packet-filter
Use packet-filter to apply an ACL to an interface to filter packets.
Use undo packet-filter to remove an ACL from an interface.
Syntax
packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ] [ share-mode ]
undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }
Default
No ACL is applied to an interface to filter packets.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Layer 3 Ethernet interface view
Layer 3 Ethernet subinterface view
Layer 3 aggregate interface view
VLAN interface view
VSI interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
2000 to 2999 for basic ACLs.
3000 to 3999 for advanced ACLs.
4000 to 4999 for Layer 2 ACLs.
5000 to 5999 for user-defined ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
inbound: Filters incoming packets.
outbound: Filters outgoing packets.
hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.
share-mode: Applies the ACL in sharing mode to a Layer 2 or Layer 3 Ethernet interface. In this mode, all interfaces on the device with the same ACL applied in one direction share one QoS and ACL resource.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.
The hardware-count keyword in this command enables match counting for all rules in an ACL, and the counting keyword in the rule command enables match counting specific to rules.
To make sure all interfaces on an interface card with the same ACL applied in one direction share one QoS and ACL resource, do not configure both the hardware-count and share-mode keywords.
To disable the extended mode or ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the extension or hardware-count keyword.
To disable the extended mode or ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the extension or hardware-count keyword.
In one direction of an interface, you can apply a maximum of four ACLs: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.
You can use the packet-filter command in VLAN interface view or the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in one direction of a VLAN interface.
If you specify the share-mode keyword when applying an ACL to an interface, follow these restrictions and guidelines:
You can apply multiple ACLs to one direction of an interface. However, you can apply only one ACL with the share-mode keyword specified to one direction of an interface.
You cannot change the sharing mode dynamically after an ACL is applied to an interface. To change the sharing mode for an applied ACL, you must remove the ACL from the interface, and then reapply the ACL with or without the share-mode keyword specified.
An IPv4 ACL applied to the outbound direction of an interface takes effect only on matching Layer 3 packets. It does not take effect on matching Layer 2 packets.
An IPv6 ACL rule takes effect only on matching Layer 3 packets if the following conditions exist:
The dscp dscp option is configured in a rule of the ACL.
The ACL is applied to the outbound direction of an interface.
An IPv6 ACL cannot be applied to the outbound direction of an interface if the source IPv6 address and destination IPv6 address match criteria are configured in the rule.
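To make the application constraints above concrete, here is an added Python linter (not part of the command reference or of any vendor tool) that parses the packet-filter lines of one interface view and flags the violations the guidelines describe: an ACL number outside the range for the specified ACL type, a second ACL of the same type in one direction, a second share-mode ACL in one direction, and hardware-count combined with share-mode. The sample lines at the bottom are constructed for the demonstration.

```python
import re

# ACL number ranges from the "Parameters" section; 2000-3999 cover both IPv4 and IPv6 ACLs
ACL_TYPES_BY_RANGE = [(2000, 3999, {"ipv4", "ipv6"}), (4000, 4999, {"mac"}),
                      (5000, 5999, {"user-defined"})]
PF_RE = re.compile(r"^\s*packet-filter(?:\s+(ipv6|mac|user-defined))?\s+(?:(\d+)|name\s+(\S+))"
                   r"\s+(inbound|outbound)((?:\s+(?:hardware-count|share-mode))*)\s*$")


def parse_packet_filter(line):
    """Parse one packet-filter line into (acl_type, acl_id, direction, hw_count, share_mode)."""
    m = PF_RE.match(line)
    if not m:
        raise ValueError(f"not a valid packet-filter command: {line.strip()!r}")
    kw, number, name, direction, opts = m.groups()
    acl_type = kw or "ipv4"  # omitting ipv6/mac/user-defined selects the IPv4 ACL type
    if number is not None:
        n = int(number)
        allowed = next((t for lo, hi, t in ACL_TYPES_BY_RANGE if lo <= n <= hi), set())
        if acl_type not in allowed:
            raise ValueError(f"ACL number {n} is not in a range valid for the {acl_type} ACL type")
        acl_id = n
    else:
        if not 1 <= len(name) <= 63:
            raise ValueError("acl-name must be 1 to 63 characters")
        acl_id = name.lower()  # ACL names are case-insensitive
    return acl_type, acl_id, direction, "hardware-count" in opts, "share-mode" in opts


def check_interface(lines):
    """Return guideline violations found in the packet-filter lines of one interface view."""
    problems, applied = [], {"inbound": {}, "outbound": {}}
    for line in lines:
        try:
            acl_type, acl_id, direction, hw, share = parse_packet_filter(line)
        except ValueError as err:
            problems.append(str(err))
            continue
        per_dir = applied[direction]
        if acl_type in per_dir:  # one ACL of each type per direction, four at most
            problems.append(f"{direction}: second {acl_type} ACL ({acl_id}) in this direction")
        if share and any(s for _, s in per_dir.values()):  # one share-mode ACL per direction
            problems.append(f"{direction}: ACL {acl_id} is a second share-mode ACL")
        if hw and share:  # combining them defeats QoS/ACL resource sharing per the guidelines
            problems.append(f"{direction}: ACL {acl_id} mixes hardware-count and share-mode")
        per_dir[acl_type] = (acl_id, share)
    return problems


# Constructed sample (not from the page): one interface view containing two violations
SAMPLE = ["packet-filter 2001 inbound hardware-count", "packet-filter ipv6 3001 inbound",
          "packet-filter 3002 inbound", "packet-filter mac 4001 outbound share-mode hardware-count"]
```

Run `check_interface(SAMPLE)` to list the two violations in the constructed sample; an empty list means the interface view follows the guidelines.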
Examples
# Apply IPv4 basic ACL 2001 to filter incoming traffic on Ten-GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 inbound hardware-count
Related commands
display packet-filter
display packet-filter statistics
display packet-filter verbose