
deny | permit

Function

The deny | permit command configures access control for service packets based on traffic classifiers.

  • The deny command prevents service flows that match a specified rule from passing through.
  • The permit command forwards packets matching traffic classification rules according to the original policy.

The undo { deny | permit } command cancels access control for service packets based on traffic classifiers.

By default, a switch does not control service packets based on traffic classifiers.

Format

deny | permit

undo { deny | permit }

Parameters

None

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device implements access control using a traffic policy. That is, you can use a traffic policy containing deny | permit on the device so that the device provides the firewall function to filter out specified types of packets. The deny | permit command only filters data packets, but does not process control packets such as STP BPDUs sent to the CPU.

Precautions

When you specify a packet filtering action for packets matching an ACL, the ACL rule's own action is evaluated first. If the ACL rule is permit, the device processes the packets according to the action (deny or permit) in the traffic behavior. If the ACL rule is deny, the device discards the packets regardless of whether deny or permit is configured in the traffic behavior.

When the packet filtering action for packets matching an ACL is deny or permit and the ACL rule contains the logging field, a log is recorded when the packets are discarded or forwarded.

If a traffic policy in which the deny behavior is defined is applied to the outbound direction on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are discarded. This affects relevant protocol functions.

In the same traffic behavior, the deny action cannot be used with other traffic actions. Before adding other traffic actions such as re-marking to a traffic behavior, ensure that the traffic behavior does not contain the deny action. If the traffic behavior contains the deny action, configure the permit action before configuring other traffic actions.
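The three precautions above (ACL deny overriding the behavior, logging only when the ACL rule carries logging, and deny not sharing a behavior with other actions or being applied outbound) can be checked offline against a configuration dump. The following Python is an added example, not Huawei's own code: the sample configuration is constructed, and the one-space-indented block layout is an assumption about the dump format.

```python
# Added example (not Huawei's own code): audit deny | permit usage in a VRP-style
# config dump. SAMPLE_CONFIG is constructed; the one-space-indented block layout
# is an assumption about the dump format.

SAMPLE_CONFIG = """\
acl number 3000
 rule 5 deny ip source 10.0.0.0 0.255.255.255 logging
 rule 10 permit ip
traffic classifier c1 operator or
 if-match acl 3000
traffic behavior b1
 deny
 remark dscp af21
traffic policy p1
 classifier c1 behavior b1
interface GigabitEthernet0/0/1
 traffic-policy p1 outbound
"""

def parse_blocks(cfg):
    """Split the dump into (header line, indented body lines) pairs."""
    blocks = []
    for line in cfg.splitlines():
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def effective_action(acl_rule, behavior_action):
    """ACL deny always discards; ACL permit defers to the behavior's deny/permit.
    A log entry is written only when the ACL rule carries the 'logging' keyword."""
    tokens = acl_rule.split()
    discard = tokens[2] == "deny" or behavior_action == "deny"
    return ("discard" if discard else "forward"), "logging" in tokens

def audit(cfg):
    """Flag behaviors mixing deny with other actions, and deny policies applied outbound."""
    blocks = parse_blocks(cfg)
    behaviors = {h.split()[2]: b for h, b in blocks if h.startswith("traffic behavior ")}
    deny_behaviors = {n for n, b in behaviors.items() if "deny" in b}
    deny_policies = {h.split()[2] for h, b in blocks if h.startswith("traffic policy ")
                     and any(x.split()[3] in deny_behaviors for x in b if x.startswith("classifier "))}
    findings = [f"behavior {n}: deny combined with {[a for a in behaviors[n] if a != 'deny']}"
                for n in sorted(deny_behaviors) if len(behaviors[n]) > 1]
    for h, b in blocks:
        for line in b:
            p = line.split()
            if h.startswith("interface ") and len(p) == 3 and p[0] == "traffic-policy" \
                    and p[2] == "outbound" and p[1] in deny_policies:
                findings.append(f"{h}: deny policy {p[1]} applied outbound")
    return findings
```

The outbound finding is a prompt to review against the model list in the precaution above; on other models an outbound deny policy does not affect CPU-originated control packets.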

Example

# Configure a traffic policy p1 to prevent packets from VLAN 2 from passing through GE0/0/1.

<HUAWEI> system-view
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match vlan-id 2
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound
Copyright © Huawei Technologies Co., Ltd.