rule (MPLS ACL view)

Function

The rule command creates or modifies an ACL rule in the MPLS-based ACL view.

The undo rule command deletes an ACL rule in the MPLS-based ACL view.

By default, no MPLS-based ACL rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } [ [ exp { exp-value | any } &<1-4> ] | [ label { label-value | any } &<1-4> ] | [ ttl { { lt | eq | gt } ttlBegin | range ttlBegin ttlEnd | any } &<1-3> ] ] *

undo rule rule-id { exp | label | ttl } *

undo rule [ name rule-name ] { permit | deny } [ [ exp { exp-value | any } &<1-4> ] | [ label { label-value | any } &<1-4> ] | [ ttl { { lt | eq | gt } ttlBegin | range ttlBegin ttlEnd | any } &<1-3> ] ] *

Parameters

| Parameter | Description | Value |
|---|---|---|
| rule-id | Specifies the ID of an ACL rule. | The value is an integer ranging from 0 to 4294967294. |
| name rule-name | Specifies the name of an ACL rule. | The value is a string of 1 to 32 case-sensitive characters. It cannot begin with an underscore (_) and cannot contain spaces. |
| permit | Permits packets that match conditions. | - |
| deny | Denies packets that match conditions. | - |
| exp | Matches packets based on the EXP values in MPLS packets. The system can match MPLS packets based on the EXP value in one to four labels. If exp is not configured, MPLS packets with any EXP value are matched. | - |
| exp-value | Specifies an EXP value for MPLS packets. | The value is an integer ranging from 0 to 7. |
| any | Indicates that MPLS packets with any EXP value are matched. | - |
| label | Matches packets based on the label values in MPLS packets. The system can match MPLS packets based on the label value in one to four labels. If label is not configured, MPLS packets with any label value are matched. | - |
| label-value | Specifies a label value for MPLS packets. | The value is an integer ranging from 0 to 1048575. |
| ttl | Matches packets based on the TTL values in MPLS packets. The system can match MPLS packets based on the TTL value in one to three labels. If ttl is not configured, MPLS packets with any TTL value are matched. | - |
| lt | Indicates that MPLS packets with TTL values less than the specified TTL value are matched. | - |
| eq | Indicates that MPLS packets with TTL values equal to the specified TTL value are matched. | - |
| gt | Indicates that MPLS packets with TTL values greater than the specified TTL value are matched. | - |
| range ttlBegin ttlEnd | Specifies a TTL value for MPLS packets. | The value is an integer ranging from 0 to 255. |
| undo | Cancels the current setting. | - |
| rule | Specifies an ACL rule. | - |

Views

MPLS ACL view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| acl | write |

Usage Guidelines

Usage Scenario

After an MPLS-based ACL is created, run the rule command to add rules to the ACL.

Prerequisites

An MPLS-based ACL has been created using the acl command in the system view.

Configuration Impact

When specifying an ACL rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

When a rule is added without a rule ID, the system automatically allocates an ID to the rule. ACL rules are arranged in ascending order of rule IDs, and the difference between the IDs of two adjacent rules is the ACL increment.

The rule IDs automatically generated by the system start from the ACL increment. For example, if the ACL increment is 5, the rule ID starts from 5; if the ACL increment is 2, the rule ID starts from 2. This allows you to add rules before the first rule.

Precautions

&<1-4> in the command indicates that MPLS packets can be matched based on one to four labels. For example, in the rule 10 permit exp 4 5 6 7 command, 4 is the EXP value in the outer MPLS header closest to the Layer 2 frame header, and 7 is the EXP value in the inner MPLS header closest to the IP header.

If the packet has only two MPLS labels, use the rule 10 permit exp 6 5 command or the rule 10 permit exp 6 5 any any command. If the packet has only two labels and you want to filter the packet based on the inner label, use the rule 10 permit exp any 5 command or the rule 10 permit exp any 5 any any command.

NOTE: The system can match MPLS packets based on the TTL values in a maximum of three outer MPLS headers.
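The positional matching described above, modelled as an added Python example (not Huawei code and not part of the original page): it decodes a label stack in the standard 4-byte entry layout and checks the exp and label positions of a rule against it. The function names, the constructed sample packet, and the treatment of a numeric position with no corresponding header as a non-match are assumptions; ttl matching is left out.

```python
import struct

LIMITS = {"exp": 7, "label": 1048575}  # value ranges from the parameter table

def parse_label_stack(data):
    """Decode 4-byte MPLS label stack entries, outermost first, up to the S bit."""
    stack = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from("!I", data, off)
        stack.append({"label": word >> 12, "exp": (word >> 9) & 7, "ttl": word & 0xFF})
        if word & 0x100:  # bottom-of-stack: this is the innermost header
            return stack
    raise ValueError("no bottom-of-stack entry")

def parse_rule(text):
    """Parse 'rule [id] {permit|deny} [exp ...] [label ...]' into (id, action, fields)."""
    tok = text.split()
    if len(tok) < 2 or tok[0] != "rule":
        raise ValueError("not a rule command")
    rule_id = int(tok.pop(1)) if tok[1].isdigit() else None
    if len(tok) < 2 or tok[1] not in ("permit", "deny"):
        raise ValueError("expected permit or deny")
    action, fields, i = tok[1], {}, 2
    while i < len(tok):
        key = tok[i]
        if key not in LIMITS:
            raise ValueError(f"unsupported keyword {key!r}")
        i, values = i + 1, []
        while i < len(tok) and tok[i] not in LIMITS:
            value = None if tok[i] == "any" else int(tok[i])  # None = wildcard
            if value is not None and not 0 <= value <= LIMITS[key]:
                raise ValueError(f"{key} value {value} out of range")
            values.append(value)
            i += 1
        if not 1 <= len(values) <= 4:  # the &<1-4> repetition limit
            raise ValueError(f"{key} takes one to four values")
        fields[key] = values
    return rule_id, action, fields

def rule_matches(fields, stack):
    """Position 0 is the outer header; 'any' also accepts a missing header (assumed)."""
    for key, wanted in fields.items():
        for pos, want in enumerate(wanted):
            if want is not None and (pos >= len(stack) or stack[pos][key] != want):
                return False
    return True

def entry(label, exp, bottom, ttl):
    """Pack one label stack entry (helper for building the constructed sample)."""
    return struct.pack("!I", label << 12 | exp << 9 | bottom << 8 | ttl)

# Constructed two-label packet: outer (label 1000, EXP 6), inner (label 2000, EXP 5).
SAMPLE = entry(1000, 6, 0, 64) + entry(2000, 5, 1, 63)
```

Running a proposed rule through rule_matches against a captured label stack before applying it shows whether a value such as 5 in exp any 5 lands on the inner header rather than the outer one.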

If rule-id is not specified when you run the rule command to create an ACL rule, the system automatically assigns an ID to the ACL rule. You can run the display acl command to check the rule ID automatically assigned to the ACL rule.

If name rule-name is not specified when you run the rule command to create an ACL rule, the system automatically generates a name for the ACL rule in the format of "rule"+"_"+rule ID. Rule ID is the ID of an ACL rule that can be specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL rule through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl command.

Before deleting an ACL rule, run the display acl command to check whether the ACL rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create an MPLS-based ACL numbered 10999 and add a rule to ACL 10999 to match packets with the EXP value 5 in the inner MPLS header.
<HUAWEI> system-view
[~HUAWEI] acl number 10999
[*HUAWEI-acl-mpls-10999] rule 10 permit exp any 5
Copyright © Huawei Technologies Co., Ltd.