< Home

rule (user ACL view)

Function

The rule command configures a user ACL rule.

The undo rule command deletes a user ACL rule.

By default, no user ACL rule is configured.

Format

  • When the parameter protocol is specified as the ICMP, the command format is as follows:

    rule [ rule-id ] { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *

    undo rule { permit | deny } { icmp | protocol-number } [ source { { source-address source-wildcard | any } | { ucl-group { name source-ucl-group-name | source-ucl-group-index } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { name destination-ucl-group-name | destination-ucl-group-index } } } * | fqdn fqdn-name } | icmp-type { icmp-type [ icmp-code ] | icmp-name } | vpn-instance vpn-instance-name | time-range time-name ] *

  • When the parameter protocol is specified as the TCP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | tcp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as the UDP, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | udp } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | vpn-instance vpn-instance-name ] *

  • When the parameter protocol is specified as the GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

    undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ source { { source-address source-wildcard | any } | { ucl-group { source-ucl-group-index | name source-ucl-group-name } } } * | destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name } | time-range time-name | vpn-instance vpn-instance-name ] *

  • To delete an ACL rule, run:

    undo rule rule-id

The S2720-EI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S5720-EI, S6720S-EI, and S6720-EI do not support destination { fqdn fqdn-name }, ucl-group { destination-ucl-group-index | name destination-ucl-group-name }, and vpn-instance vpn-instance-name.

Parameters

Parameter

Description

Value

rule-id
Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmp

Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified.

-

tcp

Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified.

-

udp

Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified.

-

gre

Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol.

-

igmp

Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol.

-

ip

Indicates that the protocol type is IP.

-

ipinip

Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol.

-

ospf

Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol.

-

protocol-number

Indicates the protocol type expressed by number.

The value expressed by number is an integer that ranges from 1 to 255.

source { { source-address source-wildcard | any } | { [ source ] ucl-group { source-ucl-group-index | name source-ucl-group-name } } } *
Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address of packets. That is, the value of source-address is 0.0.0.0 and the value of source-wildcard is 255.255.255.255.
  • ucl-group source-ucl-group-index: specifies the ID of the UCL group to which the source IP address of packets belongs.
  • ucl-group name source-ucl-group-name: specifies the name of the UCL group to which the source IP address of packets belongs.
  • source-address: The value is in dotted decimal notation.
  • source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address.
    NOTE:

    The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the IP address needs to be matched and the value 1 indicates that the IP address does not need to be matched. The values 1 and 0 can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the website 192.168.1.x0x0xx01. The value x can be 0 or 1.

  • The value of source-ucl-group-name must be the name of an existing UCL group.
  • source-ucl-group-index is an integer, the value varies according to different devices. When the value is 0, the source address of packet matching the ACL rule is beyond the UCL group range.

destination { { { destination-address destination-wildcard | any } | { ucl-group { destination-ucl-group-index | name destination-ucl-group-name } } } * | fqdn fqdn-name }
Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of data packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: indicates any destination IP address of packets. That is, the value of destination-address is 0.0.0.0 and the value of destination-wildcard is 255.255.255.255.
  • ucl-group destination-ucl-group-index: specifies the ID of the UCL group to which the destination IP address of packets belongs.
  • ucl-group name destination-ucl-group-name: specifies the name of the UCL group to which the destination IP address of packets belongs.
  • fqdn fqdn-name: specifies the name of a domain. The precise matching and fuzzy matching (using *) are supported. In fuzzy matching, the domain name must be in the format of *.XXX, for example, *.abc.com. The fuzzy domain name and full domain name cannot include each other. For example, if www.abc.com has been configured on the device, *.abc.com cannot be configured, but *.aaa.com can be configured. Similarly, if *.abc.com has been configured on the device, *.www.abc.com cannot be configured, but www.aaa.com can be configured. This parameter is available for only wireless users.
  • destination-address: The value is in dotted decimal notation.
  • destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is the host address.
    NOTE:

    The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the IP address needs to be matched and the value 1 indicates that the IP address does not need to be matched. The values 1 and 0 can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the website 192.168.1.x0x0xx01. The value x can be 0 or 1.

  • The value of destination-ucl-group-name must be the name of an existing UCL group.
  • destination-ucl-group-index is an integer, the value varies according to different devices. When the value is 0, the source address of packet matching the ACL rule is beyond the UCL group range.
  • The value of fqdn-name is a string of 1 to 64 characters.

icmp-type { icmp-name | icmp-type [ icmp-code ] }
Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.

icmp-type is an integer that ranges from 0 to 255.

icmp-code is an integer that ranges from 0 to 255.

The value of ICMP name and the corresponding

ICMP type and ICMP code are as Table 1.

source-port { eq port | gt port | lt port | range port-start port-end }
Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • 1t port: smaller than operator.
  • range port-start port-end: within the range.port-start specifies the start port number.port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

destination-port { eq port | gt port | lt port | range port-start port-end }
Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equal operator.
  • gt port: greater than operator.
  • 1t port: smaller than operator.
  • range port-start port-end: within the range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or an integer. When the value is expressed as an integer, it ranges from 0 to 65535.

tcp-flag

Indicates the SYN Flag in the TCP packet header.

-

ack

Indicates that the SYN Flag type in the TCP packet header is ack (010000).

-

established

Indicates that the SYN Flag type in the TCP packet header is ack(010000) or rst(000100).

-

fin

Indicates that the SYN Flag type in the TCP packet header is fin (000001).

-

psh

Indicates that the SYN Flag type in the TCP packet header is psh (001000).

-

rst

Indicates that the SYN Flag type in the TCP packet header is rst (000100).

-

syn

Indicates that the SYN Flag type in the TCP packet header is syn (000010).

-

urg

Indicates that the SYN Flag type in the TCP packet header is urg (100000).

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range to the ACL, if the specified time-name does not exit, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance on the inbound interface.

The value must be an existing VPN instance name.
Table 1 Values of ICMP name and the corresponding ICMP type and ICMP code

ICMP name

ICMP type

ICMP code

Echo

8

0

Echo-reply

0

0

Fragmentneed-DFset

3

4

Host-redirect

5

1

Host-tos-redirect

5

3

Host-unreachable

3

1

Information-reply

16

0

Information-request

15

0

Net-redirect

5

0

Net-tos-redirect

5

2

Net-unreachable

3

0

Parameter-problem

12

0

Port-unreachable

3

3

Protocol-unreachable

3

2

Reassembly-timeout

11

1

Source-quench

4

0

Source-route-failed

3

5

Timestamp-reply

14

0

Timestamp-request

13

0

Ttl-exceeded

11

0

Views

User ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user ACL defines rules to filter IPv4 packets based on the source IP addresses or source User Control List (UCL) groups, destination IP addresses or destination UCL groups, IP protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges.

Currently, the user ACL can be applied only to the UCL groups of the NAC mode. To control the network access rights of users based on user groups, you can perform the following operations: configure a UCL group, associate user ACL rules with the UCL group so that the ACL rules apply to all users in the user group, configure packet filtering based on the user ACL to make the ACL take effect, and then apply the UCL group to the AAA service scheme.

Prerequisites

If the ucl-group name source-ucl-group-name or ucl-group name destination-ucl-group-name parameter is configured for a rule, the source and destination UCL groups must have been created by the ucl-group command.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

Example

# Add a rule to ACL 6000 to reject all the IP packets sent from UCL group group1 to network segment 10.9.9.0/24.

<HUAWEI> system-view
[HUAWEI] ucl-group 1 name group1
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] rule deny ip source ucl-group name group1 destination 10.9.9.0 0.0.0.255
Parent Topic: ACL Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >