The rule command adds a rule for an MPAC policy in the service-sec view.
The undo rule command deletes a rule or part of the rule configuration from an MPAC policy in the service-sec view.
By default, no rule is configured for an MPAC policy in the service-sec view.
rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
rule [ rule-id ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *
rule [ rule-id ] { deny | permit } protocol { any | isis }
undo rule rule-id [ source-ip | destination-ip | source-port | destination-port ] *
| Parameter | Description | Value |
|---|---|---|
| rule-id | Specifies the ID of a rule for an Management Plane Access Control (MPAC) policy. | The value is an integer ranging from 0 to 4294967294. |
| deny | Prevents the matched packets from being sent to the CPU. | - |
| permit | Allows the matched packets to be sent to the CPU. | - |
| protocol | Indicates the protocol name or number. | - |
| tcp | Indicates TCP. | - |
| tcp-protocol-number | Indicates TCP protocol number. | The value is 6. |
| udp | Indicates User Datagram Protocol (UDP). | - |
| udp-protocol-number | Indicates UDP protocol number. | The value is 17. |
| source-port source-port-number | Specifies the source port number. | The value is an integer ranging from 1 to 65535. |
| destination-port destination-port-number | Specifies the destination port number. | The value is an integer ranging from 1 to 65535. |
| protocol-number | Specifies a protocol number. | The value is an integer ranging from 1 to 255. |
| ftp | Indicates FTP. | - |
| ssh | Indicates SSH. | - |
| snmp | Indicates SNMP. | - |
| telnet | Indicates Telnet. | - |
| tftp | Indicates TFTP. | - |
| bgp | Indicates BGP. | - |
| ldp | Indicates LDP. | - |
| rsvp | Indicates Resource Reservation Protocol (RSVP). | - |
| ospf | Indicates OSPF. | - |
| rip | Indicates RIP. | - |
| ntp | Indicates NTP. | - |
| lsp-ping | Indicates LSP ping. | - |
| dhcp-c | Indicates Dynamic Host Configuration Protocol-C (DHCP-C). | - |
| dhcp-r | Indicates Dynamic Host Configuration Protocol-R (DHCP-R). | - |
| ip | Indicates IP. | - |
| source-ip | Indicates the source IP address of packets. | - |
| source-ipv4-address | Specifies a source IPv4 address. | The value is in dotted decimal notation. |
| source-ipv4-mask | Specifies the mask of a source IPv4 address. The protocol packets from this network segment are allowed to be or denied from being sent to the CPU. | The value is in dotted decimal notation. |
| 0 | Specifies the source host. The protocol packets from the host are allowed to be or denied from being sent to the CPU. | - |
| destination-ip | Specifies the destination address of packets. | - |
| destination-ipv4-address | Specifies a destination IPv4 address. The protocol packets destined for the address are allowed to be or denied from being sent to the CPU. | The value is in dotted decimal notation. |
| destination-ipv4-mask | Specifies the mask of a destination IPv4 address. | The value is in dotted decimal notation. |
| 0 | Specifies the destination host. The protocol packets destined for the host are allowed to be or denied from being sent to the CPU. | - |
| any | Indicates any IP address. | - |
| isis | Indicates IS-IS. | - |
Usage Scenario
To match specific users or packets, run the rule command to specify the protocol name or a 5-tuple matching rule.
Precautions
In the service6-sec policy view, you cannot configure rules for ISIS packets.
Exercise caution when using the rule [ rule-id ] deny protocol any command. After this command is applied globally, no protocol packets are sent to the CPU, causing the device to be out of management.