rule (IPv6 advanced ACL view)
Use rule to create or modify an IPv6 advanced ACL rule.
Use undo rule to delete an entire IPv6 advanced ACL rule or some attributes in the rule.
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | routing | hop-by-hop | source | source-port | time-range ] *
Default
An IPv6 advanced ACL does not contain any rule.
Views
IPv6 advanced ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets to pass.
permit: Allows matching packets to pass.
protocol: Specifies a protocol number in the range of 0 to 255, or specifies a protocol by its name, gre (47), icmpv6 (58), ipv6, ipv6-ah (51), ipv6-esp (50), tcp (6), or udp (17). The ipv6 keyword specifies all protocols.
You can set the protocol argument to one of the values in Table 11 to match packets with the corresponding IPv6 extended header.
Table 11: Protocol values of IPv6 extended headers
Value of the protocol argument | IPv6 extended header |
---|---|
0 | Hop-by-Hop Options Header. |
43 | Routing Header. |
44 | Fragment Header. |
50 | Encapsulating Security Payload Header. |
51 | Authentication Header. |
60 | Destination Options Header. |
Table 12 describes the parameters that you can specify regardless of the value for the protocol argument.
Table 12: Match criteria and other rule information for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source { source-address source-prefix | source-address/source-prefix | any } | Specifies a source IPv6 address. | The source-address and source-prefix arguments represent an IPv6 source address, and prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address. |
destination { dest-address dest-prefix | dest-address/dest-prefix | any } | Specifies a destination IPv6 address. | The dest-address and dest-prefix arguments represent a destination IPv6 address, and prefix length in the range of 1 to 128. The any keyword specifies any IPv6 destination address. |
counting | Counts the number of times the IPv6 advanced ACL rule has been matched. | The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted. |
dscp dscp | Specifies a DSCP preference. | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
flow-label flow-label-value | Specifies a flow label value in an IPv6 packet header. | The flow-label-value argument is in the range of 0 to 1048575. |
fragment | Applies the rule only to non-first fragments. | If you do not specify this keyword, the rule applies to all fragments and non-fragments. |
logging | Logs matching packets. | This feature requires that the module (for example, packet filtering) that uses the ACL supports logging. |
routing [ type routing-type ] | Specifies an IPv6 routing header type. | routing-type: Value of the IPv6 routing header type, in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of IPv6 routing header. Otherwise, the rule applies to all types of IPv6 routing header. |
hop-by-hop [ type hop-type ] | Specifies an IPv6 Hop-by-Hop Options header type. | hop-type: Value of the IPv6 Hop-by-Hop Options header type, in the range of 0 to 255. If you specify the type hop-type option, the rule applies to the specified type of IPv6 Hop-by-Hop Options header. Otherwise, the rule applies to all types of IPv6 Hop-by-Hop Options header. |
time-range time-range-name | Specifies a time range for the rule. | The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide. |
If the protocol argument is tcp (6) or udp (17), set the parameters shown in Table 13.
Table 13: TCP/UDP-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports. | The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range). The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range. TCP port numbers can be represented as: chargen (19), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80). UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177). |
destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports. | |
{ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | Specifies one or more TCP flags, including ACK, FIN, PSH, RST, SYN, and URG. | Parameters specific to TCP. The value for each argument can be 0 (flag bit not set) or 1 (flag bit set). The TCP flags in a rule are ANDed. For example, a rule configured with ack 0 psh 1 matches packets that have the ACK flag bit not set and the PSH flag bit set. |
established | Specifies the flags for indicating the established status of a TCP connection. | Parameter specific to TCP. The rule matches TCP connection packets with the ACK or RST flag bit set. |
If the protocol argument is icmpv6 (58), set the parameters shown in Table 14.
