< Home

Configuring an AS in Centralized Mode (Profile-based Batch Configuration)

In an SVF system, the parent delivers configurations to ASs using service profiles. Service profiles are a set of service configurations. After service profiles are delivered to an AS, the AS parses and executes the services configured in the service profiles.

For services that can be batch configured for ASs using service profiles, see Service Configuration Supported on an AS.

  • An AS port group can be bound to a network basic profile, network enhanced profile, user access profile, traffic policy profile, and network QoS profile.

  • Ports of an AS can be added to a maximum of 32 different AS port groups.

  • Only a network basic profile can be bound to an AP port group, and an AP port group can be bound to only one network basic profile.

  • When an AS goes offline and then goes online again, the AS restarts if the global configuration of the AS is changed on the parent and the changed configuration is committed.

Services can be configured for ASs using service profiles:

Configuring Services for ASs Using an AS Administrator Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run as-admin-profile name profile-name

    An AS administrator profile is created.

  4. Configure required services in the AS administrator profile.
    • Run user user-name password password

      The user name and password required for AS logins are configured.

    • Run traffic-limit outbound { arp | dhcp } cir cir-value,

      By default, the rate limits for outgoing ARP packets and DHCP packets are 32 kbit/s and 128 kbit/s respectively on an AS uplink fabric port.

      The rate limit for outgoing ARP and DHCP packets on an uplink fabric port is configured.

    • Run stp bpdu-protection

      BPDU protection is configured on the AS.

    • Run ipv6

      IPv6 function is configured on the AS.

  5. Run quit

    Exit from the AS administrator profile view.

  6. Run as-group name group-name

    An AS group is created.

  7. Add ASs in the AS group using one of the following methods:
    • Run as name as-name

      An AS with a specified name is added to the AS group.

    • Run as name-include string

      ASs of which the name contains a specified string are added to the AS group.

    • Run as all

      All online ASs are added to the AS group.

  8. Run as-admin-profile profile-name

    The specified AS administrator profile is bound to the AS group.

  9. Run quit

    Exit from the AS group view.

  10. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to an AS group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

This example shows how to configure the user name and password used to log in to ASs using an AS administrator profile.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] as-admin-profile name profile_1
[HUAWEI-um-as-admin-profile_1] user test password Pwd@123456  // Specify the user name and password used to log in to ASs.
[HUAWEI-um-as-admin-profile_1] quit
[HUAWEI-um] as-group name group_1
[HUAWEI-um-as-group-group_1] as all  // This configuration takes effect for all online ASs.
[HUAWEI-um-as-group-group_1] as-admin-profile profile_1  // Bind the AS group to the AS administrator profile.
[HUAWEI-um-as-group-group_1] quit
[HUAWEI-um] commit as all  // Commit the configuration to deliver it to ASs.

Configuring Services for ASs Using a Network Basic Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run network-basic-profile name profile-name

    A network basic profile is created.

  4. Configure required services in the network basic profile.

    Service Functions

    Configuration Command

    Usage Description

    Configure the default VLAN on an interface.

    user-vlan vlan-id

    -

    Configure allowed VLANs on an interface.

    pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

    A maximum of 32 allowed VLANs can be configured on each AS port.

    Configure a voice VLAN on an interface.

    voice-vlan vlan-id [ include-untagged ]

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    When configuring a voice VLAN on an AS port, ensure that IP phones connected to the AS port support LLDP and have LLDP enabled.
  5. Run quit

    Exit from the network basic profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports in the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

  9. Run network-basic-profile profile-name

    The specified network basic profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run port-group connect-ap name group-name

    An AP port group is created.

  12. (Optional) Run description description

    The AP port group description is configured to facilitate identification of the terminals connected to the AP port group.

  13. Add AP ports to the AP port group.
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

  14. Run network-basic-profile profile-name

    The specified network basic profile is bound to the AP port group.

    When an AP port group is bound to a network basic profile, only the pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command takes effect in the network basic profile view.

  15. Run quit

    Exit from the AP port group view.

  16. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

This example shows how to configure allowed VLANs on AS ports using a network basic profile.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_1
[HUAWEI-um-net-basic-profile_1] pass-vlan 10 to 12  // Specify the allowed VLANs on AS ports.
[HUAWEI-um-net-basic-profile_1] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] network-basic-profile profile_1  // Bind the port group to the network basic profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a Network Enhanced Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run network-enhanced-profile name profile-name

    A network enhanced profile is created.

