The traffic-redirect command configures ACL-based redirection globally or in a VLAN.
The undo traffic-redirect command cancels ACL-based redirection globally or in a VLAN.
By default, ACL-based redirection is not configured globally or in a VLAN.
When ACL-based redirection is implemented in the system or in a VLAN, the ACL number is in the range of 2000 to 5999. When ACL-based redirection is implemented on the NAC network, the ACL number is in the range of 6000 to 9999. See traffic-redirect acl.
To configure a single ACL, use the following command:
traffic-redirect [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }
undo traffic-redirect [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]
If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:
traffic-redirect [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }
undo traffic-redirect [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
traffic-redirect [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }
undo traffic-redirect [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]
traffic-redirect [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }
undo traffic-redirect [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support vpn-instance vpn-instance-name.
Parameter | Description | Value |
---|---|---|
vlan vlan-id | Specifies a VLAN ID. | The value is an integer that ranges from 1 to 4094. |
inbound | Redirects packets to the inbound direction. | - |
acl | Redirects packets based on the IPv4 ACL. | - |
ipv6 | Redirects packets based on the IPv6 ACL. | - |
bas-acl | Redirects packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
adv-acl | Redirects packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
l2-acl | Redirects packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
user-acl | Redirects packets based on a specified user-defined ACL. | The value is an integer that ranges from 5000 to 5999. |
name acl-name | Redirects packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
rule rule-id | Redirects packets based on a specified ACL rule. | The value is an integer that ranges from 0 to 4294967294. |
cpu | Redirects packets to the CPU. | - |
interface interface-type interface-number | Redirects packets to a specified interface. | - |
vpn-instance vpn-instance-name | Redirects packets to a VPN instance. | The value must be an existing VPN instance name. |
ip-nexthop ip-nexthop | Redirects packets to a next-hop IPv4 address. | The value is in dotted decimal notation. |
ipv6-nexthop ipv6-nexthop | Redirects packets to a next-hop IPv6 address. | The address is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
Usage Scenario
After the traffic-redirect command is executed on the device, the device redirects packets matching an ACL to the CPU, a specified interface, or a specified next hop address.
Precautions
If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.
If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.
If the traffic-redirect (interface view) and traffic-redirect (system view) commands are used simultaneously, the traffic-redirect (interface view) command takes effect.
When the traffic-redirect (system view) command and the traffic-filter (interface view) command or the traffic-filter (system view) command are used simultaneously, and the two commands are associated with the same ACL rule:
On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, if traffic matching traffic-redirect (system view) also matches traffic-secure (interface view) or traffic-secure (system view), traffic-redirect (system view) takes effect.
On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, if the ACL defines the permit action, traffic-secure (interface view) or traffic-secure (system view) and traffic-redirect (system view) take effect.
Before redirecting packets to an IPv6 address using this command, run the ipv6 neighbor command to configure a static neighbor.
Redirection to a next hop only takes effect on L3 traffic for the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735-S-I, and S5735S-S.
If packets are redirected to the CPU, a large number of packets will be sent to the CPU, affecting normal services. Exercise caution when you configure redirection to the CPU.
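The checks implied by the value ranges and precautions above can be run against a saved configuration before it is applied. The following Python audit is an added example, not part of the vendor documentation: it parses the single-ACL form of traffic-redirect, validates the VLAN, ACL and rule ranges, and flags redirection to the CPU, undefined named ACLs and IPv6 next hops without a static neighbor entry. The function name and the sample configuration are constructed for illustration, and the neighbor check is a plain text match on the address.

```python
import re

# System/VLAN ACL number range from this page (basic 2000 .. user-defined 5999).
ACL_MIN, ACL_MAX = 2000, 5999

# Single-ACL form only; the combined Layer 2 + Layer 3 forms are not parsed.
REDIRECT_RE = re.compile(
    r"^traffic-redirect(?: vlan (?P<vlan>\d+))? inbound acl "
    r"(?P<ipv6>ipv6 )?(?:name (?P<name>\S+)|(?P<num>\d+))"
    r"(?: rule (?P<rule>\d+))? "
    r"(?P<target>cpu|interface \S+(?: \S+)?"
    r"|(?:vpn-instance \S+ )?ip-nexthop \S+|ipv6-nexthop (?P<nh6>\S+))$")

# Constructed sample configuration, for illustration only.
SAMPLE = """\
acl name web-redirect 3999
traffic-redirect inbound acl 3001 rule 5 cpu
traffic-redirect vlan 100 inbound acl name web-redirect ip-nexthop 198.51.100.1
traffic-redirect vlan 200 inbound acl ipv6 name v6-clients ipv6-nexthop 2001:db8::1
traffic-redirect vlan 4095 inbound acl 6001 interface GigabitEthernet0/0/1
"""


def audit_config(text):
    """Map each traffic-redirect line to the list of problems found in it."""
    lines = [" ".join(raw.split()) for raw in text.splitlines()]
    has = lambda prefix: any((l + " ").startswith(prefix + " ") for l in lines)
    report = {}
    for line in (l for l in lines if l.startswith("traffic-redirect ")):
        m = REDIRECT_RE.match(line)
        if not m:
            report[line] = ["not a recognised single-ACL form"]
            continue
        out = []
        if m["vlan"] and not 1 <= int(m["vlan"]) <= 4094:
            out.append("vlan-id outside 1-4094")
        if m["num"] and not ACL_MIN <= int(m["num"]) <= ACL_MAX:
            out.append("ACL number outside 2000-5999")
        if m["name"] and not has(("acl ipv6 name " if m["ipv6"] else "acl name ") + m["name"]):
            out.append("named ACL is not defined")
        if m["rule"] and int(m["rule"]) > 4294967294:
            out.append("rule-id outside 0-4294967294")
        if m["target"] == "cpu":
            out.append("redirects to CPU")
        if m["nh6"] and not has("ipv6 neighbor " + m["nh6"]):
            out.append("no static ipv6 neighbor for next hop")
        report[line] = out
    return report


if __name__ == "__main__":
    for line, problems in audit_config(SAMPLE).items():
        print(line, "->", problems or "ok")
```

The audit does not verify that a referenced rule-id exists inside its ACL, so that precaution still has to be checked against the ACL definitions themselves.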