rule (Interface-based ACL view)

Function

The rule command creates or modifies an ACL rule in the interface ACL view.

The undo rule command deletes an ACL rule in the interface ACL view.

By default, no interface ACL rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } interface { interface-name | any | interface-type interface-number } [ time-range time-name ] *

undo rule [ name rule-name ] { permit | deny } interface { interface-name | any | interface-type interface-number } [ time-range time-name ] *

Parameters

Parameter Description Value
rule-id

Specifies the ID of an ACL rule.

The value is an integer ranging from 0 to 4294967294.

name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 case-sensitive characters without spaces. The name cannot begin with an underscore (_).

permit

Permits packets that match conditions.

-

deny

Denies packets that match conditions.

-

interface interface-type interface-number

Matches packets based on an inbound interface type and number.

-

interface interface-name

Matches packets based on an inbound interface name.

The value is a string of 1 to 63 case-sensitive characters, spaces not supported.

any

Matches packets from any inbound interface.

-

time-range time-name

Specifies a time range during which an ACL rule takes effect.

A time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

Views

Interface-based ACL view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After an interface ACL is created, run the rule command to add rules to the ACL.

Interface-based ACLs, basic ACLs, and advanced ACLs are available for both IPv4 and IPv6.

  • Interface-based IPv6 and IPv4 ACLs filter packets based on the inbound interfaces.
  • Basic IPv6 and IPv4 ACLs filter packets based on the source IPv6 and IPv4 addresses, respectively.
  • Advanced IPv6 and IPv4 ACLs filter packets based on the information carried in Layer 3 or Layer 4 (TCP/UDP) protocol headers.

Prerequisites

An interface ACL has been created using the acl command in the system view.

A time range has been configured using the time-range command in the system view if you want to specify a validity period when creating an interface ACL rule.

Configuration Impact

When specifying an ACL rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

    When an ACL rule ID is not specified and a rule is added, the system automatically allocates an ID to this rule. ACL rules are arranged in ascending order of rule IDs, with the difference between two adjacent rules as an ACL increment.

    The rule IDs automatically generated by the system start from the ACL increment. For example, if the ACL increment is 5, the rule ID starts from 5; if the ACL increment is 2, the rule ID starts from 2. This allows you to add rules before the first rule.

Precautions

If auto is configured when you run the acl command to create an ACL, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL increment as the start rule ID, and the subsequent rules are numbered by an ACL increment in ascending order.

If rule-id is not specified when you run the rule command to create an ACL rule, the system automatically assigns an ID to the rule. You can run the display acl command to check the rule ID that was assigned.

If name rule-name is not specified when you run the rule command to create an ACL rule, the system automatically generates a name for the rule in the format "rule"+"_"+rule ID (for example, rule_5 for rule ID 5). The rule ID is either the value given with the rule-id parameter or the ID assigned automatically by the system. You can check the automatically generated rule name through the NMS.
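The rule-ID allocation, overwrite, and naming behaviour described in the Configuration Impact and Precautions sections, modelled as an added Python example (this is not Huawei code and not output from a device). The ACL increment of 5, the interface names, the reading of an auto-assigned ID as the next multiple of the increment above the highest existing rule ID, and evaluation in ascending rule-ID order with the first match deciding are assumptions made for the illustration.

```python
# Added example (not Huawei code): a model of interface-based ACL rule
# numbering and naming as described in the Configuration Impact and
# Precautions sections. Increment value, interface names, and the
# first-match evaluation order are assumptions for this illustration.
import re
from dataclasses import dataclass, field

# Rule name: 1 to 32 characters, no spaces, must not begin with '_'.
RULE_NAME_RE = re.compile(r"^[^_\s][^\s]{0,31}$")
MAX_RULE_ID = 4294967294


@dataclass
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    interface: str     # inbound interface name, or "any"
    name: str          # explicit name or system-generated "rule_<id>"


@dataclass
class InterfaceAcl:
    number: int
    increment: int = 5          # ACL increment (step); assumed value
    auto: bool = False          # True when the ACL was created with 'auto'
    rules: dict = field(default_factory=dict)   # rule_id -> Rule

    def add_rule(self, action, interface, rule_id=None, name=None):
        """Create a rule, or overwrite the rule that already has rule_id."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.auto and rule_id is not None:
            # With 'auto', rule IDs cannot be specified by the user.
            raise ValueError("rule-id cannot be specified in auto mode")
        if rule_id is None:
            rule_id = self._next_auto_id()
        if not 0 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule-id out of range 0..4294967294")
        if name is None:
            name = f"rule_{rule_id}"        # system-generated name format
        elif not RULE_NAME_RE.match(name):
            raise ValueError("invalid rule name")
        # A rule with the same ID is replaced by the new definition.
        self.rules[rule_id] = Rule(rule_id, action, interface, name)
        return self.rules[rule_id]

    def _next_auto_id(self):
        # The first auto ID equals the increment; later auto IDs are the
        # next multiple of the increment above the highest existing ID
        # (assumed interpretation of the ordering described in the text).
        if not self.rules:
            return self.increment
        highest = max(self.rules)
        return (highest // self.increment + 1) * self.increment

    def ordered_rules(self):
        """Rules in ascending rule-ID order, as the device arranges them."""
        return [self.rules[i] for i in sorted(self.rules)]

    def lookup(self, inbound_interface):
        """Return the action of the first matching rule, or None."""
        # Assumption: evaluation in ascending rule-ID order, first match wins.
        for r in self.ordered_rules():
            if r.interface == "any" or r.interface == inbound_interface:
                return r.action
        return None


def demo():
    """Reproduce the sequence discussed above and return the rule order."""
    acl = InterfaceAcl(number=1999)
    acl.add_rule("deny", "GigabitEthernet0/1/0")           # auto ID 5
    acl.add_rule("permit", "any")                          # auto ID 10
    acl.add_rule("permit", "GigabitEthernet0/1/0", rule_id=2)  # before rule 5
    return [(r.rule_id, r.name, r.action) for r in acl.ordered_rules()]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Because rule 2 sorts ahead of the auto-numbered rule 5, a packet from GigabitEthernet0/1/0 is permitted by rule 2 even though rule 5 denies that interface; this is the "add rules before the first rule" case the text mentions, and the reason to check rule order with display acl before relying on a deny.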

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl command.

Before deleting an ACL rule, run the display acl command to check whether the ACL rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create an interface ACL numbered 1999 and add a rule to ACL 1999 to match packets from the inbound interface GE 0/1/0.
<HUAWEI> system-view
[~HUAWEI] acl number 1999
[*HUAWEI-acl4-interface-1999] rule deny interface GigabitEthernet0/1/0
Copyright © Huawei Technologies Co., Ltd.