[x]

ACL commands > rule (IPv6 basic ACL view)

 

 Next

rule (IPv6 basic ACL view)

Use rule to create or modify an IPv6 basic ACL rule.

Use undo rule to delete an entire IPv6 basic ACL rule or some attributes in the rule.

Syntax

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *

undo rule rule-id [ counting | fragment | logging | routing | source | time-range ] *

Default

An IPv6 basic ACL does not contain any rule.

Views

IPv6 basic ACL view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.

deny: Denies matching packets to pass.

permit: Allows matching packets to pass.

counting: Counts the number of times the IPv6 basic ACL rule has been matched. The counting keyword enables match counting specific to rules, and the hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in an ACL. If the counting keyword is not specified, matches for the rule are not counted.

fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule applies to both fragments and non-fragments.

logging: Logs matching packets. This feature is available only when the application module (for example, packet filtering) that uses the ACL supports logging.

routing [ type routing-type ]: Applies the rule to the specified type of routing header or all types of routing header. The routing-type argument specifies the value of the routing header type, which is in the range of 0 to 255. If you specify the type routing-type option, the rule applies to the specified type of routing header. Otherwise, the rule applies to any type of routing header.

source { source-address source-prefix | source-address/source-prefix | any }: Matches a source IP address. The ipv6-address and prefix-length arguments represent a source IPv6 address and address prefix length in the range of 1 to 128. The any keyword represents any IPv6 source address.

time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the timer range. For more information about time range, see ACL and QoS Configuration Guide.

Usage guidelines

Rules within an ACL must use unique IDs. When you create a new rule, assign it an ID that is not in use. You can modify an existing rule by creating a new rule with the same ID. The system modifies the existing rule by adding new attributes from the new rule to the existing rule.

Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or modifying has the same deny or permit statement as another rule in the ACL, the rule will not be created or modified.

If an ACL is for QoS traffic classification or packet filtering:

You can edit ACL rules only when the match order is config.

The undo rule command deletes the entire rule if you do not specify any optional parameters. It deletes the specified attributes if you specify optional parameters.

Use the display acl ipv6 all command to view the rules in IPv6 advanced and basic ACLs.

Examples

# Create an IPv6 basic ACL rule to deny the packets from any source IP segment but 1001::/16, 3124:1123::/32, or FE80:5060:1001::/48.

<Sysname> system-view
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule permit source 1001:: 16
[Sysname-acl6-basic-2000] rule permit source 3124:1123:: 32
[Sysname-acl6-basic-2000] rule permit source fe80:5060:1001:: 48
[Sysname-acl6-basic-2000] rule deny source any

Related commands

prev

 

up

 next

rule (IPv6 advanced ACL view) 

home

 rule comment

© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP