
rule (basic ACL6 view)

Function

The rule command adds or modifies basic ACL6 rules.

The undo rule command deletes a basic ACL6 rule.

By default, no basic ACL6 rule is configured.

Format

rule [ rule-id ] { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

undo rule { deny | permit } [ fragment | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | time-range time-name | { vpn-instance vpn-instance-name | public } ] *

undo rule rule-id [ fragment | logging | source | time-range | { vpn-instance | public } ] *

The vpn-instance and public parameters are supported only when a software-based ACL is applied to the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL6 rule.

  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, a rule is created using the ID and ordered based on the configured sequence.
  • If the rule ID is not specified, the device allocates an ID to the new rule. By default, the increment of ACL6 is 5 and cannot be changed. Therefore, the device allocates IDs at an increment of 5 to ACL6 rules.
NOTE:

ACL rule IDs assigned automatically by the device start from the increment value. The default increment value is 5. With this increment, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

fragment

Indicates that the rule is valid only for non-first fragments.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter command references ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, deny must be specified for the logging parameter to take effect.

-

source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length }

Indicates the source address and prefix of a packet.

source-ipv6-address indicates the source address and is expressed in colon hexadecimal notation. prefix-length is an integer that ranges from 1 to 128.

source source-ipv6-address postfix postfix-length

Indicates the source address and the length of source address postfix.

source-ipv6-address indicates the source address and is expressed in colon hexadecimal notation. postfix-length is an integer that ranges from 1 to 64.

source source-ipv6-address wildcard

Indicates the source address and wildcard mask.

source-ipv6-address indicates the source address and is expressed in colon hexadecimal notation. wildcard is expressed in colon hexadecimal notation. After the value is converted to a binary number, the value 0 indicates that the equivalent bit must match and the value 1 indicates that the equivalent bit does not matter. The 1 and 0 bits can be discontinuous. For example, the IPv6 address FC00::1 with the wildcard mask 0::2 matches FC00::1 and FC00::3, because only bit 1 of the last hexadecimal digit is a don't-care bit; to match FC00::x1, where x is any hexadecimal digit from 0 to F, use the wildcard mask 0::F0 instead.

any

Indicates any source address.

-

time-range time-name

Indicates that the configured ACL6 rule is effective only in the specified time range. time-name indicates the name of the time range during which the ACL6 rule takes effect.

NOTE:

When you specify the time-range parameter to reference a time range in an ACL6 rule and the specified time-name does not exist, the ACL6 rule does not take effect.

The value of time-name is a string of 1 to 32 characters.

vpn-instance vpn-instance-name | public

  • vpn-instance vpn-instance-name: Specifies the name of a VPN instance, indicating that the ACL6 rule matches private network packets.
  • public: Indicates that the ACL6 rule matches public network packets.
NOTE:

The two parameters cannot be configured together. If neither vpn-instance nor public is specified, both public and private network packets are matched.

-

Views

Basic ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A basic ACL6 matches packets based on information such as source IPv6 addresses, fragment flags, time ranges, and whether a packet belongs to a VPN instance or the public network.
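The following Python model is an added example, not Huawei code, that shows how each source form listed under Parameters (prefix-length, address/prefix-length, postfix, wildcard, any) turns into a bit-level match, how automatically assigned rule IDs advance by 5, how re-using an ID overwrites a rule, and how a fragment rule applies only to non-first fragments. Three points are assumptions rather than statements from this page: postfix compares the low-order postfix-length bits of the address, rules are evaluated in ascending rule-ID order with the first match winning, and an automatic ID is the next multiple of 5 above the highest existing ID.

```python
import ipaddress

FULL = (1 << 128) - 1


def _addr(text: str) -> int:
    """Parse colon-hexadecimal IPv6 text into a 128-bit integer."""
    return int(ipaddress.IPv6Address(text))


def parse_source(spec: str):
    """Turn the text after the 'source' keyword into (value, care_mask).

    A packet source S matches when (S & care_mask) == value. A 1 bit in
    care_mask means 'must match' (the inverse of a wildcard's 1 = don't care).
    Accepted forms, as in the command format:
      any | ADDR PLEN | ADDR/PLEN | ADDR postfix N | ADDR wildcard MASK
    """
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0                            # nothing to compare: matches all
    if len(parts) == 1 and "/" in parts[0]:
        parts = parts[0].split("/")            # ADDR/PLEN equals ADDR PLEN
    if len(parts) == 2:
        plen = int(parts[1])
        if not 1 <= plen <= 128:
            raise ValueError("prefix-length must be 1..128")
        care = (FULL << (128 - plen)) & FULL   # high-order plen bits must match
        return _addr(parts[0]) & care, care
    if len(parts) == 3 and parts[1] == "postfix":
        n = int(parts[2])
        if not 1 <= n <= 64:
            raise ValueError("postfix-length must be 1..64")
        care = (1 << n) - 1                    # assumption: low-order n bits
        return _addr(parts[0]) & care, care
    if len(parts) == 3 and parts[1] == "wildcard":
        care = FULL ^ _addr(parts[2])          # wildcard bit 1 = don't care
        return _addr(parts[0]) & care, care
    raise ValueError(f"unsupported source form: {spec!r}")


def source_matches(spec: str, src: str) -> bool:
    value, care = parse_source(spec)
    return (_addr(src) & care) == value


class BasicAcl6:
    """Model of one basic ACL6: rule, undo rule, and packet evaluation."""
    STEP = 5   # page: the ACL6 rule-ID increment is 5 and cannot be changed

    def __init__(self):
        self.rules = {}   # rule_id -> {"action", "source", "fragment"}

    def rule(self, action, source="any", rule_id=None, fragment=False):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        parse_source(source)   # reject a malformed source before storing it
        if rule_id is None:
            # assumption: next multiple of STEP above the highest existing ID
            rule_id = (max(self.rules, default=0) // self.STEP + 1) * self.STEP
        if not 0 <= rule_id <= 4294967294:
            raise ValueError("rule-id out of range")
        # re-using an existing ID overwrites that rule (see Precautions)
        self.rules[rule_id] = {"action": action, "source": source,
                               "fragment": fragment}
        return rule_id

    def undo_rule(self, rule_id):
        if rule_id not in self.rules:
            raise KeyError(f"rule {rule_id} does not exist; check display acl ipv6")
        del self.rules[rule_id]

    def evaluate(self, src, non_first_fragment=False):
        """Return (action, rule_id) of the first matching rule, or (None, None).
        Assumption: rules are checked in ascending rule-ID order."""
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r["fragment"] and not non_first_fragment:
                continue   # 'fragment' rules apply only to non-first fragments
            if source_matches(r["source"], src):
                return r["action"], rid
        return None, None


if __name__ == "__main__":
    acl = BasicAcl6()
    acl.rule("deny", "fc00:1::1/64")             # the page's example: gets ID 5
    acl.rule("permit")                           # ID 10, source any
    print(acl.evaluate("fc00:1::dead:beef"))     # ('deny', 5)
    print(source_matches("fc00::1 wildcard 0::2", "fc00::3"))   # True
```

The model returns (None, None) when no rule matches; what the device does with an unmatched packet depends on where the ACL is applied, so check that behaviour separately rather than assuming an implicit deny.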

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL6 rule that has been referenced.

Example

# Add a rule to ACL6 2000 that denies packets whose source address falls within fc00:1::/64 (the address fc00:1::1 with prefix length 64).

<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule deny source fc00:1::1/64
Copyright © Huawei Technologies Co., Ltd.