ACL Rule Management

S12700 and S12700E V200R019C10 NETCONF YANG API Reference

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

ACL Rule Management

This section describes the configuration model of ACL rule management and provides examples of XML packets.

Data Model
Configuring an ACL Rule
Configuring an IPv6 ACL Rule

Data Model

The configuration model files for ACL rule management are ietf-acl.yang and huawei-acl.yang.

Table 2-360 ACL Rule management

Object	Description	Value	Remarks
/ietf-acl:access-lists/access-list/access-control-list-name	Indicates the name or ID of an ACL.	IPv4 ACL Name: The value is a string of 1 to 64 case-sensitive characters without spaces and must begin with a letter. ID: The value is an integer. The value range for advanced IPv4 ACLs is 3000 to 3999, and that for user ACLs is 6000 to 9999. IPv6 ACL The value must start with ipv6: followed by a name or an ID. Name: The value is a string of 1 to 64 case-sensitive characters without spaces and must begin with a letter. ID: The value is an integer. When the value is in the range from 2000 to 2999, the ACL is a basic IPv6 ACL. When the value is in the range from 3000 to 3999, the ACL is an advanced IPv6 ACL.	When the /ietf-acl:access-lists/access-list/huawei-acl:ipv6-flag object is set to true, the system identifies the created ACL as an IPv6 ACL. When this object is set to false, the system identifies the created ACL as an IPv4 ACL.
/ietf-acl:access-lists/access-list/huawei-acl:ipv6-flag	Indicates whether the created ACL is an IPv4 ACL or an IPv6 ACL.	The value is of the Boolean type: true: IPv6 ACL false: IPv4 ACL The default value is false.	N/A
/ietf-acl:access-lists/access-list/access-control-list-type	Indicates the ACL type.	The value is IP-access-control-list.	N/A
/ietf-acl:access-lists/access-list/huawei-acl:acl-name-type	Indicates the type of an ACL created by name.	The value is of the numerated type: basic: basic ACL advance: advanced ACL ucl: user ACL	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/rule-name	Indicates the ID of an ACL rule.	IPv4 ACL: The value is an integer that ranges from 0 to 4294967294. IPv6 ACL: The value is an integer that ranges from 0 to 4294967294.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/actions	Indicates the action in the ACL rule: deny indicates that the packets matching the ACL rule will be discarded. permit indicates that the packets matching the ACL rule will be forwarded properly.	The value can be spaces or left empty.	The action in an ACL rule depends on the content of access-control-list.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/dscp	Indicates the Differentiated Services Code Point (DSCP).	The value is an integer that ranges from 0 to 63.	This object is not supported by basic IPv6 and user ACLs.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol	Indicates the type of protocol packets matching the ACL rule.	The value is an integer that ranges from 1 or 255. Common protocol packets supported by IPv4 ACLs include the following: 1: ICMP packets 2: IGMP packets 4: IPINIP packets 6: TCP packets 17: UDP packets 47: GRE packets 89: OSPF packets By default, an IPv4 ACL is used to match IP packets. Common protocol packets supported by IPv6 ACLs include the following: 6: TCP packets 17: UDP packets 47: GRE packets 58: ICMPv6 packets 89: OSPF packets By default, an IPv6 ACL is used to match IPv6 packets.	This object is not supported by basic IPv6 ACLs.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/lower-port /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/upper-port	Indicates the source port of the UDP or TCP packets matching the ACL rule. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. lower-port indicates the start port number, and upper-port indicates the end port number. The two parameters specify a source port number range.	The value of lower-port or upper-port is a port number that ranges from 0 to 65535.	This object is supported only when the /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol object is set to 6 (TCP packets) or 17 (UDP packets). The value of upper-port must be greater than or equal to the value of lower-port. This object is not supported by basic IPv6 ACLs.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port-range/lower-port /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port-range/upper-port	Indicates the destination port of the UDP or TCP packets matching the ACL rule. If this parameter is not specified, TCP or UDP packets with any destination port are matched. lower-port indicates the start port number, and upper-port indicates the end port number. The two parameters specify a destination port number range.	The value of lower-port or upper-port is a port number that ranges from 0 to 65535.	