rule(IPv6 ACL)

Function

The rule command creates an IPv6 ACL rule.

The undo rule command deletes the configured IPv6 ACL rule.

Format

# Create or delete a rule in a basic IPv6 ACL.

rule [ rule-id ] { permit | deny } [ logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *

undo rule rule-id [ logging | source | time-range ] *

# Create or delete a rule in an advanced IPv6 ACL.
  • For TCP or UDP:

    rule [ rule-id ] { deny | permit } { { 6 | tcp } | { 17 | udp } } [ source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-port operator port [ port2 ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port [ port2 ] | logging | time-range time-name ] *

    undo rule rule-id [ source | source-port | destination | destination-port | logging | time-range ] *

  • For ICMPv6:

    rule [ rule-id ] { permit | deny } { 58 | icmpv6 } [ icmp6-type { icmpv6-type-name | icmpv6-type-number icmpv6-code } | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | time-range time-name | logging ] *

    undo rule rule-id [ icmp6-type | source | destination | logging | time-range ] *

  • For other protocols:

    rule [ rule-id ] { deny | permit } { INTEGER<1-5> | INTEGER<7-16> | INTEGER<18-57> | INTEGER<59-255> | 0 | gre | ipv6 | ospfv3 } [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | logging | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | time-range time-name ] *

    undo rule rule-id [ source | destination | logging | time-range ] *

Parameters

rule-id
  Description: Specifies a rule ID. If the rule ID already exists, the rule with that ID is modified; if the rule ID does not exist, a new rule with the specified ID is added; if no rule ID is specified, the system automatically assigns one.
  Value: An integer ranging from 0 to 4294967294.

permit
  Description: Allows the packets that match the rule to pass.
  Value: -

deny
  Description: Denies the packets that match the rule.
  Value: -

{ protocol-num | protocol }
  Description: Specifies the protocol by protocol name or protocol number.
  Value: An integer ranging from 0 to 255, or a protocol name such as gre, icmpv6, ipv6, ospfv3, tcp, or udp.

source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any }
  Description: Indicates the source IPv6 address and prefix of packets. source-ipv6-address is an IPv6 address in colon-separated hexadecimal notation. prefix-length ranges from 1 to 128. any indicates all source IPv6 addresses.

destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any }
  Description: Indicates the destination IPv6 address and prefix of packets. destination-ipv6-address is an IPv6 address in colon-separated hexadecimal notation. prefix-length ranges from 1 to 128. any indicates all destination IPv6 addresses.

logging
  Description: Records the packets that match the rule in the logs.
  Value: -

time-range time-name
  Description: Specifies the name of a time range.
  Value: A string of case-sensitive characters. If the name does not contain any space, the length ranges from 1 to 32 characters. If the name contains spaces, the length ranges from 3 to 34 characters, and you must enclose it in double quotation marks (for example, "time for test").
  The name cannot contain question marks (?) or commas (,). If the name does not contain any space, it also cannot contain double quotation marks ("). In addition, the name cannot be any or all.

source-port operator port [ port2 ]
  Description: Indicates the source port of UDP or TCP packets. It is optional and valid only for UDP or TCP. If no source port is specified, any source port of TCP/UDP packets is matched.
  • Supported comparison operators are eq (equal to), gt (greater than), lt (less than), and range (between). If the operator is range, two port numbers are used.
  • port can be a name or a number. The number ranges from 0 to 65535.

destination-port operator port [ port2 ]
  Description: Indicates the destination port of UDP or TCP packets. It is optional and valid only for UDP or TCP. If no destination port is specified, any destination port of TCP/UDP packets is matched.
  • Supported comparison operators are eq (equal to), gt (greater than), lt (less than), and range (between). If the operator is range, two port numbers are used.
  • port can be a name or a number. The number ranges from 0 to 65535.

icmp6-type icmpv6-type-name
  Description: Specifies the type name of ICMPv6 packets. It is optional and can be specified only when the protocol is ICMPv6. If it is not specified, the rule matches all ICMPv6 packets. For details, see Table 1.

icmp6-type icmpv6-type-number icmpv6-code
  Description: Specifies the type number and code of ICMPv6 packets. It is optional and can be specified only when the protocol is ICMPv6. If it is not specified, the rule matches all ICMPv6 packets. For details, see Table 1.
Table 1 Values of icmpv6-type-name and the corresponding icmpv6-type-number and icmpv6-code

icmpv6-type-name          icmpv6-type-number   icmpv6-code
Redirect                  137                  0
echo                      128                  0
echo-reply                129                  0
err-Header-field          4                    0
frag-time-exceeded        3                    1
hop-limit-exceeded        3                    0
host-admin-prohib         1                    1
host-unreachable          1                    3
neighbor-advertisement    136                  0
neighbor-solicitation     135                  0
network-unreachable       1                    0
packet-too-big            2                    0
port-unreachable          1                    4
router-advertisement      134                  0
router-solicitation       133                  0
unknown-ipv6-opt          4                    2
unknown-next-hdr          4                    1

Views

ACL6 view

Default Level

2: Configuration level

Usage Guidelines

None

Example

# Create an IPv6 ACL.

<sysname> system-view
[sysname] acl ipv6 number 2000
[sysname-acl6-basic-2000] rule permit source 2030:5060::9050 64
[sysname-acl6-basic-2000] rule 8 deny source fe80:5060::8050 96
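As an added example (not from this Huawei page or from Huawei software), the following Python evaluates constructed packets against rules written with the semantics this page describes: prefix matching in both address forms, the eq/gt/lt/range port operators for TCP/UDP, and icmp6-type by Table 1 name. Rules are assumed to be checked in list order, and the action taken when no rule matches is an assumed parameter, since the page states neither.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMPv6 names from Table 1 (subset) -> (icmpv6-type-number, icmpv6-code)
ICMPV6_TYPES = {"echo": (128, 0), "echo-reply": (129, 0), "port-unreachable": (1, 4)}

def parse_prefix(spec: str):
    """'any', 'addr/len' or 'addr len' (both forms on the page) -> IPv6Network or None."""
    if spec == "any":
        return None
    addr, _, length = spec.replace(" ", "/").partition("/")
    return ipaddress.IPv6Network((addr, int(length)), strict=False)

def port_matches(cond: Optional[Tuple], value: int) -> bool:
    """cond = (operator, port, port2) with eq/gt/lt/range; None matches any port."""
    if cond is None:
        return True
    op, p1, p2 = cond
    return {"eq": value == p1, "gt": value > p1, "lt": value < p1,
            "range": p2 is not None and p1 <= value <= p2}[op]

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    protocol: Optional[int] = None   # None: basic ACL rule, matches any protocol
    source: str = "any"
    destination: str = "any"
    source_port: Optional[Tuple] = None        # (operator, port, port2)
    destination_port: Optional[Tuple] = None
    icmp6_type: Optional[Tuple[int, int]] = None  # (type number, code)

    def matches(self, pkt: dict) -> bool:
        for spec, key in ((self.source, "src"), (self.destination, "dst")):
            net = parse_prefix(spec)
            if net and ipaddress.IPv6Address(pkt[key]) not in net:
                return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.protocol in (6, 17) and not all(port_matches(c, pkt[k]) for c, k in
                ((self.source_port, "sport"), (self.destination_port, "dport"))):
            return False
        if self.protocol == 58 and self.icmp6_type not in (None, (pkt["icmp_type"], pkt["icmp_code"])):
            return False
        return True

def evaluate(rules, pkt: dict, default: str = "permit") -> str:
    # First rule in list order that matches decides; the default action is an assumption.
    return next((r.action for r in rules if r.matches(pkt)), default)
```

The two rules from the CLI example above become Rule("permit", source="2030:5060::9050 64") and Rule("deny", source="fe80:5060::8050 96"); advanced rules add a protocol number and port or ICMPv6 conditions.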
Copyright © Huawei Technologies Co., Ltd.