packet-filter

Use packet-filter to apply an ACL to an interface to filter packets.

Use undo packet-filter to remove an ACL from an interface.

Syntax

packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ] [ share-mode ]

undo packet-filter [ ipv6 | mac | user-defined ] { acl-number | name acl-name } { inbound | outbound }

Default

No ACL is applied to an interface to filter packets.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Layer 3 Ethernet interface view

Layer 3 Ethernet subinterface view

Layer 3 aggregate interface view

VLAN interface view

VSI interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 ACL type.

mac: Specifies the Layer 2 ACL type.

user-defined: Specifies the user-defined ACL type.

acl-number: Specifies an ACL by its number. The following are available value ranges:

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.

inbound: Filters incoming packets.

outbound: Filters outgoing packets.

hardware-count: Enables counting ACL rule matches performed in hardware. If you do not specify this keyword, rule matches for the ACL are not counted in hardware.

share-mode: Applies the ACL in sharing mode to a Layer 2 or Layer 3 Ethernet interface. In this mode, all interfaces on the device with the same ACL applied in one direction share one QoS and ACL resource.

Usage guidelines

To specify the IPv4 ACL type, do not specify the ipv6, mac, or user-defined keyword.

The hardware-count keyword in this command enables match counting for all rules in an ACL, whereas the counting keyword in the rule command enables match counting for an individual rule.

To make sure all interfaces on an interface card with the same ACL applied in one direction share one QoS and ACL resource, do not configure both the hardware-count and share-mode keywords.

To disable the extended mode or ACL rule match counting in hardware when resources are insufficient, you must execute the undo packet-filter command and then reconfigure the packet-filter command without specifying the extension or hardware-count keyword.

To disable the extended mode or ACL rule match counting in hardware when resources are sufficient, you can directly reconfigure the packet-filter command without specifying the extension or hardware-count keyword.

In the same direction of an interface, you can apply a maximum of four ACLs: one IPv4 ACL, one IPv6 ACL, one Layer 2 ACL, and one user-defined ACL.

You can use the packet-filter command in VLAN interface view or the packet-filter vlan-interface command in system view to configure packet filtering in one direction of a VLAN interface. You cannot configure both of them in one direction of a VLAN interface.

If you specify the share-mode keyword when applying an ACL to an interface, follow these restrictions and guidelines:

An IPv4 ACL takes effect only on matching Layer 3 packets if the ACL is applied to the outbound direction of an interface. It does not take effect on matching Layer 2 packets.

An IPv6 ACL rule takes effect only on matching Layer 3 packets if the following conditions exist:

An IPv6 ACL cannot be applied to the outbound direction of an interface if the source IPv6 address and destination IPv6 address match criteria are configured in the rule.

Examples

# Apply IPv4 basic ACL 2001 to filter incoming traffic on Ten-GigabitEthernet 1/0/1, and enable counting ACL rule matches performed in hardware.

<Sysname> system-view
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 inbound hardware-count
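
# A fuller worked session, added here and not part of the original reference: it applies one ACL of each type inbound on the same interface (the per-direction maximum described in the usage guidelines), then removes hardware match counting the way the guidelines require when resources are insufficient. The ACL numbers, addresses, MAC values, rule contents and the display packet-filter interface verification command are assumptions, not values taken from this page.

```text
# Constructed example: create one ACL of each type. ACL numbers and match
# criteria are assumptions; confirm the acl-number ranges for your platform.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.1.1.0 0.0.0.255 counting
[Sysname-acl-ipv4-basic-2001] rule deny
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] acl ipv6 basic 2001
[Sysname-acl-ipv6-basic-2001] rule permit source 2001:db8:1::/64
[Sysname-acl-ipv6-basic-2001] quit
[Sysname] acl mac 4001
[Sysname-acl-mac-4001] rule permit source-mac 0001-0203-0000 ffff-ffff-0000
[Sysname-acl-mac-4001] quit

# Apply one IPv4, one IPv6 and one Layer 2 ACL in the inbound direction of
# the same interface. Only the IPv4 ACL gets hardware match counting; the
# IPv6 ACL rule above has no destination match criterion, so it stays within
# the share-mode restriction even if share-mode is added later.
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 inbound hardware-count
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter ipv6 2001 inbound
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter mac 4001 inbound

# Disable hardware match counting for the IPv4 ACL when resources are
# insufficient: remove the application first, then reapply without the
# hardware-count keyword (reapplying directly only works when resources
# are sufficient).
[Sysname-Ten-GigabitEthernet1/0/1] undo packet-filter 2001 inbound
[Sysname-Ten-GigabitEthernet1/0/1] packet-filter 2001 inbound
[Sysname-Ten-GigabitEthernet1/0/1] quit

# Verify which ACLs are applied inbound (display syntax is an assumption).
[Sysname] display packet-filter interface ten-gigabitethernet 1/0/1 inbound
```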

Related commands

display packet-filter

display packet-filter statistics

display packet-filter verbose