This object is supported only when the /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol object is set to 6 (TCP packets) or 17 (UDP packets). The value of upper-port must be greater than or equal to the value of lower-port. This object is not supported by basic IPv6 ACLs.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv4-network	Indicates the source addresses of packets that match the IPv4 ACL rule. If no source address is specified, the packets with any source address are matched.	The value is in the format of source-address/source-wildcard. source-address indicates a source IP address in dotted decimal notation. source-wildcard specifies the wildcard of the source IP address in dotted decimal notation. The wildcard of the source IP address can be 0, which is equivalent to 0.0.0.0, indicating that the source IP address is a host address.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv4-network	Indicates the destination addresses of packets that match the IPv4 ACL rule. If no destination address is specified, the packets with any destination address are matched.	The value is in the format of destination-address/destination-wildcard. destination-address indicates a destination IP address in dotted decimal notation. destination-wildcard specifies the wildcard of the destination IP address in dotted decimal notation. The wildcard of the destination IP address can be 0, which is equivalent to 0.0.0.0, indicating that the destination IP address is a host address.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6-network	Indicates the source addresses of packets that match the IPv6 ACL rule. If no source address is specified, the packets with any source address are matched.	The value is in the format of source-ipv6-address/prefix-length. source-ipv6-address indicates the source IPv6 address. The total length of the value is 128 bits, which are divided into eight groups. Each group contains four hexadecimal digits. The value is in the format of X:X:X:X:X:X:X:X. prefix-length indicates the prefix length. The value is an integer that ranges from 1 to 128.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6-network	Indicates the destination addresses of packets that match the IPv6 ACL rule. If no destination address is specified, the packets with any destination address are matched.	The value is in the format of destination-ipv6-address/prefix-length. destination-ipv6-address indicates the destination IPv6 address. The total length of the value is 128 bits, which are divided into eight groups. Each group contains four hexadecimal digits. The value is in the format of X:X:X:X:X:X:X:X. prefix-length indicates the prefix length. The value is an integer that ranges from 1 to 128.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:vpn-instance	Indicates the name of a VPN instance on the inbound interface.	The value is a string of 1 to 31 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.	The value must be an existing VPN instance name.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:fqdn	Indicates the name of a destination domain.	The value is a string of 1 to 64 characters.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl: source-ucl-group/ucl-name	Indicates the name of the UCL group to which the source IP address of packets belongs that match ACL rules.	The value is a string of 1 to 31 case-sensitive characters without spaces.	The value must be the name of an existing UCL group.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl: source-ucl-group/ucl-index	Indicates the ID of the UCL group to which the source IP address of packets belongs that match ACL rules.	The value is an integer that ranges from 0 to 64000.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl: destination-ucl-group/ucl-name	Indicates the name of the UCL group to which the destination IP address of packets belongs that match ACL rules.	The value is a string of 1 to 31 case-sensitive characters without spaces.	The value must be the name of an existing UCL group.
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl: destination-ucl-group/ucl-index	Indicates the ID of the UCL group to which the destination IP address of packets belongs that match ACL rules.	The value is an integer that ranges from 0 to 64000.	N/A
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl: tcp-flag/flag-name	Indicates the SYN Flag in the TCP packet header that match ACL rules.	The value is of the numerated type: ack: ack(010000) established: ack(010000) or rst(000100) fin: fin(000001) psh: psh(001000) rst: rst(000100) syn: syn(000010) urg: urg(100000)	This object is supported only when the /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol object is set to 6 (TCP packets).
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/huawei-acl:time-range	Indicates the time range name of an ACL rule.	The value is a string of 1 to 32 characters.	Before configuring this object, configure the /huawei-time-range:time-ranges/time-range/name object first.

