ACL commands
accelerate
Use accelerate to enable ACL acceleration.
Use undo accelerate to restore the default.
Syntax
accelerate
undo accelerate
Default
ACL acceleration is disabled.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
Predefined user roles
network-admin
Usage guidelines
CAUTION: If a large number of ACL rules exist, executing the undo accelerate command might cause the device to reach the severe CPU usage alarm threshold, which affects normal service processing.
This command does not take effect if the ACL resources are insufficient.
ACL acceleration can be successfully enabled only if all rules in an ACL support acceleration.
You can modify, add, or delete rules for an accelerated ACL. ACL acceleration might fail when the ACL resources are insufficient or the modified or added rule does not support acceleration.
ACL acceleration is delayed for a period after an ACL rule is added, deleted, or modified. If additional rule changes occur during the delay period, the delay timer restarts. If an ACL contains 100 or fewer rules, the delay period is 2 seconds. If an ACL contains more than 100 rules, the delay period is 20 seconds.
Examples
# Enable ACL acceleration for ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] accelerate
Related commands
display acl accelerate
acl
Use acl to create an ACL and enter its view, or enter the view of an existing ACL.
Use undo acl to delete the specified or all ACLs.
Syntax
Command set 1:
acl [ ipv6 ] number acl-number [ name acl-name ] [ match-order { auto | config } ]
undo acl [ ipv6 ] number acl-number
Command set 2:
acl [ ipv6 ] { advanced | basic } { acl-number | name acl-name } [ match-order { auto | config } ]
acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
acl user-defined { acl-number | name acl-name }
undo acl [ ipv6 ] { all | { advanced | basic } { acl-number | name acl-name } }
undo acl mac { all | acl-number | name acl-name }
undo acl user-defined { all | acl-number | name acl-name }
Default
No ACLs exist.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type. To specify the IPv4 ACL type, do not use this keyword.
basic: Specifies the basic ACL type.
advanced: Specifies the advanced ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
number acl-number: Assigns a number to the ACL. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name acl-name: Assigns a name to the ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.
match-order: Specifies the order in which ACL rules are compared against packets.
auto: Compares ACL rules in depth-first order.
config: Compares ACL rules in ascending order of rule ID. The rule with a smaller ID has a higher priority. If you do not specify a match order, the config order applies by default. The match order for the user-defined ACL can only be config.
all: Specifies all ACLs of the specified type.
Usage guidelines
If you create a numbered ACL, you can enter the view of the ACL by using either of the following commands:
· The acl [ ipv6 ] number acl-number command.
· The acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number command.
If you create a named ACL by using the acl [ ipv6 ] number acl-number name acl-name command, you can enter the view of the ACL by using either of the following commands:
· acl [ ipv6 ] number acl-number [ name acl-name ].
· acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number.
· acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name.
If you create a named ACL by using the acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name command, you can enter the view of the ACL by using only the command that is used to create the ACL.
You can change the match order only for ACLs that do not contain any rules.
Packets that match an ACL rule are slow-forwarded if the rule contains any match criterion, or has any function enabled, other than the following:
· Source and destination IP addresses.
· Source and destination ports.
· Transport layer protocol.
· ICMP or ICMPv6 message type, message code, and message name.
· VPN instance.
· Logging.
· Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.
Examples
# Create IPv4 basic ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000]
# Create IPv4 basic ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl basic name flow
[Sysname-acl-ipv4-basic-flow]
# Create IPv4 advanced ACL 3000 and enter its view.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000]
# Create IPv6 basic ACL 2000 and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000]
# Create IPv6 basic ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 basic name flow
[Sysname-acl-ipv6-basic-flow]
# Create IPv6 advanced ACL abc and enter its view.
<Sysname> system-view
[Sysname] acl ipv6 advanced name abc
[Sysname-acl-ipv6-adv-abc]
# Create Layer 2 ACL 4000 and enter its view.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000]
# Create Layer 2 ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl mac name flow
[Sysname-acl-mac-flow]
# Create user-defined ACL 5000 and enter its view.
<Sysname> system-view
[Sysname] acl user-defined 5000
[Sysname-acl-user-5000]
# Create user-defined ACL flow and enter its view.
<Sysname> system-view
[Sysname] acl user-defined name flow
[Sysname-acl-user-flow]
Related commands
display acl
acl copy
Use acl copy to create an ACL by copying an ACL that already exists.
Syntax
acl [ ipv6 | mac | user-defined ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Views
System view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
source-acl-number: Specifies an existing source ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name source-acl-name: Specifies an existing source ACL by its name. The source-acl-name argument is a case-insensitive string of 1 to 63 characters.
dest-acl-number: Assigns a unique number to the new ACL. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
name dest-acl-name: Assigns a unique name to the new ACL. The dest-acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all.
Usage guidelines
The new ACL and the source ACL must be the same type.
The new ACL has the same properties and content as the source ACL, but uses a different number or name from the source ACL.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Create IPv4 basic ACL 2002 by copying IPv4 basic ACL 2001.
<Sysname> system-view
[Sysname] acl copy 2001 to 2002
# Create IPv4 basic ACL paste by copying IPv4 basic ACL test.
<Sysname> system-view
[Sysname] acl copy name test to name paste
description
Use description to configure a description for an ACL.
Use undo description to delete an ACL description.
Syntax
description text
undo description
Default
An ACL does not have a description.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure a description for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] description This is an IPv4 basic ACL.
Related commands
display acl
display acl
Use display acl to display ACL configuration and match statistics.
Syntax
display acl [ ipv6 | mac | user-defined ] { acl-number | all | name acl-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
all: Specifies all ACLs of the specified type.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command displays ACL rules in config or auto order, whichever is configured.
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Display configuration and match statistics for IPv4 basic ACL 2001.
<Sysname> display acl 2001
Basic IPv4 ACL 2001 named test, 2 rules, match-order is auto,
This is an IPv4 basic ACL.
ACL's step is 5, start ID is 0
rule 5 permit source 1.1.1.1 0
rule 5 comment This rule is used on GigabitEthernet0/0/1.
rule 10 deny source 10.0.0.101 0 counting time-range a3 (Active)
# Display configuration and match statistics for IPv4 advanced ACL 3001.
<Sysname> display acl 3001
Advanced IPv4 ACL 3001, 2 rules
ACL's step is 5, start ID is 0
rule 0 permit tcp
rule 5 permit ip source 10.0.0.100 0 (2854 times matched)
Table 1 Command output
Field | Description
---|---
Basic IPv4 ACL 2001 named test | Type, number, and name of the ACL. The following field information is about IPv4 basic ACL 2001.
2 rules | Number of rules contained in the ACL. In this example, the ACL contains two rules.
match-order is auto | The match order for the ACL is auto, which sorts ACL rules in depth-first order. This field is not displayed when the match order is config.
This is an IPv4 basic ACL. | Description of the ACL.
ACL's step is 5 | The rule numbering step is 5.
start ID is 0 | The start rule ID is 0.
rule 5 permit source 1.1.1.1 0 | Content of rule 5. The rule permits packets sourced from the IP address 1.1.1.1.
rule 5 comment This rule is used on GigabitEthernet0/0/1. | Comment of rule 5.
Active | The rule that uses the time range is active.
Inactive | The rule that uses the time range is inactive.
2854 times matched | Number of times that the rule is matched.
display acl accelerate
Use display acl accelerate to display ACL acceleration status.
Syntax
display acl accelerate { summary [ ipv6 | mac ] | verbose [ ipv6 | mac ] { acl-number | name acl-name } slot slot-number }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
summary: Displays summary information about ACL acceleration status.
verbose: Displays detailed information about ACL acceleration status.
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. The specified card must be the card where the acceleration chip resides.
Usage guidelines
If you specify the verbose keyword, this command displays the ACLs for which acceleration is successfully enabled and their rules. The ACLs for which acceleration is disabled or fails to be enabled are not displayed.
Examples
# Display summary information about ACL acceleration status.
<Sysname> display acl accelerate summary
Basic IPv4 ACL 2000.
reset acl counter
Use reset acl counter to clear statistics for ACLs.
Syntax
reset acl [ ipv6 | mac | user-defined ] counter { acl-number | all | name acl-name }
Views
User view
Predefined user roles
network-admin
Parameters
ipv6: Specifies the IPv6 ACL type.
mac: Specifies the Layer 2 ACL type.
user-defined: Specifies the user-defined ACL type.
acl-number: Specifies an ACL by its number. The following are available value ranges:
· 2000 to 2999 for basic ACLs.
· 3000 to 3999 for advanced ACLs.
· 4000 to 4999 for Layer 2 ACLs.
· 5000 to 5999 for user-defined ACLs.
all: Clears statistics for all ACLs of the specified type.
name acl-name: Clears statistics of an ACL specified by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters.
Usage guidelines
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
Examples
# Clear statistics for IPv4 basic ACL 2001.
<Sysname> reset acl counter 2001
Related commands
display acl
rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group address-group-name | dest-address dest-wildcard | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | { precedence precedence | tos tos } * | { precedence precedence | ecn ecn } * | { dscp dscp1 [ to dscp2 ] | ecn ecn } * | [ any-fragment | first-fragment | fragment | non-fragment | non-or-first-fragment ] | icmp-type { icmp-type [ icmp-code ] | icmp-message } | packet-length operator length-value1 [ length-value2 ] | source { object-group address-group-name | source-address source-wildcard | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | ttl operator ttl-value1 [ ttl-value2 ] | user-group-any | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { precedence | tos } * | { precedence | ecn } * | { dscp | ecn } * | [ any-fragment | first-fragment | fragment | non-fragment | non-or-first-fragment ] | icmp-type | packet-length | source | source-port | time-range | ttl | user-group-any | vpn-instance ] *
undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group address-group-name | dest-address dest-wildcard | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | { precedence | tos } * | { precedence | ecn } * | { dscp dscp1 [ to dscp2 ] | ecn } * | [ any-fragment | first-fragment | fragment | non-fragment | non-or-first-fragment ] | icmp-type { icmp-type [ icmp-code ] | icmp-message } | packet-length operator length-value1 [ length-value2 ] | source { object-group address-group-name | source-address source-wildcard | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | ttl operator ttl-value1 [ ttl-value2 ] | user-group-any | vpn-instance vpn-instance-name ] *
Default
No IPv4 advanced ACL rules exist.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
· A protocol number in the range of 0 to 255.
· A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
Table 2 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 2 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters | Function | Description
---|---|---
source { object-group address-group-name \| source-address source-wildcard \| any } | Specifies a source address. | The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address. The any keyword specifies any source IP address.
destination { object-group address-group-name \| dest-address dest-wildcard \| any } | Specifies a destination address. | The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard mask represents a host address. The any keyword represents any destination IP address.
counting | Enables rule match counting in software. | The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted in software.
precedence precedence | Specifies an IP precedence value. | The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).
tos tos | Specifies a ToS preference. | The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).
ecn ecn | Specifies an ECN value. | The ecn argument is a number in the range of 0 to 3. The last two bits in the differentiated services (DS) field of the IP header are defined for use by ECN. For more information about the DS field and ECN, see congestion avoidance configuration in ACL and QoS Configuration Guide.
dscp dscp1 [ to dscp2 ] | Specifies a DSCP priority. | The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). The to dscp2 option is used to specify a DSCP value range. The value for the dscp2 argument must be greater than or equal to the value for the dscp1 argument.
any-fragment | Applies the rule to any fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments.
first-fragment | Applies the rule to first fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments.
fragment | Applies the rule only to non-first fragments. | If you do not specify this keyword, the rule applies to all fragments and non-fragments.
non-fragment | Applies the rule only to non-fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments.
non-or-first-fragment | Applies the rule only to non-fragments and first fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments.
packet-length operator length-value1 [ length-value2 ] | Matches the packet length in the Total Length field in the IPv4 packet header. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The length-value1 and length-value2 arguments are packet length values in the range of 0 to 65535 bytes. The length-value2 argument is needed only when the operator argument is range.
time-range time-range-name | Specifies a time range for the rule. | The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
user-group-any | Matches packets from users in any user group. | This option takes effect in ACLs used by QoS policy, packet filtering, and policy-based routing. This option takes effect on PPPoE and portal online users.
ttl operator ttl-value1 [ ttl-value2 ] | Specifies one or more TTL values. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The ttl-value1 and ttl-value2 arguments are TTL values in the range of 1 to 255. The ttl-value2 argument is needed only when the operator argument is range.
vpn-instance vpn-instance-name | Applies the rule to an MPLS L3VPN instance. | The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, whether the rule applies to VPN packets varies by feature. See the description for the feature that uses ACLs.
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 3.
Table 3 TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description
---|---|---
source-port { object-group port-group-name \| operator port1 [ port2 ] } | Specifies one or more UDP or TCP source ports. | The port-group-name argument specifies an object group of ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
destination-port { object-group port-group-name \| operator port1 [ port2 ] } | Specifies one or more UDP or TCP destination ports. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set.
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set.
If the protocol argument is icmp (1), set the parameters shown in Table 4.
Table 4 ICMP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description
---|---|---
icmp-type { icmp-type icmp-code \| icmp-message } | Specifies the ICMP message type and code. | The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 5.
Table 5 ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code
---|---|---
echo | 8 | 0
echo-reply | 0 | 0
fragmentneed-DFset | 3 | 4
host-redirect | 5 | 1
host-tos-redirect | 5 | 3
host-unreachable | 3 | 1
information-reply | 16 | 0
information-request | 15 | 0
net-redirect | 5 | 0
net-tos-redirect | 5 | 2
net-unreachable | 3 | 0
parameter-problem | 12 | 0
port-unreachable | 3 | 3
protocol-unreachable | 3 | 2
reassembly-timeout | 11 | 1
source-quench | 4 | 0
source-route-failed | 3 | 5
timestamp-reply | 14 | 0
timestamp-request | 13 | 0
ttl-exceeded | 11 | 0
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl advanced 3001
[Sysname-acl-ipv4-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl advanced 3002
[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-ipv4-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-ipv4-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl advanced 3003
[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-ipv4-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-ipv4-adv-3003] rule permit udp destination-port eq snmptrap
# Create an IPv4 advanced ACL rule to permit IPv4 packets of users in user group users.
<Sysname> system-view
[Sysname] acl advanced 3004
[Sysname-acl-ipv4-adv-3004] rule permit ip user-group users
# Create an IPv4 advanced ACL rule to permit VXLAN packets whose inner source IP address is in subnet 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl advanced 3004
[Sysname-acl-ipv4-adv-3004] rule permit vxlan inner-protocol ip inner-source 192.168.1.0 0.0.0.255
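The TCP/UDP criteria in Table 3 are easy to misread, in particular that the TCP flags in one rule are ORed and that established means ACK or RST. The following Python model is an added example, not code from the command reference, that reproduces the port operators and flag semantics against constructed packets; the class, function and packet names are this example's own, and the port names come from the page's lists.

```python
"""Added example, not code from the H3C command reference: a small model of the
TCP/UDP match criteria in Table 3, so the ORed TCP-flag semantics and the port
operators can be checked against constructed packets."""

from dataclasses import dataclass, field
from typing import Optional, Tuple, Union

# Subset of the named ports the page lists for TCP and UDP rules.
TCP_PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "www": 80, "bgp": 179}
UDP_PORT_NAMES = {"snmp": 161, "snmptrap": 162, "syslog": 514, "ntp": 123}
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}

# (operator, port1, port2): port2 is only used with the range operator.
PortSpec = Tuple[str, Union[int, str], Optional[Union[int, str]]]


def resolve_port(protocol: str, port: Union[int, str]) -> int:
    """Accept a numeric port or one of the page's port names for this protocol."""
    if isinstance(port, int):
        return port
    names = TCP_PORT_NAMES if protocol == "tcp" else UDP_PORT_NAMES
    return names[port]


def port_matches(operator: str, port1: int, port2: Optional[int], value: int) -> bool:
    """'operator port1 [ port2 ]': lt, gt, eq, neq, or an inclusive range."""
    if operator == "lt":
        return value < port1
    if operator == "gt":
        return value > port1
    if operator == "eq":
        return value == port1
    if operator == "neq":
        return value != port1
    if operator == "range":
        if port2 is None:
            raise ValueError("range requires port2")
        return port1 <= value <= port2
    raise ValueError(f"unknown operator {operator!r}")


@dataclass
class L4Rule:
    """One rule's Layer 4 criteria; packets are dicts built by make_packet()."""
    action: str                                   # "permit" or "deny"
    protocol: str                                 # "tcp" or "udp"
    source_port: Optional[PortSpec] = None
    destination_port: Optional[PortSpec] = None
    flags: dict = field(default_factory=dict)     # e.g. {"ack": 0, "psh": 1}
    established: bool = False

    def matches(self, pkt: dict) -> bool:
        if pkt["protocol"] != PROTOCOL_NUMBERS[self.protocol]:
            return False
        for spec, key in ((self.source_port, "sport"), (self.destination_port, "dport")):
            if spec is None:
                continue
            op, p1, p2 = spec
            p1 = resolve_port(self.protocol, p1)
            p2 = None if p2 is None else resolve_port(self.protocol, p2)
            if not port_matches(op, p1, p2, pkt[key]):
                return False
        if self.flags:
            # Page: "The TCP flags in a rule are ORed". ack 0 psh 1 therefore
            # matches a packet with ACK clear, or a packet with PSH set.
            if not any(pkt["flags"].get(name, 0) == want
                       for name, want in self.flags.items()):
                return False
        if self.established:
            # Page: established matches packets with the ACK or RST bit set.
            if not (pkt["flags"].get("ack") or pkt["flags"].get("rst")):
                return False
        return True


def make_packet(protocol: str, sport: int, dport: int, **flags: int) -> dict:
    """Constructed packet: protocol number, ports, and TCP flag bits (1 = set)."""
    return {"protocol": PROTOCOL_NUMBERS[protocol], "sport": sport,
            "dport": dport, "flags": flags}


def first_match(rules, pkt: dict) -> Optional[str]:
    """Config-order evaluation: the first rule whose criteria match decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


if __name__ == "__main__":
    # rule permit tcp destination-port range ftp-data ftp ack 0 psh 1
    r = L4Rule("permit", "tcp", destination_port=("range", "ftp-data", "ftp"),
               flags={"ack": 0, "psh": 1})
    print(r.matches(make_packet("tcp", 40000, 21, ack=1, psh=1)))   # True (PSH set)
    print(r.matches(make_packet("tcp", 40000, 21, ack=1, psh=0)))   # False
```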
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
packet-filter vlan (Security Command Reference)
step
time-range
rule (IPv4 basic ACL view)
Use rule to create or edit an IPv4 basic ACL rule.
Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { object-group address-group-name | source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | logging | source { object-group address-group-name | source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv4 basic ACL rules exist.
Views
IPv4 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
logging: Logs the number of matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports the logging feature.
source { object-group address-group-name | source-address source-wildcard | any }: Matches a source address. The object-group address-group-name option specifies an object group of source IP addresses. The source-address and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. A wildcard mask of zeros represents a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, whether the rule applies to VPN packets varies by feature. See the description for the feature that uses ACLs.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
To view the existing IPv4 basic and advanced ACL rules, use the display acl all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. For more information about the packet-filter command, see packet filter commands in Security Command Reference.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP subnet but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-ipv4-basic-2000] rule deny source any
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
packet-filter vlan (Security Command Reference)
step
time-range
rule (IPv6 advanced ACL view)
Use rule to create or edit an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group address-group-name | dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | dscp dscp | ecn ecn | flow-label flow-label-value | [ any-fragment | first-fragment | fragment | non-fragment | non-or-first-fragment ] | icmp6-type { icmp6-type icmp6-code | icmp6-message } | packet-length operator length-value1 [ length-value2 ] | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | ttl operator ttl-value1 [ ttl-value2 ]| user-group-any | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | ecn | flow-label | [ any-fragment | first-fragment | fragment | non-fragment | non-or-first-fragment ] | icmp6-type | packet-length | routing | hop-by-hop | source | source-port | time-range | ttl | user-group-any | vpn-instance] *
undo rule { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { object-group address-group-name | dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port { object-group port-group-name | operator port1 [ port2 ] } | dscp dscp | ecn ecn | flow-label flow-label-value | [ any-fragment | first-fragment | fragment | non-fragment | non-or-first-fragment ] | icmp6-type { icmp6-type icmp6-code | icmp6-message } | packet-length operator length-value1 [ length-value2 ] | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | source-port { object-group port-group-name | operator port1 [ port2 ] } | time-range time-range-name | ttl operator ttl-value1 [ ttl-value2 ] | user-group-any | vpn-instance vpn-instance-name ] *
Default
No IPv6 advanced ACL rules exist.
Views
IPv6 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
· A protocol number in the range of 0 to 255.
· A protocol name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.
Table 6 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 6 Match criteria and other rule information for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { object-group address-group-name \| source-address source-prefix \| source-address/source-prefix \| any } | Specifies a source IPv6 address. | The source-address argument specifies an IPv6 source address. The source-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address. |
destination { object-group address-group-name \| dest-address dest-prefix \| dest-address/dest-prefix \| any } | Specifies a destination IPv6 address. | The dest-address argument specifies a destination IPv6 address. The dest-prefix argument specifies a prefix length in the range of 1 to 128. The any keyword represents any IPv6 destination address. |
counting | Enables rule match counting in software. | The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted in software. For more information about the packet-filter command, see packet filter commands in Security Command Reference. |
dscp dscp | Specifies a DSCP preference. | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
ecn ecn | Specifies an ECN value. | The ecn argument is an integer in the range of 0 to 3. This value represents the last two bits (ECN field) in the differentiated services (DS) field of the IP header. For more information about the DS field and ECN, see QoS configuration in ACL and QoS Configuration Guide. |
flow-label flow-label-value | Specifies a flow label value in an IPv6 packet header. | The flow-label-value argument is in the range of 0 to 1048575. |
any-fragment | Applies the rule to any fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments. |
first-fragment | Applies the rule to first fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments. |
fragment | Applies the rule only to non-first fragments. | If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
non-fragment | Applies the rule only to non-fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments. |
non-or-first-fragment | Applies the rule only to non-fragments and first fragments. | If you do not specify any fragment-related parameters, the rule applies to all fragments and non-fragments. |
routing [ type routing-type ] | Specifies an IPv6 routing header type. | routing-type: Value of the IPv6 routing header type, in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing headers. |
hop-by-hop [ type hop-type ] | Specifies an IPv6 Hop-by-Hop Options header type. | hop-type: Value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255. If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. If you do not specify the type hop-type option, the rule applies to all types of IPv6 Hop-by-Hop Options headers. |
time-range time-range-name | Specifies a time range for the rule. | The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide. |
user-group-any | Matches packets from users in any user group. | This option takes effect in ACLs used by QoS policy, packet filtering, and policy-based routing. This option takes effect on PPPoE and portal online users. |
packet-length operator length-value1 [ length-value2 ] | Matches the packet length, including the IPv6 basic header, IPv6 extension header, and payload. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The length-value1 and length-value2 arguments are packet length values in the range of 0 to 65535 bytes. The length-value2 argument is needed only when the operator argument is range. |
ttl operator ttl-value1 [ ttl-value2 ] | Matches the TTL in the Hop Limit field in the IPv6 packet header. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The ttl-value1 and ttl-value2 arguments are TTL values in the range of 1 to 255. The ttl-value2 argument is needed only when the operator argument is range. |
vpn-instance vpn-instance-name | Applies the rule to an MPLS L3VPN instance. | The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, whether the rule applies to VPN packets varies by feature. See the description for the feature that uses ACLs. |
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 7.
Table 7 TCP/UDP-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port { object-group port-group-name \| operator port1 [ port2 ] } | Specifies one or more UDP or TCP source ports. | The port-group-name argument specifies an object group of ports. The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), dns (53), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port { object-group port-group-name \| operator port1 [ port2 ] } | Specifies one or more UDP or TCP destination ports. | Same as for source-port. |
{ ack ack-value \| fin fin-value \| psh psh-value \| rst rst-value \| syn syn-value \| urg urg-value } * | Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set. |
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
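The fragment keywords in Table 6 and the ORed TCP flag and established semantics in Table 7 decide how wide a rule really is, so a model of them is useful when auditing a filter. The following Python is an added example, not H3C code; it assumes config match order (the first matching rule decides) and a caller-supplied default action, and it models only the fields it names:

```python
"""Model of IPv6 advanced ACL rule matching as documented in Tables 6 and 7.

Added example, not vendor code. Assumptions: config match order, a caller-supplied
default action when no rule matches, and only the fields named below are modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Documented operators: lt, gt, eq, neq, range (inclusive)
OPS = {"lt": lambda v, a, b: v < a, "gt": lambda v, a, b: v > a,
       "eq": lambda v, a, b: v == a, "neq": lambda v, a, b: v != a,
       "range": lambda v, a, b: a <= v <= b}


def op_match(criterion: tuple, value: int) -> bool:
    """criterion is (operator, value1) or (operator, value1, value2) for range."""
    operator, v1 = criterion[0], criterion[1]
    v2 = criterion[2] if len(criterion) > 2 else None
    if operator == "range" and v2 is None:
        raise ValueError("range needs two values")
    return OPS[operator](value, v1, v2)


@dataclass
class Packet:
    """Constructed packet abstraction carrying only what the rules inspect."""
    protocol: int                  # Next Header: 6 tcp, 17 udp, 58 icmpv6, ...
    src: str = "::"
    dst: str = "::"
    is_fragment: bool = False      # packet carries a Fragment extension header
    fragment_offset: int = 0       # 0 = first fragment, >0 = non-first fragment
    hop_limit: int = 64            # the field the ttl criterion matches
    length: int = 0                # basic header + extension headers + payload
    tcp_flags: dict = field(default_factory=dict)   # e.g. {"ack": 1, "psh": 0}


@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    protocol: Optional[int] = None        # None = ipv6 keyword (all protocols)
    source: Optional[str] = None          # prefix such as "2030:5060::/64"; None = any
    destination: Optional[str] = None
    fragment_kw: Optional[str] = None     # a Table 6 fragment keyword, or None
    tcp_flags: dict = field(default_factory=dict)   # e.g. {"ack": 0, "psh": 1}
    established: bool = False
    ttl: Optional[tuple] = None           # (operator, value1[, value2])
    packet_length: Optional[tuple] = None


def prefix_match(prefix: Optional[str], addr: str) -> bool:
    if prefix is None:                    # the any keyword
        return True
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


def fragment_match(kw: Optional[str], pkt: Packet) -> bool:
    """Fragment keywords exactly as Table 6 describes them."""
    first = pkt.is_fragment and pkt.fragment_offset == 0
    non_first = pkt.is_fragment and pkt.fragment_offset > 0
    if kw is None:                        # no keyword: all fragments and non-fragments
        return True
    if kw == "any-fragment":
        return pkt.is_fragment
    if kw == "first-fragment":
        return first
    if kw == "fragment":                  # non-first fragments only
        return non_first
    if kw == "non-fragment":
        return not pkt.is_fragment
    if kw == "non-or-first-fragment":
        return not non_first
    raise ValueError(f"unknown fragment keyword {kw}")


def rule_match(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if not (prefix_match(rule.source, pkt.src) and prefix_match(rule.destination, pkt.dst)):
        return False
    if not fragment_match(rule.fragment_kw, pkt):
        return False
    if rule.ttl and not op_match(rule.ttl, pkt.hop_limit):
        return False
    if rule.packet_length and not op_match(rule.packet_length, pkt.length):
        return False
    # established: TCP packets with the ACK or RST flag bit set
    if rule.established and not (pkt.tcp_flags.get("ack") == 1 or pkt.tcp_flags.get("rst") == 1):
        return False
    # Explicit flag criteria are ORed: a single satisfied criterion is enough
    if rule.tcp_flags and not any(pkt.tcp_flags.get(name, 0) == want
                                  for name, want in rule.tcp_flags.items()):
        return False
    return True


def evaluate(rules: list, pkt: Packet, default: str = "deny") -> str:
    """Config match order: the first rule that matches decides."""
    for rule in rules:
        if rule_match(rule, pkt):
            return rule.action
    return default


# ACL 3001 from the Examples: deny ICMPv6 to fe80:5060:1001::/48, permit all other IPv6
ACL_3001 = [Rule("deny", protocol=58, destination="fe80:5060:1001::/48"), Rule("permit")]
```

Note that a rule with ack 0 psh 1 matches every packet with ACK clear or PSH set, which is wider than an AND reading of the flags would suggest.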
If the protocol argument is icmpv6 (58), set the parameters shown in Table 8.
Table 8 ICMPv6-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp6-type { icmp6-type icmp6-code \| icmp6-message } | Specifies the ICMPv6 message type and code. | The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMPv6 message names and their corresponding type and code values are listed in Table 9. |
Table 9 ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Usage guidelines
If an IPv6 advanced ACL is used for outbound QoS traffic classification or outbound packet filtering, do not specify the flow-label parameter.
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
Examples
# Create an IPv6 advanced ACL rule to permit TCP packets from 2030:5060::/64 to fe80:5060::/96 with destination port 80.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3000
[Sysname-acl-ipv6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3001
[Sysname-acl-ipv6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48
[Sysname-acl-ipv6-adv-3001] rule permit ipv6
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3002
[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp
[Sysname-acl-ipv6-adv-3002] rule permit tcp source-port eq ftp-data
[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp
[Sysname-acl-ipv6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3003
[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmp
[Sysname-acl-ipv6-adv-3003] rule permit udp source-port eq snmptrap
[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmp
[Sysname-acl-ipv6-adv-3003] rule permit udp destination-port eq snmptrap
# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets with the Hop-by-Hop Options header type as 5, and the other one denies packets with other Hop-by-Hop Options header types.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3004
[Sysname-acl-ipv6-adv-3004] rule permit ipv6 hop-by-hop type 5
[Sysname-acl-ipv6-adv-3004] rule deny ipv6 hop-by-hop
# Create an IPv6 advanced ACL rule to permit IPv6 packets of users in user group users.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3005
[Sysname-acl-ipv6-adv-3005] rule permit ipv6 user-group users
# Create an IPv6 advanced ACL rule to permit first fragments of IPv6 packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3005
[Sysname-acl-ipv6-adv-3005] rule permit ipv6 first-fragment
# Create an IPv6 advanced ACL rule to permit non-fragments.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3005
[Sysname-acl-ipv6-adv-3005] rule permit ipv6 non-fragment
# Create an IPv6 advanced ACL rule to permit non-fragments and first fragments of IPv6 packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3005
[Sysname-acl-ipv6-adv-3005] rule permit ipv6 non-or-first-fragment
# Create an IPv6 advanced ACL rule to permit all fragments of IPv6 packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3005
[Sysname-acl-ipv6-adv-3005] rule permit ipv6 any-fragment
# Create an IPv6 advanced ACL rule to permit IPv6 packets from any user group.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3006
[Sysname-acl-ipv6-adv-3006] rule permit ipv6 user-group-any
# Create an IPv6 advanced ACL rule to permit UDP packets with TTL value 100.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3007
[Sysname-acl-ipv6-adv-3007] rule permit udp ttl eq 100
# Create an IPv6 advanced ACL rule to permit 100-byte UDP packets.
<Sysname> system-view
[Sysname] acl ipv6 advanced 3008
[Sysname-acl-ipv6-adv-3008] rule permit udp packet-length eq 100
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
packet-filter vlan (Security Command Reference)
step
time-range
rule (IPv6 basic ACL view)
Use rule to create or edit an IPv6 basic ACL rule.
Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ counting | fragment | routing [ type routing-type ] | source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ counting | fragment | routing | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | routing [ type routing-type ] | source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv6 basic ACL rules exist.
Views
IPv6 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.
routing [ type routing-type ]: Applies the rule to the specified type of IPv6 routing header or all types of IPv6 routing headers. The routing-type argument specifies the value of the IPv6 routing header type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all types of IPv6 routing headers.
source { object-group address-group-name | source-address source-prefix | source-address/source-prefix | any }: Matches a source IPv6 address. The object-group address-group-name option specifies an object group of source IPv6 addresses. The source-address argument specifies a source IPv6 address. The source-prefix argument specifies an address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, whether the rule applies to VPN packets varies by feature. See the description for the feature that uses ACLs.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
The object group you specify when creating or editing a rule must already exist. Otherwise, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for a rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. For more information about the packet-filter command, see packet filter commands in Security Command Reference.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP subnet but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 16
[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl-ipv6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl-ipv6-basic-2000] rule deny source any
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
packet-filter vlan (Security Command Reference)
step
time-range
rule (Layer 2 ACL view)
Use rule to create or edit a Layer 2 ACL rule.
Use undo rule to delete an entire Layer 2 ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
undo rule rule-id [ counting | time-range ] *
undo rule { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *
Default
No Layer 2 ACL rules exist.
Views
Layer 2 ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
cos dot1p: Matches an 802.1p priority. The 802.1p priority can be specified by one of the following values:
· A priority number in the range of 0 to 7.
· A priority name: best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.
lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a hexadecimal number that represents the encapsulation format. The value range for the lsap-type argument is 0 to ffff. The lsap-type-mask argument is a hexadecimal number that represents the LSAP mask. The value range for the lsap-type-mask argument is 0 to ffff.
type protocol-type protocol-type-mask: Matches one or more Layer 2 protocols. The protocol-type argument is a hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The value range for the protocol-type argument is 0 to ffff. The protocol-type-mask argument is a hexadecimal number that represents a protocol type mask. The value range for the protocol-type-mask argument is 0 to ffff.
source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the source-mask argument represents a mask in the H-H-H format.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
You can edit ACL rules only when the match order is config.
To view the existing Layer 2 ACL rules, use the display acl mac all command.
The undo rule rule-id command without any optional parameters deletes an entire rule. If you specify optional parameters, the undo rule rule-id command deletes the specified attributes for the rule.
The undo rule { deny | permit } command can only be used to delete an entire rule. You must specify all the attributes of the rule for the command.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. For more information about the packet-filter command, see packet filter commands in Security Command Reference.
Examples
# Create a rule in Layer 2 ACL 4000 to permit ARP packets and deny RARP packets.
<Sysname> system-view
[Sysname] acl mac 4000
[Sysname-acl-mac-4000] rule permit type 0806 ffff
[Sysname-acl-mac-4000] rule deny type 8035 ffff
# Create a rule in Layer 2 ACL 4001 to permit VXLAN packets whose VXLAN ID is 300.
<Sysname> system-view
[Sysname] acl mac 4001
[Sysname-acl-mac-4001] rule permit vxlan vxlan-id 300
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
packet-filter vlan (Security Command Reference)
step
time-range
rule (user-defined ACL view)
Use rule to create or edit a user-defined ACL rule.
Use undo rule to delete a user-defined ACL rule.
Syntax
Command set 1:
rule [ rule-id ] { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
undo rule rule-id
undo rule { deny | permit } [ { { ipv4 | ipv6 | l2 | l4 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
Command set 2:
rule [ rule-id ] { deny | permit } [ ipv6-protocol ] protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-wildcard | any } | destination-port { operator port1 [ port2 ] } | { { precedence precedence | tos tos } * | { precedence precedence | ecn ecn } * | dscp dscp | ecn ecn } * } | source { source-address source-wildcard | any } | source-port { operator port1 [ port2 ] } | udf-format ] * [ { { ipv4 | ipv6 | l2 | l4 | l5 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
undo rule rule-id [ ipv6-protocol ] [ { { ack | fin | psh | rst | syn | urg } * | established } | destination | destination-port | { { precedence | tos } * | { precedence | ecn } * | { dscp | ecn } * } | source | source-port | udf-format | vpn-instance vpn-instance-name | ipv4 | ipv6 | l2 | l4 | l5 | counting | time-range ] *
undo rule { deny | permit } [ ipv6-protocol ] protocol [ { { ack | fin | psh | rst | syn | urg } * | established } | destination { dest-address dest-wildcard | any } | destination-port { operator port1 [ port2 ] } | { { precedence precedence | tos tos } * | { precedence precedence | ecn ecn } * | { dscp dscp | ecn ecn } * } | source { source-address source-wildcard | any } | source-port { operator port1 [ port2 ] } | udf-format | vpn-instance vpn-instance-name ] * [ { { ipv4 | ipv6 | l2 | l4 | l5 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
Command set 3:
rule [ rule-id ] { deny | permit } dual-stack { tcp | udp } [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination any | destination-port { operator port1 [ port2 ] } | source any | source-port { operator port1 [ port2 ] } | vpn-instance vpn-instance-name ] * [ counting | time-range time-range-name ] *
undo rule [ rule-id ] { deny | permit } dual-stack { tcp | udp } [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination any | destination-port { operator port1 [ port2 ] } | source any | source-port { operator port1 [ port2 ] } | vpn-instance vpn-instance-name ] * [ counting | time-range time-range-name ] *
Default
No user-defined ACL rules exist.
Views
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. The numbering step for user-defined ACLs is fixed at 5. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.
l4: Specifies that the offset is relative to the beginning of the Layer 4 header.
l5: Specifies that the offset is relative to the beginning of the Layer 5 header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. A match pattern mask is used for ANDing the selected string of a packet.
offset: Specifies an offset in bytes after which the match operation begins.
&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.
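To see how the rule-string, rule-mask and offset parameters select bytes relative to a layer, here is an added Python example (not H3C code) that matches the patterns of a user-defined rule against a constructed Ethernet II/IPv4/UDP frame. It assumes untagged frames, no IPv6 extension headers, and that every pattern in a rule must match; the DNS_RULE and build_udp_frame names are constructed for this example:

```python
"""Matching of user-defined ACL match patterns against a frame.

Added example, not vendor code. Assumptions: untagged Ethernet II frames, no
IPv6 extension headers, and every pattern in a rule must match for the rule
to match (a rule carries from one to eight patterns, &<1-8>).
"""
import struct

ETH_LEN = 14  # Ethernet II header, no 802.1Q tag (assumption)


def layer_offsets(frame: bytes) -> dict:
    """Start offset of each header the l2 / ipv4 / ipv6 / l4 / l5 keywords refer to."""
    offs = {"l2": 0}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:
        offs["ipv4"] = ETH_LEN
        offs["l4"] = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4   # IHL in 32-bit words
        proto = frame[ETH_LEN + 9]                            # Protocol field
    elif ethertype == 0x86DD:
        offs["ipv6"] = ETH_LEN
        offs["l4"] = ETH_LEN + 40                             # fixed basic header
        proto = frame[ETH_LEN + 6]                            # Next Header
    else:
        return offs
    if proto == 6:                                            # TCP: data offset nibble
        offs["l5"] = offs["l4"] + (frame[offs["l4"] + 12] >> 4) * 4
    elif proto == 17:                                         # UDP: fixed 8-byte header
        offs["l5"] = offs["l4"] + 8
    return offs


def pattern_match(frame: bytes, layer: str, rule_string: str, rule_mask: str, offset: int) -> bool:
    """One { ipv4 | ipv6 | l2 | l4 | l5 } rule-string rule-mask offset criterion."""
    if len(rule_string) % 2 or len(rule_string) != len(rule_mask):
        raise ValueError("rule-string needs an even number of hex digits and a mask of equal length")
    pattern, mask = bytes.fromhex(rule_string), bytes.fromhex(rule_mask)
    offs = layer_offsets(frame)
    if layer not in offs:
        return False                                          # frame has no such layer
    start = offs[layer] + offset
    selected = frame[start:start + len(pattern)]
    if len(selected) < len(pattern):
        return False                                          # frame too short
    # The mask is ANDed with the selected bytes; the result is compared with rule-string
    return bytes(b & m for b, m in zip(selected, mask)) == pattern


def rule_matches(frame: bytes, patterns: list) -> bool:
    """patterns: one to eight (layer, rule-string, rule-mask, offset) tuples."""
    if not 1 <= len(patterns) <= 8:
        raise ValueError("a rule takes 1 to 8 match patterns")
    return all(pattern_match(frame, *p) for p in patterns)


def build_udp_frame(dst_port: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet II / IPv4 / UDP frame (sample data, not a capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0)
    return eth + ip + udp + payload


# Constructed rule: IPv4 frames (EtherType 0x0800 at L2 offset 12) whose Layer 4
# destination port (L4 offset 2) is 53, i.e. rule permit l2 0800 ffff 12 l4 0035 ffff 2
DNS_RULE = [("l2", "0800", "ffff", 12), ("l4", "0035", "ffff", 2)]
```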
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
ipv6-protocol: Matches IPv6 packets. If you specify this keyword, do not specify the ipv4 keyword in the command. If you do not specify this keyword, the command matches IPv4 packets; in that case, do not specify the ipv6 keyword in the command.
protocol: Specifies one of the following values:
· For IPv4:
  - A protocol number in the range of 0 to 255.
  - A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
· For IPv6:
  - A protocol number in the range of 0 to 255.
  - A protocol by its name: gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), ospf (89), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.
If the protocol argument is tcp (6), set the parameters shown in Table 10.
Table 10 TCP-specific parameters for user-defined ACL rules

Parameters | Function | Description |
---|---|---|
ack ack-value, fin fin-value, psh psh-value, rst rst-value, syn syn-value, urg urg-value | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. | The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ORed. For example, a rule configured with ack 0 psh 1 matches both packets that have the ACK flag bit not set and packets that have the PSH flag bit set. |
established | Specifies the flags for indicating the established status of a TCP connection. | The rule matches TCP connection packets with the ACK or RST flag bit set. |
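The OR semantics in Table 10 is easy to misread as AND, and the difference decides how much traffic a permit rule lets through. The following Python model is an added example, not code from the command reference or from the device; it encodes the two statements the table makes (flag conditions are ORed; established means ACK or RST set) and counts how many of the 64 possible flag settings a rule such as ack 0 psh 1 actually matches. The bit positions of the flags inside the TCP flags byte are the standard TCP header layout, which the page does not spell out.

```python
from typing import Dict, List, Optional

# Bit position of each ACL-matchable flag inside the TCP flags byte (standard TCP header layout).
TCP_FLAG_BITS = {"fin": 0, "syn": 1, "rst": 2, "psh": 3, "ack": 4, "urg": 5}


def flags_from_byte(flags_byte: int) -> Dict[str, int]:
    """Decode a TCP flags byte into {flag-name: 0 or 1} for the six flags a rule can test."""
    return {name: (flags_byte >> bit) & 1 for name, bit in TCP_FLAG_BITS.items()}


def tcp_rule_matches(flags_byte: int, rule_flags: Optional[Dict[str, int]] = None,
                     established: bool = False) -> bool:
    """Evaluate a rule's TCP-specific parameters against one segment's flags byte.

    rule_flags holds the 0/1 values written in the rule, e.g. {"ack": 0, "psh": 1}.
    Table 10 states that the flag conditions in a rule are ORed, so a segment
    matches if ANY listed flag has the requested value. 'established' is the
    alternative form and matches when ACK or RST is set.
    """
    flags = flags_from_byte(flags_byte)
    if established:
        return bool(flags["ack"] or flags["rst"])
    if not rule_flags:
        return True  # no flag parameters given: every TCP segment matches
    unknown = set(rule_flags) - set(TCP_FLAG_BITS)
    if unknown:
        raise ValueError("unknown TCP flag(s): %s" % sorted(unknown))
    return any(flags[name] == wanted for name, wanted in rule_flags.items())


def matching_flag_combinations(rule_flags: Optional[Dict[str, int]] = None,
                               established: bool = False) -> List[int]:
    """Enumerate all 64 settings of the six flags and return those the rule matches.

    Comparing the count with the intuitive AND reading shows how much wider an
    OR rule is: 'ack 0 psh 1' matches 48 of 64 combinations; an AND would match 16.
    """
    return [b for b in range(64) if tcp_rule_matches(b, rule_flags, established)]


if __name__ == "__main__":
    print("ack 0 psh 1 matches", len(matching_flag_combinations({"ack": 0, "psh": 1})), "of 64 flag settings")
    print("established matches", len(matching_flag_combinations(established=True)), "of 64 flag settings")
```

When reviewing a rule set, the practical consequence is that a rule naming several flags is a union of conditions; to require two flags at once, a single rule cannot express it, and an ordered pair of rules (deny the unwanted case first, then permit) is needed.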
precedence precedence: Specifies an IP precedence value in the range of 0 to 7 or specifies one of the following keywords: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), and network (7).
tos tos: Specifies a ToS value in the range of 0 to 15 or specifies one of the following keywords: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), and normal (0).
dscp dscp: Specifies a DSCP value, which can be a number from 0 to 63 or a keyword in Table 11.
Table 11 DSCP keywords and values

Keyword | DSCP value (binary) | DSCP value (decimal) |
---|---|---|
af11 | 001010 | 10 |
af12 | 001100 | 12 |
af13 | 001110 | 14 |
af21 | 010010 | 18 |
af22 | 010100 | 20 |
af23 | 010110 | 22 |
af31 | 011010 | 26 |
af32 | 011100 | 28 |
af33 | 011110 | 30 |
af41 | 100010 | 34 |
af42 | 100100 | 36 |
af43 | 100110 | 38 |
cs1 | 001000 | 8 |
cs2 | 010000 | 16 |
cs3 | 011000 | 24 |
cs4 | 100000 | 32 |
cs5 | 101000 | 40 |
cs6 | 110000 | 48 |
cs7 | 111000 | 56 |
default | 000000 | 0 |
ef | 101110 | 46 |
ecn ecn: Specifies an ECN value in the range of 0 to 3. The last two bits in the differentiated services (DS) field of the IP header are defined for use by ECN. For more information about the DS field and ECN, see QoS configuration in ACL and QoS Configuration Guide.
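The precedence, tos, dscp and ecn parameters all match bits of the same byte (the IPv4 ToS / IPv6 Traffic Class byte), so rules written with different keywords can overlap or shadow one another. The following Python helper is an added example, not part of the command reference; it decodes a DS byte into the four fields and maps them to the keywords given above and in Table 11. The keyword values come from this page; the bit layout (precedence in the top 3 bits, the 4 ToS bits below them, DSCP as the top 6 bits, ECN as the low 2 bits) is the standard RFC 791 / RFC 2474 / RFC 3168 layout, which the page does not describe.

```python
from typing import Dict, FrozenSet, List

PRECEDENCE_KEYWORDS = {0: "routine", 1: "priority", 2: "immediate", 3: "flash",
                       4: "flash-override", 5: "critical", 6: "internet", 7: "network"}
TOS_KEYWORDS = {0: "normal", 1: "min-monetary-cost", 2: "max-reliability",
                4: "max-throughput", 8: "min-delay"}
# Table 11, generated from its structure: cs<n> = n << 3, af<c><d> = 8c + 2d.
DSCP_KEYWORDS = {0: "default", 46: "ef"}
DSCP_KEYWORDS.update({8 * c: "cs%d" % c for c in range(1, 8)})
DSCP_KEYWORDS.update({8 * c + 2 * d: "af%d%d" % (c, d) for c in range(1, 5) for d in range(1, 4)})


def decode_ds_byte(ds: int) -> Dict[str, object]:
    """Split one DS byte into the fields the precedence/tos/dscp/ecn parameters test."""
    if not 0 <= ds <= 0xFF:
        raise ValueError("DS byte must be 0..255")
    precedence = ds >> 5            # top 3 bits
    tos = (ds >> 1) & 0x0F          # the 4 RFC 791 ToS bits; bit 0 was the unused MBZ bit
    dscp = ds >> 2                  # top 6 bits
    ecn = ds & 0x03                 # low 2 bits
    tos_keywords = [kw for val, kw in TOS_KEYWORDS.items() if val and tos & val] or ["normal"]
    return {
        "precedence": precedence,
        "precedence_keyword": PRECEDENCE_KEYWORDS[precedence],
        "tos": tos,
        "tos_keywords": tos_keywords,
        "dscp": dscp,
        "dscp_keyword": DSCP_KEYWORDS.get(dscp),   # None for values without a keyword
        "ecn": ecn,
    }


def ds_bytes_matching(field: str, value: int) -> FrozenSet[int]:
    """Return every DS byte value that a single precedence/tos/dscp/ecn parameter matches.

    Useful for checking whether two rules written with different keywords overlap:
    e.g. 'dscp ef' (46) selects a strict subset of what 'precedence critical' (5) selects.
    """
    if field not in ("precedence", "tos", "dscp", "ecn"):
        raise ValueError("field must be precedence, tos, dscp or ecn")
    return frozenset(ds for ds in range(256) if decode_ds_byte(ds)[field] == value)


if __name__ == "__main__":
    print(decode_ds_byte(0xB8))   # constructed sample: EF-marked packet, ECN not set
    print(len(ds_bytes_matching("precedence", 5)), "DS bytes match precedence critical")
    print(len(ds_bytes_matching("dscp", 46)), "DS bytes match dscp ef")
```

Because a dscp rule fixes six bits and a precedence rule only three, a permit on precedence placed before a deny on dscp lets the denied DSCP through; the helper makes such overlaps visible before the ACL is applied.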
source { source-address source-wildcard | any }: Specifies a source IP address.
· The source-address source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address.
· The any keyword specifies any source IP address.
destination { dest-address dest-wildcard | any }: Specifies a destination IP address.
· The dest-address dest-wildcard arguments specify a destination IP address and a wildcard mask in dotted decimal notation. An all-zero wildcard represents a host address.
· The any keyword specifies any destination IP address.
source-port { operator port1 [ port2 ] }: Specifies one or more source TCP or UDP ports.
· The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
· The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.
destination-port { operator port1 [ port2 ] }: Specifies one or more destination TCP or UDP ports.
· The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).
· The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. The port2 argument is needed only when the operator argument is range.
udf-format: Specifies the packet format. The following packet formats are supported:
· ifa—Matches INT packets.
· raw_ip—Matches all packets except for GRE, ICMP, IGMP, IPinIP, OSPF, TCP, and UDP packets.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. For an ACL used to filter packets, if you do not specify a VPN instance, the rule applies only to non-VPN packets. For an ACL used by other features, if you do not specify a VPN instance, the implementation varies by feature. For more information, see the configuration guide of the feature.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating or editing has the same deny or permit statement as another rule in the ACL, the rule will not be created or changed.
If the rule ID has been used when you create a rule:
· For command set 1, the new rule overwrites the existing rule.
· For command set 2, the contents in the new rule are incrementally added to the existing rule.
To view the existing user-defined ACL rules, use the display acl user-defined all command.
Both the undo rule rule-id command and the undo rule { deny | permit } command delete an entire rule. When you use the undo rule { deny | permit } command, you must specify all the attributes of the rule. The undo rule { deny | permit } command can be used to delete rules created by using scripts, which have no rule IDs.
For command set 2:
· In addition to user-defined strings, a rule can use the source IP address, destination IP address, port number, and protocol type to match packets.
· To match INT packets, follow these rules:
  - To match TCP INT packets, specify tcp for the protocol argument.
  - To match UDP INT packets, specify udp for the protocol argument.
  - Specify ifa for the udf-format argument, and specify l5 for offset purposes.
· To match TCP packets, specify tcp for the protocol argument, and specify l5 for offset purposes.
· To match UDP packets, specify udp for the protocol argument, and specify l5 for offset purposes.
· To match IP packets, specify ip for the protocol argument, and specify l4 for offset purposes.
· To match VXLAN packets, specify udp for the protocol argument, and specify vxlan for the udf-format argument.
· You can use the undo rule rule-id command to delete some attributes of the rule by specifying keywords in the command or delete the entire rule without specifying any keywords.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. For more information about the packet-filter command, see packet filter commands in Security Command Reference.
Examples
# Create a rule for user-defined ACL 5005 to permit ARP packets where the 12th and 13th bytes starting from the Layer 2 header are 0x0806.
<Sysname> system-view
[Sysname] acl user-defined 5005
[Sysname-acl-user-5005] rule permit l2 0806 ffff 12
# Create a rule for user-defined ACL 5005 to allow VXLAN packets to pass through.
<Sysname> system-view
[Sysname] acl user-defined 5005
[Sysname-acl-user-5005] rule permit udp vxlan
# Create a rule for user-defined ACL 5005 to allow hosts in subnet 2030:5060::/64 to establish connections with destination port 80 on hosts in subnet FE80:5060::/96.
<Sysname> system-view
[Sysname] acl user-defined 5005
[Sysname-acl-user-5005] rule permit ipv6-protocol tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
# Create a rule for user-defined ACL 5009 to allow the TCP packets with the ACK bit set to pass through.
<Sysname> system-view
[Sysname] acl user-defined 5009
[Sysname-acl-user-5009] rule permit tcp ack 1
# Create a rule for user-defined ACL 5010 to allow the IPv4 and IPv6 packets with source UDP port number 100.
<Sysname> system-view
[Sysname] acl user-defined 5010
[Sysname-acl-user-5010] rule permit dual-stack udp source-port eq 100
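The first example above (rule permit l2 0806 ffff 12) is the clearest illustration of how a user-defined rule works: a hexadecimal pattern, a mask of the same length, and a byte offset counted from the chosen header. The Python model below is an added example, not device code and not from the command reference; it applies those three parameters to constructed Ethernet frames and enforces the length rules given for rule-string and rule-mask. The l4 and l5 base offsets are computed from the standard Ethernet/IPv4/TCP header fields of the sample frames, which is an assumption about how the device locates those headers; how the device treats pattern bits outside the mask is not stated on the page, and the model ignores them.

```python
from typing import Dict, Tuple


def parse_pattern(rule_string: str, rule_mask: str) -> Tuple[bytes, bytes]:
    """Decode a rule-string/rule-mask pair with the checks the reference states:
    hexadecimal, length a multiple of two, mask the same length as the pattern."""
    if not rule_string or len(rule_string) % 2:
        raise ValueError("rule-string length must be a non-zero multiple of two")
    if len(rule_mask) != len(rule_string):
        raise ValueError("rule-mask must be the same length as rule-string")
    return bytes.fromhex(rule_string), bytes.fromhex(rule_mask)


def header_offsets(frame: bytes) -> Dict[str, int]:
    """Locate the l2, l4 and l5 header starts in an untagged Ethernet frame.

    Only IPv4 over Ethernet carrying TCP or UDP is decoded (enough for the sample
    frames); a header the frame does not carry is simply not reported.
    """
    offsets = {"l2": 0}
    if len(frame) < 14:
        return offsets
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        l4 = 14 + ihl
        proto = frame[23]                        # IPv4 protocol field
        offsets["l4"] = l4
        if proto == 6 and len(frame) >= l4 + 20:             # TCP: data offset in 32-bit words
            offsets["l5"] = l4 + (frame[l4 + 12] >> 4) * 4
        elif proto == 17 and len(frame) >= l4 + 8:           # UDP: fixed 8-byte header
            offsets["l5"] = l4 + 8
    return offsets


def rule_matches(frame: bytes, base: str, rule_string: str, rule_mask: str, offset: int) -> bool:
    """True if the bytes at base+offset, ANDed with the mask, equal the masked pattern.

    A base header the frame lacks (e.g. l4 on an ARP frame) or a pattern that runs
    past the end of the frame never matches.
    """
    if offset < 0:
        raise ValueError("offset must be non-negative")
    pattern, mask = parse_pattern(rule_string, rule_mask)
    offsets = header_offsets(frame)
    if base not in offsets:
        return False
    begin = offsets[base] + offset
    window = frame[begin:begin + len(pattern)]
    if len(window) < len(pattern):
        return False
    return all((w & m) == (p & m) for w, p, m in zip(window, pattern, mask))


def build_sample_frames() -> Dict[str, bytes]:
    """Constructed sample frames for the example (not captured traffic)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("021122334455")
    # ARP request: EtherType 0x0806 at L2 offset 12, the case in the page's first example.
    arp = (dst + src + bytes.fromhex("0806")
           + bytes.fromhex("0001080006040001") + src + bytes([10, 0, 0, 1])
           + bytes(6) + bytes([10, 0, 0, 2]))
    # IPv4 (IHL 5, protocol 6) + TCP (data offset 5, dst port 80, PSH+ACK) + an HTTP request line.
    ipv4 = bytes.fromhex("45000034000100004006" + "0000" + "0a000001" + "0a000002")
    tcp = bytes.fromhex("c000" + "0050" + "00000000" + "00000000" + "5018" + "ffff" + "0000" + "0000")
    http = dst + src + bytes.fromhex("0800") + ipv4 + tcp + b"GET / HTTP/1.1\r\n"
    return {"arp": arp, "http": http}


if __name__ == "__main__":
    frames = build_sample_frames()
    for name, frame in frames.items():
        print(name, "matches 'l2 0806 ffff 12':", rule_matches(frame, "l2", "0806", "ffff", 12))
```

The mask is what makes a rule safe or sloppy: ffff pins both EtherType bytes, while ff00 on the same pattern would also match IPv4 (0x0800) and anything else whose first byte is 0x08, which is the kind of over-broad permit worth checking for in a review.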
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
packet-filter vlan (Security Command Reference)
time-range
rule comment
Use rule comment to configure a comment for an ACL rule.
Use undo rule comment to delete an ACL rule comment.
Syntax
rule rule-id comment text
undo rule rule-id comment
Default
A rule does not have a comment.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an ACL rule ID in the range of 0 to 65534. The ACL rule must already exist.
text: Specifies a comment about the ACL rule, a case-sensitive string of 1 to 127 characters.
Usage guidelines
This command adds a comment to a rule if the rule does not have a comment. It modifies the comment for a rule if the rule already has a comment.
Examples
# Create a rule for IPv4 basic ACL 2000, and add a comment about the rule.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule 0 deny source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2000] rule 0 comment This rule is used on gigabitethernet 0/0/1.
Related commands
display acl
step
Use step to set a rule numbering step for an ACL.
Use undo step to restore the default.
Syntax
step step-value [ start start-value ]
undo step
Default
The rule numbering step is 5, and the start rule ID is 5.
Views
IPv4 basic/advanced ACL view
IPv6 basic/advanced ACL view
Layer 2 ACL view
Predefined user roles
network-admin
Parameters
step-value: Specifies the ACL rule numbering step in the range of 1 to 20.
start start-value: Specifies the start rule ID in the range of 0 to 20.
Usage guidelines
The rule numbering step sets the increment by which the system numbers rules automatically. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 12, the rule is numbered 15.
The wider the numbering step, the more rules you can insert between two rules. Whenever the step or start rule ID changes, the rules are renumbered, starting from the start rule ID. For example, if there are five rules numbered 0, 5, 9, 10, and 15, changing the step from 5 to 2 causes the rules to be renumbered 5, 7, 9, 11, and 13.
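The numbering rule stated here and in the rule-id parameter description above (fixed step of 5 for user-defined ACLs, highest ID 28 gives 30; step 5 and highest 12 gives 15; renumbering 0, 5, 9, 10, 15 with step 2 gives 5, 7, 9, 11, 13) is worth having in executable form when you generate ACLs from scripts and need to predict IDs. The Python functions below are an added example, not code from the command reference or the device, and reproduce exactly those worked cases; the range checks use the limits given for step-value, start-value and rule-id on this page.

```python
from typing import Iterable, List


def next_rule_id(existing_ids: Iterable[int], step: int = 5, start: int = 5) -> int:
    """Return the ID the system assigns to a rule created without an explicit rule-id.

    The ID is the nearest multiple of the step above the current highest rule ID,
    counting from the start rule ID (start, start + step, start + 2*step, ...).
    With no rules yet, the first automatic rule gets the start ID.
    For user-defined ACLs the step is fixed at 5 and cannot be changed.
    """
    if not 1 <= step <= 20:
        raise ValueError("step-value must be in the range 1 to 20")
    if not 0 <= start <= 20:
        raise ValueError("start-value must be in the range 0 to 20")
    ids = list(existing_ids)
    if not ids:
        return start
    highest = max(ids)
    # smallest k such that start + k*step > highest
    k = (highest - start) // step + 1 if highest >= start else 0
    candidate = start + k * step
    if candidate > 65534:
        raise ValueError("no free rule ID above the current highest rule")
    return candidate


def renumber(existing_ids: Iterable[int], step: int, start: int = 5) -> List[int]:
    """Renumber all rules after a step or start change.

    Rules keep their relative order and receive start, start + step, ... in turn.
    """
    if not 1 <= step <= 20:
        raise ValueError("step-value must be in the range 1 to 20")
    if not 0 <= start <= 20:
        raise ValueError("start-value must be in the range 0 to 20")
    return [start + i * step for i, _ in enumerate(sorted(existing_ids))]


if __name__ == "__main__":
    print(next_rule_id([0, 5, 10, 12]))                 # page example: step 5, highest 12 -> 15
    print(next_rule_id([28]))                            # page example: highest 28 -> 30
    print(renumber([0, 5, 9, 10, 15], step=2, start=5))  # page example -> [5, 7, 9, 11, 13]
```

A consequence worth noting for change control: after renumbering, a rule ID no longer identifies the same rule it did before, so a script that deletes or edits rules by ID must re-read the ACL (display acl) after any step change rather than reuse cached IDs.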
Examples
# Set the rule numbering step to 2 for IPv4 basic ACL 2000.
<Sysname> system-view
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] step 2
Related commands
display acl