rule (UCL6 view)

Function

The rule command creates an ACL6 rule in the ACL6 view. If a user ACL6 rule already exists, this command can be used to modify the ACL6 rule.

The undo rule command deletes an ACL6 rule or certain configuration information.

By default, no user ACL6 rule has been created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | gre | ipv6-esp | ipv6 | ipv6-ah | ospf | 7-16 | 18-57 | 59-255 } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { 6 | tcp } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | src-begin-tcp-port-enum } | range { port-number | src-begin-tcp-port-enum } { port-number | src-end-tcp-port-enum } } ] | [ destination-port { operator { port-number | dst-begin-tcp-port-enum } | range { port-number | dst-begin-tcp-port-enum } { port-number | dst-end-tcp-port-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { udp | 17 } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | src-begin-udp-port-enum } | range { port-number | src-begin-udp-port-enum } { port-number | src-end-udp-port-enum } } ] | [ destination-port { operator { port-number | dst-begin-udp-port-enum } | range { port-number | dst-begin-udp-port-enum } { port-number | dst-end-udp-port-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { icmpv6 | 58 } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ icmp6-type { icmp6-type icmp6-code | icmp6-type-name } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

undo rule [ name rule-name ] { permit | deny } { protocol | gre | ipv6-esp | ipv6 | ipv6-ah | ospf | 7-16 | 18-57 | 59-255 } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

undo rule [ name rule-name ] { permit | deny } { 6 | tcp } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | src-begin-tcp-port-enum } | range { port-number | src-begin-tcp-port-enum } { port-number | src-end-tcp-port-enum } } ] | [ destination-port { operator { port-number | dst-begin-tcp-port-enum } | range { port-number | dst-begin-tcp-port-enum } { port-number | dst-end-tcp-port-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

undo rule [ name rule-name ] { permit | deny } { udp | 17 } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | src-begin-udp-port-enum } | range { port-number | src-begin-udp-port-enum } { port-number | src-end-udp-port-enum } } ] | [ destination-port { operator { port-number | dst-begin-udp-port-enum } | range { port-number | dst-begin-udp-port-enum } { port-number | dst-end-udp-port-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

undo rule [ name rule-name ] { permit | deny } { icmpv6 | 58 } [ [ source { ipv6-address { source-ipv6-address source-wildcard | any | source-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { ipv6-address { destination-ipv6-address destination-wildcard | any | destination-wildcard } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ icmp6-type { icmp6-type icmp6-code | icmp6-type-name } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp | traffic-class traffic-class } ] | [ time-range time-name ] | [ logging ] | [ fragment ] ] *

undo rule rule-id

Parameters

Parameter Description Value
rule-id

Specifies the ID of an ACL6 rule.

The value is an integer ranging from 0 to 4294967294.

name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 case-sensitive characters without spaces; it cannot begin with an underscore (_).

permit

Permits packets that match conditions.

-

deny

Denies packets that match conditions.

-

protocol

Matches packets based on a protocol.

The number is an integer ranging from 1 to 255.

gre

GRE tunnelling (47).

-

ipv6-esp

IPv6 Encapsulating Security Payload (50).

-

ipv6

Any IPv6 protocol (0).

-

ipv6-ah

IPv6 Authentication Header (51).

-

ospf

OSPF routing protocol (89).

-

7-16

Protocol number.

The value is an integer ranging from 7 to 16.

18-57

Protocol number.

The value is an integer ranging from 18 to 57.

59-255

Protocol number.

The value is an integer ranging from 59 to 255.

source

Matches packets based on source information.

-

ipv6-address

Matches packets based on the source IPv6 address.

If no source IP address is specified, an ACL takes effect for ARP packets with any source IPv6 address.

-

source-ipv6-address

Specifies a source IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

source-wildcard

Specifies the wildcard of a source IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

any

Indicates any IPv6 address.

-

service-group

Matches packets based on the service group.

If no source service group is specified, an ACL takes effect for packets with any source service group.

-

service-group-name

Specifies the name of the service group.

The value is a string of 1 to 31 case-sensitive characters.

user-group

Matches packets based on the source user group.

If no source user group is specified, an ACL takes effect for packets with any source user group.

-

user-group-name

Specifies the name of the source user group.

The value is a string of 1 to 32 case-sensitive characters.

destination

Matches packets based on destination IPv6 addresses.

If destination is not configured, packets to any destination IPv6 address are matched.

-

destination-ipv6-address

Specifies a destination IPv6 address.

The value is a 32-digit hexadecimal number in the format of X:X::X:X.

destination-wildcard

Specifies the wildcard of a destination IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

precedence precedence

Matches IPv6 packets based on the leftmost three bits of the TC field.

The number is an integer ranging from 0 to 7.

precedence-enum

Matches IPv6 packets based on the leftmost three bits of the TC field.

The number is an integer ranging from 0 to 7.

tos tos

Matches IPv6 packets based on the leftmost four to seven bits of the TC field.

The number is an integer ranging from 0 to 15.

tos-enum

Matches IPv6 packets based on the leftmost four to seven bits of the TC field.

When the value is a keyword, it can be max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp

Matches packets based on a DSCP value.

The value is an integer ranging from 0 to 63.

traffic-class traffic-class

Matches packets based on a traffic type.

The value is an integer ranging from 0 to 255.

time-range time-name

Specifies a time range during which an ACL6 rule takes effect. If no time range is configured for the ACL, the ACL takes effect immediately.

A time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

logging

Logs packets that match the rule.

-

fragment

Matches only the subsequent (non-initial) fragments of a fragmented packet; neither the first fragment nor non-fragmented packets are matched.

-

rule

Specify an ACL rule.

-

6

Transmission Control Protocol (6).

The value is 6.

tcp

Transmission Control Protocol (6).

-

source-port

Matches packets based on source port numbers.

If source-port is not configured, packets from any source ports are matched.

-

operator

Specifies an operator that compares source port numbers.

The value of operator can be:

  • eq: matches packets with the specified port number.
  • gt: matches packets with the port number greater than the specified port number.
  • lt: matches packets with the port number less than the specified port number.
port-number

Specifies a TCP or UDP port number.

The value can be a keyword or number.

  • The available keyword options are as follows:
    • When protocol is TCP, the keyword and its corresponding number can be bgp (179), chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80).
    • When protocol is UDP, the keyword and its corresponding number can be biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177).
  • If a number is used, the number is an integer ranging from 0 to 65535.
src-begin-tcp-port-enum

Specifies a TCP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is TCP, the keyword and its corresponding number can be bgp (179), chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80).
  • If a number is used, the number is an integer ranging from 0 to 65535.
range

Packets with source or destination port numbers within a certain range are matched.

-

src-end-tcp-port-enum

Specifies a TCP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is TCP, the keyword and its corresponding number can be bgp (179), chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80).
  • If a number is used, the number is an integer ranging from 0 to 65535.
destination-port

Matches packets based on destination port numbers.

This parameter is available only when protocol is set to tcp (6) or udp (17). If destination-port is not configured, TCP and UDP packets to any destination ports are matched.

-

dst-begin-tcp-port-enum

Specifies a TCP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is TCP, the keyword and its corresponding number can be bgp (179), chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80).
  • If a number is used, the number is an integer ranging from 0 to 65535.
dst-end-tcp-port-enum

Specifies a TCP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is TCP, the keyword and its corresponding number can be bgp (179), chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), or www (80).
  • If a number is used, the number is an integer ranging from 0 to 65535.
udp

User Datagram Protocol (17).

-

17

Protocol number.

The value is 17.

src-begin-udp-port-enum

Specifies a UDP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is UDP, the keyword and its corresponding number can be biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177).
  • If a number is used, the number is an integer ranging from 0 to 65535.
src-end-udp-port-enum

Specifies a UDP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is UDP, the keyword and its corresponding number can be biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177).
  • If a number is used, the number is an integer ranging from 0 to 65535.
dst-begin-udp-port-enum

Specifies a UDP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is UDP, the keyword and its corresponding number can be biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177).
  • If a number is used, the number is an integer ranging from 0 to 65535.
dst-end-udp-port-enum

Specifies a UDP port number.

The value can be a keyword or number.

  • The available keyword options are as follows: When protocol is UDP, the keyword and its corresponding number can be biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), or xdmcp (177).
  • If a number is used, the number is an integer ranging from 0 to 65535.
icmpv6

Internet Control Message Protocol (58).

-

58

Protocol number.

The value is 58.

icmp6-type

Specifies the type of an ICMPv6 message.

The value is an integer ranging from 0 to 255.

icmp6-code

Specifies the code of an ICMPv6 message.

The value is an integer ranging from 0 to 255.

icmp6-type-name

Specifies the name of an ICMPv6 message.

The value is an enumerated type. You can select a value according to the prompt information after entering a question mark (?).

Views

UCL6 view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After a user ACL6 has been created, run the rule command to add rules to the user ACL6.

Prerequisites

A basic ACL6 has been created using the acl ipv6 command in the system view.

A time range has been configured using the time-range command in the system view if you want to specify a validity period when creating a basic ACL6 rule.

Configuration Impact

When specifying an ACL6 rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

When an ACL6 rule ID is not specified and a rule is added, the system automatically allocates an ID to this rule. ACL6 rules are arranged in ascending order of rule IDs, with the difference between two adjacent rules as an ACL6 step.

The rule IDs automatically generated by the system start from the ACL6 step. For example, if the ACL6 step is 5, the rule ID starts from 5; if the ACL6 step is 2, the rule ID starts from 2. This allows you to add rules before the first rule.
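The following is an added example, not Huawei's code or the device's actual implementation: a small offline model of the behaviour described on this page, covering the eq/gt/lt/range port operators, address-plus-wildcard matching, and the automatic rule-ID allocation by ACL6 step discussed just above. It is useful for sanity-checking what a rule set will permit or deny before it is configured. Everything marked as an assumption in the comments is not stated on this page: the wildcard convention (1 bits are "don't care"), the exact auto-ID scheme (next multiple of the step above the highest existing ID), first-match evaluation in ascending ID order, and whole-rule replacement when an existing ID is re-entered (the page says only the conflicting part is overwritten, which this model simplifies). The sample rules and addresses are constructed.

```python
# Added example, not Huawei code: offline model of ACL6 rule numbering and matching.
# Assumptions (not stated on the page): wildcard 1-bits are "don't care"; an
# automatically numbered rule gets the next multiple of the step above the highest
# existing ID; evaluation is first match in ascending ID order; re-entering an
# existing ID replaces the whole rule.
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional

# Protocol keywords from the Format section mapped to their protocol numbers.
PROTO = {"ipv6": 0, "tcp": 6, "udp": 17, "icmpv6": 58,
         "gre": 47, "ipv6-esp": 50, "ipv6-ah": 51, "ospf": 89}
ALL_BITS = (1 << 128) - 1


def addr_matches(packet_addr: str, rule_addr: Optional[str], wildcard: Optional[str]) -> bool:
    """rule_addr None means 'any'. Otherwise every bit that is 0 in the wildcard
    must be identical between the packet address and the rule address (assumed convention)."""
    if rule_addr is None:
        return True
    care = ~int(IPv6Address(wildcard)) & ALL_BITS
    return (int(IPv6Address(packet_addr)) & care) == (int(IPv6Address(rule_addr)) & care)


def port_matches(port: int, spec: Optional[tuple]) -> bool:
    """spec is None (any port), ("eq"|"gt"|"lt", n) or ("range", low, high),
    mirroring the operator and range forms of source-port / destination-port."""
    if spec is None:
        return True
    if spec[0] == "eq":
        return port == spec[1]
    if spec[0] == "gt":
        return port > spec[1]
    if spec[0] == "lt":
        return port < spec[1]
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown port operator {spec[0]!r}")


@dataclass
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    protocol: int                     # 0 = any IPv6 protocol
    src: Optional[str] = None         # None = any
    src_wc: Optional[str] = None
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    dst_port: Optional[tuple] = None  # None = any port


class Acl6:
    def __init__(self, step: int = 5):
        self.step = step
        self.rules: dict[int, Rule] = {}

    def next_auto_id(self) -> int:
        """ID handed out when rule-id is omitted: the step itself for the first
        rule, then the next multiple of the step above the highest ID (assumed scheme)."""
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def rule(self, action: str, protocol: str, rule_id: Optional[int] = None, **match) -> int:
        rid = self.next_auto_id() if rule_id is None else rule_id
        self.rules[rid] = Rule(rid, action, PROTO[protocol], **match)
        return rid

    def undo_rule(self, rule_id: int) -> None:
        del self.rules[rule_id]

    def evaluate(self, src: str, dst: str, protocol: str, dst_port: Optional[int] = None) -> Optional[str]:
        """Action of the first matching rule in ascending ID order, or None when no
        rule matches (the page does not state a default action)."""
        proto = PROTO[protocol]
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if r.protocol not in (0, proto):
                continue
            if not addr_matches(src, r.src, r.src_wc) or not addr_matches(dst, r.dst, r.dst_wc):
                continue
            if r.dst_port is not None and (dst_port is None or not port_matches(dst_port, r.dst_port)):
                continue
            return r.action
        return None


def build_example() -> Acl6:
    """Constructed sample rule set using the 2001:db8::/32 documentation range."""
    acl = Acl6(step=5)
    # No rule-id given: allocated automatically as 5, then 10.
    acl.rule("deny", "tcp", dst="2001:db8::", dst_wc="0:0:ffff:ffff:ffff:ffff:ffff:ffff",
             dst_port=("eq", 23))
    acl.rule("permit", "ipv6")
    # An explicit ID below the step places a rule in front of the first automatic
    # rule, which is what the page means by "add rules before the first rule".
    acl.rule("permit", "tcp", rule_id=3, src="2001:db8:0:1::10", src_wc="::",
             dst_port=("eq", 23))
    return acl


if __name__ == "__main__":
    acl = build_example()
    print(sorted(acl.rules))                                            # [3, 5, 10]
    print(acl.evaluate("2001:db8:0:1::10", "2001:db8::5", "tcp", 23))  # permit
    print(acl.evaluate("2001:db8:0:1::11", "2001:db8::5", "tcp", 23))  # deny
```

Because rule 3 is evaluated before rule 5, the single permitted host reaches port 23 while every other source is denied; a UDP or ICMPv6 packet skips both TCP rules and falls through to the protocol-0 rule 10, and deleting rule 10 leaves such packets with no matching rule at all.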

Precautions

If auto is configured when you run the acl ipv6 command to create an ACL6, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL6 step as the start rule ID, and the subsequent rules are numbered by a step in ascending order.

If rule-id is not specified when you run the rule command to create an ACL6 rule, the system automatically assigns an ID to the rule. You can run the display acl ipv6 command to check the rule ID that was automatically assigned.

If name rule-name is not specified when you run the rule command to create an ACL6 rule, the system automatically generates a name for the rule in the format "rule" + "_" + rule ID, where the rule ID is the ID specified with the rule-id parameter or assigned automatically by the system. You can check the automatically generated name of an ACL6 rule through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl ipv6 command. Before deleting an ACL6 rule, run the display acl ipv6 command to check whether the ACL6 rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create a user ACL6 numbered 6999 and create a user ACL6 rule to prohibit the host with any source service group from sending IPv6 packets to a host with any destination user group.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 number 6999
[*HUAWEI-acl6-ucl-6999] rule deny ipv6 source service-group any destination user-group any
Copyright © Huawei Technologies Co., Ltd.