Configuring MQC to Implement Traffic Policing

Context

To control a specific type of traffic in the inbound or outbound direction on an interface, configure MQC-based traffic policing. MQC-based traffic policing implements differentiated services using complex traffic classification. When the receive or transmit rate of packets matching traffic classification rules exceeds the limit, the device discards the packets.

When inbound interface-based rate limiting, broadcast traffic suppression in a VLAN (for details on how to configure broadcast traffic suppression in a VLAN, see Configuring Traffic Suppression in a VLAN in "Traffic Suppression and Storm Control Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security), and inbound MQC-based traffic policing are configured simultaneously on the S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, these rules take effect in descending order of priority: inbound interface-based rate limiting > broadcast traffic suppression in a VLAN > inbound MQC-based traffic policing. For example, if both inbound interface-based rate limiting and broadcast traffic suppression in a VLAN are configured, inbound interface-based rate limiting takes effect.

Procedure

1. Configure a traffic classifier.

   1. Run system-view

      The system view is displayed.

   2. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is created and the traffic classifier view is displayed, or the view of an existing traffic classifier is displayed.

      The logical operator and between the rules in the traffic classifier means that:

      • If the traffic classifier contains ACL rules, packets match the traffic classifier only if they match one ACL rule and all the non-ACL rules.

      • If the traffic classifier does not contain any ACL rules, packets match the traffic classifier only if they match all the rules in the classifier.

      The logical operator or means that packets match the traffic classifier if they match one of the rules in the classifier.

      By default, the relationship between rules in a traffic classifier is or.

   3. Configure matching rules in the traffic classifier according to the following table.
      

      Only the S5720-EI, S6720-EI, and S6720S-EI support traffic classifiers with advanced ACLs containing the ttl-expired field.

      When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S do not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-address learning disable.

      On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, if a traffic policy is applied to the outbound direction and the relationship between rules in a traffic classifier is AND:

      • Rules for matching the source IPv6 address and those for matching destination IPv6 address cannot be configured in the same traffic classifier.
      • Rules for matching IPv6 information (for example, if-match protocol ipv6 and if-match ipv6 acl) and those for matching the source MAC address, destination MAC address, source IPv6 address, or destination IPv6 address of packets cannot be configured in the same traffic classifier. (ACL6 rules can be used to match the source or destination IPv6 address of packets.)
      • Rules for matching IPv4 information (IP address and UDP port number) and those for matching some Layer 2 information (for example, if-match source-mac, if-match destination-mac, and if-match l2-protocol { mpls | rarp | protocol-value }) cannot be configured in the same traffic classifier.

