
rule (advanced ACL6 view) (upgrade-compatible command)

Function

The rule command adds or modifies advanced ACL6 rules.

Format

rule [ rule-id ] { deny | permit } ipv6-ah [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } ipv6-esp [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *

Parameters

Parameter

Description

Value

rule-id

Indicates the ID of an ACL6 rule.

The value ranges from 0 to 2047.
  • If a rule ID is specified and a rule with that ID already exists, the new configuration is added to that rule, that is, the existing rule is modified.
  • If no rule with the specified ID exists, a rule is created with that ID, and its position in the ACL is determined by the ID.
  • If no rule ID is specified, the device allocates an ID to the new rule. Rule IDs are sorted in ascending order.

deny

Discards packets that match the rule.

-

permit

Allows packets that match the rule to pass.

-

ipv6-ah

Indicates the protocol type: the rule matches IPv6 packets whose upper-layer protocol (next header) is the IPsec Authentication Header (AH, protocol number 51).

-

ipv6-esp

Indicates the protocol type: the rule matches IPv6 packets whose upper-layer protocol (next header) is the IPsec Encapsulating Security Payload (ESP, protocol number 50).

-

destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any }

Indicates the destination address and prefix of a packet. destination-ipv6-address is expressed in colon-separated hexadecimal notation. You can also use any to represent any destination address.

prefix-length is an integer that ranges from 1 to 128.

destination destination-ipv6-address postfix postfix-length

Indicates the destination address and the length of the destination address postfix. destination-ipv6-address is expressed in colon-separated hexadecimal notation.

postfix-length is an integer that ranges from 1 to 64.

dscp dscp

Specifies the value of a Differentiated Services CodePoint (DSCP).

The value ranges from 0 to 63.

fragment

Indicates that the rule matches only non-initial fragments, that is, packets whose Fragment extension header carries a non-zero fragment offset.

-

logging

Records a log for packets that match the rule.

Log contents include the ACL rule ID, pass or discard of packets, type of the protocol over IP, source or destination address, source or destination port number, and number of packets.

precedence precedence

Filters packets by priority.

The value is a name or a digit that ranges from 0 to 7.

source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any }

Indicates the source address and prefix of a packet. source-ipv6-address is expressed in colon-separated hexadecimal notation. You can also use any to represent any source address.

prefix-length is an integer that ranges from 1 to 128.

source source-ipv6-address postfix postfix-length

Indicates the source address and the length of the source address postfix. source-ipv6-address is expressed in colon-separated hexadecimal notation.

postfix-length is an integer that ranges from 1 to 64.

time-range time-name

Specifies the time range during which the rule takes effect. time-name is the name of the time range.

The value is a string of 1 to 32 characters.

tos tos

Filters packets by Type of Service (ToS).

The value is a name or a digit that ranges from 0 to 15.

vpn-instance vpn-instance-name

Specifies the name of the VPN instance to which the rule applies.

The VPN instance must already exist.

Views

Advanced ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Advanced ACL6s classify data packets based on the source IPv6 address, destination IPv6 address, source port number, destination port number, and protocol type. The ipv6-ah and ipv6-esp forms of the command match IPsec AH and ESP packets; because AH and ESP carry no port numbers, these forms offer no port-based matching, only the address, DSCP, precedence, ToS, fragment, time-range, logging and VPN instance options shown under Format.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result may be incorrect.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Exercise caution when you run the undo rule command.
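The following Python model is an added illustration for this page, not Huawei software. It parses rules in the syntax shown under Format (only the source, destination, fragment and logging options are modelled) and evaluates constructed packets against them, so the interaction of the prefix and postfix address forms, the fragment keyword, rule-ID ordering and the overwrite-on-same-ID behaviour described in Precautions can be checked before a rule set is applied. It assumes, since the page does not state it, that rules are evaluated in ascending rule-ID order with the first match winning, that postfix postfix-length compares the low postfix-length bits of the address, that a rule without fragment matches fragmented and unfragmented packets alike, and that automatically allocated rule IDs advance in steps of 5. The sample rules and packet addresses are constructed for the example; rule 0 is the page's own.

```python
"""Matcher for the ipv6-ah / ipv6-esp form of the advanced ACL6 rule command.
Added example, not Huawei code. Assumed, not stated on the page: ascending rule-ID
order with first match wins; 'postfix N' compares the low N bits; auto IDs step by 5."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEXT_HEADER = {"ipv6-ah": 51, "ipv6-esp": 50}  # IANA protocol numbers for AH and ESP

@dataclass
class AddrMatch:
    address: Optional[ipaddress.IPv6Address] = None  # None means 'any'
    prefix_len: Optional[int] = None   # compare the high prefix_len bits (1..128)
    postfix_len: Optional[int] = None  # compare the low postfix_len bits (1..64)

    def matches(self, addr: ipaddress.IPv6Address) -> bool:
        if self.address is None:
            return True
        mask = (((1 << self.prefix_len) - 1) << (128 - self.prefix_len)
                if self.prefix_len is not None else (1 << self.postfix_len) - 1)
        return (int(self.address) & mask) == (int(addr) & mask)

@dataclass
class Rule:
    rule_id: Optional[int]  # 0..2047 on the page; None until the ACL allocates one
    action: str             # 'permit' or 'deny'
    protocol: str           # 'ipv6-ah' or 'ipv6-esp'
    source: AddrMatch = field(default_factory=AddrMatch)
    destination: AddrMatch = field(default_factory=AddrMatch)
    fragment: bool = False  # True: match non-initial fragments only
    logging: bool = False

def _parse_addr(t: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any', '<addr>/<len>', '<addr> <len>' or '<addr> postfix <len>' at t[i]."""
    if t[i] == "any":
        return AddrMatch(), i + 1
    if "/" in t[i]:
        addr, n = t[i].split("/", 1)
        m, i = AddrMatch(ipaddress.IPv6Address(addr), prefix_len=int(n)), i + 1
    elif i + 1 < len(t) and t[i + 1] == "postfix":
        m, i = AddrMatch(ipaddress.IPv6Address(t[i]), postfix_len=int(t[i + 2])), i + 3
    else:
        m, i = AddrMatch(ipaddress.IPv6Address(t[i]), prefix_len=int(t[i + 1])), i + 2
    length, limit = (m.prefix_len, 128) if m.prefix_len is not None else (m.postfix_len, 64)
    if not 1 <= length <= limit:
        raise ValueError(f"length {length} outside 1..{limit}")
    return m, i

def parse_rule(line: str) -> Rule:
    """rule [rule-id] {deny|permit} {ipv6-ah|ipv6-esp} [source ..] [destination ..] [fragment] [logging]"""
    t = line.split()
    if t[:1] != ["rule"]:
        raise ValueError("expected 'rule'")
    i, rule_id = 1, None
    if t[i].isdigit():  # rule-id is optional
        rule_id, i = int(t[i]), i + 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny") or proto not in NEXT_HEADER:
        raise ValueError(f"bad action/protocol: {action} {proto}")
    r, i = Rule(rule_id, action, proto), i + 2
    while i < len(t):
        kw, i = t[i], i + 1
        if kw in ("source", "destination"):
            m, i = _parse_addr(t, i)
            setattr(r, kw, m)
        elif kw in ("fragment", "logging"):
            setattr(r, kw, True)
        else:
            raise ValueError(f"keyword not modelled here: {kw}")
    return r

class Acl6:
    def __init__(self, number: int, step: int = 5):
        self.number, self.step = number, step
        self.rules: Dict[int, Rule] = {}

    def add(self, line: str) -> Rule:
        r = parse_rule(line)
        if r.rule_id is None:  # next multiple of step above the highest existing ID (assumption)
            r.rule_id = (max(self.rules, default=-self.step) // self.step + 1) * self.step
        self.rules[r.rule_id] = r  # an existing ID is overwritten, as the Precautions warn
        return r

    def evaluate(self, src: str, dst: str, next_header: int, fragment_offset: int = 0):
        """(action, rule_id) of the first matching rule in ascending ID order, else (None, None)."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if (NEXT_HEADER[r.protocol] == next_header and (fragment_offset or not r.fragment)
                    and r.source.matches(s) and r.destination.matches(d)):
                return r.action, rid
        return None, None  # nothing matched; the outcome then depends on where the ACL is applied

def build_example_acl() -> Acl6:
    acl = Acl6(3000)
    acl.add("rule 0 permit ipv6-esp source 2030:5060::9050/64")         # the page's example
    acl.add("rule 5 permit ipv6-ah source 2030:5060::9050 64")          # same prefix, AH
    acl.add("rule 10 deny ipv6-esp source any fragment logging")        # non-initial ESP fragments only
    acl.add("rule permit ipv6-esp destination 2001:db8::1 postfix 64")  # auto ID 15: any address ending ::1
    acl.add("rule deny ipv6-esp source any logging")                    # auto ID 20: all other ESP
    return acl
```

With build_example_acl(), ESP from 2030:5060::1 hits rule 0 and AH from the same prefix hits rule 5, while ESP from 2030:5061::1 falls through to the final deny (rule 20) unless it is a non-initial fragment (rule 10) or is addressed to an interface ID of ::1 (rule 15). Adding another rule 0 afterwards silently replaces the page's rule, which is why the Precautions recommend deleting and recreating a rule rather than re-entering its ID.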

Example

# Create an advanced ACL6 with ID 3000 and configure a rule that permits IPv6 ESP packets whose source address lies within the 64-bit prefix of 2030:5060::9050 (written 2030:5060::9050/64) to pass.

<HUAWEI> system-view
[HUAWEI] acl ipv6 number 3000
[HUAWEI-acl6-adv-3000] rule 0 permit ipv6-esp source 2030:5060::9050/64
Copyright © Huawei Technologies Co., Ltd.