
if-match acl

Function

The if-match acl command configures a matching rule based on an Access Control List (ACL) in a traffic classifier.

The undo if-match acl command deletes a matching rule based on an ACL.

By default, a matching rule based on an ACL is not configured in a traffic classifier.

Format

if-match [ ipv6 ] acl { acl-number | acl-name }

undo if-match [ ipv6 ] acl { acl-number | acl-name }

Parameters

Parameter: ipv6
Description: Indicates that IPv6 ACLs are matched. If this parameter is not specified, IPv4 ACLs are matched.
Value: -

Parameter: acl-number
Description: Specifies the number of an ACL.
Value: For IPv4 ACLs, the value is an integer ranging from 2000 to 5999; for ACL6 (IPv6 ACLs), it ranges from 2000 to 3999.
  • ACLs numbered 2000 to 2999 are basic ACLs, which are used to classify all packets.
  • ACLs numbered 3000 to 3999 are advanced ACLs, which are used to classify packets based on Layer 3 information.
  • ACLs numbered 4000 to 4999 are Layer 2 ACLs, which are used to classify packets based on the source MAC address, destination MAC address, and packet type.
  • ACLs numbered 5000 to 5999 are user-defined ACLs.

Parameter: acl-name
Description: Specifies the name of an ACL.
Value: The value must be the name of an existing ACL.

Views

Traffic classifier view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To classify packets based on the inbound interface, source and destination IP addresses, IP protocol, source and destination TCP port numbers, ICMP type and code, source and destination MAC addresses, or ARP packet fields, reference an ACL in a traffic classifier. You must first define an ACL and configure rules in it, and then run the if-match acl command to configure a matching rule based on that ACL, so that the device processes all packets matching the rule in the same manner.

Prerequisites

The following operations must have been performed:
  • Create an ACL and configure rules in the ACL.

  • Create a traffic classifier using the traffic classifier command.

Precautions

Regardless of whether the relationship between rules in a traffic classifier is AND or OR, a packet matches an ACL that contains multiple rules as soon as it matches any one of those rules. The classifier operator combines separate if-match rules; it does not change the OR semantics inside an ACL.

Only the S5720-EI, S6720-EI, and S6720S-EI support traffic classifiers with advanced ACLs containing the ttl-expired field.

You can configure multiple ACL rules in a traffic classifier to match different types of packets.

If the vpn-instance parameter is specified in an ACL rule, a traffic policy that defines a traffic classifier matching this ACL rule does not take effect.

On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, if a traffic policy is applied to the outbound direction and the relationship between rules in a traffic classifier is AND:
  • Rules for matching the source IPv6 address and those for matching the destination IPv6 address cannot be configured in the same traffic classifier.
  • Rules for matching IPv6 information (for example, if-match protocol ipv6 and if-match ipv6 acl) and those for matching the source MAC address, destination MAC address, source IPv6 address, or destination IPv6 address of packets cannot be configured in the same traffic classifier. (ACL6 rules can be used to match the source or destination IPv6 address of packets.)
  • Rules for matching IPv4 information (IP address and UDP port number) and those for matching some Layer 2 information (for example, if-match source-mac, if-match destination-mac, and if-match l2-protocol { mpls | rarp | protocol-value }) cannot be configured in the same traffic classifier.

On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, if a traffic policy is applied to the outbound direction, and an ACL6 rule for matching the source IPv6 address of packets and an ACL6 rule for matching the destination IPv6 address of packets are configured in two separate traffic classifiers:
  • If the traffic behaviors corresponding to the two traffic classifiers do not conflict, both traffic classifiers and their corresponding traffic behaviors take effect.
  • If the traffic behaviors corresponding to the two traffic classifiers conflict, only the traffic classifier defining the ACL6 rule for matching the source IPv6 address of packets, and its traffic behavior, take effect.

UDP packets larger than the MTU are fragmented. Only the first fragment carries the UDP header, so the remaining fragments cannot be matched against ACL rules based on UDP information (for example, a destination port). A traffic policy that uses if-match acl with UDP-based rules therefore does not take effect on those fragments. For example, if traffic policing is configured for a flow that contains a large number of fragmented packets, and the non-first fragments do not match the UDP port number in the ACL rule, those fragments are not policed. As a result, the actual rate exceeds the configured rate limit.
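The two caveats above (any-rule-matches inside an ACL, and non-first fragments carrying no UDP header) are easy to misjudge when sizing a rate limit. The following is an added Python model of those semantics, not Huawei code; the packet fields, the CIDR form of the source rule, and the sample fragmented flow are all constructed for illustration.

```python
"""Simplified model of the match semantics described above (added example,
not vendor code): a packet matches an ACL when ANY of its rules match, the
classifier operator (and/or) only combines separate if-match rules, and a
non-first UDP fragment has no UDP header, so a UDP-port rule never sees it."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Packet:
    proto: str                   # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None when no L4 header is present (non-first fragment)

AclRule = Callable[[Packet], bool]   # one "rule permit ..." line
Acl = List[AclRule]                  # one numbered or named ACL

def acl_matches(acl: Acl, pkt: Packet) -> bool:
    """Inside one ACL a single matching rule suffices (OR), whatever the classifier operator."""
    return any(rule(pkt) for rule in acl)

def classifier_matches(operator: str, acls: List[Acl], pkt: Packet) -> bool:
    """Combine several if-match acl rules with the classifier's and/or operator."""
    hits = [acl_matches(acl, pkt) for acl in acls]
    return all(hits) if operator == "and" else any(hits)

def udp_dport(port: int) -> AclRule:
    # Like "rule permit udp destination-port eq <port>": needs a UDP header to read.
    return lambda p: p.proto == "udp" and p.dport == port

def source_net(cidr: str) -> AclRule:
    # Like a basic-ACL "rule permit source ..." written as CIDR (a modelling choice).
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net

def police_stream(stream: List[Packet], acl: Acl) -> Dict[str, int]:
    """Count how many packets of a fragmented flow a UDP-port based policy would police."""
    policed = sum(1 for p in stream if acl_matches(acl, p))
    return {"total": len(stream), "policed": policed, "unpoliced": len(stream) - policed}

# Constructed sample: one oversized UDP datagram to port 53, split into three fragments.
FIRST = Packet("udp", "10.0.0.5", "10.0.0.9", dport=53)
REST = Packet("udp", "10.0.0.5", "10.0.0.9", dport=None)
FRAGMENTED_FLOW = [FIRST, REST, REST]

if __name__ == "__main__":
    print(police_stream(FRAGMENTED_FLOW, [udp_dport(53)]))  # {'total': 3, 'policed': 1, 'unpoliced': 2}
    print(classifier_matches("and", [[udp_dport(53)], [source_net("192.168.0.0/16")]], FIRST))  # False
```

Adding a source-address rule to the same ACL makes the non-first fragments match again, because any one rule in the ACL is enough; that is the behaviour to rely on when the policy must cover the whole flow.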

For S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, on devices for which the resource mode of extended entry space cannot be configured, ACL6 rules can define only the protocol number, source port number, destination port number, source IPv6 address, and destination IPv6 address. Additionally, ACL6-based traffic policies that contain these ACL6 rules cannot be applied to sub-interfaces and VLANIF interfaces.

On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I, if the first-fragment parameter is specified in an ACL rule, a traffic policy defining this ACL rule can be applied only to the inbound direction.

Example

# Configure a matching rule based on ACL 2046 in the traffic classifier c1.

<HUAWEI> system-view
[HUAWEI] acl 2046
[HUAWEI-acl-basic-2046] rule permit source any
[HUAWEI-acl-basic-2046] quit
[HUAWEI] traffic classifier c1 operator and
[HUAWEI-classifier-c1] if-match acl 2046
Copyright © Huawei Technologies Co., Ltd.