
rule (layer 2 ACL view)

Function

The rule command adds or modifies a Layer 2 ACL rule.

The undo rule command deletes a Layer 2 ACL rule.

By default, there is no rule in the related Layer 2 ACL view.

Format

rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

undo rule { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag | time-range time-name ] *

undo rule rule-id

The S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735-S-I, and S5735S-S do not support cvlan-id cvlan-id [ cvlan-id-mask ], cvlan-8021p 802.1p-value, and double-tag.

The S6720-LI, S5730-SI, S5730S-EI, S6720S-LI, S6720-SI, and S6720S-SI do not support cvlan-8021p 802.1p-value.

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule overwrites the old rule. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically by the device start from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match a rule.

-

permit

Permits the packets that match a rule.

-

ether-ii | 802.3 | snap

Indicates the encapsulation format of a packet that matches the rule.
  • ether-ii: specifies the Ethernet II encapsulation.
  • 802.3: specifies the 802.3 encapsulation.
  • snap: specifies the SNAP encapsulation.
NOTE:

On the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735-S-I, and S5735S-S, when an ACL rule is configured to match the packets with encapsulation format ether-ii or snap, the ACL rule matches all the packets with encapsulation formats Ethernet II and SNAP, including IPv4 and IPv6 packets.

On the S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, when the ACL matching the encapsulation format ether-ii or snap is configured, the ACL matches the IPv6 packets encapsulated with Ethernet II and SNAP, but matches the IPv4 packets encapsulated with either ether-ii or snap.

-

l2-protocol type-value [ type-mask ]

Indicates the type of a Layer 2 protocol. This parameter corresponds to the Ethernet type field of Ethernet_II frames and the type-code field of Ethernet_SNAP frames.

  • type-value: specifies the type value of a Layer 2 protocol.
  • type-mask: specifies the type mask of a Layer 2 protocol.
type-value can be a hexadecimal number of 3 to 6 characters (including the 0x prefix) that ranges from 0x0000 to 0xFFFF, or one of the following protocol names:
  • ARP, corresponding to 0x0806
  • IP, corresponding to 0x0800
  • IPv6, corresponding to 0x86dd
  • MPLS, corresponding to 0x8847
  • RARP, corresponding to 0x8035

The default value of type-mask is 0xffff.

destination-mac dest-mac-address [ dest-mac-mask ]

Specifies the destination MAC address of packets that match ACL rules.
  • dest-mac-address specifies the destination MAC address of packets.
  • dest-mac-mask specifies the mask of the destination MAC address of packets.

dest-mac-address and dest-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the dest-mac-mask is ffff-ffff-ffff.

You can obtain the required destination MAC address range by specifying dest-mac-address and dest-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

source-mac source-mac-address [ source-mac-mask ]

Specifies the source MAC address of packets that match ACL rules.
  • source-mac-address specifies the source MAC address of packets.
  • source-mac-mask specifies the mask of the source MAC address of packets. If this parameter is not specified, the mask is ffff-ffff-ffff.

source-mac-address and source-mac-mask are both in the format of H-H-H. Each H stands for one to four hexadecimal digits. The default value of the source-mac-mask is ffff-ffff-ffff.

You can obtain the required source MAC address range by specifying source-mac-address and source-mac-mask. For example, 00e0-fc01-0101 ffff-ffff-ffff specifies the single MAC address 00e0-fc01-0101, whereas 00e0-fc01-0101 ffff-ffff-0000 specifies the MAC address range from 00e0-fc01-0000 to 00e0-fc01-ffff.

vlan-id vlan-id [ vlan-id-mask ]

Indicates the outer VLAN ID contained in a packet that matches the rule.

  • vlan-id: specifies the number of the VLAN ID.
  • vlan-id-mask: specifies the mask of the VLAN ID.

The value of vlan-id is an integer ranging from 1 to 4094.

The value of the vlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

8021p 802.1p-value

Indicates the 802.1p priority in the outer VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

cvlan-id cvlan-id [ cvlan-id-mask ]

Indicates the inner VLAN ID of a packet that matches the rule.

  • cvlan-id: specifies the number of the inner VLAN ID.
  • cvlan-id-mask: specifies the mask of the inner VLAN ID.

The value of cvlan-id is an integer ranging from 1 to 4094.

The value of the cvlan-id-mask is a hexadecimal number ranging from 0x0 to 0xFFF. The default value is 0xFFF.

cvlan-8021p 802.1p-value

Indicates the 802.1p priority in the inner VLAN tag of a packet that matches the rule.

The value is an integer ranging from 0 to 7.

double-tag

Indicates that only packets with double tags match the rule.

-

time-range time-name

Defines the time range during which an ACL rule is valid. time-name specifies the name of a time range.

NOTE:

When you specify the time-range parameter to reference a time range from the ACL, if the specified time-name does not exist, the ACL cannot be bound to the specified time range.

The value of time-name is a string of 1 to 32 characters.

Views

layer 2 ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A Layer 2 ACL matches packets based on Layer 2 information of the packets, such as source MAC addresses, destination MAC addresses, and Layer 2 protocol types.

The rule command can also reference a time range, so that the ACL rule takes effect only during the period that the time range defines.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists, the new rule overwrites the old rule no matter whether the rules conflict.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule to ACL 4001 to match packets with the destination MAC address being 0000-0000-0001, source MAC address being 0000-0000-0002, and the value of the Layer 2 protocol type being 0x0800.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule permit destination-mac 0000-0000-0001 source-mac 0000-0000-0002 l2-protocol 0x0800
Copyright © Huawei Technologies Co., Ltd.