No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Filtering Configuration Commands

Filtering Configuration Commands

deny | permit


The deny | permit command configures access control for service packets based on traffic classifiers.

The undo { deny | permit } command restores the default setting.

  • The deny command prevents service flows that match a specified rule from passing through.
  • The permit command forwards packets matching traffic classification rules according to the original policy.

By default, the permit command is used to forward packets matching traffic classification rules according to the original policy.


deny | permit

undo { deny | permit }




Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device implements access control using a traffic policy. That is, you can use a traffic policy containing deny | permit on the device so that the device provides the firewall function to filter out specified types of packets. The deny | permit command only filters data packets, but does not process control packets such as STP BPDUs sent to the CPU.


When you specify a packet filtering action for packets matching an ACL, if the ACL rule defines permit, the device processes packets according to the action (deny or permit) in the traffic behavior. If the ACL rule defines deny, the device discards packets regardless of whether deny or permit is configured in the traffic behavior.

In the same traffic behavior, the deny action cannot be used with other traffic actions except for traffic statistics and flow mirroring. Before adding other traffic actions such as re-marking to a traffic behavior, ensure that the traffic behavior does not contain the deny action. If the traffic behavior contains the deny action, configure the permit action before configuring other traffic actions.


# Configure a traffic policy p1 to prevent the packets from VLAN 2 to pass through 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match vlan 2
[*HUAWEI-classifier-c1] quit
[*HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] deny
[*HUAWEI-behavior-b1] quit
[*HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
Related Topics
Updated: 2019-03-21

Document ID: EDOC1000166501

Views: 69485

Downloads: 374

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next