      Matching Rule	Command	Remarks
      Outer VLAN ID or inner and outer VLAN IDs of QinQ packets	if-match vlan-id start-vlan-id [ to end-vlan-id ] [ cvlan-id cvlan-id ]	Only the S5720-EI, S5720-HI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support the cvlan-id cvlan-id parameter.
      Inner and outer VLAN IDs in QinQ packets	if-match cvlan-id start-vlan-id [ to end-vlan-id ] [ vlan-id vlan-id ]	Only the S5720-EI, S5720-HI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule.
      802.1p priority in VLAN packets	if-match 8021p 8021p-value &<1-8>	If you specify multiple values for 8021p-value in one command, a packet matching any of the values matches the traffic classifier, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
      Inner 802.1p priority in QinQ packets	if-match cvlan-8021p 8021p-value &<1-8>	Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule.
      Discarded packet	if-match discard	Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule. A traffic classifier containing this matching rule can only be bound to traffic behaviors containing the traffic statistics collection and flow mirroring actions.
      Double tags in QinQ packets	if-match double-tag	Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule.
      EXP priority in MPLS packets	if-match mpls-exp exp-value &<1-8>	Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule. If you specify multiple values for exp-value in one command, a packet matching any of the values matches the traffic classifier, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
      Destination MAC address	if-match destination-mac mac-address [ mac-address-mask ]	-
      Source MAC address	if-match source-mac mac-address [ mac-address-mask ]	-
      Protocol type in the Ethernet frame header	if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }	-
      All packets	if-match any	After the if-match any command is run, only the matching rule configured using this command takes effect, and the other matching rules in the same traffic classifier will become ineffective.
      DSCP priority in IP packets	if-match dscp dscp-value &<1-8>	If you specify multiple values for dscp-value in one command, a packet matching any of the values matches the traffic classifier, regardless of whether the relationship between rules in the traffic classifier is AND or OR. The if-match dscp and if-match ip-precedence commands cannot be configured in the same traffic classifier in which the relationship between rules is AND.
      IP precedence in IP packets	if-match ip-precedence ip-precedence-value &<1-8>	If you specify multiple values for ip-precedence-value in one command, a packet matching any of the values matches the traffic classifier, regardless of whether the relationship between rules in the traffic classifier is AND or OR. The if-match dscp and if-match ip-precedence commands cannot be configured in the same traffic classifier in which the relationship between rules is AND.
      Layer 3 protocol type	if-match protocol { ip | ipv6 }	-
      SYN flag in the TCP packet	if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg }	-
      Inbound interface	if-match inbound-interface interface-type interface-number	A traffic policy containing this matching rule cannot be applied to the outbound direction or in the interface view.
      Outbound interface	if-match outbound-interface interface-type interface-number	The S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI do not support this matching rule. A traffic policy containing this matching rule cannot be applied to the inbound direction on the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S. A traffic policy containing this matching rule cannot be applied in the interface view.
      ACL rule	if-match acl { acl-number | acl-name }	Before specifying an ACL in a matching rule, configure the ACL. If an ACL in a traffic classifier defines multiple rules and a packet matches any of the rules, the packet matches the ACL, regardless of whether the relationship between rules in the traffic classifier is AND or OR. If the vpn-instance parameter is specified in an ACL rule, a traffic policy that defines a traffic classifier matching this ACL rule does not take effect.
      ACL6 rule	if-match ipv6 acl { acl-number | acl-name }	Before specifying an ACL6 in a matching rule, configure the ACL6. If the vpn-instance parameter is specified in an ACL6 rule, a traffic policy that defines a traffic classifier matching this ACL6 rule does not take effect. On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, if a traffic policy is applied to the outbound direction, and an ACL6 rule for matching the source IPv6 address of packets and an ACL6 rule for matching the destination IPv6 address of packets are respectively configured in two traffic classifiers: If the traffic behaviors corresponding to the two traffic classifiers do not conflict, the two traffic classifiers and their corresponding traffic behaviors take effect. If the traffic behaviors corresponding to the two traffic classifiers conflict, the traffic behavior and traffic classifier defining the ACL6 rule for matching the source IPv6 address of packets take effect.
      Flow ID	if-match flow-id flow-id	Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720S-EI support matching of flow IDs. A traffic classifier containing if-match flow-id and a traffic behavior containing remark flow-id must be bound to different traffic policies. A traffic policy containing if-match flow-id can be only applied to an interface, a VLAN, a VLANIF interface or the system in the inbound direction.
      Inner information of VXLAN packets	if-match vxlan [ transit ] vni vni-id	Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule. A traffic policy containing this matching rule cannot be applied to the outbound direction. If a traffic classifier contains this matching rule, it supports only traffic behaviors of traffic policing, packet filtering, and traffic statistics collection.
      Application name	if-match application name appname	Only the S5730-HI, S6720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support this matching rule. A traffic policy containing this matching rule can be applied only to the inbound direction.

   4. Run quit

      Exit from the traffic classifier view.

2. Configure a traffic behavior.

   1. Run traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.

   2. Run any of the following commands depending on the product model to configure the CAR action:
      • On the S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, and S6720S-SI, run car [ aggregation ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ share ] [ green pass ] [ yellow { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ] [ red { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ]
        

        If a traffic behavior defines the car command with remark-8021p 8021p-value or remark-dscp dscp-value specified, a traffic policy containing this traffic behavior can only be applied in the inbound direction.

        If aggregated CAR is configured by specifying the aggregation parameter, the traffic policies containing this traffic behavior can only be applied in the inbound direction.

        The aggregation and share parameters cannot be specified simultaneously in one traffic behavior.

      • On the S5720-EI, S6720-EI, and S6720S-EI, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ share ] [ green { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ] [ yellow { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ] [ red { discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ]
      • On the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, run car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ share ] [ green { discard | pass [ service-class class color color ] } | yellow { discard | pass [ service-class class color color ] } | red { discard | pass [ service-class class color color ] } ]^*
      • On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, run car [ aggregation ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ share ] [ green { discard | pass [ remark-dscp dscp-value ] } ] [ yellow { discard | pass [ remark-dscp dscp-value ] } ] [ red { discard | pass [ remark-dscp dscp-value ] } ]

        The CAR action is configured.

   3. (Optional) Run statistic enable

      The traffic statistics collection function is enabled.

      

      On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, if traffic policing and traffic statistics collection are configured in the same traffic behavior, only statistics on the numbers of packets and bytes that match the bound traffic classifier and on the packet rate, namely, values of Packets, Bytes, Rate(pps), and Rate(bps) in matched in the display traffic policy statistics command output, are correct.

   4. Run quit

      Exit from the traffic behavior view.

   5. (Optional) Run qos-car exclude-interframe
      The system is configured not to count the inter-frame gap and preamble of packets when calculating the traffic rate for traffic shaping.

      

      The qos-car exclude-interframe command configures the system not to count the inter-frame gap and preamble of packets when calculating the traffic rate for traffic policing or inbound interface-based rate limiting.

   6. Run quit

      Exit from the system view.

3. Configure a traffic policy.

   1. Run system-view

      The system view is displayed.

   2. Perform the following operations according to actual situations:

      • On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, run traffic policy policy-name

        A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

      • On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, run traffic policy policy-name [ match-order { auto | config } ]

        A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed. If you do not specify the matching order of traffic classifiers when creating a traffic policy, the default matching order is config.

        After a traffic policy is applied, you cannot use the traffic policy command to modify the matching order of traffic classifiers in the traffic policy. To modify the matching order, delete the traffic policy, create a traffic policy, and then specify the matching order.

        When creating a traffic policy, you can specify the matching order of matching rules in the traffic policy. The matching order can be either the automatic order (auto) or configuration order (config):

        • If the automatic order is used, traffic classifiers are matched based on the priorities of their types. If the traffic policy is applied to the inbound direction on the S5720-EI, S6720-EI, or S6720S-EI, traffic classifiers based on the following information are matched in descending order of priority: Layer 2 and IPv4 Layer 3 information > advanced ACL6 > basic ACL6 > IPv4 Layer 3 information > Layer 2 information > user-defined ACL information. In other cases, traffic classifiers based on the following information are matched in descending order of priority: Layer 2 and IPv4 Layer 3 information > advanced ACL6 information > basic ACL6 information > Layer 2 information > IPv4 Layer 3 information > user-defined ACL information. If data traffic matches multiple traffic classifiers and the bound traffic behaviors conflict with each other, the traffic behavior corresponding to the highest priority rule takes effect.
        • If the configuration order is used, traffic classifiers are matched based on the sequence in which they are bound to traffic behaviors.
        

        If more than 128 ACL rules defining CAR are configured, a traffic policy must be applied to an interface, a VLAN, and the system in sequence in the outbound direction. In the preceding situation, if ACL rules need to be updated, delete the traffic policy from the interface, VLAN, and system and re-configure a traffic policy in sequence.

   3. Run classifier classifier-name behavior behavior-name

      A traffic behavior is bound to a traffic classifier in the traffic policy.

   4. Run quit

      Exit from the traffic policy view.

   5. Run quit

      Exit from the system view.

4. Apply the traffic policy.
   • Applying a traffic policy to an interface

     1. Run system-view

        The system view is displayed.

     2. Run interface interface-type interface-number [.subinterface-number ]

        The interface view or sub-interface view is displayed.

        

        • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support Ethernet sub-interfaces.

        • Only hybrid and trunk interfaces on the preceding switches support Ethernet sub-interface configuration.

        • After you run the undo portswitch command to switch Layer 2 interfaces on the preceding series of switches into Layer 3 interfaces, you can configure Ethernet sub-interfaces on the interfaces.

        • After an interface is added to an Eth-Trunk, sub-interfaces cannot be configured on the interface.

        • VLAN termination sub-interfaces cannot be created on a VCMP client.

     3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the interface or sub-interface.

        Each direction on an interface can be configured with only one traffic policy. A single traffic policy can be applied to both directions on one or more interfaces. After a traffic policy is applied to an interface, the system performs traffic policing for all the incoming or outgoing packets that match traffic classification rules on the interface.

        

        • Traffic policies can be applied to only the inbound direction of sub-interfaces on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S.

        • You are not advised to apply a traffic policy containing remark 8021p, remark cvlan-id, or remark vlan-id to the outbound direction of an untagged interface. This configuration may cause incorrect information in the packets.

        • Applying traffic policies consumes ACL resources. If ACL resources are insufficient, some traffic policies will fail to be applied. For example, if an if-match rule in a traffic policy occupies one ACL, one ACL is occupied for each interface to which the traffic policy is applied. When a traffic policy is applied to multiple VLANs, one ACL is occupied for each VLAN to which the traffic policy is applied. When a traffic policy is applied to the system, one ACL is occupied. For details about ACLs occupied by if-match rules, see Table 3 in "Licensing Requirements and Limitations for MQC."

