S12700 V200R010C00 Configuration Guide - QoS

This document describes the configurations of QoS functions, including MQC, priority mapping, traffic policing, traffic shaping, interface-based rate limiting, congestion avoidance, congestion management, packet filtering, redirection, traffic statistics, ACL-based simplified traffic policy, and HQoS.

Configuring ACL-based Packet Filtering

Context

ACL-based packet filtering allows the device to permit or reject packets matching ACL rules to control network traffic.

Both the traffic-filter and traffic-secure commands filter packets, so you do not need to configure both commands on a switch. Choose between traffic-filter and traffic-secure according to the following rules:
  • If the ACL referenced by the traffic-filter or traffic-secure command is not referenced by any other ACL-based simplified traffic policy, and packets do not match both the ACL used for packet filtering and an ACL used by a simplified traffic policy, you can use either traffic-filter or traffic-secure.

  • If the ACL referenced by the traffic-filter or traffic-secure command is also referenced by other ACL-based simplified traffic policies, or packets match both the ACL used for packet filtering and an ACL used by a simplified traffic policy, the traffic-filter and traffic-secure commands differ as follows:

    • When the traffic-secure command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the deny action, only the traffic-secure, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • When the traffic-secure command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the permit action, the traffic-secure command and other ACL-based simplified traffic policies take effect.

    • When the traffic-filter command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the deny action, only the traffic-filter, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • When the traffic-filter command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the permit action, the traffic policy that was configured first takes effect.

If an ACL rule defines the deny action and traffic-filter based on that ACL is applied in the outbound direction, the device also discards ICMP, OSPF, BGP, RIP, SNMP, and Telnet control packets sent by the CPU when they match the rule. This affects the corresponding protocol functions.

NOTE:

When ACL-based packet filtering is implemented in the system or in a VLAN, the ACL number is in the range of 2000 to 5999. When ACL-based packet filtering is implemented for user access control on the NAC network, the ACL number is in the range of 6000 to 9999. See traffic-filter acl.

Procedure

  • Configuring packet filtering globally or in a VLAN
    1. Run:

      system-view

      The system view is displayed.

    2. Run the following commands as required.

      • Run:

        traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

        NOTE:

        If the ACL used to filter packets references a UCL group, the ID of the UCL group cannot exceed 48.

      • Run:

        traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run:

        traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

        The device is configured to filter outgoing packets matching an ACL.

      • Run:

        traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        Or,

        traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.

      • Run:

        traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching Layer 2 and Layer 3 ACLs.

  • Configuring packet filtering on an interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run the following commands as required.

      • Run:

        traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

        NOTE:

        If the ACL used to filter packets references a UCL group, the ID of the UCL group cannot exceed 48.

      • Run:

        traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run:

        traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

        The device is configured to filter outgoing packets matching an ACL.

      • Run:

        traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        Or,

        traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.

      • Run:

        traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching Layer 2 and Layer 3 ACLs.
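
A configuration check for the outbound caveat in the Context section, as an added example that is not Huawei's code: it scans a saved configuration for traffic-filter applied in the outbound direction and reports the deny rules that can match the ICMP, OSPF, BGP, RIP, SNMP, or Telnet packets the device itself sends. The ACL rule syntax, the port numbers, and the sample configuration are assumptions not taken from this page, and IPv6 ACLs are not modelled.

```python
import re

# Control protocols the page lists, keyed by ACL protocol keyword. Ports are
# the standard assignments (Telnet 23, BGP 179, SNMP 161, RIP 520).
CONTROL = {
    "icmp": {None: "ICMP"}, "ospf": {None: "OSPF"},
    "tcp": {"23": "Telnet", "telnet": "Telnet", "179": "BGP", "bgp": "BGP"},
    "udp": {"161": "SNMP", "snmp": "SNMP", "520": "RIP", "rip": "RIP"},
}
EVERYTHING = sorted({v for t in CONTROL.values() for v in t.values()})

def hit_protocols(body):
    """Control protocols a deny rule could match; unclear forms count as all."""
    proto = (body.split() or ["ip"])[0]
    if proto not in CONTROL:  # ip / basic ACL rule: all; gre, igmp, ipinip: none
        return [] if proto in ("gre", "igmp", "ipinip") else EVERYTHING
    table = CONTROL[proto]
    ports = re.findall(r"-port eq (\S+)", body)
    if None in table or not ports:  # no exact port given: assume every entry
        return sorted(set(table.values()))
    return sorted({table[p] for p in ports if p in table})

def audit(config):
    """Return (location, acl, rule_id, protocols) for outbound deny rules."""
    acls, refs, current, where = {}, [], None, "system"
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"acl (?:number |name )?(\S+)", line):
            current = m.group(1)
            acls[current] = []
        elif (m := re.match(r"rule (\d+) deny\b\s*(.*)", line)) and current:
            acls[current].append((m.group(1), m.group(2)))
        elif line == "#":  # section separator: back to the system view
            current, where = None, "system"
        elif line.startswith("interface "):
            where = line.split()[1]
        elif m := re.match(r"traffic-filter (?:vlan \d+ )?outbound (.*)", line):
            refs += [(where, a, r) for a, r in
                     re.findall(r"acl (?:name )?(\S+)(?: rule (\d+))?", m.group(1))]
    return [(where, acl, rid, hit_protocols(body))
            for where, acl, only in refs for rid, body in acls.get(acl, [])
            if only in ("", rid) and hit_protocols(body)]

SAMPLE = """acl number 3000
 rule 5 deny tcp destination-port eq telnet
 rule 10 deny udp destination-port eq 53
#
interface GigabitEthernet1/0/1
 traffic-filter outbound acl 3000
"""  # constructed configuration, not taken from the page
```

Running `audit(SAMPLE)` reports rule 5 of ACL 3000 on GigabitEthernet1/0/1 as able to drop Telnet packets sent by the device; rule 10 is not reported because it matches none of the listed protocols.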

Updated: 2019-12-28

Document ID: EDOC1000142089
