rule (Basic ACL6 view)

Function

The rule command creates or modifies an ACL6 rule in the basic ACL6 view.

The undo rule command deletes an ACL6 rule in the basic ACL6 view.

By default, no basic ACL6 rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | [ { vpn-instance | vpn6-instance } vpn-instance-name | vpn-instance-any ] ] *

undo rule [ name rule-name ] { permit | deny } [ fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

undo rule rule-id [ to end-rule-id ]

Parameters

Parameter Description Value
rule-id

Specifies the ID of an ACL6 rule.

The value is an integer ranging from 0 to 4294967294.
name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 case-sensitive characters that cannot begin with an underscore (_), spaces not supported.
permit

Permits packets that match conditions.

-
deny

Denies packets that match conditions.

-
fragment

Checks fragmented packets.

-
source

Matches packets based on source IPv6 addresses.

If source is not configured, packets from any source IPv6 address are matched.

-
source-ipv6-address

Specifies a source IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
prefix-length

Specifies the length of an IPv6 address mask.

The value is an integer ranging from 1 to 128.
source-ipv6-address/prefix-length

Specifies the IPv6 address and mask length of the source IPv6 address.
  • The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
  • The value of mask length is an integer ranging from 1 to 128.
any

Indicates any destination IPv6 address.

-
time-range time-name

Specifies a time range during which an ACL6 rule takes effect. If the time-range is not configured for ACL, it indicates the ACL takes effect immediately.

A time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.
vpn-instance vpn-instance-name

Matches packets based on an IPv6 VPN instance name. If the traffic is from L3VPN, this option must be configured in the ACL. If this option is not configured, it indicates the traffic belongs to the public network rather than L3VPN.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.
vpn-instance-any

Specifies any VPN instance.

-
rule

Specify an ACL6 rule.

-
to end-rule-id

Specifies an end rule ID for advanced ACL6 rules to be deleted in batches.

The value is an integer ranging from 0 to 4294967294.

Views

Basic ACL6 view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After a basic ACL6 is created, run the rule command to add rules to the ACL6.

Prerequisites

A basic ACL6 has been created using the acl ipv6 command in the system view.

A time range has been configured using the time-range command in the system view if you want to specify a validity period when creating a basic ACL6 rule.

Configuration Impact

When specifying an ACL6 rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

    When an ACL6 rule ID is not specified and a rule is added, the system automatically allocates an ID to this rule. ACL6 rules are arranged in ascending order of rule IDs, with the difference between two adjacent rules as an ACL6 step.

    The rule IDs automatically generated by the system start from the ACL6 step. For example, if the ACL6 step is 5, the rule ID starts from 5; if the ACL6 step is 2, the rule ID starts from 2. This allows you to add rules before the first rule.

Precautions

If auto is configured when you run the acl ipv6 command to create an ACL6, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL6 step as the start rule ID, and the subsequent rules are numbered by a step in ascending order.

If rule-id is not specified when you run the rule command to create an ACL6, the system automatically assigns an ID to the ACL6 rule. You can run the display acl ipv6 command to check the rule ID automatically assigned to an ACL6.

If name rule-name is not specified when you run the rule command to create an ACL6, the system automatically generates a name for the ACL6 in the format of "rule"+"_"+rule ID. Rule ID is the ID of an ACL6 rule that can be specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL6 rule through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl ipv6 command.

Before deleting an ACL6 rule, run the display acl ipv6 command to check whether the ACL6 rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create a basic ACL6 numbered 2999 and add a rule to ACL6 2999 to match packets with the source IPv6 address 2001:db8::1/64.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 number 2999
[*HUAWEI-acl6-basic-2999] rule permit source 2001:db8::1/64
Parent Topic: ACL6 Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >