Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ACL Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

acl ipv6 name

Function

The acl ipv6 name command creates a named ACL6 and enters the ACL6 view.

The undo acl ipv6 name command deletes a named ACL6.

By default, no named ACL6 is created.

Format

acl ipv6 name acl6-name [ advance | basic | acl6-number ] [ match-order { auto | config } ]

undo acl ipv6 name acl6-name

Parameters

Parameter

Description

Value

acl6-name

Specifies the name of an ACL6.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

advance

Indicates an advanced ACL6.

-

basic

Indicates a basic ACL6.

-

acl6-number

Specifies the number of an ACL6.

The value is an integer that ranges from 2000 to 3999.

  • The value of a basic ACL6 ranges from 2000 to 2999.
  • The value of an advanced ACL6 ranges from 3000 to 3999.
match-order { auto | config }

Indicates the matching order of ACL6 rules.

  • auto: indicates that ACL6 rules are matched based on the depth-first principle. If ACL6 rules have the same depth-first order, they are matched in ascending order of rule IDs.

  • config: indicates that ACL6 rules are matched based on the configuration order.

The rule ID of an ACL6 rule does not indicate the rule's priority. It only identifies the rule and remains unchanged when the match order is switched between auto and config.

If the match-order parameter is not specified when you create an ACL6, the default match order config is used.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL6 is a set of rules composed of permit or deny clauses. ACL6s are mainly used in QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

Follow-up Procedure

Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.

Precautions

The Switch allocates a number to a named ACL6 that is created without a number. The number allocated depends on the following:
  • If only the type of the named ACL6 is specified, the Switch allocates the maximum number in the range of that type.
  • If neither the number nor the type of the named ACL6 is specified, the Switch treats the named ACL6 as an advanced ACL6 and allocates the maximum number in the advanced ACL6 range.

After you create a named ACL6 by using the acl ipv6 name command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 name acl6-name or undo acl ipv6 acl6-number command to delete the ACL6.

When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Therefore, before deleting an ACL6, ensure that the ACL6 is not in use.

Example

# Create basic ACL6 2001 named test2.

<HUAWEI> system-view
[HUAWEI] acl ipv6 name test2 2001

acl ipv6 (system view)

Function

The acl ipv6 command creates a numbered ACL6 and enters the ACL6 view.

The undo acl ipv6 command deletes a numbered ACL6.

By default, no numbered ACL6 is created.

Format

acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

undo acl ipv6 { all | [ number ] acl6-number }

Parameters

Parameter

Description

Value

number

Indicates the number that identifies an ACL6.

-

acl6-number

Specifies an ACL6 number.

The value is an integer that ranges from 2000 to 3999.

  • The value of a basic ACL6 ranges from 2000 to 2999.
  • The value of an advanced ACL6 ranges from 3000 to 3999.

match-order { auto | config }

Indicates the matching order of ACL6 rules.

  • auto: indicates that ACL6 rules are matched based on the depth-first principle. If ACL6 rules have the same depth-first order, they are matched in ascending order of rule IDs.

  • config: indicates that ACL6 rules are matched based on the configuration order.

The rule ID of an ACL6 rule does not indicate the rule's priority. It only identifies the rule and remains unchanged when the match order is switched between auto and config.

If the match-order parameter is not specified when you create an ACL6, the default match order config is used.

-

all

Indicates that all the configured ACL6s are deleted.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL6 is a set of rules composed of permit or deny clauses. ACL6 rules can be referenced by modules. ACL6s are applicable to QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

Follow-up Procedure

Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.

Precautions

After you create a numbered ACL6 using the acl ipv6 command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 acl6-number command to delete the ACL6.

When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Before deleting an ACL6, ensure that the ACL6 is not in use.

All ACL6s can be deleted on the device in one go, but this method is not recommended.

Example

# Create an advanced ACL6 with the number 3000.

<HUAWEI> system-view
[HUAWEI] acl ipv6 number 3000

acl name

Function

The acl name command creates a named ACL and enters the ACL view.

The undo acl command deletes a named ACL.

By default, no ACL is created.

Format

acl name acl-name [ advance | basic | link | ucl | user | acl-number ] [ match-order { auto | config } ] (Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support the ucl parameter.)

undo acl name acl-name

Parameters

Parameter

Description

Value

acl-name

Specifies the name of an ACL.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

advance

Indicates an advanced ACL.

-

basic

Indicates a basic ACL.

-

link

Indicates a Layer 2 ACL.

-

ucl

Indicates a user ACL.

-

user

Indicates a user-defined ACL.

-

acl-number

Specifies the number of an ACL.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.
NOTE:

Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL.

match-order { auto | config }

Indicates the matching order of ACL rules.
  • auto: indicates that ACL rules are matched based on the depth-first principle. If ACL rules have the same depth-first order, they are matched in ascending order of rule IDs.

  • config: indicates that ACL rules are matched based on the configuration order. The ACL rules are matched based on the configuration order only when the rule ID is not specified. If rule IDs are specified, the ACL rules are matched in ascending order of rule IDs.

If the match-order parameter is not specified when you create an ACL, the default match order config is used.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:

  • Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

  • Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.

  • Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.

Follow-up Procedure

Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.

Precautions

After you create a named ACL by using the acl name command, the ACL still exists even if you exit from the ACL view. You must run the undo acl name acl-name or undo acl acl-number command to delete the ACL.

When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.

The device automatically allocates a number to a named ACL that is created without a number. The number allocated depends on the following:

  • If only the type of the named ACL is specified, the device allocates the maximum number in the range of that type.
  • If neither the number nor the type of the named ACL is specified, the device treats the named ACL as an advanced ACL and allocates the maximum number in the advanced ACL range.

The Switch never allocates the same number to more than one named ACL.

Example

# Create basic ACL 2001 named test1.

<HUAWEI> system-view
[HUAWEI] acl name test1 2001

acl (system view)

Function

The acl command creates an ACL with the specified number and enters the ACL view.

The undo acl command deletes a specified ACL.

By default, no ACL is created.

Format

acl [ number ] acl-number [ match-order { auto | config } ]

undo acl { [ number ] acl-number | all }

Parameters

Parameter

Description

Value

number

Specifies the number that identifies an ACL.

-

acl-number

Specifies the number of an ACL.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.
NOTE:

Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL.

match-order { auto | config }

Indicates the matching order of ACL rules.
  • auto: indicates that ACL rules are matched based on the depth-first principle. If ACL rules have the same depth-first order, they are matched in ascending order of rule IDs.

  • config: indicates that ACL rules are matched based on the configuration order. The ACL rules are matched based on the configuration order only when the rule ID is not specified. If rule IDs are specified, the ACL rules are matched in ascending order of rule IDs.

If the match-order parameter is not specified when you create an ACL, the default match order config is used.

-

all

Indicates that all ACLs are deleted.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:

  • Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

  • Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.

  • Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.

Follow-up Procedure

Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.

Precautions

  • After you create an ACL using the acl command, the ACL still exists even if you exit from the ACL view. You must run the undo acl acl-number command to delete the ACL.
  • When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
  • You are advised not to delete all ACLs because this operation may cause a service interruption.

Example

# Create an ACL numbered 2000.

<HUAWEI> system-view
[HUAWEI] acl number 2000

acl threshold-alarm

Function

The acl threshold-alarm command configures the alarm threshold percentage of ACL resource usage.

The undo acl threshold-alarm command restores the default alarm threshold percentage of ACL resource usage.

By default, the lower alarm threshold percentage is 70, and the upper alarm threshold percentage is 80.

Format

acl threshold-alarm { upper-limit upper-limit | lower-limit lower-limit } *

undo acl threshold-alarm

Parameters

Parameter

Description

Value

upper-limit upper-limit

Indicates the upper alarm threshold percentage of ACL resource usage.

The value is an integer that ranges from 1 to 100.

lower-limit lower-limit

Indicates the lower alarm threshold percentage of ACL resource usage.

The value is an integer that ranges from 1 to 100.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the device runs ACL or ACL6 services for a period, the running ACL services occupy ACL resources. You can run the acl threshold-alarm command to set the alarm threshold percentage of ACL resources.

When the ACL resource usage (that is, the ratio of existing ACL entries to the maximum number of ACL entries supported by the device) is equal to or higher than the upper threshold, the device generates an alarm. When the ACL resource usage falls to or below the lower threshold, the device generates a clear alarm.

Precautions

If you run the acl threshold-alarm command multiple times, only the latest configuration takes effect.

The upper threshold must be equal to or greater than the lower threshold.

Example

# Set the lower alarm threshold percentage to 30 and the upper alarm threshold percentage to 50.

<HUAWEI> system-view
[HUAWEI] acl threshold-alarm upper-limit 50 lower-limit 30

assign resource-template acl-mode

Function

The assign resource-template acl-mode command sets the ACL resource allocation mode.

The undo assign resource-template acl-mode command restores the default ACL resource allocation mode.

By default, the ACL resource allocation mode is dual-ipv4-ipv6.

NOTE:

Only the S5720HI supports this command.

Format

assign resource-template acl-mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 } [ slot slot-id ]

undo assign resource-template acl-mode [ slot slot-id ]

Parameters

Parameter

Description

Value

dual-ipv4-ipv6

Specifies the IPv4 and IPv6 ACL resource allocation mode.

-

ipv4

Specifies the IPv4 ACL resource allocation mode.

-

l2

Specifies the Layer 2 ACL resource allocation mode.

-

l2-ipv4

Specifies the Layer 2 IPv4 ACL resource allocation mode.

-

l2-ipv6

Specifies the Layer 2 IPv6 ACL resource allocation mode.

-

slot slot-id

  • Specifies the slot ID if stacking is not configured.
  • Specifies the stack ID if stacking is configured.

If slot-id is not specified, usage of ACL resources in all the stack switches is displayed.

The value is determined based on the device configuration.

Views

System view

Default Level

3: Management level

Usage Guidelines

If the default number of ACLs for IPv4, IPv6, or Layer 2 services cannot meet service requirements, you can change the ACL resource allocation mode to increase the number of ACLs for the services. Before using this command to change the ACL resource allocation mode, consider the advantage and disadvantage of the change. For example, if the ACL resource allocation mode is changed from dual-ipv4-ipv6 to ipv4, more ACLs are supported for IPv4 services, but the number of ACLs for IPv6 and Layer 2 services reduces to 0.

Table 14-1  ACL specifications in different resource allocation modes

Resource Allocation Mode | Max. IPv4 ACLs | Max. Layer 2+IPv4 ACLs | Max. IPv6 ACLs | Max. Layer 2+IPv6 ACLs | Max. Layer 2 ACLs | Total Number of ACLs
dual-ipv4-ipv6           | 16K            | 16K                    | 8K             | 8K                     | 16K               | 16K (IPv4) + 8K (IPv6)
l2-ipv4                  | 32K            | 32K                    | 0              | 0                      | 32K               | 32K
l2-ipv6                  | 0              | 0                      | 16K            | 16K                    | 16K               | 16K
ipv4                     | 64K            | 0                      | 0              | 0                      | 0                 | 64K
l2                       | 0              | 0                      | 0              | 0                      | 64K               | 64K

Precautions

After configuring the ACL resource allocation mode, save the configuration, and restart the device for the configuration to take effect.

Example

# Change the ACL resource allocation mode to IPv4.

<HUAWEI> system-view
[HUAWEI] assign resource-template acl-mode ipv4

description

Function

The description command configures the description of an ACL.

The undo description command deletes the description of an ACL.

By default, no description is configured for an ACL.

Format

description text

undo description

Parameters

Parameter

Description

Value

text

Describes an ACL.

The value is a string of 1 to 127 case-sensitive characters with spaces supported.

Views

ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The description command configures the description of an ACL, for example, the usage or application scenario of the ACL. It is used to differentiate ACLs.

Prerequisites

The ACL to be described has been created.

Configuration Impact

The description command cannot be run in the ACL6 view.

If you run the description command multiple times in the same ACL view, only the latest configuration takes effect.

Example

# Configure the description of ACL 2100.

<HUAWEI> system-view
[HUAWEI] acl 2100
[HUAWEI-acl-basic-2100] description This acl is used in QoS policy
[HUAWEI-acl-basic-2100] display acl 2100
Basic ACL 2100, 0 rule
This acl is used in QoS policy
ACL's step is 5

display acl

Function

The display acl command displays the configuration of an ACL.

Format

display acl { acl-number | name acl-name | all }

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of a numbered advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.
NOTE:

Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL.

name acl-name

Specifies the name of an ACL.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

all

Indicates all ACLs.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display acl command displays the ACL configuration.

Example

# Display configuration about the ACL named test.

<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
 rule 5 permit ip destination 10.10.10.1 0

# Display the ACL configuration.

<HUAWEI> display acl all
 Total nonempty ACL number is 1
 
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip dscp cs1
Table 14-2  Description of the display acl command output

Item

Description

Advanced ACL test 3999, 1 rule, match-order is auto

Advanced ACL 3999 named test that matches in the automatic order and contains one rule.

Acl's step is 5

The ACL's step is 5.

To set the step between ACL rule IDs, run the step command.

rule 5 permit ip destination 10.10.10.1 0

Rule 5, which matches packets whose destination IP address is 10.10.10.1.

To modify an advanced ACL rule, run the rule (advanced ACL view) command.

Total nonempty ACL number is 1

One ACL contains rules.

Advanced ACL 3000, 1 rule

Advanced ACL 3000 contains one rule.

rule 5 permit ip dscp cs1

Rule 5, which matches packets whose DSCP value is cs1.

To modify an advanced ACL rule, run the rule (advanced ACL view) command.

display acl ipv6

Function

The display acl ipv6 command displays the configuration of a specific ACL6 or all ACL6s.

Format

display acl ipv6 { acl6-number | name acl6-name | all }

Parameters

Parameter

Description

Value

acl6-number

Specifies an ACL6 number.

The value is an integer that ranges from 2000 to 3999. The ACL6 with a number ranging from 2000 to 2999 is a basic ACL6 and the ACL6 with a number ranging from 3000 to 3999 is an advanced ACL6.

name acl6-name

Displays the ACL6 with a specified name.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

all

Displays the configurations of all ACL6s.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display acl ipv6 command displays the ACL6 configuration.

Example

# Display the configuration about the ACL6 with the number of 2000.

<HUAWEI> display acl ipv6 2000

Basic IPv6 ACL 2000, 2 rules
 rule 1 permit source 4::/64
 rule 0 deny source 3::/64

# Display the ACL6 configuration.

<HUAWEI> display acl ipv6 all
 Total nonempty acl6 number is 1
 
Basic IPv6 ACL 2000, 2 rules
 rule 1 permit source 4::/64
 rule 0 deny source 3::/64
Table 14-3  Description of the display acl ipv6 command output

Item

Description

Total nonempty acl6 number is 1

One ACL6 contains rules.

Basic IPv6 ACL 2000, 2 rules

ACL6 2000, which is a basic ACL6 and has two rules.

rule 0 deny source 3::/64

ACL6 rule 0, which denies packets with the source IPv6 address 3::/64.

To modify a basic ACL6 rule, run the rule (rule basic acl6 view) command.

rule 1 permit source 4::/64

ACL6 rule 1, which permits packets with the source IPv6 address 4::/64.

To modify a basic ACL6 rule, run the rule (rule basic acl6 view) command.

display acl resource

Function

The display acl resource command displays information about ACL resources.

Format

display acl resource [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Displays device information about ACL resources. slot-id specifies the stack ID.

The value is an integer. The value range depends on the configuration of a device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

ACL resources are related to hardware chips. The following are types of ACL resources:
  • ACL entries: Each ACL entry stores an ACL rule.
  • Meter/Car: a traffic control table used to limit the traffic rate. The meter/car must be used with ACL entries.
  • Counter: a traffic counter table used to collect traffic statistics. The counter must be used with ACL entries.

If ACL configuration fails, all the ACL resources on the device may have been used up. You can run the display acl resource command to check whether there are available ACL resources (including ACL4 and ACL6).

NOTE:

After ACL is applied to the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, S5700S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, the ACL resources are applied to both incoming and outgoing traffic. For example, if a traffic policy is applied to only the incoming traffic, the Outbound-ACL value and Inbound-ACL value in the display acl resource command output are the same.

Example

# Display information about ACL resources on the Slot 0 (S5700LI is used as an example).

<HUAWEI> display acl resource slot 0
Slot  0
GigabitEthernet0/0/1 to GigabitEthernet0/0/10
                     Vlan-ACL    Inbound-ACL    Outbound-ACL    Router-ACL
---------------------------------------------------------------------------
  Rule Used                0           71            71         10
  Rule Free             1024          421           421        522
  Rule Total            1024          492           492        532

  Meter Used               0            0             0          0
  Meter Free               0          172           128          0
  Meter Total              0          172           128          0

  Counter Used             0            0             0          0
  Counter Free             0          172           128          0
  Counter Total            0          172           128          0
---------------------------------------------------------------------------

# Display information about ACL resources on the Slot 0 (S6720LI is used as an example).

<HUAWEI> display acl resource slot 0
Slot  0
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/24
40GE0/0/1
40GE0/0/2
                     Vlan-ACL    Inbound-ACL    Outbound-ACL   Reserved-ACL
---------------------------------------------------------------------------
  Rule Used                0           30            30        124
  Rule Free              512         2018          2018        388
  Rule Total             512         2048          2048        512

  Meter Used               0            0             0          0
  Meter Free               0         1536          2048          0
  Meter Total              0         1536          2048          0

  Counter Used             0            0             0          0
  Counter Free             0         1536          2048          0
  Counter Total            0         1536          2048          0
---------------------------------------------------------------------------

# Display information about ACL resources on the Slot 0. (S5720HI is used as an example)

<HUAWEI> display acl resource slot 0
Slot  0
GigabitEthernet0/0/1 to GigabitEthernet0/0/48
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/4
                    Used          Free         Total
-----------------------------------------------------------------------------
  ACL Unallocated   -             -            20480
  ACL Allocated     147           365          511
    Vlan    ACL     1             -            -
    Sec     ACL     146           -            -

  EXT Unallocated   -             -            8192
  EXT Allocated     0             0            0

  Car               260           32508        32768
  Counter           144           65392        65536
-----------------------------------------------------------------------------

# Display information about ACL resources on the Slot 0. (S5720EI is used as an example)

<HUAWEI> display acl resource slot 0
Slot  0
GigabitEthernet0/0/1 to GigabitEthernet0/0/48
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/4
                   Used          Free         Total
----------------------------------------------------------------------------
  VACL             8             2040         2048

  IACL Unallocated -             -            3072
  IACL Allocated   -             -            1024
    Srv    ACL     10            502          512
    Sec    ACL     348           164          512

  EACL Unallocated -             -            1024
  EACL Allocated   -             -            0

  Ingress Meter    36            4060         4096
  Egress  Meter    0             1024         1024
  Ingress Counter  155           3941         4096
  Egress  Counter  0             1024         1024

  Ingress UDF      0             8            8
----------------------------------------------------------------------------
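The following Python is an added example, not Huawei code: it parses the Vlan-ACL/Inbound-ACL layout of the display acl resource output shown above, computes the per-pool rule usage ratio that acl threshold-alarm compares against its thresholds, and replays the raise/clear behaviour (alarm at or above upper-limit, clear at or below lower-limit, state unchanged in between). The sample output is constructed from the S5700LI example and all function names are assumptions.

```python
"""Parse 'display acl resource' output and apply acl threshold-alarm logic.

Added example, not Huawei code. SAMPLE_OUTPUT is a constructed copy of the
page's S5700LI example; the function names are assumptions.
"""
import re

# Constructed sample (trimmed copy of the page's S5700LI output).
SAMPLE_OUTPUT = """\
Slot  0
GigabitEthernet0/0/1 to GigabitEthernet0/0/10
                     Vlan-ACL    Inbound-ACL    Outbound-ACL    Router-ACL
---------------------------------------------------------------------------
  Rule Used                0           71            71         10
  Rule Free             1024          421           421        522
  Rule Total            1024          492           492        532

  Meter Used               0            0             0          0
  Meter Free               0          172           128          0
  Meter Total              0          172           128          0

  Counter Used             0            0             0          0
  Counter Free             0          172           128          0
  Counter Total            0          172           128          0
---------------------------------------------------------------------------
"""

# One table row: "<Rule|Meter|Counter> <Used|Free|Total> <n> <n> ..."
ROW_RE = re.compile(r"^\s*(Rule|Meter|Counter)\s+(Used|Free|Total)((?:\s+\d+)+)\s*$")


def parse_acl_resource(text):
    """Return {resource: {pool: {'Used': n, 'Free': n, 'Total': n}}}.

    Pool names come from the header line listing the *-ACL pools, so the
    S6720LI layout (Reserved-ACL instead of Router-ACL) parses the same way.
    """
    columns = None
    table = {}
    for line in text.splitlines():
        if columns is None and "-ACL" in line:
            columns = line.split()
            continue
        m = ROW_RE.match(line)
        if m is None or columns is None:
            continue
        resource, field_name = m.group(1), m.group(2)
        values = [int(v) for v in m.group(3).split()]
        if len(values) != len(columns):
            raise ValueError("column count mismatch in line: %r" % line)
        for col, val in zip(columns, values):
            table.setdefault(resource, {}).setdefault(col, {})[field_name] = val
    if columns is None:
        raise ValueError("no *-ACL header line found")
    return table


def rule_usage_percent(table):
    """Usage per pool as the page defines it: used entries divided by the
    maximum entries, in percent. Pools with Total 0 cannot be exhausted
    and are skipped."""
    usage = {}
    for col, counts in table["Rule"].items():
        if counts["Total"] > 0:
            usage[col] = 100.0 * counts["Used"] / counts["Total"]
    return usage


def next_alarm_state(usage_pct, alarm_active, upper=80, lower=70):
    """Page semantics: raise when usage >= upper, clear when usage <= lower,
    otherwise keep the current state (the band between lower and upper is
    the hysteresis). Defaults are the page's defaults (upper 80, lower 70)."""
    if not (1 <= lower <= upper <= 100):
        raise ValueError("need 1 <= lower <= upper <= 100")
    if usage_pct >= upper:
        return True
    if usage_pct <= lower:
        return False
    return alarm_active


def alarm_transitions(readings, upper=80, lower=70):
    """Replay a series of usage readings; return the ('raise'|'clear', pct)
    events the thresholds would produce."""
    events, active = [], False
    for pct in readings:
        new_state = next_alarm_state(pct, active, upper, lower)
        if new_state != active:
            events.append(("raise" if new_state else "clear", pct))
        active = new_state
    return events


if __name__ == "__main__":
    parsed = parse_acl_resource(SAMPLE_OUTPUT)
    for pool, pct in rule_usage_percent(parsed).items():
        print("%-13s %6.2f%% used, alarm=%s" % (pool, pct, next_alarm_state(pct, False)))
    # Thresholds from the page's example: upper-limit 50, lower-limit 30.
    print(alarm_transitions([20, 55, 40, 30, 90], upper=50, lower=30))
```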
Table 14-4  Description of the display acl resource command output

Item

Description

Slot

Stack ID.

GigabitEthernet 0/0/1 to GigabitEthernet 0/0/x

XGigabitEthernet 0/0/1 to XGigabitEthernet 0/0/x

Interface to which an ACL is applied.

Vlan-ACL

Inbound ACL resources delivered before Layer 2 forwarding process starts.
  • For the services related to VLAN translation, for example, VLAN mapping (configured by using the port vlan-mapping vlan map-vlan command) and VLAN stacking (configured by using the port vlan-stacking command), the device delivers Vlan-ACL resources.

  • When a traffic policy is applied to the inbound direction and bound to a traffic behavior containing a VLAN-related action (except remark 8021p), for example, if the action in a traffic behavior is to remark the VLAN tag on VLAN packets (configured by using the remark vlan-id command), the device delivers Vlan-ACL resources. This applies to the S5720HI.

Inbound-ACL

Inbound ACL resources delivered after the Layer 3 forwarding process is complete. Generally, the device delivers Inbound-ACL resources in the following situations:
  • The ACL is applied to a service irrelevant to direction, for example, a user group.

  • The traffic policy is applied to the inbound direction and contains a traffic behavior irrelevant to VLAN.

Outbound-ACL

ACL resources in outbound direction. The device delivers Outbound-ACL resources when the traffic policy applied to the outbound direction contains a traffic behavior which is not mirroring to observe-port. If the traffic behavior contained in the traffic policy is mirroring to observe-port, the device delivers Inbound-ACL resources.

Router-ACL

ACL resources used for route forwarding.

NOTE:

This field is displayed only when hardware-based Layer 3 forwarding is enabled for IPv4 packets on an S2750EI, S5700-10P-LI-AC, or S5700-10P-PWR-LI-AC.

Reserved-ACL

ACL resources reserved for CPCAR.

Rule Used

Number of used ACL rules.

Rule Free

Number of free ACL rules.

Rule Total

Total number of ACL rules.

Meter Used

Number of used rate limiting resources.

Meter Free

Number of idle rate limiting resources.

Meter Total

Total number of rate limiting resources.

Counter Used

Number of used counters.

Counter Free

Number of free counters.

Counter Total

Total number of counters, including those for collecting statistics on traffic policies, VLAN traffic, VLANIF interface traffic, and packets sent to the CPU.

Car

Traffic monitoring resources.

Counter

Traffic statistics collection resources.

Used

Number of used resources.

Free

Number of free resources.

Total

Total number of resources.

ACL Unallocated

Unallocated common ACL resources.

ACL Allocated

Number of allocated common ACL resources:
  • Vlan ACL: ACL resources used by VLAN.

  • Ingress ACL: Resources used by inbound traffic policy, ACL-based simplified traffic policy, and IPSG.

  • Egress ACL: Resources used by outbound traffic policy and ACL-based simplified traffic policy.

  • Ingress UCL: Resources used by traffic from user terminals to switch.

  • Egress UCL: Resources used by traffic from switch to user terminals.

  • Srv ACL: Resources used by inbound and outbound iPCA and voice VLAN.

  • Sec ACL: Inbound secure ACL resources.

EXT Unallocated

Unallocated extended ACL resources.

EXT Allocated

Number of allocated extended ACL resources:
  • Ingress ACL: Resources used by inbound traffic policy and ACL-based simplified traffic policy.

  • Egress ACL: Resources used by outbound traffic policy and ACL-based simplified traffic policy.

VACL

Inbound ACL resources delivered before Layer 2 forwarding process starts.

IACL Unallocated

Unallocated inbound ACL resources.

IACL Allocated

Allocated inbound ACL resources, including:
  • L2 ACL: ACL resources of L2 type.

  • IPv4 ACL: ACL resources of IPv4 type.

  • IPv6 ACL: ACL resources of IPv6 type.

  • L2IPv4 ACL: ACL resources of L2 IPv4 type.

  • L2IPv6 ACL: ACL resources of L2 IPv6 type.

  • UDF ACL: user-defined ACL resources.

  • Srv ACL: ACL resources of service type.

  • Sec ACL: ACL resources of security type.

  • Ext ACL: extended ACL resources.

EACL Unallocated

Unallocated outbound ACL resources.

EACL Allocated

Allocated outbound ACL resources, including:
  • L2 ACL: ACL resources of L2 type.

  • IPv4 ACL: ACL resources of IPv4 type.

  • IPv6 ACL: ACL resources of IPv6 type.

  • L2IPv4 ACL: ACL resources of L2 IPv4 type.

  • L2IPv6 ACL: ACL resources of L2 IPv6 type.

  • UDF ACL: user-defined ACL resources.

  • Srv ACL: ACL resources of service type.

  • Ext ACL: extended ACL resources.

Ingress Meter

Inbound rate limiting resources.

Egress Meter

Outbound rate limiting resources.

Ingress Counter

Inbound statistics collection resources.

Egress Counter

Outbound statistics collection resources.

Ingress UDF

Inbound user-defined ACL resources.


display snmp-agent trap feature-name acle all

Function

The display snmp-agent trap feature-name acle all command displays the status of all traps on the ACL module.

Format

display snmp-agent trap feature-name acle all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name acle all command to check the status of all traps of ACL. You can use the snmp-agent trap enable feature-name acle command to enable the trap function of ACL.

Prerequisites

SNMP has been enabled. See snmp-agent.

Example

# Display all the traps of the ACL module.

<HUAWEI>display snmp-agent trap feature-name acle all
------------------------------------------------------------------------------
Feature name: ACLE
Trap number : 4
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwAclResTotalCountExceedTrap    on                      on
hwAclResTotalCountExceedClearTrap
                                on                      on
hwAclResThresholdExceedTrap     on                      on
hwAclResThresholdExceedClearTrap
                                on                      on
Table 14-5  Description of the display snmp-agent trap feature-name acle all command output

Item

Description

Feature name

Name of the module that the trap belongs to.

Trap number

Number of traps.

Trap name

Trap name. Traps of the ACL module include:
  • hwAclResTotalCountExceedTrap: Huawei proprietary trap sent when the ACL resource usage on the device reaches 100%.

  • hwAclResTotalCountExceedClearTrap: Huawei proprietary trap sent when the ACL resource usage on the device, having reached 100%, falls below 100% and stays below 100% for a period of time.

  • hwAclResThresholdExceedTrap: Huawei proprietary trap sent when the ACL resource usage on the device exceeds the upper alarm threshold (a percentage).

  • hwAclResThresholdExceedClearTrap: Huawei proprietary trap sent when the ACL resource usage on the device falls below the lower alarm threshold (a percentage).

Default switch status

Default status of the trap function:
  • on: indicates that the trap function is enabled by default.

  • off: indicates that the trap function is disabled by default.

Current switch status

Status of the trap function:

  • on: indicates that the trap function is enabled.

  • off: indicates that the trap function is disabled.
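
The following Python script is an added example, not Huawei code. Its first part parses the output of display snmp-agent trap feature-name acle all (the sample output is copied from the example above), handling the way long trap names wrap their status columns onto the next line, so a monitoring check can confirm that all four ACL resource traps are enabled. Its second part models the raise and clear behaviour described in the table: the threshold traps use hysteresis (raise above the upper threshold, clear only below the lower one) and the 100% trap clears only after usage stays below 100% for a while. The threshold values, the hold period before the clear trap, and the usage samples are this example's own assumptions; the command reference does not state them.

```python
"""ACL resource traps: output parser and alarm model (added example, not Huawei code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample output copied from the display snmp-agent trap feature-name acle all example.
SAMPLE_OUTPUT = """\
------------------------------------------------------------------------------
Feature name: ACLE
Trap number : 4
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwAclResTotalCountExceedTrap    on                      on
hwAclResTotalCountExceedClearTrap
                                on                      on
hwAclResThresholdExceedTrap     on                      on
hwAclResThresholdExceedClearTrap
                                on                      on
"""


def parse_trap_status(output: str) -> Dict[str, Tuple[str, str]]:
    """Map trap name -> (default status, current status).

    Names longer than the column width are printed alone and their two
    status columns wrap onto the next, indented line.
    """
    result, pending = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith("-") or ":" in line or line.startswith("Trap name"):
            continue
        fields = line.split()
        if line[0].isspace():                 # continuation line carrying only the statuses
            if pending and len(fields) == 2:
                result[pending] = (fields[0], fields[1])
            pending = None
        elif len(fields) == 3:                # name and both statuses on one line
            result[fields[0]] = (fields[1], fields[2])
        elif len(fields) == 1:                # long name, statuses follow on the next line
            pending = fields[0]
    return result


def disabled_traps(output: str) -> List[str]:
    """Trap names whose current switch status is not 'on'."""
    return sorted(name for name, (_, current) in parse_trap_status(output).items() if current != "on")


@dataclass
class AclResourceAlarms:
    upper: int = 80          # assumed upper alarm threshold (%)
    lower: int = 70          # assumed lower alarm threshold (%)
    clear_hold: int = 3      # assumed number of samples below 100% before the exhaustion clear trap
    threshold_alarm: bool = False
    exhausted: bool = False
    below_full: int = 0
    history: List[str] = field(default_factory=list)

    def observe(self, usage_pct: int) -> List[str]:
        """Feed one ACL resource usage sample and return the traps it generates."""
        fired = []
        # Threshold trap with hysteresis: raise above upper, clear only below lower.
        if not self.threshold_alarm and usage_pct > self.upper:
            self.threshold_alarm = True
            fired.append("hwAclResThresholdExceedTrap")
        elif self.threshold_alarm and usage_pct < self.lower:
            self.threshold_alarm = False
            fired.append("hwAclResThresholdExceedClearTrap")
        # Exhaustion trap at 100%; clears only after staying below 100% for clear_hold samples.
        if usage_pct >= 100:
            self.below_full = 0
            if not self.exhausted:
                self.exhausted = True
                fired.append("hwAclResTotalCountExceedTrap")
        elif self.exhausted:
            self.below_full += 1
            if self.below_full >= self.clear_hold:
                self.exhausted, self.below_full = False, 0
                fired.append("hwAclResTotalCountExceedClearTrap")
        self.history.extend(fired)
        return fired


def replay(samples: List[int]) -> List[str]:
    """Run a usage sequence through a fresh alarm model and return every trap raised, in order."""
    model = AclResourceAlarms()
    for usage in samples:
        model.observe(usage)
    return model.history


if __name__ == "__main__":
    print(disabled_traps(SAMPLE_OUTPUT))                           # []
    print(replay([50, 85, 75, 65, 100, 99, 100, 98, 97, 96, 60]))  # constructed usage samples
```

The hysteresis is the point worth noticing operationally: a usage value that oscillates between the two thresholds produces no trap storm, and a single dip below 100% does not clear the exhaustion alarm, so a receiver should treat the exhaustion trap as still active until the matching clear trap arrives.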

display time-range

Function

The display time-range command displays the configuration and status of the current time range.

Format

display time-range { all | time-name }

Parameters

Parameter

Description

Value

all

Indicates all the configured time ranges.

-

time-name

Specifies the name of a time range during which ACL rules take effect.

The value is a string of 1 to 32 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To specify a time range during which ACL rules take effect, run the time-range command and reference the time range name when you configure an ACL.

Before using a time range to filter data packets, run the display time-range command to view the time range configuration to avoid duplicate time ranges.

NOTE:

The device updates the status of ACLs with a delay of about 30 seconds, whereas the display time-range command uses the current time to determine whether a time range is active. Therefore, you may find that an ACL referencing an active time range is still shown as inactive. This is normal.

Example

# Display the configuration and status of all time ranges.

<HUAWEI> display time-range all
Current time is 14:48:13 10-17-2012 Wednesday

Time-range : abc (Active)
from 23:23 2012/9/9 to 23:59 2012/12/31
Total time-range number is 1
Table 14-6  Description of the display time-range command output

Item

Description

Current time is 14:48:13 10-17-2012 Wednesday

The current time is Wednesday 14:48:13 10-17-2012.

Time-range:abc (Active)

The time range is named abc and is active. The time range can be:
  • Active.
  • Inactive.

from 23:23 2012/9/9 to 23:59 2012/12/31

Time range abc is from 23:23 2012/9/9 to 23:59 2012/12/31.

Total time-range number

Total number of configured time ranges.


reset acl counter

Function

The reset acl counter command clears statistics about ACLs.

Format

reset acl counter { name acl-name | acl-number | all }

Parameters

Parameter

Description

Value

name acl-name

Specifies the name of an ACL whose statistics need to be cleared.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

acl-number

Specifies the number of an ACL whose statistics need to be cleared.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of a numbered advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.
NOTE:

Only the S5720HI, S5720EI, S6720S-EI, and S6720EI support user ACL.

all

Clears all the ACL statistics.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To obtain accurate ACL statistics for a given period, run the reset acl counter command to clear the existing statistics and start collecting statistics afresh.

After the reset acl counter command is executed, the system does not prompt you to confirm the deletion of the statistics.

Before using the reset acl counter command, make sure that you really intend to clear the ACL statistics.

Follow-up Procedure

After running the reset acl counter command to clear the previous ACL statistics, you can use the display acl match-counter command in the diagnostic view to check ACL rules and statistics on the packets matching the ACL rules in the current period.

Example

# Clear statistics about ACL 2000.

<HUAWEI> reset acl counter 2000

reset acl ipv6 counter

Function

The reset acl ipv6 counter command clears the ACL6 statistics.

Format

reset acl ipv6 counter { name acl6-name | acl6-number | all }

Parameters

Parameter

Description

Value

name acl6-name

Specifies the name of an ACL6 whose statistics need to be cleared.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

acl6-number

Specifies the number of an ACL6 whose statistics need to be cleared.

The value is an integer that ranges from 2000 to 3999.

  • ACL6s numbered 2000 to 2999 are basic ACL6s.
  • ACL6s numbered 3000 to 3999 are advanced ACL6s.

all

Clears all the ACL6 statistics.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To obtain accurate ACL6 statistics for a given period, run the reset acl ipv6 counter command to clear the existing statistics and start collecting statistics afresh.

Before using the reset acl ipv6 counter command, make sure that you really intend to clear the ACL6 statistics.

After the reset acl ipv6 counter command is executed, the system does not prompt you to confirm the deletion of the statistics.

Follow-up Procedure

After running the reset acl ipv6 counter command to clear the previous ACL6 statistics, you can use the display acl ipv6 command to view the ACL6 rules and the statistics on packets matching them in the current period.

Example

# Clear the statistics about basic ACL6 2000.

<HUAWEI> reset acl ipv6 counter 2000

rule (advanced ACL view)

Function

The rule command adds or modifies an advanced ACL rule.

The undo rule command deletes an advanced ACL rule.

By default, no advanced ACL rule is configured.

Format

  • When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as the Transmission Control Protocol (TCP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as the User Datagram Protocol (UDP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as a protocol other than ICMP, TCP, or UDP, for example, GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • To delete an advanced ACL rule, run:

    undo rule rule-id [ destination | destination-port | { { precedence | tos } * | dscp } | { fragment | first-fragment } | logging | icmp-type | source | source-port | tcp-flag | time-range | ttl-expired | vpn-instance ] *

NOTE:
  • The S2750, S5700LI, and S5700S-LI do not support tos.
  • Only the S5720EI, S6720S-EI, and S6720EI support ttl-expired.
  • The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

  • Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support first-fragment.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmp

Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified.

-

tcp

Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified.

-

udp

Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified.

-

gre

Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol.

-

igmp

Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol.

-

ip

Indicates that the protocol type is IP.

-

ipinip

Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol.

-

ospf

Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol.

-

protocol-number

Indicates the protocol type expressed by name or number.
NOTE:

Parameters in an ACL vary with the protocol type. The combination of source-port { eq port | gt port | lt port | range port-start port-end } and destination-port { eq port | gt port | lt port | range port-start port-end } is applicable to TCP and UDP only.

The value expressed by number is an integer that ranges from 1 to 255.

destination { destination-address destination-wildcard | any }

Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of data packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: indicates any destination IP address, equivalent to destination-address 0.0.0.0 with destination-wildcard 255.255.255.255.

destination-address: The value is in dotted decimal notation.

destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that only the exact host address is matched.

NOTE:
The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit means that the corresponding bit of the IP address must match and a 1 bit means that the corresponding bit is ignored. The 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01 (last octet in binary), where each x can be 0 or 1.

icmp-type { icmp-name | icmp-type [ icmp-code ] }

Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.

icmp-type is an integer that ranges from 0 to 255.

icmp-code is an integer that ranges from 0 to 255.

Table 14-8 lists the mapping between ICMP names and ICMP types and codes.

source { source-address source-wildcard | any }

Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address, equivalent to source-address 0.0.0.0 with source-wildcard 255.255.255.255.

source-address: The value is in dotted decimal notation.

source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that only the exact host address is matched.

NOTE:
The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit means that the corresponding bit of the IP address must match and a 1 bit means that the corresponding bit is ignored. The 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01 (last octet in binary), where each x can be 0 or 1.

tcp-flag

Matches packets based on the flag bits in the TCP packet header.

-

ack

Indicates that the ACK flag (010000) is set in the TCP packet header.

-

established

Indicates that the ACK flag (010000) or the RST flag (000100) is set in the TCP packet header.

-

fin

Indicates that the FIN flag (000001) is set in the TCP packet header.

-

psh

Indicates that the PSH flag (001000) is set in the TCP packet header.

-

rst

Indicates that the RST flag (000100) is set in the TCP packet header.

-

syn

Indicates that the SYN flag (000010) is set in the TCP packet header.

-

urg

Indicates that the URG flag (100000) is set in the TCP packet header.

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range from the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

destination-port { eq port | gt port | lt port | range port-start port-end }

Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal to the destination port number.
  • gt port: greater than the destination port number.
  • lt port: smaller than the destination port number.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number. When the value is expressed as a number:

  • eq port: the value ranges from 0 to 65535.
  • gt port: the value ranges from 0 to 65534.
  • lt port: the value ranges from 1 to 65535.

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

source-port { eq port | gt port | lt port | range port-start port-end }

Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal to the source port number.
  • gt port: greater than the source port number.
  • lt port: smaller than the source port number.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number. When the value is expressed as a number:

  • eq port: the value ranges from 0 to 65535.
  • gt port: the value ranges from 0 to 65534.
  • lt port: the value ranges from 1 to 65535.

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

dscp dscp

Specifies the value of a Differentiated Services Code Point (DSCP).

NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.

The value is an integer or a name.
  • The value ranges from 0 to 63 when it is an integer.
  • When it is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

tos tos

Indicates that packets are filtered according to the Type of Service (ToS).

The value is an integer or a name.
  • The value can be 0, 1, 2, 4, or 8 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 14-7 describes the mapping between ToS names and values.

precedence precedence

Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value.

The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network.

fragment

Indicates that the rule is valid only for non-initial fragments.

-

first-fragment

Indicates that the rule is valid only for initial fragments.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter and traffic-secure commands reference ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect.

-

ttl-expired

Matches packets with the TTL value 1. If this keyword is not specified, the ACL rule matches packets with any TTL value.

-

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL.

The value must be an existing VPN instance name.
Table 14-7  Mapping between ToS names and values

ToS Name            Value    ToS Name           Value
normal              0        max-reliability    2
min-monetary-cost   1        max-throughput     4
min-delay           8        -                  -

Table 14-8  Mapping between ICMP names and ICMP types and codes

icmp-name             icmp-type   icmp-code
Echo                  8           0
Echo-reply            0           0
Parameter-problem     12          0
Port-unreachable      3           3
Protocol-unreachable  3           2
Reassembly-timeout    11          1
Source-quench         4           0
Source-route-failed   3           5
Timestamp-reply       14          0
Timestamp-request     13          0
Ttl-exceeded          11          0
Fragmentneed-DFset    3           4
Host-redirect         5           1
Host-tos-redirect     5           3
Host-unreachable      3           1
Information-reply     16          0
Information-request   15          0
Net-redirect          5           0
Net-tos-redirect      5           2
Net-unreachable       3           0

Views

Advanced ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.

The rule command can reference a time range (time-range time-name) so that the rule takes effect only during that time range.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

The parameter fragment cannot be set together with source-port, destination-port, icmp-type, and tcp-flag; otherwise, the following error message is displayed:
Error: The fragment cannot be configured together with the source-port, destination-port, icmp-type and tcp-flag.

Example

# Add a rule to ACL 3000 to filter ICMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp

# Delete a rule from ACL 3000.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] undo rule 1

# Add a rule to ACL 3000 to filter IGMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 2 permit igmp

# Add a rule to ACL 3000 to filter packets with DSCP priorities.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 3 permit ip dscp cs1

# Add a rule to ACL 3001 to filter all the IP packets sent from hosts at 10.9.0.0 to hosts at 10.38.160.0.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255

# Add a rule to ACL 3001 to filter UDP packets from 10.9.8.0 to 10.38.160.0 with destination port number 128.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
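
The matching semantics documented in the parameter table (wildcard masks, the eq/gt/lt/range port operators, and the tcp-flag values including established) and the two ACL 3001 rules from the examples above, as an added Python model that is not Huawei code. Packet, Rule, PROTO and the sample packets are this example's own representation, not a device API; the treatment of several tcp-flag keywords in one rule (every listed flag must be set) and the rule order (rules are tried in list order, as with match-order config) are also this example's assumptions.

```python
"""Model of advanced ACL rule matching as documented for the rule command.

Added example, not Huawei code: it reproduces the documented semantics of
wildcard masks, the eq/gt/lt/range port operators and the tcp-flag bits so
a rule set can be checked offline. Packet, Rule and the sample packets are
this example's own representation, not a device API.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# 6-bit TCP flag values as listed in the parameter table (urg ... fin).
TCP_FLAG_BITS = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
                 "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}
PROTO = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
ANY = ("0.0.0.0", "255.255.255.255")          # documented meaning of the keyword any
PORT_OPS = {"eq": lambda p, lo, hi: p == lo, "gt": lambda p, lo, hi: p > lo,
            "lt": lambda p, lo, hi: p < lo, "range": lambda p, lo, hi: lo <= p <= hi}


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match, a 1 bit is ignored; the bits need not be contiguous."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(rule_addr)) & care


def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Render the matched set the way the parameter table does, e.g. 192.168.1.x0x0xx01."""
    octets = []
    for a, w in zip(map(int, rule_addr.split(".")), map(int, wildcard.split("."))):
        if w == 0:
            octets.append(str(a))                      # fully specified octet stays decimal
        else:
            octets.append("".join("x" if w >> i & 1 else str(a >> i & 1) for i in range(7, -1, -1)))
    return ".".join(octets)


def port_match(spec: Optional[Tuple], port: int) -> bool:
    """spec is None (any port) or (op, port[, port_end]) with op being eq, gt, lt or range."""
    return spec is None or PORT_OPS[spec[0]](port, spec[1], spec[2] if len(spec) > 2 else None)


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0                    # OR of TCP_FLAG_BITS values


@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    proto: Optional[int] = None           # None stands for "ip": every protocol matches
    source: Tuple[str, str] = ANY
    destination: Tuple[str, str] = ANY
    source_port: Optional[Tuple] = None
    destination_port: Optional[Tuple] = None
    tcp_flag: FrozenSet[str] = frozenset()

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if not (wildcard_match(pkt.src, *self.source) and wildcard_match(pkt.dst, *self.destination)):
            return False
        # Port operators are documented as applicable to TCP and UDP only.
        if (self.source_port or self.destination_port) and pkt.proto not in (PROTO["tcp"], PROTO["udp"]):
            return False
        if not (port_match(self.source_port, pkt.sport) and port_match(self.destination_port, pkt.dport)):
            return False
        for flag in self.tcp_flag:        # assumption: every listed flag must be set
            need = TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"] if flag == "established" else TCP_FLAG_BITS[flag]
            if not pkt.tcp_flags & need:  # established is documented as ack (010000) or rst (000100)
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first matching rule in list order (config match order), or None if none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# The two rules added to ACL 3001 in the examples above, in the order they were configured.
ACL_3001 = [
    Rule("permit", source=("10.9.0.0", "0.0.255.255"), destination=("10.38.160.0", "0.0.0.255")),
    Rule("permit", proto=PROTO["udp"], source=("10.9.8.0", "0.0.0.255"),
         destination=("10.38.160.0", "0.0.0.255"), destination_port=("eq", 128)),
]

if __name__ == "__main__":
    print(wildcard_pattern("192.168.1.169", "0.0.0.172"))                                 # 192.168.1.x0x0xx01
    print(evaluate(ACL_3001, Packet(PROTO["udp"], "10.9.8.5", "10.38.160.9", 4000, 128)))  # permit
    print(evaluate(ACL_3001, Packet(PROTO["tcp"], "10.10.1.1", "10.38.160.9", 4000, 22)))  # None
```

Running the page's two ACL 3001 rules through the model shows why rule order matters: the ip rule added first already permits every packet from 10.9.0.0/16 to 10.38.160.0/24, so the narrower UDP rule is only reached by packets the first rule does not cover. The evaluator returns None when no rule matches, because the command reference does not define a default action for that case; what happens then depends on the service that references the ACL.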

rule (advanced ACL6 view)

Function

The rule command adds or modifies an advanced ACL6 rule.

The undo rule command deletes an advanced ACL6 rule.

By default, no advanced ACL6 rule is created.

Format

  • When protocol is set to TCP, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

  • When protocol is set to UDP, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When protocol is set to ICMPv6, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When protocol is set to other protocols, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

  • To delete an advanced ACL6 rule, run:

    undo rule rule-id [ destination | destination-port | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type | logging | { { precedence | tos } * | dscp } | routing | source | source-port | tcp-flag | time-range | vpn-instance ] *

NOTE:
  • The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

  • Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support destination, routing [ routing-type routing-type ] and first-fragment.
  • Only the S5730SI, S6720SI, S5720EI, S5720HI, S6720EI, and S6720S-EI support dscp, precedence, and tos.

Parameters

Parameter

Description

Value

rule-id Specifies the ID of a rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, a rule is created using the ID and ordered based on the configured sequence.
  • If the rule ID is not specified, the device allocates an ID to the new rule. By default, the step of ACL6 is 1 and cannot be changed. Therefore, the device allocates IDs at an interval of 1 to ACL6 rules.
The value is an integer that ranges from 0 to 2047.
deny Indicates to drop packets conforming to certain conditions. -
permit Indicates to forward packets conforming to certain conditions. -
tcp Specifies that the protocol type is TCP. -
udp Specifies that the protocol type is UDP. -
icmpv6 Specifies that the protocol type is ICMPv6. -
protocol-number Specifies the protocol type, expressed as a name or a number. The value ranges from 1 to 255. The protocol type expressed as a name can be GRE, ICMPv6, IPv6, OSPF, TCP, or UDP.
destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } Indicates the destination address and prefix of a packet. destination-ipv6-address is expressed in hexadecimal notation. The value of prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any destination address.
destination destination-ipv6-address postfix postfix-length Indicates the destination address and the length of destination address postfix. destination-ipv6-address indicates the destination address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.
dscp dscp Specifies the Differentiated Services Code Point (DSCP) value.
NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.

The value of dscp can be an integer or a name. When the value is an integer, the value ranges from 0 to 63. When the value is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.
routing [ routing-type routing-type ] Indicates the routing header of IPv6 packets. The routing-type parameter specifies the routing-type field in the routing header. The value of routing-type is an integer that ranges from 0 to 255.
fragment Indicates that the rule is valid for only non-first fragmented packets. -
first-fragment Indicates that the rule is valid for only initial fragmented packets. -
logging Logs IP information of packets that match the rule.
NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter command references ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect.

-
precedence precedence Indicates that the packets are filtered according to the precedence field. precedence can be expressed as a name or a number. The value ranges from 0 to 7.
source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } Indicates the source address and prefix of a packet. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any source address.
source source-ipv6-address postfix postfix-length Indicates the source address and the length of source address postfix. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.
destination-port { eq port | gt port | lt port | range port-start port-end }
Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equivalent to the destination port number.
  • gt port: greater than the destination port number.
  • lt port: smaller than the destination port number.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port.

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

source-port { eq port | gt port | lt port | range port-start port-end }
Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equivalent to the source port number.
  • gt port: greater than the source port number.
  • lt port: smaller than the source port number.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port.

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } Indicates the type and code of ICMPv6 packets. This parameter is effective only when the packet protocol is ICMPv6. If this parameter is not specified, all ICMPv6 packets are matched.

icmp6-type: indicates the type of ICMPv6 messages. The value ranges from 0 to 255.

icmp6-code: indicates the code of ICMPv6 messages. The value ranges from 0 to 255.

The values of icmp6-type-name and the corresponding ICMP-Type and ICMP-Code are listed in Table 14-10.

tcp-flag Indicates the flag bits in the TCP packet header. -
ack Specifies that the TCP flag is ACK (010000). -
established Specifies that the TCP flag is ACK (010000) or RST (000100). -
fin Specifies that the TCP flag is FIN (000001). -
psh Specifies that the TCP flag is PSH (001000). -
rst Specifies that the TCP flag is RST (000100). -
syn Specifies that the TCP flag is SYN (000010). -
urg Specifies that the TCP flag is URG (100000). -
time-range time-name Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.
NOTE:

When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-name does not exist, the ACL6 does not take effect.

The value of time-name is a string of 1 to 32 characters.
tos tos Indicates that packets are filtered according to the Type of Service (ToS).
The value is an integer or a name.
  • The value ranges from 0 to 15 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 14-9 describes the mapping between ToS names and values.
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL.

The value must be an existing VPN instance name.
Table 14-9  Mapping between ToS names and values

ToS Name            Value
normal              0
min-monetary-cost   1
max-reliability     2
max-throughput      4
min-delay           8

Table 14-10  Values of icmp6-type-name and the corresponding ICMP-Type and ICMP-Code

icmp6-type-name          icmp-type   icmp-code
Redirect                 137         0
Echo                     128         0
Echo-reply               129         0
Err-Header-field         4           0
Frag-time-exceeded       3           1
Hop-limit-exceeded       3           0
Host-admin-prohib        1           1
Host-unreachable         1           3
Neighbor-advertisement   136         0
Neighbor-solicitation    135         0
Network-unreachable      1           0
Packet-too-big           2           0
Port-unreachable         1           4
Router-advertisement     134         0
Router-solicitation      133         0
Unknown-ipv6-opt         4           2
Unknown-next-hdr         4           1

Views

Advanced ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Advanced ACL6s classify data packets based on the source IP address, destination IP address, source port number, destination port number, and protocol type.

The rule command can reference a time range, so that ACL6 rules take effect only during the specified time.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

The parameter fragment cannot be set together with source-port, destination-port, icmp6-type, and tcp-flag.

Example

# Add a rule to ACL6 3000 to deny UDP packets from fc00:1::1 to fc00:3::1 whose destination port number is greater than 128.

<HUAWEI> system-view
[HUAWEI] acl ipv6 3000
[HUAWEI-acl6-adv-3000] rule deny udp source fc00:1::1 64 destination fc00:3::1 64 destination-port gt 128
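
The following Python evaluator is an added example, not code from the Huawei command reference; it shows how the advanced ACL6 conditions described above (address prefix-length, destination-port operators, and the tcp-flag bit values from the parameter table, including established = ACK or RST) decide whether a packet matches, using the page's own example rule. The Packet class and the sample packets are constructed for this illustration.

```python
"""Added example, not code from the Huawei command reference: a small
evaluator for the advanced ACL6 match conditions documented above.
The 6-bit tcp-flag values (urg=100000 ... fin=000001) and the
'established = ack or rst' rule come from the parameter table; the
Packet class and the sample packets are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass

# 6-bit TCP flag values exactly as listed for the tcp-flag parameter.
TCP_FLAG = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
            "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}
PROTO = {"tcp": 6, "udp": 17, "icmpv6": 58}  # IANA protocol numbers


@dataclass
class Packet:
    """Constructed packet summary holding only the fields the rules inspect."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0  # 6-bit field in the same layout as TCP_FLAG


def in_prefix(addr: str, rule_addr: str, prefix_length: int) -> bool:
    """'address prefix-length' form: only the high prefix_length bits must match."""
    net = ipaddress.IPv6Network(f"{rule_addr}/{prefix_length}", strict=False)
    return ipaddress.IPv6Address(addr) in net


def port_matches(port: int, operator: str, *bounds: int) -> bool:
    """destination-port / source-port operators: eq, gt, lt, range."""
    if operator == "eq":
        return port == bounds[0]
    if operator == "gt":
        return port > bounds[0]
    if operator == "lt":
        return port < bounds[0]
    if operator == "range":
        return bounds[0] <= port <= bounds[1]
    raise ValueError(f"unknown port operator {operator!r}")


def tcp_flag_matches(tcp_flags: int, keyword: str) -> bool:
    """A tcp-flag keyword requires that bit to be set; 'established' is
    satisfied by ACK or RST, as the parameter table states."""
    if keyword == "established":
        return bool(tcp_flags & (TCP_FLAG["ack"] | TCP_FLAG["rst"]))
    return bool(tcp_flags & TCP_FLAG[keyword])


def example_rule_denies(pkt: Packet) -> bool:
    """The page's example rule:
    rule deny udp source fc00:1::1 64 destination fc00:3::1 64 destination-port gt 128"""
    return (pkt.proto == PROTO["udp"]
            and in_prefix(pkt.src, "fc00:1::1", 64)
            and in_prefix(pkt.dst, "fc00:3::1", 64)
            and port_matches(pkt.dport, "gt", 128))


# Constructed sample traffic.
UDP_HIGH_PORT = Packet("fc00:1::a:b:c:d", "fc00:3::9", PROTO["udp"], 40000, 4000)
UDP_DNS = Packet("fc00:1::a:b:c:d", "fc00:3::53", PROTO["udp"], 40000, 53)
UDP_OTHER_SRC = Packet("fc00:2::1", "fc00:3::9", PROTO["udp"], 40000, 4000)
TCP_SAME_TUPLE = Packet("fc00:1::2", "fc00:3::9", PROTO["tcp"], 40000, 4000,
                        tcp_flags=TCP_FLAG["syn"])

if __name__ == "__main__":
    for p in (UDP_HIGH_PORT, UDP_DNS, UDP_OTHER_SRC, TCP_SAME_TUPLE):
        print(p, "-> deny" if example_rule_denies(p) else "-> no match")
```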

rule (basic ACL view)

Function

The rule command adds or modifies a basic ACL rule.

The undo rule command deletes a basic ACL rule.

By default, no rule is configured for a basic ACL.

Format

rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

NOTE:

The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match a rule.

-

source { source-address source-wildcard | any }
Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address of packets. It is equivalent to a source-address of 0.0.0.0 with a source-wildcard of 255.255.255.255.

source-address: The value is in dotted decimal notation.

source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address.

NOTE:
The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit indicates that the corresponding address bit must be matched and a 1 bit indicates that it does not need to be matched. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01 (last octet in binary), where each x can be 0 or 1.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL.

The value must be an existing VPN instance name.

fragment

Indicates that the rule is valid for only non-first fragmented packets. If fragment is specified, the rule is valid for non-first fragments and invalid for non-fragmented packets and first fragments.

NOTE:
Rules that do not contain fragment are valid for all the packets.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter and traffic-secure commands reference ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect.

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

Views

Basic ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A basic ACL matches packets based on information such as source IP addresses, fragment flags, and time ranges.

The rule command can reference a time range, so that ACL rules take effect only during the specified time.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule in ACL 2001 to permit the packets from 192.168.32.1.

<HUAWEI> system-view 
[HUAWEI] acl 2001 
[HUAWEI-acl-basic-2001] rule permit source 192.168.32.1 0

# Delete rule 5 from ACL 2001.

<HUAWEI> system-view 
[HUAWEI] acl 2001 
[HUAWEI-acl-basic-2001] undo rule 5
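
The following Python snippet is an added example, not code from the Huawei command reference. It evaluates the source source-address source-wildcard condition with the semantics stated in the parameter table (a 0 bit in the wildcard must match, a 1 bit is ignored, bits may be discontinuous, and a wildcard of 0 means 0.0.0.0), reproduces the page's 192.168.1.169 / 0.0.0.172 pattern, and shows why a subnet mask typed where a wildcard is expected matches far more than intended. All addresses are constructed.

```python
"""Added example, not code from the Huawei command reference: how the
'source source-address source-wildcard' condition of a basic ACL rule is
evaluated.  Semantics are the ones stated in the parameter table: a 0 bit in
the wildcard must match, a 1 bit is ignored, bits may be discontinuous, and a
wildcard of '0' is shorthand for 0.0.0.0.  The addresses are constructed."""
import ipaddress


def _to_int(dotted: str) -> int:
    if dotted == "0":  # the page allows a bare 0 as the wildcard
        dotted = "0.0.0.0"
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr: str, source_address: str, source_wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard agrees between addr and source_address."""
    care = ~_to_int(source_wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(source_address) & care)


def last_octet_pattern(source_address: str, source_wildcard: str) -> str:
    """Render the last octet in the page's notation, e.g. x0x0xx01 for
    192.168.1.169 with wildcard 0.0.0.172 (x = either 0 or 1)."""
    s = _to_int(source_address) & 0xFF
    w = _to_int(source_wildcard) & 0xFF
    return "".join("x" if (w >> i) & 1 else str((s >> i) & 1)
                   for i in range(7, -1, -1))


def matching_last_octets(source_address: str, source_wildcard: str) -> list:
    """Enumerate the last-octet values selected when only the last octet varies."""
    base = source_address.rsplit(".", 1)[0]
    return [n for n in range(256)
            if wildcard_matches(f"{base}.{n}", source_address, source_wildcard)]


def prefix_to_wildcard(prefix_length: int) -> str:
    """The wildcard is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_length)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


if __name__ == "__main__":
    # The page's example: rule permit source 192.168.32.1 0 (a single host).
    print(wildcard_matches("192.168.32.1", "192.168.32.1", "0"))
    # The discontinuous wildcard from the NOTE.
    print(last_octet_pattern("192.168.1.169", "0.0.0.172"))
    print(matching_last_octets("192.168.1.169", "0.0.0.172"))
    # A subnet mask typed where a wildcard is expected ignores the first three octets.
    print(wildcard_matches("10.9.9.1", "192.168.32.1", "255.255.255.0"))
```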

rule (basic ACL6 view)

Function

The rule command adds or modifies basic ACL6 rules.

The undo rule command deletes a basic ACL6 rule.

By default, there is no basic ACL6 rule.

Format

rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

NOTE:

The vpn-instance parameter is supported only when a software-based ACL is applied to the S5720SI, S5720S-SI, S5720EI, S5720HI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S6720EI, or S6720S-EI. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S1720, S2700, S5700, and S6720 V200R011C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

Parameters

Parameter

Description

Value

rule-id Specifies the ID of a rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, a rule is created using the ID and ordered based on the configured sequence.
  • If the rule ID is not specified, the device allocates an ID to the new rule. By default, the step of ACL6 is 1 and cannot be changed. Therefore, the device allocates IDs at an interval of 1 to ACL6 rules.
The value is an integer that ranges from 0 to 2047.
deny Indicates to drop packets conforming to certain conditions. -
permit Indicates to forward packets conforming to certain conditions. -
fragment Indicates that the rule is valid for only non-first fragmented packets. -
logging Logs IP information of packets that match the rule.
NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter command references ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S1720GFR, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, deny must be specified for the logging parameter to take effect.

-
source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length } Indicates the source address and prefix of a packet. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. prefix-length is an integer that ranges from 1 to 128.
source source-ipv6-address postfix postfix-length Indicates the source address and the length of source address postfix. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.
any Indicates any source address. -
time-range time-name Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.
NOTE:

When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-name does not exist, the ACL6 does not take effect.

The value of time-name is a string of 1 to 32 characters.
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL.

The value must be an existing VPN instance name.

Views

Basic ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A basic ACL6 matches packets based on information such as source IP addresses, fragment flags, and time ranges.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule to ACL6 2000 to deny packets from the source fc00:1::1/64.

<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule deny source fc00:1::1/64

rule (layer 2 ACL view)

Function

The rule command adds or modifies a Layer 2 ACL rule.

The undo rule command deletes a Layer 2 ACL rule.

By default, there is no rule in the related Layer 2 ACL view.

Format

rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

undo rule { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

undo rule rule-id

NOTE:

The S1720GFR, S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720EI, S2750EI, S5720SI, S5720S-SI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, and S5700S-LI do not support cvlan-id cvlan-id [ cvlan-id-mask ], cvlan-8021p 802.1p-value, and double-tag.

The S1720X, S1720X-E, S6720LI, S5730SI, S5730S-EI, S6720S-LI, S6720SI, and S6720S-SI do not support cvlan-8021p 802.1p-value.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule overwrites the old rule. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match a rule.

-

permit

Permits the packets that match a rule.

-

ether-ii | 802.3 | snap

Indicates the encapsulation format of a packet that matches the rule.
  • ether-ii: specifies the Ethernet II encapsulation.
  • 802.3: specifies the 802.3 encapsulation.
  • snap: specifies the SNAP encapsulation.
NOTE:
  • On the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5720SI, S5720S-SI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, or S5700S-LI, when the ACL matching the encapsulation format ether-ii or snap is configured, the ACL matches the packets encapsulated with both Ethernet II and SNAP, including IPv4 and IPv6 packets.
  • On the S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, or S6720S-SI, when the ACL matching the encapsulation format ether-ii or snap is configured, the ACL matches the IPv6 packets encapsulated with Ethernet II and SNAP, but matches the IPv4 packets encapsulated with either ether-ii or snap.

-

l2-protocol type-value [ type-mask ]

Indicates the type of a Layer 2 protocol. This parameter corresponds to the Ethernet type field of Ethernet_II frames and the type-code field of Ethernet_SNAP frames.

  • type-value: specifies the type value of a Layer 2 protocol.
  • type-mask: specifies the type mask of a Layer 2 protocol.
type-value can be a hexadecimal number of 3 to 6 digits that ranges from 0x0000 to 0xFFFF or one of the following protocol names:
  • ARP, corresponding to 0x0806
  • IP, corresponding to 0x0800
  • IPv6, corresponding to 0x86dd
  • MPLS, corresponding to 0x8847
  • RARP, corresponding to 0x8035

The default value of type-mask is 0xffff.

destination-mac dest-mac-address [ dest-mac-mask ]

Specifies the destination MAC address of packets that match ACL rules.
  • dest-mac-address specifies the destination MAC address of packets.
  • dest-mac-mask specifies the mask of the destination MAC address of packets.

dest-mac-address and dest-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the dest-mac-mask is ffff-ffff-ffff.

You can obtain the required destination MAC address range by specifying dest-mac-address and dest-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

source-mac source-mac-address [ source-mac-mask ]

Specifies the source MAC address of packets that match ACL rules.
  • source-mac-address specifies the source MAC address of packets.
  • source-mac-mask specifies the mask of the source MAC address of packets. If this parameter is not specified, the mask is ffff-ffff-ffff.

source-mac-address and source-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the source-mac-mask is ffff-ffff-ffff.

You can obtain the required source MAC address range by specifying source-mac-address and source-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies a MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies a MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

vlan-id vlan-id [ vlan-id-mask ]

Indicates the outer VLAN ID contained in a packet that matches the rule.

  • vlan-id: specifies the number of the VLAN ID.
  • vlan-id-mask: specifies the mask of the VLAN ID.

The value of vlan-id is an integer ranging from 1 to 4094.

The value of the vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

8021p 802.1p-value

Indicates the 802.1p priority in the outer VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

cvlan-id cvlan-id [ cvlan-id-mask ]

Indicates the inner VLAN ID of a packet that matches the rule.

  • cvlan-id: specifies the number of the inner VLAN ID.
  • cvlan-id-mask: specifies the mask of the inner VLAN ID.

The value of cvlan-id is an integer ranging from 1 to 4094.

The value of the cvlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

cvlan-8021p 802.1p-value

Indicates the 802.1p priority in the inner VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

double-tag

Indicates that only packets with double tags match the rule.

-

time-range time-name

Defines the time range during which an ACL rule is valid. time-name specifies the name of a time range.

NOTE:

When you specify the time-range parameter to reference a time range to the ACL, if the specified time-name does not exit, the ACL cannot be bound to the specified time range.

The value of time-name is a string of 1 to 32 characters.

Views

Layer 2 ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Layer 2 ACL matches packets based on Layer 2 information of the packets, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.

The rule command defines the time range and flexibly configures the time when the ACL rules take effect.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists, the new rule overwrites the old rule no matter whether the rules conflict.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule to ACL 4001 to match packets with the destination MAC address being 0000-0000-0001, source MAC address being 0000-0000-0002, and the value of the Layer 2 protocol type being 0x0800.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800

rule (user-defined ACL view)

Function

The rule command adds or modifies a rule in the user-defined ACL view.

The undo rule command deletes an ACL rule.

By default, no rule exists in the user-defined ACL view.

Format

rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *

undo rule { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *

undo rule rule-id

NOTE:

The S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S2750EI, S5720SI, S5720S-SI, S5710-X-LI, S5720LI, S5720S-LI, S5700LI, S5700S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI do not support &<1-8> and ipv6-head.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.

  • If the specified rule ID has been created, the new rule overwrites the old rule. If the specified rule ID does not exist, the Switch creates a new rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the Switch allocates an ID to the new rule. The rule IDs are sorted in ascending order. The Switch automatically allocates IDs according to the step. The step is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match a rule.

-

permit

Permits the packets that match a rule.

-

l2-head | ipv4-head | ipv6-head | l4-head

Indicates the position from which the offset starts.
  • l2-head: indicates that the offset begins from the Layer 2 header.
  • ipv4-head: indicates that the offset begins from the IPv4 header.
  • ipv6-head: indicates that the offset begins from the IPv6 header.
  • l4-head: indicates that the offset begins from the Layer 4 header.

-

rule-string

Specifies the customized rule string.

The value is a string of 3 to 10 characters. The string is in hexadecimal notation. The maximum length of the string is 4 bytes.

NOTE:

The rule command in the user-defined ACL view matches four bytes each time. When the matching field length is smaller than four bytes, add 0 to the field.

rule-mask

Specifies the mask of the rule string.

The value is a string of 3 to 10 characters. The string is in hexadecimal notation. The maximum length of the string is 4 bytes. When the mask bit of the customized character string is 1, the ACL matches the bit. When the mask bit of the customized character string is 0, the ACL does not match the bit.

offset

Specifies the value of the offset.

The value is an integer, in bytes. The value of the offset varies with the offset position.
  • For l2-head, the value of offset is 4N+2. N is an integer starting from 0.
  • For other offset positions, the value of offset is 4N. N is an integer starting from 0.

time-range time-name

Defines the time range during which an ACL rule takes effect. time-name specifies the name of the time range during which an ACL rule takes effect.

The value is a string of 1 to 32 characters.

Views

User-defined ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user-defined ACL defines rules by setting the offset position and value of the packet. The user-defined ACL is applicable to matching rules of a traffic classifier.

The rule command defines the time range and flexibly configures the time when the ACL rules take effect.

NOTE:

The user-defined ACL is applicable to only the incoming traffic.

Prerequisites

An ACL must be created before the rule is configured.

Precautions

  • If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
  • To change the offset in a user-defined ACL rule, delete and reconfigure the ACL rule.
  • The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
  • When specifying an ACL rule to match offset bytes in the Layer 2 header on the S5730SI, S5730S-EI, S6720-56C-PWH-SI-AC, or S6720-56C-PWH-SI, add a tag first if the ACL rule will be applied on a GE electrical interface through which packets having no tag pass.

Example

# Add a rule in ACL 5001 to match the four bytes following the 14 offset bytes from the Layer 2 header. The string of the ACL rule is 0x0180C200.

<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule permit l2-head 0x0180C200 0xFFFFFFFF 14
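The following Python snippet is an added illustration of the offset, rule-string and rule-mask semantics described above; it is not Huawei code and makes no claim about how the switch hardware parses packets. The base positions for an untagged IPv4 frame, the left zero-padding of a rule string shorter than four bytes, the constructed frames and the names UserDefinedRule, mac_matches and build_frame are all assumptions of the example. The same "mask bit 1 compares, mask bit 0 ignores" rule is applied by mac_matches to the source-mac-mask and destination-mac-mask of the Layer 2 ACL rule described earlier.

```python
"""Offset/mask matching of a user-defined ACL rule (added illustration, not Huawei code)."""
from __future__ import annotations

from dataclasses import dataclass

# ASSUMPTION: start of each offset base inside a constructed, untagged frame
# carrying a 20-byte IPv4 header.  The switch derives these positions from
# the parsed packet; the example simply fixes them.
BASE_OFFSETS = {"l2-head": 0, "ipv4-head": 14, "l4-head": 34}


def offset_is_valid(base: str, offset: int) -> bool:
    """Documented granularity: 4N+2 for l2-head, 4N for the other bases."""
    if offset < 0:
        return False
    return offset % 4 == (2 if base == "l2-head" else 0)


def parse_hex(s: str) -> int:
    """Accept the 3..10-character hexadecimal form (0x plus up to 8 digits)."""
    if not (3 <= len(s) <= 10 and s.lower().startswith("0x")):
        raise ValueError(f"bad hexadecimal string: {s!r}")
    return int(s, 16)


@dataclass(frozen=True)
class UserDefinedRule:
    action: str         # permit | deny
    base: str           # l2-head | ipv4-head | l4-head (ipv6-head omitted here)
    rule_string: str    # e.g. "0x0180C200"
    rule_mask: str      # e.g. "0xFFFFFFFF"
    offset: int         # bytes from the base

    def matches(self, frame: bytes) -> bool:
        if not offset_is_valid(self.base, self.offset):
            raise ValueError(f"offset {self.offset} is not allowed for {self.base}")
        start = BASE_OFFSETS[self.base] + self.offset
        window = frame[start:start + 4]
        if len(window) < 4:
            return False            # frame too short to hold the 4-byte field
        # ASSUMPTION: a rule string shorter than 4 bytes is padded with
        # leading zeros, i.e. it is read as one 32-bit integer.
        value = parse_hex(self.rule_string)
        mask = parse_hex(self.rule_mask)
        # mask bit 1: the bit is compared; mask bit 0: the bit is ignored
        return (int.from_bytes(window, "big") & mask) == (value & mask)


def mac_matches(rule_mac: str, mac_mask: str, packet_mac: str) -> bool:
    """source-mac/destination-mac semantics: mask bit 1 compares, 0 ignores."""
    def as_int(mac: str) -> int:
        return int(mac.replace("-", ""), 16)
    return (as_int(packet_mac) & as_int(mac_mask)) == (as_int(rule_mac) & as_int(mac_mask))


def build_frame(payload: bytes) -> bytes:
    """Constructed untagged Ethernet frame: dst MAC, src MAC, EtherType 0x0800, payload."""
    header = bytes.fromhex("000000000001" "000000000002" "0800")
    return header + payload + b"\x00" * 40


# The rule from the example above: 4 bytes at offset 14 from the Layer 2 header
RULE_5001 = UserDefinedRule("permit", "l2-head", "0x0180C200", "0xFFFFFFFF", 14)

# Constructed frame whose bytes 14..17 are 01 80 C2 00
FRAME_MATCH = build_frame(bytes.fromhex("0180c200"))
# Constructed frame with a minimal IPv4 header (protocol 6 = TCP at byte 9 of the header)
FRAME_TCP = build_frame(bytes.fromhex("45000028" "00004000" "40060000" "c0a80101" "c0a80102"))
# The protocol byte sits in the third 4-byte word of the IPv4 header (offset 8): 40 06 xx xx
RULE_PROTO_TCP = UserDefinedRule("permit", "ipv4-head", "0x00060000", "0x00FF0000", 8)
```

RULE_PROTO_TCP goes beyond the page's single example to show an ipv4-head rule: the mask selects only the protocol byte inside the 4-byte window, which is how a user-defined rule matches a field narrower than four bytes.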

rule (user ACL view)

Function

The rule command configures a user ACL rule.

The undo rule command deletes a user ACL rule.

By default, no user ACL rule is configured.

NOTE:

Only the S5720EI, S5720HI, S6720S-EI, and S6720EI support this command.

Format

  • When the protocol is ICMP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | icmp-type { icmp-name | icmp-type [ icmp-code ] } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | icmp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | icmp-type { icmp-name | icmp-type [ icmp-code ] } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the protocol is TCP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the protocol is UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the protocol is GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

  • To delete an ACL rule, run:

    undo rule rule-id

NOTE:

The S5720EI, S6720S-EI, and S6720EI do not support destination { fqdn fqdn-name }, ucl-group { destination-ucl-group-index | name destination-ucl-group-name }, and vpn-instance vpn-instance-name.

Only the S5720HI supports the source and destination parameters in [ source ] ucl-group and [ destination ] ucl-group.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmp

Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified.

-

tcp

Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified.

-

udp

Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified.

-

gre

Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol.

-

igmp

Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol.

-

ip

Indicates that the protocol type is IP.

-

ipinip

Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol.

-

ospf

Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol.

-

protocol-number

Indicates the protocol type expressed by number.

The value expressed by number is an integer that ranges from 1 to 255.

source { { source-address source-wildcard | any } | { [ source ] ucl-group { source-ucl-group-index | name source-ucl-group-name } } } *

Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address of packets. That is, the value of source-address is 0.0.0.0 and the value of source-wildcard is 255.255.255.255.
  • ucl-group source-ucl-group-index: specifies the ID of the UCL group to which the source IP address of packets belongs.
  • ucl-group name source-ucl-group-name: specifies the name of the UCL group to which the source IP address of packets belongs.
  • source-address: The value is in dotted decimal notation.
  • source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address.
    NOTE:
    The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the corresponding address bit must match and the value 1 indicates that the corresponding address bit is ignored. The 1s and 0s can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.
  • The value of source-ucl-group-name must be the name of an existing UCL group.
  • source-ucl-group-index is an integer that ranges from 0 to 48 on the S5720EI, S6720S-EI, and S6720EI, and from 0 to 64000 on the other models.
  • When the value of source-ucl-group-index is 0, the source address of packet matching the ACL rule is beyond the UCL group range.

destination { { { destination-address destination-wildcard | any } | { [ destination ] ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name }

Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of data packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: indicates any destination IP address of packets. That is, the value of destination-address is 0.0.0.0 and the value of destination-wildcard is 255.255.255.255.
  • ucl-group destination-ucl-group-index: specifies the ID of the UCL group to which the destination IP address of packets belongs.
  • ucl-group name destination-ucl-group-name: specifies the name of the UCL group to which the destination IP address of packets belongs.
  • fqdn fqdn-name: specifies the name of a domain. The precise matching and fuzzy matching (using *) are supported. In fuzzy matching, the fuzzy domain name and full domain name cannot include each other. For example, if www.abc.com has been configured on the device, *.abc.com cannot be configured, but *.aaa.com can be configured. Similarly, if *.abc.com has been configured on the device, *.www.abc.com cannot be configured, but www.aaa.com can be configured. This parameter is available for only wireless users.
  • destination-address: The value is in dotted decimal notation.
  • destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is the host address.
    NOTE:
    The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the corresponding address bit must match and the value 1 indicates that the corresponding address bit is ignored. The 1s and 0s can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.
  • destination-ucl-group-index is an integer that ranges from 0 to 48 on the S5720EI, S6720S-EI, and S6720EI, and from 0 to 64000 on the other models.
  • When the value of destination-ucl-group-index is 0, the destination address of packet matching the ACL rule is beyond the UCL group range.
  • The value of fqdn-name is a string of 1 to 64 characters.

icmp-type { icmp-name | icmp-type [ icmp-code ] }

Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.

icmp-type is an integer that ranges from 0 to 255.

icmp-code is an integer that ranges from 0 to 255.

NOTE:

Table 14-11 lists the mapping between ICMP names and ICMP types and codes.

source-port { eq port | gt port | lt port | range port-start port-end }

Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • lt port: smaller than operator.
  • range port-start port-end: within the range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

destination-port { eq port | gt port | lt port | range port-start port-end }

Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • lt port: smaller than operator.
  • range port-start port-end: within the range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

tcp-flag

Indicates the SYN Flag in the TCP packet header.

-

ack

Indicates that the SYN Flag type in the TCP packet header is ack (010000).

-

established

Indicates that the SYN Flag type in the TCP packet header is ack (010000) or rst (000100).

-

fin

Indicates that the SYN Flag type in the TCP packet header is fin (000001).

-

psh

Indicates that the SYN Flag type in the TCP packet header is psh (001000).

-

rst

Indicates that the SYN Flag type in the TCP packet header is rst (000100).

-

syn

Indicates that the SYN Flag type in the TCP packet header is syn (000010).

-

urg

Indicates that the SYN Flag type in the TCP packet header is urg (100000).

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range to the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance on the inbound interface.

The value must be an existing VPN instance name.

Table 14-11  Mapping between ICMP names and ICMP types and codes

icmp-name             icmp-type   icmp-code
Echo                  8           0
Echo-reply            0           0
Fragmentneed-DFset    3           4
Host-redirect         5           1
Host-tos-redirect     5           3
Host-unreachable      3           1
Information-reply     16          0
Information-request   15          0
Net-redirect          5           0
Net-tos-redirect      5           2
Net-unreachable       3           0
Parameter-problem     12          0
Port-unreachable      3           3
Protocol-unreachable  3           2
Reassembly-timeout    11          1
Source-quench         4           0
Source-route-failed   3           5
Timestamp-reply       14          0
Timestamp-request     13          0
Ttl-exceeded          11          0
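The Python snippet below is an added illustration of how the user ACL parameters above combine when a packet is checked against a rule; it is not Huawei code and does not model UCL groups, FQDN matching or VPN instances. It implements the wildcard semantics (including the discontinuous 192.168.1.169 / 0.0.0.172 case), the eq/gt/lt/range port operators, the tcp-flag bits with established meaning ack or rst, and the icmp-name lookup from Table 14-11. The Packet and UserAclRule classes, the constructed packets, and the assumption that every listed TCP flag must be present are all the example's own.

```python
"""Matching logic of a user ACL rule (added illustration, not Huawei code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Table 14-11 as a lookup: icmp-name -> (icmp-type, icmp-code)
ICMP_NAMES = {
    "echo": (8, 0), "echo-reply": (0, 0), "fragmentneed-dfset": (3, 4),
    "host-redirect": (5, 1), "host-tos-redirect": (5, 3), "host-unreachable": (3, 1),
    "information-reply": (16, 0), "information-request": (15, 0),
    "net-redirect": (5, 0), "net-tos-redirect": (5, 2), "net-unreachable": (3, 0),
    "parameter-problem": (12, 0), "port-unreachable": (3, 3),
    "protocol-unreachable": (3, 2), "reassembly-timeout": (11, 1),
    "source-quench": (4, 0), "source-route-failed": (3, 5),
    "timestamp-reply": (14, 0), "timestamp-request": (13, 0), "ttl-exceeded": (11, 0),
}
# TCP flag bits as listed for tcp-flag (urg 100000 ... fin 000001)
TCP_FLAG_BITS = {"urg": 0x20, "ack": 0x10, "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01}
# Protocol keywords and the IP protocol numbers given for them
PROTOCOLS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
ANY = ("0.0.0.0", "255.255.255.255")   # what the keyword any expands to


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = bit must match, bit 1 = bit is ignored; bits may be discontinuous."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


def port_match(port: int, op: str, *bounds: int) -> bool:
    """eq / gt / lt / range operators of source-port and destination-port."""
    if op == "eq":
        return port == bounds[0]
    if op == "gt":
        return port > bounds[0]
    if op == "lt":
        return port < bounds[0]
    if op == "range":
        return bounds[0] <= port <= bounds[1]
    raise ValueError(f"unknown operator {op!r}")


@dataclass
class Packet:
    """Constructed packet summary: only the fields a user ACL rule looks at."""
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class UserAclRule:
    action: str                                   # permit | deny
    protocol: str                                 # ip, tcp, udp, icmp, ... or a number
    source: tuple[str, str] = ANY                 # (source-address, source-wildcard)
    destination: tuple[str, str] = ANY
    source_port: Optional[tuple] = None           # ("eq", 80) or ("range", 1024, 65535)
    destination_port: Optional[tuple] = None
    tcp_flags: tuple[str, ...] = ()               # e.g. ("established",)
    icmp: Optional[tuple] = None                  # ("Echo",) or (3,) or (3, 3)

    def matches(self, p: Packet) -> bool:
        # ip matches every IP protocol; otherwise the protocol number must agree
        if self.protocol != "ip":
            wanted = PROTOCOLS[self.protocol] if self.protocol in PROTOCOLS else int(self.protocol)
            if p.protocol != wanted:
                return False
        if not wildcard_match(p.src, *self.source) or not wildcard_match(p.dst, *self.destination):
            return False
        if self.source_port and not port_match(p.sport, *self.source_port):
            return False
        if self.destination_port and not port_match(p.dport, *self.destination_port):
            return False
        for flag in self.tcp_flags:
            # established = ack or rst, as described above.  ASSUMPTION: when
            # several flags are listed, each of them must be present.
            want = TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"] if flag == "established" else TCP_FLAG_BITS[flag]
            if not p.tcp_flags & want:
                return False
        if self.icmp:
            first = self.icmp[0]
            want = ICMP_NAMES[first.lower()] if isinstance(first, str) else self.icmp
            if p.icmp_type != want[0] or (len(want) > 1 and p.icmp_code != want[1]):
                return False
        return True


def first_match(rules: list[UserAclRule], p: Packet) -> Optional[str]:
    """Walk the rules in configured order and return the action of the first match."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return None
```

first_match returns None when no rule matches, leaving the default action to the feature that references the ACL, since this page does not state it.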

Views

User ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Currently, the user ACL can only be applied to the UCL groups of the NAC feature. To control the network access rights of users based on user groups, you can perform the following operations: configure a UCL group, associate user ACL rules with the UCL group so that the ACL rules apply to all users in the user group, configure packet filtering based on user ACL to make the ACL take effect, and then apply the UCL group to the AAA service scheme.

Prerequisites

If the ucl-group name source-ucl-group-name or ucl-group name destination-ucl-group-name parameter is configured for a rule, the source and destination UCL groups must have been created by the ucl-group command.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

Example

# Add a rule to ACL 6000 to reject all the IP packets sent from UCL group group1 to network segment 10.9.9.0/24.

<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 10.9.9.0 0.0.0.255

rule description

Function

The rule description command configures the description of an ACL rule.

The undo rule description command deletes the description of an ACL rule.

By default, no description is configured for an ACL rule.

Format

rule rule-id description description

undo rule rule-id description

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.

  • ACL view: The value is an integer that ranges from 0 to 4294967294.
  • ACL6 view: The value is an integer that ranges from 0 to 2047.

description description

Specifies the description of an ACL rule.

You can configure the description to record an ACL rule in detail.

The value is a character string and contains a maximum of 127 characters.

Views

ACL view, ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Application Scenarios

The rule-id parameter identifies a rule but cannot describe what the rule means or what it is used for. A description string solves this problem.

Prerequisites

The ACL rule has been created. If the ACL rule does not exist, the system displays an error message when you run this command.

Precautions

If the rule description command is run repeatedly, the latest configuration takes effect.

After you run the undo rule rule-id command, the rule and rule description are deleted.

Example

# Configure the description for rule 5 in acl 2001, which permits the packets from 192.168.32.1.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 192.168.32.1 0
[HUAWEI-acl-basic-2001] rule 5 description permit 192.168.32.1
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.32.1 0
 rule 5 description permit 192.168.32.1

snmp-agent trap enable feature-name acle

Function

The snmp-agent trap enable feature-name acle command enables the trap function for the ACL module.

The undo snmp-agent trap enable feature-name acle command disables the trap function for the ACL module.

By default, the trap function is enabled for the ACL module.

Format

snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]

undo snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]

Parameters

Parameter

Description

Value

trap-name

Enables or disables the trap function for the specified event.

-

hwaclresthresholdexceedcleartrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device falls below the lower alarm threshold (percentage).

-

hwaclresthresholdexceedtrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device exceeds the upper alarm threshold (percentage).

-

hwaclrestotalcountexceedcleartrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device has reached 100% and then falls below 100% and stays there for a period of time.

-

hwaclrestotalcountexceedtrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device reaches 100%.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.

Example

# Enable the hwaclresthresholdexceedtrap for ACL.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name acle trap-name hwaclresthresholdexceedtrap

step

Function

The step command sets the step between ACL rule IDs.

The undo step command restores the default step between ACL rule IDs.

By default, the step between ACL rule IDs is 5.

Format

step step

undo step

Parameters

Parameter

Description

Value

step

Specifies the step between ACL rule IDs.

The value is an integer that ranges from 1 to 20.

Views

ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The step is the difference between rule IDs when the system automatically assigns rule IDs. For example, if the ACL step value is set to 5, rules are numbered 5, 10, 15, and so on.

To add a rule between existing rules, you need to reset the step. For example, an ACL in config mode contains three rules with IDs being 5, 10, and 15. To insert a new rule after rule 5 (the first rule), run the rule 7 xxxx command to insert rule 7.

If the step value is changed, ACL rule IDs are arranged automatically. For example, if the original rule IDs are 5, 10, and 15, the rule IDs become 2, 4, and 6 after you change the step value to 2.

NOTE:

The undo step command can be used to realign ACL rule IDs immediately based on the default step. For example, ACL rule group 3001 contains four rules with IDs being 1, 3, 5, and 7, and the step is 2. After the undo step command is executed, the rule IDs become 5, 10, 15, and 20 and the step value is restored to 5.
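The following Python class is an added illustration of the ID allocation and realignment behaviour described in this section; it is not Huawei code. The class name AclRules, its method names and the rule texts are the example's own. It allocates automatic IDs starting from the step value, inserts an explicitly numbered rule between existing ones, overwrites a rule whose ID already exists, renumbers all rules when the step changes, and realigns them on the default step of 5 for undo step.

```python
"""Rule ID allocation and realignment under step (added illustration, not Huawei code)."""
from __future__ import annotations

DEFAULT_STEP = 5
MAX_RULE_ID = 4294967294


class AclRules:
    """Rules of one ACL keyed by rule-id, kept in ascending id order."""

    def __init__(self, step: int = DEFAULT_STEP):
        self.step = self._checked(step)
        self.rules: dict[int, str] = {}

    @staticmethod
    def _checked(step: int) -> int:
        if not 1 <= step <= 20:
            raise ValueError("step must be an integer from 1 to 20")
        return step

    def add(self, text: str, rule_id: int | None = None) -> int:
        """Explicit id: overwrite an existing rule or insert at that position.
        No id: the next multiple of step above the highest existing id."""
        if rule_id is None:
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        elif not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id out of range")
        self.rules[rule_id] = text
        self.rules = dict(sorted(self.rules.items()))
        return rule_id

    def set_step(self, step: int) -> list[int]:
        """step command: renumber the rules as step, 2*step, ... in their current order."""
        self.step = self._checked(step)
        texts = list(self.rules.values())
        self.rules = {self.step * (i + 1): t for i, t in enumerate(texts)}
        return self.ids()

    def undo_step(self) -> list[int]:
        """undo step: realign immediately on the default step of 5."""
        return self.set_step(DEFAULT_STEP)

    def ids(self) -> list[int]:
        return list(self.rules)
```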

Prerequisites

An ACL has been created by running the acl command.

Precautions

The ACL6 does not support the step.

Example

# Set the step between rules in ACL 3101 to 2.

<HUAWEI> system-view
[HUAWEI] acl 3101
[HUAWEI-acl-adv-3101] step 2

time-range

Function

The time-range command sets a time range.

The undo time-range command deletes a time range.

By default, no time range is set.

Format

time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

undo time-range time-name [ start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] ]

Parameters

Parameter

Description

Value

time-name

Specifies the name of a time range.

The value is a string of 1 to 32 case-sensitive characters without spaces and must begin with a letter. To avoid confusion, do not use "all" as the name of a time range.

start-time

Specifies the start time of a time range.

The format is hh:mm.
  • hh specifies the hour. The value is an integer that ranges from 0 to 23.
  • mm specifies the minute. The value is an integer that ranges from 0 to 59.

end-time

Specifies the end time of a time range.

The format is hh:mm.
  • hh specifies the hour. The value is an integer that ranges from 0 to 23.
  • mm specifies the minute. The value is an integer that ranges from 0 to 59.

days

Specifies the date on which the time range takes effect.

The value can be one of the following:
  • The numbers 0 to 6 indicate that the time range takes effect from Sunday to Saturday. The number 0 refers to Sunday.
  • A day name: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday.
  • The value "Daily" indicates that the time range takes effect during the seven days in a week.
  • The value "off-day" indicates that the time range takes effect on weekends including Saturday and Sunday.
  • The value "Working-day" indicates that the time range takes effect in five days from Monday to Friday.

from time1 date1

Specifies the time for the time range to take effect.

time1 is in the format of hh:mm.
  • hh specifies the hour. The value is an integer that ranges from 0 to 23.
  • mm specifies the minute. The value is an integer that ranges from 0 to 59.
date1 is in the format of yyyy/mm/dd.
  • yyyy specifies the year. The value is an integer that ranges from 1970 to 2099.
  • mm specifies the month. The value is an integer that ranges from 1 to 12.
  • dd specifies the day. The value is an integer that ranges from 1 to 31.

to time2 date2

Specifies the end of a time range.

The formats of time2 and date2 are the same as those of time1 and date1. The end time must be later than the start time. If the end time is not set, the device uses the maximum value allowed by the system.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If some services or functions need to be started at intervals or periodically, you can run the time-range command to set the time range. When configuring ACL or ACL6 rules, you can reference the names of time ranges.

The time range is classified into the following types:
  • Relative time range (periodic time range): It is specified by start-time and end-time. The weekday when the time range takes effect is determined by days.
  • Absolute time range: It is specified by from and to. The absolute time range can be used to limit the periodic time range.
You can set the same name for multiple time ranges to describe a special period. If multiple time ranges have the same name, the periodic time ranges are ORed, and a periodic time range and a definite time range are ANDed. For example, three time ranges are set with the same name test:
  • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
  • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
  • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test takes effect at 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2010.
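The Python snippet below is an added illustration of the combination rule just described (periodic ranges with the same name ORed, then ANDed with the absolute range); it is not Huawei code. It builds the three ranges named test from the scenario above, maps the days keywords (0 to 6 with 0 as Sunday, day names, daily, off-day, working-day) onto Python weekdays, and evaluates whether a given instant falls inside the combined range. The class names, parse_days and the assumption that several absolute ranges under one name are also ANDed are the example's own.

```python
"""Evaluation of a time-range name built from several ranges (added illustration, not Huawei code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# days keywords mapped to Python weekday() numbers (Monday = 0 .. Sunday = 6);
# note that the command itself numbers Sunday as 0.
DAY_SETS = {
    "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6},
    "daily": {0, 1, 2, 3, 4, 5, 6},
}
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_days(tokens) -> set[int]:
    """Accept 0-6 (0 = Sunday), day names and the daily/off-day/working-day keywords."""
    days = set()
    for token in tokens:
        token = str(token).lower()
        if token.isdigit():
            days.add((int(token) + 6) % 7)     # 0 (Sunday) -> 6, 1 (Monday) -> 0, ...
        elif token in DAY_SETS:
            days |= DAY_SETS[token]
        else:
            days.add(DAY_NAMES.index(token))  # raises ValueError for an unknown name
    return days


@dataclass(frozen=True)
class PeriodicRange:
    """start-time to end-time on the given days (relative/periodic time range)."""
    start: time
    end: time
    days: frozenset

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class AbsoluteRange:
    """from time1 date1 [ to time2 date2 ] (absolute time range)."""
    start: datetime
    end: datetime | None = None    # None: "to" omitted, open-ended

    def contains(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when <= self.end)


def time_range_active(ranges, when: datetime) -> bool:
    """Same-name periodic ranges are ORed; the result is ANDed with the absolute range.
    ASSUMPTION: several absolute ranges under one name are also ANDed."""
    periodic = [r for r in ranges if isinstance(r, PeriodicRange)]
    absolute = [r for r in ranges if isinstance(r, AbsoluteRange)]
    if periodic and not any(r.contains(when) for r in periodic):
        return False
    return all(r.contains(when) for r in absolute)


# The three ranges named test from the usage scenario above
TEST = [
    AbsoluteRange(datetime(2010, 1, 1, 0, 0), datetime(2010, 12, 31, 23, 59)),
    PeriodicRange(time(8, 0), time(18, 0), frozenset(parse_days(["working-day"]))),
    PeriodicRange(time(14, 0), time(18, 0), frozenset(parse_days(["off-day"]))),
]
```

With these three ranges, a Wednesday at 10:00 in 2010 is inside test, a Saturday at 10:00 is outside (the off-day range only starts at 14:00), and any instant in 2011 is outside because the absolute range no longer holds.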

Precautions

There may be a time difference of no more than 10 seconds between the configured time range and the time range that actually takes effect.

Example

# Set a time range named test that takes effect from 2010-01-01 00:00 to 2010-12-31 23:59.

<HUAWEI> system-view
[HUAWEI] time-range test from 0:0 2010/1/1 to 23:59 2010/12/31

# Set a time range named test that takes effect at 8:00-18:00 from Monday to Friday.

<HUAWEI> system-view
[HUAWEI] time-range test 8:00 to 18:00 working-day

# Set a time range named test that takes effect from 14:00 to 18:00 on every Saturday and Sunday.

<HUAWEI> system-view
[HUAWEI] time-range test 14:00 to 18:00 off-day
Updated: 2019-04-18

Document ID: EDOC1000178165
