
traffic-filter (AP wired port profile view)

Function

The traffic-filter command configures ACL-based IPv4, IPv6, or Layer 2 packet filtering on an AP's wired interface.

The undo traffic-filter command cancels the ACL-based IPv4, IPv6, or Layer 2 packet filtering configuration on an AP's wired interface.

By default, ACL-based IPv4, IPv6, or Layer 2 packet filtering is not configured on an AP's wired interface.

Format

traffic-filter { inbound | outbound } { ipv4 | ipv6 | l2 } acl { acl-number | name acl-name }

traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name } l2 acl { acl-number | name acl-name }

undo traffic-filter { inbound | outbound } { ipv4 | ipv6 | l2 } acl { acl-number | name acl-name }

undo traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name } l2 acl { acl-number | name acl-name }

Parameters

| Parameter | Description | Value |
|---|---|---|
| inbound | Configures ACL-based packet filtering in the inbound direction. | - |
| outbound | Configures ACL-based packet filtering in the outbound direction. | - |
| ipv4 | Configures ACL-based IPv4 packet filtering. | - |
| l2 | Configures ACL-based Layer 2 packet filtering. | - |
| ipv6 | Filters IPv6 packets. | - |
| acl | Filters packets based on the ACL. | - |
| acl-number | Specifies the number of an ACL. | The value is an integer that ranges from 3000 to 3031 for IPv4 ACLs and IPv6 ACLs and from 4000 to 4031 for Layer 2 ACLs. 3000 to 3031: advanced ACLs. 4000 to 4031: Layer 2 ACLs. |
| name acl-name | Filters packets based on a specified named ACL. acl-name specifies the name of the ACL. | The ACL name must exist. The value range is the same as that of the acl-number parameter. |

Views

AP wired port profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a wireless network, administrators want to provide differentiated services for wireless users. The services may include, but are not limited to the following:
  • Deny or permit access of specified wireless users to specified LAN devices.
  • Deny access of specified wireless users to specified invalid IP addresses.
You can configure ACL-based packet filtering on an AP's wired interface for providing differentiated services.
The rules for an AP's wired interface to filter packets based on ACLs are as follows:
  • If the action in an ACL rule is deny, the device discards packets matching the rule.
  • If the action in an ACL rule is permit, the device forwards packets matching the rule.
  • If no rule is matched, packets are allowed to pass through.
When multiple commands are configured for ACL-based packet filtering in the same direction in the same AP wired port profile view, packets are matched against ACL rules in the sequence in which the commands are configured. If packets match a rule, the system stops the matching process and executes the specified policy. Otherwise, the system continues to match packets against the next rule. If no rule is matched, packets are allowed to pass through. The following occurs depending on whether packets match ACL rules:
  • If a policy contains only one ACL rule and the ACL rule is matched, the permit or deny action is performed.

  • If a policy contains two ACL rules, the specified action is performed only when both ACL rules are matched.

    If the actions in the two ACL rules are both permit, the permit action is performed. Otherwise, the deny action is performed.

If an ACL contains multiple rules, packets are matched against the rules in the ascending order of rule IDs.
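
The matching order described above can be modeled as follows. This is an added example, not Huawei code: the Rule class, the simplified match fields (destination IPv4 network and source MAC), and the sample ACL contents are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    field: str    # packet key tested: "dst" (IPv4) or "src_mac" (Layer 2)
    value: str    # CIDR network for "dst", exact string for "src_mac"

    def matches(self, pkt):
        if self.field == "dst":
            return ip_address(pkt["dst"]) in ip_network(self.value)
        return pkt.get(self.field) == self.value

def acl_lookup(acl, pkt):
    """Action of the first matching rule in ascending rule-ID order, else None."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action
    return None

def filter_packet(policies, pkt):
    """policies: traffic-filter commands for one direction, in configured order.
    Each policy is a tuple of one ACL, or two ACLs (ipv4 acl ... l2 acl ...)."""
    for acls in policies:
        actions = [acl_lookup(acl, pkt) for acl in acls]
        if None in actions:
            continue          # a two-ACL policy applies only if both ACLs match
        return "permit" if all(a == "permit" for a in actions) else "deny"
    return "permit"           # no rule matched: the packet passes

# Constructed sample ACLs and policies (not from the product documentation).
ACL_3000 = [Rule(10, "permit", "dst", "10.1.0.0/16"),
            Rule(5, "deny", "dst", "10.1.1.0/24")]
ACL_3001 = [Rule(5, "permit", "dst", "172.16.0.0/16")]
ACL_4000 = [Rule(5, "deny", "src_mac", "00e0-fc12-3456")]
POLICIES = [(ACL_3000,), (ACL_3001, ACL_4000)]

if __name__ == "__main__":
    for pkt in ({"dst": "10.1.1.5", "src_mac": "00e0-fc00-0001"},
                {"dst": "10.1.2.5", "src_mac": "00e0-fc00-0001"},
                {"dst": "172.16.0.9", "src_mac": "00e0-fc12-3456"},
                {"dst": "172.16.0.9", "src_mac": "00e0-fc00-0001"},
                {"dst": "192.0.2.1", "src_mac": "00e0-fc00-0001"}):
        print(pkt, "->", filter_packet(POLICIES, pkt))
```

The last two sample packets show the pass-by-default behavior: a packet that matches no policy is forwarded, so traffic that must be blocked needs an explicit deny rule.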

Prerequisites

A named ACL has been created using the acl name or acl name command.

Precautions

You can specify an empty ACL in this command, and configure this ACL later.

A maximum of eight ACL-based packet filtering policies can be configured in one direction. The policies take effect in the sequence in which they are configured. To improve match efficiency, you are advised to configure an ACL rule with a high match probability for packet filtering. When configuring each ACL rule, set a small ID for the rule with a high match probability, reducing the number of times ACL rules are matched and saving resources. To change the sequence in which packets are filtered based on ACLs, delete all related configurations and reconfigure ACL-based packet filtering.

Example

# Configure the wired interface GE0 of ap-group1 to filter incoming packets based on ACL 3000.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wired-port-profile name wired
[HUAWEI-wlan-wired-port-wired] traffic-filter inbound ipv4 acl 3000
[HUAWEI-wlan-wired-port-wired] quit
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] wired-port-profile wired gigabitethernet 0
Copyright © Huawei Technologies Co., Ltd.