rule (Ethernet frame header ACL view)

Use rule to create or edit an Ethernet frame header ACL rule.

Use undo rule to delete an Ethernet frame header ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

undo rule rule-id [ counting | time-range ] *

Default

An Ethernet frame header ACL does not contain any rule.

Views

Ethernet frame header ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is specified when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

cos vlan-pri: Matches an 802.1p priority. The vlan-pri argument can be a number in the range of 0 to 7, or in words, best-effort (0), background (1), spare (2), excellent-effort (3), controlled-load (4), video (5), voice (6), or network-management (7).

counting: Counts the number of times the Ethernet frame header ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

dest-mac dest-address dest-mask: Matches a destination MAC address range. The dest-address and dest-mask arguments represent a destination MAC address and mask in the H-H-H format.

lsap lsap-type lsap-type-mask: Matches the DSAP and SSAP fields in LLC encapsulation. The lsap-type argument is a 16-bit hexadecimal number that represents the encapsulation format. The lsap-type-mask argument is a 16-bit hexadecimal number that represents the LSAP mask. This option is not supported in the current software version. It is reversed for future support.

type protocol-type protocol-type-mask: Matches one or more protocols in the Ethernet frame header. The protocol-type argument is a 16-bit hexadecimal number that represents a protocol type in Ethernet_II and Ethernet_SNAP frames. The protocol-type-mask argument is a 16-bit hexadecimal number that represents a protocol type mask. To match ARP packets, IPv4 packets, and IPv6 packets, set the protocol-type protocol-type-mask argument to 0x0806 0xFFFF, 0x0800 0xFFFF, and 0x86DD 0xFFFF. On an EB/FD card that operates in basic ACL hardware mode, the protocol-type protocol-type-mask argument cannot be set to 0x86DD 0xFFFF, which matches IPv6 packets.

source-mac source-address source-mask: Matches a source MAC address range. The source-address argument represents a source MAC address, and the sour-mask argument represents a mask in the H-H-H format.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.

You can edit ACL rules only when the match order is config.

• If no optional keywords are provided for the undo rule command, you delete the entire rule.

• If optional keywords or arguments are provided, you delete the specified attributes.

On an EB, or FD card that is in basic ACL hardware mode:

• An Ethernet frame header ACL does not take effect on IPv4 packets.

• An Ethernet frame header ACL does not match ARP packets by the source MAC address and the destination MAC address.

• If an Ethernet frame header ACL is for packet filtering, the ACL matches IPv6 packets by only the destination MAC address (for incoming packets only) and 802.1p priority.

• If an Ethernet frame header ACL is for other applications, the ACL matches IPv6 packets by only the source MAC address (for incoming packets only), destination MAC address (for incoming packets only) and 802.1p priority.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in Ethernet frame header ACL 4000 to permit ARP packets and deny RARP packets.

<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule permit type 0806 ffff
[Sysname-acl-ethernetframe-4000] rule deny type 8035 ffff

Related commands

• acl

• display acl

• step

• time-range