
traffic-filter (system view)

Function

The traffic-filter command configures ACL-based packet filtering globally or in a VLAN.

The undo traffic-filter command cancels ACL-based packet filtering globally or in a VLAN.

By default, ACL-based packet filtering is not configured globally or in a VLAN.

When ACL-based packet filtering is applied globally or in a VLAN, the ACL number ranges from 2000 to 5999. When it is applied for user access control on a NAC network, the ACL number ranges from 6000 to 9999; see traffic-filter acl.

Format

To configure ACL-based packet filtering in the inbound direction on a switch, use the following command:

traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

traffic-filter inbound acl [ ipv6 ] ucl-acl

undo traffic-filter inbound acl [ ipv6 ] ucl-acl

To configure ACL-based packet filtering in the outbound direction on a switch, use the following command:

traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:

traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

undo traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

Parameters

Parameter | Description | Value
vlan vlan-id | Configures ACL-based packet filtering in a specified VLAN. | Integer in the range 1 to 4094.
inbound | Configures ACL-based packet filtering in the inbound direction. | -
outbound | Configures ACL-based packet filtering in the outbound direction. NOTE: Packet filtering based on a user-defined ACL cannot be applied in the outbound direction. | -
acl | Filters packets based on an IPv4 ACL. | -
ipv6 | Filters packets based on an IPv6 ACL. | -
bas-acl | Filters packets based on a specified basic ACL. | Integer in the range 2000 to 2999.
adv-acl | Filters packets based on a specified advanced ACL. | Integer in the range 3000 to 3999.
l2-acl | Filters packets based on a specified Layer 2 ACL. | Integer in the range 4000 to 4999.
user-acl | Filters packets based on a specified user-defined ACL. | Integer in the range 5000 to 5999.
name acl-name | Specifies the name of an ACL. | Must be the name of an existing ACL.
rule rule-id | Filters packets based on a specified ACL rule. | Integer in the range 0 to 4294967294.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the traffic-filter command is executed, the device compares each packet against the ACL rules and acts on the first rule it matches:

  • If the action in the matching rule is deny, the device discards the packet.
  • If the action in the matching rule is permit, the device forwards the packet.
  • If the packet matches no rule, the device forwards it.

ACL-based packet filtering is therefore default-permit: an ACL that contains only permit rules filters nothing. An allow-list must end with an explicit catch-all deny rule, and a block-list needs no final permit.
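The decision sequence above is easy to get wrong because the fall-through is permit. The Python below is an added example, not Huawei code: it models the evaluation for IPv4 ACLs, parses only the subset of `rule` syntax used on this page, and assumes the default `match-order config` (rules tried in ascending rule-id order, first match decides). It runs this page's example ACL, plus a constructed allow-list ACL in its weak (permit-only) and hardened (explicit final `rule deny ip`) forms, over constructed packets; the `has_explicit_final_deny` lint and the packet samples are assumptions of the example, not part of the command.

```python
"""Model of how traffic-filter decides a packet's fate against an IPv4 ACL.

Added example, not Huawei code. Assumptions (not stated on this page):
  * rules are tried in ascending rule-id order and the first match decides
    (the default match-order config);
  * only this rule subset is parsed:
      rule <id> {permit|deny} <proto> [source {any|A.B.C.D WILDCARD}]
                                      [destination {any|A.B.C.D WILDCARD}]
    where WILDCARD is a Huawei wildcard mask (0 bit = must match, 1 = don't care;
    a bare "0" means 0.0.0.0, i.e. a single host).
The fall-through for a packet that matches no rule is permit, as the page states.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Field = Optional[Tuple[int, int]]   # (address, wildcard) as ints; None means "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str    # "permit" or "deny"
    proto: str     # "ip" matches every protocol; otherwise must equal the packet's
    src: Field
    dst: Field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


_RULE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)\s+(\w+)"
    r"(?:\s+source\s+(any|\S+\s+\S+))?"
    r"(?:\s+destination\s+(any|\S+\s+\S+))?$"
)


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _field(spec: Optional[str]) -> Field:
    """Turn 'A.B.C.D WILDCARD' (or 'any' / absent) into an (addr, wildcard) pair."""
    if spec is None or spec == "any":
        return None
    addr, wild = spec.split()
    return _addr(addr), (0 if wild == "0" else _addr(wild))


def parse_acl(text: str) -> List[Rule]:
    """Parse the 'rule' lines of an ACL; other lines (acl name ..., quit) are ignored."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("rule"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rid, action, proto, src, dst = m.groups()
        rules.append(Rule(int(rid), action, proto, _field(src), _field(dst)))
    return sorted(rules, key=lambda r: r.rule_id)   # match-order config


def _matches(field: Field, packet_addr: int) -> bool:
    if field is None:
        return True
    addr, wild = field
    return ((addr ^ packet_addr) & ~wild) == 0     # only non-wildcard bits are compared


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id); rule_id None means no rule matched, i.e. default permit."""
    ps, pd = _addr(pkt.src), _addr(pkt.dst)
    for r in rules:
        if (r.proto == "ip" or r.proto == pkt.proto) and _matches(r.src, ps) and _matches(r.dst, pd):
            return r.action, r.rule_id
    return "permit", None


def has_explicit_final_deny(rules: List[Rule]) -> bool:
    """Lint for allow-list ACLs: the highest-numbered rule must be a catch-all deny."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and last.proto == "ip" and last.src is None and last.dst is None


# The ACL from this page's Example: one host is dropped, everything else falls through.
PAGE_ACL = """
acl name test 3000
rule 5 deny ip source 192.168.0.2 0
"""

# Constructed allow-list intent: "only 10.0.0.10 may reach 10.0.1.1 over TCP".
# Weak form: permit rules only. Because the fall-through is permit, it filters nothing.
WEAK_ACL = """
rule 5 permit tcp source 10.0.0.10 0 destination 10.0.1.1 0
"""
# Hardened form: the same permit followed by an explicit catch-all deny.
HARDENED_ACL = """
rule 5 permit tcp source 10.0.0.10 0 destination 10.0.1.1 0
rule 10 deny ip
"""

if __name__ == "__main__":
    # Constructed packets: the wanted flow, a stray host, and the wanted host on UDP.
    samples = [Packet("10.0.0.10", "10.0.1.1"), Packet("203.0.113.9", "10.0.1.1"),
               Packet("10.0.0.10", "10.0.1.1", "udp")]
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        rules = parse_acl(acl)
        print(name, "final deny:", has_explicit_final_deny(rules))
        for p in samples:
            print("  ", p.src, "->", p.dst, p.proto, filter_packet(rules, p))
```

Running it shows the stray host 203.0.113.9 passing the weak ACL with `('permit', None)`, i.e. forwarded by fall-through rather than by any rule, while the hardened ACL drops it on rule 10; the same lint can be run over an exported configuration before a filter is applied.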

Precautions

If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.

If the traffic-filter (system view) and traffic-filter (interface view) commands are both used and the associated ACLs are not user-defined ACLs, the traffic-filter (interface view) command takes precedence.

When the ACL rule associated with the traffic-filter command defines the deny action, that rule can additionally be associated only with the traffic-mirror (interface view), traffic-mirror (system view), traffic-statistic (interface view), or traffic-statistic (system view) command. If the rule is associated with other simplified traffic policies, those policies may not take effect.

When the permit action is defined in the ACL rule associated with the traffic-filter command, the ACL rule can be associated with other simplified traffic policies.

When the ACL rule containing the logging field is associated with the traffic-filter command, logs are recorded when packets are discarded or forwarded.

After traffic policing is configured on an interface, the number of packets that can be forwarded on the interface every second is relevant to the packet length calculation method. By default, the device calculates the 20-byte inter-frame gap and preamble. That is, the device calculates the actual packet length plus 20-byte inter-frame gap and preamble.

Outbound ACL-based packet filtering on an interface does not take effect on the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI if both of the following hold:
  • Outbound ACL-based packet filtering is configured, and the ACL matches on VLAN IDs.
  • VLAN mapping is also configured on the interface, and the mapped VLAN ID is the same as the VLAN ID matched by the ACL.

On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, S5735S-S, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, if an ACL rule defines deny and traffic-filter based on that ACL is applied in the outbound direction, control packets of ICMP, OSPF, BGP, RIP, SNMP, and Telnet sent by the CPU are also discarded when they match the rule, which affects the corresponding protocol functions. Scope outbound deny rules tightly, or precede them with permit rules for the device's own routing and management traffic, so that an outbound filter does not cut off SNMP or Telnet access to the switch.

Example

# Configure ACL-based packet filtering in VLAN 100. The ACL rejects packets with source IP address 192.168.0.2/32.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] acl name test 3000
[HUAWEI-acl-adv-test] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-test] quit
[HUAWEI] traffic-filter vlan 100 inbound acl name test
Copyright © Huawei Technologies Co., Ltd.