The rule command adds a rule for an MPAC policy in the service-sec view.
The undo rule command deletes a rule or part of the rule configuration from an MPAC policy in the service-sec view.
By default, no rule is configured for an MPAC policy in the service-sec view.
rule [ ruleid ] [ name rule_name ] { permit | deny } protocol { ospf | rsvp | pim | ip | 18-255 | 1-5 | 7-16 } [ [ source-ip { source-address { source-mask | 0 } | any } ] | [ destination-ip { destination-address { destination-mask | 0 } | any } ] ] *
rule [ ruleid ] [ name rule_name ] { permit | deny } protocol { bgp | dhcp-c | dhcp-r | ftp | ldp | lsp-ping | ntp | rip | snmp | ssh | telnet | tftp | igmp } [ [ source-ip { source-address { source-mask | 0 } | any } ] | [ destination-ip { destination-address { destination-mask | 0 } | any } ] ] *
rule [ ruleid ] [ name rule_name ] { permit | deny } protocol { tcp | udp | 6 | 17 } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-address { source-mask | 0 } | any } ] | [ destination-ip { destination-address { destination-mask | 0 } | any } ] ] *
rule [ ruleid ] [ name rule_name ] { permit | deny } protocol { any | isis }
undo rule { ruleid | name rule_name } [ [ source-port ] | [ destination-port ] | [ source-ip ] | [ destination-ip ] ] *
| Parameter | Description | Value |
|---|---|---|
| ruleid | Specifies the ID of a rule for an MPAC policy. | The value is an integer ranging from 0 to 4294967294. |
| name rule_name | Specifies the name of a rule for a Management Plane Access Control (MPAC) policy. | The value is a string. |
| permit | Allows the matched packets to be sent to the CPU. | - |
| deny | Prevents the matched packets from being sent to the CPU. | - |
| protocol | Indicates the protocol name or number. | - |
| protocol any | Indicates any protocol. | - |
| protocol isis | Indicates IS-IS. | - |
| ospf | Indicates OSPF. | - |
| rsvp | Indicates Resource Reservation Protocol (RSVP). | - |
| pim | Indicates PIM. | - |
| ip | Indicates IP. | - |
| 1-5, 7-16, 18-255 | Specifies a protocol number other than the TCP and UDP protocol numbers. | The value is an integer ranging from 1 to 255, excluding 6 and 17. |
| source-ip | Indicates the source IP address of packets. | - |
| source-address | Specifies a source IPv4 address. | The value is in dotted decimal notation. |
| source-mask | Specifies the mask of a source IPv4 address. The protocol packets from this network segment are allowed to be or denied from being sent to the CPU. | The value is in dotted decimal notation. |
| 0 (after source-address) | Specifies the source host. The protocol packets from the host are allowed to be or denied from being sent to the CPU. | - |
| 0 (after destination-address) | Specifies the destination host. The protocol packets destined for the host are allowed to be or denied from being sent to the CPU. | - |
| any | Indicates any IP address. | - |
| destination-ip | Specifies the destination address of packets. | - |
| destination-address | Specifies a destination IPv4 address. The protocol packets destined for the address are allowed to be or denied from being sent to the CPU. | The value is in dotted decimal notation. |
| destination-mask | Specifies the mask of a destination IPv4 address. | The value is in dotted decimal notation. |
| bgp | Indicates BGP. | - |
| dhcp-c | Indicates Dynamic Host Configuration Protocol-C (DHCP-C). | - |
| dhcp-r | Indicates Dynamic Host Configuration Protocol-R (DHCP-R). | - |
| ftp | Indicates FTP. | - |
| ldp | Indicates LDP. | - |
| lsp-ping | Indicates LSP ping. | - |
| ntp | Indicates NTP. | - |
| rip | Indicates RIP. | - |
| snmp | Indicates SNMP. | - |
| ssh | Indicates SSH. | - |
| telnet | Indicates Telnet. | - |
| tftp | Indicates TFTP. | - |
| igmp | Indicates IGMP. | - |
| tcp | Indicates TCP. | - |
| udp | Indicates User Datagram Protocol (UDP). | - |
| 6 | Indicates the TCP protocol number. | The value is 6. |
| 17 | Indicates the UDP protocol number. | The value is 17. |
| source-port source-port-number | Specifies the source port number. | The value is an integer ranging from 0 to 65535. |
| destination-port destination-port-number | Specifies the destination port number. | The value is an integer ranging from 0 to 65535. |
Usage Scenario
To match specific users or packets, run the rule command to specify a matching rule based on the protocol name or number, or on the 5-tuple (protocol, source and destination IP address, source and destination port).
Prerequisites
An MPAC policy has been created using the service-security policy command.
Precautions
Exercise caution when using the rule [ rule-id ] deny protocol any command. After this command is applied globally, no protocol packets are sent to the CPU, so the device can no longer be managed.
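The following is an added configuration example, not taken from the product documentation, showing how the rule command is typically used to build an allow-list policy while avoiding the lockout described above. It assumes: a policy named MGMT-MPAC created with the service-security policy command (the page names the command but not its full syntax, so the form shown is assumed); a constructed management subnet 10.0.100.0/24 and a constructed BGP peer 192.0.2.1; that the mask is a wildcard mask (consistent with the table, where 0 denotes an exact host); and that rules are evaluated in ascending rule ID order with the first match taking effect. The command that applies the policy globally is not described on this page and is therefore omitted.

```text
# Added example (assumed syntax for the policy line; rule syntax as on this page).
service-security policy ipv4 MGMT-MPAC
 # Management protocols are permitted only from the constructed management subnet.
 rule 10 name ssh-from-mgmt permit protocol ssh source-ip 10.0.100.0 0.0.0.255
 rule 20 name snmp-from-mgmt permit protocol snmp source-ip 10.0.100.0 0.0.0.255
 rule 30 name ntp-from-mgmt permit protocol ntp source-ip 10.0.100.0 0.0.0.255
 # Routing protocols the device depends on are permitted; BGP only from the known peer host (mask 0).
 rule 40 name ospf-all permit protocol ospf
 rule 50 name bgp-peer permit protocol bgp source-ip 192.0.2.1 0
 # Catch-all deny, given the highest ID so that it is evaluated after every permit rule.
 rule 1000 name drop-rest deny protocol any
 # Removing only the source-ip restriction from rule 30 (see the undo rule syntax above)
 # would widen NTP to any source; removing the whole rule is "undo rule 30".
 undo rule 30 source-ip
```

Before adding the catch-all deny rule, confirm that the permit rules cover every address you manage the device from, and make the change from a session that does not depend on the policy being correct (for example a console session), so that a mistake in the permit rules does not leave the device unmanageable.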