
H3C S5500-EI & S5500-SI Series Ethernet Switches ACL and QoS Command Reference

Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com

Copyright 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Environmental Protection
This product has been designed to comply with the requirements on environmental protection. The storage, use, and disposal of this product must meet the applicable national laws and regulations.

Preface
The H3C S5500-EI & S5500-SI Series documentation set includes 13 configuration guides, which describe the software features for the H3C S5500-EI & S5500-SI Series Routing Switches and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

This preface includes:
  Audience
  Conventions
  About the H3C S5500-EI & S5500-SI Series Documentation Set
  Obtaining Documentation
  Documentation Feedback

Audience
This documentation is intended for:
  Network planners
  Field technical support and servicing engineers
  Network administrators working with the S5500-EI & S5500-SI Series

Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.

GUI conventions
Convention: Description
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols
Convention Description
Means reader be extremely careful. Improper operation may cause bodily injury.
Means reader be careful. Improper operation may cause data loss or damage to equipment.
Means an action or information that needs special attention to ensure successful configuration or good performance.
Means a complementary description.
Means techniques helpful for you to make configuration with ease.

Network topology icons


Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

About the H3C S5500-EI & S5500-SI Series documentation set


Each entry below gives the document followed by its purpose, grouped by category.

Category: Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.
  Card datasheets: Describe card specifications, features, and standards.

Category: Hardware specifications and installation
  Compliance and safety manual: Provides regulatory information and the safety instructions that must be followed during installation.
  Quick start: Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.
  Installation guide: Provides a complete guide to hardware installation and hardware specifications.
  Card manuals: Provide the hardware specifications of cards.
  H3C Cabinet Installation and Remodel Introduction: Guides you through installing and remodeling H3C cabinets.
  H3C Pluggable SFP [SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
  Adjustable Slider Rail Installation Guide: Guides you through installing adjustable slider rails to a rack.
  H3C High-End Network Products Hot-Swappable Module Manual: Describes the hot-swappable modules available for the H3C high-end network products, their external views, and specifications.

Category: Software configuration
  Configuration guides: Describe software features and configuration procedures.
  Command references: Provide a quick reference to all available commands.
  Configuration examples: Describe typical network scenarios and provide configuration examples and instructions.

Category: Operations and maintenance
  System log messages: Explains the system log messages.
  Trap messages: Explains the trap messages.
  MIB Companion: Describes the MIBs for the software release.
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
  Error code reference: Explains the error codes.

Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
  [Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
  [Products & Solutions]: Provides information about products and technologies, as well as solutions.
  [Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Table of Contents
Preface
  Audience
  Conventions
  About the H3C S5500-EI & S5500-SI Series documentation set

ACL configuration commands
  ACL configuration commands: acl; acl copy; acl ipv6; acl ipv6 copy; acl ipv6 logging frequence; acl ipv6 name; acl logging frequence; acl name; description; display acl; display acl ipv6; display acl resource; display time-range; packet-filter; packet-filter ipv6; reset acl counter; reset acl ipv6 counter; rule (Ethernet frame header ACL view); rule (IPv4 advanced ACL view); rule (IPv4 basic ACL view); rule (IPv6 advanced ACL view); rule (IPv6 basic ACL view); rule comment; step; time-range

QoS policy configuration commands
  Commands for defining classes: display traffic classifier; if-match; traffic classifier
  Traffic behavior configuration commands: accounting; car; display traffic behavior; filter; redirect; remark dot1p; remark drop-precedence; remark dscp; remark ip-precedence; remark local-precedence; traffic behavior
  QoS policy configuration commands: classifier behavior; display qos policy; display qos policy global; display qos policy interface; display qos vlan-policy; qos apply policy (Interface view, port group view); qos apply policy (user-profile view); qos apply policy global; qos policy; qos vlan-policy; reset qos policy global; reset qos vlan-policy
  Priority mapping table configuration commands: display qos map-table; import; qos map-table
  Port priority configuration commands: qos priority
  Trusted packet priority type configuration commands: display qos trust interface; qos trust
  Traffic shaping configuration commands
  GTS configuration commands: display qos gts interface; qos gts
  Line rate configuration commands: display qos lr interface; qos lr outbound
  Congestion management configuration commands: display qos sp interface; display qos wfq interface; display qos wrr interface; qos bandwidth queue; qos sp; qos wfq; qos wfq weight; qos wrr; qos wrr group
  S5500-EI only: Congestion avoidance configuration commands: display qos wred interface; display qos wred table; qos wred apply; qos wred queue table; queue

Obtaining support for your product
  Register your product
  Purchase value-added services
  Troubleshoot online
  Access software downloads
  Telephone technical support and repair
  Contact us

Acronyms

ACL configuration commands


S5500-EI only: identifies information that applies only to the S5500-EI series Ethernet switch.
S5500-SI only: identifies information that applies only to the S5500-SI series Ethernet switch.

Applying an ACL for packet filtering is added in Release 2202P19 on the S5500-SI series Ethernet switches. For related commands, please refer to acl ipv6 logging frequence, acl logging frequence, packet-filter and packet-filter ipv6.

ACL configuration commands


acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }

View
System view

Default Level
2: System level

Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL):

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name acl-name: Assigns a name for the IPv4 ACL for the ease of identification. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and, to avoid confusion, cannot be all.

match-order: Sets the order in which ACL rules are compared against packets:

auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL Configuration in the ACL and QoS Configuration Guide for more information.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv4 ACLs.

Description
Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly. Use the undo acl command to delete the specified or all IPv4 ACLs. By default, no ACL exists. You can assign a name for an IPv4 ACL only when you create it. After creating an ACL, you can neither rename it nor remove its name, if any. You can change match order only for ACLs that do not contain any rules. To display any ACLs you have created, use the display acl command.

Examples
Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]

Create IPv4 basic ACL 2002, named flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2002 name flow
[Sysname-acl-basic-2002-flow]

acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

View
System view

Default Level
2: System level


Parameters
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name source-acl-name: Specifies a source IPv4 ACL that already exists by its name. The source-acl-name argument takes a case insensitive string of 1 to 32 characters.

dest-acl-number: Assigns a unique number for the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:

2000 to 2999 for IPv4 basic ACLs
3000 to 3999 for IPv4 advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name dest-acl-name: Assigns a unique name for the IPv4 ACL you are creating. The dest-acl-name takes a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description
Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. Except the number and name (if any), the new ACL has the same configuration as the source ACL. You can assign a name for an IPv4 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.

Examples
Create ACL 2002 by copying ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002

acl ipv6
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }

View
System view

Default Level
2: System level


Parameters
number acl6-number: Specifies the number of an IPv6 ACL:

2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs

name acl6-name: Assigns a name for the IPv6 ACL for the ease of identification. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and, to avoid confusion, cannot be all.

match-order { auto | config }: Sets the order in which ACL rules are compared against packets:

auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL Configuration in the ACL and QoS Configuration Guide for more information.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.

all: Deletes all IPv6 ACLs.

Description
Use the acl ipv6 command to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly. Use the undo acl ipv6 command to delete a specified IPv6 ACL or all IPv6 ACLs. By default, no ACL exists. You can assign a name for an IPv6 ACL only when you create it. After creating an ACL, you can neither rename it, nor remove its name. You can change match order only for ACLs that do not contain any rules. To display any ACLs you have created, use the display acl ipv6 command.

Examples
Create IPv6 ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]

Create IPv6 basic ACL 2001 named flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]

acl ipv6 copy


Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

View
System view

Default Level
2: System level

Parameters
source-acl6-number: Specifies a source IPv6 ACL that already exists by its number:

2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs

name source-acl6-name: Specifies a source IPv6 ACL that already exists by its name. The source-acl6-name argument takes a case insensitive string of 1 to 32 characters.

dest-acl6-number: Assigns a unique number for the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:

2000 to 2999 for IPv6 basic ACLs
3000 to 3999 for IPv6 advanced ACLs

name dest-acl6-name: Assigns a unique name for the IPv6 ACL you are creating. The dest-acl6-name takes a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.

Description
Use the acl ipv6 copy command to create an IPv6 ACL by copying an IPv6 ACL that already exists. Except the number and name (if any), the new ACL has the same configuration as the source ACL. You can assign a name for an IPv6 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.

Examples
Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002

acl ipv6 logging frequence


Syntax
acl ipv6 logging frequence frequence
undo acl ipv6 logging frequence

View
System view

Default Level
2: System level

Parameters
frequence: Specifies the interval in minutes at which IPv6 packet filtering logs are generated and output. It must be a multiple of 5 and in the range 0 to 1440. To disable generating IPv6 logs, assign 0 for the argument.

Description
Use the acl ipv6 logging frequence command to set the interval for generating and outputting IPv6 packet filtering logs. The log information includes the number of matching IPv6 packets and the matching IPv6 ACL rules. This command logs only for IPv6 basic and advanced ACL rules that have the logging keyword. Use the undo acl ipv6 logging frequence command to restore the default. By default, the interval is 0. No IPv6 packet filtering logs are generated. Related commands: packet-filter ipv6, rule (IPv6 advanced ACL view), rule (IPv6 basic ACL view).

Examples
Enable the device to generate and output IPv6 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl ipv6 logging frequence 10

acl ipv6 name


Syntax
acl ipv6 name acl6-name

View
System view

Default Level
2: System level


Parameters
acl6-name: Specifies the name of an existing IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the acl ipv6 name command to enter the view of an existing IPv6 ACL by specifying its name. Related commands: acl ipv6.

Examples
Enter the view of IPv6 ACL flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]

acl logging frequence


Syntax
acl logging frequence frequence
undo acl logging frequence

View
System view

Default Level
2: System level

Parameters
frequence: Specifies the interval in minutes at which IPv4 packet filtering logs are generated and output. It must be a multiple of 5 and in the range 0 to 1440. To disable generating IPv4 logs, assign 0 for the argument.

Description
Use the acl logging frequence command to set the interval for generating and outputting IPv4 packet filtering logs. The log information includes the number of matching IPv4 packets and the matching IPv4 ACL rules used. This command logs only for IPv4 basic and advanced ACL rules that have the logging keyword. Use the undo acl logging frequence command to restore the default. By default, the interval is 0. No IPv4 packet filtering logs are generated. Related commands: packet-filter, rule (IPv4 advanced ACL view), rule (IPv4 basic ACL view).

Examples
Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
<Sysname> system-view
[Sysname] acl logging frequence 10
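
The constraints stated above for acl, acl ipv6, acl logging frequence and acl ipv6 logging frequence can be checked against a candidate configuration before it is pushed to a switch. The following Python audit is an added example, not H3C code: it flags out-of-range ACL numbers, invalid names, invalid logging intervals, and rules that carry the logging keyword while the interval for their address family is 0. It assumes that commands inside an ACL view are indented in the configuration text; the sample configuration is constructed.

```python
import re

# ACL number ranges as given in the acl / acl ipv6 parameter descriptions.
IPV4_RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999),
               "ethernet-frame": (4000, 4999)}
IPV6_RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999)}

ACL_RE = re.compile(r"^acl (ipv6 )?number (\d+)(?: name (\S+))?", re.I)
FREQ_RE = re.compile(r"^acl (ipv6 )?logging frequence (\S+)$", re.I)
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)\b(.*)$", re.I)


def acl_category(number, ipv6=False):
    """Return the ACL category for a number, or None if it is out of range."""
    ranges = IPV6_RANGES if ipv6 else IPV4_RANGES
    for category, (low, high) in ranges.items():
        if low <= number <= high:
            return category
    return None


def valid_acl_name(name):
    """1 to 32 characters, starts with an English letter, and is not 'all'."""
    return (1 <= len(name) <= 32 and name[0].isascii()
            and name[0].isalpha() and name.lower() != "all")


def valid_logging_interval(minutes):
    """Multiple of 5 in the range 0 to 1440; 0 disables log generation."""
    return 0 <= minutes <= 1440 and minutes % 5 == 0


def audit(config_text):
    """Return a list of findings for ACL definitions and logging settings."""
    findings = []
    interval = {"ipv4": 0, "ipv6": 0}   # default interval is 0: no logs
    logged_rules = []                   # (family, ACL number, rule ID)
    current = None                      # ACL view the parser is inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():            # assumption: view commands are indented
            m = RULE_RE.match(line)
            if current and m and "logging" in m.group(3).lower().split():
                logged_rules.append(current + (int(m.group(1)),))
            continue
        current = None                  # any top-level line leaves the ACL view
        m = FREQ_RE.match(line)
        if m:
            family = "ipv6" if m.group(1) else "ipv4"
            value = m.group(2)
            if value.isdecimal() and valid_logging_interval(int(value)):
                interval[family] = int(value)
            else:
                findings.append(f"{family}: invalid logging interval {value!r}")
            continue
        m = ACL_RE.match(line)
        if m:
            family = "ipv6" if m.group(1) else "ipv4"
            number, name = int(m.group(2)), m.group(3)
            if acl_category(number, ipv6=(family == "ipv6")) is None:
                findings.append(f"{family} ACL {number}: number out of range")
            if name is not None and not valid_acl_name(name):
                findings.append(f"{family} ACL {number}: invalid name {name!r}")
            current = (family, number)
    # A logging keyword produces no logs while the family's interval is 0.
    for family, number, rule_id in logged_rules:
        if interval[family] == 0:
            findings.append(f"{family} ACL {number} rule {rule_id}: logging "
                            "keyword set but interval is 0, no logs generated")
    return findings


# Constructed sample configuration (not taken from the manual).
SAMPLE_CONFIG = """\
#
acl ipv6 logging frequence 10
acl logging frequence 7
#
acl number 2000 name flow
 rule 0 deny source 1.1.1.1 0 logging
 rule 5 permit
#
acl ipv6 number 2001
 rule 0 deny source 1::/64 logging
#
acl number 5000 name all
 rule 0 permit
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```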

acl name
Syntax
acl name acl-name

View
System view

Default Level
2: System level

Parameters
acl-name: Specifies the name of an existing IPv4 ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name. Related commands: acl.

Examples
Enter the view of IPv4 ACL flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]

description
Syntax
description text
undo description

View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default Level
2: System level

Parameters
text: ACL description, a case sensitive string of 1 to 127 characters.

Description
Use the description command to configure a description for an ACL. Use the undo description command to remove the ACL description. By default, an ACL has no ACL description. Related commands: display acl, display acl ipv6.

Examples
Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This acl is used in eth 0

Configure a description for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is a IPv6 basic ACL.

display acl
Syntax
display acl { acl-number | all | name acl-name }

View
Any view

Default Level
1: Monitor level

Parameters
acl-number: Specifies an IPv4 ACL by its number:

2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the display acl command to display configuration and match statistics for the specified or all IPv4 ACLs. This command displays ACL rules in the config or depth-first order, whichever is configured.


Examples
S5500-SI only: Display the configuration and match statistics for all IPv4 ACLs.
<Sysname> display acl all
Basic ACL 2000, named flow, 2 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (5 times matched)
Basic ACL 2001, named -none-, 2 rules, match-order is auto,
ACL's step is 5
 rule 10 comment This rule is used in VPN rd.
 rule 5 permit source 2.2.2.2 0
 rule 0 permit

End S5500-SI only

S5500-EI only: Display the configuration and match statistics for all IPv4 ACLs.
<Sysname> display acl all
Basic ACL 2000, named flow, 2 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (5 times matched)
 rule 10 permit vpn-instance mk
Basic ACL 2001, named -none-, 2 rules, match-order is auto,
ACL's step is 5
 rule 10 permit vpn-instance rd
 rule 10 comment This rule is used in VPN rd.
 rule 5 permit source 2.2.2.2 0
 rule 5 comment This rule is used on geth 1/0/1.
 rule 0 permit

End S5500-EI only

Table 1 display acl command output description

Field: Description
Basic ACL 2000: Category and number of the ACL. The following field information is about IPv4 basic ACL 2000.
named flow: The name of the ACL is flow. "-none-" means the ACL is not named.
2 rules: The ACL contains two rules.
match-order is auto: The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
ACL's step is 5: The rule numbering step is 5.
rule 0 permit: Content of rule 0
5 times matched: There have been five matches for the rule. Only ACL matches performed by software are counted. This field is not displayed when no packets have matched the rule.

S5500-SI only:
rule 10 comment This rule is used in

The description of ACL rule 10 is "This rule is used

S5500-EI only:
rule 10 comment This rule is used in VPN rd.on geth 1/0/1

The description of ACL rule 10 is "This rule is used in VPN rd."on geth 1/0/1"

display acl ipv6


Syntax
display acl ipv6 { acl6-number | all | name acl6-name }

View
Any view

Default Level
1: Monitor level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:

2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs

all: Displays information for all IPv6 ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the display acl ipv6 command to display the configuration and match statistics for the specified or all IPv6 ACLs. This command displays ACL rules in the config or depth-first order, whichever is configured.

Examples
Display the configuration and match statistics for all IPv6 ACLs.
<Sysname> display acl ipv6 all
Basic IPv6 ACL 2000, named flow, 3 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1::/64
 rule 10 permit source 1::1/128 (5 times matched)
Basic IPv6 ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit source 1::1/128
 rule 10 comment This rule is used on GigabitEthernet 1/0/1.
 rule 5 permit source 1::/64
 rule 0 permit

Table 2 display acl ipv6 command output description

Field: Description
Basic IPv6 ACL 2000: Category and number of the ACL. The following field information is about this IPv6 basic ACL 2000.
named flow: The name of the ACL is flow. "-none-" means the ACL is not named.
3 rules: The ACL contains three rules.
match-order is auto: The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config.
ACL's step is 5: The rule numbering step is 5.
rule 0 permit: Content of rule 0
5 times matched: There have been five matches for the rule. Only IPv6 ACL matches performed by software are counted. This field is not displayed when no packets have matched the rule.
rule 10 comment This rule is used on GigabitEthernet 1/0/1.: The description of ACL rule 10 is "This rule is used on GigabitEthernet 1/0/1."
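
The fields described in Table 1 and Table 2 can be extracted from captured display acl and display acl ipv6 output for review, for example to list rules with no recorded matches. The following Python parser is an added example, not H3C code. Its sample input is the ACL 2000 block of the IPv4 example and the IPv6 example from this page, with one output line per text line as an assumption about the original layout.

```python
import re

HEADER_RE = re.compile(r"^(.+?) ACL\s+(\d+), named (\S+), (\d+) rules?,"
                       r"(?: match-order is (\w+),)?")
STEP_RE = re.compile(r"^ACL's step is (\d+)")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)\b(.*?)"
                     r"(?: \((\d+) times matched\))?$")
COMMENT_RE = re.compile(r"^rule (\d+) comment (.*)$")


def parse_display_acl(text):
    """Parse display acl / display acl ipv6 output into a list of dicts."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):     # blank line or CLI prompt
            continue
        # Rule lines are handled first so that free-text rule comments can
        # never be mistaken for an ACL header line.
        if line.startswith("rule "):
            if current is None:
                continue
            m = COMMENT_RE.match(line)
            if m:
                current["comments"][int(m.group(1))] = m.group(2)
                continue
            m = RULE_RE.match(line)
            if m:
                current["rules"][int(m.group(1))] = {
                    "action": m.group(2),
                    "match": m.group(3).strip(),
                    # The counter is not displayed when nothing has matched.
                    "hits": int(m.group(4) or 0),
                }
            continue
        m = STEP_RE.match(line)
        if m and current is not None:
            current["step"] = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m:
            category, number, name, declared, order = m.groups()
            current = {
                "family": "ipv6" if "IPv6" in category else "ipv4",
                "category": category.replace(" IPv6", "").lower(),
                "number": int(number),
                "name": None if name == "-none-" else name,
                "declared_rules": int(declared),
                # The match-order field is absent when the order is config.
                "match_order": order or "config",
                "step": None,
                "rules": {},       # rule ID -> details, in displayed order
                "comments": {},    # rule ID -> rule comment text
            }
            acls.append(current)
    return acls


def zero_hit_rules(acls):
    """List (family, ACL number, rule ID) for rules with no recorded match.

    Only matches performed by software are counted, so a zero here is a
    prompt for review, not proof that no traffic hit the rule.
    """
    return [(a["family"], a["number"], rule_id)
            for a in acls
            for rule_id, rule in a["rules"].items()
            if rule["hits"] == 0]


# Sample input: output shown in this page's examples, one field group per line.
SAMPLE_OUTPUT = """\
<Sysname> display acl all
Basic ACL 2000, named flow, 2 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1.1.1.1 0 (5 times matched)
<Sysname> display acl ipv6 all
Basic IPv6 ACL 2000, named flow, 3 rules,
ACL's step is 5
 rule 0 permit
 rule 5 permit source 1::/64
 rule 10 permit source 1::1/128 (5 times matched)
Basic IPv6 ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
 rule 10 permit source 1::1/128
 rule 10 comment This rule is used on GigabitEthernet 1/0/1.
 rule 5 permit source 1::/64
 rule 0 permit
"""

if __name__ == "__main__":
    parsed = parse_display_acl(SAMPLE_OUTPUT)
    for family, number, rule_id in zero_hit_rules(parsed):
        print(f"{family} ACL {number} rule {rule_id}: no matches recorded")
```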


display acl resource


Syntax
display acl resource

View
Any view

Default Level
1: Monitor level

Parameters
S5500-EI only: slot slot-number: Displays the usage of ACL resources on the specified device in the IRF. If the slot-number argument is not specified, the usage on all devices in the IRF is displayed. If no IRF is formed, the usage on the current device is displayed. The range for the slot-number argument depends on the number of devices and the numbering of the devices in the IRF.
S5500-SI only: None

Description
Use the display acl resource command to display the usage of ACL resources.

Examples
Display the ACL resource usage on the switch.
<Sysname> display acl resource
Interface: GE1/0/1 to GE1/0/28

S5500-SI only:
--------------------------------------------------------------
 Type           Total    Reserved   Configured   Remaining
--------------------------------------------------------------
 IFP ACL        4096     1024       0            3072
 IFP Meter      2048     512        0            1536
 IFP Counter    2048     512        0            1536
 EFP ACL        512      0          0            512
 EFP Meter      256      0          0            256
 EFP Counter    512      0          0            512

End S5500-SI only

S5500-EI only:
--------------------------------------------------------------
 Type           Total    Reserved   Configured   Remaining
--------------------------------------------------------------
 VFP ACL        1024     0          0            1024
 IFP ACL        4096     1024       0            3072
 IFP Meter      2048     512        0            1536
 IFP Counter    2048     512        0            1536
 EFP ACL        512      0          0            512
 EFP Meter      256      0          0            256
 EFP Counter    512      0          0            512

End S5500-EI only

Table 3 display acl resource command output description

Field: Description
Interface: Interface indicated by its type and number
S5500-SI only: Type: Resource type:
  IFP indicates the count of resources in the inbound direction,
  ACL indicates ACL rule resources,
  Meter indicates traffic policing resources,
  Counter indicates traffic statistics resources,
  EFP indicates the count of resources in the outbound direction.
S5500-EI only: Type: Resource type:
  IFP indicates the count of resources in the inbound direction,
  ACL indicates ACL rule resources,
  Meter indicates traffic policing resources,
  Counter indicates traffic statistics resources,
  VFP indicates the count of resources that are before Layer 2 forwarding and applied in QinQ,
  EFP indicates the count of resources in the outbound direction.
Total: Total number of ACLs supported
Reserved: Number of reserved ACLs
Configured: Number of configured ACLs
Remaining: Number of remaining ACLs

display time-range
Syntax
display time-range { time-range-name | all }

View
Any view

Default Level
1: Monitor level

Parameters
time-range-name: Time range name, a case insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.

Description
Use the display time-range command to display the configuration and status of a specified time range or all time ranges.

Examples
Display the configuration and status of time range trname.
<Sysname> display time-range t4
Current time is 17:12:34 4/13/2010 Tuesday
Time-range : t4 ( Inactive )
 10:00 to 12:00 Mon
 14:00 to 16:00 Wed
 from 00:00 1/1/2010 to 23:59 1/31/2010
 from 00:00 6/1/2010 to 23:59 6/30/2010

Table 4 display time-range command output description

Field: Description
Current time: Current system time
Time-range: Configuration and status of the time range, including the name of the time range, its status (active or inactive), and its start time and end time.

packet-filter
Syntax
S5500-SI only:
packet-filter { acl-number | name acl-name } inbound
undo packet-filter { acl-number | name acl-name } inbound

S5500-EI only:
packet-filter { acl-number | name acl-name } { inbound | outbound }
undo packet-filter { acl-number | name acl-name } { inbound | outbound }

View
Ethernet Interface view, VLAN interface view

Default Level
2: System level

Parameters
acl-number: Specifies an IPv4 ACL by its number:

2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming IPv4 packets.
S5500-EI only: outbound: Filters outgoing IPv4 packets.

Description
Use the packet-filter command to apply an IPv4 ACL to an interface to filter IPv4 packets. Use the undo packet-filter command to restore the default. By default, an interface does not filter IPv4 packets. Related commands: display packet-filter.


Examples
Apply IPv4 ACL 2001 to filter inbound traffic on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter 2001 inbound

packet-filter ipv6
Syntax
S5500-SI only:
packet-filter ipv6 { acl6-number | name acl6-name } inbound
undo packet-filter ipv6 { acl6-number | name acl6-name } inbound

S5500-EI only:
packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }

View
Ethernet Interface view, VLAN interface view

Default Level
2: System level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:

2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs

name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
inbound: Filters incoming IPv6 packets.
S5500-EI only: outbound: Filters outgoing IPv6 packets.

Description
Use the packet-filter ipv6 command to apply an IPv6 ACL to an interface to filter IPv6 packets. Use the undo packet-filter ipv6 command to restore the default. By default, an interface does not filter IPv6 packets. Related commands: display packet-filter ipv6.

Examples
Apply IPv6 ACL 2500 to filter inbound IPv6 packets on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] packet-filter ipv6 2500 inbound

reset acl counter


Syntax
reset acl counter { acl-number | all | name acl-name }

View
User view

Default Level
2: System level

Parameters
acl-number: Specifies an IPv4 ACL by its number:

2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs
4000 to 4999 for Ethernet frame header ACLs

all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the reset acl counter command to clear statistics for the specified or all IPv4 ACLs. Related commands: display acl.

Examples
Clear statistics for IPv4 ACL 2001.
<Sysname> reset acl counter 2001

Clear statistics for IPv4 ACL flow.


<Sysname> reset acl counter name flow


reset acl ipv6 counter


Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }

View
User view

Default Level
2: System level

Parameters
acl6-number: Specifies an IPv6 ACL by its number:

2000 to 2999 for basic ACLs
3000 to 3999 for advanced ACLs

all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the reset acl ipv6 counter command to clear statistics for the specified or all IPv6 basic and IPv6 advanced ACLs.

Examples
Clear statistics for IPv6 ACL 2001.
<Sysname> reset acl ipv6 counter 2001

Clear statistics for IPv6 ACL flow.


<Sysname> reset acl ipv6 counter name flow

rule (Ethernet frame header ACL view)


Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsapcode lsap-wildcard | source-mac sour-addr source-mask | time-range time-range-name | type type-code type-wildcard ]*
undo rule rule-id

View
Ethernet frame header ACL view

Default Level
2: System level


Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an Ethernet frame header ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display acl, step.


For an Ethernet frame header ACL to be referenced by a QoS policy for traffic classification, the lsap keyword is not supported.

Examples
Create a rule in ACL 4000 to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3

rule (IPv4 advanced ACL view)


Syntax
S5500-SI only:
rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ] *

S5500-EI only:
rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos | vpn-instance ] *

View
IPv4 advanced ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17).
Table 5 describes the parameters that can be specified after the protocol argument.


Table 5 Match criteria and other rule information for IPv4 advanced ACL rules

source { sour-addr sour-wildcard | any }
Function: Specifies a source address.
Description: The sour-addr sour-wildcard arguments represent a source IP address in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address.

destination { dest-addr dest-wildcard | any }
Function: Specifies a destination address.
Description: The dest-addr dest-wildcard arguments represent a destination IP address in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address.

precedence precedence
Function: Specifies an IP precedence value.
Description: The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

tos tos
Function: Specifies a ToS preference.
Description: The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp
Function: Specifies a DSCP priority.
Description: The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

logging
Function: Logs matched packets.
Description: This function requires that the module that uses the ACL supports logging.

reflective
Function: Specifies that the rule be reflective.
Description: Not supported.

S5500-EI only: vpn-instance vpn-instance-name
Function: Applies the rule to packets in a VPN instance.
Description: The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. Without this combination, the rule applies to only non-VPN packets.

fragment
Function: Applies the rule to only non-first fragments.
Description: Without this keyword, the rule applies to all fragments and non-fragments.

time-range time-range-name
Function: Specifies a time range for the rule.
Description: The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.


Setting the protocol argument to tcp (6) or udp (17), you may define the parameters shown in Table 6.

Table 6 TCP/UDP-specific parameters for IPv4 advanced ACL rules

source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports.

destination-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP destination ports.

Description (source-port and destination-port): The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range.
TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG.
Description: Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in one rule are ANDed.

established
Function: Specifies the flags for indicating the established status of a TCP connection.
Description: Parameter specific to TCP. Specifies the TCP flags ACK and RST.


Setting the protocol argument to icmp (1), you may define the parameters shown in Table 7.

Table 7 ICMP-specific parameters for IPv4 advanced ACL rules

icmp-type { icmp-type icmp-code | icmp-message }
Function: Specifies the ICMP message type and code.
Description: The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 8.

Table 8 ICMP message names supported in IPv4 advanced ACL rules

ICMP message name: Type, Code
echo: 8, 0
echo-reply: 0, 0
fragmentneed-DFset: 3, 4
host-redirect: 5, 1
host-tos-redirect: 5, 3
host-unreachable: 3, 1
information-reply: 16, 0
information-request: 15, 0
net-redirect: 5, 0
net-tos-redirect: 5, 2
net-unreachable: 3, 0
parameter-problem: 12, 0
port-unreachable: 3, 3
protocol-unreachable: 3, 2
reassembly-timeout: 11, 1
source-quench: 4, 0
source-route-failed: 3, 5
timestamp-reply: 14, 0
timestamp-request: 13, 0
ttl-exceeded: 11, 0


Description
Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an IPv4 advanced ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display acl, step.

For an IPv4 advanced ACL to be referenced by a QoS policy for traffic classification:
The logging keyword is not supported.
The operator cannot be neq.
S5500-EI only: The operator cannot be gt, lt or neq if the ACL is for the outbound traffic.

Examples
Create a rule to permit TCP packets with the destination port of 80 from 129.9.0.0 to 202.38.160.0.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
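
The matching behaviour described in Tables 5 and 6 (wildcard masks, port operators, ANDed TCP flags) and the automatic rule numbering can be checked offline before a rule set is applied. The following is an added example, not H3C code: the function names, the two extra rules in the sample ACL, evaluation in ascending rule ID order, and the reading of established as "ACK or RST set" are assumptions.

```python
import ipaddress

# Subsets of the protocol and TCP port names listed in the parameter tables above.
PROTOCOLS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
TCP_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "bgp": 179}
FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")

def ip_to_int(text):
    # A bare "0" is the all-zero (host) wildcard, as in "rule deny source 1.1.1.1 0".
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def next_rule_id(existing_ids, step=5):
    # Nearest higher multiple of the step above the current highest ID, starting from 0.
    return (max(existing_ids) // step + 1) * step if existing_ids else 0

def parse_rule(line, existing_ids=(), step=5):
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError("not a rule command")
    explicit = tok[1].isdigit()
    rule_id = int(tok[1]) if explicit else next_rule_id(existing_ids, step)
    i = 2 if explicit else 1
    action, proto = tok[i], tok[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    rule = {"id": rule_id, "action": action, "flags": {}, "established": False,
            "protocol": None if proto == "ip" else PROTOCOLS.get(proto) or int(proto)}
    i += 2
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if tok[i + 1] != "any":      # "any" leaves the field unset
                rule[key] = (ip_to_int(tok[i + 1]), ip_to_int(tok[i + 2]))
            i += 2 if tok[i + 1] == "any" else 3
        elif key in ("source-port", "destination-port"):
            op = tok[i + 1]
            count = 2 if op == "range" else 1
            ports = [TCP_PORTS.get(p) or int(p) for p in tok[i + 2:i + 2 + count]]
            rule[key] = (op, ports[0], ports[-1])
            i += 2 + count
        elif key in FLAGS:
            rule["flags"][key] = int(tok[i + 1])
            i += 2
        elif key == "established":
            rule["established"] = True
            i += 1
        else:
            raise ValueError("unsupported keyword: " + key)
    return rule

def addr_ok(spec, addr):
    if spec is None:
        return True
    care = ~spec[1] & 0xFFFFFFFF         # wildcard bits set to 1 are "don't care"
    return (ip_to_int(addr) & care) == (spec[0] & care)

def port_ok(spec, port):
    if spec is None:
        return True
    op, p1, p2 = spec
    if op == "range":
        return p1 <= port <= p2
    return {"eq": port == p1, "neq": port != p1, "lt": port < p1, "gt": port > p1}[op]

def rule_matches(rule, pkt):
    flags = pkt.get("flags", set())
    return (
        rule["protocol"] in (None, pkt["proto"])
        and addr_ok(rule.get("source"), pkt["src"])
        and addr_ok(rule.get("destination"), pkt["dst"])
        and port_ok(rule.get("source-port"), pkt.get("sport"))
        and port_ok(rule.get("destination-port"), pkt.get("dport"))
        # TCP flags in one rule are ANDed: every listed flag must have the stated value.
        and all((name in flags) == bool(v) for name, v in rule["flags"].items())
        # Assumption: "established" matches segments that have ACK or RST set.
        and (not rule["established"] or bool({"ack", "rst"} & flags))
    )

def evaluate(rules, pkt):
    # Assumption: config match order, ascending rule ID, first match decides.
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["id"]
    return None                          # no rule matched

def build_acl(text, step=5):
    rules = []
    for line in text.strip().splitlines():
        rules.append(parse_rule(line, [r["id"] for r in rules], step))
    return rules

# Constructed ACL: the first rule is the example above; the other two are added here.
ACL_3000 = build_acl("""
rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
rule permit tcp destination 129.9.0.0 0.0.255.255 established
rule 100 deny ip
""")
```

evaluate(ACL_3000, packet) returns the action and ID of the deciding rule, or None when no rule matches, so a planned rule set can be run against representative packets to confirm which rule each one hits.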


rule (IPv4 basic ACL view)


Syntax
S5500-SI only:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *

S5500-EI only:
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

View
IPv4 basic ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module (such as the firewall) that uses the ACL supports the logging function.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter.

S5500-EI only: vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.

Description
Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an IPv4 basic ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display acl, step.

For an IPv4 basic ACL rule to be referenced by a QoS policy for traffic classification, the logging keyword is not supported.

Examples
Create a rule in ACL 2000 to deny packets sourced from 1.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0

rule (IPv6 advanced ACL view)


Syntax
rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { established | { ack | fin | psh | rst | syn | urg } * } | destination | destination-port | dscp | fragment | icmpv6-type | logging | source | source-port | time-range ] *

View
IPv6 advanced ACL view

Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
protocol: Matches protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17).
Table 9 describes the parameters that can be specified after the protocol argument.

Table 9 Match criteria and other rule information for IPv6 advanced ACL rules

source { source source-prefix | source/source-prefix | any }
Function: Specifies a source IPv6 address.
Description: The source and source-prefix arguments represent an IPv6 source address, and its prefix length ranges from 1 to 128. The any keyword represents any IPv6 source address.

destination { dest dest-prefix | dest/dest-prefix | any }
Function: Specifies a destination IPv6 address.
Description: The dest and dest-prefix arguments represent a destination IPv6 address, and its prefix length ranges from 1 to 128. The any keyword specifies any IPv6 destination address.

dscp dscp
Function: Specifies a DSCP preference.
Description: The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46).

logging
Function: Logs matching packets.
Description: This function requires that the module (for example, a firewall) that uses the ACL supports logging.

fragment
Function: Applies the rule to only non-first fragments.
Description: Without this keyword, the rule applies to all fragments and non-fragments.

time-range time-range-name
Function: Specifies a time range for the rule.
Description: The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.


Setting the protocol argument to tcp or udp, you may define the parameters shown in Table 10.

Table 10 TCP/UDP-specific parameters for IPv6 advanced ACL rules

source-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP source ports.

destination-port operator port1 [ port2 ]
Function: Specifies one or more UDP or TCP destination ports.

Description (source-port and destination-port): The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range.
TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).
UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).

{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } *
Function: Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG.
Description: Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in one rule are ANDed.

established
Function: Specifies the TCP flags ACK and RST.
Description: Parameter specific to TCP. Specifies the TCP flags ACK and RST.


Setting the protocol argument to icmpv6 (58), you may define the parameters shown in Table 11.

Table 11 ICMPv6-specific parameters for IPv6 advanced ACL rules

icmpv6-type { icmpv6-type icmpv6-code | icmpv6-message }
Function: Specifies the ICMPv6 message type and code.
Description: The icmpv6-type argument ranges from 0 to 255. The icmpv6-code argument ranges from 0 to 255. The icmpv6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 12.

Table 12 ICMPv6 message names supported in IPv6 advanced ACL rules

ICMPv6 message name: Type, Code
redirect: 137, 0
echo-request: 128, 0
echo-reply: 129, 0
err-Header-field: 4, 0
frag-time-exceeded: 3, 1
hop-limit-exceeded: 3, 0
host-admin-prohib: 1, 1
host-unreachable: 1, 3
neighbor-advertisement: 136, 0
neighbor-solicitation: 135, 0
network-unreachable: 1, 0
packet-too-big: 2, 0
port-unreachable: 1, 4
router-advertisement: 134, 0
router-solicitation: 133, 0
unknown-ipv6-opt: 4, 2
unknown-next-hdr: 4, 1


Description
Use the rule command to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an IPv6 advanced ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display ipv6 acl, step.

For an IPv6 advanced ACL to be referenced by a QoS policy for traffic classification:
The logging and fragment keywords are not supported.
The operator cannot be neq.
S5500-EI only: The operator cannot be gt, lt, or neq if the ACL is for the outbound traffic.

Examples
Create an IPv6 ACL rule to permit TCP packets with the destination port of 80 from 2030:5060::/64 to FE80:5060::/96.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80

rule (IPv6 basic ACL view)


Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *

View
IPv6 basic ACL view


Default Level
2: System level

Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Drops matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function requires that the module (for example, a firewall) that uses the ACL supports logging.
source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Matches a source address. The ipv6-address and prefix-length arguments represent a source IPv6 address and its address prefix length in the range 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.

Description
Use the rule command to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config. Use the undo rule command to delete an entire IPv6 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes. By default, an IPv6 basic ACL does not contain any rule. Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail. To view rules in an ACL and their rule IDs, use the display acl all command. Related commands: acl, display ipv6 acl, step.


For an IPv6 basic ACL to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported.

Examples
Create an IPv6 ACL rule to deny packets sourced from FE80:5060::101/128.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule deny source fe80:5060::101/128

rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment

View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default Level
2: System level

Parameters
rule-id: Specifies the ID of an existing ACL rule. The ID ranges from 0 to 65534.
text: Provides a description for the ACL rule, a case sensitive string of 1 to 127 characters.

Description
Use the rule comment command to configure a description for an existing ACL rule or edit its description for the ease of identification. Use the undo rule comment command to delete the ACL rule description. By default, an IPv4 ACL rule has no rule description. Related commands: display acl, display acl ipv6.


Examples
Create a rule in IPv4 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on GigabitEthernet 1/0/1.

Create a rule in IPv6 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 1001::1 128
[Sysname-acl6-basic-2000] rule 0 comment This rule is used on GigabitEthernet 1/0/1.

step
Syntax
step step-value
undo step

View
IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view

Default Level
2: System level

Parameters
step-value: ACL rule numbering step, which ranges from 1 to 20.

Description
Use the step command to set a rule numbering step for an ACL. Use the undo step command to restore the default. By default, the rule numbering step is 5. Related commands: display acl, display acl ipv6.


Examples
Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2

Set the rule numbering step to 2 for ACL 2000.


<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2

time-range
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]

View
System view

Default Level
2: System level

Parameters
time-range-name: Assigns a name to a time range. The name is a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic time range. Both start-time and end-time are in hh:mm format (24-hour clock), and each value ranges from 00:00 to 23:59. The end time must be greater than the start time.
days: Specifies the day or days of the week on which the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. The values are ANDed. These values can take one of the following forms:

A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
working-day for Monday through Friday.
off-day for Saturday and Sunday.
daily for the whole week.


from time1 date1: Specifies the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available in the system, 01/01/1970 00:00:00 AM.
to time2 date2: Specifies the end time and date of the absolute time range. The time2 argument is in the same format as that of the time1 argument, but its value ranges from 00:00 to 24:00. The format and value range of the date2 argument are the same as those of the date1 argument. The end time must be greater than the start time. If not specified, the end time is the maximum time available in the system, 12/31/2100 24:00:00 PM.

Description
Use the time-range command to create a time range. Use the undo time-range command to delete a time range. By default, no time range exists. You can create a time range as follows:

Create a periodic time range in the start-time to end-time days format. A periodic time range recurs periodically on a day or days of the week.
Create an absolute time range in the from time1 date1 to time2 date2 format. Unlike a periodic time range, an absolute time range does not recur.
Create a compound time range in the start-time to end-time days from time1 date1 to time2 date2 format. A compound time range recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.

You may create individual time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones. You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most. Related commands: display time-range.


Examples
Create a periodic time range 11, setting it to be active between 8:00 to 18:00 during working days.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day

Create an absolute time range t2, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t1 from 0:0 1/1/2010 to 23:59 12/31/2010

Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010

Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
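The combination rule stated in the Description (periodic parts ORed, absolute parts ORed, the two results ANDed) can be evaluated offline before a time range is attached to an ACL rule. The following Python sketch is an added illustration, not H3C code; it parses the t3 and t4 commands from the examples above and assumes half-open intervals at minute granularity.

```python
from datetime import datetime, timedelta

DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"working-day": {1, 2, 3, 4, 5}, "off-day": {0, 6}, "daily": set(range(7))}
SYSTEM_START = datetime(1970, 1, 1)  # default when "from" is omitted
SYSTEM_END = datetime(2101, 1, 1)    # 12/31/2100 24:00, default when "to" is omitted

# The t3 and t4 commands from the examples above.
SAMPLE = [
    "time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010",
    "time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010",
    "time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010",
]


def _minutes(text):
    """hh:mm (24-hour clock, 24:00 allowed) as minutes since midnight."""
    hh, mm = (int(p) for p in text.split(":"))
    if not (0 <= hh <= 24 and 0 <= mm <= 59) or (hh == 24 and mm):
        raise ValueError(f"bad time {text!r}")
    return hh * 60 + mm


def _moment(time_text, date_text):
    """Combine hh:mm with MM/DD/YYYY or YYYY/MM/DD into a datetime."""
    a, b, c = (int(p) for p in date_text.split("/"))
    year, month, day = (a, b, c) if a > 31 else (c, a, b)
    return datetime(year, month, day) + timedelta(minutes=_minutes(time_text))


def _days(tokens):
    """Expand digits 0-6, day words and day groups into a set (0 = Sunday)."""
    days = set()
    for tok in tokens:
        if tok in DAY_GROUPS:
            days |= DAY_GROUPS[tok]
        elif tok in DAY_NAMES:
            days.add(DAY_NAMES[tok])
        elif tok.isdigit() and 0 <= int(tok) <= 6:
            days.add(int(tok))
        else:
            raise ValueError(f"bad day {tok!r}")
    return days


def parse(commands):
    """Pool every statement that shares a name into periodic and absolute lists."""
    ranges = {}
    for line in commands:
        tok = line.split()
        if tok[:1] != ["time-range"]:
            continue
        entry = ranges.setdefault(tok[1], {"periodic": [], "absolute": []})
        rest = tok[2:]
        if rest and ":" in rest[0]:  # periodic part: start-time to end-time days
            stop = next((i for i in range(3, len(rest)) if rest[i] in ("from", "to")),
                        len(rest))
            entry["periodic"].append(
                (_minutes(rest[0]), _minutes(rest[2]), _days(rest[3:stop])))
            rest = rest[stop:]
        if rest:  # absolute part: [from time1 date1] [to time2 date2]
            start, end = SYSTEM_START, SYSTEM_END
            if rest[0] == "from":
                start, rest = _moment(rest[1], rest[2]), rest[3:]
            if rest and rest[0] == "to":
                end = _moment(rest[1], rest[2])
            entry["absolute"].append((start, end))
    return ranges


def is_active(ranges, name, stamp):
    """Apply the page's rule: OR(periodic) AND OR(absolute). stamp: 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    entry = ranges[name]
    minute = when.hour * 60 + when.minute
    weekday = (when.weekday() + 1) % 7  # convert Python's Monday=0 to the page's Sunday=0
    periodic_ok = not entry["periodic"] or any(
        weekday in days and start <= minute < end
        for start, end, days in entry["periodic"])
    absolute_ok = not entry["absolute"] or any(
        start <= when < end for start, end in entry["absolute"])
    return periodic_ok and absolute_ok


RANGES = parse(SAMPLE)
```

Under the rule as stated on this page, the two t4 statements are pooled rather than paired, so t4 also evaluates as active on a Wednesday from 14:00 to 16:00 in January; check this before relying on a compound range to gate an ACL rule.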


QoS policy configuration commands


S5500-EI only: identifies information that applies only to the S5500-EI series Ethernet switch. S5500-SI only: identifies information that applies only to the S5500-SI series Ethernet switch.

S5500-SI only: Applying a QoS policy globally is added in Release 2202P19 on the S5500-SI series Ethernet switches. For the related commands, see display qos policy global, qos apply policy global, and reset qos policy global.

Commands for defining classes


display traffic classifier
Syntax
S5500-SI only: display traffic classifier user-defined [ tcl]

S5500-EI only: display traffic classifier user-defined [ tcl classifier-name ]

View
Any view

Default Level
1: Monitor level

Parameters
S5500-SI only: Tcl

S5500-EI only: Tcl classifier-name: Class name, a string of 1 to 31 characters.


Description
Use the display traffic classifier command to display the information about a class. If no class name is specified, information about all user-defined classes is displayed.

Examples
Display the information about the user-defined classes.
<Sysname> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: p
    Operator: AND
    Rule(s) : If-match acl 2001

Table 13 display traffic classifier user-defined command output description

Field: Description
User Defined Classifier Information: The information about the user-defined classes is displayed.
Classifier: Class name and its contents, which could be of multiple types
Operator: Logical relationship among the classification rules
Rule: Classification rules

if-match
Syntax
if-match match-criteria
undo if-match match-criteria
undo if-match acl [ ipv6 ] { acl-number | name acl-name } [ update acl [ ipv6 ] { acl-number | name acl-name } ]

View
Class view

Default Level
2: System Level


Parameters
match-criteria: Matching rule to be defined. Table 13 describes the available forms of this argument.
acl [ ipv6 ] { acl-number | name acl-name }: Specifies an ACL currently referenced in the class by the ACL name or ACL number.
update acl [ ipv6 ] { acl-number | name acl-name }: Specifies a new ACL to replace the specified current ACL by the number or name of the new ACL.

Table 14 The keyword and argument combinations for the match-criteria argument

S5500-EI only:

Field: Description
acl { access-list-number | name acl-name }: Specifies to match an IPv4 ACL specified by its number or name. The access-list-number argument specifies an ACL by its number, which ranges from 2000 to 4999; the name acl-name keyword-argument combination specifies an ACL by its name.
acl ipv6 { access-list-number | name acl-name }: Specifies to match an IPv6 ACL specified by its number or name. The access-list-number argument specifies an ACL by its number, which ranges from 2000 to 3999; the name acl-name keyword-argument combination specifies an ACL by its name.
any: Match all packets.
customer-dot1p 8021p-list: Match the 802.1p priority of the customer network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority is in the range 0 to 7.
customer-vlan-id vlan-id-list: Match the VLAN IDs of customer networks. The vlan-id-list is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID is in the range of 1 to 4094.
dscp dscp-list: Match DSCP values. The dscp-list is a list of DSCP values. A DSCP value is a number in the range 0 to 63 or a word representing the specific value.
destination-mac mac-address: Match a destination MAC address.
ip-precedence ip-precedence-list: Match IP precedence. The ip-precedence-list is a list of up to 8 IP precedence values. An IP precedence is in the range of 0 to 7.
protocol protocol-name: Match a protocol. The protocol-name can be IP or IPv6.
service-dot1p 8021p-list: Match the 802.1p priority of the service provider network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority is in the range 0 to 7.
service-vlan-id vlan-id-list: Match the VLAN IDs of ISP networks. The vlan-id-list is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID is in the range of 1 to 4094.
source-mac mac-address: Match a source MAC address.

S5500-SI only:

Form: Description
acl [ ipv6 ] { acl-number | name acl-name }: Matches an ACL. The acl-number argument ranges from 2000 to 4999 for an IPv4 ACL, and 2000 to 3999 for an IPv6 ACL. The acl-name argument is a case-insensitive string of 1 to 32 characters, which must start with an English letter from a to z or A to Z, and cannot be all to avoid confusion.
any: Matches all packets
customer-dot1p 8021p-list: Matches the 802.1p priority of the customer network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority ranges from 0 to 7.
customer-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }: Matches the VLAN IDs of customer networks. The vlan-id-list argument is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.
destination-mac mac-address: Matches a destination MAC address
dscp dscp-list: Matches DSCP values. The dscp-list argument is a list of up to 8 DSCP values. A DSCP value can be a number from 0 to 63 or any keyword in the table of DSCP keywords and values.
ip-precedence ip-precedence-list: Matches IP precedence. The ip-precedence-list argument is a list of up to 8 IP precedence values. An IP precedence ranges from 0 to 7.
protocol protocol-name: Matches a protocol. The protocol-name argument can be IP or IPv6.
service-dot1p 8021p-list: Matches the 802.1p priority of the service provider network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority ranges from 0 to 7.
service-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }: Matches the VLAN IDs of ISP networks. The vlan-id-list is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.
source-mac mac-address: Matches a source MAC address


Suppose the logical relationship between classification rules is and. Note the following when using the if-match command to define matching rules.
If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules is or when the policy is applied.
If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are defined in a class, the actual logical relationship between these rules is or.

The matching criteria listed below must be unique in a traffic class with the operator being AND. Therefore, even though you can define multiple if-match clauses for these matching criteria or input multiple values for a list argument (such as the 8021p-list argument) listed below in a traffic class, avoid doing that. Otherwise, the QoS policy referencing the class cannot be applied to interfaces successfully.
customer-dot1p 8021p-list
destination-mac mac-address
dscp dscp-list
ip-precedence ip-precedence-list
service-dot1p 8021p-list
source-mac mac-address
To create multiple if-match clauses or specify multiple values for a list argument for any of the matching criteria listed above, ensure that the operator of the class is OR.
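The two notes above can be checked mechanically before a policy is applied. The following Python sketch is an added example, not part of the H3C manual: it flags AND classes that break the uniqueness rule and warns where acl or VLAN ID clauses will be ORed despite the AND operator. The configuration text is constructed sample input in an assumed saved-configuration layout.

```python
# Criteria that must appear once, with a single value, in an AND class (from the note above).
UNIQUE_IN_AND = {"customer-dot1p", "destination-mac", "dscp", "ip-precedence",
                 "service-dot1p", "source-mac"}
# Criteria whose clauses are ORed when the policy is applied, even in an AND class.
ORED_ANYWAY = {"acl", "customer-vlan-id", "service-vlan-id"}

# Constructed sample; class names and the indented layout are assumptions.
SAMPLE_CONFIG = """\
traffic classifier voice operator and
 if-match dscp ef
 if-match customer-dot1p 5
traffic classifier bulk operator and
 if-match dscp af11 af12
traffic classifier mgmt
 if-match acl 3101
 if-match acl 3102
 if-match source-mac 0050-ba27-bed2
traffic classifier guests operator or
 if-match dscp 1
 if-match dscp 2
"""


def parse_classes(config):
    """Return {class name: {"operator": "and"|"or", "rules": [(keyword, args)]}}."""
    classes, current = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] == ["traffic", "classifier"] and len(tok) >= 3:
            # The operator defaults to and when the keyword is omitted.
            current = classes.setdefault(tok[2], {"operator": "and", "rules": []})
            if "operator" in tok[3:-1]:
                current["operator"] = tok[tok.index("operator", 3) + 1].lower()
        elif tok[:1] == ["if-match"] and current is not None and len(tok) >= 2:
            current["rules"].append((tok[1], tok[2:]))
        elif tok and not raw.startswith((" ", "\t")):
            current = None  # any other top-level line ends the class block
    return classes


def audit(classes):
    """Return (class, severity, message) tuples for AND classes only."""
    findings = []
    for name, cls in classes.items():
        if cls["operator"] != "and":
            continue
        by_keyword = {}
        for keyword, args in cls["rules"]:
            by_keyword.setdefault(keyword, []).append(args)
        for keyword, clauses in by_keyword.items():
            if keyword in UNIQUE_IN_AND:
                # Identical values in one clause count as one value.
                distinct = len(set(clauses[0]))
                if len(clauses) > 1:
                    findings.append((name, "error",
                                     f"{len(clauses)} '{keyword}' clauses in an AND class"))
                elif distinct > 1:
                    findings.append((name, "error",
                                     f"'{keyword}' lists {distinct} values in an AND class"))
            elif keyword in ORED_ANYWAY and len(clauses) > 1:
                findings.append((name, "warning",
                                 f"{len(clauses)} '{keyword}' clauses are ORed when applied"))
    return findings


FINDINGS = audit(parse_classes(SAMPLE_CONFIG))
```

The warning on the constructed mgmt class is the case to review by hand: a reader of the configuration may expect traffic to have to match both ACLs, while the applied policy matches either one.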

Description
Use the if-match command to define a match criterion. Use the undo if-match command to remove the match criterion. When defining match criteria, note the following:
Define an ACL-based match criterion
Define a criterion to match a destination MAC address or a source MAC address.
Define a criterion to match DSCP values
Define a criterion to match the 802.1p priority values of the customer network or service provider network
Define a criterion to match IP precedence values
Define a criterion to match customer network VLAN IDs or service provider network VLAN IDs


Define an ACL-based match criterion

If the ACL referenced in the if-match command does not exist, the class cannot be applied to hardware. For a class, you can reference an ACL twice by its name and number respectively with the if-match command.

Define a criterion to match a destination MAC address or a source MAC address.


You can configure multiple destination MAC address or source MAC address match criteria in a class.

Define a criterion to match DSCP values

You can configure multiple DSCP match criteria in a class. All the defined DSCP values are arranged in ascending order automatically. You can configure up to eight DSCP values in one command line. If multiple identical DSCP values are specified, the system considers them as one. If a packet matches one of the defined DSCP values, it is considered matching the if-match clause. To delete a criterion matching DSCP values, the specified DSCP values must be identical with those defined in the rule (sequence may be different).

Define a criterion to match the 802.1p priority values of the customer network or service provider network

You can configure multiple 802.1p priority match criteria in a class. All the defined 802.1p values are arranged in ascending order automatically. You can configure up to eight 802.1p priority values in one command line. If the same 802.1p priority value is specified multiple times, the system considers them as one. If a packet matches one of the defined 802.1p priority values, it is considered matching the if-match clause. To delete a criterion matching 802.1p priority values, the specified 802.1p priority values in the command must be identical with those defined in the criterion (sequence may be different).

Define a criterion to match IP precedence values

You can configure multiple IP precedence match criteria in a class. The defined IP precedence values are arranged automatically in ascending order. You can configure up to eight IP precedence values in one command line. If the same IP precedence is specified multiple times, the system considers them as one. If a packet matches one of the defined IP precedence values, it is considered matching the if-match clause. To delete a criterion matching IP precedence values, the specified IP precedence values in the command must be identical with those defined in the criterion (sequence may be different).


Define a criterion to match customer network VLAN IDs or service provider network VLAN IDs

You can configure multiple VLAN ID match criteria in a class. The defined VLAN IDs are automatically arranged in ascending order. You can configure multiple VLAN IDs in one command line. If the same VLAN ID is specified multiple times, the system considers them as one. If a packet matches one of the defined VLAN IDs, it is considered matching the if-match clause. To delete a criterion matching VLAN IDs, the specified VLAN IDs in the command must be identical with those defined in the criterion (sequence may be different).

Related commands: traffic classifier.

Examples
Define a rule for class1 to match the packets with their destination MAC addresses being 0050-ba27-bed3.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1] if-match destination-mac 0050-ba27-bed3

Define a rule for class2 to match the packets with their source MAC addresses being 0050-ba27-bed2.
<Sysname> system-view
[Sysname] traffic classifier class2
[Sysname-classifier-class2] if-match source-mac 0050-ba27-bed2

Define a rule for class3 to match the advanced IPv4 ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class3
[Sysname-classifier-class3] if-match acl 3101

Define a rule for class4 to match the advanced IPv6 ACL 3101.
<Sysname> system-view
[Sysname] traffic classifier class4
[Sysname-classifier-class4] if-match acl ipv6 3101

Define a rule for class5 to match all the packets.
<Sysname> system-view
[Sysname] traffic classifier class5
[Sysname-classifier-class5] if-match any

Define a rule for class6 to match the packets with their DSCP precedence values being 1.
<Sysname> system-view
[Sysname] traffic classifier class6
[Sysname-classifier-class6] if-match dscp 1

Define a rule for class7 to match the packets with their IP precedence values being 1.
<Sysname> system-view
[Sysname] traffic classifier class7
[Sysname-classifier-class7] if-match ip-precedence 1

Define a rule for class8 to match IP packets.
<Sysname> system-view
[Sysname] traffic classifier class8
[Sysname-classifier-class8] if-match protocol ip

Define a rule for class9 to match the packets with the customer network 802.1p precedence 2.
<Sysname> system-view
[Sysname] traffic classifier class9
[Sysname-classifier-class9] if-match customer-dot1p 2

Define a rule for class10 to match the packets with the service provider network 802.1p precedence 5.
<Sysname> system-view
[Sysname] traffic classifier class10
[Sysname-classifier-class10] if-match service-dot1p 5

Define a rule for class11 to match the packets of customer VLAN 1024.
<Sysname> system-view
[Sysname] traffic classifier class11
[Sysname-classifier-class11] if-match customer-vlan-id 1024

Define a rule for class12 to match the packets of service VLAN 1000.
<Sysname> system-view
[Sysname] traffic classifier class12
[Sysname-classifier-class12] if-match service-vlan-id 1000

traffic classifier
Syntax
traffic classifier classifier-name [ operator { and | or } ]
undo traffic classifier classifier-name

View
System view

Default Level
2: System Level


Parameters
S5500-SI only:
tcl-name: Specifies a class name, a string of 1 to 31 characters.
operator: Sets the operator to logic AND or OR for the class.
and: Specifies the logic AND operator. The class matches the packets that match all its criteria.
or: Specifies the logic OR operator. The class matches the packets that match any of its criteria.

S5500-EI only:
and: Specifies the relationship among the rules in the class as logic AND. That is, a packet is matched only when it matches all the rules defined for the class.
or: Specifies the relationship among the rules in the class as logic OR. That is, a packet is matched if it matches a rule defined for the class.
classifier-name: Name of the class to be created.

Description
Use the traffic classifier command to create a class. This command also leads you to class view. Use the undo traffic classifier command to remove a class. By default, the relationship between match criteria is and.

S5500-EI only: Related commands: qos policy, qos apply policy, classifier behavior.

Examples
Create a class named class1.
<Sysname> system-view
[Sysname] traffic classifier class1
[Sysname-classifier-class1]


Traffic behavior configuration commands


accounting
Syntax
accounting
undo accounting

View
Traffic behavior view

Default Level
2: System Level

Parameters
None

Description
Use the accounting command to enable traffic accounting for the traffic behavior. Use the undo accounting command to disable traffic accounting. You can use the display qos policy interface command and the display qos vlan-policy command to view the related statistics information. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the traffic accounting action for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] accounting

car
Syntax
car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ]
undo car

View
Traffic behavior view

Default Level
2: System Level


Parameters
cir committed-information-rate: Specifies the committed information rate (CIR) in kbps. The committed-information-rate argument ranges from 64 to 32000000 and must be a multiple of 64.
cbs committed-burst-size: Specifies the committed burst size (CBS) in bytes. The committed-burst-size argument ranges from 4000 to 16000000, the default is 4000.
ebs excess-burst-size: Specifies excess burst size (EBS) in bytes. The excess-burst-size argument ranges from 0 to 16000000, the default is 4000.
pir peak-information-rate: Specifies the peak information rate (PIR) in kbps. The peak-information-rate argument ranges from 64 to 32000000 and must be a multiple of 64.
green action: Specifies the action to be conducted for the traffic conforming to CIR. The action argument can be:

discard: Drops the packets.
pass: Forwards the packets.

remark-dscp-pass new-dscp: Marks the packets with a new DSCP precedence and forwards them to their destinations. The new-dscp argument is in the range 0 to 63. This argument can also be the keywords listed in Table 14.

Table 15 DSCP keywords and values

| Keyword | DSCP value (binary) | DSCP value (decimal) |
|---|---|---|
| default | 000000 | 0 |
| af11 | 001010 | 10 |
| af12 | 001100 | 12 |
| af13 | 001110 | 14 |
| af21 | 010010 | 18 |
| af22 | 010100 | 20 |
| af23 | 010110 | 22 |
| af31 | 011010 | 26 |
| af32 | 011100 | 28 |
| af33 | 011110 | 30 |
| af41 | 100010 | 34 |
| af42 | 100100 | 36 |
| af43 | 100110 | 38 |
| cs1 | 001000 | 8 |
| cs2 | 010000 | 16 |
| cs3 | 011000 | 24 |
| cs4 | 100000 | 32 |
| cs5 | 101000 | 40 |
| cs6 | 110000 | 48 |
| cs7 | 111000 | 56 |
| ef | 101110 | 46 |

By default, packets conforming to CIR are forwarded.
red action: Specifies the action to be conducted for the traffic that conforms to neither CIR nor PIR. The action argument can be:

discard: Drops the packets.
pass: Forwards the packets.
remark-dscp-pass new-dscp: Marks the packets with a new DSCP precedence and forwards them to their destinations. The new-dscp argument is a number in the range of 0 to 63 or the keywords listed in the table of DSCP keywords and values.

By default, packets conforming to neither CIR nor PIR are dropped.
yellow action: Specifies the action to be conducted for the traffic that conforms to PIR but does not conform to CIR. The action argument can be:

discard: Drops the packets.
pass: Forwards the packets.
remark-dscp-pass new-dscp: Marks the packets with a new DSCP precedence and forwards them to their destinations. The new-dscp argument is a number in the range of 0 to 63 or the keywords listed in the table of DSCP keywords and values.

By default, packets conforming to PIR but not conforming to CIR are forwarded.

Description
Use the car command to configure a CAR policy for the traffic behavior. Use the undo car command to remove a CAR policy from the traffic behavior. Note that: if this command is configured multiple times for the same traffic behavior, the last configuration takes effect. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure a CAR policy for a traffic behavior database. When the traffic rate is lower than 6400 kbps, packets are forwarded normally. When the traffic rate exceeds 6400 kbps, the packets beyond 6400 kbps are dropped.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] car cir 6400 red discard


display traffic behavior


Syntax
display traffic behavior user-defined [ behavior-name ]

View
Any view

Default Level
1: Monitor level

Parameters
behavior-name: Name of a user defined traffic behavior.

Description
Use the display traffic behavior command to display the information about a user defined traffic behavior. If no behavior name is provided, this command displays the information about all the user-defined behaviors.

Examples
Display the information about all the user defined traffic behaviors.
<Sysname> display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: test
      Marking:
        Remark dot1p COS 4
      Committed Access Rate:
        CIR 64 (kbps), CBS 4000 (byte), EBS 4000 (byte), PIR 640 (kbps)
        Green Action: pass
        Red Action: discard
        Yellow Action: pass

Table 16 display traffic behavior user-defined command output description

Field: Description
User Defined Behavior Information: The information about user defined traffic behaviors is displayed
Behavior: Name of a traffic behavior, which can be of multiple types
Marking: Information about priority marking
Committed Access Rate: Information about traffic rate limit
CIR: Committed information rate in bytes
CBS: Committed burst size in bytes
EBS: Excessive burst size in bytes
PIR: Peak information rate in bytes
Green Action: Action conducted to packets conforming to CIR
Red Action: Action conducted for packets conforming to neither CIR nor PIR
Yellow Action: Action conducted to packets conforming to PIR but not conforming to CIR

filter
Syntax
filter { deny | permit }
undo filter

View
Traffic behavior view

Default Level
2: System Level

Parameters
deny: Drops packets.
permit: Forwards packets.

Description
Use the filter command to configure traffic filtering action for a traffic behavior. Use the undo filter command to remove the traffic filtering action. Related commands: qos policy, traffic behavior, classifier behavior.


Examples
Configure traffic filtering action for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] filter deny

redirect
Syntax
redirect { cpu | interface interface-type interface-number | next-hop { ipv4-add1 [ ipv4-add2 ] | ipv6-add1 [ interface-type interface-number ] [ ipv6-add2 [ interface-type interface-number ] ] } }
undo redirect { cpu | interface interface-type interface-number | next-hop }

View
Traffic behavior view

Default Level
2: System Level

Parameters
cpu: Redirects traffic to the CPU.
interface interface-type interface-number: Redirects traffic to an interface identified by its type and number.
S5500-EI only:
next-hop: Specifies the next hop to redirect the traffic to.
ipv4-add1/ipv4-add2: IPv4 address of the next hop. ipv4-add2 is the backup of ipv4-add1, that is, if redirecting traffic to ipv4-add1 fails, traffic will be redirected to ipv4-add2.
ipv6-add1/ipv6-add2: IPv6 address of the next hop. ipv6-add2 is the backup of ipv6-add1, that is, if redirecting traffic to ipv6-add1 fails, traffic will be redirected to ipv6-add2. interface-type interface-number specifies a VLAN-interface by its number. If the IPv6 address is a link-local address, you must specify a VLAN-interface for the IPv6 address of the next hop; if the IPv6 address is not a link-local address, you need not specify a VLAN-interface for the IPv6 address of the next hop.
End S5500-EI only


Description
Use the redirect command to configure traffic redirecting action for a traffic behavior. Use the undo redirect command to remove the traffic redirecting action.

The action of redirecting traffic to CPU, the action of redirecting traffic to an interface, and the action of redirecting traffic to the next hop are mutually exclusive with each other in the same traffic behavior.

Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the redirecting action to redirect traffic to GigabitEthernet 1/0/1 port.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] redirect interface gigabitethernet 1/0/1

remark dot1p
Syntax
remark dot1p 8021p
undo remark dot1p

View
Traffic behavior view

Default Level
2: System Level

Parameters
8021p: 802.1p precedence to be set for packets, in the range 0 to 7.

Description
Use the remark dot1p command to configure the action of setting the specified 802.1p priority for packets. Use the undo remark dot1p command to remove the action.

When the remark dot1p command is used together with the remark local-precedence command, the 802.1p precedence to be set for packets must be the same as the local precedence to be set for packets. Otherwise, the corresponding policy cannot be applied successfully. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the action to set 802.1p precedence to 2 for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dot1p 2

remark drop-precedence
Syntax
remark drop-precedence drop-precedence-value
undo remark drop-precedence

View
Traffic behavior view

Default Level
2: System Level

Parameters
drop-precedence-value: Drop precedence to be set for packets, in the range 0 to 2.

Description
Use the remark drop-precedence command to configure the action of setting the specified drop precedence for packets. Use the undo remark drop-precedence command to remove the action. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the action to set drop precedence to 2 for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark drop-precedence 2

remark dscp
Syntax
remark dscp dscp-value
undo remark dscp

View
Traffic behavior view

Default Level
2: System Level

Parameters
dscp-value: DSCP precedence to be set for packets, in the range of 0 to 63. This argument can also be the keywords listed in the table of DSCP keywords and values.

Description
Use the remark dscp command to configure the action of setting DSCP precedence for a traffic behavior. Use the undo remark dscp command to remove the action of setting DSCP precedence. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the action to set DSCP precedence to 6 for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark dscp 6

remark ip-precedence
Syntax
remark ip-precedence ip-precedence-value
undo remark ip-precedence

View
Traffic behavior view

Default Level
2: System Level

Parameters
ip-precedence-value: IP precedence to be set for packets, in the range of 0 to 7.

Description
Use the remark ip-precedence command to configure the action of setting IP precedence for a traffic behavior. Use the undo remark ip-precedence command to remove the action of setting IP precedence. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the action to set IP precedence to 6 for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark ip-precedence 6


remark local-precedence
Syntax
remark local-precedence local-precedence
undo remark local-precedence

View
Traffic behavior view

Default Level
2: System Level

Parameters
local-precedence: Local precedence to be set for packets, in the range of 0 to 7.

Description
Use the remark local-precedence command to configure the action of setting the specified local precedence for packets. Use the undo remark local-precedence command to remove the action.

When the remark dot1p command is used together with the remark local-precedence command, the 802.1p precedence to be set for packets must be the same as the local precedence to be set for packets. Otherwise, the corresponding policy cannot be applied successfully. Related commands: qos policy, traffic behavior, classifier behavior.

Examples
Configure the action to set local precedence to 2 for a traffic behavior.
<Sysname> system-view
[Sysname] traffic behavior database
[Sysname-behavior-database] remark local-precedence 2

traffic behavior
Syntax
traffic behavior behavior-name
undo traffic behavior behavior-name

View
System view

Default Level
2: System Level


Parameters
behavior-name: Name of the traffic behavior to be created, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a traffic behavior name.

Description
Use the traffic behavior command to create a traffic behavior and enter traffic behavior view. Use the undo traffic behavior command to remove a traffic behavior. Related commands: qos policy, qos apply policy, classifier behavior.

Examples
Define a traffic behavior named behavior1.
<Sysname> system-view
[Sysname] traffic behavior behavior1
[Sysname-behavior-behavior1]

QoS policy configuration commands


classifier behavior
Syntax
S5500-SI only:
classifier classifier-name behavior behavior-name
undo classifier classifier-name

S5500-EI only:
classifier classifier-name behavior behavior-name [ mode dot1q-tag-manipulation ]
undo classifier classifier-name

View
Policy view

Default Level
2: System Level

Parameters
S5500-SI only:
classifier-name: Name of an existing class, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a class name.
behavior-name: Name of an existing traffic behavior, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a behavior name.

S5500-EI only:
classifier-name: Name of an existing class, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a class name.
behavior-name: Name of an existing traffic behavior, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a behavior name.
mode dot1q-tag-manipulation: Specifies that the classifier-behavior association is used for the many-to-one VLAN mapping function.

Description
Use the classifier behavior command to associate a traffic behavior with a class. Use the undo classifier command to remove a class from a policy.
S5500-EI only:

Each class in the policy can be associated with only one behavior.
If the class and traffic behavior specified for the command do not exist, the system creates a null class and a null traffic behavior.
The dot1q-tag-manipulation keyword is applicable to only many-to-one VLAN mapping configuration. For information about many-to-one VLAN mapping, see VLAN Mapping Configuration in the Layer 2 - LAN Switching Configuration Guide.

Related commands: qos policy. End S5500-EI only

In a QoS policy with multiple class-to-traffic-behavior associations, if the action of creating an outer VLAN tag, the action of setting customer network VLAN ID, or the action of setting service provider network VLAN ID is configured in a traffic behavior, we recommend you not to configure any other action in this traffic behavior. Otherwise, the QoS policy may not function as expected after it is applied.

Examples
Associate traffic class database with traffic behavior test in QoS policy user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1] classifier database behavior test
[Sysname-qospolicy-user1]


display qos policy


Syntax
display qos policy user-defined [ policy-name [ classifier classifier-name ] ]

View
Any view

Default Level
1: Monitor level

Parameters
policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a policy name. If no policy is specified, the configuration of all user defined policies is displayed.
classifier-name: Name of a class in the policy, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a class name. If no class is specified, all the classes in the policy are specified.

Description
Use the display qos policy command to display user-defined QoS policy configuration information.

Examples
Display the configuration of all the user specified policies.
<Sysname> display qos policy user-defined
  User Defined QoS Policy Information:
  Policy: test
   Classifier: test
     Behavior: test
      Accounting Enable
      Committed Access Rate:
        CIR 64 (kbps), CBS 4000 (byte), EBS 4000 (byte), PIR 640 (kbps)
        Green Action: pass
        Red Action: discard
        Yellow Action: pass


Table 17 display qos policy command output description
S5500-SI only:
Field | Description
Policy | Policy name
Classifier | Class name and the corresponding configuration information
Behavior | Traffic behavior name and the corresponding configuration information

S5500-EI only:
Field | Description
Policy | Policy name
Classifier | Class name. A policy can contain multiple classes, and each class is associated with a traffic behavior. A class can be configured with multiple match criteria. Refer to the traffic classifier command for related information.
Behavior | Behavior associated with the class. A behavior is associated with a class. It can be configured with multiple actions. Refer to the traffic behavior command for related information.

display qos policy global


Syntax
display qos policy global [ slot slot-number ] [ inbound | outbound ]

View
Any view

Default Level
1: Monitor level

Parameters
inbound: Displays the QoS policy applied globally in the inbound direction of all ports.
S5500-EI only:
outbound: Displays the QoS policy applied globally in the outbound direction of all ports.
slot slot-number: Displays the global QoS policy configuration of the specified device in the IRF. If the slot-number argument is not specified, the global QoS policy configuration of all devices in the IRF is displayed. If no IRF is formed, the global QoS policy configuration of the current device is displayed. The range for the slot-number argument depends on the number of devices and the numbering of the devices in the IRF.
End S5500-EI only

Description
Use the display qos policy global command to display information about the QoS policy applied globally in the inbound or outbound direction of all ports. Note that if no direction is specified, the global QoS policy information in both the inbound and outbound directions is displayed.

Examples
Display information about the global QoS policy in the inbound direction.
<Sysname> display qos policy global inbound
  Direction: Inbound
  Policy: abc_policy
   Classifier: abc
     Operator: AND
     Rule(s) : If-match dscp cs1
     Behavior: abc
      Committed Access Rate:
        CIR 640 (kbps), CBS 4000 (byte), EBS 4000 (byte)
        Green Action: pass
        Red Action: discard
        Yellow Action: pass
        Green : 0(Packets)

Table 18 display qos policy global command output description
Field | Description
Direction | Indicates that the QoS policy is applied to the incoming or outgoing traffic
Policy | Policy name and its contents
Classifier | Class name and its contents. Failed indicates that the policy is not successfully applied
Operator | Logical relationship between match criteria
Rule(s) | Match criteria
Behavior | Name of the traffic behavior, and the actions in the traffic behavior
Committed Access Rate | Information about traffic rate limiting
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size in bytes, that is, the depth of the token bucket for holding bursty traffic
EBS | Excessive burst size (EBS) in bytes, that is, the traffic exceeding CBS when two token buckets are adopted
Green Action | Action to take on green packets
Red Action | Action to take on red packets
Yellow Action | Action to take on yellow packets
Green | Statistics about green packets

display qos policy interface


Syntax
display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.
inbound: Specifies the inbound direction.
S5500-EI only: outbound: Specifies the outbound direction.

Description
Use the display qos policy interface command to display the configuration and statistics information about the policy applied on a port. If no interface is provided, the configuration and statistics information about the policies applied on all the ports is displayed.


Examples
Display the configuration and statistics information about the policy applied to port GigabitEthernet 1/0/1.
<Sysname> display qos policy interface GigabitEthernet 1/0/1
  Interface: GigabitEthernet1/0/1
  Direction: Inbound
  Policy: abc_policy
   Classifier: abc
     Operator: AND
     Rule(s) : If-match dscp cs1
     Behavior: abc
      Committed Access Rate:
        CIR 64 (kbps), CBS 4000 (byte), EBS 4000 (byte)
        Green Action: pass
        Red Action: discard
        Yellow Action: pass
        Green : 0(Packets)

Table 19 display qos policy interface command output description
Field | Description
Interface | Interface type and interface number
Direction | The direction in which the policy is applied to the interface
Policy | Name of the policy applied to the interface
Classifier | Class name and corresponding configuration information. Failed indicates that the policy is not successfully applied
Operator | Logical relationship between match criteria in the class
Rule(s) | Match criteria in the class
Behavior | Behavior name and corresponding configuration information


display qos vlan-policy


Syntax
S5500-SI only: display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ slot slot-number ] [ inbound ]

S5500-EI only: display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ slot slot-number ] [ inbound | outbound ]

View
Any view

Default Level
1: Monitor level

Parameters
name policy-name: Specifies to display the information about the VLAN policy with the specified name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a VLAN policy name.
vlan vlan-id: Specifies to display the information about the VLAN policy applied to the specified VLAN. If no VLAN ID is specified, the VLAN policy information of all VLANs is displayed.
S5500-EI only:
inbound: Displays the QoS policy applied to the incoming traffic of the VLAN specified by its ID.
outbound: Displays the QoS policy applied to the outgoing traffic of the VLAN specified by its ID.
slot-number: Specifies to display VLAN QoS policy information about the specified device in the IRF. If the slot-number argument is not specified, the VLAN QoS policy information of all devices in the IRF is displayed. If no IRF is formed, the VLAN QoS policy information of the current device is displayed. The range for the slot-number argument depends on the number of devices and the numbering of the devices in the IRF.
End S5500-EI only

Description
Use the display qos vlan-policy command to display VLAN QoS policy information. Note that if no direction is specified, the VLAN QoS policy information in both the inbound and outbound directions is displayed.

Examples
Display the information about the VLAN QoS policy test.
<Sysname> display qos vlan-policy name test
  Policy test
  Vlan 300: inbound

Table 20 display qos vlan-policy command output description
Field | Description
Policy | Name of the VLAN policy
Vlan 300 | ID of the VLAN where the VLAN policy is applied
inbound | VLAN policy is applied in the inbound direction of the VLAN.

Display the information about the VLAN policy applied to VLAN 300.
<Sysname> display qos vlan-policy vlan 300
  Vlan 300
  Direction: Inbound
  Policy: test
   Classifier: test
     Operator: AND
     Rule(s) : If-match customer-vlan-id 3
     Behavior: test
      Accounting Enable: 0 (Packets)
      Committed Access Rate:
        CIR 6400 (kbps), CBS 4000 (byte), EBS 4000 (byte)
        Green Action: pass
        Red Action: discard
        Yellow Action: pass
        Green : 0(Packets)


Table 21 display qos vlan-policy command output description
S5500-SI only:
Field | Description
Vlan 300 | ID of the VLAN where the QoS policy is applied
Inbound | The direction in which the QoS policy is applied for the VLAN.
Classifier | Class name and its contents
Operator | Logical relationship between match criteria
Rule(s) | Match criteria
Behavior | Name of the behavior, and its actions
Accounting | Traffic accounting status: enabled or disabled
Committed Access Rate | CAR information
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size (CBS) in bytes, that is, the depth of the token bucket for holding bursty traffic
EBS | Excessive burst size (EBS) in bytes, that is, the amount of traffic beyond the CBS when two token buckets are adopted
Green Action | Action on green packets
Red Action | Action on red packets
Yellow Action | Action on yellow packets
Green | Statistics about green packets

S5500-EI only:
Field | Description
Vlan 300 | ID of the VLAN where the QoS policy is applied
Inbound | The direction in which the QoS policy is applied for the VLAN.
Classifier | Class name and its contents
Operator | Logical relationship between match criteria
Rule(s) | Match criteria
Behavior | Name of the behavior, and its actions
Accounting | Traffic accounting status: enabled or disabled
Committed Access Rate | CAR information
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size (CBS) in bytes, that is, the depth of the token bucket for holding bursty traffic
EBS | Excessive burst size (EBS) in bytes, that is, the amount of traffic beyond the CBS when two token buckets are adopted
Green Action | Action on green packets
Red Action | Action on red packets
Yellow Action | Action on yellow packets
Green | Statistics about green packets

qos apply policy (Interface view, port group view)


Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
policy-name: Specifies a QoS policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a QoS policy name.


Description
Use the qos apply policy command to apply a QoS policy on a port or a port group.
Use the undo qos apply policy command to remove the policy applied on a port or a port group.
S5500-EI only:
When you apply a policy by using the qos apply policy command, whether or not the inbound/outbound keyword can take effect depends on the actions defined in the traffic behavior, as described in Table 22.

Table 22 The support for the inbound direction and the outbound direction
Action | Inbound | Outbound
Traffic accounting | Supported | Supported
CAR | Supported | Supported
Traffic filtering | Supported | Supported
Traffic mirroring | Supported | Supported
Configuring the outer VLAN tag | Supported | Not supported
Traffic redirecting | Supported | Not supported
Remarking the customer network VLAN ID for packets | Not supported | Supported
Remarking the 802.1p precedence for packets | Supported | Supported
Remarking the drop precedence for packets | Supported | Not supported
Remarking the DSCP precedence for packets | Supported | Supported
Remarking the IP precedence for packets | Supported | Supported
Remarking the local precedence for packets | Supported | Not supported
Remarking the service provider network VLAN ID for packets | Supported | Supported

End S5500-EI only

Examples
Apply the policy named test in the inbound direction of GigabitEthernet1/0/1 port.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos apply policy test inbound


qos apply policy (user-profile view)


Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy { inbound | outbound }

View
User profile view

Default Level
2: System level

Parameters
inbound: Applies the QoS policy to the incoming traffic of online users.
outbound: Applies the QoS policy to the outgoing traffic of online users.
policy-name: Policy name, a string of 1 to 31 characters.

Description
Use the qos apply policy command to apply a QoS policy to a user profile.
Use the undo qos apply policy command to remove the QoS policy.
Note that:
If a user profile is activated, the QoS policy, except the ACLs referenced in the QoS policy, applied to it cannot be configured or removed. When the users of the user profile are online, the referenced ACLs cannot be modified either.
The QoS policy applied to a user profile takes effect when the user-profile is activated and the corresponding users are online.
Only the remark, car, and filter actions are supported in the QoS policies applied in user profile view.
A null policy cannot be applied in user profile view.


Examples

Apply policy test to the outgoing traffic of the users online. (Assume that the QoS policy has been configured.)
<Sysname> system-view
[Sysname] user-profile user
[Sysname-user-profile-user] qos apply policy test outbound
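The direction support in Table 22, the user profile restrictions above, and the recommendation to keep VLAN tag actions alone in a behavior can be checked before a policy is applied. The following is an added example, not H3C code: the action labels, the Application record and the audit function are names assumed for illustration, and the sample policies are constructed.

```python
from dataclasses import dataclass, field

# (inbound, outbound) support per action, transcribed from Table 22 (S5500-EI).
# The short keys are labels invented for this example, not CLI keywords.
TABLE_22 = {
    "accounting": (True, True),
    "car": (True, True),
    "filter": (True, True),
    "mirror": (True, True),
    "outer-vlan-tag": (True, False),
    "redirect": (True, False),
    "remark-customer-vlan-id": (False, True),
    "remark-dot1p": (True, True),
    "remark-drop-precedence": (True, False),
    "remark-dscp": (True, True),
    "remark-ip-precedence": (True, True),
    "remark-local-precedence": (True, False),
    "remark-service-vlan-id": (True, True),
}

# Actions that the classifier behavior section recommends keeping alone in a
# behavior when the policy has multiple class-to-behavior associations.
VLAN_TAG_ACTIONS = {"outer-vlan-tag", "remark-customer-vlan-id",
                    "remark-service-vlan-id"}
SCOPES = ("interface", "vlan", "global", "user-profile")


@dataclass
class Application:
    policy: str
    scope: str        # one of SCOPES
    direction: str    # "inbound" or "outbound"
    behaviors: dict = field(default_factory=dict)  # behavior name -> action labels


def audit(app):
    """Return (behavior, action, reason) findings for one policy application."""
    if app.direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {app.direction}")
    if app.scope not in SCOPES:
        raise ValueError(f"unknown scope: {app.scope}")
    column = 0 if app.direction == "inbound" else 1
    findings = []
    # Assumption: a policy without any class-behavior association is "null".
    if app.scope == "user-profile" and not app.behaviors:
        findings.append((None, None, "null policy in user profile view"))
    for behavior, actions in app.behaviors.items():
        for action in actions:
            if action not in TABLE_22:
                raise ValueError(f"unknown action label: {action}")
            if app.scope == "user-profile":
                # Only remark, car and filter are supported in user profile view.
                if action not in ("car", "filter") and not action.startswith("remark-"):
                    findings.append((behavior, action,
                                     "not supported in user profile view"))
            elif not TABLE_22[action][column]:
                findings.append((behavior, action,
                                 f"not supported {app.direction}"))
        tagging = VLAN_TAG_ACTIONS.intersection(actions)
        if tagging and len(set(actions)) > 1 and len(app.behaviors) > 1:
            findings.append((behavior, sorted(tagging)[0],
                             "VLAN tag action mixed with other actions"))
    return findings


# Constructed sample applications.
SAMPLE = [
    Application("edge", "interface", "outbound",
                {"limit": ["car", "redirect"], "mark": ["remark-dscp"]}),
    Application("qinq", "vlan", "inbound",
                {"tag": ["outer-vlan-tag", "remark-dot1p"], "count": ["accounting"]}),
    Application("subscriber", "user-profile", "outbound",
                {"b": ["filter", "mirror"]}),
]

if __name__ == "__main__":
    for app in SAMPLE:
        for finding in audit(app):
            print(app.policy, app.scope, app.direction, finding)
```
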


qos apply policy global


Syntax
S5500-SI only:
qos apply policy policy-name global { inbound }
undo qos apply policy global { inbound }

S5500-EI only:
qos apply policy policy-name global { inbound | outbound }
undo qos apply policy global { inbound | outbound }

View
System view

Default Level
2: System Level

Parameters
S5500-SI only:
policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a QoS policy name.
inbound: Applies the QoS policy to the incoming packets on all ports.

S5500-EI only:
policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a QoS policy name.
inbound: Applies the QoS policy to the incoming packets on all ports.
outbound: Applies the QoS policy to the outgoing packets on all ports.


Description
Use the qos apply policy global command to apply a QoS policy globally. A QoS policy applied globally takes effect on all inbound or outbound traffic depending on the direction in which the policy is applied. Use the undo qos apply policy global command to cancel the global application of the QoS policy. Note that, when you apply a QoS policy with the qos apply policy global command, support for the inbound/outbound keyword depends on the actions defined in the traffic behavior, as described in Table 22.

Examples
Apply the QoS policy user1 in the inbound direction globally.
<Sysname> system-view
[Sysname] qos apply policy user1 global inbound

qos policy
Syntax
qos policy policy-name
undo qos policy policy-name

View
System view

Default Level
2: System Level

Parameters
policy-name: Name of the policy to be created, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a policy name.

Description
Use the qos policy command to create a policy. This command also leads you to policy view. Use the undo qos policy command to remove a policy. To remove a policy that is currently applied on a port, you need to disable it on the port first. Related commands: classifier behavior, qos apply policy.

Examples
Create a policy named user1.
<Sysname> system-view
[Sysname] qos policy user1
[Sysname-qospolicy-user1]


qos vlan-policy
Syntax
S5500-SI only:
qos vlan-policy policy-name vlan vlan-id-list { inbound }
undo qos vlan-policy vlan vlan-id-list { inbound }

S5500-EI only:
qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
undo qos vlan-policy vlan vlan-id-list { inbound | outbound }

View
System view

Default Level
2: System Level

Parameters
policy-name: Policy name, a case-sensitive string of 1 to 31 characters. No spaces are allowed in a policy name.
vlan-id-list: List of VLAN IDs, presented in the form of vlan-id to vlan-id or discontinuous VLAN IDs. Up to eight VLAN IDs can be specified at a time.
inbound: Specifies to apply the VLAN policy in the inbound direction of the VLAN.
S5500-EI only: outbound: Specifies to apply the VLAN policy in the outbound direction of the VLAN.

Description
Use the qos vlan-policy command to apply the VLAN policy to the specific VLAN(s). Use the undo qos vlan-policy command to remove the VLAN policy from the specific VLAN(s). Note that, when you apply a QoS policy with the qos vlan-policy command, support for the inbound/outbound keyword varies with the actions defined in the traffic behavior, as described in Table 22.

Do not apply policies to a VLAN and the ports in the VLAN at the same time.


Examples
Apply the VLAN policy named test in the inbound direction of VLAN 200, VLAN 300, VLAN 400, VLAN 500, VLAN 600, VLAN 700, VLAN 800, and VLAN 900.
<Sysname> system-view
[Sysname] qos vlan-policy test vlan 200 300 400 500 600 700 800 900 inbound

reset qos policy global


Syntax
S5500-SI only: reset qos policy global [ inbound ]

S5500-EI only: reset qos policy global [ inbound | outbound ]

View
User view

Default Level
1: Monitor level

Parameters
inbound: Specifies the inbound direction.
S5500-EI only: outbound: Specifies the outbound direction.

Description
Use the reset qos policy global command to clear the statistics of a global QoS policy. If no direction is specified, all global QoS policy statistics are cleared.

Examples
Clear the statistics of the global QoS policy in the inbound direction.
<Sysname> reset qos policy global inbound


reset qos vlan-policy


Syntax
S5500-SI only: reset qos vlan-policy [ vlan vlan-id ] [ inbound ]

S5500-EI only: reset qos vlan-policy [ vlan vlan-id ] [ inbound | outbound ]

View
User view

Default Level
1: Monitor level

Parameters
vlan-id: VLAN ID, in the range 1 to 4,094.
inbound: Clears the QoS policy statistics in the inbound direction of the specified VLAN.
S5500-EI only: outbound: Clears the QoS policy statistics in the outbound direction of the specified VLAN.

Description
Use the reset qos vlan-policy command to clear the statistics information about VLAN QoS policies. If no VLAN ID is specified, QoS policy statistics of all VLANs are cleared.

Examples
Clear the statistics information about the QoS policy applied to VLAN 2.
<Sysname> reset qos vlan-policy vlan 2


Priority mapping table configuration commands


display qos map-table
Syntax
display qos map-table [ dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp ]

View
Any view

Default Level
1: Monitor level

Parameters
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table.
dscp-dp: DSCP-to-drop priority mapping table.
dscp-dscp: DSCP-to-DSCP priority mapping table.

Description
Use the display qos map-table command to display the configuration of a priority mapping table. If no priority mapping table is specified, the configuration information of all priority mapping tables is displayed. Related commands: qos map-table.

Examples
Display the configuration of the 802.1p-to-drop priority mapping table.
<Sysname> display qos map-table dot1p-dp
MAP-TABLE NAME: dot1p-dp   TYPE: pre-define
IMPORT  :  EXPORT
   0    :    2
   1    :    2
   2    :    2
   3    :    1
   4    :    1
   5    :    1
   6    :    0
   7    :    0


Table 23 display qos map-table command output description
Field | Description
MAP-TABLE NAME | Name of the priority mapping table
TYPE | Type of the priority mapping table
IMPORT | Input values of the priority mapping table
EXPORT | Output values of the priority mapping table

import
Syntax
import import-value-list export export-value
undo import { import-value-list | all }

View
Priority mapping table view

Default Level
2: System Level

Parameters
import-value-list: List of input values.
export-value: Output value.
all: Deletes all the mappings in the priority mapping table.

Description
Use the import command to configure a mapping from one or multiple input values to an output value. Use the undo import command to restore the specified or all mappings to the default mappings. Note that you cannot map any DSCP value to drop precedence 1. Related commands: display qos map-table.

Examples
Configure the 802.1p-to-drop priority mapping table to map 802.1p priority values 4 and 5 to drop precedence 1.
<Sysname> system-view
[Sysname] qos map-table dot1p-dp
[Sysname-maptbl-dot1p-dp] import 4 5 export 1


qos map-table
Syntax
qos map-table { dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp }

View
System view

Default Level
2: System Level

Parameters
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table.
dscp-dp: DSCP-to-drop priority mapping table.
dscp-dscp: DSCP-to-DSCP priority mapping table.

Description
Use the qos map-table command to enter specific priority mapping table view. Related commands: display qos map-table.

Examples
Enter the 802.1p-to-drop priority mapping table view.
<Sysname> system-view
[Sysname] qos map-table dot1p-dp
[Sysname-maptbl-dot1p-dp]

Port priority configuration commands


qos priority
Syntax
qos priority priority-value
undo qos priority

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
priority-value: Port priority to be configured, which defaults to 0 and ranges from 0 to 7.

Description
Use the qos priority command to set the port priority for a port. Use the undo qos priority command to restore the default port priority. By default, the port priority is 0. Note that, if a port receives packets without an 802.1q tag, the switch takes the priority of the receiving port as the 802.1p precedence of the packets and then searches the dot1p-dp/lp mapping table for the local/drop precedence for the packets according to the priority of the receiving port.

Examples
Set the port priority of GigabitEthernet1/0/1 port to 2.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos priority 2

Trusted packet priority type configuration commands


display qos trust interface
Syntax
display qos trust interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the display qos trust interface command to display the trusted packet priority type and priority of an interface. If no interface is specified, the trusted packet priority types on all interfaces are displayed.


Examples
Display the port priority trust mode of GigabitEthernet1/0/1 port.
<Sysname> display qos trust interface GigabitEthernet 1/0/1
Interface: GigabitEthernet1/0/1
 Port priority information
  Port priority :0
  Port priority trust type : dscp

Table 24 display qos trust interface command output description
Field | Description
Interface | Port name, comprising port type and port number
Port priority | Port priority
Port priority trust type | Port priority trust mode. dscp indicates that the DSCP precedence of the received packets is trusted. dot1p indicates that the 802.1p priority of the received packets is trusted. untrust indicates that the port priority is trusted.

qos trust
Syntax
qos trust { dot1p | dscp }
undo qos trust

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
dot1p: Trusts the 802.1p priority and uses this priority for priority mapping.
dscp: Trusts the DSCP values and uses DSCP values for priority mapping.

Description
Use the qos trust command to configure the trusted packet priority type on an interface. Use the undo qos trust command to restore the default. By default, the port priority is trusted.


Examples
Specify to trust the DSCP precedence carried in packets on GigabitEthernet1/0/1 port.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos trust dscp

Traffic Shaping is added in Release 2202P19 on the S5500-SI series Ethernet switches. For the related commands, see display qos gts interface and qos gts.

Traffic shaping configuration commands

GTS configuration commands


display qos gts interface
Syntax
display qos gts interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the display qos gts interface command to view generic traffic shaping (GTS) configuration information and operational statistics on a specified interface or all the interfaces. If no interface is specified, the GTS configuration information and operational statistics on all the interfaces are displayed.


Examples
Display traffic shaping configuration information of all ports.
<Sysname> display qos gts interface
Interface: GigabitEthernet1/0/1
 Rule(s): If-match queue 2
  CIR 640 (kbps), CBS 40960 (byte)

Table 25 display qos gts command output description
Field | Description
Interface | Port name identified by port type and port number
Rule(s) | Match criteria. If-match queue 2 indicates that traffic shaping is performed for traffic in queue 2.
CIR | Committed information rate (CIR) in kbps
CBS | Committed burst size (CBS) in bytes, that is, the depth of the token bucket for holding bursty traffic

qos gts
Syntax
qos gts queue queue-number cir committed-information-rate [ cbs committed-burst-size ]
undo qos gts queue queue-number

View
Ethernet interface view, port group view

Default Level
2: System level

Parameters
queue queue-number: Specifies a queue by its number, which ranges from 0 to 7.
cir committed-information-rate: Specifies the committed information rate (CIR) in kbps, which must be a multiple of 64, and CIR ranges from 64 to 16777216.
cbs committed-burst-size: Specifies the CBS (in bytes), which ranges from 4096 to 16777216 and must be a multiple of 4096. If the cbs keyword is not specified, the default CBS is 62.5 ms x committed-information-rate and must be a multiple of 4096. If 62.5 ms x committed-information-rate is not a multiple of 4096, the default CBS is the multiple of 4096 that is bigger than and nearest to 62.5 ms x committed-information-rate. The maximum CBS is 16777216. For example, if the CIR is 640 kbps, then 62.5 ms x CIR is 62.5 ms x 640 = 40000. As 40000 is not a multiple of 4096, 40960, which is the multiple of 4096 that is bigger than and nearest to 40000, is taken as the default CBS.


Description
Use the qos gts command to configure traffic shaping. Use the undo qos gts command to remove the traffic shaping configuration. In Ethernet interface view, the configuration takes effect on the current port. In port group view, the configuration takes effect on all ports in the port group.

Examples
Configure traffic shaping on GigabitEthernet 1/0/1 to limit the outgoing traffic rate of queue 2 to 640 kbps.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos gts queue 2 cir 640

Line rate configuration commands


display qos lr interface
Syntax
display qos lr interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the display qos lr interface command to view the line rate configuration information and operational statistics on a specified interface or all the interfaces. If no interface is specified, the line rate configuration information and operational statistics on all the interfaces are displayed.

Examples
Display the line rate configuration and statistics information of all the interfaces.
<Sysname> display qos lr interface
Interface: GigabitEthernet1/0/1
 Direction: Outbound
  CIR 6400 (kbps), CBS 400000 (byte)


Table 26 display qos lr command output description
S5500-SI only:
Field | Description
Interface | Port name, composed of port type and port number
Direction | Specify the direction of limited rate as outbound
CIR | Committed information rate, in kbps
CBS | Committed burst size, in byte

S5500-EI only:
Field | Description
Interface | Interface type and interface number
Direction | The direction in which the line rate configuration is applied
CIR | Committed information rate, in kbps
CBS | Committed burst size (CBS) in bytes, that is, the depth of the token bucket for holding bursty traffic

qos lr outbound
Syntax
qos lr outbound cir committed-information-rate [ cbs committed-burst-size ]
undo qos lr outbound

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
outbound: Limits the rate of the outbound traffic.
cir committed-information-rate: Specifies the committed information rate (CIR) in kbps. The range of CIR varies with port types as follows:
GigabitEthernet port: 64 to 1000000
Ten-GigabitEthernet port: 64 to 10000000
Note that the committed-information-rate argument must be a multiple of 64.
cbs committed-burst-size: Specifies the committed burst size in bytes. The committed-burst-size argument ranges from 4000 to 16000000. If the cbs keyword is not used, the system uses the default committed burst size, that is, 62.5 ms x committed-information-rate, or 16000000 if the multiplication is more than 16000000.

Description
S5500-SI only: Use the qos lr command to limit the rate of outbound traffic via physical interfaces. Use the undo qos lr command to cancel the limit.

S5500-EI only: Use the qos lr outbound command to limit the rate of outbound traffic via physical interfaces. Use the undo qos lr outbound command to cancel the limit.

Examples
Limit the outbound traffic rate on GigabitEthernet 1/0/1 within 640 kbps.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos lr outbound cir 640
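The CIR and CBS rules given for qos gts and for qos lr outbound differ in range, granularity and default burst size, so a rate limit copied from one command to the other can be rejected or end up with a different burst depth. The following added example (not H3C code; the function names and the constructed sample lines are assumptions) validates a command line against the parameter rules above and computes the CBS the switch would use when the cbs keyword is omitted.

```python
import re

# Command forms taken from the Syntax lines of qos gts and qos lr outbound.
GTS_RE = re.compile(r"qos gts queue (\d+) cir (\d+)(?: cbs (\d+))?")
LR_RE = re.compile(r"qos lr outbound cir (\d+)(?: cbs (\d+))?")
# Upper CIR bound of qos lr outbound per port type, as listed in its Parameters.
LR_CIR_MAX = {"GigabitEthernet": 1000000, "Ten-GigabitEthernet": 10000000}


def default_gts_cbs(cir):
    """62.5 ms x CIR, rounded up to a multiple of 4096, capped at 16777216."""
    raw = cir * 125 // 2  # manual's arithmetic: 62.5 x 640 = 40000; exact for multiples of 64
    return min(-(-raw // 4096) * 4096, 16777216)


def default_lr_cbs(cir):
    """62.5 ms x CIR, or 16000000 if the product is larger."""
    return min(cir * 125 // 2, 16000000)


def check(line, port_type="GigabitEthernet"):
    """Validate one command line; return the effective CIR/CBS and any errors."""
    text = " ".join(line.split())
    errors = []
    gts, lr = GTS_RE.fullmatch(text), LR_RE.fullmatch(text)
    if gts:
        command, default = "qos gts", default_gts_cbs
        queue, cir = int(gts.group(1)), int(gts.group(2))
        cbs = int(gts.group(3)) if gts.group(3) else None
        if queue > 7:
            errors.append("queue-number must be 0 to 7")
        cir_ok = 64 <= cir <= 16777216 and cir % 64 == 0
        if not cir_ok:
            errors.append("CIR must be a multiple of 64 from 64 to 16777216")
        if cbs is not None and not (4096 <= cbs <= 16777216 and cbs % 4096 == 0):
            errors.append("CBS must be a multiple of 4096 from 4096 to 16777216")
    elif lr:
        command, default = "qos lr outbound", default_lr_cbs
        if port_type not in LR_CIR_MAX:
            raise ValueError(f"unknown port type: {port_type}")
        cir = int(lr.group(1))
        cbs = int(lr.group(2)) if lr.group(2) else None
        cir_ok = 64 <= cir <= LR_CIR_MAX[port_type] and cir % 64 == 0
        if not cir_ok:
            errors.append(f"CIR must be a multiple of 64 from 64 to {LR_CIR_MAX[port_type]}")
        if cbs is not None and not 4000 <= cbs <= 16000000:
            errors.append("CBS must be from 4000 to 16000000")
    else:
        raise ValueError(f"not a qos gts or qos lr outbound command: {line!r}")
    defaulted = cbs is None
    if defaulted and cir_ok:
        cbs = default(cir)  # stays None when the CIR itself is invalid
    return {"command": command, "cir": cir, "cbs": cbs,
            "cbs_defaulted": defaulted, "errors": errors}


# Constructed sample lines: the two documented examples plus invalid variants.
SAMPLE = [
    "qos gts queue 2 cir 640",
    "qos lr outbound cir 6400",
    "qos gts queue 8 cir 100 cbs 5000",
    "qos lr outbound cir 2000000",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", check(line))
```
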

Congestion management configuration commands


display qos sp interface
Syntax
display qos sp interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level


Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the display qos sp interface command to display the strict priority (SP) queuing configuration on a specified port. If no port is specified, this command displays the SP queuing configuration on all ports. Related commands: qos sp.

Examples
Display the SP queuing configuration on GigabitEthernet 1/0/1.
<Sysname> display qos sp interface GigabitEthernet 1/0/1
Interface: GigabitEthernet1/0/1
 Output queue: Strict-priority queue

display qos wfq interface


Syntax
display qos wfq interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the display qos wfq interface command to display the configuration of Weighted Fair Queuing (WFQ) queues of a port. If no port number is specified, the command displays the configurations of WFQ queues of all ports. Related commands: qos wfq.


Examples
Display the configuration of the WFQ queues on port GigabitEthernet 1/0/1.
<Sysname> display qos wfq interface GigabitEthernet 1/0/1
Interface: GigabitEthernet1/0/1
 Output queue: Hardware weighted fair queue
 Queue ID    Weight    Min-Bandwidth
 ------------------------------------------------
 0           1         64
 1           2         64
 2           4         64
 3           6         64
 4           8         64
 5           10        64
 6           12        64
 7           14        64

Table 27 display qos wfq interface command output description
Field | Description
Interface | Port name, composed of port type and port number
Output queue | The type of the current output queue
Queue ID | ID of the queue
Weight | The weight of each queue during scheduling.
Min-Bandwidth | Minimum guaranteed bandwidth of the queue

display qos wrr interface


Syntax
display qos wrr interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.


Description
Use the display qos wrr interface command to display the configuration of weighted round robin (WRR) queues of a port. If no port number is specified, the command displays the configurations of WRR queues of all ports. Related commands: qos wrr.

Examples
Display the configuration of WRR queues of GigabitEthernet 1/0/1.
<Sysname> display qos wrr interface GigabitEthernet 1/0/1
Interface: gigabitethernet1/0/1
 Output queue: Weighted round robin queue
 Queue ID    Group    Weight
 -------------------------------------
 0           sp       N/A
 1           sp       N/A
 2           1        3
 3           1        4
 4           1        5
 5           1        6
 6           1        7
 7           1        8

Table 28 display qos wrr interface command output description
Field | Description
Interface | Port name, composed of port type and port number
Output queue | The type of the current output queue
Queue ID | ID of the queue
Group | Group ID, indicating which group a queue belongs to.
Weight | The weight of each queue during scheduling. N/A indicates that SP queue scheduling algorithm is adopted.


qos bandwidth queue


Syntax
qos bandwidth queue queue-id min bandwidth-value
undo qos bandwidth queue queue-id [ min bandwidth-value ]

View
Ethernet interface view, port group view

Default Level
2: System level

Parameters
queue-id: Queue ID, in the range of 0 to 7.
bandwidth-value: Minimum guaranteed bandwidth (in kbps), that is, the minimum bandwidth guaranteed for a queue when the port is congested. The range for the bandwidth-value argument is 64 to 1048576.

Description
Use the qos bandwidth queue command to set the minimum guaranteed bandwidth for a specified queue on the port or ports in the port group. Use the undo qos bandwidth queue command to remove the configuration. By default, the minimum guaranteed bandwidth of a queue is 64 kbps.
Note that:
In Ethernet interface view, the configuration takes effect only on the current port; in port group view, the configuration takes effect on all ports in the port group.
To configure minimum guaranteed bandwidth for queues on a port/port group, enable WFQ on the port/port group first.

Examples
Set the minimum guaranteed bandwidth to 100 kbps for queue 0 on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos wfq
[Sysname-gigabitethernet1/0/1] qos bandwidth queue 0 min 100


qos sp
Syntax
qos sp
undo qos sp

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
None

Description
Use the qos sp command to configure SP queuing on the current port. Use the undo qos sp command to restore the default queuing algorithm on the port. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15. Related commands: display qos sp interface.

Examples
Configure SP queuing on GigabitEthernet1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos sp

qos wfq
Syntax
qos wfq
undo qos wfq

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
None


Description
Use the qos wfq command to enable weighted fair queuing (WFQ) on a port or port group. Use the undo qos wfq command to restore the default. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15. Related commands: display qos wrr interface.

Examples
Enable WFQ on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos wfq

qos wfq weight


Syntax
qos wfq queue-id weight schedule-value
undo qos wfq queue-id weight

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
queue-id: ID of the queue, in the range of 0 to 7.
weight schedule-value: Specifies the scheduling weight of a queue, in the range of 0 to 15. Each queue is allocated part of the allocable bandwidth based on its scheduling weight.

Description
Use the qos wfq command to enable weighted fair queuing (WFQ) on a port or port group and configure a scheduling weight for the specified queue. Use the undo qos wfq command to restore the default. On a WFQ-enabled port/port group, the scheduling weight of a queue is 1 by default. Related commands: display qos wfq interface, qos bandwidth queue.


Examples
Enable WFQ on GigabitEthernet 1/0/1 and assign weight values 1, 2, 4, 6, 8, 10, 12, and 14 to queues 0 through 7.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos wfq
[Sysname-gigabitethernet1/0/1] qos wfq 0 weight 1
[Sysname-gigabitethernet1/0/1] qos wfq 1 weight 2
[Sysname-gigabitethernet1/0/1] qos wfq 2 weight 4
[Sysname-gigabitethernet1/0/1] qos wfq 3 weight 6
[Sysname-gigabitethernet1/0/1] qos wfq 4 weight 8
[Sysname-gigabitethernet1/0/1] qos wfq 5 weight 10
[Sysname-gigabitethernet1/0/1] qos wfq 6 weight 12
[Sysname-gigabitethernet1/0/1] qos wfq 7 weight 14

qos wrr
Syntax
qos wrr
undo qos wrr

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
None

Description
Use the qos wrr command to enable weighted round robin (WRR) on a port or port group. Use the undo qos wrr command to restore the default. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15. Related commands: display qos wrr interface.

Examples
Enable WRR on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos wrr


qos wrr group


Syntax
qos wrr queue-id group { sp | group-id weight schedule-value }
undo qos wrr

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
queue-id: ID of the queue, in the range of 0 to 7.
group-id: It can only be 1.
weight schedule-value: Specifies the scheduling weight of a queue, in the range of 1 to 15.
sp: Configures SP queuing.

Description
Use the qos wrr command to configure the Weighted Round Robin (WRR) queue scheduling algorithm or the SP + WRR queue scheduling algorithm on a port or port group. Use the undo qos wrr command to restore the default queue-scheduling algorithm on the port. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight values assigned to queue 0 through queue 7 being 1, 2, 3, 4, 5, 9, 13, and 15.
As required, you can configure some of the queues on the port to adopt the SP queue-scheduling algorithm and others to adopt the WRR queue-scheduling algorithm. SP + WRR queue scheduling is implemented by adding the queues on a port to the SP scheduling group and the WRR scheduling group (namely, group 1). During queue scheduling, the queues in the SP scheduling group are scheduled preferentially. When no packet is to be sent in the queues in the SP scheduling group, the queues in the WRR scheduling group are scheduled. The queues in the SP scheduling group are scheduled according to the strict priority of each queue, while the queues in the WRR scheduling group are scheduled according to the weight value of each queue.
Related commands: display qos wrr interface.


Examples
Configure the SP+WRR queue scheduling algorithm on GigabitEthernet 1/0/1 as follows: assign queue 0, queue 1, queue 2, and queue 3 to the SP scheduling group, and assign queue 4, queue 5, queue 6, and queue 7 to the WRR scheduling group, with the weights 2, 4, 6, and 8.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos wrr
[Sysname-gigabitethernet1/0/1] qos wrr 0 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 1 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 2 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 3 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 4 group 1 weight 2
[Sysname-gigabitethernet1/0/1] qos wrr 5 group 1 weight 4
[Sysname-gigabitethernet1/0/1] qos wrr 6 group 1 weight 6
[Sysname-gigabitethernet1/0/1] qos wrr 7 group 1 weight 8
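The SP + WRR service order described for qos wrr group, as an added Python model (not H3C code and not from this manual) that parses the commands of the example above and replays the scheduler over a queue backlog. Assumptions not stated in this section: within the SP group a higher queue ID is served first, and WRR is modelled per packet, with each queue sending up to its weight in packets per round in ascending queue ID order.

```python
"""Model of SP + WRR queue scheduling on one port (added example, not H3C code)."""
import re

# Default WRR weights for queue 0 through queue 7, as given in the Description.
DEFAULT_WEIGHTS = {0: 1, 1: 2, 2: 3, 3: 4, 4: 5, 5: 9, 6: 13, 7: 15}

# Constructed sample input: the command lines of the SP+WRR example above.
SAMPLE_CONFIG = """\
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-gigabitethernet1/0/1] qos wrr
[Sysname-gigabitethernet1/0/1] qos wrr 0 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 1 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 2 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 3 group sp
[Sysname-gigabitethernet1/0/1] qos wrr 4 group 1 weight 2
[Sysname-gigabitethernet1/0/1] qos wrr 5 group 1 weight 4
[Sysname-gigabitethernet1/0/1] qos wrr 6 group 1 weight 6
[Sysname-gigabitethernet1/0/1] qos wrr 7 group 1 weight 8
"""

PROMPT_RE = re.compile(r"^[\[<][^\]>]*[\]>]\s*")  # "<Sysname> " or "[Sysname-...] "
GROUP_RE = re.compile(r"^qos wrr (\d+) group (?:sp|(\d+) weight (\d+))$")


def parse_wrr_config(text):
    """Return (sp_queues, wrr_weights) after applying the qos wrr lines in text."""
    sp, wrr = set(), dict(DEFAULT_WEIGHTS)
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if line == "undo qos wrr":          # back to the default algorithm
            sp, wrr = set(), dict(DEFAULT_WEIGHTS)
            continue
        if not line.startswith("qos wrr") or line == "qos wrr":
            continue                        # other commands, or plain WRR enable
        m = GROUP_RE.match(line)
        if not m:
            raise ValueError(f"malformed command: {line!r}")
        qid = int(m.group(1))
        if not 0 <= qid <= 7:
            raise ValueError(f"queue-id out of range 0-7: {line!r}")
        if m.group(2) is None:              # "group sp"
            sp.add(qid)
            wrr.pop(qid, None)
            continue
        group_id, weight = int(m.group(2)), int(m.group(3))
        if group_id != 1:
            raise ValueError(f"group-id can only be 1: {line!r}")
        if not 1 <= weight <= 15:
            raise ValueError(f"weight out of range 1-15: {line!r}")
        sp.discard(qid)
        wrr[qid] = weight
    return sp, wrr


def schedule(sp, wrr, backlog, slots):
    """Return the queue ID served in each transmit slot (at most `slots` of them).

    backlog maps queue ID -> packets waiting. SP queues are always tried first;
    the WRR group is served only when every SP queue is empty.
    """
    backlog = dict(backlog)
    credits = dict.fromkeys(wrr, 0)
    served = []
    while len(served) < slots:
        # Assumption: higher queue ID = higher strict priority.
        q = next((q for q in sorted(sp, reverse=True) if backlog.get(q, 0) > 0), None)
        if q is None:
            waiting = [q for q in sorted(wrr) if backlog.get(q, 0) > 0]
            if not waiting:
                break                       # nothing left to send
            q = next((q for q in waiting if credits[q] > 0), None)
            if q is None:
                credits = dict(wrr)         # start a new WRR round
                continue
            credits[q] -= 1
        backlog[q] -= 1
        served.append(q)
    return served


if __name__ == "__main__":
    sp_queues, weights = parse_wrr_config(SAMPLE_CONFIG)
    print("SP group:", sorted(sp_queues), "WRR weights:", weights)
    # Constructed backlog: a few packets in SP queues, deep WRR queues.
    print(schedule(sp_queues, weights, {0: 1, 3: 2, 4: 100, 5: 100, 6: 100, 7: 100}, 23))
    # Constructed backlog: one SP queue that never empties within the window.
    print(schedule(sp_queues, weights, {3: 50, 7: 50}, 30))
```

The second run shows the property to check when mapping traffic classes to queues: as long as an SP queue holds packets, no queue in WRR group 1 is served, whatever its weight.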

S5500-EI only: Congestion avoidance configuration commands


display qos wred interface
Syntax
display qos wred interface [ interface-type interface-number ]

View
Any view

Default Level
1: Monitor level

Parameters
interface-type: Port type.
interface-number: Port number.

Description
Use the display qos wred interface command to display the WRED configuration of a port. If no port number is specified, the command displays the WRED configurations of all ports. Related commands: qos wred apply.


Examples
Display the WRED configuration of GigabitEthernet 1/0/1.
<Sysname> display qos wred interface GigabitEthernet 1/0/1
Interface: GigabitEthernet1/0/1
Current WRED configuration:
Applied WRED table name: queue-table1

display qos wred table


Syntax
display qos wred table [ table-name ]

View
Any view

Default Level
1: Monitor level

Parameters
table-name: Name of the WRED table to be displayed, a string of 1 to 32 characters.

Description
Use the display qos wred table command to display the WRED table configuration information. If no WRED table name is specified, the configuration of all the WRED tables is displayed. Related commands: queue.

Examples
Display the configuration of WRED table queue-table1.
<Sysname> display qos wred table queue-table1
Table Name: queue-table1
Table Type: Queue based WRED
QID:   gmin   gmax   gprob   ymin   ymax   yprob
----------------------------------------------
0      10     NA     10      10     NA     10
1      10     NA     10      10     NA     10
2      10     NA     10      10     NA     10
3      10     NA     10      10     NA     10
4      10     NA     10      10     NA     10
5      10     NA     10      10     NA     10
6      10     NA     10      10     NA     10
7      10     NA     10      10     NA     10

Table 29 display qos wred table command output description
Field            Description
Table name       Name of a WRED table
Table type       Type of a WRED table
QID              ID of the queue
gmin             Lower threshold configured for green packets, whose drop precedence is 0
gmax             Upper threshold configured for green packets, whose drop precedence is 0
gprob            Drop probability slope configured for green packets, whose drop precedence is 0
ymin             Lower threshold configured for yellow packets, whose drop precedence is 1
ymax             Upper threshold configured for yellow packets, whose drop precedence is 1
yprob            Drop probability slope configured for yellow packets, whose drop precedence is 1

qos wred apply


Syntax
qos wred apply table-name
undo qos wred apply

View
Ethernet interface view, port group view

Default Level
2: System Level

Parameters
table-name: Name of a global WRED table, a string of 1 to 32 characters.

Description
Use the qos wred apply command to apply a WRED table to the current port or port group. Use the undo qos wred apply command to cancel the application. By default, no WRED table is applied to any port or port group. Related commands: display qos wred interface.

Examples
Apply the WRED table queue-table1 to port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] qos wred apply queue-table1


qos wred queue table


Syntax
qos wred queue table table-name
undo qos wred table table-name

View
System view

Default Level
2: System Level

Parameters
table table-name: Specifies a name for the table, a string of 1 to 32 characters.

Description
Use the qos wred queue table command to create a WRED table and enter WRED table view. Use the undo qos wred table command to remove a WRED table. By default, no WRED table is created. A WRED table in use cannot be removed. Related commands: queue.

Examples
Create a WRED table named queue-table1.
<Sysname> system-view
[Sysname] qos wred queue table queue-table1
[Sysname-wred-table-queue-table1]

queue
Syntax
queue queue-id [ drop-level drop-level ] low-limit low-limit [ discard-probability discard-prob ]
undo queue { queue-id | all }

View
WRED table view

Default Level
2: System Level


Parameters
queue-id: ID of the queue, in the range of 0 to 7.
drop-level drop-level: Specifies a drop level, in the range of 0 to 1. If this argument is not specified, the subsequent configuration takes effect on the packets in the queue regardless of the drop level.
low-limit low-limit: Specifies a lower threshold. When the queue length exceeds the lower threshold, WRED begins to drop packets. The low-limit argument ranges from 0 to 100 and defaults to 10.
discard-probability discard-prob: Specifies the discard-prob argument, which ranges from 0 to 128 and defaults to 10. Each drop level is configured with an independent drop probability. The actual drop probability is the reciprocal of the discard-prob argument. The argument corresponds to the drop probability as follows:
0 corresponds to 100%
1 through 8 corresponds to 1/8
9 through 16 corresponds to 1/16
17 through 32 corresponds to 1/32
33 through 64 corresponds to 1/64
65 through 128 corresponds to 1/128

Description
Use the queue command to configure the drop-related parameters for a specified queue in the WRED table. Use the undo queue command to restore the default. By default, the lower threshold is 10 and the discard-prob argument is 10 for all the drop levels in the WRED table. Related commands: qos wred queue table.

Examples
Modify drop parameters for queue 1 in the WRED table queue-table1: set the lower threshold to 10 and the discard-prob argument to 30 for packets with drop level 1 in queue 1.
<Sysname> system-view
[Sysname] qos wred queue table queue-table1
[Sysname-wred-table-queue-table1] queue 1 drop-level 1 low-limit 10 discard-probability 30
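The discard-prob mapping and argument ranges of the queue command, as an added Python check (not H3C code and not from this manual) that can be run over planned WRED table lines before they are entered. The function names are hypothetical, the second and third sample commands are constructed, and treating an omitted discard-probability as the default 10 is an assumption.

```python
"""Validate WRED-table `queue` commands and show their effective drop probability."""
import re
from fractions import Fraction

DEFAULT_LOW_LIMIT = 10      # default lower threshold stated above
DEFAULT_DISCARD_PROB = 10   # default discard-prob stated above

QUEUE_RE = re.compile(
    r"^queue (?P<qid>\d+)"
    r"(?: drop-level (?P<level>\d+))?"
    r" low-limit (?P<low>\d+)"
    r"(?: discard-probability (?P<prob>\d+))?$"
)

# First command is the one from the example above; the others are constructed.
SAMPLE_COMMANDS = [
    "queue 1 drop-level 1 low-limit 10 discard-probability 30",
    "queue 2 low-limit 20 discard-probability 0",
    "queue 3 drop-level 0 low-limit 50",
]


def drop_probability(discard_prob):
    """Map a discard-prob value to the drop probability listed in the table above."""
    if not 0 <= discard_prob <= 128:
        raise ValueError(f"discard-prob out of range 0-128: {discard_prob}")
    if discard_prob == 0:
        return Fraction(1)                  # 0 corresponds to 100%
    for upper in (8, 16, 32, 64, 128):      # 1-8, 9-16, 17-32, 33-64, 65-128
        if discard_prob <= upper:
            return Fraction(1, upper)


def apply_queue_commands(lines):
    """Return table[queue-id][drop-level] = (low-limit, discard-prob)."""
    table = {q: {lvl: (DEFAULT_LOW_LIMIT, DEFAULT_DISCARD_PROB) for lvl in (0, 1)}
             for q in range(8)}
    for line in lines:
        m = QUEUE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a valid queue command: {line!r}")
        qid, low = int(m["qid"]), int(m["low"])
        # Assumption: an omitted discard-probability means the default value.
        prob = DEFAULT_DISCARD_PROB if m["prob"] is None else int(m["prob"])
        # Without drop-level the setting applies regardless of the drop level.
        levels = (0, 1) if m["level"] is None else (int(m["level"]),)
        if not 0 <= qid <= 7:
            raise ValueError(f"queue-id out of range 0-7: {line!r}")
        if any(lvl not in (0, 1) for lvl in levels):
            raise ValueError(f"drop-level out of range 0-1: {line!r}")
        if not 0 <= low <= 100:
            raise ValueError(f"low-limit out of range 0-100: {line!r}")
        drop_probability(prob)              # range check for discard-prob
        for lvl in levels:
            table[qid][lvl] = (low, prob)
    return table


def review(table):
    """Return (queue-id, drop-level) pairs whose drop probability is 100%."""
    return [(qid, lvl)
            for qid, levels in sorted(table.items())
            for lvl, (_low, prob) in sorted(levels.items())
            if drop_probability(prob) == 1]


if __name__ == "__main__":
    wred = apply_queue_commands(SAMPLE_COMMANDS)
    for qid in (1, 2, 3):
        for lvl, (low, prob) in wred[qid].items():
            print(f"queue {qid} drop-level {lvl}: low-limit {low}, "
                  f"discard-prob {prob} -> drop probability {drop_probability(prob)}")
    print("100% drop above low-limit:", review(wred))
```

For the manual's own example the effective probability is 1/32, not 1/30, and a discard-prob of 0 is the strictest setting rather than "no drop".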

End S5500-EI only


Obtaining support for your product


Register your product
Warranty and other service benefits start from the date of purchase, so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you. Warranty and other service benefits are enabled through product registration. Register your product at http://www.h3cnetworks.com, go to Support, Product Registration. Support services are based on accounts that you create or have authorization to access. First time users must apply for a user name and password that provides access to a number of eSupport features including Product Registration, Repair Services, and Service Request. If you have trouble registering your product, please contact 3Com Global Services for assistance.

Purchase value-added services


To enhance response times or extend warranty benefits, contact 3Com or your authorized reseller. Value-added services like ExpressSM and GuardianSM can include 24x7 telephone technical support, software upgrades, onsite assistance or advance hardware replacement. Experienced engineers are available to manage your installation with minimal disruption to your network. Expert assessment and implementation services are offered to fill resource gaps and ensure the success of your networking projects. More information on 3Com maintenance and Professional Services is available at http://www.h3cnetworks.com. Contact your authorized reseller or 3Com for a complete list of the value-added services available in your area.

Troubleshoot online
You will find support tools posted on the web site at http://www.h3cnetworks.com/ under Support, Knowledgebase. The Knowledgebase helps you troubleshoot H3C products. This query-based interactive tool contains thousands of technical solutions.


Access software downloads


Software Updates are the bug fix / maintenance releases for the version of software initially purchased with the product. In order to access these Software Updates you must first register your product on the web site at http://www.h3cnetworks.com, go to Support, Product Registration. First time users will need to apply for a user name and password. A link to software downloads can be found at http://www.h3cnetworks.com, under Support, Drivers and downloads. Software Upgrades are the software releases that follow the software version included with your original product. In order to access upgrades and related documentation you must first purchase a service contract from 3Com or your reseller.

Telephone technical support and repair


To enable telephone support and other service benefits, you must first register your product at http://www.h3cnetworks.com/. Warranty and other service benefits start from the date of purchase, so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you. When you contact 3Com for assistance, please have the following information ready:
Product model name, part number, and serial number
Proof of purchase, if you have not pre-registered your product
A list of system hardware and software, including revision level
Diagnostic error messages
Details about recent configuration changes, if applicable
To send a product directly to 3Com for repair, you must first obtain a return authorization number (RMA). Products sent to 3Com without authorization numbers clearly marked on the outside of the package will be returned to the sender unopened, at the sender's expense. If your product is registered and under warranty, you can obtain an RMA number online at http://www.h3cnetworks.com under Support, Repair & Replacement Request. First time users will need to apply for a user name and password.

Contact us
3Com offers telephone, e-mail and internet access to technical support and repair services. To access these services for your region, use the appropriate telephone number, URL or e-mail address. Find a current directory of contact information posted on the web site at http://www.h3cnetworks.com under Support, Technical Support Contact.


Acronyms
Acronym         Full spelling
#
10GE            Ten-GigabitEthernet
A
AAA             Authentication, Authorization and Accounting
ABC             Activity Based Costing
ABR             Area Border Router
AC              Alternating Current
ACK             Acknowledgement
ACL             Access Control List
ACS             Auto-Configuration Server
ADSL            Asymmetric Digital Subscriber Line
AES             Advanced Encryption Standard
AF              Assured Forwarding
AFI             Address Family Identifier (and Authority and Format Identifier)
ALG             Application Layer Gateway
AM              Accounting Management
AMB             Active Main Board
ANSI            American National Standard Institute
AP              Access Point
ARP             Address Resolution Protocol
AS              Autonomous System
ASBR            Autonomous System Boundary Router
ASCII           American Standard Code for Information Interchange
ASE             Application Service Element or Autonomous System External
ASIC            Application Specific Integrated Circuit
ASM             Any-Source Multicast
ASN             Auxiliary Signal Network
AT              Advanced Technology
AT              Adjacency Table

ATM             Asynchronous Transfer Mode
AUX             Auxiliary (port)
AVF             Active Virtual Forwarder
B
BAS             Broadband access server
BC              Bearer Control
BDR             Backup Designated Router
BE              Best Effort
BFD             Bidirectional Forwarding Detection
BGP             Border Gateway Protocol
BIMS            Branch Intelligent Management System
BOOTP           Bootstrap Protocol
BPDU            Bridge Protocol Data Unit
BRI             Basic Rate Interface
BSR             Bootstrap Router
BT              BitTorrent
BS              BSR State
BT              Burst Tolerance
C
C-BSR           Candidate Bootstrap Router
C-RP            Candidate Rendezvous Point
CA              Call Appearance
CA              Certificate Authority
CAR             Committed Access Rate
CBS             Committed Burst Size
CBT             Core-Based Tree
CBQ             Class Based Queuing
CBR             Constant Bit Rate
CBT             Core-Based Tree
CCITT           International Telephone and Telegraph Consultative Committee
CCM             Continuity Check Message
CDP             Cisco Discovery Protocol
CE              Customer Edge, Customer Edge Device
CF-Card         Compact Flash Card

CFD             Connectivity Fault Detection
CFM             Configuration File Management
CHAP            Challenge Handshake Authentication Protocol
CIDR            Classless Inter-Domain Routing
CIR             Committed Information Rate
CIST            Common and Internal Spanning Tree
CLI             Command Line Interface
CLV             Code/Length/Value
CLNP            Connectionless Network Protocol
CPE             Customer Premise Equipment
CPOS            Channelized POS
CPS             Certification Practice Statement
CPU             Central Processing Unit
CQ              Custom Queuing
CR              Carriage Return
CRC             Cyclic Redundancy Check
CRL             Certificate revocation list
CR-LSP          Constraint-based Routing LSP
CR-LDP          Constraint-based Routing LDP
CSMA/CD         Carrier Sense Multiple Access/Collision Detect
CSNP            Complete Sequence Number Packet
CSPF            Constraint Shortest Path First
CST             Common Spanning Tree
CT              Call Transfer
CV              Connectivity Verification
CVLAN           Customer Virtual Local Area Network
D
DAD             Duplicate Address Detection
DAR             Deeper Application Recognition
DCE             Data Circuit-terminal Equipment
DD              Database Description
DDN             Digital Data Network
DES             Data Encryption Standard
DHCP            Dynamic Host Configuration Protocol

DiffServ        Differentiated Service
DIS             Designated Intermediate System
DLCI            Data Link Connection Identifier
DLDP            Device Link Detection Protocol
DN              Distinguished name
DNS             Domain Name System
DoD             Downstream on Demand
DoS             Denial of Service
DR              Designated Router
DSA             Digital Signature Algorithm
DSCP            Differentiated Services Code point Priority
DSP             Digital Signal Processor (and Domain Specific Part)
DSTE            DiffServ Aware TE
DTE             Data Terminal Equipment
DU              Downstream Unsolicited
DUID            DHCP Unique Identifier
DUID-LL         DUID Based Link Layer Address
D-V             Distance Vector Routing Algorithm
DVMRP           Distance Vector Multicast Routing Protocol
DWDM            Dense Wavelength Division Multiplexing
E
EACL            Enhanced ACL
EAD             Endpoint Admission Defense
EAP             Extensible Authentication Protocol
EAPOL           Extensible Authentication Protocol over LAN
EAPOR           EAP over RADIUS
EBGP            External Border Gateway Protocol
EBS             Excess Burst Size
EF              Expedited Forwarding
EGP             Exterior Gateway Protocol
ES              End System
ES-IS           End System-Intermediate System
F
FCoE            Fabric Channel over Ethernet

FC              Forwarding Class
FCS             Frame Check Sequence
FDB             Forwarding Database
FDDI            Fiber Distributed Data Interface
FDI             Forward Defect Indication
FEC             Forwarding Equivalence Class
FFD             Fast Failure Detection
FF              Fixed filter
FG              Forwarding Group
FIB             Forwarding information base
FIFO            First In First Out
FQDN            Full Qualified Domain Name
FR              Frame Relay
FRR             Fast Reroute
FRTT            Fairness Round Trip Time
FSM             Finite State Machine
FT              Functional Test
FTP             File Transfer Protocol
G
GARP            Generic Attribute Registration Protocol
GE              Gigabit Ethernet
GR              Graceful Restart
GRE             Generic Routing Encapsulation
GTS             Generic Traffic Shaping
GVRP            GARP VLAN Registration Protocol
H
HA              High Availability
HABP            HW Authentication Bypass Protocol
HDLC            High-level Data Link Control
HEC             Header Error Control
HMAC            Hash-based Message Authentication Code
HO-DSP          High Order Part of Domain Specific Part
HoPE            Hierarchy of PE
HoVPN           Hierarchy of VPN

HQoS            Hierarchical Quality of Service
HSB             Hot Standby
HTTP            Hyper Text Transport Protocol
HTTPS           HTTP Security
H-VPLS          Hierarchy of VPLS
HVRP            Hierarchy VLAN Register Protocol
HWTACACS        HUAWEI Terminal Access Controller Access Control System
I
IA              Incoming Access or Identity Association
IANA            Internet Assigned Number Authority
IBGP            Internal Border Gateway Protocol
IBM             International Business Machines
ICMP            Internet Control Message Protocol
ICPIF           Calculated Planning Impairment Factor
ICMPv6          Internet Control Message Protocol for IPv6
ID              Identification/Identity
IDI             Initial Domain Identifier
IDP             Initial Domain Part
IEEE            Institute of Electrical and Electronics Engineers
IETF            Internet Engineering Task Force
IGMP            Internet Group Management Protocol
IGMP-Snooping   Internet Group Management Protocol Snooping
IGP             Interior Gateway Protocol
IIH             IS-to-IS Hello Protocol Data Unit
ILM             Incoming Label Map
ILS             Internet Locator Service
iMC             Intelligent Management Center
IN              Intelligent Network
IntServ         Integrated Service
IP              Internet Protocol
IPC             Inter-Process Communication
IPng            IP Next Generation
IPSec           IP Security
IPTN            IP Phone Telephony Network

IPv6            Internet protocol version 6
IPX             Internet Packet Exchange
IRDP            ICMP Router Discovery Protocol
IRF             Intelligent Resilient Framework or Intermediate Routing Function
IS              Intermediate System
ISATAP          Intra-Site Automatic Tunnel Addressing Protocol
ISDN            Integrated Services Digital Network
IS-IS           Intermediate System-to-Intermediate System intra-domain routing information exchange protocol
ISO             International Organization for Standardization
ISP             Internet service provider
ISSU            In Service Software Upgrade
IST             Internal Spanning Tree
ITU-T           International Telecommunication Union Telecommunication Standardization Sector
K
KB              Kilobyte
KEK             Key-encrypting key
L
L2TP            Layer 2 Tunneling Protocol
L2VPN           Layer 2 Virtual Private Network
L3VPN           Layer 3 Virtual Private Network
LACP            Link Aggregation Control Protocol
LACPDU          Link Aggregation Control Protocol Data Unit
LAN             Local Area Network
LAPB            Link Access Procedure, Balanced
LB              Loopback
LBM             Loopback Message
LBR             Loopback Reply
LCP             Link Control Protocol
LDAP            Lightweight Directory Access Protocol
LDP             Label Distribution Protocol
LER             Label Edge Router
LFIB            Label Forwarding Information Base
LIB             Label Information Base

LLC             Link Layer Control
LLDP            Link Layer Discovery Protocol
LLDPDU          Link Layer Discovery Protocol Data Units
LLS             Link-Local Signaling
LLSP-CDP        Link Layer Discovery Protocol-Cisco Discovery Protocol
LOC             Loss of continuity
LOG             Call Logging
LR              Line Rate
LRTT            Loop Round Trip Time
LS              Link State
LSA             Link State Advertisement
LSAck           Link State Acknowledgment
LSDB            Link State Database
LSP             Label Switch Path (and Link State Packet)
LSPAGENT        Label Switched Path AGENT
LSPDU           Link State Protocol Data Unit
LSPM            Label Switch Path Management
LSR             Link State Request or Label Switching Route
LSR             Label Switch Router
LSR-ID          Label Switch Router Identity
LSU             Link State Update
LT              Linktrace
LTM             Linktrace Message
LTR             Linktrace Reply Message
LVF             Listening Virtual Forwarder
M
MA              Maintenance Association
MAC             Media Access Control
MAD             Multi-Active Detection
MAFV            MAC-based Auth-Fail VLAN
MAN             Metropolitan Area Network
MaxBC           Max Bandwidth Constraints
MBGP            Multicast Border Gateway Protocol
MCE             Multi-VPN instance Customer Edge

MD              Multicast Domain, Maintenance Domain
MD5             Message-Digest 5
MDI             Medium Dependent Interface
MDS             Message-Digest Algorithm 5
MDT             Multicast Distribution Tree
MD5             Message-Digest Algorithm 5
MED             Multi-Exit Discriminator
MEP             Maintenance Association End Point
MFF             MAC Forced Forwarding
MGV             Mac-based guest VLAN
MIB             Management Information Base
MIP             Maintenance Association Intermediate Point
MLD             Multicast Listener Discovery Protocol
MLD-Snooping    Multicast Listener Discovery Snooping
MMC             Meet-Me Conference
MODEM           Modulator/Demodulator
MOS             Mean Opinion Scores
MP              Multilink PPP, Maintenance Point
MP-BGP          Multiprotocol extensions for BGP-4
MPE             Middle-level PE
MP-group        Multilink Point to Point Protocol group
MPLS            Multiprotocol Label Switching
MPLSFW          Multi-protocol Label Switch Forward
MPM             Multicast Port Management
MSC             Mobile Switching Center
MSDP            Multicast Source Discovery Protocol
MSOH            Multiplex Section Overhead
MSTI            Multi-Spanning Tree Instance
MSTP            Multiple Spanning Tree Protocol
MT              Multicast Tunnel
MTBF            Mean Time Between Failure
MTI             Multicast Tunnel Interface
MTTR            Mean Time To Repair
MTU             Maximum Transmission Unit

MVRF            Multicast VPN Routing and Forwarding
N
NA              Neighbor Advertisement
NAPT            Network Address Port Translation
NAPT-PT         Network Address Port Translation Protocol Translation
NAS             Network Access Server
NAT             Net Address Translation
NBMA            Non Broadcast Multi-Access
NBT             NetBIOS over TCP/IP
NCP             Network Control Protocol
ND              Neighborhood discovery
NDA             NetStream Data Analyzer
NDC             Network Data Collector
NDP             Neighbor Discovery Protocol
NET             Network Entity Title
NetBIOS         Network Basic Input/Output System
NHLFE           Next Hop Label Forwarding Entry
NLB             Network Load Balancing
NLPID           Network Layer Protocol Identifier
NLRI            Network Layer Reachability Information
NMS             Network Management Station
NPDU            Network Protocol Data Unit
NPE             Network Provider Edge
NQA             Network Quality Analyzer
NS              Neighbor Solicitation
NSAP            Network Service Access Point
NSC             NetStream Collector
N-SEL           NSAP Selector
NSR             Non-Stop Routing
NSSA            Not-So-Stubby Area
NTDP            Neighbor Topology Discovery Protocol
NTK             Need to Know
NTP             Network Time Protocol
O

OAM             Operation Administration and Maintenance
OAMPDU          OAM Protocol Data Units
OC-3            OC-3
OID             Object Identifier
OL              Optical Line
OOB             Out of Band
OS              Operating system
OSI             Open Systems Interconnection
ORF             Outbound Route Filter
OSPF            Open Shortest Path First
OUI             Organizationally Unique Identifier
P
P               Provider
P2MP            Point to MultiPoint
P2P             Point To Point
PAP             Password Authentication Protocol
PAFV            Port-based Auth-Fail VLAN
PBR             Policy-Based Route
PCB             Printed Circuit Board
PCM             Pulse Code Modulation
PD              Powered Device, Prefix Delegation or Pure Data
PDU             Protocol Data Unit
PE              Provider Edge, Provider Edge Device
PGV             Port-based Guest VLAN
PHP             Penultimate Hop Popping
PHY             Physical Layer
PIM             Protocol Independent Multicast
PIM-DM          Protocol Independent Multicast-Dense Mode
PIM-SM          Protocol Independent Multicast-Sparse Mode
PIR             Peak Information Rate
PKCS            Public Key Cryptography Standards
PKI             Public Key Infrastructure
PLR             Point of Local Repair
PMTU            Path MTU

PoE             Power over Ethernet
POP             Point Of Presence
POS             Packet Over SDH
PPP             Point-to-Point Protocol
PPTP            Point to Point Tunneling Protocol
PPVPN           Provider-provisioned Virtual Private Network
PQ              Priority Queuing
PRC             Primary Reference Clock
PRI             Primary Rate Interface
PS              Protection Switching
PSE             Power Sourcing Equipment
PSNP            Partial Sequence Number Packet
PTMP or P2MP    Point-to-Multipoint
PTP or P2P      Point-to-Point
PVC             Permanent Virtual Channel
PW              Pseudo wires
PXE             Pre-boot Execution Environment
Q
QACL            QoS/ACL
QinQ            802.1Q in 802.1Q
QoS             Quality of Service
QQIC            Querier's Query Interval Code
QRV             Querier's Robustness Variable
R
RA              Registration Authority or Router Advertisement
RADIUS          Remote Authentication Dial in User Service
RALM            RADIUS Authenticated Login using MAC-address
RAM             Random-Access Memory
RD              Routing Domain
RD              Router Distinguisher
RED             Random Early Detection
RFC             Request For comments
RIB             Routing Information Base
RID             Router ID

RIP             Routing Information Protocol
RIPng           RIP next generation
RM              Route Management
RMON            Remote Monitoring
ROM             Read Only Memory
RP              Rendezvous Point
RPC             Remote Procedure Call
RPF             Reverse Path Forwarding
RPR             Resilient Packet Ring
RPT             Rendezvous Point Tree
RR              Route Reflector
RRPP            Rapid Ring Protection Protocol
RRPPD           Rapid Ring Protection Protocol Data Unit
RS              Router Solicitation
RSA             Rivest-Shamir-Adleman Algorithm
RSB             Reservation State Block
RSOH            Regenerator Section Overhead
RSTP            Rapid Spanning Tree Protocol
RSVP            Resource Reservation Protocol
RSVP-TE         Resource Reservation Protocol Traffic Engineering
RT              Route Target
RTCP            Real-time Transport Control Protocol
RTE             Route Table Entry
RTP             Real-time Transport Protocol
RTP             Real-time Transport Protocol
S
SA              Source Active or Suppress Advertisement
SAFI            Subsequent Address Family Identifier
SBM             Sub-network Bandwidth Management
SCEP            Simple Certificate Enrollment Protocol
SCFF            Single Choke Fairness Frame
SD              Signal Degrade
SDH             Synchronous Digital Hierarchy
SE              Shared explicit

SEL             Selector
SETS            Synchronous Equipment Timing Source
SF              Sampling Frequency
SFM             Source-Filtered Multicast
SFTP            Secure FTP
SHA1            Secure Hash Algorithm 1
Share-MDT       Share-Multicast Distribution Tree
SIP             Session Initiation Protocol
Site-of-Origin  Site-of-Origin
SLA             Service Level Agreement
SMB             Standby Main Board
SMTP            Simple Mail Transfer Protocol
SNAP            Sub Network Access Point
SNMP            Simple Network Management Protocol
SNP             Sequence Number Packet
SNPA            Sub-network Points of Attachment
SOH             Section Overhead
SONET           Synchronous Optical Network
SOO             Site-of-Origin
SP              Strict Priority Queuing
SPE             Superstratum PE/Service Provider-end PE
SPF             Shortest Path First
SPT             Shortest Path Tree
SRPT            Sub-ring Packet Tunnel
SRPU            Switching and Routing Processing Unit
SSH             Secure Shell
SSM             Synchronization Status Marker
SSM             Source-Specific Multicast
ST              Shared Tree
STelnet         Secure Telnet
STM-1           SDH Transport Module -1
STM-16          SDH Transport Module -16
STM-16c         SDH Transport Module -16c
STM-4c          SDH Transport Module -4c

STP             Spanning Tree Protocol
SVC             Signaling Virtual Connection
SVLAN           Service Provider Virtual Local Area Network
Switch-MDT      Switch-Multicast Distribution Tree
SYN             Synchronize
T
TA              Terminal Adapter
TACACS          Terminal Access Controller Access Control System
TDM             Time Division Multiplexing
TCP             Transmission Control Protocol
TCN             Topology Change Notification
TE              Traffic Engineering
TEDB            Traffic Engineering Database
TFTP            Trivial File Transfer Protocol
TLS             Transparent LAN Service
TLV             Type-Length-Value
ToS             Type of Service
TP              Traffic Policing
TPID            Tag Protocol Identifier
TRIP            Trigger RIP
TS              Traffic Shaping
TTL             Time to Live
TTY             True Type Terminal
U
U/L             Universal/Local
UDP             User Datagram Protocol
UPE             Under-layer PE or User-end PE
URL             Uniform Resource Locators
URPF            Unicast Reverse Path Forwarding
USM             User-Based Security Model
V
VBR             Variable Bit Rate
VCI             Virtual Channel Identifier
VE              Virtual Ethernet

VF              Virtual Forwarder
VFS             Virtual File System
VLAN            Virtual Local Area Network
VLL             Virtual Leased Lines
VOD             Video On Demand
VoIP            Voice over IP
VOS             Virtual Operate System
VPDN            Virtual Private Dial-up Network
VPDN            Virtual Private Data Network
VPI             Virtual Path Identifier
VPLS            Virtual Private Local Switch
VPN             Virtual Private Network
VRID            Virtual Router ID
VRRP            Virtual Router Redundancy Protocol
VSI             Virtual Switch Interface
VT              Virtual Tributary
VTY             Virtual Type Terminal
W
WAN             Wide Area Network
WFQ             Weighted Fair Queuing
WINS            Windows Internet Naming Service
WLAN            Wireless Local Area Network
WRED            Weighted Random Early Detection
WRR             Weighted Round Robin
WTR             Wait-to-Restore
WWW             World Wide Web
X
XGE             Ten-GigabitEthernet
Z
ZBR             Zone Border Router
