H3C S6812 Series Command Reference Manual page 1545

Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an
ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of
the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for
the rule are not counted.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule
applies to both fragments and non-fragments. If an ACL is applied for packet filtering, do not specify
this keyword.
logging: Logs matching packets. This feature is available only when the application module (for
example, packet filtering) that uses the ACL supports the logging feature.
routing [ type routing-type ]: Applies the rule to the specified type of IPv6 routing header or all types
of IPv6 routing headers. The routing-type argument specifies the value of the IPv6 routing header
type, in the range of 0 to 255. If you do not specify the type routing-type option, the rule applies to all
types of IPv6 routing headers.
source { source-address source-prefix | source-address/source-prefix | any }: Matches a source
IPv6 address. The source-address argument specifies a source IPv6 address. The source-prefix
argument specifies an address prefix length in the range of 1 to 128. The any keyword represents
any IPv6 source address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is
a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is
not configured, the system creates the rule. However, the rule using the time range can take effect
only after you configure the time range. For more information about time range, see ACL and QoS
Configuration Guide.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating
or editing has the same deny or permit statement as another rule in the ACL, the rule will not be
created or changed.
You can edit ACL rules only when the match order is config.
To view the existing IPv6 basic and advanced ACL rules, use the display acl ipv6 all command.
The rule ID is required in the undo rule rule-id command.
If you do not specify optional parameters, the undo rule rule-id command deletes the entire rule. If
you specify optional parameters, the undo rule rule-id command deletes the specified attributes.
The undo rule { deny | permit } command can only be used to delete the entire rule. You must
specify all the attributes of the rule for the command.
The counting keyword in this command enables match counting specific to rules, and the
hardware-count keyword in the packet-filter ipv6 command enables match counting for all rules in
an ACL.
Examples
# Create an IPv6 basic ACL rule to deny the packets from any source IP subnet but 1001::/16,
3124:1123::/32, or FE80:5060:1001::/48.
<Sysname> system-view
[Sysname] acl ipv6 basic 2000
[Sysname-acl-ipv6-basic-2000] rule permit source 1001:: 16
[Sysname-acl-ipv6-basic-2000] rule permit source 3124:1123:: 32
30