Issue: 01
Date: 2013-09-30
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website:
http://enterprise.huawei.com
S Series Switches
Feature Start - ACL
Intended Audience
This document is intended for:
Maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows (symbol and description).
- Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in
death or serious injury.
- Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate
injury.
- Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage,
data loss, performance deterioration, or unanticipated results.
- Provides a tip that may help you solve a problem or save time.
- Provides additional information to emphasize or supplement important points in the main text.
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Issue 01 (2013-09-30)
This is the initial official release.
Contents
2 Configuration Guide
2.1 Scenario 1: Configuring Priority Mapping
2.1.1 Networking Description
2.1.2 Configuration Roadmap
2.1.3 Configuration Example
2.2 Scenario 2: Configuring Traffic Filtering
2.2.1 Networking Description
2.2.2 Configuration Roadmap
2.2.3 Configuration Example
2.3 Scenario 3: Configuring Traffic Policing
2.3.1 Networking Description
2.3.2 Configuration Roadmap
2.3.3 Configuration Example
2.4 Scenario 4: Configuring QinQ
2.4.1 Networking Description
2.4.2 Configuration Roadmap
2.4.3 Configuration Example
2.5 Deployment Precautions
2.5.1 Check that Traffic Policies Configured on Chassis Switches Are Applied Successfully
2.5.2 ACLs Configured to Control FTP/Telnet/SSH Login Users Discard Packets that Do Not Match the ACLs
3 Troubleshooting
3.1 Troubleshooting Overview
3.2 Traffic Filtering Does Not Take Effect
3.2.1 Fault Description
3.2.2 Troubleshooting Roadmap
3.2.3 Troubleshooting Flowchart
3.2.4 Troubleshooting Procedure
3.3 Traffic Policy That Is Configured to Redirect Traffic to the Next Hop Does Not Take Effect
3.3.1 Fault Description
3.3.2 Troubleshooting Roadmap
3.3.3 Troubleshooting Flowchart
3.3.4 Troubleshooting Procedure
3.4 Information Collection
3.4.1 Network Topology
3.4.2 display Command List
3.4.3 Switch Logs and Diagnosis Logs
4 Troubleshooting Cases
4.1 After Traffic Filtering Is Configured, Traffic Fails To Be Forwarded As Expected
4.1.1 Symptom and Networking
4.1.2 Root Cause
4.1.3 Identification Method
4.1.4 Solution
4.1.5 Summary
4.2 After a Traffic Policy Is Configured to Redirect Traffic to the Next Hop, Services Are Interrupted
4.2.1 Symptom and Networking
4.2.2 Root Cause
4.2.3 Identification Method
4.2.4 Solution
4.2.5 Summary
5 FAQ
5.1 Does the S7700/S9700 Support Inter-Card Redirection? How Do I Configure This Function?
5.2 Why Is CAR Rate Limiting Inaccurate?
5.3 How Is PBR Implemented on S-series Switches?
5.4 The Traffic Behavior Is Not Set to deny, but Traffic is Discarded, Why?
5.5 How Do I Use a User-defined ACL?
5.6 How Do I Know About ACL Resource Usage?
1 ACL Overview
ACL categories (category, usage scenario, description):
Support for IPv4 and IPv6
ACL4: used for IPv4. ACL4 and ACL6 commands are different.
ACL6: used for IPv6. ACL4 and ACL6 commands are different.
Naming mode
Numbered ACL
Named ACL
Function
Basic ACL
Advanced ACL
User-defined ACL: user-defined ACL numbers range from 5000 to 5999.
Configuration order: ACL rules are matched in the order in which they were configured.
The rule that was configured first is matched first. By default, ACL rules are matched in
the configuration order.
Automatic order: The automatic order follows the depth first principle.
According to the depth first principle, a stricter matching condition represents a more accurate
ACL rule. An ACL rule can be configured based on the wildcard of IP addresses. A smaller
wildcard identifies a smaller network segment.
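The following Python model is added here as an illustration and is not part of the Huawei document. It applies a wildcard mask the way the text describes (a 1 bit in the wildcard means "don't care", so 129.102.1.1 0.0.0.255 covers every address whose first three octets are 129.102.1) and compares the config and auto (depth-first) matching orders on a constructed two-rule ACL. The rule numbers, the addresses and all helper names are constructed for the example and are not taken from any switch.

```python
# Added example (not from the Huawei document): how an IPv4 ACL rule with a wildcard
# mask matches an address, and how the "config" and "auto" (depth-first) matching
# orders change which rule a packet hits. Rules and addresses are constructed.
import ipaddress
from dataclasses import dataclass


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Rule:
    rule_id: int      # rule number as written in the ACL ("rule 5 permit ...")
    action: str       # "permit" or "deny"
    source: str       # address part of "source <addr> <wildcard>"
    wildcard: str     # wildcard mask: 1 bits are "don't care", 0 bits must match

    def matches(self, src_ip: str) -> bool:
        # Only the bits that are 0 in the wildcard have to be equal.
        care = ~to_int(self.wildcard) & 0xFFFFFFFF
        return (to_int(self.source) ^ to_int(src_ip)) & care == 0

    def specificity(self) -> int:
        # Number of "care" bits: more care bits = smaller segment = stricter rule.
        return bin(~to_int(self.wildcard) & 0xFFFFFFFF).count("1")


def ordered(rules, match_order="config"):
    if match_order == "config":
        return list(rules)                 # the order the rules were configured in
    if match_order == "auto":
        # Depth first: strictest rule first; ties keep configuration order (stable sort).
        return sorted(rules, key=lambda r: -r.specificity())
    raise ValueError(match_order)


def first_match(rules, src_ip, match_order="config"):
    for r in ordered(rules, match_order):
        if r.matches(src_ip):
            return r
    return None   # no rule hit; what happens then depends on where the ACL is applied


# Constructed ACL: a broad deny for the /24 configured before a permit for one host.
ACL = [
    Rule(5, "deny", "129.102.1.1", "0.0.0.255"),    # every address in 129.102.1.0/24
    Rule(10, "permit", "129.102.1.1", "0.0.0.0"),   # the single host 129.102.1.1
]


def decision(src_ip, match_order):
    r = first_match(ACL, src_ip, match_order)
    return (r.rule_id, r.action) if r else None


if __name__ == "__main__":
    print(decision("129.102.1.1", "config"))   # (5, 'deny'): rule 5 was configured first
    print(decision("129.102.1.1", "auto"))     # (10, 'permit'): the host rule is stricter
    print(decision("129.102.1.77", "auto"))    # (5, 'deny'): only the /24 rule matches
```

The point for an operator is that the same two rules give opposite answers for the host 129.102.1.1 depending on the matching order, so a permit intended for one host can be shadowed by an earlier broad deny in config order.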
For example, 129.102.1.1 0.0.0.0 specifies a host with the IP address 129.102.1.1, and
129.102.1.1 0.0.0.255 specifies a network segment with addresses ranging from 129.102.1.1
to 129.102.1.255. The location defined by 129.102.1.1 0.0.0.0 is more specific than the
location specified by 129.102.1.1 0.0.0.255; therefore, the rule that contains 129.102.1.1
0.0.0.0 is matched first. The detailed standards are as follows:
IP precedence in IP packets
Outbound interface
Inbound interface
Layer 3 information:
IP precedence in IP packets
In addition to matching Layer 2 and Layer 3 information, a switch can also perform complex
traffic classification by matching the following information in ACLs:
Fragment flag
AND:
OR: A packet matches a traffic classifier as long as it matches one rule in the traffic classifier.
For example, if a traffic classifier specifies the relationship among the following rules as
OR:
if-match dmac 0-0-3
if-match smac 0-0-2
if-match acl 3000 (acl 3000 contains two rules: rule 5 permit ip source 1.1.1.1 0 and rule
10 permit ip source 2.2.2.2 0)
Packets match the traffic classifier as long as they match any one of the preceding if-match
clauses.
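The following Python model is an added example, not code from the Huawei document, and evaluates the three if-match clauses listed above under both operators. It assumes that an "if-match acl" clause is satisfied when the packet hits a permit rule of the ACL (rules checked in configuration order) and is not satisfied on a deny rule or when no rule matches; the packet field layout, the MAC parsing helper and all function names are constructed for the illustration.

```python
# Added example (not from the Huawei document): evaluates a traffic classifier whose
# if-match clauses are combined with operator OR or AND, using the clauses from the
# text: if-match dmac 0-0-3, if-match smac 0-0-2, if-match acl 3000 (two permit rules).
# Packet fields and the ACL representation are constructed for the illustration.
import ipaddress


def mac_to_int(mac: str) -> int:
    # Huawei-style MAC "0-0-3" is three 16-bit groups (H-H-H); accept 1 to 4 hex digits each.
    groups = mac.split("-")
    if len(groups) != 3:
        raise ValueError("expected H-H-H format, got %r" % mac)
    return int("".join(g.zfill(4) for g in groups), 16)


def acl_permits(acl_rules, packet) -> bool:
    # Assumption: an "if-match acl" clause is satisfied when the packet hits a permit rule.
    # Rules are checked in configuration order; the first hit decides.
    src = int(ipaddress.IPv4Address(packet["src_ip"]))
    for action, addr, wildcard in acl_rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (int(ipaddress.IPv4Address(addr)) ^ src) & care == 0:
            return action == "permit"
    return False


def clause_hits(clause, packet, acls) -> bool:
    kind, value = clause
    if kind == "dmac":
        return packet["dmac"] == mac_to_int(value)
    if kind == "smac":
        return packet["smac"] == mac_to_int(value)
    if kind == "acl":
        return acl_permits(acls[value], packet)
    raise ValueError("unknown if-match clause %r" % kind)


def classifier_matches(operator, clauses, packet, acls) -> bool:
    results = [clause_hits(c, packet, acls) for c in clauses]
    if operator == "or":
        return any(results)    # one satisfied clause is enough
    if operator == "and":
        return all(results)    # every clause must be satisfied
    raise ValueError(operator)


# acl 3000 as described: rule 5 permit ip source 1.1.1.1 0, rule 10 permit ip source 2.2.2.2 0
ACLS = {3000: [("permit", "1.1.1.1", "0.0.0.0"), ("permit", "2.2.2.2", "0.0.0.0")]}
CLAUSES = [("dmac", "0-0-3"), ("smac", "0-0-2"), ("acl", 3000)]


def classify(packet, operator="or"):
    return classifier_matches(operator, CLAUSES, packet, ACLS)


# Constructed packets (MAC addresses held as integers: 0-0-2 == 2, 0-0-3 == 3).
PKT_ONLY_ACL = {"dmac": 0x9, "smac": 0x8, "src_ip": "2.2.2.2"}   # satisfies only the ACL clause
PKT_ALL = {"dmac": 0x3, "smac": 0x2, "src_ip": "1.1.1.1"}        # satisfies all three clauses
PKT_NONE = {"dmac": 0x9, "smac": 0x8, "src_ip": "3.3.3.3"}       # satisfies none

if __name__ == "__main__":
    print(classify(PKT_ONLY_ACL, "or"))    # True: one clause is enough with OR
    print(classify(PKT_ONLY_ACL, "and"))   # False: AND needs all three
    print(classify(PKT_ALL, "and"))        # True
    print(classify(PKT_NONE, "or"))        # False
```

When reviewing a classifier, the operator is the first thing to check: an OR classifier with a broad MAC clause next to a tight ACL clause matches far more traffic than the ACL alone suggests.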
Permit/Deny
Re-marking
Redirection
Traffic policing
Flow mirroring
Permit/Deny
The permit/deny action is the simplest traffic control action, which allows the switch to
control network traffic by forwarding or discarding packets.
Re-marking
This action sets the precedence field in a packet. Packets carry different priority fields on
various networks. For example, packets carry the 802.1p field in a VLAN, the ToS field
on an IP network, and the EXP field on an MPLS network. Therefore, a switch is
required to mark priority fields of packets based on the network type. Generally, a switch
at the network border re-marks priority fields of incoming packets. Switches within the
network provide QoS services based on the re-marked priority fields, or re-mark the
priority fields based on their own configurations.
Redirection
This action redirects packets to the CPU of a specified interface card, specified interface,
next hop address, or Label Switched Path (LSP) but does not forward packets based on
the original destination IP address. A switch supports multiple next hops. Policy-based
routing (PBR) is implemented based on redirection. A PBR route is a static route. When
the redirect-to next hop is unavailable, the switch forwards packets based on the original
forwarding path.
Traffic policing
This traffic control action limits the traffic rate and the resources used by traffic. By
using traffic policing, the switch can discard excess packets, re-mark the color or
precedence, or take other QoS measures to control the traffic rate.
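To make the policing parameters that appear later in this document (CIR, PIR, CBS, PBS, color-blind mode, conform/yellow/exceed actions) concrete, the following Python model is added here; it is not code from the Huawei document. It implements a two-rate, two-bucket token-bucket marker in the style of RFC 2698 (trTCM) and uses it as a stand-in for the switch's CAR, whose exact algorithm the document does not describe, so the packet-level results are the model's, not the product's. The traffic streams and the class and function names are constructed.

```python
# Added example (not from the Huawei document): a two-rate token-bucket policer
# (RFC 2698 trTCM style) as a stand-in for CAR. Parameters follow the scenario 3
# display output: CIR 2000 kbps, PIR 10000 kbps, CBS 250000 bytes, PBS 1250000 bytes,
# colour-blind, conform pass, yellow pass, exceed discard. Traffic is constructed.


class TwoRatePolicer:
    def __init__(self, cir_kbps, pir_kbps, cbs_bytes, pbs_bytes):
        # Rates are converted from kbit/s to bytes per second for bucket refills.
        self.cir = cir_kbps * 1000 / 8
        self.pir = pir_kbps * 1000 / 8
        self.cbs = cbs_bytes
        self.pbs = pbs_bytes
        self.tc = float(cbs_bytes)    # committed bucket starts full
        self.tp = float(pbs_bytes)    # peak bucket starts full
        self.last = 0.0

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)

    def colour(self, now, size):
        """Colour-blind marking: red above PIR, yellow above CIR but within PIR, else green."""
        self._refill(now)
        if self.tp < size:
            return "red"          # exceed: the peak bucket cannot cover the packet
        if self.tc < size:
            self.tp -= size
            return "yellow"       # between CIR and PIR
        self.tp -= size
        self.tc -= size
        return "green"            # conform: within CIR


# Actions from the scenario 3 behaviour: conform pass, yellow pass, exceed discard.
ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def police(policer, packets):
    """packets: iterable of (arrival_time_s, size_bytes). Returns counts per action."""
    counts = {"pass": 0, "discard": 0}
    for t, size in packets:
        counts[ACTIONS[policer.colour(t, size)]] += 1
    return counts


def burst_at_time_zero(n, size=1500):
    # Constructed traffic: n packets arriving in the same instant.
    return [(0.0, size)] * n


def steady_stream(pps, seconds, size=1500):
    # Constructed traffic: evenly spaced packets at pps packets/s.
    return [(i / pps, size) for i in range(int(pps * seconds))]


if __name__ == "__main__":
    p = TwoRatePolicer(2000, 10000, 250000, 1250000)
    # 1000 x 1500 B = 1.5 MB burst: 833 packets fit into PBS (1250000 B), the rest are discarded.
    print(police(p, burst_at_time_zero(1000)))     # {'pass': 833, 'discard': 167}
    p = TwoRatePolicer(2000, 10000, 250000, 1250000)
    # 1000 pps x 1500 B = 12 Mbit/s, above PIR 10 Mbit/s: once the buckets drain, about 1 in 6 is discarded.
    print(police(p, steady_stream(1000, 10)))
    p = TwoRatePolicer(2000, 10000, 250000, 1250000)
    # 100 pps x 1500 B = 1.2 Mbit/s, below CIR: nothing is discarded.
    print(police(p, steady_stream(100, 10)))
```

The burst case shows why PBS matters as much as PIR: a policer admits a whole burst up to the bucket size before the rate limit bites, which is the kind of behaviour the later FAQ on CAR accuracy is about.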
Traffic mirroring
This action copies the specified data packets to a specified destination to detect and
troubleshoot faults on a network.
Traffic statistics
This action collects statistics on data packets of specified service flows, including the
number of forwarded and discarded packets and bytes that match specified traffic
classification rules. The traffic statistics action is not a QoS control measure but can be
used with other actions to improve security of networks and packets.
Simplified ACL command support on the 2700-EI, 2752-EI, 3700-SI, 3700-EI, 3700-HI, and 5700-SI:
traffic-filter: Supported on all six models.
traffic-limit: Supported on all six models.
traffic-mirror: Supported on all six models.
traffic-redirect: 2700-EI: Not supported. 2752-EI, 3700-SI, 3700-EI, 3700-HI: Supported. 5700-SI:
Does not support redirection to the next hop.
traffic-remark: the source table gives five cells for these six models, in this order: Does not
support re-marking of CVLAN; Does not support re-marking of CVLAN; Does not support re-marking of
CVLAN; Supported; Does not support re-marking of DMAC/CVLAN.
traffic-statistics: Supported on all six models.

Simplified ACL command support on the 5700S-LI, 5700-LI, 5710-EI, 5710-HI, 6700-EI, 5700-HI, and
5700-EI:
traffic-filter: Supported on all seven models.
traffic-limit: Supported on all seven models.
traffic-mirror: Supported on all seven models.
traffic-redirect: 5700S-LI and 5700-LI: Do not support redirection to the next hop. 5710-EI, 5710-HI,
6700-EI, 5700-HI, 5700-EI: Supported.
traffic-remark: 5700S-LI and 5700-LI: Do not support re-marking of DMAC/CVLAN. 5710-EI, 5710-HI,
6700-EI, 5700-HI, 5700-EI: Supported.
traffic-statistics: Supported on all seven models.
Configuration Guide
1. Create VLANs and configure interfaces so that enterprise branches 1 and 2 can connect to the network
through the switch.
2. Create traffic classifiers to classify service flows from different VLANs and configure priority
mapping as the traffic behavior.
3.
# Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, add GE1/0/1 and GE1/0/2 to
VLAN 100 and VLAN 200, and add GE2/0/1 to VLAN 100, VLAN 200, and VLAN 300.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet2/0/1] quit
Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match vlan-id 100
[Switch]display traffic behavior user-defined b1
User Defined Behavior Information:
Behavior: b1
Remark:
Remark 8021p 4
[Switch]display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: OR
Behavior: b1
Remark:
Remark 8021p 4
[Switch]display traffic-policy applied-record p1
------------------------------------------------
Policy Name: p1
Policy Index:
Classifier:c1
Behavior:b1
------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy p1 inbound
slot 1
success
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100 200 300
#
traffic classifier c1 operator or precedence 10
if-match vlan-id 100
traffic classifier c2 operator or precedence 15
if-match vlan-id 200
#
traffic behavior b1
remark 8021p 4
traffic behavior b2
remark 8021p 2
traffic behavior test
#
traffic policy p1
classifier c1 behavior b1
traffic policy p2
classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
1. Configure an ACL rule to match packets with the source IP address 192.168.0.1/24 and
destination IP address 192.168.2.100.
2.
3. Configure a traffic policy, bind the traffic classifier and traffic behavior to the traffic
policy, and apply the traffic policy to the inbound direction of GE1/0/1.
Step 4 Configure a traffic policy and apply the traffic policy to the interface.
# Create a traffic policy p1 on the switch and bind the traffic classifier and traffic behavior to
the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
Acl's step is 5
rule 1 permit ip source 19.168.1.0 0.0.0.255 destination 192.168.2.100 0
rule 2 deny ip
<Switch> display traffic classifier user-defined
Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3000
Total classifier number is 1
<Switch> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: OR
Behavior: b1
-None
<Switch>display traffic-policy applied-record
#
------------------------------------------------
Policy Name: p1
Policy Index:
Classifier:c1
Behavior:b1
------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy p1 inbound
slot 1
success
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 20
#
acl number 3000
rule 1 permit ip source 19.168.1.0 0.0.0.255 destination 192.168.2.100 0
rule 2 deny ip
#
traffic classifier c1 operator or precedence 5
if-match acl 3000
#
traffic behavior b1
#
traffic policy p1
classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
traffic-policy p1 inbound
#
return
1. Create VLANs and configure interfaces on the switch so that enterprise users can access
the network.
2. Configure traffic classifiers on the switch to classify packets based on their VLAN IDs.
3. Create a traffic policy on the switch, bind traffic behaviors and traffic classifiers to the
traffic policy, and apply the traffic policy to the interface connecting enterprise users to
the switch.
# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100, VLAN
110, and VLAN 120.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the switch, bind the traffic behaviors and traffic classifiers to
the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 to perform
traffic policing and re-mark priorities on packets from the enterprise.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
Classifier: c3
Precedence: 20
Operator: OR
Rule(s) : if-match vlan-id 100
Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match vlan-id 120
Total classifier number is 3
[Switch] display
Action: pass
Exceed
Action: discard
Behavior: b3
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow
Action: pass
Exceed
Action: discard
Behavior: b1
Committed Access Rate:
CIR 2000 (Kbps), PIR 10000 (Kbps), CBS 250000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow
Action: pass
Exceed
Action: discard
Yellow
Action: pass
Exceed
Action: discard
Classifier: c2
Operator: OR
Behavior: b2
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow
Action: pass
Exceed
Action: discard
Classifier: c3
Operator: OR
Behavior: b3
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow
Action: pass
Exceed
Action: discard
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator or precedence 10
return
1. Create VLANs and configure interfaces so that enterprise users can access the network
through the switch.
2. Configure a traffic classifier on the switch to classify packets based on their IP addresses
and configure a traffic behavior to add a VLAN tag.
3. Bind the traffic behavior and traffic classifier to a traffic policy and apply the traffic
policy to the inbound direction of interfaces.
# Configure GE1/0/1 and GE1/0/2 as hybrid interfaces, add GE1/0/1 to VLAN 10 and VLAN 20, and
add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] display
p1
Policy Index:
Classifier:c1
Behavior:b1
------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy p1 inbound
slot 1
success
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 3000
rule 1 permit ip source 10.10.10.0 0.0.0.255
#
traffic classifier c1 operator or precedence 60
if-match acl 3000
#
traffic behavior b1
nest top-most vlan-id 20
#
traffic policy p1
classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
port hybrid tagged vlan 10
port hybrid untagged vlan 20
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port hybrid tagged vlan 20
#
return
Troubleshooting
The traffic policy that is configured to redirect traffic to the next hop does not take effect.
1. Check whether traffic filtering configurations such as the subnet mask are correct on the
interface and whether traffic policies are successfully applied.
2.
3. Configure the traffic statistics function and traffic classifiers to check whether packets
are received on the inbound interface.
4. Configure the traffic statistics function and traffic classifiers to check whether packets
are received on the outbound interface.
Step 2 Configure the traffic statistics function to check whether the switch receives packets.
Configure a traffic classifier to match corresponding packets and configure a traffic behavior
to collect traffic statistics. The following example collects traffic statistics on packets with the
source IP address 192.168.0.1.
#
acl number 3000
rule 1 permit ip source 192.168.0.1 0
#
traffic classifier test operator and
if-match acl 3000
#
traffic behavior test
statistic enable
#
traffic policy test
classifier test behavior test
#
interface GigabitEthernet0/0/1
traffic-policy test inbound
#
Check whether statistics on corresponding packets can be collected. If so, packets with the
source IP address 192.168.0.1 are received by the local device. If not, the packets do not reach
the local device.
display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: test
Rule number: 1
Current status: OK!
Board : 0
Item
Packets
Bytes
--------------------------------------------------------------------
Matched
+--Passed
+--Dropped
+--Filter
+--URPF
+--CAR
Step 3 Configure the traffic statistics function to check whether packets are received by the outbound
interface.
The method to configure the traffic statistics function is the same as that in step 2. After the
traffic policy is configured, apply it to the outbound direction of the outbound interface.
#
acl number 3000
rule 1 permit ip source 192.168.0.1 0
#
traffic classifier test operator and
if-match acl 3000
#
#
traffic classifier test operator and
if-match 8021p 3
#
traffic behavior test
statistic enable
#
traffic policy test
Check whether statistics on corresponding packets are collected. If so, packets have been sent
from the outbound interface. If not, packets are discarded by the device.
display traffic policy statistics interface GigabitEthernet 0/0/2 outbound
Interface: GigabitEthernet0/0/2
Traffic policy outbound: test
Rule number: 1
Current status: OK!
Board : 0
Item
Packets
Bytes
--------------------------------------------------------------------
Matched
+--Passed
+--Dropped
+--Filter
+--URPF
+--CAR
2.
3. Configure the traffic statistics function to check that packets are sent to the next hop.
test
Policy Index:
Classifier:test
Behavior:test
------------------------------------------------
*interface GigabitEthernet0/0/1
traffic-policy test inbound
slot 0
success
MAC ADDRESS      VPN-INSTANCE      VLAN
------------------------------------------------------------------------------
Total:0  Dynamic:0  Static:0  Interface:0
Step 3 Configure the traffic statistics function to check whether packets are received by the next hop
device.
Configure a traffic behavior to collect traffic statistics in the traffic policy and check whether
packet statistics can be collected. If so, packets are received by the next hop device. If not, the
next hop device does not receive any packet.
----End
Description
display version
display device
display patch-information
display current-configuration
display interface
Chassis switches
Log files of the active MPUs on an S9700 or S7700 series are stored in Cfcard:/logfile, and those of
the standby MPUs are stored in slave#cfcard:/logfile.
Log file and diagnosis log file names by version:
V100R002: log.txt, diag.txt
V100R003: log.log, log.dblg
V100R006: log.log, log.dblg
V200R001: log.log, log.dblg
Log files and diagnosis log files of the active MPUs are mandatory. If a fault triggers a switchover or
the standby MPUs fail, you must collect log files and diagnosis log files of the standby MPUs. If a
CSS is torn down, collect log files and diagnosis log files on the four MPUs.
When the size of a log file exceeds the threshold, the switch automatically archives the log file and
saves it as a .zip file. For example, 2012-11-27.05-00-25.log.zip and 2012-11-15.05-22-32.diag.zip
are respectively an archived log file and a diagnosis log file. The file name indicates the archiving
time. Therefore, collect the log file and diagnosis log file generated when the fault occurs.
If the FTP server is unavailable, run the more command, such as more log.log. To collect diagnosis
log files of V100R003 or later, run the display diag-logfile command in the hidden view
(V100R003/V100R006) or diagnosis view (V200R001 or later), for example, display diag-logfile
cfcard:/logfile/log.dblg. It takes a long time to collect a large log file. FTP is recommended for
downloading log files.
Box switches
Logs
In V100R003 and V100R005:
Step 1: Run the display logbuffer command to collect information in the log buffer.
Step 2: Run the display trapbuffer command to collect information in the trap
buffer.
Box switches support log file recording from V100R006; therefore, perform the
following operations to collect log files:
Step 1: Run the save logfile command in the common view to save the configuration
file.
Step 2: Start the FTP server on the PC and download the primary log files and
diagnosis log files to the PC.
If a CSS is torn down or fails to be reset, collect log files of all devices in the CSS.
Box switches have only a small number of log files. Send all files in directories syslogfile and
resetinfo to R&D for analysis.
Directories syslogfile or resetinfo may not exist on some models due to hardware restrictions, so
you do not need to collect log files.
Troubleshooting Cases
Related configurations:
acl number 3999
rule 0 permit ip destination 192.167.0.0 0.0.255.255
#
traffic classifier denyacl operator or precedence 65535
interface GigabitEthernet1/0/0
description connect N001
port link-type access
port default vlan 1150
traffic-policy miwangacl inbound
port-mirroring to observe-port 1 inbound
port-mirroring to observe-port 1 outbound
#
interface GigabitEthernet1/0/1
description connect N002
port link-type access
port default vlan 1160
traffic-policy miwangacl inbound
port-mirroring to observe-port 1 inbound
port-mirroring to observe-port 1 outbound
ip source check user-bind enable
#
interface GigabitEthernet1/0/2
description connect N003
port link-type access
2.
4.1.4 Solution
Upgrade the device to V2R1 or a later version. If the traffic behavior is set to deny, the
system performs the action drop for the traffic matching the user-defined ACL. In a version
earlier than V2R1, the system performs the dropcancel action for the traffic that matches a
static binding entry. The two actions conflict with each other. On the S7700, the ACL rules of
service features take precedence over the user-defined ACL rules. Therefore, the action
specified by the static binding entry takes effect and traffic is still forwarded. In V2R1 and a
later version, the S7700 delivers ACL rules of static binding entries only to match
IP/VLAN/MAC information but no longer to deliver actions, which prevents action conflict
between the user-defined ACLs and binding entries. Actions configured in user-defined ACLs
are then executed and traffic is discarded.
4.1.5 Summary
If traffic filtering does not take effect, check whether configurations of other features affect
traffic forwarding.
Related configurations:
acl number 3100
rule 1 permit ip source 100.25.8.10 0
vlan 1101
tpCorpApn1101
Policy Index:
10
Classifier:tcCorpApnRadiusUp
Classifier:tcCorpApnSvr1101
Behavior:bCorpApnRadius1101
Behavior:bCorpApnSvr1101
------------------------------------------------
*vlan 1101
traffic-policy tpCorpApn1101 inbound
slot 1
success
slot 3
success
slot 4
success
Step 2 Check whether the redirect-to-next hop exists. If the following information is displayed, the
next hop does not exist.
display arp interface Vlanif 1501
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE    VPN-INSTANCE  VLAN/CEVLAN
------------------------------------------------------------------------------
192.168.15.1    101b-5498-000f            I -   Vlanif1501
------------------------------------------------------------------------------
Total:1  Dynamic:0  Static:0  Interface:1
Step 3 Check whether the downstream device correctly sends the ARP packet that carries the
next-hop address. If not, the local device cannot learn the ARP entry. In this case, modify
configurations on the downstream device. If the local device learns the next-hop address in
the ARP entry but packets are forwarded to the interface 192.168.15.10 rather than the
interface 192.168.15.20, the packets incorrectly match classifier tcCorpApnRadiusUp
behavior bCorpApnRadius1101. This is because packets carry VLAN 1101 and the
matching order of traffic policy rules is auto by default. In auto mode, a Layer 2 ACL has a
higher priority than a Layer 3 ACL on chassis devices; therefore, the packets preferentially
match a Layer 2 ACL.
----End
4.2.4 Solution
Modify configurations on the downstream device so that the downstream device can
correctly send ARP packets.
4.2.5 Summary
Note that priorities of traffic classifiers are not the order in which packets were matched.
If traffic is not received on the redirect-to-next-hop device, check whether the device
learns the ARP entry of the next-hop address.
Set the matching order of traffic policy rules to config so that rules are matched in the
order in which they were configured.
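The following Python model is added here to show the mechanism behind case 4.2; it is not code from the Huawei document or the customer's configuration. It follows the rule stated above for chassis switches (in auto matching order a Layer 2 classifier is evaluated before a Layer 3 one, regardless of the order in which classifiers were bound to the policy; in config order the bound order is honoured). The contents of the two classifiers, their redirect next hops and the order in which they were bound are assumptions built from the case description (acl 3100 permits source 100.25.8.10; the VLAN classifier is assumed to match VLAN 1101; RadiusUp is assumed to redirect to 192.168.15.10 and Svr1101 to 192.168.15.20), and the packet is constructed.

```python
# Added example (not from the Huawei document): why a traffic policy with a Layer 2
# classifier and a Layer 3 classifier can send traffic to the wrong next hop under the
# default "auto" matching order, and what "config" order changes. Classifier contents,
# next hops and binding order are assumptions built from case 4.2, not real configuration.

# acl 3100: rule 1 permit ip source 100.25.8.10 0 (single-host rule, kept as a set of hosts)
ACL_PERMITTED_HOSTS = {3100: {"100.25.8.10"}}


def clause_layer(clause):
    # VLAN and MAC clauses look at the frame header (Layer 2); an advanced ACL is Layer 3.
    return 2 if clause[0] in ("vlan-id", "smac", "dmac") else 3


def clause_hits(clause, packet):
    kind, value = clause
    if kind == "vlan-id":
        return packet["vlan"] == value
    if kind == "acl":
        return packet["src_ip"] in ACL_PERMITTED_HOSTS[value]
    raise ValueError(kind)


# (classifier name, if-match clauses, behaviour) - assumed contents, see lead-in.
RADIUS_UP = ("tcCorpApnRadiusUp", [("vlan-id", 1101)], {"redirect": "192.168.15.10"})
SVR_1101 = ("tcCorpApnSvr1101", [("acl", 3100)], {"redirect": "192.168.15.20"})


def evaluation_order(policy, match_order):
    if match_order == "config":
        return list(policy)   # the order in which the classifiers were bound
    if match_order == "auto":
        # Page's rule for chassis switches: Layer 2 before Layer 3; stable among equals.
        return sorted(policy, key=lambda c: min(clause_layer(cl) for cl in c[1]))
    raise ValueError(match_order)


def apply_policy(packet, policy, match_order="auto"):
    """Return (classifier name, redirect next hop) of the first matching classifier (operator OR)."""
    for name, clauses, behavior in evaluation_order(policy, match_order):
        if any(clause_hits(c, packet) for c in clauses):
            return name, behavior["redirect"]
    return None


# Constructed packet: server traffic from 100.25.8.10, tagged with VLAN 1101.
PKT = {"vlan": 1101, "src_ip": "100.25.8.10"}

if __name__ == "__main__":
    print(apply_policy(PKT, [RADIUS_UP, SVR_1101], "auto"))     # RadiusUp -> 192.168.15.10
    print(apply_policy(PKT, [SVR_1101, RADIUS_UP], "auto"))     # still RadiusUp: binding order is ignored
    print(apply_policy(PKT, [SVR_1101, RADIUS_UP], "config"))   # Svr1101 -> 192.168.15.20
```

The second call is the lesson of the summary above: binding the ACL classifier first does nothing while the policy stays in auto order, because the VLAN classifier is evaluated first anyway; only config order makes the bound order the match order.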
FAQ
l2-head
l4-head
A user-defined ACL matches the four-byte character string after a specified offset in any of
the preceding fields. The matched character string must be four bytes and the offset bytes are
set through a command.
For example, to match packets with the IPv4 TTL of 1, run the following commands:
[Quidway] acl 5000
[Quidway-acl-user-5000] rule permit ipv4-head 0x01000000 0xff000000 8
The value 8 is the number of offset bytes before the TTL field in the IPv4 packet header. The
TTL field occupies one byte and the value 0x01000000 corresponds to TTL value 1 after the
offset from the IPv4 packet header.
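The following Python model is an added example and is not code from the Huawei document. It reproduces what the rule above checks: read the four bytes at the given offset from the start of the named header, AND them with the mask, and compare with the value, so that 0x01000000 with mask 0xff000000 at offset 8 selects exactly the TTL byte of an IPv4 header. The same check applies to l2-head and l4-head rules with offsets counted from the start of the Ethernet and Layer 4 headers respectively. The IPv4 headers and the function names are constructed for the illustration.

```python
# Added example (not from the Huawei document): what a user-defined ACL rule such as
# "rule permit ipv4-head 0x01000000 0xff000000 8" checks. Headers are constructed.
import struct


def match_at_offset(header: bytes, value: int, mask: int, offset: int) -> bool:
    """Compare the 4 bytes at `offset` with `value`, considering only the bits set in `mask`."""
    # The rule compares exactly four bytes; a header too short to supply them cannot match.
    if offset < 0 or offset + 4 > len(header):
        return False
    word = struct.unpack_from("!I", header, offset)[0]    # big-endian 32-bit word
    return (word & mask) == (value & mask)


def ipv4_header(ttl: int, proto: int = 6, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Minimal 20-byte IPv4 header without options; the TTL byte sits at offset 8."""
    ver_ihl, tos, total_len, ident, flags_frag = 0x45, 0, 40, 0x1234, 0
    checksum = 0   # irrelevant to the field match, left zero in this constructed header
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, flags_frag,
                       ttl, proto, checksum, s, d)


# The rule from the FAQ: value 0x01000000, mask 0xff000000, offset 8 into the IPv4 header.
TTL1_RULE = (0x01000000, 0xFF000000, 8)


def rule_hits(header: bytes, rule=TTL1_RULE) -> bool:
    value, mask, offset = rule
    return match_at_offset(header, value, mask, offset)


if __name__ == "__main__":
    print(rule_hits(ipv4_header(ttl=1)))     # True: TTL byte is 0x01
    print(rule_hits(ipv4_header(ttl=64)))    # False: TTL byte is 0x40
    # Why the mask matters: with mask 0xffffffff the protocol and checksum bytes would also
    # have to equal zero, so the same TTL-1 packet would no longer match.
    print(match_at_offset(ipv4_header(ttl=1, proto=17), 0x01000000, 0xFFFFFFFF, 8))   # False
```

The mask is the part most often got wrong: the word at offset 8 also contains the protocol and checksum bytes, so anything other than 0xff000000 ties the match to fields the rule was never meant to look at.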
Slot: 3
Item            Vlan-ACL    Inbound-ACL    Outbound-ACL
----------------------------------------------------------------------------
Rule Used       10          329
Rule Free       2038        7863           1021
Rule Total      2048        8192           1024
Meter Used                  58
Meter Free                  8134           1024
Meter Total                 8192           1024
Counter Used                59
Counter Free                8133           1023
Counter Total               8192           1024
----------------------------------------------------------------------------
Description
Slot: Slot ID.
Vlan-ACL
Inbound-ACL
Outbound-ACL
Rule Used
Rule Free
Rule Total
Meter Used
Meter Free
Meter Total
Counter Used
Counter Free
Counter Total
ACL
CAR