No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules The description covers configuration examples and function configurations.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Packet Filtering

Configuring Packet Filtering

This section describes how to configure packet filtering.

Background

Packet filtering allows the device to filer packets matching traffic classification rules to implement traffic control.

Procedure

  1. Configure a traffic classifier.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      traffic classifier classifier-name [ type { and | or } ]

      A traffic classifier is created and the traffic classifier view is displayed, or the existing traffic classifier view is displayed.

      and indicates that rules are ANDed with each other.
      • If a traffic classifier contains ACL rules, packets match the traffic classifier only when the packets match one ACL rule and all the non-ACL rules.

      • If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when the packets match all the non-ACL rules.

      or indicates that rules are ORed with each other. Packets match a traffic classifier as long as packets match one rule of the traffic classifier.

      By default, the relationship between rules in a traffic classifier is OR.

    3. Run the following commands as required.

      Matching Rule

      Command

      Remarks

      Inner VLAN IDs in QinQ packets

      if-match inner-vlan start-inner-vlan-id [ to end-inner-vlan-id ]

      -

      802.1p priority in VLAN packets

      if-match 8021p 8021p-value &<1-8>

      Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple values of 802.1p priorities, the packet that matches one 802.1p priority matches the traffic classifier.

      Inner 802.1p priority in QinQ packets

      if-match inner-8021p 8021p-value &<1-8>

      -

      Outer VLAN ID or inner and outer VLAN IDs of QinQ packets

      if-match vlan start-vlan-id [ to end-vlan-id ] [ inner-vlan inner-vlan-id ] or if-match vlan vlan-id [ inner-vlan start-inner-vlan-id [ to end-inner-vlan-id ] ]

      -

      Drop packet

      if-match discard

      -

      Double tags in QinQ packets

      if-match double-tag

      -

      Destination MAC address

      if-match destination-mac mac-address [ mac-address-mask ]

      -

      Source MAC address

      if-match source-mac mac-address [ mac-address-mask ]

      -

      Protocol type field encapsulated in the Ethernet frame header

      if-match l2-protocol { arp | ip | rarp | protocol-value }

      -

      All packets

      if-match any

      -

      DSCP priority in IP packets

      if-match [ ipv6 ] dscp dscp-value &<1-8>

      • Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple values of DSCP priorities, the packet that matches one DSCP priority matches the traffic classifier.

      • If the relationship between rules in a traffic classifier is AND, the if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.

      IP precedence in IP packets

      if-match ip-precedence ip-precedence-value &<1-8>

      • The if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be configured in a traffic classifier in which the relationship between rules is AND.

      • Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple values of IP priorities, the packet that matches one IP priority matches the traffic classifier.

      SYN Flag in the TCP packet header

      if-match tcp-flag { tcp-flag-value | { ack | fin | psh | rst | syn | urg }* }

      -

      Outbound interface

      if-match outbound-interface interface-type interface-number

      The traffic policy containing this matching rule cannot be applied to the outbound direction.

      ACL rule

      if-match acl { acl-number | acl-name }

      NOTE:

      When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first.

      Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if an ACL defines many rules, the packet that matches a single ACL rule matches the ACL.

      ACL6 rule

      if-match ipv6 acl { acl-number | acl-name }

      NOTE:

      When an ACL6 is used to define a traffic classification rule, it is recommended that the ACL6 be configured first.

      -

    4. Run:

      commit

      The configuration is committed.

    5. Run:

      quit

      The traffic classifier view is quitted.

  2. Configure a traffic behavior.
    1. Run:

      traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed.

    2. Run the following commands as required.
      • Run:

        permit

        The device is configured to forward packets matching the traffic classifier according to the original policy.

      • Run:

        deny

        The device is configured to reject packets matching the traffic classifier.

      NOTE:
      • When permit and other actions are configured in a traffic behavior, the actions are performed in sequence. deny cannot be configured with other actions. When deny is used, other configured actions except traffic statistics and flow mirroring do not take effect.

      • To specify a packet filtering action for packets matching an ACL rule, if the ACL rule defines permit, the action taken for the packets depends on deny or permit in the traffic behavior. If the ACL rule defines deny, the packets are discarded regardless of whether deny or permit is configured in the traffic behavior.

    3. (Optional) Run:

      statistics enable

      The traffic statistics function is enabled.

    4. Run:

      commit

      The configuration is committed.

    5. Run:

      quit

      The traffic behavior view is quitted.

    6. Run:

      quit

      The system view is quitted.

  3. Configure a traffic policy.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

    3. Run:

      classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A traffic behavior is bound to a traffic classifier in a traffic policy.

    4. Run:

      commit

      The configuration is committed.

    5. Run:

      quit

      The traffic policy view is quitted.

  4. Apply the traffic policy.
    • Applying a traffic policy to an interface
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        interface interface-type interface-number

        The interface view is displayed.

      3. Run:

        traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the interface.

      4. Run:

        commit

        The configuration is committed.

    • Applying a traffic policy to a VLAN
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        vlan vlan-id

        The VLAN view is displayed.

      3. Run:

        traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the VLAN.

        After a traffic policy is applied, the system performs traffic policing for the packets that belong to a VLAN and match traffic classification rules in the inbound or outbound direction.

      4. Run:

        commit

        The configuration is committed.

    • Applying a traffic policy to the system
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        traffic-policy policy-name global [ slot slot-id ] { inbound | outbound }

        A traffic policy is applied to the system.

      3. Run:

        commit

        The configuration is committed.

Checking the Configuration

  • Run the display traffic classifier [ classifier-name ] command to check the traffic classifier configuration on the device.
  • Run the display traffic behavior [ behavior-name ] command to check the traffic behavior configuration on the device.
  • Run the display traffic policy [ policy-name [ classifier classifier-name ] ] command to check the traffic policy configuration on the device.

  • Run the display traffic-policy applied-record [ policy-name ] [ global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id ] [ inbound | outbound ] command to check the record of the specified traffic policy.

Translation
Download
Updated: 2019-08-09

Document ID: EDOC1000041694

Views: 58436

Downloads: 3621

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next