Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Filtering Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

deny | permit


Function

The deny | permit command configures access control for service packets based on traffic classifiers.

  • The deny command prevents service flows that match a specified rule from passing through.
  • The permit command forwards packets matching traffic classification rules according to the original policy.

By default, an AC does not control service packets based on traffic classifiers.


Format

deny | permit

undo { deny | permit }




Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device implements access control using a traffic policy: applying a traffic policy that contains deny | permit lets the device provide the firewall function of filtering out specified types of packets. The deny | permit command filters only data packets; it does not process control packets, such as STP BPDUs, sent to the CPU.


When you specify a packet filtering action for packets matching an ACL, if the ACL rule defines permit, the device processes packets according to the action (deny or permit) in the traffic behavior. If the ACL rule defines deny, the device discards packets regardless of whether deny or permit is configured in the traffic behavior.

When the packet filtering action for packets matching an ACL is set to deny or permit and the ACL rule contains the logging field, logs are recorded when packets are discarded or forwarded.

If a traffic policy in which the deny behavior is defined is applied to the outbound direction on the S5720EI, S5720HI, S6720EI, and S6720S-EI, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This affects relevant protocol functions.

In the same traffic behavior, the deny action cannot be used with other traffic actions. Before adding other traffic actions such as re-marking to a traffic behavior, ensure that the traffic behavior does not contain the deny action. If the traffic behavior contains the deny action, configure the permit action before configuring other traffic actions.
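The interaction between the ACL rule action, the traffic behavior action and the logging field described above, as an added Python example (not Huawei's code or tooling): it resolves the effective result for every ACL rule bound through a traffic policy. The configuration text and ACL 3001 are constructed sample input, and a behavior without deny is assumed to forward.

```python
# Constructed sample in saved-configuration style (not from the original page).
SAMPLE = """\
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255
 rule 10 deny ip source 192.168.2.0 0.0.0.255 logging
#
traffic classifier c1
 if-match acl 3001
#
traffic behavior b1
 permit
#
traffic behavior b2
 deny
#
traffic policy p1
 classifier c1 behavior b1
#
traffic policy p2
 classifier c1 behavior b2
"""

def parse(config):
    """Group indented lines under the first three tokens of their section header."""
    sections, header = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and header:
            sections[header].append(line.split())
        elif line.strip() and line.strip() != "#":
            header = tuple(line.split()[:3])
            sections[header] = []
    return sections

def effective_actions(config):
    """Map (policy, acl, rule id) to (result, logged)."""
    s, out = parse(config), {}
    for hdr, body in s.items():
        # Only traffic policy sections bind classifiers to behaviors.
        for b in body if hdr[:2] == ("traffic", "policy") else []:
            beh_deny = ["deny"] in s[("traffic", "behavior", b[3])]
            for m in s[("traffic", "classifier", b[1])]:
                if m[:2] != ["if-match", "acl"]:
                    continue
                for r in s[("acl", "number", m[2])]:
                    # ACL deny always discards; ACL permit defers to the behavior.
                    drop = r[2] == "deny" or beh_deny
                    out[(hdr[2], m[2], int(r[1]))] = ("discard" if drop else "forward", "logging" in r)
    return out

if __name__ == "__main__": print(effective_actions(SAMPLE))
```

Under p1, rule 10 is still discarded even though b1 is permit, which is the case most often missed when reviewing a policy by its behavior alone.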


Example

# Configure a traffic policy p1 to prevent packets from VLAN 2 from passing through GE0/0/1.

<HUAWEI> system-view
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match vlan-id 2
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound
Updated: 2020-02-06

Document ID: EDOC1000178165
