The traffic-filter command configures ACL-based packet filtering in a traffic profile.
The undo traffic-filter command cancels configuration of ACL-based packet filtering in a traffic profile.
By default, ACL-based packet filtering is not configured in a traffic profile.
traffic-filter { inbound | outbound } { ipv4 | ipv6 | l2 } acl { acl-number | name acl-name }
traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name } l2 acl { acl-number | name acl-name }
undo traffic-filter { inbound | outbound } { ipv4 | ipv6 | l2 } acl { acl-number | name acl-name }
undo traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name } l2 acl { acl-number | name acl-name }
Parameter |
Description |
Value |
|---|---|---|
inbound |
Configures ACL-based packet filtering in the inbound direction. |
- |
outbound |
Configures ACL-based packet filtering in the outbound direction. |
- |
ipv4 |
Configures ACL-based IPv4 packet filtering. |
- |
ipv6 |
Configures ACL-based IPv6 packet filtering. |
- |
l2 |
Configures ACL-based Layer 2 packet filtering. |
- |
acl acl-number |
Specifies the number of an ACL. |
The value is an integer that ranges from 3000 to 3031 and from 6000 to 6031 for IPv4 ACLs.
|
name acl-name |
Filters packets based on a specified named ACL. acl-name specifies the name of an ACL. |
The value is a string of 1 to 65 case-sensitive characters without spaces and must begin with a letter. The value range of acl-number corresponding to acl-name is 3000 to 3031, and 6000 to 6031. |
Usage Scenario
When the traffic-filter command is configured in the traffic profile view, the device first matches packets against ACLs and then performs the action according to the matched policy.
When multiple traffic-filter commands are configured for ACL-based packet filtering in the same direction in the same traffic profile, packets are matched against the next rule in the sequence in which the commands are configured. If packets match a rule, the device executes the specified policy and stops the matching process. Otherwise, the device continues to match packets against the next rule. If no rule is matched, the packets are allowed to pass through.
If an ACL contains multiple rules, packets match against the rules in the ascending order of rule IDs. If packets match a rule, the device considers that the ACL is matched and stops the matching process. Otherwise, the device continues to match packets against the next rule. If no rule is matched, the device considers that this ACL is not matched. To improve match efficiency, you are advised to configure an ACL rule with a high match probability first and set a small ID for the rule. This will reduce the number of times ACL rules are matched and save resources.
Prerequisites
The device has been enabled to process STA IPv6 services of STAs using the sta-ipv6-service enable command.
Precautions
The traffic-filter command can reference a numbered ACL rule that is not configured. You can configure the referenced ACL rule after running this command.
You can only configure a maximum of eight ACL rules in the same direction. The sequence in which ACL rules takes effect follows the sequence in which the rules are configured. To change the current packet filtering rules, delete all the related configurations and reconfigure the ACL-based packet filtering.
# Create the traffic profile p1 and configure packet filtering in the inbound direction based on the ACL that permits packets with the source IPv4 address 192.168.0.2/32.
<HUAWEI> system-view [HUAWEI] acl 3000 [HUAWEI-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0 [HUAWEI-acl-adv-3000] quit [HUAWEI] wlan [HUAWEI-wlan-view] traffic-profile name p1 [HUAWEI-wlan-traffic-prof-p1] traffic-filter inbound ipv4 acl 3000