Table 14: ICMPv6-specific parameters for IPv6 advanced ACL rules
Parameters | Function | Description |
---|---|---|
icmp6-type { icmp6-type icmp6-code | icmp6-message } | Specifies the ICMPv6 message type and code. | The icmp6-type argument is in the range of 0 to 255. The icmp6-code argument is in the range of 0 to 255. The icmp6-message argument specifies a message name. Supported ICMP message names and their corresponding type and code values are listed in Table 15. |
Table 15: ICMPv6 message names supported in IPv6 advanced ACL rules
ICMPv6 message name | ICMPv6 message type | ICMPv6 message code |
---|---|---|
echo-reply | 129 | 0 |
echo-request | 128 | 0 |
err-Header-field | 4 | 0 |
frag-time-exceeded | 3 | 1 |
hop-limit-exceeded | 3 | 0 |
host-admin-prohib | 1 | 1 |
host-unreachable | 1 | 3 |
neighbor-advertisement | 136 | 0 |
neighbor-solicitation | 135 | 0 |
network-unreachable | 1 | 0 |
packet-too-big | 2 | 0 |
port-unreachable | 1 | 4 |
redirect | 137 | 0 |
router-advertisement | 134 | 0 |
router-solicitation | 133 | 0 |
unknown-ipv6-opt | 4 | 2 |
unknown-next-hdr | 4 | 1 |
Usage guidelines
Rules within an ACL must use unique IDs. When you create a new rule, assign it an ID that is not in use. You can modify an existing rule by creating a new rule with the same ID. The system modifies the existing rule by adding new attributes from the new rule to the existing rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or modifying has the same deny or permit statement as another rule in the ACL, the rule will not be created or modified.
If an ACL is for QoS traffic classification or packet filtering:
Do not specify the fragment keyword.
Do not specify neq for the operator argument.
Do not specify the routing, hop-by-hop, or flow-label keyword if the ACL is for outbound application.
Do not specify ipv6-ah for the protocol argument, nor set its value to 0, 43, 44, 51, or 60, if the ACL is for outbound application.
If an ACL is to match information in the IPv6 packet payload, it can only match packets with one extension header. It cannot match packets with two or more extension headers or with the Encapsulating Security Payload Header.
You can edit ACL rules only when the match order is config.
The undo rule command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.
Use the display acl ipv6 all command to view the rules in IPv6 advanced and basic ACLs.
Examples
# Create an IPv6 advanced ACL rule to permit TCP packets with the destination port 80 from 2030:5060::/64 to FE80:5060::/96.
<Sysname> system-view [Sysname] acl ipv6 number 3000 [Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::/64 destination fe80:5060::/96 destination-port eq 80
# Create IPv6 advanced ACL rules to permit all IPv6 packets but the ICMPv6 packets destined for FE80:5060:1001::/48.
<Sysname> system-view [Sysname] acl ipv6 number 3001 [Sysname-acl6-adv-3001] rule deny icmpv6 destination fe80:5060:1001:: 48 [Sysname-acl6-adv-3001] rule permit ipv6
# Create IPv6 advanced ACL rules to permit inbound and outbound FTP packets.
<Sysname> system-view [Sysname] acl ipv6 number 3002 [Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp [Sysname-acl6-adv-3002] rule permit tcp source-port eq ftp-data [Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp [Sysname-acl6-adv-3002] rule permit tcp destination-port eq ftp-data
# Create IPv6 advanced ACL rules to permit inbound and outbound SNMP and SNMP trap packets.
<Sysname> system-view [Sysname] acl ipv6 number 3003 [Sysname-acl6-adv-3003] rule permit udp source-port eq snmp [Sysname-acl6-adv-3003] rule permit udp source-port eq snmptrap [Sysname-acl6-adv-3003] rule permit udp destination-port eq snmp [Sysname-acl6-adv-3003] rule permit udp destination-port eq snmptrap
# Create IPv6 advanced ACL 3004, and configure two rules: one permits packets with the Hop-by-Hop Options header type as 5, and the other one denies packets with other Hop-by-Hop Options header types.
<Sysname> system-view [Sysname] acl ipv6 number 3004 [Sysname-acl6-adv-3004] rule permit ipv6 hop-by-hop type 5 [Sysname-acl6-adv-3004] rule deny ipv6 hop-by-hop
Related commands
acl
acl logging interval
display acl
step
time-range