S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ACL-based Simplified Traffic Policy Commands


Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display traffic-statistics

Function

The display traffic-statistics command displays ACL-based traffic statistics.

Format

display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] inbound [ acl { bas-acl | adv-acl } [ rule rule-id ] ] [ secure ]

display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] inbound acl user-acl [ rule rule-id ]

display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] outbound [ acl { bas-acl | adv-acl | user-acl } [ rule rule-id ] ]

display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] inbound [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ] [ secure ]

display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] outbound [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ]

display traffic-statistics interface inbound [ secure ]

display traffic-statistics interface outbound

display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl ipv6 { bas-acl | adv-acl | acl-name } [ rule rule-id ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays ACL-based traffic statistics in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface interface-type interface-number | Displays ACL-based traffic statistics on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. If interface-type interface-number is not specified, ACL-based traffic statistics on all interfaces are displayed. | - |
| inbound | Displays ACL-based traffic statistics in the inbound direction. | - |
| outbound | Displays ACL-based traffic statistics in the outbound direction. | - |
| acl { bas-acl \| adv-acl \| user-acl } | Displays traffic statistics on packets matching a specified ACL. bas-acl specifies a basic ACL. adv-acl specifies an advanced ACL. user-acl specifies a user-defined ACL. | The value is an integer. The value of bas-acl ranges from 2000 to 2999. The value of adv-acl ranges from 3000 to 3999. The value of user-acl ranges from 5000 to 5999. |
| acl { acl-name \| l2-acl } | Displays traffic statistics on packets matching a specified ACL. acl-name specifies the name of an ACL. l2-acl specifies the number of a Layer 2 ACL. | The value of acl-name must be the name of an existing ACL. The value of l2-acl is an integer that ranges from 4000 to 4999. |
| acl ipv6 | Displays traffic statistics based on the IPv6 ACL. | - |
| rule rule-id | Displays traffic statistics on packets matching a specified ACL rule. | The IPv4 ACL rule ID is an integer that ranges from 0 to 4294967294, and the IPv6 ACL rule ID is an integer that ranges from 0 to 2047. |
| secure | Displays traffic statistics on packets based on packet filtering policies configured through the traffic-secure (interface view) or traffic-secure (system view) command. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display traffic-statistics command displays ACL-based traffic statistics on an interface or in a VLAN. The command output helps you learn about forwarded and discarded packets matching the ACL and locate faults.

Prerequisites

The traffic statistics function has been enabled using the traffic-statistic (interface view) or traffic-statistic (system view) command.

Precautions

Before running the display traffic-statistics command to display traffic statistics on packets based on packet filtering policies configured through the traffic-secure (interface view) command, you must specify the secure parameter in the traffic-statistic (interface view) command.

Before running the display traffic-statistics command to display traffic statistics on packets based on packet filtering policies configured through the traffic-secure (system view) command, you must specify the secure parameter in the traffic-statistic (system view) command.

Example

# Display statistics on packets matching ACL 3009 in the inbound direction on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] acl 3009
[HUAWEI-acl-adv-3009] rule 1 permit ip
[HUAWEI-acl-adv-3009] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-statistic inbound acl 3009
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] display traffic-statistics interface gigabitethernet 1/0/1 inbound acl 3009
---------------------------------------------------------------------------
Interface GigabitEthernet1/0/1
 ACL:3009 Rule:1
     matched:0 packets, passed:0 packets, dropped:0 packets
Table 15-29  Description of the display traffic-statistics command output

| Item | Description |
| --- | --- |
| ACL | ACL number. |
| Rule | ACL rule ID. |
| matched | Number of packets matching the ACL. |
| passed | Number of forwarded packets. |
| dropped | Number of discarded packets. |

reset traffic-statistics

Function

The reset traffic-statistics command clears ACL-based traffic statistics.

Format

reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] inbound [ acl { bas-acl | adv-acl } [ rule rule-id ] ] [ secure ]

reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] inbound acl user-acl [ rule rule-id ]

reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] outbound [ acl { bas-acl | adv-acl | user-acl } [ rule rule-id ] ]

reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] inbound [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ] [ secure ]

reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] outbound [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ]

reset traffic-statistics { interface | vlan } inbound [ secure ]

reset traffic-statistics { interface | vlan } outbound

reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl ipv6 { bas-acl | adv-acl | acl-name } [ rule rule-id ] ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Clears ACL-based traffic statistics in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface interface-type interface-number | Clears ACL-based traffic statistics on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. If interface-type interface-number is not specified, ACL-based traffic statistics on all interfaces are cleared. | - |
| inbound | Clears ACL-based traffic statistics in the inbound direction. | - |
| outbound | Clears ACL-based traffic statistics in the outbound direction. | - |
| acl { bas-acl \| adv-acl \| user-acl } | Clears traffic statistics on packets matching a specified ACL. bas-acl specifies a basic ACL. adv-acl specifies an advanced ACL. user-acl specifies a user-defined ACL. | The value is an integer. The value of bas-acl ranges from 2000 to 2999. The value of adv-acl ranges from 3000 to 3999. The value of user-acl ranges from 5000 to 5999. |
| acl { acl-name \| l2-acl } | Clears traffic statistics on packets matching a specified ACL. acl-name specifies the name of an ACL. l2-acl specifies the number of a Layer 2 ACL. | The value of acl-name must be the name of an existing ACL. The value of l2-acl is an integer that ranges from 4000 to 4999. |
| acl ipv6 | Clears traffic statistics based on the IPv6 ACL. | - |
| rule rule-id | Clears traffic statistics on packets matching a specified ACL rule. | The IPv4 ACL rule ID is an integer that ranges from 0 to 4294967294, and the IPv6 ACL rule ID is an integer that ranges from 0 to 2047. |
| secure | Clears traffic statistics on packets based on packet filtering policies configured through the traffic-secure (interface view) or traffic-secure (system view) command. | - |

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before re-collecting ACL-based traffic statistics, run the reset traffic-statistics command to clear existing statistics. Then run the display traffic-statistics command to view ACL-based traffic statistics.

Precautions

After the reset traffic-statistics command is executed, statistics are cleared and cannot be restored. Exercise caution when you use this command.

Example

# Clear statistics about incoming packets that match rule 5 in the ACL named test on GE1/0/1.

<HUAWEI> reset traffic-statistics interface gigabitethernet 1/0/1 inbound acl test rule 5
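
The following Python sketch is an added example, not part of the Huawei documentation, covering both display traffic-statistics and reset traffic-statistics: it parses the output format shown above and compares two polls, flagging counters that moved backwards because cleared statistics cannot be restored. The snapshots are constructed, the layout for several ACL rules under one interface is an assumption extrapolated from the single-rule sample, and all function names are hypothetical.

```python
import re

IFACE_RE = re.compile(r"^Interface\s+(\S+)$")
ACL_RE = re.compile(r"^ACL:(\S+)\s+Rule:(\d+)$")
COUNT_RE = re.compile(
    r"^matched:(\d+) packets, passed:(\d+) packets, dropped:(\d+) packets$"
)
COUNTERS = ("matched", "passed", "dropped")


def parse_traffic_statistics(text):
    """Return {(interface, acl, rule_id): {"matched": n, "passed": n, "dropped": n}}."""
    stats, iface, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface, key = m[1], None
        elif m := ACL_RE.match(line):
            key = (iface, m[1], int(m[2]))
        elif (m := COUNT_RE.match(line)) and key is not None:
            stats[key] = dict(zip(COUNTERS, map(int, m.groups())))
            key = None
    return stats


def diff_snapshots(before, after):
    """Return (deltas, cleared, missing) between two parsed polls.

    cleared: keys whose counters decreased. On this page that happens after
             reset traffic-statistics or traffic-delete fast-mode enable.
    missing: keys present in the earlier poll but absent from the later one.
    """
    zero = dict.fromkeys(COUNTERS, 0)
    deltas, cleared = {}, []
    for key, now in after.items():
        prev = before.get(key, zero)
        if any(now[c] < prev[c] for c in COUNTERS):
            cleared.append(key)
            prev = zero          # only the packets since the clear are known
        deltas[key] = {c: now[c] - prev[c] for c in COUNTERS}
    missing = sorted(k for k in before if k not in after)
    return deltas, cleared, missing


# Constructed sample polls in the page's output format.
POLL_1 = """\
---------------------------------------------------------------------------
Interface GigabitEthernet1/0/1
 ACL:3000 Rule:5
     matched:1200 packets, passed:0 packets, dropped:1200 packets
 ACL:3009 Rule:1
     matched:50000 packets, passed:50000 packets, dropped:0 packets
"""
POLL_2 = """\
---------------------------------------------------------------------------
Interface GigabitEthernet1/0/1
 ACL:3000 Rule:5
     matched:40 packets, passed:0 packets, dropped:40 packets
 ACL:3009 Rule:1
     matched:50700 packets, passed:50700 packets, dropped:0 packets
"""

if __name__ == "__main__":
    deltas, cleared, missing = diff_snapshots(
        parse_traffic_statistics(POLL_1), parse_traffic_statistics(POLL_2)
    )
    for key in cleared:
        print("counters cleared between polls:", key)
    for key, delta in deltas.items():
        print(key, delta)
```

A clear is only visible while the new counter is still below the previous poll's value, so the polling interval bounds what this check can catch.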

traffic-delete fast-mode enable

Function

The traffic-delete fast-mode enable command enables the device to rapidly delete ACL-based simplified traffic policies.

The undo traffic-delete fast-mode enable command disables the device from rapidly deleting ACL-based simplified traffic policies.

By default, the device is disabled from rapidly deleting ACL-based simplified traffic policies.

Format

traffic-delete fast-mode enable

undo traffic-delete fast-mode enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When multiple ACL-based simplified traffic policies are configured and the ACL contains a large number of rules, it takes a long time for the device to delete the traffic policies. To solve the problem, run the traffic-delete fast-mode enable command to enable the device to rapidly delete ACL-based simplified traffic policies.

Precautions

After the traffic-delete fast-mode enable command is executed, the traffic policy statistics are cleared.

After the traffic-delete fast-mode enable command is used, if you configure a new ACL-based simplified traffic policy, the original ACL-based simplified traffic policy becomes invalid temporarily and takes effect only when the new ACL-based simplified traffic policy is applied successfully.

Example

# Enable the device to rapidly delete ACL-based simplified traffic policies.

<HUAWEI> system-view
[HUAWEI] traffic-delete fast-mode enable

traffic-filter (interface view)

Function

The traffic-filter command applies an ACL to an interface to filter packets on the interface.

The undo traffic-filter command cancels the configuration.

By default, no ACL is applied to an interface to filter packets on the interface.

Format

Use the following command in the inbound direction on an interface:

traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

undo traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

Use the following command in the outbound direction on an interface:

traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

undo traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

undo traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| inbound | Configures ACL-based packet filtering in the inbound direction on an interface. | - |
| outbound | Configures ACL-based packet filtering in the outbound direction on an interface. | - |
| acl | Filters packets based on the IPv4 ACL. | - |
| ipv6 | Configures IPv6 ACL-based packet filtering. | - |
| bas-acl | Filters packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Filters packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Filters packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Filters packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Filters packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Filters packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-filter command is executed on an interface, the device filters packets matching ACL rules:

  • If the action in an ACL rule is deny, the device discards packets matching the rule.
  • If the action in an ACL rule is permit, the device forwards packets matching the rule.
  • If no rule is matched, packets are allowed to pass through.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

If the traffic-filter (system view) and traffic-filter (interface view) commands are used simultaneously, the traffic-filter (interface view) command takes effect.

When the deny action is defined in the ACL rule associated with the traffic-filter command, the ACL rule can only be associated with the traffic-mirror (interface view), traffic-mirror (system view), traffic-statistic (interface view), or traffic-statistic (system view) command. If the ACL rule is associated with other simplified traffic policies, the simplified traffic policies may not take effect.

When the permit action is defined in the ACL rule associated with the traffic-filter command, the ACL rule can be associated with other simplified traffic policies.

When the ACL rule containing the logging field is associated with the traffic-filter command, logs are recorded when packets are discarded or forwarded.

If an ACL rule defines deny and traffic-filter based on the ACL is applied to the outbound direction, when packets match the ACL rule, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This affects relevant protocol functions.

Example

# On GE1/0/1, configure packet filtering based on an ACL that rejects packets with source IP address 192.168.0.2/32.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-filter inbound acl 3000

traffic-filter (system view)

Function

The traffic-filter command configures ACL-based packet filtering globally or in a VLAN.

The undo traffic-filter command cancels ACL-based packet filtering globally or in a VLAN.

By default, ACL-based packet filtering is not configured globally or in a VLAN.

NOTE:

When ACL-based packet filtering is implemented in the system or in a VLAN, the ACL number is in the range of 2000 to 5999. When ACL-based packet filtering is implemented for user access control on the NAC network, the ACL number is in the range of 6000 to 9999. See traffic-filter acl.

Format

To configure ACL-based packet filtering in the inbound direction on a switch, use the following command:

traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

To configure ACL-based packet filtering in the outbound direction on a switch, use the following command:

traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Configures ACL-based packet filtering in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| inbound | Configures ACL-based packet filtering in the inbound direction. | - |
| outbound | Configures ACL-based packet filtering in the outbound direction. NOTE: Packet filtering based on the user-defined ACL cannot be applied to the outbound direction. | - |
| acl | Filters packets based on the IPv4 ACL. | - |
| ipv6 | Filters packets based on the IPv6 ACL. | - |
| bas-acl | Filters packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Filters packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Filters packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Filters packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Specifies the name of an ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Filters packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-filter command is executed on the device, the device filters packets matching an ACL rule:

  • If the action in the ACL rule is deny, the device discards packets matching the rule.
  • If the action in the ACL rule is permit, the device forwards packets matching the rule.
  • If no rule is matched, packets are allowed to pass through.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-filter (system view) and traffic-filter (interface view) commands are used simultaneously, the traffic-filter (interface view) command takes effect.

When the deny action is defined in the ACL rule associated with the traffic-filter command, the ACL rule can only be associated with the traffic-mirror (interface view), traffic-mirror (system view), traffic-statistic (interface view), or traffic-statistic (system view) command. If the ACL rule is associated with other simplified traffic policies, the simplified traffic policies may not take effect.

When the permit action is defined in the ACL rule associated with the traffic-filter command, the ACL rule can be associated with other simplified traffic policies.

When the ACL rule containing the logging field is associated with the traffic-filter command, logs are recorded when packets are discarded or forwarded.

If an ACL rule defines deny and traffic-filter based on the ACL is applied to the outbound direction, when packets match the ACL rule, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This affects relevant protocol functions.

Example

# Configure ACL-based packet filtering in VLAN 100. The ACL rejects packets with source IP address 192.168.0.2/32.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] acl name test 3000
[HUAWEI-acl-adv-test] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-test] quit
[HUAWEI] traffic-filter vlan 100 inbound acl name test
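
The filtering behaviour described for traffic-filter in both the interface view and the system view, modelled as an added Python example (not Huawei code): because unmatched packets pass, an ACL made only of permit rules blocks nothing. It assumes rules are evaluated in ascending rule-ID order and handles only the `rule <id> {permit|deny} ip [source <addr> <wildcard>]` form used in the page's examples; ALLOWLIST, verdict and audit_binding are hypothetical names.

```python
import ipaddress
import re

RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<addr>\S+)\s+(?P<wild>\S+))?$"
)


def _to_int(text):
    # The page writes the host wildcard as a bare "0" (192.168.0.2 0 == /32).
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse rule lines into dicts, sorted by rule ID (assumed match order)."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if m["addr"]:
            addr, wild = _to_int(m["addr"]), _to_int(m["wild"])
        else:
            addr, wild = 0, 0xFFFFFFFF      # no source clause: any address
        rules.append({"id": int(m["id"]), "action": m["action"],
                      "addr": addr, "wild": wild})
    return sorted(rules, key=lambda r: r["id"])


def verdict(rules, src_ip):
    """Return (result, rule_id) for a packet with the given source address."""
    src = int(ipaddress.IPv4Address(src_ip))
    for rule in rules:
        care = ~rule["wild"] & 0xFFFFFFFF   # wildcard bits set to 1 are ignored
        if src & care == rule["addr"] & care:
            result = "discard" if rule["action"] == "deny" else "forward"
            return result, rule["id"]
    return "forward", None                  # no rule matched: packet passes


def audit_binding(direction, acl_number, rules):
    """Flag bindings whose effect differs from what an operator may expect."""
    findings = []
    has_deny = any(r["action"] == "deny" for r in rules)
    if not has_deny:
        findings.append("no deny rule: unmatched packets pass, "
                        "so this filter blocks nothing")
    if direction == "outbound" and has_deny:
        findings.append("outbound deny: matching ICMP, OSPF, BGP, RIP, SNMP and "
                        "Telnet control packets sent by the CPU are discarded")
    if direction == "outbound" and 5000 <= acl_number <= 5999:
        findings.append("user-defined ACL cannot be applied outbound")
    return findings


# The rule from the page's examples (ACL 3000 / ACL "test").
ACL_3000 = ["rule 5 deny ip source 192.168.0.2 0"]
# Constructed: an intended allowlist, and the same ACL with a closing deny.
ALLOWLIST = ["rule 5 permit ip source 10.1.0.0 0.0.255.255"]
ALLOWLIST_FIXED = ALLOWLIST + ["rule 100 deny ip"]

if __name__ == "__main__":
    for name, acl in (("ACL_3000", ACL_3000), ("ALLOWLIST", ALLOWLIST),
                      ("ALLOWLIST_FIXED", ALLOWLIST_FIXED)):
        rules = parse_acl(acl)
        for ip in ("192.168.0.2", "10.1.2.3", "172.16.9.9"):
            print(name, ip, verdict(rules, ip))
        print(name, "inbound findings:", audit_binding("inbound", 3000, rules))
```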

traffic-limit (interface view)

Function

The traffic-limit command configures ACL-based traffic policing on an interface.

The undo traffic-limit command cancels ACL-based traffic policing on an interface.

By default, ACL-based traffic policing is not configured on an interface.

Format

Use the following command in the inbound direction on a switch interface:

traffic-limit inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ] ]

undo traffic-limit inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

Use the following command in the outbound direction on a switch interface:

traffic-limit outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] ]

undo traffic-limit outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 and Layer 3 ACLs are configured and traffic policing is used in the inbound direction on a switch interface, use the following command:

traffic-limit inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ]

undo traffic-limit inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-limit inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ]

undo traffic-limit inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-limit inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ]

undo traffic-limit inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

If both Layer 2 and Layer 3 ACLs are configured and traffic policing is used in the outbound direction on a switch interface, use the following command:

traffic-limit outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]

undo traffic-limit outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-limit outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]

undo traffic-limit outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-limit outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]

undo traffic-limit outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| inbound | Performs traffic policing for packets in the inbound direction of an interface. | - |
| outbound | Performs traffic policing for packets in the outbound direction of an interface. | - |
| acl | Performs traffic policing for packets based on the IPv4 ACL. | - |
| ipv6 | Performs traffic policing for packets based on the IPv6 ACL. | - |
| bas-acl | Performs traffic policing for packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Performs traffic policing for packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Performs traffic policing for packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Performs traffic policing for packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Performs traffic policing for packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Performs traffic policing for packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| cir cir-value | Specifies the committed information rate (CIR), which is the guaranteed average transmission rate. | The value is an integer that ranges from 8 to 4294967295, in kbit/s. |
| pir pir-value | Specifies the peak information rate (PIR), which is the maximum rate at which traffic can pass through. | The value is an integer that ranges from 8 to 4294967295, in kbit/s. The PIR must be greater than or equal to the CIR. The default PIR is equal to the CIR. |
| cbs cbs-value | Specifies the committed burst size (CBS), which is the average volume of burst traffic that can pass through an interface. | The value is an integer that ranges from 4000 to 4294967295, in bytes. The default CBS is 125 times the CIR. If the CIR multiplied by 125 is smaller than 4000, the default CBS is 4000. |
| pbs pbs-value | Specifies the peak burst size (PBS), which is the maximum volume of burst traffic that can pass through an interface. | The value is an integer that ranges from 4000 to 4294967295, in bytes. If the PIR is not set, the default PBS is 125 times the CIR. If the PIR is set, the default PBS is 125 times the PIR. If the CIR or PIR multiplied by 125 is smaller than 4000, the default PBS is 4000. |
| green | Performs traffic policing for green packets. By default, green packets are allowed to pass through. | - |
| yellow | Performs traffic policing for yellow packets. By default, yellow packets are allowed to pass through. | - |
| red | Performs traffic policing for red packets. By default, red packets are discarded. | - |
| remark-8021p 8021p-value | Re-marks the 802.1p priority in packets. | The value is an integer that ranges from 0 to 7. |
| remark-dscp dscp-value | Re-marks the DSCP priority in packets. | The value is an integer that ranges from 0 to 63. |
| drop | Indicates that packets are discarded. | - |
| pass | Indicates that packets are allowed to pass through. | - |

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-limit command is executed on an interface, the device limits the rate and re-marks the 802.1p or DSCP priority of packets matching an ACL.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

If the traffic-limit (system view) and traffic-limit (interface view) commands are used simultaneously, the traffic-limit (interface view) command takes effect.

When the traffic-limit (interface view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:

  • If the deny action is configured in the ACL rule, traffic is discarded.
  • If the permit action is configured in the ACL rule, the traffic rate is limited.

If the traffic-limit command with the same ACL rule specified is executed two or more times in the interface view, the system displays the following information:

Error:Sacl does not support config the same acl or rule repeatedly.

Example

# Configure ACL-based traffic policing in the inbound direction on GE1/0/1, set the CIR to 10000 kbit/s for packets matching ACL 3000, configure GE1/0/1 to allow green packets, yellow packets, and red packets to pass through, and re-mark the DSCP priority of red packets with 5.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-limit inbound acl 3000 cir 10000 green pass yellow pass red pass remark-dscp 5

traffic-limit (system view)

Function

The traffic-limit command configures ACL-based traffic policing globally or in a VLAN.

The undo traffic-limit command cancels ACL-based traffic policing globally or in a VLAN.

By default, ACL-based traffic policing is not configured globally or in a VLAN.

Format

To configure ACL-based traffic policing in the inbound direction on a switch, use the following command:

traffic-limit [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ] ]

undo traffic-limit [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

To configure ACL-based traffic policing in the outbound direction on a switch, use the following command:

traffic-limit [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] ]

undo traffic-limit [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 and Layer 3 ACLs are configured and traffic policing is used in the inbound direction on a switch, use the following command:

traffic-limit [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ]

undo traffic-limit [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-limit [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ]

undo traffic-limit [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-limit [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-dscp dscp-value ] } ]

undo traffic-limit [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

If both Layer 2 and Layer 3 ACLs are configured and traffic policing is used in the outbound direction on a switch, use the following command:

traffic-limit [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]

undo traffic-limit [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-limit [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]

undo traffic-limit [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-limit [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]

undo traffic-limit [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Specifies a VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| inbound | Performs traffic policing for packets in the inbound direction. | - |
| outbound | Performs traffic policing for packets in the outbound direction. | - |
| acl | Performs traffic policing for packets based on the IPv4 ACL. | - |
| ipv6 | Performs traffic policing for packets based on the IPv6 ACL. | - |
| bas-acl | Performs traffic policing for packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Performs traffic policing for packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Performs traffic policing for packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Performs traffic policing for packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Performs traffic policing for packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Performs traffic policing for packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| cir cir-value | Specifies the committed information rate (CIR), which is the guaranteed average transmission rate. | The value is an integer that ranges from 8 to 4294967295, in kbit/s. |
| pir pir-value | Specifies the peak information rate (PIR), which is the maximum rate at which traffic can pass through. | The value is an integer that ranges from 8 to 4294967295, in kbit/s. The PIR must be greater than or equal to the CIR. The default PIR is equal to the CIR. |
| cbs cbs-value | Specifies the committed burst size (CBS), which is the average volume of burst traffic that can pass through an interface. | The value is an integer that ranges from 4000 to 4294967295, in bytes. The default CBS is 125 times the CIR. If the CIR multiplied by 125 is smaller than 4000, the default CBS is 4000. |
| pbs pbs-value | Specifies the peak burst size (PBS), which is the maximum volume of burst traffic that can pass through an interface. | The value is an integer that ranges from 4000 to 4294967295, in bytes. If the PIR is not set, the default PBS is 125 times the CIR. If the PIR is set, the default PBS is 125 times the PIR. If the CIR or PIR multiplied by 125 is smaller than 4000, the default PBS is 4000. |
| green | Performs traffic policing for green packets. By default, green packets are allowed to pass through. | - |
| yellow | Performs traffic policing for yellow packets. By default, yellow packets are allowed to pass through. | - |
| red | Performs traffic policing for red packets. By default, red packets are discarded. | - |
| remark-8021p 8021p-value | Re-marks the 802.1p priority in packets. | The value is an integer that ranges from 0 to 7. |
| remark-dscp dscp-value | Re-marks the DSCP priority in packets. | The value is an integer that ranges from 0 to 63. |
| drop | Indicates that packets are discarded. | - |
| pass | Indicates that packets are allowed to pass through. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-limit command is executed on the device, the device limits the rate and re-marks the 802.1p or DSCP priority of packets matching an ACL.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-limit (interface view) and traffic-limit (system view) commands are used simultaneously, the traffic-limit (interface view) command takes effect.

When the traffic-limit (system view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:

  • If the deny action is configured in the ACL rule, traffic is discarded.
  • If the permit action is configured in the ACL rule, the traffic rate is limited.

Example

# In the inbound direction in VLAN 100, configure traffic policing based on ACL 3000, set the CIR to 10000 kbit/s, and configure the device to permit green and yellow packets to pass through and to discard red packets.

<HUAWEI> system-view
[HUAWEI] traffic-limit vlan 100 inbound acl 3000 cir 10000 green pass yellow pass red drop
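
The defaults and ranges in the Parameters table can be checked mechanically before a traffic-limit line is pushed to a device. The following Python sketch is an added example, not Huawei code: the function names are hypothetical, it handles only the single-ACL system-view form shown under Format, and it adds a note when every color is set to pass, because such a command re-marks traffic but never discards it.

```python
U32_MAX = 4294967295
# ACL number ranges and value ranges copied from the Parameters table.
ACL_RANGES = {"bas-acl": (2000, 2999), "adv-acl": (3000, 3999),
              "l2-acl": (4000, 4999), "user-acl": (5000, 5999)}
NUM_RANGES = {"vlan": (1, 4094), "rule": (0, 4294967294),
              "cir": (8, U32_MAX), "pir": (8, U32_MAX),
              "cbs": (4000, U32_MAX), "pbs": (4000, U32_MAX),
              "remark-dscp": (0, 63), "remark-8021p": (0, 7)}
COLORS = ("green", "yellow", "red")


def default_burst(rate_kbps):
    """Default CBS or PBS in bytes: 125 times the rate, never below 4000."""
    return max(125 * rate_kbps, 4000)


def resolve_traffic_limit(line):
    """Return (settings, findings) for one single-ACL traffic-limit command."""
    tok = line.split()
    if tok[:1] != ["traffic-limit"]:
        raise ValueError("not a traffic-limit command")
    cfg = {"vlan": None, "direction": None, "ipv6": False, "acl": None,
           "rule": None, "cir": None, "pir": None, "cbs": None, "pbs": None,
           "actions": {"green": "pass", "yellow": "pass", "red": "drop"},
           "remark": {}}
    findings, color, action, i = [], None, None, 1
    while i < len(tok):
        t = tok[i]
        if t in ("inbound", "outbound"):
            cfg["direction"] = t
        elif t == "ipv6":
            cfg["ipv6"] = True
        elif t == "acl":
            pass  # the ACL number or "name <acl-name>" follows
        elif t in COLORS:
            color, action = t, None
        elif t in ("pass", "drop") and color:
            action = cfg["actions"][color] = t
        elif t == "name" or t in NUM_RANGES:
            if i + 1 >= len(tok):
                findings.append(f"{t}: value missing")
                break
            i += 1
            if t == "name":
                cfg["acl"] = tok[i]
            elif not tok[i].isdigit():
                findings.append(f"{t}: {tok[i]!r} is not an integer")
            else:
                value = int(tok[i])
                lo, hi = NUM_RANGES[t]
                if not lo <= value <= hi:
                    findings.append(f"{t}: {value} outside {lo}-{hi}")
                if not t.startswith("remark-"):
                    cfg[t] = value
                elif action != "pass":
                    findings.append(f"{t}: allowed only after '<color> pass'")
                else:
                    cfg["remark"][color] = (t, value)
        elif t.isdigit() and cfg["acl"] is None:
            cfg["acl"] = int(t)
        else:
            findings.append(f"unexpected token {t!r}")
        i += 1
    return _apply_defaults(cfg, findings)


def _apply_defaults(cfg, findings):
    """Fill in the documented defaults and run the cross-field checks."""
    acl = cfg["acl"]
    cfg["acl_type"] = "named" if isinstance(acl, str) else next(
        (name for name, (lo, hi) in ACL_RANGES.items()
         if acl is not None and lo <= acl <= hi), None)
    if cfg["acl_type"] is None:
        findings.append(f"acl: {acl} is not in a documented ACL range")
    if cfg["direction"] == "outbound" and cfg["acl_type"] == "user-acl":
        findings.append("acl: user-acl is not in the outbound format")
    if cfg["direction"] == "inbound" and any(
            kind == "remark-8021p" for kind, _ in cfg["remark"].values()):
        findings.append("remark-8021p: not in the inbound format")
    if cfg["ipv6"] and (cfg["rule"] or 0) > 2047:
        findings.append("rule: IPv6 ACL rule ID outside 0-2047")
    if cfg["cir"] is None:
        findings.append("cir: mandatory keyword missing")
        return cfg, findings
    if (cfg["cbs"] is None) != (cfg["pbs"] is None):
        findings.append("cbs/pbs: must be configured together")
    if cfg["pir"] is None:
        cfg["pir"] = cfg["cir"]                   # default PIR equals the CIR
    elif cfg["pir"] < cfg["cir"]:
        findings.append("pir: must be greater than or equal to cir")
    if cfg["cbs"] is None:
        cfg["cbs"] = default_burst(cfg["cir"])
    if cfg["pbs"] is None:
        cfg["pbs"] = default_burst(cfg["pir"])    # PIR if set, otherwise the CIR
    if set(cfg["actions"].values()) == {"pass"}:
        findings.append("note: every color passes, so nothing is discarded")
    return cfg, findings
```

Calling resolve_traffic_limit() on the VLAN 100 example above returns no findings and an effective CBS and PBS of 1250000 bytes each.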

traffic-mirror (interface view)

Function

The traffic-mirror command configures ACL-based flow mirroring on an interface.

The undo traffic-mirror command cancels ACL-based flow mirroring on an interface.

By default, ACL-based flow mirroring is not configured on an interface.

Format

To configure a single ACL, use the following command:

traffic-mirror inbound { acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } } [ rule rule-id ] to observe-port o-index

undo traffic-mirror inbound { acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-mirror inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] to observe-port o-index

undo traffic-mirror inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-mirror inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] to observe-port o-index

undo traffic-mirror inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

traffic-mirror inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] to observe-port o-index

undo traffic-mirror inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Mirrors packets in the inbound direction on an interface. | - |
| acl | Mirrors packets based on the IPv4 ACL. | - |
| ipv6 | Mirrors packets based on the IPv6 ACL. | - |
| bas-acl | Mirrors packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Mirrors packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Mirrors packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Mirrors packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Mirrors packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Mirrors packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| to observe-port o-index | Specifies the index of the observing port to which packets are mirrored. | The value is an integer that ranges from 1 to 8. |

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the traffic-mirror command is configured, the device can perform flow mirroring or remote flow mirroring, without affecting traffic forwarding.

Prerequisites

An observing port has been created through the observe-port (local mirroring) or observe-port (remote mirroring) command.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

If the traffic-mirror (system view) and traffic-mirror (interface view) commands are used simultaneously, the traffic-mirror (interface view) command takes effect.

Example

# Configure ACL-based flow mirroring in the inbound direction on GE1/0/1, and mirror the packets matching ACL 3000 to the observing port with the index of 1.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-mirror inbound acl 3000 to observe-port 1

traffic-mirror (system view)

Function

The traffic-mirror command configures ACL-based flow mirroring globally or in a VLAN.

The undo traffic-mirror command cancels ACL-based flow mirroring globally or in a VLAN.

By default, ACL-based flow mirroring is not configured globally or in a VLAN.

Format

To configure a single ACL, use the following command:

traffic-mirror [ vlan vlan-id ] inbound { acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } } [ rule rule-id ] to observe-port o-index

undo traffic-mirror [ vlan vlan-id ] inbound { acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-mirror [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] to observe-port o-index

undo traffic-mirror [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-mirror [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] to observe-port o-index

undo traffic-mirror [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-mirror [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] to observe-port o-index

undo traffic-mirror [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Specifies a VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| inbound | Mirrors packets in the inbound direction. | - |
| acl | Mirrors packets based on the IPv4 ACL. | - |
| ipv6 | Mirrors packets based on the IPv6 ACL. | - |
| bas-acl | Mirrors packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Mirrors packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Mirrors packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Mirrors packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Mirrors packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Mirrors packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| to observe-port o-index | Specifies the index of the observing port to which packets are mirrored. | The value is an integer that ranges from 1 to 8. |

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the traffic-mirror command is configured, the device can perform flow mirroring or remote flow mirroring, without affecting traffic forwarding.

Prerequisites

An observing port has been created through the observe-port (local mirroring) or observe-port (remote mirroring) command.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-mirror (interface view) and traffic-mirror (system view) commands are used simultaneously, the traffic-mirror (interface view) command takes effect.

Example

# Configure ACL-based flow mirroring in the inbound direction in VLAN 100, and mirror the packets matching ACL 3000 to the observing port with the index of 1.

<HUAWEI> system-view
[HUAWEI] observe-port 1 interface gigabitethernet 1/0/1
[HUAWEI] traffic-mirror vlan 100 inbound acl 3000 to observe-port 1

traffic-redirect (interface view)

Function

The traffic-redirect command configures ACL-based redirection on an interface.

The undo traffic-redirect command cancels ACL-based redirection on an interface.

By default, ACL-based redirection is not configured on an interface.

Format

To configure a single ACL, use the following command:

traffic-redirect inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-redirect inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-redirect inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-redirect inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Redirects packets in the inbound direction on an interface. | - |
| acl | Redirects packets based on the IPv4 ACL. | - |
| ipv6 | Redirects packets based on the IPv6 ACL. | - |
| bas-acl | Redirects packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Redirects packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Redirects packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Redirects packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Redirects packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Redirects packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| cpu | Redirects packets to the CPU. | - |
| interface interface-type interface-number | Redirects packets to a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| vpn-instance vpn-instance-name | Redirects packets to a VPN instance. | The value must be an existing VPN instance name. |
| ip-nexthop ip-nexthop | Redirects packets to a next-hop IPv4 address. | The value is in dotted decimal notation. |
| ipv6-nexthop ipv6-nexthop | Redirects packets to a next-hop IPv6 address. | The address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-redirect command is executed on an interface, the device redirects packets matching an ACL to the CPU, a specified interface, or a specified next hop address.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

If the traffic-redirect (system view) and traffic-redirect (interface view) commands are used simultaneously, the traffic-redirect (interface view) command takes effect.

The switch supports inter-card redirection for inbound flows. The switch can redirect the flows that meet certain conditions to the CPU, other interfaces, or other IP addresses.

When the traffic-redirect (interface view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:

  • If the deny action is configured in the ACL rule, traffic is discarded.
  • If the permit action is configured in the ACL rule, traffic is redirected.

Before redirecting packets to an IPv6 address using this command, run the ipv6 neighbor command to configure a static neighbor.

Redirection to the specified interface (excluding a tunnel interface) only takes effect on L2 traffic.

If packets are redirected to the CPU, a large number of packets will be sent to the CPU, affecting normal services. Exercise caution when you configure redirection to the CPU.

Example

# Configure ACL-based redirection in the inbound direction on GE1/0/1, and redirect packets matching ACL 3000 to GE2/0/0.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-redirect inbound acl 3000 interface gigabitethernet 2/0/0

traffic-redirect (system view)

Function

The traffic-redirect command configures ACL-based redirection globally or in a VLAN.

The undo traffic-redirect command cancels ACL-based redirection globally or in a VLAN.

By default, ACL-based redirection is not configured globally or in a VLAN.

NOTE:

When ACL-based redirection is implemented in the system or in a VLAN, the ACL number is in the range of 2000 to 5999. When ACL-based redirection is implemented on the NAC network, the ACL number is in the range of 6000 to 9999. See traffic-redirect acl.

Format

To configure a single ACL, use the following command:

traffic-redirect [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-redirect [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-redirect [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-redirect [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }

undo traffic-redirect [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Specifies a VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| inbound | Redirects packets in the inbound direction. | - |
| acl | Redirects packets based on the IPv4 ACL. | - |
| ipv6 | Redirects packets based on the IPv6 ACL. | - |
| bas-acl | Redirects packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Redirects packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Redirects packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Redirects packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Redirects packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Redirects packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| cpu | Redirects packets to the CPU. | - |
| interface interface-type interface-number | Redirects packets to a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| vpn-instance vpn-instance-name | Redirects packets to a VPN instance. | The value must be an existing VPN instance name. |
| ip-nexthop ip-nexthop | Redirects packets to a next-hop IPv4 address. | The value is in dotted decimal notation. |
| ipv6-nexthop ipv6-nexthop | Redirects packets to a next-hop IPv6 address. | The address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-redirect command is executed on the device, the device redirects packets matching an ACL to the CPU, a specified interface, or a specified next hop address.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-redirect (interface view) and traffic-redirect (system view) commands are used simultaneously, the traffic-redirect (interface view) command takes effect.

When the traffic-redirect (system view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:

  • If the deny action is configured in the ACL rule, traffic is discarded.
  • If the permit action is configured in the ACL rule, traffic is redirected.

Before redirecting packets to an IPv6 address using this command, run the ipv6 neighbor command to configure a static neighbor.

Redirection to the specified interface (excluding a tunnel interface) only takes effect on L2 traffic.

If packets are redirected to the CPU, a large number of packets will be sent to the CPU, affecting normal services. Exercise caution when you configure redirection to the CPU.

Example

# Configure ACL-based redirection in the inbound direction in VLAN 100, and redirect packets matching ACL 3000 to GE1/0/1.

<HUAWEI> system-view
[HUAWEI] traffic-redirect vlan 100 inbound acl 3000 interface gigabitethernet 1/0/1

traffic-remark (interface view)

Function

The traffic-remark command configures ACL-based re-marking on an interface.

The undo traffic-remark command cancels ACL-based re-marking on an interface.

By default, ACL-based re-marking is not configured on an interface.

Format

To configure ACL-based re-marking in the inbound direction on a switch interface, use the following command:

traffic-remark inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

To configure ACL-based re-marking in the outbound direction on a switch interface, use the following command:

traffic-remark outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

If both Layer 2 and Layer 3 ACLs are configured and re-marking is used in the inbound direction on a switch interface, use the following command:

traffic-remark inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

traffic-remark inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

traffic-remark inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

If both Layer 2 and Layer 3 ACLs are configured and re-marking is used in the outbound direction on a switch interface, use the following command:

traffic-remark outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

traffic-remark outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

traffic-remark outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

Parameters

Parameter

Description

Value

inbound

Re-marks packets in the inbound direction.

-

outbound

Re-marks packets in the outbound direction.

-

acl

Re-marks packets based on the IPv4 ACL.

-

ipv6

Re-marks packets based on the IPv6 ACL.

-

bas-acl

Re-marks packets based on a specified basic ACL.

The value is an integer that ranges from 2000 to 2999.

adv-acl

Re-marks packets based on a specified advanced ACL.

The value is an integer that ranges from 3000 to 3999.

l2-acl

Re-marks packets based on a specified Layer 2 ACL.

The value is an integer that ranges from 4000 to 4999.

user-acl

Re-marks packets based on a specified user-defined ACL.

The value is an integer that ranges from 5000 to 5999.

name acl-name

Re-marks packets based on a specified named ACL. acl-name specifies the name of the ACL.

The value must be the name of an existing ACL.

rule rule-id

Re-marks packets based on a specified ACL rule.

The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047.

8021p 8021p-value

Re-marks the 802.1p priority in packets.

The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority.

cvlan-id cvlan-id

Re-marks the inner VLAN tag in QinQ packets.

The value is an integer that ranges from 1 to 4094.

destination-mac mac-address

Re-marks the destination MAC address in packets.

NOTE:
The destination MAC address in packets cannot be re-marked on X series cards.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits.

dscp { dscp-name | dscp-value }

Re-marks the DSCP service type in packets.

The value can be an integer in the range of 0 to 63, or a DSCP service name, for example, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1 to cs7, default, or ef.

The values corresponding to DSCP service names are as follows:

  • af11: 10
  • af12: 12
  • af13: 14
  • af21: 18
  • af22: 20
  • af23: 22
  • af31: 26
  • af32: 28
  • af33: 30
  • af41: 34
  • af42: 36
  • af43: 38
  • cs1: 8
  • cs2: 16
  • cs3: 24
  • cs4: 32
  • cs5: 40
  • cs6: 48
  • cs7: 56
  • default: 0
  • ef: 46

By default, the dscp-value is 0.

local-precedence local-precedence-value

Re-marks the local IP precedence in packets.

The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority.

vlan-id vlan-id

Re-marks the VLAN ID in packets.

The value is an integer that ranges from 1 to 4094.

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-remark command is executed on an interface, the device re-marks fields in packets matching an ACL, for example, the 802.1p priority, inner VLAN tag in QinQ packets, destination MAC address, DSCP service type, local IP precedence, IP precedence, and VLAN ID.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The destination MAC address and VLAN ID in packets cannot be re-marked.

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

If the traffic-remark (system view) and traffic-remark (interface view) commands are used simultaneously, the traffic-remark (interface view) command takes effect.

When the traffic-remark (interface view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:

  • If the deny action is configured in the ACL rule, traffic is discarded.
  • If the permit action is configured in the ACL rule, traffic is re-marked.

Example

# Configure ACL-based re-marking in the inbound direction on GE1/0/1, and re-mark the VLAN ID in packets from source MAC address 0-0-1 with 100.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule 5 permit source-mac 0-0-1
[HUAWEI-acl-L2-4001] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-remark inbound acl 4001 rule 5 vlan-id 100

traffic-remark (system view)

Function

The traffic-remark command configures ACL-based re-marking globally or in a VLAN.

The undo traffic-remark command cancels ACL-based re-marking globally or in a VLAN.

By default, ACL-based re-marking is not configured globally or in a VLAN.

Format

To configure ACL-based re-marking in the inbound direction on a switch, use the following command:

traffic-remark [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

To configure ACL-based re-marking in the outbound direction on a switch, use the following command:

traffic-remark [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

If both Layer 2 and Layer 3 ACLs are configured and re-marking is used in the inbound direction on a switch, use the following command:

traffic-remark [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

traffic-remark [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

traffic-remark [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p | destination-mac | dscp | local-precedence | vlan-id }

If both Layer 2 and Layer 3 ACLs are configured and re-marking is used in the outbound direction on a switch, use the following command:

traffic-remark [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

traffic-remark [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

traffic-remark [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }

undo traffic-remark [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { 8021p | cvlan-id | dscp | vlan-id }

Parameters

Parameter

Description

Value

vlan vlan-id

Configures ACL-based re-marking in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

inbound

Re-marks packets in the inbound direction.

-

outbound

Re-marks packets in the outbound direction.

-

acl

Re-marks packets based on the IPv4 ACL.

-

ipv6

Re-marks packets based on the IPv6 ACL.

-

bas-acl

Re-marks packets based on a specified basic ACL.

The value is an integer that ranges from 2000 to 2999.

adv-acl

Re-marks packets based on a specified advanced ACL.

The value is an integer that ranges from 3000 to 3999.

l2-acl

Re-marks packets based on a specified Layer 2 ACL.

The value is an integer that ranges from 4000 to 4999.

user-acl

Re-marks packets based on a specified user-defined ACL.

The value is an integer that ranges from 5000 to 5999.

name acl-name

Re-marks packets based on a specified named ACL. acl-name specifies the name of the ACL.

The value must be the name of an existing ACL.

rule rule-id

Re-marks packets based on a specified ACL rule.

The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047.

8021p 8021p-value

Re-marks the 802.1p priority in packets.

The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority.

cvlan-id cvlan-id

Re-marks the inner VLAN tag in QinQ packets.

The value is an integer that ranges from 1 to 4094.

destination-mac mac-address

Re-marks the destination MAC address in packets.

NOTE:
The destination MAC address in packets cannot be re-marked on X series cards.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits.

dscp { dscp-name | dscp-value }

Re-marks the DSCP priority in packets.

The value can be an integer in the range of 0 to 63, or a DSCP service name, for example, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1 to cs7, default, or ef.

The values corresponding to DSCP service names are as follows:

  • af11: 10
  • af12: 12
  • af13: 14
  • af21: 18
  • af22: 20
  • af23: 22
  • af31: 26
  • af32: 28
  • af33: 30
  • af41: 34
  • af42: 36
  • af43: 38
  • cs1: 8
  • cs2: 16
  • cs3: 24
  • cs4: 32
  • cs5: 40
  • cs6: 48
  • cs7: 56
  • default: 0
  • ef: 46

By default, the dscp-value is 0.

local-precedence local-precedence-value

Re-marks the local IP precedence in packets.

The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority.

vlan-id vlan-id

Re-marks the VLAN ID in packets.

The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-remark command is executed on the device, the device re-marks fields in packets matching an ACL, for example, the 802.1p priority, inner VLAN tag in QinQ packets, destination MAC address, DSCP service type, local IP precedence, IP precedence, and VLAN ID.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-remark (interface view) and traffic-remark (system view) commands are used simultaneously, the traffic-remark (interface view) command takes effect.

When the traffic-remark (system view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:

  • If the deny action is configured in the ACL rule, traffic is discarded.
  • If the permit action is configured in the ACL rule, traffic is re-marked.

Example

# Configure ACL-based re-marking in the inbound direction in VLAN 100, and re-mark the VLAN ID in packets from source MAC address 0-0-1 with 101.

<HUAWEI> system-view
[HUAWEI] acl 4001
[HUAWEI-acl-L2-4001] rule 5 permit source-mac 0-0-1
[HUAWEI-acl-L2-4001] quit
[HUAWEI] traffic-remark vlan 100 inbound acl 4001 rule 5 vlan-id 101
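The following Python validator is an added example, not part of the Huawei documentation. It checks a single-ACL traffic-remark line (interface-view or system-view form) against the Format and Parameters sections above before the line is pushed to a device. The function names are hypothetical, and the two-ACL (Layer 2 plus Layer 3) forms are out of scope.

```python
import re

# Ranges and names below are the ones listed in the parameter tables on this page.
ACL_KINDS = {"bas-acl": range(2000, 3000), "adv-acl": range(3000, 4000),
             "l2-acl": range(4000, 5000), "user-acl": range(5000, 6000)}
DSCP_NAMES = {"af11": 10, "af12": 12, "af13": 14, "af21": 18, "af22": 20, "af23": 22,
              "af31": 26, "af32": 28, "af33": 30, "af41": 34, "af42": 36, "af43": 38,
              "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40, "cs6": 48,
              "cs7": 56, "default": 0, "ef": 46}
MAC_RE = re.compile(r"^[0-9a-fA-F]{1,4}(-[0-9a-fA-F]{1,4}){2}$")  # H-H-H format


def _int_in(token, low, high, what):
    if not token.isdigit() or not low <= int(token) <= high:
        raise ValueError(f"{what} must be an integer from {low} to {high}: {token!r}")
    return int(token)


def _dscp(token):
    if token.lower() in DSCP_NAMES:
        return DSCP_NAMES[token.lower()]
    return _int_in(token, 0, 63, "dscp")


def _mac(token):
    if not MAC_RE.match(token):
        raise ValueError(f"destination-mac must be in H-H-H format: {token!r}")
    return token.lower()


# Action keyword -> (directions in which the Format section lists it, value parser).
ACTIONS = {
    "8021p": ({"inbound", "outbound"}, lambda t: _int_in(t, 0, 7, "8021p")),
    "dscp": ({"inbound", "outbound"}, _dscp),
    "vlan-id": ({"inbound", "outbound"}, lambda t: _int_in(t, 1, 4094, "vlan-id")),
    "destination-mac": ({"inbound"}, _mac),
    "local-precedence": ({"inbound"}, lambda t: _int_in(t, 0, 7, "local-precedence")),
    "cvlan-id": ({"outbound"}, lambda t: _int_in(t, 1, 4094, "cvlan-id")),
}


def parse_traffic_remark(line):
    """Validate one single-ACL traffic-remark line; return its fields or raise ValueError."""
    tok = line.split()
    if not tok or tok[0] != "traffic-remark":
        raise ValueError("not a traffic-remark command")
    pos, out = 1, {"vlan": None, "ipv6": False, "rule": None}

    def take(what):
        nonlocal pos
        if pos >= len(tok):
            raise ValueError(f"command ends before {what}")
        pos += 1
        return tok[pos - 1]

    def peek():
        return tok[pos] if pos < len(tok) else None

    if peek() == "vlan":  # optional, system-view form only
        take("vlan")
        out["vlan"] = _int_in(take("vlan-id"), 1, 4094, "vlan")
    out["direction"] = take("direction")
    if out["direction"] not in ("inbound", "outbound"):
        raise ValueError(f"expected inbound or outbound, got {out['direction']!r}")
    if take("acl") != "acl":
        raise ValueError("expected keyword 'acl'")
    if peek() == "ipv6":
        take("ipv6")
        out["ipv6"] = True
    ref = take("ACL number or name")
    if ref == "name":
        out["acl"], out["acl_kind"] = take("acl-name"), "name"
    else:
        number = _int_in(ref, 2000, 5999, "ACL number")
        out["acl"] = number
        out["acl_kind"] = next(k for k, r in ACL_KINDS.items() if number in r)
    if out["ipv6"] and out["acl_kind"] in ("l2-acl", "user-acl"):
        raise ValueError("ipv6 is listed only with bas-acl, adv-acl or name")
    if out["acl_kind"] == "user-acl" and out["direction"] == "outbound":
        raise ValueError("user-acl is listed only in the inbound format")
    if peek() == "rule":
        take("rule")
        limit = 2047 if out["ipv6"] else 4294967294
        out["rule"] = _int_in(take("rule-id"), 0, limit, "rule-id")
    action = take("action keyword")
    if action not in ACTIONS:
        raise ValueError(f"unknown re-marking action {action!r}")
    directions, parse_value = ACTIONS[action]
    if out["direction"] not in directions:
        raise ValueError(f"{action} is not listed for the {out['direction']} direction")
    out["action"], out["value"] = action, parse_value(take(f"{action} value"))
    if pos != len(tok):
        raise ValueError(f"unexpected trailing tokens: {tok[pos:]}")
    return out


def remark_error(line):
    """Return None if the line validates, otherwise the reason as a string."""
    try:
        parse_traffic_remark(line)
        return None
    except ValueError as exc:
        return str(exc)
```

The validator checks syntax and value ranges only. Whether the referenced ACL and rule exist on the device still has to be confirmed separately.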

traffic-secure (interface view)

Function

The traffic-secure command configures ACL-based packet filtering on an interface.

The undo traffic-secure command cancels ACL-based packet filtering on an interface.

By default, ACL-based packet filtering is not configured on an interface.

Format

To configure a single ACL, use the following command:

traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

undo traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

Parameters

Parameter

Description

Value

inbound

Filters packets in the inbound direction.

-

acl

Filters packets based on the IPv4 ACL.

-

bas-acl

Filters packets based on a specified basic ACL.

The value is an integer that ranges from 2000 to 2999.

adv-acl

Filters packets based on a specified advanced ACL.

The value is an integer that ranges from 3000 to 3999.

l2-acl

Filters packets based on a specified Layer 2 ACL.

The value is an integer that ranges from 4000 to 4999.

name acl-name

Filters packets based on a specified named ACL. acl-name specifies the name of the ACL.

The value must be the name of an existing ACL.

rule rule-id

Filters packets based on a specified ACL rule.

The IPv4 ACL rule ID ranges from 0 to 4294967294.

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-secure command is executed on an interface, the device filters packets matching ACL rules:

  • If the action in an ACL rule is deny, the device discards packets matching the rule.
  • If the action in an ACL rule is permit, the device forwards packets matching the rule.
  • If no rule is matched, packets are allowed to pass through.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

The traffic-secure command takes precedence over other ACL-based simplified traffic policy commands.

If both traffic-secure and other ACL-based simplified traffic policy commands need to be configured on the device and the inner 802.1p priority, inner VLAN ID, or port range needs to be matched in an ACL, configure the traffic-secure command, and then configure other ACL-based simplified traffic policy commands.

Example

# Configure the traffic filtering action on GE1/0/1 to discard the packets with source address 192.168.0.2 and mirror the packets with destination address 192.168.1.3 to the observing interface with the index of 1.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] acl name test 3001
[HUAWEI-acl-adv-test] rule 5 permit ip destination 192.168.1.3 0
[HUAWEI-acl-adv-test] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-secure inbound acl 3000
[HUAWEI-GigabitEthernet1/0/1] traffic-mirror inbound acl 3001 to observe-port 1

traffic-secure (system view)

Function

The traffic-secure command configures ACL-based packet filtering globally or in a VLAN.

The undo traffic-secure command cancels ACL-based packet filtering globally or in a VLAN.

By default, ACL-based packet filtering is not configured globally or in a VLAN.

Format

To configure a single ACL, use the following command:

traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

undo traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

Parameters

Parameter

Description

Value

vlan vlan-id

Configures ACL-based packet filtering in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

inbound

Filters packets in the inbound direction.

-

acl

Filters packets based on the IPv4 ACL.

-

bas-acl

Filters packets based on a specified basic ACL.

The value is an integer that ranges from 2000 to 2999.

adv-acl

Filters packets based on a specified advanced ACL.

The value is an integer that ranges from 3000 to 3999.

l2-acl

Filters packets based on a specified Layer 2 ACL.

The value is an integer that ranges from 4000 to 4999.

name acl-name

Filters packets based on a specified named ACL. acl-name specifies the name of the ACL.

The value must be the name of an existing ACL.

rule rule-id

Filters packets based on a specified ACL rule.

The IPv4 ACL rule ID ranges from 0 to 4294967294.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-secure command is executed on the device, the device filters packets matching ACL rules:

  • If the action in an ACL rule is deny, the device discards packets matching the rule.
  • If the action in an ACL rule is permit, the device forwards packets matching the rule.
  • If no rule is matched, packets are allowed to pass through.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

The traffic-secure command takes precedence over other ACL-based simplified traffic policy commands.

If both traffic-secure and other ACL-based simplified traffic policy commands need to be configured on the device and the inner 802.1p priority, inner VLAN ID, or port range needs to be matched in an ACL, configure the traffic-secure command, and then configure other ACL-based simplified traffic policy commands.

Example

# Configure the traffic filtering action globally to discard the packets with source address 192.168.0.2 and mirror the packets with destination address 192.168.1.3 to the observing interface with the index of 1.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] acl name test 3001
[HUAWEI-acl-adv-test] rule 5 permit ip destination 192.168.1.3 0
[HUAWEI-acl-adv-test] quit
[HUAWEI] traffic-secure inbound acl 3000
[HUAWEI] traffic-mirror inbound acl 3001 to observe-port 1

traffic-statistic (interface view)

Function

The traffic-statistic command configures ACL-based traffic statistics on an interface.

The undo traffic-statistic command cancels ACL-based traffic statistics on an interface.

By default, the ACL-based traffic statistics function is not configured on an interface.

Format

Use the following command in the inbound direction on a switch interface:

traffic-statistic inbound acl { bas-acl | adv-acl | name acl-name | l2-acl } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic inbound acl { bas-acl | adv-acl | name acl-name | l2-acl } [ rule rule-id ] [ secure ]

traffic-statistic inbound acl { ipv6 { bas-acl | adv-acl | name acl-name } | user-acl } [ rule rule-id ] [ by-bytes ]

undo traffic-statistic inbound acl { ipv6 { bas-acl | adv-acl | name acl-name } | user-acl } [ rule rule-id ]

Use the following command in the outbound direction on a switch interface:

traffic-statistic outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

undo traffic-statistic outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 and Layer 3 ACLs are configured and the ACL-based traffic statistics function is used in the inbound direction on a switch interface, use the following command:

traffic-statistic inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] [ secure ]

traffic-statistic inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] [ secure ]

traffic-statistic inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] [ secure ]

If both Layer 2 and Layer 3 ACLs are configured and the ACL-based traffic statistics function is used in the outbound direction on a switch interface, use the following command:

traffic-statistic outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-statistic outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-statistic outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

undo traffic-statistic outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-statistic outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

undo traffic-statistic outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

Parameter

Description

Value

inbound

Collects statistics on packets in the inbound direction.

-

outbound

Collects statistics on packets in the outbound direction.

-

acl

Collects statistics on packets based on the IPv4 ACL.

-

ipv6

Collects statistics on packets based on the IPv6 ACL.

-

bas-acl

Collects statistics on packets based on a specified basic ACL.

The value is an integer that ranges from 2000 to 2999.

adv-acl

Collects statistics on packets based on a specified advanced ACL.

The value is an integer that ranges from 3000 to 3999.

l2-acl

Collects statistics on packets based on a specified Layer 2 ACL.

The value is an integer that ranges from 4000 to 4999.

user-acl

Collects statistics on packets based on a specified user-defined ACL.

The value is an integer that ranges from 5000 to 5999.

name acl-name

Collects statistics on packets based on a specified named ACL. acl-name specifies the name of the ACL.

The value must be the name of an existing ACL.

rule rule-id

Collects statistics on packets based on a specified ACL rule.

The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047.

by-bytes

Indicates that traffic statistics are collected based on the number of bytes.

NOTE:

By default, traffic statistics are collected based on the number of packets. After by-bytes is specified, traffic statistics are collected based on the number of bytes.

-

secure

Collects statistics on packets based on packet filtering policies configured through the traffic-secure (interface view) command.

-

Views

VLANIF interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-statistic command is executed on an interface, the device collects statistics on packets matching an ACL. After the statistics function is configured, you can use the display traffic-statistics command to view the statistics.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

When an ACL-based simplified traffic policy is configured on a VLANIF interface:

  • The ACL-based simplified traffic policy can be configured on the VLANIF interface only in the inbound direction.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • On X series cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface. For other cards, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

If the traffic-statistic (system view) and traffic-statistic (interface view) commands are used simultaneously, the traffic-statistic (interface view) command takes effect.

When the action in an ACL rule is permit or deny, the ACL can be associated with the traffic-statistic command, but deny does not take effect. That is, only traffic statistics are collected.

For X series cards, if traffic-statistic is applied to an Eth-Trunk in the outbound direction, traffic statistics do not take effect for packets sent by the CPU. In this case, you can configure traffic statistics or port mirroring in the inbound direction on the interface connected to the Eth-Trunk.

Example

# Configure the ACL-based traffic statistics function in the inbound direction on GE1/0/1 to collect statistics on packets matching rule 1 in ACL 3000.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] traffic-statistic inbound acl 3000 rule 1

traffic-statistic (system view)

Function

The traffic-statistic command configures ACL-based traffic statistics globally or in a VLAN.

The undo traffic-statistic command cancels ACL-based traffic statistics globally or in a VLAN.

By default, the ACL-based traffic statistics function is not configured globally or in a VLAN.

Format

Use the following command in the inbound direction on a switch:

traffic-statistic [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | name acl-name | l2-acl } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | name acl-name | l2-acl } [ rule rule-id ] [ secure ]

traffic-statistic [ vlan vlan-id ] inbound acl { ipv6 { bas-acl | adv-acl | name acl-name } | user-acl } [ rule rule-id ] [ by-bytes ]

undo traffic-statistic [ vlan vlan-id ] inbound acl { ipv6 { bas-acl | adv-acl | name acl-name } | user-acl } [ rule rule-id ]

Use the following command in the outbound direction on a switch:

traffic-statistic [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

undo traffic-statistic [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

If both Layer 2 and Layer 3 ACLs are configured and the ACL-based traffic statistics function is used in the inbound direction on a switch, use the following command:

traffic-statistic [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] [ secure ]

traffic-statistic [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] [ secure ]

traffic-statistic [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ] [ secure ]

undo traffic-statistic [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] [ secure ]

If both Layer 2 and Layer 3 ACLs are configured and the ACL-based traffic statistics function is used in the outbound direction on a switch, use the following command:

traffic-statistic [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-statistic [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-statistic [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

undo traffic-statistic [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

traffic-statistic [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

undo traffic-statistic [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Configures ACL-based packet statistics in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| inbound | Collects statistics on packets in the inbound direction. | - |
| outbound | Collects statistics on packets in the outbound direction. | - |
| acl | Collects statistics on packets based on the IPv4 ACL. | - |
| ipv6 | Collects statistics on packets based on the IPv6 ACL. | - |
| bas-acl | Collects statistics on packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Collects statistics on packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Collects statistics on packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| user-acl | Collects statistics on packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
| name acl-name | Collects statistics on packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Collects statistics on packets based on a specified ACL rule. | The IPv4 ACL rule ID ranges from 0 to 4294967294, and the IPv6 ACL rule ID ranges from 0 to 2047. |
| by-bytes | Indicates that traffic statistics are collected based on the number of bytes. NOTE: By default, traffic statistics are collected based on the number of packets. After by-bytes is specified, traffic statistics are collected based on the number of bytes. | - |
| secure | Collects statistics on packets based on packet filtering policies configured through the traffic-secure (system view) command. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-statistic command is executed on the device, the device collects statistics on packets matching an ACL. After the statistics function is configured, you can use the display traffic-statistics command to view the statistics.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-statistic (interface view) and traffic-statistic (system view) commands are used simultaneously, the traffic-statistic (interface view) command takes effect.

When the action in an ACL rule is permit or deny, the ACL can be associated with the traffic-statistic command, but deny does not take effect. That is, only traffic statistics are collected.

Example

# Configure the ACL-based traffic statistics function in the inbound direction in VLAN 100 to collect statistics on packets matching rule 1 in ACL 3000.

<HUAWEI> system-view
[HUAWEI] traffic-statistic vlan 100 inbound acl 3000 rule 1
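
The precautions for both the interface-view and system-view commands can be checked offline against a saved configuration. The following Python check is an added example, not Huawei code: it flags traffic-statistic bindings whose ACL or rule does not exist, and bindings to deny rules, which are only counted and not dropped. The sample configuration is constructed; the saved-configuration layout (acl number / acl name lines followed by indented rule lines) and the finding names are assumptions, and only the single-ACL IPv4 forms are parsed.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
acl number 3000
 rule 1 deny ip source 10.1.1.0 0.0.0.255
 rule 5 permit ip
acl name web 3999
 rule 10 permit tcp destination-port eq 80
interface GigabitEthernet1/0/1
 traffic-statistic inbound acl 3000 rule 1
 traffic-statistic inbound acl 3000 rule 7
traffic-statistic vlan 100 inbound acl name web rule 10
traffic-statistic vlan 200 outbound acl 2001
"""

ACL_DEF = re.compile(r"^acl (?:number (\d+)|name (\S+))")
RULE_DEF = re.compile(r"^\s+rule (\d+) (permit|deny)\b")
STAT = re.compile(r"^\s*traffic-statistic (?:vlan \d+ )?(?:inbound|outbound) "
                  r"acl (?:name )?(\S+)(?: rule (\d+))?")

def lint(config):
    """Return (line_no, issue, acl, rule) findings for traffic-statistic bindings."""
    acls, current = {}, None
    lines = config.splitlines()
    for line in lines:  # pass 1: collect ACLs and the action of each rule
        m = ACL_DEF.match(line)
        if m:
            current = acls.setdefault(m.group(1) or m.group(2), {})
        elif current is not None and (r := RULE_DEF.match(line)):
            current[r.group(1)] = r.group(2)
        elif not line.startswith(" "):
            current = None  # left the ACL block
    findings = []
    for no, line in enumerate(lines, 1):  # pass 2: check each binding
        m = STAT.match(line)
        if not m:
            continue
        acl, rule = m.groups()
        if acl not in acls:
            findings.append((no, "acl-not-created", acl, rule))
        elif rule and rule not in acls[acl]:
            findings.append((no, "rule-not-configured", acl, rule))
        else:  # deny rules bound here are counted, never enforced
            checked = [rule] if rule else list(acls[acl])
            findings += [(no, "deny-only-counted", acl, r)
                         for r in checked if acls[acl][r] == "deny"]
    return findings
```

A deny-only-counted finding marks a rule that still needs a separate packet filtering policy if the traffic is meant to be blocked.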
Updated: 2019-04-09

Document ID: EDOC1100065659
