S600-E V200R011C10 NETCONF YANG API Reference

This document describes the NETCONF API functions supported by the switch, including the data model and samples.
ACL Rule Management

This section describes the configuration model of ACL rule management and provides examples of XML packets.

Data Model

The configuration model files for ACL rule management are ietf-acl.yang and huawei-acl.yang.

Table 2-219  ACL Rule management

Object: /ietf-acl:access-lists/access-list/access-control-list-name
Description: Indicates the name or ID of an advanced ACL.
Value:
  • Name: The value is a string of 1 to 64 case-sensitive characters without spaces and must begin with a letter.
  • ID: The value is an integer that ranges from 3000 to 3999.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-control-list-type
Description: Indicates the ACL type.
Value: The value is IP-access-control-list.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/rule-name
Description: Indicates the name of an ACL rule.
Value: The value is an integer that ranges from 0 to 4294967294.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/actions
Description: Indicates the action in the ACL rule:
  • deny indicates that the packets matching the ACL rule will be discarded.
  • permit indicates that the packets matching the ACL rule will be forwarded properly.
Value: The value can be spaces or left empty.
Remarks: The action in an ACL rule depends on the content of access-control-list.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/dscp
Description: Indicates the Differentiated Services Code Point (DSCP).
Value: The value can be an integer or a name. When it is an integer, the value ranges from 0 to 63. When it is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol
Description: Indicates the type of protocol packets matching the ACL rule.
Value: The value is an integer that ranges from 1 to 255. Common types are as follows:
  • 1: ICMP packets
  • 2: IGMP packets
  • 4: IPINIP packets
  • 6: TCP packets
  • 17: UDP packets
  • 47: GRE packets
  • 89: OSPF packets
Remarks: N/A

Objects:
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/lower-port
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/upper-port
Description: Indicates the source port of the UDP or TCP packets matching the ACL rule. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. lower-port indicates the start port number, and upper-port indicates the end port number. The two parameters specify a source port number range.
Value: The value of lower-port or upper-port can be a port name or a port number. The port number ranges from 0 to 65535.
Remarks: The value of upper-port must be greater than or equal to the value of lower-port.

Objects:
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port-range/lower-port
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port-range/upper-port
Description: Indicates the destination port of the UDP or TCP packets matching the ACL rule. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. lower-port indicates the start port number, and upper-port indicates the end port number. The two parameters specify a destination port number range.
Value: The value of lower-port or upper-port can be a port name or a port number. The port number ranges from 0 to 65535.
Remarks: The value of upper-port must be greater than or equal to the value of lower-port.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv4-network
Description: Indicates the source addresses of packets that match the ACL rule. If no source address is specified, the packets with any source address are matched.
Value: The value is in the format of source-address/source-wildcard.
  • source-address indicates a source IP address in dotted decimal notation.
  • source-wildcard specifies the wildcard of the source IP address in dotted decimal notation. The wildcard of the source IP address can be 0, which is equivalent to 0.0.0.0, indicating that the source IP address is a host address.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv4-network
Description: Indicates the destination addresses of packets that match the ACL rule. If no destination address is specified, the packets with any destination address are matched.
Value: The value is in the format of destination-address/destination-wildcard.
  • destination-address indicates a destination IP address in dotted decimal notation.
  • destination-wildcard specifies the wildcard of the destination IP address in dotted decimal notation. The wildcard of the destination IP address can be 0, which is equivalent to 0.0.0.0, indicating that the destination IP address is a host address.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/huawei-acl:time-range
Description: Indicates the time range name of an existing ACL rule.
Value: The value is a string of 1 to 32 characters.
Remarks: N/A
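The value constraints of Table 2-219 as a pre-send check, written as an added Python example that is not part of this Huawei document or of the ietf-acl/huawei-acl models. It assumes the entry is passed as a dict keyed by the leaf names above; because the document does not list port names, any alphabetic string is accepted as one, and because the request samples in this section write the network as 10.1.1.1/16 rather than address/wildcard, a prefix length 0-32 is accepted as well.

```python
# Added example (not from the Huawei document): value checks taken from Table 2-219.
DSCP_NAMES = set("af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 "
                 "cs1 cs2 cs3 cs4 cs5 cs6 cs7 default ef".split())

def is_dotted_decimal(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def valid_acl_name(name):
    """Name: 1-64 chars, no spaces, begins with a letter; or an ID from 3000 to 3999."""
    return 3000 <= int(name) <= 3999 if name.isdigit() else (
        1 <= len(name) <= 64 and " " not in name and name[:1].isalpha())

def valid_network(value):
    """address/wildcard in dotted decimal (a wildcard of 0 means 0.0.0.0, a host address).
    The request samples in this section write a prefix length (10.1.1.1/16), so 0-32 passes too."""
    addr, sep, wild = value.partition("/")
    return bool(sep) and is_dotted_decimal(addr) and (
        is_dotted_decimal(wild) or wild.isdigit() and int(wild) <= 32)

def valid_port(p):
    """A port name (assumed here: any alphabetic string) or a number from 0 to 65535."""
    return (isinstance(p, str) and p.isalpha()) or (isinstance(p, int) and 0 <= p <= 65535)

def validate_entry(acl_name, rule_name, action, matches):
    """Return the names of the violated objects; an empty list means the entry passes."""
    bad = []
    if not valid_acl_name(acl_name):
        bad.append("access-control-list-name")
    if not 0 <= rule_name <= 4294967294:
        bad.append("rule-name")
    if action not in ("permit", "deny"):
        bad.append("actions")
    proto = matches.get("protocol")
    if proto is not None and not 1 <= proto <= 255:
        bad.append("protocol")
    dscp = matches.get("dscp")
    if dscp is not None and not (dscp in DSCP_NAMES or dscp in range(64)):
        bad.append("dscp")
    for side in ("source", "destination"):
        net = matches.get(side + "-ipv4-network")
        if net is not None and not valid_network(net):
            bad.append(side + "-ipv4-network")
        rng = matches.get(side + "-port-range") or {}
        lo, hi = rng.get("lower-port"), rng.get("upper-port")
        # A port range is valid only for TCP (6) or UDP (17), and upper-port must be >= lower-port.
        if rng and (proto not in (6, 17) or not valid_port(lo) or hi is not None and (
                not valid_port(hi) or type(lo) is type(hi) is int and hi < lo)):
            bad.append(side + "-port-range")
    return bad
```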

Configuring an ACL Rule

This section describes how to configure, modify, and delete an ACL rule using the edit-config method.

Table 2-220  Configuring an ACL rule

Operation:
  • edit-config:create
  • edit-config:replace
  • edit-config:delete

XPATH:
  • /ietf-acl:access-lists/access-list/access-control-list-name
  • /ietf-acl:access-lists/access-list/access-control-list-type
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry

Data Requirement 1: Creating an ACL Rule for Matching TCP Protocol Packets

| Item | Data | Description |
|---|---|---|
| ACL name | test1 | Create an ACL named test1. |
| ACL type | IP-access-control-list | Set the ACL type to IP-access-control-list. |
| ACL rule name | 1 | Set the ACL rule name to 1. |
| Action in the ACL rule | N/A | Discard packets that match the ACL rule. |
| Type of protocol packets matching the ACL rule | 6 | Specify TCP protocol packets to match the ACL rule. |
| Source port of the TCP packets matching the ACL rule | lower-port: 1; upper-port: N/A | Specify port 1 to any port as the source port range of TCP packets that match the ACL rule. |
| Destination port of the TCP packets matching the ACL rule | lower-port: 1; upper-port: 3 | Specify ports 1 to 3 as the destination port range of TCP packets that match the ACL rule. |
| Source addresses of packets that match the ACL rule | 10.1.1.1/16 | Specify 10.1.1.1/16 as the source addresses of packets that match the ACL rule. |
| Destination addresses of packets that match the ACL rule | 10.2.1.1/24 | Specify 10.2.1.1/24 as the destination addresses of packets that match the ACL rule. |
| DSCP | 0 | Set the DSCP value to 0 for the ACL rule. |
| Name of the time range within which the ACL rule takes effect | abc | Apply the ACL rule in a time range named abc. |

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="5" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
        <access-control-list:access-list>
          <access-control-list:access-control-list-name>test1</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                  <access-control-list:upper-port>3</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>0</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:destination-ipv4-network>10.2.1.1/24</access-control-list:destination-ipv4-network>
                <access-control-list:source-ipv4-network>10.1.1.1/16</access-control-list:source-ipv4-network>
              </access-control-list:matches>
              <access-control-list:actions>
                <access-control-list:deny></access-control-list:deny>
              </access-control-list:actions>
              <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">abc</hw-acl:time-range>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Data Requirement 2: Modifying the Destination Port Number Range in an ACL Rule

The following provides only the item to be modified. For other items, see data requirement 1.

| Item | Data | Description |
|---|---|---|
| Destination port of the TCP packets matching the ACL rule | lower-port: 1; upper-port: 6 | Modify the destination port range of TCP packets that match the ACL rule from ports 1 to 3 to ports 1 to 6. |

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="8" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
        <access-control-list:access-list>
          <access-control-list:access-control-list-name>test1</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                  <access-control-list:upper-port xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="replace">6</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>0</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:destination-ipv4-network>10.2.1.1/24</access-control-list:destination-ipv4-network>
                <access-control-list:source-ipv4-network>10.1.1.1/16</access-control-list:source-ipv4-network>
              </access-control-list:matches>
              <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">abc</hw-acl:time-range>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /ietf-acl:access-lists/access-list[access-control-list-name="test1"]</error-info>
  </rpc-error>
</rpc-reply>

Data Requirement 3: Canceling the Upper Destination Port Number Limit in an ACL Rule

The following provides only the item to be modified. For other items, see data requirement 1.

| Item | Data | Description |
|---|---|---|
| Destination port of the TCP packets matching the ACL rule | lower-port: 1; upper-port: N/A | Modify the destination port range of TCP packets that match the ACL rule to port 1 to any port. |

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="9" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
        <access-control-list:access-list>
          <access-control-list:access-control-list-name>test1</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                  <access-control-list:upper-port xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">6</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>0</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:destination-ipv4-network>10.2.1.1/24</access-control-list:destination-ipv4-network>
                <access-control-list:source-ipv4-network>10.1.1.1/16</access-control-list:source-ipv4-network>
              </access-control-list:matches>
              <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">abc</hw-acl:time-range>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>
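Assembling the requests of data requirements 1 to 3 programmatically and classifying the rpc-reply, as an added Python example that is not part of this Huawei document. It assumes the same leaf names and namespaces as the samples above, and registers the xc prefix for the NETCONF base namespace so that rpc and edit-config are serialized as xc:rpc and xc:edit-config, which is namespace-equivalent to the default xmlns the samples use.

```python
# Added example (not Huawei's code); element prefixes follow the samples in this section.
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ACL = "urn:ietf:params:xml:ns:yang:ietf-acl"
HW = "urn:huawei:params:xml:ns:yang:huawei-acl"
for prefix, uri in (("access-control-list", ACL), ("hw-acl", HW), ("xc", NC)):
    ET.register_namespace(prefix, uri)   # xc: also serves as the rpc/edit-config prefix

def _sub(parent, tag, text=None, ns=ACL):
    el = ET.SubElement(parent, "{%s}%s" % (ns, tag))
    el.text = None if text is None else str(text)
    return el

def acl_rule_request(message_id, acl_name, rule_name, matches, action=None,
                     time_range=None, upper_port_op=None):
    """Build the <rpc>; upper_port_op (None, "replace" or "delete") is the xc:operation
    placed on the destination upper-port, as in data requirements 2 and 3."""
    rpc = ET.Element("{%s}rpc" % NC, {"message-id": str(message_id)})
    edit = _sub(rpc, "edit-config", ns=NC)
    _sub(_sub(edit, "target", ns=NC), "running", ns=NC)
    acl = _sub(_sub(_sub(edit, "config", ns=NC), "access-lists"), "access-list")
    _sub(acl, "access-control-list-name", acl_name)
    _sub(acl, "access-control-list-type", "IP-access-control-list")
    entry = _sub(_sub(acl, "access-list-entries"), "access-list-entry")
    _sub(entry, "rule-name", rule_name)
    m = _sub(entry, "matches")
    for side in ("source", "destination"):
        rng = matches.get(side + "-port-range")
        if rng:
            r = _sub(m, side + "-port-range")
            _sub(r, "lower-port", rng["lower-port"])
            if "upper-port" in rng:
                hi = _sub(r, "upper-port", rng["upper-port"])
                if side == "destination" and upper_port_op:
                    hi.set("{%s}operation" % NC, upper_port_op)
    for leaf in ("dscp", "protocol", "destination-ipv4-network", "source-ipv4-network"):
        if leaf in matches:
            _sub(m, leaf, matches[leaf])
    if action:   # presence container: <deny/> or <permit/> under <actions>
        _sub(_sub(entry, "actions"), action)
    if time_range:
        _sub(entry, "time-range", time_range, ns=HW)
    return ET.tostring(rpc, encoding="unicode")

def reply_status(reply_xml):   # "ok" for an <ok/> reply, else the rpc-error's error-message
    root = ET.fromstring(reply_xml)
    if root.find("{%s}ok" % NC) is not None:
        return "ok"
    return root.findtext("{%s}rpc-error/{%s}error-message" % (NC, NC), "unknown error")
```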
Updated: 2019-09-23

Document ID: EDOC1000178028
