ACL in traffic policy on Huawei device

We have to remember that traffic policy has 3 parts:

Classifier
Behavior
Traffic-policy

In brief, to configure a traffic policy:

define traffic class

define action to be applied to the traffic class
associate traffic classifiers and behaviors
apply the traffic policy to an interface.

Lets start from ACL.

We have possibility to configure many rules in an ACL. If the ACL is specified in if-match
clause, then a packet is matched against multiple rules. If the packet matches a rule in the
ACL, then it stops checking against the next rules.

In a case of DENY action in the ACL, the matched packet is denied, regardless of
what traffic behavior defines.
When PERMIT action is defined in the ACL, then traffic behavior is applied to the
matched packet.

Lets focus on if-match clauses now and matching order between them.

We have 2 possibilities to configure a traffic classifier:

With logic OR relationship between multiple matching rules

With logic AND relationship between multiple matching rules.
In the flowchart you can see traffic policy implementation with logic OR:

START

Check first
classifier

NO Is there If-
match?

YES

Check first If-

match

Match If- YES Applied with YES Rule permit or DENY

match? ACL? deny?

NO NO PERMIT

YES
Is there
Check next If-
another If-
match
match?
NO

Is there
Check next YES
another
classifier
classifier?
NO

Forward Execute behavior Discard

END

Notice that traffic behavior is applied for the packets that match any one of the if-match
clauses. In this situation, packet is matched against If-match clauses, in the order of the If-
match clauses configuration. This kind of traffic classifier is commonly used.

In logic AND implementation, the device combines all if-match clauses and then processes
the combination of if-match clauses according to the procedure of logic OR. If one of the if-
match clauses is applied with ACL, each rule of the ACL is combined with all of the other if-
match clauses. In this situation, the order of if-match clauses does not impact on the final
matching result.

As you know, one or more classifiers and behaviors can be configured in a traffic policy. A
packet is matched against traffic classifiers in the order, in which those classifiers have been
configured. If the packet matches a traffic classifier, no further match operation is performed.
If not, the packet is matched against the following traffic classifiers one by one. If the packet
does not match traffic classifiers at all, the packet is forwarded with no traffic policy executed.

Anyway, the order of traffic classifier can be changed by the following command:

classifier classifier-name behavior behavior-name precedence precedence

Lets try to configure a traffic policy as follows:

packets coming from source IP address 10.1.1.0/24, with DSCP 18, are then
remarked as AF31
packets coming from source IP address 172.16.1.0/24, with DSCP 18, are discarded
other packets are forwarded directly.

#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 dscp af21
rule 10 deny ip source 172.16.1.0 0.0.0.255 dscp af21
#
traffic classifier labnario operator or
if-match acl 3000
#
traffic behavior labnario
remark dscp af31
#
traffic policy labnario
classifier labnario behavior labnario
#
interface GigabitEthernet0/0/0
traffic-policy labnario inbound

I have a home task for you. Try to configure the same policy but using logic AND. Your traffic
policy must do the same like the one configured.

Unfortunately, awards are not provided ;)

I will publish the solution soon on Facebook.

All comments (solutions) are welcome.