  4. Configure required services in the network enhanced profile.

    Service Functions

    Configuration Command

    Usage Description

    Configure unknown unicast traffic suppression on an interface.

    unicast-suppression packets packets-per-second

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    Configure multicast traffic suppression on an interface.

    multicast-suppression packets packets-per-second

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    Configure broadcast traffic suppression on an interface.

    broadcast-suppression packets packets-per-second

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    Enable DHCP snooping on an interface.

    dhcp snooping enable

    This command can only be used to check packets against DHCP dynamic binding entries but not DHCP static binding entries.

    Enable IP packet check on an interface.

    ip source check user-bind enable

    Before running this command, you must run the dhcp snooping enable command.

    Configure dynamic ARP inspection (DAI) on an interface.

    arp anti-attack check user-bind enable

    Before running this command, you must run the dhcp snooping enable command.

    Configure traffic rate limiting on an interface.

    rate-limit cir-value

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    If user traffic is not limited, continuous burst data from numerous users can make the network congested. You can configure traffic rate limiting in inbound direction on an interface to limit traffic entering from the interface within a specified range.

    Configure an interface as an edge interface.

    user-access-port enable

    Ports connected to a Layer 2 STP network do not need to participate in spanning tree calculation. If these ports participate in the calculation, the network topology convergence speed is affected and the status changes of these ports may cause network flapping. After these ports are configured as edge ports, they do not participate in spanning tree calculation. This configuration speeds up network topology convergence and enhances network stability.

    Configure the system to set an interface to the Error-Down state when MAC address flapping is detected on the interface.

    mac-address flapping action error-down

    -

    Configure the alarm function for MAC address learning and aging on an interface.

    mac-address trap notification all

    -

    Enable the port security function.

    port-security enable

    If the mac-limit command is configured in the user access profile view on an AS port bound to a network enhanced profile, the port security function cannot be enabled on the AS port.

    Set the aging time of secure dynamic MAC addresses on an interface.

    port-security aging-time time

    The port security function must be enabled.

    Enable the sticky MAC function on an interface.

    port-security mac-address sticky

    The port security function must be enabled.
  5. Run quit

    Exit from the network enhanced profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports in the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

  9. Run network-enhanced-profile profile-name

    The network enhanced profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

This example shows how to configure unknown unicast traffic suppression on AS ports using a network enhanced profile.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-enhanced-profile name profile_1
[HUAWEI-um-net-enhanced-profile_1] unicast-suppression packets 148810  // Configure unknown unicast traffic suppression for ASs.
[HUAWEI-um-net-enhanced-profile_1] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] network-enhanced-profile profile_1  // Bind the port group to the network enhanced profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a User Access Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run user-access-profile name profile-name

    A user access profile is created.

  4. Before configuring the user authentication mode, configure an authentication profile.

    NAC provides three user authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. To implement user access authentication, run the dot1x-access-profile name access-profile-name, mac-access-profile name access-profile-name, and portal-access-profile name access-profile-name commands in the system view to create an access profile, bind one or multiple of the three user authentication modes to the authentication profile, and then bind the authentication profile to the user access profile in an SVF system.

  5. Configure required services in the user access profile.

    Service Functions

    Configuration Command

    Usage Description

    Configure an authentication profile to set the user access authentication mode.

    authentication-profile authentication-profile-name

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    The user access authentication mode configured through an authentication profile is mutually exclusive with MAC address limiting on an interface and cannot be both configured.

    The user access authentication mode configured through an authentication profile is mutually exclusive with the function of rate limiting incoming ARP and DHCP packets on an AS port and cannot be both configured.

    • If Portal authentication is deployed in an SVF system, you must run the web-auth-server server-name command to specify the Portal server template used in Portal authentication in the Portal access profile view. Additionally, only one Portal server template can be configured in a Portal access profile.

    • If the Portal authentication mode has been set to layer3 in the portal-access-profile bound to the authentication profile, it is not allowed to bind this authentication profile to the user access profile. If an authentication profile has been bound to the user access profile, it is now allowed to set the Portal authentication mode to layer3.

    • In versions earlier than V200R019C10, user access profiles must be bound to the same authentication profile at any time. In V200R019C10 and later versions, user access profiles can be bound to different authentication profiles. However, if these user access profiles are bound to ASs on the same cascade port, the authentication profiles must be the same.

    • In V200R019 and later versions, the authentication ipv6-control enable command configured in an authentication profile can be delivered to ASs. This command can take effect only in the following situations:
      • The parent is S6720-EI, S6720S-EI, S6720-SI, or S6720S-SI, and ASs are S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, or S6720S-SI.
      • The parent is a modular switch and the parent's port to which the authentication profile is bound is not located on the ES0D0G24SA00, ES0D0G24CA00, LE0MG24CA, LE0MG24SA, LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, or X series cards, and ASs are S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, or S6720S-SI.
    • In V200R019 and later versions, the authentication single-stack-control enable command configured in an authentication profile can be delivered to ASs. This command can take effect only in the following situations:
      • The parent is S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S6730-S, S6730S-S, S6720-HI, S6730S-H, or S6730-H, and ASs are S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6730S-H, or S6730-H.
      • The parent is a modular switch and the parent's port to which the authentication profile is bound is located on the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, or X series cards, and ASs are S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S6730S-H, or S6730-H.

    • If an interface needs to be unbound from an authentication profile and there are many users on the interface, it takes a long time to unbind the interface from the authentication profile. To shorten the time, run the authentication speed-limit max-num command to increase the rate at which a specified AS sends user disassociation request messages.

    Configure MAC address limiting on an interface.

    mac-limit maximum max-num
    • The user access authentication mode configured through an authentication profile is mutually exclusive with MAC address limiting on an interface and cannot be both configured.
    • The port-security max-mac-num max-number command in direct configuration mode is mutually exclusive with the mac-limit maximum max-num command configured in a user access profile and cannot be both configured.

    Rate limit incoming ARP and DHCP packets on an AS port.

    traffic-limit inbound { arp | dhcp } cir cir-value

    By default, the forwarding rate of incoming ARP and DHCP packets on an AS port is not limited.

    • The user access authentication mode configured through an authentication profile is mutually exclusive with the function of rate limiting incoming ARP and DHCP packets on an AS port and cannot be both configured.

    • Do not run the traffic-limit inbound dhcp and dhcp snooping enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound dhcp command does not take effect. On an AS of the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5720S-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, or S600-E model, running the dhcp snooping enable (network enhanced profile view) command on any port may cause the traffic-limit inbound dhcp command unable to take effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.

    • Do not run the traffic-limit inbound arp and arp anti-attack check user-bind enable (network enhanced profile view) commands simultaneously on the same port. Otherwise, the traffic-limit inbound arp command may not take effect. On an AS of the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5720S-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, or S600-E model, running the arp anti-attack check user-bind enable (network enhanced profile view) command on any port may cause the traffic-limit inbound arp command unable to take effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.

    Configure the maximum number of access users on an AS port.

    authentication access-user maximum

    The maximum number of access users ranges from 1 to 1024. After the value is delivered to an AS, the effective value depends on the AS specifications. For details, see authentication access-point max-user.

    The authentication access-user maximum command configuration takes effect only for new users.

    The command configuration does not take effect on the service Eth-Trunk bound to a port group.
  6. Run quit

    Exit from the user access profile view.

  7. Run port-group name group-name

    An AS port group is created.

  8. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  9. Add AS ports in the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

  10. Run user-access-profile name profile-name

    The specified user access profile is bound to the AS port group.

  11. Run quit

    Exit from the AS port group view.

  12. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

This example shows how to set the user authentication mode to MAC address authentication using a user access profile.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name 1
[HUAWEI-mac-access-profile-1] quit
[HUAWEI] authentication-profile name test
[HUAWEI-authen-profile-test] mac-access-profile 1  // Configure a MAC access profile.
[HUAWEI-authen-profile-test] quit
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name huawei
[HUAWEI-um-user-access-huawei] authentication-profile test  // Bind the authentication profile to the user access profile.
[HUAWEI-um-user-access-huawei] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] user-access-profile huawei  // Bind the port group to the user access profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a Network QoS Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run network-qos-profile name profile-name

    A network QoS profile is created.

  4. Configure required services in the network QoS profile

    Service Functions

    Configuration Command

    Usage Description

    Configure priority mapping based on DSCP priorities.

    trust dscp

    -

    Set a scheduling mode for interface queues.

    qos { pq | wrr | drr }

    -

    Configure a queue scheduling weight.

    qos queue queue-index { drr | wrr } weight weight

    The queue scheduling mode of an AS port has been set to WRR or WDRR using the qos { pq | wrr | drr } command.
  5. Run quit

    Exit from the network QoS profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports in the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

  9. Run network-qos-profile profile-name

    The specified network QoS profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

This example shows how to perform priority mapping on packets based on DSCP priorities using a network QoS profile.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-qos-profile name test
[HUAWEI-um-net-qos-test] trust dscp  // Perform priority mapping on packets based on DSCP priorities.
[HUAWEI-um-net-qos-test] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] network-qos-profile test  // Bind the port group to the network QoS profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a Traffic Policy Profile

  1. Run system-view

    The system view is displayed.

  2. Run acl acl-number

    An ACL number is configured. The ACL number ranges from 3000 to 3900.

    Or run acl ipv6 acl6-number

    An IPv6 ACL number is configured. The ACL number ranges from 3000 to 3900.

  3. Run rule (advanced ACL view)

    An ACL rule is configured.

    Or run rule (advanced ACL6 view)

    An ACL6 rule is configured.

    Only 5-tuple information (source IP address, destination IP address, source MAC address, destination MAC address, and protocol type) can be specified in ACL rules and ACL6 rule.

  4. Run quit

    Exit from the ACL view.

  5. Run uni-mng

    The uni-mng view is displayed.

  6. Run as-admin-profile name profile-name

    An AS administrator profile is created.

  7. Run acl number acl-number

    An ACL rule to be used in the AS administrator profile is configured.

    Or run acl ipv6 number acl-number

    An IPv6 ACL rule to be used in the AS administrator profile is configured.

  8. Run quit

    Exit from the AS administrator profile view.

  9. Run as-group name group-name

    An AS group is created.

  10. Add ASs in the AS group using one of the following methods:
    • Run as name as-name

      An AS with a specified name is added to the AS group.

    • Run as name-include string

      ASs of which the name contains a specified string are added to the AS group.

    • Run as all

      All online ASs are added to the AS group.

  11. Run as-admin-profile profile-name

    The specified AS administrator profile is bound to the AS group.

  12. Run quit

    Exit from the AS group view.

  13. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to an AS group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

  14. Run traffic-policy-profile name profile-name

    A traffic policy profile is created.

  15. Run policy (traffic policy profile view)

    A traffic policy is created.

    A maximum of 64 traffic policies can be created in a traffic policy profile.

  16. Run quit

    Exit from the traffic policy profile view.

  17. Run port-group name group-name

    An AS port group is created.

  18. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  19. Add AS ports in the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

  20. Run traffic-policy-profile profile-name { inbound | outbound }

    Ports in the AS port group are bound to the traffic policy profile.

  21. Run quit

    Exit from the AS port group view.

  22. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

This example shows how to deliver a traffic policy to ASs using a traffic policy profile.
<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip dscp cs1
[HUAWEI-acl-adv-3001] quit
[HUAWEI] uni-mng
[HUAWEI-um] as-admin-profile name profile_1
[HUAWEI-as-admin-profile_1] acl number 3001
[HUAWEI-as-admin-profile_1] quit
[HUAWEI-um] as-group name group_1
[HUAWEI-um-as-group-group_1] as name as1  // This configuration takes effect for AS1 that has been online.
[HUAWEI-um-as-group-group_1] as-admin-profile profile_1  // Bind the AS group to the AS administrator profile.
[HUAWEI-um-as-group-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.
[HUAWEI-um] traffic-policy-profile name profile_1
[HUAWEI-um-traffic-policy-profile_1] policy a remark 8021p 2 if-match acl 3001  // Configure a traffic policy.
[HUAWEI-um-traffic-policy-profile_1] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] traffic-policy-profile profile_1 inbound  // Bind the port group to the traffic policy profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.
Parent Topic: Configuring Services for an AS
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >