S12700 V200R013C00 Configuration Guide - QoS

This document describes the configurations of QoS functions, including MQC, priority mapping, traffic policing, traffic shaping, interface-based rate limiting, congestion avoidance, congestion management, packet filtering, redirection, traffic statistics, ACL-based simplified traffic policy, and HQoS.
Configuring ACL-based Packet Filtering

Context

ACL-based packet filtering allows the device to permit or reject packets matching ACL rules to control network traffic.

Both the traffic-filter and traffic-secure commands filter packets. Choose between them according to the following rules:
  • If the ACL referenced by the traffic-filter or traffic-secure command is not referenced by any other ACL-based simplified traffic policy, and packets do not match both an ACL used for packet filtering and an ACL used by a simplified traffic policy, either traffic-filter or traffic-secure can be used.

  • If the ACL referenced by the traffic-filter or traffic-secure command is also referenced by other ACL-based simplified traffic policies, or packets match both an ACL used for packet filtering and an ACL used by a simplified traffic policy, the traffic-filter and traffic-secure commands differ as follows:

    • When the traffic-secure command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the deny action, only the traffic-secure, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • When the traffic-secure command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the permit action, the traffic-secure command and other ACL-based simplified traffic policies take effect.

    • When the traffic-filter command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the deny action, only the traffic-filter, traffic-mirror, and traffic-statistics commands take effect and packets are filtered.

    • When the traffic-filter command and other ACL-based simplified traffic policies are configured simultaneously, and the ACL defines the permit action, the traffic policy that was configured first takes effect.

If an ACL rule defines the deny action and traffic-filter based on that ACL is applied in the outbound direction, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet that are sent by the CPU and match the ACL rule are discarded. This affects the corresponding protocol functions.

NOTE:

When ACL-based packet filtering is implemented in the system or in a VLAN, the ACL number is in the range of 2000 to 5999. When ACL-based packet filtering is implemented for user access control on the NAC network, the ACL number is in the range of 6000 to 9999. See traffic-filter acl.

Procedure

  • Configuring packet filtering globally or in a VLAN
    1. Run system-view

      The system view is displayed.

    2. Run the following commands as required.

      • Run traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

        NOTE:

        If the ACL used to filter packets references a UCL group, the ID of the UCL group cannot exceed 48.

      • Run traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

        The device is configured to filter outgoing packets matching an ACL.

      • Run traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        Or run traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.

      • Run traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching Layer 2 and Layer 3 ACLs.

  • Configuring packet filtering on an interface
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run the following commands as required.

      • Run traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

        NOTE:

        If the ACL used to filter packets references a UCL group, the ID of the UCL group cannot exceed 48.

      • Run traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching an ACL.

      • Run traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

        The device is configured to filter outgoing packets matching an ACL.

      • Run traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        Or run traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.

      • Run traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

        The device is configured to filter incoming packets matching Layer 2 and Layer 3 ACLs.
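
The following Python script is an added example, not part of the original guide or of any Huawei tool. It audits a saved configuration for two cases described in the Context section: traffic-filter applied outbound with an ACL that contains a deny rule, and an ACL referenced both by traffic-filter and by another ACL-based simplified traffic policy. The sample configuration, its interface names and addresses are constructed; the script assumes numbered ACLs and does not handle named ones.

```python
import re

# Constructed sample configuration (not taken from the original page).
SAMPLE_CONFIG = """\
acl number 3001
 rule 5 deny ip source 192.168.10.0 0.0.0.255
 rule 10 permit ip
acl number 3002
 rule 5 permit tcp destination-port eq 22
traffic-secure vlan 100 inbound acl 3001
interface GigabitEthernet1/0/1
 traffic-filter inbound acl 3002
 traffic-statistics inbound acl 3002
interface GigabitEthernet1/0/2
 traffic-filter outbound acl 3001
"""

# traffic-<kind> [ vlan vlan-id ] { inbound | outbound } acl <number>
CMD = re.compile(r"^traffic-(\w+)\s+(?:vlan\s+\d+\s+)?(inbound|outbound)\s+acl\s+(\d+)")

def audit(config):
    """Return (check, scope, acl_number) findings for a configuration dump."""
    deny_acls, uses, scope, acl = set(), [], "system", None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl (?:number )?(\d+)", line):
            acl, scope = int(m.group(1)), "system"       # entering an ACL view
        elif line.startswith("interface "):
            acl, scope = None, line.split(None, 1)[1]    # entering an interface view
        elif acl is not None and re.match(r"rule \d+ deny\b", line):
            deny_acls.add(acl)                           # this ACL has a deny rule
        elif m := CMD.match(line):
            if not raw.startswith(" "):                  # unindented: system view or VLAN
                acl, scope = None, "system"
            uses.append((m.group(1), m.group(2), int(m.group(3)), scope))
    filter_acls = {num for kind, _, num, _ in uses if kind == "filter"}
    findings = []
    for kind, direction, num, where in uses:
        # Outbound deny also discards matching control packets sent by the CPU.
        if kind == "filter" and direction == "outbound" and num in deny_acls:
            findings.append(("outbound-deny", where, num))
        # ACL shared with traffic-filter: for permit rules, configuration order decides.
        elif kind not in ("filter", "secure") and num in filter_acls:
            findings.append(("shared-acl", where, num))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An outbound-deny finding means the ACL should be checked for whether ICMP, OSPF, BGP, RIP, SNMP, or Telnet traffic originated by the device can match the deny rule.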

Updated: 2019-04-08

Document ID: EDOC1100065653
