rule (advanced ACL view)
Function
The rule command adds or modifies an advanced ACL rule.
The undo rule command deletes an advanced ACL rule.
By default, no advanced ACL rule is configured.
Format
When the Internet Control Message Protocol (ICMP) is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
When the Transmission Control Protocol (TCP) is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
When the User Datagram Protocol (UDP) is used, run:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
When the parameter protocol is specified as another protocol rather than TCP, UDP, or ICMP, run:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
When the IP protocol version is IPv4, run:
rule [ rule-id ] { deny | permit } ip [ destination { destination-address destination-wildcard | any } | source { source-address source-wildcard | any } | time-range time-name | [ dscp dscp | [ tos tos | precedence precedence ] * ] | fragment ] *
To delete an advanced ACL rule, run:
undo rule rule-id [ destination | destination-port | icmp-type | source | source-port | tcp-flag | time-range | dscp | tos | precedence | fragment ] *
Parameters

Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294.
deny | Denies the packets that match the rule. | -
permit | Permits the packets that match the rule. | -
icmp | Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified. | -
tcp | Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified. | -
udp | Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified. | -
protocol-number | Indicates the protocol type expressed by name or number. NOTE: Parameters in an ACL vary with the protocol type. The combination of source-port { eq port \| gt port \| lt port \| range port-start port-end } and destination-port { eq port \| gt port \| lt port \| range port-start port-end } is applicable to TCP and UDP only. | The value expressed by number is an integer that ranges from 1 to 255. The value expressed by name can be gre, icmp, igmp, ipinip, ospf, tcp, or udp. icmp, tcp, udp, gre, igmp, ipinip, and ospf correspond to 1, 6, 17, 47, 2, 4, and 89 respectively.
ip | Indicates that IPv4 packets of any protocol type can match the ACL rule. | -
destination { destination-address destination-wildcard \| any } | Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched. | destination-address: The value is in dotted decimal notation. destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit indicates that the corresponding address bit must match and a 1 bit indicates that the corresponding address bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.
icmp-type { icmp-name \| icmp-type icmp-code } | Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched. | icmp-type is an integer that ranges from 0 to 255. icmp-code is an integer that ranges from 0 to 255. NOTE: Table 24-80 lists the mapping between ICMP names and ICMP types and codes.
source { source-address source-wildcard \| any } | Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. | source-address: The value is in dotted decimal notation. source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to a binary number, a 0 bit indicates that the corresponding address bit must match and a 1 bit indicates that the corresponding address bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.
tcp-flag | Indicates the flags in the TCP packet header. One or more of the following flag keywords can be specified. | -
ack | Indicates the ACK flag (010000) in the TCP packet header. | -
fin | Indicates the FIN flag (000001) in the TCP packet header. | -
psh | Indicates the PSH flag (001000) in the TCP packet header. | -
rst | Indicates the RST flag (000100) in the TCP packet header. | -
syn | Indicates the SYN flag (000010) in the TCP packet header. | -
urg | Indicates the URG flag (100000) in the TCP packet header. | -
time-range time-name | Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. | The value is a string of 1 to 32 characters.
destination-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows: eq port matches the port equal to port; gt port matches ports greater than port; lt port matches ports less than port; range port-start port-end matches ports from port-start to port-end. | The value of port can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535 for eq port, gt port, and lt port alike. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.
source-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows: eq port matches the port equal to port; gt port matches ports greater than port; lt port matches ports less than port; range port-start port-end matches ports from port-start to port-end. | The value of port can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535 for eq port, gt port, and lt port alike. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.
dscp dscp | Specifies the value of a Differentiated Services Code Point (DSCP). NOTE: The dscp dscp and precedence precedence parameters cannot be set for the same rule. The dscp dscp and tos tos parameters cannot be set for the same rule. | The value is an integer or a name.
tos tos | Indicates that packets are filtered according to the Type of Service (ToS). | The value is an integer or a name. See the ToS name table below.
precedence precedence | Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value. | The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network.
fragment | Indicates that the rule is valid for all fragments. NOTE: On an AC6605 GE interface, this parameter indicates that the rule is valid only for non-initial fragments. | -
ToS name to value mapping (for tos tos):

ToS Name | Value | ToS Name | Value
---|---|---|---
normal | 0 | max-reliability | 2
min-monetary-cost | 1 | max-throughput | 4
min-delay | 8 | - | -
Table 24-80 Mapping between ICMP names and ICMP types and codes

icmp-name | icmp-type | icmp-code
---|---|---
Echo | 8 | 0
Echo-reply | 0 | 0
Parameter-problem | 12 | 0
Port-unreachable | 3 | 3
Protocol-unreachable | 3 | 2
Reassembly-timeout | 11 | 1
Source-quench | 4 | 0
Source-route-failed | 3 | 5
Timestamp-reply | 14 | 0
Timestamp-request | 13 | 0
Ttl-exceeded | 11 | 0
Fragmentneed-DFset | 3 | 4
Host-redirect | 5 | 1
Host-tos-redirect | 5 | 3
Host-unreachable | 3 | 1
Information-reply | 16 | 0
Information-request | 15 | 0
Net-redirect | 5 | 0
Net-tos-redirect | 5 | 2
Net-unreachable | 3 | 0
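To make the matching semantics in the parameter tables concrete (wildcard masks with discontinuous bits, the eq/gt/lt/range port operators, tcp-flag, icmp-type and the fragment keyword), here is an added Python evaluator. It is example code written for this page, not Huawei's implementation, and the names Packet, Rule, rule_matches, evaluate and build_acl_3001 are mine. The protocol numbers, TCP flag bit values and the ICMP name mappings are copied from the tables above; the ascending-rule-id first-match order, the reading of tcp-flag as "every listed flag must be set", and the treatment of non-initial fragments (no transport header to inspect, so port, flag and ICMP-type conditions cannot match them) are assumptions. build_acl_3001 reproduces the two ACL 3001 rules from the Example section with the IDs 5 and 10 that the default step would assign.

```python
"""Evaluator for the advanced-ACL matching semantics described on this page.
Constructed example, not Huawei code; see the lead-in for what is assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Protocol names and numbers from the protocol-number row of the table.
PROTO = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
# TCP flag bit values as listed for tcp-flag (urg 100000 ... fin 000001).
TCP_FLAGS = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
             "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}
# A subset of Table 24-80: icmp-name -> (icmp-type, icmp-code).
ICMP_NAMES = {"echo": (8, 0), "echo-reply": (0, 0), "port-unreachable": (3, 3),
              "host-unreachable": (3, 1), "ttl-exceeded": (11, 0)}


def ip_to_int(dotted: str) -> int:
    """Dotted decimal to a 32-bit integer; rejects malformed input."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match, 1 = ignored. The ignored bits
    need not be contiguous, which is why 0.0.0.172 is a legal wildcard."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def port_match(port: int, spec) -> bool:
    """spec: None (any port), ("eq", n), ("gt", n), ("lt", n) or ("range", lo, hi)."""
    if spec is None:
        return True
    ops = {"eq": lambda: port == spec[1], "gt": lambda: port > spec[1],
           "lt": lambda: port < spec[1], "range": lambda: spec[1] <= port <= spec[2]}
    return ops[spec[0]]()


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    non_initial_fragment: bool = False  # carries no transport header


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    proto: Optional[int] = None            # None means "ip": any IPv4 protocol
    src: Optional[Tuple[str, str]] = None  # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    sport: Optional[tuple] = None
    dport: Optional[tuple] = None
    tcp_flags: int = 0                     # every listed flag must be set (assumption)
    icmp: Optional[Tuple[int, int]] = None
    fragment: bool = False                 # AC6605 GE reading: non-initial fragments only


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.src and not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.fragment and not pkt.non_initial_fragment:
        return False
    needs_l4 = rule.sport or rule.dport or rule.tcp_flags or rule.icmp
    if needs_l4 and pkt.non_initial_fragment:
        return False  # nothing to inspect (assumption, see lead-in)
    if not port_match(pkt.sport, rule.sport) or not port_match(pkt.dport, rule.dport):
        return False
    if rule.tcp_flags and (pkt.tcp_flags & rule.tcp_flags) != rule.tcp_flags:
        return False
    if rule.icmp is not None and (pkt.icmp_type, pkt.icmp_code) != rule.icmp:
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First match in ascending rule-id order decides (assumed match order);
    returns (action, rule_id), with rule_id None when nothing matched."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return default, None


def build_acl_3001():
    """The two ACL 3001 rules from the Example section, numbered 5 and 10 as
    the default step of 5 would number them."""
    return [
        Rule(5, "permit", None, src=("10.9.0.0", "0.0.255.255"), dst=("10.38.160.0", "0.0.0.255")),
        Rule(10, "permit", PROTO["udp"], src=("10.9.8.0", "0.0.0.255"),
             dst=("10.38.160.0", "0.0.0.255"), dport=("eq", 128)),
    ]
```

Running evaluate over build_acl_3001 shows a point worth checking in any ACL review: rule 5 permits every IPv4 packet from 10.9.0.0/16 to 10.38.160.0/24, so the more specific UDP rule 10 can never be the first match and is dead configuration. The rule IDs to look at when auditing an existing ACL are the ones shown by the display acl command mentioned in the Precautions.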
Usage Guidelines
Usage Scenario
An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.
By specifying a time range in the rule command, you can flexibly control when an ACL rule takes effect.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.
When you use the undo rule command to delete an ACL rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl command to view the rule ID.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. Exercise caution when you run the undo rule command.
The fragment parameter cannot be configured together with source-port, destination-port, icmp-type, or tcp-flag; the device reports an error if you try.
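The precautions above and the value columns of the parameter table amount to a set of checks that can be run on candidate rule lines before they are pasted into the device. The following linter is an added example, not Huawei's parser (which may be stricter in places); the functions parse_rule and lint are mine. It tokenises a rule line according to the Format section and reports the violations this page documents: the rule-id range, protocol name or 1 to 255, ports only with TCP or UDP, tcp-flag only with TCP, icmp-type only with ICMP, fragment not combined with the four transport-level options, dscp not combined with tos or precedence, port numbers 0 to 65535, precedence 0 to 7 or a name, and time-range names of 1 to 32 characters.

```python
"""Linter for advanced-ACL rule lines, encoding the constraints this page states.
Constructed example, not Huawei code; the device's own parser may be stricter."""
PROTO_NAMES = {"gre": 47, "icmp": 1, "igmp": 2, "ipinip": 4, "ospf": 89, "tcp": 6, "udp": 17}
PRECEDENCE_NAMES = {"routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"}
TCP_FLAG_NAMES = {"ack", "fin", "psh", "rst", "syn", "urg"}
PORT_KEYS = {"source-port", "destination-port"}
FRAGMENT_CONFLICTS = PORT_KEYS | {"icmp-type", "tcp-flag"}  # from the Precautions section


def parse_rule(line):
    """Split 'rule [id] {deny|permit} proto options...' into (rule_id, action,
    proto, opts); opts maps each keyword to its argument tuple."""
    t = line.split()
    if len(t) < 3 or t[0] != "rule":
        raise ValueError("expected: rule [rule-id] { deny | permit } protocol ...")
    pos, rule_id = 1, None
    if t[pos].isdigit():
        rule_id, pos = int(t[pos]), pos + 1
    if pos + 1 >= len(t) or t[pos] not in ("deny", "permit"):
        raise ValueError("expected deny or permit followed by a protocol")
    action, proto, pos = t[pos], t[pos + 1], pos + 2
    opts = {}

    def take(n):  # consume the n argument tokens that follow the current keyword
        nonlocal pos
        if pos + n > len(t):
            raise ValueError(f"missing argument after {key!r}")
        args, pos = tuple(t[pos:pos + n]), pos + n
        return args

    while pos < len(t):
        key, pos = t[pos], pos + 1
        nxt = t[pos] if pos < len(t) else ""
        if key == "fragment":
            opts[key] = ()
        elif key in ("source", "destination"):
            opts[key] = take(1 if nxt == "any" else 2)
        elif key in PORT_KEYS:
            opts[key] = take(3 if nxt == "range" else 2)
        elif key == "icmp-type":
            opts[key] = take(2 if nxt.isdigit() else 1)
        elif key == "tcp-flag":
            end = pos
            while end < len(t) and t[end] in TCP_FLAG_NAMES:
                end += 1
            opts[key] = take(end - pos)
        elif key in ("time-range", "dscp", "tos", "precedence"):
            opts[key] = take(1)
        else:
            raise ValueError(f"unknown keyword {key!r}")
    return rule_id, action, proto, opts


def lint(line):
    """Return the constraint violations for one rule line; [] means clean."""
    try:
        rule_id, _, proto, opts = parse_rule(line)
    except ValueError as exc:
        return [str(exc)]
    errs = []
    if rule_id is not None and rule_id > 4294967294:
        errs.append("rule-id must be 0..4294967294")
    pnum = PROTO_NAMES.get(proto, int(proto) if proto.isdigit() else None)
    if proto != "ip" and (pnum is None or not 1 <= pnum <= 255):
        errs.append(f"protocol must be ip, a protocol name or 1..255, got {proto!r}")
    if opts.keys() & PORT_KEYS and pnum not in (6, 17):
        errs.append("source-port/destination-port apply to TCP and UDP only")
    if "tcp-flag" in opts and pnum != 6:
        errs.append("tcp-flag applies to TCP only")
    if "tcp-flag" in opts and not opts["tcp-flag"]:
        errs.append("tcp-flag needs at least one of ack fin psh rst syn urg")
    if "icmp-type" in opts and pnum != 1:
        errs.append("icmp-type applies to ICMP only")
    if "fragment" in opts and opts.keys() & FRAGMENT_CONFLICTS:
        errs.append("fragment cannot be combined with source-port, destination-port, icmp-type or tcp-flag")
    if "dscp" in opts and opts.keys() & {"tos", "precedence"}:
        errs.append("dscp cannot be set together with tos or precedence")
    for key in sorted(opts.keys() & PORT_KEYS):
        op, args = opts[key][0], opts[key][1:]
        if op not in ("eq", "gt", "lt", "range"):
            errs.append(f"{key}: operator must be eq, gt, lt or range")
        nums = [int(a) for a in args if a.isdigit()]  # port names are allowed too
        if any(n > 65535 for n in nums):
            errs.append(f"{key}: port numbers must be 0..65535")
        if op == "range" and len(nums) == 2 and nums[0] > nums[1]:
            errs.append(f"{key}: port-start must not exceed port-end")
    if "precedence" in opts:
        v = opts["precedence"][0]
        if not (v in PRECEDENCE_NAMES or (v.isdigit() and int(v) <= 7)):
            errs.append("precedence must be 0..7 or a precedence name")
    if "time-range" in opts and not 1 <= len(opts["time-range"][0]) <= 32:
        errs.append("time-range name must be 1 to 32 characters")
    return errs
```

Feed lint one rule line at a time, for instance each line of an ACL block taken from a configuration file under review; an empty list means the line violates none of the documented constraints. The checker does not verify that a rule-id exists before an undo rule, which only the device (via display acl) can answer.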
Example
# Add a rule to ACL 3000 to filter ICMP packets.
```
<AC6605> system-view
[AC6605] acl 3000
[AC6605-acl-adv-3000] rule 1 permit icmp
```
# Delete the rule that filters ICMP packets from ACL 3000.
```
<AC6605> system-view
[AC6605] acl 3000
[AC6605-acl-adv-3000] undo rule 1
```
# Add a rule to ACL 3000 to filter IGMP packets.
```
<AC6605> system-view
[AC6605] acl 3000
[AC6605-acl-adv-3000] rule 2 permit igmp
```
# Add a rule to ACL 3000 to filter packets with DSCP priorities.
```
<AC6605> system-view
[AC6605] acl 3000
[AC6605-acl-adv-3000] rule 3 permit ip dscp cs1
```
# Add a rule to ACL 3001 to filter all the IP packets sent from hosts at 10.9.0.0 to hosts at 10.38.160.0.
```
<AC6605> system-view
[AC6605] acl 3001
[AC6605-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255
```
# Add a rule to ACL 3001 to filter the UDP packets with destination port 128 sent from 10.9.8.0 to 10.38.160.0.
```
<AC6605> system-view
[AC6605] acl 3001
[AC6605-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
```