Configuring an ACL Rule

This section describes how to configure, modify, and delete an ACL rule using the edit-config method.

Table 2-361 Configuring an ACL rule

Operation	XPATH
edit-config:create edit-config:replace edit-config:delete	/ietf-acl:access-lists/access-list/access-control-list-name /ietf-acl:access-lists/access-list/access-control-list-type /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry

Operation

XPATH

edit-config:create

edit-config:replace

edit-config:delete

/ietf-acl:access-lists/access-list/access-control-list-name
/ietf-acl:access-lists/access-list/access-control-list-type
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry

Data Requirement 1: Creating an ACL Rule for Matching TCP Protocol Packets

Item	Data	Description
ACL name	test1	Create an ACL named test1.
ACL type	IP-access-control-list	Set the ACL type to IP-access-control-list.
ACL rule name	1	Set the ACL rule name to 1.
Action in the ACL rule	NA	Discard packets that match the ACL rule.
Type of protocol packets matching the ACL rule	6	Specify TCP protocol packets to match the ACL rule.
Source port of the TCP packets matching the ACL rule	lower-port: 1 upper-port: N/A	Specify port 1 to any port as the source port range of TCP packets that match the ACL rule.
Destination port of the TCP packets matching the ACL rule	lower-port: 1 upper-port: 3	Specify ports 1 to 3 as the destination port range of TCP packets that match the ACL rule.
Source addresses of packets that match the ACL rule	10.1.1.1/16	Specify 10.1.1.1/16 as the source addresses of packets that match the ACL rule.
Destination addresses of packets that match the ACL rule	10.2.1.1/24	Specify 10.2.1.1/24 as the destination addresses of packets that match the ACL rule.
DSCP	0	Set the DSCP value to 0 for the ACL rule.
Name of the time range within which the ACL rule takes effect	abc	Apply the ACL rule in a time range named abc.

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="5" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
        <access-control-list:access-list>
          <access-control-list:access-control-list-name>test1</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                  <access-control-list:upper-port>3</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>0</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:destination-ipv4-network>10.2.1.1/24</access-control-list:destination-ipv4-network>
                <access-control-list:source-ipv4-network>10.1.1.1/16</access-control-list:source-ipv4-network>
              </access-control-list:matches>
		   <access-control-list:actions>
                <access-control-list:deny></access-control-list:deny>
              </access-control-list:actions>
              <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">abc</hw-acl:time-range>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>parse rpc config error.</error-message>
  </rpc-error>
</rpc-reply>

Data Requirement 2: Modifying the Destination Port Number Range in an ACL Rule

The following provides only the item to be modified. For other items, see data requirement 1.

Item	Data	Description
Destination port of the TCP packets matching the ACL rule	lower-port: 1 upper-port: 6	Modify the destination port range of TCP packets that match the ACL rule from ports 1 to 3 to ports 1 to 6.

Item

Data

Description

Destination port of the TCP packets matching the ACL rule

lower-port: 1

upper-port: 6

Modify the destination port range of TCP packets that match the ACL rule from ports 1 to 3 to ports 1 to 6.

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="8" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
        <access-control-list:access-list>
          <access-control-list:access-control-list-name>test1</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                  <access-control-list:upper-port xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="replace">6</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>0</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:destination-ipv4-network>10.2.1.1/24</access-control-list:destination-ipv4-network>
                <access-control-list:source-ipv4-network>10.1.1.1/16</access-control-list:source-ipv4-network>
              </access-control-list:matches>
              <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">abc</hw-acl:time-range>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="4">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /ietf-acl:access-lists/access-list[access-control-list-name="test1"]</error-info>
  </rpc-error>
</rpc-reply>

Data Requirement 3: Canceling the Upper Destination Port Number Limit in an ACL Rule

The following provides only the item to be modified. For other items, see data requirement 1.

Item	Data	Description
Destination port of the TCP packets matching the ACL rule	lower-port: 1 upper-port: N/A	Modify the destination port range of TCP packets that match the ACL rule to port 1 to any port.

Item

Data

Description

Destination port of the TCP packets matching the ACL rule

lower-port: 1

upper-port: N/A

Modify the destination port range of TCP packets that match the ACL rule to port 1 to any port.

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="9" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
        <access-control-list:access-list>
          <access-control-list:access-control-list-name>test1</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>1</access-control-list:lower-port>
                  <access-control-list:upper-port xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">6</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>0</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:destination-ipv4-network>10.2.1.1/24</access-control-list:destination-ipv4-network>
                <access-control-list:source-ipv4-network>10.1.1.1/16</access-control-list:source-ipv4-network>
              </access-control-list:matches>
              <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">abc</hw-acl:time-range>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="3">
  <ok/>
</rpc-reply>

Sample of failed response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="7">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>operation-failed</error-tag>
    <error-severity>error</error-severity>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>

Configuring an IPv6 ACL Rule

This section describes how to configure and delete an IPv6 ACL rule using the edit-config method.

