02-ACL Commands
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for commands may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
ACL Configuration Commands
acl
Syntax
acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl { all | name acl-name | number acl-number }
View
System view
Default Level
2: System level
Parameters
number acl-number: Specifies the number of an IPv4 access control list (ACL):
- 100 to 199 for WLAN ACLs
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
name acl-name: Assigns a name for the IPv4 ACL for the ease of identification. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
- auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL in the ACL and QoS Configuration Guide for more information.
- config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv4 ACLs.
Description
Use the acl command to create an IPv4 ACL and enter its view. If the ACL has been created, you enter its view directly.
Use the undo acl command to delete the specified or all IPv4 ACLs.
By default, no ACL exists.
You can assign a name for an IPv4 ACL only when you create it. After creating an ACL, you can neither rename it nor remove its name, if any.
You can change match order only for ACLs that do not contain any rules.
The match-order keyword is not available for WLAN ACLs; they always use the config order. The name keyword is also not available for WLAN ACLs.
To display any ACLs you have created, use the display acl command.
Examples
# Create IPv4 basic ACL 2000, and enter its view.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000]
# Create IPv4 basic ACL 2001, named flow, and enter its view.
<Sysname> system-view
[Sysname] acl number 2001 name flow
[Sysname-acl-basic-2001-flow]
acl copy
Syntax
acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
View
System view
Default Level
2: System level
Parameters
source-acl-number: Specifies a source IPv4 ACL that already exists by its number:
- 100 to 199 for WLAN ACLs
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
name source-acl-name: Specifies a source IPv4 ACL that already exists by its name. The source-acl-name argument takes a case insensitive string of 1 to 32 characters.
dest-acl-number: Assigns a unique number for the IPv4 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
- 100 to 199 for WLAN ACLs
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
name dest-acl-name: Assigns a unique name for the IPv4 ACL you are creating. The dest-acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use the acl copy command to create an IPv4 ACL by copying an IPv4 ACL that already exists. Except the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv4 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.
The name keyword and argument combinations are not available for WLAN ACLs.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
acl ipv6
Syntax
acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
undo acl ipv6 { all | name acl6-name | number acl6-number }
View
System view
Default Level
2: System level
Parameters
number acl6-number: Specifies the number of an IPv6 ACL:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs
name acl6-name: Assigns a name for the IPv6 ACL for the ease of identification. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter, and to avoid confusion, cannot be all.
match-order: Sets the order in which ACL rules are compared against packets:
- auto: Compares ACL rules in depth-first order. The depth-first order differs with ACL categories. See ACL in the ACL and QoS Configuration Guide for more information.
- config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has higher priority. If no match order is specified, the config order applies by default.
all: Deletes all IPv6 ACLs.
Description
Use the acl ipv6 command to create an IPv6 ACL and enter its ACL view. If the ACL has been created, you enter its view directly.
Use the undo acl ipv6 command to delete the specified IPv6 ACL or all IPv6 ACLs.
By default, no ACL exists.
You can assign a name for an IPv6 ACL only when you create it. After creating an ACL, you can neither rename it, nor remove its name.
You can change match order only for ACLs that do not contain any rules.
To display any ACLs you have created, use the display acl ipv6 command.
Examples
# Create IPv6 ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000]
# Create IPv6 basic ACL 2001, named flow, and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 number 2001 name flow
[Sysname-acl6-basic-2001-flow]
acl ipv6 copy
Syntax
acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }
View
System view
Default Level
2: System level
Parameters
source-acl6-number: Specifies a source IPv6 ACL that already exists by its number:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs
name source-acl6-name: Specifies a source IPv6 ACL that already exists by its name. The source-acl6-name argument takes a case insensitive string of 1 to 32 characters.
dest-acl6-number: Assigns a unique number for the IPv6 ACL you are creating. This number must be from the same ACL category as the source ACL. Available value ranges include:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs
name dest-acl6-name: Assigns a unique name for the IPv6 ACL you are creating. The dest-acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all. For this ACL, the system automatically picks the smallest number from all available numbers in the same ACL category as the source ACL.
Description
Use the acl ipv6 copy command to create an IPv6 ACL by copying an IPv6 ACL that already exists. Except the number and name (if any), the new ACL has the same configuration as the source ACL.
You can assign a name for an IPv6 ACL only when you create it. After it is created, you can neither rename it nor remove its name, if any.
Examples
# Create IPv6 basic ACL 2002 by copying IPv6 basic ACL 2001.
<Sysname> system-view
[Sysname] acl ipv6 copy 2001 to 2002
acl ipv6 name
Syntax
acl ipv6 name acl6-name
View
System view
Default Level
2: System level
Parameters
acl6-name: Specifies the name of an existing IPv6 ACL, a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the acl ipv6 name command to enter the view of an existing IPv6 ACL by specifying its name.
Related commands: acl ipv6.
Examples
# Enter the view of IPv6 ACL flow.
<Sysname> system-view
[Sysname] acl ipv6 name flow
[Sysname-acl6-basic-2001-flow]
acl name
Syntax
acl name acl-name
View
System view
Default Level
2: System level
Parameters
acl-name: Specifies the name of an existing IPv4 ACL, which is a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the acl name command to enter the view of an existing IPv4 ACL by specifying its name.
Related commands: acl.
Examples
# Enter the view of IPv4 ACL flow.
<Sysname> system-view
[Sysname] acl name flow
[Sysname-acl-basic-2001-flow]
description
Syntax
description text
undo description
View
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
text: ACL description, a case sensitive string of 1 to 127 characters.
Description
Use the description command to configure a description for an ACL.
Use the undo description command to remove the ACL description.
By default, an ACL has no ACL description.
Related commands: display acl and display acl ipv6.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] description This is an IPv4 basic ACL.
# Configure a description for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] description This is an IPv6 basic ACL.
display acl
Syntax
display acl { acl-number | all | name acl-name }
View
Any view
Default Level
1: Monitor level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
- 100 to 199 for WLAN ACLs
- 2000 to 2999 for basic ACLs
- 3000 to 3999 for advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
all: Displays information for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the display acl command to display configuration and match statistics for the specified or all IPv4 ACLs.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics for all IPv4 ACLs.
<Sysname> display acl all
Basic ACL 2000, named flow, 3 rules,
ACL's step is 5
rule 0 permit
rule 5 permit source 1.1.1.1 0 (2 times matched)
Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
rule 5 permit source 2.2.2.2 0
rule 0 permit
Table 1-1 display acl command output description
Field | Description |
---|---|
Basic ACL 2000 | Category and number of the ACL. The following field information is about IPv4 basic ACL 2000. |
named flow | The name of the ACL is flow. "-none-" means the ACL is not named. This field is not present for a WLAN ACL. |
3 rules | The ACL contains three rules. |
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
ACL's step is 5 | The rule numbering step is 5. |
rule 0 permit | Content of rule 0. |
5 times matched | There have been five matches for the rule. The statistic counts only ACL matches performed by software. This field is not displayed when no packets have matched the rule. |
No statistics resource | Resources are not enough for counting matches for the IPv4 rules. |
Uncompleted | Applying the rule to hardware failed. |
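Added example, not part of the H3C reference: a Python parser for the display acl output format shown above. It extracts the per-ACL header fields and the per-rule match counters, then lists deny rules that have matched traffic, which is the first thing to review when auditing what an ACL is actually blocking. The sample text is constructed in the displayed format; its addresses and counts are made up. Remember that the counters reflect only matches performed in software, as the table states.

```python
import re

# Constructed sample in the "display acl all" format above (addresses/counts made up).
SAMPLE_OUTPUT = """\
Basic ACL 2000, named flow, 3 rules,
ACL's step is 5
rule 0 permit
rule 5 permit source 1.1.1.1 0 (2 times matched)
rule 10 deny source 10.0.0.0 0.255.255.255 (17 times matched)
Basic ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
rule 5 permit source 2.2.2.2 0
rule 0 permit
rule 10 deny source 192.168.1.0 0.0.0.255 (1 times matched)
"""

# "Basic ACL 2000, named flow, 3 rules," with an optional "match-order is auto," tail.
ACL_HEADER = re.compile(
    r"^(?P<category>.+?) ACL (?P<number>\d+), named (?P<name>\S+), "
    r"(?P<count>\d+) rules?,(?: match-order is (?P<order>\w+),)?$"
)
# "rule 5 permit source 1.1.1.1 0 (2 times matched)"; the hit count is optional.
RULE_LINE = re.compile(
    r"^rule (?P<id>\d+) (?P<action>permit|deny)(?P<body>.*?)"
    r"(?: \((?P<hits>\d+) times matched\))?$"
)


def parse_display_acl(text):
    """Return a list of ACL dicts, each with its header fields and parsed rules."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            acls.append({
                "category": m["category"],
                "number": int(m["number"]),
                "name": None if m["name"] == "-none-" else m["name"],
                # The field is absent when the match order is config (Table 1-1).
                "match_order": m["order"] or "config",
                "step": None,
                "rules": [],
            })
            continue
        if acls and line.startswith("ACL's step is "):
            acls[-1]["step"] = int(line.rsplit(" ", 1)[1])
            continue
        m = RULE_LINE.match(line)
        if m and acls:
            acls[-1]["rules"].append({
                "id": int(m["id"]),
                "action": m["action"],
                "criteria": m["body"].strip(),
                # No "(N times matched)" suffix means no packet has matched the rule.
                "hits": int(m["hits"]) if m["hits"] else 0,
            })
    return acls


def deny_rules_with_hits(acls):
    """(acl number, rule id, criteria, hits) for every deny rule that has matched traffic.
    A climbing deny counter shows blocked traffic that is still being attempted."""
    return [(a["number"], r["id"], r["criteria"], r["hits"])
            for a in acls for r in a["rules"]
            if r["action"] == "deny" and r["hits"] > 0]


if __name__ == "__main__":
    for acl_number, rule_id, criteria, hits in deny_rules_with_hits(parse_display_acl(SAMPLE_OUTPUT)):
        print(f"ACL {acl_number} rule {rule_id} ({criteria}): {hits} hits")
```

The header regex also accepts the "Basic IPv6 ACL 2000" form produced by display acl ipv6, so the same parser can be run over both outputs.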
display acl ipv6
Syntax
display acl ipv6 { acl6-number | all | name acl6-name }
View
Any view
Default Level
1: Monitor level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs
all: Displays information for all IPv6 ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the display acl ipv6 command to display the configuration and match statistics for the specified or all IPv6 ACLs.
This command displays ACL rules in config or depth-first order, whichever is configured.
Examples
# Display the configuration and match statistics for all IPv6 ACLs.
<Sysname> display acl ipv6 all
Basic IPv6 ACL 2000, named flow, 3 rules,
ACL's step is 5
rule 0 permit
rule 5 permit source 1::/64
rule 10 permit source 1::1/128 (2 times matched)
Basic IPv6 ACL 2001, named -none-, 3 rules, match-order is auto,
ACL's step is 5
rule 10 permit source 1::1/128
rule 10 comment This rule is used on Ethernet 1/0/1.
rule 5 permit source 1::/64
rule 0 permit
Table 1-2 display acl ipv6 command output description
Field | Description |
---|---|
Basic IPv6 ACL 2000 | Category and number of the ACL. The following field information is about IPv6 basic ACL 2000. |
named flow | The name of the ACL is flow. "-none-" means the ACL is not named. |
3 rules | The ACL contains three rules. |
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not present when the match order is config. |
ACL's step is 5 | The rule numbering step is 5. |
rule 0 permit | Content of rule 0. |
5 times matched | There have been five matches for the rule. The statistic counts only IPv6 ACL matches performed by software. This field is not displayed when no packets have matched the rule. |
No statistics resource | Resources are not enough for counting matches for the IPv6 ACL rules. |
Uncompleted | Applying the rule to hardware failed. |
rule 10 comment This rule is used on Ethernet 1/0/1. | The description of ACL rule 10 is "This rule is used on Ethernet 1/0/1." |
display time-range
Syntax
display time-range { time-range-name | all }
View
Any view
Default Level
1: Monitor level
Parameters
time-range-name: Specifies a time range name, which is a case insensitive string of 1 to 32 characters. It must start with an English letter.
all: Displays the configuration and status of all existing time ranges.
Description
Use the display time-range command to display the configuration and status of the specified or all time ranges.
Examples
# Display the configuration and status of time range t4.
<Sysname> display time-range t4
Current time is 17:12:34 4/13/2010 Tuesday
Time-range : t4 ( Inactive )
10:00 to 12:00 Mon
14:00 to 16:00 Wed
from 00:00 1/1/2010 to 23:59 1/31/2010
from 00:00 6/1/2010 to 23:59 6/30/2010
Table 1-3 display time-range command output description
Field | Description |
---|---|
Current time | Current system time |
Time-range | Configuration and status of the time range, including its name, status (active or inactive), and start time and end time. |
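Added example, not part of the H3C reference: a Python parser for the display time-range output above that rebuilds the periodic (weekday and time-of-day) and absolute (date span) statements and recomputes whether the range is active at a given time, so the reported status can be cross-checked before relying on a time-based rule. The sample text is the t4 range from the example. Two points are assumptions of this example rather than statements of the reference: a range with both kinds of statement is treated as active only when a periodic statement and an absolute statement both match, and the weekday words recognized are the three-letter names shown in the output plus "daily".

```python
import re
from datetime import datetime

# The t4 range from the display output above, reproduced as constructed sample text.
SAMPLE = """\
Current time is 17:12:34 4/13/2010 Tuesday
Time-range : t4 ( Inactive )
 10:00 to 12:00 Mon
 14:00 to 16:00 Wed
 from 00:00 1/1/2010 to 23:59 1/31/2010
 from 00:00 6/1/2010 to 23:59 6/30/2010
"""

# Assumption: weekday words are the three-letter names shown in the output, plus "daily".
WEEKDAYS = {"Mon": {0}, "Tue": {1}, "Wed": {2}, "Thu": {3}, "Fri": {4}, "Sat": {5}, "Sun": {6},
            "daily": set(range(7))}
CURRENT = re.compile(r"^Current time is (\d\d:\d\d:\d\d \d+/\d+/\d{4})")
HEADER = re.compile(r"^Time-range : (\S+) \( (\w+) \)$")
PERIODIC = re.compile(r"^(\d\d):(\d\d) to (\d\d):(\d\d) (.+)$")
ABSOLUTE = re.compile(r"^from (\d\d:\d\d \d+/\d+/\d{4}) to (\d\d:\d\d \d+/\d+/\d{4})$")


def parse_time_range(text):
    """Parse one time range block into its current time, name, reported status and statements."""
    tr = {"now": None, "name": None, "reported": None, "periodic": [], "absolute": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := CURRENT.match(line):
            tr["now"] = datetime.strptime(m[1], "%H:%M:%S %m/%d/%Y")
        elif m := HEADER.match(line):
            tr["name"], tr["reported"] = m[1], m[2]
        elif m := PERIODIC.match(line):
            start = int(m[1]) * 60 + int(m[2])          # minutes since midnight
            end = int(m[3]) * 60 + int(m[4])
            days = set().union(*(WEEKDAYS[d] for d in m[5].split()))
            tr["periodic"].append((start, end, days))
        elif m := ABSOLUTE.match(line):
            fmt = "%H:%M %m/%d/%Y"
            tr["absolute"].append((datetime.strptime(m[1], fmt), datetime.strptime(m[2], fmt)))
    return tr


def is_active(tr, at=None):
    """Recompute the status at time 'at' (default: the displayed current time).
    Assumption: periodic statements are ORed with each other, absolute statements likewise,
    and when both kinds exist one of each must match."""
    at = at or tr["now"]
    minute = at.hour * 60 + at.minute
    periodic_ok = not tr["periodic"] or any(
        s <= minute <= e and at.weekday() in days for s, e, days in tr["periodic"])
    absolute_ok = not tr["absolute"] or any(s <= at <= e for s, e in tr["absolute"])
    return periodic_ok and absolute_ok


if __name__ == "__main__":
    tr = parse_time_range(SAMPLE)
    print(tr["name"], "reported", tr["reported"], "- recomputed active:", is_active(tr))
```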
reset acl counter
Syntax
reset acl counter { acl-number | all | name acl-name }
View
User view
Default Level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number:
- 100 to 199 for WLAN ACLs
- 2000 to 2999 for IPv4 basic ACLs
- 3000 to 3999 for IPv4 advanced ACLs
- 4000 to 4999 for Ethernet frame header ACLs
all: Clears statistics for all IPv4 ACLs.
name acl-name: Specifies an IPv4 ACL by its name. The acl-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the reset acl counter command to clear statistics for the specified or all IPv4 ACLs.
Related commands: display acl.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
# Clear statistics for IPv4 ACL flow.
<Sysname> reset acl counter name flow
reset acl ipv6 counter
Syntax
reset acl ipv6 counter { acl6-number | all | name acl6-name }
View
User view
Default Level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number:
- 2000 to 2999 for IPv6 basic ACLs
- 3000 to 3999 for IPv6 advanced ACLs
all: Clears statistics for all IPv6 basic and advanced ACLs.
name acl6-name: Specifies an IPv6 ACL by its name. The acl6-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the reset acl ipv6 counter command to clear statistics for the specified or all IPv6 basic and IPv6 advanced ACLs.
Related commands: display acl ipv6.
Examples
# Clear statistics for IPv6 basic ACL 2001.
<Sysname> reset acl ipv6 counter 2001
# Clear statistics for IPv6 ACL flow.
<Sysname> reset acl ipv6 counter name flow
rule (Ethernet frame header ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
undo rule rule-id time-range
View
Ethernet frame header ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
dest-mac dest-addr dest-mask: Matches a destination MAC address range. The dest-addr and dest-mask arguments represent a destination MAC address and mask in H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask.
type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask.
source-mac sour-addr source-mask: Matches a source MAC address range. The sour-addr argument represents a source MAC address, and the source-mask argument represents a mask in H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the rule command to create or edit an Ethernet frame header ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an Ethernet frame header ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an Ethernet frame header ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, and step.
Examples
# Create a rule in ACL 4000 to deny packets with the 802.1p priority of 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3
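Added example, not part of the H3C reference: a Python parser and matcher for the Ethernet frame header rule syntax above, covering the cos (numeric or named 802.1p priority), dest-mac/source-mac in H-H-H notation with a mask, and type/lsap with a 16-bit hexadecimal mask. The reference says the MAC and type arguments take a mask but does not spell out its polarity; this example assumes that bits set to 1 in the mask are compared and bits set to 0 are ignored, so ffff-ffff-ffff means an exact match. The frames it is tested against are constructed dicts using MAC addresses from the documentation range 00-00-5E-00-53-xx.

```python
# 802.1p priority names from the cos parameter description.
COS_NAMES = {"best-effort": 0, "background": 1, "spare": 2, "excellent-effort": 3,
             "controlled-load": 4, "video": 5, "voice": 6, "network-management": 7}


def mac_to_int(hhh):
    """Parse H-H-H notation (three groups of four hex digits), e.g. 0000-5e00-5301."""
    parts = hhh.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"not H-H-H notation: {hhh}")
    return int("".join(parts), 16)


def masked_match(value, base, mask):
    """Assumption of this example: 1 bits in the mask are compared, 0 bits are ignored."""
    return (value & mask) == (base & mask)


def parse_frame_rule(text):
    """Parse 'rule [id] {deny|permit} [cos ..] [dest-mac ..] [source-mac ..] [type ..] [lsap ..]'."""
    tok = text.split()
    if tok[0] != "rule":
        raise ValueError("expected a rule line")
    i, rule = 1, {"id": None}
    if tok[i].isdigit():                      # optional rule ID
        rule["id"] = int(tok[i]); i += 1
    rule["action"] = tok[i]; i += 1
    while i < len(tok):
        kw = tok[i]; i += 1
        if kw == "cos":
            rule["cos"] = COS_NAMES[tok[i]] if tok[i] in COS_NAMES else int(tok[i]); i += 1
        elif kw in ("dest-mac", "source-mac"):
            rule[kw] = (mac_to_int(tok[i]), mac_to_int(tok[i + 1])); i += 2
        elif kw in ("type", "lsap"):          # 16-bit hex value and 16-bit hex mask
            rule[kw] = (int(tok[i], 16), int(tok[i + 1], 16)); i += 2
        elif kw == "time-range":
            rule[kw] = tok[i]; i += 1
        else:
            raise ValueError(f"keyword not handled in this example: {kw}")
    return rule


def frame_matches(rule, frame):
    """frame: constructed dict with dst/src (H-H-H strings), cos (0-7), type/lsap (ints).
    Every criterion present in the rule must match (they are ANDed)."""
    if "cos" in rule and frame.get("cos") != rule["cos"]:
        return False
    for kw, key in (("dest-mac", "dst"), ("source-mac", "src")):
        if kw in rule and not masked_match(mac_to_int(frame[key]), *rule[kw]):
            return False
    for kw in ("type", "lsap"):
        if kw in rule and (kw not in frame or not masked_match(frame[kw], *rule[kw])):
            return False
    return True


if __name__ == "__main__":
    rule = parse_frame_rule("rule deny cos 3")       # the rule from the example above
    print(frame_matches(rule, {"dst": "0000-5e00-5301", "src": "0000-5e00-5302", "cos": 3}))
```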
rule (IPv4 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | dscp | fragment | icmp-type | logging | precedence | reflective | source | source-port | time-range | tos ] *
View
IPv4 advanced ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Protocol carried by IPv4. It can be a number in the range 0 to 255, or in words, gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). Table 1-4 describes the parameters that can be specified after the protocol argument.
Table 1-4 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { sour-addr sour-wildcard \| any } | Specifies a source address | The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
destination { dest-addr dest-wildcard \| any } | Specifies a destination address | The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
precedence precedence | Specifies an IP precedence value | The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
tos tos | Specifies a ToS preference | The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
logging | Logs matching packets | This function requires that the module that uses the ACL supports logging. |
reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter. |
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.
Setting the protocol argument to tcp (6) or udp (17), you may set the parameters shown in Table 1-5.
Table 1-5 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports | Same operator, port1, and port2 semantics as for source-port. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The relationship between the TCP flags in a rule is AND. |
established | Specifies the flags for indicating the established status of a TCP connection | Parameter specific to TCP. |
Setting the protocol argument to icmp (1), you may set the parameters shown in Table 1-6.
Table 1-6 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp-type { icmp-type icmp-code \| icmp-message } | Specifies the ICMP message type and code | The icmp-type argument ranges from 0 to 255. The icmp-code argument ranges from 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 1-7. |
Table 1-7 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code |
---|---|---|
echo | 8 | 0 |
echo-reply | 0 | 0 |
fragmentneed-DFset | 3 | 4 |
host-redirect | 5 | 1 |
host-tos-redirect | 5 | 3 |
host-unreachable | 3 | 1 |
information-reply | 16 | 0 |
information-request | 15 | 0 |
net-redirect | 5 | 0 |
net-tos-redirect | 5 | 2 |
net-unreachable | 3 | 0 |
parameter-problem | 12 | 0 |
port-unreachable | 3 | 3 |
protocol-unreachable | 3 | 2 |
reassembly-timeout | 11 | 1 |
source-quench | 4 | 0 |
source-route-failed | 3 | 5 |
timestamp-reply | 14 | 0 |
timestamp-request | 13 | 0 |
ttl-exceeded | 11 | 0 |
Description
Use the rule command to create or edit an IPv4 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv4 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, and step.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port of 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
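Added example, not part of the H3C reference: a Python parser for the IPv4 advanced rule syntax above and a matcher that applies a parsed rule to a packet. It implements the wildcard-mask semantics of Table 1-4 (0 bits must match, all-zero wildcard means one host), the lt/gt/eq/neq/range port operators of Table 1-5, the AND relationship between the TCP flag values, and the icmp-type criterion with the message names of Table 1-7. Assumptions of this example: the packet is a constructed dict (src, dst, proto, sport, dport, flags, icmp); only the criteria listed here are parsed, the others raise an error; the port-name dictionary is a subset of the names in Table 1-5; and, because the reference does not say which bits mark an established connection, the established keyword is treated as ACK or RST being set.

```python
import ipaddress

# Protocol keywords from the protocol parameter, a subset of the port names in Table 1-5,
# and the ICMP message names of Table 1-7.
PROTOCOLS = {"gre": 47, "icmp": 1, "igmp": 2, "ipinip": 4, "ospf": 89, "tcp": 6, "udp": 17}
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "dns": 53,
              "snmp": 161, "syslog": 514, "ntp": 123}           # subset only
TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")
ICMP_MESSAGES = {
    "echo": (8, 0), "echo-reply": (0, 0), "fragmentneed-DFset": (3, 4),
    "host-redirect": (5, 1), "host-tos-redirect": (5, 3), "host-unreachable": (3, 1),
    "information-reply": (16, 0), "information-request": (15, 0), "net-redirect": (5, 0),
    "net-tos-redirect": (5, 2), "net-unreachable": (3, 0), "parameter-problem": (12, 0),
    "port-unreachable": (3, 3), "protocol-unreachable": (3, 2), "reassembly-timeout": (11, 1),
    "source-quench": (4, 0), "source-route-failed": (3, 5), "timestamp-reply": (14, 0),
    "timestamp-request": (13, 0), "ttl-exceeded": (11, 0),
}


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match, a 1 bit is ignored; the CLI shorthand "0"
    is the all-zero wildcard, i.e. exactly one host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def port_match(port, op, p1, p2=None):
    """Operators of Table 1-5; range is inclusive and needs port2."""
    return {"lt": port < p1, "gt": port > p1, "eq": port == p1, "neq": port != p1,
            "range": p2 is not None and p1 <= port <= p2}[op]


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_rule(text):
    """Parse one 'rule [id] {deny|permit} protocol [criteria]...' line into a dict."""
    tok = text.split()
    if tok[0] != "rule":
        raise ValueError("expected a rule line")
    i, rule = 1, {"id": None, "flags": {}}
    if tok[i].isdigit():
        rule["id"] = int(tok[i]); i += 1
    rule["action"], proto = tok[i], tok[i + 1]; i += 2
    # "ip" matches any protocol; otherwise a keyword from the table or a number 0 to 255.
    rule["protocol"] = None if proto == "ip" else (PROTOCOLS[proto] if proto in PROTOCOLS else int(proto))
    while i < len(tok):
        kw = tok[i]; i += 1
        if kw in ("source", "destination"):
            if tok[i] == "any":
                rule[kw] = None; i += 1
            else:
                rule[kw] = (tok[i], tok[i + 1]); i += 2
        elif kw in ("source-port", "destination-port"):
            op, p1, p2 = tok[i], _port(tok[i + 1]), None; i += 2
            if op == "range":
                p2 = _port(tok[i]); i += 1
            rule[kw] = (op, p1, p2)
        elif kw in TCP_FLAGS:                     # e.g. "syn 1" / "ack 0"
            rule["flags"][kw] = int(tok[i]); i += 1
        elif kw == "established":
            rule["established"] = True
        elif kw == "icmp-type":
            if tok[i] in ICMP_MESSAGES:
                rule["icmp"] = ICMP_MESSAGES[tok[i]]; i += 1
            else:
                rule["icmp"] = (int(tok[i]), int(tok[i + 1])); i += 2
        else:
            raise ValueError(f"keyword not handled in this example: {kw}")
    return rule


def rule_matches(rule, pkt):
    """pkt is a constructed dict: src, dst, proto, sport, dport, optional flags (set of
    TCP flag names that are set) and icmp (type, code). All criteria must hold."""
    if rule["protocol"] is not None and pkt["proto"] != rule["protocol"]:
        return False
    for kw, key in (("source", "src"), ("destination", "dst")):
        if rule.get(kw) is not None and not wildcard_match(pkt[key], *rule[kw]):
            return False
    for kw, key in (("source-port", "sport"), ("destination-port", "dport")):
        if rule.get(kw) is not None and not port_match(pkt[key], *rule[kw]):
            return False
    flags = set(pkt.get("flags", ()))
    for flag, value in rule["flags"].items():      # flag criteria are ANDed
        if (flag in flags) != bool(value):
            return False
    # Assumption: "established" means ACK or RST set; the reference does not list the bits.
    if rule.get("established") and not (flags & {"ack", "rst"}):
        return False
    if rule.get("icmp") is not None and pkt.get("icmp") != rule["icmp"]:
        return False
    return True
```

Parsing the example rule from the reference, `rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80`, gives protocol 6 and a destination-port criterion of ("eq", 80, None); a TCP packet from 129.9.12.34 to 202.38.160.7 port 80 matches, while the same packet to port 443 or from 129.10.0.1 does not.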
rule (IPv4 basic ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *
View
IPv4 basic ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function is available only when the application module that uses the ACL supports the logging function.
source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case insensitive string of 1 to 32 characters. It must start with an English letter.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.
Description
Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, and step.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny packets sourced from 1.1.1.1/32.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
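Added example, not part of the H3C reference: a small Python model of an IPv4 basic ACL that enforces the rules stated in the acl and rule command descriptions above. It checks the 2000 to 2999 number range and the name constraints (1 to 32 characters, starting with a letter, not "all"), assigns rule IDs as described in the rule-id parameter of every rule command on this page (the nearest higher multiple of the step above the current highest ID, so step 5 and highest ID 28 give 30), rejects a rule whose permit/deny statement duplicates an existing one, and evaluates addresses in config order (ascending rule ID, first match wins). When no rule matches it returns None, because the reference does not state what the module using the ACL does in that case. Addresses in the usage are constructed.

```python
import re
import ipaddress


class AclError(ValueError):
    """Raised where the device would refuse the command."""


def wildcard_match(addr, base, wildcard):
    """0 bits in the wildcard must match, 1 bits are ignored (all-zero wildcard = one host)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


class BasicAcl:
    NAME_RE = re.compile(r"^[A-Za-z]\S{0,31}$")

    def __init__(self, number, name=None, step=5):
        if not 2000 <= number <= 2999:
            raise AclError("IPv4 basic ACL numbers are 2000 to 2999")
        if name is not None and (not self.NAME_RE.match(name) or name.lower() == "all"):
            raise AclError("name must be 1-32 chars, start with a letter, and not be 'all'")
        self.number, self.name, self.step = number, name, step
        self.rules = {}                      # rule id -> (action, source, wildcard)

    def next_rule_id(self):
        """Nearest multiple of the step above the current highest ID; 0 for an empty ACL."""
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add_rule(self, action, source="any", wildcard=None, rule_id=None):
        if action not in ("permit", "deny"):
            raise AclError("action must be permit or deny")
        if source == "any":                  # "any" is every source address
            source, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard == "0":                  # CLI shorthand for the all-zero wildcard
            wildcard = "0.0.0.0"
        statement = (action, source, wildcard)
        # The permit/deny statement must be unique within the ACL, or the attempt fails.
        for rid, existing in self.rules.items():
            if existing == statement and rid != rule_id:
                raise AclError(f"same statement as rule {rid}")
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif not 0 <= rule_id <= 65534:
            raise AclError("rule ID must be 0 to 65534")
        self.rules[rule_id] = statement
        return rule_id

    def lookup(self, addr):
        """Config order: compare rules in ascending rule ID; the first match decides."""
        for rid in sorted(self.rules):
            action, base, wc = self.rules[rid]
            if wildcard_match(addr, base, wc):
                return action
        return None


def rejects(fn, *args, **kwargs):
    """True when the call is refused with AclError (used to show failed attempts)."""
    try:
        fn(*args, **kwargs)
    except AclError:
        return True
    return False


if __name__ == "__main__":
    acl = BasicAcl(2000, "flow")
    acl.add_rule("deny", "1.1.1.1", "0")           # the rule from the example above -> id 0
    acl.add_rule("permit", "10.0.0.0", "0.255.255.255")
    print(acl.rules, acl.lookup("1.1.1.1"), acl.lookup("10.20.30.40"))
```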
rule (IPv6 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | fragment | icmp6-type | logging | source | source-port | time-range ] *
View
IPv6 advanced ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID takes the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Matches protocol carried over IPv6. It can be a number in the range 0 to 255, or in words, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). Table 1-8 describes the parameters that can be specified after the protocol argument.
Table 1-8 Match criteria and other rule information for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { source source-prefix \| source/source-prefix \| any } | Specifies a source IPv6 address | The source and source-prefix arguments represent an IPv6 source address, and prefix length that ranges from 1 to 128. The any keyword represents any IPv6 source address. |
destination { dest dest-prefix \| dest/dest-prefix \| any } | Specifies a destination IPv6 address | The dest and dest-prefix arguments represent a destination IPv6 address, and prefix length that ranges from 1 to 128. The any keyword specifies any IPv6 destination address. |
dscp dscp | Specifies a DSCP preference | The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
logging | Logs matching packets | This function requires that the module that uses the ACL supports logging. |
fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter. |
If you set the protocol argument to tcp (6) or udp (17), you may also set the parameters shown in Table 1-9.
Table 1-9 TCP/UDP-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented in these words: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented in these words: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports | Same as for source-port. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The relationship between the TCP flags in a rule is AND. |
established | Specifies the flags for indicating the established status of a TCP connection | Parameter specific to TCP. |
If you set the protocol argument to icmpv6 (58), you may also set the parameters shown in Table 1-10.
Table 1-10 ICMPv6-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp6-type { icmp6-type icmp6-code \| icmp6-message } | Specifies the ICMPv6 message type and code | The icmp6-type argument ranges from 0 to 255. The icmp6-code argument ranges from 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 1-11. |
Table 1-11 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Description
Use the rule command to create or edit an IPv6 advanced ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv6 advanced ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv6 advanced ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Related commands: acl ipv6, display ipv6 acl, and step.
Examples
# Create an IPv6 ACL rule to permit TCP packets with the destination port of 80 from 2030:5060::/64 to FE80:5060::/96.
<Sysname> system-view
[Sysname] acl ipv6 number 3000
[Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
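As an added example (not H3C code), the following Python models the match semantics described above for an IPv6 advanced ACL: prefix matching on source and destination, the lt/gt/eq/neq/range port operators, the AND relationship between TCP flags, and the config match order. The Packet and Rule classes, the evaluate function and rule 5 are constructed for illustration; rule 0 is the rule from the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example, not H3C code: a small evaluator for the IPv6 advanced ACL match
# criteria in Tables 1-8 and 1-9. Packet and Rule are constructed for illustration.
@dataclass
class Packet:
    src: str
    dst: str
    protocol: int                  # 6 = tcp, 17 = udp, 58 = icmpv6
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: dict = field(default_factory=dict)   # e.g. {"syn": 1, "ack": 0}

@dataclass
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    protocol: int
    source: Optional[str] = None   # e.g. "2030:5060::/64"; None means any
    destination: Optional[str] = None
    sport: Optional[tuple] = None  # ("eq", 80) or ("range", 1024, 65535)
    dport: Optional[tuple] = None
    flags: dict = field(default_factory=dict)   # ANDed, as Table 1-9 states

def port_matches(spec, port):
    """Apply the lt/gt/eq/neq/range operators of Table 1-9 to one port."""
    if spec is None:
        return True                # no port criterion in the rule
    if port is None:
        return False               # rule needs a port, packet carries none
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return {"lt": port < spec[1], "gt": port > spec[1],
            "eq": port == spec[1], "neq": port != spec[1]}[spec[0]]

def in_prefix(addr, prefix):
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def rule_matches(rule, pkt):
    if rule.protocol != pkt.protocol:
        return False
    if not in_prefix(pkt.src, rule.source) or not in_prefix(pkt.dst, rule.destination):
        return False
    if not port_matches(rule.sport, pkt.sport) or not port_matches(rule.dport, pkt.dport):
        return False
    # every TCP flag named in the rule must carry its 0/1 value (AND relationship)
    return all(pkt.flags.get(f, 0) == v for f, v in rule.flags.items())

def evaluate(rules, pkt):
    """config match order: ascending rule ID, first match wins; None if no rule matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action
    return None

# Rule 0 is the rule from the example above; rule 5 is constructed and denies
# connection attempts (SYN set, ACK clear) from the same source prefix.
ACL_3000 = [
    Rule(0, "permit", 6, "2030:5060::/64", "fe80:5060::/96", dport=("eq", 80)),
    Rule(5, "deny", 6, "2030:5060::/64", flags={"syn": 1, "ack": 0}),
]
```

A packet that no rule matches yields None here; what the module applying the ACL does in that case is outside this example.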
rule (IPv6 basic ACL view)
Syntax
rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
undo rule rule-id [ fragment | logging | source | time-range ] *
View
IPv6 basic ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns one: the nearest multiple of the numbering step above the current highest rule ID, with numbering starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
fragment: Applies the rule only to non-first fragments. A rule without this keyword applies to both fragments and non-fragments.
logging: Logs matching packets. This function requires that the module that uses the ACL supports logging.
source { ipv6-address prefix-length | ipv6-address/prefix-length | any }: Matches a source IP address. The ipv6-address and prefix-length arguments represent a source IPv6 address and address prefix length in the range 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument takes a case insensitive string of 1 to 32 characters. It must start with an English letter.
Description
Use the rule command to create or edit an IPv6 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv6 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete the specific attributes.
By default, an IPv6 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl ipv6 all command.
Related commands: acl ipv6, display ipv6 acl, and step.
Examples
# Create an IPv6 basic ACL rule to deny packets sourced from FE80:5060::101/128.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule deny source fe80:5060::101/128
rule (WLAN ACL view)
Syntax
rule [ rule-id ] { permit | deny } [ ssid ssid-name ]
undo rule rule-id
View
WLAN ACL view
Default Level
2: System level
Parameters
rule-id: Specifies a rule ID, which ranges from 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns one: the nearest multiple of the numbering step above the current highest rule ID, with numbering starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
ssid-name: Specifies an SSID name, which is a case sensitive string of 1 to 32 alphanumeric characters. Spaces are allowed.
Description
Use the rule command to create or edit a WLAN ACL rule.
Use the undo rule command to delete an entire WLAN ACL rule.
By default, a WLAN ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, and step.
Examples
# Create a rule for WLAN ACL 100 to permit packets with the SSID name of user1 and apply this ACL to user interface VTY 0 to restrict user access.
<Sysname> system-view
[Sysname] acl number 100
[Sysname-acl-wlan-100] rule permit ssid user1
[Sysname-acl-wlan-100] quit
[Sysname] user-interface vty 0
[Sysname-ui-vty0] acl 100 inbound
rule comment
Syntax
rule rule-id comment text
undo rule rule-id comment
View
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
rule-id: Specifies the ID of an existing ACL rule. The ID ranges from 0 to 65534.
text: Provides a description for the ACL rule, a case sensitive string of 1 to 127 characters.
Description
Use the rule comment command to configure a description for an existing ACL rule or edit its description for the ease of identification.
Use the undo rule comment command to delete the ACL rule description.
By default, an IPv4 ACL rule has no rule description.
Related commands: display acl and display acl ipv6.
Examples
# Create a rule in IPv4 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-basic-2000] rule 0 comment This rule is used on Ethernet 1/0/1.
# Create a rule in IPv6 basic ACL 2000 and configure a description for this rule.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 1001::1 128
[Sysname-acl6-basic-2000] rule 0 comment This rule is used on Ethernet 1/0/1.
step
Syntax
step step-value
undo step
View
WLAN ACL view, IPv4 basic/advanced ACL view, IPv6 basic/advanced ACL view, Ethernet frame header ACL view
Default Level
2: System level
Parameters
step-value: ACL rule numbering step, which ranges from 1 to 20.
Description
Use the step command to set a rule numbering step for an ACL. The rule numbering step is the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5: if you do not assign IDs to the rules you create, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two existing rules. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.
Use the undo step command to restore the default.
The default rule numbering step is 5. After you restore the default numbering step with the undo step command, the rules are renumbered in steps of 5.
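As an added example (not H3C code), this Python models the numbering behaviour described for the rule and step commands: automatic ID assignment from the step and the current highest ID, rejection of a rule whose permit/deny statement duplicates another rule's, and renumbering from 0 when the step changes. The dict representation and the function names are constructed for illustration.

```python
# Added example, not H3C code: models how rule IDs are assigned automatically and
# renumbered when the step changes, as described for the rule and step commands.
# An ACL is represented as a dict mapping rule ID -> permit/deny statement.
DEFAULT_STEP = 5
MAX_RULE_ID = 65534

def next_rule_id(acl, step=DEFAULT_STEP):
    """ID for a rule created without an explicit ID: the nearest multiple of the
    step above the current highest ID (e.g. step 5, highest 28 -> 30); 0 when empty."""
    if not acl:
        return 0
    return (max(acl) // step + 1) * step

def has_duplicate(acl, statement, rule_id=None):
    """True if another rule (other than rule_id itself) already has this exact
    permit/deny statement, which makes creation or editing fail on the device."""
    return any(rid != rule_id and stmt == statement for rid, stmt in acl.items())

def add_rule(acl, statement, step=DEFAULT_STEP, rule_id=None):
    """Create or edit a rule; returns the ID used, or None if the device would reject it."""
    if has_duplicate(acl, statement, rule_id):
        return None
    if rule_id is None:
        rule_id = next_rule_id(acl, step)
    if not 0 <= rule_id <= MAX_RULE_ID:
        return None
    acl[rule_id] = statement
    return rule_id

def renumber(acl, step):
    """Whenever the step changes, rules keep their order and are renumbered
    from 0 in the new step (e.g. 5,10,13,15,20 with step 2 -> 0,2,4,6,8)."""
    return {i * step: stmt for i, (_, stmt) in enumerate(sorted(acl.items()))}

def demo():
    """Constructed walk-through: three auto-numbered rules, one inserted by ID, then 'step 2'."""
    acl = {}
    for stmt in ("deny source 1.1.1.1 0", "permit source 1.1.2.0 0.0.0.255", "permit"):
        add_rule(acl, stmt)                                  # auto-numbered 0, 5, 10
    add_rule(acl, "deny source 1.1.1.3 0", rule_id=13)       # explicit ID between two rules
    return renumber(acl, 2)                                  # after 'step 2': 0, 2, 4, 6

if __name__ == "__main__":
    print(demo())
```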
Related commands: display acl and display acl ipv6.
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] step 2
# Set the rule numbering step to 2 for IPv6 basic ACL 2000.
<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] step 2
time-range
Syntax
time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
undo time-range time-range-name [ start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 ]
View
System view
Default Level
2: System level
Parameters
time-range-name: Assigns a name for a time range. The name is a case insensitive string of 1 to 32 characters. It must start with an English letter and, to avoid confusion, cannot be all.
start-time to end-time: Specifies a periodic time range. Both start-time and end-time are in hh:mm format (24-hour clock), and each value ranges from 00:00 to 23:59. The end time must be greater than the start time.
days: Specifies the day or days of the week on which the periodic time range is valid. You may specify multiple values, in words or in digits, separated by spaces, but make sure that they do not overlap. The values are ANDed. These values can take one of the following forms:
l A digit in the range 0 to 6, respectively for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday.
l A day of a week in words, sun, mon, tue, wed, thu, fri, and sat.
l working-day for Monday through Friday.
l off-day for Saturday and Sunday.
l daily for the whole week.
from time1 date1: Specifies the start time and date of an absolute time range. The time1 argument specifies the time of the day in hh:mm format (24-hour clock). Its value ranges from 00:00 to 23:59. The date1 argument specifies a date in MM/DD/YYYY or YYYY/MM/DD format, where MM is the month of the year in the range 1 to 12, DD is the day of the month with the range depending on MM, and YYYY is the year in the usual Gregorian calendar in the range 1970 to 2100. If not specified, the start time is the earliest time available in the system, 01/01/1970 00:00 AM.
to time2 date2: Specifies the end time and date of the absolute time range. The time2 argument is in the same format as that of the time1 argument, but its value ranges from 00:00 to 24:00. The format and value range of the date2 argument are the same as those of the date1 argument. The end time must be greater than the start time. If not specified, the end time is the maximum time available in the system, 12/31/2100 24:00 PM.
Description
Use the time-range command to create a time range.
Use the undo time-range command to delete a time range.
By default, no time range exists.
You can create a time range as follows:
l Create a periodic time range in the start-time to end-time days format. A periodic time range recurs periodically on a day or days of the week.
l Create an absolute time range in the from time1 date1 to time2 date2 format. Unlike a periodic time range, an absolute time range does not recur.
l Create a compound time range in the start-time to end-time days from time1 date1 to time2 date2 format. A compound time range recurs on a day or days of the week only within the specified period. For example, to create a time range that is active from 08:00 to 12:00 on Monday between January 1, 2010 00:00 and December 31, 2010 23:59, use the time-range test 08:00 to 12:00 mon from 00:00 01/01/2010 to 23:59 12/31/2010 command.
You may create multiple time ranges with the same name. They are regarded as one time range whose active period is the result of ORing the periodic ones, ORing the absolute ones, and ANDing the periodic and absolute results.
You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most.
Related commands: display time-range.
Examples
# Create a periodic time range t1, setting it to be active from 8:00 to 18:00 on working days.
<Sysname> system-view
[Sysname] time-range t1 8:0 to 18:0 working-day
# Create an absolute time range t2, setting it to be active in the whole year of 2010.
<Sysname> system-view
[Sysname] time-range t2 from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t3, setting it to be active from 08:00 to 12:00 on Saturdays and Sundays of the year 2010.
<Sysname> system-view
[Sysname] time-range t3 8:0 to 12:0 off-day from 0:0 1/1/2010 to 23:59 12/31/2010
# Create a compound time range t4, setting it to be active from 10:00 to 12:00 on Mondays and from 14:00 to 16:00 on Wednesdays in the period of January through June of the year 2010.
<Sysname> system-view
[Sysname] time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010
[Sysname] time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010
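As an added example (not H3C code), the following Python parses time-range commands in the syntax shown above and evaluates whether a named range is active at a given moment, merging same-named entries as the description states: periodic entries ORed, absolute entries ORed, and the two results ANDed. It uses the t1 and t4 commands from the examples as constructed input; the parser, the inclusive treatment of boundaries, and the helper names are assumptions of this example.

```python
from datetime import datetime, timedelta
# Added example, not H3C code: parses time-range commands in the syntax shown above and
# decides whether a named range is active at a given moment. Entries sharing a name are
# merged as described: OR among periodic entries, OR among absolute entries, AND between the two.
DAY_WORDS = {"sun": {6}, "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4},
             "sat": {5}, "working-day": set(range(5)), "off-day": {5, 6}, "daily": set(range(7))}
DIGITS = {str(d): {(d - 1) % 7} for d in range(7)}   # device 0..6 = Sun..Sat; weekday() has Mon = 0
SYS_MIN, SYS_MAX = datetime(1970, 1, 1), datetime(2101, 1, 1)   # 01/01/1970 00:00 .. 12/31/2100 24:00
def minutes(hhmm):
    h, m = (int(x) for x in hhmm.split(":"))
    return h * 60 + m
def stamp(hhmm, date):
    """Absolute boundary from hh:mm and MM/DD/YYYY or YYYY/MM/DD (24:00 rolls to the next day)."""
    a, b, c = (int(x) for x in date.split("/"))
    day = datetime(a, b, c) if a > 31 else datetime(c, a, b)
    return day + timedelta(minutes=minutes(hhmm))

def parse(cmd, ranges):
    """Add one 'time-range NAME ...' command to ranges[NAME] = (periodic, absolute)."""
    tok = cmd.split()
    assert tok[0] == "time-range"
    periodic, absolute = ranges.setdefault(tok[1], ([], []))
    i = 2
    if i + 2 < len(tok) and ":" in tok[i] and tok[i + 1] == "to":   # start-time to end-time days
        start, end = minutes(tok[i]), minutes(tok[i + 2])
        assert end > start, "end time must be greater than start time"
        i, days = i + 3, set()
        while i < len(tok) and tok[i] not in ("from", "to"):
            days |= DAY_WORDS.get(tok[i]) or DIGITS[tok[i]]
            i += 1
        periodic.append((start, end, days))
    lo, hi, seen = SYS_MIN, SYS_MAX, False                           # defaults when from/to omitted
    if i < len(tok) and tok[i] == "from":
        lo, i, seen = stamp(tok[i + 1], tok[i + 2]), i + 3, True
    if i < len(tok) and tok[i] == "to":
        hi, i, seen = stamp(tok[i + 1], tok[i + 2]), i + 3, True
    if seen:
        assert hi > lo, "end time must be greater than start time"
        absolute.append((lo, hi))

def active(ranges, name, when):
    """Boundaries are treated as inclusive here (an assumption of this example)."""
    periodic, absolute = ranges[name]
    m = when.hour * 60 + when.minute
    per_ok = not periodic or any(s <= m <= e and when.weekday() in d for s, e, d in periodic)
    abs_ok = not absolute or any(lo <= when <= hi for lo, hi in absolute)
    return per_ok and abs_ok

# Constructed configuration: t1 and t4 exactly as in the examples above.
CONFIG = ["time-range t1 8:0 to 18:0 working-day",
          "time-range t4 10:0 to 12:0 1 from 0:0 1/1/2010 to 23:59 1/31/2010",
          "time-range t4 14:0 to 16:0 3 from 0:0 6/1/2010 to 23:59 6/30/2010"]
RANGES = {}
for line in CONFIG:
    parse(line, RANGES)

def active_at(name, year, month, day, hour, minute):
    return active(RANGES, name, datetime(year, month, day, hour, minute))
```

Because same-named entries pool, a Monday in June 2010 at 11:00 is active for t4 even though no single command line says so; the merged semantics are what the device applies.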