rule (IPv4 advanced ACL view)
Use rule to create or modify an IPv4 advanced ACL rule.
Use undo rule to delete an entire IPv4 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | { dscp | { precedence | tos } * } | fragment | icmp-type | logging | source | source-port | time-range ] *
Default
An IPv4 advanced ACL does not contain any rule.
Views
IPv4 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets to pass.
permit: Allows matching packets to pass.
protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmp (1), ip, ipinip (4), tcp (6), or udp (17). The ip keyword specifies all protocols. Table 7 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 7: Match criteria and other rule information for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { source-address source-wildcard | any } | Specifies a source address. | The source-address source-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
destination { dest-address dest-wildcard | any } | Specifies a destination address. | The dest-address dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
counting | Counts the number of times the IPv4 advanced ACL rule has been matched. | The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted. |
precedence precedence | Specifies an IP precedence value. | The precedence argument can be a number in the range of 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
tos tos | Specifies a ToS preference. | The tos argument can be a number in the range of 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
dscp dscp | Specifies a DSCP priority. | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
fragment | Applies the rule only to non-first fragments. | If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
logging | Logs matching packets. | This feature requires that the module (for example, packet filtering) that uses the ACL supports logging. |
time-range time-range-name | Specifies a time range for the rule. | The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide. |
If the protocol argument is tcp (6) or udp (7), set the parameters shown in Table 8.
Table 8: TCP/UDP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports. | |
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | Specifies one or more TCP flags including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set. |
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument is icmp (1), set the parameters shown in Table 9.
Table 9: ICMP-specific parameters for IPv4 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp-type { icmp-type icmp-code | icmp-message } | Specifies the ICMP message type and code. | The icmp-type argument is in the range of 0 to 255. The icmp-code argument is in the range of 0 to 255. The icmp-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 10. |
Table 10: ICMP message names supported in IPv4 advanced ACL rules
ICMP message name | ICMP message type | ICMP message code |
---|---|---|
echo | 8 | 0 |
echo-reply | 0 | 0 |
fragmentneed-DFset | 3 | 4 |
host-redirect | 5 | 1 |
host-tos-redirect | 5 | 3 |
host-unreachable | 3 | 1 |
information-reply | 16 | 0 |
information-request | 15 | 0 |
net-redirect | 5 | 0 |
net-tos-redirect | 5 | 2 |
net-unreachable | 3 | 0 |
parameter-problem | 12 | 0 |
port-unreachable | 3 | 3 |
protocol-unreachable | 3 | 2 |
reassembly-timeout | 11 | 1 |
source-quench | 4 | 0 |
source-route-failed | 3 | 5 |
timestamp-reply | 14 | 0 |
timestamp-request | 13 | 0 |
ttl-exceeded | 11 | 0 |
Usage guidelines
Rules within an ACL must use unique IDs. When you create a new rule, assign it an ID that is not in use. You can modify an existing rule by creating a new rule with the same ID. The system modifies the existing rule by adding new attributes from the new rule to the existing rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or modifying has the same deny or permit statement as another rule in the ACL, the rule will not be created or modified.
If an ACL is for QoS traffic classification or packet filtering, do not specify neq for the operator argument.
You can edit ACL rules only when the match order is config.
The undo rule command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
Use the display acl all command to view the rules in Ethernet frame header, IPv4 advanced, and IPv4 basic ACLs.
Examples
# Create an IPv4 advanced ACL rule to permit TCP packets with the destination port 80 from 129.9.0.0/16 to 202.38.160.0/24.
<Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80
# Create IPv4 advanced ACL rules to permit all IP packets but the ICMP packets destined for 192.168.1.0/24.
<Sysname> system-view [Sysname] acl number 3001 [Sysname-acl-adv-3001] rule deny icmp destination 192.168.1.0 0.0.0.255 [Sysname-acl-adv-3001] rule permit ip
# Create IPv4 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view [Sysname] acl number 3002 [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv4 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view [Sysname] acl number 3003 [Sysname-acl-adv-3003] rule permit udp source-port eq snmp [Sysname-acl-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl-adv-3003] rule permit udp destination-port eq snmptrap
Related commands
acl
acl logging interval
display acl
step
time-range