Configuring a User ACL6 Rule

User ACL6s match packets based on the source/destination IPv6 address, source/destination service group, source/destination user group, source/destination port number, and protocol type.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl ipv6 { name ucl-acl6-name ucl | number ucl-acl6-number } [ match-order { auto | config } ]

    The user ACL6 view is displayed.

  3. Run any of the following commands to create a user ACL6 rule:

    • When protocol is specified as UDP, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment | traffic-class traffic-class | time-range time-name | logging ] *

    • When protocol is specified as TCP, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment | traffic-class traffic-class | time-range time-name | logging ] *

    • When protocol is specified as ICMPv6, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | icmp6-type { icmp6-type-name | icmp6-type icmp6-code } | fragment | traffic-class traffic-class | time-range time-name | logging ] *

    • When protocol is specified as a protocol other than TCP, UDP, and ICMPv6, run:

      rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ipv6-esp | ipv6 | ipv6-ah | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | fragment | traffic-class traffic-class | time-range time-name | logging ] *

    Adding new rules to an ACL6 will not affect the existing rules.

    When an existing rule is edited and the new contents conflict with the original contents, the new contents take effect.

  4. (Optional) Run rule rule-id description destext

    The description for an ACL6 rule is configured.

    The description of an ACL6 rule can state what the rule is for. Configuring a description for each ACL6 rule is recommended to prevent misuse of the rule in the following situations:
    • A large number of ACL6s are configured, and their functions are difficult to identify.
    • An ACL6 is used only at long intervals, and its function may have been forgotten.

  5. Run commit

    The configuration is committed.
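A worked configuration built from the commands in the procedure above, added here as an example and not taken from the original documentation: it restricts an assumed user group named guests to DNS, HTTPS and ICMPv6 echo requests, logs any attempt from that group to reach an assumed internal prefix 2001:db8:10::/48 (a documentation prefix), and ends with a catch-all deny. The ACL name, rule IDs, user-group name and the eq port operator are assumptions; with match-order config the rules are evaluated in the order they were configured, so the permits must come before the denies, and each rule carries the description that step 4 recommends.

```text
system-view
acl ipv6 name UCL6-GUEST ucl match-order config
 rule 5 permit udp source user-group guests destination any destination-port eq 53
 rule 5 description Guest DNS lookups
 rule 10 permit tcp source user-group guests destination any destination-port eq 443
 rule 10 description Guest HTTPS only
 rule 15 permit icmpv6 source user-group guests destination any icmp6-type 128 0
 rule 15 description Guest ICMPv6 echo request (type 128, code 0)
 rule 20 deny ipv6 source user-group guests destination ipv6-address 2001:db8:10::/48 logging
 rule 20 description Block guests from the internal prefix and log hits
 rule 25 deny ipv6 source user-group guests destination any
 rule 25 description Catch-all deny for guests
commit
```

The logging keyword on rule 20 is what turns a blocked access attempt into an auditable event, so keep it on the deny rules that guard sensitive prefixes rather than on the high-volume permits.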

Copyright © Huawei Technologies Co., Ltd.