optional. 5 by default.

To do: Create or edit a rule
Use the command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
Remarks: Required. By default, an IPv6 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. If the ACL is for QoS traffic classification, do not specify the fragment keyword; this keyword can cause ACL application failure. The logging and counting keywords (even if specified) do not take effect for QoS.

To do: Configure or edit a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, an IPv6 basic ACL rule has no rule description.

To do: Enable counting ACL rule matches performed in hardware
Use the command: hardware-count enable
Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
Configuring an advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and
other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags,
ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS),
IP precedence, and differentiated services codepoint (DSCP) priority.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
To do: Enter system view
Use the command: system-view

To do: Create an IPv4 advanced ACL and enter its view
Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: Required. By default, no ACL exists. IPv4 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

To do: Configure a description for the IPv4 advanced ACL
Use the command: description text
Remarks: Optional. By default, an IPv4 advanced ACL has no ACL description.

To do: Set the rule numbering step
Use the command: step step-value
Remarks: Optional. 5 by default.

To do: Create or edit a rule
Use the command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
Remarks: Required. By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The reflective keyword is not supported. If the ACL is for packet filtering, the operator argument cannot be neq. If the ACL is for QoS traffic classification, do not specify the vpn-instance keyword or specify neq for the operator argument; these can cause ACL application failure. The logging and counting keywords (even if specified) do not take effect for QoS.

To do: Configure or edit a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, an IPv4 advanced ACL rule has no rule description.

To do: Enable counting ACL rule matches performed in hardware
Use the command: hardware-count enable
Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
Configuring an IPv6 Advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,
protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,
TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
To do: Enter system view
Use the command: system-view

To do: Create an IPv6 advanced ACL and enter its view
Use the command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: Required. By default, no ACL exists. IPv6 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.