Table 2-362 Configuring an IPv6 ACL Rule

Operation	XPATH
edit-config	/ietf-acl:access-lists/access-list/access-control-list-name /ietf-acl:access-lists/access-list/huawei-acl:ipv6-flag /ietf-acl:access-lists/access-list/access-control-list-type /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/rule-name /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/actions /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/dscp /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/lower-port /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/upper-port /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6-network /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6-network /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/huawei-acl:time-range /huawei-time-range:time-ranges/time-range/name /huawei-time-range:time-ranges/time-range/vsys /huawei-time-range:time-ranges/time-range/period-time/start /huawei-time-range:time-ranges/time-range/period-time/end /huawei-time-range:time-ranges/time-range/period-time/weekday

Operation

XPATH

edit-config

/ietf-acl:access-lists/access-list/access-control-list-name
/ietf-acl:access-lists/access-list/huawei-acl:ipv6-flag
/ietf-acl:access-lists/access-list/access-control-list-type
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/rule-name
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/actions
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/dscp
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/lower-port
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/upper-port
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6-network
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6-network
/ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/huawei-acl:time-range
/huawei-time-range:time-ranges/time-range/name
/huawei-time-range:time-ranges/time-range/vsys
/huawei-time-range:time-ranges/time-range/period-time/start
/huawei-time-range:time-ranges/time-range/period-time/end
/huawei-time-range:time-ranges/time-range/period-time/weekday

Data Requirement 1: Creating an IPv6 ACL Rule for Matching TCP Protocol Packets

Item	Data	Description
Name or ID of an ACL to be created	ipv6:3600	-
Whether the created ACL is an IPv4 ACL or an IPv6 ACL	true	-
ACL type	IP-access-control-list	-
ACL rule ID	1	-
Action in the ACL rule	Space (The permit action is used.)	Allow packets matching the ACL rule to pass.
Type of protocol packets matching the ACL rule	6	-
Source port of the TCP packets matching the ACL rule	lower-port: 50 upper-port: 60	-
Destination port of the TCP packets matching the ACL rule	lower-port: 70 upper-port: 80	-
Source addresses of packets that match the IPv6 ACL rule	2001:db8:1::1/64	-
Destination addresses of packets that match the IPv6 ACL rule	2001:db8:1::2/64	-
DSCP	60	-
Name of the time range within which the ACL rule takes effect	t1	-
Start time of the time range	12:23:34	-
End time of the time range	23:34:56	-
Validity period	friday	-

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-time-range:time-ranges xmlns:hw-time-range="urn:huawei:params:xml:ns:yang:huawei-time-range">
        <hw-time-range:time-range>
          <hw-time-range:vsys>public</hw-time-range:vsys>
          <hw-time-range:name>t1</hw-time-range:name>
          <hw-time-range:period-time>
            <hw-time-range:start>12:23:34</hw-time-range:start>
            <hw-time-range:end>23:34:56</hw-time-range:end>
            <hw-time-range:weekday>friday</hw-time-range:weekday>
          </hw-time-range:period-time>
        </hw-time-range:time-range>
      </hw-time-range:time-ranges>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
         <access-control-list:access-list>
          <access-control-list:access-control-list-name>ipv6:3600</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>50</access-control-list:lower-port>
                  <access-control-list:upper-port>60</access-control-list:upper-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>70</access-control-list:lower-port>
                  <access-control-list:upper-port>80</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>60</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:source-ipv6-network>2001:db8:1::1/64</access-control-list:source-ipv6-network>
                <access-control-list:destination-ipv6-network>2001:db8:1::2/64</access-control-list:destination-ipv6-network>
                <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">t1</hw-acl:time-range>
              </access-control-list:matches>
              <access-control-list:actions>
                <access-control-list:permit> </access-control-list:permit>
              </access-control-list:actions>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
          <hw-acl:ipv6-flag xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">true</hw-acl:ipv6-flag>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

# Sample of successful response

##### Ok Reply or Operation Successful #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

# Sample of failed response

##### Error Reply or Operation Failed #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>The acl6 must start with "ipv6:".</error-message>
    <error-info>Error on node /ietf-acl:access-lists/access-list[access-control-list-name="ipv:3600"]</error-info>
  </rpc-error>
</rpc-reply>

Data Requirement 2: Deleting the IPv6 ACL Rule for Matching TCP Protocol Packets

Delete the configuration performed in Data Requirement 1.

