S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ACL Configuration Commands

NOTE:

The SA cards of S series do not support user ACL.

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

acl ip-pool

Function

The acl ip-pool command creates an ACL IP address pool and enters the ACL IP address pool view.

The undo acl ip-pool command deletes an ACL IP address pool.

By default, no ACL IP address pool has been created on the device.

Format

acl ip-pool acl-ip-pool-name

undo acl ip-pool acl-ip-pool-name

Parameters

Parameter

Description

Value

acl-ip-pool-name

Specifies the name of the ACL IP address pool to be created.

The value is a string of 1 to 32 characters without spaces and starting with a letter.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL IP address pool applies when policy-based routing (PBR) is used to redirect packets to multiple next hops. An ACL IP address pool can be invoked by the redirect ip-multihop command to redirect packets to the next hop specified by the ACL IP address pool.

Follow-up Procedure

Run the ip-address (ACL IP address pool view) command multiple times to specify multiple IP addresses.

Precautions

The switch supports a maximum of 12 ACL IP address pools. Each ACL IP address pool supports a maximum of 64 IP addresses.

In the scenario where PBR is used to redirect packets to multiple next hops, if the device has no ARP entry matching the specified next hop IP address, the redirection does not take effect. The device still forwards packets to the original destination until the ARP entry matching the specified next hop IP address is generated on the device. You can run the display acl ip-pool command to check whether the next hop IP address specified in the ACL IP address pool takes effect.

Example

# Create an ACL IP address pool named abc.

<HUAWEI> system-view
[HUAWEI] acl ip-pool abc

acl ipv6 ip-pool

Function

The acl ipv6 ip-pool command creates an ACL IPv6 address pool and enters the ACL IPv6 address pool view.

The undo acl ipv6 ip-pool command deletes an ACL IPv6 address pool.

By default, no ACL IPv6 address pool has been created on the device.

Format

acl ipv6 ip-pool acl-ipv6-pool-name

undo acl ipv6 ip-pool acl-ipv6-pool-name

Parameters

Parameter

Description

Value

acl-ipv6-pool-name

Specifies the name of the ACL IPv6 address pool to be created.

The value is a string of 1 to 32 characters without spaces and starting with a letter.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL IPv6 address pool applies when policy-based routing (PBR) is used to redirect packets to multiple next hops. An ACL IPv6 address pool can be invoked by the redirect ipv6-multihop command to redirect packets to the next hop specified by the ACL IPv6 address pool.

Follow-up Procedure

Run the ipv6 address (ACL IPv6 address pool view) command multiple times to specify multiple IPv6 addresses.

Precautions

The switch supports a maximum of 12 ACL IPv6 address pools. Each ACL IPv6 address pool supports a maximum of 64 IPv6 addresses.

In the scenario where PBR is used to redirect packets to multiple next hops, if the device has no neighbor entry matching the specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, packets are forwarded along the original path and the redirection does not take effect. You can run the display acl ipv6 ip-pool command to check whether the next hop IPv6 address specified in the ACL IPv6 address pool takes effect.

Example

# Create an ACL IPv6 address pool named abc.

<HUAWEI> system-view
[HUAWEI] acl ipv6 ip-pool abc

acl ipv6 name

Function

The acl ipv6 name command creates a named ACL6 and enters the ACL6 view.

The undo acl ipv6 name command deletes a named ACL6.

By default, no named ACL6 is created.

Format

acl ipv6 name acl6-name [ advance | basic | acl6-number ] [ match-order { auto | config } ]

undo acl ipv6 name acl6-name

Parameters

Parameter

Description

Value

acl6-name

Specifies the name of an ACL6.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

advance

Indicates an advanced ACL6.

-

basic

Indicates a basic ACL6.

-

acl6-number

Specifies the number of an ACL6.

The value is an integer that ranges from 2000 to 3999.

  • The value of a basic ACL6 ranges from 2000 to 2999.
  • The value of an advanced ACL6 ranges from 3000 to 3999.
match-order { auto | config }

Indicates the matching order of ACL6 rules.

  • auto: indicates that ACL6 rules are matched based on the depth-first principle. If the ACL6 rules have the same depth-first order, they are matched in ascending order of rule IDs.
  • config: indicates that ACL6 rules are matched based on the configuration order.

The rule ID of an ACL6 rule does not indicate the rule's priority. It only identifies the rule and remains unchanged when the match order is switched between auto and config.

If the match-order parameter is not specified when you create an ACL6, the default match order config is used.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL6 is a set of rules composed of permit or deny clauses. ACL6s are mainly used in QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

Follow-up Procedure

Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.

Precautions

The Switch allocates a number to a named ACL6 that is created without a number. The number allocated depends on the following:
  • If only the type of the named ACL6 is specified, the Switch allocates the maximum number in the range of that type.
  • If neither the number nor the type of the named ACL6 is specified, the Switch treats the named ACL6 as an advanced ACL6 and allocates the maximum number of the advanced ACL6 range.

After you create a named ACL6 by using the acl ipv6 name command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 name acl6-name or undo acl ipv6 acl6-number command to delete the ACL6.

When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Therefore, before deleting an ACL6, ensure that the ACL6 is not in use.

Example

# Create basic ACL6 2001 named test2.

<HUAWEI> system-view
[HUAWEI] acl ipv6 name test2 2001
acl ipv6 (system view)

Function

The acl ipv6 command creates a numbered ACL6 and enters the ACL6 view.

The undo acl ipv6 command deletes a numbered ACL6.

By default, no numbered ACL6 is created.

Format

acl ipv6 [ number ] acl6-number [ match-order { auto | config } ]

undo acl ipv6 { all | [ number ] acl6-number }

Parameters

Parameter

Description

Value

number

Indicates the number that identifies an ACL6.

-

acl6-number

Specifies an ACL6 number.

The value is an integer that ranges from 2000 to 3999.

  • The value of a basic ACL6 ranges from 2000 to 2999.
  • The value of an advanced ACL6 ranges from 3000 to 3999.

match-order { auto | config }

Indicates the matching order of ACL6 rules.

  • auto: indicates that ACL6 rules are matched based on the depth-first principle. If the ACL6 rules have the same depth-first order, they are matched in ascending order of rule IDs.
  • config: indicates that ACL6 rules are matched based on the configuration order.

The rule ID of an ACL6 rule does not indicate the rule's priority. It only identifies the rule and remains unchanged when the match order is switched between auto and config.

If the match-order parameter is not specified when you create an ACL6, the default match order config is used.

-

all

Indicates that all the configured ACL6s are deleted.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL6 is a set of rules composed of permit or deny clauses. ACL6 rules can be referenced by modules. ACL6s are applicable to QoS. ACL6s can limit data flows to improve network performance. For example, ACL6s are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

Follow-up Procedure

Run the rule command to configure ACL6 rules and apply the ACL6 to services for which packets need to be filtered.

Precautions

After you create a numbered ACL6 using the acl ipv6 command, the ACL6 still exists even if you exit from the ACL6 view. You must run the undo acl ipv6 acl6-number command to delete the ACL6.

When you delete an ACL6 that has been referenced by other services, the services will be interrupted. Before deleting an ACL6, ensure that the ACL6 is not in use.

All ACL6s can be deleted on the device in one go, but this method is not recommended.

Example

# Create an advanced ACL6 with the number of 3000.

<HUAWEI> system-view
[HUAWEI] acl ipv6 number 3000

acl name

Function

The acl name command creates a named ACL and enters the ACL view.

The undo acl name command deletes a named ACL.

By default, no ACL is created.

Format

acl name acl-name [ advance | basic | link | ucl | user | acl-number ] [ match-order { auto | config } ]

undo acl name acl-name

Parameters

Parameter

Description

Value

acl-name

Specifies the name of an ACL.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

advance

Indicates an advanced ACL.

-

basic

Indicates a basic ACL.

-

link

Indicates a Layer 2 ACL.

-

ucl

Indicates a user ACL.

-

user

Indicates a user-defined ACL.

-

acl-number

Specifies the number of an ACL.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.

match-order { auto | config }

Indicates the matching order of ACL rules.

  • auto: indicates that ACL rules are matched based on the depth-first principle. If the ACL rules have the same depth-first order, they are matched in ascending order of rule IDs.
  • config: indicates that ACL rules are matched based on the configuration order. The ACL rules are matched based on the configuration order only when the rule ID is not specified. If rule IDs are specified, the ACL rules are matched in ascending order of rule IDs.

If the match-order parameter is not specified when you create an ACL, the default match order config is used.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:

  • Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

  • Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.

  • Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.

Follow-up Procedure

Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.

Precautions

After you create a named ACL by using the acl name command, the ACL still exists even if you exit from the ACL view. You must run the undo acl name acl-name or undo acl acl-number command to delete the ACL.

When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.

The device automatically allocates a number to a named ACL that is created without a number. The number allocated depends on the following:

  • If the type of the named ACL is specified, the device allocates the maximum number in the range of that type.
  • If neither the number nor the type of the named ACL is specified, the device treats the named ACL as an advanced ACL and allocates the maximum number of the advanced ACL range.

The Switch never allocates the same number to more than one named ACL.
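The numbering rules for named ACLs (this section) and named ACL6s (acl ipv6 name above) can be modelled directly. The following is an added example, not Huawei's code: it enforces the per-type number ranges, allocates the range maximum when no number is given, defaults to an advanced ACL, and never hands out a number twice. One assumption is labelled in the code: once the maximum is taken, the next allocation is the highest number of that range still free.

```python
# Added example (not Huawei's code): a model of how the switch numbers named
# ACLs created with acl name / acl ipv6 name. Assumption: after the range
# maximum is taken, the next free number counting down is allocated.
from typing import Dict, Optional

# Number ranges per ACL type as listed for the acl name command (an ACL6
# only has the basic and advance ranges).
ACL_RANGES: Dict[str, range] = {
    "basic": range(2000, 3000),
    "advance": range(3000, 4000),
    "link": range(4000, 5000),
    "user": range(5000, 6000),
    "ucl": range(6000, 10000),
}


def acl_type_of(number: int) -> Optional[str]:
    """Return the ACL type whose number range contains number, else None."""
    for kind, rng in ACL_RANGES.items():
        if number in rng:
            return kind
    return None


class NamedAclTable:
    """In-memory stand-in for the switch's table of named ACLs."""

    def __init__(self) -> None:
        self.number_of: Dict[str, int] = {}  # name -> number
        self.name_of: Dict[int, str] = {}    # number -> name

    def _allocate(self, kind: str) -> int:
        # Highest free number of the type's range. The first call returns the
        # range maximum, as the page states; counting down is the assumption.
        rng = ACL_RANGES[kind]
        for candidate in range(rng.stop - 1, rng.start - 1, -1):
            if candidate not in self.name_of:
                return candidate
        raise RuntimeError(f"no free {kind} ACL number left")

    def create(self, name: str, kind: Optional[str] = None,
               number: Optional[int] = None) -> int:
        """acl name <name> [ type | number ]; returns the ACL's number."""
        if name in self.number_of:
            # Re-entering the view of an existing named ACL changes nothing.
            return self.number_of[name]
        if number is not None:
            found = acl_type_of(number)
            if found is None:
                raise ValueError(f"{number} is outside every ACL number range")
            if kind is not None and kind != found:
                raise ValueError(f"{number} is not a {kind} ACL number")
            if number in self.name_of:
                raise ValueError(f"ACL number {number} is already in use")
        else:
            # No number given: advanced unless a type was specified, then the
            # highest free number of that type.
            number = self._allocate(kind or "advance")
        self.number_of[name] = number
        self.name_of[number] = name
        return number

    def delete(self, name: str) -> None:
        """undo acl name <name>: the number becomes free again."""
        number = self.number_of.pop(name)
        del self.name_of[number]
```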

Example

# Create basic ACL 2001 named test1.

<HUAWEI> system-view
[HUAWEI] acl name test1 2001
acl (system view)

Function

The acl command creates an ACL with the specified number and enters the ACL view.

The undo acl command deletes a specified ACL.

By default, no ACL is created.

Format

acl [ number ] acl-number [ match-order { auto | config } ]

undo acl { [ number ] acl-number | all }

Parameters

Parameter

Description

Value

number

Specifies the number that identifies an ACL.

-

acl-number

Specifies the number of an ACL.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.

match-order { auto | config }

Indicates the matching order of ACL rules.
  • auto: indicates that ACL rules are matched based on the depth first principle.

    If the ACL rules are of the same depth first order, they are matched in ascending order of rule IDs.

  • config: indicates that ACL rules are matched based on the configuration order.

    The ACL rules are matched based on the configuration order only when the rule ID is not specified. If rule IDs are specified, the ACL rules are matched in ascending order of rule IDs.

If the match-order parameter is not specified when you create an ACL, the default match order config is used.

-

all

Indicates that all ACLs are deleted.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL consists of a series of rules defined by multiple permit or deny clauses. ACLs are mainly applied to QoS, route filtering, and user access. The major functions of ACLs are as follows:

  • Limit data flows to improve network performance. For example, ACLs are configured on an enterprise network to limit video data flows, which lowers the network load and improves network performance.

  • Provide flow control. For example, ACLs are used to limit transmission of routing updates so that the bandwidth is saved.

  • Provide network access security. For example, ACLs are configured to allow specified users to access the human resource network.

Follow-up Procedure

Run the rule command to configure ACL rules and apply the ACL to services for which packets need to be filtered.

Precautions

  • After you create an ACL using the acl command, the ACL still exists even if you exit from the ACL view. You must run the undo acl acl-number command to delete the ACL.
  • When you delete an ACL that has been referenced by other services, the services may be interrupted. Before deleting an ACL, ensure that the ACL is not in use.
  • You are advised not to delete all ACLs because this operation may cause a service interruption.

Example

# Create an ACL numbered 2000.

<HUAWEI> system-view
[HUAWEI] acl number 2000

acl threshold-alarm

Function

The acl threshold-alarm command configures the alarm threshold percentage of ACL resource usage.

The undo acl threshold-alarm command restores the default alarm threshold percentage of ACL resource usage.

By default, the lower alarm threshold percentage is 70, and the upper alarm threshold percentage is 80.

Format

acl threshold-alarm { upper-limit upper-limit | lower-limit lower-limit } *

undo acl threshold-alarm

Parameters

Parameter

Description

Value

upper-limit upper-limit

Indicates the upper alarm threshold percentage of ACL resource usage.

The value is an integer that ranges from 1 to 100.

lower-limit lower-limit

Indicates the lower alarm threshold percentage of ACL resource usage.

The value is an integer that ranges from 1 to 100.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the device runs ACL or ACL6 services for a period, the running ACL or ACL6 services occupy ACL resources. You can run the acl threshold-alarm command to set the alarm threshold percentage of ACL resources.

When the ACL resource usage (that is, the ratio of existing ACL entries to the maximum number of ACL entries supported by the device) is equivalent to or higher than the threshold, the device generates an alarm. When the ACL resource usage becomes equivalent to or lower than the lower threshold, the device generates a clear alarm.

Precautions

If you run the acl threshold-alarm command multiple times, only the latest configuration takes effect.

The upper threshold must be greater than or equal to the lower threshold.
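The alarm and clear-alarm behaviour described above is a hysteresis loop: the alarm is raised once usage reaches the upper threshold and cleared only when usage falls back to the lower threshold. The following added example (not Huawei's code) models it with the page's defaults and constraints; it assumes that a threshold omitted from the latest acl threshold-alarm command keeps its current value.

```python
# Added example (not Huawei's code): model of the acl threshold-alarm
# behaviour. Alarm when usage >= upper, clear when usage <= lower; defaults
# 70/80; both thresholds in 1..100 with upper >= lower. Assumption: a
# threshold not given in the latest command keeps its current value.
from typing import Optional

DEFAULT_LOWER = 70
DEFAULT_UPPER = 80


class AclThresholdAlarm:
    def __init__(self, max_entries: int) -> None:
        if max_entries <= 0:
            raise ValueError("max_entries must be positive")
        self.max_entries = max_entries  # ACL entries the device supports
        self.lower = DEFAULT_LOWER
        self.upper = DEFAULT_UPPER
        self.alarm_raised = False

    def configure(self, upper: Optional[int] = None,
                  lower: Optional[int] = None) -> None:
        """acl threshold-alarm [ upper-limit U ] [ lower-limit L ]."""
        new_upper = self.upper if upper is None else upper
        new_lower = self.lower if lower is None else lower
        for value in (new_upper, new_lower):
            if not 1 <= value <= 100:
                raise ValueError("thresholds are percentages from 1 to 100")
        if new_upper < new_lower:
            raise ValueError("upper threshold must be >= lower threshold")
        # Only the latest configuration takes effect.
        self.upper, self.lower = new_upper, new_lower

    def undo(self) -> None:
        """undo acl threshold-alarm: restore the default thresholds."""
        self.upper, self.lower = DEFAULT_UPPER, DEFAULT_LOWER

    def usage_percent(self, entries: int) -> float:
        """Ratio of existing ACL entries to the supported maximum, in percent."""
        return entries * 100.0 / self.max_entries

    def observe(self, entries: int) -> Optional[str]:
        """Feed the current entry count; return 'ALARM', 'CLEAR' or None."""
        usage = self.usage_percent(entries)
        if not self.alarm_raised and usage >= self.upper:
            self.alarm_raised = True
            return "ALARM"
        if self.alarm_raised and usage <= self.lower:
            self.alarm_raised = False
            return "CLEAR"
        return None   # inside the hysteresis band: no state change
```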

Example

# Set the lower alarm threshold percentage to 30 and the upper alarm threshold percentage to 50.

<HUAWEI> system-view
[HUAWEI] acl threshold-alarm upper-limit 50 lower-limit 30

assign acl-mode

Function

The assign acl-mode command sets the ACL resource allocation mode on an interface card.

The undo assign acl-mode command restores the default ACL resource allocation mode on an interface card.

By default, the ACL resource allocation mode is dual-ipv4-ipv6.

NOTE:

Only the X1E, X5H, X2E, and X2H series cards support this command.

X2E and X2H series cards support this command only after the resource mode is set to mac-acl using the assign resource-mode command.

Format

assign acl-mode slot slot-id mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 }

undo assign acl-mode slot slot-id

NOTE:

The X5H series cards only support dual-ipv4-ipv6 and l2-ipv4.

Parameters

Parameter

Description

Value

mode { dual-ipv4-ipv6 | ipv4 | l2 | l2-ipv4 | l2-ipv6 }

Specifies an ACL resource allocation mode.

  • dual-ipv4-ipv6: configures the IPv4 and IPv6 ACL resource allocation mode.
  • l2-ipv4: configures the Layer 2 IPv4 ACL resource allocation mode.
  • l2-ipv6: configures the Layer 2 IPv6 ACL resource allocation mode.
  • l2: configures the Layer 2 ACL resource allocation mode.
  • ipv4: configures the IPv4 ACL resource allocation mode.

slot slot-id

Specifies the slot ID of an interface card.

The value is an integer. The value range depends on the device configuration.

Views

System view

Default Level

3: Management level

Usage Guidelines

If the default number of ACLs for IPv4, IPv6, or Layer 2 services cannot meet service requirements, you can change the ACL resource allocation mode to increase the number of ACLs for the services.

You can use this command to change the ACL resource allocation mode according to service changes on a device. Before making any change, consider the advantages and disadvantages of the change. For example, if the ACL resource allocation mode is changed from dual-ipv4-ipv6 to ipv4, more ACLs are supported for IPv4 services, but the number of ACLs for IPv6 and VLAN services reduces to 0.

Changes to the ACL resource allocation mode take effect only after the interface card is reset.

After the ACL resource allocation mode is set for a card in a slot, the mode will be deleted if the card is replaced by another one that does not support the ACL resource allocation mode.

Table 14-1  ACL specifications in different resource allocation modes (X1E series cards)
(Columns: maximum number of IPv4 ACLs, Layer 2 + IPv4 ACLs, IPv6 ACLs, Layer 2 + IPv6 ACLs, Layer 2 ACLs, and the total number of ACLs.)

Resource Allocation Mode   IPv4   L2+IPv4   IPv6   L2+IPv6   L2     Total
dual-ipv4-ipv6             20K    20K       8K     8K        20K    20K (IPv4) + 8K (IPv6)
l2-ipv4                    36K    36K       0      0         36K    36K
l2-ipv6                    16K    16K       16K    16K       16K    16K
ipv4                       64K    0         0      0         0      64K
l2                         0      0         0      0         64K    64K

Table 14-2  ACL specifications in different resource allocation modes (X2E series cards)
(Same columns as Table 14-1.)

Resource Allocation Mode   IPv4   L2+IPv4   IPv6   L2+IPv6   L2     Total
dual-ipv4-ipv6             38K    38K       16K    16K       38K    38K (IPv4) + 16K (IPv6)
l2-ipv4                    70K    70K       0      0         70K    70K
l2-ipv6                    32K    32K       32K    32K       32K    32K
ipv4                       128K   0         0      0         0      128K
l2                         0      0         0      0         128K   128K

Table 14-3  ACL specifications in different resource allocation modes (X2H series cards)
(Same columns as Table 14-1.)

Resource Allocation Mode   IPv4   L2+IPv4   IPv6   L2+IPv6   L2     Total
dual-ipv4-ipv6             70K    70K       32K    32K       70K    70K (IPv4) + 32K (IPv6)
l2-ipv4                    134K   134K      0      0         134K   134K
l2-ipv6                    64K    64K       64K    64K       64K    64K
ipv4                       256K   0         0      0         0      256K
l2                         0      0         0      0         256K   256K

Table 14-4  ACL specifications in different resource allocation modes (X5H series cards)
(Same columns as Table 14-1.)

Resource Allocation Mode   IPv4   L2+IPv4   IPv6   L2+IPv6   L2     Total
dual-ipv4-ipv6             32K    32K       8K     8K        32K    32K (IPv4) + 8K (IPv6)
l2-ipv4                    64K    64K       0      0         64K    64K

Table 14-5 lists the resource allocation modes supported by different services. For example, the free mobility service is supported in the Dual IPv4 and IPv6 mode. After the Dual IPv4 and IPv6 mode is changed to the IPv4 mode and the LPU is restarted, the free mobility service becomes invalid.
NOTE:

The services not included in the table are supported in all modes.

Table 14-5  Resource allocation modes and services (Y: supported, N: not supported)

Service                              dual-ipv4-ipv6   l2-ipv4   l2-ipv6   l2   ipv4
IPSG (IPv4)                          Y                Y         Y         N    N
IPSG (IPv6)                          Y                N         Y         N    N
Service Chain                        Y                Y         N         N    N
Free mobility                        Y                Y         N         N    N
RADIUS authorization                 Y                Y         N         N    N
Authentication free rules            Y                Y         N         N    N
User group                           Y                Y         N         N    N
Portal authentication                Y                Y         N         N    N
802.1X-based fast deployment         Y                Y         N         N    N
NQA                                  Y                Y         Y         N    N
Packet capturing                     Y                Y         Y         N    N
All-0 MAC address alarm              Y                Y         Y         Y    N
Global blackhole MAC address entry   Y                Y         Y         Y    N
MAC Swap loopback test               Y                Y         Y         N    N

Example

# Change the ACL resource allocation mode on the X1E interface card in slot 10 to mode l2.

<HUAWEI> system-view
[HUAWEI] assign acl-mode slot 10 mode l2

description

Function

The description command configures the description of an ACL or ACL6.

The undo description command deletes the description of an ACL or ACL6.

By default, no description is configured for an ACL or ACL6.

Format

description text

undo description

Parameters

Parameter

Description

Value

text

Describes an ACL or ACL6.

The value is a string of 1 to 127 case-sensitive characters with spaces supported.

Views

ACL view, ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The description command configures the description of an ACL or ACL6, for example, the usage or application scenario of the ACL. It is used to differentiate ACLs.

Prerequisites

The ACL or ACL6 to be described has been created.

Configuration Impact

If you run the description command multiple times in the same ACL view or ACL6 view, only the latest configuration takes effect.

Example

# Configure the description of ACL 2100.

<HUAWEI> system-view
[HUAWEI] acl 2100
[HUAWEI-acl-basic-2100] description This acl is used in QoS policy
[HUAWEI-acl-basic-2100] display acl 2100
Basic ACL 2100, 0 rule
This acl is used in QoS policy
Acl's step is 5

# Configure the description of ACL6 3100.

<HUAWEI> system-view
[HUAWEI] acl ipv6 3100
[HUAWEI-acl6-adv-3100] description This acl is used in QoS policy
[HUAWEI-acl6-adv-3100] display acl ipv6 3100

Advanced IPv6 ACL 3100, 0 rule
This acl is used in QoS policy

display acl

Function

The display acl command displays the configuration of an ACL.

Format

display acl { acl-number | name acl-name | all }

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an ACL.

The value is an integer.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of a numbered advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.

name acl-name

Specifies the name of an ACL.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

all

Indicates all ACLs.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display acl command displays the ACL configuration.

Example

# Display the configuration of the ACL named test.

<HUAWEI> display acl name test
Advanced ACL test 3999, 1 rule, match-order is auto
Acl's step is 5
 rule 5 permit ip destination 10.10.10.1 0

# Display the ACL configuration.

<HUAWEI> display acl all
 Total nonempty ACL number is 1
 
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip dscp cs1
Table 14-6  Description of the display acl command output

Item

Description

Advanced ACL test 3999, 1 rule, match-order is auto

Advanced ACL 3999 named test that matches in the automatic order and contains one rule.

Acl's step is 5

The ACL's step is 5.

To set the step between ACL rule IDs, run the step command.

rule 5 permit ip destination 10.10.10.1 0

Rule 5 that matches packets whose destination IP address is 10.10.10.1.

To modify an advanced ACL rule, run the rule (advanced ACL view) command.

Total nonempty ACL number is 1

One ACL contains rules.

Advanced ACL 3000, 1 rule

Advanced ACL 3000 contains one rule.

rule 5 permit ip dscp cs1

Rule 5 that matches packets whose DSCP value is cs1.

To modify an advanced ACL rule, run the rule (advanced ACL view) command.

display acl ip-pool

Function

The display acl ip-pool command displays the configuration and status of an ACL IP address pool.

Format

display acl ip-pool acl-ip-pool-name [ multihop-status [ vpn-instance vpn-instance-name ] ]

Parameters

Parameter

Description

Value

acl-ip-pool-name

Specifies the name of the ACL IP address pool that you want to check.

The ACL IP address pool name must exist.

multihop-status

Displays the status of the next hop IP address specified in the ACL IP address pool.

-

vpn-instance vpn-instance-name

Displays the ACL IP address pool of a specified VPN instance.

The VPN instance name must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an ACL IP address pool is configured, you can run the display acl ip-pool command to check the configuration of the ACL IP address pool and whether the next hop IP address takes effect.

In the scenario where PBR is used to redirect packets to multiple next hops, if the device has no ARP entry matching the specified next hop IP address, the redirection does not take effect. The device still forwards packets to the original destination until the ARP entry matching the specified next hop IP address is generated on the device. You can run the display acl ip-pool command to check whether the next hop IP address specified in the ACL IP address pool takes effect.

Example

# Display the configuration and status of the ACL IP address pool named abc.

<HUAWEI> display acl ip-pool abc multihop-status
-----------------------------------------------------------------------------------------
IP Address      NQA AdminName                    NQA TestName                     Status
-----------------------------------------------------------------------------------------
10.3.3.3        --                               --                               invalid
192.168.200.1   user                             test                             valid  
192.168.150.1   user                             test                             valid  
-----------------------------------------------------------------------------------------
Total: 3
Table 14-7  Description of the display acl ip-pool abc multihop-status command output

Item

Description

IP Address

IP address in the ACL IP address pool.

NQA AdminName

Administrator of an NQA test instance.

NQA TestName

Name of the NQA test instance.

Status

Status of the next hop IP address.
  • valid: indicates that the next hop IP address already takes effect.
  • invalid: indicates that the next hop IP address is not effective.
NOTE:

When associating NQA with the next-hop IP address configured using the ip-address (ACL IP-pool view) command in an ACL IP pool, ensure that an NQA test instance has been correctly configured and started. Otherwise, you cannot obtain the correct Status field value and cannot determine whether the next-hop IP address takes effect.

display acl ipv6 ip-pool

Function

The display acl ipv6 ip-pool command displays the configuration and status of an ACL IPv6 address pool.

Format

display acl ipv6 ip-pool acl-ipv6-pool-name [ multihop-status [ vpn-instance vpn-instance-name ] ]

Parameters

Parameter

Description

Value

acl-ipv6-pool-name

Specifies the name of the ACL IPv6 address pool that you want to check.

The ACL IPv6 address pool name must exist.

multihop-status

Displays the status of the next hop IPv6 address specified in the ACL IPv6 address pool.

-

vpn-instance vpn-instance-name

Displays the ACL IPv6 address pool of a specified VPN instance.

The VPN instance name must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an ACL IPv6 address pool is configured, you can run the display acl ipv6 ip-pool command to check the configuration of the ACL IPv6 address pool and whether the next hop IPv6 address takes effect.

In the scenario where PBR is used to redirect packets to multiple next hops, if the device has no neighbor entry matching the specified next hop IPv6 address, the device sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, packets are forwarded along the original path and the redirection does not take effect. You can run the display acl ipv6 ip-pool command to check whether the next hop IPv6 address specified in the ACL IPv6 address pool takes effect.

Example

# Display the configuration and status of the ACL IPv6 address pool named abc.

<HUAWEI> display acl ipv6 ip-pool abc multihop-status
-----------------------------------------------------------------------------------------------------------------
IPv6 Address                             NQA AdminName                    NQA TestName                     Status
-----------------------------------------------------------------------------------------------------------------
2001:DB8::1                              --                               --                               invalid
2001:DB8::2                              --                               --                               invalid
-----------------------------------------------------------------------------------------------------------------
Total: 2
Table 14-8  Description of the display acl ipv6 ip-pool abc multihop-status command output

Item

Description

IPv6 Address

IPv6 address in the ACL IPv6 address pool.

NQA AdminName

Administrator of an NQA test instance.

NQA TestName

Name of the NQA test instance.

Status

Status of the next hop IPv6 address.
  • valid: indicates that the next hop IPv6 address already takes effect.
  • invalid: indicates that the next hop IPv6 address is not effective.
NOTE:

When associating NQA with the next-hop IPv6 address configured using the ipv6 address (ACL IPv6 address pool view) command in an ACL IPv6 address pool, ensure that an NQA test instance has been correctly configured and started. Otherwise, you cannot obtain the correct Status field value and cannot determine whether the next-hop IPv6 address takes effect.

display acl ipv6

Function

The display acl ipv6 command displays the configuration of a specific ACL6 or all ACL6s.

Format

display acl ipv6 { acl6-number | name acl6-name | all }

Parameters

Parameter

Description

Value

acl6-number

Specifies an ACL6 number.

The value is an integer that ranges from 2000 to 3999. The ACL6 with a number ranging from 2000 to 2999 is a basic ACL6 and the ACL6 with a number ranging from 3000 to 3999 is an advanced ACL6.

name acl6-name

Displays the ACL6 with a specified name.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

all

Displays the configurations of all ACL6s.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display acl ipv6 command displays the ACL6 configuration.

Example

# Display the configuration of ACL6 2000.

<HUAWEI> display acl ipv6 2000

Basic IPv6 ACL 2000, 2 rules
 rule 1 permit source 4::/64
 rule 0 deny source 3::/64

# Display the configuration of all ACL6s.

<HUAWEI> display acl ipv6 all
 Total nonempty acl6 number is 1
 
Basic IPv6 ACL 2000, 2 rules
 rule 1 permit source 4::/64
 rule 0 deny source 3::/64
Table 14-9  Description of the display acl ipv6 command output

Item

Description

Total nonempty acl6 number is 1

Number of ACL6s that contain rules; here, one.

Basic IPv6 ACL 2000, 2 rules

ACL6 2000, which is a basic ACL6 and has two rules.

rule 0 deny source 3::/64

ACL6 rule 0, which denies packets with the source IPv6 address 3::/64.

To modify a basic ACL6 rule, run the rule (rule basic acl6 view) command.

rule 1 permit source 4::/64

ACL6 rule 1, which permits packets with the source IPv6 address 4::/64.

To modify a basic ACL6 rule, run the rule (rule basic acl6 view) command.

display acl resource

Function

The display acl resource command displays information about ACL resources.

Format

display acl resource [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Displays information about ACL resources of the board in a specified slot.

The value is an integer. The value range depends on the configuration of a device.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

ACL resources are related to hardware chips. The following are types of ACL resources:
  • ACL entries: Each ACL entry stores an ACL rule.
  • Meter/Car: a traffic control table used to limit the traffic rate. The meter/car must be used with ACL entries.
  • Counter: a traffic counter table used to collect traffic statistics. The counter must be used with ACL entries.

If an ACL configuration fails to be delivered, the ACL resources on the device may have been exhausted. You can run the display acl resource command to check whether ACL resources (for both ACL4 and ACL6) are still available.

Example

# Display information about ACL resources in slot 1 (an EC card is used as an example).

<HUAWEI> display acl resource slot 1
Slot  1
GigabitEthernet1/0/0 to GigabitEthernet1/0/23
                   Used          Free         Total
----------------------------------------------------------------------------
  VACL             12            1012         1024

  IACL Unallocated -             -            1024
  IACL Allocated   -             -            1024
    IPv4   ACL     1             255          256
    Sec    ACL     284           228          512

  EACL Unallocated -             -            512
  EACL Allocated   -             -            0

  Ingress Meter    29            2019         2048
  Egress  Meter    0             512          512
  Ingress Counter  112           1936         2048
  Egress  Counter  0             512          512

  Ingress UDF      7             1            8
----------------------------------------------------------------------------

# Display information about ACL resources on the LPU in slot 3 (an X1E card is used as an example).

<HUAWEI> display acl resource slot 3
Slot  3
XGigabitEthernet3/0/0 to XGigabitEthernet3/0/3
GigabitEthernet3/1/0 to GigabitEthernet3/1/23
                    Used          Free         Total
-----------------------------------------------------------------------------
  ACL Unallocated   -             -            20480
  ACL Allocated     147           365          511
    Vlan    ACL     1             -            -
    Sec     ACL     146           -            -

  EXT Unallocated   -             -            8192
  EXT Allocated     0             0            0

  Car               260           32508        32768
  Counter           144           65392        65536
-----------------------------------------------------------------------------
Table 14-10  Description of the display acl resource command output

Item

Description

Slot

Slot ID.

GigabitEthernet x/0/0 to GigabitEthernet x/0/y

Interface to which an ACL is applied.

Vlan-ACL

Inbound ACL resources delivered before the Layer 2 forwarding process starts.
  • For the services related to VLAN translation, for example, VLAN mapping (configured by using the port vlan-mapping vlan map-vlan command) and VLAN stacking (configured by using the port vlan-stacking command), the device delivers Vlan-ACL resources.

  • The device delivers Vlan-ACL resources when the traffic policy is applied to the inbound direction and contains a traffic behavior related to VLAN. The following are two examples of the traffic behavior related to VLAN:

    • The behavior that remarks the 802.1p field on VLAN packets (configured by using the remark 8021p command)

    • The behavior that remarks the VLAN tag on VLAN packets (configured by using the remark vlan-id command)

Car

Traffic monitoring resources.

Counter

Traffic statistics collection resources.

Used

Number of used resources.

Free

Number of free resources.

Total

Total number of resources.

ACL Unallocated

Unallocated common ACL resources.

ACL Allocated

Number of ACL resources:
  • Vlan ACL: ACL resources used by VLAN.

  • Ingress ACL: Resources used by inbound traffic policy, ACL-based simplified traffic policy, and IPSG.

  • Egress ACL: Resources used by outbound traffic policy and ACL-based simplified traffic policy.

  • Ingress UCL: Resources used by traffic from user terminals to switch.

  • Egress UCL: Resources used by traffic from switch to user terminals.

  • Srv ACL: Resources used by inbound and outbound iPCA and voice VLAN.

  • Sec ACL: Inbound secure ACL resources.

EXT Unallocated

Unallocated extended ACL resources.

EXT Allocated

Number of extended ACL resources:
  • Ingress ACL: Resources used by inbound traffic policy and ACL-based simplified traffic policy.

  • Egress ACL: Resources used by outbound traffic policy and ACL-based simplified traffic policy.

VACL

Inbound ACL resources delivered before the Layer 2 forwarding process starts.

IACL Unallocated

Unallocated inbound ACL resources.

IACL Allocated

Allocated inbound ACL resources, including:
  • L2 ACL: ACL resources of L2 type.

  • IPv4 ACL: ACL resources of IPv4 type.

  • IPv6 ACL: ACL resources of IPv6 type.

  • L2IPv4 ACL: ACL resources of L2 IPv4 type.

  • L2IPv6 ACL: ACL resources of L2 IPv6 type.

  • UDF ACL: user-defined ACL resources.

  • Srv ACL: ACL resources of service type.

  • Sec ACL: ACL resources of security type.

  • Ext ACL: extended ACL resources.

EACL Unallocated

Unallocated outbound ACL resources.

EACL Allocated

Allocated outbound ACL resources, including:
  • L2 ACL: ACL resources of L2 type.

  • IPv4 ACL: ACL resources of IPv4 type.

  • IPv6 ACL: ACL resources of IPv6 type.

  • L2IPv4 ACL: ACL resources of L2 IPv4 type.

  • L2IPv6 ACL: ACL resources of L2 IPv6 type.

  • UDF ACL: user-defined ACL resources.

  • Srv ACL: ACL resources of service type.

  • Ext ACL: extended ACL resources.

Ingress Meter

Inbound rate limiting resources.

Egress Meter

Outbound rate limiting resources.

Ingress Counter

Inbound statistics collection resources.

Egress Counter

Outbound statistics collection resources.

Ingress UDF

Inbound user-defined ACL resources.
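
The usage guideline for this command says that a failed ACL delivery may mean the hardware tables are exhausted. The following added Python example (not Huawei code) turns a saved copy of the output into a check that can run before that happens: it parses the EC-card example output quoted above into (Used, Free, Total) rows and reports every resource table whose usage is at or above a threshold. The 80% threshold is a constructed value chosen for the example; the page gives no figure for the device's own alarm threshold.

```python
"""Parse `display acl resource` output and flag near-exhausted tables.

Added example, not Huawei code. The sample output below is the EC-card
example quoted on this page; the 80% threshold is a constructed value.
"""
from typing import List, NamedTuple, Optional, Tuple


class Resource(NamedTuple):
    name: str
    used: Optional[int]
    free: Optional[int]
    total: Optional[int]


# Constructed input: the EC-card example output quoted on this page.
SAMPLE_OUTPUT = """\
Slot  1
GigabitEthernet1/0/0 to GigabitEthernet1/0/23
                   Used          Free         Total
----------------------------------------------------------------------------
  VACL             12            1012         1024

  IACL Unallocated -             -            1024
  IACL Allocated   -             -            1024
    IPv4   ACL     1             255          256
    Sec    ACL     284           228          512

  EACL Unallocated -             -            512
  EACL Allocated   -             -            0

  Ingress Meter    29            2019         2048
  Egress  Meter    0             512          512
  Ingress Counter  112           1936         2048
  Egress  Counter  0             512          512

  Ingress UDF      7             1            8
----------------------------------------------------------------------------
"""


def _is_counter(token: str) -> bool:
    """A counter cell is either an integer or '-' (not applicable)."""
    return token == "-" or token.isdigit()


def _cell(token: str) -> Optional[int]:
    return None if token == "-" else int(token)


def parse_acl_resource(text: str) -> List[Resource]:
    """Return one Resource per data row, in display order.

    A data row ends with three counter cells (Used, Free, Total); the
    tokens before them, joined by single spaces, form the resource name.
    Slot, interface-range, header and separator lines have fewer tokens
    or a non-counter tail and are skipped.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not all(_is_counter(t) for t in tokens[-3:]):
            continue
        used, free, total = (_cell(t) for t in tokens[-3:])
        rows.append(Resource(" ".join(tokens[:-3]), used, free, total))
    return rows


def utilization(res: Resource) -> Optional[float]:
    """Used/Total in percent; None when the row has no usable counters."""
    if res.used is None or not res.total:
        return None
    return round(100.0 * res.used / res.total, 1)


def resources_over_threshold(rows: List[Resource],
                             threshold_pct: float) -> List[Tuple[str, float]]:
    """(name, percent) for every row at or above the threshold."""
    hits = []
    for r in rows:
        pct = utilization(r)
        if pct is not None and pct >= threshold_pct:
            hits.append((r.name, pct))
    return hits


def lookup(rows: List[Resource], name: str) -> Resource:
    for r in rows:
        if r.name == name:
            return r
    raise KeyError(name)


if __name__ == "__main__":
    for name, pct in resources_over_threshold(parse_acl_resource(SAMPLE_OUTPUT), 80.0):
        print(f"{name}: {pct}% used")
```

Rows whose Used column is "-" or whose Total is 0 (the Unallocated and empty Allocated lines) are reported as having no utilization rather than as 0%, so a pool that is simply not carved out is not mistaken for a healthy one. On the sample output the only table over 80% is Ingress UDF (7 of 8), which is exactly the kind of small table that runs out first.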

display snmp-agent trap feature-name acle all

Function

The display snmp-agent trap feature-name acle all command displays the status of all traps on the ACL module.

Format

display snmp-agent trap feature-name acle all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name acle all command to check the status of all traps of ACL. You can use the snmp-agent trap enable feature-name acle command to enable the trap function of ACL.

Prerequisites

SNMP has been enabled. See snmp-agent.

Example

# Display all the traps of the ACL module.

<HUAWEI> display snmp-agent trap feature-name acle all
------------------------------------------------------------------------------
Feature name: ACLE
Trap number : 4
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwAclResTotalCountExceedTrap    on                      on
hwAclResTotalCountExceedClearTrap
                                on                      on
hwAclResThresholdExceedTrap     on                      on
hwAclResThresholdExceedClearTrap
                                on                      on
Table 14-11  Description of the display snmp-agent trap feature-name acle all command output

Item

Description

Feature name

Name of the module that the trap belongs to.

Trap number

Number of traps.

Trap name

Trap name. Traps of the ACL module include:
  • hwAclResTotalCountExceedTrap: Huawei proprietary trap sent when the ACL resource usage on the device reaches 100%.

  • hwAclResTotalCountExceedClearTrap: Huawei proprietary trap sent when the ACL resource usage on the device reaches 100% and then falls below 100% and stays below 100% for a period of time.

  • hwAclResThresholdExceedTrap: Huawei proprietary trap sent when the ACL resource usage on the device exceeds the upper alarm threshold (a percentage).

  • hwAclResThresholdExceedClearTrap: Huawei proprietary trap sent when the ACL resource usage on the device falls below the lower alarm threshold (a percentage).

Default switch status

Default status of the trap function:
  • on: indicates that the trap function is enabled by default.

  • off: indicates that the trap function is disabled by default.

Current switch status

Status of the trap function:

  • on: indicates that the trap function is enabled.

  • off: indicates that the trap function is disabled.

display time-range

Function

The display time-range command displays the configuration and status of the current time range.

Format

display time-range { all | time-name }

Parameters

Parameter

Description

Value

all

Indicates all the configured time ranges.

-

time-name

Specifies the name of a time range during which ACL rules take effect.

The value is a string of 1 to 32 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To specify a time range during which ACL rules take effect, run the time-range command and reference the time range name when you configure an ACL.

Before using a time range to filter data packets, run the display time-range command to view the time range configuration to avoid duplicate time ranges.

NOTE:

The device updates the status of ACLs with a delay of about 30 seconds. The display time-range command uses the current time to determine whether a time range is active, so an ACL that references an active time range may still be displayed as inactive. This is normal.

Example

# Display the configuration and status of all time ranges.

<HUAWEI> display time-range all
Current time is 14:48:13 10-17-2012 Wednesday

Time-range : abc (Active)
from 23:23 2012/9/9 to 23:59 2012/12/31
Total time-range number is 1
Table 14-12  Description of the display time-range command output

Item

Description

Current time is 14:48:13 10-17-2012 Wednesday

The current time is Wednesday 14:48:13 10-17-2012.

Time-range : abc (Active)

The time range is named abc and is active. The time range can be:
  • Active.
  • Inactive.

from 23:23 2012/9/9 to 23:59 2012/12/31

Time range abc is from 23:23 2012/9/9 to 23:59 2012/12/31.

Total time-range number

Total number of configured time ranges.

ip address (ACL IP address pool view)

Function

The ip address command configures an IP address in an ACL IP address pool.

The undo ip address command deletes an IP address from an ACL IP address pool.

By default, no IP address is configured in an ACL IP address pool.

Format

ip address ip-address [ mask-length | wildcard | track-nqa admin-name test-name ]

undo ip address ip-address [ mask-length | wildcard | track-nqa admin-name test-name ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address in the ACL IP address pool.

The value is in dotted decimal notation.

mask-length

Specifies the subnet mask.

NOTE:

If the ACL IP address pool is invoked by the redirect ip-multihop command, ensure that the subnet mask is 32-bit long. Otherwise, redirection to the next hop will fail.

The value is an integer that ranges from 0 to 32.

wildcard

Specifies the wildcard of the IP address.

The value is in dotted decimal notation.

track-nqa

Specifies an NQA test instance to be associated with the ACL IP address pool.

-

admin-name

Specifies the administrator of the NQA test instance.

The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks (").

test-name

Specifies the name of the NQA test instance.

The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks (").

Views

ACL IP address pool view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an ACL IP address pool is created, you can run the ip address command to specify an IP address for the ACL IP address pool. The ACL IP address pool can be invoked by the redirect ip-multihop command to redirect packets to the next hop specified in the ACL IP address pool.

Prerequisites

An ACL IP address pool has been created by running the acl ip-pool command.

Precautions

The switch supports a maximum of 12 ACL IP address pools. Each ACL IP address pool supports a maximum of 64 IP addresses.

In the scenario when PBR is used to redirect packets to multiple next hops, if the device has no ARP entry matching the specified next hop IP address, the redirection does not take effect. The device still forwards packets to the original destination until the ARP entry matching the specified next hop IP address is generated on the device. You can run the display acl ip-pool command to check whether the next hop IP address specified in the ACL IP address pool takes effect.

Example

# Specify five IP addresses for the ACL IP address pool named abc.

<HUAWEI> system-view
[HUAWEI] acl ip-pool abc
[HUAWEI-acl-ip-pool-abc] ip address 192.168.10.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.20.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.30.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.40.1 32
[HUAWEI-acl-ip-pool-abc] ip address 192.168.50.1 32

ipv6 address (ACL IPv6 address pool view)

Function

The ipv6 address command configures an IPv6 address in an ACL IPv6 address pool.

The undo ipv6 address command deletes an IPv6 address from an ACL IPv6 address pool.

By default, no IPv6 address is configured in an ACL IPv6 address pool.

Format

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

ipv6 address ipv6-address [ track-nqa admin-name test-name ]

undo ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

undo ipv6 address ipv6-address [ track-nqa admin-name test-name ]

Parameters

Parameter

Description

Value

ipv6-address

Specifies the IPv6 address in the ACL IPv6 address pool.

The value is a 128-bit address written as 8 groups of 4 hexadecimal digits in the format X:X:X:X:X:X:X:X.

prefix-length

Specifies the prefix length of an IPv6 address.

NOTE:

If the ACL IPv6 address pool is invoked by the redirect ipv6-multihop command, ensure that the prefix length is 128. Otherwise, redirection to the next hop will fail.

The value is an integer that ranges from 1 to 128.

track-nqa

Specifies an NQA test instance to be associated with the ACL IPv6 address pool.

-

admin-name

Specifies the administrator of the NQA test instance.

The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks (").

test-name

Specifies the name of the NQA test instance.

The value is a string of 1 to 32 case-sensitive characters, excluding question marks (?), hyphens (-), and quotation marks (").

Views

ACL IPv6 address pool view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an ACL IPv6 address pool is created, you can run the ipv6 address command to specify an IPv6 address for the ACL IPv6 address pool. The ACL IPv6 address pool can be invoked by the redirect ipv6-multihop command to redirect packets to the next hop specified in the ACL IPv6 address pool.

Prerequisites

An ACL IPv6 address pool has been created by running the acl ipv6 ip-pool command.

Precautions

The switch supports a maximum of 12 ACL IPv6 address pools. Each ACL IPv6 address pool supports a maximum of 64 IPv6 addresses.

In the scenario where PBR is used to redirect packets to multiple next hops, if the device has no neighbor entry for the next hop IPv6 address, it sends NS packets to check whether the neighbor is reachable. If the neighbor is unreachable, packets are forwarded along the original path and the redirection does not take effect. You can run the display acl ipv6 ip-pool command to check whether the next hop IPv6 address specified in the ACL IPv6 address pool takes effect.

Example

# Specify four IPv6 addresses for the ACL IPv6 address pool named abc.

<HUAWEI> system-view
[HUAWEI] acl ipv6 ip-pool abc
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::1 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::2 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::3 128
[HUAWEI-acl6-ip-pool-abc] ipv6 address 2001:db8::4 128

reset acl counter

Function

The reset acl counter command clears statistics about ACLs.

Format

reset acl counter { name acl-name | acl-number | all }

Parameters

Parameter

Description

Value

name acl-name

Specifies the name of an ACL whose statistics need to be cleared.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

acl-number

Specifies the number of an ACL whose statistics need to be cleared.

The value is an integer.
  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 5000 to 5999.
  • The number of a user ACL ranges from 6000 to 9999.

all

Clears all the ACL statistics.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To obtain the accurate ACL statistics generated in a certain period, run the reset acl counter command to clear existing statistics and start statistics collection.

After the reset acl counter command is executed, the system displays no prompt about the statistics deletion.

Before running the reset acl counter command, make sure that you really want to clear the ACL statistics.

Follow-up Procedure

After running the reset acl counter command to clear the previous ACL statistics, you can use the display acl match-counter command in the diagnostic view to check ACL rules and statistics on the packets matching the ACL rules in the current period.

Example

# Clear statistics about ACL 2000.

<HUAWEI> reset acl counter 2000

reset acl ipv6 counter

Function

The reset acl ipv6 counter command clears the ACL6 statistics.

Format

reset acl ipv6 counter { name acl6-name | acl6-number | all }

Parameters

Parameter

Description

Value

name acl6-name

Specifies the name of an ACL6 whose statistics need to be cleared.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter.

acl6-number

Specifies the number of an ACL6 whose statistics need to be cleared.

The value is an integer that ranges from 2000 to 3999.

  • ACL6s numbered 2000 to 2999 are basic ACL6s.
  • ACL6s numbered 3000 to 3999 are advanced ACL6s.

all

Clears all the ACL6 statistics.

-

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To obtain the accurate ACL6 statistics in a certain period, run the reset acl ipv6 counter command to clear existing statistics and start statistics collection.

Before running the reset acl ipv6 counter command, make sure that you really want to clear the ACL6 statistics.

After the reset acl ipv6 counter command is executed, the system displays no prompt about the statistics deletion.

Follow-up Procedure

After running the reset acl ipv6 counter command to clear the previous ACL6 statistics, you can use the display acl ipv6 command to view ACL6 rules and statistics on the packets matching those rules in the current period.

Example

# Clear the statistics about basic ACL6 2000.

<HUAWEI> reset acl ipv6 counter 2000

rule (advanced ACL view)

Function

The rule command adds or modifies an advanced ACL rule.

The undo rule command deletes an advanced ACL rule.

By default, no advanced ACL rule is configured.

Format

  • When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as the Transmission Control Protocol (TCP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as the User Datagram Protocol (UDP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as GRE, IGMP, IP, IPINIP, OSPF, or a protocol number other than those of ICMP, TCP, and UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | vpn-instance vpn-instance-name ] *

  • To delete an advanced ACL rule, run:

    undo rule rule-id [ destination | destination-port | { { precedence | tos } * | dscp } | { fragment | first-fragment } | logging | icmp-type | source | source-port | tcp-flag | time-range | ttl-expired | vpn-instance ] *

NOTE:

The X series cards do not support ttl-expired.

If the ACL rules configured on X5S, X5E, and X2S series cards are hardware-based ACLs, tcp-flag is not supported.
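
The rule syntax above, together with the wildcard-mask, tcp-flag and rule-ID semantics that the parameter table of this command describes, as an added Python example. It is not Huawei code and not the switch's matching engine; it is a toy model for checking what a rule will match before it is applied. Everything it takes from the page: wildcard bit 0 means the address bit must match and bit 1 means it is ignored, with non-contiguous 1 bits allowed (192.168.1.169 with wildcard 0.0.0.172 matches 192.168.1.x0x0xx01); the six-bit TCP flag values, with established meaning ack or rst; and automatic rule IDs of 5, 10, 15 with the default step. Assumptions that are not stated on the page and are marked as such in the code: rules are evaluated in ascending rule-ID order with the first match winning, protocol ip matches every IP protocol, a rule carries a single tcp-flag selector, and an automatically assigned ID is the next multiple of the step above the highest existing ID. The rule set is constructed for the example.

```python
"""Toy model of advanced ACL rule matching (added example, not Huawei code).

Implements the wildcard-mask semantics and TCP flag values from the
parameter table of the rule (advanced ACL view) command. Assumptions not
stated on the page: ascending rule-ID evaluation with first match winning,
"ip" matching every IP protocol, one tcp-flag selector per rule, and
automatic IDs being the next multiple of the step above the highest ID.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # what the keyword "any" expands to

# 6-bit TCP flag values exactly as the parameter table gives them.
TCP_FLAG_BITS = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
                 "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match, bit 1 = don't care.
    The 1 bits need not be contiguous, unlike a subnet mask."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(packet_addr) & care) == (_addr(rule_addr) & care)


def match_pattern(rule_addr: str, wildcard: str) -> str:
    """Render the matching addresses the way the page does:
    192.168.1.169 with wildcard 0.0.0.172 -> '192.168.1.x0x0xx01'."""
    a, w = _addr(rule_addr), _addr(wildcard)
    octets = []
    for shift in (24, 16, 8, 0):
        ao, wo = (a >> shift) & 0xFF, (w >> shift) & 0xFF
        if wo == 0:
            octets.append(str(ao))
        else:
            octets.append("".join("x" if (wo >> b) & 1 else str((ao >> b) & 1)
                                  for b in range(7, -1, -1)))
    return ".".join(octets)


def tcp_flag_match(flags: int, selector: str) -> bool:
    """'established' is ack (010000) or rst (000100); any other selector
    names a single flag bit that must be set."""
    if selector == "established":
        return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(flags & TCP_FLAG_BITS[selector])


def next_rule_id(existing_ids: List[int], step: int = 5) -> int:
    """Assumed allocation policy: first multiple of the step above the
    highest existing ID, so an empty ACL gets 5, 10, 15, ... by default."""
    if not existing_ids:
        return step
    return (max(existing_ids) // step + 1) * step


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip", "tcp", "udp", "icmp", ...
    source: Tuple[str, str] = ANY        # (address, wildcard)
    destination: Tuple[str, str] = ANY
    tcp_flag: Optional[str] = None       # assumption: one selector per rule


def rule_matches(rule: Rule, pkt: Dict) -> bool:
    if rule.protocol != "ip" and pkt["protocol"] != rule.protocol:
        return False                     # assumption: "ip" matches any protocol
    if not wildcard_match(pkt["src"], *rule.source):
        return False
    if not wildcard_match(pkt["dst"], *rule.destination):
        return False
    if rule.tcp_flag is not None:
        if pkt["protocol"] != "tcp" or not tcp_flag_match(pkt.get("flags", 0), rule.tcp_flag):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Dict) -> Optional[Tuple[str, int]]:
    """First matching rule in ascending ID order (assumed), else None."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return None


# Constructed rule set, equivalent to these CLI lines:
#   rule 5 permit tcp source 192.168.1.169 0.0.0.172 tcp-flag established
#   rule 10 deny ip source 192.168.1.0 0.0.0.255
SAMPLE_RULES = [
    Rule(5, "permit", "tcp", source=("192.168.1.169", "0.0.0.172"), tcp_flag="established"),
    Rule(10, "deny", "ip", source=("192.168.1.0", "0.0.0.255")),
]

if __name__ == "__main__":
    print(match_pattern("192.168.1.169", "0.0.0.172"))
    pkt = {"protocol": "tcp", "src": "192.168.1.161", "dst": "10.0.0.1",
           "flags": TCP_FLAG_BITS["ack"]}
    print(evaluate(SAMPLE_RULES, pkt))
```

The wildcard test uses the complement of the wildcard as a care mask, so non-contiguous 1 bits such as 0.0.0.172 behave exactly as the parameter table describes; a check built on subnet masks would silently treat them as a prefix. Rendering the pattern before applying a rule is the useful part: a wildcard with stray 1 bits permits many more hosts than the single address written in the rule, and on the sample rule set a host such as 192.168.1.161 is permitted by rule 5 even though only 192.168.1.169 appears in the configuration.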

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If a rule with the specified ID already exists, the new configuration is applied to that rule, that is, the existing rule is modified. If no rule with the specified ID exists, the device creates a rule and places it according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. Rule IDs are sorted in ascending order, and the device allocates IDs automatically according to the step, which is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmp

Indicates that the protocol type is ICMP (protocol number 1).

-

tcp

Indicates that the protocol type is TCP (protocol number 6).

-

udp

Indicates that the protocol type is UDP (protocol number 17).

-

gre

Indicates that the protocol type is GRE (protocol number 47).

-

igmp

Indicates that the protocol type is IGMP (protocol number 2).

-

ip

Indicates that the protocol type is IP.

-

ipinip

Indicates that the protocol type is IPINIP (protocol number 4).

-

ospf

Indicates that the protocol type is OSPF (protocol number 89).

-

protocol-number

Indicates the protocol type expressed by name or number.
NOTE:

Parameters in an ACL vary with the protocol type. The combination of source-port { eq port | gt port | lt port | range port-start port-end } and destination-port { eq port | gt port | lt port | range port-start port-end } is applicable to TCP and UDP only.

The value expressed by number is an integer that ranges from 1 to 255.

destination { destination-address destination-wildcard | any }

Indicates the destination IP address of packets that match the ACL rule. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: matches any destination IP address; it is equivalent to a destination-address of 0.0.0.0 with a destination-wildcard of 255.255.255.255.

destination-address: The value is in dotted decimal notation.

destination-wildcard: The value is in dotted decimal notation. A wildcard mask of 0, equivalent to 0.0.0.0, means that every bit of the destination IP address must match, that is, the rule matches a single host address.

NOTE:
The wildcard is in dotted decimal format. When it is converted to binary, a 0 bit means that the corresponding bit of the IP address must match, and a 1 bit means that the corresponding bit is ignored. The 0 and 1 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 matches the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.

icmp-type { icmp-name | icmp-type [ icmp-code ] }

Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.

icmp-type is an integer that ranges from 0 to 255.

icmp-code is an integer that ranges from 0 to 255.

Table 14-14 lists the mapping between ICMP names and ICMP types and codes.

source { source-address source-wildcard | any }

Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address of packets. That is, the value of source-address is 0.0.0.0 or the value of source-wildcard is 255.255.255.255.

source-address: The value is in dotted decimal notation.

source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address.

NOTE:
The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the corresponding address bit must match and the value 1 indicates that the corresponding address bit is ignored. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01, where each x can be 0 or 1.

tcp-flag

Indicates the SYN Flag in the TCP packet header.

-

ack

Indicates that the SYN Flag type in the TCP packet header is ack (010000).

-

established

Indicates that the SYN Flag type in the TCP packet header is ack(010000) or rst(000100).

-

fin

Indicates that the SYN Flag type in the TCP packet header is fin (000001).

-

psh

Indicates that the SYN Flag type in the TCP packet header is psh (001000).

-

rst

Indicates that the SYN Flag type in the TCP packet header is rst (000100).

-

syn

Indicates that the SYN Flag type in the TCP packet header is syn (000010).

-

urg

Indicates that the SYN Flag type in the TCP packet header is urg (100000).

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

destination-port { eq port | gt port | lt port | range port-start port-end }

Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equivalent to the destination port number.
  • gt port: greater than the destination port number.
  • lt port: smaller than the destination port number.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 14-15 and Table 14-16 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.

source-port { eq port | gt port | lt port | range port-start port-end }

Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equivalent to the source port number.
  • gt port: greater than the source port number.
  • lt port: smaller than the source port number.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 14-15 and Table 14-16 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.

dscp dscp

Specifies the value of a Differentiated Services Code Point (DSCP).

NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.

The value is an integer or a name.
  • The value ranges from 0 to 63 when it is an integer.
  • When it is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

tos tos

Indicates that packets are filtered according to the Type of Service (ToS).

The value is an integer or a name.
  • The value ranges from 0 to 15 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 14-13 describes the mapping between ToS names and values.

precedence precedence

Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value.

The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network.

fragment

Indicates that the rule is valid only for non-initial fragments. If this parameter is specified, the rule is valid for only non-initial fragments.

-

first-fragment

Indicates that the rule is valid for only initial fragments. If this parameter is specified, the rule is valid for only initial fragments.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter and traffic-secure commands reference ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

-

ttl-expired

Matches packets with the TTL value 1. If this keyword is not specified, the ACL rule matches packets with any TTL value.

-

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against ACL.

The value must be an existing VPN instance name.

Table 14-13  Mapping between ToS names and values

ToS Name          | Value
normal            | 0
min-monetary-cost | 1
max-reliability   | 2
max-throughput    | 4
min-delay         | 8


Table 14-14  Mapping between ICMP names and ICMP types and codes

icmp-name            | icmp-type | icmp-code
Echo                 | 8         | 0
Echo-reply           | 0         | 0
Parameter-problem    | 12        | 0
Port-unreachable     | 3         | 3
Protocol-unreachable | 3         | 2
Reassembly-timeout   | 11        | 1
Source-quench        | 4         | 0
Source-route-failed  | 3         | 5
Timestamp-reply      | 14        | 0
Timestamp-request    | 13        | 0
Ttl-exceeded         | 11        | 0
Fragmentneed-DFset   | 3         | 4
Host-redirect        | 5         | 1
Host-tos-redirect    | 5         | 3
Host-unreachable     | 3         | 1
Information-reply    | 16        | 0
Information-request  | 15        | 0
Net-redirect         | 5         | 0
Net-tos-redirect     | 5         | 2
Net-unreachable      | 3         | 0


Table 14-15  Mapping between the well-known source or destination port numbers of UDP and values of port

Port Number | Value of port | Protocol | Description
7 | echo | Echo | Echo service.
9 | discard | Discard | Null service used for connectivity test.
37 | time | Time | Time protocol.
42 | nameserver | Host Name Server | Host name service.
53 | dns | Domain Name Service (DNS) | Domain name service.
65 | tacacs-ds | TACACS-Database Service | TACACS database service.
67 | bootps | Bootstrap Protocol Server | Bootstrap Protocol (BOOTP) Server, also used by Dynamic Host Configuration Protocol (DHCP).
68 | bootpc | Bootstrap Protocol Client | Bootstrap Protocol (BOOTP) Client, also used by Dynamic Host Configuration Protocol (DHCP).
69 | tftp | Trivial File Transfer Protocol (TFTP) | Trivial File Transfer Protocol (TFTP).
90 | dnsix | DNSIX Security Attribute Token Map | DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map.
111 | sunrpc | SUN Remote Procedure Call (SUN RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS).
123 | ntp | Network Time Protocol (NTP) | Network Time Protocol (NTP), which may be utilized by worm virus.
137 | netbios-ns | NETBIOS Name Service | NETBIOS name service.
138 | netbios-dgm | NETBIOS Datagram Service | NETBIOS datagram service.
139 | netbios-ssn | NETBIOS Session Service | NETBIOS session service.
161 | snmp | SNMP | Simple Network Management Protocol (SNMP).
162 | snmptrap | SNMPTRAP | SNMP trap.
177 | xdmcp | X Display Manager Control Protocol (XDMCP) | X Display Manager Control Protocol (XDMCP).
434 | mobilip-ag | MobileIP-Agent | Mobile IP agent.
435 | mobilip-mn | MobileIP-MN | Mobile IP management.
512 | biff | Mail notify | Notifies user of received emails.
513 | who | Who | Login user list.
514 | syslog | Syslog | UNIX system log service.
517 | talk | Talk | Remotely talks with server and client.
520 | rip | Routing Information Protocol | RIP routing protocol.

Table 14-16  Mapping between the well-known source or destination port numbers of TCP and values of port

Port Number | Value of port | Protocol | Description
7 | echo | Echo | Echo service.
9 | discard | Discard | Null service used for connectivity test.
13 | daytime | Daytime | Daytime protocol.
19 | CHARgen | Character generator | Character Generator Protocol.
20 | ftp-data | FTP data connections | FTP data port.
21 | ftp | File Transfer Protocol (FTP) | File Transfer Protocol (FTP) port.
23 | telnet | Telnet | Telnet service.
25 | smtp | Simple Mail Transport Protocol (SMTP) | Simple Mail Transfer Protocol (SMTP).
37 | time | Time | Time protocol.
43 | whois | Nicname (WHOIS) | Directory service.
49 | tacacs | TAC Access Control System (TACACS) | Access control system based on TCP/IP authentication (TACACS login host protocol).
53 | domain | Domain Name Service (DNS) | Domain name service.
70 | gopher | Gopher | Information index protocol (document searching and indexing on the Internet).
79 | finger | Finger | Queries online user information on a remote host.
80 | www | World Wide Web (HTTP) | Protocol used by the WWW service. HTTP is used to browse web pages. NOTE: If the HTTPS protocol is used, the port number is 443.
101 | hostname | NIC hostname server | Host name service on the NIC machine.
109 | pop2 | Post Office Protocol v2 | Email protocol version 2.
110 | pop3 | Post Office Protocol v3 | Email protocol version 3.
111 | sunrpc | Sun Remote Procedure Call (RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS).
119 | nntp | Network News Transport Protocol (NNTP) | Network News Transfer Protocol for retrieval of newsgroup messages. It carries USENET.
179 | bgp | Border Gateway Protocol (BGP) | Border Gateway Protocol (BGP).
194 | irc | Internet Relay Chat (IRC) | Internet Relay Chat (IRC) protocol.
512 | exec | Exec (rsh) | Authenticates remote process.
513 | login | Login (rlogin) | Remote login.
514 | cmd | Remote commands | Used to execute non-interactive commands on a remote system (rshell, rcp).
515 | lpd | Printer service | Line Printer Daemon. It is a print service.
517 | talk | Talk | Remotely talks with server and client.
540 | uucp | Unix-to-Unix Copy Program | Unix-to-Unix copy protocol.
543 | klogin | Kerberos login | Kerberos login protocol version 5.
544 | kshell | Kerberos shell | Kerberos Remote shell protocol version 5.


Views

Advanced ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.

The time-range parameter of the rule command binds the rule to a time range, so you can control the period during which ACL rules take effect.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

The parameter fragment cannot be set together with source-port, destination-port, icmp-type, and tcp-flag; otherwise, the following error message is displayed:
Error: The fragment cannot be configured together with the source-port, destination-port, icmp-type and tcp-flag.

Example

# Add a rule to ACL 3000 to filter ICMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp

# Delete a rule from ACL 3000.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] undo rule 1

# Add a rule to ACL 3000 to filter IGMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 2 permit igmp

# Add a rule to ACL 3000 to filter packets with DSCP priorities.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 3 permit ip dscp cs1

# Add a rule to ACL 3001 to filter all the IP packets sent from hosts at 10.9.0.0 to hosts at 10.38.160.0.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255

# Add a rule to ACL 3001 to filter UDP packets with destination port number 128 sent from 10.9.8.0 to 10.38.160.0.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
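The following Python is an added example, not part of the Huawei reference, that models the advanced ACL matching semantics described in this section: the wildcard-mask rule (including the 192.168.1.169 / 0.0.0.172 case from the NOTE), the eq/gt/lt/range port operators, tcp-flag established as ack or rst, and the destination-port eq 128 rule from the examples above. The Packet and Rule classes are hypothetical (not a device API); the rule IDs, the final deny rule, first-match evaluation in ascending rule-ID order, and one tcp-flag keyword per rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# tcp-flag bit values as the reference lists them (low six bits of the TCP
# flags byte); "established" means ack or rst is set.
TCP_FLAG_BITS = {"fin": 0b000001, "syn": 0b000010, "rst": 0b000100,
                 "psh": 0b001000, "ack": 0b010000, "urg": 0b100000}


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics from the reference: a 0 bit must match, a 1 bit is
    ignored, and the 1 bits need not be contiguous."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_addr) & care) == (_ip(rule_addr) & care)


def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Render what an address/wildcard pair matches, octet by octet, writing
    'x' for don't-care bits (the reference's 192.168.1.x0x0xx01 notation)."""
    rule, wild, octets = _ip(rule_addr), _ip(wildcard), []
    for shift in (24, 16, 8, 0):
        r_oct, w_oct = (rule >> shift) & 0xFF, (wild >> shift) & 0xFF
        if w_oct == 0:
            octets.append(str(r_oct))
        else:
            octets.append("".join("x" if (w_oct >> b) & 1 else str((r_oct >> b) & 1)
                                  for b in range(7, -1, -1)))
    return ".".join(octets)


def port_match(op: Optional[Tuple], port: int) -> bool:
    """eq/gt/lt/range exactly as the destination-port and source-port
    parameters define them; None means the operator was omitted (any port)."""
    if op is None:
        return True
    kind, lo, hi = op[0], op[1], op[-1]
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo,
            "range": lo <= port <= hi}[kind]


@dataclass
class Packet:  # hypothetical packet summary, constructed for this example
    src: str
    dst: str
    protocol: str          # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0     # bit mask built from TCP_FLAG_BITS


@dataclass
class Rule:  # hypothetical model of one advanced ACL rule
    rule_id: int
    action: str                                     # "permit" or "deny"
    protocol: str                                   # "ip" matches any protocol
    source: Optional[Tuple[str, str]] = None        # (address, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None
    source_port: Optional[Tuple] = None             # ("eq", 53), ("range", 1, 1023), ...
    destination_port: Optional[Tuple] = None
    tcp_flag: Optional[str] = None                  # one tcp-flag keyword (assumption)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.source and not wildcard_match(pkt.src, *self.source):
            return False
        if self.destination and not wildcard_match(pkt.dst, *self.destination):
            return False
        # Port operators apply only to TCP and UDP, as the reference states.
        if pkt.protocol in ("tcp", "udp") and not (
                port_match(self.source_port, pkt.sport)
                and port_match(self.destination_port, pkt.dport)):
            return False
        if self.tcp_flag:
            if pkt.protocol != "tcp":
                return False
            want = (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]
                    if self.tcp_flag == "established" else TCP_FLAG_BITS[self.tcp_flag])
            if not pkt.tcp_flags & want:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First match in ascending rule-ID order wins (an assumption of this
    model); None means no rule matched."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return None


# Constructed ACL: the reference's UDP destination-port 128 rule, an
# established-only TCP rule, and a final deny (rule IDs are assumed).
ACL_3001 = [
    Rule(5, "permit", "udp", ("10.9.8.0", "0.0.0.255"), ("10.38.160.0", "0.0.0.255"),
         destination_port=("eq", 128)),
    Rule(10, "permit", "tcp", None, ("10.38.160.0", "0.0.0.255"), tcp_flag="established"),
    Rule(15, "deny", "ip"),
]
```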

rule (advanced ACL6 view)

Function

The rule command adds or modifies an advanced ACL6 rule.

The undo rule command deletes an advanced ACL6 rule.

By default, no advanced ACL6 rule is created.

Format

  • When protocol is set to TCP, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

  • When protocol is set to UDP, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When protocol is set to ICMPv6, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When protocol is set to other protocols, the command format of an advanced ACL6 rule is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

  • To delete an advanced ACL6 rule, run:

    undo rule rule-id [ destination | destination-port | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type | logging | { { precedence | tos } * | dscp } | routing | source | source-port | tcp-flag | time-range | vpn-instance ] *

NOTE:

If the ACL rules configured on X5S, X5E, and X2S series cards are hardware-based ACLs, tcp-flag is not supported.

Parameters

Parameter

Description

Value

rule-id Specifies the ID of a rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, a rule is created using the ID and ordered based on the configured sequence.
  • If the rule ID is not specified, the device allocates an ID to the new rule. By default, the step of ACL6 is 1 and cannot be changed. Therefore, the device allocates IDs at an interval of 1 to ACL6 rules.
The value is an integer that ranges from 0 to 2047.
deny Drops packets that match the rule. -
permit Forwards packets that match the rule. -
tcp

Specifies TCP as the protocol type.

-
udp

Specifies UDP as the protocol type.

-
icmpv6

Specifies ICMPv6 as the protocol type.

-
protocol-number Specifies the protocol type, expressed as a name or a number. The value ranges from 1 to 255. The protocol type expressed as a name can be GRE, ICMPv6, IPv6, OSPF, TCP, or UDP.
destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } Indicates the destination address and prefix of a packet. destination-ipv6-address is expressed in hexadecimal notation. The value of prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any destination address.
destination destination-ipv6-address postfix postfix-length Indicates the destination address and the length of destination address postfix. destination-ipv6-address indicates the destination address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.
dscp dscp Specifies the Differentiated Services Code Point (DSCP) value.
NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.

The value of dscp can be an integer or a name. When the value is an integer, the value ranges from 0 to 63. When the value is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.
routing [ routing-type routing-type ] Matches packets that carry an IPv6 routing header. The routing-type parameter specifies the Routing Type field of that header. The value of routing-type is an integer that ranges from 0 to 255.
fragment Indicates that the rule is valid for only non-first fragmented packets. -
first-fragment Indicates that the rule is valid for only initial fragmented packets. -
logging Logs IP information of packets that match the rule.
NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter command references ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.
-
precedence precedence Indicates that the packets are filtered according to the precedence field. precedence can be expressed as a name or a number. The value ranges from 0 to 7.
source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } Indicates the source address and prefix of a packet. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any source address.
source source-ipv6-address postfix postfix-length Indicates the source address and the length of source address postfix. source-ipv6-address indicates the source address and is expressed in hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.
destination-port { eq port | gt port | lt port | range port-start port-end }
Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equivalent to the destination port number.
  • gt port: greater than the destination port number.
  • lt port: smaller than the destination port number.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 14-20 and Table 14-19 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.

source-port { eq port | gt port | lt port | range port-start port-end }
Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equivalent to the source port number.
  • gt port: greater than the source port number.
  • lt port: smaller than the source port number.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 14-20 and Table 14-19 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.

icmp6-type { icmp6-type-name | icmp6-type [ icmp6-code ] } Indicates the type and code of ICMPv6 packets, which are valid only when the protocol of packets is ICMPv6. If this parameter is not specified, all types of ICMPv6 packets are matched.

icmp6-type: specifies the type of ICMPv6 messages. The value ranges from 0 to 255.

icmp6-code: specifies the code of ICMPv6 messages. The value ranges from 0 to 255.

The values of icmp6-type-name and the corresponding ICMP-Type and ICMP-Code are listed in Table 14-18.

tcp-flag

Indicates the SYN Flag in the TCP packet header.

-
ack Specifies the type of the SYN Flag in the TCP packet header is ack(010000). -
established Specifies the type of the SYN Flag in the TCP packet header is ack(010000) or rst(000100). -
fin Specifies the type of the SYN Flag in the TCP packet header is fin(000001). -
psh Specifies the type of the SYN Flag in the TCP packet header is psh(001000). -
rst Specifies the type of the SYN Flag in the TCP packet header is rst(000100). -
syn Specifies the type of the SYN Flag in the TCP packet header is syn(000010). -
urg Specifies the type of the SYN Flag in the TCP packet header is urg(100000). -
time-range time-name Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.
NOTE:

When you specify the time-range parameter to reference a time range in the ACL6, if the specified time-name does not exist, the ACL6 does not take effect.

The value of time-name is a string of 1 to 32 characters.
tos tos Indicates that packets are filtered according to the Type of Service (ToS).
The value is an integer or a name.
  • The value ranges from 0 to 15 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 14-17 describes the mapping between ToS names and values.
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against ACL.

The value must be an existing VPN instance name.

Table 14-17  Mapping between ToS names and values

ToS Name          | Value
normal            | 0
min-monetary-cost | 1
max-reliability   | 2
max-throughput    | 4
min-delay         | 8


Table 14-18  Values of icmp6-type-name and the corresponding ICMP-Type and ICMP-Code

icmp6-type-name        | icmp-type | icmp-code
Redirect               | 137       | 0
Echo                   | 128       | 0
Echo-reply             | 129       | 0
Err-Header-field       | 4         | 0
Frag-time-exceeded     | 3         | 1
Hop-limit-exceeded     | 3         | 0
Host-admin-prohib      | 1         | 1
Host-unreachable       | 1         | 3
Neighbor-advertisement | 136       | 0
Neighbor-solicitation  | 135       | 0
Network-unreachable    | 1         | 0
Packet-too-big         | 2         | 0
Port-unreachable       | 1         | 4
Router-advertisement   | 134       | 0
Router-solicitation    | 133       | 0
Unknown-ipv6-opt       | 4         | 2
Unknown-next-hdr       | 4         | 1


Table 14-19  Mapping between the well-known source or destination port numbers of TCP and values of port

Port Number | Value of port | Protocol | Description
7 | echo | Echo | Echo service.
9 | discard | Discard | Null service used for connectivity test.
13 | daytime | Daytime | Daytime protocol.
19 | CHARgen | Character generator | Character Generator Protocol.
20 | ftp-data | FTP data connections | FTP data port.
21 | ftp | File Transfer Protocol (FTP) | File Transfer Protocol (FTP) port.
23 | telnet | Telnet | Telnet service.
25 | smtp | Simple Mail Transport Protocol (SMTP) | Simple Mail Transfer Protocol (SMTP).
37 | time | Time | Time protocol.
43 | whois | Nicname (WHOIS) | Directory service.
49 | tacacs | TAC Access Control System (TACACS) | Access control system based on TCP/IP authentication (TACACS login host protocol).
53 | domain | Domain Name Service (DNS) | Domain name service.
70 | gopher | Gopher | Information index protocol (document searching and indexing on the Internet).
79 | finger | Finger | Queries online user information on a remote host.
80 | www | World Wide Web (HTTP) | Protocol used by the WWW service. HTTP is used to browse web pages. NOTE: If the HTTPS protocol is used, the port number is 443.
101 | hostname | NIC hostname server | Host name service on the NIC machine.
109 | pop2 | Post Office Protocol v2 | Email protocol version 2.
110 | pop3 | Post Office Protocol v3 | Email protocol version 3.
111 | sunrpc | Sun Remote Procedure Call (RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS).
119 | nntp | Network News Transport Protocol (NNTP) | Network News Transfer Protocol for retrieval of newsgroup messages. It carries USENET.
179 | bgp | Border Gateway Protocol (BGP) | Border Gateway Protocol (BGP).
194 | irc | Internet Relay Chat (IRC) | Internet Relay Chat (IRC) protocol.
512 | exec | Exec (rsh) | Authenticates remote process.
513 | login | Login (rlogin) | Remote login.
514 | cmd | Remote commands | Used to execute non-interactive commands on a remote system (rshell, rcp).
515 | lpd | Printer service | Line Printer Daemon. It is a print service.
517 | talk | Talk | Remotely talks with server and client.
540 | uucp | Unix-to-Unix Copy Program | Unix-to-Unix copy protocol.
543 | klogin | Kerberos login | Kerberos login protocol version 5.
544 | kshell | Kerberos shell | Kerberos Remote shell protocol version 5.

Table 14-20  Mapping between the well-known source or destination port numbers of UDP and values of port

Port Number | Value of port | Protocol | Description
7 | echo | Echo | Echo service.
9 | discard | Discard | Null service used for connectivity test.
37 | time | Time | Time protocol.
42 | nameserver | Host Name Server | Host name service.
53 | dns | Domain Name Service (DNS) | Domain name service.
65 | tacacs-ds | TACACS-Database Service | TACACS database service.
67 | bootps | Bootstrap Protocol Server | Bootstrap Protocol (BOOTP) Server, also used by Dynamic Host Configuration Protocol (DHCP).
68 | bootpc | Bootstrap Protocol Client | Bootstrap Protocol (BOOTP) Client, also used by Dynamic Host Configuration Protocol (DHCP).
69 | tftp | Trivial File Transfer Protocol (TFTP) | Trivial File Transfer Protocol (TFTP).
90 | dnsix | DNSIX Security Attribute Token Map | DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map.
111 | sunrpc | SUN Remote Procedure Call (SUN RPC) | RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS).
123 | ntp | Network Time Protocol (NTP) | Network Time Protocol (NTP), which may be utilized by worm virus.
137 | netbios-ns | NETBIOS Name Service | NETBIOS name service.
138 | netbios-dgm | NETBIOS Datagram Service | NETBIOS datagram service.
139 | netbios-ssn | NETBIOS Session Service | NETBIOS session service.
161 | snmp | SNMP | Simple Network Management Protocol (SNMP).
162 | snmptrap | SNMPTRAP | SNMP trap.
177 | xdmcp | X Display Manager Control Protocol (XDMCP) | X Display Manager Control Protocol (XDMCP).
434 | mobilip-ag | MobileIP-Agent | Mobile IP agent.
435 | mobilip-mn | MobileIP-MN | Mobile IP management.
512 | biff | Mail notify | Notifies user of received emails.
513 | who | Who | Login user list.
514 | syslog | Syslog | UNIX system log service.
517 | talk | Talk | Remotely talks with server and client.
520 | rip | Routing Information Protocol | RIP routing protocol.


Views

Advanced ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Advanced ACL6s classify packets based on the source IPv6 address, destination IPv6 address, source port number, destination port number, and protocol type.

The time-range parameter of the rule command restricts a rule to a named time range, so the time at which ACL6 rules take effect can be configured flexibly.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

The parameter fragment cannot be set together with source-port, destination-port, icmp6-type, and tcp-flag.

Example

# Add a rule to ACL6 3000 that denies UDP packets from fc00:1::/64 to fc00:3::/64 whose destination port number is greater than 128.

<HUAWEI> system-view
[HUAWEI] acl ipv6 3000
[HUAWEI-acl6-adv-3000] rule deny udp source fc00:1::1 64 destination fc00:3::1 64 destination-port gt 128
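The following Python model is an added illustration, not code from the page or from the switch software. It evaluates the example rule above against constructed IPv6 packets, implements the eq, gt, lt and range port operators, and shows why fragment is excluded alongside the port parameters: a non-first fragment carries no UDP or TCP header, so a port-based deny never sees it and only a rule with fragment can catch it. Rule IDs 5 and 10 are given explicitly; the Packet6 and Rule6 names and the fragment model are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


# Constructed packet model. A non-first fragment carries no transport header,
# so its port numbers are unknown (None) to the ACL engine.
@dataclass
class Packet6:
    src: str
    dst: str
    proto: str                          # "tcp" | "udp" | "icmpv6"
    sport: Optional[int] = None
    dport: Optional[int] = None
    non_first_fragment: bool = False


PortPred = Callable[[int], bool]


def port_op(op: str, *args: int) -> PortPred:
    """Predicate for the eq / gt / lt / range operators of the rule syntax."""
    if op == "eq":
        return lambda p: p == args[0]
    if op == "gt":
        return lambda p: p > args[0]
    if op == "lt":
        return lambda p: p < args[0]
    if op == "range":
        lo, hi = args
        return lambda p: lo <= p <= hi
    raise ValueError(f"unknown port operator {op!r}")


def in_prefix(addr: str, rule_addr: str, prefix_length: int) -> bool:
    """'fc00:1::1 64' in the rule syntax means the /64 that contains fc00:1::1."""
    net = ipaddress.IPv6Network(f"{rule_addr}/{prefix_length}", strict=False)
    return ipaddress.IPv6Address(addr) in net


@dataclass
class Rule6:
    rule_id: int
    action: str                                  # "permit" | "deny"
    proto: str
    source: Optional[Tuple[str, int]] = None     # (address, prefix-length); None = any
    destination: Optional[Tuple[str, int]] = None
    source_port: Optional[PortPred] = None
    destination_port: Optional[PortPred] = None
    fragment: bool = False

    def __post_init__(self) -> None:
        # The CLI rejects fragment together with port parameters; mirror that check.
        if self.fragment and (self.source_port or self.destination_port):
            raise ValueError("fragment cannot be combined with source-port/destination-port")

    def matches(self, pkt: Packet6) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.source and not in_prefix(pkt.src, *self.source):
            return False
        if self.destination and not in_prefix(pkt.dst, *self.destination):
            return False
        if self.fragment and not pkt.non_first_fragment:
            return False                         # 'fragment' rules see only non-first fragments
        for pred, value in ((self.source_port, pkt.sport), (self.destination_port, pkt.dport)):
            if pred is not None:
                if value is None:                # no Layer 4 header to compare against
                    return False
                if not pred(value):
                    return False
        return True


def evaluate(rules: List[Rule6], pkt: Packet6) -> Optional[str]:
    """First match in ascending rule-ID order wins; None means no rule matched."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return None


def example_acl(with_fragment_rule: bool = False) -> List[Rule6]:
    """ACL6 3000 from the page; optionally add a 'fragment' rule for the same flow."""
    rules = [Rule6(5, "deny", "udp", ("fc00:1::1", 64), ("fc00:3::1", 64),
                   destination_port=port_op("gt", 128))]
    if with_fragment_rule:
        rules.append(Rule6(10, "deny", "udp", ("fc00:1::1", 64), ("fc00:3::1", 64),
                           fragment=True))
    return rules


# Constructed traffic: one UDP datagram to port 500, split into two fragments.
FIRST_FRAGMENT = Packet6("fc00:1::10", "fc00:3::20", "udp", sport=40000, dport=500)
LATER_FRAGMENT = Packet6("fc00:1::10", "fc00:3::20", "udp", non_first_fragment=True)

if __name__ == "__main__":
    print(evaluate(example_acl(), FIRST_FRAGMENT))        # deny
    print(evaluate(example_acl(), LATER_FRAGMENT))        # None
    print(evaluate(example_acl(True), LATER_FRAGMENT))    # deny
```

evaluate returns None rather than a default action because what happens to unmatched traffic depends on where the ACL is applied (for example by a traffic policy) and is not defined by the rule command itself.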

rule (basic ACL view)

Function

The rule command adds or modifies a basic ACL rule.

The undo rule command deletes a basic ACL rule.

By default, no rule is configured for a basic ACL.

Format

rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID already exists, the new parameters modify the rule with this ID. If the specified rule ID does not exist, the device creates a rule and positions it according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. Rule IDs are sorted in ascending order, and the device allocates them according to the step, which is set by using the step command.
NOTE:

ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match a rule.

-

source { source-address source-wildcard | any }
Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address. It is equivalent to source-address 0.0.0.0 with source-wildcard 255.255.255.255.

source-address : The value is in dotted decimal notation.

source-wildcard: The value is in dotted decimal notation. The wildcard can be given as 0, equivalent to 0.0.0.0, meaning that only the exact host address source-address is matched.

NOTE:
The wildcard is in dotted decimal format. After it is converted to binary, a 0 bit means the corresponding address bit must match and a 1 bit means it is ignored. The 1 and 0 bits need not be contiguous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the address pattern 192.168.1.x0x0xx01, where each x can be 0 or 1.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL.

The value must be an existing VPN instance name.

fragment

Indicates that the rule applies only to non-first fragments. When fragment is specified, the rule matches non-first fragments and does not match non-fragmented packets or the first fragment of a fragmented packet.

NOTE:
Rules that do not contain fragment are valid for all the packets.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter and traffic-secure commands reference ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range from the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

Views

Basic ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A basic ACL matches packets based on information such as source IP addresses, fragment flags, and time ranges.

The time-range parameter of the rule command restricts a rule to a named time range, so the time at which ACL rules take effect can be configured flexibly.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule in ACL 2001 to permit the packets from 192.168.32.1.

<HUAWEI> system-view 
[HUAWEI] acl 2001 
[HUAWEI-acl-basic-2001] rule permit source 192.168.32.1 0

# Delete rule 5 from ACL 2001.

<HUAWEI> system-view 
[HUAWEI] acl 2001 
[HUAWEI-acl-basic-2001] undo rule 5
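The following Python model is an added example, not code from the page or from the switch; it implements the wildcard semantics and rule-ID allocation described above for a basic ACL. It renders the page's 192.168.1.169 / 0.0.0.172 pattern, counts the addresses such a discontiguous wildcard admits, allocates rule IDs with the default step of 5 and evaluates packets in ascending rule-ID order. The BasicAcl class and the assumption that an auto-assigned ID is the next multiple of the step above the highest existing ID are the example's own.

```python
import ipaddress
from typing import Dict, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")        # what 'source any' stands for


def _int(dotted: str) -> int:
    # The page allows a bare "0" as shorthand for the wildcard 0.0.0.0.
    return 0 if dotted == "0" else int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care; the 1 bits need not be contiguous."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(rule_addr) & care)


def wildcard_pattern(rule_addr: str, wildcard: str) -> str:
    """Render the pattern the way the page does, e.g. 192.168.1.x0x0xx01."""
    out = []
    wildcard = wildcard if "." in wildcard else "0.0.0.0"
    for a, w in zip(rule_addr.split("."), wildcard.split(".")):
        a, w = int(a), int(w)
        if w == 0:
            out.append(str(a))
        else:
            out.append("".join("x" if (w >> i) & 1 else str((a >> i) & 1)
                               for i in range(7, -1, -1)))
    return ".".join(out)


def matched_hosts(wildcard: str) -> int:
    """Every don't-care bit doubles the number of addresses a rule covers."""
    return 1 << bin(_int(wildcard)).count("1")


class BasicAcl:
    """Rule IDs, step allocation and first-match evaluation of a basic ACL (2000-2999)."""

    def __init__(self, number: int, step: int = 5) -> None:
        self.number, self.step = number, step
        self.rules: Dict[int, Tuple[str, str, str]] = {}   # id -> (action, address, wildcard)

    def next_id(self) -> int:
        # Auto IDs are multiples of the step, starting at the step itself (5, 10, 15 ...).
        # Assumption for mixed use: an auto ID is the next multiple above the highest ID.
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, action: str, source: Tuple[str, str] = ANY,
             rule_id: Optional[int] = None) -> int:
        rid = self.next_id() if rule_id is None else rule_id
        self.rules[rid] = (action, source[0], source[1])    # an existing ID is overwritten
        return rid

    def undo_rule(self, rule_id: int) -> None:
        if rule_id not in self.rules:
            raise KeyError(f"rule {rule_id} does not exist in ACL {self.number}")
        del self.rules[rule_id]

    def evaluate(self, src: str) -> Optional[str]:
        """Lowest rule ID that matches wins; None when no rule matches."""
        for rid in sorted(self.rules):
            action, rule_addr, wildcard = self.rules[rid]
            if wildcard_match(src, rule_addr, wildcard):
                return action
        return None


def example_acl() -> BasicAcl:
    """ACL 2001 from the page plus a discontiguous-wildcard deny and a catch-all permit."""
    acl = BasicAcl(2001)
    acl.rule("permit", ("192.168.32.1", "0"))                 # rule 5
    acl.rule("deny", ("192.168.1.169", "0.0.0.172"))          # rule 10
    acl.rule("permit", ANY)                                   # rule 15
    return acl


if __name__ == "__main__":
    print(wildcard_pattern("192.168.1.169", "0.0.0.172"))    # 192.168.1.x0x0xx01
    acl = example_acl()
    print(sorted(acl.rules), acl.evaluate("192.168.1.1"))     # [5, 10, 15] deny
```

Because a wildcard with scattered 1 bits admits 2^n addresses for n don't-care bits, wildcard_pattern and matched_hosts are a quick way to check that a rule written for one host does not silently cover a block of them.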

rule (basic ACL6 view)

Function

The rule command adds or modifies basic ACL6 rules.

The undo rule command deletes a basic ACL6 rule.

By default, there is no basic ACL6 rule.

Format

rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ fragment | logging | source | time-range | vpn-instance ] *

Parameters

Parameter

Description

Value

rule-id Specifies the ID of a rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, a rule is created using the ID and ordered based on the configured sequence.
  • If the rule ID is not specified, the device allocates an ID to the new rule. By default, the step of ACL6 is 1 and cannot be changed. Therefore, the device allocates IDs at an interval of 1 to ACL6 rules.
The value is an integer that ranges from 0 to 2047.
deny Drops packets that match the rule. -
permit Forwards packets that match the rule. -
fragment Indicates that the rule is valid for only non-first fragmented packets. -
logging Logs IP information of packets that match the rule.
NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter command references ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.
-
source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length } Indicates the source address and prefix of a packet. source-ipv6-address is an IPv6 address in colon-separated hexadecimal notation. prefix-length is an integer that ranges from 1 to 128.
source source-ipv6-address postfix postfix-length Indicates the source address and the length of its postfix (the trailing bits of the address). source-ipv6-address is an IPv6 address in colon-separated hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.
any Indicates any source address. -
time-range time-name Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.
NOTE:

When you specify the time-range parameter to reference a time range from the ACL6, if the specified time-name does not exist, the ACL6 does not take effect.

The value of time-name is a string of 1 to 32 characters.
vpn-instance vpn-instance-name Specifies the name of a VPN instance.
NOTE:

If the vpn-instance parameter is not specified, the switch matches packets from both public and private networks against the ACL6.

The value must be an existing VPN instance name.

Views

Basic ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A basic ACL6 matches packets based on information such as source IPv6 addresses, fragment flags, and time ranges.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule to ACL6 2000 that denies packets from the source prefix fc00:1::/64.

<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule deny source fc00:1::1/64
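An added Python example, not code from the page or the switch, that parses the four spellings of the source parameter described above and turns each into a matcher. The two prefix forms compare the high-order prefix-length bits. The postfix form is implemented under the assumption that it compares only the low-order postfix-length bits, so a postfix 64 rule follows an interface identifier regardless of which /64 the host currently sits in; HOST_IN_PREFIX_1 and HOST_IN_PREFIX_9 are constructed addresses.

```python
import ipaddress
from typing import Callable

Matcher = Callable[[str], bool]


def _bits(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr))


def prefix_match(addr: str, rule_addr: str, prefix_length: int) -> bool:
    """'fc00:1::1/64' or 'fc00:1::1 64': compare the high-order prefix_length bits."""
    shift = 128 - prefix_length
    return (_bits(addr) >> shift) == (_bits(rule_addr) >> shift)


def postfix_match(addr: str, rule_addr: str, postfix_length: int) -> bool:
    """'fc00:1::1 postfix 64': compare only the low-order postfix_length bits.
    Assumed semantics: the prefix is ignored, so the rule follows an interface
    identifier across whatever /64 the host is currently in."""
    mask = (1 << postfix_length) - 1
    return (_bits(addr) & mask) == (_bits(rule_addr) & mask)


def parse_source(spec: str) -> Matcher:
    """Turn the text after 'source' in a basic ACL6 rule into a matcher."""
    tokens = spec.split()
    if tokens == ["any"]:
        return lambda addr: True
    if len(tokens) == 1 and "/" in tokens[0]:
        tokens = tokens[0].split("/")            # 'addr/len' -> ['addr', 'len']
    if len(tokens) == 2:
        rule_addr, length = tokens[0], int(tokens[1])
        ipaddress.IPv6Address(rule_addr)         # reject a malformed address now, not at match time
        if not 1 <= length <= 128:
            raise ValueError(f"prefix-length {length} out of range 1-128")
        return lambda addr: prefix_match(addr, rule_addr, length)
    if len(tokens) == 3 and tokens[1] == "postfix":
        rule_addr, length = tokens[0], int(tokens[2])
        ipaddress.IPv6Address(rule_addr)
        if not 1 <= length <= 64:
            raise ValueError(f"postfix-length {length} out of range 1-64")
        return lambda addr: postfix_match(addr, rule_addr, length)
    raise ValueError(f"cannot parse source spec {spec!r}")


# Constructed hosts: the same interface identifier ::dead:beef seen from two prefixes.
HOST_IN_PREFIX_1 = "fc00:1::dead:beef"
HOST_IN_PREFIX_9 = "fc00:9::dead:beef"

if __name__ == "__main__":
    by_prefix = parse_source("fc00:1::1/64")
    by_postfix = parse_source("fc00::dead:beef postfix 64")
    print(by_prefix(HOST_IN_PREFIX_1), by_prefix(HOST_IN_PREFIX_9))     # True False
    print(by_postfix(HOST_IN_PREFIX_1), by_postfix(HOST_IN_PREFIX_9))   # True True
```

A postfix rule is only as stable as the interface identifier it keys on; a host that rotates its identifier will stop matching, whereas a prefix rule keeps matching whatever the host does with the low bits.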

rule (layer 2 ACL view)

Function

The rule command adds or modifies a Layer 2 ACL rule.

The undo rule command deletes a Layer 2 ACL rule.

By default, there is no rule in the related Layer 2 ACL view.

Format

rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

undo rule { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

undo rule rule-id

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule overwrites the old rule. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match a rule.

-

permit

Permits the packets that match a rule.

-

ether-ii | 802.3 | snap

Indicates the encapsulation format of a packet that matches the rule.
  • ether-ii: specifies the Ethernet II encapsulation.
  • 802.3: specifies the 802.3 encapsulation.
  • snap: specifies the SNAP encapsulation.

-

l2-protocol type-value [ type-mask ]

Indicates the type of a Layer 2 protocol. This parameter corresponds to the Ethernet type of Ethernet_II frames and the type-code domain of Ethernet_SNAP frames.

  • type-value: specifies the type value of a Layer 2 protocol.
  • type-mask: specifies the type mask of a Layer 2 protocol.
type-value can be a hexadecimal number of 3 to 6 characters (0x0 to 0xFFFF, including the 0x prefix) or one of the following protocol names:
  • ARP, corresponding to 0x0806
  • IP, corresponding to 0x0800
  • IPv6, corresponding to 0x86dd
  • MPLS, corresponding to 0x8847
  • RARP, corresponding to 0x8035

The default value of type-mask is 0xffff.

destination-mac dest-mac-address [ dest-mac-mask ]

Specifies the destination MAC address of packets that matches ACL rules.
  • dest-mac-address specifies the destination MAC address of packets.
  • dest-mac-mask specifies the mask of the destination MAC address of packets.

dest-mac-address and dest-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the dest-mac-mask is ffff-ffff-ffff.

You can obtain the required destination MAC address range by specifying dest-mac-address and dest-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

source-mac source-mac-address [ source-mac-mask ]

Specifies the source MAC address of packets that matches ACL rules.
  • source-mac-address specifies the source MAC address of packets.
  • source-mac-mask specifies the mask of the source MAC address of packets. If this parameter is not specified, the mask is ffff-ffff-ffff.

source-mac-address and source-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the source-mac-mask is ffff-ffff-ffff.

You can obtain the required source MAC address range by specifying source-mac-address and source-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies a MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies a MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

vlan-id vlan-id [ vlan-id-mask ]

Indicates the outer VLAN ID contained in a packet that matches the rule.

  • vlan-id: specifies the number of the VLAN ID.
  • vlan-id-mask: specifies the mask of the VLAN ID.

The value of vlan-id is an integer ranging from 1 to 4094.

The value of the vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

8021p 802.1p-value

Indicates the 802.1p priority in the outer VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

cvlan-id cvlan-id [ cvlan-id-mask ]

Indicates the inner VLAN ID of a packet that matches the rule.

  • cvlan-id: specifies the number of the inner VLAN ID.
  • cvlan-id-mask: specifies the mask of the inner VLAN ID.

The value of cvlan-id is an integer ranging from 1 to 4094.

The value of the cvlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

cvlan-8021p 802.1p-value

Indicates the 802.1p priority in the inner VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

double-tag

Indicates that only packets with double tags match the rule.

-

time-range time-name

Defines the time range during which an ACL rule is valid. time-name specifies the name of a time range.

NOTE:

When you specify the time-range parameter to reference a time range from the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value of time-name is a string of 1 to 32 characters.

Views

Layer 2 ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Layer 2 ACL matches packets based on Layer 2 information of the packets, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.

The time-range parameter of the rule command restricts a rule to a named time range, so the time at which ACL rules take effect can be configured flexibly.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists, the new rule overwrites the old rule no matter whether the rules conflict.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule to ACL 4001 to match packets with the destination MAC address being 0000-0000-0001, source MAC address being 0000-0000-0002, and the value of the Layer 2 protocol type being 0x0800.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800
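An added example in Python (not page or switch code) covering the Layer 2 matching described above: parsing the H-H-H MAC form where each H is 1 to 4 hex digits, MAC masks (mask bit 1 = compare, the opposite sense of an IPv4 wildcard), the range a mask such as ffff-ffff-0000 covers, l2-protocol names and hex values with type-mask, and vlan-id with vlan-id-mask. The L2Rule class and the dictionary frames are the example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

ETHERTYPE_NAMES: Dict[str, int] = {
    "arp": 0x0806, "ip": 0x0800, "ipv6": 0x86DD, "mpls": 0x8847, "rarp": 0x8035,
}
MAC_ALL_ONES = (1 << 48) - 1


def parse_hhh(text: str) -> int:
    """Parse the H-H-H MAC form: each H is 1 to 4 hex digits, so 'e0-fc01-1' is 00e0-fc01-0001."""
    parts = text.lower().split("-")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", p) for p in parts):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    value = 0
    for part in parts:
        value = (value << 16) | int(part, 16)
    return value


def format_hhh(value: int) -> str:
    return "-".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


def mac_match(mac: str, rule_mac: str, mask: str = "ffff-ffff-ffff") -> bool:
    """Mask bit 1 = compare, 0 = ignore (the opposite sense of an IPv4 wildcard)."""
    m = parse_hhh(mask)
    return (parse_hhh(mac) & m) == (parse_hhh(rule_mac) & m)


def mac_range(rule_mac: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest address covered by a contiguous mask, e.g. ffff-ffff-0000."""
    m = parse_hhh(mask)
    base = parse_hhh(rule_mac) & m
    return format_hhh(base), format_hhh(base | (~m & MAC_ALL_ONES))


def parse_l2_protocol(text: str) -> int:
    """Accept a protocol name or a hex value 0x0 to 0xFFFF (3 to 6 characters)."""
    if text.lower() in ETHERTYPE_NAMES:
        return ETHERTYPE_NAMES[text.lower()]
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,4}", text):
        return int(text, 16)
    raise ValueError(f"bad l2-protocol value {text!r}")


@dataclass
class L2Rule:
    action: str
    destination_mac: Optional[Tuple[str, str]] = None     # (address, mask)
    source_mac: Optional[Tuple[str, str]] = None
    l2_protocol: Optional[Tuple[int, int]] = None         # (type-value, type-mask)
    vlan_id: Optional[Tuple[int, int]] = None             # (vlan-id, vlan-id-mask)

    def matches(self, frame: Dict[str, Any]) -> bool:
        """frame: constructed dict with 'dst', 'src' (H-H-H), 'ethertype' (int), 'vlan' (int or None)."""
        if self.destination_mac and not mac_match(frame["dst"], *self.destination_mac):
            return False
        if self.source_mac and not mac_match(frame["src"], *self.source_mac):
            return False
        if self.l2_protocol:
            value, type_mask = self.l2_protocol
            if (frame["ethertype"] & type_mask) != (value & type_mask):
                return False
        if self.vlan_id:
            vid, vid_mask = self.vlan_id
            if frame["vlan"] is None or (frame["vlan"] & vid_mask) != (vid & vid_mask):
                return False
        return True


def example_rule() -> L2Rule:
    """The page's ACL 4001 rule: dst 0000-0000-0001, src 0000-0000-0002, l2-protocol 0x0800."""
    return L2Rule("permit",
                  destination_mac=("0000-0000-0001", "ffff-ffff-ffff"),
                  source_mac=("0000-0000-0002", "ffff-ffff-ffff"),
                  l2_protocol=(parse_l2_protocol("0x0800"), 0xFFFF))


# Constructed frames for the example.
IPV4_FRAME = {"dst": "0000-0000-0001", "src": "0000-0000-0002", "ethertype": 0x0800, "vlan": 100}
IPV6_FRAME = {"dst": "0000-0000-0001", "src": "0000-0000-0002", "ethertype": 0x86DD, "vlan": 100}

if __name__ == "__main__":
    print(mac_range("00e0-fc01-0101", "ffff-ffff-0000"))     # ('00e0-fc01-0000', '00e0-fc01-ffff')
    print(example_rule().matches(IPV4_FRAME), example_rule().matches(IPV6_FRAME))  # True False
```

Because the mask is applied bit by bit, it can also isolate single flag bits of the first octet: mask 0200-0000-0000 with address 0200-0000-0000 matches every locally administered (often software-assigned) source MAC regardless of the remaining bits, and a rule keyed on vlan-id 100 with vlan-id-mask 0xFF0 covers VLANs 96 to 111, not just VLAN 100.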

rule (user-defined ACL view)

Function

The rule command adds or modifies a rule in the user-defined ACL view.

The undo rule command deletes a user-defined ACL rule.

By default, there is no rule in the user-defined ACL view.

Format

rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *

undo rule { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *

undo rule rule-id

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.

  • If the specified rule ID has been created, the new rule overwrites the old rule. If the specified rule ID does not exist, the Switch creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the Switch allocates an ID to the new rule. The rule IDs are sorted in ascending order. The Switch automatically allocates IDs according to the step. The step is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match a rule.

-

permit

Permits the packets that match a rule.

-

l2-head | ipv4-head | ipv6-head | l4-head

Indicates the position from which the offset starts.
  • l2-head: indicates that the offset begins from the Layer 2 header.
  • ipv4-head: indicates that the offset begins from the IPv4 header.
  • ipv6-head: indicates that the offset begins from the IPv6 header.
  • l4-head: indicates that the offset begins from the Layer 4 header.

-

rule-string

Specifies the customized rule string.

The value is a string of 3 to 10 characters. The string is in hexadecimal notation. The maximum length of the string is 4 bytes.

NOTE:

The rule command in the user-defined ACL view matches four bytes at a time. When the field to be matched is shorter than four bytes, pad the rule string with zeros and clear the corresponding bits of rule-mask so that only the field bits are compared.

rule-mask

Specifies the mask of the rule string.

The value is a string of 3 to 10 characters. The string is in hexadecimal notation. The maximum length of the string is 4 bytes. When the mask bit of the customized character string is 1, the ACL matches the bit. When the mask bit of the customized character string is 0, the ACL does not match the bit.

offset

Specifies the value of the offset.

The value is an integer, in bytes. The value of the offset varies with the offset position.
  • For l2-head, the value of offset is 4N+2. N is an integer starting from 0.
  • For other offset positions, the value of offset is 4N. N is an integer starting from 0.

time-range time-name

Defines the time range during which an ACL rule takes effect. time-name specifies the name of the time range during which an ACL rule takes effect.

The value is a string of 1 to 32 characters.

Views

User-defined ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user-defined ACL defines rules by setting the offset position and value of the packet. The user-defined ACL is applicable to matching rules of a traffic classifier.

The time-range parameter of the rule command restricts a rule to a named time range, so the time at which ACL rules take effect can be configured flexibly.

NOTE:

The user-defined ACL is applicable to only the incoming traffic.

When a user-defined ACL matches packets, the 802.1Q tag is included in the offset calculation.

Prerequisites

An ACL must be created before the rule is configured.

Precautions

  • If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule. To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.
  • To change the offset in a user-defined ACL rule, delete and reconfigure the ACL rule.
  • The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule to ACL 5001 that matches the four bytes at offset 14 from the Layer 2 header against the rule string 0x0180C200 with the mask 0xFFFFFFFF.

<HUAWEI> system-view
[HUAWEI] acl 5001
[HUAWEI-acl-user-5001] rule permit l2-head 0x0180C200 0xFFFFFFFF 14
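An added Python example (not page or switch code) of the offset matching described above. It builds a constructed 802.1Q-tagged IPv4/TCP frame, locates l2-head, ipv4-head, ipv6-head and l4-head (counting the VLAN tag, as the NOTE above says), enforces the 4N+2 and 4N offset alignment, and compares the 4-byte window under rule-mask. The frame layout, the 8-field limit taken from &<1-8>, and the IPv6 handling (fixed 40-byte header, no extension-header walk) are the example's assumptions.

```python
import struct
from typing import Dict, List, Tuple

# Required value of offset mod 4 for each starting position: 4N+2 for l2-head, 4N otherwise.
OFFSET_ALIGNMENT: Dict[str, int] = {"l2-head": 2, "ipv4-head": 0, "ipv6-head": 0, "l4-head": 0}
VLAN_TAGS = (0x8100, 0x88A8)


def build_frame(vlan: int = 10, proto: int = 6, dport: int = 80) -> bytes:
    """Constructed 802.1Q-tagged Ethernet II / IPv4 / TCP-or-UDP frame (checksums left zero)."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002")
    eth += struct.pack("!HH", 0x8100, vlan) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + l4


def header_base(frame: bytes, head: str) -> int:
    """Byte index where the chosen header starts; VLAN tags count, as the page notes."""
    if head == "l2-head":
        return 0
    pos = 12
    while struct.unpack("!H", frame[pos:pos + 2])[0] in VLAN_TAGS:
        pos += 4                                   # skip each 802.1Q / QinQ tag
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    l3 = pos + 2
    if head == "ipv4-head" and ethertype == 0x0800:
        return l3
    if head == "ipv6-head" and ethertype == 0x86DD:
        return l3
    if head == "l4-head" and ethertype == 0x0800:
        return l3 + (frame[l3] & 0x0F) * 4         # IHL gives the IPv4 header length
    if head == "l4-head" and ethertype == 0x86DD:
        return l3 + 40                             # fixed IPv6 header; extension headers not walked
    raise ValueError(f"{head} not present in this frame")


def parse_hex32(text: str) -> int:
    """rule-string / rule-mask: 3 to 10 characters, hexadecimal with 0x prefix, at most 4 bytes."""
    if not (3 <= len(text) <= 10 and text[:2].lower() == "0x"):
        raise ValueError(f"bad rule string {text!r}")
    return int(text, 16)


def field_matches(frame: bytes, head: str, rule_string: str, rule_mask: str, offset: int) -> bool:
    """Compare the 4 bytes at head+offset with rule_string under rule_mask (mask bit 1 = compare)."""
    if offset < 0 or offset % 4 != OFFSET_ALIGNMENT[head]:
        raise ValueError(f"offset {offset} not allowed for {head} (needs 4N+{OFFSET_ALIGNMENT[head]})")
    start = header_base(frame, head) + offset
    window = frame[start:start + 4]
    if len(window) < 4:
        return False                               # frame too short for this field
    value, mask = parse_hex32(rule_string), parse_hex32(rule_mask)
    return (int.from_bytes(window, "big") & mask) == (value & mask)


def rule_matches(frame: bytes, fields: List[Tuple[str, str, str, int]]) -> bool:
    """A rule carries 1 to 8 (head, rule-string, rule-mask, offset) fields; all must match."""
    if not 1 <= len(fields) <= 8:
        raise ValueError("a rule takes 1 to 8 fields")
    return all(field_matches(frame, *f) for f in fields)


# TCP to port 80: the IPv4 protocol byte (byte 9, so window at offset 8 masked to its second
# byte) and the destination port (low half of the 4-byte window at l4-head offset 0).
HTTP_SYN_RULE = [("ipv4-head", "0x00060000", "0x00FF0000", 8),
                 ("l4-head", "0x00000050", "0x0000FFFF", 0)]

if __name__ == "__main__":
    print(rule_matches(build_frame(), HTTP_SYN_RULE))              # True
    print(rule_matches(build_frame(proto=17), HTTP_SYN_RULE))      # False
```

The l2-head case is where the VLAN note matters: on the tagged frame the EtherType sits at bytes 16-17, so a rule that expects it at 12-13 (the untagged position) must be written with offset 14 and a mask that ignores the TCI half of the window.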

rule (user ACL view)

Function

The rule command configures a user ACL rule.

The undo rule command deletes a user ACL rule.

By default, no user ACL rule is configured.

Format

  • When the parameter protocol is ICMP, the command format is as follows:

    rule [ rule-id ] { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *

    undo rule { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *

  • When the parameter protocol is TCP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

  • To delete an ACL rule, run:

    undo rule rule-id

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmp

Indicates that the protocol type is ICMP (protocol number 1).

-

tcp

Indicates that the protocol type is TCP (protocol number 6).

-

udp

Indicates that the protocol type is UDP (protocol number 17).

-

gre

Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol.

-

igmp

Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol.

-

ip

Indicates that the protocol type is IP.

-

ipinip

Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol.

-

ospf

Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol.

-

protocol-number

Indicates the protocol type expressed by number.

The value expressed by number is an integer that ranges from 1 to 255.

source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } *

Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address of packets. That is, the value of source-address is 0.0.0.0 and the value of source-wildcard is 255.255.255.255.
  • ucl-group source-ucl-group-index: specifies the ID of the UCL group to which the source IP address of packets belongs.
  • ucl-group name source-ucl-group-name: specifies the name of the UCL group to which the source IP address of packets belongs.
  • source-address: The value is in dotted decimal notation.
  • source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address.
    NOTE:
    The wildcard is in dotted decimal format. After the value is converted to binary, a 0 bit means that the corresponding bit of the IP address must match and a 1 bit means that it does not need to match. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01 (last octet shown in binary), where each x can be 0 or 1.
  • The value of source-ucl-group-name must be the name of an existing UCL group.
  • source-ucl-group-index is an integer that ranges from 0 to 64000.
  • When the value of source-ucl-group-index is 0, the rule matches packets whose source address does not belong to any UCL group.

destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name }

Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of data packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: indicates any destination IP address of packets. That is, the value of destination-address is 0.0.0.0 and the value of destination-wildcard is 255.255.255.255.
  • ucl-group destination-ucl-group-index: specifies the ID of the UCL group to which the destination IP address of packets belongs.
  • ucl-group name destination-ucl-group-name: specifies the name of the UCL group to which the destination IP address of packets belongs.
  • fqdn fqdn-name: specifies a domain name. Exact matching and fuzzy matching (using *) are supported. In fuzzy matching, the domain name must be in the format *.XXX, for example, *.abc.com. A fuzzy domain name and a full domain name cannot include each other. For example, if www.abc.com has been configured on the device, *.abc.com cannot be configured, but *.aaa.com can be. Similarly, if *.abc.com has been configured on the device, *.www.abc.com cannot be configured, but www.aaa.com can be. This parameter is available only for wireless users.
  • destination-address: The value is in dotted decimal notation.
  • destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is the host address.
    NOTE:
    The wildcard is in dotted decimal format. After the value is converted to binary, a 0 bit means that the corresponding bit of the IP address must match and a 1 bit means that it does not need to match. The 1 and 0 bits can be discontinuous. For example, the IP address 192.168.1.169 with the wildcard 0.0.0.172 represents the addresses 192.168.1.x0x0xx01 (last octet shown in binary), where each x can be 0 or 1.
  • The value of destination-ucl-group-name must be the name of an existing UCL group.
  • destination-ucl-group-index is an integer that ranges from 0 to 64000.
  • When the value of destination-ucl-group-index is 0, the rule matches packets whose destination address does not belong to any UCL group.
  • The value of fqdn-name is a string of 1 to 64 characters.

icmp-type { icmp-name | icmp-type [ icmp-code ] }

Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.

icmp-type is an integer that ranges from 0 to 255.

icmp-code is an integer that ranges from 0 to 255.

NOTE:

Table 14-21 lists the mapping between ICMP names and ICMP types and codes.

source-port { eq port | gt port | lt port | range port-start port-end }

Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • lt port: less than operator.
  • range port-start port-end: within the range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port.

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

destination-port { eq port | gt port | lt port | range port-start port-end }

Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • lt port: less than operator.
  • range port-start port-end: within the range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port.

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

tcp-flag

Indicates the flag bits in the TCP packet header. The value is valid only when the protocol of packets is TCP.

-

ack

Indicates that the ACK flag (010000) is set in the TCP packet header.

-

established

Indicates that the ACK flag (010000) or the RST flag (000100) is set in the TCP packet header.

-

fin

Indicates that the FIN flag (000001) is set in the TCP packet header.

-

psh

Indicates that the PSH flag (001000) is set in the TCP packet header.

-

rst

Indicates that the RST flag (000100) is set in the TCP packet header.

-

syn

Indicates that the SYN flag (000010) is set in the TCP packet header.

-

urg

Indicates that the URG flag (100000) is set in the TCP packet header.

-
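The port operators and tcp-flag keywords above are where a rule most often ends up matching more or less than the author intended (a gt operand of 65535 is out of range; `established` is satisfied by a bare RST). The following Python is an added example, not code from the Huawei document: it checks operator operands against the limits stated in the parameter table, evaluates eq/gt/lt/range against a packet's port, and evaluates the tcp-flag keywords against a packet's flags field using the bit values given above. One assumption, marked in the code, is that a keyword matches whenever its bit is set regardless of the other bits; the page does not state how other bits are treated. Function names are the example's own.

```python
# Added example (not from the Huawei document): evaluating source-port /
# destination-port operators and tcp-flag keywords against a packet.

# Bit values of the tcp-flag keywords as listed in the parameter table.
TCP_FLAG_BITS = {
    "fin": 0b000001, "syn": 0b000010, "rst": 0b000100,
    "psh": 0b001000, "ack": 0b010000, "urg": 0b100000,
}

# Operand limits per operator, as stated for eq/gt/lt/range above.
PORT_OPERAND_LIMITS = {
    "eq": (0, 65535), "gt": (0, 65534), "lt": (1, 65535), "range": (0, 65535),
}

def port_operator_is_valid(op: str, *operands: int) -> bool:
    """True if the operator exists, has the right operand count and operands are in range.
    e.g. `gt 65535` is rejected by the CLI because no port can be greater than 65535."""
    if op not in PORT_OPERAND_LIMITS:
        return False
    if len(operands) != (2 if op == "range" else 1):
        return False
    lo, hi = PORT_OPERAND_LIMITS[op]
    return all(lo <= p <= hi for p in operands)

def port_matches(op: str, packet_port: int, *operands: int) -> bool:
    """Evaluate `op operands` against the packet's TCP/UDP port."""
    if not port_operator_is_valid(op, *operands):
        raise ValueError(f"invalid port operator: {op} {operands}")
    if op == "eq":
        return packet_port == operands[0]
    if op == "gt":
        return packet_port > operands[0]
    if op == "lt":
        return packet_port < operands[0]
    start, end = operands
    return start <= packet_port <= end

def tcp_flag_matches(keyword: str, flags: int) -> bool:
    """Evaluate a tcp-flag keyword against the 6-bit flags field of a TCP header.
    Assumption (not stated on the page): the keyword matches when its bit is set,
    whatever the other bits are. `established` is ack OR rst, as the table says."""
    if keyword == "established":
        return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(flags & TCP_FLAG_BITS[keyword])

def flag_names(flags: int) -> list:
    """Names of the flags set in a flags field, in ascending bit order."""
    return [name for name, bit in sorted(TCP_FLAG_BITS.items(), key=lambda kv: kv[1]) if flags & bit]

if __name__ == "__main__":
    syn, syn_ack, pure_rst = 0b000010, 0b010010, 0b000100
    for pkt in (syn, syn_ack, pure_rst):
        print(flag_names(pkt), "established:", tcp_flag_matches("established", pkt))
    print("destination-port range 8000 8100 vs 8080:", port_matches("range", 8080, 8000, 8100))
    print("gt 65535 valid:", port_operator_is_valid("gt", 65535))
```

Note that a pure SYN (the first packet of a handshake) does not satisfy `established`, whereas a SYN-ACK and a bare RST both do; a rule that permits `established` traffic therefore admits RST segments as well, which matters when using it as a return-traffic filter.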

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range in the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance on the inbound interface.

The value must be an existing VPN instance name.

Table 14-21  Mapping between ICMP names and ICMP types and codes

icmp-name               icmp-type   icmp-code
Echo                    8           0
Echo-reply              0           0
Fragmentneed-DFset      3           4
Host-redirect           5           1
Host-tos-redirect       5           3
Host-unreachable        3           1
Information-reply       16          0
Information-request     15          0
Net-redirect            5           0
Net-tos-redirect        5           2
Net-unreachable         3           0
Parameter-problem       12          0
Port-unreachable        3           3
Protocol-unreachable    3           2
Reassembly-timeout      11          1
Source-quench           4           0
Source-route-failed     3           5
Timestamp-reply         14          0
Timestamp-request       13          0
Ttl-exceeded            11          0

Views

User ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Currently, the user ACL can be applied only to the UCL groups of the NAC mode. To control the network access rights of users based on user groups, you can perform the following operations: configure a UCL group, associate user ACL rules with the UCL group so that the ACL rules apply to all users in the user group, configure packet filtering based on the user ACL to make the ACL take effect, and then apply the UCL group to the AAA service scheme.

Prerequisites

If the ucl-group name source-ucl-group-name or ucl-group name destination-ucl-group-name parameter is configured for a rule, the source and destination UCL groups must have been created by the ucl-group command.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

Example

# Add a rule to ACL 6000 to reject all the IP packets sent from UCL group group1 to network segment 10.9.9.0/24.

<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 10.9.9.0 0.0.0.255

rule description

Function

The rule description command configures the description of an ACL rule.

The undo rule description command deletes the description of an ACL rule.

By default, no description is configured for an ACL rule.

Format

rule rule-id description description

undo rule rule-id description

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.

  • ACL view: The value is an integer that ranges from 0 to 4294967294.
  • ACL6 view: The value is an integer that ranges from 0 to 2047.

description description

Specifies the description of an ACL rule.

You can configure the description to record an ACL rule in detail.

The value is a character string and contains a maximum of 127 characters.

Views

ACL view, ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Application Scenarios

The rule-id parameter identifies a rule but cannot describe the meaning and purpose of the rule. A description string records this information.

Prerequisites

The ACL rule has been created. If the ACL rule does not exist, the system displays an error message when you run this command.

Precautions

If the rule description command is run repeatedly, the latest configuration takes effect.

After you run the undo rule rule-id command, the rule and rule description are deleted.

Example

# Configure the description for rule 5 in acl 2001, which permits the packets from 192.168.32.1.

<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 192.168.32.1 0
[HUAWEI-acl-basic-2001] rule 5 description permit 192.168.32.1
[HUAWEI-acl-basic-2001] display acl 2001
Basic ACL 2001, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.32.1 0
 rule 5 description permit 192.168.32.1

snmp-agent trap enable feature-name acle

Function

The snmp-agent trap enable feature-name acle command enables the trap function for the ACL module.

The undo snmp-agent trap enable feature-name acle command disables the trap function for the ACL module.

By default, the trap function is enabled for the ACL module.

Format

snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]

undo snmp-agent trap enable feature-name acle [ trap-name { hwaclresthresholdexceedcleartrap | hwaclresthresholdexceedtrap | hwaclrestotalcountexceedcleartrap | hwaclrestotalcountexceedtrap } ]

Parameters

Parameter

Description

Value

trap-name

Enables or disables the trap function for the specified event.

-

hwaclresthresholdexceedcleartrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device falls below the lower alarm threshold (percentage).

-

hwaclresthresholdexceedtrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device exceeds the upper alarm threshold (percentage).

-

hwaclrestotalcountexceedcleartrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device has reached 100%, then falls below 100% and stays below 100% for a period of time.

-

hwaclrestotalcountexceedtrap

Enables the device to send a Huawei-proprietary trap when the ACL resource usage on the device reaches 100%.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.

Example

# Enable the hwaclresthresholdexceedtrap for ACL.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name acle trap-name hwaclresthresholdexceedtrap

step

Function

The step command sets the step between ACL rule IDs.

The undo step command restores the default step between ACL rule IDs.

By default, the step between ACL rule IDs is 5.

Format

step step

undo step

Parameters

Parameter

Description

Value

step

Specifies the step between ACL rule IDs.

The value is an integer that ranges from 1 to 20.

Views

ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The step is the difference between rule IDs when the system automatically assigns rule IDs. For example, if the ACL step value is set to 5, rules are numbered 5, 10, 15, and so on.

To add a rule between existing rules, you need to reset the step. For example, an ACL in config mode contains three rules with IDs being 5, 10, and 15. To insert a new rule after rule 5 (the first rule), run the rule 7 xxxx command to insert rule 7.

If the step value is changed, ACL rule IDs are arranged automatically. For example, if the original rule IDs are 5, 10, and 15, the rule IDs become 2, 4, and 6 after you change the step value to 2.

NOTE:

The undo step command can be used to realign ACL rule IDs immediately based on the default step. For example, ACL rule group 3001 contains four rules with IDs being 1, 3, 5, and 7, and the step is 2. After the undo step command is executed, the rule IDs become 5, 10, 15, and 20 and the step value is restored to 5.

Prerequisites

An ACL has been created by running the acl command.

Precautions

The ACL6 does not support the step.

Example

# Set the step between rules in ACL 3101 to 2.

<HUAWEI> system-view
[HUAWEI] acl 3101
[HUAWEI-acl-adv-3101] step 2

time-range

Function

The time-range command sets a time range.

The undo time-range command deletes a time range.

By default, no time range is set.

Format

time-range time-name { start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] }

undo time-range time-name [ start-time to end-time { days } &<1-7> | from time1 date1 [ to time2 date2 ] ]

Parameters

Parameter

Description

Value

time-name

Specifies the name of a time range.

The value is a string of 1 to 32 case-sensitive characters without spaces and must begin with a letter. To avoid confusion, do not use "all" as the name of a time range.

start-time

Specifies the start time of a time range.

The format is hh:mm.
  • hh specifies the hour. The value is an integer that ranges from 0 to 23.
  • mm specifies the minute. The value is an integer that ranges from 0 to 59.

end-time

Specifies the end time of a time range.

The format is hh:mm.
  • hh specifies the hour. The value is an integer that ranges from 0 to 23.
  • mm specifies the minute. The value is an integer that ranges from 0 to 59.

days

Specifies the date on which the time range takes effect.

The value can be one of the following:
  • The numbers 0 to 6 indicate that the time range takes effect from Sunday to Saturday. The number 0 refers to Sunday.
  • A day name: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday.
  • The value "Daily" indicates that the time range takes effect during the seven days in a week.
  • The value "off-day" indicates that the time range takes effect on weekends including Saturday and Sunday.
  • The value "Working-day" indicates that the time range takes effect in five days from Monday to Friday.

from time1 date1

Specifies the time for the time range to take effect.

time1 is in the format of hh:mm.
  • hh specifies the hour. The value is an integer that ranges from 0 to 23.
  • mm specifies the minute. The value is an integer that ranges from 0 to 59.
date1 is in the format of yyyy/mm/dd.
  • yyyy specifies the year. The value is an integer that ranges from 1970 to 2099.
  • mm specifies the month. The value is an integer that ranges from 1 to 12.
  • dd specifies the day. The value is an integer that ranges from 1 to 31.

to time2 date2

Specifies the end of a time range.

The formats time2 and date2 are the same as those of the start time. The end time must be later than the start time. If the end time is not set, the device takes the maximum value allowed by the system.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If some services or functions need to be started at intervals or periodically, you can run the time-range command to set the time range. When configuring ACL or ACL6 rules, you can reference the names of time ranges.

The time range is classified into the following types:
  • Relative time range (periodic time range): specified by start-time and end-time. The days of the week on which the time range takes effect are determined by days.
  • Absolute time range: specified by from and to. An absolute time range can be used to limit a periodic time range.
You can set the same name for multiple time ranges to describe a special period. If multiple time ranges have the same name, the periodic time ranges are ORed with each other, and the periodic time ranges and the absolute time range are ANDed. For example, three time ranges are set with the same name test:
  • Time range 1: 01.01.2010 00:00 to 31.12.2010 23:59 (absolute time range)
  • Time range 2: 8:00 to 18:00 from Monday to Friday (periodic time range)
  • Time range 3: 14:00 to 18:00 on Saturday and Sunday (periodic time range)
The time range test takes effect at 8:00-18:00 on Monday to Friday and 14:00-18:00 on Saturday and Sunday in the year 2010.
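The OR/AND combination rule above determines when a time-based ACL rule is actually enforced, so it is worth checking against concrete timestamps before relying on it. The following Python is an added example, not code from the Huawei document: it models the three entries named test from the text, parses the same day keywords and time/date formats the command accepts, and reports whether the name is active at a given moment. It uses the document's statement that periodic entries are ORed and then ANDed with the absolute entry; one assumption, marked in the code, is that several absolute entries under one name are ORed with each other, and that start and end times are inclusive. The page does not state either. Names such as `time_range_active` are the example's own.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Sequence

# Added example (not from the Huawei document): how entries that share one
# time-range name combine. Periodic entries are ORed, and the result is ANDed
# with the absolute range, as the text states.
# Assumptions: several absolute entries under one name are ORed with each other;
# start and end times are inclusive.

DAY_KEYWORDS = {  # device numbering: 0 = Sunday ... 6 = Saturday
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "off-day": {0, 6},
    "working-day": {1, 2, 3, 4, 5},
}
DAY_NAMES = {name: i for i, name in enumerate(
    ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"])}

def parse_days(tokens: Sequence[str]) -> set:
    """Accept digits 0-6, day names and the daily/off-day/working-day keywords."""
    days = set()
    for tok in tokens:
        t = tok.lower()
        if t in DAY_KEYWORDS:
            days |= DAY_KEYWORDS[t]
        elif t in DAY_NAMES:
            days.add(DAY_NAMES[t])
        elif t.isdigit() and 0 <= int(t) <= 6:
            days.add(int(t))
        else:
            raise ValueError(f"bad day specification {tok!r}")
    return days

def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

@dataclass
class Periodic:
    start: int    # minutes after midnight
    end: int
    days: set

@dataclass
class Absolute:
    start: datetime
    end: datetime  # datetime.max stands in for "the maximum value allowed by the system"

def periodic(start: str, end: str, *days: str) -> Periodic:
    """time-range NAME start-time to end-time days..."""
    return Periodic(_minutes(start), _minutes(end), parse_days(days))

def absolute(start: str, end: Optional[str] = None) -> Absolute:
    """time-range NAME from time1 date1 [ to time2 date2 ], e.g. "0:0 2010/1/1"."""
    fmt = "%H:%M %Y/%m/%d"
    return Absolute(datetime.strptime(start, fmt),
                    datetime.strptime(end, fmt) if end else datetime.max)

def time_range_active(entries: Sequence[object], when: str) -> bool:
    """Is the named time range (all its entries) in effect at `when` (yyyy/mm/dd hh:mm)?"""
    now = datetime.strptime(when, "%Y/%m/%d %H:%M")
    device_day = (now.weekday() + 1) % 7  # Python Monday=0 -> device Sunday=0
    tod = now.hour * 60 + now.minute
    per = [e for e in entries if isinstance(e, Periodic)]
    abso = [e for e in entries if isinstance(e, Absolute)]
    periodic_ok = not per or any(device_day in e.days and e.start <= tod <= e.end for e in per)
    absolute_ok = not abso or any(e.start <= now <= e.end for e in abso)
    return periodic_ok and absolute_ok

# The three entries named "test" from the text above.
TEST_RANGE = [
    absolute("0:0 2010/1/1", "23:59 2010/12/31"),   # time range 1 (absolute)
    periodic("8:00", "18:00", "working-day"),        # time range 2 (periodic)
    periodic("14:00", "18:00", "off-day"),           # time range 3 (periodic)
]

if __name__ == "__main__":
    for when in ("2010/06/16 10:00", "2010/06/19 10:00", "2010/06/19 15:00", "2011/06/15 10:00"):
        print(when, "active" if time_range_active(TEST_RANGE, when) else "inactive")
```

Wednesday 2010-06-16 at 10:00 is active (weekday window, inside 2010); Saturday 2010-06-19 at 10:00 is not (the weekend window only opens at 14:00) but 15:00 the same day is; and 2011-06-15 at 10:00 is not, because the absolute entry confines the name to 2010 even though the periodic entry alone would match.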

Precautions

There may be a time difference of no more than 10 seconds between the configured time range and the time range that actually takes effect.

Example

# Set a time range named test that takes effect from 2010-01-01 00:00 to 2010-12-31 23:59.

<HUAWEI> system-view
[HUAWEI] time-range test from 0:0 2010/1/1 to 23:59 2010/12/31

# Set a time range named test that takes effect at 8:00-18:00 from Monday to Friday.

<HUAWEI> system-view
[HUAWEI] time-range test 8:00 to 18:00 working-day

# Set a time range named test that takes effect from 14:00 to 18:00 on every Saturday and Sunday.

<HUAWEI> system-view
[HUAWEI] time-range test 14:00 to 18:00 off-day

Updated: 2019-04-09

Document ID: EDOC1100065659