
rule (user ACL6 view)

Function

The rule command configures a user ACL6 rule.

The undo rule command deletes a user ACL6 rule.

By default, no user ACL6 rule is configured.

Format

  • When the protocol is set to ICMPv6, the command format is as follows:

    rule [ rule-id ] { permit | deny } { icmpv6 | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | icmp6-type { icmp6-type [ icmp6-code ] | icmp6-name } | vpn-instance vpn-instance-name | time-range time-name ] *

    undo rule { permit | deny } { icmpv6 | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | icmp6-type { icmp6-type [ icmp6-code ] | icmp6-name } | vpn-instance vpn-instance-name | time-range time-name ] *

  • When the protocol is set to TCP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { tcp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { tcp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the protocol is set to UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { udp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { udp | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the protocol is set to GRE, IPv6, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { gre | ipv6 | ospf | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { gre | ipv6 | ospf | protocol-number } [ source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *

  • To delete a user ACL6 rule, run:

    undo rule rule-id

The S2720-EI, S5720-LI, S5720S-LI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S5720-EI, S6720S-EI, and S6720-EI do not support vpn-instance vpn-instance-name.

Parameters

Parameter | Description | Value

rule-id

Specifies the ID of an ACL6 rule.

  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, a rule is created using the ID and ordered based on the configured sequence.
  • If the rule ID is not specified, the device allocates an ID to the new rule. By default, the increment of ACL6 is 5 and cannot be changed. Therefore, the device allocates IDs at an increment of 5 to ACL6 rules.
NOTE:

ACL rule IDs assigned automatically by the device start from the increment value. The default increment value is 5. With this increment, the device creates ACL rules with IDs 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmpv6

Indicates that the protocol type is ICMPv6. The value 58 indicates the ICMPv6 protocol.

-

tcp

Indicates that the protocol type is TCP. The value 6 indicates the TCP protocol.

-

udp

Indicates that the protocol type is UDP. The value 17 indicates the UDP protocol.

-

gre

Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol.

-

ipv6

Indicates that the protocol type is IPv6.

-

ospf

Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol.

-

protocol-number

Indicates the protocol type expressed by number.

The value is an integer that ranges from 1 to 255.

source { { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | source-ipv6-address wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } *

Indicates the source IPv6 address of packets that match an ACL6 rule. If this parameter is not specified, packets with any source IPv6 address are matched.
  • source-ipv6-address: specifies the source IPv6 address of data packets.
  • prefix-length: specifies the prefix of the source IPv6 address.
  • postfix postfix-length: specifies the length of source address postfix.
  • wildcard: specifies the wildcard mask of the address.
  • any: indicates any source IPv6 address of packets.
  • ucl-group name source-ucl-group-name: specifies the name of the UCL group to which the source IPv6 address of packets belongs.
  • ucl-group source-ucl-group-index: specifies the ID of the UCL group to which the source IPv6 address of packets belongs.
  • source-ipv6-address: The value is in colon hexadecimal notation.
  • prefix-length: The value is an integer that ranges from 1 to 128.
  • postfix-length: The value is an integer that ranges from 1 to 64.
  • wildcard: The value is in colon hexadecimal notation. After the value is converted to a binary number, the value 0 indicates that the equivalent bit must match and the value 1 indicates that the equivalent bit does not matter. The values 1 and 0 can be discontinuous. For example, the IPv6 address FC00::1 and the wildcard mask 0::2 indicate that the address is FC00::00x1, where x can be any value from 0 to F in hexadecimal notation.
  • source-ucl-group-name: The value must be the name of an existing UCL group.
  • source-ucl-group-index: The value is an integer and must be the index of an existing UCL group. When the value is 0, the rule matches packets whose source address lies outside the range of every UCL group.

destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | destination-ipv6-address wildcard | any }

Indicates the destination IPv6 address of packets that match ACL6 rules. If this parameter is not specified, packets with any destination IPv6 address are matched.
  • destination-ipv6-address: specifies the destination IPv6 address of data packets.
  • prefix-length: specifies the prefix of the destination IPv6 address.
  • postfix postfix-length: specifies the length of destination address postfix.
  • wildcard: specifies the wildcard mask of the address.
  • any: indicates any destination IPv6 address of packets.
  • destination-ipv6-address: The value is in colon hexadecimal notation.
  • prefix-length: The value is an integer that ranges from 1 to 128.
  • postfix-length: The value is an integer that ranges from 1 to 64.
  • wildcard: The value is in colon hexadecimal notation. After the value is converted to a binary number, the value 0 indicates that the equivalent bit must match and the value 1 indicates that the equivalent bit does not matter. The values 1 and 0 can be discontinuous. For example, the IPv6 address FC00::1 and the wildcard mask 0::2 indicate that the address is FC00::00x1, where x can be any value from 0 to F in hexadecimal notation.

icmp6-type { icmp6-name | icmp6-type [ icmp6-code ] }

Indicates the type and code of ICMPv6 packets, which are valid only when the protocol of packets is ICMPv6. If this parameter is not specified, all ICMPv6 packets are matched.
  • icmp6-name: specifies the name of ICMPv6 packets.
  • icmp6-type: specifies the type of ICMPv6 packets.
  • icmp6-code: specifies the code of ICMPv6 packets.

icmp6-type is an integer that ranges from 0 to 255.

icmp6-code is an integer that ranges from 0 to 255.

The value of icmp6-name and the corresponding ICMPv6 type and ICMPv6 code are as described in Table 1.

source-port { eq port | gt port | lt port | range port-start port-end }

Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • lt port: smaller than operator.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port.

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

destination-port { eq port | gt port | lt port | range port-start port-end }

Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • lt port: smaller than operator.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port.
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port.
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port.

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

tcp-flag

Indicates the SYN Flag in the TCP packet header.

-

ack

Indicates that the SYN Flag type in the TCP packet header is ack (010000).

-

established

Indicates that the SYN Flag type in the TCP packet header is ack (010000) or rst (000100).

-

fin

Indicates that the SYN Flag type in the TCP packet header is fin (000001).

-

psh

Indicates that the SYN Flag type in the TCP packet header is psh (001000).

-

rst

Indicates that the SYN Flag type in the TCP packet header is rst (000100).

-

syn

Indicates that the SYN Flag type in the TCP packet header is syn (000010).

-

urg

Indicates that the SYN Flag type in the TCP packet header is urg (100000).

-
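The tcp-flag keywords, the port operators and the rule ID order together decide which rule acts on a TCP packet; in particular, established matches only when ack (010000) or rst (000100) is set, so a bare SYN never hits it. The following Python is an added example, not Huawei's code: the flag values are the 6-bit patterns listed above, while rule_matches, first_match, the rule set and the packets are constructed, and two points are assumptions (several tcp-flag keywords in one rule must all be set; rules are checked in ascending rule-id order with the first hit winning).

```python
# 6-bit TCP flag values exactly as the page lists them (urg 100000 ... fin 000001).
TCP_FLAGS = {"urg": 0b100000, "ack": 0b010000, "psh": 0b001000,
             "rst": 0b000100, "syn": 0b000010, "fin": 0b000001}


def flag_matches(flag_bits, keyword):
    """One tcp-flag keyword; 'established' means ack (010000) or rst (000100) is set."""
    if keyword == "established":
        return bool(flag_bits & (TCP_FLAGS["ack"] | TCP_FLAGS["rst"]))
    return bool(flag_bits & TCP_FLAGS[keyword])


def port_matches(port, op, *bounds):
    """The eq / gt / lt / range operators of source-port and destination-port."""
    if op == "eq":
        return port == bounds[0]
    if op == "gt":
        return port > bounds[0]
    if op == "lt":
        return port < bounds[0]
    if op == "range":
        return bounds[0] <= port <= bounds[1]
    raise ValueError(f"unknown port operator {op!r}")


def rule_matches(rule, pkt):
    """Constructed rule/packet dicts; every field present in the rule must match.
    Assumption: several tcp-flag keywords in one rule must all be set."""
    if "source-port" in rule and not port_matches(pkt["sport"], *rule["source-port"]):
        return False
    if "destination-port" in rule and not port_matches(pkt["dport"], *rule["destination-port"]):
        return False
    return all(flag_matches(pkt["flags"], kw) for kw in rule.get("tcp-flag", []))


def first_match(rules, pkt):
    """Assumption: rules are checked in ascending rule-id order and the first hit wins.
    Returns (rule_id, action), or (None, None) when no rule matches."""
    for rule_id in sorted(rules):
        if rule_matches(rules[rule_id], pkt):
            return rule_id, rules[rule_id]["action"]
    return None, None


# Constructed rule set; IDs 5, 10, 15 mirror the device's automatic increment of 5.
RULES = {
    5: {"action": "permit", "tcp-flag": ["established"]},           # return traffic only
    10: {"action": "permit", "destination-port": ("eq", 443)},
    15: {"action": "deny", "destination-port": ("range", 0, 1023)},
}
```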

time-range time-name

Specifies the name of a time range during which ACL6 rules take effect.

If this parameter is not specified, ACL6 rules take effect at any time.

NOTE:

When you specify the time-range parameter so that the ACL6 references a time range, and the specified time-name does not exist, the ACL6 does not take effect.

The value is a string of 1 to 32 characters.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance on the inbound interface.

The value must be an existing VPN instance name.

Table 1 Values of icmp6-name and the corresponding ICMPv6 type and ICMPv6 code

ICMPv6 Name               ICMPv6 Type   ICMPv6 Code
Echo                      128           0
Echo-reply                129           0
err-Header-field          4             0
frag-time-exceeded        3             1
hop-limit-exceeded        3             0
host-admin-prohib         1             1
host-unreachable          1             3
neighbor-advertisement    136           0
neighbor-solicitation     135           0
network-unreachable       1             0
packet-too-big            2             0
port-unreachable          1             4
redirect                  137           0
router-advertisement      134           0
router-solicitation       133           0
unknown-ipv6-opt          4             2
unknown-next-hdr          4             1

Views

User ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user ACL6 defines rules to filter IPv6 packets based on the source IPv6 addresses or source User Control List (UCL) groups, destination IPv6 addresses, IPv6 protocol types, ICMPv6 types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Currently, the user ACL6 can be applied only to the UCL groups of the NAC mode. To control the network access rights of users based on user groups, you can perform the following operations: configure a UCL group, associate user ACL6 rules with the UCL group so that the ACL6 rules apply to all users in the user group, configure packet filtering based on the user ACL6 to make the ACL6 take effect, and then apply the UCL group to the AAA service scheme.

Prerequisites

If the ucl-group name source-ucl-group-name parameter is configured for a rule, the source UCL groups must have been created by the ucl-group command.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Use this command with caution, especially when you delete an ACL6 rule that has been referenced.

Example

# Add a rule to ACL6 6000 to reject all the IPv6 packets sent from UCL group group1 to network segment fc00:1::/64.

<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl ipv6 6000
[HUAWEI-acl6-ucl-6000] rule deny ipv6 source ucl-group name group1 destination fc00:1:: 64
Copyright © Huawei Technologies Co., Ltd.