The traffic-filter acl command configures ACL-based packet filtering.
The undo traffic-filter acl command deletes the ACL configured for packet filtering.
By default, ACL-based packet filtering is not configured.
traffic-filter inbound acl [ ipv6 ] { acl-number | name acl-name }
undo traffic-filter inbound acl [ ipv6 ] { acl-number | name acl-name }
Parameter | Description | Value |
---|---|---|
inbound | Configures packet filtering in the inbound direction of the interface. | - |
acl-number | Specifies the ID of the user ACL or user ACL6 configured for packet filtering. | The user ACL or user ACL6 must exist. |
ipv6 | Specifies the IPv6 ACL configured for packet filtering. | - |
name acl-name | Specifies the name of the user ACL or user ACL6 configured for packet filtering. | The user ACL or user ACL6 must exist. |
Usage Scenario
In NAC network deployment, you can run the ucl-group command to classify users and configure user ACL or user ACL6 rules numbered from 6000 to 9999. You can then implement intra-group isolation (users in a group cannot communicate with each other) and inter-group isolation (users in a user group cannot communicate with users in other user groups), and control network access rights based on the UCL group.
After configuring ACL rules 6000 to 9999, you must run the traffic-filter acl command to configure ACL-based packet filtering. Only then do the ACL rules take effect for the users in the UCL group.
Precautions
If the user ACL specified in the traffic-filter inbound acl command, or the user ACL or user ACL6 delivered by the authentication server, is incorrectly configured to block all user traffic, the switch can no longer be reached and network-side protocols such as OSPF and BGP are interrupted.
For a stack of S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, or S6720-SI switches, if the value of RunningTemplate is not nac in the display system resource-template command output on a member switch that forwards traffic out, user ACL6-based packet filtering configured using the traffic-filter inbound acl ipv6 { acl-number | name acl-name } command in the system view does not take effect on the member switch.
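The following configuration is an added illustration of the Usage Scenario and Precautions above; it is not taken from the product documentation. It assumes two UCL groups named staff and guests, uses the acl/rule/quit commands and the "source ucl-group name" / "destination ucl-group name" rule options from general VRP usage (verify them against the command reference for your model), and applies the filter in the system view as the Precautions section describes. Lines beginning with # are annotations, not commands.

```text
# Constructed example, not from the page. Assumed: group names staff/guests,
# the acl number / rule / quit commands and the ucl-group rule options.
system-view

# Step 1: classify users into UCL groups (ucl-group command named on the page).
ucl-group 10 name staff
ucl-group 20 name guests

# Step 2: user ACL in the 6000-9999 range holding the isolation rules.
acl number 6000
 # Inter-group isolation: guests may not reach staff.
 rule 5 deny ip source ucl-group name guests destination ucl-group name staff
 # Intra-group isolation: guests may not reach each other.
 rule 10 deny ip source ucl-group name guests destination ucl-group name guests
 # Everything else (staff traffic, guests to the uplink) stays allowed, so
 # routing protocols and management access are not cut off.
 rule 100 permit ip
quit

# Step 3: make the rules take effect for the UCL group (command from this page).
traffic-filter inbound acl 6000

# MISCONFIGURATION the Precautions section warns about: a user ACL whose only
# rule is "deny ip" blocks all user traffic, interrupts OSPF/BGP and makes the
# switch unreachable. Shown for contrast only; do not apply it:
#   acl number 6001
#    rule 5 deny ip
#   quit
#   traffic-filter inbound acl 6001

# Checks: confirm the rules and, on a stack of the models listed above, that
# RunningTemplate is nac before relying on ACL6-based filtering.
display acl 6000
display system resource-template
```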