The traffic-secure command configures ACL-based packet filtering on an interface.
The undo traffic-secure command cancels ACL-based packet filtering on an interface.
By default, ACL-based packet filtering is not configured on an interface.
To configure a single ACL, use the following command:
traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
undo traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:
traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
undo traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
| Parameter | Description | Value |
|---|---|---|
| inbound | Filters packets in the inbound direction. | - |
| acl | Filters packets based on the IPv4 ACL. | - |
| bas-acl | Filters packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Filters packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Filters packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| name acl-name | Filters packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Filters packets based on a specified ACL rule. | The value is an integer that ranges from 0 to 4294967294. |
Views
VLANIF interface view, Ethernet interface view, MultiGE interface view, GE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view
Usage Scenario
After the traffic-secure command is executed on an interface, the device filters inbound packets that match the ACL rules.
Precautions
If name acl-name is specified in the command, you need to run the acl name or acl ipv6 name command to create the corresponding ACL. Otherwise, the ACL-based simplified traffic policy fails to be configured.
If rule rule-id is specified in the command, you need to create an ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy fails to be configured.
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support ACL-based simplified traffic policy configuration on a VLANIF interface.
The VLAN corresponding to the VLANIF interface cannot be a Super-VLAN or MUX VLAN.
For the S5720-EI, S6720-EI, and S6720S-EI, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets and Layer 3 multicast packets on the VLANIF interface.
For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, an ACL-based simplified traffic policy that is applied to a VLANIF interface is only valid for unicast packets on the VLANIF interface.
On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, if traffic matching traffic-secure (interface view) also matches traffic-redirect (interface view) or traffic-redirect (system view), traffic-redirect (interface view) or traffic-redirect (system view) takes effect. On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, if the ACL defines the permit action, traffic-redirect (interface view) or traffic-redirect (system view) and traffic-secure (interface view) take effect.
On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, traffic-secure takes precedence over other ACL-based simplified traffic policy commands except traffic-redirect (interface view) and traffic-redirect (system view).
On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, traffic-secure takes precedence over other ACL-based simplified traffic policy commands.
If both traffic-secure and other ACL-based simplified traffic policy commands need to be configured on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, and the ACL is based on the inner 802.1p priority, inner VLAN ID, or port range, configure the traffic-secure command, and then configure other ACL-based simplified traffic policy commands.
# Configure the traffic filtering action on GE0/0/1 to discard the packets with source address 192.168.0.2 and mirror the packets with destination address 192.168.1.3 to the observing interface with the index of 1.
```
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] acl name test 3001
[HUAWEI-acl-adv-test] rule 5 permit ip destination 192.168.1.3 0
[HUAWEI-acl-adv-test] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-secure inbound acl 3000
[HUAWEI-GigabitEthernet0/0/1] traffic-mirror inbound acl 3001 to observe-port 1
```
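The two precautions that most often make a traffic-secure configuration fail silently (a named ACL that was never created, or a rule id that does not exist in the referenced ACL) can be caught before the configuration is pushed. The following checker is an added example, not Huawei code: it reads a saved configuration in the form shown above, applies the ACL number ranges from the parameter table, and reports traffic-secure lines that reference a missing ACL or rule. The configuration text and its mistakes are constructed for the example.

```python
"""Offline checker for traffic-secure lines in a Huawei-style config.
Added example; the config format and sample text are constructed."""
import re

# ACL number ranges from the parameter table on this page.
ACL_RANGES = {"bas-acl": (2000, 2999), "adv-acl": (3000, 3999), "l2-acl": (4000, 4999)}
RULE_ID_MAX = 4294967294

ACL_LINE = re.compile(r"^acl(?: name (?P<name>\S+))? (?P<num>\d+)$")
RULE_LINE = re.compile(r"^rule (?P<id>\d+) (?P<action>permit|deny)\b")
TS_LINE = re.compile(r"^traffic-secure inbound acl (?:name (?P<name>\S+)|(?P<num>\d+))"
                     r"(?: rule (?P<rule>\d+))?$")

def acl_kind(num):
    """Map an ACL number to bas-acl / adv-acl / l2-acl, or None if out of range."""
    for kind, (lo, hi) in ACL_RANGES.items():
        if lo <= num <= hi:
            return kind
    return None

def parse_acls(text):
    """Collect every ACL (keyed by number and, if present, by name) with its rule ids."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_LINE.match(line):
            current = {"rules": set()}
            acls[int(m["num"])] = current
            if m["name"]:
                acls[m["name"]] = current
        elif (m := RULE_LINE.match(line)) and current is not None:
            current["rules"].add(int(m["id"]))
        elif line == "quit" or line.startswith("interface"):
            current = None          # leave the ACL view
    return acls

def check_traffic_secure(text):
    """Return one message per traffic-secure line that violates the precautions."""
    acls, problems = parse_acls(text), []
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_LINE.match(line)
        if not m:
            continue
        key = m["name"] or int(m["num"])
        if m["num"] and acl_kind(int(m["num"])) is None:
            problems.append(f"{line}: ACL number {key} is outside 2000-4999")
        elif key not in acls:
            problems.append(f"{line}: ACL {key} does not exist")
        elif m["rule"] and (int(m["rule"]) > RULE_ID_MAX or int(m["rule"]) not in acls[key]["rules"]):
            problems.append(f"{line}: rule {m['rule']} not defined in ACL {key}")
    return problems

SAMPLE_CONFIG = """\
acl 3000
 rule 5 deny ip source 192.168.0.2 0
quit
acl name test 3001
 rule 5 permit ip destination 192.168.1.3 0
quit
interface gigabitethernet 0/0/1
 traffic-secure inbound acl 3000
 traffic-secure inbound acl name test rule 5
 traffic-secure inbound acl name missing
 traffic-secure inbound acl 3000 rule 10
"""

if __name__ == "__main__":
    for problem in check_traffic_secure(SAMPLE_CONFIG):
        print(problem)
```

Only the last two traffic-secure lines of the constructed sample are reported: the first references an existing numbered ACL and the second an existing named ACL with a defined rule.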