Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
How Can I Apply an ACL to an Interface?


An ACL cannot be directly applied to an interface. Instead, associate the ACL with a service module (a traffic policy or a simplified traffic policy) and apply that module to the interface, using either of the following methods:


The following commands are for your reference only. Follow the command line syntax of the version running on your device.

Since V200R009, traffic policies can be applied to VLANIF interfaces.

  • Method 1: Apply a traffic policy to an interface.
    1. Configure a traffic classifier.
      1. Run the traffic classifier classifier-name [ operator { and | or } ] [ precedence precedence-value ] command in the system view to enter the traffic classifier view.
      2. Run the if-match acl { acl-number | acl-name } command to apply an ACL to the traffic classifier.
    2. Configure a traffic behavior.

      Run the traffic behavior behavior-name command in the system view to create a traffic behavior and enter the traffic behavior view.

    3. Configure a traffic action.

      There are two actions for packet filtering: deny and permit. For other traffic actions, see Configuration Guide - QoS of the corresponding product version.

    4. Configure a traffic policy.

      1. Run the traffic policy policy-name [ match-order { auto | config } ] command in the system view to create a traffic policy and enter the traffic policy view.

      2. Run the classifier classifier-name behavior behavior-name command to configure a traffic behavior for the specified traffic classifier in the traffic policy. That is, bind the traffic behavior to the classifier.

    5. Apply the traffic policy.

      Run the traffic-policy policy-name { inbound | outbound } command in the interface view to apply the traffic policy.

  • Method 2: Apply a simplified traffic policy to an interface.

    Run the following commands in the interface view:

    • Packet filtering based on ACL
      • traffic-filter inbound acl xxx
      • traffic-filter outbound acl xxx
      • traffic-secure inbound acl xxx
    • Traffic policing based on ACL

      • traffic-limit inbound acl xxx
      • traffic-limit outbound acl xxx
    • Redirection based on ACL

      traffic-redirect inbound acl xxx

    • Re-mark based on ACL

      • traffic-remark inbound acl xxx
      • traffic-remark outbound acl xxx
    • Traffic statistics collection based on ACL

      • traffic-statistic inbound acl xxx
      • traffic-statistic outbound acl xxx
    • Traffic mirroring based on ACL

      traffic-mirror inbound acl xxx
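Both methods as one worked configuration, added here as an example and not taken from the Huawei guide: the ACL numbers, the names c1, b1 and p1, the addresses and the interface numbers are assumptions, and lines starting with # are annotations rather than commands. In Method 1 the ACL rule uses permit to select the traffic and the deny behavior drops it; in Method 2 traffic-filter acts on the rule's own deny action.

```text
# Constructed example: block Telnet from 192.0.2.0/24 to host 198.51.100.10.
system-view

# Method 1: ACL -> traffic classifier -> traffic behavior -> traffic policy -> interface
acl number 3001
 rule 5 permit tcp source 192.0.2.0 0.0.0.255 destination 198.51.100.10 0 destination-port eq 23
 quit
traffic classifier c1 operator and
 if-match acl 3001
 quit
traffic behavior b1
 deny
 quit
traffic policy p1
 classifier c1 behavior b1
 quit
interface GigabitEthernet 1/0/1
 traffic-policy p1 inbound
 quit

# Method 2: simplified traffic policy, applied directly in the interface view
acl number 3002
 rule 5 deny tcp source 192.0.2.0 0.0.0.255 destination 198.51.100.10 0 destination-port eq 23
 quit
interface GigabitEthernet 1/0/2
 traffic-filter inbound acl 3002
 quit

# Check what was bound and where
display acl 3001
display traffic policy user-defined p1
display traffic-policy applied-record p1
```

An ACL that exists but is not referenced by a traffic policy or a simplified traffic policy command filters nothing, so the display commands at the end are the check that the binding actually took effect on the intended interface and direction.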

Updated: 2019-04-01

Document ID: EDOC1000178319
