HP MSR2000/3000/4000 Router Series ACL and QoS Command Reference
numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is
5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
ipv4: Specifies that the offset is relative to the beginning of the IPv4 header.
ipv6: Specifies that the offset is relative to the beginning of the IPv6 header.
l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.
l4: Specifies that the offset is relative to the beginning of the Layer 4 header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the
match pattern. A match pattern mask is used for ANDing the selected string of a packet.
offset: Specifies an offset in bytes after which the match operation begins.
&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.
counting: Counts the number of times the user-defined ACL rule has been matched. The counting
keyword enables match counting specific to rules. If the counting keyword is not specified, matches for
the rule are not counted.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a
case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not
configured, the system creates the rule. However, the rule using the time range can take effect only after
you configure the time range. For more information about time ranges, see ACL and QoS Configuration
Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating
or editing has the same deny or permit statement as another rule in the ACL, your creation or editing
attempt fails.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create a rule for user-defined ACL 5005 to permit packets in which the 13th and 14th bytes starting
from the Layer 2 header are 0x0806 (the ARP packets).
<Sysname> system-view
[Sysname] acl number 5005
[Sysname-acl-user-5005] rule permit l2 0806 ffff 12
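The following Python model is an added illustration, not part of the HP reference and not Comware code. It shows how the rule-string, rule-mask and offset arguments select and compare packet bytes. The function names, the sample frames, the simplified header lookup (untagged Ethernet II carrying IPv4) and the choice to mask the pattern as well as the packet bytes are assumptions.

```python
# Added illustration, not Comware code: models the rule-string / rule-mask /
# offset match. Assumes untagged Ethernet II carrying IPv4 for "ipv4" and "l4".

def parse_hex(text, name):
    if not text or len(text) % 2:
        raise ValueError(f"{name} length must be a multiple of two")
    return bytes.fromhex(text)

def header_start(frame, base):
    """Index of the first byte of the header the offset is relative to."""
    if base == "l2":
        return 0
    if base in ("ipv4", "l4"):
        if frame[12:14] != b"\x08\x00":      # not IPv4: no such header
            return None
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        return 14 if base == "ipv4" else 14 + ihl
    raise ValueError(f"base {base!r} is not modelled in this sketch")

def rule_matches(frame, base, rule_string, rule_mask, offset):
    pattern = parse_hex(rule_string, "rule-string")
    mask = parse_hex(rule_mask, "rule-mask")
    if len(mask) != len(pattern):
        raise ValueError("rule-mask must be as long as rule-string")
    start = header_start(frame, base)
    if start is None:
        return False
    window = frame[start + offset:start + offset + len(pattern)]
    if len(window) < len(pattern):            # packet too short to compare
        return False
    # AND the selected bytes with the mask, then compare with the pattern.
    # Masking the pattern as well is an assumption of this sketch.
    return all((w & m) == (p & m) for w, p, m in zip(window, pattern, mask))

# Constructed sample frames (documentation addresses, zeroed checksums).
ARP_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
TCP_FRAME = bytes.fromhex(
    "020000000002" "020000000001" "0800"          # Ethernet II, IPv4
    "450000280000000040060000c0000201c0000202"    # IPv4 header, protocol TCP
    "c0000017"                                    # TCP ports 49152 -> 23
) + bytes(16)

if __name__ == "__main__":
    print(rule_matches(ARP_FRAME, "l2", "0806", "ffff", 12))  # rule from the example
    print(rule_matches(TCP_FRAME, "l2", "0806", "ffff", 12))
    print(rule_matches(ARP_FRAME, "l2", "0800", "ff00", 12))  # loose mask
```

With the mask ff00 only the first of the two selected bytes is compared, so the pattern 0800 matches the ARP frame as well as the IPv4 frame. Check the mask of a user-defined rule as carefully as the pattern, because each cleared mask bit widens what the permit or deny statement covers.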
Related commands
• acl
• display acl
• time-range
rule comment
Use rule comment to add a comment about an existing ACL rule or edit its comment to make the rule easy
to understand.