ACL Configuration Commands
The SA cards of S series do not support user ACL.
- Command Support
- acl ip-pool
- acl ipv6 ip-pool
- acl ipv6 name
- acl ipv6 (system view)
- acl name
- acl (system view)
- acl threshold-alarm
- assign acl-mode
- description
- display acl
- display acl ip-pool
- display acl ipv6 ip-pool
- display acl ipv6
- display acl resource
- display snmp-agent trap feature-name acle all
- display time-range
- ip address (ACL IP address pool view)
- ipv6 address (ACL IPv6 address pool view)
- reset acl counter
- reset acl ipv6 counter
- rule (advanced ACL view)
- rule (advanced ACL6 view)
- rule (basic ACL view)
- rule (basic ACL6 view)
- rule (layer 2 ACL view)
- rule (user-defined ACL view)
- rule (user ACL view)
- rule description
- snmp-agent trap enable feature-name acle
- step
- time-range
acl ip-pool
Function
The acl ip-pool command creates an ACL IP address pool and enters the ACL IP address pool view.
The undo acl ip-pool command deletes an ACL IP address pool.
By default, no ACL IP address pool has been created on the device.
Usage Guidelines
Usage Scenario
An ACL IP address pool applies when policy-based routing (PBR) is used to redirect packets to multiple next hops. An ACL IP address pool can be invoked by the redirect ip-multihop command to redirect packets to the next hop specified by the ACL IP address pool.
Follow-up Procedure
Run the ip address (ACL IP address pool view) command once for each IP address to be added to the pool.
Precautions
The switch supports a maximum of 12 ACL IP address pools. Each ACL IP address pool supports a maximum of 64 IP addresses.
When PBR is used to redirect packets to multiple next hops and the device has no ARP entry matching a specified next hop IP address, the redirection does not take effect: the device keeps forwarding the packets along the original path until the ARP entry for that next hop is generated. Run the display acl ip-pool command to check whether each next hop IP address specified in the ACL IP address pool has taken effect.
acl ipv6 ip-pool
Function
The acl ipv6 ip-pool command creates an ACL IPv6 address pool and enters the ACL IPv6 address pool view.
The undo acl ipv6 ip-pool command deletes an ACL IPv6 address pool.
By default, no ACL IPv6 address pool has been created on the device.
Usage Guidelines
Usage Scenario
An ACL IPv6 address pool applies when policy-based routing (PBR) is used to redirect packets to multiple next hops. An ACL IPv6 address pool can be invoked by the redirect ipv6-multihop command to redirect packets to the next hop specified by the ACL IPv6 address pool.
Follow-up Procedure
Run the ipv6 address (ACL IPv6 address pool view) command multiple times to specify multiple IPv6 addresses.
Precautions
The switch supports a maximum of 12 ACL IPv6 address pools. Each ACL IPv6 address pool supports a maximum of 64 IPv6 addresses.
When PBR is used to redirect packets to multiple next hops and the device has no neighbor entry matching a specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, packets are forwarded along the original path and the redirection does not take effect. Run the display acl ipv6 ip-pool command to check whether each next hop IPv6 address specified in the ACL IPv6 address pool has taken effect.
acl ipv6 name
Function
The acl ipv6 name command creates a named ACL6 and enters the ACL6 view.
The undo acl ipv6 name command deletes a named ACL6.
By default, no named ACL6 is created.
Format
acl ipv6 name acl6-name [ advance | basic | acl6-number ] [ match-order { auto | config } ]
undo acl ipv6 name acl6-name
Parameters
Usage Guidelines
Usage Scenario
An ACL6 is a set of rules composed of permit or deny clauses. ACL6s are mainly used in QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
Follow-up Procedure
Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.
Precautions
- If only the type of a named ACL6 is specified, the Switch allocates the maximum number available for that ACL6 type.
- If neither the number nor the type of a named ACL6 is specified, the Switch treats the named ACL6 as an advanced ACL6 and allocates the maximum number available for advanced ACL6s.
After you create a named ACL6 by using the acl ipv6 name command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 name acl6-name or undo acl ipv6 acl6-number command to delete the ACL6.
When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Therefore, before deleting an ACL6, ensure that the ACL6 is not in use.
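The allocation rules above determine which number a named ACL6 ends up with, and that number is what other services and the display commands refer to. The following model is an added example, not device code from this page or from Huawei; it encodes the ranges this page gives (basic ACL6 2000 to 2999, advanced ACL6 3000 to 3999), the default to advanced, and the no-reuse rule. One assumption is made and labelled: "the maximum value" is read as the highest number in the type's range that is not yet in use, so successive named advanced ACL6s receive 3999, 3998, and so on.

```python
"""Model of named-ACL6 number allocation (added example, not device code)."""
from typing import Dict, Optional

# Ranges as documented on this page. Assumption: allocation walks down from the
# top of the range and skips numbers already held by numbered or named ACL6s.
ACL6_RANGES = {"basic": (2000, 2999), "advance": (3000, 3999)}


class Acl6Numbering:
    def __init__(self) -> None:
        # number -> name; a numbered ACL6 is stored with name None
        self.in_use: Dict[int, Optional[str]] = {}

    def type_of(self, number: int) -> str:
        """Return the ACL6 type implied by a number, or fail if out of range."""
        for acl_type, (lo, hi) in ACL6_RANGES.items():
            if lo <= number <= hi:
                return acl_type
        raise ValueError(f"{number} is outside the ACL6 range 2000-3999")

    def create_numbered(self, number: int) -> int:
        """acl ipv6 <number>: explicit number, must be free and in range."""
        self.type_of(number)
        if number in self.in_use:
            raise ValueError(f"ACL6 {number} already exists")
        self.in_use[number] = None
        return number

    def create_named(self, name: str, acl_type: Optional[str] = None,
                     number: Optional[int] = None) -> int:
        """acl ipv6 name <name> [ advance | basic | <number> ]."""
        if name in self.in_use.values():
            raise ValueError(f"named ACL6 {name!r} already exists")
        if number is not None:
            self.type_of(number)  # the type is implied by the number's range
            if number in self.in_use:
                raise ValueError(f"ACL6 {number} already exists")
            self.in_use[number] = name
            return number
        acl_type = acl_type or "advance"  # no type and no number: advanced
        lo, hi = ACL6_RANGES[acl_type]
        for candidate in range(hi, lo - 1, -1):  # highest free number first
            if candidate not in self.in_use:
                self.in_use[candidate] = name
                return candidate
        raise RuntimeError(f"no free {acl_type} ACL6 number left")
```

Running the model with a first named ACL6 reproduces the "Advanced ACL test 3999" line shown later in this reference under display acl; a numbered ACL6 created in between is skipped by the next named one.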
acl ipv6 (system view)
Function
The acl ipv6 command creates a numbered ACL6 and enters the ACL6 view.
The undo acl ipv6 command deletes a numbered ACL6.
By default, no numbered ACL6 is created.
Format
acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]
undo acl ipv6 { all | [ number ] acl6-number }
Parameters
Parameter | Description | Value |
---|---|---|
number | Indicates that the value that follows is an ACL6 number. | - |
acl6-number | Specifies an ACL6 number. | The value is an integer that ranges from 2000 to 3999. |
match-order { auto | config } | Indicates the matching order of ACL6 rules. The rule ID of an ACL6 rule does not indicate the rule's priority; it only identifies the rule and remains unchanged when the match order is switched between auto and config. If match-order is not specified when the ACL6 is created, the default match order config is used. | - |
all | Indicates that all the configured ACL6s are deleted. | - |
Usage Guidelines
Usage Scenario
An ACL6 is a set of rules composed of permit or deny clauses. ACL6 rules can be referenced by modules. ACL6s are applicable to QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
Follow-up Procedure
Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.
Precautions
After you create a numbered ACL6 using the acl ipv6 command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 acl6-number command to delete the ACL6.
When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Before deleting an ACL6, ensure that the ACL6 is not in use.
All ACL6s can be deleted on the device in one go, but this method is not recommended.
acl name
Function
The acl name command creates a named ACL and enters the ACL view.
The undo acl name command deletes a named ACL.
By default, no ACL is created.
Format
acl name acl-name [ advance | basic | link | ucl | user | acl-number ] [ match-order { auto | config } ]
undo acl name acl-name
Parameters
Usage Guidelines
Usage Scenario
An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:
Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.
Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.
Follow-up Procedure
Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.
Precautions
After you create a named ACL by using the acl name command, the ACL still exists even if you exit from the ACL view. You must run the undo acl name acl-name or undo acl acl-number command to delete the ACL.
When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
The device automatically allocates a number to a named ACL that is created without a number. The number depends on what was specified:
- If only the type of the named ACL is specified, the device allocates the maximum number available for that ACL type.
- If neither the number nor the type is specified, the device treats the named ACL as an advanced ACL and allocates the maximum number available for advanced ACLs.
The Switch never allocates the same number to two named ACLs.
acl (system view)
Function
The acl command creates an ACL with the specified number and enters the ACL view.
The undo acl command deletes a specified ACL.
By default, no ACL is created.
Format
acl [ number ] acl-number [ match-order { auto | config } ]
undo acl { [ number ] acl-number | all }
Parameters
Parameter | Description | Value |
---|---|---|
number | Specifies the number that identifies an ACL. | - |
acl-number | Specifies the number of an ACL. | The value is an integer. |
match-order { auto | config } | Indicates the matching order of ACL rules. If the match-order parameter is not specified when you create an ACL, the default match order config is used. | - |
all | Indicates that all ACLs are deleted. | - |
Usage Guidelines
Usage Scenario
An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:
Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.
Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.
Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.
Follow-up Procedure
Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.
Precautions
- After you create an ACL using the acl command, the ACL still exists even if you exit from the ACL view. You must run the undo acl acl-number command to delete the ACL.
- When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
- You are advised not to delete all ACLs because this operation may cause a service interruption.
acl threshold-alarm
Function
The acl threshold-alarm command configures the alarm threshold percentage of ACL resource usage.
The undo acl threshold-alarm command restores the default alarm threshold percentage of ACL resource usage.
By default, the lower alarm threshold percentage is 70, and the upper alarm threshold percentage is 80.
Format
acl threshold-alarm { upper-limit upper-limit | lower-limit lower-limit } *
undo acl threshold-alarm
Parameters
Parameter | Description | Value |
---|---|---|
upper-limit upper-limit | Indicates the upper alarm threshold percentage of ACL resource usage. | The value is an integer that ranges from 1 to 100. |
lower-limit lower-limit | Indicates the lower alarm threshold percentage of ACL resource usage. | The value is an integer that ranges from 1 to 100. |
Usage Guidelines
Usage Scenario
After the device runs ACL or ACL6 services for a period, the running ACL or ACL6 services occupy ACL resources. You can run the acl threshold-alarm command to set the alarm threshold percentage of ACL resources.
The ACL resource usage is the ratio of existing ACL entries to the maximum number of ACL entries the device supports. When the usage reaches or exceeds the upper threshold, the device generates an alarm. When the usage falls back to or below the lower threshold, the device generates a clear alarm. The gap between the two thresholds prevents the alarm from flapping while usage hovers around a single limit.
Precautions
If you run the acl threshold-alarm command multiple times, only the latest configuration takes effect.
The upper threshold must be greater than or equal to the lower threshold.
assign acl-mode
Function
The assign acl-mode command sets the ACL resource allocation mode on an interface card.
The undo assign acl-mode command restores the default ACL resource allocation mode on an interface card.
By default, the ACL resource allocation mode is dual-ipv4-ipv6.
Only the X1E, X5H, X2E, and X2H series cards support this command.
X2E and X2H series cards support this command only after the resource mode is set to mac-acl using the assign resource-mode command.
Format
assign acl-mode slot slot-id mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 }
undo assign acl-mode slot slot-id
The X5H series cards only support dual-ipv4-ipv6 and l2-ipv4.
Parameters
Parameter | Description | Value |
---|---|---|
mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 } | Specifies an ACL resource allocation mode. | - |
slot slot-id | Specifies the slot ID of an interface card. | The value is an integer. The value range depends on the device configuration. |
Usage Guidelines
If the default number of ACLs for IPv4, IPv6, or Layer 2 services cannot meet service requirements, you can change the ACL resource allocation mode to increase the number of ACLs for the services.
You can use this command to change the ACL resource allocation mode according to service changes on a device. Before making any change, consider the advantages and disadvantages of the change. For example, if the ACL resource allocation mode is changed from dual-ipv4-ipv6 to ipv4, more ACLs are supported for IPv4 services, but the number of ACLs for IPv6 and VLAN services reduces to 0.
Changes to the ACL resource allocation mode take effect only after the interface card is reset.
After the ACL resource allocation mode is set for a card in a slot, the mode will be deleted if the card is replaced by another one that does not support the ACL resource allocation mode.
Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2 + IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2 + IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
---|---|---|---|---|---|---|
dual-ipv4-ipv6 | 20K | 20K | 8K | 8K | 20K | 20K (IPv4) + 8K (IPv6) |
l2-ipv4 | 36K | 36K | 0 | 0 | 36K | 36K |
l2-ipv6 | 16K | 16K | 16K | 16K | 16K | 16K |
ipv4 | 64K | 0 | 0 | 0 | 0 | 64K |
l2 | 0 | 0 | 0 | 0 | 64K | 64K |
Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2 + IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2 + IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
---|---|---|---|---|---|---|
dual-ipv4-ipv6 | 38K | 38K | 16K | 16K | 38K | 38K (IPv4) + 16K (IPv6) |
l2-ipv4 | 70K | 70K | 0 | 0 | 70K | 70K |
l2-ipv6 | 32K | 32K | 32K | 32K | 32K | 32K |
ipv4 | 128K | 0 | 0 | 0 | 0 | 128K |
l2 | 0 | 0 | 0 | 0 | 128K | 128K |
Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2 + IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2 + IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
---|---|---|---|---|---|---|
dual-ipv4-ipv6 | 70K | 70K | 32K | 32K | 70K | 70K (IPv4) + 32K (IPv6) |
l2-ipv4 | 134K | 134K | 0 | 0 | 134K | 134K |
l2-ipv6 | 64K | 64K | 64K | 64K | 64K | 64K |
ipv4 | 256K | 0 | 0 | 0 | 0 | 256K |
l2 | 0 | 0 | 0 | 0 | 256K | 256K |
Resource Allocation Mode | Maximum Number of IPv4 ACLs | Maximum Number of Layer 2 + IPv4 ACLs | Maximum Number of IPv6 ACLs | Maximum Number of Layer 2 + IPv6 ACLs | Maximum Number of Layer 2 ACLs | Total Number of ACLs |
---|---|---|---|---|---|---|
dual-ipv4-ipv6 | 32K | 32K | 8K | 8K | 32K | 32K (IPv4) + 8K (IPv6) |
l2-ipv4 | 64K | 64K | 0 | 0 | 64K | 64K |
The services not included in the table are supported in all modes.
Resource Allocation Mode | dual-ipv4-ipv6 | l2-ipv4 | l2-ipv6 | l2 | ipv4 |
---|---|---|---|---|---|
IPSG (IPv4) | Y | Y | Y | N | N |
IPSG (IPv6) | Y | N | Y | N | N |
Service Chain | Y | Y | N | N | N |
Free mobility | Y | Y | N | N | N |
RADIUS authorization | Y | Y | N | N | N |
Authentication free rules | Y | Y | N | N | N |
User group | Y | Y | N | N | N |
Portal authentication | Y | Y | N | N | N |
802.1X-based fast deployment | Y | Y | N | N | N |
NQA | Y | Y | Y | N | N |
Packet capturing | Y | Y | Y | N | N |
All-0 MAC address alarm | Y | Y | Y | Y | N |
Global blackhole MAC address entry | Y | Y | Y | Y | N |
MAC Swap loopback test | Y | Y | Y | N | N |
description
Function
The description command configures the description of an ACL or ACL6.
The undo description command deletes the description of an ACL or ACL6.
By default, no description is configured for an ACL or ACL6.
Usage Guidelines
Usage Scenario
The description command configures the description of an ACL or ACL6, for example, the usage or application scenario of the ACL. It is used to differentiate ACLs.
Prerequisites
The ACL or ACL6 to be described has been created.
Configuration Impact
If you run the description command multiple times in the same ACL view or ACL6 view, only the latest configuration takes effect.
Example
# Configure the description of ACL 2100.
<HUAWEI> system-view
[HUAWEI] acl 2100
[HUAWEI-acl-basic-2100] description This acl is used in QoS policy
[HUAWEI-acl-basic-2100] display acl 2100
Basic ACL 2100, 0 rule
This acl is used in QoS policy
Acl's step is 5
# Configure the description of ACL6 3100.
<HUAWEI> system-view
[HUAWEI] acl ipv6 3100
[HUAWEI-acl6-adv-3100] description This acl is used in QoS policy
[HUAWEI-acl6-adv-3100] display acl ipv6 3100
Advanced IPv6 ACL 3100, 0 rule
This acl is used in QoS policy
display acl
Parameters
Parameter | Description | Value |
---|---|---|
acl-number | Specifies the number of an ACL. | The value is an integer.
|
name acl-name | Specifies the name of an ACL. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
all | Indicates all ACLs. | - |
Example
# Display configuration about the ACL named test.
<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
rule 5 permit ip destination 10.10.10.1 0
# Display the ACL configuration.
<HUAWEI> display acl all
Total nonempty ACL number is 1
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip dscp cs1
Item | Description |
---|---|
Advanced ACL test 3999, 1 rule, match-order is auto | Advanced ACL 3999 named test that matches in the automatic order and contains one rule. |
Acl's step is 5 | The ACL's step is 5. To set the step between ACL rule IDs, run the step command. |
rule 5 permit ip destination 10.10.10.1 0 | Rule 5 permits IP packets whose destination IP address is 10.10.10.1 (wildcard 0, that is, exactly that host). To modify an advanced ACL rule, run the rule (advanced ACL view) command. |
Total nonempty ACL number is 1 | One ACL contains rules. |
Advanced ACL 3000, 1 rule | Advanced ACL 3000 contains one rule. |
rule 5 permit ip dscp cs1 | Rule 5 permits IP packets whose DSCP value is cs1, regardless of their source or destination address. To modify an advanced ACL rule, run the rule (advanced ACL view) command. |
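The two outputs above are the raw material for an ACL audit: the header line carries the type, name, number, rule count and match order, and each rule line carries the rule ID, action and match fields. The parser below is an added example, not code from this page or from Huawei. It reads display acl all output (the sample is constructed from the two outputs shown above) and flags permit rules that name neither a source nor a destination. That heuristic is this example's own: such a rule is harmless in a QoS classifier like ACL 3000 but deserves a second look when the ACL is applied as a packet filter, because it matches traffic from anywhere to anywhere.

```python
"""Parse `display acl all` output and flag unconstrained permit rules.

Added example, not device code. SAMPLE_DISPLAY_ACL is constructed from the
two outputs shown on this page.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_DISPLAY_ACL = """\
Total nonempty ACL number is 2
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
rule 5 permit ip destination 10.10.10.1 0
Advanced ACL 3000, 1 rule
This acl is used in QoS policy
Acl's step is 5
rule 5 permit ip dscp cs1
"""

# "Advanced ACL test 3999, 1 rule, match-order is auto" / "Advanced ACL 3000, 1 rule"
_HEADER = re.compile(
    r"^(?P<type>Basic|Advanced) ACL (?:(?P<name>\S+) )?(?P<number>\d+), "
    r"(?P<count>\d+) rules?(?:, match-order is (?P<order>auto|config))?$"
)
_STEP = re.compile(r"^Acl's step is (?P<step>\d+)$")
_RULE = re.compile(r"^rule (?P<id>\d+) (?P<action>permit|deny)(?P<body>.*)$")


def parse_display_acl(text: str) -> List[Dict]:
    """Return one dict per ACL: type, name, number, match order, step, rules."""
    acls: List[Dict] = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            acls.append({
                "type": m["type"].lower(),
                "name": m["name"],                 # None for a numbered ACL
                "number": int(m["number"]),
                "declared_rules": int(m["count"]),
                # the display shows the match order only when it is auto;
                # config is the documented default
                "match_order": m["order"] or "config",
                "step": None,
                "rules": [],
            })
            continue
        if not acls:
            continue  # the "Total nonempty ..." summary precedes the first ACL
        m = _STEP.match(line)
        if m:
            acls[-1]["step"] = int(m["step"])
            continue
        m = _RULE.match(line)
        if m:
            acls[-1]["rules"].append({
                "id": int(m["id"]),
                "action": m["action"],
                "body": m["body"].split(),
            })
        # any other line (for example a description) is not part of the model
    for acl in acls:
        if len(acl["rules"]) != acl["declared_rules"]:
            raise ValueError(
                f"ACL {acl['number']}: header declares {acl['declared_rules']} "
                f"rules, parsed {len(acl['rules'])}")
    return acls


def find_unconstrained_permits(acls: List[Dict]) -> List[Tuple[int, int]]:
    """(acl number, rule id) for permit rules with no source/destination field."""
    hits = []
    for acl in acls:
        for rule in acl["rules"]:
            if rule["action"] == "permit" and not (
                    {"source", "destination"} & set(rule["body"])):
                hits.append((acl["number"], rule["id"]))
    return hits
```

The rule-count cross-check against the header catches truncated captures, which matter in practice: an audit run over a paged or cut-off terminal log would otherwise silently miss rules.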
display acl ip-pool
Function
The display acl ip-pool command displays the configuration and status of an ACL IP address pool.
Parameters
Parameter | Description | Value |
---|---|---|
acl-ip-pool-name | Specifies the name of the ACL IP address pool that you want to check. | The ACL IP address pool name must exist. |
multihop-status | Displays the status of the next hop IP addresses specified in the ACL IP address pool. | - |
vpn-instance vpn-instance-name | Displays the ACL IP address pool of a specified VPN instance. | The VPN instance name must exist. |
Usage Guidelines
After an ACL IP address pool is configured, you can run the display acl ip-pool command to check the configuration of the ACL IP address pool and whether the next hop IP address takes effect.
When PBR is used to redirect packets to multiple next hops and the device has no ARP entry matching a specified next hop IP address, the redirection does not take effect: the device keeps forwarding the packets along the original path until the ARP entry for that next hop is generated. Run the display acl ip-pool command to check whether each next hop IP address specified in the ACL IP address pool has taken effect.
Example
# Display the configuration and status of the ACL IP address pool named abc.
<HUAWEI> display acl ip-pool abc multihop-status
-----------------------------------------------------------------------------------------
IP Address NQA AdminName NQA TestName Status
-----------------------------------------------------------------------------------------
10.3.3.3 -- -- invalid
192.168.200.1 user test valid
192.168.150.1 user test valid
-----------------------------------------------------------------------------------------
Total: 3
Item | Description |
---|---|
IP Address | IP address in the ACL IP address pool. |
NQA AdminName | Administrator of the NQA test instance associated with the address. |
NQA TestName | Name of the NQA test instance. |
Status | Status of the next hop IP address. NOTE: When associating NQA with a next hop IP address configured using the ip address (ACL IP address pool view) command in an ACL IP address pool, ensure that the NQA test instance has been correctly configured and started. Otherwise, the Status field does not reflect the real state of the next hop and cannot be used to determine whether the next hop IP address takes effect. |
display acl ipv6 ip-pool
Function
The display acl ipv6 ip-pool command displays the configuration and status of an ACL IPv6 address pool.
Format
display acl ipv6 ip-pool acl-ipv6-pool-name [ multihop-status [ vpn-instance vpn-instance-name ] ]
Parameters
Parameter | Description | Value |
---|---|---|
acl-ipv6-pool-name | Specifies the name of the ACL IPv6 address pool that you want to check. | The ACL IPv6 address pool name must exist. |
multihop-status | Displays the status of the next hop IPv6 addresses specified in the ACL IPv6 address pool. | - |
vpn-instance vpn-instance-name | Displays the ACL IPv6 address pool of a specified VPN instance. | The VPN instance name must exist. |
Usage Guidelines
After an ACL IPv6 address pool is configured, you can run the display acl ipv6 ip-pool command to check the configuration of the ACL IPv6 address pool and whether the next hop IPv6 address takes effect.
When PBR is used to redirect packets to multiple next hops and the device has no neighbor entry matching a specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, packets are forwarded along the original path and the redirection does not take effect. Run the display acl ipv6 ip-pool command to check whether each next hop IPv6 address specified in the ACL IPv6 address pool has taken effect.
Example
# Display the configuration and status of the ACL IPv6 address pool named abc.
<HUAWEI> display acl ipv6 ip-pool abc multihop-status
-----------------------------------------------------------------------------------------------------------------
IPv6 Address NQA AdminName NQA TestName Status
-----------------------------------------------------------------------------------------------------------------
2001:DB8::1 -- -- invalid
2001:DB8::2 -- -- invalid
-----------------------------------------------------------------------------------------------------------------
Total: 2
Item | Description |
---|---|
IPv6 Address | IPv6 address in the ACL IPv6 address pool. |
NQA AdminName | Administrator of the NQA test instance associated with the address. |
NQA TestName | Name of the NQA test instance. |
Status | Status of the next hop IPv6 address. NOTE: When associating NQA with a next hop IPv6 address configured using the ipv6 address (ACL IPv6 address pool view) command in an ACL IPv6 address pool, ensure that the NQA test instance has been correctly configured and started. Otherwise, the Status field does not reflect the real state of the next hop and cannot be used to determine whether the next hop IPv6 address takes effect. |
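A next hop that shows invalid in display acl ip-pool or display acl ipv6 ip-pool is the failure mode both sections warn about: the redirect is configured, but matched traffic silently takes its original path. That is worth checking from a script rather than by eye when the pool feeds a redirect toward an inspection or logging device. The parser below is an added example, not code from this page or from Huawei; it handles both the IPv4 and the IPv6 output shapes shown above (the samples are constructed copies of those outputs) and cross-checks the row count against the Total line.

```python
"""List next hops in an ACL IP/IPv6 address pool that PBR cannot redirect to.

Added example, not device code. Both samples are constructed from the
multihop-status outputs shown on this page.
"""
import ipaddress
from typing import Dict, List

SAMPLE_IPV4 = """\
<HUAWEI> display acl ip-pool abc multihop-status
-----------------------------------------------------------------------------------------
IP Address                 NQA AdminName          NQA TestName         Status
-----------------------------------------------------------------------------------------
10.3.3.3                   --                     --                   invalid
192.168.200.1              user                   test                 valid
192.168.150.1              user                   test                 valid
-----------------------------------------------------------------------------------------
Total: 3
"""

SAMPLE_IPV6 = """\
<HUAWEI> display acl ipv6 ip-pool abc multihop-status
-----------------------------------------------------------------------------------------
IPv6 Address                 NQA AdminName          NQA TestName         Status
-----------------------------------------------------------------------------------------
2001:DB8::1                  --                     --                   invalid
2001:DB8::2                  --                     --                   invalid
-----------------------------------------------------------------------------------------
Total: 2
"""


def parse_multihop_status(text: str) -> List[Dict[str, object]]:
    """One dict per pool entry: address, IP version, NQA binding, status."""
    entries: List[Dict[str, object]] = []
    declared_total = None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "Total:":
            declared_total = int(tokens[1])
            continue
        if len(tokens) != 4:
            continue  # prompt, dashed rules and the column header
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # any other four-token line that is not a data row
        admin, test, status = tokens[1:]
        entries.append({
            "address": str(addr),           # normalised (IPv6 is lower-cased)
            "version": addr.version,
            "nqa": None if admin == "--" else (admin, test),
            "status": status,
        })
    if declared_total is not None and declared_total != len(entries):
        raise ValueError(
            f"parsed {len(entries)} rows but the device reported Total: {declared_total}")
    return entries


def unreachable_next_hops(entries: List[Dict[str, object]]) -> List[str]:
    """Next hops the device will not redirect to right now."""
    return [str(e["address"]) for e in entries if e["status"] != "valid"]


def untracked_next_hops(entries: List[Dict[str, object]]) -> List[str]:
    """Next hops with no NQA test bound. Reading of this page's text: their
    status reflects only the ARP or neighbor entry, so a host that answers ARP
    but has lost its onward path still shows as valid."""
    return [str(e["address"]) for e in entries if e["nqa"] is None]
```

Feeding the IPv4 sample through the two checks yields 10.3.3.3 on both lists: it is the only next hop without an ARP entry and also the only one whose health no NQA instance would ever report.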
display acl ipv6
Parameters
Parameter | Description | Value |
---|---|---|
acl6-number | Specifies an ACL6 number. | The value is an integer that ranges from 2000 to 3999. An ACL6 numbered 2000 to 2999 is a basic ACL6; an ACL6 numbered 3000 to 3999 is an advanced ACL6. |
name acl6-name | Displays the ACL6 with a specified name. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
all | Displays the configurations of all ACL6s. | - |
Example
# Display the configuration about the ACL6 with the number of 2000.
<HUAWEI> display acl ipv6 2000
Basic IPv6 ACL 2000, 2 rules
rule 1 permit source 4::/64
rule 0 deny source 3::/64
# Display the ACL6 configuration.
<HUAWEI> display acl ipv6 all
Total nonempty acl6 number is 1
Basic IPv6 ACL 2000, 2 rules
rule 1 permit source 4::/64
rule 0 deny source 3::/64
Item | Description |
---|---|
Total nonempty acl6 number is 1 | One ACL6 contains rules. |
Basic IPv6 ACL 2000, 2 rules | ACL6 2000, which is a basic ACL6 and has two rules. |
rule 0 deny source 3::/64 | ACL6 rule 0, which denies packets whose source IPv6 address is in 3::/64. To modify a basic ACL6 rule, run the rule (basic ACL6 view) command. |
rule 1 permit source 4::/64 | ACL6 rule 1, which permits packets whose source IPv6 address is in 4::/64. To modify a basic ACL6 rule, run the rule (basic ACL6 view) command. |
display acl resource
Usage Guidelines
- ACL entries: Each ACL entry stores an ACL rule.
- Meter/Car: a traffic control table used to limit the traffic rate. The meter/car must be used with ACL entries.
- Counter: a traffic counter table used to collect traffic statistics. The counter must be used with ACL entries.
If an ACL configuration fails to take effect, the ACL resources on the device may be exhausted. Run the display acl resource command to check whether ACL resources (for both ACL4 and ACL6) are still available.
Example
# Display information about ACL resources in slot 1 (an EC card is used as an example).
<HUAWEI> display acl resource slot 1
Slot 1
GigabitEthernet1/0/0 to GigabitEthernet1/0/23
                                 Used        Free       Total
----------------------------------------------------------------------------
VACL                               12        1012        1024
IACL Unallocated                    -           -        1024
IACL Allocated                      -           -        1024
IPv4 ACL                            1         255         256
Sec ACL                           284         228         512
EACL Unallocated                    -           -         512
EACL Allocated                      -           -           0
Ingress Meter                      29        2019        2048
Egress Meter                        0         512         512
Ingress Counter                   112        1936        2048
Egress Counter                      0         512         512
Ingress UDF                         7           1           8
----------------------------------------------------------------------------
# Display information about ACL resources on the LPU in slot 3 (an X1E card is used as an example).
<HUAWEI> display acl resource slot 3
Slot 3
XGigabitEthernet3/0/0 to XGigabitEthernet3/0/3
GigabitEthernet3/1/0 to GigabitEthernet3/1/23
Used Free Total
-----------------------------------------------------------------------------
ACL Unallocated - - 20480
ACL Allocated 147 365 511
Vlan ACL 1 - -
Sec ACL 146 - -
EXT Unallocated - - 8192
EXT Allocated 0 0 0
Car 260 32508 32768
Counter 144 65392 65536
-----------------------------------------------------------------------------
Item | Description |
---|---|
Slot | Slot ID. |
GigabitEthernet x/0/0 to GigabitEthernet x/0/y | Interfaces to which the listed ACL resources apply. |
Vlan ACL | Inbound ACL resources delivered before the Layer 2 forwarding process starts. |
Car | Traffic monitoring resources. |
Counter | Traffic statistics collection resources. |
Used | Number of used resources. |
Free | Number of free resources. |
Total | Total number of resources. |
ACL Unallocated | Unallocated common ACL resources. |
ACL Allocated | Allocated common ACL resources. |
EXT Unallocated | Unallocated extended ACL resources. |
EXT Allocated | Allocated extended ACL resources. |
VACL | Inbound ACL resources delivered before the Layer 2 forwarding process starts. |
IACL Unallocated | Unallocated inbound ACL resources. |
IACL Allocated | Allocated inbound ACL resources. |
EACL Unallocated | Unallocated outbound ACL resources. |
EACL Allocated | Allocated outbound ACL resources. |
Ingress Meter | Inbound rate limiting resources. |
Egress Meter | Outbound rate limiting resources. |
Ingress Counter | Inbound statistics collection resources. |
Egress Counter | Outbound statistics collection resources. |
Ingress UDF | Inbound user-defined ACL resources. |
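The acl threshold-alarm section earlier on this page describes the raise and clear semantics (alarm at or above the upper limit, clear at or below the lower limit), and this section shows the raw Used/Free/Total figures. The script below is an added example, not code from this page or from Huawei; it parses the X1E-style output (the sample is constructed from the slot 3 output above), turns each row into a usage percentage, and replays a sequence of usage values through the documented threshold behaviour. Two assumptions are labelled in the code: the per-row Used/Total ratio stands in for the device's own "existing entries over maximum entries" figure, and the event names are borrowed from the trap names this page lists under display snmp-agent trap feature-name acle all.

```python
"""Usage figures from `display acl resource` plus the threshold-alarm state machine.

Added example, not device code. SAMPLE_RESOURCE is constructed from the X1E
output shown on this page.
"""
import re
from typing import Dict, List, Optional

SAMPLE_RESOURCE = """\
Slot 3
XGigabitEthernet3/0/0 to XGigabitEthernet3/0/3
GigabitEthernet3/1/0 to GigabitEthernet3/1/23
                                 Used        Free       Total
-----------------------------------------------------------------------------
ACL Unallocated                     -           -       20480
ACL Allocated                     147         365         511
Vlan ACL                            1           -           -
Sec ACL                           146           -           -
EXT Unallocated                     -           -        8192
EXT Allocated                       0           0           0
Car                               260       32508       32768
Counter                           144       65392       65536
-----------------------------------------------------------------------------
"""

_CELL = re.compile(r"^(?:\d+|-)$")  # a Used/Free/Total cell is a number or '-'


def parse_acl_resource(text: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Map each resource row name to its Used/Free/Total ('-' becomes None)."""
    rows: Dict[str, Dict[str, Optional[int]]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not all(_CELL.match(t) for t in tokens[-3:]):
            continue  # slot line, interface ranges, column header, dashed rules
        name = " ".join(tokens[:-3])  # row names may contain spaces
        used, free, total = (None if t == "-" else int(t) for t in tokens[-3:])
        rows[name] = {"used": used, "free": free, "total": total}
    return rows


def usage_percent(rows: Dict[str, Dict[str, Optional[int]]], name: str) -> Optional[float]:
    """Used/Total as a percentage, or None when the row carries no total.

    Assumption: this per-row ratio approximates the device's own usage figure
    (existing ACL entries over the maximum supported), which it computes itself.
    """
    row = rows[name]
    if row["used"] is None or not row["total"]:
        return None
    return round(100.0 * row["used"] / row["total"], 2)


class AclThresholdAlarm:
    """Raise at usage >= upper-limit, clear at usage <= lower-limit (device defaults 80/70)."""

    def __init__(self, upper: int = 80, lower: int = 70) -> None:
        if not (1 <= lower <= upper <= 100):
            raise ValueError("thresholds must satisfy 1 <= lower <= upper <= 100")
        self.upper, self.lower, self.raised = upper, lower, False

    def observe(self, percent: float) -> Optional[str]:
        """Return the event this sample produces, named after the page's trap names."""
        if not self.raised and percent >= self.upper:
            self.raised = True
            return "hwAclResThresholdExceedTrap"
        if self.raised and percent <= self.lower:
            self.raised = False
            return "hwAclResThresholdExceedClearTrap"
        return None  # between the thresholds nothing changes: that is the hysteresis


def replay(alarm: AclThresholdAlarm, samples: List[float]) -> List[Optional[str]]:
    """Feed a series of usage percentages and record the events produced."""
    return [alarm.observe(p) for p in samples]
```

With the defaults, a usage series of 75, 80, 85, 75, 70, 72 raises once at 80, stays raised through 75 (above the lower limit), clears at 70 and does not re-raise at 72: exactly the single alarm and single clear an operator wants, instead of one trap per sample.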
display snmp-agent trap feature-name acle all
Function
The display snmp-agent trap feature-name acle all command displays the status of all traps on the ACL module.
Usage Guidelines
Usage Scenario
After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name acle all command to check the status of all traps of ACL. You can use the snmp-agent trap enable feature-name acle command to enable the trap function of ACL.
Prerequisites
SNMP has been enabled. See snmp-agent.
Example
# Display all the traps of the ACL module.
<HUAWEI> display snmp-agent trap feature-name acle all
------------------------------------------------------------------------------
Feature name: ACLE
Trap number : 4
------------------------------------------------------------------------------
Trap name                              Default switch status   Current switch status
hwAclResTotalCountExceedTrap           on                      on
hwAclResTotalCountExceedClearTrap      on                      on
hwAclResThresholdExceedTrap            on                      on
hwAclResThresholdExceedClearTrap       on                      on
Item | Description |
---|---|
Feature name | Name of the module that the trap belongs to. |
Trap number | Number of traps. |
Trap name | Trap name. The ACL module has the four traps listed in the output above. |
Default switch status | Default status of the trap function. |
Current switch status | Current status of the trap function. |
display time-range
Function
The display time-range command displays the configuration and status of the current time range.
Usage Guidelines
To specify a time range during which ACL rules take effect, run the time-range command and reference the time range name when you configure an ACL.
Before using a time range to filter data packets, run the display time-range command to view the time range configuration to avoid duplicate time ranges.
The device updates the status of ACLs with a delay of about 30 seconds after a time range changes state, whereas the display time-range command evaluates the time range against the current time. You may therefore briefly see an ACL reported as inactive while its time range is already shown as active. This is normal.
Example
# Display the configuration and status of all time ranges.
<HUAWEI> display time-range all
Current time is 14:48:13 10-17-2012 Wednesday
Time-range : abc (Active)
from 23:23 2012/9/9 to 23:59 2012/12/31
Total time-range number is 1
Item | Description |
---|---|
Current time is 14:48:13 10-17-2012 Wednesday | The current time is 14:48:13 on Wednesday, 10-17-2012. |
Time-range : abc (Active) | The time range is named abc and is currently active. |
from 23:23 2012/9/9 to 23:59 2012/12/31 | Time range abc runs from 23:23 2012/9/9 to 23:59 2012/12/31. |
Total time-range number | The total number of configured time ranges. |
ip address (ACL IP address pool view)
Function
The ip address command configures an IP address in an ACL IP address pool.
The undo ip address command deletes an IP address from an ACL IP address pool.
By default, no IP address is configured in an ACL IP address pool.
Format
ip address ip-address [ mask-length | wildcard | track-nqa admin-name test-name ]
undo ip address ip-address [ mask-length | wildcard | track-nqa admin-name test-name ]
Parameters
Parameter | Description | Value |
---|---|---|
ip-address | Specifies the IP address in the ACL IP address pool. | The value is in dotted decimal notation. |
mask-length | Specifies the subnet mask length. NOTE: If the ACL IP address pool is invoked by the redirect ip-multihop command, ensure that the subnet mask is 32 bits long. Otherwise, redirection to the next hop will fail. | The value is an integer that ranges from 0 to 32. |
wildcard | Specifies the wildcard of the IP address. | The value is in dotted decimal notation. |
track-nqa | Specifies an NQA test instance to be associated with the ACL IP address pool. | - |
admin-name | Specifies the administrator of the NQA test instance. | The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks ("). |
test-name | Specifies the name of the NQA test instance. | The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks ("). |
Usage Guidelines
Usage Scenario
After an ACL IP address pool is created, you can run the ip address command to specify an IP address for the ACL IP address pool. The ACL IP address pool can be invoked by the redirect ip-multihop command to redirect packets to the next hop specified in the ACL IP address pool.
Prerequisites
An ACL IP address pool has been created by running the acl ip-pool command.
Precautions
The switch supports a maximum of 12 ACL IP address pools. Each ACL IP address pool supports a maximum of 64 IP addresses.
In the scenario when PBR is used to redirect packets to multiple next hops, if the device has no ARP entry matching the specified next hop IP address, the redirection does not take effect. The device still forwards packets to the original destination until the ARP entry matching the specified next hop IP address is generated on the device. You can run the display acl ip-pool command to check whether the next hop IP address specified in the ACL IP address pool takes effect.
Example
# Specify five IP addresses for the ACL IP address pool named abc.
```
<HUAWEI> system-view
[HUAWEI] acl ip-pool abc
[HUAWEI-acl-ip-pool-abc] ip address 192.168.10.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.20.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.30.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.40.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.50.1 32
```
ipv6 address (ACL IPv6 address pool view)
Function
The ipv6 address command configures an IPv6 address in an ACL IPv6 address pool.
The undo ipv6 address command deletes an IPv6 address from an ACL IPv6 address pool.
By default, no IPv6 address is configured in an ACL IPv6 address pool.
Format
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
ipv6 address ipv6-address [ track-nqa admin-name test-name ]
undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
undo ipv6 address ipv6-address [ track-nqa admin-name test-name ]
Parameters
Parameter | Description | Value |
---|---|---|
ipv6-address | Specifies the IPv6 address in the ACL IPv6 address pool. | The value is 128 bits long, written as 8 groups of 4 hexadecimal digits in the format X:X:X:X:X:X:X:X. |
prefix-length | Specifies the prefix length of an IPv6 address. NOTE: If the ACL IPv6 address pool is invoked by the redirect ipv6-multihop command, ensure that the prefix length is 128. Otherwise, redirection to the next hop will fail. | The value is an integer that ranges from 1 to 128. |
track-nqa | Specifies an NQA test instance to be associated with the ACL IPv6 address pool. | - |
admin-name | Specifies the administrator of the NQA test instance. | The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks ("). |
test-name | Specifies the name of the NQA test instance. | The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks ("). |
Usage Guidelines
Usage Scenario
After an ACL IPv6 address pool is created, you can run the ipv6 address command to specify an IPv6 address for the ACL IPv6 address pool. The ACL IPv6 address pool can be invoked by the redirect ipv6-multihop command to redirect packets to the next hop specified in the ACL IPv6 address pool.
Prerequisites
An ACL IPv6 address pool has been created by running the acl ipv6 ip-pool command.
Precautions
The switch supports a maximum of 12 ACL IPv6 address pools. Each ACL IPv6 address pool supports a maximum of 64 IPv6 addresses.
In the scenario when PBR is used to redirect packets to multiple next hops, if the device does not match the neighbor entry corresponding to the next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, packets are forwarded based on the original path and redirection does not take effect. You can run the display acl ipv6 ip-pool command to check whether the next hop IPv6 address specified in the ACL IPv6 address pool takes effect.
Example
# Specify four IPv6 addresses for the ACL IPv6 address pool named abc.
```
<HUAWEI> system-view
[HUAWEI] acl ipv6 ip-pool abc
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::1 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::2 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::3 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::4 128
```
reset acl counter
Parameters
Parameter | Description | Value |
---|---|---|
name acl-name | Specifies the name of an ACL whose statistics need to be cleared. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
acl-number | Specifies the number of an ACL whose statistics need to be cleared. | The value is an integer. |
all | Clears all the ACL statistics. | - |
Usage Guidelines
Usage Scenario
To obtain accurate ACL statistics for a given period, run the reset acl counter command to clear the existing statistics and start collecting afresh.
The reset acl counter command clears the statistics immediately and does not ask you to confirm the deletion.
Before using the reset acl counter command, make sure that you really intend to clear the ACL statistics.
Follow-up Procedure
After running the reset acl counter command to clear the previous ACL statistics, you can use the display acl match-counter command in the diagnostic view to check ACL rules and statistics on the packets matching the ACL rules in the current period.
reset acl ipv6 counter
Parameters
Parameter | Description | Value |
---|---|---|
name acl6-name | Specifies the name of an ACL6 whose statistics need to be cleared. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
acl6-number | Specifies the number of an ACL6 whose statistics need to be cleared. | The value is an integer that ranges from 2000 to 3999. |
all | Clears all the ACL6 statistics. | - |
Usage Guidelines
Usage Scenario
To obtain accurate ACL6 statistics for a given period, run the reset acl ipv6 counter command to clear the existing statistics and start collecting afresh.
Before using the reset acl ipv6 counter command, make sure that you really intend to clear the ACL6 statistics.
The reset acl ipv6 counter command clears the statistics immediately and does not ask you to confirm the deletion.
Follow-up Procedure
After running the reset acl ipv6 counter command to clear the previous ACL6 statistics, you can use the display acl ipv6 command to view the ACL6 rules and the statistics on packets matching those rules in the current period.
rule (advanced ACL view)
Function
The rule command adds or modifies an advanced ACL rule.
The undo rule command deletes an advanced ACL rule.
By default, no advanced ACL rule is configured.
Format
When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
When the parameter protocol is specified as the Transmission Control Protocol (TCP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
When the parameter protocol is specified as the User Datagram Protocol (UDP), the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
When the parameter protocol is specified as GRE, IGMP, IP, IPINIP, OSPF, or as a protocol number other than ICMP, TCP, or UDP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *
To delete an advanced ACL rule, run:
undo rule rule-id [ destination | destination-port | { { precedence | tos } * | dscp } | { fragment | first-fragment } | logging | icmp-type | source | source-port | tcp-flag | time-range | ttl-expired | vpn-instance ] *
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match the rule. | - |
permit | Permits the packets that match the rule. | - |
icmp | Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified. | - |
tcp | Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified. | - |
udp | Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified. | - |
gre | Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol. | - |
igmp | Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol. | - |
ip | Indicates that the protocol type is IP. | - |
ipinip | Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol. | - |
ospf | Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol. | - |
protocol-number | Indicates the protocol type expressed by name or number. NOTE: Parameters in an ACL vary with the protocol type. The combination of source-port { eq port | gt port | lt port | range port-start port-end } and destination-port { eq port | gt port | lt port | range port-start port-end } is applicable to TCP and UDP only. | The value expressed by number is an integer that ranges from 1 to 255. |
destination { destination-address destination-wildcard | any } | Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched. | destination-address: The value is in dotted decimal notation. destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to binary, a 0 bit means that the corresponding address bit must match and a 1 bit means that it is ignored. The 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1. |
icmp-type { icmp-name | icmp-type [ icmp-code ] } | Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched. | icmp-type is an integer that ranges from 0 to 255. icmp-code is an integer that ranges from 0 to 255. Table 14-14 lists the mapping between ICMP names and ICMP types and codes. |
source { source-address source-wildcard | any } | Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. | source-address: The value is in dotted decimal notation. source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to binary, a 0 bit means that the corresponding address bit must match and a 1 bit means that it is ignored. The 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1. |
tcp-flag | Matches on the flag bits in the TCP packet header. | - |
ack | Indicates that the flag in the TCP packet header is ack (010000). | - |
established | Indicates that the flag in the TCP packet header is ack (010000) or rst (000100). | - |
fin | Indicates that the flag in the TCP packet header is fin (000001). | - |
psh | Indicates that the flag in the TCP packet header is psh (001000). | - |
rst | Indicates that the flag in the TCP packet header is rst (000100). | - |
syn | Indicates that the flag in the TCP packet header is syn (000010). | - |
urg | Indicates that the flag in the TCP packet header is urg (100000). | - |
time-range time-name | Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. | The value is a string of 1 to 32 characters. |
destination-port { eq port | gt port | lt port | range port-start port-end } | Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows: eq port matches the port equal to port, gt port matches ports greater than port, lt port matches ports less than port, and range port-start port-end matches ports from port-start to port-end. | The value of port can be a name or a number. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. Table 14-15 and Table 14-16 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port. |
source-port { eq port | gt port | lt port | range port-start port-end } | Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows: eq port matches the port equal to port, gt port matches ports greater than port, lt port matches ports less than port, and range port-start port-end matches ports from port-start to port-end. | The value of port can be a name or a number. The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535. Table 14-15 and Table 14-16 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port. |
dscp dscp | Specifies the value of a Differentiated Services Code Point (DSCP). NOTE: The dscp dscp and precedence precedence parameters cannot be set for the same rule. The dscp dscp and tos tos parameters cannot be set for the same rule. | The value is an integer or a name. |
tos tos | Indicates that packets are filtered according to the Type of Service (ToS). | The value is an integer or a name. |
precedence precedence | Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value. | The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network. |
fragment | Indicates that the rule is valid only for non-initial fragments. | - |
first-fragment | Indicates that the rule is valid only for initial fragments. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: | - |
ttl-expired | Matches packets with the TTL value 1. If this keyword is not specified, the ACL rule matches packets with any TTL value. | - |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
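As an added illustration (not part of the Huawei command reference), the following Python models the matching semantics the table above describes: discontiguous wildcard masks, the eq/gt/lt/range port operators, the six-bit tcp-flag encoding with established meaning ack or rst, and first-match evaluation in rule-id order. The class and function names, the sample rules and packets, and the reading of a single tcp-flag keyword as "that bit is set" are assumptions of this example, not statements from the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Six-bit TCP flag field in the order URG ACK PSH RST SYN FIN, using the
# binary values given in the tcp-flag rows of the parameter table.
TCP_FLAG_BITS = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
                 "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}
# Port operators of source-port / destination-port; a holds the operand(s).
PORT_OPS = {"eq": lambda p, a: p == a[0], "gt": lambda p, a: p > a[0],
            "lt": lambda p, a: p < a[0], "range": lambda p, a: a[0] <= p <= a[1]}
PortOp = Optional[Tuple]  # ("eq", p) | ("gt", p) | ("lt", p) | ("range", lo, hi)

@dataclass(frozen=True)
class Packet:               # constructed sample packet; only the matched fields
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0      # six-bit URG ACK PSH RST SYN FIN value

@dataclass(frozen=True)
class Rule:                 # the subset of 'rule' parameters modelled here
    rule_id: int
    action: str                              # "permit" or "deny"
    proto: str                               # keyword; "ip" = any IP protocol
    src: Optional[Tuple[str, str]] = None    # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    sport: PortOp = None
    dport: PortOp = None
    tcp_flag: Optional[str] = None           # a single tcp-flag keyword

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A 0 wildcard bit must match, a 1 bit is ignored; 1 bits may be discontiguous."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)

def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Render address/wildcard as the table does: fully matched octets stay
    decimal, others become bit patterns with x for ignored bits."""
    out = []
    for a, w in zip(IPv4Address(rule_addr).packed, IPv4Address(wildcard).packed):
        if w == 0:
            out.append(str(a))
        else:
            pairs = zip(format(a, "08b"), format(w, "08b"))
            out.append("".join("x" if m == "1" else b for b, m in pairs))
    return ".".join(out)

def port_match(port: int, op: PortOp) -> bool:
    return op is None or PORT_OPS[op[0]](port, op[1:])

def tcp_flag_match(flags: int, keyword: Optional[str]) -> bool:
    """'established' means ack (010000) or rst (000100) is set, as the table says;
    other keywords are read as 'that bit is set' (assumption: the page does not
    say whether the whole six-bit value must equal the keyword's value)."""
    if keyword is None:
        return True
    if keyword == "established":
        return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(flags & TCP_FLAG_BITS[keyword])

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified parameter must match; unspecified ones match anything."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src and not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt.dst, *rule.dst):
        return False
    if pkt.proto in ("tcp", "udp") and not (
            port_match(pkt.sport, rule.sport) and port_match(pkt.dport, rule.dport)):
        return False
    return pkt.proto != "tcp" or tcp_flag_match(pkt.tcp_flags, rule.tcp_flag)

def evaluate(acl: List[Rule], pkt: Packet) -> Optional[str]:
    """Rules are tried in rule-id order and the first match decides. None means no
    rule matched; what the device does then depends on where the ACL is applied,
    which this page does not cover."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action
    return None

# Constructed ACL: rules 5 and 10 mirror the ACL 3001 examples on this page
# (numbered with the default step of 5); rule 15 adds the wildcard and tcp-flag
# cases from the parameter table.
ACL_3001 = [
    Rule(5, "permit", "ip", src=("10.9.0.0", "0.0.255.255"),
         dst=("10.38.160.0", "0.0.0.255")),
    Rule(10, "permit", "udp", src=("10.9.8.0", "0.0.0.255"),
         dst=("10.38.160.0", "0.0.0.255"), dport=("eq", 128)),
    Rule(15, "deny", "tcp", src=("192.168.1.169", "0.0.0.172"),
         tcp_flag="established"),
]
```

Because rule 5 permits any IP traffic from 10.9.0.0/16 to 10.38.160.0/24, it also covers the UDP traffic that rule 10 names, which is the ordering pitfall to check for whenever rules are auto-numbered.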
ToS Name | Value | ToS Name | Value |
---|---|---|---|
normal | 0 | max-reliability | 2 |
min-monetary-cost | 1 | max-throughput | 4 |
min-delay | 8 | - | - |
icmp-name | icmp-type | icmp-code |
---|---|---|
Echo | 8 | 0 |
Echo-reply | 0 | 0 |
Parameter-problem | 12 | 0 |
Port-unreachable | 3 | 3 |
Protocol-unreachable | 3 | 2 |
Reassembly-timeout | 11 | 1 |
Source-quench | 4 | 0 |
Source-route-failed | 3 | 5 |
Timestamp-reply | 14 | 0 |
Timestamp-request | 13 | 0 |
Ttl-exceeded | 11 | 0 |
Fragmentneed-DFset | 3 | 4 |
Host-redirect | 5 | 1 |
Host-tos-redirect | 5 | 3 |
Host-unreachable | 3 | 1 |
Information-reply | 16 | 0 |
Information-request | 15 | 0 |
Net-redirect | 5 | 0 |
Net-tos-redirect | 5 | 2 |
Net-unreachable | 3 | 0 |
Port Number | Value of port | Protocol | Description |
---|---|---|---|
7 | echo | Echo | Echo service. |
9 | discard | Discard | Null service used for connectivity test. |
37 | time | Time | Time protocol. |
42 | nameserver | Host Name Server | Host name service. |
53 | dns | Domain Name Service (DNS) | Domain name service. |
65 | tacacs-ds | TACACS-Database Service | TACACS database service. |
67 | bootps | Bootstrap Protocol Server | Bootstrap Protocol (BOOTP) Server, also used by Dynamic Host Configuration Protocol (DHCP). |
68 | bootpc | Bootstrap Protocol Client | Bootstrap Protocol (BOOTP) Client, also used by Dynamic Host Configuration Protocol (DHCP). |
69 | tftp | Trivial File Transfer Protocol (TFTP) | Trivial File Transfer Protocol (TFTP). |
90 | dnsix | DNSIX Security Attribute Token Map | DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map. |
111 | sunrpc | SUN Remote Procedure Call (SUN RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS). |
123 | ntp | Network Time Protocol (NTP) | Network Time Protocol (NTP), which worms may also use. |
137 | netbios-ns | NETBIOS Name Service | NETBIOS name service. |
138 | netbios-dgm | NETBIOS Datagram Service | NETBIOS datagram service. |
139 | netbios-ssn | NETBIOS Session Service | NETBIOS session service. |
161 | snmp | SNMP | Simple Network Management Protocol (SNMP). |
162 | snmptrap | SNMPTRAP | SNMP trap. |
177 | xdmcp | X Display Manager Control Protocol (XDMCP) | X Display Manager Control Protocol (XDMCP). |
434 | mobilip-ag | MobileIP-Agent | Mobile IP agent. |
435 | mobilip-mn | MobileIP-MN | Mobile IP management. |
512 | biff | Mail notify | Notifies user of received emails. |
513 | who | Who | Login user list. |
514 | syslog | Syslog | UNIX system log service. |
517 | talk | Talk | Remotely talks with server and client. |
520 | rip | Routing Information Protocol | RIP routing protocol. |
Port Number | Value of port | Protocol | Description |
---|---|---|---|
7 | echo | Echo | Echo service. |
9 | discard | Discard | Null service used for connectivity test. |
13 | daytime | Daytime | Daytime protocol. |
19 | CHARgen | Character generator | Character Generator Protocol. |
20 | ftp-data | FTP data connections | FTP data port. |
21 | ftp | File Transfer Protocol (FTP) | File Transfer Protocol (FTP) port. |
23 | telnet | Telnet | Telnet service. |
25 | smtp | Simple Mail Transport Protocol (SMTP) | Simple Mail Transfer Protocol (SMTP). |
37 | time | Time | Time protocol. |
43 | whois | Nicname (WHOIS) | Directory service. |
49 | tacacs | TAC Access Control System (TACACS) | Access control system based on TCP/IP authentication (TACACS login host protocol). |
53 | domain | Domain Name Service (DNS) | Domain name service. |
70 | gopher | Gopher | Information index protocol (document searching and indexing on the Internet). |
79 | finger | Finger | Queries online user information on a remote host. |
80 | www | World Wide Web (HTTP) NOTE: If the HTTPS protocol is used, the port number is 443. | Protocol used by the WWW service. HTTP is used to browse web pages. |
101 | hostname | NIC hostname server | Host name service on the NIC machine. |
109 | pop2 | Post Office Protocol v2 | Email protocol version 2. |
110 | pop3 | Post Office Protocol v3 | Email protocol version 3. |
111 | sunrpc | Sun Remote Procedure Call (RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS). |
119 | nntp | Network News Transport Protocol (NNTP) | Network News Transfer Protocol for retrieval of newsgroup messages. It carries USENET. |
179 | bgp | Border Gateway Protocol (BGP) | Border Gateway Protocol (BGP). |
194 | irc | Internet Relay Chat (IRC) | Internet Relay Chat (IRC) protocol. |
512 | exec | Exec (rsh) | Authenticates remote process. |
513 | login | Login (rlogin) | Remote login. |
514 | cmd | Remote commands | Used to execute non-interactive commands on a remote system (rshell, rcp). |
515 | lpd | Printer service | Line Printer Daemon. It is a print service. |
517 | talk | Talk | Remotely talks with server and client. |
540 | uucp | Unix-to-Unix Copy Program | Unix-to-Unix copy protocol. |
543 | klogin | Kerberos login | Kerberos login protocol version 5. |
544 | kshell | Kerberos shell | Kerberos Remote shell protocol version 5. |
Usage Guidelines
Usage Scenario
An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.
The time-range parameter of the rule command references a time range, so that an ACL rule can be made to take effect only during that period.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.
The fragment parameter cannot be configured together with the source-port, destination-port, icmp-type, or tcp-flag parameter. Otherwise, the system displays the error message "The fragment cannot be configured together with the source-port, destination-port, icmp-type and tcp-flag."
Example
# Add a rule to ACL 3000 to filter ICMP packets.
```
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp
```
# Delete a rule from ACL 3000.
```
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] undo rule 1
```
# Add a rule to ACL 3000 to filter IGMP packets.
```
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 2 permit igmp
```
# Add a rule to ACL 3000 to filter packets with DSCP priorities.
```
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 3 permit ip dscp cs1
```
# Add a rule to ACL 3001 to filter all the IP packets sent from hosts at 10.9.0.0 to hosts at 10.38.160.0.
```
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255
```
# Add a rule to ACL 3001 to filter the UDP packets with destination port number 128 sent from 10.9.8.0 to 10.38.160.0.
```
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
```
rule (advanced ACL6 view)
Function
The rule command adds or modifies an advanced ACL6 rule.
The undo rule command deletes an advanced ACL6 rule.
By default, no advanced ACL6 rule is created.
Format
When protocol is set to TCP, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
When protocol is set to UDP, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
When protocol is set to ICMPv6, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
When protocol is set to other protocols, the command format of an advanced ACL6 rule is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
To delete an advanced ACL6 rule, run:
undo rule rule-id [ destination | destination-port | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type | logging | { { precedence | tos } * | dscp } | source | source-port | tcp-flag | time-range | vpn-instance ] *
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of a rule. | The value is an integer that ranges from 0 to 2047. |
deny | Drops packets that match the rule. | - |
permit | Forwards packets that match the rule. | - |
tcp | Specifies TCP as the protocol type. | - |
udp | Specifies UDP as the protocol type. | - |
icmpv6 | Specifies ICMPv6 as the protocol type. | - |
protocol-number | Specifies the protocol type, expressed as a name or a number. | The value ranges from 1 to 255. The protocol type expressed as a name can be GRE, ICMPv6, IPv6, OSPF, TCP, or UDP. |
destination { destination-ipv6-address prefix-length \| destination-ipv6-address/prefix-length \| any } | Specifies the destination address and prefix of a packet. | destination-ipv6-address is expressed in colon hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. any matches any destination address. |
destination destination-ipv6-address postfix postfix-length | Specifies the destination address and the length of the address postfix, that is, the number of trailing bits that must match. | destination-ipv6-address is expressed in colon hexadecimal notation. postfix-length is an integer that ranges from 1 to 64. |
dscp dscp | Specifies the Differentiated Services Code Point (DSCP) value. NOTE: dscp dscp cannot be set in the same rule as precedence precedence, nor in the same rule as tos tos. | The value of dscp can be an integer or a name. When the value is an integer, it ranges from 0 to 63. When the value is a name, it can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef. |
routing [ routing-type routing-type ] | Matches IPv6 packets that carry a Routing extension header. routing-type additionally matches the Routing Type field of that header. | The value of routing-type is an integer that ranges from 0 to 255. |
fragment | Indicates that the rule is valid only for non-first fragments. | - |
first-fragment | Indicates that the rule is valid only for first fragments. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: | - |
precedence precedence | Filters packets according to the IP precedence field. | precedence can be expressed as a name or a number. The value ranges from 0 to 7. |
source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length \| any } | Specifies the source address and prefix of a packet. | source-ipv6-address is expressed in colon hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. any matches any source address. |
source source-ipv6-address postfix postfix-length | Specifies the source address and the length of the address postfix, that is, the number of trailing bits that must match. | source-ipv6-address is expressed in colon hexadecimal notation. postfix-length is an integer that ranges from 1 to 64. |
destination-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the destination port of TCP or UDP packets. Valid only when the protocol is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are: eq port (equal to port), gt port (greater than port), lt port (less than port), and range port-start port-end (from port-start to port-end). | The value of port, port-start, and port-end can be a name or a number. When expressed as a number, it ranges from 0 to 65535. Table 14-20 and Table 14-19 list the mapping between well-known TCP and UDP port numbers and values of port. |
source-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the source port of TCP or UDP packets. Valid only when the protocol is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are: eq port (equal to port), gt port (greater than port), lt port (less than port), and range port-start port-end (from port-start to port-end). | The value of port, port-start, and port-end can be a name or a number. When expressed as a number, it ranges from 0 to 65535. Table 14-20 and Table 14-19 list the mapping between well-known TCP and UDP port numbers and values of port. |
icmp6-type { icmp6-type-name \| icmp6-type [ icmp6-code ] } | Specifies the type and code of ICMPv6 packets. Valid only when the protocol is ICMPv6. If this parameter is not specified, all ICMPv6 packets are matched. | icmp6-type indicates the ICMPv6 message type and ranges from 0 to 255. icmp6-code indicates the ICMPv6 message code and ranges from 0 to 255. Table 14-18 lists the values of icmp6-type-name with the corresponding type and code. |
tcp-flag | Matches on the flags field of the TCP header. Valid only when the protocol is TCP. | - |
ack | Matches packets with the ACK flag set (010000). | - |
established | Matches packets with the ACK flag (010000) or the RST flag (000100) set. | - |
fin | Matches packets with the FIN flag set (000001). | - |
psh | Matches packets with the PSH flag set (001000). | - |
rst | Matches packets with the RST flag set (000100). | - |
syn | Matches packets with the SYN flag set (000010). | - |
urg | Matches packets with the URG flag set (100000). | - |
time-range time-name | Indicates that the ACL6 rule is effective only in the specified time range. time-name is the name of the time range during which the rule takes effect. | The value of time-name is a string of 1 to 32 characters. |
tos tos | Filters packets according to the Type of Service (ToS) field. | The value is an integer or a name; the ToS names and their values are listed in the table that follows. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If vpn-instance is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
ToS names and values:
ToS Name | Value |
---|---|
normal | 0 |
min-monetary-cost | 1 |
max-reliability | 2 |
max-throughput | 4 |
min-delay | 8 |
icmp6-type-name values with the corresponding ICMPv6 type and code:
icmp6-type-name | icmp-type | icmp-code |
---|---|---|
Redirect | 137 | 0 |
Echo | 128 | 0 |
Echo-reply | 129 | 0 |
Err-Header-field | 4 | 0 |
Frag-time-exceeded | 3 | 1 |
Hop-limit-exceeded | 3 | 0 |
Host-admin-prohib | 1 | 1 |
Host-unreachable | 1 | 3 |
Neighbor-advertisement | 136 | 0 |
Neighbor-solicitation | 135 | 0 |
Network-unreachable | 1 | 0 |
Packet-too-big | 2 | 0 |
Port-unreachable | 1 | 4 |
Router-advertisement | 134 | 0 |
Router-solicitation | 133 | 0 |
Unknown-ipv6-opt | 4 | 2 |
Unknown-next-hdr | 4 | 1 |
Well-known TCP port names that can be used as values of port:
Port Number | Value of port | Protocol | Description |
---|---|---|---|
7 | echo | Echo | Echo service. |
9 | discard | Discard | Null service used for connectivity test. |
13 | daytime | Daytime | Daytime protocol. |
19 | chargen | Character generator | Character Generator Protocol. |
20 | ftp-data | FTP data connections | FTP data port. |
21 | ftp | File Transfer Protocol(FTP) | File Transfer Protocol (FTP) port. |
23 | telnet | Telnet | Telnet service. |
25 | smtp | Simple Mail Transport Protocol (SMTP) | Simple Mail Transfer Protocol (SMTP). |
37 | time | Time | Time protocol. |
43 | whois | Nicname (WHOIS) | Directory service. |
49 | tacacs | TAC Access Control System (TACACS) | Access control system based on TCP/IP authentication (TACACS login host protocol) |
53 | domain | Domain Name Service (DNS) | Domain name service. |
70 | gopher | Gopher | Information index protocol (document searching and indexing on the Internet) |
79 | finger | Finger | Queries online user information on a remote host. |
80 | www | World Wide Web (HTTP) | Protocol used by the WWW service. HTTP is used to browse web pages. NOTE: If HTTPS is used, the port number is 443. |
101 | hostname | NIC hostname server | Host name service on the NIC machine. |
109 | pop2 | Post Office Protocol v2 | Email protocol version 2. |
110 | pop3 | Post Office Protocol v3 | Email protocol version 3. |
111 | sunrpc | Sun Remote Procedure Call (RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS). |
119 | nntp | Network News Transport Protocol (NNTP) | Network News Transfer Protocol for retrieval of newsgroup messages. It carries USENET. |
179 | bgp | Border Gateway Protocol (BGP) | Border Gateway Protocol (BGP). |
194 | irc | Internet Relay Chat (IRC) | Internet Relay Chat (IRC) protocol. |
512 | exec | Exec (rsh) | Authenticates remote process. |
513 | login | Login (rlogin) | Remote login. |
514 | cmd | Remote commands | Used to execute non-interactive commands on a remote system (rshell, rcp). |
515 | lpd | Printer service | Line Printer Daemon. It is a print service. |
517 | talk | Talk | Remotely talks with server and client. |
540 | uucp | Unix-to-Unix Copy Program | Unix-to-Unix copy protocol. |
543 | klogin | Kerberos login | Kerberos login protocol version 5. |
544 | kshell | Kerberos shell | Kerberos Remote shell protocol version 5. |
Well-known UDP port names that can be used as values of port:
Port Number | Value of port | Protocol | Description |
---|---|---|---|
7 | echo | Echo | Echo service. |
9 | discard | Discard | Null service used for connectivity test. |
37 | time | Time | Time protocol. |
42 | nameserver | Host Name Server | Host name service. |
53 | dns | Domain Name Service (DNS) | Domain name service. |
65 | tacacs-ds | TACACS-Database Service | TACACS database service. |
67 | bootps | Bootstrap Protocol Server | Bootstrap Protocol (BOOTP) Server, also used by Dynamic Host Configuration Protocol (DHCP). |
68 | bootpc | Bootstrap Protocol Client | Bootstrap Protocol (BOOTP) Client, also used by Dynamic Host Configuration Protocol (DHCP). |
69 | tftp | Trivial File Transfer Protocol (TFTP) | Trivial File Transfer Protocol (TFTP). |
90 | dnsix | DNSIX Security Attribute Token Map | DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map. |
111 | sunrpc | SUN Remote Procedure Call (SUN RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS). |
123 | ntp | Network Time Protocol (NTP) | Network Time Protocol (NTP); this port has been abused by worm traffic. |
137 | netbios-ns | NETBIOS Name Service | NETBIOS name service. |
138 | netbios-dgm | NETBIOS Datagram Service | NETBIOS datagram service. |
139 | netbios-ssn | NETBIOS Session Service | NETBIOS session service. |
161 | snmp | SNMP | Simple Network Management Protocol (SNMP). |
162 | snmptrap | SNMPTRAP | SNMP trap. |
177 | xdmcp | X Display Manager Control Protocol (XDMCP) | X Display Manager Control Protocol (XDMCP). |
434 | mobilip-ag | MobileIP-Agent | Mobile IP agent. |
435 | mobilip-mn | MobileIP-MN | Mobile IP management. |
512 | biff | Mail notify | Notifies user of received emails. |
513 | who | Who | Login user list. |
514 | syslog | Syslog | UNIX system log service. |
517 | talk | Talk | Remotely talks with server and client. |
520 | rip | Routing Information Protocol | RIP routing protocol. |
Usage Guidelines
Usage Scenario
Advanced ACL6s classify packets based on the source IPv6 address, destination IPv6 address, source port number, destination port number, and protocol type.
With the time-range parameter, the rule command also restricts the time during which an ACL6 rule takes effect.
Prerequisites
An ACL6 has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.
When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, run the display acl ipv6 command to view it.
The undo rule command deletes an ACL6 rule even if the rule is currently referenced, so use it with caution when the rule is in use.
The fragment parameter cannot be set together with source-port, destination-port, icmp6-type, or tcp-flag.
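The matching semantics described in the parameter table above (prefix and postfix address matching, the eq/gt/lt/range port operators, and the tcp-flag keywords including established) are easy to get wrong when auditing an ACL6. The following is an added example and not code from the Huawei command reference; it models those semantics in Python so a rule can be checked offline against a packet. It assumes that prefix-length compares the leading bits of an IPv6 address, that postfix-length compares the trailing bits, and that established is satisfied by either ACK or RST, as the table states; the packet and rule dictionaries are constructed for the example.

```python
# Added example, not code from the Huawei command reference: a small evaluator
# for the matching semantics described in the advanced ACL6 parameter table.
# Assumptions: prefix-length compares the leading bits of the address and
# postfix-length the trailing bits; port operators compare unsigned 16-bit
# port numbers; 'established' means ACK or RST set, as the table states.
import ipaddress
from typing import Optional

# TCP flag bits in the order URG ACK PSH RST SYN FIN (100000 ... 000001)
TCP_FLAG_BITS = {"urg": 0x20, "ack": 0x10, "psh": 0x08,
                 "rst": 0x04, "syn": 0x02, "fin": 0x01}


def _v6(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr))


def ipv6_prefix_match(addr: str, rule_addr: str, prefix_length: int) -> bool:
    """True when the leading prefix_length bits of addr equal those of rule_addr."""
    if not 1 <= prefix_length <= 128:
        raise ValueError("prefix-length must be 1..128")
    shift = 128 - prefix_length
    return (_v6(addr) >> shift) == (_v6(rule_addr) >> shift)


def ipv6_postfix_match(addr: str, rule_addr: str, postfix_length: int) -> bool:
    """True when the trailing postfix_length bits match; the prefix is ignored.
    This lets one rule match a given interface identifier under any prefix."""
    if not 1 <= postfix_length <= 64:
        raise ValueError("postfix-length must be 1..64")
    mask = (1 << postfix_length) - 1
    return (_v6(addr) & mask) == (_v6(rule_addr) & mask)


def port_match(port: int, op: str, a: int, b: Optional[int] = None) -> bool:
    """eq/gt/lt/range operators of the source-port and destination-port parameters."""
    if op == "eq":
        return port == a
    if op == "gt":
        return port > a
    if op == "lt":
        return port < a
    if op == "range":
        return a <= port <= b
    raise ValueError(f"unknown operator {op!r}")


def tcp_flag_match(flags: int, keyword: str) -> bool:
    """tcp-flag keywords: 'established' is satisfied by ACK or RST; every other
    keyword tests a single bit of the 6-bit flags field."""
    if keyword == "established":
        return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(flags & TCP_FLAG_BITS[keyword])


def rule_matches(pkt: dict, rule: dict) -> bool:
    """Evaluate one rule (a dict of the parameters modelled above) against one
    packet. Only parameters present in the rule are checked, as on the CLI."""
    if "source" in rule and not ipv6_prefix_match(pkt["src"], *rule["source"]):
        return False
    if "source_postfix" in rule and not ipv6_postfix_match(pkt["src"], *rule["source_postfix"]):
        return False
    if "destination" in rule and not ipv6_prefix_match(pkt["dst"], *rule["destination"]):
        return False
    if "destination_port" in rule and not port_match(pkt["dport"], *rule["destination_port"]):
        return False
    if "tcp_flag" in rule and not tcp_flag_match(pkt["flags"], rule["tcp_flag"]):
        return False
    return True


# Constructed sample: a TCP SYN to the SSH port of a host inside 2001:db8:1::/48,
# and a rule equivalent to "deny tcp destination 2001:db8:1:: 48 destination-port eq 22 tcp-flag syn".
SAMPLE_PKT = {"src": "2001:db8:2::10", "dst": "2001:db8:1::5", "dport": 22, "flags": 0x02}
BLOCK_NEW_SSH = {"destination": ("2001:db8:1::", 48),
                 "destination_port": ("eq", 22),
                 "tcp_flag": "syn"}
```

Note that the same SYN packet with ACK also set would satisfy established; a rule written with tcp-flag syn still matches it, because each keyword only requires its own bit to be set.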
rule (basic ACL view)
Function
The rule command adds or modifies a basic ACL rule.
The undo rule command deletes a basic ACL rule.
By default, no rule is configured for a basic ACL.
Format
rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically by the device start from the step value. The default step is 5, so the device creates rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match the rule. | - |
permit | Permits the packets that match the rule. | - |
source { source-address source-wildcard \| any } | Specifies the source IP address of packets that match the rule. If this parameter is not specified, packets with any source IP address are matched. | source-address and source-wildcard are in dotted decimal notation. A wildcard of 0 (equivalent to 0.0.0.0) means the source address is a single host address. NOTE: After the wildcard is converted to binary, a 0 bit means the corresponding address bit must match and a 1 bit means it is ignored. The 1 and 0 bits need not be contiguous. For example, the address 192.168.1.169 with the wildcard 0.0.0.172 matches the addresses 192.168.1.x0x0xx01 (last octet written in binary), where each x can be 0 or 1. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If vpn-instance is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
fragment | Indicates that the rule is valid only for non-first fragments: the rule matches non-first fragments and does not match non-fragmented packets or first fragments. NOTE: Rules that do not contain fragment are valid for all packets. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: | - |
time-range time-name | Specifies the name of a time range during which the rule takes effect. If this parameter is not specified, the rule takes effect at any time. NOTE: If the specified time-name does not exist, the ACL cannot be bound to that time range. | The value is a string of 1 to 32 characters. |
Usage Guidelines
Usage Scenario
A basic ACL matches packets based on information such as the source IP address, fragment flag, and time range.
With the time-range parameter, the rule command also restricts the time during which an ACL rule takes effect.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
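Wildcard masks with discontiguous bits, such as the 0.0.0.172 example in the parameter table, are a common source of ACL review mistakes because they admit addresses that do not form a contiguous block. The following is an added example and not code from the Huawei command reference; it implements the wildcard semantics the table describes (a 0 bit must match, a 1 bit is ignored), renders the resulting pattern the way the table writes it, and walks a small constructed ACL to find the first matching rule. Evaluating rules in ascending rule-id order is an assumption of this example, as is modelling source any as None.

```python
# Added example, not code from the Huawei command reference: evaluates the
# source-address/source-wildcard matching described for basic ACL rules and
# renders the bit pattern the way the parameter table does (x = ignored bit).
# Assumptions: a wildcard bit of 0 means the address bit must match and a
# bit of 1 means it is ignored; 'source any' is modelled as rule_addr=None;
# rules are evaluated in ascending rule-id order.
import ipaddress
from typing import List, Optional, Tuple


def _v4(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_src: str, rule_addr: Optional[str], wildcard: str = "0.0.0.0") -> bool:
    """True when every address bit whose wildcard bit is 0 equals the rule address bit."""
    if rule_addr is None:          # source any
        return True
    care = ~_v4(wildcard) & 0xFFFFFFFF
    return (_v4(packet_src) & care) == (_v4(rule_addr) & care)


def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Dotted pattern of the addresses a rule covers, e.g. 192.168.1.x0x0xx01.
    Octets with no ignored bits are printed in decimal, the others in binary."""
    a, w = _v4(rule_addr), _v4(wildcard)
    octets = []
    for o in range(4):
        a_oct = (a >> (24 - 8 * o)) & 0xFF
        w_oct = (w >> (24 - 8 * o)) & 0xFF
        if w_oct == 0:
            octets.append(str(a_oct))
        else:
            octets.append("".join("x" if (w_oct >> i) & 1 else str((a_oct >> i) & 1)
                                  for i in range(7, -1, -1)))
    return ".".join(octets)


def covered_count(wildcard: str) -> int:
    """Number of addresses a wildcard admits: 2 ** (number of 1 bits)."""
    return 1 << bin(_v4(wildcard)).count("1")


def first_match(rules: List[Tuple[int, str, Optional[str], str]],
                packet_src: str) -> Optional[Tuple[int, str]]:
    """Walk rules given as (rule_id, action, source_addr, wildcard) in ascending
    rule-id order and return (rule_id, action) of the first hit, or None."""
    for rule_id, action, addr, wc in sorted(rules, key=lambda r: r[0]):
        if wildcard_match(packet_src, addr, wc):
            return rule_id, action
    return None


# Constructed sample ACL with IDs allocated at the default step of 5.
SAMPLE_RULES = [
    (5,  "permit", "192.168.1.169", "0.0.0.172"),   # the table's discontiguous wildcard
    (10, "deny",   "192.168.1.0",   "0.0.0.255"),   # the rest of the /24
    (15, "permit", None,            "0.0.0.0"),     # source any
]
```

Running covered_count on 0.0.0.172 shows that rule 5 admits 16 addresses scattered across the /24, which is the kind of detail a reviewer needs to see before treating the rule as a single host or subnet.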
rule (basic ACL6 view)
Function
The rule command adds or modifies basic ACL6 rules.
The undo rule command deletes a basic ACL6 rule.
By default, there is no basic ACL6 rule.
Format
rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of a rule. | The value is an integer that ranges from 0 to 2047. |
deny | Drops packets that match the rule. | - |
permit | Forwards packets that match the rule. | - |
fragment | Indicates that the rule is valid only for non-first fragments. | - |
logging | Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: | - |
source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length } | Specifies the source address and prefix of a packet. | source-ipv6-address is expressed in colon hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. |
source source-ipv6-address postfix postfix-length | Specifies the source address and the length of the address postfix, that is, the number of trailing bits that must match. | source-ipv6-address is expressed in colon hexadecimal notation. postfix-length is an integer that ranges from 1 to 64. |
any | Matches any source address. | - |
time-range time-name | Indicates that the ACL6 rule is effective only in the specified time range. time-name is the name of the time range during which the rule takes effect. NOTE: If the specified time-name does not exist, the ACL6 does not take effect. | The value of time-name is a string of 1 to 32 characters. |
vpn-instance vpn-instance-name | Specifies the name of a VPN instance. NOTE: If vpn-instance is not specified, the switch matches packets from both public and private networks against the ACL. | The value must be an existing VPN instance name. |
Usage Guidelines
Usage Scenario
A basic ACL6 matches packets based on information such as the source IPv6 address, fragment flag, and time range.
Prerequisites
An ACL6 has been created before the rule is configured.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, run the display acl ipv6 command to view it.
The undo rule command deletes an ACL6 rule even if the rule is currently referenced, so use it with caution when the rule is in use.
rule (layer 2 ACL view)
Function
The rule command adds or modifies a Layer 2 ACL rule.
The undo rule command deletes a Layer 2 ACL rule.
By default, there is no rule in the related Layer 2 ACL view.
Format
rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *
undo rule { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *
undo rule rule-id
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically by the device start from the step value. The default step is 5, so the device creates rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match the rule. | - |
permit | Permits the packets that match the rule. | - |
ether-ii \| 802.3 \| snap | Specifies the encapsulation format of a packet that matches the rule. | - |
l2-protocol type-value [ type-mask ] | Specifies the Layer 2 protocol type. This parameter corresponds to the Ethernet type field of Ethernet_II frames and the type-code field of Ethernet_SNAP frames. | type-value can be a hexadecimal number of 3 to 6 characters that ranges from 0x0000 to 0xFFFF, or a supported protocol name. The default value of type-mask is 0xffff. |
destination-mac dest-mac-address [ dest-mac-mask ] | Specifies the destination MAC address of packets that match the rule. | dest-mac-address and dest-mac-mask are both in the format H-H-H, where each H is one to four hexadecimal digits. The default value of dest-mac-mask is ffff-ffff-ffff. You can select a destination MAC address range by combining dest-mac-address and dest-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the range 00e0-fc01-0000 to 00e0-fc01-ffff. |
source-mac source-mac-address [ source-mac-mask ] | Specifies the source MAC address of packets that match the rule. | source-mac-address and source-mac-mask are both in the format H-H-H, where each H is one to four hexadecimal digits. The default value of source-mac-mask is ffff-ffff-ffff. You can select a source MAC address range by combining source-mac-address and source-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the range 00e0-fc01-0000 to 00e0-fc01-ffff. |
vlan-id vlan-id [ vlan-id-mask ] | Specifies the outer VLAN ID of a packet that matches the rule. | The value of vlan-id is an integer ranging from 1 to 4094. The value of vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF. |
8021p 802.1p-value | Specifies the 802.1p priority in the outer VLAN tag of a packet that matches the rule. | The value is an integer ranging from 0 to 7. |
cvlan-id cvlan-id [ cvlan-id-mask ] | Specifies the inner VLAN ID of a packet that matches the rule. | The value of cvlan-id is an integer ranging from 1 to 4094. The value of cvlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF. |
cvlan-8021p 802.1p-value | Specifies the 802.1p priority in the inner VLAN tag of a packet that matches the rule. | The value is an integer ranging from 0 to 7. |
double-tag | Indicates that only packets with two VLAN tags match the rule. | - |
time-range time-name | Defines the time range during which the rule is valid. time-name specifies the name of a time range. NOTE: If the specified time-name does not exist, the ACL cannot be bound to that time range. | The value of time-name is a string of 1 to 32 characters. |
Usage Guidelines
Usage Scenario
A Layer 2 ACL matches packets based on Layer 2 information such as the source MAC address, destination MAC address, and Layer 2 protocol type.
With the time-range parameter, the rule command also restricts the time during which an ACL rule takes effect.
Prerequisites
An ACL has been created before the rule is configured.
Precautions
If the specified rule ID already exists, the new rule overwrites the old rule no matter whether the rules conflict.
To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
Example
# Add a rule to ACL 4001 that matches packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0800.
<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800
rule (user-defined ACL view)
Function
The rule command adds or modifies a rule in the user-defined ACL view.
The undo rule command deletes a user-defined ACL rule.
By default, there is no rule in the user-defined ACL view.
Format
rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule rule-id
Parameters
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5, so the device creates rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match the rule. | - |
permit | Permits the packets that match the rule. | - |
l2-head \| ipv4-head \| ipv6-head \| l4-head | Specifies the header from which the offset is counted. | - |
rule-string | Specifies the user-defined rule string. | The value is a hexadecimal string of 3 to 10 characters and at most 4 bytes long. NOTE: The rule command in the user-defined ACL view matches four bytes at a time. When the field to be matched is shorter than four bytes, pad it with 0. |
rule-mask | Specifies the mask of the rule string. | The value is a hexadecimal string of 3 to 10 characters and at most 4 bytes long. Where a mask bit is 1, the ACL compares the corresponding bit of the rule string; where a mask bit is 0, the bit is ignored. |
offset | Specifies the offset. | The value is an integer, in bytes. The valid range of the offset depends on the selected header. |
time-range time-name | Defines the time range during which the rule takes effect. time-name specifies the name of that time range. | The value is a string of 1 to 32 characters. |
Usage Guidelines
Usage Scenario
A user-defined ACL defines rules by the offset of a field in the packet and the value expected at that offset. User-defined ACLs are used as matching rules of a traffic classifier.
With the time-range parameter, the rule command also restricts the time during which an ACL rule takes effect.
A user-defined ACL applies only to incoming traffic.
When a user-defined ACL matches packets, the 802.1Q tag, if present, is included when the offset is calculated.
Prerequisites
An ACL must be created before the rule is configured.
Precautions
- If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
- To change the offset in a user-defined ACL rule, delete and reconfigure the ACL rule.
- The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.
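Because a user-defined ACL matches raw bytes at a fixed offset from a chosen header, two details decide whether a rule hits: where each anchor actually starts in a tagged frame (the 802.1Q note above) and how a rule-string shorter than four bytes is padded. The following is an added example and not code from the Huawei command reference; it builds a constructed 802.1Q-tagged Ethernet/IPv4/TCP frame and evaluates rule-string/rule-mask/offset triples against it. It assumes that the offset counts bytes from the first byte of the named header, that each pair is compared over a 4-byte window, and that a shorter rule-string is right-padded with zeros; the switch's own padding convention is not stated on this page.

```python
# Added example, not code from the Huawei command reference: evaluates a
# user-defined ACL rule (header anchor, rule-string, rule-mask, offset) against
# a constructed 802.1Q-tagged Ethernet/IPv4/TCP frame.
# Assumptions: offset counts bytes from the first byte of the named header,
# each rule-string/rule-mask pair is compared over a 4-byte window, and a
# string shorter than 4 bytes is right-padded with zeros.
import struct
from typing import Dict


def build_sample_frame() -> bytes:
    """Constructed frame: 802.1Q tag (VLAN 100), IPv4 10.0.0.1 -> 10.0.0.2, TCP SYN to port 443."""
    eth = bytes.fromhex("000000000001" "000000000002" "8100") + struct.pack("!HH", 100, 0x0800)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ipv4 + tcp


def header_offsets(frame: bytes) -> Dict[str, int]:
    """Byte position of each anchor. The 4-byte 802.1Q tag pushes everything
    after the MAC addresses, so a tagged and an untagged frame need different
    l2-head offsets to reach the same field (the EtherType, for instance)."""
    ethertype_at = 16 if frame[12:14] == b"\x81\x00" else 12
    ipv4_head = ethertype_at + 2
    ihl_bytes = (frame[ipv4_head] & 0x0F) * 4
    return {"l2-head": 0, "ipv4-head": ipv4_head, "l4-head": ipv4_head + ihl_bytes}


def _to_window(hex_value: str) -> bytes:
    """Parse '0x...' or bare hex into a 4-byte window, right-padded with zeros."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    if len(digits) % 2:
        digits = "0" + digits
    raw = bytes.fromhex(digits)
    if len(raw) > 4:
        raise ValueError("rule-string/rule-mask may be at most 4 bytes")
    return raw.ljust(4, b"\x00")


def udf_match(frame: bytes, anchor: str, rule_string: str, rule_mask: str, offset: int) -> bool:
    """True when (frame bytes & mask) == (rule-string & mask) over the 4-byte
    window that starts at anchor + offset."""
    start = header_offsets(frame)[anchor] + offset
    window = frame[start:start + 4].ljust(4, b"\x00")
    s, m = _to_window(rule_string), _to_window(rule_mask)
    return all((w & mm) == (ss & mm) for w, ss, mm in zip(window, s, m))
```

The l2-head checks in the test below show the effect of the 802.1Q note: a rule written for an untagged frame (EtherType at offset 12) fails on the tagged sample, where the EtherType sits at offset 16, while the ipv4-head and l4-head anchors are unaffected because they are located relative to the header they name.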
rule (user ACL view)
Function
The rule command configures a user ACL rule.
The undo rule command deletes a user ACL rule.
By default, no user ACL rule is configured.
Format
When protocol is set to ICMP, the command format is as follows:
rule [ rule-id ] { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *
undo rule { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *
When protocol is set to TCP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol parameter is specified as UDP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *
When the protocol parameter is specified as GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *
undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *
To delete an ACL rule, run:
undo rule rule-id
Parameters
Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294.
deny | Denies the packets that match the rule. | -
permit | Permits the packets that match the rule. | -
icmp | Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified. | -
tcp | Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified. | -
udp | Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified. | -
gre | Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol. | -
igmp | Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol. | -
ip | Indicates that the protocol type is IP. | -
ipinip | Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol. | -
ospf | Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol. | -
protocol-number | Indicates the protocol type expressed by number. | The value is an integer that ranges from 1 to 255.
source { { source-address source-wildcard \| any } \| { ucl-group { source-ucl-group-index \| name source-ucl-group-name } } } * | Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. | -
destination { { { destination-address destination-wildcard \| any } \| { ucl-group { destination-ucl-group-index \| name destination-ucl-group-name } } } * \| fqdn fqdn-name } | Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched. | -
icmp-type { icmp-name \| icmp-type [ icmp-code ] } | Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched. | icmp-type is an integer that ranges from 0 to 255. icmp-code is an integer that ranges from 0 to 255. NOTE: Table 14-21 lists the mapping between ICMP names and ICMP types and codes.
source-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are eq (equal to), gt (greater than), lt (less than), and range (from port-start to port-end). | The value of port can be a name or a number. The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.
destination-port { eq port \| gt port \| lt port \| range port-start port-end } | Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are eq (equal to), gt (greater than), lt (less than), and range (from port-start to port-end). | The value of port can be a name or a number. The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.
tcp-flag | Indicates the flag bits in the TCP packet header. | -
ack | Indicates that the TCP flag is ack (010000). | -
established | Indicates that the TCP flag is ack (010000) or rst (000100). | -
fin | Indicates that the TCP flag is fin (000001). | -
psh | Indicates that the TCP flag is psh (001000). | -
rst | Indicates that the TCP flag is rst (000100). | -
syn | Indicates that the TCP flag is syn (000010). | -
urg | Indicates that the TCP flag is urg (100000). | -
time-range time-name | Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. NOTE: When you specify the time-range parameter to reference a time range from the ACL, and the specified time-name does not exist, the ACL cannot be bound to the specified time range. | The value is a string of 1 to 32 characters.
vpn-instance vpn-instance-name | Specifies the name of a VPN instance on the inbound interface. | The value must be an existing VPN instance name.
Table 14-21 Mapping between ICMP names and ICMP types and codes
icmp-name | icmp-type | icmp-code
---|---|---
Echo | 8 | 0
Echo-reply | 0 | 0
Fragmentneed-DFset | 3 | 4
Host-redirect | 5 | 1
Host-tos-redirect | 5 | 3
Host-unreachable | 3 | 1
Information-reply | 16 | 0
Information-request | 15 | 0
Net-redirect | 5 | 0
Net-tos-redirect | 5 | 2
Net-unreachable | 3 | 0
Parameter-problem | 12 | 0
Port-unreachable | 3 | 3
Protocol-unreachable | 3 | 2
Reassembly-timeout | 11 | 1
Source-quench | 4 | 0
Source-route-failed | 3 | 5
Timestamp-reply | 14 | 0
Timestamp-request | 13 | 0
Ttl-exceeded | 11 | 0
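The icmp-type and tcp-flag conditions described in the tables above, evaluated against constructed packet fields as an added Python example (not Huawei's code). Two points are assumptions because the page does not state them: a tcp-flag keyword is read as "that bit is set" (other flag bits ignored), and when several keywords are given all of them must match.

```python
# Added example: evaluates the icmp-type and tcp-flag match conditions of a
# user ACL rule against constructed packet fields. Not device code.

# tcp-flag keywords and the 6-bit patterns from the parameter table
# (URG ACK PSH RST SYN FIN, most significant bit first).
TCP_FLAG_BITS = {
    "urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
    "rst": 0b000100, "syn": 0b000010, "fin": 0b000001,
}

# Table 14-21: icmp-name -> (icmp-type, icmp-code)
ICMP_NAMES = {
    "echo": (8, 0), "echo-reply": (0, 0), "fragmentneed-dfset": (3, 4),
    "host-redirect": (5, 1), "host-tos-redirect": (5, 3),
    "host-unreachable": (3, 1), "information-reply": (16, 0),
    "information-request": (15, 0), "net-redirect": (5, 0),
    "net-tos-redirect": (5, 2), "net-unreachable": (3, 0),
    "parameter-problem": (12, 0), "port-unreachable": (3, 3),
    "protocol-unreachable": (3, 2), "reassembly-timeout": (11, 1),
    "source-quench": (4, 0), "source-route-failed": (3, 5),
    "timestamp-reply": (14, 0), "timestamp-request": (13, 0),
    "ttl-exceeded": (11, 0),
}


def tcp_flag_matches(keyword, flags):
    """True if the 6-bit TCP flags field satisfies one tcp-flag keyword.
    Assumption: a keyword means 'that bit is set'; other bits are ignored.
    'established' matches when ack or rst is set, as the table states."""
    if keyword == "established":
        return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(flags & TCP_FLAG_BITS[keyword])


def tcp_flags_match(keywords, flags):
    """Assumption: with several tcp-flag keywords, every one must match."""
    return all(tcp_flag_matches(k, flags) for k in keywords)


def icmp_matches(spec, icmp_type, icmp_code):
    """spec is None (icmp-type omitted: any ICMP packet), an icmp-name,
    an int icmp-type (icmp-code omitted: any code), or a (type, code) pair."""
    if spec is None:
        return True
    if isinstance(spec, str):
        spec = ICMP_NAMES[spec.lower()]      # names match case-insensitively
    if isinstance(spec, int):
        return icmp_type == spec
    return (icmp_type, icmp_code) == tuple(spec)
```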
Usage Guidelines
Usage Scenario
A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.
Currently, the user ACL can be applied only to the UCL groups of the NAC mode. To control the network access rights of users based on user groups, you can perform the following operations: configure a UCL group, associate user ACL rules with the UCL group so that the ACL rules apply to all users in the user group, configure packet filtering based on the user ACL to make the ACL take effect, and then apply the UCL group to the AAA service scheme.
Prerequisites
If the ucl-group name source-ucl-group-name or ucl-group name destination-ucl-group-name parameter is configured for a rule, the source and destination UCL groups must have been created by the ucl-group command.
Precautions
If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.
The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.
rule description
Function
The rule description command configures the description of an ACL rule.
The undo rule description command deletes the description of an ACL rule.
By default, no description is configured for an ACL rule.
Parameters
Parameter | Description | Value
---|---|---
rule-id | Specifies the ID of an ACL rule. |
description description | Specifies the description of an ACL rule. You can configure the description to record the purpose of an ACL rule in detail. | The value is a character string of a maximum of 127 characters.
Usage Guidelines
Application Scenarios
The rule-id parameter identifies a rule but cannot describe the meaning and usage of the rule. A description string solves this problem.
Prerequisites
The ACL rule has been created. If the ACL rule does not exist, the system displays an error message when you run this command.
Precautions
If the rule description command is run repeatedly, the latest configuration takes effect.
After you run the undo rule rule-id command, the rule and rule description are deleted.
Example
# Configure the description for rule 5 in acl 2001, which permits the packets from 192.168.32.1.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 192.168.32.1 0
[HUAWEI-acl-basic-2001] rule 5 description permit 192.168.32.1
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.32.1 0
 rule 5 description permit 192.168.32.1
snmp-agent trap enable feature-name acle
Function
The snmp-agent trap enable feature-name acle command enables the trap function for the ACL module.
The undo snmp-agent trap enable feature-name acle command disables the trap function for the ACL module.
By default, the trap function is enabled for the ACL module.
Format
snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]
undo snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]
Parameters
Parameter | Description | Value
---|---|---
trap-name | Enables or disables the trap function for the specified event. | -
hwaclresthresholdexceedcleartrap | Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device falls below the lower alarm threshold (percentage). | -
hwaclresthresholdexceedtrap | Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device exceeds the upper alarm threshold (percentage). | -
hwaclrestotalcountexceedcleartrap | Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device reaches 100%, then falls below 100% and stays below 100% for a period of time. | -
hwaclrestotalcountexceedtrap | Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device reaches 100%. | -
Usage Guidelines
When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
step
Function
The step command sets the step between ACL rule IDs.
The undo step command restores the default step between ACL rule IDs.
By default, the step between ACL rule IDs is 5.
Usage Guidelines
Usage Scenario
The step is the difference between rule IDs when the system automatically assigns rule IDs. For example, if the ACL step value is set to 5, rules are numbered 5, 10, 15, and so on.
To add a rule between existing rules, you need to reset the step. For example, an ACL in config mode contains three rules with IDs being 5, 10, and 15. To insert a new rule after rule 5 (the first rule), run the rule 7 xxxx command to insert rule 7.
If the step value is changed, ACL rule IDs are arranged automatically. For example, if the original rule IDs are 5, 10, and 15, the rule IDs become 2, 4, and 6 after you change the step value to 2.
The undo step command can be used to realign ACL rule IDs immediately based on the default step. For example, ACL rule group 3001 contains four rules with IDs being 1, 3, 5, and 7, and the step is 2. After the undo step command is executed, the rule IDs become 5, 10, 15, and 20 and the step value is restored to 5.
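A small model of the rule-ID behaviour described above (automatic numbering, inserting a rule by choosing its ID, and renumbering by step and undo step), as an added Python example that is not Huawei's code. The page does not say how the next automatic ID is chosen; taking the first multiple of the step above the highest ID in use is an assumption.

```python
# Added example: models how the step value governs ACL rule IDs. Not device
# code; the next-automatic-ID rule is an assumption, the rest follows the page.


class AclRuleIds:
    DEFAULT_STEP = 5

    def __init__(self, step=DEFAULT_STEP):
        self.step = step
        self.rules = {}  # rule-id -> rule text, e.g. "permit source 10.1.1.1 0"

    def add_rule(self, text, rule_id=None):
        """rule [ rule-id ] ...: an omitted rule-id is assigned automatically;
        an existing rule-id is replaced, as the Precautions state."""
        if rule_id is None:
            # Assumption: the first multiple of the step above the highest ID
            # in use, which yields 5, 10, 15, ... on an ACL with step 5.
            highest = max(self.rules, default=0)
            rule_id = (highest // self.step + 1) * self.step
        self.rules[rule_id] = text
        return rule_id

    def set_step(self, step):
        """step <n>: existing rules keep their order and are renumbered
        n, 2n, 3n, ... so that 5, 10, 15 becomes 2, 4, 6 for step 2."""
        if step < 1:
            raise ValueError("step must be a positive integer")
        self.step = step
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {step * (n + 1): text for n, text in enumerate(ordered)}

    def undo_step(self):
        """undo step: realign IDs immediately using the default step, so
        rules 1, 3, 5, 7 (step 2) become 5, 10, 15, 20."""
        self.set_step(self.DEFAULT_STEP)

    def ids(self):
        return sorted(self.rules)
```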
Prerequisites
An ACL has been created by running the acl command.
Precautions
ACL6 does not support the step command.
time-range
Function
The time-range command sets a time range.
The undo time-range command deletes a time range.
By default, no time range is set.
Format
time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }
undo time-range time-name [ start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] ]
Parameters
Parameter | Description | Value
---|---|---
time-name | Specifies the name of a time range. | The value is a string of 1 to 32 case-sensitive characters without spaces and must begin with a letter. To avoid confusion, do not use "all" as the name of a time range.
start-time | Specifies the start time of a time range. | The format is hh:mm.
end-time | Specifies the end time of a time range. | The format is hh:mm.
days | Specifies the days on which the time range takes effect. | The value can be one of the following: Mon, Tue, Wed, Thu, Fri, Sat, Sun, working-day (Monday to Friday), off-day (Saturday and Sunday), or daily (every day).
from time1 date1 | Specifies the time at which the time range starts to take effect. | time1 is in the format hh:mm. date1 is in the format YYYY/MM/DD (for example, 2010/1/1).
to time2 date2 | Specifies the end of a time range. | The formats of time2 and date2 are the same as those of the start time. The end time must be later than the start time. If the end time is not set, the device takes the maximum value allowed by the system.
Usage Guidelines
Usage Scenario
If some services or functions need to be started at intervals or periodically, you can run the time-range command to set the time range. When configuring ACL or ACL6 rules, you can reference the names of time ranges.
- Relative time range (periodic time range): It is specified by start-time and end-time. The weekday when the time range takes effect is determined by days.
- Absolute time range: It is specified by from and to. The absolute time range can be used to limit the periodic time range.
- Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
- Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
- Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
Precautions
There may be a time difference of no more than 10 seconds between the configured time range and the time range that actually takes effect.
Example
# Set a time range named test that takes effect from 2010-01-01 00:00 to 2010-12-31 23:59.
<HUAWEI> system-view
[HUAWEI] time-range test from 0:0 2010/1/1 to 23:59 2010/12/31
# Set a time range named test that takes effect at 8:00-18:00 from Monday to Friday.
<HUAWEI> system-view
[HUAWEI] time-range test 8:00 to 18:00 working-day
# Set a time range named test that takes effect from 14:00 to 18:00 on every Saturday and Sunday.
<HUAWEI> system-view
[HUAWEI] time-range test 14:00 to 18:00 off-day
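The periodic and absolute time ranges from the usage scenario, and the three CLI examples above, evaluated against a given moment as an added Python example (not Huawei's code). It assumes the weekday keywords beyond working-day and off-day, and that an absolute entry limits the periodic entries (both groups must be satisfied), which is how "the absolute time range can be used to limit the periodic time range" is read here.

```python
# Added example: evaluates the time-range definitions shown on this page
# against a moment in time. Not device code; see the assumptions in comments.
from datetime import datetime, time

# days keywords: working-day and off-day appear in the examples above; the
# weekday names and daily are assumed. datetime.weekday(): 0 = Monday.
DAY_SETS = {
    "mon": {0}, "tue": {1}, "wed": {2}, "thu": {3}, "fri": {4},
    "sat": {5}, "sun": {6}, "working-day": {0, 1, 2, 3, 4},
    "off-day": {5, 6}, "daily": set(range(7)),
}

def _hhmm(text):                       # "8:00" -> time(8, 0)
    hour, minute = text.split(":")
    return time(int(hour), int(minute))

def _point(hhmm, ymd):                 # "0:0", "2010/1/1" -> datetime
    year, month, day = (int(x) for x in ymd.split("/"))
    t = _hhmm(hhmm)
    return datetime(year, month, day, t.hour, t.minute)

class TimeRange:
    """One time-range name. Periodic entries are OR-ed, absolute entries are
    OR-ed, and (assumption) both groups must be satisfied, so an absolute
    entry limits the periodic ones."""

    def __init__(self, name):
        self.name, self.periodic, self.absolute = name, [], []

    def add(self, args):
        """args is the CLI text after the time-range name."""
        tok = args.split()
        if tok[0] == "from":           # from time1 date1 [ to time2 date2 ]
            start = _point(tok[1], tok[2])
            end = _point(tok[4], tok[5]) if len(tok) > 3 else datetime.max
            if end <= start:
                raise ValueError("end time must be later than start time")
            self.absolute.append((start, end))
        else:                          # start-time to end-time days...
            days = set()
            for word in tok[3:]:
                days |= DAY_SETS[word.lower()]
            self.periodic.append((_hhmm(tok[0]), _hhmm(tok[2]), days))

    def is_active(self, moment):
        abs_ok = not self.absolute or any(s <= moment <= e for s, e in self.absolute)
        per_ok = not self.periodic or any(
            moment.weekday() in days and s <= moment.time() <= e
            for s, e, days in self.periodic)
        return abs_ok and per_ok

    def is_active_at(self, hhmm, ymd):
        return self.is_active(_point(hhmm, ymd))
```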