        • Among the 2N interfaces on the S6720-EI or S6720S-EI, if an interface in the range from 1 to N and an interface in the range from N+1 to 2N are added to the same Eth-Trunk or VLAN, and outgoing traffic of the Eth-Trunk or VLAN is rate-limited by car, the outgoing traffic rate is two times the CAR value.
   • Applying a traffic policy to a VLAN

     1. Run system-view

        The system view is displayed.

     2. Run vlan vlan-id

        The VLAN view is displayed.

     3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the VLAN.

        Each direction of a VLAN can be configured with only one traffic policy.

        After a traffic policy is applied to a VLAN, the system performs traffic policing for the packets that belong to the VLAN and match traffic classification rules in the inbound or outbound direction.

   • Applying a traffic policy to a VLANIF interface

     1. Run system-view

        The system view is displayed.

     2. Run interface vlanif vlan-id

        The VLANIF interface view is displayed.

     3. Run traffic-policy policy-name { inbound | outbound }

        A traffic policy is applied to the VLANIF interface.

        Each direction of a VLANIF interface can be configured with only one traffic policy. A single traffic policy can be applied to both directions on one or more VLANIF interfaces.

        A traffic policy cannot be applied to a VLANIF interface corresponding to the super-VLAN or MUX VLAN.

        On the S5720-EI, S6720-EI, and S6720S-EI, a traffic policy applied to a VLANIF interface takes effect only for unicast packets and Layer 3 multicast packets on the VLANIF interface.

        On the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, a traffic policy applied to a VLANIF interface takes effect only for unicast packets on the VLANIF interface.

        

        A traffic policy can be applied to a VLANIF interface only on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S.

        A traffic policy cannot be applied to the inbound direction of a VLANIF interface when the bound traffic behaviors define the following actions:

        • remark vlan-id
        • remark cvlan-id
        • remark 8021p
        • remark flow-id
        • mac-address learning disable

        A traffic policy cannot be applied to the outbound direction of a VLANIF interface when the bound traffic behaviors define the following actions:

        • remark flow-id
        • mac-address learning disable
   • Applying a traffic policy globally

     1. Run system-view

        The system view is displayed.

     2. Run traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]

        A traffic policy is applied to the system.

        Each direction can be configured with only one traffic policy in the system or slot. A traffic policy cannot be applied to the same direction in both the system and slot.

        • In a stack, a traffic policy applied to the system takes effect on all the interfaces and VLANs of all the member switches in the stack. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on all the member switches. A traffic policy applied to a specified slot takes effect on all the interfaces and VLANs of the member switch with the specified stack ID. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on this member switch.
        • On a standalone switch, a traffic policy applied to the system takes effect on all the interfaces and VLANs of the local switch. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on the local switch. Traffic policies applied to the slot and system have the same functions.

Verifying the Configuration

After traffic statistics collection is configured in a traffic behavior containing car, you can run the display traffic policy statistics command to view the rate limiting result and check whether traffic policing takes effect.

Statistics about incoming packets on an interface (queried using the display interface or display this interface command) are collected before traffic policing is performed in the inbound direction of the interface. Therefore, you cannot determine whether traffic policing takes effect by comparing the number of incoming packets on an interface with the rate limit.

• Run the display traffic classifier user-defined [ classifier-name ] command to check the traffic classifier configuration.
• Run the display traffic behavior user-defined [ behavior-name ] command to check the traffic behavior configuration.

• Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the configuration of a specified user-defined traffic policy.

• Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to check information about ACL-based simplified and MQC-based traffic policies applied to the system, a VLAN, or an interface.

  

  The display traffic-applied command cannot be used to check information about ACL-based simplified and MQC-based traffic policies applied to a sub-interface. However, traffic policies can be applied to a sub-interface.

• Run the display traffic policy { interface [ interface-type interface-number [.subinterface-number ] ] | vlan [ vlan-id ] | ssid-profile [ ssid-profile-name ] | global } [ inbound | outbound ] command to check the traffic policy configuration.

  

  Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support sub-interfaces.

  Only the S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S6720-HI, S6730S-H, and S6730-H support ssid-profile [ ssid-profile-name ].

• Run the display traffic-policy applied-record [ policy-name ] command to check the application records of a specified traffic policy.