rule (IPv4 basic ACL view)

Use rule to create or edit an IPv4 basic ACL rule.

Use undo rule to delete an entire IPv4 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *

Default

An IPv4 basic ACL does not contain any rule.

Views

IPv4 basic ACL view

Predefined user roles

network-admin

mdc-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If no rule ID is provided when you create an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv4 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to fragments. A rule without this keyword applies to both fragments and non-fragments.

logging: Logs matching packets. This function is available only when the application module (for example, packet filtering) that uses the ACL supports the logging function.

source { source-address source-wildcard | any }: Matches a source address. The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

vpn-instance vpn-instance-name: Applies the rule to a VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies to all packets. On a PE or MCE, rules with this option do not apply to packets received from a VPN site. For more information about PE and MCE, see MPLS Configuration Guide. If the ACL is used on an EB, or FD card in basic ACL hardware mode, this option (even if specified,) does not take effect.

Usage guidelines

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt fails.

You can edit ACL rules only when the match order is config.

If no optional keywords are provided for the undo rule command, you delete the entire rule. If optional keywords or arguments are provided, you delete the specified attributes.

To view rules in an ACL and their rule IDs, use the display acl all command.

Examples

# Create a rule in IPv4 basic ACL 2000 to deny the packets from any source IP segment but 10.0.0.0/8, 172.17.0.0/16, or 192.168.1.0/24.

<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.0.0.0 0.255.255.255
[Sysname-acl-basic-2000] rule permit source 172.17.0.0 0.0.255.255
[Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Sysname-acl-basic-2000] rule deny source any

Related commands