Copyright 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5800&S5820X documentation set includes 11 command references, which describe the commands and command syntax options for the S5800&S5820X Release 1110. The ACL and QoS Command Reference describes ACL and QoS configuration commands. It covers the commands for creating ACLs, using ACLs for packet filtering, configuring QoS policies, and configuring common QoS techniques, such as traffic policing, traffic shaping, congestion management, and congestion avoidance. This preface includes:
Audience
Document Organization
Conventions
About the H3C S5820X&S5800 Documentation Set
Obtaining Documentation
Documentation Feedback
Audience
This documentation set is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the S5800 and S5820X series
Document Organization
The ACL and QoS Command Reference comprises these parts:
ACL Configuration Commands
QoS Policy Configuration Commands
Priority Mapping Configuration Commands
GTS and Line Rate Configuration Commands
Congestion Management Configuration Commands
Congestion Avoidance Configuration Commands
Global CAR Configuration Commands
Data Buffer Configuration Commands
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.
GUI conventions
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Caution symbol: Means reader be careful. Improper operation may cause data loss or damage to equipment.
Note symbol: Means a complementary description.
About the H3C S5820X&S5800 Documentation Set
RPS User Manual: Describes the appearances, features, and specifications of the RPS units available for the products.
LSW1FAN and LSW1BFAN Installation Manual: Describes the appearances, specifications, installation, and removal of the pluggable fan modules available for the products.
LSW148POEM Module User Manual: Describes the appearance, features, installation, and removal of the pluggable PoE module available for the products.
S5820X [ S5800 ] Series Ethernet Switches Interface Cards User Manual: Describes the models, hardware specifications, installation, and removal of the interface cards available for the products.
H3C OAP Cards User Manual: Describes the benefits, features, hardware specifications, installation, and removal of the OAP cards available for the products.
H3C Low End Series Ethernet Switches Pluggable Modules Manual: Describes the models, appearances, and specifications of the pluggable modules available for the products.
S5800-60C-PWR Ethernet Switch Hot Swappable Power Module Ordering Guide: Guides you through ordering the hot-swappable power modules available for the S5800-60C-PWR switches in different cases.
Power configuration
RPS Ordering Information for H3C Low-End Ethernet Switches: Provides the RPS and switch compatibility matrix and RPS cable specifications.
Hardware installation
S5800 Series Ethernet Switches Quick Start, S5820X Series Ethernet Switches Quick Start, S5800 Series Ethernet Switches CE DOC, S5820X Series Ethernet Switches CE DOC: Provides regulatory information and the safety instructions that must be followed during installation.
S5800 Series Ethernet Switches Quick Start, S5820X Series Ethernet Switches Quick Start, S5800 Series Ethernet Switches Installation Manual, S5820X Series Ethernet Switches Installation Manual: Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.
S5800-60C-PWR Switch Video Installation Guide, S5820X-28C Switch Video Installation Guide: Shows how to install the H3C S5800-60C-PWR and H3C S5820X-28C Ethernet switches.
Software configuration
Configuration guide: Describes software features and configuration procedures.
Command reference: Provides a quick reference to all available commands.
H3C Series Ethernet Switches Login Password Recovery Manual: Tells how to find the lost password or recover the password when the login password is lost.
Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions]: Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download]: Provides the documentation released with the software version.
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Table of Contents
1 ACL Configuration Commands 1-1
  ACL Configuration Commands 1-1
    acl 1-1
    acl copy 1-2
    acl ipv6 1-3
    acl ipv6 copy 1-4
    acl ipv6 logging frequence 1-4
    acl ipv6 name 1-5
    acl logging frequence 1-6
    acl name 1-6
    description 1-7
    display acl 1-7
    display acl ipv6 1-9
    display acl resource 1-10
    display packet-filter 1-12
    display time-range 1-13
    packet-filter 1-13
    packet-filter ipv6 1-14
    reset acl counter 1-15
    reset acl ipv6 counter 1-16
    rule (Ethernet frame header ACL view) 1-16
    rule (IPv4 basic ACL view) 1-18
    rule (IPv4 advanced ACL view) 1-19
    rule (IPv6 advanced ACL view) 1-24
    rule (IPv6 basic ACL view) 1-29
    rule comment 1-30
    step 1-31
    time-range 1-31
2 QoS Policy Configuration Commands 2-1
  Class Configuration Commands 2-1
    display traffic classifier 2-1
    if-match 2-2
    traffic classifier 2-7
  Traffic Behavior Configuration Commands 2-7
    accounting 2-7
    car 2-8
    display traffic behavior 2-10
    filter 2-11
    redirect 2-11
    remark dot1p 2-12
    remark drop-precedence 2-13
    remark dscp 2-14
    remark ip-precedence 2-15
    remark local-precedence 2-16
    remark qos-local-id 2-16
    traffic behavior 2-17
  QoS Policy Configuration and Application Commands 2-17
    classifier behavior 2-17
    display qos policy 2-18
    display qos policy global 2-19
    display qos policy interface 2-21
    display qos vlan-policy 2-22
    qos apply policy (interface view, port group view) 2-24
    qos apply policy (user-profile view) 2-25
    qos apply policy global 2-26
    qos policy 2-26
    qos vlan-policy 2-27
    reset qos policy global 2-27
    reset qos vlan-policy 2-28
3 Priority Mapping Configuration Commands 3-1
  Priority Mapping Table Configuration Commands 3-1
    display qos map-table 3-1
    import 3-2
    qos map-table 3-2
  Port Priority Configuration Commands 3-3
    qos priority 3-3
  Per-Port Priority Trust Mode Configuration Commands 3-4
    display qos trust interface 3-4
    qos trust 3-5
4 GTS and Line Rate Configuration Commands 4-1
  GTS Configuration Commands 4-1
    display qos gts interface 4-1
    qos gts 4-2
  Line Rate Configuration Commands 4-2
    display qos lr interface 4-2
    qos lr 4-3
5 Congestion Management Configuration Commands 5-1
  SP Queuing Configuration Commands 5-1
    display qos sp 5-1
    qos sp 5-1
  WRR Queuing Configuration Commands 5-2
    display qos wrr interface 5-2
    qos wrr 5-3
    qos wrr byte-count 5-4
    qos wrr group sp 5-5
  WFQ Configuration Commands 5-5
    display qos wfq interface 5-5
    qos bandwidth queue 5-6
    qos wfq 5-7
    qos wfq weight 5-8
6 Congestion Avoidance Configuration Commands 6-1
  WRED Configuration Commands 6-1
    display qos wred interface 6-1
    display qos wred table 6-1
    qos wred table 6-3
    queue 6-3
    qos wred apply 6-4
7 Global CAR Configuration Commands 7-1
  Global CAR Configuration Commands 7-1
    car name 7-1
    display qos car name 7-2
    qos car aggregative 7-3
    qos car hierarchy 7-4
    reset qos car name 7-5
8 Data Buffer Configuration Commands 8-1
  Automatic Data Buffer Configuration Commands 8-1
    burst-mode enable 8-1
  Manual Data Buffer Configuration Commands 8-1
    buffer apply 8-2
    buffer egress queue guaranteed 8-3
    buffer egress queue shared 8-4
    buffer egress shared 8-5
    buffer egress total-shared 8-6
9 Index 9-1
1 ACL Configuration Commands
acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Default Level
2: System level
Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL):
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name to the IPv4 ACL for ease of identification. The acl-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be "all".
match-order: Sets the order in which ACL rules are compared against packets:
auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL Configuration in the ACL and QoS Configuration Guide for more information.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv4 ACLs.
Description
Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly.
Use the undo acl command to delete the specified or all IPv4 ACLs.
By default, no ACL exists.
You can assign a name for an IPv4 ACL only when you create it. After creating an ACL, you can neither rename it nor remove its name, if any.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl command.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
# Create IPv4 basic ACL 2002, named flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2002 name flow
[Sysname-acl-basic-2002-flow]
acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Default Level
2: System level
Parameters
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies a source IPv4 ACL that already exists by its name. The source-acl-name argument is a case-insensitive string of 1 to 32 characters.
dest-acl-number: Assigns a unique number to the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name to the IPv4 ACL you are creating. The dest-acl-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be "all". For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. Except for the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv4 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.
Examples
# Create ACL 2002 by copying ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl ipv6
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
View
System view
Default Level
2: System level
Parameters
number acl6-number: Specifies the number of an IPv6 ACL:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name to the IPv6 ACL for ease of identification. The acl6-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be "all".
match-order { auto | config }: Sets the order in which ACL rules are compared against packets:
auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL Configuration in the ACL and QoS Configuration Guide for more information.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv6 ACLs.
Description
Use the acl ipv6 command to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly.
Use the undo acl ipv6 command to delete a specified IPv6 ACL or all IPv6 ACLs.
By default, no ACL exists.
You can assign a name for an IPv6 ACL only when you create it. After creating an ACL, you can neither rename it nor remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl ipv6 command.
Examples
# Create IPv6 ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 basic ACL 2001 named flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]
acl ipv6 copy
Parameters
source-acl6-number: Specifies a source IPv6 ACL that already exists by its number:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name source-acl6-name: Specifies a source IPv6 ACL that already exists by its name. The source-acl6-name argument is a case-insensitive string of 1 to 32 characters.
dest-acl6-number: Assigns a unique number to the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs
name dest-acl6-name: Assigns a unique name to the IPv6 ACL you are creating. The dest-acl6-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be "all". For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use the acl ipv6 copy command to create an IPv6 ACL by copying an IPv6 ACL that already exists. Except for the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv6 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.
Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002
acl ipv6 logging frequence
Default Level
2: System level
Parameters
frequence: Specifies the interval in minutes at which IPv6 packet filtering logs are generated and output. It must be a multiple of 5 in the range 0 to 1440. To disable generating IPv6 logs, assign 0 to the argument.
Description
Use the acl ipv6 logging frequence command to set the interval for generating and outputting IPv6 packet filtering logs. The log information includes the number of matching IPv6 packets and the matching IPv6 ACL rules. This command logs only for IPv6 basic and advanced ACL rules that have the logging keyword.
Use the undo acl ipv6 logging frequence command to restore the default.
By default, the interval is 0. No IPv6 packet filtering logs are generated.
Related commands: packet-filter ipv6, rule (IPv6 advanced ACL view), rule (IPv6 basic ACL view).
Examples
# Enable the device to generate and output IPv6 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl ipv6 logging frequence 10
acl name
Syntax
acl name acl-name
View
System view
Default Level
2: System level
Parameters
acl-name: Specifies the name of an existing IPv4 ACL, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name.
Related commands: acl.
description
Syntax
description text
undo description
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
text: ACL description, a case-sensitive string of 1 to 127 characters.
Description
Use the description command to configure a description for an ACL.
Use the undo description command to remove the ACL description.
By default, an ACL has no description.
Related commands: display acl, display acl ipv6.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used in eth 0
display acl
Syntax
display acl { acl-number | all | name acl-name } [ slot slot-number ]
View
Any view
Default Level
1: Monitor level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
slot slot-number: Displays the matching information of the IPv4 ACLs on a member device in the IRF. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF.
Description
Use the display acl command to display configuration and match statistics for the specified or all IPv4 ACLs.
This command displays ACL rules in the config or depth-first order, whichever is configured.
Examples
# Display information about IPv4 ACL 2001.
<Sysname> display acl 2001
Basic ACL  2001, named flow, 1 rule,
test acl
ACL's step is 5
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 5 comment This rule is used in GE 1/0/1
display acl ipv6
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
all: Displays information for all IPv6 ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
slot slot-number: Displays the matching information of the IPv6 ACLs on a member device in the IRF. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF.
Description
Use the display acl ipv6 command to display the configuration and match statistics for the specified or all IPv6 ACLs.
This command displays ACL rules in the config or depth-first order, whichever is configured.
Examples
# Display information about IPv6 ACL 2001.
<Sysname> display acl ipv6 2001
Basic IPv6 ACL  2001, named flow, 1 rule,
test acl
ACL's step is 5
 rule 0 permit source 1::2/128 (5 times matched)
 rule 0 comment This rule is used in GE 1/0/1
Field descriptions for the display acl ipv6 output:
test acl: Description of the ACL. This field is not displayed when the ACL has no description or the slot slot-number combination is provided in the command.
ACL's step is 5: The rule numbering step is 5.
rule 0 permit source 1::2/128: Content of rule 0.
5 times matched: There have been five matches for the rule. Only IPv6 ACL matches performed by software are counted. This field is not displayed when no packets have matched the rule.
rule 0 comment This rule is used in GE 1/0/1: The description of ACL rule 0 is "This rule is used in GE 1/0/1." This field is not displayed when the rule has no description or the slot slot-number combination is provided in the command.
If the device is an IRF member, the ACL rule usage statistics for all switches in the IRF are displayed. If the switch is not an IRF member, only the ACL rule usage statistics for it are displayed.
display acl resource
Examples
-------------------------------------------------------------------------------
 Type         Total     Reserved    Configured    Remaining
-------------------------------------------------------------------------------
 VFP ACL      2048      0           0             2048
 IFP ACL      8192      2048        21            6123
 IFP Meter    4096      1024        0             3072
 (further rows not recovered from the source text)
-------------------------------------------------------------------------------
Interface: GE1/0/25 to GE1/0/48, XGE1/0/49 to XGE1/0/52
-------------------------------------------------------------------------------
 Type         Total     Reserved    Configured    Remaining
-------------------------------------------------------------------------------
 VFP ACL      2048      0           0             2048
 IFP ACL      8192      2048        0             6144
 IFP Meter    4096      1024        0             3072
 (further rows not recovered from the source text)
Field descriptions for the display acl resource output:
Type: ACL indicates ACL rule resources, Meter indicates traffic policing resources, Counter indicates traffic statistics resources, VFP indicates the count of resources that are before Layer 2 forwarding and applied in QinQ,
Total: Total number of ACL rules supported.
Reserved: Number of reserved ACL rules.
Configured: Number of configured ACL rules.
Remaining: Number of remaining ACL rules.
display packet-filter
Syntax
display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }
View
Any view
Default Level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number. VLAN interfaces are not supported.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.
slot slot-number: Specifies a member device in the IRF by its member number. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF.
Description
Use the display packet-filter command to display application information of ACLs for packet filtering in the inbound, outbound, or both directions of the interface. If neither the inbound keyword nor the outbound keyword is specified, the command displays application information of ACLs for packet filtering in both the inbound and outbound directions of the interface.
Examples
# Display the application information of ACLs for packet filtering in the inbound and outbound directions of interface GigabitEthernet 1/0/1.
<Sysname> display packet-filter interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 In-bound Policy:
  acl 2001, Successful
 Out-bound Policy:
  acl6 2500, Fail
Field descriptions for the display packet-filter output:
acl 2001, Successful: IPv4 ACL 2001 was applied successfully.
acl6 2500, Fail: Failed to apply IPv6 ACL 2500.
display time-range
Syntax
display time-range { time-range-name | all }
View
Any view
Default Level
1: Monitor level
Parameters
time-range-name: Time range name, a case-insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
Description
Use the display time-range command to display the configuration and status of a specified time range or all time ranges.
Examples
# Display the configuration and status of time range trname.
<Sysname> display time-range trname
Current time is 10:45:15 4/14/2005 Thursday
Time-range : trname ( Inactive )
 from 08:00 12/1/2005 to 23:59 12/31/2100
packet-filter
Syntax
packet-filter { acl-number | name acl-name } { inbound | outbound }
undo packet-filter { acl-number | name acl-name } { inbound | outbound }
View
Ethernet interface view, VLAN interface view
Default Level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming IPv4 packets.
outbound: Filters outgoing IPv4 packets.
Description
Use the packet-filter command to apply an ACL to an interface to filter IPv4 packets or Ethernet frames.
Use the undo packet-filter command to restore the default.
By default, an interface does not filter packets or Ethernet frames.
Related commands: display packet-filter.
Note that you can apply only one IPv4 ACL or one Ethernet frame header ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL.
Examples
# Apply basic IPv4 ACL 2001 to the inbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound
# Apply advanced IPv4 ACL 3001 to the inbound direction of VLAN interface 10.
<Sysname> system-view
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] packet-filter 3001 inbound
packet-filter ipv6
Syntax
packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
View
Ethernet interface view, VLAN interface view
Default Level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming IPv6 packets.
outbound: Filters outgoing IPv6 packets.
Description
Use the packet-filter ipv6 command to apply an IPv6 ACL to an interface to filter IPv6 packets.
Use the undo packet-filter ipv6 command to restore the default.
By default, an interface does not filter IPv6 packets.
Related commands: display packet-filter ipv6.
Note that you can apply only one IPv6 ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL.
Examples
# Apply basic IPv6 ACL 2500 to the outbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter ipv6 2500 outbound
# Apply advanced IPv6 ACL 3000 to the outbound direction of VLAN interface 20.
<Sysname> system-view
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] packet-filter ipv6 3000 outbound
reset acl counter
Parameters
acl-number: Specifies an IPv4 ACL by its number:
2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the reset acl counter command to clear statistics for the specified or all IPv4 ACLs.
Related commands: display acl.
Examples
# Clear statistics for IPv4 ACL 2001.
<Sysname> reset acl counter 2001
reset acl ipv6 counter
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the reset acl ipv6 counter command to clear statistics for the specified or all IPv6 basic and IPv6 advanced ACLs.
Examples
# Clear statistics for IPv6 ACL 2001.
<Sysname> reset acl ipv6 counter 2001
Default Level 2: System level Parameters rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30. deny: Drops matching packets. permit: Allows matching packets to pass. cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7). dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format. lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask. type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask. source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the sour-mask argument represents a mask in H-H-H format. time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter. Description Use the rule command to create or edit an Ethernet frame header ACL rule. 
You can edit ACL rules only when the match order is config. Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an Ethernet frame header ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl command. Related commands: acl, display acl, step.
For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, the lsap keyword is not supported.
Examples
# Create a rule in ACL 4000 to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
Description
Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step.
For a basic IPv4 ACL rule to be referenced by a QoS policy for traffic classification, the logging and vpn-instance keywords are not supported.
Examples
# Create a rule in ACL 2000 to deny packets sourced from 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 1-5 describes the parameters that can be specified after the protocol argument.
Table 1-5 Match criteria and other rule information for IPv4 advanced ACL rules
source { sour-addr sour-wildcard | any }: Specifies a source address. The sour-addr sour-wildcard arguments represent a source IP address in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.
destination { dest-addr dest-wildcard | any }: Specifies a destination address. The dest-addr dest-wildcard arguments represent a destination IP address in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.
precedence precedence: Specifies an IP precedence value. The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).
tos tos: Specifies a ToS preference. The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
dscp dscp: Specifies a DSCP priority. The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
logging: Logs matching packets. This function requires that the module that uses the ACL supports logging.
reflective: Not supported.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. Without this combination, the rule applies to only non-VPN packets.
fragment: Applies the rule to only non-first fragments. Without this keyword, the rule applies to all fragments and non-fragments.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.
Setting the protocol argument to tcp (6) or udp (17), you may define the parameters shown in Table 1-6.
Table 1-6 TCP/UDP-specific parameters for IPv4 advanced ACL rules
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP flags in one rule are ANDed.
established: Specifies the TCP flags ACK and RST. Parameters specific to TCP. A rule with this keyword configured matches TCP connection packets with the ACK or RST flag value being 1.
Setting the protocol argument to icmp (1), you may define the parameters shown in Table 1-7.
Table 1-8 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name        Type   Code
echo                     8      0
echo-reply               0      0
fragmentneed-DFset       3      4
host-redirect            5      1
host-tos-redirect        5      3
host-unreachable         3      1
information-reply        16     0
information-request      15     0
net-redirect             5      0
net-tos-redirect         5      2
net-unreachable          3      0
parameter-problem        12     0
port-unreachable         3      3
protocol-unreachable     3      2
reassembly-timeout       11     1
source-quench            4      0
source-route-failed      3      5
timestamp-reply          14     0
Description Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an IPv4 advanced ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display acl, step.
For an advanced IPv4 ACL to be referenced by a QoS policy for traffic classification:
- The logging and vpn-instance keywords are not supported.
- The operator cannot be neq if the ACL is for the inbound traffic.
- The operator cannot be gt, lt, neq, or range if the ACL is for the outbound traffic.
Examples
# Create a rule to permit TCP packets with the destination port of 80 from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *
View
IPv6 advanced ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Matches a protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 1-9 describes the parameters that can be specified after the protocol argument.
Table 1-9 Match criteria and other rule information for IPv6 advanced ACL rules
source { source source-prefix | source/source-prefix | any }: Specifies a source IPv6 address. The source and source-prefix arguments represent an IPv6 source address, and its prefix length ranges from 1 to 128. The any keyword represents any IPv6 source address.
destination { dest dest-prefix | dest/dest-prefix | any }: Specifies a destination IPv6 address. The dest and dest-prefix arguments represent a destination IPv6 address, and its prefix length ranges from 1 to 128. The any keyword specifies any IPv6 destination address.
dscp dscp: Specifies a DSCP preference. The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).
logging: Logs matching packets. This function requires that the module (for example, a firewall) that uses the ACL supports logging.
fragment: Applies the rule to only non-first fragments. Without this keyword, the rule applies to all fragments and non-fragments.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Setting the protocol argument to tcp or udp, you may define the parameters shown in Table 1-10.
Table 1-10 TCP/UDP-specific parameters for IPv6 advanced ACL rules
source-port operator port1 [ port2 ]: Specifies one or more UDP or TCP source ports.
destination-port operator port1 [ port2 ]: Specifies one or more UDP or TCP destination ports.
For both port parameters, the operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP flags in one rule are ANDed.
established: Specifies the TCP flags ACK and RST. Parameters specific to TCP. A rule with this keyword configured matches TCP connection packets with the ACK or RST flag value being 1.
Setting the protocol argument to icmpv6 (58), you may define the parameters shown in Table 1-11.
Table 1-11 ICMPv6-specific parameters for IPv6 advanced ACL rules
icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message }: Specifies the ICMPv6 message type and code. The icmpv6-type argument ranges from 0 to 255. The icmpv6-code argument ranges from 0 to 255. The icmpv6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 1-12.
Table 1-12 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name       Type   Code
redirect                  137    0
echo-request              128    0
echo-reply                129    0
err-Header-field          4      0
frag-time-exceeded        3      1
hop-limit-exceeded        3      0
host-admin-prohib         1      1
host-unreachable          1      3
neighbor-advertisement    136    0
neighbor-solicitation     135    0
network-unreachable       1      0
packet-too-big            2      0
port-unreachable          1      4
router-advertisement      134    0
router-solicitation       133    0
unknown-ipv6-opt          4      2
unknown-next-hdr          4      1
Description Use the rule command to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an IPv6 advanced ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display ipv6 acl, step.
For an advanced IPv6 ACL to be referenced by a QoS policy for traffic classification:
- The logging and fragment keywords are not supported.
- The operator cannot be neq if the ACL is for the inbound traffic.
- The operator cannot be gt, lt, neq, or range if the ACL is for the outbound traffic.
Examples
# Create an IPv6 ACL rule to permit TCP packets with the destination port of 80 from 2030:5060::/64 to FE80:5060::/96.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
For a basic IPv6 ACL to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported.
Examples
# Create an IPv6 ACL rule to deny packets sourced from FE80:5060::101/128.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule deny source fe80:5060::101/128
rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
rule-id: Specifies the ID of an existing ACL rule. The ID ranges from 0 to 65534.
text: Provides a description for the ACL rule, a case sensitive string of 1 to 127 characters.
Description
Use the rule comment command to configure a description for an existing ACL rule or edit its description for the ease of identification.
Use the undo rule comment command to delete the ACL rule description.
By default, an IPv4 ACL rule has no rule description.
Related commands: display acl, display acl ipv6.
Examples
# Create a rule in IPv4 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GE 1/0/1.
# Create a rule in IPv6 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 1001::1 128
[Sysname-acl6-basic-2000] rule 0 comment This rule is used on GE 1/0/1.
step
Syntax
step step-value
undo step
View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
step-value: ACL rule numbering step, which ranges from 1 to 20.
Description
Use the step command to set a rule numbering step for an ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is 5.
Related commands: display acl, display acl ipv6.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
time-range
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Default Level
2: System level
Parameters
time-range-name: Assigns a name for a time range. The name is a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic time range. Both start-time and end-time are in hh:mm format (24-hour clock), and each value ranges from 00:00 to 23:59. The end time must be greater than the start time.
days: Specifies the day or days of the week on which the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. The values are ANDed. These values can take one of the following forms:
- A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
- A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
- working-day for Monday through Friday.
- off-day for Saturday and Sunday.
- daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available in the system, 01/01/1970 00:00:00 AM.
to time2 date2: Specifies the end time and date of the absolute time range. The time2 argument is in the same format as that of the time1 argument, but its value ranges from 00:00 to 24:00. The format and value range of the date2 argument are the same as those of the date1 argument. The end time must be greater than the start time. If not specified, the end time is the maximum time available in the system, 12/31/2100 24:00:00 PM.
Description
Use the time-range command to create a time range.
Use the undo time-range command to delete a time range.
By default, no time range exists.
You can create a time range as follows:
- Create a periodic time range in the start-time to end-time days format. A periodic time range recurs periodically on a day or days of the week.
- Create an absolute time range in the from time1 date1 to time2 date2 format. Unlike a periodic time range, an absolute time range does not recur.
- Create a compound time range in the start-time to end-time days from time1 date1 to time2 date2 format. A compound time range recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.
You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones. You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most.
Related commands: display time-range.
Examples
# Create a periodic time range t1, setting it to be active from 8:00 to 18:00 during working days.
<Sysname> system-view
[Sysname] time-range t1 8:00 to 18:00 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
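The merge rule stated above (periodic ranges ORed, absolute ranges ORed, the two groups ANDed) decides when an ACL that references a time range is actually enforced. The following model, added here as an example rather than H3C code, parses the command lines in the page's syntax and evaluates them; the minute granularity, inclusive end times and the treatment of 24:00 as 00:00 of the next day are assumptions, not something the page states.

```python
"""Activation model for H3C time ranges, added here as an example; it is not
H3C code and does not reproduce the switch's implementation.

Semantics taken from the command reference: a periodic range recurs on the
given days of the week (0 to 6 is Sunday to Saturday; working-day, off-day and
daily are shorthands); an absolute range is a single from/to window with
defaults of 01/01/1970 00:00 and 12/31/2100 24:00; time ranges created under
one name merge as (OR of periodic ranges) AND (OR of absolute ranges).
Assumptions not stated on the page: minute granularity, start and end times
both inclusive, and 24:00 meaning 00:00 of the following day.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAY_WORDS = {
    "sun": {0}, "mon": {1}, "tue": {2}, "wed": {3}, "thu": {4}, "fri": {5}, "sat": {6},
    "working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7)),
}
EARLIEST = datetime(1970, 1, 1)   # default 'from' of an absolute range
LATEST = datetime(2101, 1, 1)     # default 'to' (12/31/2100 24:00)


def parse_hhmm(text):
    """'8:00' -> 480 minutes after midnight; '24:00' -> 1440."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def parse_datetime(time_text, date_text):
    """Combine hh:mm with MM/DD/YYYY or YYYY/MM/DD; 24:00 rolls into the next day."""
    a, b, c = (int(part) for part in date_text.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return datetime(year, month, day) + timedelta(minutes=parse_hhmm(time_text))


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)  # (start_min, end_min, days)
    absolute: list = field(default_factory=list)  # (from_dt, to_dt)

    def add_command(self, line):
        """Absorb one 'time-range NAME ...' command line in the page's syntax."""
        tokens = line.split()
        if tokens[:2] != ["time-range", self.name]:
            raise ValueError("command does not belong to time range " + self.name)
        tokens = tokens[2:]
        if tokens and tokens[0] not in ("from", "to"):      # periodic part
            start, end = parse_hhmm(tokens[0]), parse_hhmm(tokens[2])
            tokens, days = tokens[3:], set()
            while tokens and tokens[0] not in ("from", "to"):
                word = tokens.pop(0)
                days |= DAY_WORDS[word] if word in DAY_WORDS else {int(word)}
            self.periodic.append((start, end, days))
        from_dt = to_dt = None
        while tokens:                                       # absolute part
            keyword, time_text, date_text = tokens[:3]
            tokens = tokens[3:]
            if keyword == "from":
                from_dt = parse_datetime(time_text, date_text)
            else:
                to_dt = parse_datetime(time_text, date_text)
        if from_dt is not None or to_dt is not None:
            self.absolute.append((from_dt or EARLIEST, to_dt or LATEST))

    def is_active(self, when):
        """True if the merged time range is active at the given datetime."""
        when = when.replace(second=0, microsecond=0)
        day = (when.weekday() + 1) % 7          # Python Monday=0 -> page Sunday=0
        minute = when.hour * 60 + when.minute
        periodic_ok = not self.periodic or any(
            day in days and start <= minute <= end for start, end, days in self.periodic)
        absolute_ok = not self.absolute or any(
            lo <= when <= hi for lo, hi in self.absolute)
        return periodic_ok and absolute_ok


def time_range_active(commands, when_text):
    """Build one named time range from its command lines and test 'YYYY-MM-DD HH:MM'."""
    time_range = TimeRange(commands[0].split()[1])
    for line in commands:
        time_range.add_command(line)
    return time_range.is_active(datetime.strptime(when_text, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    # The page's t4 example: because both lines share the name t4, the two
    # periodic parts are ORed and the two absolute windows are ORed, so under
    # the stated merge rule a Wednesday afternoon in January is active too.
    T4 = ["time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010",
          "time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010"]
    for moment in ("2010-01-04 11:00", "2010-01-06 15:00", "2010-03-01 11:00"):
        print(moment, time_range_active(T4, moment))
```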
Syntax
View
Any view
Default Level
1: Monitor level
Parameters
user-defined: Displays user-defined classes.
tcl-name: Class name, a string of 1 to 31 characters.
Description
Use the display traffic classifier command to display class information. If no class name is specified, information about all user-defined classes is displayed.
Examples
# Display information about all user-defined classes.
<Sysname> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: USER1
Operator: AND
Rule(s) : if-match ip-precedence 5
if-match
Syntax
if-match match-criteria
undo if-match match-criteria
undo if-match acl [ ipv6 ] { acl-number | name acl-name } [ update acl [ ipv6 ] { acl-number | name acl-name } ]
View
Class view
Default Level
2: System level
Parameters
match-criteria: Match criterion. Table 2-2 shows the available criteria.
acl [ ipv6 ] { acl-number | name acl-name }: Specifies an ACL currently referenced in the class by the ACL name or ACL number.
update acl [ ipv6 ] { acl-number | name acl-name }: Specifies a new ACL to replace the specified current ACL by the number or name of the new ACL.
Table 2-2 The keyword and argument combinations for the match-criteria argument
acl [ ipv6 ] { acl-number | name acl-name }: Matches an ACL. The acl-number argument ranges from 2000 to 5999 for an IPv4 ACL, and 2000 to 3999 or 10000 to 42767 for an IPv6 ACL. The acl-name is a case-insensitive string of 1 to 32 characters, which must start with an English letter from a to z or A to Z, and cannot be all to avoid confusion.
any: Matches all packets.
customer-dot1p 8021p-list: Matches the 802.1p priority of the customer network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority is in the range 0 to 7.
customer-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }: Matches the VLAN IDs of customer networks. The vlan-id-list argument is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.
destination-mac mac-address: Matches a destination MAC address.
dscp dscp-list: Matches DSCP values. The dscp-list is a list of DSCP values. A DSCP value is a number in the range 0 to 63 or a word representing the specific value. For the number-to-word mapping, see Table 2-4.
ip-precedence ip-precedence-list: Matches IP precedence. The ip-precedence-list argument is a list of up to 8 IP precedence values. An IP precedence ranges from 0 to 7.
protocol protocol-name: Matches a protocol. The protocol-name argument can be IP or IPv6.
qos-local-id local-id-value: Matches a local QoS ID, which ranges from 1 to 4095.
service-dot1p 8021p-list: Matches the 802.1p priority of the service provider network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority is in the range 0 to 7.
service-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }: Matches the VLAN IDs of ISP networks. The vlan-id-list is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.
source-mac mac-address: Matches a source MAC address.
Suppose the operator of a class is AND. Note the following when using the if-match command to define matching criteria for the class:
- If multiple matching criteria with the acl or acl ipv6 keyword specified are defined for the class, the actual logical relationship between these criteria is OR when a policy referencing the class is applied.
- If multiple match criteria with the customer-vlan-id or service-vlan-id keyword specified are defined for the class, the actual logical relationship between these criteria is OR.
The match criteria listed below must be unique in a class with the operator AND. Even though it is possible, avoid defining multiple if-match clauses for these match criteria or inputting multiple values for a list argument (such as the 8021p-list argument) listed below in a class. Otherwise, the QoS policy referencing the class cannot be successfully applied to interfaces.
- customer-dot1p 8021p-list
- destination-mac mac-address
- dscp dscp-list
- ip-precedence ip-precedence-list
- service-dot1p 8021p-list
- source-mac mac-address
To create multiple if-match clauses or specify multiple values for a list argument for any of the match criteria listed above, ensure that the operator of the class is OR.
A QoS policy referencing an if-match customer-dot1p clause cannot be applied to outgoing traffic.
Description
Use the if-match command to define a match criterion.
Use the undo if-match command to remove the match criterion.
When defining match criteria, follow the usage guidelines described in these subsections:
- Defining an ACL-based match criterion
- Defining a criterion to match a destination or a source MAC address
- Defining a criterion to match DSCP values
- Defining a criterion to match the 802.1p priority values of the customer network or service provider network
- Defining a criterion to match IP precedence values
- Defining a criterion to match customer network VLAN IDs or service provider network VLAN IDs
Defining a criterion to match DSCP values
- You can configure multiple DSCP match criteria for a class. All the defined DSCP values are automatically arranged in ascending order. You can configure up to eight DSCP values in one command line. If multiple identical DSCP values are specified, the system considers them as one. If a packet matches one of the defined DSCP values, it matches the if-match clause. To delete a criterion that matches DSCP values, the specified DSCP values must be identical with those defined in the rule (the sequence may be different).
Defining a criterion to match the 802.1p priority values of the customer network or service provider network
- You can configure multiple 802.1p priority match criteria for a class. All the defined 802.1p values are automatically arranged in ascending order. You can configure up to eight 802.1p priority values in one command line. If the same 802.1p priority value is specified multiple times, the system considers them as one. If a packet matches one of the defined 802.1p priority values, it matches the if-match clause. To delete a criterion that matches 802.1p priority values, the specified 802.1p priority values in the command must be identical with those defined in the criterion (the sequence may be different).
Defining a criterion to match IP precedence values
- You can configure multiple IP precedence match criteria for a class. The defined IP precedence values are automatically arranged in ascending order. You can configure up to eight IP precedence values in one command line. If the same IP precedence is specified multiple times, the system considers them as one. If a packet matches one of the defined IP precedence values, it matches the if-match clause. To delete a criterion that matches IP precedence values, the specified IP precedence values in the command must be identical with those defined in the criterion (the sequence may be different).
Defining a criterion to match customer network VLAN IDs or service provider network VLAN IDs
- You can configure multiple VLAN ID match criteria for a class. The defined VLAN IDs are automatically arranged in ascending order. You can configure multiple VLAN IDs in one command line. If the same VLAN ID is specified multiple times, the system considers them as one. If a packet matches one of the defined VLAN IDs, it matches the if-match clause. To delete a criterion that matches VLAN IDs, the specified VLAN IDs in the command must be identical with those defined in the criterion (the sequence may be different).
Related commands: traffic classifier.
Examples
# Define a match criterion for class class1 to match the packets with the destination MAC address 0050-ba27-bed3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3
# Define a match criterion for class class2 to match the packets with the source MAC address 0050-ba27-bed2.
<Sysname> system-view
[Sysname] traffic classifier class2
[Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2
# Define a match criterion for class class1 to match the ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl name flow
# Define a match criterion for class class1 to match IPv6 ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match ipv6 acl 3101
# Define a match criterion for class class1 to match the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match ipv6 acl name flow
# Define a match criterion for class class1 to match the packets with a DSCP value of 1, 6, or 9.
<Sysname> system-view
[Sysname] traffic classifier class1 operator or
[Sysname-classifier-class1] if-match dscp 1 6 9
# Define a match criterion for class class1 to match the packets with an IP precedence value of 1 or 6.
<Sysname> system-view
[Sysname] traffic classifier class1 operator or
[Sysname-classifier-class1] if-match ip-precedence 1 6
# Define a match criterion for class class1 to match the packets with a customer network VLAN ID of 1, 6, or 9.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match customer-vlan-id 1 6 9
# Define a match criterion for class class1 to match packets with the local QoS ID 3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match qos-local-id 3
# Change the match criterion of class class1 from ACL 2008 to ACL 2009.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] undo if-match acl 2008 update acl 2009
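The notes on the if-match command above (ACL and VLAN criteria ORed inside an AND class, list values sorted and deduplicated and matching any listed value, the uniqueness requirement for the other list criteria, and the customer-dot1p restriction on outgoing traffic) are worth checking before a policy is applied, because an operator who expects two ACL clauses to be ANDed gets a broader class than intended. The model below is an added example, not H3C code; the packet dict layout and the acl_hits key are constructed for the example.

```python
"""Model of traffic-classifier match semantics, added here as an example; it is
not H3C code and does not reproduce the switch's implementation.

It encodes the rules given in the if-match notes: list arguments are arranged
in ascending order, repeated values count once, and a packet matching any
listed value matches the clause; in a class whose operator is AND, several acl
criteria are ORed with each other, as are several customer-vlan-id or
service-vlan-id criteria, while the other list-valued criteria must appear
once with a single value or the policy cannot be applied; and a class with an
if-match customer-dot1p clause cannot be applied to outgoing traffic.
Assumption: ACL evaluation happens elsewhere, so a packet is a dict that
carries the set of ACL numbers or names it matched under the key acl_hits.
"""

# Criteria that must be unique in a class whose operator is AND (from the notes).
UNIQUE_IN_AND = {"customer-dot1p", "destination-mac", "dscp",
                 "ip-precedence", "service-dot1p", "source-mac"}
# Criteria that are ORed with each other even when the operator is AND.
OR_WITHIN_AND = {"acl", "customer-vlan-id", "service-vlan-id"}
# Packet dict key consulted for each single-field criterion (constructed names).
PACKET_FIELD = {
    "customer-dot1p": "customer_dot1p", "service-dot1p": "service_dot1p",
    "customer-vlan-id": "customer_vlan_id", "service-vlan-id": "service_vlan_id",
    "destination-mac": "destination_mac", "source-mac": "source_mac",
    "dscp": "dscp", "ip-precedence": "ip_precedence",
    "qos-local-id": "qos_local_id", "protocol": "protocol",
}


class TrafficClassifier:
    def __init__(self, name, operator="and"):
        self.name = name
        self.operator = operator            # "and" is the default on the switch
        self.criteria = []                  # (kind, values) in configuration order

    def if_match(self, kind, *values):
        """Add a clause; values are sorted and deduplicated as the switch does."""
        self.criteria.append((kind, tuple(sorted(set(values)))))

    def undo_if_match(self, kind, *values):
        """Remove a clause; the values must be identical, order aside."""
        wanted = (kind, tuple(sorted(set(values))))
        if wanted not in self.criteria:
            return False
        self.criteria.remove(wanted)
        return True

    def apply_errors(self, direction="inbound"):
        """Reasons a QoS policy referencing this class could not be applied."""
        errors = []
        if self.operator == "and":
            for kind in sorted(UNIQUE_IN_AND):
                clauses = [values for k, values in self.criteria if k == kind]
                if len(clauses) > 1 or any(len(values) > 1 for values in clauses):
                    errors.append(kind + ": multiple clauses or values with operator AND")
        if direction == "outbound" and any(k == "customer-dot1p" for k, _ in self.criteria):
            errors.append("customer-dot1p: cannot be applied to outgoing traffic")
        return errors

    @staticmethod
    def clause_hit(kind, values, packet):
        """Does one if-match clause match the packet?"""
        if kind == "any":
            return True
        if kind == "acl":                   # any of the referenced ACLs matched
            return bool(set(values) & packet.get("acl_hits", set()))
        return packet.get(PACKET_FIELD[kind]) in values

    def matches(self, packet):
        """Evaluate the class against a packet dict."""
        if not self.criteria:               # assumption: an empty class matches nothing
            return False
        if self.operator == "or":
            return any(self.clause_hit(k, v, packet) for k, v in self.criteria)
        groups = {}
        for kind, values in self.criteria:
            groups.setdefault(kind, []).append(values)
        for kind, value_lists in groups.items():
            hits = [self.clause_hit(kind, v, packet) for v in value_lists]
            if not (any(hits) if kind in OR_WITHIN_AND else all(hits)):
                return False
        return True


if __name__ == "__main__":
    # Constructed class: operator AND, two ACL clauses and one VLAN list.
    class1 = TrafficClassifier("class1")
    class1.if_match("acl", 2008)
    class1.if_match("acl", 3000)
    class1.if_match("customer-vlan-id", 9, 6, 1)
    packet = {"acl_hits": {2008}, "customer_vlan_id": 6}   # hits only one ACL
    print(class1.criteria, class1.matches(packet))        # the ACL clauses are ORed
```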
traffic classifier
Syntax
traffic classifier tcl-name [ operator { and | or } ]
undo traffic classifier tcl-name
View
System view
Default Level
2: System level
Parameters
tcl-name: Specifies a class name, a string of 1 to 31 characters.
operator: Sets the operator to logic AND or OR for the class.
and: Specifies the logic AND operator. The class matches the packets that match all its criteria.
or: Specifies the logic OR operator. The class matches the packets that match any of its criteria.
Description
Use the traffic classifier command to create a class and enter class view.
Use the undo traffic classifier command to remove a class.
By default, the operator of a class is AND.
Related commands: qos policy, qos apply policy, classifier behavior.
Examples
# Create a class named class1.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1]
packets: Counts traffic in packets.
Description
Use the accounting command to configure the traffic accounting action in the traffic behavior. By referencing the traffic behavior in a QoS policy, you can achieve class-based accounting, with which statistics are collected on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address.
Use the undo accounting command to delete the traffic accounting action.
You can use the display qos policy interface command and the display qos vlan-policy command to view the related statistics.
Related commands: qos policy, traffic behavior, classifier behavior.
Examples
# Configure traffic accounting in bytes for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] accounting byte
car
Syntax
car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ] [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]
undo car

View
Traffic behavior view

Default Level
2: System level

Parameters
cir committed-information-rate: Committed information rate (CIR) in kbps, which specifies the average traffic rate. The committed-information-rate argument ranges from 8 to 32000000 and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS) in bytes. The committed-burst-size argument ranges from 512 to 16000000 and defaults to 512.
ebs excess-burst-size: Excess burst size (EBS) in bytes. The excess-burst-size argument ranges from 0 to 16000000 and defaults to 512.
pir peak-information-rate: Peak information rate (PIR) in kbps. The peak-information-rate argument ranges from 8 to 32000000 and must be a multiple of 8.
green action: Action to take on packets that conform to CIR. The default is pass.
red action: Action to take on packets that conform to neither CIR nor PIR. The default is discard.
yellow action: Action to take on packets that conform to PIR but not to CIR. The default is pass.
action: Action to take on packets, which can be:
- pass: Permits the packet to pass through.
- remark-dot1p-pass new-cos: Sets the 802.1p priority of the packet to new-cos and permits the packet to pass through. The new-cos argument ranges from 0 to 7.
- remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet to pass through. The new-dscp argument ranges from 0 to 63.
- remark-lp-pass new-local-precedence: Sets the local precedence value of the packet to new-local-precedence and permits the packet to pass through. The new-local-precedence argument ranges from 0 to 7.
hierarchy-car-name: Name of the referenced hierarchical CAR.
mode: Collaborating mode of the hierarchical CAR action and the common CAR action, which can be AND (the default) or OR.
- AND mode (the and keyword), in which the traffic rate of a flow is limited by both the common CAR applied to it and the total traffic rate defined with hierarchical CAR. For example, you can use common CAR actions to limit the Internet access rates of flow 1 and flow 2 to 128 kbps each, and use a hierarchical CAR action to limit their total traffic rate to 192 kbps. Thus, when flow 1 is not present, flow 2 can access the Internet at the maximum rate, 128 kbps. If both flows are present, each flow cannot exceed its own rate limit, and the total rate cannot exceed 192 kbps.
- OR mode (the or keyword), in which a flow may pass through at a rate equal to the common CAR applied to it or at a higher rate if the total traffic rate of all flows does not exceed the hierarchical CAR. For example, you can use generic CAR actions to limit the rates of video flow 1 and flow 2 to 128 kbps each, and use a hierarchical CAR action to limit their total traffic rate to 512 kbps. As long as the rate of flow 1 does not exceed 128 kbps, flow 2 can pass at a rate up to 384 kbps.
Description
Use the car command to configure a CAR action for the traffic behavior.
Use the undo car command to remove the CAR action from the traffic behavior.
Note that: if this command is configured multiple times for the same traffic behavior, the last configuration takes effect.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Configure a CAR action for traffic behavior database: set CIR to 128 kbps, CBS to 50000 bytes, and EBS to 0; allow the conforming packets to pass, and mark the excess packets with DSCP value 0 and forward them.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] car cir 128 cbs 50000 ebs 0 green pass red remark-dscp-pass 0
# Configure a CAR action for traffic behavior database: set the CIR to 256 kbps, CBS to 50000 bytes, and EBS to 0; allow the conforming packets to pass, and mark excess packets with DSCP precedence 0 and forward them. In addition, reference hierarchical CAR hcar in the action, with the collaborating mode as or.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] car cir 256 cbs 50000 ebs 0 green pass red remark-prec-pass 0 hierarchy-car hcar mode or
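The following Python model is an added example, not code from H3C or from this reference. It replays the first car example above (cir 128, cbs 50000, ebs 0, green pass, red remark-dscp-pass 0) against a constructed packet trace to show what the colour actions actually mean for the traffic that leaves the port: with remark-dscp-pass, red packets are re-marked but still forwarded, whereas the default red action discards them. Because the page gives the CIR/CBS/EBS parameters but not the switch's internal bucket algorithm, the colouring uses the single-rate three-colour marker of RFC 2697 as an assumed model (a CBS bucket and an EBS bucket, both refilled at CIR); the Car class, the police helper and the TRACE data are all constructed for this example.

```python
"""Three-colour CAR policing with the page's example parameters (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Car:
    cir_kbps: int                 # CIR in kbps, multiple of 8 (page range 8..32000000)
    cbs: int = 512                # CBS in bytes (page default 512)
    ebs: int = 512                # EBS in bytes (page default 512)
    green: str = "pass"           # page defaults: green pass, yellow pass, red discard
    yellow: str = "pass"
    red: str = "discard"
    c_tokens: int = field(init=False, default=0)
    e_tokens: int = field(init=False, default=0)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        if self.cir_kbps % 8 or not 8 <= self.cir_kbps <= 32_000_000:
            raise ValueError("cir must be a multiple of 8 in 8..32000000 kbps")
        self.c_tokens, self.e_tokens = self.cbs, self.ebs   # both buckets start full

    def _refill(self, now_ms: int) -> None:
        # kbps * ms / 8 = bytes earned since the last packet; surplus spills into the EBS bucket
        budget = (now_ms - self.last_ms) * self.cir_kbps // 8
        self.last_ms = now_ms
        to_c = min(budget, self.cbs - self.c_tokens)
        self.c_tokens += to_c
        self.e_tokens = min(self.ebs, self.e_tokens + budget - to_c)

    def colour(self, size: int, now_ms: int) -> str:
        """Green within CBS, yellow within EBS, red otherwise (RFC 2697 model, assumed)."""
        self._refill(now_ms)
        if self.c_tokens >= size:
            self.c_tokens -= size
            return "green"
        if self.e_tokens >= size:
            self.e_tokens -= size
            return "yellow"
        return "red"

    def apply(self, size: int, now_ms: int) -> tuple[str, bool, int | None]:
        """Return (colour, forwarded, new DSCP or None) for one packet."""
        col = self.colour(size, now_ms)
        action = {"green": self.green, "yellow": self.yellow, "red": self.red}[col]
        if action == "discard":
            return col, False, None
        if action.startswith("remark-dscp-pass "):
            return col, True, int(action.split()[1])   # re-marked, but still forwarded
        return col, True, None                          # pass


def police(car: Car, trace: list[tuple[int, int]]) -> dict[str, int]:
    """Run a (time_ms, size_bytes) trace through one CAR action and count the outcomes."""
    stats = {"green": 0, "yellow": 0, "red": 0, "forwarded": 0, "dropped": 0, "remarked": 0}
    for t_ms, size in trace:
        col, fwd, dscp = car.apply(size, t_ms)
        stats[col] += 1
        stats["forwarded" if fwd else "dropped"] += 1
        stats["remarked"] += int(dscp is not None)
    return stats


# Constructed trace: a burst of 100 packets of 1000 bytes at t=0, then 20 more one second later.
TRACE = [(0, 1000)] * 100 + [(1000, 1000)] * 20


def run_example() -> dict[str, dict[str, int]]:
    return {
        # the page's first car example: red packets are re-marked to DSCP 0 and forwarded
        "remark": police(Car(128, cbs=50000, ebs=0, red="remark-dscp-pass 0"), TRACE),
        # same rate with the default red action: the excess is really dropped
        "discard": police(Car(128, cbs=50000, ebs=0), TRACE),
        # a non-zero EBS makes the yellow colour appear for the first 10 KB beyond CBS
        "ebs": police(Car(128, cbs=50000, ebs=10000), TRACE),
    }


if __name__ == "__main__":
    for name, stats in run_example().items():
        print(name, stats)
```

With CBS 50000 and EBS 0 the first 50 packets of the burst are green and the other 50 are red; one second at 128 kbps earns 16000 bytes, so 16 of the later 20 packets are green. The "remark" variant forwards all 120 packets (54 of them re-marked), while the "discard" variant forwards 66 and drops 54, which is the difference to keep in mind when a CAR is meant to cap the volume a class can push through rather than merely relabel it.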
Accounting enable

Field                  Description
                       Information about the CAR action
                       NetStream configuration information. The NetStream filtering option can be permit or deny
Redirect enable        Traffic redirecting configuration information
Redirect type          Traffic redirecting type, which can be redirecting traffic to the CPU, an interface, or the next-hop
Redirect destination   Destination for traffic redirecting, which can be an
Marking
filter
Syntax
filter { deny | permit }
undo filter

View
Traffic behavior view

Default Level
2: System level

Parameters
deny: Drops the packets.
permit: Permits the packets to pass through.

Description
Use the filter command to configure a traffic filtering action for the traffic behavior.
Use the undo filter command to remove the traffic filtering action.

Examples
# Configure the traffic filtering action as deny for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] filter deny
redirect
Syntax
redirect { cpu | interface interface-type interface-number | next-hop { ipv4-add1 [ ipv4-add2 ] | ipv6-add1 [ interface-type interface-number ] [ ipv6-add2 [ interface-type interface-number ] ] } }
undo redirect { cpu | interface interface-type interface-number | next-hop }

View
Traffic behavior view

Default Level
2: System level

Parameters
cpu: Redirects traffic to the CPU.
interface: Redirects traffic to the specified interface.
interface-type interface-number: Interface specified by its type and number.
next-hop: Redirects traffic to a next hop.
ipv4-add1/ipv4-add2: IPv4 address of the next hop. ipv4-add2 backs up ipv4-add1: if redirecting traffic to ipv4-add1 fails, traffic is redirected to ipv4-add2.
ipv6-add1/ipv6-add2: IPv6 address of the next hop. ipv6-add2 backs up ipv6-add1: if redirecting traffic to ipv6-add1 fails, traffic is redirected to ipv6-add2. interface-type interface-number specifies a VLAN-interface by its number. If the IPv6 address is a link-local address, you must specify a VLAN-interface for the IPv6 address of the next hop; if it is not a link-local address, no VLAN-interface is needed.

Description
Use the redirect command to configure a traffic redirecting action for the traffic behavior.
Use the undo redirect command to remove the traffic redirecting action.
Redirecting traffic to the CPU, redirecting traffic to an interface, and redirecting traffic to the next hop are mutually exclusive in the same traffic behavior.

Examples
# Configure the action of redirecting traffic to interface GigabitEthernet 1/0/1 for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] redirect interface gigabitethernet1/0/1
remark dot1p
Syntax
remark dot1p { 8021p | customer-dot1p-trust }
undo remark dot1p

View
Traffic behavior view

Default Level
2: System level

Parameters
8021p: 802.1p priority to be marked for packets, which ranges from 0 to 7.
customer-dot1p-trust: Copies the 802.1p priority value in the inner VLAN tag to the outer VLAN tag after the QoS policy is applied to a port. This keyword does not take effect on single-tagged packets.

Description
Use the remark dot1p command to configure the 802.1p priority marking action or the inner-to-outer tag priority copying action.
Use the undo remark dot1p command to remove the action.
Note that: the remark dot1p 8021p command and the remark dot1p customer-dot1p-trust command override each other, and whichever is configured last takes effect.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the 802.1p priority to 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dot1p 2
# Configure the inner-to-outer tag priority copying action in traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dot1p customer-dot1p-trust
remark drop-precedence
Syntax
remark drop-precedence drop-precedence-value
undo remark drop-precedence

View
Traffic behavior view

Default Level
2: System level

Parameters
drop-precedence-value: Drop precedence to be marked for packets, which ranges from 0 to 2.

Description
Use the remark drop-precedence command to configure the drop precedence marking action.
Use the undo remark drop-precedence command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the drop precedence value to 2 for packets.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark drop-precedence 2
remark dscp
Syntax
remark dscp dscp-value
undo remark dscp

View
Traffic behavior view

Default Level
2: System level

Parameters
dscp-value: DSCP value, which ranges from 0 to 63 or is a keyword, as shown in Table 2-4.

Table 2-4 DSCP keywords and values
Keyword   DSCP value (binary)   DSCP value (decimal)
default   000000                0
af11      001010                10
af12      001100                12
af13      001110                14
af21      010010                18
af22      010100                20
af23      010110                22
af31      011010                26
af32      011100                28
af33      011110                30
af41      100010                34
af42      100100                36
af43      100110                38
cs1       001000                8
cs2       010000                16
cs3       011000                24
cs4       100000                32

Description
Use the remark dscp command to configure the DSCP marking action.
Use the undo remark dscp command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the DSCP value of packets to 6.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dscp 6
remark ip-precedence
Syntax
remark ip-precedence ip-precedence-value
undo remark ip-precedence

View
Traffic behavior view

Default Level
2: System level

Parameters
ip-precedence-value: IP precedence value to be marked for packets, which ranges from 0 to 7.

Description
Use the remark ip-precedence command to configure the IP precedence marking action.
Use the undo remark ip-precedence command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the IP precedence value of packets to 6.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark ip-precedence 6
remark local-precedence
Syntax
remark local-precedence local-precedence
undo remark local-precedence

View
Traffic behavior view

Default Level
2: System level

Parameters
local-precedence: Local precedence value to be marked for packets, which ranges from 0 to 7.

Description
Use the remark local-precedence command to configure the local precedence marking action.
Use the undo remark local-precedence command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the local precedence value of packets to 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark local-precedence 2
remark qos-local-id
Syntax
remark qos-local-id local-id-value
undo remark qos-local-id

View
Traffic behavior view

Default Level
2: System level

Parameters
local-id-value: QoS local ID to be marked for packets, in the range of 1 to 4095. The local QoS IDs supported on the S5820X & S5800 series switches range from 1 to 3999.

Description
Use the remark qos-local-id command to configure the QoS local ID marking action.
Use the undo remark qos-local-id command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the QoS local ID of packets to 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark qos-local-id 2
traffic behavior
Syntax
traffic behavior behavior-name
undo traffic behavior behavior-name

View
System view

Default Level
2: System level

Parameters
behavior-name: Behavior name, a string of 1 to 31 characters.

Description
Use the traffic behavior command to create a traffic behavior and enter traffic behavior view.
Use the undo traffic behavior command to remove a traffic behavior.
Related commands: qos policy, qos apply policy, classifier behavior.

Examples
# Create a traffic behavior named behavior1.
<Sysname> system-view
[Sysname] traffic behavior behavior1
[Sysname-behavior-behavior1]
Use the undo classifier command to remove a class from the policy.
Note that:
- Each class in the policy can be associated with only one behavior. If the specified class and traffic behavior do not exist, the system creates a null class and a null traffic behavior.
- The dot1q-tag-manipulation keyword only applies to many-to-one VLAN mapping configuration. For more information about many-to-one VLAN mapping, see VLAN Mapping Configuration in the Layer 2 - LAN Switching Configuration Guide.
Related commands: qos policy.

Examples
# Associate traffic class database with traffic behavior test in QoS policy user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1] classifier database behavior test
[Sysname-qospolicy-user1]
Examples
# Display information about the global QoS policy applied to the incoming traffic.
<Sysname> display qos policy global inbound
  Direction: Inbound
  Policy: 1
   Classifier: 2
     Operator: AND
     Rule(s) : If-match acl 2000
     Behavior: 2
      Accounting Enable
        20864 (Bytes)
      Committed Access Rate:
        CIR 128 (kbps), CBS 8000 (Bytes), EBS 0 (Bytes)
        Red Action: discard
        Green : 12928(Bytes)
        Yellow: 7936(Bytes)
        Red   : 43904(Bytes)
Output fields: Direction, Behavior, Accounting, CBS.

Output fields: Direction, Policy, Classifier, Operator, Rule(s), Behavior.
Note that: if no direction is specified, the VLAN QoS policy information in both the inbound and outbound directions is displayed.

Examples
# Display information about QoS policy test on the device numbered 6 in the IRF virtual device.
<Sysname> display qos vlan-policy name test slot 6
  Policy test
    Vlan 200: inbound
    Vlan 300: outbound

  Direction: Inbound
  Policy: 1
   Classifier: 2
     Operator: AND
     Rule(s) : If-match acl 2000
     Behavior: 2
      Accounting Enable
        163 (Packets)
      Committed Access Rate:
        CIR 128 (kbps), CBS 8000 (byte), EBS 0 (byte)
        Red Action: discard
        Green : 12928(Bytes)
        Yellow: 7936(Bytes)
        Red   : 43904(Bytes)

Table: display qos vlan-policy output description
Field                   Description
inbound
outbound
Direction
Classifier              Class name and its contents
Operator                Logical relationship between match criteria
Rule(s)                 Match criteria
Behavior                Name of the behavior, and its actions
Accounting              Class-based accounting action and the collected statistics
Committed Access Rate   CAR information
CIR                     Committed information rate (CIR) in kbps
CBS                     Committed burst size (CBS) in bytes, which specifies the depth of the token bucket for holding bursty traffic
EBS                     Excessive burst size (EBS) in bytes, which specifies the amount of traffic beyond the CBS when two token buckets are used
Red Action              Action on red packets
Green                   Statistics on green packets
Yellow                  Statistics on yellow packets
Red                     Statistics on red packets
Use the undo qos apply policy command to cancel the QoS policy application.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Apply policy USER1 to the outgoing traffic of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos apply policy USER1 outbound
If a user profile is activated, the QoS policy applied to it cannot be configured or removed, except for the ACLs referenced in the QoS policy. However, while the users of the user profile are online, the referenced ACLs cannot be modified either.
The QoS policy applied to a user profile becomes effective when the user profile is activated and the corresponding users are online.
Only the remark, car, and filter actions are supported in the QoS policies applied in user profile view.
A null policy cannot be applied in user profile view.

Examples
# Apply policy test to the outgoing traffic of the online users of user profile user. (Assume that the QoS policy has been configured.)
<Sysname> system-view
[Sysname] user-profile user
[Sysname-user-profile-user] qos apply policy test outbound
qos policy
Syntax
qos policy policy-name
undo qos policy policy-name

View
System view

Default Level
2: System level

Parameters
policy-name: Policy name, which is a string of 1 to 31 characters.

Description
Use the qos policy command to create a policy and enter policy view.
Use the undo qos policy command to delete a policy.
A policy applied to an interface cannot be directly deleted. You must first remove the policy application before deleting the policy with the undo qos policy command.
Related commands: classifier behavior, qos apply policy.
qos vlan-policy
Syntax
qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
undo qos vlan-policy vlan vlan-id-list { inbound | outbound }

View
System view

Default Level
2: System level

Parameters
policy-name: QoS policy name, which is a string of 1 to 31 characters.
vlan-id-list: A list of up to eight VLAN IDs in the range 1 to 4094. You can input individual discontinuous VLAN IDs and VLAN ID ranges in the form of start-vlan-id to end-vlan-id, where the start VLAN ID must be smaller than the end VLAN ID. Each item in the VLAN list is separated by a space.
inbound: Applies the QoS policy to the incoming packets of the specified VLAN(s).
outbound: Applies the QoS policy to the outgoing packets of the specified VLAN(s).

Description
Use the qos vlan-policy command to apply a QoS policy to the specified VLAN(s).
Use the undo qos vlan-policy command to cancel the QoS policy application to the specified VLAN(s).

Examples
# Apply the QoS policy test to the incoming traffic of VLAN 200, VLAN 300, VLAN 400, and VLAN 500.
<Sysname> system-view
[Sysname] qos vlan-policy test vlan 200 300 400 500 inbound
Parameters
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.

Description
Use the reset qos policy global command to clear the statistics of a global QoS policy.
If no direction is specified, the statistics of the global QoS policies in both directions are cleared.

Examples
# Clear the statistics of the global QoS policy applied to the incoming traffic.
<Sysname> reset qos policy global inbound
display qos map-table

Syntax

View
Any view

Default Level
1: Monitor level

Parameters
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table.
dscp-dp: DSCP-to-drop priority mapping table.
dscp-dscp: DSCP-to-DSCP priority mapping table.

Description
Use the display qos map-table command to display the configuration of a priority mapping table.
If no priority mapping table is specified, the configuration information of all priority mapping tables is displayed.
Related commands: qos map-table.

Examples
# Display the configuration information of the 802.1p-to-drop priority mapping table.
<Sysname> display qos map-table dot1p-dp
MAP-TABLE NAME: dot1p-dp   TYPE: pre-define
IMPORT  :  EXPORT
   0    :    0
   1    :    0
   2    :    0
   3    :    0
   4    :    0
   5    :    0
   6    :    0
   7    :    0
import
Syntax
import import-value-list export export-value
undo import { import-value-list | all }

View
Priority mapping table view

Default Level
2: System level

Parameters
import-value-list: List of input values.
export-value: Output value.
all: Deletes all the mappings in the priority mapping table.

Description
Use the import command to configure a mapping from one or multiple input values to an output value.
Use the undo import command to restore the specified mapping or all mappings to the default.
Related commands: display qos map-table, display qos map-table color.

Examples
# Configure the 802.1p-to-drop priority mapping table to map 802.1p priority values 4 and 5 to drop precedence value 1.
<Sysname> system-view
[Sysname] qos map-table dot1p-dp
[Sysname-maptbl-dot1p-dp] import 4 5 export 1
qos map-table
Syntax
qos map-table { dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp }

View
System view

Default Level
2: System level

Parameters
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table.
dscp-dp: DSCP-to-drop priority mapping table.
dscp-dscp: DSCP-to-DSCP priority mapping table.

Description
Use the qos map-table command to enter the specified priority mapping table view.
Related commands: display qos map-table.

Examples
# Enter the 802.1p-to-drop priority mapping table view.
<Sysname> system-view
[Sysname] qos map-table dot1p-dp
[Sysname-maptbl-dot1p-dp]
- dscp: indicates that the DSCP precedence value of the received packets is used for priority mapping
- dot1p: indicates that the 802.1p priority of the received packets is used for priority mapping
- untrust: indicates that the port priority is used for priority mapping
qos trust
Syntax
qos trust { dot1p | dscp }
undo qos trust

View
Interface view, port group view

Default Level
2: System level

Parameters
dot1p: Uses the 802.1p priority in incoming packets for priority mapping.
dscp: Uses the DSCP value in incoming packets for priority mapping.

Description
Use the qos trust command to configure an interface to use a particular priority field carried in packets for priority mapping.
Use the undo qos trust command to restore the default priority trust mode.
By default, the port priority is used for priority mapping.
When packets enter the device, the device assigns a set of parameters (including 802.1p priority, DSCP values, IP precedence, local precedence, and drop precedence) to the packets as configured. The local precedence and drop precedence are defined as follows:
- A local precedence is locally significant and corresponds to an output queue.
- A drop precedence is used for packet drop. The value 2 corresponds to red packets, 1 corresponds to yellow packets, and 0 corresponds to green packets.

Examples
# Configure interface GigabitEthernet 1/0/1 to use the 802.1p priority in incoming packets for priority mapping.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos trust dot1p
display qos gts interface

Syntax

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos gts interface command to display generic traffic shaping (GTS) configuration information and operational statistics on a specified interface or all the interfaces.
If no interface is specified, the GTS configuration information and operational statistics on all the interfaces are displayed.

Examples
# Display the GTS configuration information and operational statistics on all the interfaces.
<Sysname> display qos gts interface
Interface: GigabitEthernet1/0/1
 Rule(s): If-match queue 0
  CIR 12800 (kbps), CBS 819200 (byte)
 Rule(s): If-match queue 1
  CIR 12800 (kbps), CBS 819200 (byte)
 Rule(s): If-match queue 2
  CIR 6400 (kbps), CBS 819200 (byte)

Output fields: CBS.
qos gts
Syntax
qos gts queue queue-number cir committed-information-rate [ cbs committed-burst-size ]
undo qos gts queue queue-number

View
Interface view, port group view

Default Level
2: System level

Parameters
queue queue-number: Shapes the packets in the queue.
cir committed-information-rate: Committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 8 to 1048576, and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS) in bytes. The committed-burst-size argument ranges from 512 to 16777216, and must be a multiple of 512. The default value is 8192.

Description
Use the qos gts command to set GTS parameters for the traffic in a specific queue.
Use the undo qos gts command to remove the GTS parameters from the traffic of a specific queue or all the traffic on the interface or port group.
By default, no GTS parameters are configured on an interface.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Configure GTS for traffic in queue 1 on GigabitEthernet 1/0/1 as follows: set CIR to 256 kbps, and CBS to 40960 bytes.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos gts queue 1 cir 256 cbs 40960
Description
Use the display qos lr interface command to view the line rate configuration information and operational statistics on a specified interface or all interfaces.
If no interface is specified, the line rate configuration information and operational statistics on all interfaces are displayed.

Examples
# Display the line rate configuration information and operational statistics on all interfaces.
<Sysname> display qos lr interface
Interface: GigabitEthernet1/0/1
 Direction: Inbound
  CIR 12800 (kbps), CBS 256000 (byte)
 Direction: Outbound
  CIR 256 (kbps), CBS 40960 (byte)

Output fields: Direction, CBS.
qos lr
Syntax
qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]
undo qos lr { inbound | outbound }

View
Interface view, port group view

Default Level
2: System level

Parameters
inbound: Limits the rate of incoming packets on the interface.
outbound: Limits the rate of outgoing packets on the interface.
cir committed-information-rate: Committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 8 to 1000000 and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS) in bytes. The committed-burst-size argument ranges from 512 to 16000000, and defaults to 8000.

Description
Use the qos lr command to limit the rate of incoming packets or outgoing packets on the interface.
Use the undo qos lr command to remove the rate limit.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Configure line rate for outgoing packets on interface GigabitEthernet 1/0/1 as follows: set CIR to 256 kbps and CBS to 4096 bytes.
<Sysname> system-view
[Sysname] interface gigabitethernet1/0/1
[Sysname-GigabitEthernet1/0/1] qos lr outbound cir 256 cbs 4096
qos sp
Syntax
qos sp
undo qos sp

View
Interface view, port group view

Default Level
2: System level

Parameters
None

Description
Use the qos sp command to configure SP queuing on an interface.
Use the undo qos sp command to restore the default.
The default queuing algorithm on an interface is WRR queuing.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.
Related commands: display qos sp interface.

Examples
# Enable SP queuing on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos sp
Interface: GigabitEthernet1/0/1
 Output queue: Weighted round robin queue
 Queue ID    Group    Byte-count
 ------------------------------------
 0           1        1
 1           1        2
 2           1        3
 3           1        4
 4           1        5
 5           1        9
 6           1        13
 7           sp       N/A

Output fields: Group, Weight.
qos wrr
Syntax
qos wrr
undo qos wrr

View
Interface view, port group view

Default Level
2: System level

Parameters
None

Description
Use the qos wrr command to enable WRR queuing on the interface.
Use the undo qos wrr command to disable WRR queuing on the interface.
The default queuing algorithm on an interface is WRR queuing.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.
Before performing WRR configuration, you must enable WRR queuing on an interface by using the qos wrr command.

Examples
# Enable WRR queuing on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wrr
Description
Use the display qos wfq interface command to display the weighted fair queuing (WFQ) configuration on an interface.
If no interface is specified, the WFQ configuration of all the interfaces is displayed.
Related commands: qos wfq.

Examples
# Display the WFQ configuration of interface GigabitEthernet 1/0/1.
<Sysname> display qos wfq interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 Output queue: Hardware weighted fair queue
 Queue ID    Weight    Min-Bandwidth
 ------------------------------------------------
 0           1         64
 1           1         64
 2           1         64
 3           1         64
 4           1         64
 5           1         64
 6           1         64
 7           1         64
bandwidth-value: Minimum guaranteed bandwidth (in kbps), which is the minimum bandwidth guaranteed for a queue when the port is congested. The range for the bandwidth-value argument is from 64 to 1048576.

Description
Use the qos bandwidth queue command to set the minimum guaranteed bandwidth for a specified queue on the port/port group.
Use the undo qos bandwidth queue command to cancel the configuration.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Set the minimum guaranteed bandwidth to 100 kbps for queue 0 on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wfq
[Sysname-GigabitEthernet1/0/1] qos bandwidth queue 0 min 100
qos wfq
Syntax
qos wfq
undo qos wfq

View
Interface view, port group view

Default Level
2: System level

Parameters
None

Description
Use the qos wfq command to enable WFQ on an interface.
Use the undo qos wfq command to restore the default queuing algorithm on an interface.
The default queuing algorithm on an interface is WRR queuing.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Enable WFQ on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wfq
display qos wred interface

Syntax

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos wred interface command to display the WRED configuration and statistics of an interface.
If no interface is specified, the WRED configuration and statistics of all interfaces are displayed.

Examples
# Display the WRED configuration and statistics of interface GigabitEthernet 1/0/1.
<Sysname> display qos wred interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 Current WRED configuration:
 Applied WRED table name: test
Default Level
1: Monitor level

Parameters
table-name: Name of the WRED table to be displayed.

Description
Use the display qos wred table command to display the WRED table configuration information.
If no WRED table name is specified, the configuration of all WRED tables is displayed.

Examples
# Display the configuration of WRED table 1.
<Sysname> display qos wred table 1
Table Name: 1
Table Type: Queue based WRED
QID:  gmin  gmax  gprob  ymin  ymax  yprob  rmin  rmax  rprob
----------------------------------------------------------------------
0     100   1000  10     100   1000  10     100   1000  10
1     100   1000  10     100   1000  10     100   1000  10
2     100   1000  10     100   1000  10     100   1000  10
3     100   1000  10     100   1000  10     100   1000  10
4     100   1000  10     100   1000  10     100   1000  10
5     100   1000  10     100   1000  10     100   1000  10
6     100   1000  10     100   1000  10     100   1000  10
7     100   1000  10     100   1000  10     100   1000  10

Field    Description
gmin     Lower threshold configured for green packets, with a drop precedence value of 0
gmax     Upper threshold configured for green packets, with a drop precedence value of 0
gprob    Drop probability configured for green packets, with a drop precedence value of 0
ymin     Lower threshold configured for yellow packets, with a drop precedence value of 1
ymax     Upper threshold configured for yellow packets, with a drop precedence value of 1
yprob    Drop probability configured for yellow packets, with a drop precedence value of 1
rmin     Lower threshold configured for red packets, with a drop precedence value of 2
rmax     Upper threshold configured for red packets, with a drop precedence value of 2
rprob    Drop probability configured for red packets, with a drop precedence value of 2
queue
Syntax
queue queue-value [ drop-level drop-level ] low-limit low-limit high-limit high-limit

View
WRED table view

Default Level
2: System level

Parameters
queue-value: Queue number, in the range of 0 to 7.
drop-level drop-level: Drop level, in the range of 0 to 2. If this argument is not specified, the subsequent configuration takes effect on the packets in the queue regardless of the drop level.
low-limit low-limit: Lower limit, which is 100 by default. The range for the low-limit argument is from 0 to 8000.
high-limit high-limit: Upper limit, which is 1000 by default. The range for the high-limit argument is from 0 to 8000.
discard-probability discard-prob: Specifies the drop probability in percentage, in the range of 0 to 100. When the queue length is within the lower limit and upper limit, the switch drops packets based on the drop probability.

Description
Use the queue command to configure the drop-related parameters for a specified queue in the queue-based WRED table.
Use the undo queue command to restore the default.
By default, the global queue-based WRED table uses the following parameters: lower limit 100, upper limit 1000, and drop probability 10.
Related commands: qos wred table.

Examples
# Modify the drop-related parameters for packets with drop level 1 in queue 1 in WRED table queue-table1 as follows: lower limit 120, upper limit 300, and drop probability 20.
<Sysname> system-view
[Sysname] qos wred queue table queue-table1
[Sysname-wred-table-queue-table1] queue 1 drop-level 1 low-limit 120 high-limit 300 discard-probability 20
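The following Python model is an added example, not code from H3C or from this reference. It builds a queue-based WRED table at the page's defaults (lower limit 100, upper limit 1000, drop probability 10 for every queue and drop level), applies the queue 1 / drop-level 1 / 120 / 300 / 20 example above on top, and computes the drop decision for an arriving packet of a given colour at a given queue length. Drop levels follow the qos trust description (0 green, 1 yellow, 2 red). Two points are assumptions rather than statements of the page: that the drop probability ramps linearly from 0 at the lower limit to the configured value at the upper limit (the usual RED interpolation), and that everything above the upper limit is tail-dropped. The WredTable and Profile classes and the simulate_drops helper are constructed for this example.

```python
"""Queue-based WRED drop decision per queue and drop level (added example)."""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    low: int = 100        # page default lower limit
    high: int = 1000      # page default upper limit
    prob_pct: int = 10    # page default drop probability, in percent


class WredTable:
    def __init__(self, name: str) -> None:
        self.name = name
        # 8 queues x 3 drop levels, all starting at the page defaults
        self.profiles = {(q, d): Profile() for q in range(8) for d in range(3)}

    def queue(self, queue_value: int, low_limit: int, high_limit: int,
              discard_probability: int, drop_level: int | None = None) -> None:
        """Mirror the queue command; omitting drop_level sets all three levels."""
        if not 0 <= queue_value <= 7:
            raise ValueError("queue-value must be 0..7")
        if drop_level is not None and not 0 <= drop_level <= 2:
            raise ValueError("drop-level must be 0..2")
        if not 0 <= low_limit <= high_limit <= 8000:
            raise ValueError("limits must be 0..8000 with low-limit <= high-limit")
        if not 0 <= discard_probability <= 100:
            raise ValueError("discard-probability must be 0..100")
        for d in (range(3) if drop_level is None else (drop_level,)):
            self.profiles[(queue_value, d)] = Profile(low_limit, high_limit, discard_probability)

    def drop_probability(self, queue_value: int, drop_level: int, queue_len: int) -> float:
        """Probability (0..1) of dropping an arriving packet at the given queue length."""
        p = self.profiles[(queue_value, drop_level)]
        if queue_len < p.low:
            return 0.0                        # below the lower limit nothing is dropped
        if queue_len >= p.high:
            return 1.0                        # assumed: tail drop above the upper limit
        # assumed: linear ramp between the limits up to the configured probability
        return (queue_len - p.low) / (p.high - p.low) * p.prob_pct / 100

    def should_drop(self, queue_value: int, drop_level: int, queue_len: int,
                    rng: random.Random) -> bool:
        return rng.random() < self.drop_probability(queue_value, drop_level, queue_len)


def example_table() -> WredTable:
    """The page's example: WRED table queue-table1 with yellow packets in queue 1 tightened."""
    t = WredTable("queue-table1")
    t.queue(1, 120, 300, 20, drop_level=1)
    return t


def simulate_drops(table: WredTable, queue_value: int, drop_level: int,
                   queue_len: int, packets: int = 10000, seed: int = 1) -> int:
    """Count drops for constructed traffic arriving at a fixed queue length (seeded)."""
    rng = random.Random(seed)
    return sum(table.should_drop(queue_value, drop_level, queue_len, rng) for _ in range(packets))


if __name__ == "__main__":
    t = example_table()
    for depth in (50, 210, 300):
        print(depth, t.drop_probability(1, 1, depth), t.drop_probability(1, 0, depth))
```

At a queue length of 210, yellow packets in queue 1 face the example profile (halfway between 120 and 300, so 10%), while green packets in the same queue are still on the default profile and see only about 1.2%; at 300 the yellow packets hit their upper limit and are all dropped.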
Parameters table-name: Name of a global WRED table. Description Use the qos wred apply command to apply a global WRED table on a port/port group. Use the undo qos wred apply command to restore the default. By default, the tail drop mode is used on a port. In interface view, the setting is effective on the current port only. In port group view, the setting is effective on all the ports in the port group. Related commands: display qos wred interface, display qos wred table, qos wred table. Examples # Apply the queue-based WRED table queue-table1 to the interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] qos wred apply queue-table1
7 Global CAR Configuration Commands
car name
Syntax
car name car-name [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]
undo car
View
Traffic behavior view
Default Level
2: System level
Parameters
car-name: Name of an aggregation CAR action.
hierarchy-car-name: Name of the referenced hierarchical CAR action.
mode: Collaborating mode of the hierarchical CAR action and the aggregation CAR action, which can be AND (the default) or OR. If the collaborating mode is not specified, the AND mode applies.
• AND mode (the and keyword): the traffic rate of a flow is limited both by the aggregation CAR applied to it and by the total traffic rate defined by the hierarchical CAR. For example, you can use aggregation CAR actions to limit the Internet access rates of flow 1 and flow 2 to 128 kbps each, and use a hierarchical CAR action to limit their total traffic rate to 192 kbps. When flow 1 is not present, flow 2 can access the Internet at its maximum rate, 128 kbps. When both flows are present, neither flow can exceed its own rate limit, and their total rate cannot exceed 192 kbps.
• OR mode (the or keyword): a flow may pass at the rate of the aggregation CAR applied to it, or at a higher rate as long as the total traffic rate of all flows does not exceed the hierarchical CAR. For example, you can use aggregation CAR actions to limit the rates of video flow 1 and flow 2 to 128 kbps each, and then use a hierarchical CAR action to limit their total traffic rate to 512 kbps. As long as the rate of flow 1 does not exceed 128 kbps, flow 2 can pass at a rate of up to 384 kbps.
Description
Use the car name command to configure the traffic behavior to reference an aggregation CAR action.
Use the undo car command to remove the aggregation CAR action from the traffic behavior.
Examples
# Configure traffic behavior be1 to reference aggregation CAR aggcar-1 and hierarchical CAR hcar, with the collaborating mode set to or.
<Sysname> system-view
[Sysname] traffic behavior be1
[Sysname-behavior-be1] car name aggcar-1 hierarchy-car hcar mode or
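The AND and OR collaborating modes described under the mode parameter, worked through as an added example (not code from the command reference or from H3C). The function takes the offered rate of each flow, each flow's own aggregation CAR and the hierarchical CAR, and returns the rate each flow passes; the numbers in the usage block are the ones the reference uses (128 kbps per flow with a 192 kbps or 512 kbps hierarchical CAR). The reference does not say how contended capacity is split between flows, so max-min fair sharing is assumed here.

```python
from typing import Dict

Rates = Dict[str, float]   # flow name -> rate in kbps


def _fill(wants: Rates, budget: float) -> Rates:
    """Split 'budget' over flows, giving each at most what it wants (max-min fair)."""
    given = {f: 0.0 for f in wants}
    pending = {f: w for f, w in wants.items() if w > 0}
    remaining = budget
    while remaining > 1e-9 and pending:
        share = remaining / len(pending)
        for f in list(pending):
            give = min(pending[f], share)
            given[f] += give
            pending[f] -= give
            remaining -= give
            if pending[f] <= 1e-9:
                del pending[f]
    return given


def hierarchical_car(offered: Rates, aggregation: Rates, hierarchy: float,
                     mode: str = "and") -> Rates:
    """Rate (kbps) each flow passes when its aggregation CAR collaborates with a hierarchical CAR.

    offered:     what each flow tries to send (a flow that is not present is simply absent)
    aggregation: each flow's own aggregation CAR limit
    hierarchy:   the hierarchical CAR limit on the sum of all flows
    mode 'and':  a flow never exceeds its own CAR, and the sum never exceeds the hierarchical CAR
    mode 'or':   a flow may exceed its own CAR as long as the sum stays within the hierarchical CAR
    How contended capacity is shared between flows is not stated in the reference;
    max-min fair sharing is assumed here.
    """
    if mode not in ("and", "or"):
        raise ValueError("mode must be 'and' or 'or'")
    # A flow on its own always gets up to its own aggregation CAR.
    own = {f: min(offered.get(f, 0.0), limit) for f, limit in aggregation.items()}
    if mode == "and" or sum(own.values()) >= hierarchy:
        # AND: the per-flow caps stand and the hierarchical CAR trims the total.
        # OR with the own caps already filling the hierarchy: nothing extra to hand out.
        return _fill(own, hierarchy)
    # OR: the unused part of the hierarchical CAR goes to the flows that want more.
    spare = hierarchy - sum(own.values())
    extra = _fill({f: offered.get(f, 0.0) - own[f] for f in own}, spare)
    return {f: own[f] + extra[f] for f in own}


if __name__ == "__main__":
    agg = {"flow1": 128.0, "flow2": 128.0}
    # AND mode, hierarchical CAR 192 kbps: flow 2 alone gets 128, both flows share 192.
    print("and, flow1 absent :", hierarchical_car({"flow2": 500.0}, agg, 192.0, "and"))
    print("and, both present :", hierarchical_car({"flow1": 500.0, "flow2": 500.0}, agg, 192.0, "and"))
    # OR mode, hierarchical CAR 512 kbps: with flow 1 at 128, flow 2 may rise to 384.
    print("or, flow1 at 128  :", hierarchical_car({"flow1": 128.0, "flow2": 1000.0}, agg, 512.0, "or"))
```

In OR mode the aggregation CAR is a floor each flow is always allowed, not a ceiling, which is why a single busy flow can take the whole remainder of the hierarchical CAR; in AND mode it is a ceiling, so the hierarchical CAR can only push rates down.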
Name: hcar
Mode: hierarchy
CIR 1024(kbps) CBS: 8192(byte)
Green packet 0(Bytes), 0(Pkts)
Red packet 0(Bytes), 0(Pkts)
Field: Green Action, Yellow Action, Red Action
Description: Action to take on packets of that color, which can be:
• discard: Drops the packet
• pass: Permits the packet to pass through
• remark-dot1p-pass new-cos: Sets the 802.1p priority value of the packet to new-cos and permits the packet to pass through
• remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet to pass through
• … new-local-precedence and permits the packet to pass through
Field: Green packet
Description: Statistics on green packets
Field: Red packet
Description: Statistics on red packets
green action: Specifies the action to take on packets that conform to the CIR. The default is pass.
yellow action: Specifies the action to take on packets that conform to the PIR but not to the CIR. The default is pass.
red action: Specifies the action to take on packets that conform to neither the CIR nor the PIR. The default is discard.
action: Action to take on packets, which can be:
• discard: Drops the packet.
• pass: Permits the packet to pass through.
• remark-dot1p-pass new-cos: Sets the 802.1p priority value of the packet to new-cos and permits the packet to pass through. The new-cos argument ranges from 0 to 7.
• remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet to pass through. The new-dscp argument ranges from 0 to 63.
Description
Use the qos car aggregative command to configure an aggregation CAR action.
Use the undo qos car command to remove an aggregation CAR action.
An aggregation CAR action does not take effect until it is applied to an interface or referenced in a QoS policy.
Examples
# Configure the aggregation CAR action aggcar-1 as follows: set the CIR to 256 kbps and the CBS to 4096 bytes, and drop red packets.
<Sysname> system-view
[Sysname] qos car aggcar-1 aggregative cir 256 cbs 4096 red discard
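How the green, yellow and red colors and their actions come about, as an added example that is not code from the command reference or from H3C. The policer below is a color-blind two-rate three-color marker in the style of RFC 2698 (modelling the switch as exactly this marker is an assumption): a packet that fits the committed bucket is green, one that fits only the peak bucket is yellow, and one that fits neither is red. Without a PIR the peak bucket is absent and packets are simply green or red, which is the situation of the example above (CIR 256 kbps, CBS 4096 bytes, red packets discarded). The action strings accepted are the ones listed under the action parameter.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass
class Packet:
    size: int        # bytes
    dot1p: int = 0   # 802.1p priority
    dscp: int = 0


def apply_action(action: str, pkt: Packet) -> Optional[Packet]:
    """Apply one CAR action string from the reference; None means the packet is discarded."""
    parts = action.split()
    if parts[0] == "discard":
        return None
    if parts[0] == "pass":
        return pkt
    if parts[0] == "remark-dot1p-pass":
        new_cos = int(parts[1])
        if not 0 <= new_cos <= 7:
            raise ValueError("new-cos ranges from 0 to 7")
        return replace(pkt, dot1p=new_cos)
    if parts[0] == "remark-dscp-pass":
        new_dscp = int(parts[1])
        if not 0 <= new_dscp <= 63:
            raise ValueError("new-dscp ranges from 0 to 63")
        return replace(pkt, dscp=new_dscp)
    raise ValueError(f"unknown action: {action}")


class Car:
    """Two-rate, three-color policer (RFC 2698 style, color-blind); tokens are bytes.

    Without a PIR the policer degrades to a single bucket: packets either
    conform to the CIR (green) or do not (red). Modelling the device as this
    particular marker is an assumption.
    """

    def __init__(self, cir_kbps: int, cbs_bytes: int,
                 pir_kbps: Optional[int] = None, pbs_bytes: Optional[int] = None,
                 green: str = "pass", yellow: str = "pass", red: str = "discard"):
        if pir_kbps is not None and (pbs_bytes is None or pir_kbps < cir_kbps):
            raise ValueError("a PIR needs a PBS and must not be lower than the CIR")
        self.cir_bps = cir_kbps * 125          # kbps -> bytes per second
        self.cbs = cbs_bytes
        self.pir_bps = None if pir_kbps is None else pir_kbps * 125
        self.pbs = pbs_bytes
        self.actions = {"green": green, "yellow": yellow, "red": red}
        self.tc = float(cbs_bytes)             # committed bucket starts full
        self.tp = float(pbs_bytes or 0)        # peak bucket starts full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + self.cir_bps * elapsed)
        if self.pir_bps is not None:
            self.tp = min(self.pbs, self.tp + self.pir_bps * elapsed)

    def color(self, pkt: Packet, now: float) -> str:
        """Mark a packet arriving at time 'now' (seconds) and debit the buckets."""
        self._refill(now)
        if self.pir_bps is not None and pkt.size > self.tp:
            return "red"                       # exceeds even the peak rate
        if pkt.size > self.tc:
            if self.pir_bps is None:
                return "red"                   # single bucket: not CIR-conforming
            self.tp -= pkt.size
            return "yellow"                    # within the PIR but not the CIR
        self.tc -= pkt.size
        if self.pir_bps is not None:
            self.tp -= pkt.size
        return "green"

    def police(self, pkt: Packet, now: float) -> Tuple[str, Optional[Packet]]:
        """Color the packet and apply the action configured for that color."""
        c = self.color(pkt, now)
        return c, apply_action(self.actions[c], pkt)


if __name__ == "__main__":
    # The 'qos car aggcar-1 aggregative cir 256 cbs 4096 red discard' example:
    car = Car(cir_kbps=256, cbs_bytes=4096, red="discard")
    for _ in range(3):
        print("t=0.0s", car.police(Packet(1500), 0.0)[0])   # green, green, red
    print("t=1.0s", car.police(Packet(1500), 1.0)[0])       # green again after refill
```

Three back-to-back 1500-byte packets at time 0 exhaust a 4096-byte CBS after the second one, so the third is red and discarded; one second later the 256 kbps CIR has refilled 32000 bytes, the bucket is capped at the CBS again, and the next packet is green. The CBS is therefore the largest burst the CAR lets through above the average rate.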
Description
Use the qos car hierarchy command to configure a hierarchical CAR action.
Use the undo qos car command to remove a hierarchical CAR action.
A hierarchical CAR action takes effect only after it is referenced in a QoS policy.
Examples
# Configure the hierarchical CAR action hcar as follows: set the CIR to 256 kbps and the CBS to 8192 bytes.
<Sysname> system-view
[Sysname] qos car hcar hierarchy cir 256 cbs 8192
8 Data Buffer Configuration Commands
burst-mode enable
Syntax
burst-mode enable
undo burst-mode enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the burst-mode enable command to enable the burst function.
Use the undo burst-mode enable command to disable the burst function.
By default, the burst function is disabled.
The burst function allows the switch to automatically determine the shared resource size, the minimum guaranteed resource size for each queue, the maximum shared resource size for each queue, and the maximum shared resource size per port. The function optimizes the packet buffering scheme to enhance forwarding performance.
The burst-mode enable command cannot work in conjunction with any manual data buffer configuration commands.
The data buffer configuration is complicated and significantly affects the forwarding performance of a device. Do not modify the data buffer parameters unless you are sure that your device will benefit from the change. If a larger buffer is needed, it is recommended that you enable the burst function so that the buffer is allocated automatically. The commands in this section are mutually exclusive with the burst-mode enable command.
buffer apply
Syntax
buffer apply
undo buffer apply
View
System view
Default Level
2: System level
Parameters
None
Description
Use the buffer apply command to apply the configured data buffer settings.
Use the undo buffer apply command to restore the default.
Table 8-1 shows the default data buffer allocation schemes of the S5820X and the S5800 series switches.
Table 8-1 Default data buffer allocation schemes of the S5820X and the S5800 series switches
Hardware platform       Resource type     Shared resource size   Minimum guaranteed resource size per queue   Maximum shared resource size per queue   Maximum shared resource size per port
S5800 series switches   Cell resource     70%                    12%                                          6%                                       33%
S5800 series switches   Packet resource   69%                    12%                                          6%                                       33%
S5820X series switches  Cell resource     62%                    12%                                          6%                                       33%
guaranteed resource space. For example, if you set the minimum guaranteed resource size to 30% for a queue, the other seven queues will each share 10% of the remaining dedicated resource of the port.
Examples
# Configure 20% of the dedicated buffer per port as the minimum guaranteed resource for queue 0 in the cell resource.
<Sysname> system-view
[Sysname] buffer egress cell queue 0 guaranteed ratio 20
# In an IRF virtual device, configure 15% of the dedicated buffer per port as the minimum guaranteed resource for queue 0 in the cell resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell queue 0 guaranteed ratio 15
The maximum shared resource settings of a queue take effect globally, and apply to the queue with the same number on each port.
Examples
# Set the maximum shared resource size for queue 0 to 10% in the cell resource.
<Sysname> system-view
[Sysname] buffer egress cell queue 0 shared ratio 10
# In an IRF virtual device, set the maximum shared resource size of queue 0 to 5% in the cell resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell queue 0 shared ratio 5
# In an IRF virtual device, set the maximum shared resource size per port to 40% in the cell resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell shared ratio 40
# In an IRF virtual device, set 65% of the cell resource as the shared resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell total-shared ratio 65