Configuring a User ACL Rule

Packets can be matched based on the source/destination IP address, source/destination service group, source/destination user group, source/destination port number, and protocol type.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl { name ucl-acl-name [ ucl | [ ucl ] number ucl-acl-number ] | [ number ] ucl-acl-number } [ match-order { auto | config } ]

    The user ACL view is displayed.

  3. Run any of the following commands to create an ACL rule:

    When an ACL is applied to the traffic classifier of a global traffic policy, user-group must be specified for each rule in the ACL. Otherwise, the ACL cannot take effect.

    • Create a user ACL rule when the protocol is UDP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | [ logging ] | vlan vlan-id | inner-vlan cvlan-id ] *

    • Create a user ACL rule when the protocol is TCP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | syn-flag { syn-flag [ mask mask-value ] | { bit-match { established | fin | syn | rst | psh | ack | urg | ece | crw | ns } } } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | [ logging ] | vlan vlan-id | inner-vlan cvlan-id ] *

    • Create a user ACL rule when the protocol is ICMP.

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | icmp-type { icmp-name | icmp-type icmp-code } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | [ logging ] | vlan vlan-id | inner-vlan cvlan-id ] *

    • Create a user ACL rule when the protocol is any protocol other than TCP, UDP, or ICMP.

    Adding new rules to an ACL will not affect the existing rules.

    When an existing rule is edited and the edited contents conflict with the original contents, the edited contents take effect.

  4. (Optional) Run rule rule-id description destext

    The description for an ACL rule is configured.

    The description of an ACL rule can state what the rule is for. Configuring a description for each ACL rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACLs are configured, and their functions are difficult to identify.
    • An ACL is used only at long intervals, and its function may be forgotten.

  5. Run commit

    The configuration is committed.
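    The procedure above as one complete configuration session, added here as an illustration; it is not taken from the original page. The ACL name and number (ucl-staff-web, 6001), the user-group names staff and guests, the addresses, the rule descriptions and the view prompts are constructed for the example. The eq port operator, the echo ICMP name and the display acl verification command are standard Huawei CLI elements that this page does not itself show. Every rule carries a user-group so that the ACL can be referenced from the traffic classifier of a global traffic policy, as the note under step 3 requires.

```text
<HUAWEI> system-view
[~HUAWEI] acl name ucl-staff-web ucl number 6001 match-order config
[~HUAWEI-acl-ucl-staff-web] rule 5 permit tcp source user-group staff destination ip-address 10.1.1.10 0 destination-port eq 443
[~HUAWEI-acl-ucl-staff-web] rule 5 description Staff HTTPS to intranet web server
[~HUAWEI-acl-ucl-staff-web] rule 10 permit udp source user-group staff destination ip-address 10.1.1.53 0 destination-port eq 53
[~HUAWEI-acl-ucl-staff-web] rule 10 description Staff DNS to internal resolver
[~HUAWEI-acl-ucl-staff-web] rule 15 permit icmp source user-group staff destination any icmp-type echo
[~HUAWEI-acl-ucl-staff-web] rule 15 description Staff ping for troubleshooting
[~HUAWEI-acl-ucl-staff-web] rule 20 deny tcp source user-group guests destination ip-address 10.1.1.0 0.0.0.255 logging
[~HUAWEI-acl-ucl-staff-web] rule 20 description Log and drop guest TCP toward the server subnet
[~HUAWEI-acl-ucl-staff-web] commit
[~HUAWEI-acl-ucl-staff-web] display acl name ucl-staff-web
```

    With match-order config, rules are evaluated in the order of their rule IDs, so the numbering above (5, 10, 15, 20) leaves room to insert a rule between existing ones later without renumbering; per the note under step 3, adding such a rule does not affect the rules already present. The logging keyword on the deny rule gives the operations team a record of blocked guest connections, which is the usual way to confirm that a user ACL is matching the intended traffic after it is committed.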

Copyright © Huawei Technologies Co., Ltd.