if-match acl

Function

The if-match acl command configures a matching rule for complex traffic classification based on an IPv4 or IPv6 ACL.

The undo if-match acl command cancels the configuration.

By default, the matching rule for complex traffic classification based on an IPv4 or IPv6 ACL is not configured in traffic classifier view.

Format

if-match acl { acl-number | name acl-name }

if-match ipv6 acl { acl-number | name acl-name }

if-match acl { acl-number | name acl-name } precedence precedence-value

if-match ipv6 acl { acl-number | name acl-name } precedence precedence-value

undo if-match acl { acl-number | name acl-name }

undo if-match ipv6 acl { acl-number | name acl-name }

undo if-match acl { acl-number | name acl-name } precedence precedence-value

undo if-match ipv6 acl { acl-number | name acl-name } precedence precedence-value

Parameters

Parameter Description Value
acl-number

Specifies the number of an ACL.

For an IPv4 ACL, the value is an integer in the range 2000 to 4999 or 6000 to 10999.
  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.
  • The number of a Layer 2 ACL ranges from 4000 to 4999.
  • The number of a user-defined ACL ranges from 6000 to 9999.
  • The number of an MPLS-based ACL ranges from 10000 to 10999.
For an IPv6 ACL, the value is an integer in the range 2000 to 3999 or 6000 to 9999.
  • The number of a basic ACL6 ranges from 2000 to 2999.
  • The number of an advanced ACL6 ranges from 3000 to 3999.
  • The number of a user-defined ACL6 ranges from 6000 to 9999.
name acl-name

Specifies the name of a named ACL.

The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive).

ipv6

Specifies the ACL6.

-

precedence precedence-value

Specifies the precedence of an ACL. This parameter can be configured only in a traffic classifier in OR mode.

The value is an integer that ranges from 1 to 65535. A smaller value indicates a higher precedence. The precedence takes effect only in the traffic classifier profile.

Views

Traffic classifier view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
qos          write

Usage Guidelines

Usage Scenario

To classify packets by the interface on which they are received, source IP address, destination IP address, IP bearer protocol type, TCP source and destination ports, ICMP message type and code, source MAC address, destination MAC address, source IP address group, or destination IP address group, you need to define an ACL. That is, define the ACL and configure its rules before running this command to configure a matching rule for complex traffic classification in the traffic classifier.

Prerequisites

The ACL is defined and the rules are configured.

A traffic classifier is configured in the system view and the traffic classifier view is displayed.

Configuration Impact

Packets are classified according to the matched ACL rule and different traffic behaviors are performed for packets in different traffic classifiers.

Follow-up Procedure

You need to configure the traffic behavior and traffic policy for the traffic classifier matching the rules and apply the traffic policy to interfaces.

Precautions

You can configure more than one ACL number for a traffic classifier to match packets of different types. One traffic classifier can match a maximum of 16 if-match rules.

When the precedence has been set to 65535 in the if-match acl command in the traffic classifier view, if-match rules without precedence cannot be configured.

When a VPN instance is configured in an ACL, matching the ACL's rule in the traffic classification view does not take effect.

If a matching rule based on hoport is configured in an ACL, only permit and deny actions are supported. Other actions can be configured but do not take effect.

In versions earlier than V800R013C00, ACL priorities are allocated globally by default. In V800R013C00 and later versions, ACL priorities are allocated based on traffic classification profiles. After an upgrade from a version earlier than V800R013C00 to V800R013C00 or a later version, the default priority is displayed in the configuration file of the new version.
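An added example, not Huawei's code: a small Python linter that checks the if-match acl lines of one traffic classifier against the limits stated on this page (ACL number ranges, name format, precedence range and OR-mode requirement, the 16-rule limit, and the precedence 65535 restriction). The function names, the mode argument and the sample lines are assumptions, and any classifier that mixes precedence 65535 with rules lacking a precedence is reported regardless of line order.

```python
import re

# Number ranges from the Parameters table above: (low, high, ACL type).
RANGES = {
    "ipv4": [(2000, 2999, "basic"), (3000, 3999, "advanced"), (4000, 4999, "layer2"),
             (6000, 9999, "user-defined"), (10000, 10999, "mpls")],
    "ipv6": [(2000, 2999, "basic"), (3000, 3999, "advanced"), (6000, 9999, "user-defined")],
}
MAX_RULES = 16            # if-match rules per traffic classifier
MAX_PRECEDENCE = 65535    # precedence range is 1 to 65535
LINE = re.compile(r"^if-match (ipv6 )?acl (?:(\d+)|name (\S+))(?: precedence (\d+))?$")
NAME = re.compile(r"^[A-Za-z]\S{0,63}$")  # 1 to 64 characters, no spaces, starts with a letter
# Constructed sample: two lines taken from the page's examples, one out-of-range ACL6 number.
SAMPLE = ["if-match ipv6 acl 2999 precedence 3", "if-match acl 3101 precedence 2",
          "if-match ipv6 acl 4000"]


def acl_type(family, number):
    """Return the ACL type for a number, or None if it is outside the documented ranges."""
    for low, high, kind in RANGES[family]:
        if low <= number <= high:
            return kind
    return None


def lint_classifier(lines, mode="or"):
    """Check the if-match acl lines of one traffic classifier; return a list of findings."""
    findings, precedences = [], []
    for n, raw in enumerate(lines, 1):
        m = LINE.match(raw.strip())
        if not m:
            findings.append(f"line {n}: not a valid if-match acl form")
            continue
        family = "ipv6" if m.group(1) else "ipv4"
        number, name, prec = m.group(2), m.group(3), m.group(4)
        if number and acl_type(family, int(number)) is None:
            findings.append(f"line {n}: {family} ACL number {number} out of range")
        if name and not NAME.match(name):
            findings.append(f"line {n}: invalid ACL name")
        if prec and not 1 <= int(prec) <= MAX_PRECEDENCE:
            findings.append(f"line {n}: precedence {prec} out of range")
        if prec and mode != "or":
            findings.append(f"line {n}: precedence requires a classifier in OR mode")
        precedences.append(int(prec) if prec else None)
    if len(lines) > MAX_RULES:
        findings.append(f"{len(lines)} if-match rules exceed the limit of {MAX_RULES}")
    if MAX_PRECEDENCE in precedences and None in precedences:
        findings.append("precedence 65535 is in use: rules without precedence cannot be configured")
    return findings
```

Run it over the if-match lines extracted from each classifier block of a saved configuration before pushing the change to a device.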

Example

# Set a traffic classifier named class1 to match IPv6 ACL 2999.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 number 2999
[*HUAWEI-acl6-basic-2999] rule permit source 2001:0db8::9050/64
[*HUAWEI-acl6-basic-2999] quit
[*HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match ipv6 acl 2999

# Define a traffic classifier named class1 and apply IPv6 ACL 2999 with a precedence of 3 to the traffic classifier.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 number 2999
[*HUAWEI-acl6-basic-2999] rule permit source 2001:0db8::9050/64
[*HUAWEI-acl6-basic-2999] quit
[*HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match ipv6 acl 2999 precedence 3

# Define a traffic classifier named class1 and apply IPv4 ACL 3101 with a precedence of 2 to the traffic classifier.
<HUAWEI> system-view
[~HUAWEI] acl 3101
[*HUAWEI-acl4-advance-3101] rule deny ip source 10.1.1.1 0 destination 10.2.1.1 0
[*HUAWEI-acl4-advance-3101] quit
[*HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match acl 3101 precedence 2

# Set a traffic classifier named class1 and apply IPv4 ACL 3101 to the traffic classifier.
<HUAWEI> system-view
[~HUAWEI] acl 3101
[*HUAWEI-acl4-advance-3101] rule deny ip source 10.1.1.1 0 destination 10.2.1.1 0
[*HUAWEI-acl4-advance-3101] quit
[*HUAWEI] traffic classifier class1
[*HUAWEI-classifier-class1] if-match acl 3101
Copyright © Huawei Technologies Co., Ltd.