Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

rule (advanced ACL6 view)

Function

The rule command adds or modifies an advanced ACL6 rule.

The undo rule command deletes an ACL6 rule.

By default, no advanced ACL6 rule is created.

NOTE:

AR502G-L-D-H, AR502GR-L-D-H, AR510 series do not support IPv6 ACL.

Format

  • When protocol is set to TCP, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | dscp dscp | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg | established } * | logging | time-range time-name | tos tos ] *

  • When protocol is set to UDP, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | dscp dscp | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | logging | time-range time-name | tos tos ] *

  • When protocol is set to ICMPv6, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | icmpv6 } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | dscp dscp | icmp6-type { icmp6-type-name | icmp6-type icmp6-code } | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | logging | time-range time-name | tos tos ] *

  • When protocol is set to IPv6, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | ipv6 } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | dscp dscp | [ fragment | none-first-fragment ] | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | logging | time-range time-name | tos tos ] *

  • When protocol is set to GRE or OSPF, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | dscp dscp | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | logging | time-range time-name | tos tos ] *

  • To delete an advanced ACL6 rule, run:

    undo rule rule-id [ destination | destination-port | [ fragment | none-first-fragment ] | icmp6-type | precedence | source | source-port | logging | time-range | tos ] *

Parameters

Parameter Description Value
rule-id Specifies the ID of a rule.
  • If the specified rule ID already exists, the new rule is merged into the rule with this ID, that is, the existing rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL6 rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step value, the device creates ACL6 rules with IDs 5, 10, 15, and so on.

The specified rule-id is valid only when the config mode is used. When the auto mode is used, the specified rule-id is ignored, and the device automatically assigns rule IDs to the ACL6 rules using the depth-first algorithm.

The value is an integer that ranges from 0 to 4294967294.
deny Indicates to drop packets conforming to certain conditions. -
permit Indicates to forward packets conforming to certain conditions. -
tcp Specifies that the protocol type is TCP. -
udp Specifies that the protocol type is UDP. -
icmpv6 Specifies that the protocol type is ICMPv6. -
protocol-number Specifies the protocol type that is expressed as a name or a number. The value ranges from 1 to 255. The protocol type expressed as a name can be GRE, ICMPv6, IPv6, OSPF, TCP, and UDP.
destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } Indicates the destination address and prefix of a packet. destination-ipv6-address is expressed in hexadecimal notation. The value of prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any destination address.
dscp dscp Specifies the Differentiated Services Code Point (DSCP) value.
NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.

The value of dscp can be an integer or a name. When the value is an integer, the value ranges from 0 to 63. When the value is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.
logging Specifies that the device logs the IP addresses, port numbers, and protocol type of the packets that match the rule. -
NOTE:
The logging parameter takes effect only when the ACL is referenced by the traffic-filter command.
fragment Indicates that the rule is valid for all fragments. -
none-first-fragment Indicates that the rule is valid only for non-initial fragments. -
NOTE:
Rules that contain neither the fragment nor the none-first-fragment parameter are valid for all packets.
precedence precedence Indicates that the packets are filtered according to the precedence field. precedence can be expressed as a name or a number. The number ranges from 0 to 7.
source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } Indicates the source address and prefix of a packet. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any source address.
destination-port { eq port | gt port | lt port | range port-start port-end }
Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal to the destination port number.
  • gt port: greater than the destination port number.
  • lt port: smaller than the destination port number.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535 for eq port, gt port, and lt port.

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

source-port { eq port | gt port | lt port | range port-start port-end }
Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal to the source port number.
  • gt port: greater than the source port number.
  • lt port: smaller than the source port number.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535 for eq port, gt port, and lt port.

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

icmp6-type { icmp6-type-name | icmp6-type icmp6-code } Specifies the type and code of ICMPv6 packets. This parameter is effective only when the packet protocol is ICMPv6. If it is not specified, all ICMPv6 packets are matched.

icmp6-type: indicates the type of ICMPv6 messages. The value ranges from 0 to 255.

icmp6-code: indicates the code of ICMPv6 messages. The value ranges from 0 to 255.

The values of icmp6-type-name and the corresponding ICMP-Type and ICMP-Code are listed in Table 14-49.

tcp-flag Specifies the flag bits in the TCP packet header that a packet must carry to match the rule. -
ack Specifies the ACK flag in the TCP packet header (010000). -
fin Specifies the FIN flag in the TCP packet header (000001). -
psh Specifies the PSH flag in the TCP packet header (001000). -
rst Specifies the RST flag in the TCP packet header (000100). -
syn Specifies the SYN flag in the TCP packet header (000010). -
urg Specifies the URG flag in the TCP packet header (100000). -
established Matches TCP packets whose ACK flag (010000) or RST flag (000100) is set. -
time-range time-name Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.
NOTE:

When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-name does not exist, the ACL6 rule does not take effect.

The value of time-name is a string of 1 to 32 characters.
tos tos Indicates that packets are filtered according to the Type of Service (ToS).
The value is an integer or a name.
  • The value ranges from 0 to 15 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 14-47 describes the mapping between ToS names and values.
Table 14-49  Values of icmp6-type-name and the corresponding ICMP-Type and ICMP-Code

icmp6-type-name          icmp-type   icmp-code
Redirect                 137         0
Echo                     128         0
Echo-reply               129         0
Err-Header-field         4           0
Frag-time-exceeded       3           1
Hop-limit-exceeded       3           0
Host-admin-prohib        1           1
Host-unreachable         1           3
Neighbor-advertisement   136         0
Neighbor-solicitation    135         0
Network-unreachable      1           0
Packet-too-big           2           0
Port-unreachable         1           4
Router-advertisement     134         0
Router-solicitation      133         0
Unknown-ipv6-opt         4           2
Unknown-next-hdr         4           1

Views

Advanced ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Advanced ACL6s classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

The time-range parameter of the rule command lets you flexibly configure the period during which an ACL6 rule takes effect.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect.

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Exercise caution when you run the undo rule command.

Example

# Add a rule to ACL6 3000 to deny the packets with the source UDP port number that is greater than 128 from fc00:1::1 to fc00:3::1.

<Huawei> system-view
[Huawei] acl ipv6 3000
[Huawei-acl6-adv-3000] rule deny udp source fc00:1::1 64 destination fc00:3::1 64 destination-port gt 128

# Add a rule to ACL6 3000 to permit established TCP connections (TCP packets with the ACK or RST flag set).

<Huawei> system-view
[Huawei] acl ipv6 3000
[Huawei-acl6-adv-3000] rule permit tcp tcp-flag established
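The following Python is an added illustration, not Huawei code or part of this document: it models how the rule parameters described above classify a packet (IPv6 prefix matching, the eq/gt/lt/range port operators, tcp-flag established as ACK or RST, and the icmp6-type names from Table 14-49), evaluating rules in ascending rule-id order with first match deciding. The rule IDs 5 and 10 for the two example rules and the ANDing of several listed tcp-flag names are assumptions.

```python
from ipaddress import IPv6Address, IPv6Network
# Constructed model (not Huawei code) of advanced ACL6 matching as described on
# this page: rules are tried in ascending rule-id order, the first match decides.
ICMP6_TYPE_NAMES = {  # name -> (icmp-type, icmp-code); a subset of Table 14-49
    "Echo": (128, 0), "Echo-reply": (129, 0), "Neighbor-solicitation": (135, 0),
    "Neighbor-advertisement": (136, 0), "Packet-too-big": (2, 0), "Port-unreachable": (1, 4),
}
# TCP flag bits in the urg ack psh rst syn fin order used by the tcp-flag parameter
TCP_FLAGS = {"urg": 0x20, "ack": 0x10, "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}

def _addr_ok(spec, addr):
    # spec is "any" or "address/prefix-length"; host bits beyond the prefix are ignored
    return spec == "any" or IPv6Address(addr) in IPv6Network(spec, strict=False)

def _port_ok(spec, port):
    op, *args = spec  # ("eq", p) | ("gt", p) | ("lt", p) | ("range", start, end)
    if op == "eq": return port == args[0]
    if op == "gt": return port > args[0]
    if op == "lt": return port < args[0]
    if op == "range": return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")

def _flags_ok(names, flags):
    # established = ACK or RST set (page); every other listed flag must be set (assumed AND)
    masks = [TCP_FLAGS["ack"] | TCP_FLAGS["rst"] if n == "established" else TCP_FLAGS[n] for n in names]
    return all(flags & m for m in masks)

def rule_matches(rule, pkt):
    want = rule.get("icmp6-type")  # a name from the table or an (icmp-type, icmp-code) pair
    if isinstance(want, str): want = ICMP6_TYPE_NAMES[want]
    return (rule["protocol"] == pkt["protocol"]
        and _addr_ok(rule.get("source", "any"), pkt["src"])
        and _addr_ok(rule.get("destination", "any"), pkt["dst"])
        and ("source-port" not in rule or _port_ok(rule["source-port"], pkt["sport"]))
        and ("destination-port" not in rule or _port_ok(rule["destination-port"], pkt["dport"]))
        and ("tcp-flag" not in rule or _flags_ok(rule["tcp-flag"], pkt["flags"]))
        and (want is None or (pkt["icmp_type"], pkt["icmp_code"]) == tuple(want)))

def acl6_decision(rules, pkt):
    """Return 'permit' or 'deny' from the lowest-id matching rule, or None if none matches."""
    for _, rule in sorted(rules.items()):
        if rule_matches(rule, pkt): return rule["action"]
    return None

# The two rules from this page's Example section; ids 5 and 10 assume the default step
EXAMPLE_ACL6 = {
    5: {"action": "deny", "protocol": "udp", "source": "fc00:1::1/64",
        "destination": "fc00:3::1/64", "destination-port": ("gt", 128)},
    10: {"action": "permit", "protocol": "tcp", "tcp-flag": ["established"]},
}
```

A packet is a plain dict (protocol, src, dst, and sport/dport, flags or icmp_type/icmp_code as the protocol requires); None means no rule matched, so the outcome is whatever the referencing feature does by default.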
Updated: 2019-02-18

Document ID: EDOC1000097293

Views: 35537

Downloads: 101

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next