The traffic-secure command configures ACL-based packet filtering globally or in a VLAN.
The undo traffic-secure command cancels ACL-based packet filtering globally or in a VLAN.
By default, ACL-based packet filtering is not configured globally or in a VLAN.
To configure a single ACL, use the following command:
traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
undo traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
If both Layer 2 ACLs and Layer 3 ACLs are configured, use the following command:
traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
undo traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Configures ACL-based packet filtering in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| inbound | Filters packets in the inbound direction. | - |
| acl | Filters packets based on the IPv4 ACL. | - |
| bas-acl | Filters packets based on a specified basic ACL. | The value is an integer that ranges from 2000 to 2999. |
| adv-acl | Filters packets based on a specified advanced ACL. | The value is an integer that ranges from 3000 to 3999. |
| l2-acl | Filters packets based on a specified Layer 2 ACL. | The value is an integer that ranges from 4000 to 4999. |
| name acl-name | Filters packets based on a specified named ACL. acl-name specifies the name of the ACL. | The value must be the name of an existing ACL. |
| rule rule-id | Filters packets based on a specified ACL rule. | The value is an integer that ranges from 0 to 4294967294. |
Usage Scenario
After the traffic-secure command is executed on the device, the device filters packets matching ACL rules:
Precautions
If name acl-name is specified in the command, you must first create the corresponding ACL with the acl name or acl ipv6 name command. Otherwise, the ACL-based simplified traffic policy cannot be configured.
If rule rule-id is specified in the command, you must first create the ACL and configure the corresponding rule. Otherwise, the ACL-based simplified traffic policy cannot be configured.
On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, if traffic matches both traffic-secure (system view) and traffic-redirect (interface view) or traffic-redirect (system view), only traffic-redirect (interface view) or traffic-redirect (system view) takes effect. On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, if the ACL defines the permit action, both traffic-redirect (interface view) or traffic-redirect (system view) and traffic-secure (system view) take effect.
On the S2720-EI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, traffic-secure takes precedence over other ACL-based simplified traffic policy commands except traffic-redirect (interface view) and traffic-redirect (system view).
On the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, traffic-secure takes precedence over other ACL-based simplified traffic policy commands.
If both traffic-secure and other ACL-based simplified traffic policy commands need to be configured on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, and the ACL is based on the inner 802.1p priority, inner VLAN ID, or port range, configure the traffic-secure command, and then configure other ACL-based simplified traffic policy commands.
# Configure the traffic filtering action globally to discard the packets with source address 192.168.0.2 and mirror the packets with destination address 192.168.1.3 to the observing interface with the index of 1.
```
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 5 deny ip source 192.168.0.2 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] acl name test 3001
[HUAWEI-acl-adv-test] rule 5 permit ip destination 192.168.1.3 0
[HUAWEI-acl-adv-test] quit
[HUAWEI] traffic-secure inbound acl 3000
[HUAWEI] traffic-mirror inbound acl 3001 to observe-port 1
```
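As an added example (not part of the Huawei documentation), the following Python checks a traffic-secure line against the command format and the parameter ranges in the table above before it is pushed to a device: the optional VLAN scope, the single-ACL and dual-ACL (Layer 2 ACL first, then basic/advanced ACL) forms, and the numeric ranges for vlan-id, ACL numbers and rule-id. The function and helper names are assumptions; the switch remains the authoritative check.

```python
# Added example (not from the documentation): validates a traffic-secure line
# against the format and parameter ranges documented above. Names are assumed.
ACL_RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999), "l2": (4000, 4999)}
VLAN_RANGE, RULE_RANGE = (1, 4094), (0, 4294967294)

def _tok(tokens, i):
    if i >= len(tokens):  # fail cleanly on a truncated command
        raise ValueError("command is truncated")
    return tokens[i]

def _int_in(token, lo, hi, what):
    """Parse token as an integer and check it lies in [lo, hi]."""
    if not token.isdigit() or not lo <= int(token) <= hi:
        raise ValueError(f"{what} {token!r} must be an integer from {lo} to {hi}")
    return int(token)

def _acl_type(number):  # map an ACL number to basic / advanced / l2
    return next(k for k, (lo, hi) in ACL_RANGES.items() if lo <= number <= hi)

def parse_traffic_secure(line):
    """Parse one traffic-secure line into a dict; raise ValueError if invalid."""
    tokens = line.split()
    undo = bool(tokens) and tokens[0] == "undo"
    if undo:
        tokens = tokens[1:]
    if _tok(tokens, 0) != "traffic-secure":
        raise ValueError("line does not start with traffic-secure")
    pos, vlan = 1, None
    if _tok(tokens, pos) == "vlan":  # optional VLAN scope
        vlan, pos = _int_in(_tok(tokens, pos + 1), *VLAN_RANGE, "vlan-id"), pos + 2
    if _tok(tokens, pos) != "inbound":  # only inbound filtering is documented
        raise ValueError("missing 'inbound' keyword")
    pos, acls = pos + 1, []
    while pos < len(tokens):  # one or two "acl ... [rule rule-id]" clauses
        if _tok(tokens, pos) != "acl":
            raise ValueError(f"unexpected token {tokens[pos]!r}")
        if _tok(tokens, pos + 1) == "name":
            entry, pos = {"acl": _tok(tokens, pos + 2), "type": "named", "rule": None}, pos + 3
        else:
            number = _int_in(_tok(tokens, pos + 1), 2000, 4999, "ACL number")
            entry, pos = {"acl": number, "type": _acl_type(number), "rule": None}, pos + 2
        if pos < len(tokens) and tokens[pos] == "rule":
            entry["rule"], pos = _int_in(_tok(tokens, pos + 1), *RULE_RANGE, "rule-id"), pos + 2
        acls.append(entry)
    if not 1 <= len(acls) <= 2:
        raise ValueError("expected one or two 'acl' clauses")
    if len(acls) == 2 and (acls[0]["type"] not in ("l2", "named")
                           or acls[1]["type"] not in ("basic", "advanced", "named")):
        raise ValueError("dual form is Layer 2 ACL first, then a basic/advanced ACL")
    return {"undo": undo, "vlan": vlan, "acls": acls}
```

A rejected line raises ValueError with the offending parameter and its documented range, so the check can run in a pre-change lint step.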