H3C S9500 Series Routing Switches Command Manual-(V1.01)

07-QACL Command

Table of Contents

Chapter 1 ACL Commands
1.1 ACL Commands
1.1.1 acl
1.1.2 display acl config
1.1.3 display acl remaining entry
1.1.4 display acl running-packet-filter
1.1.5 display flow-template
1.1.6 display time-range
1.1.7 flow-template user-defined
1.1.8 flow-template user-defined template-info
1.1.9 packet-filter
1.1.10 reset acl counter
1.1.11 rule
1.1.12 time-range

Chapter 2 QoS Commands
2.1 QoS Commands
2.1.1 display mirroring-group
2.1.2 display qos conform-level
2.1.3 display qos cos-drop-precedence-map
2.1.4 display qos cos-local-precedence-map
2.1.5 display qos-interface all
2.1.6 display qos-interface drop-mode
2.1.7 display qos-interface mirrored-to
2.1.8 display qos-interface queue-scheduler
2.1.9 display qos-interface traffic-limit
2.1.10 display qos-interface traffic-priority
2.1.11 display qos-interface traffic-redirect
2.1.12 display qos-interface traffic-shape
2.1.13 display qos-interface traffic-statistic
2.1.14 display qos-vlan all
2.1.15 display qos-vlan traffic-limit
2.1.16 display qos-vlan traffic-priority
2.1.17 display qos-vlan traffic-redirect
2.1.18 display traffic-params
2.1.19 drop-mode
2.1.20 dscp
2.1.21 exp
2.1.22 local-precedence
2.1.23 mirrored-to
2.1.24 mirroring-group
2.1.25 priority
2.1.26 qos conform-level
2.1.27 qos cos-drop-precedence-map
2.1.28 qos cos-local-precedence-map
2.1.29 queue
2.1.30 queue-scheduler
2.1.31 reset traffic-statistic
2.1.32 traffic-limit
2.1.33 traffic-params
2.1.34 traffic-priority
2.1.35 traffic-redirect
2.1.36 traffic-shape
2.1.37 traffic-statistic
2.1.38 wred

Chapter 3 ACL Control Commands to Control Login Users
3.1 The ACL Control Commands to Control Login Users
3.1.1 acl
3.1.2 snmp-agent community
3.1.3 snmp-agent group
3.1.4 snmp-agent usm-user

Chapter 4 VLAN-ACL Configuration Commands
4.1 VLAN-ACL Configuration Commands
4.1.1 mirrored-to
4.1.2 packet-filter
4.1.3 traffic-limit
4.1.4 traffic-priority
4.1.5 traffic-redirect
4.1.6 traffic-statistic
4.1.7 port can-access vlan-acl
4.1.8 display vlan-acl-member-ports

 


Chapter 1  ACL Commands

 

Caution:

- The syntax of the QoS/ACL commands used for service processor cards (LSB1NATB0 cards in the context of this document) differs slightly from that for interface cards. The commands executed in VLAN view in this chapter are the commands for the service processor cards.

- Service processor cards do not support Layer 2 ACLs.

 

1.1  ACL Commands

1.1.1  acl

Syntax

acl { number acl-number | name acl-name [ advanced | basic | link ] } [ match-order { config | auto } ]

undo acl { number acl-number | name acl-name | all }

View

System view

Parameter

number acl-number: ACL number, in the range of:

2000 to 2999: Represents basic ACL.

3000 to 3999: Represents advanced ACL.

4000 to 4999: Represents Layer 2 ACL.

name acl-name: Character string that must start with an English letter (a-z or A-Z) and contain no space or quotation mark; it is case insensitive, and the keywords all and any cannot be used as names.

advanced: Advanced ACL.

basic: Basic ACL.

link: Layer 2 ACL.

config: In configuration order during matching ACL rules.

auto: In depth-first order during matching ACL rules.

all: Deletes all ACLs (both number- and name-identified ones).

Description

Use the acl command to define a number- or name-identified ACL and enter its view.

Use the undo acl command to delete all rules of an ACL or all ACLs.

By default, the system matches ACL rules in configuration order.

Using the acl command, you can create an ACL named acl-name, whose type is decided by the keyword advanced, basic or link. After entering the corresponding ACL view, whether the ACL is identified by a number or a name, you can use the rule command to create its rules (use the quit command to exit ACL view).

You can use the match-order keyword to specify whether ACL rules are matched in configuration order or in depth-first order (the rule with the smaller range is matched first). By default, configuration order is used. You cannot modify the matching order once it is specified; to change it, delete all rules of the ACL and then specify the matching order again.

 

Note:

The user-defined ACL matching order takes effect only when multiple rules of one ACL are applied at the same time. For example, if an ACL has two rules and they are not applied simultaneously, the switch matches them in their application order even if you configured depth-first matching.

If one rule is a subset of another rule in an ACL, apply the rules according to the range of packets they specify: the rule with the smallest range of packets is applied first, and the other rules follow on the same principle.

If any ACL is in use, the undo acl all command cannot delete any ACL.

If an advanced ACL has been occupied by IDS, it can no longer be modified or deleted through commands.

 

Related command: rule.

Example

# Set depth-first order as the match order of ACL 2000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000 match-order auto

1.1.2  display acl config

Syntax

display acl config { all | acl-number | acl-name }

View

Any view

Parameter

all: Displays all ACLs (both number- and name-identified ones).

acl-number: Serial number of the ACL to be displayed, in the range of 2000 to 5999.

acl-name: Name of the ACL to be displayed. String parameter which must start with an English letter ([a-z, A-Z]) and no space is allowed in it.

Description

Use the display acl config command to view the configuration details of an ACL, including all its rules, their serial numbers, and the number of matched packets and bytes.

The match counts shown here are software match counts, that is, counts for packets that had to be processed by the CPU. Use the traffic-statistic command to collect hardware match counts.

Example

# Display contents of all ACLs.

<H3C> display acl config all

Link ACL  4000, 1 rule,

 rule 0 permit ingress any egress any

 

Basic ACL   traffic-of-host, 1 rule,

 rule 1 deny source 10.1.1.1 0 time-range H3C(0 times matched) (Active)

1.1.3  display acl remaining entry

Syntax

display acl remaining entry slot slotid

View

Any view

Parameter

slot slotid: the ID of the specified slot.

Description

Use the display acl remaining entry command to display the total number of ACL rules that are applied on the specified card, together with the reserved and remaining entries of each resource type.

Example

# Display the total number of ACL rules that are applied on the card in slot 5.

<H3C> display acl remaining entry slot 5

Slot: 5
  Resource  Total   Reserved  Configured  Remaining   Start       End
    Type    Number   Number     Number      Number   Port Name  Port Name
--------------------------------------------------------------------------
   METER     256        0          0         256       GE5/1/1   GE5/1/12
   METER     256        0          0         256      GE5/1/13   GE5/1/24
    RULE    1024        0          0        1024       GE5/1/1   GE5/1/12
    RULE    1024        0          0        1024      GE5/1/13   GE5/1/24
  ACTION    1024        0          0        1024       GE5/1/1   GE5/1/12
  ACTION    1024        0          0        1024      GE5/1/13   GE5/1/24

Table 1-1 Description of the displayed information

Field                           Description
Resource Type                   Resource type: METER (flow meter resource), RULE (rule resource), ACTION (action resource)
Total Number                    Total number of ACL rules of that resource type supported by the hardware
Reserved Number                 Number of reserved ACL rules
Configured Number               Number of ACL rules that have been configured
Remaining Number                Number of remaining ACL rules
Start Port Name, End Port Name  Names of the start port and the end port

 

1.1.4  display acl running-packet-filter

Syntax

display acl running-packet-filter { all | interface interface-type interface-number | vlan vlan-id }

View

Any view

Parameter

all: Displays all the ACLs that have been applied (both number-identified and name-identified ones).

interface interface-type interface-number: Port of the switch; refer to the Port Module Command Manual for details. When this parameter is specified, the ACL application information on that port of an interface card is displayed.

vlan: Displays the ACL application information for the VLAN configured through the service processor card.

vlan-id: VLAN ID, in the range of 1 to 4094.

Description

Use the display acl running-packet-filter command to display the ACL application information, including the name of the ACL, the name of the sub items and the application state.

Example

# Display the ACL application information of port Ethernet3/1/1.

<H3C> display acl running-packet-filter interface ethernet3/1/1

Ethernet3/1/1

 Inbound:

 Acl 4000 rule 0  running

# Display the ACL application information of VLAN2

<H3C> display acl running-packet-filter vlan 2

Vlan 2

 Inbound:

 Acl 2000 rule 1 slot 6  running

1.1.5  display flow-template

Syntax

display flow-template [ default | interface interface-type interface-number | slot slotid | user-defined ]

View

Any view

Parameter

default: Displays the default flow template of the system.

interface interface-type interface-number: Displays the flow template applied on the specified port.

slot slotid: Displays the flow template applied on the specified card.

user-defined: Displays the user-defined flow template.

Description

Use the display flow-template command to view the detailed configuration of flow templates: which fields each template defines and which ports/cards it is applied on.

H3C S9500 Series Routing Switches (hereinafter referred to as S9500 series) support two flow templates: one is user-defined; the other is the default one. If you do not input any parameter for this command, the detailed configuration of all flow templates will be displayed.

Related command: flow-template user-defined.

Example

# Display information about the default flow-template.

<H3C> display flow-template default

default flow template :  ip-protocol tcp-flag sport dport icmp-type icmp-code sip 0.0.0.0 dip 0.0.0.0 vlanid

1.1.6  display time-range

Syntax

display time-range { all | name }

View

Any view

Parameter

all: Displays all time ranges.

name: Time range name, string starting with an English letter ([a-z, A-Z]) and in the range of 1 to 32 characters.

Description

Use the display time-range command to view the configuration and status of the current time ranges. The system shows "active" for an active time range and "inactive" for an inactive one.

The system updates ACLs with a delay of about one minute, while the output of the display time-range command is based on the current time. A time range may therefore be shown as active by display time-range while it is still inactive in the ACL that references it; this is normal.

Related command: time-range.

Example

# Display all time ranges.

<H3C> display time-range all

Current time is 14:36:36 4-3-2003 Thursday

 

Time-range : hhy ( Inactive )

 from 08:30 2-5-2005 to 18:00 2-19-2005

 

Time-range : hhy1 ( Inactive )

 from 08:30 2-5-2003 to 18:00 2-19-2003

Table 1-2 Description of the displayed information

Field                                       Description
Current time is 14:36:36 4-3-2003 Thursday  The current time of the system
Time-range : hhy ( Inactive )               Time range hhy. "Inactive" means that the time range is currently inactive ("Active" means it is active), and the time range is from 08:30 2-5-2005 to 18:00 2-19-2005
 from 08:30 2-5-2005 to 18:00 2-19-2005
The displayed information below is similar.

 

# Display time range tm1.

<H3C> display time-range tm1

Current time is 14:37:31 4-3-2003 Thursday

 

Time-range : tm1 ( Inactive )

from 08:30 2-5-2005 to 18:00 2-19-2005

Table 1-3 Description of the displayed information

Field                                       Description
Current time is 14:36:36 4-3-2003 Thursday  The current time of the system
Time-range : tm1 ( Inactive )               Time range tm1. "Inactive" means that the time range is currently inactive ("Active" means it is active), and the time range is from 08:30 2-5-2005 to 18:00 2-19-2005
 from 08:30 2-5-2005 to 18:00 2-19-2005
The displayed information below is similar.

 

1.1.7  flow-template user-defined

Syntax

flow-template user-defined

undo flow-template user-defined

View

Ethernet port view

Parameter

None.

Description

Use the flow-template user-defined command to apply the user-defined flow template to current port.

Use the undo flow-template user-defined command to cancel the applied flow template on current port.

Related command: display flow-template, flow-template user-defined slot slotid template-info.

Example

# Apply the user-defined flow template to current port Ethernet4/1/1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Ethernet4/1/1

[H3C-Ethernet4/1/1] flow-template user-defined

1.1.8  flow-template user-defined template-info

Syntax

flow-template user-defined slot slotid template-info

undo flow-template user-defined slot slotid

View

System view

Parameter

template-info: Information available for defining a flow template. Its value can be:

- bt-flag: BT flag bit, in the length of 6 bytes.

- c-tag-cos: 802.1p priority in the internal 802.1QTag carried by the packet, in the length of 2 bytes together with c-tag-vlanid in the flow template.

- c-tag-vlan: VLAN ID in the internal 802.1QTag carried by the packet, in the length of 2 bytes together with c-tag-cos in the flow template.

- cos: 802.1p priority in the outermost 802.1QTag carried by the packet, in the length of 2 bytes together with s-tag-vlan in the flow template.

- dip wildcard: Destination IP field in the IP packet header, in the length of 4 bytes.

- dmac wildcard: Destination MAC field in the Ethernet packet header, in the length of 6 bytes.

- dport: Destination port field, in the length of 2 bytes.

- dscp: DSCP field in the IP packet header. dscp, exp, ip-precedence and tos together occupy 1 byte.

- ethernet-protocol: Protocol type field in the Ethernet packet header, in the length of 6 bytes.

- exp: EXP field in the MPLS packet. dscp, exp, ip-precedence and tos together occupy 1 byte.

- fragment-flags: Fragment flag field in the IP packet header; occupies no bytes in the flow template.

- icmp-code: ICMP code field, in the length of 1 byte.

- icmp-type: ICMP type field, in the length of 1 byte.

- ip-precedence: IP precedence field in the IP packet header. dscp, exp, ip-precedence and tos together occupy 1 byte.

- ip-protocol: Protocol type field in the IP packet header, in the length of 1 byte.

- s-tag-vlan: VLAN ID in the outermost 802.1QTag carried by the packet, in the length of 2 bytes together with cos in the flow template.

- sip wildcard: Source IP field in the IP packet header, in the length of 4 bytes.

- smac wildcard: Source MAC field in the Ethernet packet header, in the length of 6 bytes.

- sport: Source port field, in the length of 2 bytes.

- tcp-flag: Flag field in the TCP packet header, in the length of 1 byte.

- tos: TOS (type of service) field in the IP packet header. dscp, exp, ip-precedence and tos together occupy 1 byte.

- vlanid: VLAN ID that the switch assigns to the packet, in the length of 2 bytes.

- vpn: Flow template pre-defined for MPLS L2VPN, in the length of 2 bytes.

 

Note:

- The byte counts given above apply to flow templates, not to IP packets. For example, the DSCP field occupies one byte in a flow template but six bits in an IP packet. Use these numbers to determine whether the total length of the template elements exceeds 16 bytes.

- The dscp, exp, ip-precedence and tos fields jointly occupy one byte, whether you define only one of the four fields or the ip-precedence and tos fields simultaneously.

- The cos and s-tag-vlan fields jointly occupy two bytes, whether you define one or both of them. The c-tag-cos and c-tag-vlanid fields occupy two bytes in the same way.

- The fragment-flags field occupies no byte in the flow template, so ignore it when determining whether the total length of the template elements exceeds 16 bytes.

 

slot slotid: Specifies the slot on which the flow template is applied.

Description

Use the flow-template user-defined slot slotid template-info command to define a flow template.

Use the undo flow-template user-defined slot slotid command to delete a flow template.

In defining a flow template, the total length of all elements should not be more than 16 bytes.

 

&  Note:

Currently, the default flow template is as follows:

ip-protocol tcp-flag sport dport icmp-type icmp-code sip 0.0.0.0 dip 0.0.0.0 vlanid

 

You cannot modify or delete the default flow template, but you can modify or delete the templates you have defined.

Related command: display flow-template, flow-template user-defined.

Example

# Define a flow template which classifies traffic by source and destination IP addresses, source and destination TCP/UDP ports, DSCP domain in the IP packet header.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] flow-template user-defined slot 3 sip 0.0.0.0 dip 0.0.0.0 sport dport dscp
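As an added example (not from the H3C manual), the following Python script applies the per-field byte costs listed under template-info and the shared-byte rules from the Note to check whether a user-defined flow template fits within the 16-byte limit. All function and constant names are this example's own; the wildcard tokens that follow sip, dip, smac and dmac on the command line are consumed and discarded, since they do not change the byte cost.

```python
# Byte cost of each template element, as listed for template-info above.
# Members of a shared group are charged once per group (see SHARED_GROUPS).
FIELD_BYTES = {
    "bt-flag": 6, "dip": 4, "dmac": 6, "dport": 2, "ethernet-protocol": 6,
    "fragment-flags": 0, "icmp-code": 1, "icmp-type": 1, "ip-protocol": 1,
    "sip": 4, "smac": 6, "sport": 2, "tcp-flag": 1, "vlanid": 2, "vpn": 2,
    "dscp": 1, "exp": 1, "ip-precedence": 1, "tos": 1,
    "cos": 2, "s-tag-vlan": 2,
    "c-tag-cos": 2, "c-tag-vlan": 2,
}

# Field groups that jointly occupy one allocation, charged once per group.
SHARED_GROUPS = [
    ({"dscp", "exp", "ip-precedence", "tos"}, 1),
    ({"cos", "s-tag-vlan"}, 2),
    ({"c-tag-cos", "c-tag-vlan"}, 2),
]

# Elements followed by a wildcard argument on the command line (e.g. "sip 0.0.0.0").
WILDCARD_FIELDS = {"sip", "dip", "smac", "dmac"}

MAX_TEMPLATE_BYTES = 16  # limit stated for user-defined flow templates


def parse_template_info(text):
    """Split the template-info part of the command into a list of field names.

    The wildcard after sip/dip/smac/dmac is consumed and discarded.
    Unknown tokens or a missing wildcard raise ValueError.
    """
    tokens = text.split()
    fields = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in FIELD_BYTES:
            raise ValueError("unknown template element: %s" % tok)
        fields.append(tok)
        if tok in WILDCARD_FIELDS:
            if i + 1 >= len(tokens):
                raise ValueError("%s needs a wildcard argument" % tok)
            i += 2
        else:
            i += 1
    return fields


def template_length(fields):
    """Total bytes the template consumes, applying the shared-byte rules."""
    present = set(fields)  # a repeated element is still one template field
    total = 0
    grouped = set()
    for members, cost in SHARED_GROUPS:
        if present & members:
            total += cost
        grouped |= members
    for field in present - grouped:
        total += FIELD_BYTES[field]
    return total


def check_template(text):
    """Return (length_in_bytes, fits) for a template-info string."""
    length = template_length(parse_template_info(text))
    return length, length <= MAX_TEMPLATE_BYTES


if __name__ == "__main__":
    # Constructed inputs: the manual's own example, then an over-long template.
    for info in ("sip 0.0.0.0 dip 0.0.0.0 sport dport dscp",
                 "smac 0-0-0 dmac 0-0-0 sip 0.0.0.0 dip 0.0.0.0"):
        print("%-48s -> %s" % (info, check_template(info)))
```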

1.1.9  packet-filter

Syntax

I. Command Format Which Only Applies IP Group ACL

In Ethernet port view:

packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]

In VLAN view:

packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] [ system-index index ] slot slotid

undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

II. Command Format Which Applies IP Group and Link Group ACL at Same time

In Ethernet port view:

packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule }

undo packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

III. Command Format Which Only Applies Link Group ACL

In Ethernet port view:

packet-filter inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

undo packet-filter inbound link-group { acl-number | acl-name } [ rule rule ]

View

Ethernet port view, VLAN view

Parameter

inbound: Performs filtering to the packets received by the interface.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number : Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of ACL, which must be a character string started with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the rule of an active ACL, ranging from 0 to 127; if not specified, all rules of ACL will be activated.

system-index index: System index of an ACL rule. When delivering a rule, the system assigns it a globally unique index for later retrieval. You can also assign a system index yourself when delivering an ACL rule with this command, but doing so is not recommended unless strictly necessary.

 

Note:

If you remove a card with QoS/ACL configured while the system is operating, the corresponding system index value is released automatically and is then used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

 

slot slotid: Slot number of a service processor card.

Description

Use the packet-filter command to activate an ACL.

Use the undo packet-filter command to deactivate an active ACL.

 

Note:

The interface cards support the command syntax in Ethernet port view; while the service processor cards (LSB1NATB0 cards in the context of this document) support the command syntax in VLAN view because these cards have no egress port.

Before executing the packet-filter command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect packets of a specific VLAN to the service processor card.

 

Example

# Activate ACL 2000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet5/1/1

[H3C-Ethernet5/1/1] packet-filter inbound ip-group 2000

1.1.10  reset acl counter

Syntax

reset acl counter { all | acl-number | acl-name }

View

User view

Parameter

all: Clears the statistics of all ACLs (both number- and name-identified ones).

acl-number: Serial number of the ACL, in the range of 2000 to 3999.

acl-name: ACL name, a string of 1 to 32 characters that must start with an English letter ([a-z, A-Z]) and contain no space or quotation mark; it is case insensitive. The keyword all cannot be used.

Description

Use the reset acl counter command to clear ACL statistics to zero.

Example

# Clear the statistics of ACL 2000.

<H3C> reset acl counter 2000

1.1.11  rule

Syntax

I. Define or delete the subrules of a basic ACL

rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ]*

undo rule rule-id [ source | fragment | time-range | vpn-instance instance-name ]*

II. Define or delete the subrules of an advanced ACL

rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ bt-flag ] [ time-range name ] [ vpn-instance instance-name ]

undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | bt-flag | time-range | vpn-instance ]*

III. Define or delete the rules of a Layer 2 ACL

rule [ rule-id ] { permit | deny } [ cos cos-value | c-tag-cos c-cos-value | exp exp-value | protocol-type | ingress { { source-vlan-id [ to source-vlan-id-end ] | source-mac-addr source-mac-wildcard | c-tag-vlan c-tag-vlanid }* | any } | egress { dest-mac-addr dest-mac-wildcard | any } | s-tag-vlan s-tag-vlanid | time-range name ]*

undo rule rule-id

View

Corresponding ACL view

Parameter

rule-id: Specifies the rule number within the ACL, in the range of 0 to 127.

permit: Allows qualified packets to pass.

deny: Forbids qualified packets to pass.

time-range name: Time range name, optional parameter. It means the rule takes effect in this time range.

 

Note:

The following parameters describe attributes of the packet; the ACL generates rules according to these attribute parameters.

 

- Parameters specific to basic ACLs:

source { source-addr wildcard | any }: source-addr wildcard specifies the source IP address and its wildcard, both in dotted decimal notation. any represents all source addresses.

fragment: The rule applies only to fragmented packets and is ignored for non-fragmented packets.

vpn-instance instance-name: VPN instance name. The specified MPLS VPN packets will be identified if this parameter is selected.

- Parameters specific to advanced ACLs:

protocol: Specifies the protocol type, by name or by number. Names include icmp, igmp, tcp, udp, ip, gre, ospf and ipinip; ip represents all IP protocols. Numbers range from 1 to 255.

source { source-addr wildcard | any }: source-addr wildcard specifies the source IP address and its wildcard, both in dotted decimal notation. any represents all source addresses.

destination { dest-addr wildcard | any }: dest-addr wildcard specifies the destination IP address and its wildcard, both in dotted decimal notation. any represents all destination addresses.

source-port operator port1 [ port2 ]: Source TCP or UDP port of the packet. operator is the port operator: eq (equal to), gt (greater than), lt (less than), neq (not equal to) or range (in the range of). This parameter is available only when protocol is tcp or udp. port1 [ port2 ] is the source TCP or UDP port, as a name or a number from 0 to 65535 (for the names, see the port mnemonic list). Both port1 and port2 are used only with the range operator; the other operators take port1 only.

destination-port operator port1 [ port2 ]: Destination TCP or UDP port of the packet. See source-port operator port1 [ port2 ] for details.

icmp-type type code: Active when protocol is icmp. type code specifies an ICMP packet: type is the ICMP type, as a name or a number from 0 to 255; code is the ICMP code, from 0 to 255, and is given only when the ICMP type is specified as a number rather than a name.

established: (Optional) Effective only to the first SYN packet established by TCP; active only when protocol is set to tcp.

precedence precedence: (Optional) IP priority level, in a number (ranging from 0 to 7) or a name.

tos tos: (Optional) Indicating packets are classified by TOS value, in a number (ranging 0 to 15) or a name.

dscp dscp: (Optional) Indicating packets are classified by DSCP value, in a number (ranging from 0 to 63) or a name.

fragment: It is only effective to fragmented messages and is ignored by non-fragmented messages.

bt-flag: It indicates that the rule is effective to BT data messages only. If you use this key word, the protocol in the rule must be tcp. The parameter is applicable to defining the advanced ACLs.

vpn-instance instance-name: VPN instance name. The specified MPLS VPN packets will be identified if this parameter is selected.

- Parameters specific to Layer 2 ACLs:

cos: Specifies the 802.1p priority in the outermost 802.1QTag carried by the packet.

cos-value: A number from 0 to 7, or the priority name. See Table 1-4 for their correspondence.

Table 1-4 COS priority definition

Number  Priority name
0       best-effort
1       background
2       spare
3       excellent-effort
4       controlled-load
5       video
6       voice
7       network-management

c-tag-cos c-cos-value: Specifies the 802.1p priority in the internal 802.1QTag carried by the packet. Specify the same value for c-cos-value and cos-value.

protocol-type: Specifies the protocol type carried by the Ethernet frame, as a name or a hexadecimal number. The names are arp, ip, ipv6, mpls, nbx, pppoe-control, pppoedata and rarp; the hexadecimal range is 1 to FFFF.

ingress { { source-vlan-id [ to source-vlan-id-end ] | source-mac-addr source-mac-wildcard | c-tag-vlan c-tag-vlanid }* | any }: Source information of the packet. source-vlan-id [ to source-vlan-id-end ] is the source VLAN or source VLAN range (identified by the outer VLAN tag of the packet). source-mac-addr source-mac-wildcard is the source MAC address and its wildcard; together they determine the range of source MAC addresses of interest. The smaller the wildcard, the smaller the range of MAC addresses. For example, 00e0-fc01-0101 0-0-0 specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 0-0-fff specifies the address range 00e0-fc01-0000 to 00e0-fc01-ffff.

c-tag-vlan c-tag-vlanid: The system identifies the source VLAN from the VLAN ID in the internal 802.1QTag carried by the packet. any represents all packets received on all ports.

egress { dest-mac-addr dest-mac-wildcard | any }: Destination information of the packet. dest-mac-addr dest-mac-wildcard is the destination MAC address and its wildcard; together they determine the range of destination MAC addresses of interest. The smaller the wildcard, the smaller the range of MAC addresses. For example, 00e0-fc01-0101 0-0-0 specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 0-0-fff specifies the address range 00e0-fc01-0000 to 00e0-fc01-ffff. any represents all packets forwarded on all ports.

s-tag-vlan s-tag-vlanid: VLAN ID in the outermost 802.1QTag carried by the packet.

Description

Use the rule command to add a rule to the ACL.

Use the undo rule command to delete a rule from the ACL.

You can define multiple rules for an ACL. Only the specified rules will be deleted if you select parameters in the undo rule command.

If you redefine an existing rule, the newly configured options overwrite the corresponding options of the original rule, and the options that are not redefined remain. For example:

With the original rule 0:

[acl number 2000]rule 0 permit source 10.1.1.1 0 time-range test

when you redefine it as follows:

[acl number 2000]rule 0 permit source 10.1.1.2 0 fragment

it becomes:

rule 0 permit source 10.1.1.2 0 fragment time-range test

That is, the source option is replaced with 10.1.1.2, the fragment option, which the original rule did not contain, is added, and the time-range test option, which the original rule did contain, is retained.

 

Caution:

- If you want to replace an existing rule, it is recommended to delete the original rule with the undo command first and then reconfigure the rule. This makes sure that unwanted options are completely removed.

- If you configure a rule without giving a rule number, the system automatically generates a new rule if the rule is not identical to any existing rule.

- A rule with bt-flag specified cannot be used in the traffic-redirect command.

 

Related command: acl.

Example

# Add a rule to advanced ACL 3000.

<H3C> system-view

System View: return to User View with Ctrl+Z. 

[H3C]acl number 3000

[H3C-acl-adv-3000] rule 1 permit tcp established source 1.1.1.1 0 destination 2.2.2.2 0

1.1.12  time-range

Syntax

time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }

undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ]

View

System view

Parameter

time-name: Name of the time range, used to reference it from other commands (for example, the time-range option of the rule command).

start-time: (Optional) Start time of the periodic time range, in the format hh:mm.

end-time: (Optional) End time of the periodic time range, in the format hh:mm.

days-of-the-week: (Optional) Day(s) of the week on which the periodic time range takes effect. You can type:

•           A number from 0 to 6;

•           Monday, Tuesday, Wednesday, Thursday, Friday, Saturday or Sunday;

•           working-day: Monday through Friday inclusive;

•           off-day: Saturday and Sunday;

•           daily: every day of the week.

from start-time start-date: (Optional) Start of the absolute time range, in the format hh:mm YYYY/MM/DD.

to end-time end-date: (Optional) End of the absolute time range, in the format hh:mm YYYY/MM/DD.

Description

Use the time-range command to define a time range.

Use the undo time-range command to cancel a time range.

A time range can consist of a periodic time range, an absolute time range, or both. start-time to end-time days-of-the-week together define the periodic time range; from start-time start-date and to end-time end-date together define the absolute time range.

If a time range defines only a periodic time range, it is active only within that periodic time range.

If a time range defines only an absolute time range, it is active only within that absolute time range.

If a time range defines both, it is active only when the periodic time range and the absolute time range both match. For example, a time range that defines a periodic time range of 12:00 to 14:00 every Wednesday and an absolute time range of 00:00 2004/1/1 to 23:59 2004/12/31 is active only from 12:00 to 14:00 on Wednesdays in 2004.

If no start time and end time are configured, the time range covers the whole day (00:00 to 24:00).

If no end time is configured, the time range lasts from the time the configuration takes effect until the latest time the system supports. The system currently supports times from 1970/01/01 to 2100/12/31.

If you specify parameters in the undo time-range command, only the part of the time range that matches those parameters is removed.
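Because an ACL rule bound to a time range silently stops matching outside that range, it is worth being able to answer "is this rule live right now?" off-box. The following Python is an added illustration, not code from the H3C manual: it parses the time-range command form shown in this section and evaluates the periodic-and-absolute logic just described. Two details the manual leaves open are assumptions of this example: numeric weekdays count 0 = Sunday through 6 = Saturday, and the periodic end time is exclusive (so 00:00 to 24:00 covers a whole day).

```python
"""Active-time check for an H3C time-range (added example, not code from the manual).

A time range has an optional periodic part (start-time to end-time on given
weekdays) and an optional absolute part (from ... [to ...]).  It is active
only when every configured part matches the moment being tested.  Assumed
here because the manual does not say: numeric weekdays run 0 = Sunday ..
6 = Saturday, and the periodic end time is exclusive.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SYSTEM_MIN = datetime(1970, 1, 1, 0, 0)        # limits the manual says the system supports
SYSTEM_MAX = datetime(2100, 12, 31, 23, 59)
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"working-day": set(range(5)), "off-day": {5, 6}, "daily": set(range(7))}


def hhmm_to_minutes(text: str) -> int:
    hours, minutes = (int(x) for x in text.split(":"))
    if not (0 <= minutes < 60 and 0 <= hours <= 24) or (hours == 24 and minutes != 0):
        raise ValueError(f"bad time {text!r}")
    return hours * 60 + minutes


def day_spec(token: str) -> set[int]:
    """Map one days-of-the-week token to Python weekday numbers (Monday = 0 ... Sunday = 6)."""
    t = token.lower()
    if t in DAY_SETS:
        return set(DAY_SETS[t])
    if t in WEEKDAYS:
        return {WEEKDAYS.index(t)}
    if t.isdigit() and 0 <= int(t) <= 6:
        return {(int(t) - 1) % 7}              # assumption: H3C numbering starts at 0 = Sunday
    raise ValueError(f"bad day {token!r}")


@dataclass
class TimeRange:
    name: str
    periodic: Optional[tuple[int, int, set[int]]] = None   # (start minute, end minute, weekdays)
    absolute: Optional[tuple[datetime, datetime]] = None   # (from, to)

    def is_active(self, now: datetime) -> bool:
        if self.periodic is not None:
            start, end, days = self.periodic
            minute = now.hour * 60 + now.minute
            if now.weekday() not in days or not (start <= minute < end):
                return False
        if self.absolute is not None:
            lo, hi = self.absolute
            if not (lo <= now <= hi):
                return False
        return True


def parse_time_range(cmd: str) -> TimeRange:
    """Parse 'time-range NAME [start to end days...] [from hh:mm YYYY/MM/DD] [to hh:mm YYYY/MM/DD]'."""
    tok = cmd.split()
    if len(tok) < 3 or tok[0] != "time-range":
        raise ValueError(f"not a time-range command: {cmd!r}")
    tr, i = TimeRange(tok[1]), 2
    if tok[i] not in ("from", "to"):                       # periodic part
        if i + 2 >= len(tok) or tok[i + 1] != "to":
            raise ValueError(f"expected 'start to end' in {cmd!r}")
        start, end = hhmm_to_minutes(tok[i]), hhmm_to_minutes(tok[i + 2])
        i += 3
        days: set[int] = set()
        while i < len(tok) and tok[i] not in ("from", "to"):
            days |= day_spec(tok[i])
            i += 1
        if not days:
            raise ValueError("periodic time range needs at least one day")
        tr.periodic = (start, end, days)
    lo, hi, have_absolute = SYSTEM_MIN, SYSTEM_MAX, False
    while i < len(tok):                                    # absolute part
        if tok[i] not in ("from", "to") or i + 2 >= len(tok):
            raise ValueError(f"bad absolute time range in {cmd!r}")
        when = datetime.strptime(f"{tok[i + 1]} {tok[i + 2]}", "%H:%M %Y/%m/%d")
        if tok[i] == "from":
            lo = when
        else:
            hi = when
        have_absolute, i = True, i + 3
    if have_absolute:
        tr.absolute = (lo, hi)
    return tr


if __name__ == "__main__":
    both = parse_time_range("time-range t1 12:00 to 14:00 wednesday from 00:00 2004/1/1 to 23:59 2004/12/31")
    for probe in (datetime(2004, 3, 3, 13, 0), datetime(2004, 3, 4, 13, 0), datetime(2005, 3, 2, 13, 0)):
        print(probe, "active" if both.is_active(probe) else "inactive")
```

A missing to clause is filled with SYSTEM_MAX and a missing from clause with SYSTEM_MIN, mirroring the open-ended behaviour described above; a rule restricted only by from 00:00 2000/1/1 is therefore permanently active from that date on.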

Example

# Define a time range starting at 00:00 on Jan. 1, 2000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range test from 00:00 2000/1/1

 


Chapter 2  QoS Commands

 

  Caution:

•      The syntax of the QoS/ACL commands for service processor cards (LSB1NATB0 cards in this document) differs somewhat from the syntax for interface cards. The commands executed in VLAN view in this chapter are commands for the service processor cards.

•      Service processor cards do not support Layer 2 ACLs.

 

2.1  QoS Commands

2.1.1  display mirroring-group

Syntax

display mirroring-group [ groupid ]

View

Any view

Parameter

groupid: mirroring group ID, in the range of 1 to 24.

Description

Use the display mirroring-group command to view the configuration of a port mirroring group. The information displayed includes the monitored ports, direction of monitored packets, monitoring ports, etc.

Related command: mirroring-group.

Example

# Display the parameter configuration of a port mirroring group.

<H3C> display mirroring-group

mirroring-group 1 inbound Ethernet6/1/1 mirrored-to Ethernet6/1/2

2.1.2  display qos conform-level

Syntax

display qos conform-level [ conform-level-value ] { dscp-policed-service-map [ dscp-list ] | exp-policed-service-map | local-precedence-cos-map }

View

Any view

Parameter

conform-level-value: Conform level, in the range of 0 to 2. If you specify a conform level, only the mapping entries of that level are displayed; otherwise the entries of all conform levels are displayed.

dscp-policed-service-map [ dscp-list ]: Displays the “DSCP + Conform-level > Service-parameter” mapping table. dscp-list: one or more DSCP values in the range of 0 to 63, for example a single value “46” or the list “0 8 10 16” (separate values with a space). If you specify DSCP values, only the entries for those values are displayed; otherwise the whole table is displayed.

exp-policed-service-map: Displays “EXP + Conform-level > Service-parameter” mapping table. EXP is MPLS priority of MPLS packets.

local-precedence-cos-map: Displays the “Local-precedence + Conform-level > Priority” mapping table.

Description

Use the display qos conform-level command to view the “DSCP + Conform-level > Service-parameter” mapping table, “EXP + Conform-level > Service-parameter” mapping table and “Local-precedence + Conform-level > Priority” mapping table.

Example

# Display the “DSCP + Conform-level > Service-parameter” mapping table.

<H3C> display qos conform-level 0 dscp-policed-service-map

Conform-level 0 :

 Dscp-policed-service Map :

dscp  :    dscp      exp       cos     local-precedence      drop-precedence

--------------------------------------------------------------------------

    0  :      0         0         0                0                            0

    8  :      8         1         1                1                            0

   10  :      10        1         1                1                            0

   16  :      16        2         2                2                            0

   18  :      18        2         2                2                            0

   24  :     24        3         3                3                            0

   26  :     26        3         3                3                            0

   32  :     32        4         4                4                            0

   34  :     34        4         4                4                            0

   40  :     40        5         5                5                            0

   46  :     46        5         5                5                            0

   48  :     48        6         6                6                            0

   56  :     56        7         7                7                            0

# Display the “EXP + Conform-level > Service-parameter” mapping table.

<H3C> display qos conform-level 0 exp-policed-service-map

conform-level 0 :

    exp :       dscp       exp       cos  local-precedence   drop-precedence

--------------------------------------------------------------------------

     0 :         2         0         0                 0                 0

     1 :        10         1         1                 1                 0

     2 :        18         2         2                 2                 0

     3 :        26         3         3                 3                 0

     4 :        34         4         4                 4                 0

     5 :        42         5         5                 5                 0

     6 :        50         6         6                 6                 0

     7 :        58         7         7                 7                 0

# Display the “Local-precedence + Conform-level > Priority” mapping table.

<H3C> display qos conform-level 0 local-precedence-cos-map

conform-level 0 :

 local-precedence :       0      1      2      3      4      5      6      7

--------------------------------------------------------------------------

              cos :       0      1      2      3      4      5      6      7

2.1.3  display qos cos-drop-precedence-map

Syntax

display qos cos-drop-precedence-map

View

Any view

Parameter

None

Description

Use the display qos cos-drop-precedence-map command to view the “CoS > Drop-precedence” mapping table.

Example

# Display the “CoS > Drop-precedence” mapping table.

<H3C> display qos cos-drop-precedence-map

cos-drop-precedence-map:

            cos :   0     1     2     3     4     5     6     7

-------------------------------------------------------------------

drop-precedence :   2     2     1     1     1     1     0     0

2.1.4  display qos cos-local-precedence-map

Syntax

display qos cos-local-precedence-map

View

Any view

Parameter

None

Description

Use the display qos cos-local-precedence-map command to view the “CoS > Local-precedence” mapping table.

Example

# Display the “CoS > Local-precedence” mapping table.

<H3C> display qos cos-local-precedence-map

cos-local-precedence-map:

              cos :       0      1      2      3      4      5      6      7

--------------------------------------------------------------------------

 local-precedence :       2      0      1      3      4      5      6      7

2.1.5  display qos-interface all

Syntax

display qos-interface [ interface-type interface-number ] all

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface all command to view the QoS configuration of all ports, including drop mode, queue scheduling and traffic shaping. If you specify a port, only the QoS configuration of that port is displayed.

Example

# Display all the QoS configurations of the port Ethernet2/1/3.

<H3C> display qos-interface Ethernet2/1/3 all

Ethernet2/1/3 Port Shaping: Disable

 0 kbps, 0 burst, 256 queue-depth

 QID:    status    max-rate(kbps)   burst-size(Kbyte)   queue-depth

-------------------------------------------------------------------

  0 :   Disable           0                  0                128

  1 :   Disable           0                  0                128

  2 :   Disable           0                  0                128

  3 :   Disable           0                  0                128

  4 :   Disable           0                  0                128

  5 :   Disable           0                  0                128

  6 :   Disable           0                  0                128

  7 :   Disable           0                  0                128

 

 Ethernet2/1/3 Drop-mode: tail-drop, params index: 0

 

 Ethernet2/1/3 Port scheduling:

 QID:   scheduling-group     weight

-----------------------------------

  0 :   sp                      0

  1 :   sp                      0

  2 :   sp                      0

  3 :   sp                      0

  4 :   sp                      0

  5 :   sp                      0

  6 :   sp                      0

  7 :   sp                      0 

2.1.6  display qos-interface drop-mode

Syntax

display qos-interface [ interface-type interface-number ] drop-mode

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface drop-mode command to view drop mode configuration of outbound queues at a port. If no port is specified, drop mode configuration of all ports will be displayed.

Related command: drop-mode.

Example

# Display drop mode and parameters of the port Ethernet2/1/2.

<H3C> display qos-interface Ethernet2/1/2 drop-mode

Ethernet2/1/2 Drop-mode: tail-drop, params index: 0

2.1.7  display qos-interface mirrored-to

Syntax

display qos-interface [ interface-type interface-number ] mirrored-to

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface mirrored-to command to view traffic mirroring configuration of a port.

Related command: mirrored-to.

Example

# Display traffic mirroring configuration.

<H3C> display qos-interface mirrored-to

GigabitEthernet2/1/1: mirrored-to

 Inbound:

   Matches: Acl 2020 rule 0  running

     Mirrored to: cpu

2.1.8  display qos-interface queue-scheduler

Syntax

display qos-interface [ interface-type interface-number ] queue-scheduler

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface queue-scheduler command to view queue scheduling mode and parameters of a port. If no port is specified, queue scheduling mode and the parameters of all ports will be displayed.

Related command: queue-scheduler.

Example

# Display queue scheduling mode and parameters.

<H3C> display qos-interface queue-scheduler

Ethernet5/1/1 Port scheduling:

 QID:   scheduling-group     weight

-----------------------------------

  0 :   sp                      0

  1 :   sp                      0

  2 :   sp                      0

  3 :   wrr , group1           25

  4 :   sp                      0

  5 :   wrr , group2           30

  6 :   sp                      0

  7 :   sp                      0

 

 Ethernet5/1/ Port scheduling:

 QID:   scheduling-group     weight

-----------------------------------

  0 :   sp                      0

  1 :   sp                      0

  2 :   sp                      0

  3 :   sp                      0

  4 :   sp                      0

  5 :   sp                      0

  6 :   sp                      0

2.1.9  display qos-interface traffic-limit

Syntax

display qos-interface [ interface-type interface-number ] traffic-limit

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface traffic-limit command to view the traffic rate limiting configuration, including the referenced ACL, the committed information rate (CIR), committed burst size (CBS), excess burst size (EBS), peak information rate (PIR) and the associated actions.

Related command: traffic-limit.

Example

# Display the traffic rate limiting configuration.

<H3C> display qos-interface traffic-limit

GigabitEthernet2/1/1: traffic-limit

 Inbound:

   Matches: Acl 2020 rule 0  running

     Committed Information Rate: 1000 Kbps

     Committed Burst Size: 1000 byte(s)

     Excess Burst Size: 1000 byte(s)

     Peak Information Rate: 0 Kbps

2.1.10  display qos-interface traffic-priority

Syntax

display qos-interface [ interface-type interface-number ] traffic-priority

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface traffic-priority command to view traffic priority configuration of a port, including the target ACL, priority type, priority values etc.

Related command: traffic-priority.

Example

# Display traffic priority marking configuration.

<H3C> display qos-interface traffic-priority

GigabitEthernet2/1/1: traffic-priority

 Inbound:

   Matches: Acl 2021 rule 0  running

     Priority action: remark-policed-service, dscp: 20

2.1.11  display qos-interface traffic-redirect

Syntax

display qos-interface [ interface-type interface-number ] traffic-redirect

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface traffic-redirect command to view traffic redirection configuration of a port, including the target ACL, target port etc.

Related command: traffic-redirect.

Example

# Display traffic redirection configuration.

<H3C> display qos-interface traffic-redirect

GigabitEthernet3/1/1: traffic-redirect

 Inbound:

   Matches: Acl 2020 rule 0  running

     Redirected to: next-hop 1.1.1.1

2.1.12  display qos-interface traffic-shape

Syntax

display qos-interface [ interface-type interface-number ] traffic-shape

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface traffic-shape command to view the traffic shaping configuration of a port, including the maximum rate, the burst size (in Kbytes) and the maximum queue depth. If no port is specified, the traffic shaping configuration of all ports is displayed.

Example

# Display traffic shaping configuration.

<H3C> display qos-interface Ethernet2/1/3 traffic-shape

Ethernet2/1/3 Port Shaping: Disable

 0 kbps, 0 burst, 256 queue-depth

 QID:    status    max-rate(kbps)   burst-size(Kbyte)   queue-depth

-------------------------------------------------------------------

  0 :   Disable           0                  0                128

  1 :   Disable           0                  0                128

  2 :   Disable           0                  0                128

  3 :   Disable           0                  0                128

  4 :   Disable           0                  0                128

  5 :   Disable           0                  0                128

  6 :   Disable           0                  0                128

  7 :   Disable           0                  0                128

2.1.13  display qos-interface traffic-statistic

Syntax

display qos-interface [ interface-type interface-number ] traffic-statistic

View

Any view

Parameter

interface-type interface-number: Port of the switch, for detailed description, please refer to Command Manual – Port.

Description

Use the display qos-interface traffic-statistic command to view the traffic statistics of a port, including the referenced ACL and the counted bytes and packets.

Related command: traffic-statistics.

Example

# Display the traffic statistics of port GigabitEthernet7/1/1.

<H3C> display qos-interface GigabitEthernet7/1/1 traffic-statistic

GigabitEthernet7/1/1: traffic-statistic

Inbound:

   Matches: Acl 2000 rule 0  running

     12002688 bytes  (green 1270244416 byte(s), yellow 1895874880 byte(s), red 704683968 byte(s) )

     3333270 packets  (green 0 byte(s), yellow 0 byte(s), red 0 byte(s) )

2.1.14  display qos-vlan all

Syntax

display qos-vlan [ vlan-id ] all

View

Any view

Parameter

vlan-id: ID of a VLAN, in the range of 1 to 4094.

Description

Use the display qos-vlan all command to display the QoS configuration (including the configuration of priority marking, traffic policing, and traffic redirection) information about one specific VLAN (with vlan-id parameter) or all VLANs (without vlan-id parameter) on the switch.

Example

# Display all the QoS parameter configurations of all the VLANs.

<H3C> display qos-vlan all

Vlan 1 traffic-limit

 Inbound:

   There is no configuration.

Vlan 1 traffic-priority

 Inbound:

   There is no configuration.

Vlan 1 traffic-redirect

 Inbound:

   There is no configuration.

Vlan 2 traffic-limit

 Inbound:

   Matches: Acl 2000 rule 1  running

     Committed Information Rate: 8192 Kbps

     Committed Burst Size: 10000 byte(s)

     Excess Burst Size: 20000 byte(s)

     Peak Information Rate: 0 Kbps

     Exceed action: drop

Vlan 2 traffic-priority

 Inbound:

   Matches: Acl 2000 rule 1  running

     Priority action: remark-policed-service, untrusted, dscp: 13, cos: 6, local-precedence: 6, drop-priority: 1

Vlan 2 traffic-redirect

 Inbound:

   Matches: Acl 2000 rule 1  running

     Redirected to: next-hop 1.1.1.1

2.1.15  display qos-vlan traffic-limit

Syntax

display qos-vlan [ vlan-id ] traffic-limit

View

Any view

Parameter

vlan-id: ID of a VLAN, in the range of 1 to 4094.

Description

Use the display qos-vlan traffic-limit command to display the traffic limit configuration of a VLAN, including the referenced ACL and the policing actions.

Related command: traffic-limit and traffic-params.

Example

# Display the parameter configuration of traffic limit.

<H3C> display qos-vlan traffic-limit

Vlan 1 traffic-limit

 Inbound:

   There is no configuration.

Vlan 2 traffic-limit

 Inbound:

   Matches: Acl 2000 rule 3  running

     Committed Information Rate: 8192 Kbps

     Committed Burst Size: 10000 byte(s)

     Excess Burst Size: 20000 byte(s)

     Peak Information Rate: 0 Kbps

     Exceed action: drop         

2.1.16  display qos-vlan traffic-priority

Syntax

display qos-vlan [ vlan-id ] traffic-priority

View

Any view

Parameter

vlan-id: ID of a VLAN, in the range of 1 to 4094.

Description

Use the display qos-vlan traffic-priority command to display the priority marking configuration, including the ACL associated with the traffic priority marking, the type and value of the priority marking.

Related command: traffic-priority.

Example

# Display the priority marking configuration.

<H3C> display qos-vlan traffic-priority

Vlan 1 traffic-priority

 Inbound:

   There is no configuration.

Vlan 2 traffic-priority

 Inbound:

   Matches: Acl 2000 rule 1  running

     Priority action: remark-policed-service, untrusted, dscp: 13, cos: 6, local-precedence: 6, drop-priority: 1           

2.1.17  display qos-vlan traffic-redirect

Syntax

display qos-vlan [ vlan-id ] traffic-redirect

View

Any view

Parameter

vlan-id: ID of a VLAN, in the range of 1 to 4094.

Description

Use the display qos-vlan traffic-redirect command to display the traffic redirection configuration, including the referenced ACL and the redirection target.

Related command: traffic-redirect.

Example

# Display the parameter configuration for a traffic redirection.

<H3C> display qos-vlan 2 traffic-redirect

Vlan 2 traffic-redirect

 Inbound:

   Matches: Acl 2000 rule 1  running

     Redirected to: next-hop 1.1.1.1    

2.1.18  display traffic-params

Syntax

display traffic-params [ traffic-index ]

View

Any view

Parameter

traffic-index: Traffic parameter index, in the range of 0 to 173 and defaulting to 1.

Description

Use the display traffic-params command to display the parameter configuration for traffic policing, including cir, cbs, ebs, pir, and so on.

Related command: traffic-params.

Example

# Display the parameter configuration for traffic policing.

<H3C> display traffic-params 1

traffic parameters configuration list:

   index :        cir      (Kbps) cbs      (byte) ebs      (byte) pir(Kbps)

--------------------------------------------------------------------------

       0 :      20000             5000              5000           30000

2.1.19  drop-mode

Syntax

drop-mode { tail-drop | wred } [ wred-index ]

undo drop-mode

View

Ethernet port view

Parameter

tail-drop: Tail drop mode.

wred: WRED drop mode.

wred-index: WRED index, in the range of 0 to 3. The default is 0; if you omit this parameter, the parameters configured for WRED index 0 are used.

Description

Use the drop-mode command to configure drop mode for a port.

Use the undo drop-mode command to restore the default drop mode, i.e. tail drop mode.

By default, tail drop mode is selected.

When the network is congested, the switch drops packets to free system resources, so that packets are not held in queues with long delays. Two drop modes are available:

•           Tail drop mode: red, yellow and green packets are given different drop thresholds. When the threshold for a color is exceeded, further packets of that color are dropped.

•           WRED drop mode: the drop precedence of a packet is taken into account. When only the minimum threshold for red, yellow or green packets is exceeded, packets between the minimum and maximum thresholds are dropped randomly with a given probability slope. When the maximum threshold for a color is exceeded, all further packets of that color are dropped.

Example

# Set the port Ethernet3/1/1 to WRED drop mode, using the thresholds of WRED index 0.

<H3C> system-view

System View: return to User View with Ctrl+Z. 

[H3C]interface Ethernet3/1/1

[H3C-Ethernet3/1/1] drop-mode wred 0

2.1.20  dscp

Syntax

dscp dscp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence

undo dscp dscp-list

View

Conform level view

Parameter

dscp-list: Original DSCP value, which can be a single value or several values, in the range of 0 to 63. For example, you can type single DSCP value “46”, or DSCP values “0 8 10 16” (space is required between two values).

dscp-value: Modified DSCP value, in the range of 0 to 63.

exp-value: Modified EXP value, in the range of 0 to 7. EXP is MPLS priority of MPLS packets.

cos-value: Modified 802.1p priority value, in the range of 0 to 7

local-precedence-value: Modified local precedence value, in the range of 0 to 7.

drop-precedence: Modified drop precedence value, in the range of 0 to 2.

Description

Use the dscp command to configure the “DSCP + Conform-level > Service-parameter” mapping table of current conform level.

Use the undo dscp command to restore default configuration of the “DSCP + Conform-level > Service- parameter” mapping table.

After entering conform level view, you can configure the “DSCP + Conform-level > Service-parameter” mapping table of the corresponding level. For example, you can enter conform level 0 view and configure the “DSCP + Conform-level 0 > Service-parameter” mapping table.

Example

# Configure the “DSCP + Conform-level 0 > Service-parameter” mapping table.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]qos conform-level 0

[H3C-conform-level-0] dscp 0: 0 0 0 0 0

[H3C-conform-level-0] dscp 8 10 : 8 0 1 1 0

[H3C-conform-level-0] dscp 16 18: 16 0 2 2 0

[H3C-conform-level-0] dscp 24 26 : 24 0 3 3 0

[H3C-conform-level-0] dscp 32 34 : 32 0 4 4 0

[H3C-conform-level-0] dscp 40 46: 40 0 5 5 0

[H3C-conform-level-0] dscp 48 : 48 0 6 6 0

[H3C-conform-level-0] dscp 56 : 56 0 7 7 0

The configured mapping table:

Table 2-1 “DSCP + Conform-level > Service-parameter” mapping table

DSCP   CL   Policed-DSCP   Policed-exp   Policed-802.1p   Policed-Localprec   Policed-DropPrecedence
----------------------------------------------------------------------------------------------------
   0    0        0              0               0                 0                     0
   8    0        8              0               1                 1                     0
  10    0        8              0               1                 1                     0
  16    0       16              0               2                 2                     0
  18    0       16              0               2                 2                     0
  24    0       24              0               3                 3                     0
  26    0       24              0               3                 3                     0
  32    0       32              0               4                 4                     0
  34    0       32              0               4                 4                     0
  40    0       40              0               5                 5                     0
  46    0       40              0               5                 5                     0
  48    0       48              0               6                 6                     0
  56    0       56              0               7                 7                     0
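The dscp commands above and the display qos conform-level output earlier in this chapter describe the same table from two sides: what was typed and what the device reports. The following Python is an added illustration, not code from the H3C manual: it replays dscp lines into a table, validates every value against the ranges this section gives (DSCP 0 to 63; EXP, CoS and local precedence 0 to 7; drop precedence 0 to 2), parses the display output rows, and diffs intended against running so that a remarking policy at an untrusted edge can be checked for drift. The command lines and display rows embedded as samples are copied from the manual's examples; the function names are this example's own.

```python
"""Build and cross-check the "DSCP + Conform-level > Service-parameter" table
(added example; not code from the manual).

Two inputs are handled: the 'dscp <list> : d e c l p' lines typed in conform
level view, and the rows printed by 'display qos conform-level N
dscp-policed-service-map'.  Values are checked against the ranges the manual
gives, and an intended table can be diffed against a running one.
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple


class Service(NamedTuple):
    dscp: int
    exp: int
    cos: int
    local_precedence: int
    drop_precedence: int


LIMITS = {"dscp": 63, "exp": 7, "cos": 7, "local_precedence": 7, "drop_precedence": 2}
CMD_RE = re.compile(r"^dscp\s+([\d\s]+?)\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
ROW_RE = re.compile(r"^(\d+)\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def _service(values: Iterable[str], where: str) -> Service:
    svc = Service(*(int(v) for v in values))
    for name, limit in LIMITS.items():
        v = getattr(svc, name)
        if not 0 <= v <= limit:
            raise ValueError(f"{name}={v} outside 0-{limit} in {where!r}")
    return svc


def table_from_commands(lines: Iterable[str]) -> dict[int, Service]:
    """Replay 'dscp ...' configuration lines; a later line for a DSCP overrides an earlier one."""
    table: dict[int, Service] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = CMD_RE.match(line)
        if not m:
            raise ValueError(f"not a dscp mapping command: {line!r}")
        svc = _service(m.groups()[1:], line)
        for key in (int(k) for k in m.group(1).split()):
            if not 0 <= key <= 63:
                raise ValueError(f"DSCP {key} outside 0-63 in {line!r}")
            table[key] = svc
    return table


def table_from_display(text: str) -> dict[int, Service]:
    """Parse the rows of 'display qos conform-level ... dscp-policed-service-map' output."""
    table: dict[int, Service] = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            table[int(m.group(1))] = _service(m.groups()[1:], raw)
    return table


def unmapped_codepoints(table: dict[int, Service]) -> list[int]:
    """DSCP values the configuration never touches (they keep whatever the device already had)."""
    return [d for d in range(64) if d not in table]


def diff_tables(intended: dict[int, Service], running: dict[int, Service]) -> dict[int, tuple]:
    """DSCP -> (intended, running) for every codepoint where the two disagree."""
    keys = set(intended) | set(running)
    return {d: (intended.get(d), running.get(d)) for d in sorted(keys)
            if intended.get(d) != running.get(d)}


# The conform-level 0 commands from the manual's example above.
MANUAL_COMMANDS = """
dscp 0: 0 0 0 0 0
dscp 8 10 : 8 0 1 1 0
dscp 16 18: 16 0 2 2 0
dscp 24 26 : 24 0 3 3 0
dscp 32 34 : 32 0 4 4 0
dscp 40 46: 40 0 5 5 0
dscp 48 : 48 0 6 6 0
dscp 56 : 56 0 7 7 0
""".strip().splitlines()

# Rows as printed by the manual's 'display qos conform-level 0 dscp-policed-service-map' example.
MANUAL_DISPLAY = """
dscp  :    dscp      exp       cos     local-precedence      drop-precedence
--------------------------------------------------------------------------
    0  :      0         0         0                0                            0
    8  :      8         1         1                1                            0
   10  :      10        1         1                1                            0
   16  :      16        2         2                2                            0
   18  :      18        2         2                2                            0
   24  :     24        3         3                3                            0
   26  :     26        3         3                3                            0
   32  :     32        4         4                4                            0
   34  :     34        4         4                4                            0
   40  :     40        5         5                5                            0
   46  :     46        5         5                5                            0
   48  :     48        6         6                6                            0
   56  :     56        7         7                7                            0
"""

if __name__ == "__main__":
    intended = table_from_commands(MANUAL_COMMANDS)
    running = table_from_display(MANUAL_DISPLAY)
    print("unmapped DSCP codepoints:", unmapped_codepoints(intended))
    for d, (want, have) in diff_tables(intended, running).items():
        print(f"dscp {d}: intended {want} running {have}")
```

Against the manual's own samples the diff reports every codepoint except 0, because the example commands set the policed EXP to 0 while the displayed table carries the default EXP values; the 51 codepoints the commands never mention are listed separately, since a remarking policy that leaves them alone is a common gap.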

 

2.1.21  exp

Syntax

exp exp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence

undo exp exp-list

View

Conform level view

Parameter

exp-list: Original EXP value, which can be a single value or several values, in the range of 0 to 7. For example, you can type single EXP value “2”, or EXP values “2 3 4” (space is required between values). EXP is MPLS priority of MPLS packets.

dscp-value: Modified DSCP value, in the range of 0 to 63.

exp-value: Modified EXP value, in the range of 0 to 7. EXP is MPLS priority of MPLS packets.

cos-value: Modified 802.1p priority value, in the range of 0 to 7.

local-precedence-value: Modified local precedence value, in the range of 0 to 7.

drop-precedence: Modified drop precedence value, in the range of 0 to 2.

Description

Use the exp command to configure the “EXP + Conform-level > Service-parameter” mapping table of current conform level.

Use the undo exp command to restore default configuration of the “EXP + Conform-level > Service-parameter” mapping table.

After entering conform level view, you can configure the “EXP + Conform-level > Service-parameter” mapping table of the corresponding level. For example, you can enter conform level 0 view and configure the “EXP + Conform-level 0 > Service-parameter” mapping table.

Example

# Configure the “EXP + Conform-level 0 > Service-parameter” mapping table.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]qos conform-level 0

[H3C-conform-level-0] exp 0: 0 0 0 0 0

2.1.22  local-precedence

Syntax

local-precedence cos-value0 cos-value1 cos-value2 cos-value3 cos-value4 cos-value5 cos-value6 cos-value7

undo local-precedence

View

Conform level view

Parameter

cos-value0: 802.1p priority value corresponding to Local-precedence 0, in the range of 0 to 7.

cos-value1: 802.1p priority value corresponding to Local-precedence 1, in the range of 0 to 7.

cos-value2: 802.1p priority value corresponding to Local-precedence 2, in the range of 0 to 7.

cos-value3: 802.1p priority value corresponding to Local-precedence 3, in the range of 0 to 7.

cos-value4: 802.1p priority value corresponding to Local-precedence 4, in the range of 0 to 7.

cos-value5: 802.1p priority value corresponding to Local-precedence 5, in the range of 0 to 7.

cos-value6: 802.1p priority value corresponding to Local-precedence 6, in the range of 0 to 7.

cos-value7: 802.1p priority value corresponding to Local-precedence 7, in the range of 0 to 7.

Description

Use the local-precedence command to configure the “Local-precedence + Conform-level > 802.1p priority” mapping table of current conform level.

Use the undo local-precedence command to restore default configuration of the “Local-precedence + Conform-level > 802.1p priority” mapping table.

After entering conform level view, you can configure the “Local-precedence + Conform-level > 802.1p priority” mapping table of the corresponding level. For example, you can enter conform level 0 view and configure the “Local-precedence + Conform-level 0 > 802.1p priority” mapping table.

Example

# Configure the “Local-precedence + Conform-level 0 > 802.1p priority” mapping table.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]qos conform-level 0

[H3C-conform-level-0] local-precedence 0 1 2 3 5 5 6 7

The configured mapping table:

Table 2-2 “Local-precedence + Conform-level > 802.1p priority” mapping table

Local-precedence   Conform-level   802.1p
-----------------------------------------
       0                 0            0
       1                 0            1
       2                 0            2
       3                 0            3
       4                 0            5
       5                 0            5
       6                 0            6
       7                 0            7

 

2.1.23  mirrored-to

Syntax

I. Command format that applies only an IP group ACL

mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu

undo mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule ]

II. Command format that applies an IP group ACL and a link group ACL at the same time

mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } cpu

undo mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

III. Command format that applies only a link group ACL

mirrored-to inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu

undo mirrored-to inbound link-group { acl-number | acl-name } [ rule rule ]

View

Ethernet port view

Parameter

inbound: Mirrors inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of ACL, which must be a character string started with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the rule of an active ACL, ranging from 0 to 127; if not specified, all rules of ACL will be activated.

system-index index: System index of an ACL rule. When delivering a rule, the system assigns it a globally unique index for later retrieval. You can also assign the system index yourself when delivering an ACL rule with this command, but doing so is not recommended unless absolutely necessary.

Note:

- If you remove a card with QoS/ACL configured while the system is running, the corresponding system index value is released automatically and may then be used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

- If the specified system-index is 0, the system selects the index automatically.

cpu: Mirrors traffic to the CPU.

Description

Use the mirrored-to command to activate an ACL and mirror the matching data streams to the CPU. Use the undo mirrored-to command to remove the traffic mirroring setting.

This configuration is only applicable to the packets which match the permitted rules in the ACL.

Related command: display qos-interface mirrored-to.

Example

# Mirror the packets which match the permitted rules in the ACL 2000 to the CPU.

<H3C> system-view

System View: return to User View with Ctrl+Z. 

[H3C]interface Ethernet2/1/1

[H3C-Ethernet2/1/1] mirrored-to inbound ip-group 2000 cpu

2.1.24  mirroring-group

Syntax

mirroring-group groupid { inbound | outbound } mirroring-port-list mirrored-to monitor-port

undo mirroring-group groupid

View

System view

Parameter

groupid: Mirroring group ID, in the range of 1 to 24.

inbound: Monitors only the inbound packets at the port.

outbound: Monitors only the outbound packets at the port.

mirroring-port-list: List of monitored Ethernet ports, in the form port-list = { interface-type interface-number } &<1-8>, where &<1-8> means the parameter can be entered up to eight times.

mirrored-to monitor-port: Specifies the monitoring port.

Description

Use the mirroring-group command to configure a mirroring group for the port.

Use the undo mirroring-group command to remove mirroring group setting.

The switch supports many-to-one mirroring, that is, copying the packets from several ports to one monitoring port. On the S9500 series, port mirroring is set up by configuring mirroring groups. Each mirroring group may contain one monitoring port and several monitored ports, and you can also specify the direction of the monitored packets.

The S9500 series supports up to 24 mirroring groups on a port.

Related command: display mirroring-group.

 

Note:

The S9500 series supports cross-card mirroring, that is, the monitoring and monitored ports can be on different cards.

 

Consider the following when configuring port mirroring:

- For intra-card mirroring, only one monitoring port can be configured for the mirroring groups in the same direction.

- For cross-card mirroring, only one monitoring port (on another card) can be configured for the mirroring groups in the same direction.

- At most eight monitored ports can be configured across all mirroring groups in the transmit group.

- A port can act as both a mirroring port and a mirrored port at the same time, in different mirroring groups.

Additional restrictions for the GV48 card:

- For mirroring (inbound or outbound port mirroring) on the same GV48 card, only one monitoring port is allowed.

- Across all mirroring groups configured in the system, only one monitoring port is allowed on the same GV48 card.


Example

# Configure mirroring group 1, the monitored ports are Ethernet3/1/1 to Ethernet3/1/3, and the monitoring port is Ethernet3/1/4, monitoring only inbound packets.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] mirroring-group 1 inbound ethernet 3/1/1 ethernet 3/1/2 ethernet 3/1/3 mirrored-to ethernet 3/1/4

If the mirroring group has already been configured, the system prompts “The mirroring-group has been configured!”

2.1.25  priority

Syntax

priority priority-level

undo priority

View

Ethernet port view

Parameter

priority-level: Port priority value, in the range of 0 to 7. By default, it is 0.

Description

Use the priority command to set the default local precedence value for a port.

Use the undo priority command to restore the default value of local precedence.

After receiving a packet, the switch allocates a set of service parameters to it according to a specific rule. Local precedence is obtained as follows: the switch first looks it up in the “CoS > Local-precedence” mapping table; if that lookup fails, it uses the default local precedence of the port as the local precedence of the packet.

Example

# Set the default local precedence value of port Ethernet3/1/1 to 7.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]interface ethernet3/1/1

[H3C-Ethernet3/1/1] priority 7

2.1.26  qos conform-level

Syntax

qos conform-level conform-level-value

View

System view

Parameter

conform-level-value: Conform level, in the range of 0 to 2 inclusive.

Description

Use the qos conform-level command to create a conform level and enter it.

There are three conform levels, numbered 0, 1 and 2. Entering the conform level value takes you into the corresponding view. In conform level view, you can configure the “DSCP + Conform-level > Service-parameter” mapping table, the “EXP + Conform-level > Service-parameter” mapping table and the “Local-precedence + Conform-level > 802.1p” mapping table.

Example

# Create the conform level 0 view and enter it.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] qos conform-level 0

[H3C-conform-level-0]

2.1.27  qos cos-drop-precedence-map

Syntax

qos cos-drop-precedence-map cos0-map-drop-prec cos1-map-drop-prec cos2-map-drop-prec cos3-map-drop-prec cos4-map-drop-prec cos5-map-drop-prec cos6-map-drop-prec cos7-map-drop-prec

undo qos cos-drop-precedence-map

View

System view

Parameter

cos0-map-drop-prec: Mapping value from CoS 0 to drop precedence, in the range of 0 to 2.

cos1-map-drop-prec: Mapping value from CoS 1 to drop precedence, in the range of 0 to 2.

cos2-map-drop-prec: Mapping value from CoS 2 to drop precedence, in the range of 0 to 2.

cos3-map-drop-prec: Mapping value from CoS 3 to drop precedence, in the range of 0 to 2.

cos4-map-drop-prec: Mapping value from CoS 4 to drop precedence, in the range of 0 to 2.

cos5-map-drop-prec: Mapping value from CoS 5 to drop precedence, in the range of 0 to 2.

cos6-map-drop-prec: Mapping value from CoS 6 to drop precedence, in the range of 0 to 2.

cos7-map-drop-prec: Mapping value from CoS 7 to drop precedence, in the range of 0 to 2.

Description

Use the qos cos-drop-precedence-map command to configure the “CoS > Drop-precedence” mapping table.

Use the undo qos cos-drop-precedence-map command to restore the default values of the “CoS > Drop-precedence” mapping table.

The system provides “CoS > Drop-precedence” mapping table as the default value.

Table 2-3 Default “CoS > Drop-precedence” mapping table

CoS Value   Drop-precedence
0           0
1           0
2           0
3           0
4           0
5           0
6           0
7           0

 

After receiving a packet, the switch allocates a set of service parameters to it according to a specific rule. The service parameters, including CoS value, local precedence and drop level, are determined according to the packet 802.1p priority value. CoS value is the packet 802.1p priority value, while local and drop precedence values are obtained according to the “CoS > Local-precedence” mapping table and the “CoS > Drop-precedence” mapping table. You can modify the CoS > Drop-precedence mapping table using this command.

Example

# Configure the “CoS > Drop-precedence” mapping table.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] qos cos-drop-precedence-map 2 2 1 1 1 0 0 0

The modified “CoS > Drop-precedence” mapping table is shown below.

Table 2-4 Modified “CoS > Drop-precedence” mapping table

CoS Value   Drop-precedence
0           2
1           2
2           1
3           1
4           1
5           0
6           0
7           0

 

2.1.28  qos cos-local-precedence-map

Syntax

qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec

undo qos cos-local-precedence-map

View

System view

Parameter

cos0-map-local-prec: Mapping value from CoS 0 to local precedence, in the range of 0 to 7.

cos1-map-local-prec: Mapping value from CoS 1 to local precedence, in the range of 0 to 7.

cos2-map-local-prec: Mapping value from CoS 2 to local precedence, in the range of 0 to 7.

cos3-map-local-prec: Mapping value from CoS 3 to local precedence, in the range of 0 to 7.

cos4-map-local-prec: Mapping value from CoS 4 to local precedence, in the range of 0 to 7.

cos5-map-local-prec: Mapping value from CoS 5 to local precedence, in the range of 0 to 7.

cos6-map-local-prec: Mapping value from CoS 6 to local precedence, in the range of 0 to 7.

cos7-map-local-prec: Mapping value from CoS 7 to local precedence, in the range of 0 to 7.

Description

Use the qos cos-local-precedence-map command to configure the “CoS > Local-precedence” mapping table.

Use the undo qos cos-local-precedence-map command to restore the default values of the “CoS > Local-precedence” mapping table.

The system provides “CoS > Local-precedence” mapping table as the default value.

Table 2-5 Default “CoS > Local-precedence” mapping table

CoS Value   Local Precedence
0           2
1           0
2           1
3           3
4           4
5           5
6           6
7           7

 

After receiving a packet, the switch allocates a set of service parameters to it according to a specific rule. The service parameters, including CoS value, local precedence and drop level, are determined according to the packet 802.1p priority value. CoS value is the packet 802.1p priority value, while local and drop precedence values are obtained according to the “CoS > Local-precedence” mapping table and the “CoS > Drop-precedence” mapping table. You can modify the “CoS > Local-precedence” mapping table using this command.

Example

# Configure the “CoS > Local-precedence” mapping table

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] qos cos-local-precedence-map 0 1 2 3 4 5 6 7

Configured “CoS > Local-precedence” mapping table:

Table 2-6 Configured “CoS > Local-precedence” mapping table

CoS Value   Local Precedence
0           0
1           1
2           2
3           3
4           4
5           5
6           6
7           7
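The mapping tables of the qos cos-local-precedence-map, qos cos-drop-precedence-map and local-precedence commands, together with the port-default fallback of the priority command, describe how the switch turns a frame's 802.1p value into service parameters. The following Python model is an added example, not H3C code: it keeps the three tables with the range checks the CLI applies, classifies an inbound frame, and applies the remark-cos style lookup. The table defaults are copied from Tables 2-3 and 2-5; the treatment of an untagged frame (port default used as local precedence, drop precedence 0) and the green/yellow/red reading of drop precedence 0/1/2 are assumptions.

```python
"""Ingress service-parameter assignment modelled from the priority,
qos cos-local-precedence-map, qos cos-drop-precedence-map and local-precedence
sections.  Added example, not H3C code.  Table defaults are copied from
Tables 2-3 and 2-5; how an untagged frame is handled (port default used as
local precedence, drop precedence 0) is an assumption."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Defaults from Table 2-5 (CoS > Local-precedence) and Table 2-3 (CoS > Drop-precedence).
DEFAULT_COS_TO_LOCAL_PREC: Tuple[int, ...] = (2, 0, 1, 3, 4, 5, 6, 7)
DEFAULT_COS_TO_DROP_PREC: Tuple[int, ...] = (0, 0, 0, 0, 0, 0, 0, 0)


def _check_map(values, lo: int, hi: int, name: str) -> Tuple[int, ...]:
    """Enforce what the CLI enforces: exactly eight values, each within lo..hi."""
    if len(values) != 8:
        raise ValueError(f"{name}: expected 8 values, got {len(values)}")
    for v in values:
        if not lo <= v <= hi:
            raise ValueError(f"{name}: value {v} outside {lo}-{hi}")
    return tuple(values)


@dataclass
class QosConfig:
    cos_to_local_prec: Tuple[int, ...] = DEFAULT_COS_TO_LOCAL_PREC
    cos_to_drop_prec: Tuple[int, ...] = DEFAULT_COS_TO_DROP_PREC
    # conform level -> "Local-precedence + Conform-level > 802.1p" table (8 entries)
    local_prec_to_cos: Dict[int, Tuple[int, ...]] = field(default_factory=dict)

    def set_cos_local_precedence_map(self, *values: int) -> None:
        """[H3C] qos cos-local-precedence-map v0 ... v7   (each 0-7)"""
        self.cos_to_local_prec = _check_map(values, 0, 7, "cos-local-precedence-map")

    def set_cos_drop_precedence_map(self, *values: int) -> None:
        """[H3C] qos cos-drop-precedence-map v0 ... v7   (each 0-2)"""
        self.cos_to_drop_prec = _check_map(values, 0, 2, "cos-drop-precedence-map")

    def set_local_precedence(self, conform_level: int, *values: int) -> None:
        """[H3C-conform-level-N] local-precedence v0 ... v7   (each 0-7)"""
        if conform_level not in (0, 1, 2):
            raise ValueError("conform level must be 0, 1 or 2")
        self.local_prec_to_cos[conform_level] = _check_map(values, 0, 7, "local-precedence")


@dataclass(frozen=True)
class ServiceParams:
    cos: Optional[int]        # 802.1p value carried by the frame, None if untagged
    local_precedence: int     # 0-7
    drop_precedence: int      # 0-2 (assumed to be green/yellow/red in the WRED tables)


def classify(cfg: QosConfig, port_priority: int, cos: Optional[int]) -> ServiceParams:
    """Assign service parameters to an inbound frame.  A tagged frame is looked
    up in the CoS tables; for an untagged frame the lookup cannot be made and
    the port default from the priority command is used (assumption: drop
    precedence 0 in that case)."""
    if not 0 <= port_priority <= 7:
        raise ValueError("port priority must be 0-7")
    if cos is None:
        return ServiceParams(cos=None, local_precedence=port_priority, drop_precedence=0)
    if not 0 <= cos <= 7:
        raise ValueError("802.1p value must be 0-7")
    return ServiceParams(cos=cos,
                         local_precedence=cfg.cos_to_local_prec[cos],
                         drop_precedence=cfg.cos_to_drop_prec[cos])


def remark_cos(cfg: QosConfig, params: ServiceParams, conform_level: int) -> int:
    """The remark-cos action of traffic-limit: a new 802.1p value taken from the
    "Local-precedence + Conform-level > 802.1p" table, which must already exist."""
    table = cfg.local_prec_to_cos.get(conform_level)
    if table is None:
        raise LookupError(f"local-precedence table for conform level {conform_level} not configured")
    return table[params.local_precedence]
```

With the defaults, a frame tagged CoS 1 lands on local precedence 0 (Table 2-5), and after `set_cos_drop_precedence_map(2, 2, 1, 1, 1, 0, 0, 0)` a CoS 0 frame gets drop precedence 2, exactly as Table 2-4 shows; `remark_cos` raises if the conform-level table has not been configured, which is the precondition the traffic-limit description states for remark-cos.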

 

2.1.29  queue

Syntax

queue queue-id green-min-threshold green-max-threshold green-max-prob yellow-min-threshold yellow-max-threshold yellow-max-prob red-min-threshold red-max-threshold red-max-prob exponent

undo queue queue-id

View

WRED index view

Parameter

queue-id: Outbound queue ID, in the range of 0 to 7.

green-min-threshold: Minimum queue length that triggers random dropping of green packets, in the range of 0 to 65535. It must be a multiple of 256 bytes.

green-max-threshold: Queue length that triggers dropping of all green packets, in the range of 0 to 65535. It must be a multiple of 256 bytes.

green-max-prob: Maximum drop probability for green packets, in the range of 1 to 15.

yellow-min-threshold: Minimum queue length that triggers random dropping of yellow packets, in the range of 0 to 65535. It must be a multiple of 256 bytes.

yellow-max-threshold: Queue length that triggers dropping of all yellow packets, in the range of 0 to 65535. It must be a multiple of 256 bytes.

yellow-max-prob: Maximum drop probability for yellow packets, in the range of 1 to 15.

red-min-threshold: Minimum queue length that triggers random dropping of red packets, in the range of 0 to 65535. It must be a multiple of 256 bytes.

red-max-threshold: Queue length that triggers dropping of all red packets, in the range of 0 to 65535. It must be a multiple of 256 bytes.

red-max-prob: Maximum drop probability for red packets, in the range of 1 to 15.

exponent: Weight for calculating the average queue length, in the range of 1 to 15. By default, it is 9.

Description

Use the queue command to configure parameters for a WRED index.

Use the undo queue command to restore the default parameters for the WRED index.

The switch provides four sets of default WRED parameters, numbered 0, 1, 2 and 3. Each set includes 80 parameters, 10 for each of the eight queues. The ten parameters are green-min-threshold, yellow-min-threshold, red-min-threshold, green-max-threshold, yellow-max-threshold, red-max-threshold, green-max-prob, yellow-max-prob, red-max-prob and exponent. You can use this command to modify the parameters of a specific WRED index.

Example

# Configure parameters for WRED 0: queue-id is 7; green-min-threshold is 150; green-max-threshold is 500; green-max-prob is 5; yellow-min-threshold is 100; yellow-max-threshold is 150; yellow-max-prob is 10; red-min-threshold is 50; red-max-threshold is 100; red-max-prob is 15; exponent is 10.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]wred 0

[H3C-wred-0] queue 7 150 500 5 100 150 10 50 100 15 10
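To see what the eleven positional values of the queue command mean in practice, here is an added Python model (not H3C code) that parses the command line from the example above, validates the ranges the manual lists, and computes the per-colour drop probability and the averaged queue length. Because the manual gives ranges but no formulas, three things are assumptions: the average is an exponentially weighted moving average with weight 2**-exponent, max-prob 1 to 15 scales to a probability of max_prob/16, and thresholds are counted in 256-byte units (the manual says thresholds must be multiples of 256 bytes, yet its own example uses 150 and 500), so only the 0 to 65535 range is enforced.

```python
"""WRED model for the parameters of the queue command (WRED index view): per
queue and per colour (green, yellow, red = drop precedence 0, 1, 2) a minimum
threshold, a maximum threshold and a maximum drop probability, plus the
averaging exponent.  Added example, not H3C code; the EWMA weight, the
max-prob/16 scaling and the 256-byte threshold unit are assumptions."""

from dataclasses import dataclass
from typing import Tuple

COLOURS = ("green", "yellow", "red")


@dataclass(frozen=True)
class WredQueueParams:
    queue_id: int
    green: Tuple[int, int, int]    # (min-threshold, max-threshold, max-prob)
    yellow: Tuple[int, int, int]
    red: Tuple[int, int, int]
    exponent: int = 9              # manual default

    def __post_init__(self) -> None:
        if not 0 <= self.queue_id <= 7:
            raise ValueError("queue-id must be 0-7")
        if not 1 <= self.exponent <= 15:
            raise ValueError("exponent must be 1-15")
        for colour in COLOURS:
            lo, hi, prob = getattr(self, colour)
            for t in (lo, hi):
                if not 0 <= t <= 65535:
                    raise ValueError(f"{colour} threshold {t} must be 0-65535")
            if lo > hi:
                raise ValueError(f"{colour}: min-threshold exceeds max-threshold")
            if not 1 <= prob <= 15:
                raise ValueError(f"{colour} max-prob must be 1-15")


def parse_queue_command(line: str) -> WredQueueParams:
    """Parse 'queue <id> g-min g-max g-prob y-min y-max y-prob r-min r-max r-prob exponent'
    exactly as typed in WRED index view."""
    tokens = line.split()
    if len(tokens) != 12 or tokens[0] != "queue":
        raise ValueError("expected: queue <queue-id> followed by ten numbers")
    n = [int(t) for t in tokens[1:]]
    return WredQueueParams(queue_id=n[0], green=(n[1], n[2], n[3]),
                           yellow=(n[4], n[5], n[6]), red=(n[7], n[8], n[9]),
                           exponent=n[10])


def update_average(avg_len: float, queue_len: int, exponent: int) -> float:
    """EWMA of the queue length: avg += (q - avg) / 2**exponent (assumed meaning
    of exponent).  A larger exponent smooths bursts more and reacts more slowly."""
    return avg_len + (queue_len - avg_len) / (1 << exponent)


def drop_probability(p: WredQueueParams, colour: str, avg_len: float) -> float:
    """RED curve for one colour: no drops below min-threshold, a linear rise to
    max-prob/16 at max-threshold, and every packet dropped beyond it."""
    lo, hi, prob = getattr(p, colour)
    if avg_len < lo:
        return 0.0
    if avg_len >= hi:
        return 1.0
    return (avg_len - lo) / (hi - lo) * (prob / 16)
```

Run against the example line `queue 7 150 500 5 100 150 10 50 100 15 10`, an average length of 100 drops every red packet, starts dropping yellow packets, and leaves green packets untouched, which is the intended ordering: the lowest-precedence colour gives way first as the queue fills.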

2.1.30  queue-scheduler

Syntax

queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8> }*

undo queue-scheduler [ queue-id ] &<1-8>

View

Ethernet port view

Parameter

wrr: Weighted round robin algorithm.

group1: Adds the queue to WRR priority group 1.

group2: Adds the queue to WRR priority group 2.

queue-id: Outbound queue ID, in the range of 0 to 7.

queue-weight: Queue weight, in the range of 1 to 255.

&<1-8>: You can input the queue-id and queue-weight parameters eight times at most.

Description

Use the queue-scheduler command to choose queue scheduling algorithm and parameters.

Use the undo queue-scheduler command to restore the default setting, SP algorithm.

By default, SP algorithm is selected for all outbound queues at a port.

The switch supports eight outbound queues per port, which can be scheduled with different algorithms. You can place these queues into different scheduling groups: the SP group, WRR priority group 1 and WRR priority group 2. For example, you can put queues 6 and 7 into the SP group, queues 0, 1 and 2 into WRR priority group 1 and queues 3, 4 and 5 into WRR priority group 2. One queue is then selected from each of these three groups according to that group's own scheduling algorithm, and the three selected queues are scheduled by the SP algorithm.

The queue weight is based on bandwidth. For example, if queues 0, 1 and 2 belong to WRR priority group 1 with weights 20, 20 and 30 respectively, they share the bandwidth in the proportion 20:20:30.

Example

# Set queues 0 to 5 in WRR algorithm, queues 0, 1 and 2 belong to group 1, with weight respectively as 20, 20 and 30; queues 3, 4 and 5 belong to group 2, with weight respectively as 20, 20 and 40. Set queues 6 and 7 in SP algorithm, the default one.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]interface ethernet3/1/1

[H3C-Ethernet3/1/1] queue-scheduler wrr group1 0 20 1 20 2 30 group2 3 20 4 20 5 40
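The description above combines three scheduling groups (SP, WRR group 1, WRR group 2) and the weight proportions. The following Python simulation is an added example, not H3C code: it applies the same queue-scheduler wrr configuration as the example, enforces the parameter ranges, and dequeues packets so the bandwidth shares can be checked. One assumption is made where the manual is silent: when the queue chosen from each group is compared by SP, the SP group wins over group 1, which wins over group 2.

```python
"""Outbound queue scheduling as described for queue-scheduler: eight queues per
port, each in the SP group (default) or in WRR priority group 1 or 2.  Added
example, not H3C code.  Assumption: SP group > group 1 > group 2 when the
queue selected from each group is compared."""

from typing import Dict, Iterable, Optional, Tuple


class WrrGroup:
    """Weighted round robin over the queues of one group: per round every
    backlogged queue may send `weight` packets, so bandwidth follows the weights."""

    def __init__(self) -> None:
        self.weights: Dict[int, int] = {}
        self.credit: Dict[int, int] = {}
        self._last = -1

    def add(self, qid: int, weight: int) -> None:
        self.weights[qid] = weight
        self.credit[qid] = 0

    def remove(self, qid: int) -> None:
        self.weights.pop(qid, None)
        self.credit.pop(qid, None)

    def pick(self, backlog: Dict[int, int]) -> Optional[int]:
        active = [q for q in self.weights if backlog.get(q, 0) > 0]
        if not active:
            return None
        if all(self.credit[q] <= 0 for q in active):
            for q in active:                       # start a new round
                self.credit[q] = self.weights[q]
        qids = sorted(self.weights)
        start = qids.index(self._last) + 1 if self._last in qids else 0
        for i in range(len(qids)):                 # continue after the last served queue
            q = qids[(start + i) % len(qids)]
            if backlog.get(q, 0) > 0 and self.credit[q] > 0:
                self.credit[q] -= 1
                self._last = q
                return q
        return None


class PortScheduler:
    """One port's eight outbound queues.  By default all are in the SP group."""

    def __init__(self) -> None:
        self.group_of: Dict[int, str] = {q: "sp" for q in range(8)}
        self.groups = {"group1": WrrGroup(), "group2": WrrGroup()}

    def queue_scheduler_wrr(self, group1: Iterable[Tuple[int, int]] = (),
                            group2: Iterable[Tuple[int, int]] = ()) -> None:
        """queue-scheduler wrr group1 { queue-id queue-weight }&<1-8> group2 { ... }&<1-8>"""
        for name, pairs in (("group1", list(group1)), ("group2", list(group2))):
            if len(pairs) > 8:
                raise ValueError(f"{name}: at most 8 queue-id/queue-weight pairs")
            for qid, weight in pairs:
                if not 0 <= qid <= 7:
                    raise ValueError("queue-id must be 0-7")
                if not 1 <= weight <= 255:
                    raise ValueError("queue-weight must be 1-255")
                for other in self.groups.values():
                    other.remove(qid)
                self.groups[name].add(qid, weight)
                self.group_of[qid] = name

    def undo_queue_scheduler(self, *qids: int) -> None:
        """undo queue-scheduler [ queue-id ]&<1-8>: back to SP (all queues if none given)."""
        for qid in qids or range(8):
            for grp in self.groups.values():
                grp.remove(qid)
            self.group_of[qid] = "sp"

    def pick(self, backlog: Dict[int, int]) -> Optional[int]:
        """Select one queue: highest backlogged SP queue, else WRR group 1, else group 2."""
        sp = [q for q in range(8) if self.group_of[q] == "sp" and backlog.get(q, 0) > 0]
        if sp:
            return max(sp)
        for name in ("group1", "group2"):
            q = self.groups[name].pick(backlog)
            if q is not None:
                return q
        return None


def simulate(sched: PortScheduler, backlog: Dict[int, int], packets: int) -> Dict[int, int]:
    """Dequeue up to `packets` packets and count how many each queue sent."""
    sent: Dict[int, int] = {}
    for _ in range(packets):
        q = sched.pick(backlog)
        if q is None:
            break
        backlog[q] -= 1
        sent[q] = sent.get(q, 0) + 1
    return sent
```

With every queue backlogged, the SP queues 7 and 6 drain first and starve the WRR groups, which is the expected (and sometimes unwanted) property of strict priority; once they are empty, 700 dequeues from group 1 split 200:200:300, matching the 20:20:30 weights.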

2.1.31  reset traffic-statistic

Syntax

reset traffic-statistic inbound { { ip-group { acl-number | acl-name } rule rule | link-group { acl-number | acl-name } }* | { ip-group { acl-number | acl-name } | link-group { acl-number | acl-name } rule rule }* | ip-group { acl-number | acl-name } rule rule link-group { acl-number | acl-name } rule rule }

View

Ethernet port view

Parameter

inbound: Clears statistics of the inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

Description

Use the reset traffic-statistic command to clear statistics of all traffic or traffic of a specific ACL.

Table 2-7 Comparison between two statistics clearing commands

Command: reset acl counter
Description: Clears ACL statistics. This command is for the ACLs that perform filtering and traffic classification on packets processed by software; cases in which software imports ACLs include ACL import for routing policy and ACL import for registered user control. The ACL IDs available here are in the range of 2000 to 3999.

Command: reset traffic-statistic
Description: Clears traffic statistics. This command is for the ACLs delivered to hardware for packet filtering and traffic classification. It usually clears the statistics collected with the traffic-statistic command.

 

Example

# Clear traffic statistics of the ACL 4000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]interface ethernet3/1/1

[H3C-Ethernet3/1/1] reset traffic-statistic inbound link-group 4000

2.1.32  traffic-limit

Syntax

I. Command format which only applies IP group ACL

In Ethernet port view:

traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ]

In VLAN view:

traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ traffic-index index ] [ conform { remark-cos | remark-policed-service } ] [ exceed { forward | drop } ] slot slotid

undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

II. Command format which applies IP group and link group ACL at the same time

In Ethernet port view:

traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

undo traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

III. Command format which only applies link group ACL

In Ethernet port view:

traffic-limit inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

undo traffic-limit inbound link-group { acl-number | acl-name } [ rule rule ]

View

Ethernet port view, VLAN view

Parameter

inbound: Sets traffic limitation for the inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number : Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

system-index index: System index of an ACL rule. When delivering a rule, the system assigns it a globally unique index for later retrieval. You can also assign the system index yourself when delivering an ACL rule with this command, but doing so is not recommended unless absolutely necessary.

tc-index index: Index of the traffic conditioner, in the range of 0 to 12288. If you configure the same index value for different traffic rules when setting a traffic policy, the sum of those traffic flows is restricted by the configured traffic policy parameters. For example, if the CIR of the traffic matching rule 1 is 10 kbps, the CIR of the traffic matching rule 2 is also 10 kbps, and both rules use the same traffic conditioner index, then the sum of the average rates of rule 1 and rule 2 is restricted to 10 kbps.

Note:

- If you configure the same tc-index for different traffic, the traffic policy parameters must be the same; otherwise the system reports a configuration error. A tc-index of 0 means that the system selects an index value automatically.

- If you remove a card with QoS/ACL configured while the system is running, the corresponding system index value is released automatically and may then be used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

 

cir: Committed information rate in Kbps.

cbs: Committed burst size in bytes.

ebs: Excess burst size in bytes.

pir: Peak information rate in Kbps.

conform: Optional parameter used to set the action to be taken when the traffic does not exceed the set value.

remark-cos: Sets new 802.1p priority value for the packet according to its conform level and local precedence.

remark-drop-priority: Sets drop precedence value for the packet according to its conform level.

remark-policed-service: Sets new service parameters for the packet according to its conform level and DSCP value.

exceed: Optional parameter to set action for the case when traffic threshold is exceeded.

l           forward: Forwards the packet.

l           drop: Drops the packet.

traffic-index index: Traffic index.

slot slotid: Slot number of a service processor card.

Description

Use the traffic-limit command to activate an ACL and set traffic limitation to take different actions for the packets within and beyond the preset traffic threshold.

Use the undo traffic-limit command to remove traffic limitation setting.

This command is only applicable to the packets which match the permitted rules in the ACL.

CIR must be less than or equal to PIR, and CBS must be less than or equal to EBS. It is recommended to set CBS and EBS to 100 to 150 times CIR.

For the same traffic, you cannot select both the remark-cos and remark-policed-service keywords, or both the remark-drop-priority and remark-policed-service keywords.

Before selecting the remark-policed-service keyword, you must make sure you have configured the DSCP + Conform-Level > Service parameter mapping table. Before selecting the remark-cos keyword, you must ensure you have configured the Local-precedence + Conform-level> 802.1p priority mapping table. For details about the two mapping tables, see the qos conform-level, dscp and local-precedence commands.

 

Note:

- Interface cards support the command syntax in Ethernet port view, while service processor cards (LSB1NATB0 cards in the context of this document) support the command syntax in VLAN view.

- Before executing the traffic-limit command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect Layer 3 packets of the specified VLAN to the service processor card.

 

Example

# Set traffic limitation for the packets that match the permitted rules in ACL 4000: CIR is 200 kbps, CBS is 2000 bytes, EBS is 2500 bytes; drop the excess packets.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]interface ethernet2/1/1

[H3C-Ethernet2/1/1] traffic-limit inbound link-group 4000 200 2000 2500 conform remark-policed-service exceed drop
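The cir/cbs/ebs/pir parameters, the conform and exceed actions, the CIR/PIR and CBS/EBS constraints and the tc-index sharing rule above are easier to reason about as a token bucket. The following Python model is an added example, not H3C code: it validates a policy the way the manual prescribes (hard rules raise, the 100 to 150 times CIR advice becomes a warning), polices packets with two buckets, and keeps a tc-index registry that rejects mismatched parameters and allocates an index for tc-index 0. Assumptions: the policer colours packets like the single-rate three-colour marker of RFC 2697 (green is conform level 0 and yellow conform level 1, both taking the conform action; red is conform level 2 and takes the exceed action), rates are in kbit/s and sizes in bytes as the manual states.

```python
"""Token-bucket model of traffic-limit: cir/cbs/ebs/pir, the conform and exceed
actions, and the tc-index sharing rule.  Added example, not H3C code.
Assumptions: srTCM-style colouring (RFC 2697) with green/yellow = conform and
red = exceed; cir/pir in kbit/s, cbs/ebs in bytes."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficPolicy:
    cir: int                     # committed information rate, kbit/s
    cbs: int                     # committed burst size, bytes
    ebs: int                     # excess burst size, bytes
    pir: Optional[int] = None    # peak information rate, kbit/s
    exceed: str = "forward"      # exceed { forward | drop }

    def validate(self) -> List[str]:
        """Hard rules from the manual raise; its CBS/EBS sizing advice is returned as warnings."""
        if self.pir is not None and self.cir > self.pir:
            raise ValueError("CIR must be less than or equal to PIR")
        if self.cbs > self.ebs:
            raise ValueError("CBS must be less than or equal to EBS")
        if self.exceed not in ("forward", "drop"):
            raise ValueError("exceed action must be forward or drop")
        warnings = []
        for name, value in (("cbs", self.cbs), ("ebs", self.ebs)):
            if not 100 * self.cir <= value <= 150 * self.cir:
                warnings.append(f"{name}={value} is outside the recommended 100-150 x CIR")
        return warnings


class SrTcmPolicer:
    """Colour-blind srTCM: a C bucket of cbs bytes and an E bucket of ebs bytes,
    both refilled at CIR; overflow of C spills into E."""

    def __init__(self, policy: TrafficPolicy) -> None:
        policy.validate()
        self.policy = policy
        self.tc = policy.cbs      # committed tokens (bytes)
        self.te = policy.ebs      # excess tokens (bytes)
        self.last = 0.0           # time of the last refill, seconds

    def _refill(self, now: float) -> None:
        new_tokens = int((now - self.last) * self.policy.cir * 1000 / 8)  # kbit/s -> bytes
        self.last = now
        self.tc += new_tokens
        if self.tc > self.policy.cbs:
            self.te = min(self.policy.ebs, self.te + self.tc - self.policy.cbs)
            self.tc = self.policy.cbs

    def police(self, size: int, now: float) -> Tuple[str, int, str]:
        """Return (colour, conform level, action) for a packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green", 0, "conform"
        if self.te >= size:
            self.te -= size
            return "yellow", 1, "conform"
        return "red", 2, self.policy.exceed


class TrafficConditioners:
    """tc-index bookkeeping: rules that share a non-zero tc-index share one policer
    (so their aggregate is limited) and must carry identical parameters;
    tc-index 0 asks the system to allocate a free index."""

    MAX_INDEX = 12288

    def __init__(self) -> None:
        self.by_index: Dict[int, SrTcmPolicer] = {}

    def attach(self, tc_index: int, policy: TrafficPolicy) -> int:
        if not 0 <= tc_index <= self.MAX_INDEX:
            raise ValueError("tc-index must be 0-12288")
        if tc_index == 0:
            tc_index = next(i for i in range(1, self.MAX_INDEX + 1) if i not in self.by_index)
        existing = self.by_index.get(tc_index)
        if existing is None:
            self.by_index[tc_index] = SrTcmPolicer(policy)
        elif existing.policy != policy:
            raise ValueError(f"tc-index {tc_index} already carries different traffic parameters")
        return tc_index
```

For the example policy (CIR 200 kbps, CBS 2000, EBS 2500, exceed drop), three back-to-back 1500-byte packets come out green, yellow and red, so the third is dropped; one second later the buckets have refilled and the next packet is green again. `validate()` also flags that CBS and EBS are far below the manual's 100 to 150 times CIR recommendation for this CIR, which is the kind of check worth running over a configuration before it is pushed.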

2.1.33  traffic-params

Syntax

traffic-params traffic-index cir committed-info-rate cbs committed-burst-size ebs exceed-burst-size [ pir peak-info-rate ]

View

System view

Parameter

traffic-index: Traffic parameter index, in the range of 0 to 173.

cir committed-info-rate: Committed average information rate in Kbps.

cbs committed-burst-size: Committed burst size in bytes.

ebs exceed-burst-size: Maximum burst size in bytes.

pir peak-info-rate: Peak information rate in Kbps.

Description

Use the traffic-params command to set the traffic parameters required by the traffic-limit command used on the service processor card.

These parameters must satisfy cir < pir and cbs <= ebs.

Related command: display traffic-params.

Example

# Set the traffic parameter index to 10, the committed average information rate to 8192 Kbps, the committed burst size to 2000 bytes, and the maximum burst size to 2500 bytes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] traffic-params 10 cir 8192 cbs 2000 ebs 2500

2.1.34  traffic-priority

Syntax

I. Command Format Which Only Applies IP Group ACL

In Ethernet port view:

traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ]

In VLAN view:

traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } } slot slotid

undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

II. Command Format Which Applies IP Group and Link Group ACL at Same time

In Ethernet port view:

traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

undo traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

III. Command Format Which Only Applies Link Group ACL

In Ethernet port view:

traffic-priority inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

undo traffic-priority inbound link-group { acl-number | acl-name } [ rule rule ]

View

Ethernet port view, VLAN view

Parameter

inbound: Sets traffic priority for the inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

system-index index: System index of an ACL rule. When delivering a rule, the system assigns it a globally unique index for later retrieval. You can also assign the system index yourself when delivering an ACL rule with this command, but doing so is not recommended unless absolutely necessary.

auto: Chooses the service parameters allocated automatically by the switch.

remark-policed-service: Reallocates service parameters.

trust-dscp: Reallocates service parameters according to packet DSCP values.

dscp dscp-value: Reallocates service parameters according to user’s DSCP values or EXP values. For IP packets, dscp-value is the specified DSCP priority value (six bits in the packet header) and in the range of 0 to 63; for MPLS packets, other than that the dscp-value stands for their DSCP priority value, the three high-order bits of the value represent the EXP flag field. Set the EXP value when defining the dscp-value.

untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level: Customizes a set of service parameters. For IP packets, dscp-value is the specified DSCP priority value (six bits in the packet header) and in the range of 0 to 63; for MPLS packets, other than that the dscp-value stands for their DSCP priority value, the three high-order bits of the value represent the EXP flag field. Set the EXP value when defining the dscp-value; local-precedence is local precedence, in number (ranging 0 to 7) or name; cos-value is 802.1p priority, in number (ranging 0 to 7) or name; drop-level is drop level, in number (ranging 0 to 2) or name.

 

Note:

The mapping relationship between dscp-value and EXP is:

- When the S9500 switch is used as the ingress PE device, for IP packets EXP is matched according to the “DSCP + Conform-Level > Service-parameter” mapping table; for TCP and UDP packets, the value of EXP is the lower 3 bits of dscp-value.

- When the S9500 switch is used as the ingress P device, the value of EXP is the lower 3 bits of dscp-value.

 

slot slotid: Slot number of a service processor card.

Description

Use the traffic-priority command to activate an ACL and choose a set of service parameters for the matched traffic (only available to permitted ACL rules).

Use the undo traffic-priority command to remove service parameter setting.

The system can set service parameters for the matched traffic in one of following modes:

1) Employ the service parameters automatically allocated by the switch. Upon receiving a packet, the switch allocates a set of service parameters for it according to a specific rule. To choose this mode, select the auto keyword in this command.

2) Choose service parameters from the “DSCP + Conform-Level > Service-parameter” mapping table according to the packet DSCP value and conform level. To choose this mode, select the remark-policed-service trust-dscp keyword in this command.

3) Choose service parameters from the “DSCP + Conform-Level > Service-parameter” mapping table or the “EXP + Conform-Level > Service-parameter” mapping table according to the user's DSCP priority or the EXP value of MPLS packets and the packet conform level. To choose this mode, select the remark-policed-service dscp dscp-value parameter in this command.

4) Customize a set of service parameters. To choose this mode, select the remark-policed-service untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level parameter in this command.

 

Note:

- Interface cards support the command syntax in Ethernet port view, while service processor cards (LSB1NATB0 cards in the context of this document) support the command syntax in VLAN view.

- Before executing the traffic-priority command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect Layer 3 packets of the specified VLAN to the service processor card.

- The “DSCP + Conform-Level > Service-parameter” and “EXP + Conform-Level > Service-parameter” mapping tables used here are those of conform level 0.

- Before selecting the second or third mode, make sure you have configured the “DSCP + Conform-Level > Service-parameter” and “EXP + Conform-Level > Service-parameter” mapping tables. For more information about these mapping tables, see the qos conform-level, dscp and exp commands.

 

Related command: display qos-interface traffic-priority.

Example

# Choose auto service parameters for the packets which match the permitted rules in the ACL 4000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet5/1/2

[H3C-Ethernet5/1/2] traffic-priority inbound link-group 4000 auto

2.1.35  traffic-redirect

Syntax

I. Command Format That Applies Only to IP Group ACLs

In Ethernet port view:

traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn } | next-hop ip-addr1 [ ip-addr2 ] | slot slotid vlanid [ join-vlan ]}

undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]

In VLAN view:

traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ip-addr2] } slot slotid

undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

II. Command Format That Applies IP Group and Link Group ACLs at the Same Time

In Ethernet port view:

traffic-redirect inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] } { cpu | interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn } | next-hop ip-addr1 [ ip-addr2 ] | slot slotid vlanid }

undo traffic-redirect inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule [ join-vlan ] }

or undo traffic-redirect inbound link-group { acl-number | acl-name } { rule rule ip-group { acl-number | acl-name } | ip-group { acl-number | acl-name } rule rule }

III. Command Format That Applies Only to Link Group ACLs

In Ethernet port view:

traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number destination-vlan { l2-vpn |l3-vpn } | next-hop ip-addr1 [ ip-addr2 ] | slot slotid vlanid [ join-vlan ] }

undo traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule ]

View

Ethernet port view, VLAN view

Parameter

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string of 1 to 32 characters starting with an English letter (a-z or A-Z), without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of the ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string of 1 to 32 characters starting with an English letter (a-z or A-Z), without any space or quotation mark in it.

rule rule: Specifies the rule of an active ACL, ranging from 0 to 127; if not specified, all rules of ACL will be activated.

system-index index: System index of an ACL rule. When delivering a rule, the system assigns a globally unique index to it for convenient later retrieval. You can also assign a system index when delivering an ACL rule with this command; however, manually assigning a system index is not recommended unless strictly necessary.

cpu: Redirects packets to the CPU.

interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn }: Redirects packets to the specified Ethernet port. interface-type and interface-number together identify a port. destination-vlan { l2-vpn | l3-vpn } is used to redirect MPLS packets: l2-vpn means that MPLS L2 VPN packets are allowed to pass, and l3-vpn means that MPLS L3 VPN packets are allowed to pass. destination-vlan must be the VLAN to which the destination port belongs.

next-hop ip-addr1 [ ip-addr2 ]: Redirects packets to the specified IP address. You can specify two IP addresses at once, but the first one has higher priority: the system redirects packets to the second IP address only if the first one is unreachable.

slot slotid: Redirects packets to the specified service processor card.

vlanid: Specifies the VLAN of the packets to be redirected.

join-vlan: If this keyword is specified and redirection is enabled, the system adds the port to the destination VLAN automatically; when redirection is disabled, the system removes the port from the VLAN once the last join-vlan enabled redirection in that VLAN is deleted. This keyword should be specified in redirection applications related to MPLS (such as VPLS, L3VPN and interchangeably plugged cards). Only the Ethernet and GigabitEthernet port views currently support join-vlan.

Description

Use the traffic-redirect command to activate an ACL and configure traffic redirection. Use the undo traffic-redirect command to remove traffic redirection setting.

You can redirect packets to the CPU, a specified Ethernet port, a specified IP address or a specified slot.

Note:

•  The interface cards support the command syntax in Ethernet port view, while the service processor cards (LSB1NATB0 cards in the context of this document) support the command syntax in VLAN view.

•  Before executing the traffic-redirect command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect Layer 3 packets of a specific VLAN to the service processor card.

•  Traffic redirection is only available for the permitted rules in the ACL.

•  A packet redirected to the CPU cannot be forwarded normally.

•  You can achieve policy routing by selecting the next-hop keyword in this command.

•  Multicast packets cannot be redirected to the service processor cards.

Related command: display qos-interface traffic-redirect. Refer to the “VLAN&QinQ” section in the manual for information on the traffic-redirect { nested-vlan | modified-vlan } command.

Example

# Configure traffic redirection on the interface cards for packets that match the permit rules in ACL 4000: the packets are redirected to the port Ethernet5/1/1, the destination VLAN ID is 4094, and L3 VPN packets are permitted.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet5/1/2

[H3C-Ethernet5/1/2] traffic-redirect inbound link-group 4000 interface ethernet5/1/1 4094 l3-vpn

# Configure traffic redirection on a service processor card for packets that match the permit rules in ACL 3000.

1)         Redirect the packets of VLAN4 that match the permit rules in ACL 3000 to a service processor card in Ethernet port view.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet5/1/2

[H3C-Ethernet5/1/2] traffic-redirect inbound ip-group 3000 slot 2 4

2)         Redirect the packets that are distributed to the service processor card to the next hop 202.119.85.1 and 202.119.95.1 in VLAN view.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 4

[H3C-vlan4] traffic-redirect inbound ip-group 3000 next-hop 202.119.85.1 202.119.95.1 slot 2

2.1.36  traffic-shape

Syntax

traffic-shape [ queue queue-id ] max-rate burst-size

undo traffic-shape [ queue queue-id ]

View

Ethernet port view

Parameter

queue queue-id: Specifies queue ID, in the range of 0 to 7.

max-rate: Maximum traffic rate in Kbps of the port.

burst-size: Burst size in KB. Its value must be an integer multiple of 4.

Description

Use the traffic-shape command to enable traffic shaping.

Use the undo traffic-shape command to cancel traffic shaping.

The switch supports both shaping traffic based on port (shaping all traffic at the port) and shaping the traffic in a specified queue at the port. You can achieve the former mode by specifying no queue ID or the latter mode by specifying queue ID.

Example

# Shape the traffic in the outbound queue 2 at the port: maximum rate 500 Kbps, burst size 12 Kbytes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet3/1/1

[H3C-Ethernet3/1/1] traffic-shape queue 2 500 12

2.1.37  traffic-statistic

Syntax

I. Command Format That Applies Only to IP Group ACLs

traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]

undo traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule ]

II. Command Format That Applies Only to Link Group ACLs

traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]

undo traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule ]

View

Ethernet port view

Parameter

inbound: Sets traffic statistics for inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of the ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), without any space or quotation mark in it.

rule rule: Specifies the rules of an active ACL, ranging from 0 to 127; if not specified, all rules of ACL will be activated.

system-index index: System index of an ACL rule. When delivering a rule, the system assigns a globally unique index to it for convenient later retrieval. You can also assign a system index when delivering an ACL rule with this command; however, manually assigning a system index is not recommended unless strictly necessary.

tc-index index: Index value of the traffic conditioner, ranging from 0 to 12288. If you configure the same index value for different traffic rules when configuring traffic statistics, the statistics of these flows are collected together under that index.

Description

Use the traffic-statistic command to activate an ACL and run traffic statistics (only available for the permitted rules in the ACL).

Use the undo traffic-statistic command to cancel traffic statistics.

The traffic-statistic command only counts the number of hardware matches during packet forwarding. You can view the statistics using the display qos-interface traffic-statistic command.

Related command: display qos-interface traffic-statistic.

Example

# Run traffic statistics for the packets which match the permitted rules in the ACL 2000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet3/1/1

[H3C-Ethernet3/1/1] traffic-statistic inbound ip-group 2000

2.1.38  wred

Syntax

wred wred-index

undo wred wred-index

View

System view

Parameter

wred-index: WRED index, in the range of 0 to 3.

Description

Use the wred command to create a WRED index view and enter it.

Use the undo wred command to restore the default WRED parameters.

The switch provides four sets of default WRED parameters, numbered 0, 1, 2 and 3. The ten parameters for a port are green-min-threshhold, yellow-min-threshhold, red-min-threshhold, green-max-threshhold, yellow-max-threshhold, red-max-threshhold, green-max-prob, yellow-max-prob, red-max-prob and exponent. Red, yellow and green packets refer to those with drop precedence levels 2, 1 and 0 respectively.

Example

# Create WRED 0 view and enter it.

[H3C] wred 0

[H3C-wred-0]

Chapter 3  ACL Control Commands to Control Login Users

3.1  The ACL Control Commands to Control Login Users

3.1.1  acl

Syntax

acl acl-number1 { inbound | outbound }

undo acl acl-number1 { inbound | outbound }

acl acl-number2 inbound

undo acl acl-number2 inbound

View

User interface view

Parameter

acl-number1: Numbers of basic number-based ACLs and advanced ACLs, ranging from 2,000 to 3,999.

acl-number2: Number of a number-based Layer 2 ACL, ranging from 4,000 to 4,999.

inbound: Performs ACL control to the users who access the local switch using Telnet or SSH.

outbound: Performs ACL control to the users who access other switches from the local switch using Telnet or SSH.

Description

Use the acl command to apply an ACL to implement the ACL control to the users accessing through Telnet or SSH.

Use the undo acl command to remove the ACL control configured for users accessing through Telnet or SSH.

Note:

•  You can only apply number-based ACLs to implement ACL control for users accessing through Telnet or SSH.

•  When you use a basic or advanced ACL to implement ACL control for users accessing through Telnet or SSH, incoming/outgoing connection requests are restricted based on the source or destination IP addresses. Therefore, when you use the rules of a basic or advanced ACL, only the source IP address and its mask, the destination IP address and its mask, and the time-range parameter in them are valid. Similarly, when you use a Layer 2 ACL to implement ACL control for users accessing through Telnet or SSH, incoming/outgoing requests are restricted based on the source MAC addresses. Therefore, when you use the rules of a Layer 2 ACL, only the source MAC address and its mask and the time-range parameter are valid.

•  When you use a Layer 2 ACL to implement ACL control for users accessing through Telnet or SSH, only incoming requests are restricted.

•  If a user fails to log in due to ACL restriction, the system logs the failure, including the IP address, login method, user interface index value and the cause.

By default, the system does not restrict incoming/outgoing requests.

Example

# Perform ACL control to the users who access the local switch through Telnet (assuming that ACL 2000 is previously created).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] user-interface vty 0 4

[H3C-user-interface-vty0-4] acl 2000 inbound
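As an added illustration (not H3C code) of the check this section describes, the following Python model applies a basic ACL to a Telnet/SSH login: only the source address, its mask and the time-range are honoured, as the note says, and a refused login is recorded with the fields the note lists. The wildcard-mask convention of the rule command, the deny-on-no-match default and the log record layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One rule of a basic ACL, reduced to the fields the note says are honoured."""
    action: str                                     # "permit" or "deny"
    source: str = "0.0.0.0"                         # address to compare against
    source_wildcard: str = "255.255.255.255"        # assumption: 0 bit = must match, 1 bit = ignored
    time_range: Optional[Tuple[time, time]] = None  # (start, end) during which the rule is active


@dataclass
class LoginAttempt:
    source_ip: str      # address the Telnet/SSH connection comes from
    method: str         # "telnet" or "ssh"
    vty_index: int      # user interface index, e.g. 0 for vty 0
    when: datetime      # time of the attempt, for time-range evaluation


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Compare addr with pattern on the bits that are 0 in the wildcard mask."""
    care = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(pattern)) & care)


def rule_active(rule: Rule, when: datetime) -> bool:
    """A rule without a time-range is always active."""
    if rule.time_range is None:
        return True
    start, end = rule.time_range
    return start <= when.time() <= end


def evaluate_login(acl: Optional[List[Rule]], attempt: LoginAttempt, log: list) -> bool:
    """Return True if the login is allowed.

    acl is None when no 'acl ... inbound' is configured on the user interface: the
    page states that incoming requests are then not restricted. A refused login is
    appended to log with the address, method, interface index and cause.
    """
    if acl is None:
        return True
    cause = "no matching rule (constructed default: deny)"
    for rule in acl:
        if not rule_active(rule, attempt.when):
            continue
        if wildcard_match(attempt.source_ip, rule.source, rule.source_wildcard):
            if rule.action == "permit":
                return True
            cause = "denied by rule"
            break
    log.append({
        "source_ip": attempt.source_ip,
        "method": attempt.method,
        "user_interface": f"vty{attempt.vty_index}",
        "cause": cause,
    })
    return False


# Constructed sample ACL: the management subnet 10.1.1.0/24 may log in during
# office hours; everything else is denied.
MGMT_ACL = [
    Rule("permit", "10.1.1.0", "0.0.0.255", time_range=(time(8, 0), time(18, 0))),
    Rule("deny"),
]

if __name__ == "__main__":
    events: list = []
    print(evaluate_login(MGMT_ACL, LoginAttempt("10.1.1.7", "ssh", 0, datetime(2024, 1, 8, 9, 30)), events))
    print(evaluate_login(MGMT_ACL, LoginAttempt("10.1.1.7", "ssh", 0, datetime(2024, 1, 8, 22, 0)), events))
    print(events)
```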

3.1.2  snmp-agent community

Syntax

snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number ]

undo snmp-agent community community-name

View

System view

Parameter

read: Indicates that this community name has the read-only right within the specified view.

write: Indicates that this community name has the read-write right within the specified view.

community-name: Community name, consisting of 1 to 32 characters.

mib-view: Set the MIB view name which can be accessed by the community name.

view-name: MIB view name, consisting of 1 to 32 characters.

acl acl-number: The number identifier of basic number-based ACLs, ranging from 2000 to 2999.

Description

Use the snmp-agent community command to set the community access name, permit the access to the switch using SNMP, and reference the ACL to perform ACL control to the network management users by acl-number.

Use the undo snmp-agent community command to remove the setting of community access name.

By default, SNMPv1 and SNMPv2c use the community name for access.

Example

# Set the community name to “test”, permit read-only access using this community name, and reference ACL 2000 to perform ACL control on the network management users (basic ACL 2000 has already been defined).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] snmp-agent community read test acl 2000

3.1.3  snmp-agent group

Syntax

snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

undo snmp-agent group { v1 | v2c } group-name

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

undo snmp-agent group v3 group-name [ authentication | privacy ]

View

System view

Parameter

v1: V1 security mode.

v2c: V2c security mode.

v3: V3 security mode.

group-name: Group name, ranging from 1 to 32 bytes.

authentication: With this parameter, the system will authenticate SNMP data without encrypting it.

privacy: Authenticates and encrypts packets.

read-view: Sets read-only view.

read-view: Name of read-only view, ranging from 1 to 32 bytes.

write-view: Sets read-write view.

write-view: Name of read-write view, ranging from 1 to 32 bytes.

notify-view: Sets notify view.

notify-view: Name of notify view, ranging from 1 to 32 bytes.

acl acl-number: Number identifier of basic number-based ACLs, ranging from 2000 to 2999.

Description

Use the snmp-agent group command to configure a new SNMP group and reference the ACL to perform ACL control to the network management users by acl acl-number. Use the undo snmp-agent group command to remove a specified SNMP group.

Example

# Create an SNMP group “test”, and reference ACL 2001 to perform ACL control on the network management users (basic ACL 2001 has already been defined).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] snmp-agent group v1 test acl 2001

3.1.4  snmp-agent usm-user

Syntax

snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]

undo snmp-agent usm-user { v1 | v2c } user-name group-name

snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy des56 priv-password ] [ acl acl-number ]

undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-string }

View

System view

Parameter

v1: V1 security mode.

v2c: V2c security mode.

v3: V3 security mode.

user-name: User name, ranging from 1 to 32 bytes.

group-name: Corresponding group name of the user, ranging from 1 to 32 bytes.

authentication-mode: Specifies the security level as “to be authenticated”.

md5: Specifies the authentication protocol as HMAC-MD5-96.

sha: Specifies the authentication protocol as HMAC-SHA-96.

auth-password: Authentication password, character string, ranging from 1 to 64 bytes.

privacy: Specifies the security level as encryption.

des56: Specifies the DES encryption protocol.

priv-password: Encryption password, character string, ranging from 1 to 64 bytes.

acl acl-number: Number identifier of basic number-based ACLs, ranging from 2000 to 2999.

local: Local entity user.

engineid: Specifies the engine ID related to the user.

engineid-string: Engine ID character string.

Description

Use the snmp-agent usm-user command to add a new user to an SNMP group, and reference the ACL to perform ACL control to the network management users by acl acl-number.

Use the undo snmp-agent usm-user command to remove the user from the related SNMP group as well as the configuration of the ACL control of the user.

Example

# Add a user “test” to the SNMP group “testgroup”. Specify the security level to “to be authenticated”, the authentication protocol to HMAC-MD5-96 and the authentication password to “H3C”, and reference the ACL 2002 to perform ACL control to the network management users (basic ACL 2002 has already been defined).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] snmp-agent usm-user v3 test testgroup authentication-mode md5 H3C acl 2002

Chapter 4  VLAN-ACL Configuration Commands

4.1  VLAN-ACL Configuration Commands

The VLAN-ACL configuration is subject to the following limitations:

1) Limitations on flow templates:

•  The system only applies a VLAN-ACL to ports with the default flow template applied. The fields of the applied ACL rule must be fields specified by the default flow template.

•  If no port in a VLAN has ACL rules applied, the system checks all ports in the VLAN when applying an ACL rule in VLAN view, and refuses to apply the ACL rule if any port in the VLAN has a customized flow template applied.

•  If a VLAN-ACL is applied to some of the ports in a VLAN, a port with a customized flow template applied can still be added to the VLAN, but the system will fail to apply the VLAN-ACL to the newly added port. That is, the VLAN-ACL applied in VLAN view takes effect on all ports in the VLAN except the newly added one. However, when the self-defined flow template is deleted from that port, the system applies the QACL rules of the VLAN to the port automatically.

•  You cannot apply a customized flow template to a port that already has a VLAN-ACL applied.

2) If both a VLAN and one of its ports have QACL rules applied, only those applied to the port take effect. In this case, the VLAN-ACL takes effect only after the QACL rules applied to the port are removed and the flow template applied to the port is changed back to the default flow template.

3) When the VLAN contains no ports, the system does not allow a VLAN-ACL to be applied (including adding and deleting rules).

4) Two ports differing in VLAN-ACL configuration cannot be aggregated dynamically.

5) A VLAN-ACL cannot be applied to a VLAN bound to POS ports. That is, a VLAN-ACL cannot be applied to POS ports.

6) A VLAN-ACL cannot be applied to a VLAN containing MPLS intermixing ports. Similarly, a VLAN with a VLAN-ACL applied cannot be used for MPLS intermixing.

4.1.1  mirrored-to

Syntax

mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu

undo mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameter

inbound: Mirrors inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

system-index index: Specifies the system index value of the rule, which is used to index the rule during operation. After delivering a rule, the system automatically assigns a globally unique index value to it. When using the mirrored-to command to deliver a rule, you can also specify a system index value for the rule; in general, manually specifying this parameter is not recommended.

cpu: Mirrors traffic to the CPU.

Description

Use the mirrored-to command to activate an ACL and mirror matching data streams in VLAN to the CPU.

Use the undo mirrored-to command to remove traffic mirroring setting.

This configuration is only applicable to the packets which match the permit rules in the ACL.

Example

# Mirror to the CPU the packets which are received by a port in VLAN2 and match the permit rules in the ACL 2000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 2

[H3C-vlan2] mirrored-to inbound ip-group 2000 cpu

4.1.2  packet-filter

Syntax

packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameter

inbound: Filters inbound packets at the port.

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

system-index index: Specifies the system index value of the rule, which is used to index the rule during operation. After delivering a rule, the system automatically assigns a globally unique index value to it. When using this command to deliver a rule, you can also specify a system index value for the rule; in general, manually specifying this parameter is not recommended.

Description

Use the packet-filter command to activate the ACLs in VLAN.

Use the undo packet-filter command to deactivate an active ACL.

Example

# Activate ACL 2000 of each port in VLAN 2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 2

[H3C-vlan2] packet-filter inbound ip-group 2000

4.1.3  traffic-limit

Syntax

traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameter

inbound: Implements traffic policing for data packets received on the port.

ip-group { acl-number | acl-name }: Activates the ACL identified by the acl-number or acl-name argument. The ACL here can be a basic ACL or an advanced ACL. acl-number: Sequence number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a string beginning with character a-z or A-Z. Note that this argument cannot contain spaces or quotation marks.

rule rule: Specifies the rule identified by the rule argument of the ACL. The rule argument ranges from 0 to 127. Without this keyword, this command applies to all rules of the ACL.

system-index index: Specifies the system index value of the rule. Normally, an applied rule is automatically assigned a globally unique index value for indexing. You can also specify the index value for the rule; in general, manually specifying this parameter is not recommended.

tc-index index: Traffic control index. If the same index is configured for different flow rules when you configure traffic policing, the total traffic of all these flows is limited by the configured policing parameters. For example, if the cir value of the flow matching rule 1 is configured as 10 kbps, that of the flow matching rule 2 is also configured as 10 kbps, and the two rules share the same tc-index value, then the sum of the average rates of the flows matching rule 1 and rule 2 is limited to 10 kbps.

Note:

When you specify the same tc-index value for different flows, the parameter settings of the traffic policing action must be completely consistent; otherwise the system prompts an error. When tc-index is set to 0, the system selects the index automatically.

cir: Committed information rate in Kbps.

cbs: Committed burst size in bytes.

ebs: Excess burst size in bytes.

pir: Peak information rate in Kbps.

remark-cos: Sets new 802.1p priority value for the packet according to its conform-level and local precedence.

remark-drop-priority: Sets drop precedence value for the packet according to its conform-level.

remark-policed-service: Sets new service parameters for the packet according to its conform-level and DSCP priority value.

exceed: Optional parameter, used to set the action to be taken when traffic threshold is exceeded.

forward: Forwards the packet.

drop: Drops the packet.

Description

Use the traffic-limit command to activate ACL flow identification, perform flow limiting for the matching data flows in the VLAN, and take different actions on the packets within the flow limit and those beyond it.

Use the undo traffic-limit command to undo the flow limit.

Use the command to perform flow limit on the packets matching the specified ACL (only available to the rules whose action is permit in the ACL).

When setting the parameters, make sure that cir <= pir and cbs <= ebs. It is recommended to set the values of cbs and ebs to 100 to 150 times the value of cir.

The setting of the conform actions is subject to the following limitations:

•  remark-cos and remark-policed-service cannot be set at the same time for the same data flow; neither can remark-drop-priority and remark-policed-service.

•  You need to configure the “DSCP + Conform-Level -> Service-parameter” mapping table before configuring the remark-policed-service action, and the “Local-precedence + Conform-Level -> 802.1p priority” mapping table before configuring the remark-cos action. Refer to the qos conform-level, dscp and local-precedence commands for descriptions of the two mapping tables.
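An added example (not H3C code) that checks a set of VLAN-view traffic-limit statements against the constraints stated above: cir <= pir, cbs <= ebs, the recommended burst sizes of 100 to 150 times cir, the remark-* exclusions, and the note that flows sharing a tc-index must carry identical policing settings. The TrafficLimit record, the treatment of tc-index 0 as "choose automatically" and the error wording are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class TrafficLimit:
    """One VLAN-view traffic-limit statement, as a constructed in-memory record."""
    acl: int                               # ACL number, 2000-3999
    cir: int                               # committed information rate, kbps
    cbs: int                               # committed burst size, bytes
    ebs: int                               # excess burst size, bytes
    pir: Optional[int] = None              # peak information rate, kbps (optional)
    tc_index: int = 0                      # 0 = let the system pick the index
    conform: FrozenSet[str] = frozenset()  # subset of the three remark-* actions
    exceed: str = "forward"                # "forward" or "drop"
    rule: Optional[int] = None             # ACL rule number 0-127, or None for all rules


def policing_key(tl: TrafficLimit) -> Tuple:
    """The policing settings that must be identical for every flow sharing a tc-index."""
    return (tl.cir, tl.cbs, tl.ebs, tl.pir, tl.conform, tl.exceed)


def check_one(tl: TrafficLimit) -> List[str]:
    """Hard constraints from the description: cir <= pir, cbs <= ebs, rule range,
    and remark-policed-service is exclusive with remark-cos / remark-drop-priority."""
    errors = []
    if tl.pir is not None and tl.cir > tl.pir:
        errors.append(f"ACL {tl.acl}: cir {tl.cir} exceeds pir {tl.pir}")
    if tl.cbs > tl.ebs:
        errors.append(f"ACL {tl.acl}: cbs {tl.cbs} exceeds ebs {tl.ebs}")
    if "remark-policed-service" in tl.conform:
        clash = tl.conform & {"remark-cos", "remark-drop-priority"}
        if clash:
            errors.append(f"ACL {tl.acl}: remark-policed-service cannot be combined with {sorted(clash)}")
    if tl.rule is not None and not 0 <= tl.rule <= 127:
        errors.append(f"ACL {tl.acl}: rule {tl.rule} out of range 0-127")
    return errors


def check_burst_guidance(tl: TrafficLimit) -> List[str]:
    """Advisory only: cbs and ebs are recommended to be 100 to 150 times cir."""
    low, high = 100 * tl.cir, 150 * tl.cir
    return [f"ACL {tl.acl}: {name} {val} is outside the recommended {low}-{high}"
            for name, val in (("cbs", tl.cbs), ("ebs", tl.ebs)) if not low <= val <= high]


def check_tc_index_sharing(limits: List[TrafficLimit]) -> List[str]:
    """Flows that share a non-zero tc-index must carry identical policing settings."""
    seen: Dict[int, Tuple] = {}
    errors = []
    for tl in limits:
        if tl.tc_index == 0:          # assumption: 0 means the system picks the index
            continue
        key = policing_key(tl)
        if tl.tc_index in seen and seen[tl.tc_index] != key:
            errors.append(f"tc-index {tl.tc_index}: ACL {tl.acl} differs from the earlier flow sharing it")
        seen.setdefault(tl.tc_index, key)
    return errors


def validate(limits: List[TrafficLimit]) -> Dict[str, List[str]]:
    """Run all checks over a set of statements; errors block, warnings only advise."""
    errors, warnings = [], []
    for tl in limits:
        errors += check_one(tl)
        warnings += check_burst_guidance(tl)
    errors += check_tc_index_sharing(limits)
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # The statement from the example in this section, as a record.
    page_example = TrafficLimit(3000, 200, 2000, 2500,
                                conform=frozenset({"remark-policed-service"}), exceed="drop")
    print(validate([page_example]))
```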

Example

# Perform flow limit on packets received on the ports in VLAN 2 if they match the permit rule in ACL3000. Set the CIR to 2000 kbps, the CBS to 2000 bytes and the EBS to 2500 bytes. Drop packets when this threshold is exceeded.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 2

[H3C-vlan2] traffic-limit inbound ip-group 3000 200 2000 2500 conform remark-policed-service exceed drop

4.1.4  traffic-priority

Syntax

traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameter

inbound: Sets priority for packets received on the port.

ip-group { acl-number | acl-name }: Activates the ACL identified by the acl-number or acl-name argument. The ACL here can be a basic ACL or an advanced ACL. acl-number: Sequence number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a string beginning with character a-z or A-Z. Note that this argument cannot contain spaces or quotation marks.

rule rule: Specifies the rule identified by the rule argument of the ACL. The rule argument ranges from 0 to 127. Without this keyword, this command applies to all rules of the ACL.

system-index index: Specifies the system index value of the rule. Normally, an applied rule is automatically assigned a globally unique index value for indexing. You can also specify the index value for the rule; in general, manually specifying this parameter is not recommended.

auto: Chooses the service parameters allocated automatically by the switch.

remark-policed-service: Reallocates service parameters.

trust-dscp: Reallocates service parameters according to the DSCP values carried by packets.

dscp dscp-value: Reallocates service parameters according to customized DSCP values or EXP values. For IP packets, dscp-value is the DSCP priority (six bits in length in the packet header), ranging from 0 to 63 and set by the user. For MPLS packets, the dscp-value argument indicates the DSCP priority; in addition, the lowest three bits of the value also act as the EXP field, which is set at the same time as the user specifies the dscp-value argument.

untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level: Customizes a set of service parameters. For IP packets, dscp-value is the DSCP priority (six bits in length in the packet header), ranging from 0 to 63 and set by the user. For MPLS packets, dscp-value indicates the DSCP priority value; in addition, the lowest three bits of the value also act as the EXP field, which is set at the same time as the user specifies the dscp-value argument. The local-precedence argument is the local precedence, in the range of 0 to 7. The cos-value argument is the 802.1p priority, in the range of 0 to 7. The drop-level argument is the drop level, in the range of 0 to 2.

Description

Use the traffic-priority command to activate an ACL for flow classification and choose a set of service parameters for the matched flow in VLAN (only available to ACL rules that permit packets).

Use the undo traffic-priority command to remove service parameters for the specified flow.

The system can perform the following operations to the service parameters of the matched flow:

1) Employ the service parameters automatically allocated by the switch. Upon receiving a packet, the switch allocates a set of service parameters for it according to a specific rule. To choose this mode, specify the auto keyword when executing this command.

2) Choose service parameters from the “DSCP + Conform-Level > Service-parameter” mapping table according to the DSCP priority and conform level of the packet. To choose this mode, specify the remark-policed-service trust-dscp keywords when executing this command.

3) Choose service parameters from the “DSCP + Conform-Level > Service-parameter” mapping table and the “EXP + Conform-Level > Service-parameter” mapping table according to the Conform-Level and the customized DSCP priorities and EXP values of MPLS packets. To choose this mode, specify remark-policed-service dscp dscp-value when executing this command.

4) Specify a set of service parameters. To choose this mode, specify the remark-policed-service untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level parameters when executing this command.

Note:

• The “DSCP + Conform-Level —> Service-parameter” mapping table and “EXP + Conform-Level —> Service-parameter” mapping table here are the mapping tables with a Conform-Level of 0.

• Before selecting the second or third mode listed above, make sure the “DSCP + Conform-Level —> Service-parameter” mapping table and “EXP + Conform-Level —> Service-parameter” mapping table already exist. For more information about these mapping tables, refer to the qos conform-level, dscp, and exp commands.

Example

# Choose automatically allocated service parameters for the packets that match the permit rules in ACL 3000 in the data flow received on the ports in VLAN 2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 2

[H3C-vlan2] traffic-priority inbound ip-group 3000 auto
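The three remaining modes listed above, shown as an added configuration example that is not from the manual; ACL 3001, the rule numbers and all parameter values are assumed, and the mapping tables required for modes 2 and 3 are assumed to exist already.

```text
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
# Mode 2: trust the DSCP carried in the packet and look the service
# parameters up in the DSCP + Conform-Level (0) mapping table (rule 0 only).
[H3C-vlan2] traffic-priority inbound ip-group 3001 rule 0 remark-policed-service trust-dscp
# Mode 3: look the parameters up with a customized DSCP of 46; for MPLS
# packets the lowest three bits of 46 (binary 101110) also set EXP to 6.
[H3C-vlan2] traffic-priority inbound ip-group 3001 rule 1 remark-policed-service dscp 46
# Mode 4: specify the full parameter set (DSCP 8, 802.1p 1, local
# precedence 1, drop level 2) instead of using a mapping table.
[H3C-vlan2] traffic-priority inbound ip-group 3001 rule 2 remark-policed-service untrusted dscp 8 cos 1 local-precedence 1 drop-priority 2
```

The rule keyword limits each setting to one permit rule of the ACL; without it the setting applies to every rule of ACL 3001.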

4.1.5  traffic-redirect

Syntax

traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] }

undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameter

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

system-index index: Specifies the system index value of the rule, by which the rule is indexed during operation. After delivering a rule, the system automatically assigns a globally unique index value to the rule. When using this command to deliver a rule, you can also specify a system index value for the rule. In general, it is not recommended to specify this parameter manually.

cpu: Redirects packets to the CPU.

next-hop ip-addr1 [ ip-addr2 ]: Redirects packets to the specified IP address. You can define two IP addresses at once. The first IP address has the higher priority, so the system redirects packets to it; if the first address is unreachable, the system automatically redirects packets to the second IP address.

Description

Use the traffic-redirect command to activate an ACL and configure traffic redirection for the matching data flow in the VLAN (only available to permit ACL rules).

Use the undo traffic-redirect command to remove traffic redirection setting.

You can redirect packets to the CPU or a specified IP address.

Note:

• Traffic redirection is only available for the permit rules in the ACL.

• Packets redirected to the CPU are not forwarded normally.

• You can implement policy routing by selecting the next-hop keyword in this command.

Example

# Redirect to the CPU the packets of VLAN 2 that match the permit rules in ACL 3000.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 2

[H3C-vlan2] traffic-redirect inbound ip-group 3000 cpu

4.1.6  traffic-statistic

Syntax

traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

undo traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule ]

View

VLAN view

Parameter

ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space or quotation mark in it.

rule rule: Specifies the subitem of an active ACL, ranging from 0 to 127; if not specified, all subitems of ACL will be activated.

system-index index: Specifies the system index value of the rule, by which the rule is indexed during operation. After delivering a rule, the system automatically assigns a globally unique index value to the rule. When using this command to deliver a rule, you can also specify a system index value for the rule. In general, it is not recommended to specify this parameter manually.

Description

Use the traffic-statistic command to activate an ACL and collect traffic statistics for the matching data flow in the VLAN (only available for the permit rules in the ACL).

Use the undo traffic-statistic command to cancel traffic statistics.

The statistics record how many times packets matched the rule in hardware during packet forwarding.

Example

# In VLAN 2, collect traffic statistics for the packets that match the permit rules in ACL 2000.

[H3C-vlan2] traffic-statistic inbound ip-group 2000

4.1.7  port can-access vlan-acl

Syntax

port can-access vlan-acl vlan vlan-id

View

Ethernet port view

Parameter

vlan-id: VLAN ID, in the range of 1 to 4,094.

Description

Use the port can-access vlan-acl command to synchronize VLAN-ACL configuration of the specified VLAN to the port.

When a port is added to a VLAN, it automatically synchronizes the VLAN-ACL configuration of that VLAN. If system resources are insufficient, the synchronization fails. In this case, you can delete part of the configuration on the card and then use this command to manually synchronize the ACL rules applied to the VLAN to the specified port.

Example

# Synchronize ACL configuration of VLAN 5 to Ethernet3/1/1 port manually.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface Ethernet3/1/1

[H3C-Ethernet3/1/1] port can-access vlan-acl vlan 5

4.1.8  display vlan-acl-member-ports

Syntax

display vlan-acl-member-ports vlan vlan-id

View

Any view

Parameter

vlan-id: VLAN ID, in the range of 1 to 4,094.

Description

Use the display vlan-acl-member-ports command to view the ports in the specified VLAN to which the VLAN-ACL configuration of that VLAN has been synchronized.

When a port is added to a VLAN, synchronization of the VLAN-ACL configuration to the port may fail because system resources are insufficient or because a user-defined flow template is applied to the port. You can use this command to view the ports to which the ACL rules configured on the specified VLAN are actually applied.

Example

# View the ports to which the ACL rule configured on VLAN 5 is applied.

<H3C> display vlan-acl-member-ports vlan 5

Vlan-acl member port(s):

      Ethernet2/1/11          Ethernet2/1/20          Ethernet2/1/21

      Ethernet2/1/22          Ethernet2/1/23          Ethernet2/1/24

      Ethernet2/1/25          Ethernet2/1/40
