锐捷acl调用、丢包排查（acl计数）

### 查看ACL规则
vlan88的acl

#### 查看全部acl规则
`show access-lists`
```
RuiJie#show access-lists
……
ip access-list extended deny_by_88
 5 permit ip 192.168.88.0 0.0.0.255 192.168.88.0 0.0.0.255
……
```

#### 查看指定acl的配置
```
RuiJie#con t
RuiJie(config)#ip access-list extended deny_by_88
RuiJie(config-ext-nacl)#show this

Building configuration...
!
 5 permit ip 192.168.88.0 0.0.0.255 192.168.88.0 0.0.0.255
 21 permit ip host 192.168.88.66 192.168.123.0 0.0.0.255
 50 permit ip 192.168.88.0 0.0.0.255 host 10.11.12.13
 98 permit tcp 192.168.88.0 0.0.0.255 192.168.124.0 0.0.0.255 eq 10001
 111 deny ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255
 112 deny ip 192.168.88.0 0.0.0.255 172.16.0.0 0.15.255.255
 113 deny ip 192.168.88.0 0.0.0.255 10.0.0.0 0.255.255.255
 119 permit ip any any
```
### 查看ACL引入规则

全局引入acl、vlan接口下引入acl

`show access-group`
```
RuiJie#show access-group
ip access-group deny_by_88 out
Applied On Global
ip access-group deny_by_20 in
Applied On interface VLAN 20
ip access-group deny_by_66 out
ip access-group deny_by_66 in
Applied On interface VLAN 66
ip access-group deny_by_70 in
Applied On interface VLAN 70
```
上面的示例中 deny_by_88 out  是全局引入acl，各vlan都匹配规则；
deny_by_20、deny_by_66等，只在对应的vlna接口引用了。

### 修改ACL生效范围
```
#在vlan88接口下，引入acl
RuiJie(config)#in vlan 88
RuiJie(config-if-VLAN 88)#ip access-group deny_by_88 in
RuiJie(config-if-VLAN 88)#ex
#关闭全局引入acl
RuiJie(config)#no ip access-group deny_by_88 out
RuiJie(config)#
RuiJie(config)#exit
RuiJie#ping 192.168.123.123 source 192.168.88.1
Sending 5, 100-byte ICMP Echoes to 192.168.123.123, timeout is 2 seconds:
  < press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms.

```

### 配置acl规则，用于统计数据包
```
#创建acl jishu（计数）
RuiJie(config)#ip access-list extended jishu
RuiJie(config-ext-nacl)#show th

Building configuration...
!
end
RuiJie(config-ext-nacl)#per ip ho 192.168.88.1 ho 192.168.123.120
RuiJie(config-ext-nacl)#per ip ho 192.168.123.120 ho 192.168.88.1
RuiJie(config-ext-nacl)#per ip an an
RuiJie(config-ext-nacl)#show th

Building configuration...
!
 10 permit ip host 192.168.88.1 host 192.168.123.120
 20 permit ip host 192.168.123.120 host 192.168.88.1
 30 permit ip any any
!
end
RuiJie(config-ext-nacl)#ex
RuiJie(config)#
RuiJie(config)#ip access-list counter jishu
RuiJie(config)#in ten 0/7
RuiJie(config-if-TenGigabitEthernet 0/7)#ip access-group jishu in
RuiJie(config-if-TenGigabitEthernet 0/7)#ip access-group jishu out
RuiJie(config-if-TenGigabitEthernet 0/7)#ex
RuiJie(config)#ex
RuiJie#clear
RuiJie#clear counters
RuiJie#ping 192.168.123.120 sou
RuiJie#ping 192.168.123.120 source 192.168.88.1 ntimes 10
Sending 10, 100-byte ICMP Echoes to 192.168.123.120, timeout is 2 seconds:
  < press Ctrl+C to break >
..........
Success rate is 0 percent (0/10).

#交换机查看数据转发统计：
RuiJie#sh access-lists
```
参考：[锐捷交换丢包定义（acl计数）](https://blog.csdn.net/gritBoys/article/details/116230882 "锐捷交换丢包定义（acl计数）")
```
RuiJie#show arp | in 192.168.123.120
Internet  192.168.123.120  32        d094.6655.aabb  arpa   VLAN 200
RuiJie#show mac | in d094.6655.aabb
 200        d094.6655.aabb       DYNAMIC  TenGigabitEthernet 0/7
RuiJie#show ll nei in ten 0/7 de
----------------------------------------------------------------------------
LLDP neighbor-information of port [TenGigabitEthernet 0/7]
----------------------------------------------------------------------------
  Neighbor index                    : 1
  Device type                       : LLDP Device
  Update time                       : 2minutes 36seconds
  Aging time                        : 1minutes 35seconds

Chassis ID type                   : MAC address
  Chassis ID                        : 0c3a.fac6.cf70
  System name                       : H3C
  System description                : H3C Comware Platform Software, Software Version 7.1.070, Release 6318P01
H3C S5024E-X
Copyright (c) 2004-2020 New H3C Technologies Co., Ltd. All rights reserved.
  System capabilities supported     : Bridge, Router
  System capabilities enabled       : Bridge, Router

Management address subtype        : ipv4
  Management address                : 192.168.90.13
  Interface numbering subtype       : ifIndex
  Interface number                  : 634
  Object identifier  
```

```
show in cou summary up
Interface       InOctets             InUcastPkts          InMulticastPkts      InBroadcastPkts
--------------- -------------------- -------------------- -------------------- --------------------
……

Interface       OutOctets            OutUcastPkts         OutMulticastPkts     OutBroadcastPkts
--------------- -------------------- -------------------- -------------------- --------------------
……
```