
AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
rule (user ACL view)


Function

The rule command configures a user ACL rule.

The undo rule command deletes a user ACL rule.

By default, no user ACL rule is configured.

Format

  • When the protocol is ICMP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

  • When the protocol is TCP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

  • When the protocol is UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

  • When the protocol is GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any | passthrough-domain domain-string } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *

  • To delete an ACL rule, run:

    undo rule rule-id [ destination | destination-port | icmp-type | source | source-port | tcp-flag | time-range | dscp | tos | precedence | fragment ] *

Parameters

Parameter: rule-id
Description: Specifies the ID of an ACL rule.
  • If the specified rule ID already exists, the new rule is merged into the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. Rule IDs are sorted in ascending order, and the device allocates them according to the step. The step value is set by using the step command.
  NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.
Value: The value is an integer that ranges from 0 to 4294967294.

Parameter: deny
Description: Denies the packets that match the rule.
Value: -

Parameter: permit
Description: Permits the packets that match the rule.
Value: -

Parameter: icmp
Description: Indicates that the protocol type is ICMP. Specifying the protocol number 1 is equivalent.
Value: -

Parameter: tcp
Description: Indicates that the protocol type is TCP. Specifying the protocol number 6 is equivalent.
Value: -

Parameter: udp
Description: Indicates that the protocol type is UDP. Specifying the protocol number 17 is equivalent.
Value: -

Parameter: protocol-number
Description: Indicates the protocol type, expressed by name or number.
  NOTE: The parameters available in an ACL rule vary with the protocol type. The source-port { eq port | gt port | lt port | range port-start port-end } and destination-port { eq port | gt port | lt port | range port-start port-end } parameters are applicable to TCP and UDP only.
Value: When expressed by number, the value is an integer that ranges from 1 to 255. When expressed by name, the value can be gre, icmp, igmp, ip, ipinip, ospf, tcp, or udp. The names icmp, tcp, udp, gre, igmp, ipinip, and ospf correspond to the protocol numbers 1, 6, 17, 47, 2, 4, and 89 respectively.

Parameter: source { source-address source-wildcard | any }
Description: Indicates the source IP address of packets that match the ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address. That is, source-address is 0.0.0.0 and source-wildcard is 255.255.255.255.
Value:
  • source-address: The value is in dotted decimal notation.
  • source-wildcard: The value is in dotted decimal notation. The wildcard mask can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a single host address.
  NOTE: The wildcard is in dotted decimal format. After the value is converted to binary, a 0 bit indicates that the corresponding bit of the IP address must match, and a 1 bit indicates that the corresponding bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.

Parameter: destination { destination-address destination-wildcard | any | passthrough-domain domain-string }
Description: Indicates the destination IP address of packets that match the ACL rule. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: indicates any destination IP address. That is, destination-address is 0.0.0.0 and destination-wildcard is 255.255.255.255.
  • passthrough-domain domain-string: indicates the destination domain name of permitted packets.
  NOTE: The passthrough-domain domain-string parameter is valid only when the permit parameter is specified.
Value:
  • destination-address: The value is in dotted decimal notation.
  • destination-wildcard: The value is in dotted decimal notation. The wildcard mask can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a single host address.
  NOTE: The wildcard is in dotted decimal format. After the value is converted to binary, a 0 bit indicates that the corresponding bit of the IP address must match, and a 1 bit indicates that the corresponding bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.
  • domain-string: The value is a string of 3 to 137 characters and must meet the following requirements:
    • The value cannot contain two consecutive dots (..).
    • If you use the fuzzy match function, the first character can be set to *, and * can only be used as the first character of the domain name.

Parameter: icmp-type { icmp-name | icmp-type icmp-code }
Description: Indicates the type and code of ICMP packets. This parameter is valid only when the protocol of packets is ICMP. If it is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.
Value:
  • icmp-type is an integer that ranges from 0 to 255.
  • icmp-code is an integer that ranges from 0 to 255.
  NOTE: Table 14-51 lists the mapping between ICMP names and ICMP types and codes.

Parameter: source-port { eq port | gt port | lt port | range port-start port-end }
Description: Specifies the source port of TCP or UDP packets. This parameter is valid only when the protocol of packets is TCP or UDP. If it is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal to port.
  • gt port: greater than port.
  • lt port: less than port.
  • range port-start port-end: within the range from port-start to port-end. port-start specifies the start port number and port-end specifies the end port number.
Value:
  • port can be a name or a number. When expressed as a number, it ranges from 0 to 65535 for eq, gt, and lt.
  • port-start and port-end can be a name or a number. When expressed as a number, each ranges from 0 to 65535.

Parameter: destination-port { eq port | gt port | lt port | range port-start port-end }
Description: Specifies the destination port of TCP or UDP packets. This parameter is valid only when the protocol of packets is TCP or UDP. If it is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal to port.
  • gt port: greater than port.
  • lt port: less than port.
  • range port-start port-end: within the range from port-start to port-end. port-start specifies the start port number and port-end specifies the end port number.
Value:
  • port can be a name or a number. When expressed as a number, it ranges from 0 to 65535 for eq, gt, and lt.
  • port-start and port-end can be a name or a number. When expressed as a number, each ranges from 0 to 65535.

Parameter: tcp-flag { ack | fin | psh | rst | syn | urg } *
Description: Indicates the flag bits in the TCP packet header. One or more of the following flags can be specified:
  • ack: the ACK flag (bit pattern 010000).
  • fin: the FIN flag (bit pattern 000001).
  • psh: the PSH flag (bit pattern 001000).
  • rst: the RST flag (bit pattern 000100).
  • syn: the SYN flag (bit pattern 000010).
  • urg: the URG flag (bit pattern 100000).
Value: -

Parameter: time-range time-name
Description: Specifies the name of a time range during which the ACL rule takes effect. If this parameter is not specified, the ACL rule takes effect at any time.
  NOTE: When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL does not take effect.
Value: The value is a string of 1 to 32 characters.

Parameter: dscp dscp
Description: Specifies the value of a Differentiated Services Code Point (DSCP).
  NOTE: The dscp dscp and precedence precedence parameters cannot be set for the same rule. The dscp dscp and tos tos parameters cannot be set for the same rule.
Value: The value is an integer or a name.
  • The value ranges from 0 to 63 when it is an integer.
  • When it is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

Parameter: tos tos
Description: Indicates that packets are filtered according to the Type of Service (ToS).
Value: The value is an integer or a name.
  • The value ranges from 0 to 15 when it is an integer.
  • When it is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 14-50 describes the mapping between ToS names and values.

Parameter: precedence precedence
Description: Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value.
Value: The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network.

Parameter: fragment
Description: Indicates that the rule is valid for all fragments.
Value: -
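As an added example (not code from the Huawei document), the following Python evaluates a subset of the rule syntax above: protocol names and numbers, the discontiguous wildcard from the NOTE (192.168.1.169 with 0.0.0.172), the eq/gt/lt/range port operators, and automatic rule-ID allocation by the default step of 5. It assumes that rules are tried in ascending rule-ID order and that the first matching rule decides, which this page does not state; tcp-flag, time-range, dscp, tos, precedence and fragment are not handled.

```python
import ipaddress
# Added illustration, not device code. Assumed: rules are tried in ascending rule-ID order, first match decides.
PROTO = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = must match, 1 = ignored; the 1 bits may be discontiguous."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_match(op, args, port):
    lo, hi = int(args[0]), int(args[-1])
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo, "range": lo <= port <= hi}[op]

def parse_rule(text):
    tok, i, rule = text.split(), 1, {}
    if tok[i].isdigit():
        rule["id"], i = int(tok[i]), i + 1
    rule["action"], proto, i = tok[i], tok[i + 1], i + 2
    rule["proto"] = None if proto == "ip" else int(proto) if proto.isdigit() else PROTO[proto]  # "ip": any
    while i < len(tok):
        key, i = tok[i], i + 1
        if key in ("source", "destination"):  # "any" is shorthand for 0.0.0.0 255.255.255.255
            n = 1 if tok[i] == "any" else 2
            rule[key] = ("0.0.0.0", "255.255.255.255") if n == 1 else (tok[i], tok[i + 1])
        elif key in ("source-port", "destination-port"):  # operator plus one or two port values
            n = 3 if tok[i] == "range" else 2
            rule[key] = (tok[i], tok[i + 1:i + n])
        else:
            raise ValueError(f"keyword not handled in this example: {key}")
        i += n
    return rule

def rule_matches(rule, pkt):  # pkt: dict with proto, src, dst, sport, dport
    return ((rule["proto"] is None or pkt["proto"] == rule["proto"])
        and all(wildcard_match(pkt[p], *rule[k]) for k, p in (("source", "src"), ("destination", "dst")) if k in rule)
        and all(port_match(*rule[k], pkt[p]) for k, p in (("source-port", "sport"), ("destination-port", "dport")) if k in rule))

def evaluate(rule_texts, pkt, step=5):
    """Missing IDs get the next multiple of step (5, 10, ...); the lowest matching ID decides."""
    rules = []
    for r in map(parse_rule, rule_texts):
        r.setdefault("id", (max((x["id"] for x in rules), default=0) // step + 1) * step)
        rules.append(r)
    hit = next((r for r in sorted(rules, key=lambda x: x["id"]) if rule_matches(r, pkt)), None)
    return (hit["action"], hit["id"]) if hit else None

RULES = [  # constructed sample rules written in the page's syntax
    "rule deny tcp source 192.168.1.169 0.0.0.172 destination-port eq 23",
    "rule permit tcp source 192.168.1.0 0.0.0.255 destination-port range 80 443",
    "rule 3 permit 17 destination any destination-port eq 53",
]
```

The first two rules receive IDs 5 and 10, so the explicitly numbered rule 3 is tried first; 192.168.1.173 fits the x0x0xx01 pattern of the first rule while 192.168.1.50 does not.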

Table 14-50  Mapping between ToS names and values

ToS Name             Value
normal               0
min-monetary-cost    1
max-reliability      2
max-throughput       4
min-delay            8

Table 14-51  Mapping between ICMP names and ICMP types and codes

icmp-name              icmp-type   icmp-code
Echo                   8           0
Echo-reply             0           0
Fragmentneed-DFset     3           4
Host-redirect          5           1
Host-tos-redirect      5           3
Host-unreachable       3           1
Information-reply      16          0
Information-request    15          0
Net-redirect           5           0
Net-tos-redirect       5           2
Net-unreachable        3           0
Parameter-problem      12          0
Port-unreachable       3           3
Protocol-unreachable   3           2
Reassembly-timeout     11          1
Source-quench          4           0
Source-route-failed    3           5
Timestamp-reply        14          0
Timestamp-request      13          0
Ttl-exceeded           11          0

Views

User ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user ACL matches packets based on information such as source IP addresses, destination IP addresses, source port numbers, destination port numbers, and protocol types.

Currently, the user ACL can only be applied to the NAC feature.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the conflicting part in the old rule will be replaced.

When you use the undo rule command to delete an ACL rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl command to view the rule ID.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Exercise caution when you run the undo rule command.

The passthrough-domain domain-string parameter specifies a domain name to which matching packets are allowed to pass. When you use a UC browser to visit the domain addresses (website addresses) in the whitelist, access may fail or the response may be slow.

Example

# Add a rule to ACL 6000 to match all IP packets with destination domain name www.huawei.com.

<Huawei> system-view
[Huawei] acl 6000
[Huawei-acl-ucl-6000] rule permit ip destination passthrough-domain www.huawei.com

# Add a rule to ACL 6000 to match all IP packets with destination domain name *.huawei.com.

<Huawei> system-view
[Huawei] acl 6000
[Huawei-acl-ucl-6000] rule permit ip destination passthrough-domain *.huawei.com
Updated: 2019-05-29

Document ID: EDOC1000097293
