
traffic-filter (interface view)

Function

The traffic-filter command applies an ACL to an interface to filter packets on the interface.

The undo traffic-filter command cancels the configuration.

By default, no ACL is applied to an interface to filter packets on the interface.

Format

Use the following command in the inbound direction on an interface:

traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

undo traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

Use the following command in the outbound direction on an interface:

traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

undo traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

undo traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

Parameters

Parameter, description, and value:

inbound
  Configures ACL-based packet filtering in the inbound direction on an interface.
  Value: -

outbound
  Configures ACL-based packet filtering in the outbound direction on an interface.
  Value: -

acl
  Specifies the ACL used for filtering. Without the ipv6 keyword, the ACL is an IPv4 ACL (or a Layer 2 or user-defined ACL).
  Value: -

ipv6
  Configures IPv6 ACL-based packet filtering.
  Value: -

bas-acl
  Filters packets based on a specified basic ACL.
  Value: an integer that ranges from 2000 to 2999.

adv-acl
  Filters packets based on a specified advanced ACL.
  Value: an integer that ranges from 3000 to 3999.

l2-acl
  Filters packets based on a specified Layer 2 ACL.
  Value: an integer that ranges from 4000 to 4999.

user-acl
  Filters packets based on a specified user-defined ACL. Supported only in the inbound direction (see Format).
  Value: an integer that ranges from 5000 to 5999.

name acl-name
  Filters packets based on a specified named ACL. acl-name specifies the name of the ACL.
  Value: the name of an existing ACL.

rule rule-id
  Filters packets based on a single specified rule of the ACL instead of the whole ACL.
  Value: an integer that ranges from 0 to 4294967294.

Views

VLANIF interface view, Ethernet interface view, MultiGE interface view, GE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-filter command is executed on an interface, the device filters packets matching ACL rules:

  • If the action in an ACL rule is deny, the device discards packets matching the rule.
  • If the action in an ACL rule is permit, the device forwards packets matching the rule.
  • If no rule is matched, packets are allowed to pass through. There is no implicit deny: an ACL containing only permit rules drops nothing, and an allow-list must end with an explicit rule that denies all remaining traffic.

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support ACL-based simplified traffic policy configuration on a VLANIF interface.

  • The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.

  • For the S5720-EI, S6720-EI, and S6720S-EI, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.

  • For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface.

If the traffic-filter (system view) and traffic-filter (interface view) commands are used simultaneously and the associated ACLs are not user-defined ACLs, the traffic-filter (interface view) command takes effect.

When an ACL rule whose action is deny is associated with the traffic-filter command, the same rule can additionally be associated only with the traffic-mirror (interface view), traffic-mirror (system view), traffic-statistic (interface view), or traffic-statistic (system view) command. If the rule is associated with any other simplified traffic policy, that policy may not take effect.

When the permit action is defined in the ACL rule associated with the traffic-filter command, the ACL rule can be associated with other simplified traffic policies.

When the ACL rule containing the logging field is associated with the traffic-filter command, logs are recorded when packets are discarded or forwarded.

After traffic policing is configured on an interface, the number of packets that can be forwarded on the interface per second depends on how the device calculates packet length. By default, the device includes the 20-byte inter-frame gap and preamble, that is, it uses the actual packet length plus 20 bytes.

Outbound ACL-based packet filtering on an interface does not take effect on the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI if both of the following are true:
  • The ACL used for outbound packet filtering matches on VLAN IDs.
  • VLAN mapping is also configured on the interface, and the mapped VLAN ID is the same as the VLAN ID matched by the ACL.

If an ACL rule defines deny and traffic-filter based on that ACL is applied in the outbound direction on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, packets matching the rule are discarded even when they are control packets (ICMP, OSPF, BGP, RIP, SNMP, and Telnet) sent by the device's own CPU. This affects the corresponding protocol functions: an outbound deny rule broad enough to match the device's own routing or management traffic can break routing adjacencies and management access on these models, so scope outbound deny rules so that locally generated control packets do not match them.
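The following Python script is an added example, not Huawei's code or documentation. It applies the matching semantics from the Usage Scenario and the checks implied by the Precautions above to a configuration dump: it parses acl/rule definitions and interface-view traffic-filter lines from text shaped like display current-configuration output and flags references to ACLs or rule IDs that are not defined, filters with no deny rule (which drop nothing, given the implicit permit), filters without a catch-all deny (block-list rather than allow-list), and outbound filters whose deny rules would also discard CPU-originated control packets. The line formats it assumes are those of VRP configuration output, the catch-all test is a heuristic, and SAMPLE_CONFIG is constructed for illustration.

```python
"""Audit 'traffic-filter' (interface view) usage in a Huawei VRP configuration dump.
Added example, not Huawei's code: reads text shaped like 'display current-configuration' output
(child lines indented, sections split by '#') and applies this page's semantics: deny drops,
permit forwards, and a packet matching no rule is permitted."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "interface direction acl severity message")

# One pattern covers 'acl [ipv6] [number|name] X' headers and 'acl [ipv6] [name] X [rule N]' references.
ACL_REF = re.compile(r"acl( ipv6)?(?: number| name)? (\S+)(?: rule (\d+))?")
RULE = re.compile(r"^rule (\d+) (permit|deny)\b(.*)$")
IFACE_HDR = re.compile(r"^interface (\S+)")
TF_LINE = re.compile(r"^traffic-filter (inbound|outbound)\b(.*)$")
acl_key = lambda m: ("ipv6 " if m.group(1) else "") + m.group(2)   # keep IPv4 and IPv6 ACLs apart

def parse(config):
    """Return ({acl_key: {rule_id: (action, body)}}, [(interface, direction, acl_key, rule_id|None), ...])."""
    acls, filters, cur_acl, cur_if = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                                   # section separator: leave both contexts
            cur_acl = cur_if = None
        elif m := IFACE_HDR.match(line):
            cur_if = m.group(1)
        elif m := ACL_REF.match(line):
            cur_acl = acls.setdefault(acl_key(m), {})
        elif (m := RULE.match(line)) and cur_acl is not None:
            cur_acl[int(m.group(1))] = (m.group(2), m.group(3).strip())
        elif (m := TF_LINE.match(line)) and cur_if is not None:   # system-view form is not audited
            for ref in ACL_REF.finditer(m.group(2)):              # two refs in the L2 + L3 form
                rid = int(ref.group(3)) if ref.group(3) else None
                filters.append((cur_if, m.group(1), acl_key(ref), rid))
    return acls, filters

def is_catch_all(body):
    """Heuristic: nothing left but 'ip', 'logging', 'source any' or 'destination any' -> matches every packet."""
    rest = re.sub(r"\b(source|destination) any\b", "", body).split()
    return all(t in ("ip", "logging") for t in rest)

def audit(config):
    """Return one Finding per problem, in configuration order."""
    acls, filters = parse(config)
    out = []
    for iface, direction, key, rid in filters:
        note = lambda sev, msg: out.append(Finding(iface, direction, key, sev, msg))
        acl = acls.get(key)
        if acl is None:
            note("error", "referenced ACL is not defined; create it with acl / acl name / acl ipv6 name first")
            continue
        if rid is not None and rid not in acl:
            note("error", f"rule {rid} does not exist in the ACL, so the command is rejected")
            continue
        rules = {rid: acl[rid]} if rid is not None else acl
        denies = [body for action, body in rules.values() if action == "deny"]
        if not denies:
            note("warning", "no deny rule: unmatched packets are permitted anyway, so this filter drops nothing")
            continue
        if direction == "outbound":
            note("warning", "outbound deny also discards CPU-originated ICMP/OSPF/BGP/RIP/SNMP/Telnet packets it matches")
        if not any(is_catch_all(b) for b in denies):
            note("info", "no catch-all deny: unmatched packets pass (block-list); end with 'rule deny ip' for an allow-list")
    return out

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
acl number 2000
 rule 5 permit source 10.0.0.0 0.255.255.255
#
acl number 3000
 rule 5 deny ip source 192.168.0.2 0
 rule 10 permit ip
#
acl name MGMT-ONLY advance
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq 22
 rule 100 deny ip
#
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3000
#
interface GigabitEthernet0/0/2
 traffic-filter inbound acl 2000
#
interface GigabitEthernet0/0/3
 traffic-filter inbound acl name MGMT-ONLY
 traffic-filter outbound acl name NOT-DEFINED
#
interface GigabitEthernet0/0/4
 traffic-filter outbound acl name MGMT-ONLY
 traffic-filter inbound acl 3000 rule 99
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:7} {f.interface} {f.direction} acl {f.acl}: {f.message}")
```

Run against a saved display current-configuration, the script reports, for the sample, the block-list on GE0/0/1, the no-op filter on GE0/0/2, the undefined ACL and the outbound deny-all on GE0/0/3 and GE0/0/4, and the missing rule 99; MGMT-ONLY applied inbound produces no finding because it ends in an explicit deny. The ipv6 prefix in the ACL key keeps an IPv4 ACL 3000 and an IPv6 ACL 3000 from being confused, since the two are separate objects on the device.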

Example

# On GE0/0/1, configure packet filtering based on an ACL that rejects packets with source IP address 192.168.0.2/32.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-filter inbound acl 3000
Copyright © Huawei Technologies Co., Ltd.