
Data Model

The configuration model files for ACL rule management are ietf-acl.yang and huawei-acl.yang.

Table 1 ACL rule management

Each row of the table lists the object (YANG path), its description, the permitted value, and remarks.

Object: /ietf-acl:access-lists/access-list/access-control-list-name
Description: Indicates the name or ID of an ACL.
Value:
  • IPv4 ACL
    • Name: The value is a string of 1 to 64 case-sensitive characters without spaces and must begin with a letter.
    • ID: The value is an integer. The value range for advanced IPv4 ACLs is 3000 to 3999, and that for user ACLs is 6000 to 9999.
  • IPv6 ACL
    • The value must start with ipv6: followed by a name or an ID.
    • Name: The value is a string of 1 to 64 case-sensitive characters without spaces and must begin with a letter.
    • ID: The value is an integer. When the value is in the range from 2000 to 2999, the ACL is a basic IPv6 ACL. When the value is in the range from 3000 to 3999, the ACL is an advanced IPv6 ACL.
Remarks: When the /ietf-acl:access-lists/access-list/huawei-acl:ipv6-flag object is set to true, the system identifies the created ACL as an IPv6 ACL. When this object is set to false, the system identifies the created ACL as an IPv4 ACL.

Object: /ietf-acl:access-lists/access-list/huawei-acl:ipv6-flag
Description: Indicates whether the created ACL is an IPv4 ACL or an IPv6 ACL.
Value: The value is of the Boolean type:
  • true: IPv6 ACL
  • false: IPv4 ACL
  The default value is false.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-control-list-type
Description: Indicates the ACL type.
Value: The value is IP-access-control-list.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/huawei-acl:acl-name-type
Description: Indicates the type of an ACL created by name.
Value: The value is of the enumerated type:
  • basic: basic ACL
  • advance: advanced ACL
  • ucl: user ACL
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/rule-name
Description: Indicates the ID of an ACL rule.
Value:
  • IPv4 ACL: The value is an integer that ranges from 0 to 4294967294.
  • IPv6 ACL: The value is an integer that ranges from 0 to 4294967294.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/actions
Description: Indicates the action in the ACL rule:
  • deny indicates that the packets matching the ACL rule will be discarded.
  • permit indicates that the packets matching the ACL rule will be forwarded properly.
Value: The value can be spaces or left empty.
Remarks: The action in an ACL rule depends on the content of access-control-list.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/dscp
Description: Indicates the Differentiated Services Code Point (DSCP).
Value: The value is an integer that ranges from 0 to 63.
Remarks: This object is not supported by basic IPv6 ACLs and user ACLs.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol
Description: Indicates the type of protocol packets matching the ACL rule.
Value: The value is an integer that ranges from 1 to 255.
  • Common protocol packets supported by IPv4 ACLs include the following:
    • 1: ICMP packets
    • 2: IGMP packets
    • 4: IPINIP packets
    • 6: TCP packets
    • 17: UDP packets
    • 47: GRE packets
    • 89: OSPF packets

    By default, an IPv4 ACL is used to match IP packets.

  • Common protocol packets supported by IPv6 ACLs include the following:
    • 6: TCP packets
    • 17: UDP packets
    • 47: GRE packets
    • 58: ICMPv6 packets
    • 89: OSPF packets

    By default, an IPv6 ACL is used to match IPv6 packets.
Remarks: This object is not supported by basic IPv6 ACLs.

Object:
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/lower-port
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-port-range/upper-port
Description: Indicates the source port of the UDP or TCP packets matching the ACL rule. The value is valid only when the protocol of the packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.
  lower-port indicates the start port number, and upper-port indicates the end port number. The two parameters specify a source port number range.
Value: The value of lower-port or upper-port is a port number that ranges from 0 to 65535.
Remarks:
  • This object is supported only when the /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol object is set to 6 (TCP packets) or 17 (UDP packets).
  • The value of upper-port must be greater than or equal to the value of lower-port.
  • This object is not supported by basic IPv6 ACLs.

Object:
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port-range/lower-port
  • /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port-range/upper-port
Description: Indicates the destination port of the UDP or TCP packets matching the ACL rule. If this parameter is not specified, TCP or UDP packets with any destination port are matched.
  lower-port indicates the start port number, and upper-port indicates the end port number. The two parameters specify a destination port number range.
Value: The value of lower-port or upper-port is a port number that ranges from 0 to 65535.
Remarks:
  • This object is supported only when the /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol object is set to 6 (TCP packets) or 17 (UDP packets).
  • The value of upper-port must be greater than or equal to the value of lower-port.
  • This object is not supported by basic IPv6 ACLs.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv4-network
Description: Indicates the source addresses of packets that match the IPv4 ACL rule. If no source address is specified, packets with any source address are matched.
Value: The value is in the format of source-address/source-wildcard.
  • source-address indicates a source IP address in dotted decimal notation.
  • source-wildcard specifies the wildcard of the source IP address in dotted decimal notation. The wildcard of the source IP address can be 0, which is equivalent to 0.0.0.0, indicating that the source IP address is a host address.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv4-network
Description: Indicates the destination addresses of packets that match the IPv4 ACL rule. If no destination address is specified, packets with any destination address are matched.
Value: The value is in the format of destination-address/destination-wildcard.
  • destination-address indicates a destination IP address in dotted decimal notation.
  • destination-wildcard specifies the wildcard of the destination IP address in dotted decimal notation. The wildcard of the destination IP address can be 0, which is equivalent to 0.0.0.0, indicating that the destination IP address is a host address.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6-network
Description: Indicates the source addresses of packets that match the IPv6 ACL rule. If no source address is specified, packets with any source address are matched.
Value: The value is in the format of source-ipv6-address/prefix-length.
  • source-ipv6-address indicates the source IPv6 address. The total length of the value is 128 bits, which are divided into eight groups. Each group contains four hexadecimal digits. The value is in the format of X:X:X:X:X:X:X:X.
  • prefix-length indicates the prefix length. The value is an integer that ranges from 1 to 128.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6-network
Description: Indicates the destination addresses of packets that match the IPv6 ACL rule. If no destination address is specified, packets with any destination address are matched.
Value: The value is in the format of destination-ipv6-address/prefix-length.
  • destination-ipv6-address indicates the destination IPv6 address. The total length of the value is 128 bits, which are divided into eight groups. Each group contains four hexadecimal digits. The value is in the format of X:X:X:X:X:X:X:X.
  • prefix-length indicates the prefix length. The value is an integer that ranges from 1 to 128.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:vpn-instance
Description: Indicates the name of a VPN instance on the inbound interface.
Value: The value is a string of 1 to 31 case-sensitive characters without spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.
Remarks: The value must be an existing VPN instance name.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:fqdn
Description: Indicates the name of a destination domain.
Value: The value is a string of 1 to 64 characters.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:source-ucl-group/ucl-name
Description: Indicates the name of the UCL group to which the source IP address of packets matching ACL rules belongs.
Value: The value is a string of 1 to 31 case-sensitive characters without spaces.
Remarks: The value must be the name of an existing UCL group.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:source-ucl-group/ucl-index
Description: Indicates the ID of the UCL group to which the source IP address of packets matching ACL rules belongs.
Value: The value is an integer that ranges from 0 to 48 for the S5720-EI, S6720S-EI, and S6720-EI, and from 0 to 64000 for the other models.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:destination-ucl-group/ucl-name
Description: Indicates the name of the UCL group to which the destination IP address of packets matching ACL rules belongs.
Value: The value is a string of 1 to 31 case-sensitive characters without spaces.
Remarks: The value must be the name of an existing UCL group.

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:destination-ucl-group/ucl-index
Description: Indicates the ID of the UCL group to which the destination IP address of packets matching ACL rules belongs.
Value: The value is an integer that ranges from 0 to 64000.
Remarks: N/A

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/huawei-acl:tcp-flag/flag-name
Description: Indicates the flag in the TCP packet header that ACL rules match.
Value: The value is of the enumerated type:
  • ack: ack(010000)
  • established: ack(010000) or rst(000100)
  • fin: fin(000001)
  • psh: psh(001000)
  • rst: rst(000100)
  • syn: syn(000010)
  • urg: urg(100000)
Remarks: This object is supported only when the /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/matches/protocol object is set to 6 (TCP packets).

Object: /ietf-acl:access-lists/access-list/access-list-entries/access-list-entry/huawei-acl:time-range
Description: Indicates the time range name of an ACL rule.
Value: The value is a string of 1 to 32 characters.
Remarks: Before configuring this object, configure the /huawei-time-range:time-ranges/time-range/name object first.
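The constraints in Table 1 are easy to get wrong when an ACL entry is assembled programmatically (for example a port range on a rule whose protocol is not TCP/UDP, or a DSCP match on a basic IPv6 ACL), and the device rejects the whole edit-config. The following added example, which is not Huawei's code, derives the ACL kind from the documented ID ranges and checks a rule's matches block offline before it is sent; the dictionary keys are the leaf names from the table, the kind labels ("ipv4-advanced", "ipv6-basic", ...) are this example's own names, and named ACLs are passed through without a basic/advance/ucl classification.

```python
# Added example, not Huawei's code: offline check of Table 1 constraints.
import ipaddress

def acl_kind(acl_name, ipv6_flag=False):
    """Classify an ACL by the numeric ID ranges in Table 1 (names -> '*-named')."""
    ipv6_flag = ipv6_flag or acl_name.startswith("ipv6:")  # ipv6: prefix
    name = acl_name.removeprefix("ipv6:")
    if not name.isdigit():
        return "ipv6-named" if ipv6_flag else "ipv4-named"
    n = int(name)
    if ipv6_flag and 2000 <= n <= 2999:
        return "ipv6-basic"
    if 3000 <= n <= 3999:
        return "ipv6-advanced" if ipv6_flag else "ipv4-advanced"
    if not ipv6_flag and 6000 <= n <= 9999:
        return "ipv4-user"
    raise ValueError(f"ACL ID {n} is outside the documented ranges")

def validate_matches(kind, m):
    """Return the Table 1 constraints violated by an access-list-entry's matches block."""
    errs, proto = [], m.get("protocol")
    if "dscp" in m:
        if kind in ("ipv6-basic", "ipv4-user"):
            errs.append("dscp: not supported by basic IPv6 and user ACLs")
        elif not 0 <= m["dscp"] <= 63:
            errs.append("dscp: must be 0..63")
    if proto is not None and kind == "ipv6-basic":
        errs.append("protocol: not supported by basic IPv6 ACLs")
    elif proto is not None and not 1 <= proto <= 255:
        errs.append("protocol: must be 1..255")
    for side in ("source-port-range", "destination-port-range"):
        if side in m:
            lo, hi = m[side]["lower-port"], m[side]["upper-port"]
            if proto not in (6, 17):
                errs.append(f"{side}: requires protocol 6 (TCP) or 17 (UDP)")
            if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
                errs.append(f"{side}: ports must be 0..65535")
            elif hi < lo:
                errs.append(f"{side}: upper-port must be >= lower-port")
    if "tcp-flag" in m and proto != 6:
        errs.append("tcp-flag: requires protocol 6 (TCP)")
    for key in ("source-ipv6-network", "destination-ipv6-network"):
        if key in m:                        # X:X:X:X:X:X:X:X/prefix-length
            addr, plen = m[key].split("/")
            ipaddress.IPv6Address(addr)     # raises on a malformed address
            if not 1 <= int(plen) <= 128:
                errs.append(f"{key}: prefix-length must be 1..128")
    return errs
```

A rule that passes with an empty list still has to satisfy the device-side checks the table lists (an existing VPN instance or UCL group name, a time range configured first).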

Copyright © Huawei Technologies Co., Ltd.