
Configuring 5-Tuple Packet Discarding Statistics Using the CLI

This section describes how to configure 5-tuple packet discarding statistics using the CLI.

Context

Configuring 5-tuple packet discarding statistics can affect device performance to some extent, so use this function with caution.

After you finish locating network problems, stop collecting packet drop statistics and clear the configuration.

Procedure

  1. Run the system-view command to enter the system view.
  2. Run the acl [ number ] acl-number [ vpn-instance vpn-instance-name ] command to create an advanced ACL.

    The acl-number of an advanced ACL ranges from 3000 to 3999.

  3. Run the rule [ rule-id ] permit { udp | tcp } source source-ip-address source-wildcard source-port source-port destination destination-ip-address destination-wildcard destination-port destination-port or rule [ rule-id ] permit { icmp | gre | igmp | ip | ipinip | ospf | sctp | protocol } source source-ip-address source-wildcard destination destination-ip-address destination-wildcard command to configure an advanced ACL based on the 5-tuple (protocol, source/destination IP address, and source/destination port).
  4. Run the quit command to return to the system view.
  5. Run the diagnose command to access the diagnose view.
  6. Run the firewall statistics acl acl-number [ all-systems ] command to bind the packet statistics collection function with the ACL.

    If you run the firewall statistics acl acl-number command multiple times, the most recent configuration takes effect.

  7. Enable the 5-tuple packet statistics function.

    • Enable the IPv4 5-tuple packet statistics function:

      Run the firewall statistics acl acl-number timeout aging-time [ all-systems ] enable command to enable the IPv4 5-tuple packet statistics function and set the packet statistics aging time.

    • Enable the IPv6 5-tuple packet statistics function:

      Run the firewall ipv6 statistics acl acl-number [ timeout aging-time ] [ all-systems ] enable command to enable the IPv6 5-tuple packet statistics function and set the packet statistics aging time.

    By default, the 5-tuple packet statistics collection function is disabled. A large statistics collection condition range affects device performance. Therefore, you are advised to configure a refined IP address or port number.

  8. Optional: Enable 5-tuple packet statistics collection for GRE inner packets.

    Run the firewall statistics tunnel-protocol gre enable command to enable 5-tuple packet statistics collection for GRE inner packets. After that, you can view statistics about GRE inner packets (5-tuples of original packets). Outer GRE packets are not counted. This enables you to view key information about GRE packets, helping you locate and analyze faults.

    By default, 5-tuple packet statistics collection for GRE inner packets is disabled. That is, only statistics on outer packets are collected.

  9. View 5-tuple packet statistics information.

    The FW also supports the display firewall statistics acl fast-forwarding command to display statistics on hardware fast forwarded IPv4 packets.

Follow-up Procedure

After fault locating is complete, run the undo firewall statistics acl command to disable the 5-tuple packet statistics collection function so that it does not adversely affect device performance.
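
The procedure and follow-up step above as one command sequence, for a case where UDP port 500 packets between two hosts are suspected of being dropped. This is an added example, not part of the original page. Assumptions: the ACL number, rule ID, addresses, ports and aging time are constructed sample values, and the eq port operator comes from general VRP ACL syntax because the template in step 3 shows only the port value.

```text
# Steps 1-2: enter the system view and create an advanced ACL (3000 to 3999).
system-view
acl number 3001

# Step 3: refined 5-tuple, one source host, one destination host, fixed ports.
rule 5 permit udp source 10.1.1.10 0.0.0.0 source-port eq 500 destination 10.2.2.20 0.0.0.0 destination-port eq 500

# Avoid a wide condition range such as the following, which the note in
# step 7 warns will affect device performance:
#   rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255

# Steps 4-5: return to the system view, then enter the diagnose view.
quit
diagnose

# Step 6: bind statistics collection to the ACL (the last binding wins).
firewall statistics acl 3001

# Step 7: enable IPv4 5-tuple statistics with an aging time
# (5 is a sample value; confirm the unit and valid range on the device).
firewall statistics acl 3001 timeout 5 enable

# Step 9: display statistics on hardware fast-forwarded IPv4 packets.
display firewall statistics acl fast-forwarding

# Follow-up: disable collection as soon as fault locating is complete.
undo firewall statistics acl
```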

Copyright © Huawei Technologies Co., Ltd.