rule (Advanced ACL6 view) (protocol)

Function

The rule command creates or modifies an ACL6 rule in the advanced ACL6 view.

The undo rule command deletes an ACL6 rule in the advanced ACL6 view.

By default, no advanced ACL6 rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 | protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43 | ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-destination } [ option-code option-value ] | 61-255 } [ { destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | destination-pool destination-pool-name } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | time-range time-name | [ dscp dscp | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

undo rule [ name rule-name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 | protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43 | ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-destination } [ option-code option-value ] | 61-255 } [ { destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | destination-pool destination-pool-name } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | time-range time-name | [ dscp dscp | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

Parameters

Parameter Description Value
rule-id

Specifies the number of an advanced ACL6 rule.

The value is an integer that ranges from 0 to 4294967294.

name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 characters.

permit

Permits the packets that match a rule.

-

deny

Denies the packets that match a rule.

-

hoport

-

-

1

Indicates the protocol number.

-

5

Indicates the protocol number.

-

protocol

Matches packets based on the protocol type.

The value is an integer that ranges from 1 to 5.

gre

Basic Routing Encapsulation (47).

-

ipv6

Any IPv6 protocol.

-

ipv6-ah

IPv6 Authentication Header (51).

-

ipv6-esp

IPv6 Encapsulating Security Payload (50).

-

ospf

Open Shortest Path First (89).

-

7-16

Indicates the protocol number.

The value is an integer that ranges from 7 to 16.

destination

Matches packets based on the destination IPv6 address.

If no destination IPv6 address is specified, an ACL takes effect for packets with any destination IPv6 address.

-

destination-ipv6-address

Specifies the destination IPv6 address.

The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.

prefix-length

Specifies the mask length of the destination IPv6 address.

The value is an integer that ranges from 1 to 128.

dest-ipv6-addr-prefix

Specifies the destination IPv6 address with a prefix.

The value is a string of case-sensitive characters, spaces not supported.

any

Matches packets with any IPv6 address.

-

destination-pool destination-pool-name

Specifies the name of a destination IPv6 address pool used by an advanced ACL. An ACL IPv6 address pool is created using the acl ipv6-pool command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

fragment

Checks fragmented packets.

-

source

Matches packets based on the source IPv6 address.

If no source IPv6 address is configured, packets with any source IPv6 address are matched.

-

source-ipv6-address

Specifies a source IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

prefix-length

Specifies the mask length of the source IPv6 address.

The value is an integer that ranges from 1 to 128.

src-ipv6-addr-prefix

Specifies the source IPv6 address with a prefix.

The value is a string of case-sensitive characters, spaces not supported.

source-pool source-pool-name

Specifies the name of a source IPv6 address pool used by an advanced ACL. An ACL IPv6 address pool is created using the acl ipv6-pool command.

The value is a string of 1 to 31 case-sensitive characters.

time-range time-name

Specifies the time range during which the rule takes effect. If this parameter is not specified, the rule takes effect immediately after being configured.

The time range is configured using the time-range command.

-

dscp dscp

Matches IPv6 packets based on the leftmost six bits of the TC field.

The value is an integer that ranges from 0 to 63.

precedence precedence

Matches IPv6 packets based on the leftmost three bits of the TC field.

The value is an integer that ranges from 0 to 7.

critical

Critical priority (5).

-

flash

Flash priority (3).

-

flash-override

Flash-override priority (4).

-

immediate

Immediate priority (2).

-

internet

Internetwork control priority (6).

-

network

Network control priority (7).

-

priority

Priority (1).

-

routine

Routine priority (0).

-

tos tos

Matches IPv6 packets based on the leftmost four to seven bits of the Traffic Class (TC) field.

This parameter can be a keyword or a number.

  • If a keyword is used, the keyword and its corresponding number are max-reliability(2), max-throughput(4), min-delay(8), min-monetary-cost(1) or normal(0).
  • If a number is used, the value is an integer ranging from 0 to 15.

max-reliability

Highest-reliability service (2).

-

max-throughput

Maximum throughput service (4).

-

min-delay

Minimum delay service (8).

-

min-monetary-cost

Cheapest service (1).

-

normal

Common service (0).

-

vpn-instance vpn-instance-name

Matches packets based on an IPv6 VPN instance name. If the IPv6 packet is an L3VPN service address, this parameter needs to be added to the ACL. If this parameter is not specified, the packets are public IPv6 packets.

The value is a string of 1 to 32 case-sensitive characters without spaces and cannot start with an underscore (_).

vpn-instance-any

Specifies any VPN instance.

-

Views

Advanced ACL6 view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After an advanced ACL6 is created, run the rule command to add rules to the ACL6.

Prerequisites

An advanced ACL6 has been created using the acl ipv6 command in the system view.

A time range has been configured using the time-range command in the system view if you want to specify a validity period when creating an advanced ACL6 rule.

Configuration Impact

When specifying an ACL6 rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

When an ACL6 rule ID is not specified and a rule is added, the system automatically allocates an ID to this rule. ACL6 rules are arranged in ascending order of rule IDs, with the difference between two adjacent rules as an ACL6 step.

The rule IDs automatically generated by the system start from the ACL6 step. For example, if the ACL6 step is 5, the rule ID starts from 5; if the ACL6 step is 2, the rule ID starts from 2. This allows you to add rules before the first rule.

Precautions

When you configure advanced ACL6 rules for TCP or UDP, fragment cannot be configured together with destination-port or source-port.

If auto is configured when you run the acl ipv6 command to create an ACL6, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL6 step as the start rule ID, and the subsequent rules are numbered by a step in ascending order.

If the auto mode based on the depth-first principle is specified as the matching order for an advanced ACL6 rule group, you cannot specify a rule ID when creating a rule.

If rule-id is not specified when you run the rule command to create an ACL6, the system automatically assigns an ID to the ACL6 rule. You can run the display acl ipv6 command to check the rule ID automatically assigned to an ACL6.

If name rule-name is not specified when you run the rule command to create an ACL6, the system automatically generates a name for the ACL6 in the format of "rule"+"_"+rule ID. Rule ID is the ID of an ACL6 rule that can be specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL6 rule through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl ipv6 command.

Before deleting an ACL6 rule, run the display acl ipv6 command to check whether the ACL6 rule has been applied to other services. Delete the rule only when it is not applied to other services.

If the ID of an advanced ACL6 rule to be deleted is not specified, you must specify all parameters in the rule before deleting it.
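The rule-ID behaviour described under Configuration Impact and Precautions (auto IDs start at the ACL6 step and climb by the step, an explicit ID either creates a rule or overwrites the conflicting part of an existing one, and rules are evaluated in ascending ID order under the config matching order) is modelled below. This is an added illustration written in Python, not Huawei code; the class Acl6, its method names and the first-match semantics are assumptions for the illustration, and the source prefixes mirror the ones in the Example section.

```python
import ipaddress


class Acl6:
    """Toy model of an advanced ACL6 rule table (illustration, not vendor code)."""

    def __init__(self, step=5):
        self.step = step
        self.rules = {}  # rule-id -> {"action", "proto", optional "source"}

    def _next_id(self):
        # Auto-allocated IDs are multiples of the step above the highest
        # existing ID; with an empty table the first ID equals the step.
        top = max(self.rules, default=0)
        return (top // self.step + 1) * self.step

    def rule(self, action, proto, source=None, rule_id=None):
        """Equivalent of: rule [rule-id] {permit|deny} proto [source addr len]."""
        if rule_id is None:
            rule_id = self._next_id()
        new = {"action": action, "proto": proto}
        if source is not None:
            # "source 2001:db8::1 64" keeps host bits, so strict=False.
            new["source"] = ipaddress.IPv6Network(source, strict=False)
        # Existing ID: the conflicting part of the new rule overwrites the
        # old one, fields not repeated in the new rule are retained.
        merged = dict(self.rules.get(rule_id, {}))
        merged.update(new)
        self.rules[rule_id] = merged
        return rule_id

    def match(self, proto, src):
        """First match in ascending rule-ID order (config order); None if nothing matches."""
        src = ipaddress.IPv6Address(src)
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r["proto"] != proto:
                continue
            net = r.get("source")
            if net is None or src in net:
                return rid, r["action"]
        return None


if __name__ == "__main__":
    acl = Acl6(step=5)
    print(acl.rule("permit", "tcp", "2001:db8::1/64"))   # 5
    print(acl.rule("deny", "udp", "2001:db8::1/64"))     # 10
    print(acl.rule("deny", "tcp", "2001:db8::/32", rule_id=3))  # inserted before rule 5
    print(acl.match("tcp", "2001:db8::abcd"))            # (3, 'deny')
```

Inserting rule 3 ahead of the auto-numbered rule 5 shows why the auto IDs start at the step rather than at 0: the gap below the first rule is left free for exactly this kind of later insertion.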

Example

# Configure an advanced ACL6 whose matching order is config.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 3000
[*HUAWEI-acl6-advance-3000] rule permit tcp source 2001:db8::1 64
[*HUAWEI-acl6-advance-3000] rule deny udp source 2001:db8::1 64
Copyright © Huawei Technologies Co., Ltd.