AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

rule (layer 2 ACL view)

Function

The rule command adds or modifies a Layer 2 ACL rule.

The undo rule command deletes a Layer 2 ACL rule.

By default, there is no rule in the related Layer 2 ACL view.

Format

rule [ rule-id ] { permit | deny } [ l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | time-range time-name ] *

undo rule rule-id

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule overwrites the old rule. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.

The specified rule-id is valid only when the config mode is used. When the auto mode is used, the specified rule-id is invalid, and the device automatically assigns rule IDs to the ACL rules using the depth first algorithm.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match a rule.

-

permit

Permits the packets that match a rule.

-

l2-protocol type-value [ type-mask ]

Indicates the type of a Layer 2 protocol. This parameter corresponds to the Ethernet type of Ethernet_II frames and the type-code domain of Ethernet_SNAP frames.

  • type-value: specifies the type value of a Layer 2 protocol.
  • type-mask: specifies the type mask of a Layer 2 protocol.
type-value can be a hexadecimal number of 3 to 6 bits that ranges from 0x600 to 0xFFFF or one of the following protocol names:
  • ARP, corresponding to 0x0806
  • IP, corresponding to 0x0800
  • RARP, corresponding to 0x8035

The default value of type-mask is 0xffff.

destination-mac dest-mac-address [ dest-mac-mask ]

Specifies the destination MAC address of packets that match ACL rules. If this parameter is not specified, packets with any destination MAC address are matched.
  • dest-mac-address specifies the destination MAC address of packets.
  • dest-mac-mask specifies the mask of the destination MAC address of packets.

dest-mac-address and dest-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the dest-mac-mask is ffff-ffff-ffff.

You can obtain the required destination MAC address range by specifying dest-mac-address and dest-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies a MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies a MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

source-mac source-mac-address [ source-mac-mask ]

Specifies the source MAC address of packets that match ACL rules. If this parameter is not specified, packets with any source MAC address are matched.
  • source-mac-address specifies the source MAC address of packets.
  • source-mac-mask specifies the mask of the source MAC address of packets. If this parameter is not specified, the mask is ffff-ffff-ffff.

source-mac-address and source-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the source-mac-mask is ffff-ffff-ffff.

You can obtain the required source MAC address range by specifying source-mac-address and source-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies a MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies a MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

vlan-id vlan-id [ vlan-id-mask ]

Indicates the outer VLAN ID contained in a packet that matches the rule.

  • vlan-id: specifies the number of the VLAN ID.
  • vlan-id-mask: specifies the mask of the VLAN ID. If this parameter is not specified, the mask is 0xFFF.

The value of vlan-id is an integer ranging from 1 to 4094.

The value of the vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

8021p 802.1p-value

Indicates the 802.1p priority in the outer VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

time-range time-name

Defines the time range during which an ACL rule is valid. time-name specifies the name of a time range.

NOTE:

When you specify the time-range parameter to reference a time range in the ACL rule, if the specified time-name does not exist, the ACL does not take effect.

The value of time-name is a string of 1 to 32 characters.

Views

layer 2 ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Layer 2 ACL matches packets based on Layer 2 information of the packets, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.

The rule command can also reference a time range, which lets you flexibly configure the time when the ACL rules take effect.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists, the new rule overwrites the old rule regardless of whether the rules conflict.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect.

When you use the undo rule command to delete an ACL rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl command to view the rule ID.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Exercise caution when you run the undo rule command.

Example

# Add a rule to ACL 4001 to match packets with the destination MAC address being 0000-0000-0001, source MAC address being 0000-0000-0002, and the value of the Layer 2 protocol type being 0x0800.

<Huawei> system-view
[Huawei] acl 4001
[Huawei-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800
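
The mask semantics from the parameter table and the example rule above, modelled in Python as an added illustration (not Huawei code and not part of the original document). The function and class names and the rule 10 deny entry are constructed for this example; it assumes that short H groups are zero-padded on the left and that rules are checked in ascending rule-ID order (config mode). A frame that matches no rule returns None, because its handling depends on where the ACL is applied.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

FULL_MAC = 0xFFFFFFFFFFFF
Spec = Optional[Tuple[int, int]]  # (value, mask); None matches anything

def parse_mac(text: str) -> int:
    """Parse H-H-H, each H being one to four hex digits (assumed left zero-padded)."""
    groups = text.split("-")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"not in H-H-H format: {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)

def format_mac(value: int) -> str:
    h = f"{value:012x}"
    return "-".join((h[0:4], h[4:8], h[8:12]))

def mac_range(address: str, mask: str = "ffff-ffff-ffff") -> Tuple[str, str]:
    """Lowest and highest MAC selected by address/mask: mask bits set to 1 must match."""
    a, m = parse_mac(address), parse_mac(mask)
    return format_mac(a & m), format_mac((a & m) | (~m & FULL_MAC))

def mac_spec(address: str, mask: str = "ffff-ffff-ffff") -> Tuple[int, int]:
    return parse_mac(address), parse_mac(mask)

@dataclass
class Rule:
    rule_id: int
    action: str              # "permit" or "deny"
    src: Spec = None         # source-mac address and mask
    dst: Spec = None         # destination-mac address and mask
    l2_protocol: Spec = None # type-value and type-mask

def _hit(value: int, spec: Spec) -> bool:
    return spec is None or (value & spec[1]) == (spec[0] & spec[1])

def evaluate(rules, src: str, dst: str, ethertype: int):
    """Return (rule_id, action) of the first matching rule, or None if none match."""
    s, d = parse_mac(src), parse_mac(dst)
    for r in sorted(rules, key=lambda r: r.rule_id):  # assumption: ascending ID order
        if _hit(s, r.src) and _hit(d, r.dst) and _hit(ethertype, r.l2_protocol):
            return r.rule_id, r.action
    return None

# Constructed ACL: rule 5 is the documented example, rule 10 is made up for contrast.
SAMPLE_ACL = [
    Rule(10, "deny", src=mac_spec("00e0-fc01-0101", "ffff-ffff-0000")),
    Rule(5, "permit", src=mac_spec("0000-0000-0002"),
         dst=mac_spec("0000-0000-0001"), l2_protocol=(0x0800, 0xFFFF)),
]
```

Running `mac_range` on a proposed address and mask before committing a deny rule shows exactly how many hosts the rule covers, which is an easy way to catch a mask that is broader than intended.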
Updated: 2019-05-29

Document ID: EDOC1000097293
