source { sour-addr sour-wildcard | any }: Matches a source address. The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. A wildcard mask of zeros specifies a host address. The any keyword represents any source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter.
vpn-instance vpn-instance-name: Applies the rule to packets in a VPN instance. The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets.
Description
Use the rule command to create or edit an IPv4 basic ACL rule. You can edit ACL rules only when the match order is config.
Use the undo rule command to delete an entire IPv4 basic ACL rule or some attributes in the rule. If no optional keywords are provided, you delete the entire rule. If optional keywords or arguments are provided, you delete only the specified attributes.
By default, an IPv4 basic ACL does not contain any rule.
Within an ACL, the permit or deny statement of each rule must be unique. If the ACL rule you are creating or editing has the same deny or permit statement as another rule in the ACL, your creation or editing attempt will fail.
To view rules in an ACL and their rule IDs, use the display acl all command.
Related commands: acl, display acl, and step.
NOTE:
If an IPv4 basic ACL is for QoS traffic classification, do not specify the vpn-instance keyword. The keyword can cause ACL application failure. The logging and counting keywords (even if specified) do not take effect for QoS.
Examples
# Create a rule in IPv4 basic ACL 2000 to deny packets sourced from 1.1.1.1/32.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 1.1.1.1 0
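The following Python model is an added example, not part of the manual or of the switch software. It reproduces the two behaviours described above for an IPv4 basic ACL: wildcard-mask matching (a wildcard of all zeros pins a single host, so the example rule above matches only 1.1.1.1) and rejection of a second rule carrying the same permit/deny statement. The class and function names (BasicAcl, BasicRule, wildcard_match) are hypothetical, the config match order is modelled as ascending rule-ID order, and automatic rule numbering in steps of 5 starting at 0 is an assumption about the default step, not something this page states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of an IPv4 basic ACL (hypothetical names, not a switch
# API): enough to exercise wildcard-mask matching, rule-ID assignment and the
# unique permit/deny statement check from the command description.

MASK32 = 0xFFFFFFFF


def _ipv4_int(text: str) -> int:
    """Dotted decimal to int. A bare integer, like the '0' in
    'rule deny source 1.1.1.1 0', is accepted as the CLI shorthand."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(text) & MASK32


def _match_int(pkt: int, addr: int, wild: int) -> bool:
    # A wildcard bit of 1 means "do not care"; every other bit must be equal.
    return (pkt ^ addr) & (MASK32 ^ wild) == 0


def wildcard_match(packet_src: str, sour_addr: str, sour_wildcard: str) -> bool:
    """True when packet_src matches sour_addr under sour_wildcard.
    A mask of all zeros pins every bit and matches exactly one host."""
    return _match_int(_ipv4_int(packet_src), _ipv4_int(sour_addr), _ipv4_int(sour_wildcard))


@dataclass(frozen=True)
class BasicRule:
    action: str                          # "permit" or "deny"
    source: Optional[Tuple[int, int]]    # (addr, wildcard) as ints; None = any


class BasicAcl:
    """Match order 'config': rules are tried in ascending rule-ID order and
    the first match decides. Omitted rule IDs are assigned in steps of
    `step` starting at 0 (assumed default numbering)."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: Dict[int, BasicRule] = {}

    def _parse(self, line: str):
        tok = line.split()
        if len(tok) < 2 or tok[0] != "rule":
            raise ValueError("expected: rule [rule-id] {deny|permit} [source ...]")
        i, rule_id = 1, None
        if tok[i].isdigit():
            rule_id, i = int(tok[i]), i + 1
        if i >= len(tok) or tok[i] not in ("deny", "permit"):
            raise ValueError("action must be deny or permit")
        action, i = tok[i], i + 1
        source = None  # no source keyword, or 'source any', matches all
        if i < len(tok) and tok[i] == "source" and tok[i + 1] != "any":
            source = (_ipv4_int(tok[i + 1]), _ipv4_int(tok[i + 2]))
        return rule_id, BasicRule(action, source)

    def add_rule(self, line: str) -> int:
        """Create or edit a rule and return its rule ID. Fails if a different
        rule already carries the same permit/deny statement."""
        rule_id, rule = self._parse(line)
        for other_id, other in self.rules.items():
            if other_id != rule_id and other == rule:
                raise ValueError(f"statement duplicates rule {other_id}")
        if rule_id is None:
            used = list(self.rules)
            rule_id = 0 if not used else (max(used) // self.step + 1) * self.step
        self.rules[rule_id] = rule
        return rule_id

    def evaluate(self, packet_src: str) -> Optional[str]:
        """Return 'permit' or 'deny' from the first matching rule, else None."""
        pkt = _ipv4_int(packet_src)
        for rid in sorted(self.rules):
            rule = self.rules[rid]
            if rule.source is None or _match_int(pkt, *rule.source):
                return rule.action
        return None


if __name__ == "__main__":
    acl = BasicAcl(2000)
    print("rule", acl.add_rule("rule deny source 1.1.1.1 0"), "created")
    print("1.1.1.1 ->", acl.evaluate("1.1.1.1"))   # deny
    print("1.1.1.2 ->", acl.evaluate("1.1.1.2"))   # None: no rule matches
```

Run it directly to replay the manual's example; the duplicate check only compares against rules with a different ID, so re-issuing `rule 0 deny source 1.1.1.1 0` edits rule 0 rather than failing.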
rule (IPv6 advanced ACL view)
Syntax
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
undo rule rule-id [ { { ack | fin | psh | rst | syn | urg } * | established } | counting | destination | destination-port | dscp | flow-label | fragment | icmp6-type | logging | source | source-port | time-range | vpn-instance ] *