
acl (user interface view)

Function

The acl command restricts the incoming and outgoing calls on a user interface that provides various services.

The undo acl command cancels the current settings.

Format

acl [ ipv6 ] acl-number { inbound | outbound }

undo acl [ ipv6 ] [ acl-number ] { inbound | outbound }

Parameters

Parameter: ipv6
    Description: Indicates that acl-number refers to an IPv6 address-based ACL.
    Value: -

Parameter: acl-number
    Description: Specifies the number of an access control list (ACL).
    Each ACL rule is set to permit or deny; that action determines whether the user interface allows or restricts the call-in or call-out that the rule matches.
    Value: The value is an integer and the range depends on the ACL type.
      • If the ACL type is basic, the value ranges from 2000 to 2999.
      • If the ACL type is advanced, the value ranges from 3000 to 3999.

Parameter: inbound
    Description: Restricts the call-in of the user interface. Specifically, the restriction action is taken on users with a specific source address or within a specific address range who try to log in to the FW.
    Value: -

Parameter: outbound
    Description: Restricts the call-out of the user interface. Specifically, the restriction action is taken on users who have logged in to the FW and try to log in to other FWs from it.
    Value: -

Views

User interface view

Default Level

3: Management level

Usage Guidelines

By default, there is no restriction on incoming and outgoing calls.

Configuration Impact

  • If the ACL is applied in the inbound direction:

    If the packets received by the local device match a rule in the ACL and the ACL rule is set to permit, other devices are allowed to access the local device.

    If the packets received by the local device match a rule in the ACL and the ACL rule is set to deny, other devices are denied access to the local device.

    If the packets received by the local device do not match any rule in the ACL, other devices are denied access to the local device.

  • If the ACL is applied in the outbound direction:

    If the packets received by the local device match a rule in the ACL and the ACL rule is set to permit, the local device is allowed to access other devices.

    If the packets received by the local device match a rule in the ACL and the ACL rule is set to deny, the local device is denied access to other devices.

    If the packets received by the local device do not match any rule in the ACL, the local device is denied access to other devices.

If you want to restrict a user and allow other users to log in, you need to configure a permit rule in the ACL. For example, if you want to restrict the login of only the user whose source IP address is 10.1.1.10, define two rules in the ACL:

rule deny source 10.1.1.10 0
rule permit source any

If rule permit source any is not defined, users whose source IP addresses are not 10.1.1.10 are also restricted.
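The evaluation order described under Configuration Impact (first matching rule decides, no match means deny) and the two-rule example above can be checked with a small model. The following Python code is an added example and is not Huawei's code; it models only basic ACL source matching, and the function names and the sample client addresses are assumptions made for the illustration. The rule syntax (`rule permit|deny source <address> <wildcard>` and `source any`) is the one shown on this page.

```python
# Added example (not Huawei's code): a model of how a user-interface ACL
# decides a login attempt. Rules are evaluated in order, the first match
# decides, and an attempt that matches no rule is denied, as stated under
# Configuration Impact. Function names and sample addresses are assumptions.
import ipaddress
from typing import Dict, List, Optional, Tuple


def _wildcard_to_int(text: str) -> int:
    """Huawei wildcard masks set a bit to 1 for 'don't care'; '0' is an exact host."""
    if text == "0":
        return 0
    return int(ipaddress.IPv4Address(text))


def parse_rule(line: str) -> Tuple[str, Optional[int], int]:
    """Parse 'rule <permit|deny> source <address> <wildcard>' or '... source any'.

    Returns (action, address, wildcard); address is None for 'any'.
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] != "rule" or parts[2] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    action = parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    if parts[3] == "any":
        return action, None, 0
    if len(parts) != 5:
        raise ValueError(f"expected '<address> <wildcard>' in rule: {line!r}")
    return action, int(ipaddress.IPv4Address(parts[3])), _wildcard_to_int(parts[4])


def evaluate(rules: List[str], source_ip: str) -> str:
    """Return 'permit' or 'deny' for a login attempt coming from source_ip."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for rule in rules:
        action, address, wildcard = parse_rule(rule)
        # Bits set in the wildcard are ignored; the remaining bits must be equal.
        if address is None or (ip | wildcard) == (address | wildcard):
            return action
    return "deny"  # no rule matched: the user interface denies the access


def login_outcomes(rules: List[str], clients: List[str]) -> Dict[str, str]:
    """Evaluate every client address against the ACL and collect the results."""
    return {client: evaluate(rules, client) for client in clients}


# The two ACLs discussed on this page: with and without the final permit rule.
ACL_WITH_PERMIT = ["rule deny source 10.1.1.10 0", "rule permit source any"]
ACL_WITHOUT_PERMIT = ["rule deny source 10.1.1.10 0"]
# Restricting a whole address range instead of a single host (wildcard 0.0.0.255).
ACL_DENY_RANGE = ["rule deny source 10.1.1.0 0.0.0.255", "rule permit source any"]

# Constructed sample login sources for the demonstration.
SAMPLE_CLIENTS = ["10.1.1.10", "10.1.1.20", "192.0.2.7"]

if __name__ == "__main__":
    for name, acl in (("with permit any", ACL_WITH_PERMIT),
                      ("without permit any", ACL_WITHOUT_PERMIT),
                      ("deny 10.1.1.0/24", ACL_DENY_RANGE)):
        print(name, login_outcomes(acl, SAMPLE_CLIENTS))
```

Running the block shows that with `rule permit source any` only 10.1.1.10 is refused, whereas without it every address is refused, because the page's no-match behaviour is deny; the third ACL shows the same mechanism applied to an address range.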

Precautions

  • If no rule is configured for the referenced ACL or the referenced ACL does not exist, the system does not restrict outgoing calls from the user interface after you run this command.
  • Only one ACL of the same type can be configured for a user interface. Otherwise, a conflict occurs. That is, for IPv4 inbound, IPv4 outbound, IPv6 inbound, and IPv6 outbound, only one ACL can be configured for each type.
  • If the device interface connected to the login user has a VPN instance bound, the ACL configured to restrict incoming and outgoing calls on user interfaces must be bound to the same VPN instance for the ACL to take effect.
  • After the configurations of this ACL take effect, all users in the user interface are under the restriction of this ACL.

Example

# Restrict Telnet outgoing calls on the user interface VTY0.

<sysname> system-view
[sysname] user-interface vty 0
[sysname-ui-vty0] acl 2000 outbound

# Remove the restriction on Telnet outgoing calls on the user interface VTY0.

<sysname> system-view
[sysname] user-interface vty 0
[sysname-ui-vty0] undo acl outbound
Copyright © Huawei Technologies Co., Ltd.