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <hw-time-range:time-ranges xmlns:hw-time-range="urn:huawei:params:xml:ns:yang:huawei-time-range">
        <hw-time-range:time-range xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <hw-time-range:vsys>public</hw-time-range:vsys>
          <hw-time-range:name>t1</hw-time-range:name>
          <hw-time-range:period-time>
            <hw-time-range:start>12:23:34</hw-time-range:start>
            <hw-time-range:end>23:34:56</hw-time-range:end>
            <hw-time-range:weekday>friday</hw-time-range:weekday>
          </hw-time-range:period-time>
        </hw-time-range:time-range>
      </hw-time-range:time-ranges>
      <access-control-list:access-lists xmlns:access-control-list="urn:ietf:params:xml:ns:yang:ietf-acl">
         <access-control-list:access-list xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
          <access-control-list:access-control-list-name>ipv6:3600</access-control-list:access-control-list-name>
          <access-control-list:access-control-list-type>IP-access-control-list</access-control-list:access-control-list-type>
          <access-control-list:access-list-entries>
            <access-control-list:access-list-entry>
              <access-control-list:rule-name>1</access-control-list:rule-name>
              <access-control-list:matches>
                <access-control-list:source-port-range>
                  <access-control-list:lower-port>50</access-control-list:lower-port>
                  <access-control-list:upper-port>60</access-control-list:upper-port>
                </access-control-list:source-port-range>
                <access-control-list:destination-port-range>
                  <access-control-list:lower-port>70</access-control-list:lower-port>
                  <access-control-list:upper-port>80</access-control-list:upper-port>
                </access-control-list:destination-port-range>
                <access-control-list:dscp>60</access-control-list:dscp>
                <access-control-list:protocol>6</access-control-list:protocol>
                <access-control-list:source-ipv6-network>2001:db8:1::1/64</access-control-list:source-ipv6-network>
                <access-control-list:destination-ipv6-network>2001:db8:1::2/64</access-control-list:destination-ipv6-network>
                <hw-acl:time-range xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">t1</hw-acl:time-range>
              </access-control-list:matches>
              <access-control-list:actions>
                <access-control-list:permit> </access-control-list:permit>
              </access-control-list:actions>
            </access-control-list:access-list-entry>
          </access-control-list:access-list-entries>
          <hw-acl:ipv6-flag xmlns:hw-acl="urn:huawei:params:xml:ns:yang:huawei-acl">true</hw-acl:ipv6-flag>
        </access-control-list:access-list>
      </access-control-list:access-lists>
    </config>
  </edit-config>
</rpc>

Response example

# Sample of successful response

##### Ok Reply or Operation Successful #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <ok/>
</rpc-reply>

# Sample of failed response

##### Error Reply or Operation Failed #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Service process failed.</error-message>
    <error-info>Error on node /ietf-acl:access-lists/access-list[access-control-list-name="test1"]</error-info>
  </rpc-error>
</rpc-reply>

Data Model
Configuring an ACL Rule
Configuring an IPv6 ACL Rule

Translation

简体中文

Download

Updated: 2022-05-25

Document ID: EDOC1100126933

Downloads: 83

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.

Data Model

Configuring an ACL Rule

Data Requirement 1: Creating an ACL Rule for Matching TCP Protocol Packets

Data Requirement 2: Modifying the Destination Port Number Range in an ACL Rule

Data Requirement 3: Canceling the Upper Destination Port Number Limit in an ACL Rule

Configuring an IPv6 ACL Rule

Data Requirement 1: Creating an IPv6 ACL Rule for Matching TCP Protocol Packets

Data Requirement 2: Deleting the IPv6 ACL Rule for Matching TCP Protocol Packets

Related Version

Related Documents

Digital Signature File