The rule command adds a rule for an MPAC policy in the service6-sec view.
The undo rule command deletes a rule or part of the rule configuration from an MPAC policy in the service6-sec view.
By default, no rule is configured for an MPAC policy in the service6-sec view.
rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv6-address source-ipv6-prefix-length | source-ipv6-address/prefix-length | any } ] | [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length | destination-ipv6-address/prefix-length | any } ] ] *
rule [ rule-id ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv6-address source-ipv6-prefix-length | source-ipv6-address/prefix-length | any } ] | [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length | destination-ipv6-address/prefix-length | any } ] ] *
rule [ rule-id ] { deny | permit } protocol any
undo rule rule-id [ source-ip | destination-ip | source-port | destination-port ] *
| Parameter | Description | Value |
|---|---|---|
| rule-id | Specifies the ID of a rule for a Management Plane Access Control (MPAC) policy. | The value is an integer ranging from 0 to 4294967294. |
| deny | Prevents the matched packets from being sent to the CPU. | - |
| permit | Allows the matched packets to be sent to the CPU. | - |
| protocol | Indicates the protocol name or number. | - |
| tcp | Indicates TCP. | - |
| tcp-protocol-number | Indicates TCP protocol number. | The value is 6. |
| udp | Indicates User Datagram Protocol (UDP). | - |
| udp-protocol-number | Indicates UDP protocol number. | The value is 17. |
| source-port source-port-number | Specifies the source port number. | The value is an integer ranging from 1 to 65535. |
| destination-port destination-port-number | Specifies the destination port number. | The value is an integer ranging from 1 to 65535. |
| protocol-number | Specifies a protocol number. | The value is an integer ranging from 1 to 255. |
| ftp | Indicates FTP. | - |
| ssh | Indicates SSH. | - |
| snmp | Indicates SNMP. | - |
| telnet | Indicates Telnet. | - |
| tftp | Indicates TFTP. | - |
| bgp | Indicates BGP. | - |
| ldp | Indicates LDP. | - |
| rsvp | Indicates Resource Reservation Protocol (RSVP). | - |
| ospf | Indicates OSPF. | - |
| rip | Indicates RIP. | - |
| ntp | Indicates NTP. | - |
| lsp-ping | Indicates LSP ping. | - |
| dhcp-c | Indicates Dynamic Host Configuration Protocol-C (DHCP-C). | - |
| dhcp-r | Indicates Dynamic Host Configuration Protocol-R (DHCP-R). | - |
| ip | Indicates IP. | - |
| source-ip | Indicates the source IP address of packets. | - |
| destination-ip | Specifies the destination IP address of packets. | - |
| any | Indicates any IP address. | - |
| source-ipv6-address | Specifies a source IPv6 address. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| source-ipv6-prefix-length | Specifies the prefix length of a source IPv6 address. | The value is an integer ranging from 1 to 128. |
| source-ipv6-address/prefix-length | Specifies the source IPv6 address and prefix length. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X/M. The M is an integer ranging from 1 to 128. |
| destination-ipv6-address | Specifies a destination IPv6 address. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| destination-ipv6-prefix-length | Specifies the prefix length of a destination IPv6 address. | The value is an integer ranging from 1 to 128. |
| destination-ipv6-address/prefix-length | Specifies the destination IPv6 address and prefix length. | The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X/M. The M is an integer ranging from 1 to 128. |
Usage Scenario
To match specific users or packets, run the rule command to specify the protocol name or a 5-tuple matching rule.
Precautions
Exercise caution when using the rule [ rule-id ] deny protocol any command. Once a policy containing this rule is applied globally, no protocol packets are sent to the CPU, so the device can no longer be managed through any of the listed protocols unless matching permit rules precede it.
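The following is an added configuration example illustrating the Usage Scenario and the Precautions above; it is not taken from the original page. It builds an IPv6 MPAC policy that permits management and routing protocols only from known prefixes and then rejects everything else with deny protocol any as the last rule. The policy name MGMT-V6, the rule IDs, the 2001:db8::/32 documentation prefixes, and the service-security policy ipv6 / service-security binding ipv6 commands used to enter the service6-sec view and apply the policy are assumptions for illustration; so is the assumption that rules are evaluated in ascending rule-id order, which is why the catch-all deny carries the highest ID. Lines beginning with "#" are annotations, not device commands.

```text
# Added example, not from the original page. All names, IDs, prefixes and the
# policy/binding commands are assumptions; verify them against your platform.

system-view
# Assumed: enters the service6-sec view for policy MGMT-V6.
service-security policy ipv6 MGMT-V6

# Management protocols, accepted only from the NOC management prefix.
rule 10 permit protocol ssh source-ip 2001:db8:100::/64
rule 20 permit protocol snmp source-ip 2001:db8:100::/64
# NETCONF over SSH (TCP/830), expressed as a TCP destination-port match.
rule 30 permit protocol tcp destination-port 830 source-ip 2001:db8:100::/64

# Control-plane protocols from the peering and time-server prefixes.
rule 40 permit protocol bgp source-ip 2001:db8:200::/48
rule 50 permit protocol ntp source-ip 2001:db8:300::1/128

# Explicitly reject clear-text management from any source.
rule 60 deny protocol telnet source-ip any
rule 70 deny protocol ftp source-ip any

# Catch-all (assumed to be evaluated last because it has the highest ID):
# everything not permitted above is kept off the CPU. Add it only after every
# protocol you rely on has a permit rule; on its own it makes the device
# unmanageable, as the Precautions section warns.
rule 1000 deny protocol any
quit

# Assumed: applies the policy globally.
service-security binding ipv6 MGMT-V6

# Later, to remove only the source-ip constraint from rule 30 while keeping
# its protocol and destination-port match (partial undo per the undo rule syntax):
service-security policy ipv6 MGMT-V6
undo rule 30 source-ip
```

Before binding the policy globally, check that a permit rule exists for the protocol and source prefix of the session you are configuring from; otherwise the catch-all deny takes effect immediately on your own management session.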