ACL6 Configuration
Access control lists (ACLs) help ensure network security and stability. ACL6s are the ACLs that support IPv6.
Overview of ACL6s
An access control list (ACL) is a set of sequential packet filtering rules. After an ACL is configured on a Router, the Router permits or denies packets based on the matched rules defined in the ACL. ACL6s are the ACLs that support IPv6, and can be applied to various services, such as routing policies, traffic management, and QoS.
Introduction
As the name indicates, an access control list (ACL) is a list. The list consists of matching clauses, that is, matching rules that tell the device whether or not to act on a packet. ACL6s are the ACLs that support IPv6, and can be applied to various services, such as routing policies, traffic management, and QoS.
Networks need to provide reliable data transmission. To this end, ACL6s can be used on access or core devices to improve network security and stability:
- Defend against network attacks, such as attacks that use IPv6, TCP, or ICMPv6 packets.
- Control network access. For example, ACL6s can be used to control enterprise network users' access to external networks, to specify the network resources accessible to users, and to define the time ranges in which users can access networks.
- Limit network traffic and improve network performance. For example, ACL6s can be used to limit bandwidth for upstream and downstream traffic and to apply charging rules to user-requested bandwidth, so that network resources are used efficiently.
An ACL6 only classifies packets according to its rules; on its own it drops nothing. Packets are filtered only after the ACL6 is applied to a specific service, such as device management, policy-based routing, unicast packet filtering, routing policies, traffic management, or multicast packet filtering.
ACL6 Classification
| ACL6 Type | Function | ACL6 Number |
|---|---|---|
| Interface-based ACL6 | Defines rules based on packets' inbound interfaces. | 1000 to 1999 |
| Basic ACL6 | Defines rules based on packets' source addresses. | 2000 to 2999 |
| Advanced ACL6 | Defines rules based on packets' source or destination addresses, source or destination port numbers, and protocol types. | 3000 to 3999 |
| User ACL6 (UCL6) | Defines rules based on the source/destination IP address, source/destination service group, source/destination user group, source/destination port number, and protocol type. | 6000 to 9999 |
Validity Period of ACL6 Rules
- An absolute time range runs from one date and time to another (yyyy-mm-dd). It takes effect once and does not repeat.
- A periodic time range repeats with a one-week cycle. For example, an ACL6 rule can take effect from 8:00 to 12:00 every Sunday.
ACL6 Description
Configuring a description for a created ACL6 helps you identify its purpose quickly.
ACL6 Rules
ACL6 rules are configured for each ACL6 and used to classify packets in different scenarios. Table 11-2 lists ACL6 rules and their functions.
| ACL6 Rule | ACL6 Type | Function |
|---|---|---|
| Validity period | Interface-based ACL6, basic ACL6, advanced ACL6, user ACL6 | Sets a validity period in which ACL6 rules take effect. This rule is used for: |
| Inbound interface | Interface-based ACL6 | Classifies packets based on their inbound interfaces. This rule is used for: |
| Non-first fragment | Basic ACL6, advanced ACL6, user ACL6 | Classifies packets based on whether a packet is the first packet fragment. This rule is used for: |
| Source IPv6 address | Basic ACL6, advanced ACL6, user ACL6 | Classifies packets based on their source IPv6 addresses. This rule is used for: |
| VPN instance | Basic ACL6 and advanced ACL6 | Classifies packets based on the VPN instances to which the packets belong. This rule is used for: |
| Destination IPv6 address | Advanced ACL6, user ACL6 | Classifies packets based on their destination IPv6 addresses. This rule is used for: |
| Protocol type | Advanced ACL6, user ACL6 | Classifies packets based on their protocol types. |
| Source port number | Advanced ACL6, user ACL6 | Classifies packets based on source TCP or UDP port numbers. This rule is used for: |
| Destination port number | Advanced ACL6, user ACL6 | Classifies packets based on destination TCP or UDP port numbers. This rule is used for: |
| IPv6 DSCP value | Advanced ACL6, user ACL6 | Classifies IPv6 packets based on their DSCP values. This rule is used for route filtering. |
| IPv6 precedence value | Advanced ACL6, user ACL6 | Classifies IPv6 packets based on the IPv6 precedence. This rule is used for flow control. |
| IPv6 ToS value | Advanced ACL6, user ACL6 | Classifies IPv6 packets based on their ToS values. This rule is used for flow control. |
| Source/destination service group, or source/destination user group | User ACL6 | Classifies IPv6 packets based on source/destination service group, or source/destination user group. This rule is used for flow control. |
Matching Order of ACL6 Rules
A device configured with ACL6s matches received packets against the ACL6 rules in the ACL6's matching order. Because the first matching rule decides the action, the order determines which of two overlapping rules wins.
The rule sequence in an ACL6 depends on the ACL6's rule-matching order and on the ACL6 rule numbers.
Rule-matching orders include the configuration order and the automatic order.
Automatic order: The system sequences rules automatically and places the most precise rule at the front of the ACL6, based on the depth-first principle.
- ACL6 rules are sequenced by precision. For an ACL6 rule that specifies a protocol type, a source IPv6 address range, or a destination IPv6 address range, the stricter the rule, the more precise it is. For example, an ACL6 rule can be configured with an IPv6 address wildcard: the smaller the wildcard, the smaller the specified network segment and the stricter the ACL6 rule.
- Rules with the same precision are matched in their configuration order.
Configuration order: The system sequences ACL6 rules in the order in which they were configured.
Matching by configuration order applies only when rule numbers are not specified. If rule numbers are specified, the ACL6 rules are matched by rule number in ascending order. When a narrow deny is added to an ACL6 that already contains a broad permit, check the resulting order: under the configuration order the earlier permit is hit first, whereas under the automatic order the narrower deny is placed in front of it.
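The two orders decide which of several overlapping rules wins, which matters whenever a narrow deny is added to an ACL6 that already holds a broad permit. The following Python model is an added example, not code from the product documentation. It assumes a depth-first score that compares protocol type first, then source prefix length, then destination prefix length (the page states only that stricter rules with longer prefixes are more precise), and it uses constructed rules and addresses from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not product code: the same ACL6 rules evaluated under match-order config and
# match-order auto. The depth-first score below (protocol first, then source prefix length, then
# destination prefix length, longer = stricter) is an assumption about how precision is compared.

@dataclass(frozen=True)
class Rule:
    rule_id: int                      # explicit rule number; config order = ascending rule_id
    action: str                       # "permit" or "deny"
    protocol: Optional[str] = None    # None = any protocol
    source: Optional[str] = None      # IPv6 prefix; None = any
    destination: Optional[str] = None

    def precision(self):
        """Higher tuple = stricter rule: a longer prefix (smaller wildcard) covers a smaller segment."""
        def plen(prefix):
            return ipaddress.ip_network(prefix).prefixlen if prefix else 0
        return (1 if self.protocol else 0, plen(self.source), plen(self.destination))


def order_config(rules):
    return sorted(rules, key=lambda r: r.rule_id)


def order_auto(rules):
    # most precise first; rules of equal precision keep their configuration order
    return sorted(rules, key=lambda r: (tuple(-x for x in r.precision()), r.rule_id))


def matches(rule, pkt):
    if rule.protocol and rule.protocol != pkt["protocol"]:
        return False
    for field in ("source", "destination"):
        prefix = getattr(rule, field)
        if prefix and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(prefix):
            return False
    return True


def first_match(rules, pkt, match_order="config"):
    ordered = order_auto(rules) if match_order == "auto" else order_config(rules)
    return next((r for r in ordered if matches(r, pkt)), None)   # None: no rule hit


# Constructed ACL6 3000: a broad permit entered first, narrower denies added later,
# which is how "temporary" exceptions usually grow in a real rule base.
ACL6_3000 = [
    Rule(5, "permit", source="2001:db8::/32"),
    Rule(10, "deny", source="2001:db8:bad::/48"),
    Rule(15, "deny", protocol="tcp", source="2001:db8::/32", destination="2001:db8:1::/48"),
]


def decide(pkt, match_order):
    """Return (action, rule number) for a packet dict with protocol, source and destination."""
    hit = first_match(ACL6_3000, pkt, match_order)
    return (hit.action, hit.rule_id) if hit else (None, None)


PKT = {"protocol": "udp", "source": "2001:db8:bad::1", "destination": "2001:db8:1::1"}
# decide(PKT, "config") -> ('permit', 5); decide(PKT, "auto") -> ('deny', 10)
```

Under the configuration order the packet from 2001:db8:bad::1 is permitted by rule 5 before rule 10 is ever consulted; under the automatic order rule 15 and rule 10 move in front of rule 5 and the packet is denied. A packet that no rule matches returns (None, None): what the device does with it then is decided by the service the ACL6 is applied to, not by the ACL6 itself.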
Configuring an Interface-based ACL6
An interface-based ACL6 defines rules to filter packets.
Usage Scenario
As shown in Figure 11-1, an ACL6 based on interface1 is created on Device A to allow Device A to permit all the packets sent from Network A to the Internet and deny all packets sent from Network B to the Internet.
(Optional) Creating a Validity Period for an ACL6 Rule
You can create a validity period for an ACL6 rule to control network traffic in a specified period.
Context
To control certain types of traffic in a specified period, you can configure a validity period for an ACL6 rule so that the rule applies only when that traffic is allowed to pass. For example, to ensure reliable transmission of video traffic at prime time in the evening, you may need to limit the volume of traffic from common online users.
After this configuration task is performed, a time range is created. You can then specify the time range as the validity period when creating an ACL6 rule.
The validity period of an ACL6 rule can be either of the following types:
Absolute time range: The validity period is fixed and takes effect once.
Periodic (relative) time range: The validity period repeats weekly, for example, every Monday.
Procedure
- Run system-view
The system view is displayed.
- Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }
A validity period is created.
- You can configure up to 256 time ranges.
- Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.
- Run commit
The configuration is committed.
Creating an Interface-based ACL6
You can create an interface-based ACL6 and configure parameters for the ACL6.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name interface-based-acl6-name interface | number interface-based-acl6-number } [ match-order { config | auto } ]
An interface-based ACL6 is created.
The interface-based ACL6 number ranges from 1000 to 1999.
- (Optional) Run step step
An ACL6 step is set.
You can use an ACL6 step to maintain ACL6 rules and add new ACL6 rules conveniently. Assume that a user has created four rules numbered from 1 to 4 in an ACL6. The user can reconfigure the ACL6 step, for example, to 2 by running the step 2 command in the ACL6 view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 xxxx command to add a rule numbered 3 between the renumbered rules 2 and 4. Note that after renumbering, rule 3 no longer refers to the original third rule (now rule 6): a rule 3 command creates a new rule rather than editing the old one.
- (Optional) Run description text
The ACL6 description is configured.
The description command configures a description for an ACL6 in any of the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be left forgotten.
- Names of named ACL6s cannot fully explain the ACL6s' functions.
- Run commit
The configuration is committed.
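To see what the step renumbering does to an ACL6 view, here is an added Python model; it is not product code. The class name Acl6View, the interface names interface1 to interface4 and the assumption that an unnumbered rule receives the next multiple of the step above the highest existing number are all constructed for this example; the page does not state how unnumbered rules are numbered.

```python
from typing import Optional

# Added example, not product code: rule numbering inside one ACL6 view as described above.
# ASSUMPTION (not stated on this page): a rule entered without a number receives the next
# multiple of the step above the highest existing number.

class Acl6View:
    def __init__(self, step: int = 5):
        self.step = step
        self.rules = {}   # rule number -> rule body, e.g. "permit interface interface1"

    def rule(self, body: str, rule_id: Optional[int] = None) -> int:
        """'rule [rule-id] ...': re-using an existing number replaces that rule's contents."""
        if rule_id is None:
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step   # assumption, see above
        self.rules[rule_id] = body
        return rule_id

    def set_step(self, step: int) -> list:
        """'step step': existing rules are renumbered step, 2*step, 3*step, ... in their current order."""
        self.step = step
        bodies = [self.rules[n] for n in sorted(self.rules)]
        self.rules = {(k + 1) * step: body for k, body in enumerate(bodies)}
        return sorted(self.rules)

    def display(self) -> list:
        """Rules as the view lists them: ascending number, which is also the match order
        under match-order config once numbers are explicit."""
        return [f"rule {n} {body}" for n, body in sorted(self.rules.items())]


def walkthrough() -> dict:
    """The scenario from the step description: rules 1-4, then 'step 2', then 'rule 3 ...'."""
    acl = Acl6View()
    for n, body in enumerate(["permit interface interface1", "deny interface interface2",
                              "permit interface interface3", "deny interface any"], start=1):
        acl.rule(body, rule_id=n)
    after_step = acl.set_step(2)                                    # [2, 4, 6, 8]
    inserted = acl.rule("deny interface interface4", rule_id=3)     # lands between 2 and 4, edits nothing
    return {"after_step": after_step, "inserted_at": inserted,
            "order": sorted(acl.rules), "display": acl.display()}
```

The walkthrough shows the trap hidden in the renumbering: after step 2 the former rule 3 is rule 6, so a rule 3 command that was meant to edit it silently inserts a new rule in front of rule 4 instead. Verify the current numbering on the device before editing rules by number.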
Configuring an Interface-based ACL6 Rule
Interface-based ACL6 rules are defined based on packets' inbound interfaces to filter packets.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name interface-based-acl6-name interface | number interface-based-acl6-number } [ match-order { config | auto } ]
The interface-based ACL6 view is displayed.
- Run rule [ rule-id ] [ name rule-name ] { deny | permit } interface { interface-type interface-number | any } [ time-range time-name ] *
A rule is configured for the interface-based ACL6.
Adding new rules to an ACL6 will not affect the existing rules.
When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.
When you configure an interface-based ACL6:
If an interface is specified by configuring interface, the system filters only packets received by this specified interface.
If all interfaces are specified by configuring any, the system does not check packets' inbound interfaces, and considers that all packets have matched the rule and directly takes an action (deny or permit) on the packets.
If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the configuration does not take effect.
- (Optional) Run rule description text
The description for an ACL6 rule is configured.
The description of an ACL6 rule can state the rule's function. Configuring a description for an ACL6 rule is recommended to prevent misuse of the rule in the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be forgotten.
- Run commit
The configuration is committed.
Configuring a Basic ACL6
A basic ACL6 defines rules to filter packets.
Usage Scenario
As shown in Figure 11-2, a basic ACL6 is created on Device A to allow Device A to permit all packets sent from Network A to the Internet and deny all packets sent from Network B and Network C to the Internet.
(Optional) Creating a Validity Period for an ACL6 Rule
You can create a validity period for an ACL6 rule to control network traffic in a specified period.
Context
To control certain types of traffic in a specified period, you can configure a validity period for an ACL6 rule so that the rule applies only when that traffic is allowed to pass. For example, to ensure reliable transmission of video traffic at prime time in the evening, you may need to limit the volume of traffic from common online users.
After this configuration task is performed, a time range is created. You can then specify the time range as the validity period when creating an ACL6 rule.
The validity period of an ACL6 rule can be either of the following types:
Absolute time range: The validity period is fixed and takes effect once.
Periodic (relative) time range: The validity period repeats weekly, for example, every Monday.
Procedure
- Run system-view
The system view is displayed.
- Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }
A validity period is created.
- You can configure up to 256 time ranges.
- Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.
- Run commit
The configuration is committed.
Creating a Basic ACL6
You can create a basic ACL6 and configure parameters for the ACL6.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name basic-acl6-name [ basic ] | [ number ] basic-acl6-number } [ match-order { config | auto } ]
A basic ACL6 is created.
The basic ACL6 number ranges from 2000 to 2999.
- (Optional) Run step step
An ACL6 step is set.
You can use an ACL6 step to maintain ACL6 rules and add new ACL6 rules conveniently. Assume that a user has created four rules numbered from 1 to 4 in an ACL6. The user can reconfigure the ACL6 step, for example, to 2 by running the step 2 command in the ACL6 view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 xxxx command to add a rule numbered 3 between the renumbered rules 2 and 4. Note that after renumbering, rule 3 no longer refers to the original third rule (now rule 6): a rule 3 command creates a new rule rather than editing the old one.
- (Optional) Run description text
The ACL6 description is configured.
The description command configures a description for an ACL6 in any of the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be left forgotten.
- Names of named ACL6s cannot fully explain the ACL6s' functions.
- Run commit
The configuration is committed.
Configuring a Basic ACL6 Rule
Basic ACL6 rules filter packets based on whether a packet is a non-first fragment, on the packet's source IPv6 address, and on the VPN instance to which the packet belongs.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name basic-acl6-name [ basic ] | [ number ] basic-acl6-number } [ match-order { config | auto } ]
The basic ACL6 view is displayed.
- Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
A rule is configured for the basic ACL6.
Adding new rules to an ACL6 will not affect the existing rules.
When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.
When you configure a basic ACL6:
If a source IPv6 address is specified by configuring source, the system filters only packets with this specified source IPv6 address.
If all source IPv6 addresses are specified by configuring any, the system does not check packets' source IPv6 addresses, and considers that all packets have matched the rule and directly takes an action (deny or permit) on the packets.
If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the configuration does not take effect.
- (Optional) Run rule description text
The description for an ACL6 rule is configured.
The description of an ACL6 rule can state the rule's function. Configuring a description for an ACL6 rule is recommended to prevent misuse of the rule in the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be forgotten.
- Run commit
The configuration is committed.
Applying a Basic ACL6
Basic ACL6s can be used in device management, QoS services, multicast packet filtering, and routing policies.
Context
Table 11-3 describes the typical applications of basic ACL6s.
| Typical Application | Usage Scenario | Operation |
|---|---|---|
| Device management | When a device functions as a TFTP server, configure a basic ACL6 to allow only the clients that match specific ACL6 rules to access the server. | For details on how to configure rights to access a TFTP server, see Configuring TFTP Access Authority. |
| Multicast packet filtering | To filter multicast packets, you can configure a basic ACL6 to receive or forward only the multicast packets that match the ACL6 rules. | For details on how to filter multicast packets, see |
| Routing policies | To control the reception and advertisement of routing information on a device, configure a basic ACL6 on the device to allow the device to receive or advertise only the routes that match the ACL6 rules. | For details on how to control the reception and advertisement of routing information on a device, see |
| QoS services | To process different types of traffic, configure a basic ACL6 to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL6 rules. | For details on how to process different types of traffic, see Configuring the Traffic Policing Policy, Configuring Traffic Shaping, and Configuring Traffic Behaviors. |
Configuring an Advanced ACL6
An advanced ACL6 defines rules to filter packets.
Usage Scenario
As shown in Figure 11-3, an advanced ACL6 is created on Device D to allow Device D to permit all ICMPv6 packets sent from Network B to Network C and deny all ICMPv6 packets sent from Network A to Network C.
(Optional) Creating a Validity Period for an ACL6 Rule
You can create a validity period for an ACL6 rule to control network traffic in a specified period.
Context
To control certain types of traffic in a specified period, you can configure a validity period for an ACL6 rule so that the rule applies only when that traffic is allowed to pass. For example, to ensure reliable transmission of video traffic at prime time in the evening, you may need to limit the volume of traffic from common online users.
After this configuration task is performed, a time range is created. You can then specify the time range as the validity period when creating an ACL6 rule.
The validity period of an ACL6 rule can be either of the following types:
Absolute time range: The validity period is fixed and takes effect once.
Periodic (relative) time range: The validity period repeats weekly, for example, every Monday.
Procedure
- Run system-view
The system view is displayed.
- Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }
A validity period is created.
- You can configure up to 256 time ranges.
- Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.
- Run commit
The configuration is committed.
Creating an Advanced ACL6
You can create an advanced ACL6 and configure parameters for the ACL6.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name advance-acl6-name [ advance ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]
An advanced ACL6 is created.
The advanced ACL6 number ranges from 3000 to 3999.
- (Optional) Run step step
An ACL6 step is set.
You can use an ACL6 step to maintain ACL6 rules and add new ACL6 rules conveniently. Assume that a user has created four rules numbered from 1 to 4 in an ACL6. The user can reconfigure the ACL6 step, for example, to 2 by running the step 2 command in the ACL6 view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 xxxx command to add a rule numbered 3 between the renumbered rules 2 and 4. Note that after renumbering, rule 3 no longer refers to the original third rule (now rule 6): a rule 3 command creates a new rule rather than editing the old one.
- (Optional) Run description text
The ACL6 description is configured.
The description command configures a description for an ACL6 in any of the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be left forgotten.
- Names of named ACL6s cannot fully explain the ACL6s' functions.
- Run commit
The configuration is committed.
(Optional) Configuring An ACL IPv6 Address Pool
This section describes how to configure an ACL IPv6 address pool to filter packets based on the source IPv6 addresses of BGP peers.
Context
In typical ACL6 usage scenarios such as QoS or security services, to filter traffic based on the source IPv6 addresses of BGP peers, run the acl ipv6-pool command to create an ACL IPv6 address pool and run the apply bgp-peer command to associate the IPv6 addresses of BGP peers with the pool. Then reference the ACL IPv6 address pool in the QoS or security service to filter packets based on the source IPv6 addresses of BGP peers.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6-pool pool-name
An ACL IPv6 address pool is created, and the ACL IPv6 address pool view is displayed.
- Run apply bgp-peer [ public-vpn | all-private-vpn | vpn-instance vpn-instance-name ]
The IPv6 addresses of BGP peers are associated with the ACL IPv6 address pool.
This command is applicable only to QoS or device security services.
- Run commit
The configuration is committed.
Configuring an Advanced ACL6 Rule
Advanced ACL6 rules are defined based on the source IPv6 address, destination IPv6 address, protocol type carried over IPv6, source port, and destination port to filter packets.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name advance-acl6-name [ advance ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]
The advanced ACL6 view is displayed.
- Run any of the following commands to create an advanced ACL6 rule:
When protocol is specified as UDP, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
When protocol is specified as TCP, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
When protocol is specified as ICMPv6, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
When protocol is specified as a protocol other than TCP, UDP, and ICMPv6, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | gre | ipv6 | ipv6-ah | ipv6-esp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
Adding new rules to an ACL6 will not affect the existing rules.
When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.
When you configure an advanced ACL6:
If destination, destination-port, source, and source-port are all specified, the rule matches only packets whose destination IPv6 address, destination port number, source IPv6 address, and source port number all equal the specified values.
If any is specified for both the source and the destination IPv6 address and no port numbers are specified, the system does not check addresses or ports: every packet of the specified protocol matches the rule and is directly permitted or denied.
If a validity period is specified by configuring time-range, the time range name specified by time-name must already exist. Otherwise, the configuration does not take effect.
- (Optional) Run rule description text
The description for an ACL6 rule is configured.
The description of an ACL6 rule can state the rule's function. Configuring a description for an ACL6 rule is recommended to prevent misuse of the rule in the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be forgotten.
- Run commit
The configuration is committed.
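The advanced rule syntax above, the basic ACL6 rule syntax and the time-range command are dense enough that a small evaluator helps to see how the fields combine. The following Python parser and first-match evaluator is an added example, not code from the product documentation. It covers the subset of the syntax quoted on this page (both address forms and any, source-port and destination-port with eq, gt or lt, fragment, tcp-flag established, time-range, and the periodic and absolute time-range forms) and makes these assumptions: the day keywords Mon to Sun, daily, working-day and off-day; dates written as YYYY/MM/DD; several entries under one time-range name combine as a union; a rule whose time-range name does not exist never matches (the page says such a configuration does not take effect); ipv6 as the protocol matches every IPv6 packet; and when no rule matches, the outcome is left to the service the ACL6 is applied to. ACL6 3001, its rule numbers, the time ranges office and freeze, and all addresses (2001:db8:a::/48, 2001:db8:b::/48 and 2001:db8:c::/48 standing for Network A, B and C of Figure 11-3) are constructed for the example.

```python
import ipaddress
from datetime import datetime, time

# Added example, not product code: parse the subset of ACL6 rule and time-range syntax quoted on this
# page and evaluate packets in configuration order (ascending rule number, first hit wins).
PROTOCOLS = {"tcp", "udp", "icmpv6", "gre", "ipv6", "ipv6-ah", "ipv6-esp", "ospf"}
DAY_SETS = {**{d: {n} for n, d in enumerate("Mon Tue Wed Thu Fri Sat Sun".split())},   # assumed day keywords
            "daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6}}

def parse_time_range(line, table):
    """'time-range NAME HH:MM to HH:MM DAY...' repeats weekly; 'time-range NAME from HH:MM YYYY/MM/DD [to ...]' is effective once."""
    name, body = line.split()[1], line.split()[2:]
    if body[0] == "from":
        start = datetime.strptime(f"{body[1]} {body[2]}", "%H:%M %Y/%m/%d")
        end = datetime.strptime(f"{body[4]} {body[5]}", "%H:%M %Y/%m/%d") if len(body) > 3 else datetime.max
        entry = ("absolute", start, end, None)
    else:
        days = set().union(*(DAY_SETS[d] for d in body[3:]))
        entry = ("periodic", time.fromisoformat(body[0]), time.fromisoformat(body[2]), days)
    table.setdefault(name, []).append(entry)

def time_range_active(name, table, now):
    # An undefined name has no entries, so a rule bound to it never takes effect (the page's caveat);
    # several entries under one name are combined as a union here (assumption).
    return any(start <= now <= end if kind == "absolute"
               else now.weekday() in days and start <= now.time() <= end
               for kind, start, end, days in table.get(name, []))

def parse_rule(line):
    """rule [id] {permit|deny} [PROTO] [source {ADDR LEN|ADDR/LEN|any}] [destination ...] [source-port OP PORT]
    [destination-port OP PORT] [fragment] [tcp-flag established] [time-range NAME] (subset of the page's syntax)."""
    tok, i = line.split(), 1
    r = dict(id=None, proto=None, src=None, dst=None, sport=None, dport=None, fragment=False, established=False, time_range=None)
    if tok[i].isdigit():
        r["id"], i = int(tok[i]), i + 1
    r["action"], i = tok[i], i + 1
    if i < len(tok) and (tok[i] in PROTOCOLS or tok[i].isdigit()):   # advanced ACL6 rules carry a protocol
        r["proto"], i = tok[i], i + 1
    while i < len(tok):
        kw = tok[i]
        if kw in ("source", "destination"):
            key, addr = ("src" if kw == "source" else "dst"), tok[i + 1]
            if addr == "any":                                        # any: the address is not checked
                i += 2
            else:                                                    # ADDR/LEN or ADDR LEN form
                net = addr if "/" in addr else f"{addr}/{tok[i + 2]}"
                r[key], i = ipaddress.ip_network(net, strict=False), i + (2 if "/" in addr else 3)
        elif kw in ("source-port", "destination-port"):              # operators assumed: eq, gt, lt
            key = "sport" if kw == "source-port" else "dport"
            r[key], i = (tok[i + 1], int(tok[i + 2])), i + 3
        elif kw == "fragment":                                       # matches non-first fragments only
            r["fragment"], i = True, i + 1
        elif kw == "tcp-flag" and tok[i + 1] == "established":
            r["established"], i = True, i + 2
        elif kw == "time-range":
            r["time_range"], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {kw!r} in: {line}")
    return r

def port_ok(cond, port):
    if port is None:   # no transport header (e.g. a non-first fragment): only a rule without a port test can match
        return cond is None
    return cond is None or {"eq": port == cond[1], "gt": port > cond[1], "lt": port < cond[1]}[cond[0]]

def rule_matches(r, pkt, time_ranges, now):
    if r["time_range"] and not time_range_active(r["time_range"], time_ranges, now):
        return False
    if r["proto"] not in (None, "ipv6", pkt["proto"]):   # 'ipv6' covers every IPv6 packet (assumption)
        return False
    for key in ("src", "dst"):
        if r[key] and ipaddress.ip_address(pkt[key]) not in r[key]:
            return False
    if r["fragment"] and not pkt.get("non_first_fragment"):
        return False
    if r["established"] and not (pkt.get("flags", set()) & {"ack", "rst"}):
        return False
    return port_ok(r["sport"], pkt.get("sport")) and port_ok(r["dport"], pkt.get("dport"))

TIME_RANGES = {}
for _line in ("time-range office 08:00 to 18:00 working-day", "time-range freeze from 00:00 2030/01/01 to 23:59 2030/01/02"):
    parse_time_range(_line, TIME_RANGES)

# Constructed advanced ACL6 3001 for the Figure 11-3 scenario; Network A, B, C stand for 2001:db8:a/b/c::/48.
ACL6_3001 = [parse_rule(_line) for _line in (
    "rule 3 deny ipv6 destination 2001:db8:c::/48 time-range freeze",
    "rule 5 permit icmpv6 source 2001:db8:b:: 48 destination 2001:db8:c::/48",
    "rule 10 deny icmpv6 source 2001:db8:a:: 48 destination 2001:db8:c::/48",
    "rule 12 deny ipv6 destination 2001:db8:c::/48 fragment",
    "rule 15 permit tcp destination 2001:db8:c::10/128 destination-port eq 443 tcp-flag established",
    "rule 20 permit tcp destination 2001:db8:c::10/128 destination-port eq 22 time-range office",
    "rule 22 permit tcp destination 2001:db8:c::10/128 destination-port eq 23 time-range typo",
    "rule 25 deny ipv6 source any destination any",
)]

def evaluate(pkt, at=(2024, 6, 12, 10, 0), rules=None, time_ranges=None):
    """First hit in ascending rule-number order wins; (None, None) means no rule matched, and what happens
    then depends on the service the ACL6 is applied to. The default 'at' is a Wednesday at 10:00."""
    for r in sorted(rules or ACL6_3001, key=lambda r: r["id"]):
        if rule_matches(r, pkt, time_ranges or TIME_RANGES, datetime(*at)):
            return r["action"], r["id"]
    return None, None
```

Three behaviours are worth checking against the rule set: rule 22 references the undefined time range typo and therefore never permits anything, so Telnet to 2001:db8:c::10 falls through to the final deny; a non-first fragment carries no transport header, so rules 15 and 20 cannot match it and only the explicit fragment rule 12 catches it; and the periodic range office makes rule 20 permit SSH on a Wednesday morning but not on a Saturday, when the same packet reaches rule 25.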
Applying an Advanced ACL6
Advanced ACL6s can be used in device management, QoS services, multicast packet filtering, and routing policies.
Context
Table 11-4 describes the typical applications of advanced ACL6s.
| Typical Application | Usage Scenario | Operation |
|---|---|---|
| Multicast packet filtering | To filter multicast packets, configure an advanced ACL6 to receive or forward only the multicast packets that match the ACL6 rules. | For details on how to filter multicast packets, see |
| QoS services | To process different types of traffic, configure an advanced ACL6 to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL6 rules. | For details on how to process different types of traffic, see Configuring the Traffic Policing Policy, Configuring Traffic Shaping, and Configuring Traffic Behaviors. |
Configuring a User ACL6
A user ACL6 defines rules to filter packets.
(Optional) Creating a Validity Period for an ACL6 Rule
You can create a validity period for an ACL6 rule to control network traffic in a specified period.
Context
To control certain types of traffic in a specified period, you can configure a validity period for an ACL6 rule so that the rule applies only when that traffic is allowed to pass. For example, to ensure reliable transmission of video traffic at prime time in the evening, you may need to limit the volume of traffic from common online users.
After this configuration task is performed, a time range is created. You can then specify the time range as the validity period when creating an ACL6 rule.
The validity period of an ACL6 rule can be either of the following types:
Absolute time range: The validity period is fixed and takes effect once.
Periodic (relative) time range: The validity period repeats weekly, for example, every Monday.
Procedure
- Run system-view
The system view is displayed.
- Run time-range time-name { start-time to end-time days &<1-7> | from time1 date1 [ to time2 date2 ] }
A validity period is created.
- You can configure up to 256 time ranges.
- Up to 32 relative time ranges (periodic time ranges) and 12 absolute time ranges can share one time range name.
- Run commit
The configuration is committed.
Creating a User ACL6
You can create a user ACL6 and configure parameters for the ACL6.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name ucl-acl6-name ucl | number ucl-acl6-number } [ match-order { auto | config } ]
A user ACL6 is created.
The user ACL6 number ranges from 6000 to 9999.
- (Optional) Run step step
An ACL6 step is set.
You can use an ACL6 step to maintain ACL6 rules and add new ACL6 rules conveniently. Assume that a user has created four rules numbered from 1 to 4 in an ACL6. The user can reconfigure the ACL6 step, for example, to 2 by running the step 2 command in the ACL6 view. The original rule numbers 1, 2, 3, and 4 are renumbered as 2, 4, 6, and 8, respectively. After that, the user can run the rule 3 xxxx command to add a rule numbered 3 between the renumbered rules 2 and 4. Note that after renumbering, rule 3 no longer refers to the original third rule (now rule 6): a rule 3 command creates a new rule rather than editing the old one.
- (Optional) Run description text
The ACL6 description is configured.
The description command configures a description for an ACL6 in any of the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be left forgotten.
- Names of named ACL6s cannot fully explain the ACL6s' functions.
- Run commit
The configuration is committed.
Configuring a User ACL6 Rule
User ACL6s match packets based on the source/destination IPv6 address, source/destination service group, source/destination user group, source/destination port number, and protocol type.
Procedure
- Run system-view
The system view is displayed.
- Run acl ipv6 { name ucl-acl6-name ucl | number ucl-acl6-number } [ match-order { auto | config } ]
The user ACL6 view is displayed.
- Run any of the following commands to create a user ACL6 rule:
When protocol is specified as UDP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment | traffic-class traffic-class | time-range time-name | logging ] *
When protocol is specified as TCP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment | traffic-class traffic-class | time-range time-name | logging ] *
When protocol is specified as ICMPv6, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | icmp6-type { icmp6-type-name | icmp6-type icmp6-code } | fragment | traffic-class traffic-class | time-range time-name | logging ] *
When protocol is specified as a protocol other than TCP, UDP, and ICMPv6, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ipv6-esp | ipv6 | ipv6-ah | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | fragment | traffic-class traffic-class | time-range time-name | logging ] *
Adding new rules to an ACL6 will not affect the existing rules.
When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.
- (Optional) Run rule description text
The description for an ACL6 rule is configured.
The description of an ACL6 rule can state the rule's function. Configuring a description for an ACL6 rule is recommended to prevent misuse of the rule in the following situations:
- A large number of ACL6s are configured, and their functions are difficult to identify.
- An ACL6 is used at a long interval, and its function may be forgotten.
- Run commit
The configuration is committed.
Applying a User ACL6
User ACL6s can be used in QoS services.
Context
Table 11-5 describes the typical applications of User ACL6s.
| Typical Application | Usage Scenario | Operation |
|---|---|---|
| QoS | To process different types of traffic, users can configure a user ACL6 to perform traffic policing, traffic shaping, or traffic classification on traffic that matches the ACL6 rules. | For details on how to process different types of traffic, see the procedures for configuring traffic policing, traffic shaping, and traffic behaviors. |
Maintaining an ACL6
This section describes how to clear ACL6 statistics and monitor the ACL6 operating status.