Configuring Redirection

Background

A traffic policy that contains redirection can only be applied in the inbound direction of the system, interface or VLAN.

If redirect interface is configured in a traffic behavior, you are advised to apply the traffic policy containing the traffic behavior only to Layer 2 data traffic.

Procedure

1. Configure a traffic classifier.

   1. Run:

      system-view

      The system view is displayed.

   2. Run:

      traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is created and the traffic classifier view is displayed, or the existing traffic classifier view is displayed.

      and is the logical operator between the rules in the traffic classifier, which means that:

      • If the traffic classifier contains ACL rules, packets match the traffic classifier only when they match one ACL rule and all the non-ACL rules.

      • If the traffic classifier does not contain any ACL rules, packets match the traffic classifier only when they match all the rules in the classifier.

      The logical operator or means that packets match the traffic classifier as long as they match one of rules in the classifier.

      By default, the relationship between rules in a traffic classifier is AND.

   3. Configure matching rules according to the following table.

      Matching Rule	Command	Remarks
      Outer VLAN ID	if-match vlan-id start-vlan-id [ to end-vlan-id ]	-
      802.1p priority in VLAN packets	if-match 8021p 8021p-value &<1-8>	If you enter multiple 802.1p priority values in one command, a packet matches the traffic classifier as long as it matches any one of the 802.1p priorities, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
      Destination MAC address	if-match destination-mac mac-address [ mac-address-mask ]	-
      Source MAC address	if-match source-mac mac-address [ mac-address-mask ]	-
      Protocol type field in the Ethernet frame header	if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }	-
      All packets	if-match any	After the if-match any command is run, only the matching rule configured using this command takes effect, and the other matching rules in the same traffic classifier will become ineffective.
      DSCP priority in IP packets	if-match dscp dscp-value &<1-8>	If you enter multiple DSCP values in one command, a packet matches the traffic classifier as long as it matches any one of the DSCP values, regardless of whether the relationship between rules in the traffic classifier is AND or OR. If the relationship between rules in a traffic classifier is AND, the if-match dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.
      IP precedence in IP packets	if-match ip-precedence ip-precedence-value &<1-8>	The if-match dscp and if-match ip-precedence commands cannot be configured in a traffic classifier in which the relationship between rules is AND. If you enter multiple IP precedence values in one command, a packet matches the traffic classifier as long as it matches any one of the IP precedence values, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
      Layer 3 protocol type	if-match protocol { ip | ipv6 }	-
      SYN Flag in the TCP packet	if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg }	-
      Inbound interface	if-match inbound-interface interface-type interface-number	A traffic policy containing this matching rule cannot be applied to the outbound direction or in the interface view.
      ACL rule	if-match acl { acl-number | acl-name }	When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first. If an ACL in a traffic classifier defines multiple rules, a packet matches the ACL as long as it matches one of rules, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
      ACL6 rule	if-match ipv6 acl { acl-number | acl-name }	Before specifying an ACL6 in a matching rule, configure the ACL6.

   4. Run:

      quit

      Exit from the traffic classifier view.

2. Configure a traffic behavior.

   1. Run:

      traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.

   2. Run the following commands as required.

      • Run:

        redirect interface interface-type interface-number [ forced ]

        The device is configured to redirect packets matching the traffic classifier to a specified interface.

        After traffic is redirected to an interface in Down state, if forced is specified, traffic is lost on the interface and is not switched to the original forwarding path. If forced is not configured, redirection does not take effect.

        The packets that are redirected to an interface will be discarded if the VLAN of the packets on the interface is not allowed.

   3. Run:

      quit

      Exit from the traffic behavior view.

   4. Run:

      quit

      Exit from the system view.

3. Configure a traffic policy.

   1. Run:

      system-view

      The system view is displayed.

   2. Run:

      traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

   3. Run:

      classifier classifier-name behavior behavior-name

      A traffic behavior is bound to a traffic classifier in a traffic policy.

   4. Run:

      quit

      Exit from the traffic policy view.

   5. Run:

      quit

      Exit from the system view.

4. Apply the traffic policy.

   The traffic policy containing redirection cannot be applied in the outbound direction.

   Applying traffic policies consumes ACL resources. If there are no sufficient ACL resources, some traffic policies will fail to be applied. For example, if an if-match rule in a traffic policy occupies one ACL, M ACL resources will be used to apply the traffic policy to M interfaces. When a traffic policy is applied to L VLANs, L ACLs are occupied. When a traffic policy is applied to the system, one ACL is occupied. For details about ACLs occupied by if-match rules, see Table 2-4 in Licensing Requirements and Limitations for MQC.

   • Apply a traffic policy to an interface.

     1. Run:

        system-view

        The system view is displayed.

     2. Run:

        interface interface-type interface-number

        The interface view is displayed.

     3. Run:

        traffic-policy policy-name inbound

        A traffic policy is applied to the interface.

   • Applying a traffic policy to a VLAN

     1. Run:

        system-view

        The system view is displayed.

     2. Run:

        vlan vlan-id

        The VLAN view is displayed.

     3. Run:

        traffic-policy policy-name inbound

        A traffic policy is applied to the VLAN.

   • Apply a traffic policy to the system.

     1. Run:

        system-view

        The system view is displayed.

     2. Run:

        traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]

        A traffic policy is applied to the system.

        Only one traffic policy can be applied to the system or slot in one direction. A traffic policy cannot be applied to the same direction in the system and slot simultaneously.

        • In a stack scenario, a traffic policy that is applied to the system takes effect on all the interfaces and VLANs of all the member switches in the stack. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on all the member switches. A traffic policy that is applied to a specified slot takes effect on all the interfaces and VLANs of the member switch with the specified stack ID. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on this member switch.
        • In a non-stack scenario, a traffic policy that is applied to the system takes effect on all the interfaces and VLANs of the local switch. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on the local switch. Traffic policies applied to the slot and system have the same functions.

Checking the Configuration

• Run the display traffic classifier user-defined [ classifier-name ] command to check the traffic classifier configuration.
• Run the display traffic behavior user-defined [ behavior-name ] command to check the traffic behavior configuration.

• Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the user-defined traffic policy configuration.

• Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to check information about ACL-based simplified and MQC-based traffic policies applied to the system, a VLAN, or an interface.

• Run the display traffic policy { interface [ interface-type interface-number ] | vlan [ vlan-id ] | global } [ inbound | outbound ] command to check the traffic policy configuration.

• Run the display traffic-policy applied-record [ policy-name ] command to check the application record of a specified traffic policy.