Fat AP and Cloud AP V200R010C00 Command Reference

traffic-filter (traffic profile view)

Function

The traffic-filter command configures ACL-based packet filtering in a traffic profile.

The undo traffic-filter command cancels configuration of ACL-based packet filtering in a traffic profile.

By default, ACL-based packet filtering is not configured in a traffic profile.

Format

traffic-filter { inbound | outbound } { ipv4 | l2 } acl { acl-number | name acl-name }

traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name } l2 acl { acl-number | name acl-name }

undo traffic-filter { inbound | outbound } { ipv4 | l2 } acl { acl-number | name acl-name }

undo traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name } l2 acl { acl-number | name acl-name }

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Configures ACL-based packet filtering in the inbound direction. | - |
| outbound | Configures ACL-based packet filtering in the outbound direction. | - |
| ipv4 | Configures ACL-based IPv4 packet filtering. | - |
| l2 | Configures ACL-based Layer 2 packet filtering. | - |
| acl acl-number | Specifies the number of an ACL. | The value is an integer that ranges from 3000 to 3031 and from 6000 to 6031 for IPv4 ACLs and from 4000 to 4031 for Layer 2 ACLs. 3000 to 3031: advanced ACLs; 6000 to 6031: user ACLs; 4000 to 4031: Layer 2 ACLs. |
| name acl-name | Filters packets based on a specified named ACL. acl-name indicates an ACL name. | The value is a string of 1 to 32 case-sensitive characters without spaces and must begin with a letter. The value range of acl-number corresponding to acl-name is 3000 to 3031, 4000 to 4031, and 6000 to 6031. |

Views

Traffic profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a wireless network, administrators want to provide differentiated services for wireless users. The services may include, but are not limited to, the following:
  • Deny or permit access of specified wireless users to specified LAN devices.
  • Deny access of specified wireless users to specified invalid IP addresses.
You can configure ACL-based packet filtering in a traffic profile for providing differentiated services to wireless users based on ACL rules.

When the traffic-filter command is configured in the traffic profile view, the device first matches packets against ACLs and then performs the action according to the matched policy.

When multiple traffic-filter commands are configured for ACL-based packet filtering in the same direction in the same traffic profile, packets are matched against the rules in the sequence in which the commands are configured. If packets match a rule, the device executes the specified policy and stops the matching process. Otherwise, the device continues to match packets against the next rule. If no rule is matched, the packets are allowed to pass through.

In particular:
  • If a policy contains only one ACL and the ACL is matched, the permit or deny action is performed.

  • If a policy contains two ACLs, the device considers that the policy is matched only when the packets match both of the ACLs. The device then performs the corresponding action.

    For example, if the actions in the two ACL rules are both permit, the permit action is performed. Otherwise, the deny action is performed.

If an ACL contains multiple rules, packets are matched against the rules in ascending order of rule IDs. If packets match a rule, the device considers that the ACL is matched and stops the matching process. Otherwise, the device continues to match packets against the next rule. If no rule is matched, the device considers that this ACL is not matched. To improve match efficiency, you are advised to configure an ACL rule with a high match probability first and set a small ID for the rule. This reduces the number of times ACL rules are matched and saves resources.

For example, run the following commands to configure different rules for ACL 4000, ACL 3003, and ACL 3005, and configure packet filtering based on these rules.
<Huawei> system-view
[Huawei] acl 4000
[Huawei-acl-adv-4000] rule 5 deny source-mac 4c1f-cc25-611b
[Huawei-acl-adv-4000] quit
[Huawei] acl 3003
[Huawei-acl-adv-3003] rule 5 permit ip source 192.168.0.2 0
[Huawei-acl-adv-3003] rule 10 deny ip source 192.168.0.1 0
[Huawei-acl-adv-3003] quit
[Huawei] acl 3005
[Huawei-acl-adv-3005] rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.23.1.0 0.0.0.255
[Huawei-acl-adv-3005] quit
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name default
[Huawei-wlan-traffic-prof-default] traffic-filter inbound ipv4 acl 3003 //Policy 1
[Huawei-wlan-traffic-prof-default] traffic-filter inbound ipv4 acl 3005 l2 acl 4000 //Policy 2
Table 27-16  Match results of different packets

| Packet | Matching Sequence | Result |
|---|---|---|
| Source IP address: 192.168.0.1 | Match policy 1 (rule 10 of ACL 3003 is matched and the action is deny). | Discarded |
| Source IP address: 192.168.2.1; Destination IP address: 10.23.1.3; Source MAC address: 4c1f-cc25-611b | 1. Match policy 1. ACL 3003 is not matched. 2. Match ACL 3005 of policy 2. The ACL can be matched (rule 5 of ACL 3005 is matched and the action is permit). 3. Match ACL 4000 of policy 2. The ACL can be matched (rule 5 of ACL 4000 is matched and the action is deny). 4. Policy 2 is matched, and the matched ACL contains a rule (rule 5 of ACL 4000) whose action is deny. As a result, the packet is discarded. | Discarded |
| Source IP address: 192.168.2.1; Destination IP address: 10.23.1.3; Source MAC address: 0100-5e01-0101 | 1. Match policy 1. ACL 3003 is not matched. 2. Match ACL 3005 of policy 2. The ACL can be matched (rule 5 of ACL 3005 is matched). 3. Match ACL 4000 of policy 2. The ACL is not matched. 4. No policy is matched, so the packet is allowed to pass through. | Passed |
| Source IP address: 192.168.2.1; Destination IP address: 10.23.2.32 | 1. Match policy 1. ACL 3003 is not matched. 2. Match ACL 3005 of policy 2. The ACL is not matched. 3. No policy is matched, so the packet is allowed to pass through. | Passed |
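
The matching order described above, modeled in Python and run against the four packets of Table 27-16. This is an added example, not Huawei code: the function names and dictionary layout are illustrative, and it assumes the source wildcard of ACL 3005 covers 192.168.2.0 to 192.168.2.255, which is what the table's results require.

```python
import ipaddress

def ip_match(addr, base, wildcard):
    """Wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def rule_hits(rule, pkt):
    """A rule hits only if every field it names is present and matches."""
    for field in ("src", "dst"):
        if field in rule and not (field in pkt and ip_match(pkt[field], *rule[field])):
            return False
    return "src_mac" not in rule or pkt.get("src_mac") == rule["src_mac"]

def acl_action(acl, pkt):
    """First hit in ascending rule-ID order decides; None = ACL not matched."""
    for rule_id in sorted(acl):
        if rule_hits(acl[rule_id], pkt):
            return acl[rule_id]["action"]
    return None

def filter_packet(policies, acls, pkt):
    """Walk policies in configuration order; the first matched policy decides."""
    for policy in policies:
        actions = [acl_action(acls[number], pkt) for number in policy]
        if None in actions:      # a policy is matched only if all its ACLs match
            continue
        return "passed" if all(a == "permit" for a in actions) else "discarded"
    return "passed"              # no policy matched: packet passes by default

# Model of the example configuration (wildcard "0" written out as 0.0.0.0).
# Assumption: ACL 3005 source wildcard is 0.0.0.255, as Table 27-16 implies.
ACLS = {
    4000: {5: {"action": "deny", "src_mac": "4c1f-cc25-611b"}},
    3003: {5: {"action": "permit", "src": ("192.168.0.2", "0.0.0.0")},
           10: {"action": "deny", "src": ("192.168.0.1", "0.0.0.0")}},
    3005: {5: {"action": "permit", "src": ("192.168.2.0", "0.0.0.255"),
               "dst": ("10.23.1.0", "0.0.0.255")}},
}
POLICIES = [(3003,), (3005, 4000)]   # policy 1, policy 2 (inbound)

def table_results():
    """Verdicts for the four packets of Table 27-16, in table order."""
    flow = {"src": "192.168.2.1", "dst": "10.23.1.3"}
    packets = [{"src": "192.168.0.1"},
               {**flow, "src_mac": "4c1f-cc25-611b"},
               {**flow, "src_mac": "0100-5e01-0101"},
               {"src": "192.168.2.1", "dst": "10.23.2.32"}]
    return [filter_packet(POLICIES, ACLS, p) for p in packets]

if __name__ == "__main__":
    print(table_results())
```

A source that no rule names, such as 192.168.0.3, also returns "passed": the profile is default-permit, so the permit in rule 5 of ACL 3003 does not by itself restrict access to 192.168.0.2.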

Prerequisites

An ACL rule has been created before this command is run.

Precautions

The traffic-filter command can reference a numbered ACL rule that is not configured. You can configure the referenced ACL rule after running this command.

You can configure a maximum of eight ACL rules in the same direction. The sequence in which ACL rules take effect follows the sequence in which the rules are configured. To change the current packet filtering rules, delete all the related configurations and reconfigure the ACL-based packet filtering.

Example

# Create the traffic profile p1 and configure packet filtering in the inbound direction based on the ACL that permits packets with the source IPv4 address 192.168.0.2/32.

<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0
[Huawei-acl-adv-3000] quit
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name p1
[Huawei-wlan-traffic-prof-p1] traffic-filter inbound ipv4 acl 3000
Updated: 2019-11-21

Document ID: EDOC1100064352
