< Home

Configuring a Basic ACL6

Prerequisites

If you need to configure a time-based ACL6, create a time range and associate the time range with the ACL6 rules. For details, see (Optional) Creating a Time Range in Which an ACL Takes Effect.

Context

A basic ACL6 defines rules to filter IPv6 packets based on information such as source IPv6 addresses, fragment information, and time ranges.

To filter packets based only on source IPv6 addresses, you can configure a basic ACL6.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Create a basic ACL6. You can create a numbered or named ACL.

    • Run the acl ipv6 [ number ] acl6-number [ match-order { auto | config } ] command to create a numbered basic ACL6 (2000-2999) and enter the basic ACL6 view.

    • Run the acl ipv6 name acl6-name { basic | acl6-number } [ match-order { auto | config } ] command to create a named basic ACL6 and enter the basic ACL6 view.

    By default, no ACL6 exists on the device.

    If the parameter match-order is not specified when you create an ACL6, the default matching order config is used. The matching order of an ACL6 is the same as that of an ACL. For details, see ACL Matching.

  3. (Optional) Run description text

    A description is configured for the ACL6.

    By default, an ACL6 has no description.

    The ACL6 description helps you understand and remember the functions or purpose of an ACL6.

  4. Run rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    Rules are configured in the basic ACL6.

    In this example, only one permit or deny rule is configured. In actual configuration, you can configure multiple rules and decide the matching order of the rules according to service requirements.

    Configuring rules for the basic ACL6 provides a rule configuration example.

  5. (Optional) Run rule rule-id description description

    A description is configured for the ACL rules.

    By default, an ACL rule has no description.

    The ACL rule description helps you understand and remember the functions or purpose of an ACL rule.

    You can configure descriptions for only the existing rules on the device. That is, you cannot configure a description for a rule before creating it.

Follow-up Procedure

After an ACL is configured, it must be applied to a service module so that the ACL rules can be delivered and take effect. For supported service modules and configurations, see Applying an ACL.

Configuration Examples

Configuring rules for a basic ACL6

  • Configuring a packet filtering rule based on the source IPv6 address (host address)

    Configure a rule in ACL6 2001 to allow packets from the host at fc00:1::1/128 to pass.
    <HUAWEI> system-view
[HUAWEI] acl ipv6 2001
[HUAWEI-acl6-basic-2001] rule permit source fc00:1::1 128

  • Configuring a packet filtering rule based on the source IPv6 network segment

    Configure a rule in ACL6 2001 to allow packets from the host at fc00:1::1/128 to pass and reject packets from other hosts on the network segment fc00:1::/64.
    <HUAWEI> system-view
[HUAWEI] acl ipv6 2001
[HUAWEI-acl6-basic-2001] rule permit source fc00:1::1 128
[HUAWEI-acl6-basic-2001] rule deny source fc00:1:: 64

  • Configuring a time-based ACL6 rule

    For details, see Configuring a time-based ACL rule in Configuring a Basic ACL.

  • Configuring a packet filtering rule based on the source network segment and IP fragment information

    For details, see Configuring a packet filtering rule based on the IP fragment information and source IP address segment in Configuring a Basic ACL.

Parent Topic: Configuring an ACL
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >