
Licensing Requirements and Limitations for ACL-based Simplified Traffic Policies

Involved Network Elements

Other network elements are not required.

Licensing Requirements

The ACL-based simplified traffic policy is a basic feature of a switch and is not under license control.

Feature Support in V200R019C10

All models of S2720, S5700, and S6700 series switches support ACL-based simplified traffic policy.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

  • The S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S in V200R012C00 and later versions support ACL-based simplified traffic policy configuration on a VLANIF interface.

    • In versions earlier than V200R019C10, an ACL-based simplified traffic policy can be configured on a VLANIF interface only in the inbound direction. Starting from V200R019C10, an ACL-based simplified traffic policy can be configured on a VLANIF interface in both the inbound and outbound directions.

    • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

    • For the S5720-EI, S6720-EI, and S6720S-EI, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

    • For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface.

  • During configuration of an ACL-based simplified traffic policy:

    • If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

    • If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

  • In V200R013C00 and earlier versions, when multiple ACL-based simplified traffic policies are configured on an interface, in a VLAN, or in the system and the ACL referenced by one ACL-based simplified traffic policy changes, all ACL-based simplified traffic policies that have been configured will become invalid temporarily.
  • If the traffic-redirect (interface view) or traffic-redirect (system view) command is executed to redirect traffic to an interface, you are advised to use ACL rules to match Layer 2 traffic.
  • Outbound ACL-based packet filtering, traffic policing, re-marking, or traffic statistics on an interface does not take effect on the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI in the following situations:
    • Outbound ACL-based packet filtering, traffic policing, re-marking, or traffic statistics is configured, and the ACL is based on VLAN IDs.
    • VLAN mapping is also configured on the interface, and the mapped VLAN ID is the same as the VLAN ID in the ACL.
  • The S5720-HI in V200R011C00 and later versions, S5730-HI, S5731-H, S6720-HI, S5731-S, S5731S-S, S6730-S, S6730S-S, S5731S-H, S5732-H, S6730S-H, and S6730-H support simplified traffic policies based on user-defined ACLs.
  • If the ACL rule matches the VPN instance name of packets, the ACL-based simplified traffic policy fails to be delivered.
  • If an MQC-based traffic policy and an ACL-based simplified traffic policy matching the same ACL are applied to the same object, the ACL-based simplified traffic policy takes effect. However, if ACL-based packet filtering is configured using the traffic-secure command, it can take effect together with an MQC-based traffic policy matching the same ACL.

  • To make an ACL-based simplified traffic policy take effect on the S2750-EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC running V200R007C00 and later versions, and S2720-EI running V200R009C00 and V200R010C00, run the assign forward-mode ipv4-hardware command to enable Layer 3 hardware forwarding of IPv4 packets. (In versions earlier than V200R007C00, Layer 3 hardware forwarding of IPv4 packets is not supported on the preceding devices.) On S2720-EI in versions later than V200R010C00 and other devices, Layer 3 hardware forwarding of IPv4 packets is enabled by default.
  • On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, when ACL-based simplified traffic policies are applied to the outbound direction:
    • Rules for matching the source IPv6 address and those for matching the destination IPv6 address cannot be both configured in one or more ACL-based simplified traffic policies.
    • Rules for matching IPv4 information (IP address and UDP port number) and those for matching some Layer 2 information (source MAC address, destination MAC address, and other Layer 2 protocol fields excluding IPv4, IPv6, and ARP) cannot be both configured in one or more ACL-based simplified traffic policies.
    • For two ACL-based simplified traffic policies that respectively define rules for matching the source IPv6 address and destination IPv6 address, if their actions conflict, only the ACL-based simplified traffic policy for matching the source IPv6 address takes effect; if their actions do not conflict, both ACL-based simplified traffic policies take effect.
    • The first-fragment parameter cannot be specified in an ACL or ACL6 rule.
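The two preceding groups of constraints (an ACL referenced by `name acl-name` must already exist, and the outbound-direction combinations that the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S reject) are the kind of thing worth catching before a policy is pushed, because a policy that fails to be configured leaves traffic unfiltered. The following added example (not Huawei's code) is a small pre-deployment lint over a constructed model of the configuration; the `Rule`, `Acl` and `Policy` types and the field names such as `src-ipv6` are assumptions chosen for the example, not VRP syntax.

```python
from dataclasses import dataclass

# Models the page lists as having the outbound-direction restrictions.
OUTBOUND_LIMITED = {"S5735-L", "S5735S-L", "S5735S-L-M", "S5735-S", "S5735-S-I", "S5735S-S"}
IPV4_FIELDS = {"src-ipv4", "dst-ipv4", "udp-port"}
L2_FIELDS = {"src-mac", "dst-mac", "l2-protocol"}  # Layer 2 fields other than IPv4/IPv6/ARP

@dataclass(frozen=True)
class Rule:
    fields: frozenset            # match fields the rule uses, e.g. frozenset({"src-ipv6"})
    first_fragment: bool = False

@dataclass(frozen=True)
class Acl:
    name: str
    rules: tuple

@dataclass(frozen=True)
class Policy:
    acl_name: str                # the "name acl-name" operand of the simplified traffic policy
    direction: str               # "inbound" or "outbound"

def lint(model, acls, policies):
    """Return findings for the limitations listed above; an empty list means none is hit."""
    by_name = {a.name: a for a in acls}
    findings = [f"{p.direction} policy references ACL '{p.acl_name}', which does not exist: "
                "the policy fails to be configured" for p in policies if p.acl_name not in by_name]
    if model not in OUTBOUND_LIMITED:
        return findings
    # The page forbids the combinations across "one or more" policies, so all outbound
    # rules applied to the object are examined together rather than per policy.
    out_rules = [r for p in policies if p.direction == "outbound" and p.acl_name in by_name
                 for r in by_name[p.acl_name].rules]
    fields = set().union(*(r.fields for r in out_rules))
    if {"src-ipv6", "dst-ipv6"} <= fields:
        findings.append("outbound: source-IPv6 and destination-IPv6 match rules cannot coexist")
    if fields & IPV4_FIELDS and fields & L2_FIELDS:
        findings.append("outbound: IPv4 match rules and Layer 2 match rules cannot coexist")
    if any(r.first_fragment for r in out_rules):
        findings.append("outbound: first-fragment cannot be specified in an ACL or ACL6 rule")
    return findings

# Constructed sample configuration (not from the page): one dangling ACL reference and
# an outbound policy pair that matches both IPv6 directions.
SAMPLE_ACLS = (Acl("v6-src", (Rule(frozenset({"src-ipv6"})),)),
               Acl("v6-dst", (Rule(frozenset({"dst-ipv6"})),)),
               Acl("mgmt-in", (Rule(frozenset({"src-ipv4"})),)))
SAMPLE_POLICIES = (Policy("v6-src", "outbound"), Policy("v6-dst", "outbound"),
                   Policy("mgmt-in", "inbound"), Policy("not-created", "inbound"))
```

Running `lint("S5735-L", SAMPLE_ACLS, SAMPLE_POLICIES)` reports the dangling ACL reference and the IPv6 source/destination conflict, while the same configuration on a model outside the listed set reports only the dangling reference.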
  • For the S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-EI, S6700-EI, S6720-EI, S6720S-EI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, S5735S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, or S6730S-S: If both VLAN mapping and ACL-based re-marking are configured for incoming packets and the traffic-remark command is used to configure the switch to re-mark the 802.1p priority or VLAN ID, the VLAN ID before mapping is used in ACL-based re-marking. In other cases, if both VLAN mapping and an ACL-based simplified traffic policy are configured for packets, the ACL-based simplified traffic policy matches the VLAN ID after mapping.
  • The packets destined for the local switch are sent to the CPU. After functions related to some protocols such as BGP, OSPF, and LACP are enabled, packets of these protocols are also sent to the CPU. If packets sent to the CPU match both CPCAR and the ACL rule defined in the simplified traffic policy, but the actions to be taken conflict with each other, CPCAR or the simplified traffic policy with a higher precedence takes effect. Table 1 describes the precedence between CPCAR and ACL-based simplified traffic policies.
    Table 1 Precedence between CPCAR and ACL-based simplified traffic policies

    | Product Model | Precedence Details |
    | --- | --- |
    | S2700-EI, S2710-SI, S2720-EI, S2750-EI, S3700, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700-SI, S5700-EI, S5710-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-HI, S5710-HI, S5730-SI, S5730S-EI, S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI | ACL-based simplified traffic policies take precedence over CPCAR. NOTE: For ARP packets to be sent to the CPU in the DHCP and NAC authentication services, CPCAR takes precedence over ACL-based simplified traffic policies. |
    | S6720-EI, S6720S-EI, S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S | CPCAR takes precedence over ACL-based simplified traffic policies. NOTE: On the S5720-EI running V200R007, ACL-based simplified traffic policies take precedence over CPCAR. On the S5720-EI running other versions, CPCAR takes precedence over ACL-based simplified traffic policies. |

  • For S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, on devices for which the resource mode of extended entry space cannot be configured, ACL6 rules can define only the protocol number, source port number, destination port number, source IPv6 address, and destination IPv6 address. Additionally, ACL6-based simplified traffic policies that contain these ACL6 rules cannot be applied to VLANIF interfaces.
Copyright © Huawei Technologies Co., Ltd.