The rule command adds or modifies a rule in the related UCL view.
The undo rule command deletes an ACL rule.
By default, there is no rule in the related advanced UCL view.
rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> | time-range time-name ] *
undo rule rule-id
The S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI do not support &<1-8> and ipv6-head.
Parameter | Description | Value |
---|---|---|
rule-id | Specifies the ID of an ACL rule. NOTE: ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on. | The value is an integer that ranges from 0 to 4294967294. |
deny | Denies the packets that match a rule. | - |
permit | Permits the packets that match a rule. | - |
l2-head \| ipv4-head \| ipv6-head \| l4-head | Indicates the position from which the offset starts. | - |
rule-string | Specifies the customized rule string. | The value is a string of 3 to 10 characters. The string is in hexadecimal notation. The maximum length of the string is 4 bytes. NOTE: The rule command in the user-defined ACL view matches four bytes each time. When the matching field length is smaller than four bytes, add 0 to the field. |
rule-mask | Specifies the mask of the rule string. | The value is a string of 3 to 10 characters. The string is in hexadecimal notation. The maximum length of the string is 4 bytes. When the mask bit of the customized character string is 1, the ACL matches the bit. When the mask bit of the customized character string is 0, the ACL does not match the bit. |
offset | Specifies the value of the offset. | The value is an integer, in bytes. The value of the offset varies with the offset position. NOTE: For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, the value of offset is 2N for any offset positions. N is an integer starting from 0. |
time-range time-name | Defines the time range during which an ACL rule takes effect. time-name specifies the name of the time range during which an ACL rule takes effect. | The value is a string of 1 to 32 characters. |
Usage Scenario
A user-defined ACL defines rules by specifying an offset position in the packet and the value to match at that offset. User-defined ACLs are used as matching rules of a traffic classifier.
The rule command can also specify a time range, which lets you flexibly configure when the ACL rule takes effect.
The user-defined ACL is applicable to only the incoming traffic.
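The following Python model is an added example, not vendor code or device behavior taken from this page. It shows how a rule-string, rule-mask, and offset select and compare four bytes of a packet, and how a shorter field is padded with 0. Assumptions: the frame is untagged Ethernet/IPv4, each head keyword points at the first byte of that header, and rule-string and rule-mask are written as 0x followed by 1 to 8 hex digits. The function names and sample frame are constructed for illustration.

```python
import struct

def header_bases(frame: bytes) -> dict:
    """Start of each header in an untagged Ethernet/IPv4 frame (assumed layout)."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("model handles untagged IPv4 frames only")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    return {"l2-head": 0, "ipv4-head": 14, "l4-head": 14 + ihl}

def parse_hex(text: str) -> int:
    """rule-string / rule-mask: assumed '0x' plus 1 to 8 hex digits (3 to 10 chars)."""
    if not (3 <= len(text) <= 10 and text.lower().startswith("0x")):
        raise ValueError(f"bad rule-string or rule-mask: {text!r}")
    return int(text, 16)

def field_matches(frame: bytes, head: str, rule_string: str,
                  rule_mask: str, offset: int) -> bool:
    """Compare the four bytes at head + offset with rule-string under rule-mask."""
    start = header_bases(frame)[head] + offset
    window = frame[start:start + 4]
    if len(window) < 4:
        return False  # frame too short to contain the field
    value = int.from_bytes(window, "big")
    mask = parse_hex(rule_mask)
    # Mask bit 1: the bit is compared. Mask bit 0: the bit is ignored.
    return (value & mask) == (parse_hex(rule_string) & mask)

def sample_frame(proto: int, dport: int) -> bytes:
    """Constructed test frame: zeroed MACs, 20-byte IPv4 header, 20 bytes of L4."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + struct.pack("!HH", 40000, dport) + bytes(16)

# IPv4 protocol is one byte at ipv4-head offset 9. The rule matches four bytes,
# so start at offset 8 and pad the other three bytes with 0 in string and mask.
TCP_PROTO = ("ipv4-head", "0x00060000", "0x00ff0000", 8)
# Destination port is the low two bytes of the four bytes at l4-head offset 0.
TELNET_DPORT = ("l4-head", "0x00000017", "0x0000ffff", 0)

if __name__ == "__main__":
    telnet = sample_frame(proto=6, dport=23)
    print(field_matches(telnet, *TCP_PROTO), field_matches(telnet, *TELNET_DPORT))
```

Both sample offsets (8 and 0) are even, so they also satisfy the 2N offset restriction noted for the S5735 models.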
Prerequisites
An ACL must be created before the rule is configured.
Precautions
When specifying an ACL rule to match offset bytes in the Layer 2 header on the S5730-SI, S5730S-EI, S6720-56C-PWH-SI-AC, or S6720-56C-PWH-SI, add a tag first if the ACL rule will be applied on a GE electrical interface through which untagged packets pass.