S1720, S2700, S5700, and S6720 V200R011C10 Command Reference
This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ACL Configuration Commands
- Command Support
- acl ipv6 name
- acl ipv6 (system view)
- acl name
- acl (system view)
- acl threshold-alarm
- assign resource-template acl-mode
- description
- display acl
- display acl ipv6
- display acl resource
- display snmp-agent trap feature-name acle all
- display time-range
- reset acl counter
- reset acl ipv6 counter
- rule (advanced ACL view)
- rule (advanced ACL6 view)
- rule (basic ACL view)
- rule (basic ACL6 view)
- rule (layer 2 ACL view)
- rule (user-defined ACL view)
- rule (user ACL view)
- rule description
- snmp-agent trap enable feature-name acle
- step
- time-range
acl ipv6 name
Function
The acl ipv6 name command creates a named ACL6 and enters the ACL6 view.
The undo acl ipv6 name command deletes a named ACL6.
By default, no named ACL6 is created.
Format
acl ipv6 name acl6-name [ advance | basic | acl6-number ] [ match-order { auto | config } ]
undo acl ipv6 name acl6-name
Parameters
Usage Guidelines
Usage Scenario
An ACL6 is a set of rules composed of permit or deny clauses. ACL6s are mainly used in QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
Follow-up Procedure
Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.
Precautions
- If only the type of a named ACL6 is specified, the number of the named ACL6 allocated by the Switch is the maximum value of the named ACL6 of the type.
- If the number and the type of a named ACL6 are not specified, the Switch considers the named ACL6 as the advanced ACL6 and allocates the maximum value as the number of the named ACL6.
After you create a named ACL6 by using the acl ipv6 name command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 name acl6-name or undo acl ipv6 acl6-number command to delete the ACL6.
When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Therefore, before deleting an ACL6, ensure that the ACL6 is not in use.
acl ipv6 (system view)
Function
The acl ipv6 command creates a numbered ACL6 and enters the ACL6 view.
The undo acl ipv6 command deletes a numbered ACL6.
By default, no numbered ACL6 is created.
Format
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
undo acl ipv6 { all | [ number ] acl6-number }
Parameters
Parameter | Description | Value |
---|---|---|
number | Indicates the number that identifies an ACL. | - |
acl6-number | Specifies an ACL6 number. | The value is an integer that ranges from 2000 to 3999. |
match-order { auto \| config } | Indicates the matching order of ACL6 rules. The rule-id in an ACL6 rule does not indicate the priority of the rule. It indicates the rule ID and remains unchanged when the mode is switched between auto and config. If the match-order parameter is not specified when you create an ACL6, the default match order config is used. | - |
all | Indicates that all the configured ACL6s are deleted. | - |
Usage Guidelines
Usage Scenario
An ACL6 is a set of rules composed of permit or deny clauses. ACL6 rules can be referenced by modules. ACL6s are applicable to QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
Follow-up Procedure
Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.
Precautions
After you create a numbered ACL6 using the acl ipv6 command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 acl6-number command to delete the ACL6.
When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Before deleting an ACL6, ensure that the ACL6 is not in use.
All ACL6s can be deleted on the device in one go, but this method is not recommended.
acl name
Function
The acl name command creates a named ACL and enters the ACL view.
The undo acl command deletes a named ACL.
By default, no ACL is created.
Format
acl name acl-name [ advance | basic | link | ucl | user | acl-number ] [ match-order { auto | config } ] (Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support the ucl parameter.)
undo acl name acl-name
Parameters
Usage Guidelines
Usage Scenario
An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:
- Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
- Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.
- Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.
Follow-up Procedure
Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.
Precautions
After you create a named ACL by using the acl name command, the ACL still exists even if you exit from the ACL view. You must run the undo acl name acl-name or undo acl acl-number command to delete the ACL.
When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
The device automatically allocates a number to the named ACLs that have no number specified. The number allocated depends on the following:
- If the type of a named ACL is specified, the number of the named ACL allocated by the device is the maximum value of the named ACL of the type.
- If the number and the type of a named ACL are not specified, the device considers the named ACL as the advanced ACL and allocates the maximum value as the number of the named ACL.
The Switch does not allocate the same number to more than one named ACL.
acl (system view)
Function
The acl command creates an ACL with the specified number and enters the ACL view.
The undo acl command deletes a specified ACL.
By default, no ACL is created.
Format
acl [ number ] acl-number [ match-order { auto | config } ]
undo acl { [ number ] acl-number | all }
Parameters
Parameter | Description | Value |
---|---|---|
number | Specifies the number that identifies an ACL. | - |
acl-number | Specifies the number of an ACL. | The value is an integer. NOTE: Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL. |
match-order { auto \| config } | Indicates the matching order of ACL rules. If the match-order parameter is not specified when you create an ACL, the default match order config is used. | - |
all | Indicates that all ACLs are deleted. | - |
Usage Guidelines
Usage Scenario
An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:
- Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
- Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.
- Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.
Follow-up Procedure
Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.
Precautions
- After you create an ACL using the acl command, the ACL still exists even if you exit from the ACL view. You must run the undo acl acl-number command to delete the ACL.
- When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
- You are advised not to delete all ACLs because this operation may cause a service interruption.
acl threshold-alarm
Function
The acl threshold-alarm command configures the alarm threshold percentage of ACL resource usage.
The undo acl threshold-alarm command restores the default alarm threshold percentage of ACL resource usage.
By default, the lower alarm threshold percentage is 70, and the upper alarm threshold percentage is 80.
Format
acl threshold-alarm { upper-limit upper-limit | lower-limit lower-limit } *
undo acl threshold-alarm
Parameters
Parameter | Description | Value |
---|---|---|
upper-limit upper-limit | Indicates the upper alarm threshold percentage of ACL resource usage. | The value is an integer that ranges from 1 to 100. |
lower-limit lower-limit | Indicates the lower alarm threshold percentage of ACL resource usage. | The value is an integer that ranges from 1 to 100. |
Usage Guidelines
Usage Scenario
After the device runs ACL or ACL6 services for a period, the running ACL services occupy ACL resources. You can run the acl threshold-alarm command to set the alarm threshold percentage of ACL resources.
When the ACL resource usage (that is, the ratio of existing ACL entries to the maximum number of ACL entries supported by the device) is equal to or higher than the upper threshold, the device generates an alarm. When the ACL resource usage falls to or below the lower threshold, the device generates a clear alarm.
Precautions
If you run the acl threshold-alarm command multiple times, only the latest configuration takes effect.
The upper threshold must be equivalent to or greater than the lower threshold.
assign resource-template acl-mode
Function
The assign resource-template acl-mode command sets the ACL resource allocation mode.
The undo assign resource-template acl-mode command restores the default ACL resource allocation mode.
By default, the ACL resource allocation mode is dual-ipv4-ipv6.
This command is supported only on the S5720HI.
Format
assign resource-template acl-mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 } [ slot slot-id ]
undo assign resource-template acl-mode [ slot slot-id ]
Parameters
Parameter | Description | Value |
---|---|---|
dual-ipv4-ipv6 | Specifies the IPv4 and IPv6 ACL resource allocation mode. | - |
ipv4 | Specifies the IPv4 ACL resource allocation mode. | - |
l2 | Specifies the Layer 2 ACL resource allocation mode. | - |
l2-ipv4 | Specifies the Layer 2 IPv4 ACL resource allocation mode. | - |
l2-ipv6 | Specifies the Layer 2 IPv6 ACL resource allocation mode. | - |
slot slot-id | If slot-id is not specified, usage of ACL resources in all the stack switches is displayed. | The value is determined based on the device configuration. |
Usage Guidelines
If the default number of ACLs for IPv4, IPv6, or Layer 2 services cannot meet service requirements, you can change the ACL resource allocation mode to increase the number of ACLs for the services. Before using this command to change the ACL resource allocation mode, consider the advantage and disadvantage of the change. For example, if the ACL resource allocation mode is changed from dual-ipv4-ipv6 to ipv4, more ACLs are supported for IPv4 services, but the number of ACLs for IPv6 and Layer 2 services reduces to 0.
Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2+IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2+IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
---|---|---|---|---|---|---|
dual-ipv4-ipv6 | 16K | 16K | 8K | 8K | 16K | 16K(IPV4)+8K(IPV6) |
l2-ipv4 | 32K | 32K | 0 | 0 | 32K | 32K |
l2-ipv6 | 0 | 0 | 16K | 16K | 16K | 16K |
ipv4 | 64K | 0 | 0 | 0 | 0 | 64K |
l2 | 0 | 0 | 0 | 0 | 64K | 64K |
Precautions
After configuring the ACL resource allocation mode, save the configuration, and restart the device for the configuration to take effect.
description
Function
The description command configures the description of an ACL.
The undo description command deletes the description of an ACL.
By default, no description is configured for an ACL.
Usage Guidelines
Usage Scenario
The description command configures the description of an ACL, for example, the usage or application scenario of the ACL. It is used to differentiate ACLs.
Prerequisites
The ACL to be described has been created.
Configuration Impact
The description command cannot be run in the ACL6 view.
If you run the description command multiple times in the same ACL view, only the latest configuration takes effect.
display acl
Parameters
Parameter | Description | Value |
---|---|---|
acl-number | Specifies the number of an ACL. | The value is an integer. NOTE: Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL. |
name acl-name | Specifies the name of an ACL. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
all | Indicates all ACLs. | - |
Example
# Display configuration about the ACL named test.
<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
rule 5 permit ip destination 10.10.10.1 0
# Display the ACL configuration.
<HUAWEI> display acl all
Total nonempty ACL number is 1
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip dscp cs1
Item | Description |
---|---|
Advanced ACL test 3999, 1 rule, match-order is auto | Advanced ACL 3999 named test that matches in the automatic order and contains one rule. |
Acl's step is 5 | The ACL's step is 5. To set the step between ACL rule IDs, run the step command. |
rule 5 permit ip destination 10.10.10.1 0 | Rule 5 that matches packets whose destination IP address is 10.10.10.1. To modify an advanced ACL rule, run the rule (advanced ACL view) command. |
Total nonempty ACL number is 1 | One ACL contains rules. |
Advanced ACL 3000, 1 rule | Advanced ACL 3000 contains one rule. |
rule 5 permit ip dscp cs1 | Rule 5 that matches packets with the DSCP priority cs1. To modify an advanced ACL rule, run the rule (advanced ACL view) command. |
display acl ipv6
Parameters
Parameter | Description | Value |
---|---|---|
acl6-number | Specifies an ACL6 number. | The value is an integer that ranges from 2000 to 3999. An ACL6 with a number ranging from 2000 to 2999 is a basic ACL6, and an ACL6 with a number ranging from 3000 to 3999 is an advanced ACL6. |
name acl6-name | Displays the ACL6 with a specified name. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
all | Displays the configurations of all ACL6s. | - |
Example
# Display the configuration about the ACL6 with the number of 2000.
<HUAWEI> display acl ipv6 2000
Basic IPv6 ACL 2000, 2 rules
rule 1 permit source 4::/64
rule 0 deny source 3::/64
# Display the ACL6 configuration.
<HUAWEI> display acl ipv6 all
Total nonempty acl6 number is 1
Basic IPv6 ACL 2000, 2 rules
rule 1 permit source 4::/64
rule 0 deny source 3::/64
Item | Description |
---|---|
Total nonempty acl6 number is 1 | One ACL6 contains rules. |
Basic IPv6 ACL 2000, 2 rules | ACL6 2000, which is a basic ACL6 and has two rules. |
rule 0 deny source 3::/64 | ACL6 rule 0, which denies packets with the source IPv6 address 3::/64. To modify a basic ACL6 rule, run the rule (basic ACL6 view) command. |
rule 1 permit source 4::/64 | ACL6 rule 1, which permits packets with the source IPv6 address 4::/64. To modify a basic ACL6 rule, run the rule (basic ACL6 view) command. |
display acl resource
Usage Guidelines
Usage Scenario
- ACL entries: Each ACL entry stores an ACL rule.
- Meter/Car: a traffic control table used to limit the traffic rate. The meter/car must be used with ACL entries.
- Counter: a traffic counter table used to collect traffic statistics. The counter must be used with ACL entries.
If ACL configuration fails, all the ACL resources on the device may have been used up. You can run the display acl resource command to check whether there are available ACL resources (including ACL4 and ACL6).
Precautions
- After ACL is applied to the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, S5700S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, the ACL resources are applied to both incoming and outgoing traffic. For example, if a traffic policy is applied to only the incoming traffic, the Outbound-ACL value and Inbound-ACL value in the display acl resource command output are the same.
- On the S5720-EI, S6720-EI, and S6720S-EI, ACL resources are divided in slice mode. Each slice contains a certain number of ACL resources. Different types of services apply for different slices when ACLs are applied. When ACL resource insufficiency is displayed while ACL resources are applied to a service, but the Free field shows there are still free ACL resources, this indicates that ACL resources in the slice occupied by the service are insufficient, and new slices cannot be obtained. The free resources in the Free field are ACL resources in the slice occupied by other services.
Example
# Display information about ACL resources on the Slot 0 (S5700LI is used as an example).
<HUAWEI> display acl resource slot 0
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/10
                Vlan-ACL   Inbound-ACL   Outbound-ACL   Router-ACL
---------------------------------------------------------------------------
Rule Used              0            71             71           10
Rule Free           1024           421            421          522
Rule Total          1024           492            492          532
Meter Used             0             0              0            0
Meter Free             0           172            128            0
Meter Total            0           172            128            0
Counter Used           0             0              0            0
Counter Free           0           172            128            0
Counter Total          0           172            128            0
---------------------------------------------------------------------------
# Display information about ACL resources on the Slot 0 (S6720LI is used as an example).
<HUAWEI> display acl resource slot 0
Slot 0
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/24
40GE0/0/1
40GE0/0/2
                Vlan-ACL   Inbound-ACL   Outbound-ACL   Reserved-ACL
---------------------------------------------------------------------------
Rule Used              0            30             30            124
Rule Free            512          2018           2018            388
Rule Total           512          2048           2048            512
Meter Used             0             0              0              0
Meter Free             0          1536           2048              0
Meter Total            0          1536           2048              0
Counter Used           0             0              0              0
Counter Free           0          1536           2048              0
Counter Total          0          1536           2048              0
---------------------------------------------------------------------------
# Display information about ACL resources on the Slot 0 (S5720HI is used as an example).
<HUAWEI> display acl resource slot 0
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/48
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/4
                        Used      Free     Total
-----------------------------------------------------------------------------
ACL Unallocated            -         -     20480
ACL Allocated            147       365       511
Vlan ACL                   1         -         -
Sec ACL                  146         -         -
EXT Unallocated            -         -      8192
EXT Allocated              0         0         0
Car                      260     32508     32768
Counter                  144     65392     65536
-----------------------------------------------------------------------------
# Display information about ACL resources on the Slot 0 (S5720EI is used as an example).
<HUAWEI> display acl resource slot 0
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/48
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/4
                        Used      Free     Total
----------------------------------------------------------------------------
VACL                       8      2040      2048
IACL Unallocated           -         -      3072
IACL Allocated             -         -      1024
Srv ACL                   10       502       512
Sec ACL                  348       164       512
EACL Unallocated           -         -      1024
EACL Allocated             -         -         0
Ingress Meter             36      4060      4096
Egress Meter               0      1024      1024
Ingress Counter          155      3941      4096
Egress Counter             0      1024      1024
Ingress UDF                0         8         8
----------------------------------------------------------------------------
Item | Description |
---|---|
Slot | Stack ID. |
GigabitEthernet 0/0/1 to GigabitEthernet 0/0/x, XGigabitEthernet 0/0/1 to XGigabitEthernet 0/0/x | Interface to which an ACL is applied. |
Vlan-ACL | Inbound ACL resources delivered before the Layer 2 forwarding process starts. |
Inbound-ACL | Inbound ACL resources delivered after the Layer 3 forwarding process is complete. Generally, the device delivers Inbound-ACL resources in the following situation: |
Outbound-ACL | ACL resources in the outbound direction. The device delivers Outbound-ACL resources when the traffic policy applied to the outbound direction contains a traffic behavior that is not mirroring to observe-port. If the traffic behavior contained in the traffic policy is mirroring to observe-port, the device delivers Inbound-ACL resources. |
Router-ACL | ACL resources used for route forwarding. NOTE: This field is displayed only when hardware-based Layer 3 forwarding is enabled for IPv4 packets on an S2750EI, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC. |
Reserved-ACL | ACL resources reserved for CPCAR. |
Rule Used | Number of used ACL rules. |
Rule Free | Number of free ACL rules. |
Rule Total | Total number of ACL rules. |
Meter Used | Number of used rate limiting resources. |
Meter Free | Number of idle rate limiting resources. |
Meter Total | Total number of rate limiting resources. |
Counter Used | Number of used counters. |
Counter Free | Number of free counters. |
Counter Total | Total number of counters, including those for collecting statistics on traffic policies, VLAN traffic, VLANIF interface traffic, and packets sent to the CPU. |
Car | Traffic monitoring resources. |
Counter | Traffic statistics collection resources. |
Used | Number of used resources. |
Free | Number of free resources. |
Total | Total number of resources. |
ACL Unallocated | Unallocated common ACL resources. |
ACL Allocated | Number of ACL resources: |
EXT Unallocated | Unallocated extended ACL resources. |
EXT Allocated | Number of extended ACL resources: |
VACL | Inbound ACL resources delivered before the Layer 2 forwarding process starts. |
IACL Unallocated | Unallocated inbound ACL resources. |
IACL Allocated | Inbound ACL resources that are allocated, including: |
EACL Unallocated | Unallocated outbound ACL resources. |
EACL Allocated | Outbound ACL resources that are allocated, including: |
Ingress Meter | Inbound rate limiting resources. |
Egress Meter | Outbound rate limiting resources. |
Ingress Counter | Inbound statistics collection resources. |
Egress Counter | Outbound statistics collection resources. |
Ingress UDF | Inbound user-defined ACL resources. |
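As an added illustration that is not part of the Huawei documentation or software, the following Python parses the display acl resource output shown above for the S5700LI and applies the acl threshold-alarm semantics described earlier on this page: an alarm when rule usage reaches the upper limit and a clear alarm once it drops to the lower limit. The sample output is constructed from the values on this page; the function and class names are the example's own.

```python
"""Parse the 'display acl resource' output shown on this page (S5700LI layout)
and apply the acl threshold-alarm semantics: an alarm when usage reaches the
upper limit, a clear alarm when it falls to the lower limit. Added illustration,
not Huawei software."""

# Constructed sample in the layout shown on this page; values copied from the page.
SAMPLE_OUTPUT = """\
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/10
                Vlan-ACL   Inbound-ACL   Outbound-ACL   Router-ACL
---------------------------------------------------------------------------
Rule Used              0            71             71           10
Rule Free           1024           421            421          522
Rule Total          1024           492            492          532
Meter Used             0             0              0            0
Meter Free             0           172            128            0
Meter Total            0           172            128            0
Counter Used           0             0              0            0
Counter Free           0           172            128            0
Counter Total          0           172            128            0
---------------------------------------------------------------------------
"""

FIELDS = ("Used", "Free", "Total")


def parse_acl_resource(text: str) -> dict:
    """Return {table: {pool: {'Used': n, 'Free': n, 'Total': n}}}, so that
    result['Rule']['Inbound-ACL']['Total'] == 492 for the sample."""
    pools = None
    result = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("-"):
            continue                          # blank line or dashed separator
        if pools is None:
            if all(t.endswith("-ACL") for t in tokens):
                pools = tokens                # header row names the resource pools
            continue                          # 'Slot 0' and interface-range lines
        if len(tokens) == 2 + len(pools) and tokens[1] in FIELDS:
            table, fld = tokens[0], tokens[1]
            for pool, value in zip(pools, tokens[2:]):
                result.setdefault(table, {}).setdefault(pool, {})[fld] = int(value)
    return result


def usage_percent(used: int, total: int) -> float:
    """ACL resource usage as the page defines it: existing entries over the maximum."""
    return 100.0 * used / total if total else 0.0


def rule_usage(parsed: dict) -> dict:
    """Rule usage per pool in percent, e.g. Inbound-ACL 71/492 -> about 14.43."""
    return {pool: usage_percent(v["Used"], v["Total"])
            for pool, v in parsed["Rule"].items()}


def pools_over_threshold(parsed: dict, upper: int = 80) -> list:
    """Pools whose rule usage has reached the upper alarm threshold."""
    return sorted(pool for pool, pct in rule_usage(parsed).items() if pct >= upper)


class AclUsageAlarm:
    """Hysteresis as the page describes it: raise at usage >= upper-limit, clear
    only once usage <= lower-limit. Defaults are the page's 80 and 70 percent,
    and the page's constraint upper >= lower is enforced."""

    def __init__(self, upper: int = 80, lower: int = 70):
        if not 1 <= lower <= upper <= 100:
            raise ValueError("need 1 <= lower-limit <= upper-limit <= 100")
        self.upper, self.lower = upper, lower
        self.raised = False

    def update(self, percent: float):
        """Feed one usage sample; return 'alarm', 'clear' or None."""
        if not self.raised and percent >= self.upper:
            self.raised = True
            return "alarm"
        if self.raised and percent <= self.lower:
            self.raised = False
            return "clear"
        return None
```

The same parser handles the S6720LI layout, whose header names a Reserved-ACL pool instead of Router-ACL.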
display snmp-agent trap feature-name acle all
Function
The display snmp-agent trap feature-name acle all command displays the status of all traps on the ACL module.
Usage Guidelines
Usage Scenario
After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name acle all command to check the status of all traps of ACL. You can use the snmp-agent trap enable feature-name acle command to enable the trap function of ACL.
Prerequisites
SNMP has been enabled. See snmp-agent.
Example
# Display all the traps of the ACL module.
<HUAWEI> display snmp-agent trap feature-name acle all
------------------------------------------------------------------------------
Feature name: ACLE
Trap number : 4
------------------------------------------------------------------------------
Trap name                            Default switch status   Current switch status
hwAclResTotalCountExceedTrap         on                      on
hwAclResTotalCountExceedClearTrap    on                      on
hwAclResThresholdExceedTrap          on                      on
hwAclResThresholdExceedClearTrap     on                      on
Item | Description |
---|---|
Feature name | Name of the module that the trap belongs to. |
Trap number | Number of traps. |
Trap name | Trap name. Traps of the ACL module include hwAclResTotalCountExceedTrap, hwAclResTotalCountExceedClearTrap, hwAclResThresholdExceedTrap, and hwAclResThresholdExceedClearTrap. |
Default switch status | Default status of the trap function (on or off). |
Current switch status | Current status of the trap function (on or off). |
display time-range
Function
The display time-range command displays the configuration and status of the current time range.
Usage Guidelines
To specify a time range during which ACL rules take effect, run the time-range command and reference the time range name when you configure an ACL.
Before using a time range to filter data packets, run the display time-range command to view the time range configuration to avoid duplicate time ranges.
The device updates the status of ACLs with a delay of about 30 seconds, whereas the display time-range command uses the current time to determine the status of a time range. Therefore, you may find that an ACL referencing an active time range is still inactive. This is normal.
Example
# Display the configuration and status of all time ranges.
<HUAWEI> display time-range all
Current time is 14:48:13 10-17-2012 Wednesday
Time-range : abc (Active)
from 23:23 2012/9/9 to 23:59 2012/12/31
Total time-range number is 1
Item | Description |
---|---|
Current time is 14:48:13 10-17-2012 Wednesday | The current time is Wednesday 14:48:13 10-17-2012. |
Time-range : abc (Active) | The time range is named abc and is active. The time range can be: |
from 23:23 2012/9/9 to 23:59 2012/12/31 | Time range abc is from 23:23 2012/9/9 to 23:59 2012/12/31. |
Total time-range number | The total number of time ranges. |
reset acl counter
Parameters
Parameter | Description | Value |
---|---|---|
name acl-name | Specifies the name of an ACL whose statistics need to be cleared. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
acl-number | Specifies the number of an ACL whose statistics need to be cleared. | The value is an integer. NOTE: Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL. |
all | Clears all the ACL statistics. | - |
Usage Guidelines
Usage Scenario
To obtain the accurate ACL statistics generated in a certain period, run the reset acl counter command to clear existing statistics and start statistics collection.
After the reset acl counter command is executed, the system deletes the statistics without displaying a confirmation prompt.
Before using the reset acl counter command, determine whether you intend to clear ACL statistics.
Follow-up Procedure
After running the reset acl counter command to clear the previous ACL statistics, you can use the display acl match-counter command in the diagnostic view to check ACL rules and statistics on the packets matching the ACL rules in the current period.
reset acl ipv6 counter
Parameters
Parameter | Description | Value |
---|---|---|
name acl6-name | Specifies the name of an ACL6 whose statistics need to be cleared. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
acl6-number | Specifies the number of an ACL6 whose statistics need to be cleared. | The value is an integer that ranges from 2000 to 3999. |
all | Clears all the ACL6 statistics. | - |
Usage Guidelines
Usage Scenario
To obtain the accurate ACL6 statistics in a certain period, run the reset acl ipv6 counter command to clear existing statistics and start statistics collection.
Before using the reset acl ipv6 counter command, determine whether you intend to clear ACL6 statistics.
After the reset acl ipv6 counter command is executed, the system deletes the statistics without displaying a confirmation prompt.
Follow-up Procedure
After running the reset acl ipv6 counter command to clear the previous ACL6 statistics, you can use the display acl ipv6 command to view ACL6 rules and statistics on the packets matching the ACL6 rules in the current period.
rule (advanced ACL view)
Function
The rule command adds or modifies an advanced ACL rule.
The undo rule command deletes an advanced ACL rule.
By default, no advanced ACL rule is configured.
Format
When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
When the parameter protocol is specified as the Transmission Control Protocol (TCP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
When the parameter protocol is specified as the User Datagram Protocol (UDP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
When the parameter protocol is specified as GRE, IGMP, IP, IPINIP, OSPF, or another protocol, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
To delete an advanced ACL rule, run:
undo rule rule-id [ destination | destination-port | { { precedence | tos } * | dscp } | { fragment | first-fragment } | logging | icmp-type | source | source-port | tcp-flag | time-range | ttl-expired | vpn-instance ] *
- The S2750, S5700LI, and S5700S-LI do not support tos.
- Only the S5720EI, S6720S-EI, and S6720EI support ttl-expired.
- The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
- Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support first-fragment.
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match the rule. | - |
permit | Permits the packets that match the rule. | - |
icmp | Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified. | - |
tcp | Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified. | - |
udp | Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified. | - |
gre | Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol. | - |
igmp | Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol. | - |
ip | Indicates that the protocol type is IP. | - |
ipinip | Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol. | - |
ospf | Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol. | - |
protocol-number | Indicates the protocol type, expressed by name or number. NOTE: Parameters in an ACL vary with the protocol type. The combination of source-port { eq port \| gt port \| lt port \| range port-start port-end } and destination-port { eq port \| gt port \| lt port \| range port-start port-end } is applicable to TCP and UDP only. | The value expressed by number is an integer that ranges from 1 to 255. |
destination { destination-address destination-wildcard \| any } | Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched. | destination-address: The value is in dotted decimal notation. destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit indicates that the corresponding IP address bit must be matched and a 1 bit indicates that the corresponding bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where x can be 0 or 1. |
icmp-type { icmp-name \| icmp-type [ icmp-code ] } | Indicates the type and code of ICMP packets. This parameter is valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched. | icmp-type is an integer that ranges from 0 to 255. icmp-code is an integer that ranges from 0 to 255. Table 14-8 lists the mapping between ICMP names and ICMP types and codes. |
source { source-address source-wildcard \| any } | Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. | source-address: The value is in dotted decimal notation. source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit indicates that the corresponding IP address bit must be matched and a 1 bit indicates that the corresponding bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where x can be 0 or 1. |
tcp-flag | Indicates the flag bits in the TCP packet header. | - |
ack | Indicates that the TCP flag is ack (010000). | - |
established | Indicates that the TCP flag is ack (010000) or rst (000100). | - |
fin | Indicates that the TCP flag is fin (000001). | - |
psh | Indicates that the TCP flag is psh (001000). | - |
rst | Indicates that the TCP flag is rst (000100). | - |
syn | Indicates that the TCP flag is syn (000010). | - |
urg | Indicates that the TCP flag is urg (100000). | - |
time-range time-name | Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. | The value is a string of 1 to 32 characters. |
destination-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. | The value of port can be a name or a number. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. |
source-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. | The value of port can be a name or a number. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. |
dscp dscp | Specifies the value of a Differentiated Services Code Point (DSCP). NOTE: The dscp dscp and precedence precedence parameters cannot be set for the same rule. The dscp dscp and tos tos parameters cannot be set for the same rule. | The value is an integer or a name. |
tos tos | Indicates that packets are filtered according to the Type of Service (ToS). | The value is an integer or a name. |
precedence precedence | Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value. | The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network. |
fragment | Indicates that the rule is valid for only non-initial fragments. | - |
first-fragment | Indicates that the rule is valid for only initial fragments. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect. | - |
ttl-expired | Matches packets with the TTL value 1. If this keyword is not specified, the ACL rule matches packets with any TTL value. | - |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
ToS Name | Value | ToS Name | Value |
---|---|---|---|
normal | 0 | max-reliability | 2 |
min-monetary-cost | 1 | max-throughput | 4 |
min-delay | 8 | - | - |
icmp-name | icmp-type | icmp-code |
---|---|---|
Echo | 8 | 0 |
Echo-reply | 0 | 0 |
Parameter-problem | 12 | 0 |
Port-unreachable | 3 | 3 |
Protocol-unreachable | 3 | 2 |
Reassembly-timeout | 11 | 1 |
Source-quench | 4 | 0 |
Source-route-failed | 3 | 5 |
Timestamp-reply | 14 | 0 |
Timestamp-request | 13 | 0 |
Ttl-exceeded | 11 | 0 |
Fragmentneed-DFset | 3 | 4 |
Host-redirect | 5 | 1 |
Host-tos-redirect | 5 | 3 |
Host-unreachable | 3 | 1 |
Information-reply | 16 | 0 |
Information-request | 15 | 0 |
Net-redirect | 5 | 0 |
Net-tos-redirect | 5 | 2 |
Net-unreachable | 3 | 0 |
Usage Guidelines
Usage Scenario
An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.
The rule command defines the time range and flexibly configures the time ACL rules take effect.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.
The fragment parameter cannot be configured together with source-port, destination-port, icmp-type, or tcp-flag. Otherwise, the following error message is displayed: Error: The fragment cannot be configured together with the source-port, destination-port, icmp-type and tcp-flag.
Example
# Add a rule to ACL 3000 to filter ICMP packets.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp
# Delete a rule from ACL 3000.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] undo rule 1
# Add a rule to ACL 3000 to filter IGMP packets.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 2 permit igmp
# Add a rule to ACL 3000 to filter packets with DSCP priorities.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 3 permit ip dscp cs1
# Add a rule to ACL 3001 to filter all the IP packets sent from hosts at 10.9.0.0 to hosts at 10.38.160.0.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255
# Add a rule to ACL 3001 to filter the packets with destination UDP port number 128 sent from 10.9.8.0 to 10.38.160.0.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
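As an added illustration (not code from the Huawei command reference or from the switch software), the following Python models how the advanced ACL fields described above are matched against a packet: the discontiguous wildcard semantics of source and destination (including the 192.168.1.169 / 0.0.0.172 rendering from the table), the eq/gt/lt/range port operators, tcp-flag established meaning ack or rst, first-match evaluation of a rule list, and why dscp cannot be combined with precedence or tos (they are overlapping bit fields of the same TOS byte). The Rule and Packet classes, SAMPLE_RULES (constructed, modelled on the ACL 3001 examples above), the assumption that one tcp-flag keyword is given per rule, and the assumption that rules are evaluated in configuration order are mine, not the device's implementation. The same wildcard helper applies to the source parameter of the basic ACL view further down.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bit values of the six TCP flags, as listed in the tcp-flag rows of the table.
TCP_FLAGS = {"fin": 0b000001, "syn": 0b000010, "rst": 0b000100,
             "psh": 0b001000, "ack": 0b010000, "urg": 0b100000}
# precedence names 0..7 and ToS names/values, as listed in the reference.
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]
TOS_NAMES = {0: "normal", 1: "min-monetary-cost", 2: "max-reliability",
             4: "max-throughput", 8: "min-delay"}
# eq / gt / lt / range operators of source-port and destination-port.
PORT_OPS = {"eq": lambda p, a: p == a[0], "gt": lambda p, a: p > a[0],
            "lt": lambda p, a: p < a[0], "range": lambda p, a: a[0] <= p <= a[1]}

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics from the table: bit 0 = must match, bit 1 = ignored.
    Bits may be discontiguous, so this is not a prefix-length comparison."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule_addr) & care)

def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Render address/wildcard the way the table does, e.g. 192.168.1.x0x0xx01."""
    octets = []
    for a, w in zip(map(int, rule_addr.split(".")), map(int, wildcard.split("."))):
        octets.append(str(a) if w == 0 else "".join(
            "x" if w >> i & 1 else str(a >> i & 1) for i in range(7, -1, -1)))
    return ".".join(octets)

def port_match(op: Tuple, port: int) -> bool:
    return PORT_OPS[op[0]](port, op[1:])

def tos_byte_fields(tos_byte: int) -> Tuple[str, int, str]:
    """Split an IPv4 TOS byte into (precedence name, dscp, ToS name). precedence
    (bits 7-5) and dscp (bits 7-2) overlap, which is why the table forbids dscp
    together with precedence or tos in the same rule."""
    precedence, dscp, tos = tos_byte >> 5, tos_byte >> 2, (tos_byte >> 1) & 0xF
    return PRECEDENCE_NAMES[precedence], dscp, TOS_NAMES.get(tos, str(tos))

@dataclass
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    protocol: Optional[int]                  # None models the ip keyword (any protocol)
    src: Optional[Tuple[str, str]] = None    # (source-address, source-wildcard)
    dst: Optional[Tuple[str, str]] = None    # (destination-address, destination-wildcard)
    src_port: Optional[Tuple] = None         # ("eq", 23), ("range", 1, 1023), ...
    dst_port: Optional[Tuple] = None
    tcp_flag: Optional[str] = None           # a single tcp-flag keyword (assumption)

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0                       # 6-bit field, see TCP_FLAGS

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.src and not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
        return False
    # Port qualifiers apply to TCP (6) and UDP (17) only, per the table.
    for spec, port in ((rule.src_port, pkt.src_port), (rule.dst_port, pkt.dst_port)):
        if spec and (pkt.protocol not in (6, 17) or not port_match(spec, port)):
            return False
    if rule.tcp_flag:
        # established is ack (010000) or rst (000100), per the table.
        mask = (TCP_FLAGS["ack"] | TCP_FLAGS["rst"] if rule.tcp_flag == "established"
                else TCP_FLAGS[rule.tcp_flag])
        if pkt.protocol != 6 or not pkt.tcp_flags & mask:
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Tuple[int, str]]:
    """First match wins in configuration order (assumption: match-order config)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.rule_id, rule.action
    return None

# Constructed sample ACL modelled on the ACL 3001 examples above; not a real config.
SAMPLE_RULES = [
    Rule(5, "deny", 6, dst=("10.38.160.0", "0.0.0.255"), dst_port=("eq", 23)),
    Rule(10, "permit", 6, tcp_flag="established"),
    Rule(15, "permit", 17, src=("10.9.8.0", "0.0.0.255"),
         dst=("10.38.160.0", "0.0.0.255"), dst_port=("eq", 128)),
    Rule(20, "permit", None, src=("10.9.0.0", "0.0.255.255"),
         dst=("10.38.160.0", "0.0.0.255")),
]
```

With SAMPLE_RULES, a TCP SYN from 10.9.8.5 to 10.38.160.7 port 23 hits rule 5 (deny), the ACK-bearing reply direction hits rule 10 through established, and a UDP datagram to port 129 falls past rule 15 to the broader ip rule 20; a packet from 10.10.1.1 matches nothing, so evaluate returns None and the caller decides what a non-match means. wildcard_match treats 0.0.0.172 as a bit mask rather than a prefix length, which is the behaviour the table describes and the reason a mistyped wildcard can silently widen a rule.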
rule (advanced ACL6 view)
Function
The rule command adds or modifies an advanced ACL6 rule.
The undo rule command deletes an advanced ACL6 rule.
By default, no advanced ACL6 rule is created.
Format
When protocol is set to TCP, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
When protocol is set to UDP, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
When protocol is set to ICMPv6, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
When protocol is set to other protocols, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
To delete an advanced ACL6 rule, run:
undo rule rule-id [ destination | destination-port | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type | logging | { { precedence | tos } * | dscp } | routing | source | source-port | tcp-flag | time-range | vpn-instance ] *
- The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
- Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support destination, routing [ routing-type routing-type ], and first-fragment.
- Only the S5730SI, S6720SI, S5720EI, S5720HI, S6720EI, and S6720S-EI support dscp, precedence, and tos.
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of a rule. | The value is an integer that ranges from 0 to 2047. |
deny | Indicates to drop packets conforming to certain conditions. | - |
permit | Indicates to forward packets conforming to certain conditions. | - |
tcp | Specifies that the protocol type is TCP. | - |
udp | Specifies that the protocol type is UDP. | - |
icmpv6 | Specifies that the protocol type is ICMPv6. | - |
protocol-number | Specifies the protocol type, expressed as a name or a number. | The value ranges from 1 to 255. The protocol type expressed as a name can be GRE, ICMPv6, IPv6, OSPF, TCP, or UDP. |
destination { destination-ipv6-address prefix-length \| destination-ipv6-address/prefix-length \| any } | Indicates the destination address and prefix of a packet. | destination-ipv6-address is expressed in hexadecimal notation. The value of prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any destination address. |
destination destination-ipv6-address postfix postfix-length | Indicates the destination address and the length of the destination address postfix. | destination-ipv6-address indicates the destination address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64. |
dscp dscp | Specifies the Differentiated Services Code Point (DSCP) value. NOTE: The dscp dscp and precedence precedence parameters cannot be set for the same rule. The dscp dscp and tos tos parameters cannot be set for the same rule. | The value of dscp can be an integer or a name. When the value is an integer, it ranges from 0 to 63. When the value is a name, it can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef. |
routing [ routing-type routing-type ] | Matches IPv6 packets that carry a routing header. The routing-type parameter specifies the routing-type field in that header. | The value of routing-type is an integer that ranges from 0 to 255. |
fragment | Indicates that the rule is valid for only non-first fragmented packets. | - |
first-fragment | Indicates that the rule is valid for only initial fragmented packets. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect. | - |
precedence precedence | Indicates that the packets are filtered according to the precedence field. | precedence can be expressed as a name or a number. The value ranges from 0 to 7. |
source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length \| any } | Indicates the source address and prefix of a packet. | source-ipv6-address indicates the source address and is expressed in hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any source address. |
source source-ipv6-address postfix postfix-length | Indicates the source address and the length of the source address postfix. | source-ipv6-address indicates the source address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64. |
destination-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. | The value of port can be a name or a number. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. |
source-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. | The value of port can be a name or a number. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. |
icmp6-type { icmp6-type-name \| icmp6-type [ icmp6-code ] } | Indicates the type and code of ICMPv6 packets. This parameter is valid only when the protocol of packets is ICMPv6. If this parameter is not specified, all ICMPv6 packets are matched. | icmp6-type: indicates the type of ICMPv6 messages. The value ranges from 0 to 255. icmp6-code: indicates the code of ICMPv6 messages. The value ranges from 0 to 255. Table 14-10 lists the mapping between icmp6-type-name values and ICMPv6 types and codes. |
tcp-flag | Indicates the flag bits in the TCP packet header. | - |
ack | Specifies that the TCP flag is ack (010000). | - |
established | Specifies that the TCP flag is ack (010000) or rst (000100). | - |
fin | Specifies that the TCP flag is fin (000001). | - |
psh | Specifies that the TCP flag is psh (001000). | - |
rst | Specifies that the TCP flag is rst (000100). | - |
syn | Specifies that the TCP flag is syn (000010). | - |
urg | Specifies that the TCP flag is urg (100000). | - |
time-range time-name | Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect. | The value of time-name is a string of 1 to 32 characters. |
tos tos | Indicates that packets are filtered according to the Type of Service (ToS). | The value is an integer or a name. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
ToS Name | Value | ToS Name | Value |
---|---|---|---|
normal | 0 | max-reliability | 2 |
min-monetary-cost | 1 | max-throughput | 4 |
min-delay | 8 | - | - |
icmp6-type-name | icmp-type | icmp-code |
---|---|---|
Redirect | 137 | 0 |
Echo | 128 | 0 |
Echo-reply | 129 | 0 |
Err-Header-field | 4 | 0 |
Frag-time-exceeded | 3 | 1 |
Hop-limit-exceeded | 3 | 0 |
Host-admin-prohib | 1 | 1 |
Host-unreachable | 1 | 3 |
Neighbor-advertisement | 136 | 0 |
Neighbor-solicitation | 135 | 0 |
Network-unreachable | 1 | 0 |
Packet-too-big | 2 | 0 |
Port-unreachable | 1 | 4 |
Router-advertisement | 134 | 0 |
Router-solicitation | 133 | 0 |
Unknown-ipv6-opt | 4 | 2 |
Unknown-next-hdr | 4 | 1 |
Usage Guidelines
Usage Scenario
Advanced ACL6s classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.
The rule command defines the time range and flexibly configures the time ACL6 rules take effect.
Prerequisites
An ACL6 has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.
When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.
The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
The parameter fragment cannot be set together with source-port, destination-port, icmp6-type, and tcp-flag.
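As an added example (not code from the Huawei command reference or from the switch), the following Python shows the three IPv6 address forms accepted by source and destination above (address prefix-length, address/prefix-length, address postfix postfix-length, plus any), resolution of an icmp6-type-name through the table, and a pre-check that rejects the combinations the precautions forbid (fragment with destination-port, icmp6-type or tcp-flag; dscp with precedence or tos; rule-id outside 0 to 2047; prefix-length or postfix-length out of range). The Rule6 class, the reduced ICMP6_NAMES dictionary (a subset of the table), and the modelling of postfix postfix-length as a comparison of the low postfix-length bits are my assumptions, not the device's implementation. The same address helpers cover the source forms of the basic ACL6 view further down.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A few icmp6-type-name entries taken from the table above, as (type, code).
ICMP6_NAMES = {"echo": (128, 0), "echo-reply": (129, 0), "packet-too-big": (2, 0),
               "neighbor-solicitation": (135, 0), "neighbor-advertisement": (136, 0),
               "router-advertisement": (134, 0), "port-unreachable": (1, 4)}

def _v6(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr))

def prefix_match(addr: str, rule_addr: str, prefix_length: int) -> bool:
    """address prefix-length or address/prefix-length: the high bits must agree."""
    if not 1 <= prefix_length <= 128:
        raise ValueError("prefix-length must be 1..128")
    shift = 128 - prefix_length
    return _v6(addr) >> shift == _v6(rule_addr) >> shift

def postfix_match(addr: str, rule_addr: str, postfix_length: int) -> bool:
    """address postfix postfix-length: assumption, the low postfix-length bits must agree."""
    if not 1 <= postfix_length <= 64:
        raise ValueError("postfix-length must be 1..64")
    mask = (1 << postfix_length) - 1
    return (_v6(addr) & mask) == (_v6(rule_addr) & mask)

def address_matcher(spec: str) -> Callable[[str], bool]:
    """Turn one of the CLI address forms into a predicate on a packet address:
    'any', 'addr/len', 'addr len', or 'addr postfix len'."""
    if spec == "any":
        return lambda a: True
    parts = spec.split()
    if len(parts) == 3 and parts[1] == "postfix":
        return lambda a: postfix_match(a, parts[0], int(parts[2]))
    if len(parts) == 2:
        return lambda a: prefix_match(a, parts[0], int(parts[1]))
    if len(parts) == 1 and "/" in spec:
        rule_addr, length = spec.split("/")
        return lambda a: prefix_match(a, rule_addr, int(length))
    raise ValueError(f"unrecognised address form: {spec!r}")

@dataclass
class Rule6:
    rule_id: int
    action: str                          # "permit" or "deny"
    protocol: str                        # "tcp", "udp", "icmpv6" or "ipv6" (any)
    source: str = "any"
    destination: str = "any"
    destination_port: Optional[Tuple] = None          # e.g. ("eq", 22)
    icmp6_type: Optional[Tuple[int, Optional[int]]] = None
    tcp_flag: Optional[str] = None
    fragment: bool = False
    dscp: Optional[int] = None
    precedence: Optional[int] = None
    tos: Optional[int] = None

def icmp6_spec(name_or_type, code: Optional[int] = None) -> Tuple[int, Optional[int]]:
    """icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] }."""
    if isinstance(name_or_type, str):
        return ICMP6_NAMES[name_or_type.lower()]
    return (name_or_type, code)

def validate_rule(rule: Rule6) -> List[str]:
    """Return the constraints from the reference that the rule violates (empty = OK)."""
    problems = []
    if not 0 <= rule.rule_id <= 2047:
        problems.append("rule-id must be 0..2047")
    if rule.fragment and (rule.destination_port or rule.icmp6_type or rule.tcp_flag):
        problems.append("fragment cannot be set with destination-port, icmp6-type or tcp-flag")
    if rule.dscp is not None and (rule.precedence is not None or rule.tos is not None):
        problems.append("dscp cannot be set together with precedence or tos")
    if rule.icmp6_type and rule.protocol != "icmpv6":
        problems.append("icmp6-type is valid only when protocol is icmpv6")
    for spec in (rule.source, rule.destination):
        try:
            address_matcher(spec)("::")      # also exercises the length range checks
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def rule_matches(rule: Rule6, protocol: str, src: str, dst: str,
                 icmp6: Optional[Tuple[int, int]] = None) -> bool:
    """Match a packet against a validated rule (ports and flags omitted here)."""
    if rule.protocol != "ipv6" and rule.protocol != protocol:
        return False
    if not address_matcher(rule.source)(src) or not address_matcher(rule.destination)(dst):
        return False
    if rule.icmp6_type:
        want_type, want_code = rule.icmp6_type
        if icmp6 is None or icmp6[0] != want_type:
            return False
        if want_code is not None and icmp6[1] != want_code:   # code omitted = any code
            return False
    return True
```

A typical use is to build a rule such as Rule6(5, "permit", "icmpv6", source="fe80::/10", icmp6_type=icmp6_spec("Neighbor-solicitation")), run validate_rule on it before committing the configuration, and only then feed packets to rule_matches; keeping the validation separate from matching mirrors the device, which rejects an invalid combination at configuration time rather than at forwarding time.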
rule (basic ACL view)
Function
The rule command adds or modifies a basic ACL rule.
The undo rule command deletes a basic ACL rule.
By default, no rule is configured for a basic ACL.
Format
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *
The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match the rule. | - |
permit | Permits the packets that match a rule. | - |
source { source-address source-wildcard \| any } | Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. | source-address: The value is in dotted decimal notation. source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit indicates that the corresponding IP address bit must be matched and a 1 bit indicates that the corresponding bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where x can be 0 or 1. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
fragment | Indicates that the rule is valid for only non-first fragmented packets. If fragment is specified, the rule is valid for non-first fragmented packets and invalid for non-fragmented packets and the first fragment. NOTE: Rules that do not contain fragment are valid for all packets. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect. | - |
time-range time-name | Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. NOTE: When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range. | The value is a string of 1 to 32 characters. |
Usage Guidelines
Usage Scenario
A basic ACL matches packets based on information such as source IP addresses, fragment flags, and time ranges.
The rule command defines the time range and flexibly configures the time ACL rules take effect.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
rule (basic ACL6 view)
Function
The rule command adds or modifies basic ACL6 rules.
The undo rule command deletes a basic ACL6 rule.
By default, there is no basic ACL6 rule.
Format
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *
The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of a rule. | The value is an integer that ranges from 0 to 2047. |
deny | Indicates to drop packets conforming to certain conditions. | - |
permit | Indicates to forward packets conforming to certain conditions. | - |
fragment | Indicates that the rule is valid for only non-first fragmented packets. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect. | - |
source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length } | Indicates the source address and prefix of a packet. | source-ipv6-address indicates the source address and is expressed in hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. |
source source-ipv6-address postfix postfix-length | Indicates the source address and the length of the source address postfix. | source-ipv6-address indicates the source address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64. |
any | Indicates any source address. | - |
time-range time-name | Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect. NOTE: When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-name does not exist, the ACL6 does not take effect. | The value of time-name is a string of 1 to 32 characters. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
Usage Guidelines
Usage Scenario
A basic ACL6 matches packets based on information such as source IP addresses, fragment flags, and time ranges.
Prerequisites
An ACL6 has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.
The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
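The prefix and postfix forms of the source parameter select different bits of the 128-bit address: prefix-length compares the leading bits, postfix-length compares the trailing bits (which lets a rule follow a host by its interface identifier even when its prefix changes). The Python matcher below is an added example, not code from the command reference or from the switch; the parse_source helper and the textual forms it accepts are assumptions made here for illustration.

```python
import ipaddress

IPV6_BITS = 128


def _addr_int(addr: str) -> int:
    """Parse an IPv6 address written in hexadecimal notation into a 128-bit integer."""
    return int(ipaddress.IPv6Address(addr))


def prefix_matches(packet_src: str, rule_addr: str, prefix_length: int) -> bool:
    """source-ipv6-address prefix-length form: compare the leading prefix_length bits."""
    if not 1 <= prefix_length <= 128:
        raise ValueError("prefix-length must be in 1..128")
    mask = ((1 << prefix_length) - 1) << (IPV6_BITS - prefix_length)
    return (_addr_int(packet_src) & mask) == (_addr_int(rule_addr) & mask)


def postfix_matches(packet_src: str, rule_addr: str, postfix_length: int) -> bool:
    """source-ipv6-address postfix postfix-length form: compare the trailing postfix_length bits."""
    if not 1 <= postfix_length <= 64:
        raise ValueError("postfix-length must be in 1..64")
    mask = (1 << postfix_length) - 1
    return (_addr_int(packet_src) & mask) == (_addr_int(rule_addr) & mask)


def parse_source(spec: str):
    """Parse the source clause as typed on the CLI into (kind, address, length).

    Accepted forms (an assumption of this example): 'any', 'ADDR/LEN' and 'ADDR LEN'
    for the prefix forms, and 'ADDR postfix LEN' for the postfix form.
    """
    parts = spec.split()
    if parts == ["any"]:
        return ("any", None, None)
    if len(parts) == 1 and "/" in parts[0]:
        addr, length = parts[0].split("/", 1)
        return ("prefix", addr, int(length))
    if len(parts) == 2:
        return ("prefix", parts[0], int(parts[1]))
    if len(parts) == 3 and parts[1] == "postfix":
        return ("postfix", parts[0], int(parts[2]))
    raise ValueError(f"unrecognised source clause: {spec!r}")


def source_matches(packet_src: str, spec: str) -> bool:
    """True when the packet's source address satisfies the rule's source clause."""
    kind, addr, length = parse_source(spec)
    if kind == "any":
        return True
    if kind == "prefix":
        return prefix_matches(packet_src, addr, length)
    return postfix_matches(packet_src, addr, length)
```

The postfix case is the one to reason about before deploying: "2001:db8::1 postfix 64" matches fe80::1 as well, because only the low 64 bits are compared.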
rule (layer 2 ACL view)
Function
The rule command adds or modifies a Layer 2 ACL rule.
The undo rule command deletes a Layer 2 ACL rule.
By default, there is no rule in the related Layer 2 ACL view.
Format
rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *
undo rule { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *
undo rule rule-id
The S1720GFR, S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S2750EI, S5720SI, S5720S-SI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, and S5700S-LI do not support cvlan-id cvlan-id [ cvlan-id-mask ], cvlan-8021p 802.1p-value, and double-tag.
The S1720X, S1720X-E, S6720LI, S5730SI, S5730S-EI, S6720S-LI, S6720SI, and S6720S-SI do not support cvlan-8021p 802.1p-value.
Parameters
Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294.
deny | Denies the packets that match a rule. | -
permit | Permits the packets that match a rule. | -
ether-ii \| 802.3 \| snap | Indicates the encapsulation format of a packet that matches the rule. | -
l2-protocol type-value [ type-mask ] | Indicates the type of a Layer 2 protocol. This parameter corresponds to the Ethernet type of Ethernet_II frames and the type-code domain of Ethernet_SNAP frames. | type-value can be a hexadecimal number of 3 to 6 characters that ranges from 0x0000 to 0xFFFF or one of the following protocol names: The default value of type-mask is 0xffff.
destination-mac dest-mac-address [ dest-mac-mask ] | Specifies the destination MAC address of packets that match ACL rules. | dest-mac-address and dest-mac-mask are both in the format H-H-H. Each H stands for one to four hexadecimal digits. The default value of dest-mac-mask is ffff-ffff-ffff. You can obtain the required destination MAC address range by specifying dest-mac-address and dest-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the MAC address range 00e0-fc01-0000 to 00e0-fc01-ffff.
source-mac source-mac-address [ source-mac-mask ] | Specifies the source MAC address of packets that match ACL rules. | source-mac-address and source-mac-mask are both in the format H-H-H. Each H stands for one to four hexadecimal digits. The default value of source-mac-mask is ffff-ffff-ffff. You can obtain the required source MAC address range by specifying source-mac-address and source-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the MAC address range 00e0-fc01-0000 to 00e0-fc01-ffff.
vlan-id vlan-id [ vlan-id-mask ] | Indicates the outer VLAN ID contained in a packet that matches the rule. | The value of vlan-id is an integer ranging from 1 to 4094. The value of vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.
8021p 802.1p-value | Indicates the 802.1p priority in the outer VLAN tag of a packet that matches the rule. | The value is an integer ranging from 0 to 7.
cvlan-id cvlan-id [ cvlan-id-mask ] | Indicates the inner VLAN ID of a packet that matches the rule. | The value of cvlan-id is an integer ranging from 1 to 4094. The value of cvlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.
cvlan-8021p 802.1p-value | Indicates the 802.1p priority in the inner VLAN tag of a packet that matches the rule. | The value is an integer ranging from 0 to 7.
double-tag | Indicates that only packets with double tags match the rule. | -
time-range time-name | Defines the time range during which an ACL rule is valid. time-name specifies the name of a time range. NOTE: When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range. | The value of time-name is a string of 1 to 32 characters.
Usage Guidelines
Usage Scenario
A Layer 2 ACL matches packets based on Layer 2 information of the packets, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.
By referencing a time range, the rule command flexibly controls when ACL rules take effect.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists, the new rule overwrites the old rule no matter whether the rules conflict.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
Example
# Add a rule to ACL 4001 to match packets with the destination MAC address being 0000-0000-0001, source MAC address being 0000-0000-0002, and the value of the Layer 2 protocol type being 0x0800.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800
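The H-H-H address and mask semantics described for destination-mac and source-mac, as an added Python example (not code from the command reference or the switch): mask bits set to 1 are compared and mask bits set to 0 are ignored, so a mask with trailing zeros describes a contiguous range, and the size of the range is 2 to the power of the number of zero bits. The function names are assumptions made here.

```python
import re

# H-H-H: three groups of one to four hexadecimal digits separated by hyphens.
MAC_RE = re.compile(r"^([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})$")
MAC_BITS = 48
ALL_ONES = (1 << MAC_BITS) - 1
DEFAULT_MASK = "ffff-ffff-ffff"   # the default dest-mac-mask / source-mac-mask


def parse_hhh(text: str) -> int:
    """Parse H-H-H notation (short groups such as 0-0-1 are zero-extended) into a 48-bit int."""
    match = MAC_RE.match(text)
    if not match:
        raise ValueError(f"{text!r} is not in H-H-H format")
    return int("".join(group.zfill(4) for group in match.groups()), 16)


def format_hhh(value: int) -> str:
    """Render a 48-bit integer back into the canonical H-H-H form."""
    digits = f"{value:012x}"
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def mac_matches(packet_mac: str, rule_mac: str, rule_mask: str = DEFAULT_MASK) -> bool:
    """True when every bit selected by the mask is equal in the packet and the rule address."""
    mask = parse_hhh(rule_mask)
    return (parse_hhh(packet_mac) & mask) == (parse_hhh(rule_mac) & mask)


def mac_range(rule_mac: str, rule_mask: str = DEFAULT_MASK):
    """Lowest and highest address a rule address/mask pair can match (the page's 00e0-fc01-0000
    to 00e0-fc01-ffff example).  Only meaningful for a contiguous mask; a non-contiguous mask
    still matches correctly via mac_matches but does not describe one interval."""
    mask = parse_hhh(rule_mask)
    base = parse_hhh(rule_mac) & mask
    return format_hhh(base), format_hhh(base | (~mask & ALL_ONES))


def range_size(rule_mask: str) -> int:
    """Number of distinct addresses a mask admits: one per combination of the unmasked bits."""
    zero_bits = MAC_BITS - bin(parse_hhh(rule_mask)).count("1")
    return 1 << zero_bits
```

A mask that is not a prefix of ones, for example 0200-0000-0000 with rule address 0200-0000-0000, selects a single bit (the locally administered bit of the OUI) rather than a range; mac_matches handles it, mac_range does not describe it as one interval.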
rule (user-defined ACL view)
Function
The rule command adds or modifies a rule in the user-defined ACL view.
The undo rule command deletes a user-defined ACL rule.
By default, there is no rule in the user-defined ACL view.
Format
rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule rule-id
The S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5720SI, S5720S-SI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, S5700S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI do not support &<1-8> and ipv6-head.
Parameters
Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294.
deny | Denies the packets that match a rule. | -
permit | Permits the packets that match a rule. | -
l2-head \| ipv4-head \| ipv6-head \| l4-head | Indicates the position from which the offset starts. | -
rule-string | Specifies the customized rule string. | The value is a string of 3 to 10 characters in hexadecimal notation. The maximum length of the string is 4 bytes. NOTE: The rule command in the user-defined ACL view matches four bytes each time. When the matching field is shorter than four bytes, pad the field with 0.
rule-mask | Specifies the mask of the rule string. | The value is a string of 3 to 10 characters in hexadecimal notation. The maximum length of the string is 4 bytes. When a mask bit is 1, the ACL matches the corresponding bit of the rule string. When a mask bit is 0, the ACL ignores that bit.
offset | Specifies the value of the offset. | The value is an integer, in bytes. The value of the offset varies with the offset position.
time-range time-name | Defines the time range during which an ACL rule takes effect. time-name specifies the name of the time range during which an ACL rule takes effect. | The value is a string of 1 to 32 characters.
Usage Guidelines
Usage Scenario
A user-defined ACL defines rules by setting the offset position and value of the packet. The user-defined ACL is applicable to matching rules of a traffic classifier.
By referencing a time range, the rule command flexibly controls when ACL rules take effect.
The user-defined ACL is applicable to only the incoming traffic.
Prerequisites
An ACL must be created before the rule is configured.
Precautions
- If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
- To change the offset in a user-defined ACL rule, delete and reconfigure the ACL rule.
- The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
When specifying an ACL rule to match offset bytes in the Layer 2 header on the S5730SI, S5730S-EI, S6720-56C-PWH-SI-AC, or S6720-56C-PWH-SI, add a tag first if the ACL rule will be applied on a GE electrical interface through which packets having no tag pass.
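How a user-defined rule is evaluated against a frame: the offset is counted from the chosen header anchor, a 4-byte window is read at that position, and only the bits set in rule-mask are compared with rule-string. The Python below is an added example, not code from the command reference or the switch. The frame is constructed here; the assumption that a rule string shorter than four bytes is padded with trailing zeros is made here, as are the function names. The example also shows why the precaution about untagged GE interfaces matters: a VLAN tag shifts every header after the Layer 2 header by four bytes, so an l2-head rule written for tagged frames misses untagged ones, while rules anchored at ipv4-head or l4-head keep matching.

```python
import struct


def build_sample_frame(vlan_id=None) -> bytes:
    """Constructed sample: Ethernet II frame carrying an IPv4/TCP SYN to port 80.
    With vlan_id set, one 802.1Q tag is inserted after the MAC addresses."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002")
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    eth += struct.pack("!H", 0x0800)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ipv4 + tcp


def header_offsets(frame: bytes) -> dict:
    """Locate the anchors named by the command (l2-head, ipv4-head, ipv6-head, l4-head).
    Handles untagged and 802.1Q/QinQ-tagged Ethernet II; for IPv6 it assumes no
    extension headers (a simplification of this example)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    l2_len = 14
    while ethertype in (0x8100, 0x88A8):           # skip VLAN tags
        ethertype = struct.unpack_from("!H", frame, l2_len + 2)[0]
        l2_len += 4
    anchors = {"l2-head": 0}
    if ethertype == 0x0800:
        anchors["ipv4-head"] = l2_len
        anchors["l4-head"] = l2_len + (frame[l2_len] & 0x0F) * 4   # IHL in 32-bit words
    elif ethertype == 0x86DD:
        anchors["ipv6-head"] = l2_len
        anchors["l4-head"] = l2_len + 40
    return anchors


def parse_hex_word(text: str) -> bytes:
    """Turn a rule-string or rule-mask (hexadecimal, '0x' prefix optional) into the
    4-byte word the rule compares.  Assumption: a shorter value is padded with
    trailing zero nibbles, so '0x06' with mask '0xff' compares only the first byte."""
    digits = text[2:] if text[:2].lower() == "0x" else text
    if not 1 <= len(digits) <= 8:
        raise ValueError(f"{text!r} must encode 1 to 4 bytes")
    return bytes.fromhex(digits.ljust(8, "0"))


def field_matches(frame: bytes, anchor: str, rule_string: str, rule_mask: str, offset: int) -> bool:
    """Compare the 4-byte window at anchor+offset under the mask."""
    anchors = header_offsets(frame)
    if anchor not in anchors:
        return False                       # the frame has no such header
    start = anchors[anchor] + offset
    window = frame[start:start + 4]
    if len(window) < 4:
        return False                       # the window would run past the frame end
    value, mask = parse_hex_word(rule_string), parse_hex_word(rule_mask)
    return all((w & m) == (v & m) for w, v, m in zip(window, value, mask))


def rule_matches(frame: bytes, anchor: str, triples) -> bool:
    """One rule: a single anchor and 1 to 8 (rule-string, rule-mask, offset) triples,
    the &<1-8> form.  Every triple must match for the rule to match."""
    if not 1 <= len(triples) <= 8:
        raise ValueError("a rule carries 1 to 8 match triples")
    return all(field_matches(frame, anchor, rs, rm, off) for rs, rm, off in triples)
```

Offsets 9 (protocol) in the IPv4 header and 2 (destination port) and 13 (flags) in the TCP header are the standard field positions; the frame here is untagged, so ipv4-head sits at byte 14 and l4-head at byte 34.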
rule (user ACL view)
Function
The rule command configures a user ACL rule.
The undo rule command deletes a user ACL rule.
By default, no user ACL rule is configured.
Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support this command.
Format
When the protocol parameter is ICMP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | icmp-type { icmp-name | icmp-type [ icmp-code ] } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | icmp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | icmp-type { icmp-name | icmp-type [ icmp-code ] } | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol parameter is TCP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol parameter is UDP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol parameter is GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *
To delete an ACL rule, run:
undo rule rule-id
The S5720EI, S6720S-EI, and S6720EI do not support destination { fqdn fqdn-name }, ucl-group { destination-ucl-group-index | name destination-ucl-group-name }, and vpn-instance vpn-instance-name.
Only the S5720HI supports the source and destination parameters in [ source ] ucl-group and [ destination ] ucl-group.
Parameters
Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294.
deny | Denies the packets that match the rule. | -
permit | Permits the packets that match the rule. | -
icmp | Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified. | -
tcp | Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified. | -
udp | Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified. | -
gre | Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol. | -
igmp | Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol. | -
ip | Indicates that the protocol type is IP. | -
ipinip | Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol. | -
ospf | Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol. | -
protocol-number | Indicates the protocol type expressed by number. | The value is an integer that ranges from 1 to 255.
source { { source-address source-wildcard \| any } \| { [ source ] ucl-group { source-ucl-group-index \| name source-ucl-group-name } } } * | Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. |
destination { { { destination-address destination-wildcard \| any } \| { [ destination ] ucl-group { destination-ucl-group-index \| name destination-ucl-group-name } } } * \| fqdn fqdn-name } | Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched. |
icmp-type { icmp-name \| icmp-type [ icmp-code ] } | Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched. | icmp-type is an integer that ranges from 0 to 255. icmp-code is an integer that ranges from 0 to 255. NOTE: Table 14-11 lists the mapping between ICMP names and ICMP types and codes.
source-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows: | The value of port can be a name or a number. The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.
destination-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows: | The value of port can be a name or a number. The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.
tcp-flag | Indicates the SYN Flag in the TCP packet header. | -
ack | Indicates that the SYN Flag type in the TCP packet header is ack (010000). | -
established | Indicates that the SYN Flag type in the TCP packet header is ack (010000) or rst (000100). | -
fin | Indicates that the SYN Flag type in the TCP packet header is fin (000001). | -
psh | Indicates that the SYN Flag type in the TCP packet header is psh (001000). | -
rst | Indicates that the SYN Flag type in the TCP packet header is rst (000100). | -
syn | Indicates that the SYN Flag type in the TCP packet header is syn (000010). | -
urg | Indicates that the SYN Flag type in the TCP packet header is urg (100000). | -
time-range time-name | Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. NOTE: When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range. | The value is a string of 1 to 32 characters.
vpn-instance vpn-instance-name | Specifies the name of a VPN instance on the inbound interface. | The value must be an existing VPN instance name.
Table 14-11 Mapping between ICMP names and ICMP types and codes
icmp-name | icmp-type | icmp-code
---|---|---
Echo | 8 | 0
Echo-reply | 0 | 0
Fragmentneed-DFset | 3 | 4
Host-redirect | 5 | 1
Host-tos-redirect | 5 | 3
Host-unreachable | 3 | 1
Information-reply | 16 | 0
Information-request | 15 | 0
Net-redirect | 5 | 0
Net-tos-redirect | 5 | 2
Net-unreachable | 3 | 0
Parameter-problem | 12 | 0
Port-unreachable | 3 | 3
Protocol-unreachable | 3 | 2
Reassembly-timeout | 11 | 1
Source-quench | 4 | 0
Source-route-failed | 3 | 5
Timestamp-reply | 14 | 0
Timestamp-request | 13 | 0
Ttl-exceeded | 11 | 0
Usage Guidelines
Usage Scenario
A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.
Currently, the user ACL can only be applied to the UCL groups of the NAC feature. To control the network access rights of users based on user groups, you can perform the following operations: configure a UCL group, associate user ACL rules with the UCL group so that the ACL rules apply to all users in the user group, configure packet filtering based on user ACL to make the ACL take effect, and then apply the UCL group to the AAA service scheme.
Prerequisites
If the ucl-group name source-ucl-group-name or ucl-group name destination-ucl-group-name parameter is configured for a rule, the source and destination UCL groups must have been created by the ucl-group command.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.
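The tcp-flag keywords map onto the six flag bits listed in the parameter table (urg 100000 down to fin 000001), and established is the one composite keyword: it matches when ACK or RST is set. The Python below is an added example, not code from the command reference or the switch. It assumes that each listed keyword requires its bit to be set and that several keywords on one rule must all hold; the two-rule set is constructed here to show the usual stateless pattern of permitting only return traffic of sessions opened from the inside, with rules evaluated in ID order as in config match order.

```python
# Bit positions of the six TCP flags in the low six bits of the flags byte,
# as listed in the tcp-flag parameter table (urg 100000 ... fin 000001).
TCP_FLAG_BITS = {"urg": 0x20, "ack": 0x10, "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}


def flag_names(flags_byte: int) -> set:
    """Decode the names of the flags set in a TCP flags byte (low six bits only)."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def tcp_flag_matches(flags_byte: int, rule_flags) -> bool:
    """Evaluate the tcp-flag clause of one rule against a packet's flags byte.

    Assumed semantics: 'established' matches when ACK or RST is set (as the parameter
    table describes); every other keyword requires its own bit to be set; when several
    keywords are given, all of them must hold.  An empty clause matches every packet.
    """
    for keyword in rule_flags:
        if keyword == "established":
            if not flags_byte & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]):
                return False
        elif keyword in TCP_FLAG_BITS:
            if not flags_byte & TCP_FLAG_BITS[keyword]:
                return False
        else:
            raise ValueError(f"unknown tcp-flag keyword {keyword!r}")
    return True


def first_match(rules, flags_byte: int):
    """Walk the rules in ID order and return (rule_id, action) of the first match,
    or (None, None) when no rule matches (what happens then depends on where the ACL
    is applied, which this example does not model)."""
    for rule_id, action, rule_flags in sorted(rules):
        if tcp_flag_matches(flags_byte, rule_flags):
            return rule_id, action
    return None, None


# Constructed rule set: rule 5 permits packets that belong to an already opened
# session (ACK or RST set); rule 10, with no tcp-flag clause, denies every other
# TCP packet, including a bare SYN that would open a new session inbound.
INBOUND_TCP_RULES = [
    (5, "permit", ["established"]),
    (10, "deny", []),
]
```

The established keyword is a flags check, not connection tracking: a crafted packet with ACK set also matches rule 5, which is the known limit of this stateless pattern and the reason to pair it with port and address conditions.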
rule description
Function
The rule description command configures the description of an ACL rule.
The undo rule description command deletes the description of an ACL rule.
By default, no description is configured for an ACL rule.
Parameters
Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. |
description description | Specifies the description of an ACL rule. You can configure the description to record an ACL rule in detail. | The value is a character string of at most 127 characters.
Usage Guidelines
Application Scenarios
The rule-id parameter identifies a rule but cannot describe its meaning and usage. A character-string description solves this problem.
Prerequisites
The ACL rule has been created. If the ACL rule does not exist, the system displays an error message when you run this command.
Precautions
If the rule description command is run repeatedly, the latest configuration takes effect.
After you run the undo rule rule-id command, the rule and rule description are deleted.
Example
# Configure the description for rule 5 in acl 2001, which permits the packets from 192.168.32.1.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 192.168.32.1 0
[HUAWEI-acl-basic-2001] rule 5 description permit 192.168.32.1
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.32.1 0
 rule 5 description permit 192.168.32.1
snmp-agent trap enable feature-name acle
Function
The snmp-agent trap enable feature-name acle command enables the trap function for the ACL module.
The undo snmp-agent trap enable feature-name acle command disables the trap function for the ACL module.
By default, the trap function is enabled for the ACL module.
Format
snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]
undo snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]
Parameters
Parameter | Description | Value
---|---|---
trap-name | Enables or disables the trap function for the specified event. | -
hwaclresthresholdexceedcleartrap | Enables the device to send a Huawei proprietary trap when the ACL resource usage on the device falls below the lower alarm threshold (percentage). | -
hwaclresthresholdexceedtrap | Enables the device to send a Huawei proprietary trap when the ACL resource usage on the device exceeds the upper alarm threshold (percentage). | -
hwaclrestotalcountexceedcleartrap | Enables the device to send a Huawei proprietary trap when the ACL resource usage on the device reaches 100%, then falls below 100% and stays below 100% for a period of time. | -
hwaclrestotalcountexceedtrap | Enables the device to send a Huawei proprietary trap when the ACL resource usage on the device reaches 100%. | -
Usage Guidelines
When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
step
Function
The step command sets the step between ACL rule IDs.
The undo step command restores the default step between ACL rule IDs.
By default, the step between ACL rule IDs is 5.
Usage Guidelines
Usage Scenario
The step is the difference between rule IDs when the system automatically assigns rule IDs. For example, if the ACL step value is set to 5, rules are numbered 5, 10, 15, and so on.
To add a rule between existing rules, you need to reset the step. For example, an ACL in config mode contains three rules with IDs being 5, 10, and 15. To insert a new rule after rule 5 (the first rule), run the rule 7 xxxx command to insert rule 7.
If the step value is changed, ACL rule IDs are arranged automatically. For example, if the original rule IDs are 5, 10, and 15, the rule IDs become 2, 4, and 6 after you change the step value to 2.
The undo step command can be used to realign ACL rule IDs immediately based on the default step. For example, ACL rule group 3001 contains four rules with IDs being 1, 3, 5, and 7, and the step is 2. After the undo step command is executed, the rule IDs become 5, 10, 15, and 20 and the step value is restored to 5.
Prerequisites
An ACL has been created by running the acl command.
Precautions
ACL6 does not support the step command.
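The ID arithmetic described above, as an added Python example (not code from the command reference or the switch): automatic IDs are multiples of the step, an explicit rule-id inserts between existing rules, and changing the step renumbers every rule in order. The class name is an assumption made here, as is the rule that the next automatic ID is the first multiple of the step above the largest existing ID.

```python
class AclRuleIds:
    """Rule ID bookkeeping for one ACL whose rules are evaluated in ID order."""

    DEFAULT_STEP = 5

    def __init__(self, step: int = DEFAULT_STEP):
        self.step = step
        self.rules = {}          # rule_id -> rule text, kept sorted by ID

    def _next_auto_id(self) -> int:
        # Assumption of this example: the next automatic ID is the smallest multiple
        # of the step greater than the largest existing ID (5, 10, 15, ... on an empty ACL).
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def add(self, text: str, rule_id: int = None) -> int:
        """rule [ rule-id ] ...: an explicit ID inserts (or replaces an existing rule
        with that ID); without one the device assigns the next automatic ID."""
        if rule_id is None:
            rule_id = self._next_auto_id()
        self.rules[rule_id] = text
        self.rules = dict(sorted(self.rules.items()))
        return rule_id

    def set_step(self, step: int):
        """step: renumber every rule as step, 2*step, ... keeping the relative order,
        which is why a rule inserted as rule 7 no longer carries ID 7 afterwards."""
        if step < 1:
            raise ValueError("step must be positive")
        self.step = step
        self.rules = {step * (i + 1): text for i, text in enumerate(self.rules.values())}

    def undo_step(self):
        """undo step: realign the IDs immediately on the default step of 5."""
        self.set_step(self.DEFAULT_STEP)

    def ids(self) -> list:
        return list(self.rules)
```

Because set_step renumbers, any undo rule rule-id or rule description rule-id typed from an older display acl listing refers to a different rule after the step changes; read the IDs again before deleting by number.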
time-range
Function
The time-range command sets a time range.
The undo time-range command deletes a time range.
By default, no time range is set.
Format
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }
undo time-range time-name [ start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] ]
Parameters
Parameter | Description | Value
---|---|---
time-name | Specifies the name of a time range. | The value is a string of 1 to 32 case-sensitive characters without spaces and must begin with a letter. To avoid confusion, do not use "all" as the name of a time range.
start-time | Specifies the start time of a time range. | The format is hh:mm.
end-time | Specifies the end time of a time range. | The format is hh:mm.
days | Specifies the days on which the time range takes effect. | The value can be one of the following:
from time1 date1 | Specifies the time at which the time range starts to take effect. | time1 is in the format hh:mm.
to time2 date2 | Specifies the end of a time range. | The formats of time2 and date2 are the same as those of the start time. The end time must be later than the start time. If the end time is not set, the device takes the maximum value allowed by the system.
Usage Guidelines
Usage Scenario
If some services or functions need to be started at intervals or periodically, you can run the time-range command to set the time range. When configuring ACL or ACL6 rules, you can reference the names of time ranges.
- Relative time range (periodic time range): It is specified by start-time and end-time. The weekday when the time range takes effect is determined by days.
- Absolute time range: It is specified by from and to. The absolute time range can be used to limit the periodic time range.
- Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
Precautions
There may be a time difference of no more than 10 seconds between the configured time range and the time range that actually takes effect.
Example
# Set a time range named test that takes effect from 2010-01-01 00:00 to 2010-12-31 23:59.
<HUAWEI> system-view
[HUAWEI] time-range test from 0:0 2010/1/1 to 23:59 2010/12/31
# Set a time range named test that takes effect at 8:00-18:00 from Monday to Friday.
<HUAWEI> system-view
[HUAWEI] time-range test 8:00 to 18:00 working-day
# Set a time range named test that takes effect from 14:00 to 18:00 on every Saturday and Sunday.
<HUAWEI> system-view
[HUAWEI] time-range test 14:00 to 18:00 off-day
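An evaluator for the two kinds of entries, as an added Python example (not code from the command reference or the switch), built around the three time ranges in the examples above. It assumes that when a time range has both absolute and periodic entries it is active only inside an absolute entry and inside a periodic entry, that end times are inclusive to the minute, and that the day keywords beyond working-day and off-day (daily and the weekday names) exist; the class and function names are assumptions made here, and the 10-second tolerance noted under Precautions is not modelled.

```python
from datetime import datetime, time

# Day keywords: working-day and off-day appear in the examples above; daily and the
# weekday names are assumptions of this example.  Python weekday(): Monday=0 ... Sunday=6.
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7)),
}


def parse_hhmm(text: str) -> time:
    """hh:mm as used by start-time, end-time and time1/time2 (8:00 and 08:00 both accepted)."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_abs(time_text: str, date_text: str) -> datetime:
    """'hh:mm' plus 'yyyy/mm/dd' exactly as written in the examples (0:0 2010/1/1)."""
    return datetime.strptime(f"{time_text} {date_text}", "%H:%M %Y/%m/%d")


class TimeRange:
    """One named time range made of periodic (relative) and absolute entries."""

    def __init__(self, name: str):
        self.name = name
        self.periodic = []   # (start: time, end: time, weekdays: set of int)
        self.absolute = []   # (start: datetime, end: datetime)

    def add_periodic(self, start: str, end: str, *days: str):
        """time-range NAME start-time to end-time days &<1-7>"""
        weekdays = set()
        for day in days:
            weekdays |= DAY_KEYWORDS[day]
        self.periodic.append((parse_hhmm(start), parse_hhmm(end), weekdays))
        return self

    def add_absolute(self, time1: str, date1: str, time2: str = None, date2: str = None):
        """time-range NAME from time1 date1 [ to time2 date2 ]"""
        start = parse_abs(time1, date1)
        # No end given: the page says the device takes the maximum value the system
        # allows; datetime.max stands in for that here.
        end = parse_abs(time2, date2) if time2 else datetime.max
        if end <= start:
            raise ValueError("end time must be later than start time")
        self.absolute.append((start, end))
        return self

    def is_active(self, at: datetime) -> bool:
        """Assumed semantics: an entry kind that is not configured places no restriction;
        otherwise `at` must fall inside one absolute entry and inside one periodic entry."""
        abs_ok = not self.absolute or any(s <= at <= e for s, e in self.absolute)
        per_ok = not self.periodic or any(
            at.weekday() in days and s <= at.time() <= e
            for s, e, days in self.periodic
        )
        return abs_ok and per_ok

    def active_at(self, iso: str) -> bool:
        """Convenience wrapper taking 'YYYY-MM-DD HH:MM'."""
        return self.is_active(datetime.fromisoformat(iso))
```

A rule bound to a time range is enforced only while the range is active, so the combination used in the test (absolute 2010 window plus working-day hours) is the shape to reach for when a temporary exception must not outlive a change window.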