
port add-tag acl

Function

The port add-tag acl command adds an outer tag to the packet that matches an ACL rule on an interface.

The undo port add-tag acl command cancels the configuration.

By default, the device does not add an outer tag to the packet that matches an ACL rule.

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.

Format

port add-tag acl { acl-number | name acl-name } [ rule rule-id ] vlan vlan-id { priority-inherit | remark-8021p 8021p-value }

undo port add-tag acl { acl-number | name acl-name } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

port add-tag acl l2-acl [ rule rule-id ] [ acl { basic-acl | advance-acl | name acl-name } [ rule rule-id ] ] vlan vlan-id { priority-inherit | remark-8021p 8021p-value }

port add-tag acl { basic-acl | advance-acl } [ rule rule-id ] [ acl { l2-acl | name acl-name } [ rule rule-id ] ] vlan vlan-id { remark-8021p 8021p-value | priority-inherit }

port add-tag acl name acl-name [ rule rule-id ] [ acl { basic-acl | advance-acl | l2-acl | name acl-name } [ rule rule-id ] ] vlan vlan-id { remark-8021p 8021p-value | priority-inherit }

undo port add-tag acl l2-acl [ rule rule-id ] [ acl { basic-acl | advance-acl | name acl-name } [ rule rule-id ] ]

undo port add-tag acl { basic-acl | advance-acl } [ rule rule-id ] [ acl { l2-acl | name acl-name } [ rule rule-id ] ]

undo port add-tag acl name acl-name [ rule rule-id ] [ acl { basic-acl | advance-acl | l2-acl | name acl-name } [ rule rule-id ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| acl-number | Specifies the number of an ACL. | The value is an integer that ranges from 2000 to 4999. The value ranges of different types of ACLs are as follows: a basic ACL ranges from 2000 to 2999; an advanced ACL ranges from 3000 to 3999; a Layer 2 ACL ranges from 4000 to 4999. |
| rule-id | Specifies the ID of an ACL rule. | The value of an IPv4 ACL ranges from 0 to 4294967294. When the rule ID is specified and the rule associated with the rule ID exists, the new rule takes effect. If the rule associated with the rule ID does not exist, you can create a new rule with a specified rule ID and add the rule according to the rule ID. NOTE: Rule IDs that the device assigns automatically start from the step value. The default step is 5. With this step, the device creates ACL rules numbered 5, 10, 15, and so on. |
| name acl-name | Specifies a named ACL. | The value must be the name of an existing ACL. |
| vlan vlan-id | Specifies a VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| l2-acl | Specifies the number of a Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| basic-acl | Specifies the number of a basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| advance-acl | Specifies the number of an advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| priority-inherit | Indicates that the outer VLAN tag inherits the priority in the inner VLAN tag. | - |
| remark-8021p 8021p-value | Specifies the re-marked priority of the added outer VLAN tag. 8021p-value specifies the 802.1p priority. | The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority. |

Views

Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, MultiGE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A device interface adds the specified outer tag to a packet based on the VLAN tag, MAC address, IP protocol, source address, destination address, priority, or port number of an application of a user.

Precautions

  • After you run the port add-tag acl command, the following situations may occur:

    • The device does not take the original forwarding action to forward the packet that matches an ACL rule. Instead, the device adds an outer tag to the packet and forwards the packet in the VLAN specified by the added outer tag.
    • For a packet that does not match an ACL rule, the device adds an outer tag based on the default VLAN of the interface.
  • A Layer 2 ACL and a Layer 3 ACL can be set in the port add-tag acl command simultaneously. The Layer 3 ACL and its rules can be configured only after the Layer 2 ACL and its rules are configured. The Layer 2 ACL number ranges from 4000 to 4999 and the Layer 3 ACL number ranges from 2000 to 2999 and 3000 to 3999.

  • This command is invalid for packets tagged with VLAN 0. If packets tagged with VLAN 0 need to be processed, configure a traffic policy on the switch.

Example

# Add the outer tag of VLAN 1001 to the packet that matches the source IP address of 192.168.0.0/16 on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] acl name test 2000 
[HUAWEI-acl-basic-test] rule 1 permit source 192.168.0.0 0.0.255.255
[HUAWEI-acl-basic-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type trunk
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[HUAWEI-GigabitEthernet0/0/1] port add-tag acl 2000 rule 1 vlan 1001 priority-inherit 
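
The following is an added example, not part of the original page or Huawei tooling: a configuration check that validates port add-tag acl lines against the value ranges in the Parameters section and the rule that the two-ACL form pairs one Layer 2 ACL with one Layer 3 ACL. It assumes the lines appear in the saved configuration in the same form as they are typed; the function names and the sample configuration are constructed for illustration.

```python
import re

# Number ranges per ACL type, taken from the Parameters section.
ACL_RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999), "l2": (4000, 4999)}
ACL = r"(name \S+|\d+)(?: rule (\d+))?"
CMD = re.compile(rf"port add-tag acl {ACL}(?: acl {ACL})? vlan (\d+) "
                 r"(?:priority-inherit|remark-8021p (\d+))")

def acl_kind(token):
    """Classify an ACL token as basic, advanced, l2 or named; None if out of range."""
    if token.startswith("name "):
        return "named"
    return next((k for k, (lo, hi) in ACL_RANGES.items() if lo <= int(token) <= hi), None)

def check(line):
    """Return the problems found in one 'port add-tag acl' configuration line."""
    m = CMD.fullmatch(" ".join(line.split()))
    if not m:
        return ["does not match the documented format"]
    acl1, rule1, acl2, rule2, vlan, prio = m.groups()
    kinds = [acl_kind(a) for a in (acl1, acl2) if a]
    problems = [f"ACL number {a} is outside 2000-4999"
                for a, k in zip((acl1, acl2), kinds) if k is None]
    numbered = [k for k in kinds if k not in (None, "named")]
    if len(numbered) == 2 and (numbered[0] == "l2") == (numbered[1] == "l2"):
        problems.append("two numbered ACLs must be one Layer 2 and one Layer 3 ACL")
    for r in (rule1, rule2):
        if r and int(r) > 4294967294:
            problems.append(f"rule ID {r} is outside 0-4294967294")
    if not 1 <= int(vlan) <= 4094:
        problems.append(f"VLAN ID {vlan} is outside 1-4094")
    if prio and int(prio) > 7:
        problems.append(f"802.1p value {prio} is outside 0-7")
    return problems

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
interface GigabitEthernet0/0/1
 port add-tag acl 2000 rule 1 vlan 1001 priority-inherit
 port add-tag acl 4001 rule 5 acl 3001 vlan 200 remark-8021p 5
 port add-tag acl 2000 acl 3000 vlan 4095 remark-8021p 9
 port add-tag acl 5000 vlan 10 priority-inherit
"""

def audit(config):
    """Map each 'port add-tag acl' line in a config to its list of problems."""
    return {l.strip(): check(l) for l in config.splitlines()
            if l.strip().startswith("port add-tag acl")}
```

Because matched packets leave their original forwarding path and are forwarded in the VLAN of the added tag, reviewing the lines that audit() returns also shows which VLAN each ACL match is redirected into.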
Copyright © Huawei Technologies Co., Ltd.