
rule (advanced ACL6 view)

Function

The rule command adds or modifies an advanced ACL6 rule.

The undo rule command deletes an advanced ACL6 rule.

By default, no advanced ACL6 rule is created.

Format

  • When the protocol is set to TCP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { tcp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

  • When the protocol is set to UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { udp | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

  • When the protocol is set to ICMPv6, the command format is as follows:

    rule [ rule-id ] { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { icmpv6 | protocol-number } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

  • When the protocol is set to another protocol (gre, ipv6, ospf, or a protocol number), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { protocol-number | gre | ipv6 | ospf } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | routing [ routing-type routing-type ] | { fragment | first-fragment } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

  • To delete an advanced ACL6 rule, run:

    undo rule rule-id [ destination | destination-port | routing [ routing-type routing-type ] | { fragment | first-fragment } | icmp6-type | logging | { { precedence | tos } * | dscp } | source | source-port | tcp-flag | time-range | { vpn-instance | public } ] *

  • The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

  • If the ACL rules configured on the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI are hardware-based ACLs, tcp-flag is not supported.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support routing [ routing-type routing-type ].
  • Only the S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support dscp, precedence, and tos.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support destination and first-fragment. For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I, an ACL containing the first-fragment can only be used in the inbound direction.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL6 rule.

  • If the specified rule ID already exists, the parameters you enter are applied to the rule with that ID, that is, the existing rule is modified. If the rule ID does not exist, a new rule is created with that ID and placed in rule-ID order, which is the configuration sequence.
  • If no rule ID is specified, the device allocates one. The ACL6 increment (step) is 5 and cannot be changed, so automatically allocated rule IDs are multiples of 5.
NOTE:

Rule IDs assigned automatically by the device start at the increment value. With the default increment of 5, the device creates rules with IDs 5, 10, 15, and so on. Leaving gaps between manually chosen IDs makes it possible to insert a rule between existing ones later.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

tcp

Indicates that the protocol type is TCP.

-

udp

Indicates that the protocol type is UDP.

-

icmpv6

Indicates that the protocol type is ICMPv6.

-

protocol-number

Specifies the protocol type that is expressed as a name or a number.

The value ranges from 1 to 255. When expressed as a name, the protocol type can be GRE, ICMPv6, IPv6, OSPF, TCP, or UDP.

destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any }

Indicates the destination address and prefix of a packet.

destination-ipv6-address is expressed in colon hexadecimal notation. The value of prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any destination address.

destination destination-ipv6-address postfix postfix-length

Indicates the destination address and the length of destination address postfix.

destination-ipv6-address indicates the destination address and is expressed in colon hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.

destination destination-ipv6-address wildcard

Indicates the destination address and wildcard mask.

destination-ipv6-address indicates the destination address and is expressed in colon hexadecimal notation. wildcard is also expressed in colon hexadecimal notation. After the value is converted to a binary number, a 0 bit means the corresponding address bit must match and a 1 bit means the corresponding address bit does not matter. The 1 and 0 bits need not be contiguous. For example, the IPv6 address FC00::1 with the wildcard mask 0::2 leaves only the bit with value 2 unconstrained, so it matches FC00::1 and FC00::3. To match FC00::x1, where x is any hexadecimal digit, the wildcard mask would be 0::F0, which frees the four bits of that nibble.

dscp dscp

Specifies the Differentiated Services Code Point (DSCP) value.

NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.

The value of dscp can be an integer or a name. When the value is an integer, the value ranges from 0 to 63. When the value is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

routing [ routing-type routing-type ]

Matches packets that carry an IPv6 Routing extension header. routing-type additionally matches the Routing Type field of that header; without it, any Routing header matches. Routing Type 0 (RH0) was deprecated by RFC 5095 because it allows traffic amplification and filter bypass, and a deny rule with routing-type 0 is the usual way to drop it.

The value of routing-type is an integer that ranges from 0 to 255.

fragment

Indicates that the rule matches only non-first fragments. Such fragments carry no transport-layer header, so no port, ICMPv6 type, or TCP flag can be matched on them.

-

first-fragment

Indicates that the rule is valid only for first fragments.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter command references ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, deny must be specified for the logging parameter to take effect.

-

precedence precedence

Indicates that the packets are filtered according to the precedence field.

precedence can be expressed as a name or a number. The value ranges from 0 to 7.

source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any }

Indicates the source address and prefix of a packet.

source-ipv6-address indicates the source address and is expressed in colon hexadecimal notation. prefix-length is an integer that ranges from 1 to 128. You can also use any to represent any source address.

source source-ipv6-address postfix postfix-length

Indicates the source address and the length of source address postfix.

source-ipv6-address indicates the source address and is expressed in colon hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.

source source-ipv6-address wildcard

Indicates the source address and wildcard mask.

source-ipv6-address indicates the source address and is expressed in colon hexadecimal notation. wildcard is also expressed in colon hexadecimal notation. After the value is converted to a binary number, a 0 bit means the corresponding address bit must match and a 1 bit means the corresponding address bit does not matter. The 1 and 0 bits need not be contiguous. For example, the IPv6 address FC00::1 with the wildcard mask 0::2 leaves only the bit with value 2 unconstrained, so it matches FC00::1 and FC00::3. To match FC00::x1, where x is any hexadecimal digit, the wildcard mask would be 0::F0, which frees the four bits of that nibble.
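The three address forms accepted by source and destination (prefix-length, postfix, wildcard) differ in which bits of the address they constrain. The following Python snippet, added as an illustration and not part of the original documentation or of any Huawei software, implements the three comparisons so the difference can be checked on real addresses. The postfix form is modelled as comparing the low-order postfix-length bits; that reading is an assumption drawn from the parameter description and its 1 to 64 range, not something the page states explicitly. The host addresses in the demo are arbitrary sample values.

```python
import ipaddress

ALL_ONES = (1 << 128) - 1


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv6Address(addr))


def match_prefix(packet_addr: str, rule_addr: str, prefix_length: int) -> bool:
    """'address prefix-length' / 'address/prefix-length': the high-order
    prefix_length bits must be equal; the remaining bits are ignored."""
    if not 1 <= prefix_length <= 128:
        raise ValueError("prefix-length must be in 1..128")
    mask = ALL_ONES ^ ((1 << (128 - prefix_length)) - 1)
    return (_to_int(packet_addr) & mask) == (_to_int(rule_addr) & mask)


def match_postfix(packet_addr: str, rule_addr: str, postfix_length: int) -> bool:
    """'address postfix postfix-length': ASSUMED here to compare the low-order
    postfix_length bits (the interface-identifier end), which lets one rule
    match a given host suffix regardless of the /64 it sits in."""
    if not 1 <= postfix_length <= 64:
        raise ValueError("postfix-length must be in 1..64")
    mask = (1 << postfix_length) - 1
    return (_to_int(packet_addr) & mask) == (_to_int(rule_addr) & mask)


def match_wildcard(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """'address wildcard': a 0 bit in the wildcard must match, a 1 bit is
    don't-care, and the 1 bits need not be contiguous."""
    care = ALL_ONES ^ _to_int(wildcard)
    return (_to_int(packet_addr) & care) == (_to_int(rule_addr) & care)


def select(matcher, rule_addr: str, arg, candidates) -> list:
    """Return the candidate addresses a rule term selects, in the given order."""
    return [c for c in candidates if matcher(c, rule_addr, arg)]


if __name__ == "__main__":
    hosts = ["fc00::1", "fc00::3", "fc00::5", "fc00::11", "fc00::21", "fc00:9::1"]
    # Only the bit with value 2 is left free: fc00::1 and fc00::3, not "fc00::x1".
    print(select(match_wildcard, "fc00::1", "::2", hosts))
    # To match fc00::x1 for any hex digit x, free the four bits of that nibble instead.
    print(select(match_wildcard, "fc00::1", "::f0", hosts))
    print(select(match_prefix, "fc00::1", 64, hosts))
    print(select(match_postfix, "fc00:1::1", 64, hosts))
```

Before committing a non-contiguous wildcard to a production ACL, run the candidate addresses through match_wildcard as above; the set it selects is rarely the one people expect from reading the mask.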

destination-port { eq port | gt port | lt port | range port-start port-end }

Specifies the destination port of TCP or UDP packets. This parameter is valid only when the protocol is TCP or UDP. If it is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal to the specified port number.
  • gt port: greater than the specified port number.
  • lt port: smaller than the specified port number.
  • range port-start port-end: within a port number range. port-start specifies the start port number and port-end the end port number, both inclusive.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 3 (TCP) and Table 4 (UDP) list the mapping between well-known source or destination port numbers and the names accepted as values of port.

source-port { eq port | gt port | lt port | range port-start port-end }

Specifies the source port of TCP or UDP packets. This parameter is valid only when the protocol is TCP or UDP. If it is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal to the specified port number.
  • gt port: greater than the specified port number.
  • lt port: smaller than the specified port number.
  • range port-start port-end: within a port number range. port-start specifies the start port number and port-end the end port number, both inclusive.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 3 (TCP) and Table 4 (UDP) list the mapping between well-known source or destination port numbers and the names accepted as values of port.

icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] }

Indicates the type and code of ICMPv6 packets. This parameter is valid only when the protocol is ICMPv6. If it is not specified, all ICMPv6 packets are matched.
  • icmp6-name: specifies the ICMPv6 message by name.
  • icmp6-type: specifies the ICMPv6 type by number.
  • icmp6-code: specifies the ICMPv6 code by number; if omitted, any code of the given type matches.

icmp6-type is an integer that ranges from 0 to 255.

icmp6-code is an integer that ranges from 0 to 255.

The values of icmp6-name and the corresponding ICMPv6 type and code are listed in Table 2.

tcp-flag

Matches packets according to the flags (control bits) in the TCP header. The bit patterns below are written in the order URG ACK PSH RST SYN FIN.

-

ack

Matches TCP packets with the ACK flag set (010000).

-

established

Matches TCP packets with the ACK flag (010000) or the RST flag (000100) set. Such packets belong to a connection that is already past its initial SYN, so this is the classic way to permit return traffic of connections initiated from the permitted side while denying new connection attempts (SYN without ACK).

-

fin

Matches TCP packets with the FIN flag set (000001).

-

psh

Matches TCP packets with the PSH flag set (001000).

-

rst

Matches TCP packets with the RST flag set (000100).

-

syn

Matches TCP packets with the SYN flag set (000010).

-

urg

Matches TCP packets with the URG flag set (100000).

-

time-range time-name

Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.

NOTE:

When the time-range parameter references a time range whose time-name does not exist, the ACL6 rule does not take effect. Create the time range first and verify the name before relying on the rule.

The value of time-name is a string of 1 to 32 characters.

tos tos

Indicates that packets are filtered according to the Type of Service (ToS).

The value is an integer or a name.
  • The value ranges from 0 to 15 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 1 describes the mappings between ToS names and values.

vpn-instance vpn-instance-name | public

  • vpn-instance vpn-instance-name: Specifies the name of a VPN instance, indicating that the ACL6 rule matches private network packets.
  • public: Indicates that the ACL6 rule matches public network packets.
NOTE:

The two parameters cannot be configured together. If neither vpn-instance nor public is specified, both public and private network packets are matched.

-

Table 1 Mapping between ToS names and values

ToS Name             Value
normal               0
min-monetary-cost    1
max-reliability      2
max-throughput       4
min-delay            8

Table 2 Values of icmp6-name and the corresponding ICMPv6 type and code

ICMPv6 Name              ICMPv6 Type   ICMPv6 Code
Redirect                 137           0
Echo                     128           0
Echo-reply               129           0
Err-Header-field         4             0
Frag-time-exceeded       3             1
Hop-limit-exceeded       3             0
Host-admin-prohib        1             1
Host-unreachable         1             3
Neighbor-advertisement   136           0
Neighbor-solicitation    135           0
Network-unreachable      1             0
Packet-too-big           2             0
Port-unreachable         1             4
Router-advertisement     134           0
Router-solicitation      133           0
Unknown-ipv6-opt         4             2
Unknown-next-hdr         4             1

Table 3 Mapping between well-known source or destination port numbers of TCP and values of port

Port Number   Value of port   Protocol                                  Description
7             echo            Echo                                      Port for the Echo service.
9             discard         Discard                                   Port for the null service, which is used for connectivity tests.
13            daytime         Daytime                                   Port used to send the date and time to the requesting host.
19            CHARgen         Character generator                       Port for the Character Generator Protocol.
20            ftp-data        FTP data connections                      FTP data port.
21            ftp             File Transfer Protocol (FTP)              FTP control port.
23            telnet          Telnet                                    Port for the Telnet service.
25            smtp            Simple Mail Transfer Protocol (SMTP)      SMTP port.
37            time            Time                                      Port for the Time protocol.
43            whois           Nicname (WHOIS)                           Port for the directory service.
49            tacacs          TAC Access Control System (TACACS)        Port for the TACACS login host protocol (TCP/IP-based authentication and access control).
53            domain          Domain Name Service (DNS)                 DNS port.
70            gopher          Gopher                                    Port for the Gopher information index protocol (document searching and indexing on the Internet).
79            finger          Finger                                    Port for the Finger service, which is used to query information such as the online users of a remote host.
80            www             World Wide Web (HTTP)                     HTTP port for the WWW service, which is used to browse web pages. If HTTPS is used, the port number is 443.
101           hostname        NIC hostname server                       Host name service port on the NIC machine.
109           pop2            Post Office Protocol v2                   Port for the email protocol version 2.
110           pop3            Post Office Protocol v3                   Port for the email protocol version 3.
111           sunrpc          Sun Remote Procedure Call (RPC)           Port for the Sun RPC protocol, used to execute commands remotely and by the Network File System (NFS).
119           nntp            Network News Transport Protocol (NNTP)    NNTP port, which carries USENET.
179           bgp             Border Gateway Protocol (BGP)             BGP port.
194           irc             Internet Relay Chat (IRC)                 Port for the IRC protocol.
512           exec            Exec (rsh)                                Port used to authenticate remote processes.
513           login           Login (rlogin)                            Port for remote login.
514           cmd             Remote commands                           Port used to execute non-interactive commands on a remote system (rshell, rcp).
515           lpd             Printer service                           Port for the Line Printer Daemon protocol.
517           talk            Talk                                      Port used to talk remotely between servers and clients.
540           uucp            Unix-to-Unix Copy Program                 Port for the Unix-to-Unix copy protocol.
543           klogin          Kerberos login                            Port for the Kerberos remote login protocol, version 5.
544           kshell          Kerberos shell                            Port for the Kerberos remote shell protocol, version 5.

Table 4 Mapping between well-known source or destination port numbers of UDP and values of port

Port Number   Value of port   Protocol                                      Description
7             echo            Echo                                          Port for the Echo service.
9             discard         Discard                                       Port for the null service, which is used for connectivity tests.
37            time            Time                                          Port for the Time protocol.
42            nameserver      Host Name Server                              Port for the host name service.
53            dns             Domain Name Service (DNS)                     DNS port.
65            tacacs-ds       TACACS-Database Service                       Port for the TACACS database service.
67            bootps          Bootstrap Protocol (BOOTP) Server             Port for the BOOTP server, also used by DHCP servers.
68            bootpc          Bootstrap Protocol (BOOTP) Client             Port for the BOOTP client, also used by DHCP clients.
69            tftp            Trivial File Transfer Protocol (TFTP)         TFTP port.
90            dnsix           DNSIX Security Attribute Token Map            Port for the DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map.
111           sunrpc          Sun Remote Procedure Call (Sun RPC)           Port for the Sun RPC protocol, used to execute commands remotely and by NFS.
123           ntp             Network Time Protocol (NTP)                   NTP port, which has historically been abused by worms.
137           netbios-ns      NetBIOS Name Service                          Port for the NetBIOS name service.
138           netbios-dgm     NetBIOS Datagram Service                      Port for the NetBIOS datagram service.
139           netbios-ssn     NetBIOS Session Service                       Port for the NetBIOS session service.
161           snmp            SNMP                                          Port for the Simple Network Management Protocol (SNMP).
162           snmptrap        SNMPTRAP                                      Port for SNMP traps.
177           xdmcp           X Display Manager Control Protocol (XDMCP)    XDMCP port.
434           mobilip-ag      MobileIP-Agent                                Port for the Mobile IP agent.
435           mobilip-mn      MobileIP-MN                                   Port for Mobile IP management.
512           biff            Mail notify                                   Port used to notify a user of received emails.
513           who             Who                                           Port for the login user list.
514           syslog          Syslog                                        Port for the UNIX system log service.
517           talk            Talk                                          Port used to talk remotely between servers and clients.
520           rip             Routing Information Protocol                  RIP port.

Views

Advanced ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Advanced ACL6s classify packets based on the source IPv6 address, destination IPv6 address, source port number, destination port number, protocol type, and the other header fields listed above.

The time-range parameter of the rule command binds a rule to a configured time range, so that the rule takes effect only during the specified periods.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule and then create the new one. Otherwise, the resulting configuration may not be what you intended.

To configure both precedence precedence and tos tos, enter the two parameters consecutively in the command.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If you do not know the rule ID, run the display acl ipv6 command to view it.

The undo rule command deletes an ACL6 rule even if the rule is being referenced, for example by traffic-filter or traffic-policy. Use this command with caution: the filtering result of the referencing configuration changes as soon as the rule is removed.

The fragment parameter cannot be set together with source-port, destination-port, icmp6-type, or tcp-flag, because non-first fragments carry no transport-layer header and therefore have no port, ICMPv6 type, or TCP flags to match.
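The rule-ID behaviour (automatic allocation at increments of 5, replacement of a rule whose ID already exists), the port operators, the meaning of tcp-flag established and the restriction on fragment can be seen working together in the following Python model. It is added here as an illustration and is not part of the original documentation or of the switch software. It evaluates rules in ascending rule-ID order, which is an assumption (the page describes rules as ordered by configuration sequence and says nothing about other match orders), models only the protocol, destination-port, tcp-flag and fragment terms, and uses rule IDs and ports that are arbitrary sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP control bits written in the order URG ACK PSH RST SYN FIN, as on the page
TCP_FLAG_BITS = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
                 "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmpv6"
    dst_port: Optional[int] = None   # None for non-first fragments: no L4 header
    flags: int = 0                   # TCP control bits
    fragment: str = "none"           # "none", "first" or "non-first"


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str
    rule_id: Optional[int] = None
    dst_port: Optional[Tuple] = None # ("eq", p) | ("gt", p) | ("lt", p) | ("range", lo, hi)
    tcp_flag: Optional[str] = None   # a key of TCP_FLAG_BITS or "established"
    fragment: bool = False           # the 'fragment' keyword: non-first fragments only


def port_matches(op: Tuple, port: Optional[int]) -> bool:
    if port is None:
        return False                 # nothing to compare against
    kind = op[0]
    if kind == "eq":
        return port == op[1]
    if kind == "gt":
        return port > op[1]
    if kind == "lt":
        return port < op[1]
    if kind == "range":
        return op[1] <= port <= op[2]
    raise ValueError("unknown port operator %r" % kind)


def flag_matches(name: str, flags: int) -> bool:
    if name == "established":
        # ACK or RST set: anything but the opening SYN of a new connection
        return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(flags & TCP_FLAG_BITS[name])


class Acl6:
    STEP = 5   # the ACL6 increment described on the page; it cannot be changed

    def __init__(self):
        self.rules = {}              # rule_id -> Rule

    def add(self, rule: Rule) -> int:
        if rule.fragment and (rule.dst_port or rule.tcp_flag):
            raise ValueError("fragment cannot be combined with ports, icmp6-type or tcp-flag")
        if rule.rule_id is None:
            # next multiple of STEP above the highest existing ID: 5, 10, 15, ...
            top = max(self.rules, default=0)
            rule.rule_id = (top // self.STEP + 1) * self.STEP
        self.rules[rule.rule_id] = rule   # an existing ID is replaced by the new rule
        return rule.rule_id

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        if rule.proto != pkt.proto:
            return False
        if rule.fragment and pkt.fragment != "non-first":
            return False
        if rule.dst_port is not None and not port_matches(rule.dst_port, pkt.dst_port):
            return False
        if rule.tcp_flag is not None and not flag_matches(rule.tcp_flag, pkt.flags):
            return False
        return True

    def evaluate(self, pkt: Packet) -> Optional[str]:
        """First matching rule in ascending rule-ID order wins; None if nothing matched."""
        for rid in sorted(self.rules):
            if self.matches(self.rules[rid], pkt):
                return self.rules[rid].action
        return None


def build_demo_acl() -> Acl6:
    acl = Acl6()
    acl.add(Rule("permit", "tcp", tcp_flag="established"))        # gets ID 5
    acl.add(Rule("deny", "tcp", rule_id=7, tcp_flag="syn"))       # explicit ID 7
    acl.add(Rule("deny", "udp", dst_port=("gt", 128)))            # gets ID 10
    acl.add(Rule("deny", "udp", fragment=True))                   # gets ID 15
    return acl


if __name__ == "__main__":
    acl = build_demo_acl()
    syn = Packet("tcp", 443, flags=TCP_FLAG_BITS["syn"])
    syn_ack = Packet("tcp", 443, flags=TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ack"])
    print(sorted(acl.rules), acl.evaluate(syn), acl.evaluate(syn_ack))
```

The demo ACL is the established-inbound pattern: rule 5 lets replies through, rule 7 drops unsolicited SYNs, and rule 15 catches the non-first fragments that rule 10 can never see because they carry no port. Adding a second rule with ID 10 replaces the first one rather than appending, which is the replacement behaviour the precautions warn about.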

Example

# Add a rule to ACL6 3000 that denies UDP packets sent from the fc00:1::/64 network to the fc00:3::/64 network whose destination port number is greater than 128.

<HUAWEI> system-view
[HUAWEI] acl ipv6 3000
[HUAWEI-acl6-adv-3000] rule deny udp source fc00:1::1 64 destination fc00:3::1 64 destination-port gt 128
Copyright © Huawei Technologies Co., Ltd.