| Feature Requirements | Series | Models |
|---|---|---|
| UCLs may not take effect in Layer 2 service scenarios. Therefore, you are advised to configure ACLs in Layer 2 service scenarios. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| 1. ACL sampling does not support traffic policies in shared mode. Sampling can be configured in the traffic policy using commands but does not take effect. 2. ACL sampling is supported only on common sub-interfaces. It can be configured on sub-interfaces using commands but does not take effect. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| 1. Traffic on the inbound VLANIF interface: If a traffic policy is configured on both the inbound VLANIF interface and its member interfaces, the traffic policy does not take effect on the member interfaces, regardless of whether QPPB is enabled. Traffic matches the BGP flow policy, global traffic policy (ACL), traffic policy on the VLANIF interface, and QPPB policy for incoming traffic in sequence. If the actions defined in the policies are the same, the later policy takes effect. If the actions defined in the policies are different, all the policies take effect. 2. Traffic on the outbound VLANIF interface: (1) If QPPB is enabled for incoming traffic and a traffic policy is configured on both the inbound and outbound VLANIF interfaces, the traffic policy does not take effect on the inbound interface. Traffic matches the BGP flow policy, global traffic policy (ACL), traffic policy on the VLANIF interface, and QPPB policy for incoming traffic in sequence. If the actions defined in the policies are the same, the later policy takes effect. If the actions defined in the policies are different, all the policies take effect. (2) If QPPB is not enabled for incoming traffic and a traffic policy is configured on both the outbound VLANIF interface and the inbound interface of the device, both traffic policies take effect. Traffic matches the BGP flow policy, global traffic policy (ACL), traffic policy on the inbound interface of the device, traffic policy on the VLANIF interface, and QPPB policy for incoming traffic in sequence. If the actions defined in the policies are the same, the later one takes effect. If the actions defined in the policies are different, all the policies take effect. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| After ARP-MAC association is disabled, the outbound multi-field classification function on the VLANIF interface becomes invalid. (ARP-MAC association is enabled by default.) | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| A shared MF classification policy cannot be bound to the BAS interface view. | NetEngine 8000 F | NetEngine 8000 F1A |
| An MF classification policy in the BAS interface view is mutually exclusive with that in the view of the interface where BAS resides. | NetEngine 8000 F | NetEngine 8000 F1A |
| CAR in color-aware mode is not supported on an IPv6 GRE tunnel interface. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| Only MF classification in ip-layer mode (default mode) is supported on an IPv6 GRE tunnel interface. If link-layer or all-layer is specified for MF classification on IPv6 GRE tunnel interfaces, Layer 2 rules cannot be matched. If mpls-layer is specified, MPLS rules cannot be matched. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| MIBs and NMS do not support level-2 ACL sub-policy statistics query and clearing. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| The "traffic-policy match-mpls-layer {mpls-push \| mpls-pop} *" command has the following mutually exclusive relationships: The "traffic-policy match-mpls-layer mpls-pop mpls-push" and "traffic-policy match-ip-layer {mpls-push \| mpls-pop}" commands are mutually exclusive. The "traffic-policy match-mpls-layer mpls-pop mpls-push" and "traffic-policy match-rule packet-type" commands are mutually exclusive. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| The outbound multi-field classification function on a VLANIF interface does not support IPv6 rules. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| A shared MF classification policy cannot be authorized to users through a RADIUS server. | NetEngine 8000 F | NetEngine 8000 F1A |
| Hierarchical CAR and QPPB Policy CAR are mutually exclusive. If both functions are configured on the same interface, QPPB Policy CAR takes effect, and only second-level ACL in hierarchical CAR takes effect. First-level ACL CAR does not take effect. However, if hierarchical CAR is enabled and MF classification contains only level-1 CAR, both QPPB Policy CAR and hierarchical CAR take effect. 1. When hierarchical CAR and QPPB policy CAR are both configured on an interface and level-2 CAR is configured for hierarchical CAR, QPPB policy CAR takes effect, and only CAR for the second-level ACL takes effect. First-level ACL CAR does not take effect. 2. When hierarchical CAR and QPPB policy CAR are configured on an interface and one CAR (CAR is configured in a parent or child policy) is configured for hierarchical CAR, QPPB policy CAR takes effect, and the one CAR for hierarchical CAR also takes effect. Configuring only one of hierarchical CAR and CAR in a QPPB policy on one interface is recommended. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| When rate limiting based on Layer 3 packets is configured in a traffic policy, CAR based on the packet rate or CAR based on packet length compensation cannot be configured. Otherwise, rate limiting based on Layer 3 packets does not take effect. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| When address pool-, port pool-, or port range-based rules are configured in a traffic policy, if the number of addresses or ports in the pool decreases or the port range is shortened, the rules with lower priorities become invalid temporarily. The number of rules that become temporarily invalid is determined by the number of deleted rules. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| In the scenario where traffic enters an SRv6 tunnel/VXLAN tunnel/MPLS LDP LSP, a traffic policy is applied to an inbound interface of the tunnel/LSP's egress. If an ACL rule for matching the tunnel header is configured in the traffic policy, the traffic policy can take effect on the traffic received on the egress. After a QPPB policy is configured on the inbound interface, the traffic policy cannot match the tunnel header. As a result, the traffic policy becomes invalid. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| 1. VLANs may not be specified in the traffic-policy command on VLAN stacking interfaces, but must be specified on other Layer 2 interfaces. 2. The traffic-policy command is configured on a VLAN stacking interface. After the VLAN stacking configuration is deleted, the traffic-policy command takes effect as follows: (1) The traffic-policy command with VLANs specified takes effect on the packets with the specified VLANs. (2) The traffic-policy command with no VLANs specified takes effect on the packets without VLAN information. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| 1. VLANs may not be specified in a behavior aggregate classification configuration on a VLAN stacking interface, but must be specified on other Layer 2 interfaces. 2. Behavior aggregate classification is configured on a VLAN stacking interface. After the VLAN stacking interface configuration is deleted, the behavior aggregate classification configuration takes effect as follows: (1) The behavior aggregate classification configuration with VLANs specified takes effect on the packets with the specified VLANs. (2) The behavior aggregate classification configuration with no VLANs specified takes effect on the packets without VLAN information. If the trust upstream command (inbound or outbound may or may not be specified) or the qos phb enable default command is configured on an interface, behavior aggregate classification is configured. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| When a traffic policy is applied to the outbound direction of a VLANIF/VBDIF interface, the traffic policy takes effect on the board where the inbound interface of traffic resides. (1) If a traffic policy is configured on the inbound interface and the traffic behavior is discard, the traffic does not match the traffic policy of the VLANIF/VBDIF interface. (2) If a traffic policy is applied to the inbound interface and the traffic behavior is CAR, and a traffic policy is applied to the outbound direction of the VLANIF/VBDIF interface and the traffic behavior is CAR, the VLANIF/VBDIF interface's CAR and the inbound interface's CAR are performed for the traffic in sequence. In this case, the number of packets matching the traffic policy of the VLANIF/VBDIF interface is the number of matching packets before the inbound interface's CAR is performed. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| A device functions as the ingress of a VXLAN tunnel. When the well-known VXLAN port number is not explicitly specified in a global ACL rule for upstream traffic, the number of packets that pass through the device over the VXLAN tunnel and match the global ACL rule is doubled. Configure rules to distinguish well-known VXLAN port numbers from non-well-known VXLAN port numbers, place them in different traffic classifiers, and associate traffic behaviors with the traffic classifiers. This workaround doubles the configuration workload and hardware TCAM resource usage. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| When an IPv6 packet has multiple extension headers, MF classification supports the matching of only the first IPv6 extension header or the first option field in the first IPv6 extension header. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| Hop-by-hop traffic can match an IPv6 hop-by-hop rule only after the rule is explicitly configured in an MF classification policy. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| If an IPv6 hop-by-hop extension header rule is configured in a PUPP policy, the rule does not take effect. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| In an L3VPN accessing SRv6 TE Policy scenario, after a traffic policy is applied to upstream traffic sent out of the SRv6 tunnel in the L3VPN view, ACL rules cannot be used to match user IP addresses in SRv6 tunnel headers. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| When MF classification is applied to the upstream direction of a GRE tunnel interface, this function does not take effect in inbound GRE tunnel scenarios. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| In L2VXLAN scenarios, the function of adding a QoS policy ID to VXLAN packets and matching packets based on the QoS policy ID takes effect only for known unicast traffic. Do not configure this function for other types of traffic in L2VXLAN scenarios. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| If the number of newly configured rules in a traffic policy exceeds the ACL capacity, the rules that have taken effect are not affected. After the board restarts, no rules in the traffic policy take effect. Before the configuration, check the remaining ACL capacity on the device to ensure that the newly configured ACL rules are within the allowed ACL capacity range. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| UCL rules cannot match user IP addresses in MPLS packets in the inbound and outbound directions of the ingress and egress PEs on an MPLS network. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| One or more next-hop IP addresses are specified for the redirection action, and the outbound interface is specified as a trunk member interface. When the working next-hop trunk member interface goes Down, traffic is interrupted, regardless of whether the route-forward keyword is configured. The outbound interface of the redirection policy must be a Layer 3 interface. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| In the following scenarios, if URPF in strict mode is configured in a traffic behavior, the URPF in loose mode is automatically changed to the URPF in strict mode. 1. Dot1q, QinQ, and flexible sub-interfaces. 2. EVC dot1q and QinQ interfaces. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
| For multicast traffic sent from the network side to the user side, BA classification configured in the AAA domain does not take effect, and the PHB configured on the BAS interface does not take effect. Multicast traffic from the network side to the user side can enter queues only based on BA classification on the network interface, but cannot enter queues based on BA classification in the AAA domain. In addition, PHB reverse mapping is not performed for outgoing packets. If the outgoing interface is a sub-interface, the 802.1p value is 0. | NetEngine 8000 F | NetEngine 8000 F2A/NetEngine 8000 F1A |
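
The table above states that MF classification matches only the first IPv6 extension header when a packet carries several. The following Python sketch is an added example, not vendor code: it walks the extension-header chain of a raw IPv6 packet (header level only, not individual options) so that captured traffic can be audited for headers that sit behind the first one. The function names and the sample packets built by `build` are constructed for illustration.

```python
import struct

# Extension headers with the generic (next header, hdr ext len) layout (RFC 8200).
GENERIC = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, AUTH = 44, 51

def extension_chain(packet: bytes):
    """Return (extension header names in wire order, upper-layer protocol number)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, offset, chain = packet[6], 40, []
    while nxt in GENERIC or nxt in (FRAGMENT, AUTH):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        later_fragment = False
        if nxt == FRAGMENT:
            name, size = "fragment", 8
            # A non-zero fragment offset means the rest is payload, not headers.
            later_fragment = struct.unpack_from("!H", packet, offset + 2)[0] >> 3 != 0
        elif nxt == AUTH:
            name, size = "authentication", (packet[offset + 1] + 2) * 4
        else:
            name, size = GENERIC[nxt], (packet[offset + 1] + 1) * 8
        chain.append(name)
        nxt, offset = packet[offset], offset + size
        if later_fragment:
            break
    return chain, nxt

def mf_view(packet: bytes):
    """Split the chain into the first header and the ones behind it."""
    chain, upper = extension_chain(packet)
    return {"first": chain[:1], "behind_first": chain[1:], "upper_layer": upper}

def build(headers, upper=6):
    """Constructed sample packet: zero addresses, minimal 8-byte extension headers."""
    protos = list(headers) + [upper]
    body = b"".join(
        bytes([protos[i + 1], 0]) + (bytes(6) if h == FRAGMENT else b"\x01\x04" + bytes(4))
        for i, h in enumerate(headers))
    return struct.pack("!IHBB", 0x60000000, len(body), protos[0], 64) + bytes(32) + body

if __name__ == "__main__":
    for sample in ([], [0], [0, 60], [60, 44, 60]):
        print(sample, mf_view(build(sample)))
```

Packets whose `behind_first` list is non-empty carry extension headers that, per the restriction above, an MF rule on the extension header does not match.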