H3C S6550X-HI Series Command Reference Manual page 2147

undo rule { deny | permit } protocol [ { { ack | fin | psh | rst | syn | urg }
* | established } | destination { dest-address dest-wildcard | any } |
destination-port { operator port1 [ port2 ] } | { { precedence precedence
| tos tos } * | dscp dscp } | source { source-address source-wildcard | any } |
source-port { operator port1 [ port2 ] } | udf-format | vpn-instance
vpn-instance-name ] * [ { { l2 | l4 | l5 } rule-string rule-mask
offset }&<1-8> ] [ counting | time-range time-range-name ] *
Default
No user-defined ACL rules exist.
Views
User-defined ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. The numbering step for user-defined ACLs is fixed at 5. For example, if the rule numbering step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
l2: Specifies that the offset is relative to the beginning of the Layer 2 frame header.
l4: Specifies that the offset is relative to the beginning of the Layer 4 header.
l5: Specifies that the offset is relative to the beginning of the Layer 5 header.
rule-string: Defines a match pattern in hexadecimal format. Its length must be a multiple of two.
rule-mask: Defines a match pattern mask in hexadecimal format. Its length must be the same as that of the match pattern. A match pattern mask is used for ANDing the selected string of a packet.
offset: Specifies an offset in bytes after which the match operation begins.
&<1-8>: Specifies that up to eight match patterns can be defined in the ACL rule.
counting: Enables rule match counting in software. If you do not specify this keyword, matches for the rule are not counted in software.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule. However, the rule using the time range can take effect only after you configure the time range. For more information about time range, see ACL and QoS Configuration Guide.
protocol: Specifies one of the following values:
  A protocol number in the range of 0 to 255.
  A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17). The ip keyword specifies all protocols.
If the protocol argument is tcp (6), set the parameters shown in Table 1.
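The rule-id numbering and the rule-string, rule-mask and offset matching described above, modeled in Python as an added example (not H3C code and not taken from this manual), useful for checking what a user-defined rule would match before it is applied. The function and class names are hypothetical and the frame is constructed. It assumes that the first rule gets the start rule ID, that offset counts bytes from the first byte of the chosen header, that a pattern matches when the packet bytes ANDed with the mask equal the pattern ANDed with the mask, and that every pattern in a rule must match.

```python
from dataclasses import dataclass

def next_rule_id(existing_ids, start=0, step=5):
    """Auto-assigned ID: next multiple of the step above the highest ID in use."""
    if not existing_ids:
        return start  # assumption: the first rule gets the start rule ID
    new_id = start + ((max(existing_ids) - start) // step + 1) * step
    if new_id > 65534:
        raise ValueError("no rule ID left in the range 0 to 65534")
    return new_id

@dataclass(frozen=True)
class Pattern:
    base: str         # "l2", "l4" or "l5": header the offset is relative to
    rule_string: str  # hex match pattern
    rule_mask: str    # hex mask, same length as rule_string
    offset: int       # bytes from the start of that header (assumption)

    def __post_init__(self):
        if self.base not in ("l2", "l4", "l5") or self.offset < 0:
            raise ValueError("bad base or offset")
        if not self.rule_string or len(self.rule_string) % 2:
            raise ValueError("rule-string length must be a multiple of two")
        if len(self.rule_mask) != len(self.rule_string):
            raise ValueError("rule-mask must be as long as rule-string")
        bytes.fromhex(self.rule_string), bytes.fromhex(self.rule_mask)  # hex only

def rule_matches(patterns, frame, header_start):
    """Assumed semantics: all patterns must match; header_start maps base -> index."""
    if not 1 <= len(patterns) <= 8:
        raise ValueError("a rule takes 1 to 8 match patterns")
    for p in patterns:
        want, mask = bytes.fromhex(p.rule_string), bytes.fromhex(p.rule_mask)
        begin = header_start[p.base] + p.offset
        got = frame[begin:begin + len(want)]
        if len(got) < len(want):  # frame too short for this pattern
            return False
        if any((g & m) != (w & m) for g, w, m in zip(got, want, mask)):
            return False
    return True

# Constructed sample: Ethernet + IPv4 + TCP SYN to port 23 (checksums zeroed).
FRAME = bytes.fromhex(
    "020000000002 020000000001 0800"                  # Ethernet, 14 bytes
    "45000028 00004000 40060000 c0000201 c0000202"    # IPv4, 20 bytes
    "c0000017 00000001 00000000 5002ffff 00000000"    # TCP, 20 bytes
)
HEADERS = {"l2": 0, "l4": 34, "l5": 54}  # header start indexes in FRAME
```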
