rule (IPv4 advanced ACL view)
Use rule to create or edit an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range | vpn-instance ] *
Default
An IPv4 advanced ACL does not contain any rule.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
mdc-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
A protocol number in the range of 0 to 255.
A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
Table 8 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 8: Match criteria and other rule information for IPv4 advanced ACL rules
Parameters | Function | Description |
|---|---|---|
source { source-address source-wildcard | any } | Specifies a source address. | The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
destination { dest-address dest-wildcard | any } | Specifies a destination address. | The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
counting | Counts the number of times the IPv4 advanced ACL rule has been matched. | The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted. |
precedence precedence | Specifies an IP precedence value. | The precedence argument can be a number in the range of 0 to 7, or in words: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
tos tos | Specifies a ToS preference. | The tos argument can be a number in the range of 0 to 15, or in words: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). If the ACL is used on an EB, or FD card in basic ACL hardware mode, this option (even if specified,) does not take effect for outbound application. |
dscp dscp | Specifies a DSCP priority. | The dscp argument can be a number in the range of 0 to 63, or in words: af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
fragment | Applies the rule to only fragments. | Without this keyword, the rule applies to all fragments and non-fragments. |
logging | Logs matching packets. | This function requires that the module (for example, packet filtering) that uses the ACL supports logging. |
time-range time-range-name | Specifies a time range for the rule. | The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide. |
vpn-instance vpn-instance-name | Applies the rule to a VPN instance. | The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to all packets. On a PE or MCE, rules with this option do not apply to packets received from a VPN site. For more information about PE and MCE, see MPLS Configuration Guide. If the ACL is used on an EB, or FD card in basic ACL hardware mode, this option (even if specified,) does not take effect. |
![[IMPORTANT: ]](images/important.png) | IMPORTANT: If the dscp keyword is specified together with precendence or tos, the precendence or tos configuration does not take effect. | |
If the protocol argument is tcp (6) or udp (7), set the parameters shown in Table 9.
Table 9: TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
|---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports. | |
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. A rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set. |
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument is icmp (1), set the parameters shown in Table 10.
Table 10: ICMP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
|---|---|---|
icmp-type { icmp-type icmp-code | icmp-message } | Specifies the ICMP message type and code. | The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 11. |
Table 11: ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code |
|---|---|---|
echo | 8 | 0 |
echo-reply | 0 | 0 |
fragmentneed-DFset | 3 | 4 |
host-redirect | 5 | 1 |
host-tos-redirect | 5 | 3 |
host-unreachable | 3 | 1 |
information-reply | 16 | 0 |
information-request | 15 | 0 |
net-redirect | 5 | 0 |
net-tos-redirect | 5 | 2 |
net-unreachable | 3 | 0 |
parameter-problem | 12 | 0 |
port-unreachable | 3 | 3 |
protocol-unreachable | 3 | 2 |
reassembly-timeout | 11 | 1 |
source-quench | 4 | 0 |
source-route-failed | 3 | 5 |
timestamp-reply | 14 | 0 |
timestamp-request | 13 | 0 |
ttl-exceeded | 11 | 0 |
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.
You can edit ACL rules only when the match order is config.
If no optional keywords are provided for the undo rule command, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.
To view rules in an ACL and their rule IDs, use the display acl all command.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255 [Sysname-acl-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view [Sysname] acl number 3002 [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view [Sysname] acl number 3003 [Sysname-acl-adv-3003] rule permit udp source-port eq snmp [Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
acl
acl logging interval
display acl
step
time-range