
H3C S5820X&S5800 Series Ethernet Switches ACL and QoS Command Reference

Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com


Document Version: 6W103-20100716 Product Version: Release 1110

Copyright 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface
The H3C S5800&S5820X documentation set includes 11 command references, which describe the commands and command syntax options for the S5800&S5820X Release 1110. The ACL and QoS Command Reference describes ACL and QoS configuration commands. It covers the commands for creating ACLs, using ACLs for packet filtering, configuring QoS policies, and configuring common QoS techniques, such as traffic policing, traffic shaping, congestion management, and congestion avoidance. This preface includes:
- Audience
- Document Organization
- Conventions
- About the H3C S5820X&S5800 Documentation Set
- Obtaining Documentation
- Documentation Feedback

Audience
This documentation set is intended for:
- Network planners
- Field technical support and servicing engineers
- Network administrators working with the S5800 and S5820X series

Document Organization
The ACL and QoS Command Reference comprises these parts:
- ACL Configuration Commands
- QoS Policy Configuration Commands
- Priority Mapping Configuration Commands
- GTS and Line Rate Configuration Commands
- Congestion Management Configuration Commands
- Congestion Avoidance Configuration Commands
- Global CAR Configuration Commands
- Data Buffer Configuration Commands

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
italic | Italic text represents arguments that you replace with actual values.
[ ] | Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] | Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * | Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] * | Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n> | The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
# | A line that starts with a pound (#) sign is a comment.

GUI conventions
Convention | Description
Boldface | Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
> | Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Convention Description Means reader be careful. Improper operation may cause data loss or damage to equipment. Means a complementary description.

About the H3C S5820X&S5800 Documentation Set


The H3C S5800&S5820X documentation set also includes:
Category: Product description and specifications
- Marketing brochures: Describe product specifications and benefits.
- Technology white papers: Provide an in-depth description of software features and technologies.

Category: Pluggable module description
- PSR150-A [ PSR150-D ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 150W power modules available for the products.
- PSR300-12A [ PSR300-12D1 ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 300W power modules available for the products.
- PSR750-A [ PSR750-D ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 750W power modules available for the products.
- RPS User Manual: Describes the appearances, features, and specifications of the RPS units available for the products.
- LSW1FAN and LSW1BFAN Installation Manual: Describes the appearances, specifications, installation, and removal of the pluggable fan modules available for the products.
- LSW148POEM Module User Manual: Describes the appearance, features, installation, and removal of the pluggable PoE module available for the products.
- S5820X [ S5800 ] Series Ethernet Switches Interface Cards User Manual: Describes the models, hardware specifications, installation, and removal of the interface cards available for the products.
- H3C OAP Cards User Manual: Describes the benefits, features, hardware specifications, installation, and removal of the OAP cards available for the products.
- H3C Low End Series Ethernet Switches Pluggable Modules Manual: Describes the models, appearances, and specifications of the pluggable modules available for the products.

Category: Power configuration
- S5800-60C-PWR Ethernet Switch Hot Swappable Power Module Ordering Guide: Guides you through ordering the hot-swappable power modules available for the S5800-60C-PWR switches in different cases.
- RPS Ordering Information for H3C Low-End Ethernet Switches: Provides the RPS and switch compatibility matrix and RPS cable specifications.

S5800 Series Ethernet Switches Quick Start S5820X Series Ethernet Switches Quick Start S5800 Series Ethernet Switches CE DOC S5820X Series Ethernet Switches CE DOC S5800 Series Ethernet Switches Quick Start S5820X Series Ethernet Switches Quick Start S5800 Series Ethernet Switches Installation Manual S5820X Series Ethernet Switches Installation Manual

Hardware installation

Provides regulatory information and the safety instructions that must be followed during installation.

Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.

Provides a complete guide to hardware installation and hardware specifications.

- Pluggable SFP[SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
- S5800-60C-PWR Switch Video Installation Guide, S5820X-28C Switch Video Installation Guide: Shows how to install the H3C S5800-60C-PWR and H3C S5820X-28C Ethernet switches.

Category: Software configuration
- Configuration guide: Describe software features and configuration procedures.
- Command reference: Provide a quick reference to all available commands.

Category: Operations and maintenance
- H3C Series Ethernet Switches Login Password Recovery Manual: Tells how to find the lost password or recover the password when the login password is lost.
- Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
- [Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
- [Products & Solutions] Provides information about products and technologies, as well as solutions.
- [Technical Support & Documents > Software Download] Provides the documentation released with the software version.

Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Table of Contents

1 ACL Configuration Commands
- ACL Configuration Commands: acl; acl copy; acl ipv6; acl ipv6 copy; acl ipv6 logging frequence; acl ipv6 name; acl logging frequence; acl name; description; display acl; display acl ipv6; display acl resource; display packet-filter; display time-range; packet-filter; packet-filter ipv6; reset acl counter; reset acl ipv6 counter; rule (Ethernet frame header ACL view); rule (IPv4 basic ACL view); rule (IPv4 advanced ACL view); rule (IPv6 advanced ACL view); rule (IPv6 basic ACL view); rule comment; step; time-range

2 QoS Policy Configuration Commands
- Class Configuration Commands: display traffic classifier; if-match; traffic classifier
- Traffic Behavior Configuration Commands: accounting; car; display traffic behavior; filter; redirect; remark dot1p; remark drop-precedence; remark dscp; remark ip-precedence; remark local-precedence; remark qos-local-id; traffic behavior
- QoS Policy Configuration and Application Commands: classifier behavior; display qos policy; display qos policy global; display qos policy interface; display qos vlan-policy; qos apply policy (interface view, port group view); qos apply policy (user-profile view); qos apply policy global; qos policy; qos vlan-policy; reset qos policy global; reset qos vlan-policy

3 Priority Mapping Configuration Commands
- Priority Mapping Table Configuration Commands: display qos map-table; import; qos map-table
- Port Priority Configuration Commands: qos priority
- Per-Port Priority Trust Mode Configuration Commands: display qos trust interface; qos trust

4 GTS and Line Rate Configuration Commands
- GTS Configuration Commands: display qos gts interface; qos gts
- Line Rate Configuration Commands: display qos lr interface; qos lr

5 Congestion Management Configuration Commands
- SP Queuing Configuration Commands: display qos sp; qos sp
- WRR Queuing Configuration Commands: display qos wrr interface; qos wrr; qos wrr byte-count; qos wrr group sp
- WFQ Configuration Commands: display qos wfq interface; qos bandwidth queue; qos wfq; qos wfq weight

6 Congestion Avoidance Configuration Commands
- WRED Configuration Commands: display qos wred interface; display qos wred table; qos wred table; queue; qos wred apply

7 Global CAR Configuration Commands
- Global CAR Configuration Commands: car name; display qos car name; qos car aggregative; qos car hierarchy; reset qos car name

8 Data Buffer Configuration Commands
- Automatic Data Buffer Configuration Commands: burst-mode enable
- Manual Data Buffer Configuration Commands: buffer apply; buffer egress queue guaranteed; buffer egress queue shared; buffer egress shared; buffer egress total-shared

9 Index

1 ACL Configuration Commands

ACL Configuration Commands

acl

Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }

View
System view

Default Level
2: System level

Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL):
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs

name acl-name: Assigns a name for the IPv4 ACL for the ease of identification. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and, to avoid confusion, cannot be all.

match-order: Sets the order in which ACL rules are compared against packets:
- auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL Configuration in the ACL and QoS Configuration Guide for more information.
- config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv4 ACLs.

Description
Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly.
Use the undo acl command to delete the specified or all IPv4 ACLs.
By default, no ACL exists.
You can assign a name for an IPv4 ACL only when you create it. After creating an ACL, you can neither rename it nor remove its name, if any.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl command.

Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]

# Create IPv4 basic ACL 2002, named flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2002 name flow
[Sysname-acl-basic-2002-flow]

acl copy

Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View
System view

Default Level
2: System level

Parameters
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs

name source-acl-name: Specifies a source IPv4 ACL that already exists by its name. The source-acl-name argument takes a case insensitive string of 1 to 32 characters.

dest-acl-number: Assigns a unique number for the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs

name dest-acl-name: Assigns a unique name for the IPv4 ACL you are creating. The dest-acl-name takes a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description
Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. Except the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv4 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.

Examples
# Create ACL 2002 by copying ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002

acl ipv6

Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }

View
System view

Default Level
2: System level

Parameters
number acl6-number: Specifies the number of an IPv6 ACL:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs

name acl6-name: Assigns a name for the IPv6 ACL for the ease of identification. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and, to avoid confusion, cannot be all.

match-order { auto | config }: Sets the order in which ACL rules are compared against packets:
- auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL Configuration in the ACL and QoS Configuration Guide for more information.
- config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv6 ACLs.

Description
Use the acl ipv6 command to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly.
Use the undo acl ipv6 command to delete a specified IPv6 ACL or all IPv6 ACLs.
By default, no ACL exists.
You can assign a name for an IPv6 ACL only when you create it. After creating an ACL, you can neither rename it nor remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl ipv6 command.

Examples
# Create IPv6 ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]

# Create IPv6 basic ACL 2001 named flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]

acl ipv6 copy

Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

View
System view

Default Level
2: System level

Parameters
source-acl6-number: Specifies a source IPv6 ACL that already exists by its number:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs

name source-acl6-name: Specifies a source IPv6 ACL that already exists by its name. The source-acl6-name argument takes a case insensitive string of 1 to 32 characters.

dest-acl6-number: Assigns a unique number for the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs

name dest-acl6-name: Assigns a unique name for the IPv6 ACL you are creating. The dest-acl6-name takes a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description
Use the acl ipv6 copy command to create an IPv6 ACL by copying an IPv6 ACL that already exists. Except the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv6 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.

Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002

acl ipv6 logging frequence

Syntax
acl ipv6 logging frequence frequence
undo acl ipv6 logging frequence

View
System view

Default Level
2: System level

Parameters
frequence: Specifies the interval in minutes at which IPv6 packet filtering logs are generated and output. It must be a multiple of 5 and in the range 0 to 1440. To disable generating IPv6 logs, assign 0 for the argument.

Description
Use the acl ipv6 logging frequence command to set the interval for generating and outputting IPv6 packet filtering logs. The log information includes the number of matching IPv6 packets and the matching IPv6 ACL rules. This command logs only for IPv6 basic and advanced ACL rules that have the logging keyword.
Use the undo acl ipv6 logging frequence command to restore the default.
By default, the interval is 0. No IPv6 packet filtering logs are generated.
Related commands: packet-filter ipv6, rule (IPv6 advanced ACL view), rule (IPv6 basic ACL view).

Examples
# Enable the device to generate and output IPv6 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl ipv6 logging frequence 10

acl ipv6 name

Syntax
acl ipv6 name acl6-name

View
System view

Default Level
2: System level

Parameters
acl6-name: Specifies the name of an existing IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the acl ipv6 name command to enter the view of an existing IPv6 ACL by specifying its name.
Related commands: acl ipv6.

Examples
# Enter the view of IPv6 ACL flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]

acl logging frequence

Syntax
acl logging frequence frequence
undo acl logging frequence

View
System view

Default Level
2: System level

Parameters
frequence: Specifies the interval in minutes at which IPv4 packet filtering logs are generated and output. It must be a multiple of 5 and in the range 0 to 1440. To disable generating IPv4 logs, assign 0 for the argument.

Description
Use the acl logging frequence command to set the interval for generating and outputting IPv4 packet filtering logs. The log information includes the number of matching IPv4 packets and the matching IPv4 ACL rules used. This command logs only for IPv4 basic and advanced ACL rules that have the logging keyword.
Use the undo acl logging frequence command to restore the default.
By default, the interval is 0. No IPv4 packet filtering logs are generated.
Related commands: packet-filter, rule (IPv4 advanced ACL view), rule (IPv4 basic ACL view).

Examples
# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl logging frequence 10

acl name

Syntax
acl name acl-name

View
System view

Default Level
2: System level

Parameters
acl-name: Specifies the name of an existing IPv4 ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name.
Related commands: acl.

Examples
# Enter the view of IPv4 ACL flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]

description

Syntax
description text
undo description

View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default Level
2: System level

Parameters
text: ACL description, a case sensitive string of 1 to 127 characters.

Description
Use the description command to configure a description for an ACL.
Use the undo description command to remove the ACL description.
By default, an ACL has no ACL description.
Related commands: display acl, display acl ipv6.

Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used in eth 0

# Configure a description for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is a IPv6 basic ACL.

display acl

Syntax
display acl { acl-number | all | name acl-name } [ slot slot-number ]

View
Any view

Default Level
1: Monitor level

Parameters
acl-number: Specifies an IPv4 ACL by its number:
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs

all: Displays information for all IPv4 ACLs.

name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

slot slot-number: Displays the matching information of the IPv4 ACLs on a member device in the IRF. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF.

Description
Use the display acl command to display configuration and match statistics for the specified or all IPv4 ACLs.
This command displays ACL rules in the config or depth-first order, whichever is configured.

Examples
# Display information about IPv4 ACL 2001.
<Sysname> display acl 2001
Basic ACL  2001, named flow, 1 rule,
test acl
ACL's step is 5
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 5 comment This rule is used in GE 1/0/1

Table 1-1 display acl command output description
Field | Description
Basic ACL 2001 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2001.
named flow | The name of the ACL is flow. "none-" means the ACL is not named.
1 rule | The ACL contains one rule.
test acl | The description for the ACL is "test acl". This field is not displayed when the ACL has no description or the slot slot-number combination is provided in the command.
ACL's step is 5 | The rule numbering step is 5.
5 times matched | There have been five matches for the rule. Only ACL matches performed by software are counted. This field is not displayed when no match is found.
rule 5 comment This rule is used in GE 1/0/1 | The description of ACL rule 5 is "This rule is used in GE 1/0/1." This field is not displayed when the rule has no description or the slot slot-number combination is provided in the command.

display acl ipv6

Syntax
display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ]

View
Any view

Default Level
1: Monitor level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs

all: Displays information for all IPv6 ACLs.

name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

slot slot-number: Displays the matching information of the IPv6 ACLs on a member device in the IRF. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF.

Description
Use the display acl ipv6 command to display the configuration and match statistics for the specified or all IPv6 ACLs.
This command displays ACL rules in the config or depth-first order, whichever is configured.

Examples
# Display information about IPv6 ACL 2001.
<Sysname> display acl ipv6 2001
Basic IPv6 ACL  2001, named flow, 1 rule,
test acl
ACL's step is 5
 rule 0 permit source 1::2/128 (5 times matched)
 rule 0 comment This rule is used in GE 1/0/1

Table 1-2 display acl ipv6 command output description
Field | Description
Basic IPv6 ACL 2001 | Category and number of the ACL. The following field information is about this IPv6 basic ACL 2001.
named flow | The name of the ACL is flow. "none-" means the ACL is not named.
1 rule | The ACL contains one rule.
test acl | The description for the ACL is "test acl". This field is not displayed when the ACL has no description or the slot slot-number combination is provided in the command.
ACL's step is 5 | The rule numbering step is 5.
rule 0 permit | Content of rule 0
5 times matched | There have been five matches for the rule. Only IPv6 ACL matches performed by software are counted. This field is not displayed when no packets have matched the rule.
rule 0 comment This rule is used in GE 1/0/1 | The description of ACL rule 0 is "This rule is used in GE 1/0/1." This field is not displayed when the rule has no description or the slot slot-number combination is provided in the command.

display acl resource

Syntax
display acl resource [ slot slot-number ]

View
Any view

Default Level
1: Monitor level

Parameters
slot slot-number: Displays the usage of ACL resources on a member device in the IRF. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF. If no IRF exists, the slot-number argument is the current device number.

Description
Use the display acl resource command to display the usage of ACL resources.
If no slot is specified, the output statistics differ depending on whether the switch is an IRF member.
- If the device is an IRF member, the ACL rule usage statistics for all switches in the IRF are displayed.
- If the switch is not an IRF member, only the ACL rule usage statistics for it are displayed.

Examples
# Display the ACL resource usage on a switch.
<Sysname> display acl resource
Interface: GE1/0/1 to GE1/0/24
--------------------------------------------------------------------------------
 Type          Total    Reserved    Configured    Remaining
--------------------------------------------------------------------------------
 VFP ACL       2048     0           0             2048
 IFP ACL       8192     2048        21            6123
 IFP Meter     4096     1024        0             3072
 IFP Counter   4096     1024        21            3051
 EFP ACL       1024     0           21            1003
 EFP Meter     512      0           0             512
 EFP Counter   512      0           21            491

Interface: GE1/0/25 to GE1/0/48, XGE1/0/49 to XGE1/0/52
--------------------------------------------------------------------------------
 Type          Total    Reserved    Configured    Remaining
--------------------------------------------------------------------------------
 VFP ACL       2048     0           0             2048
 IFP ACL       8192     2048        0             6144
 IFP Meter     4096     1024        0             3072
 IFP Counter   4096     1024        0             3072
 EFP ACL       1024     0           0             1024
 EFP Meter     512      0           0             512
 EFP Counter   512      0           0             512

display acl resource command output description
Field | Description
Interface | Interface indicated by its type and number
Type | Resource type: ACL indicates ACL rule resources; Meter indicates traffic policing resources; Counter indicates traffic statistics resources; VFP indicates the count of resources that are before Layer 2 forwarding and applied in QinQ; IFP indicates the count of resources in the inbound direction; EFP indicates the count of resources in the outbound direction.
Total | Total number of ACL rules supported
Reserved | Number of reserved ACL rules
Configured | Number of configured ACL rules
Remaining | Number of remaining ACL rules

display packet-filter

Syntax
display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }

View
Any view

Default Level
1: Monitor level

Parameters
all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number. VLAN interfaces are not supported.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

interface vlan-interface vlan-interface-number: Specifies a VLAN interface by its number.

slot slot-number: Specifies a member device in the IRF by its member number. The slot-number argument is the member number of the device in the IRF, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF.

Description
Use the display packet-filter command to display application information of ACLs for packet filtering in the inbound, outbound, or both directions of the interface.
If neither the inbound keyword nor the outbound keyword is specified, the command displays application information of ACLs for packet filtering in both the inbound and outbound directions of the interface.

Examples
# Display the application information of ACLs for packet filtering in the inbound and outbound directions of interface GigabitEthernet 1/0/1.
<Sysname> display packet-filter interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 In-bound Policy:
  acl 2001, Successful
 Out-bound Policy:
  acl6 2500, Fail

Table 1-3 display packet-filter command output description
Field | Description
Interface | Interface to which the ACL applies
In-bound Policy | ACL application information in the inbound direction
Out-bound Policy | ACL application information in the outbound direction
acl 2001, Successful | IPv4 ACL 2001 was applied successfully
acl6 2500, Fail | Failed to apply IPv6 ACL 2500
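An added example (not part of the H3C manual): a Python parser for the display packet-filter output described above that labels each ACL with the number ranges documented in this chapter and lists the bindings reported as Fail. The second interface in the sample, the function names and the class name are constructed for illustration; only numeric ACLs are handled, because the page shows no output for named ACLs.

```python
import re
from dataclasses import dataclass

# ACL number ranges as documented for the acl and acl ipv6 commands.
IPV4_CATEGORIES = {
    "basic": range(2000, 3000),
    "advanced": range(3000, 4000),
    "Ethernet frame header": range(4000, 5000),
}
IPV6_CATEGORIES = {"basic": range(2000, 3000), "advanced": range(3000, 4000)}

# Constructed sample: the first interface repeats the manual's example,
# the second interface is invented to exercise the parser.
SAMPLE_OUTPUT = """\
<Sysname> display packet-filter all
Interface: GigabitEthernet1/0/1
 In-bound Policy:
  acl 2001, Successful
 Out-bound Policy:
  acl6 2500, Fail
Interface: GigabitEthernet1/0/2
 In-bound Policy:
  acl 4001, Successful
"""

# Token-based matching tolerates output that was flattened onto one line.
TOKEN = re.compile(
    r"Interface:\s*(?P<iface>\S+)"
    r"|(?P<dir>In|Out)-bound Policy:"
    r"|\b(?P<kind>acl6?)\s+(?P<num>\d+),\s*(?P<status>Successful|Fail)\b"
)


@dataclass(frozen=True)
class Binding:
    interface: str
    direction: str   # "inbound" or "outbound"
    family: str      # "IPv4" or "IPv6"
    number: int
    category: str
    applied: bool    # True for "Successful", False for "Fail"


def classify(kind, number):
    """Map an ACL keyword (acl or acl6) and number to its documented category."""
    ranges = IPV6_CATEGORIES if kind == "acl6" else IPV4_CATEGORIES
    for name, numbers in ranges.items():
        if number in numbers:
            return name
    return "outside documented ranges"


def parse_packet_filter(text):
    """Return one Binding per ACL line, tracking the current interface and direction."""
    bindings, iface, direction = [], None, None
    for m in TOKEN.finditer(text):
        if m.group("iface"):
            iface, direction = m.group("iface"), None
        elif m.group("dir"):
            direction = "inbound" if m.group("dir") == "In" else "outbound"
        elif iface and direction:
            number = int(m.group("num"))
            bindings.append(Binding(
                interface=iface,
                direction=direction,
                family="IPv6" if m.group("kind") == "acl6" else "IPv4",
                number=number,
                category=classify(m.group("kind"), number),
                applied=m.group("status") == "Successful",
            ))
    return bindings


def failed_bindings(bindings):
    """ACLs the switch reported as Fail: configured but not in effect."""
    return [b for b in bindings if not b.applied]


if __name__ == "__main__":
    for b in failed_bindings(parse_packet_filter(SAMPLE_OUTPUT)):
        print(f"{b.interface} {b.direction}: {b.family} {b.category} "
              f"ACL {b.number} failed to apply")
```

A Fail entry deserves follow-up with display acl resource, since the configured filter is not protecting that direction of the interface.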

display time-range
Syntax
display time-range { time-range-name | all }

View
Any view

Default Level
1: Monitor level

Parameters
time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.

Description
Use the display time-range command to display the configuration and status of a specified time range or all time ranges.

Examples
# Display the configuration and status of time range trname.
<Sysname> display time-range trname
Current time is 10:45:15 4/14/2005 Thursday
Time-range : trname ( Inactive )
 from 08:00 12/1/2005 to 23:59 12/31/2100

Table 1-4 display time-range command output description


| Field | Description |
|---|---|
| Current time | Current system time |
| Time-range | Configuration and status of the time range, including the name of the time range, its status (active or inactive), and its start time and end time. |

packet-filter
Syntax
packet-filter { acl-number | name acl-name } { inbound | outbound }
undo packet-filter { acl-number | name acl-name } { inbound | outbound }

View
Ethernet interface view, VLAN interface view

Default Level
2: System level

Parameters
acl-number: Specifies an IPv4 ACL by its number:
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming IPv4 packets.
outbound: Filters outgoing IPv4 packets.

Description
Use the packet-filter command to apply an ACL to an interface to filter IPv4 packets or Ethernet frames.
Use the undo packet-filter command to restore the default.
By default, an interface does not filter packets and Ethernet frames.
Related commands: display packet-filter.
Note that you can apply only one IPv4 ACL or one Ethernet frame header ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL.

Examples
# Apply basic IPv4 ACL 2001 to the inbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound

# Apply advanced IPv4 ACL 3001 to the inbound direction of VLAN interface 10.
<Sysname> system-view
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] packet-filter 3001 inbound

packet-filter ipv6
Syntax
packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }

View
Ethernet interface view, VLAN interface view

Default Level
2: System level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming IPv6 packets.
outbound: Filters outgoing IPv6 packets.

Description
Use the packet-filter ipv6 command to apply an IPv6 ACL to an interface to filter IPv6 packets.
Use the undo packet-filter ipv6 command to restore the default.
By default, an interface does not filter IPv6 packets.
Related commands: display packet-filter ipv6.
Note that you can apply only one IPv6 ACL on an interface. To modify the ACL configured on an interface, you need to remove the previous configuration first and then configure a new ACL.

Examples
# Apply basic IPv6 ACL 2500 to the outbound direction of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter ipv6 2500 outbound

# Apply advanced IPv6 ACL 3000 to the outbound direction of VLAN interface 20.
<Sysname> system-view
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] packet-filter ipv6 3000 outbound

reset acl counter


Syntax
reset acl counter { acl-number | all | name acl-name }

View
User view

Default Level
2: System level

Parameters
acl-number: Specifies an IPv4 ACL by its number:
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the reset acl counter command to clear statistics for the specified or all IPv4 ACLs.
Related commands: display acl.

Examples
# Clear statistics for IPv4 ACL 2001.
<Sysname> reset acl counter 2001

# Clear statistics for IPv4 ACL flow.
<Sysname> reset acl counter name flow

reset acl ipv6 counter


Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }

View
User view

Default Level
2: System level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the reset acl ipv6 counter command to clear statistics for the specified or all IPv6 basic and IPv6 advanced ACLs.

Examples
# Clear statistics for IPv6 ACL 2001.
<Sysname> reset acl ipv6 counter 2001

# Clear statistics for IPv6 ACL flow.
<Sysname> reset acl ipv6 counter name flow

rule (Ethernet frame header ACL view)


Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-type lsap-type-mask | source-mac sour-addr source-mask | time-range time-range-name | type protocol-type protocol-type-mask ] *
undo rule rule-id

View
Ethernet frame header ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an Ethernet frame header ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl command.
Related commands: acl, display acl, step.

For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, the lsap keyword is not supported.

Examples
# Create a rule in ACL 4000 to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3

rule (IPv4 basic ACL view)


Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

View
IPv4 basic ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module that uses the ACL supports the logging function.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

Description
Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step.

For a basic IPv4 ACL rule to be referenced by a QoS policy for traffic classification, the logging and vpn-instance keywords are not supported.

Examples
# Create a rule in ACL 2000 to deny packets sourced from 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

rule (IPv4 advanced ACL view)


Syntax
rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *

View
IPv4 advanced ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 1-5 describes the parameters that can be specified after the protocol argument.

Table 1-5 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters: source { sour-addr sour-wildcard | any }
Function: Specifies a source address
Description: The sour-addr sour-wildcard arguments represent a source IP address in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.

Parameters: destination { dest-addr dest-wildcard | any }
Function: Specifies a destination address
Description: The dest-addr dest-wildcard arguments represent a destination IP address in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.

Parameters: precedence precedence
Function: Specifies an IP precedence value
Description: The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

Parameters: tos tos
Function: Specifies a ToS preference
Description: The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

Parameters: dscp dscp
Function: Specifies a DSCP priority
Description: The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

Parameters: logging
Function: Logs matched packets
Description: This function requires that the module that uses the ACL supports logging.

Parameters: reflective
Function: Specifies that the rule be reflective
Description: Not supported

Parameters: vpn-instance vpn-instance-name
Function: Applies the rule to packets in a VPN instance
Description: The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. Without this combination, the rule applies to only non-VPN packets.

Parameters: fragment
Function: Applies the rule to only non-first fragments
Description: Without this keyword, the rule applies to all fragments and non-fragments.

Parameters: time-range time-range-name
Function: Specifies a time range for the rule
Description: The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

Setting the protocol argument to tcp (6) or udp (17), you may define the parameters shown in Table 1-6.


Table 1-6 TCP/UDP-specific parameters for IPv4 advanced ACL rules


Parameters: source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports

Parameters: destination-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP destination ports

Description (source-port and destination-port): The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

Parameters: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG
Description: Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP flags in one rule are ANDed.

Parameters: established
Function: Specifies the TCP flags ACK and RST
Description: Parameters specific to TCP. A rule with this keyword configured matches TCP connection packets with the ACK or RST flag value being 1.

Setting the protocol argument to icmp (1), you may define the parameters shown in Table 1-7.


Table 1-7 ICMP-specific parameters for IPv4 advanced ACL rules


Parameters: icmp-type { icmp-type icmp-code | icmp-message }
Function: Specifies the ICMP message type and code
Description: The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 1-8.

Table 1-8 ICMP message names supported in IPv4 advanced ACL rules
| ICMP message name | Type | Code |
|---|---|---|
| echo | 8 | 0 |
| echo-reply | 0 | 0 |
| fragmentneed-DFset | 3 | 4 |
| host-redirect | 5 | 1 |
| host-tos-redirect | 5 | 3 |
| host-unreachable | 3 | 1 |
| information-reply | 16 | 0 |
| information-request | 15 | 0 |
| net-redirect | 5 | 0 |
| net-tos-redirect | 5 | 2 |
| net-unreachable | 3 | 0 |
| parameter-problem | 12 | 0 |
| port-unreachable | 3 | 3 |
| protocol-unreachable | 3 | 2 |
| reassembly-timeout | 11 | 1 |
| source-quench | 4 | 0 |
| source-route-failed | 3 | 5 |
| timestamp-reply | 14 | 0 |
| timestamp-request | 13 | 0 |
| ttl-exceeded | 11 | 0 |

Description
Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv4 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, step.

For an advanced IPv4 ACL to be referenced by a QoS policy for traffic classification:
- The logging and vpn-instance keywords are not supported.
- The operator cannot be neq if the ACL is for the inbound traffic.
- The operator cannot be gt, lt, neq, or range if the ACL is for the outbound traffic.

Examples
# Create a rule to permit TCP packets with the destination port of 80 from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
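
The matching semantics described in this entry (wildcard masks, port operators, ANDed TCP flags, established, and automatic rule numbering) can be checked offline before a rule set is applied. The following Python sketch is an added example, not part of the H3C manual. It assumes that match order config means ascending rule ID with the first match deciding, handles only the keywords shown, and uses hypothetical function names and constructed sample packets.

```python
import ipaddress

# Keyword subsets copied from the protocol list and Table 1-6 above.
PROTOCOLS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")
PORT_OPERANDS = {"lt": 1, "gt": 1, "eq": 1, "neq": 1, "range": 2}


def to_int(addr):
    # Dotted-decimal address or wildcard as an integer; a bare 0 is the all-zero wildcard.
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def parse_rule(line):
    """Parse a subset of: rule [ rule-id ] { deny | permit } protocol [ criteria ] *"""
    tok = line.split()
    i, rule = 1, {"id": None, "match": {}}
    if len(tok) > 1 and tok[1].isdigit():
        rule["id"], i = int(tok[1]), 2
    if len(tok) < i + 2 or tok[0] != "rule" or tok[i] not in ("permit", "deny"):
        raise ValueError("expected: rule [ rule-id ] { deny | permit } protocol")
    rule["action"], proto, i = tok[i], tok[i + 1], i + 2
    # "ip" puts no constraint on the protocol field; otherwise a keyword or a number.
    rule["protocol"] = None if proto == "ip" else PROTOCOLS[proto] if proto in PROTOCOLS else int(proto)
    while i < len(tok):
        key, i = tok[i], i + 1
        if key in ("source", "destination"):
            if tok[i] != "any":  # "any" leaves the address unconstrained
                rule["match"][key] = (to_int(tok[i]), to_int(tok[i + 1]))
            i += 1 if tok[i] == "any" else 2
        elif key in ("source-port", "destination-port"):
            n = PORT_OPERANDS[tok[i]]
            rule["match"][key] = (tok[i], [int(t) for t in tok[i + 1:i + 1 + n]])
            i += 1 + n
        elif key in TCP_FLAGS:
            rule["match"].setdefault("flags", {})[key] = int(tok[i])
            i += 1
        elif key == "established":
            rule["match"]["established"] = True
        else:
            raise ValueError("keyword not handled in this example: " + key)
    return rule


def port_ok(criterion, port):
    op, ports = criterion
    if port is None:  # the packet carries no TCP/UDP port
        return False
    tests = {"eq": port == ports[0], "neq": port != ports[0], "lt": port < ports[0],
             "gt": port > ports[0], "range": ports[0] <= port <= ports[-1]}
    return tests[op]


def rule_matches(rule, pkt):
    m, flags = rule["match"], pkt.get("flags", set())
    if rule["protocol"] is not None and rule["protocol"] != pkt["proto"]:
        return False
    for key, field in (("source", "src"), ("destination", "dst")):
        if key in m:
            care = ~m[key][1] & 0xFFFFFFFF  # wildcard 0 bits must match, 1 bits are ignored
            if (to_int(pkt[field]) & care) != (m[key][0] & care):
                return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if key in m and not port_ok(m[key], pkt.get(field)):
            return False
    # Listed flag values are ANDed; established needs the ACK or RST flag set.
    if any((name in flags) != bool(value) for name, value in m.get("flags", {}).items()):
        return False
    return not m.get("established") or bool({"ack", "rst"} & flags)


def add_rule(acl, line, step=5):
    rule = parse_rule(line)
    if rule["id"] is None:
        # Next multiple of the step above the highest existing ID, starting from 0.
        rule["id"] = (max(acl) // step + 1) * step if acl else 0
    acl[rule["id"]] = rule  # simplification: an existing ID is replaced, not merged
    return rule["id"]


def evaluate(acl, pkt):
    # Assumption: match order config, i.e. ascending rule ID and the first match decides.
    hit = next((r for _, r in sorted(acl.items()) if rule_matches(r, pkt)), None)
    return (hit["id"], hit["action"]) if hit else None


def demo():
    acl = {}
    ids = [add_rule(acl, "rule permit tcp source 129.9.0.0 0.0.255.255 "
                         "destination 202.38.160.0 0.0.0.255 destination-port eq 80"),
           add_rule(acl, "rule 28 permit tcp established"), add_rule(acl, "rule deny ip")]
    tcp = {"proto": 6, "sport": 40000, "dport": 80, "flags": {"syn"}}
    packets = [  # constructed sample packets
        dict(tcp, src="129.9.1.2", dst="202.38.160.9"),
        dict(tcp, src="129.10.1.2", dst="202.38.160.9"),
        dict(tcp, src="10.0.0.1", dst="129.9.1.2", sport=80, dport=40000, flags={"syn", "ack"}),
    ]
    return ids, [evaluate(acl, p) for p in packets]
```

demo() returns the assigned rule IDs and, for each packet, the deciding rule ID and action. The established keyword is a per-packet test of the ACK and RST bits, exactly as Table 1-6 states, so the rule does not track connection state.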

rule (IPv6 advanced ACL view)


Syntax
rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *

View
IPv6 advanced ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Matches protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 1-9 describes the parameters that can be specified after the protocol argument.

Table 1-9 Match criteria and other rule information for IPv6 advanced ACL rules
Parameters: source { source source-prefix | source/source-prefix | any }
Function: Specifies a source IPv6 address
Description: The source and source-prefix arguments represent an IPv6 source address, and its prefix length ranges from 1 to 128. The any keyword represents any IPv6 source address.

Parameters: destination { dest dest-prefix | dest/dest-prefix | any }
Function: Specifies a destination IPv6 address
Description: The dest and dest-prefix arguments represent a destination IPv6 address, and its prefix length ranges from 1 to 128. The any keyword specifies any IPv6 destination address.

Parameters: dscp dscp
Function: Specifies a DSCP preference
Description: The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

Parameters: logging
Function: Logs matching packets
Description: This function requires that the module (for example, a firewall) that uses the ACL supports logging.

Parameters: fragment
Function: Applies the rule to only non-first fragments
Description: Without this keyword, the rule applies to all fragments and non-fragments.

Parameters: time-range time-range-name
Function: Specifies a time range for the rule
Description: The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Setting the protocol argument to tcp or udp, you may define the parameters shown in Table 1-10.

Table 1-10 TCP/UDP-specific parameters for IPv6 advanced ACL rules

Parameters: source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports

Parameters: destination-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP destination ports

Description (source-port and destination-port): The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

Parameters: { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG
Description: Parameters specific to TCP. The value for each argument can be 0 or 1. The TCP flags in one rule are ANDed.

Parameters: established
Function: Specifies the TCP flags ACK and RST
Description: Parameters specific to TCP. A rule with this keyword configured matches TCP connection packets with the ACK or RST flag value being 1.

Setting the protocol argument to icmpv6 (58), you may define the parameters shown in Table 1-11.

Table 1-11 ICMPv6-specific parameters for IPv6 advanced ACL rules

Parameters: icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message }
Function: Specifies the ICMPv6 message type and code
Description: The icmpv6-type argument ranges from 0 to 255. The icmpv6-code argument ranges from 0 to 255. The icmpv6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 1-12.

Table 1-12 ICMPv6 message names supported in IPv6 advanced ACL rules
| ICMPv6 message name | Type | Code |
|---|---|---|
| redirect | 137 | 0 |
| echo-request | 128 | 0 |
| echo-reply | 129 | 0 |
| err-Header-field | 4 | 0 |
| frag-time-exceeded | 3 | 1 |
| hop-limit-exceeded | 3 | 0 |
| host-admin-prohib | 1 | 1 |
| host-unreachable | 1 | 3 |
| neighbor-advertisement | 136 | 0 |
| neighbor-solicitation | 135 | 0 |
| network-unreachable | 1 | 0 |
| packet-too-big | 2 | 0 |
| port-unreachable | 1 | 4 |
| router-advertisement | 134 | 0 |
| router-solicitation | 133 | 0 |
| unknown-ipv6-opt | 4 | 2 |
| unknown-next-hdr | 4 | 1 |

Description
Use the rule command to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv6 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display ipv6 acl, step.

For an advanced IPv6 ACL to be referenced by a QoS policy for traffic classification:
- The logging and fragment keywords are not supported.
- The operator cannot be neq if the ACL is for the inbound traffic.
- The operator cannot be gt, lt, neq, or range if the ACL is for the outbound traffic.

Examples
# Create an IPv6 ACL rule to permit TCP packets with the destination port of 80 from 2030:5060::/64 to FE80:5060::/96.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80


rule (IPv6 basic ACL view)


Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *

View
IPv6 basic ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function requires that the module (for example, a firewall) that uses the ACL supports logging.
source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Matches a source address. The ipv6-address and prefix-length arguments represent a source IPv6 address and its address prefix length in the range 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the rule command to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv6 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv6 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display ipv6 acl, step.

For a basic IPv6 ACL to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported.

Examples
# Create an IPv6 ACL rule to deny packets sourced from FE80:5060::101/128.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule deny source fe80:5060::101/128

rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment

View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default Level
2: System level

Parameters
rule-id: Specifies the ID of an existing ACL rule. The ID ranges from 0 to 65534.
text: Provides a description for the ACL rule, a case sensitive string of 1 to 127 characters.

Description
Use the rule comment command to configure a description for an existing ACL rule or edit its description for the ease of identification.
Use the undo rule comment command to delete the ACL rule description.
By default, an IPv4 ACL rule has no rule description.
Related commands: display acl, display acl ipv6.

Examples
# Create a rule in IPv4 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GE 1/0/1.

# Create a rule in IPv6 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 1001::1 128
[Sysname-acl6-basic-2000] rule 0 comment This rule is used on GE 1/0/1.

step
Syntax
step step-value
undo step

View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default Level
2: System level

Parameters
step-value: ACL rule numbering step, which ranges from 1 to 20.

Description
Use the step command to set a rule numbering step for an ACL.
Use the undo step command to restore the default.
By default, the rule numbering step is 5.
Related commands: display acl, display acl ipv6.

Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2

# Set the rule numbering step to 2 for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2

time-range
Syntax time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 } undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ] View System view Default Level 2: System level Parameters time-range-name: Assign a name for a time range. The name is a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.


start-time to end-time: Specifies a periodic time range. Both start-time and end-time are in hh:mm format (24-hour clock), and each value ranges from 00:00 to 23:59. The end time must be greater than the start time.
days: Specifies the day or days of the week on which the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. The values are ANDed. These values can take one of the following forms:
• A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
• A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
• working-day for Monday through Friday.
• off-day for Saturday and Sunday.
• daily for the whole week.

from time1 date1: Specifies the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available in the system, 01/01/1970 00:00:00 AM.
to time2 date2: Specifies the end time and date of the absolute time range. The time2 argument is in the same format as that of the time1 argument, but its value ranges from 00:00 to 24:00. The format and value range of the date2 argument are the same as those of the date1 argument. The end time must be greater than the start time. If not specified, the end time is the maximum time available in the system, 12/31/2100 24:00:00 PM.

Description
Use the time-range command to create a time range.
Use the undo time-range command to delete a time range.
By default, no time range exists.
You can create a time range as follows:
• Create a periodic time range in the start-time to end-time days format. A periodic time range recurs periodically on a day or days of the week.
• Create an absolute time range in the from time1 date1 to time2 date2 format. Unlike a periodic time range, an absolute time range does not recur.
• Create a compound time range in the start-time to end-time days from time1 date1 to time2 date2 format. A compound time range recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.

You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones. You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most. Related commands: display time-range.

Examples
# Create a periodic time range test, setting it to be active from 8:00 to 18:00 on working days.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day

# Create an absolute time range t1, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t1 from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010

# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
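
The combination rule stated in the Description (periodic entries ORed, absolute entries ORed, the two results ANDed) decides when a time-based ACL rule is in force. The following is an added example, not H3C code: it parses the t3 and t4 statements above and evaluates that rule. The function names are hypothetical, and it assumes that a compound statement contributes one periodic and one absolute entry to the named range and that boundaries are inclusive at minute granularity.

```python
from datetime import datetime, timedelta

# Day values from the page: digits 0-6 mean Sunday-Saturday, plus the keyword forms.
DAYS = {"sun": {0}, "mon": {1}, "tue": {2}, "wed": {3}, "thu": {4}, "fri": {5},
        "sat": {6}, "working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6},
        "daily": set(range(7))}
EARLIEST = datetime(1970, 1, 1)  # start used when "from" is omitted
LATEST = datetime(2101, 1, 1)    # 12/31/2100 24:00, end used when "to" is omitted


def minutes(hhmm):
    """hh:mm on a 24-hour clock (24:00 allowed) as minutes since midnight."""
    hh, mm = (int(part) for part in hhmm.split(":"))
    if not (0 <= mm <= 59 and 0 <= hh * 60 + mm <= 24 * 60):
        raise ValueError(f"bad time {hhmm!r}")
    return hh * 60 + mm


def moment(hhmm, date):
    """Combine hh:mm with a date written as MM/DD/YYYY or YYYY/MM/DD."""
    a, b, c = (int(part) for part in date.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return datetime(year, month, day) + timedelta(minutes=minutes(hhmm))


def day_set(token):
    """One days value: a keyword from DAYS or a digit 0-6."""
    if token in DAYS:
        return DAYS[token]
    if token.isdigit() and int(token) <= 6:
        return {int(token)}
    raise ValueError(f"bad day {token!r}")


def load(config):
    """Parse time-range statements into {name: (periodic, absolute)} entry lists."""
    ranges = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "time-range":
            continue
        # Names are case insensitive; statements sharing a name extend one range.
        periodic, absolute = ranges.setdefault(tok[1].lower(), ([], []))
        rest, i = tok[2:], 0
        if ":" in rest[0]:  # periodic part: start-time to end-time days
            start, end, days, i = minutes(rest[0]), minutes(rest[2]), set(), 3
            while i < len(rest) and rest[i] not in ("from", "to"):
                days |= day_set(rest[i])
                i += 1
            if rest[1] != "to" or end <= start or not days:
                raise ValueError(f"bad periodic part in {line!r}")
            periodic.append((start, end, days))
        if i < len(rest):  # absolute part: [from time1 date1] [to time2 date2]
            bounds = {"from": EARLIEST, "to": LATEST}
            while i < len(rest):
                if rest[i] not in bounds or i + 2 >= len(rest):
                    raise ValueError(f"bad absolute part in {line!r}")
                bounds[rest[i]] = moment(rest[i + 1], rest[i + 2])
                i += 3
            if bounds["to"] <= bounds["from"]:
                raise ValueError(f"end not after start in {line!r}")
            absolute.append((bounds["from"], bounds["to"]))
    return ranges


def is_active(ranges, name, now):
    """(OR of periodic entries) AND (OR of absolute entries).

    An empty list imposes no limit. Assumption: boundaries are inclusive
    at minute granularity.
    """
    periodic, absolute = ranges[name.lower()]
    minute, dow = now.hour * 60 + now.minute, (now.weekday() + 1) % 7
    in_periodic = not periodic or any(
        start <= minute <= end and dow in days for start, end, days in periodic)
    in_absolute = not absolute or any(lo <= now <= hi for lo, hi in absolute)
    return in_periodic and in_absolute


# The t3 and t4 statements from the examples above.
CONFIG = """
time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010
time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
"""
RANGES = load(CONFIG)

if __name__ == "__main__":
    probes = [("t4", datetime(2010, 1, 4, 11, 0)),   # Monday in January
              ("t4", datetime(2010, 1, 6, 15, 0)),   # Wednesday in January
              ("t4", datetime(2010, 3, 1, 11, 0)),   # Monday in March
              ("t3", datetime(2010, 1, 2, 9, 0))]    # Saturday in 2010
    for name, when in probes:
        print(name, when.strftime("%a %Y-%m-%d %H:%M"), is_active(RANGES, name, when))
```

Under this rule the two t4 statements are active in both weekly windows during January and during June 2010, and at no time from February through May.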


2 QoS Policy Configuration Commands

Class Configuration Commands

display traffic classifier

Syntax
display traffic classifier user-defined [ tcl-name ]

View
Any view

Default Level
1: Monitor level

Parameters
user-defined: Displays user-defined classes.
tcl-name: Class name, a string of 1 to 31 characters.

Description
Use the display traffic classifier command to display class information.
If no class name is specified, information about all user-defined classes is displayed.

Examples
# Display information about all user-defined classes.
<Sysname> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: USER1
    Operator: AND
    Rule(s) : if-match ip-precedence 5

   Classifier: database
    Operator: AND
    Rule(s) : if-match acl 3131

Table 2-1 display traffic classifier user-defined command output description

Field                                 Description
User Defined Classifier Information   User-defined class information
Classifier                            Class name and its match criteria
Operator                              Logical relationship between match criteria
Rule(s)                               Match criteria


if-match
Syntax
if-match match-criteria
undo if-match match-criteria
undo if-match acl [ ipv6 ] { acl-number | name acl-name } [ update acl [ ipv6 ] { acl-number | name acl-name } ]

View
Class view

Default Level
2: System level

Parameters
match-criteria: Match criterion. Table 2-2 shows the available criteria.
acl [ ipv6 ] { acl-number | name acl-name }: Specifies an ACL currently referenced in the class by the ACL name or ACL number.
update acl [ ipv6 ] { acl-number | name acl-name }: Specifies a new ACL to replace the specified current ACL by the number or name of the new ACL.

Table 2-2 The keyword and argument combinations for the match-criteria argument

Keyword and argument combination                          Description
acl [ ipv6 ] { acl-number | name acl-name }               Matches an ACL. The acl-number argument ranges from 2000 to 5999 for an IPv4 ACL, and 2000 to 3999 or 10000 to 42767 for an IPv6 ACL. The acl-name is a case-insensitive string of 1 to 32 characters, which must start with an English letter from a to z or A to Z, and cannot be all to avoid confusion.
any                                                       Matches all packets
customer-dot1p 8021p-list                                 Matches the 802.1p priority of the customer network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority is in the range 0 to 7.
customer-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }  Matches the VLAN IDs of customer networks. The vlan-id-list argument is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.
destination-mac mac-address                               Matches a destination MAC address
dscp dscp-list                                            Matches DSCP values. The dscp-list is a list of DSCP values. A DSCP value is a number in the range 0 to 63 or a word representing the specific value. For the number-to-word mapping, see Table 2-4.
ip-precedence ip-precedence-list                          Matches IP precedence. The ip-precedence-list argument is a list of up to 8 IP precedence values. An IP precedence ranges from 0 to 7.
protocol protocol-name                                    Matches a protocol. The protocol-name argument can be IP or IPv6.
qos-local-id local-id-value                               Matches a local QoS ID, which ranges from 1 to 4095.
service-dot1p 8021p-list                                  Matches the 802.1p priority of the service provider network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority is in the range 0 to 7.
service-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }   Matches the VLAN IDs of ISP networks. The vlan-id-list is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.
source-mac mac-address                                    Matches a source MAC address

Suppose the operator of a class is AND. Note the following when using the if-match command to define matching criteria for the class:
• If multiple matching criteria with the acl or acl ipv6 keyword specified are defined for the class, the actual logical relationship between these criteria is OR when a policy referencing the class is applied.
• If multiple match criteria with the customer-vlan-id or service-vlan-id keyword specified are defined for the class, the actual logical relationship between these criteria is OR.

The match criteria listed below must be unique in a class with the operator AND. Even though it is possible, avoid defining multiple if-match clauses for these match criteria or inputting multiple values for a list argument (such as the 8021p-list argument) listed below in a class. Otherwise, the QoS policy referencing the class cannot be successfully applied to interfaces.
• customer-dot1p 8021p-list
• destination-mac mac-address
• dscp dscp-list
• ip-precedence ip-precedence-list
• service-dot1p 8021p-list
• source-mac mac-address

To create multiple if-match clauses or specify multiple values for a list argument for any of the match criteria listed above, ensure that the operator of the class is OR.

A QoS policy referencing an if-match customer-dot1p clause cannot be applied to outgoing traffic.

Description
Use the if-match command to define a match criterion.
Use the undo if-match command to remove the match criterion.
When defining match criteria, use the usage guidelines described in these subsections:
• Defining an ACL-based match criterion
• Defining a criterion to match a destination or a source MAC address
• Defining a criterion to match DSCP values
• Defining a criterion to match the 802.1p priority values of the customer network or service provider network
• Defining a criterion to match IP precedence values
• Defining a criterion to match customer network VLAN IDs or service provider network VLAN IDs

Defining an ACL-based match criterion


If the ACL referenced in the if-match command does not exist, the class cannot be applied to hardware. For a class, you can reference an ACL twice by its name and number respectively with the if-match command.

Defining a criterion to match a destination or a source MAC address


You can configure multiple destination MAC address match criteria for a class.


Defining a criterion to match DSCP values



You can configure multiple DSCP match criteria for a class. All the defined DSCP values are automatically arranged in ascending order. You can configure up to eight DSCP values in one command line. If multiple identical DSCP values are specified, the system considers them as one. If a packet matches one of the defined DSCP values, it matches the if-match clause. To delete a criterion that matches DSCP values, the specified DSCP values must be identical with those defined in the rule (the sequence may be different).

Defining a criterion to match the 802.1p priority values of the customer network or service provider network

You can configure multiple 802.1p priority match criteria for a class. All the defined 802.1p values are automatically arranged in ascending order. You can configure up to eight 802.1p priority values in one command line. If the same 802.1p priority value is specified multiple times, the system considers them as one. If a packet matches one of the defined 802.1p priority values, it matches the if-match clause. To delete a criterion that matches 802.1p priority values, the specified 802.1p priority values in the command must be identical with those defined in the criterion (the sequence may be different).

Defining a criterion to match IP precedence values



You can configure multiple IP precedence match criteria for a class. The defined IP precedence values are automatically arranged in ascending order. You can configure up to eight IP precedence values in one command line. If the same IP precedence is specified multiple times, the system considers them as one. If a packet matches one of the defined IP precedence values, it matches the if-match clause. To delete a criterion that matches IP precedence values, the specified IP precedence values in the command must be identical with those defined in the criterion (the sequence may be different).

Defining a criterion to match customer network VLAN IDs or service provider network VLAN IDs

You can configure multiple VLAN ID match criteria for a class. The defined VLAN IDs are automatically arranged in ascending order. You can configure multiple VLAN IDs in one command line. If the same VLAN ID is specified multiple times, the system considers them as one. If a packet matches one of the defined VLAN IDs, it matches the if-match clause. To delete a criterion that matches VLAN IDs, the specified VLAN IDs in the command must be identical with those defined in the criterion (the sequence may be different).

Related commands: traffic classifier.

Examples
# Define a match criterion for class class1 to match the packets with the destination MAC address 0050-ba27-bed3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3

# Define a match criterion for class class2 to match the packets with the source MAC address 0050-ba27-bed2.
<Sysname> system-view
[Sysname] traffic classifier class2
[Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2

# Define a match criterion for class class1 to match ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl 3101

# Define a match criterion for class class1 to match the ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl name flow

# Define a match criterion for class class1 to match IPv6 ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl ipv6 3101

# Define a match criterion for class class1 to match the IPv6 ACL named flow.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match acl ipv6 name flow

# Define a match criterion for class class1 to match all packets.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match any

# Define a match criterion for class class1 to match the packets with a DSCP value of 1, 6, or 9.
<Sysname> system-view
[Sysname] traffic classifier class1 operator or
[Sysname-classifier-class1] if-match dscp 1 6 9

# Define a match criterion for class class1 to match the packets with an IP precedence value of 1 or 6.
<Sysname> system-view
[Sysname] traffic classifier class1 operator or
[Sysname-classifier-class1] if-match ip-precedence 1 6

# Define a match criterion for class class1 to match IP packets.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match protocol ip

# Define a match criterion for class class1 to match the packets with a customer network VLAN ID of 1, 6, or 9.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match customer-vlan-id 1 6 9

# Define a match criterion for class class1 to match packets with the local QoS ID 3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match qos-local-id 3

# Change the match criterion of class class1 from ACL 2008 to ACL 2009.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] undo if-match acl 2008 update acl 2009

traffic classifier
Syntax
traffic classifier tcl-name [ operator { and | or } ]
undo traffic classifier tcl-name

View
System view

Default Level
2: System level

Parameters
tcl-name: Specifies a class name, a string of 1 to 31 characters.
operator: Sets the operator to logic AND or OR for the class.
and: Specifies the logic AND operator. The class matches the packets that match all its criteria.
or: Specifies the logic OR operator. The class matches the packets that match any of its criteria.

Description
Use the traffic classifier command to create a class and enter class view.
Use the undo traffic classifier command to remove a class.
By default, the operator of a class is AND.
Related commands: qos policy, qos apply policy, classifier behavior.

Examples
# Create a class named class1.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1]
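
The if-match notes above describe two ways a class with the AND operator behaves differently from what its configuration suggests: some criteria stop the policy from being applied, and multiple ACL or VLAN ID criteria are ORed. The following is an added example, not H3C code, of a pre-deployment check for both cases. The configuration layout (a class line followed by indented if-match lines), the sample text and the function names are assumptions made for the example.

```python
# Criteria the page lists as needing to be unique in a class whose operator is AND.
UNIQUE_UNDER_AND = {"customer-dot1p", "destination-mac", "dscp",
                    "ip-precedence", "service-dot1p", "source-mac"}
# Criteria the page says are ORed with each other even when the operator is AND.
ORED_UNDER_AND = {"acl", "customer-vlan-id", "service-vlan-id"}


def parse_classes(config):
    """Return {class name: {"operator": "and"|"or", "rules": [(keyword, args)]}}."""
    classes, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["traffic", "classifier"] and len(tok) >= 3:
            operator = "and"  # default operator per the traffic classifier command
            if len(tok) >= 5 and tok[3] == "operator":
                operator = tok[4].lower()
            current = classes.setdefault(tok[2], {"operator": operator, "rules": []})
            current["operator"] = operator
        elif (tok[0] == "if-match" and len(tok) >= 2
              and current is not None and raw[0].isspace()):
            current["rules"].append((tok[1], tok[2:]))
        else:
            current = None  # any other line ends the class block
    return classes


def lint(classes):
    """Return sorted (class, keyword, finding) tuples for AND-operator classes.

    multiple-values / multiple-clauses: the policy referencing the class
    cannot be applied to interfaces.
    effective-or: the criteria are ORed, so the class matches more traffic
    than an AND reading of the configuration implies.
    """
    findings = set()
    for name, cls in classes.items():
        if cls["operator"] != "and":
            continue
        clauses = {}
        for keyword, args in cls["rules"]:
            clauses[keyword] = clauses.get(keyword, 0) + 1
            if keyword in UNIQUE_UNDER_AND and len(args) > 1:
                findings.add((name, keyword, "multiple-values"))
        for keyword, count in clauses.items():
            if count < 2:
                continue
            if keyword in UNIQUE_UNDER_AND:
                findings.add((name, keyword, "multiple-clauses"))
            elif keyword in ORED_UNDER_AND:
                findings.add((name, keyword, "effective-or"))
    return sorted(findings)


# Constructed sample configuration (class names and values are made up).
SAMPLE = """
traffic classifier voice operator and
 if-match dscp ef cs5
traffic classifier mgmt operator and
 if-match source-mac 0050-ba27-bed2
 if-match source-mac 0050-ba27-bed3
 if-match protocol ip
traffic classifier servers
 if-match acl 3101
 if-match acl 3102
traffic classifier marked operator or
 if-match dscp 1 6 9
"""
FINDINGS = lint(parse_classes(SAMPLE))

if __name__ == "__main__":
    for name, keyword, finding in FINDINGS:
        print(f"class {name}: if-match {keyword}: {finding}")
```

The effective-or finding matters most when the class is paired with a filter deny or redirect behavior, because the class then covers traffic matching either ACL rather than both.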

Traffic Behavior Configuration Commands


accounting
Syntax
accounting { byte | packet }
undo accounting

View
Traffic behavior view

Default Level
2: System level

Parameters
byte: Counts traffic in bytes.
packet: Counts traffic in packets.

Description
Use the accounting command to configure the traffic accounting action in the traffic behavior. By referencing the traffic behavior in a QoS policy, you can achieve class-based accounting, with which statistics are collected on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address.
Use the undo accounting command to delete the traffic accounting action.
You can use the display qos policy interface command and the display qos vlan-policy command to view the related statistics.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Configure traffic accounting in bytes for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] accounting byte

car
Syntax
car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ] [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]
undo car

View
Traffic behavior view

Default Level
2: System level

Parameters
cir committed-information-rate: Committed information rate (CIR) in kbps, which specifies the average traffic rate. The committed-information-rate argument ranges from 8 to 32000000 and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS) in bytes. The committed-burst-size argument ranges from 512 to 16000000 and defaults to 512.
ebs excess-burst-size: Excess burst size (EBS) in bytes. The excess-burst-size argument ranges from 0 to 16000000 and defaults to 512.
pir peak-information-rate: Peak information rate (PIR) in kbps. The peak-information-rate argument ranges from 8 to 32000000, and must be a multiple of 8.
green action: Action to take on packets that conform to CIR. The default is pass.
red action: Action to take on packets that conform to neither CIR nor PIR. The default is discard.
yellow action: Action to take on packets that conform to PIR but not to CIR. The default is pass.
action: Action to take on packets, which can be:
• discard: Drops the packet.
• pass: Permits the packet to pass through.
• remark-dot1p-pass new-cos: Sets the 802.1p priority of the packet to new-cos and permits the packet to pass through. The new-cos argument ranges from 0 to 7.
• remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet to pass through. The new-dscp argument ranges from 0 to 63.
• remark-lp-pass new-local-precedence: Sets the local precedence value of the packet to new-local-precedence and permits the packet to pass through. The new-local-precedence argument ranges from 0 to 7.
hierarchy-car-name: Name of the referenced hierarchical CAR.
mode: Collaborating mode of the hierarchical CAR action and the common CAR action, which can be AND (the default) or OR.
• AND mode (the and keyword), in which the traffic rate of a flow is limited by both the common CAR applied to it and the total traffic rate defined with hierarchical CAR. For example, you can use common CAR actions to limit the Internet access rates of flow 1 and flow 2 to 128 kbps each, and use a hierarchical CAR action to limit their total traffic rate to 192 kbps. Thus, when flow 1 is not present, flow 2 can access the Internet at the maximum rate, 128 kbps. If both flows are present, each flow cannot exceed its own rate limit, and the total rate cannot exceed 192 kbps.
• OR mode (the or keyword), in which a flow may pass through at a rate equal to the common CAR applied to it or at a higher rate if the total traffic rate of all flows does not exceed the hierarchical CAR. For example, you can use generic CAR actions to limit the rates of video flow 1 and flow 2 to 128 kbps each, and use a hierarchical CAR action to limit their total traffic rate to 512 kbps. As long as the rate of flow 1 does not exceed 128 kbps, flow 2 can pass at a rate up to 384 kbps.

Description
Use the car command to configure a CAR action for the traffic behavior.
Use the undo car command to remove the CAR action from the traffic behavior.
Note that if this command is configured multiple times for the same traffic behavior, the last configuration takes effect.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Configure a CAR action for traffic behavior database: set CIR to 128 kbps, CBS to 50000 bytes, and EBS to 0; allow the conforming packets to pass, and mark the excess packets with DSCP value 0 and forward them.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] car cir 128 cbs 50000 ebs 0 green pass red remark-dscp-pass 0

# Configure a CAR action for traffic behavior database: set the CIR to 256 kbps, CBS to 50000 bytes, and EBS to 0; allow the conforming packets to pass, and mark excess packets with DSCP value 0 and forward them. In addition, reference hierarchical CAR hcar in the action, with the collaborating mode as or.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] car cir 256 cbs 50000 ebs 0 green pass red remark-dscp-pass 0 hierarchy-car hcar mode or

display traffic behavior


Syntax
display traffic behavior user-defined [ behavior-name ]

View
Any view

Default Level
1: Monitor level

Parameters
user-defined: Displays user-defined traffic behaviors.
behavior-name: Behavior name. If no traffic behavior is specified, information of all user-defined behaviors is displayed.

Description
Use the display traffic behavior command to display traffic behavior information.

Examples
# Display all user-defined traffic behaviors.
<Sysname> display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: 2
      Accounting enable: byte
      Committed Access Rate:
        CIR 12800 (kbps), CBS 4000 (byte), EBS 4000 (byte)
        Green Action: pass
        Red Action: discard
        Yellow Action: pass
      NetStream filter enable : permit
      Redirect enable:
        Redirect type: cpu
        Redirect destination: cpu
      Marking:
        Remark dot1p COS 1
      Marking:
        Remark DSCP af12

Table 2-3 display traffic behavior user-defined command output description

Field                               Description
User Defined Behavior Information   User-defined behavior information
Behavior                            Name of a behavior
Accounting enable                   Class-based accounting mode, in packets or in bytes
Committed Access Rate               Information about the CAR action
NetStream filter enable             NetStream configuration information. The NetStream filtering option can be permit or deny
Redirect enable                     Traffic redirecting configuration information
Redirect type                       Traffic redirecting type, which can be redirecting traffic to the CPU, an interface, or the next-hop
Redirect destination                Destination for traffic redirecting, which can be an interface name, the IP address of the next hop, or the CPU
Marking                             Priority marking information

filter
Syntax
filter { deny | permit }
undo filter

View
Traffic behavior view

Default Level
2: System level

Parameters
deny: Drops the packets.
permit: Permits the packet to pass through.

Description
Use the filter command to configure a traffic filtering action for the traffic behavior.
Use the undo filter command to remove the traffic filtering action.

Examples
# Configure the traffic filtering action as deny for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] filter deny

redirect
Syntax
redirect { cpu | interface interface-type interface-number | next-hop { ipv4-add1 [ ipv4-add2 ] | ipv6-add1 [ interface-type interface-number ] [ ipv6-add2 [ interface-type interface-number ] ] } }
undo redirect { cpu | interface interface-type interface-number | next-hop }

View
Traffic behavior view

Default Level
2: System level

Parameters
cpu: Redirects traffic to the CPU.
interface: Redirects traffic to the specified interface.
interface-type interface-number: Interface specified by its type and number.
next-hop: Redirects traffic to a next hop.
ipv4-add1/ipv4-add2: IPv4 address of the next hop. ipv4-add2 backs up ipv4-add1. If redirecting traffic to ipv4-add1 fails, traffic is redirected to ipv4-add2.
ipv6-add1/ipv6-add2: IPv6 address of the next hop. ipv6-add2 backs up ipv6-add1. If redirecting traffic to ipv6-add1 fails, traffic is redirected to ipv6-add2. interface-type interface-number specifies a VLAN-interface by its number. If the IPv6 address is a link-local address, you must specify a VLAN-interface for the IPv6 address of the next hop. If the IPv6 address is not a link-local address, you do not need to specify a VLAN-interface for the IPv6 address of the next hop.

Description
Use the redirect command to configure a traffic redirecting action for the traffic behavior.
Use the undo redirect command to remove the traffic redirecting action.

Redirecting traffic to the CPU, redirecting traffic to an interface, and redirecting traffic to the next hop are all mutually exclusive in the same traffic behavior.

Examples
# Configure the action of redirecting traffic to interface GigabitEthernet 1/0/1 for traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] redirect interface gigabitethernet1/0/1

remark dot1p
Syntax
remark dot1p { 8021p | customer-dot1p-trust }
undo remark dot1p

View
Traffic behavior view

Default Level
2: System level

Parameters
8021p: 802.1p priority to be marked for packets, which ranges from 0 to 7.
customer-dot1p-trust: Copies the 802.1p priority value in the inner VLAN tag to the outer VLAN tag after the QoS policy is applied to a port. This keyword does not take effect on single-tagged packets.

Description
Use the remark dot1p command to configure the 802.1p priority marking action or the inner-to-outer tag priority copying action.
Use the undo remark dot1p command to remove the action.
Note that the remark dot1p 8021p command and the remark dot1p customer-dot1p-trust command override each other, and whichever is configured last takes effect.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the 802.1p priority to 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dot1p 2

# Configure the inner-to-outer tag priority copying action in traffic behavior database.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dot1p customer-dot1p-trust

remark drop-precedence
Syntax
remark drop-precedence drop-precedence-value
undo remark drop-precedence

View
Traffic behavior view

Default Level
2: System level

Parameters
drop-precedence-value: Drop precedence to be marked for packets, which ranges from 0 to 2.

Description
Use the remark drop-precedence command to configure the drop precedence marking action.
Use the undo remark drop-precedence command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the drop precedence value to 2 for packets.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark drop-precedence 2

remark dscp
Syntax
remark dscp dscp-value
undo remark dscp

View
Traffic behavior view

Default Level
2: System level

Parameters
dscp-value: DSCP value, which ranges from 0 to 63 or a keyword, as shown in Table 2-4.

Table 2-4 DSCP keywords and values

Keyword   DSCP value (binary)   DSCP value (decimal)
default   000000                0
af11      001010                10
af12      001100                12
af13      001110                14
af21      010010                18
af22      010100                20
af23      010110                22
af31      011010                26
af32      011100                28
af33      011110                30
af41      100010                34
af42      100100                36
af43      100110                38
cs1       001000                8
cs2       010000                16
cs3       011000                24
cs4       100000                32
cs5       101000                40
cs6       110000                48
cs7       111000                56
ef        101110                46

Description
Use the remark dscp command to configure the DSCP marking action.
Use the undo remark dscp command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the DSCP value of packets to 6.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dscp 6

remark ip-precedence
Syntax
remark ip-precedence ip-precedence-value
undo remark ip-precedence

View
Traffic behavior view

Default Level
2: System level

Parameters
ip-precedence-value: IP precedence value to be marked for packets, which ranges from 0 to 7.

Description
Use the remark ip-precedence command to configure the IP precedence marking action.
Use the undo remark ip-precedence command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the IP precedence value of packets to 6.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark ip-precedence 6


remark local-precedence
Syntax
remark local-precedence local-precedence
undo remark local-precedence

View
Traffic behavior view

Default Level
2: System level

Parameters
local-precedence: Local precedence value to be marked for packets, which ranges from 0 to 7.

Description
Use the remark local-precedence command to configure the local precedence marking action.
Use the undo remark local-precedence command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the local precedence value of packets to 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark local-precedence 2

remark qos-local-id
Syntax
remark qos-local-id local-id-value
undo remark qos-local-id

View
Traffic behavior view

Default Level
2: System level

Parameters
local-id-value: QoS local ID to be marked for packets, in the range of 1 to 4095. The local QoS IDs supported on the S5820X & S5800 series switches range from 1 to 3999.

Description
Use the remark qos-local-id command to configure the QoS local ID marking action.
Use the undo remark qos-local-id command to remove the action.
Related commands: qos policy, traffic behavior, classifier behavior.

Examples
# Set the QoS local ID of packets to 2.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark qos-local-id 2

traffic behavior
Syntax
traffic behavior behavior-name
undo traffic behavior behavior-name

View
System view

Default Level
2: System level

Parameters
behavior-name: Behavior name, a string of 1 to 31 characters.

Description
Use the traffic behavior command to create a traffic behavior and enter traffic behavior view.
Use the undo traffic behavior command to remove a traffic behavior.
Related commands: qos policy, qos apply policy, classifier behavior.

Examples
# Create a traffic behavior named behavior1.
<Sysname> system-view
[Sysname] traffic behavior behavior1
[Sysname-behavior-behavior1]

QoS Policy Configuration and Application Commands


classifier behavior
Syntax
classifier tcl-name behavior behavior-name [ mode dot1q-tag-manipulation ]
undo classifier tcl-name

View
Policy view

Default Level
2: System level

Parameters
tcl-name: Class name, a string of 1 to 31 characters.
behavior-name: Behavior name, a string of 1 to 31 characters.
mode dot1q-tag-manipulation: Specifies that the class-behavior association is used for the VLAN mapping function.

Description
Use the classifier behavior command to associate a behavior with a class in the policy.
Use the undo classifier command to remove a class from the policy.
Note that:
• Each class in the policy can be associated with only one behavior.
• If the specified class and traffic behavior do not exist, the system creates a null class and a null traffic behavior.
• The dot1q-tag-manipulation keyword only applies to many-to-one VLAN mapping configuration. For more information about many-to-one VLAN mapping, see VLAN Mapping Configuration in the Layer 2 - LAN Switching Configuration Guide.
Related commands: qos policy.

Examples
# Associate traffic class database with traffic behavior test in QoS policy user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1] classifier database behavior test
[Sysname-qospolicy-user1]

display qos policy


Syntax
display qos policy user-defined [ policy-name [ classifier tcl-name ] ]

View
Any view

Default Level
1: Monitor level

Parameters
user-defined: Displays user-defined QoS policies.
policy-name: QoS policy name, which is a string of 1 to 31 characters. If no policy is specified, configuration information of all the user-defined policies is displayed.
tcl-name: Class name, a string of 1 to 31 characters.

Description
Use the display qos policy command to display user-defined QoS policy configuration information.

Examples
# Display the configuration information of all the user-defined QoS policies.
<Sysname> display qos policy user-defined
 User Defined QoS Policy Information:
 Policy: test
  Classifier: default-class
   Behavior: be
    -none-
  Classifier: USER1
   Behavior: USER1
    Committed Access Rate:
     CIR 256 (kbps), CBS 15000 (byte), EBS 0 (byte)
     Green Action: pass
     Red Action: discard
    Marking:
     Remark IP Precedence 3

Table 2-5 display qos policy command output description


Field | Description
Policy | Policy name
Classifier | Class name. A policy can contain multiple classes. Each class is associated with a traffic behavior. A class can be configured with multiple match criteria. Refer to the traffic classifier command for related information.
Behavior | The behavior associated with the class above. It can be configured with multiple actions. Refer to the traffic behavior command for related information.

display qos policy global


Syntax
display qos policy global [ slot slot-number ] [ inbound | outbound ]

View
Any view

Default Level
1: Monitor level

Parameters
inbound: Displays information about the inbound global QoS policy. An inbound global QoS policy applies to the inbound direction of all ports.
outbound: Displays information about the outbound global QoS policy. An outbound global QoS policy applies to the outbound direction of all ports.
slot slot-number: Displays the global QoS policy configuration of the specified device in the IRF virtual device. If the slot-number argument is not specified, the global QoS policy configuration of all devices in the IRF virtual device is displayed. If no IRF virtual device is formed, the global QoS policy configuration of the current device is displayed. The range for the slot-number argument depends on the number of devices and the numbering of devices in the IRF virtual device.

Description
Use the display qos policy global command to display information about the QoS policy applied globally in the inbound or outbound direction of all ports.
Note that: if no direction is specified, the global QoS policy information in both the inbound and outbound directions is displayed.

Examples
# Display information about the global QoS policy applied to the incoming traffic.
<Sysname> display qos policy global inbound
 Direction: Inbound
 Policy: 1
  Classifier: 2
   Operator: AND
   Rule(s) : If-match acl 2000
   Behavior: 2
    Accounting Enable
     20864 (Bytes)
    Committed Access Rate:
     CIR 128 (kbps), CBS 8000 (Bytes), EBS 0 (Bytes)
     Red Action: discard
     Green : 12928(Bytes)
     Yellow: 7936(Bytes)
     Red : 43904(Bytes)

Table 2-6 display qos policy global command output description


Field | Description
Direction | Indicates that the QoS policy is applied in the inbound direction or outbound direction
Policy | Policy name and its contents
Classifier | Class name and its contents
Operator | Logical relationship between match criteria
Rule(s) | Match criteria
Behavior | Name of the traffic behavior, and the actions in the traffic behavior
Accounting | Class-based accounting action and the collected statistics
Committed Access Rate | Information about traffic rate limiting
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size in bytes, which specifies the depth of the token bucket for holding bursty traffic
EBS | Excessive burst size (EBS) in bytes, which specifies the traffic exceeding CBS when two token buckets are used
Red Action | Action to take on red packets
Green | Statistics on green packets
Yellow | Statistics on yellow packets
Red | Statistics on red packets

display qos policy interface


Syntax
display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos policy interface command to display QoS policy configuration and operational information on an interface or all interfaces.

Examples
# Display the QoS configuration and operational information on interface GigabitEthernet1/0/1.
<Sysname> display qos policy interface gigabitethernet 1/0/1
 Interface: GigabitEthernet1/0/1
 Direction: Inbound
 Policy: 1
  Classifier: 1
   Operator: AND
   Rule(s) : If-match acl 2000
   Behavior: 1
    Accounting Enable:
    Mirror enable:
     Mirror type: interface
     Mirror destination: GigabitEthernet1/0/2
    NetStream filter enable: permit
    Redirect enable:
     Redirect type: cpu
     Redirect destination: cpu
    Marking:
     Remark Customer VLAN ID 100
    Marking:
     Remark dot1p COS 2
    Marking:
     Remark IP precedence 3
    Marking:
     Remark qos local ID 3

Table 2-7 display qos policy interface command output description


Field | Description
Interface | Interface type and interface number
Direction | The direction in which the policy is applied to the interface
Policy | Name of the policy applied to the interface
Classifier | Class name and the corresponding configuration information
Operator | Logical relationship between match criteria in the class
Rule(s) | Match criteria in the class
Behavior | Behavior name and the corresponding configuration information

display qos vlan-policy


Syntax
display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ slot slot-number ] [ inbound | outbound ]

View
Any view

Default Level
1: Monitor level

Parameters
name policy-name: Displays information of the VLAN QoS policy specified by its name, which is a string of 1 to 31 characters.
vlan vlan-id: Displays the QoS policy applied to the VLAN specified by its ID.
inbound: Displays the QoS policy applied to the incoming traffic of the VLAN specified by its ID.
outbound: Displays the QoS policy applied to the outgoing traffic of the VLAN specified by its ID.
slot slot-number: Displays VLAN QoS policy information about the specified device in the IRF virtual device. If the slot-number argument is not specified, the VLAN QoS policy information of all devices in the IRF virtual device is displayed. If no IRF virtual device is formed, the VLAN QoS policy information of the current device is displayed. The range for the slot-number argument depends on the number of devices and the numbering of devices in the IRF virtual device.

Description
Use the display qos vlan-policy command to display VLAN QoS policy information.
Note that: if no direction is specified, the VLAN QoS policy information in both the inbound and outbound directions is displayed.

Examples
# Display information about QoS policy test on the device numbered 6 in the IRF virtual device.
<Sysname> display qos vlan-policy name test slot 6
 Policy test
  Vlan 200: inbound
  Vlan 300: outbound

Table 2-8 display qos vlan-policy command output description


Field | Description
Policy | Name of the QoS policy
Vlan | ID of the VLAN where the VLAN policy is applied
inbound | The QoS policy is applied to the incoming traffic of the VLAN
outbound | The QoS policy is applied to the outgoing traffic of the VLAN

# Display the QoS policy applied to VLAN 2.


<Sysname> display qos vlan-policy vlan 2
 Vlan 2
 Direction: Inbound
 Policy: 1
  Classifier: 2
   Operator: AND
   Rule(s) : If-match acl 2000
   Behavior: 2
    Accounting Enable
     163 (Packets)
    Committed Access Rate:
     CIR 128 (kbps), CBS 8000 (byte), EBS 0 (byte)
     Red Action: discard
     Green : 12928(Bytes)
     Yellow: 7936(Bytes)
     Red : 43904(Bytes)

Table 2-9 display qos vlan-policy command output description


Field | Description
Vlan | ID of the VLAN where the QoS policy is applied
Direction | The direction in which the QoS policy is applied for the VLAN
Classifier | Class name and its contents
Operator | Logical relationship between match criteria
Rule(s) | Match criteria
Behavior | Name of the behavior, and its actions
Accounting | Class-based accounting action and the collected statistics
Committed Access Rate | CAR information
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size (CBS) in bytes, which specifies the depth of the token bucket for holding bursty traffic
EBS | Excessive burst size (EBS) in bytes, which specifies the amount of traffic beyond the CBS when two token buckets are used
Red Action | Action on red packets
Green | Statistics on green packets
Yellow | Statistics on yellow packets
Red | Statistics on red packets

qos apply policy (interface view, port group view)


Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }

View
Interface view, port group view

Default Level
2: System level

Parameters
inbound: Inbound direction.
outbound: Outbound direction.
policy-name: Policy name, which is a string of 1 to 31 characters.

Description
Use the qos apply policy command to apply a QoS policy.
Use the undo qos apply policy command to cancel the QoS policy application.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Apply policy USER1 to the outgoing traffic of interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos apply policy USER1 outbound

qos apply policy (user-profile view)


Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }

View
User profile view

Default Level
2: System level

Parameters
inbound: Applies the QoS policy to the incoming traffic of online users.
outbound: Applies the QoS policy to the outgoing traffic of online users.
policy-name: Policy name, which is a string of 1 to 31 characters.

Description
Use the qos apply policy command to apply a QoS policy to a user profile.
Use the undo qos apply policy command to cancel the QoS policy application.
Note that:
- If a user profile is activated, the QoS policy applied to it cannot be configured or removed, except the ACLs referenced in the QoS policy. However, when the users of the user profile are online, the referenced ACLs also cannot be modified.
- The QoS policy applied to a user profile becomes effective when the user-profile is activated and the corresponding users are online.
- Only the remark, car, and filter actions are supported in the QoS policies applied in user profile view.
- A null policy cannot be applied in user profile view.

Examples
# Apply policy test to the outgoing traffic of the online users of user profile user. (Assume that the QoS policy has been configured.)
<Sysname> system-view
[Sysname] user-profile user
[Sysname-user-profile-user] qos apply policy test outbound

qos apply policy global


Syntax
qos apply policy policy-name global { inbound | outbound }
undo qos apply policy global { inbound | outbound }

View
System view

Default Level
2: System level

Parameters
policy-name: Policy name, which is a string of 1 to 31 characters.
inbound: Applies the QoS policy to the incoming packets of all ports.
outbound: Applies the QoS policy to the outgoing packets of all ports.

Description
Use the qos apply policy global command to apply a QoS policy globally. A global QoS policy takes effect on all inbound or outbound traffic depending on the direction in which the policy is applied.
Use the undo qos apply policy global command to remove the QoS policy.

Examples
# Apply the QoS policy user1 to the incoming traffic globally.
<Sysname> system-view
[Sysname] qos apply policy user1 global inbound

qos policy
Syntax
qos policy policy-name
undo qos policy policy-name

View
System view

Default Level
2: System level

Parameters
policy-name: Policy name, which is a string of 1 to 31 characters.

Description
Use the qos policy command to create a policy and enter policy view.
Use the undo qos policy command to delete a policy.
A policy applied to an interface cannot be directly deleted. You must first remove the policy application before deleting the policy with the undo qos policy command.
Related commands: classifier behavior, qos apply policy.

Examples
# Create a policy named user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1]

qos vlan-policy
Syntax
qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
undo qos vlan-policy vlan vlan-id-list { inbound | outbound }

View
System view

Default Level
2: System level

Parameters
policy-name: QoS policy name, which is a string of 1 to 31 characters.
vlan-id-list: A list of up to eight VLAN IDs in the range 1 to 4094. You can input individual discontinuous VLAN IDs and VLAN ID ranges in the form of start-vlan-id to end-vlan-id, where the start VLAN ID must be smaller than the end VLAN ID. Each item in the VLAN list is separated by a space.
inbound: Applies the QoS policy to the incoming packets of the specified VLAN(s).
outbound: Applies the QoS policy to the outgoing packets of the specified VLAN(s).

Description
Use the qos vlan-policy command to apply a QoS policy to the specified VLAN(s).
Use the undo qos vlan-policy command to cancel the QoS policy application to the specified VLAN(s).

Examples
# Apply the QoS policy test to the incoming traffic of VLAN 200, VLAN 300, VLAN 400, and VLAN 500.
<Sysname> system-view
[Sysname] qos vlan-policy test vlan 200 300 400 500 inbound

reset qos policy global


Syntax
reset qos policy global [ inbound | outbound ]

View
User view

Default Level
1: Monitor level

Parameters
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.

Description
Use the reset qos policy global command to clear the statistics of a global QoS policy. If no direction is specified, the statistics of the global QoS policies in both directions are cleared.

Examples
# Clear the statistics of the global QoS policy applied to the incoming traffic.
<Sysname> reset qos policy global inbound

reset qos vlan-policy


Syntax
reset qos vlan-policy [ vlan vlan-id ] [ inbound | outbound ]

View
User view

Default Level
1: Monitor level

Parameters
vlan-id: VLAN ID, which ranges from 1 to 4094.
inbound: Clears the statistics of the QoS policy applied in the inbound direction of the specified VLAN.
outbound: Clears the statistics of the QoS policy applied in the outbound direction of the specified VLAN.

Description
Use the reset qos vlan-policy command to clear the statistics of the QoS policy applied in a certain direction of a VLAN.

Examples
# Clear the statistics of QoS policies applied to VLAN 2.
<Sysname> reset qos vlan-policy vlan 2

3 Priority Mapping Configuration Commands

Priority Mapping Table Configuration Commands

display qos map-table
Syntax
display qos map-table [ dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp ]

View
Any view

Default Level
1: Monitor level

Parameters
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table.
dscp-dp: DSCP-to-drop priority mapping table.
dscp-dscp: DSCP-to-DSCP priority mapping table.

Description
Use the display qos map-table command to display the configuration of a priority mapping table. If no priority mapping table is specified, the configuration information of all priority mapping tables is displayed.
Related commands: qos map-table.

Examples
# Display the configuration information of the 802.1p-to-drop priority mapping table.
<Sysname> display qos map-table dot1p-dp
MAP-TABLE NAME: dot1p-dp   TYPE: pre-define
IMPORT  :  EXPORT
   0    :    0
   1    :    0
   2    :    0
   3    :    0
   4    :    0
   5    :    0
   6    :    0
   7    :    0

Table 3-1 display qos map-table command output description


Field | Description
MAP-TABLE NAME | Name of the priority mapping table
TYPE | Type of the priority mapping table
IMPORT | Input values of the priority mapping table
EXPORT | Output values of the priority mapping table

import
Syntax
import import-value-list export export-value
undo import { import-value-list | all }

View
Priority mapping table view

Default Level
2: System level

Parameters
import-value-list: List of input values.
export-value: Output value.
all: Deletes all the mappings in the priority mapping table.

Description
Use the import command to configure a mapping from one or multiple input values to an output value.
Use the undo import command to restore the specified mapping or all mappings to the default.
Related commands: display qos map-table, display qos map-table color.

Examples
# Configure the 802.1p-to-drop priority mapping table to map 802.1p priority values 4 and 5 to drop precedence value 1.
<Sysname> system-view
[Sysname] qos map-table dot1p-dp
[Sysname-maptbl-dot1p-dp] import 4 5 export 1

qos map-table
Syntax
qos map-table { dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp }

View
System view

Default Level
2: System level

Parameters
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table.
dscp-dp: DSCP-to-drop priority mapping table.
dscp-dscp: DSCP-to-DSCP priority mapping table.

Description
Use the qos map-table command to enter the specified priority mapping table view.
Related commands: display qos map-table.

Examples
# Enter the 802.1p-to-drop priority mapping table view.
<Sysname> system-view
[Sysname] qos map-table dot1p-dp
[Sysname-maptbl-dot1p-dp]

Port Priority Configuration Commands


qos priority
Syntax
qos priority priority-value
undo qos priority

View
Interface view, port group view

Default Level
2: System level

Parameters
priority-value: Port priority value. The port priority is local precedence, which defaults to 0 and ranges from 0 to 7.

Description
Use the qos priority command to change the port priority of an interface.
Use the undo qos priority command to restore the default.
By default, the port priority is 0.
In interface view, the setting is effective on the current interface only. In port group view, the setting is effective on all the ports in the port group.

Examples
# Set the port priority of interface GigabitEthernet 1/0/1 to 2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos priority 2

Per-Port Priority Trust Mode Configuration Commands


display qos trust interface
Syntax
display qos trust interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos trust interface command to display priority trust mode and port priority information of an interface.
If no interface is specified, the command displays priority trust mode and port priority information for all interfaces.

Examples
# Display the priority trust mode and port priority settings of interface GigabitEthernet 1/0/1.
<Sysname> display qos trust interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 Port priority information
  Port priority: 0
  Port priority trust type: untrust

Table 3-2 display qos trust interface command output description


Field | Description
Interface | Interface type and interface number
Port priority | The port priority set for the interface
Port priority trust type | Priority trust mode on the interface, which can be:
- dscp: indicates that the DSCP precedence value of the received packets is used for priority mapping
- dot1p: indicates that the 802.1p priority of the received packets is used for priority mapping
- untrust: indicates that the port priority is used for priority mapping

qos trust
Syntax
qos trust { dot1p | dscp }
undo qos trust

View
Interface view, port group view

Default Level
2: System level

Parameters
dot1p: Uses the 802.1p priority in incoming packets for priority mapping.
dscp: Uses the DSCP value in incoming packets for priority mapping.

Description
Use the qos trust command to configure an interface to use a particular priority field carried in packets for priority mapping.
Use the undo qos trust command to restore the default priority trust mode.
By default, the port priority is used for priority mapping.
When packets enter the device, the device assigns a set of parameters (including 802.1p priority, DSCP values, IP precedence, local precedence, and drop precedence) to the packets as configured.
The local precedence and drop precedence are defined as follows:
- A local precedence is locally significant and corresponds to an output queue.
- A drop precedence is used for packet drop. The value 2 corresponds to red packets, 1 corresponds to yellow packets, and 0 corresponds to green packets.

Examples
# Configure interface GigabitEthernet 1/0/1 to use the 802.1p priority in incoming packets for priority mapping.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos trust dot1p

4 GTS and Line Rate Configuration Commands

GTS Configuration Commands

display qos gts interface
Syntax
display qos gts interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos gts interface command to display generic traffic shaping (GTS) configuration information and operational statistics on a specified interface or all the interfaces.
If no interface is specified, the GTS configuration information and operational statistics on all the interfaces are displayed.

Examples
# Display the GTS configuration information and operational statistics on all the interfaces.
<Sysname> display qos gts interface
Interface: GigabitEthernet1/0/1
 Rule(s): If-match queue 0
  CIR 12800 (kbps), CBS 819200 (byte)
 Rule(s): If-match queue 1
  CIR 12800 (kbps), CBS 819200 (byte)
 Rule(s): If-match queue 2
  CIR 6400 (kbps), CBS 819200 (byte)

Table 4-1 display qos gts command output description


Field | Description
Interface | Interface type and interface number
Rule(s) | Match criteria
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size in bytes, which specifies the depth of the token bucket for holding bursty traffic

qos gts
Syntax
qos gts queue queue-number cir committed-information-rate [ cbs committed-burst-size ]
undo qos gts queue queue-number

View
Interface view, port group view

Default Level
2: System level

Parameters
queue queue-number: Shapes the packets in the queue.
cir committed-information-rate: Committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 8 to 1048576, and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS) in bytes. The committed-burst-size argument ranges from 512 to 16777216, and must be a multiple of 512. The default value is 8192.

Description
Use the qos gts command to set GTS parameters for the traffic in a specific queue.
Use the undo qos gts command to remove the GTS parameters from the traffic of a specific queue or all the traffic on the interface or port group.
By default, no GTS parameters are configured on an interface.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Configure GTS for traffic in queue 1 on GigabitEthernet 1/0/1 as follows: set CIR to 256 kbps, and CBS to 40960 bytes.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos gts queue 1 cir 256 cbs 40960

Line Rate Configuration Commands


display qos lr interface
Syntax
display qos lr interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos lr interface command to view the line rate configuration information and operational statistics on a specified interface or all interfaces.
If no interface is specified, the line rate configuration information and operational statistics on all interfaces are displayed.

Examples
# Display the line rate configuration information and operational statistics on all interfaces.
<Sysname> display qos lr interface
Interface: GigabitEthernet1/0/1
 Direction: Inbound
  CIR 12800 (kbps), CBS 256000 (byte)
 Direction: Outbound
  CIR 256 (kbps), CBS 40960 (byte)

Table 4-2 display qos lr command output description


Field | Description
Interface | Interface type and interface number
Direction | The direction in which the line rate configuration is applied: inbound or outbound
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size (CBS) in bytes, which specifies the depth of the token bucket for holding bursty traffic

qos lr
Syntax
qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]
undo qos lr { inbound | outbound }

View
Interface view, port group view

Default Level
2: System level

Parameters
inbound: Limits the rate of incoming packets on the interface.
outbound: Limits the rate of outgoing packets on the interface.
cir committed-information-rate: Committed information rate (CIR). The committed-information-rate argument ranges from 8 to 1000000 and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS). The committed-burst-size argument ranges from 512 to 16000000, and defaults to 8000.

Description
Use the qos lr command to limit the rate of incoming packets or outgoing packets on the interface.
Use the undo qos lr command to remove the rate limit.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Configure line rate for outgoing packets on interface GigabitEthernet 1/0/1 as follows: set CIR to 256 kbps and CBS to 4096 bytes.
<Sysname> system-view
[Sysname] interface gigabitethernet1/0/1
[Sysname-GigabitEthernet1/0/1] qos lr outbound cir 256 cbs 4096
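A pre-deployment check for the qos gts and qos lr commands, as an added example that is not part of the H3C manual: it validates each line against the ranges, multiples and CBS defaults stated in the two parameter descriptions, and flags lines that sit outside interface or port group view. The sample configuration, the "#" section separator handling and the "port-group" prefix used to recognise port group view are assumptions of the example.

```python
import re

# Limits from the "qos gts" and "qos lr" parameter descriptions on this page:
# (minimum, maximum, required multiple or None when the page states none).
LIMITS = {
    "gts": {"cir": (8, 1048576, 8), "cbs": (512, 16777216, 512)},
    "lr": {"cir": (8, 1000000, 8), "cbs": (512, 16000000, None)},
}
DEFAULT_CBS = {"gts": 8192, "lr": 8000}  # value in effect when "cbs" is omitted

PATTERNS = {
    "gts": re.compile(
        r"^qos gts queue (?P<scope>\d+) cir (?P<cir>\d+)(?: cbs (?P<cbs>\d+))?$"),
    "lr": re.compile(
        r"^qos lr (?P<scope>inbound|outbound) cir (?P<cir>\d+)(?: cbs (?P<cbs>\d+))?$"),
}
# Assumption: a line starting with "interface" or "port-group" enters a view
# in which both commands are allowed; "#" or "quit" leaves it.
VIEW_RE = re.compile(r"^(interface|port-group)\s+\S")


def check(kind, name, value):
    """Return a message if value breaks the documented limits, else None."""
    lo, hi, step = LIMITS[kind][name]
    if not lo <= value <= hi:
        return f"{name} {value} is outside {lo}-{hi} for qos {kind}"
    if step and value % step:
        return f"{name} {value} is not a multiple of {step}"
    return None


def lint(config_text):
    """Return (rules, findings) for the qos gts / qos lr lines in a config."""
    rules, findings = [], []
    view = None
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if VIEW_RE.match(line):
            view = line
            continue
        if line in ("#", "quit"):
            view = None
            continue
        kind = next((k for k in PATTERNS if line.startswith(f"qos {k} ")), None)
        if kind is None:
            continue
        m = PATTERNS[kind].match(line)
        if not m:
            findings.append((no, f"unrecognised qos {kind} syntax"))
            continue
        if view is None:
            findings.append((no, f"qos {kind} outside interface or port group view"))
        cir = int(m["cir"])
        cbs = int(m["cbs"]) if m["cbs"] else DEFAULT_CBS[kind]
        for name, value in (("cir", cir), ("cbs", cbs)):
            problem = check(kind, name, value)
            if problem:
                findings.append((no, problem))
        rules.append({"line": no, "view": view, "kind": kind,
                      "scope": m["scope"], "cir_kbps": cir, "cbs_bytes": cbs})
    return rules, findings


# Constructed sample in the style of a saved configuration (not from the manual).
SAMPLE = """\
interface GigabitEthernet1/0/1
 qos gts queue 1 cir 256 cbs 40960
 qos lr outbound cir 256 cbs 4096
#
interface GigabitEthernet1/0/2
 qos gts queue 2 cir 6404 cbs 819200
 qos gts queue 3 cir 6400 cbs 1000
 qos lr inbound cir 1048576
 qos lr outbound cir 512
#
qos lr inbound cir 64
"""

if __name__ == "__main__":
    parsed, problems = lint(SAMPLE)
    for no, message in problems:
        print(f"line {no}: {message}")
```

Line 8 of the sample is the case worth noticing: a CIR of 1048576 is accepted by qos gts but exceeds the qos lr maximum of 1000000.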


Congestion Management Configuration Commands


SP Queuing Configuration Commands
display qos sp
Syntax
display qos sp interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos sp interface command to view the strict priority (SP) queuing configuration of an interface.
If no interface is specified, the SP queuing configuration of all the interfaces is displayed.
Related commands: qos sp.

Examples
# Display the SP queuing configuration of interface GigabitEthernet 1/0/1.
<Sysname> display qos sp interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 Output queue: Strict-priority queue

Table 5-1 display qos sp interface command output description


Field | Description
Interface | Interface type and interface number
Output queue | Pattern of the current output queue
Strict-priority queue | SP queuing is used for queue scheduling

qos sp
Syntax
qos sp
undo qos sp

View
Interface view, port group view

Default Level
2: System level

Parameters
None

Description
Use the qos sp command to configure SP queuing on an interface.
Use the undo qos sp command to restore the default.
The default queuing algorithm on an interface is WRR queuing.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.
Related commands: display qos sp interface.

Examples
# Enable SP queuing on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos sp

WRR Queuing Configuration Commands


display qos wrr interface
Syntax
display qos wrr interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos wrr interface command to display the weighted round robin (WRR) queuing configuration on an interface.
If no interface is specified, the WRR queuing configuration of all the interfaces is displayed.
Related commands: qos wrr.

Examples
# Display the WRR queuing configuration of interface GigabitEthernet 1/0/1.
<Sysname> display qos wrr interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
 Output queue: Weighted round robin queue
 Queue ID    Group    Byte-count
 -------------------------------------
 0           1        1
 1           1        2
 2           1        3
 3           1        4
 4           1        5
 5           1        9
 6           1        13
 7           sp       N/A

Table 5-2 display qos wrr interface command output description


Field | Description
Interface | Interface type and interface number
Output queue | Pattern of the current output queue
Queue ID | ID of a queue
Group | Number of the group to which a queue is assigned. By default, all queues belong to group 1.
Weight | Queue weight based on which queues are scheduled. N/A indicates that the queue uses the SP queuing.

qos wrr
Syntax
qos wrr
undo qos wrr

View
Interface view, port group view

Default Level
2: System level

Parameters
None

Description
Use the qos wrr command to enable WRR queuing on the interface.
Use the undo qos wrr command to disable WRR queuing on the interface.
The default queuing algorithm on an interface is WRR queuing.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.
Before performing WRR configuration, you must enable WRR queuing on an interface by using the qos wrr command.

Examples
# Enable WRR queuing on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wrr

qos wrr byte-count


Syntax qos wrr queue-id group 1 byte-count schedule-value undo qos wrr queue-id group 1 byte-count View Interface view, port group view Default Level 2: System level Parameters queue-id: Queue ID, in the range of 0 to 7. 1: Assigns the queue to group 1. byte-count schedule-value: Specifies the number of bytes to be sent from the queue during a cycle. The schedule-value argument ranges from 1 to 15. Description Use the qos wrr byte-count command to configure or modify the WRR queuing parameters for a queue on the interface. Use the undo qos wrr byte-count command to restore the default WRR queuing parameters for a queue on the interface. For queues configured as WRR queues on an interface, the interface uses WRR scheduling. Other queues on the interface use the default WRR scheduling weight and belong to the default WRR priority group. Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group. Related commands: display qos wrr interface. Examples # Enable WRR queuing on interface GigabitEthernet 1/0/1, configure the scheduling weight as 10 for queue 0, and assign queue 0 to group 1.
<Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] qos wrr [Sysname-GigabitEthernet1/0/1] qos wrr 0 group 1 byte-count 10

qos wrr group sp


Syntax
qos wrr queue-id group sp
undo qos wrr queue-id group sp

View
Interface view, port group view

Default Level
2: System level

Parameters
queue-id: Queue ID, in the range of 0 to 7.
sp: Strict priority (SP) queuing algorithm.

Description
Use the qos wrr group sp command to configure SP+WRR queuing on the interface and assign a queue to the SP group.
Use the undo qos wrr group sp command to remove a queue on the interface from the SP group.
Before configuring this command on an interface, make sure that WRR queuing is enabled on the interface.
An SP group differs from a common WRR priority group. Queues in an SP group are scheduled by using the SP queuing algorithm, and not the WRR queuing algorithm.
Settings in interface view are effective on the current interface only. Settings in port group view are effective on all the ports in the port group.
Related commands: display qos wrr interface.

Examples
# Enable WRR queuing on GigabitEthernet 1/0/1, and assign queue 0 to the SP group.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wrr
[Sysname-GigabitEthernet1/0/1] qos wrr 0 group sp

WFQ Configuration Commands


display qos wfq interface
Syntax
display qos wfq interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos wfq interface command to display the weighted fair queuing (WFQ) configuration on an interface.
If no interface is specified, the WFQ configuration of all the interfaces is displayed.
Related commands: qos wfq.

Examples
# Display the WFQ configuration of interface GigabitEthernet 1/0/1.
<Sysname> display qos wfq interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
Output queue: Hardware weighted fair queue
Queue ID        Weight          Min-Bandwidth
------------------------------------------------
0               1               64
1               1               64
2               1               64
3               1               64
4               1               64
5               1               64
6               1               64
7               1               64

Table 5-3 display qos wfq interface command output description


Field            Description
Interface        Interface type and interface number
Output queue     Pattern of the current output queue
Queue ID         ID of a queue
Weight           Queue scheduling weight
Min-Bandwidth    Minimum guaranteed bandwidth

qos bandwidth queue


Syntax
qos bandwidth queue queue-id min bandwidth-value
undo qos bandwidth queue queue-id [ min bandwidth-value ]

View
Interface view, port group view

Default Level
2: System level

Parameters
queue-id: Queue ID, in the range of 0 to 7.
bandwidth-value: Minimum guaranteed bandwidth (in kbps), which is the minimum bandwidth guaranteed for a queue when the port is congested. The range for the bandwidth-value argument is from 64 to 1048576.

Description
Use the qos bandwidth queue command to set the minimum guaranteed bandwidth for a specified queue on the port/port group.
Use the undo qos bandwidth queue command to cancel the configuration.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Set the minimum guaranteed bandwidth to 100 kbps for queue 0 on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wfq
[Sysname-GigabitEthernet1/0/1] qos bandwidth queue 0 min 100

qos wfq
Syntax
qos wfq
undo qos wfq

View
Interface view, port group view

Default Level
2: System level

Parameters
None

Description
Use the qos wfq command to enable WFQ on an interface.
Use the undo qos wfq command to restore the default queuing algorithm on an interface.
The default queuing algorithm on an interface is WRR queuing.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.

Examples
# Enable WFQ on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wfq

qos wfq weight


Syntax
qos wfq queue-id weight schedule-value
undo qos wfq queue-id weight

View
Interface view, port group view

Default Level
2: System level

Parameters
queue-id: Queue ID, in the range of 0 to 7.
schedule-value: Scheduling weight of the queue. The value range for the schedule-value argument is from 1 to 15.

Description
Use the qos wfq weight command to configure a scheduling weight for a WFQ queue on the interface.
Use the undo qos wfq weight command to restore the default scheduling weight for a WFQ queue on the interface.
By default, the scheduling weight of each queue is 1.
Settings in interface view are effective on the current interface. Settings in port group view are effective on all ports in the port group.
Related commands: display qos wfq interface, qos bandwidth queue.

Examples
# Configure the scheduling weight as 10 for WFQ queue 0 on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wfq
[Sysname-GigabitEthernet1/0/1] qos wfq 0 weight 10

6 Congestion Avoidance Configuration Commands

WRED Configuration Commands

display qos wred interface

Syntax
display qos wred interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type interface-number: Specifies an interface by type and number.

Description
Use the display qos wred interface command to display the WRED configuration and statistics of an interface.
If no interface is specified, the WRED configuration and statistics of all interfaces are displayed.

Examples
# Display the WRED configuration and statistics of interface GigabitEthernet 1/0/1.
<Sysname> display qos wred interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
Current WRED configuration:
Applied WRED table name: test

Table 6-1 display qos wred interface command output description


Field                      Description
Interface                  Interface type and interface number
Applied WRED table name    Name of the WRED table applied

display qos wred table


Syntax
display qos wred table [ table-name ]

View
Any view

Default Level
1: Monitor level

Parameters
table-name: Name of the WRED table to be displayed.

Description
Use the display qos wred table command to display the WRED table configuration information.
If no WRED table name is specified, the configuration of all WRED tables is displayed.

Examples
# Display the configuration of WRED table 1.
<Sysname> display qos wred table 1
Table Name: 1
Table Type: Queue based WRED
QID:   gmin  gmax  gprob  ymin  ymax  yprob  rmin  rmax  rprob
-----------------------------------------------------------------------
0      100   1000  10     100   1000  10     100   1000  10
1      100   1000  10     100   1000  10     100   1000  10
2      100   1000  10     100   1000  10     100   1000  10
3      100   1000  10     100   1000  10     100   1000  10
4      100   1000  10     100   1000  10     100   1000  10
5      100   1000  10     100   1000  10     100   1000  10
6      100   1000  10     100   1000  10     100   1000  10
7      100   1000  10     100   1000  10     100   1000  10

Table 6-2 display qos wred table command output description


Field         Description
Table name    Name of a WRED table
Table type    Type of a WRED table
QID           ID of the queue
gmin          Lower threshold configured for green packets, with a drop precedence value of 0
gmax          Upper threshold configured for green packets, with a drop precedence value of 0
gprob         Drop probability configured for green packets, with a drop precedence value of 0
ymin          Lower threshold configured for yellow packets, with a drop precedence value of 1
ymax          Upper threshold configured for yellow packets, with a drop precedence value of 1
yprob         Drop probability configured for yellow packets, with a drop precedence value of 1
rmin          Lower threshold configured for red packets, with a drop precedence value of 2
rmax          Upper threshold configured for red packets, with a drop precedence value of 2
rprob         Drop probability configured for red packets, with a drop precedence value of 2

qos wred table


Syntax
qos wred queue table table-name
undo qos wred table table-name

View
System view

Default Level
2: System level

Parameters
queue: Creates a queue-based table. Packets are dropped based on the queue when congestion occurs.
table table-name: Specifies a name for the table.

Description
Use the qos wred table command to create a WRED table and enter WRED table view.
Use the undo qos wred table command to remove a WRED table.
By default, no global WRED table is created.
A WRED table in use cannot be removed.
Related commands: qos wfq, qos wred enable, display qos wred interface.

Examples
# Create a queue-based WRED table named table1.
<Sysname> system-view
[Sysname] qos wred queue table table1
[Sysname-wred-table-table1]

queue
Syntax
queue queue-value [ drop-level drop-level ] low-limit low-limit high-limit high-limit [ discard-probability discard-prob ]
undo queue { queue-value | all }

View
WRED table view

Default Level
2: System level

Parameters
queue-value: Queue number, in the range of 0 to 7.
drop-level drop-level: Drop level, in the range of 0 to 2. If this argument is not specified, the subsequent configuration takes effect on the packets in the queue regardless of the drop level.
low-limit low-limit: Lower limit, which is 100 by default. The range for the low-limit argument is from 0 to 8000.
high-limit high-limit: Upper limit, which is 1000 by default. The range for the high-limit argument is from 0 to 8000.
discard-probability discard-prob: Specifies the drop probability in percentage, in the range of 0 to 100. When the queue length is within the lower limit and upper limit, the switch drops packets based on the drop probability.

Description
Use the queue command to configure the drop-related parameters for a specified queue in the queue-based WRED table.
Use the undo queue command to restore the default.
By default, the global queue-based WRED table uses the following parameters: lower limit 100, upper limit 1000, and drop probability 10.
Related commands: qos wred table.

Examples
# Modify the drop-related parameters for packets with drop level 1 in queue 1 in WRED table queue-table1 as follows: lower limit 120, upper limit 300, and drop probability 20.
<Sysname> system-view
[Sysname] qos wred queue table queue-table1
[Sysname-wred-table-queue-table1] queue 1 drop-level 1 low-limit 120 high-limit 300 discard-probability 20

qos wred apply


Syntax
qos wred apply table-name
undo qos wred apply

View
Interface view, port group view

Default Level
2: System level

Parameters
table-name: Name of a global WRED table.

Description
Use the qos wred apply command to apply a global WRED table on a port/port group.
Use the undo qos wred apply command to restore the default.
By default, the tail drop mode is used on a port.
In interface view, the setting is effective on the current port only. In port group view, the setting is effective on all the ports in the port group.
Related commands: display qos wred interface, display qos wred table, qos wred table.

Examples
# Apply the queue-based WRED table queue-table1 to the interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] qos wred apply queue-table1

7 Global CAR Configuration Commands

Global CAR Configuration Commands

car name

Syntax
car name car-name [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]
undo car

View
Traffic behavior view

Default Level
2: System level

Parameters
car-name: Name of an aggregation CAR action.
hierarchy-car-name: Name of the referenced hierarchical CAR action.
mode: Collaborating mode of the hierarchical CAR action and the aggregation CAR action, which can be AND (the default) or OR. If the collaborating mode is not specified, the AND mode applies.
- AND mode (the and keyword), in which the traffic rate of a flow is limited by both the aggregation CAR applied to it and the total traffic rate defined by the hierarchical CAR. For example, you can use aggregation CAR actions to limit the Internet access rates of flow 1 and flow 2 to 128 kbps each, and use a hierarchical CAR action to limit their total traffic rate to 192 kbps. When flow 1 is not present, flow 2 can access the Internet at the maximum rate, 128 kbps. If both flows are present, each flow cannot exceed its own rate limit, and the total rate cannot exceed 192 kbps.
- OR mode (the or keyword), in which a flow may pass through at a rate equal to the aggregation CAR applied to it or a higher rate if the total traffic rate of all flows does not exceed the hierarchical CAR. For example, you can use aggregation CAR actions to limit the rates of video flow 1 and flow 2 to 128 kbps each, and then use a hierarchical CAR action to limit their total traffic rate to 512 kbps. Thus, as long as the rate of flow 1 does not exceed 128 kbps, flow 2 can pass at a rate up to 384 kbps.

Description
Use the car name command to configure the traffic behavior to reference an aggregation CAR action.
Use the undo car command to remove the aggregation CAR action from the traffic behavior.

Examples
# Configure traffic behavior be1 to reference aggregation CAR aggcar-1 and hierarchical CAR hcar, with the collaborating mode as or.
<Sysname> system-view
[Sysname] traffic behavior be1
[Sysname-behavior-be1] car name aggcar-1 hierarchy-car hcar mode or

display qos car name


Syntax
display qos car name [ car-name ]

View
Any view

Default Level
1: Monitor level

Parameters
car-name: Name of a global CAR action, which can be an aggregation CAR action or a hierarchical CAR action.

Description
Use the display qos car name command to display the configuration and statistics of a specified global CAR action.
If no CAR action is specified, the configuration and statistics of all global CAR actions are displayed.

Examples
# Display global CAR configuration.
<Sysname> display qos car name
Name: agg
Mode: aggregative
CIR 256(kbps) CBS: 1024(byte) EBS: 0(byte) PIR: 4096(kbps)
Green Action: pass
Yellow Action: pass
Red Action: discard
Green packet 0(Bytes), 0(Pkts)
Red packet 0(Bytes), 0(Pkts)

Name: hcar
Mode: hierarchy
CIR 1024(kbps) CBS: 8192(byte)
Green packet 0(Bytes), 0(Pkts)
Red packet 0(Bytes), 0(Pkts)

Table 7-1 display qos car name command output description


Field                                       Description
Name                                        Name of the CAR action
Mode                                        Type of the CAR action, which can be:
                                            - aggregative: Aggregation CAR
                                            - hierarchy: Hierarchical CAR
CIR, CBS, EBS, PIR                          Parameters for the aggregation CAR action
Green Action, Yellow Action, Red Action     Action to take on packets, which can be:
                                            - discard: Drops the packet
                                            - pass: Permits the packet to pass through
                                            - remark-dot1p-pass new-cos: Sets the 802.1p priority value of the packet to new-cos and permits the packet to pass through
                                            - remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet to pass through
                                            - remark-lp-pass new-local-precedence: Sets the local precedence of the packet to new-local-precedence and permits the packet to pass through
Green packet                                Statistics on green packets
Red packet                                  Statistics on red packets

qos car aggregative


Syntax
qos car car-name aggregative cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ red action ]
undo qos car car-name

View
System view

Default Level
2: System level

Parameters
car-name: Name of the aggregation CAR action.
aggregative: Indicates that the global CAR action is aggregative.
cir committed-information-rate: Committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 8 to 32000000, and must be a multiple of 8.
cbs committed-burst-size: Committed burst size (CBS). The committed-burst-size argument ranges from 512 to 16000000, and defaults to 512.
ebs excess-burst-size: Excess burst size (EBS) in bytes. The excess-burst-size argument ranges from 0 to 16000000, and defaults to 512.
pir peak-information-rate: Peak information rate (PIR) in kbps. The peak-information-rate argument ranges from 8 to 32000000, and must be a multiple of 8.
green action: Specifies the action to take on packets that conform to CIR. The default is pass.
yellow action: Specifies the action to take on packets that conform to PIR but not to CIR. The default is pass.
red action: Specifies the action to take on packets that conform to neither CIR nor PIR. The default is discard.
action: Action to take on packets, which can be:
- discard: Drops the packet.
- pass: Permits the packet to pass through.
- remark-dot1p-pass new-cos: Sets the 802.1p priority value of the packet to new-cos and permits the packet to pass through. The new-cos argument ranges from 0 to 7.
- remark-dscp-pass new-dscp: Sets the DSCP value of the packet to new-dscp and permits the packet to pass through. The new-dscp argument ranges from 0 to 63.

Description
Use the qos car aggregative command to configure an aggregation CAR action.
Use the undo qos car command to remove an aggregation CAR action.
An aggregation CAR action does not take effect until it is applied to an interface or referenced in a policy.

Examples
# Configure the aggregation CAR action aggcar-1 as follows: set CIR to 256 kbps, CBS to 4096 bytes, and drop red packets.
<Sysname> system-view
[Sysname] qos car aggcar-1 aggregative cir 256 cbs 4096 red discard

qos car hierarchy


Syntax
qos car car-name hierarchy cir committed-information-rate [ cbs committed-burst-size ]
undo qos car car-name

View
System view

Default Level
2: System level

Parameters
car-name: Name of the hierarchical CAR action, which is a string of 1 to 31 characters.
hierarchy: Indicates that the global CAR action is a hierarchical CAR action.
cir committed-information-rate: Committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 8 to 32000000, and must be a multiple of 8.
cbs committed-burst-size: Specifies the committed burst size (CBS) in bytes. The CBS specifies the allowed size of bursty traffic when the actual average rate is no greater than CIR. The CBS ranges from 4096 to 16000000, and defaults to 4096.

Description
Use the qos car hierarchy command to configure a hierarchical CAR action.
Use the undo qos car command to remove a hierarchical CAR action.
A hierarchical CAR action takes effect only after it is referenced in a QoS policy.

Examples
# Configure the hierarchical CAR action hierarchy as follows: set CIR to 256 kbps and CBS to 8192 bytes.
<Sysname> system-view
[Sysname] qos car hcar hierarchy cir 256 cbs 8192

reset qos car name


Syntax
reset qos car name [ car-name ]

View
User view

Default Level
2: System level

Parameters
car-name: Name of a global CAR action.

Description
Use the reset qos car name command to clear the statistics of the specified global CAR action.
Note that, if no car-name is specified, the statistics of all the global CAR actions are cleared.

Examples
# Clear the statistics of the global CAR action aggcar-1.
<Sysname> reset qos car name aggcar-1

8 Data Buffer Configuration Commands

Automatic Data Buffer Configuration Commands

burst-mode enable

Syntax
burst-mode enable
undo burst-mode enable

View
System view

Default Level
2: System level

Parameters
None

Description
Use the burst-mode enable command to enable the burst function.
Use the undo burst-mode enable command to disable the burst function.
By default, the burst function is disabled.
The burst function allows the switch to automatically determine the shared resource size, the minimum guaranteed resource size for each queue, the maximum shared resource size for each queue, and the maximum shared resource size per port. The function optimizes the packet buffering scheme to enhance forwarding performance.

The burst-mode enable command cannot work in conjunction with any manual data buffer configuration commands.

Examples
# Enable the burst function.
<Sysname> system-view
[Sysname] burst-mode enable

Manual Data Buffer Configuration Commands

The data buffer configuration is complicated and significantly impacts the forwarding performance of a device. You should not modify the data buffer parameters unless you are sure that your device will benefit from the change. If a larger buffer is needed, it is recommended that you enable the burst function to automatically allocate buffer. The commands in this section are mutually exclusive with the burst-mode enable command.

buffer apply
Syntax
buffer apply
undo buffer apply

View
System view

Default Level
2: System level

Parameters
None

Description
Use the buffer apply command to apply the configured data buffer settings.
Use the undo buffer apply command to restore the default.
Table 8-1 shows the default data buffer allocation schemes of the S5820X and the S5800 series switches.

Table 8-1 Default data buffer allocation schemes of the S5820X and the S5800 series switches

Hardware platform        Resource type     Shared resource size   Minimum guaranteed resource size per queue   Maximum shared resource size per queue   Maximum shared resource size per port
S5800 series switches    Cell resource     69%                    12%                                          6%                                       33%
S5800 series switches    Packet resource   70%                    12%                                          6%                                       33%
S5820X series switches   Cell resource     62%                    12%                                          6%                                       33%

The S5820X series switches do not support the packet resource.

Examples
# Apply the data buffer settings.
<Sysname> system-view
[Sysname] buffer apply

buffer egress queue guaranteed


Syntax
buffer egress [ slot slot-number ] { cell | packet } queue queue-id guaranteed ratio ratio
undo buffer egress [ slot slot-number ] { cell | packet } queue queue-id guaranteed

View
System view

Default Level
2: System level

Parameters
slot slot-number: Specifies an IRF member device number. For a standalone device, the slot-number argument can only be 1. In an IRF virtual device, with slot-number specified, this command configures the buffer resource of the member device specified by slot-number; without slot-number specified, this command configures the buffer resource of the master device in the IRF virtual device.
cell: Configures the minimum guaranteed resource size for a queue in the cell resource.
packet: Configures the minimum guaranteed resource size for a queue in the packet resource. This keyword is not available on an S5820X series switch.
queue-id: Specifies the ID of the queue to be configured, in the range of 0 to 7.
ratio: Sets the minimum guaranteed resource size for the specified queue as a percentage of the dedicated buffer per port in the range of 0 to 100.

Description
Use the buffer egress queue guaranteed command to configure the minimum guaranteed resource size for a queue in the cell resource or packet resource.
Use the undo buffer egress queue guaranteed command to restore the default.
By default, the minimum guaranteed resource size for a queue is 12% of the dedicated buffer of the port in both the cell resource and the packet resource.
The minimum guaranteed resource settings of a queue take effect globally, and apply to the queue with the same number on each port.
As the dedicated resource of a port is shared by eight queues, modifying the minimum guaranteed resource size for a queue can affect the other queues. The system automatically allocates the remaining dedicated resource among all queues that have not been manually assigned a minimum guaranteed resource space. For example, if you set the minimum guaranteed resource size to 30% for a queue, the other seven queues will each share 10% of the remaining dedicated resource of the port.

Examples
# Configure 20% of the dedicated buffer per port as the minimum guaranteed resource for queue 0 in the cell resource.
<Sysname> system-view
[Sysname] buffer egress cell queue 0 guaranteed ratio 20

# In an IRF virtual device, configure 15% of the dedicated buffer per port as the minimum guaranteed resource for queue 0 in the cell resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell queue 0 guaranteed ratio 15

buffer egress queue shared


Syntax
buffer egress [ slot slot-number ] { cell | packet } queue queue-id shared ratio ratio
undo buffer egress [ slot slot-number ] { cell | packet } queue queue-id shared

View
System view

Default Level
2: System level

Parameters
slot slot-number: Specifies an IRF member device number. For a standalone device, the slot-number argument can only be 1. In an IRF virtual device, with slot-number specified, this command configures the buffer resource of the member device specified by slot-number; without slot-number specified, this command configures the buffer resource of the master device in the IRF virtual device.
cell: Configures the maximum shared resource size for a queue in the cell resource.
packet: Configures the maximum shared resource size for a queue in the packet resource. This keyword is not available on an S5820X series switch.
queue-id: Specifies the ID of the queue to be configured, in the range of 0 to 7.
ratio: Sets the maximum shared resource size for the specified queue as a percentage of the shared resource in the range of 0 to 100.

Description
Use the buffer egress queue shared command to configure the maximum shared resource size for a queue in the cell resource or packet resource.
Use the undo buffer egress queue shared command to restore the default.
By default, the maximum shared resource size for a queue is 6% of the shared resource in both the cell resource and the packet resource.

The maximum shared resource settings of a queue take effect globally, and apply to the queue with the same number on each port.

Examples
# Set the maximum shared resource size for queue 0 to 10% in the cell resource.
<Sysname> system-view
[Sysname] buffer egress cell queue 0 shared ratio 10

# In an IRF virtual device, set the maximum shared resource size of queue 0 to 5% in the cell resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell queue 0 shared ratio 5

buffer egress shared


Syntax
buffer egress [ slot slot-number ] { cell | packet } shared ratio ratio
undo buffer egress [ slot slot-number ] { cell | packet } shared

View
System view

Default Level
2: System level

Parameters
slot slot-number: Specifies an IRF member device number. For a standalone device, the slot-number argument can only be 1. In an IRF virtual device, with slot-number specified, this command configures the buffer resource of the member device specified by slot-number; without slot-number specified, this command configures the buffer resource of the master device in the IRF virtual device.
cell: Configures the maximum shared resource size per port in the cell resource.
packet: Configures the maximum shared resource size per port in the packet resource. This keyword is not available on an S5820X switch.
ratio: Sets the maximum shared resource size per port as a percentage of the shared resource in the range of 0 to 100.

Description
Use the buffer egress shared command to configure the maximum shared resource size per port in the cell resource or packet resource.
Use the undo buffer egress shared command to restore the default.
By default, the maximum shared resource size per port is 33% of the shared resource in both the cell resource and the packet resource.

Examples
# Set the maximum shared resource size per port to 30% in the cell resource.
<Sysname> system-view
[Sysname] buffer egress cell shared ratio 30

# In an IRF virtual device, set the maximum shared resource size per port to 40% in the cell resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell shared ratio 40

buffer egress total-shared


Syntax
buffer egress [ slot slot-number ] { cell | packet } total-shared ratio ratio
undo buffer egress [ slot slot-number ] { cell | packet } total-shared

View
System view

Default Level
2: System level

Parameters
slot slot-number: Specifies an IRF member device number. For a standalone device, the slot-number argument can only be 1. In an IRF virtual device, with slot-number specified, this command configures the buffer resource of the member device specified by slot-number; without slot-number specified, this command configures the buffer resource of the master device in the IRF virtual device.
cell: Configures the shared resource size in the cell resource.
packet: Configures the shared resource size in the packet resource. This keyword is not available on an S5820X series switch.
ratio: Sets the shared resource size as a percentage of the cell resource or packet resource in the range of 0 to 100.

Description
Use the buffer egress total-shared command to configure the shared resource size in the cell resource or packet resource.
Use the undo buffer egress total-shared command to restore the default.
By default, on an S5800 series switch, 69% of the cell resource is the shared resource and 70% of the packet resource is the shared resource; on an S5820X series switch, 62% of the cell resource is the shared resource.

Examples
# Set 50% of the cell resource as the shared resource.
<Sysname> system-view
[Sysname] buffer egress cell total-shared ratio 50

# In an IRF virtual device, set 65% of the cell resource as the shared resource on member device 2.
<Sysname> system-view
[Sysname] buffer egress slot 2 cell total-shared ratio 65
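
The argument ranges and ordering rules stated in the WRR, WFQ, WRED, global CAR and data buffer command descriptions above can be checked offline before a change script is pushed to a switch. The following is an added example, not H3C code: the audit function, the script layout (bare commands in the order they would be entered, without prompts) and the sample commands are constructed for illustration.

```python
import re

# Ranges as stated in the command descriptions: (low, high, required multiple).
Q, W, PCT = (0, 7, 1), (1, 15, 1), (0, 100, 1)
RATE = (8, 32000000, 8)  # CIR and PIR, in kbps

RULES = [
    (r"qos wrr (?P<queue>\d+) group 1 byte-count (?P<value>\d+)", {"queue": Q, "value": W}),
    (r"qos wrr (?P<queue>\d+) group sp", {"queue": Q}),
    (r"qos wfq (?P<queue>\d+) weight (?P<value>\d+)", {"queue": Q, "value": W}),
    (r"qos bandwidth queue (?P<queue>\d+) min (?P<kbps>\d+)",
     {"queue": Q, "kbps": (64, 1048576, 1)}),
    (r"queue (?P<queue>\d+)(?: drop-level (?P<level>\d+))? low-limit (?P<low>\d+)"
     r" high-limit (?P<high>\d+)(?: discard-probability (?P<prob>\d+))?",
     {"queue": Q, "level": (0, 2, 1), "low": (0, 8000, 1), "high": (0, 8000, 1), "prob": PCT}),
    (r"qos car \S+ aggregative cir (?P<cir>\d+)(?: cbs (?P<cbs>\d+)(?: ebs (?P<ebs>\d+))?)?"
     r"(?: pir (?P<pir>\d+))?(?: red .+)?",
     {"cir": RATE, "cbs": (512, 16000000, 1), "ebs": (0, 16000000, 1), "pir": RATE}),
    (r"qos car \S+ hierarchy cir (?P<cir>\d+)(?: cbs (?P<cbs>\d+))?",
     {"cir": RATE, "cbs": (4096, 16000000, 1)}),
    (r"buffer egress(?: slot \d+)? (?:cell|packet)"
     r"(?: queue (?P<queue>\d+) (?:guaranteed|shared)| shared| total-shared) ratio (?P<ratio>\d+)",
     {"queue": Q, "ratio": PCT}),
]


def audit(script):
    """Return (line_number, message) findings; line 0 marks a script-wide finding."""
    findings = []
    wrr_enabled = set()  # interfaces on which "qos wrr" has been entered
    iface = None
    burst = manual_buffer = applied = False
    for number, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if line == "qos wrr":
            wrr_enabled.add(iface)
        elif line == "burst-mode enable":
            burst = True
        elif line == "buffer apply":
            applied = True
        elif line.startswith("buffer egress"):
            manual_buffer = True
        # WRR parameters require "qos wrr" to have been entered first.
        if line.startswith("qos wrr ") and iface not in wrr_enabled:
            findings.append((number, "WRR queue setting entered before 'qos wrr'"))
        for pattern, limits in RULES:
            match = re.fullmatch(pattern, line)
            if not match:
                continue
            for name, (low, high, step) in limits.items():
                if match.group(name) is None:
                    continue  # optional argument not given
                value = int(match.group(name))
                if not low <= value <= high or value % step:
                    note = f", multiple of {step}" if step > 1 else ""
                    findings.append((number, f"{name}={value} not in {low}..{high}{note}"))
    if burst and manual_buffer:
        findings.append((0, "burst-mode enable is mutually exclusive with manual buffer commands"))
    if manual_buffer and not applied:
        findings.append((0, "buffer egress settings are never applied with 'buffer apply'"))
    return findings


# Constructed sample script with deliberate mistakes.
SAMPLE = """\
interface GigabitEthernet1/0/1
 qos wrr
 qos wrr 0 group 1 byte-count 10
 qos wrr 8 group sp
interface GigabitEthernet1/0/2
 qos wrr 1 group 1 byte-count 16
 qos wfq
 qos bandwidth queue 0 min 32
qos wred queue table queue-table1
 queue 1 drop-level 1 low-limit 120 high-limit 300 discard-probability 20
 queue 2 drop-level 3 low-limit 120 high-limit 9000
qos car aggcar-1 aggregative cir 250 cbs 4096 red discard
qos car hcar hierarchy cir 256 cbs 2048
burst-mode enable
buffer egress cell queue 0 guaranteed ratio 20
buffer egress slot 2 cell total-shared ratio 120
"""

if __name__ == "__main__":
    for number, message in audit(SAMPLE):
        print(f"line {number}: {message}")
```

Commands the checker does not recognise are passed over without a finding, so a clean result only covers the commands listed in RULES.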
