24
undo rule rule-id [ counting | fragment | logging | source | time-range | vpn-instance ] *
undo rule { deny | permit } [ counting | fragment | logging | source { source-address
source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
Default
No IPv4 basic ACL rules exist.
Views
IPv4 basic ACL view
Predefined user roles
network-admin
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an
ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of
the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
counting: Counts the times that the rule is matched. If you do not specify this keyword, matches for
the rule are not counted.
fragment: Applies the rule only to non-first fragments. If you do not specify this keyword, the rule
applies to both fragments and non-fragments.
logging: Logs matching packets. This feature is available only when the application module (for
example, packet filtering) that uses the ACL supports the logging feature.
source { source-address source-wildcard | any }: Matches a source address. The source-address
and source-wildcard arguments specify a source IP address and a wildcard mask in dotted decimal
notation. A wildcard mask of zeros represents a host address. The any keyword represents any
source IP address.
time-range time-range-name: Specifies a time range for the rule. The time-range-name argument is
a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is
not configured, the system creates the rule. However, the rule using the time range can take effect
only after you configure the time range. For more information about time range, see ACL and QoS
Configuration Guide.
vpn-instance vpn-instance-name: Applies the rule to an MPLS L3VPN instance. The
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a
VPN instance, the rule applies to both non-VPN packets and VPN packets.
Usage guidelines
Within an ACL, the permit or deny statement of each rule must be unique. If the rule you are creating
or editing has the same deny or permit statement as another rule in the ACL, the rule will not be
created or changed.
You can edit ACL rules only when the match order is config.
If an IPv4 basic ACL is used for QoS traffic classification or packet filtering in a VXLAN network, the
ACL matches packets as follows:
• The ACL matches outgoing VXLAN packets by outer IPv4 header information on a VTEP.
• The ACL matches incoming VXLAN packets by outer IPv4 header information on an
intermediate transport device.
• The ACL matches de-encapsulated incoming VXLAN packets by IPv4 header information on a
VTEP.
To Next Page
Loading...
