Quidway S8500 Series Core Switch VLAN-ACL Configuration Guide V1.00

For Internal Use Only

Huawei-3Com Technologies Co., Ltd. All rights reserved

2005-12-6

Huawei-3Com confidential. No dispersion without permission.


Statement
Copyright 2005 by Huawei-3Com Co., Ltd.
All product photography in this literature is intended for reference only. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei-3com Co., Ltd. All other company and product names may be trademarks of their respective companies. While every effort is made to ensure the information given is accurate, Huawei-3Com Co., Ltd. does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.


1 Overview
S8500 series core switches support two ACL configuration modes: port-based ACL configuration and VLAN-based ACL configuration. The first is configured in port view, and the ACL rules apply to that port only; the second is configured in VLAN view, and the ACL rules apply to all the ports in the VLAN. This document describes only the configuration requirements, procedures and limitations of VLAN-ACL configuration.
Note: With VLAN-ACL you configure the ACL once, in VLAN view, and the corresponding ACL rules are synchronized to all the ports in the VLAN. It is unnecessary to configure the ACL on each member port.

2 Configuration Requirements
For VLAN-ACL configuration, the VLAN shall satisfy the following requirements:
1) The VLAN contains member ports.
2) Ports in the VLAN cannot be WAN interfaces such as POS, ATM, RPR, CPOS, and CE1/CT1.
3) The VLAN does not contain VPN intermixing ports.
4) Ports in the VLAN adopt the default flow template.

3 Configuration Procedures
VLAN-ACL configuration (configuration procedure, command, description):

1. Enter the system view
   Command: system-view
   Mandatory.

2. Enter the ACL view
   Command: acl { number acl-number | name acl-name [ advanced | basic ] } [ match-order { config | auto } ]
   Mandatory. VLAN-ACL can only adopt basic or advanced ACLs and their sub-rules.

3. Define a sub-rule
   Command: rule
   Mandatory.

4. Exit the ACL view
   Command: quit
   Mandatory.

5. Enter the VLAN view
   Command: vlan vlan-id
   Mandatory. VLAN-ACL distribution is not allowed in a VLAN that has POS ports or intermixing ports.

6. Configure packet filtering (activate the ACL)
   Command: packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]
   Optional.

7. Perform traffic policing
   Command: traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]
   Optional. The version released in November 2005 supports this operation, but not across chips.

8. Flag the packet priority
   Command: traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
   Optional.

9. Configure packet redirection
   Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] }
   Optional. In VLAN view, the traffic-redirect command only supports redirection to the next hop and to the CPU; it does not support redirection to the VPLS and NAT boards, nor nested-vlan and modified-vlan.

10. Configure traffic mirroring
    Command: mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu
    Optional.

11. Configure traffic statistics
    Command: traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]
    Optional.

12. Exit the VLAN view
    Command: quit

13. Enter the Ethernet port view
    Command: interface interface-type interface-num
    Optional. The port type can only be Ethernet port.

14. Manually synchronize the VLAN-QACL configuration to the specified port
    Command: port can-access vlan-acl vlan vlanid
    Optional.

15. View the ports in the VLAN that have synchronized the VLAN-ACL configuration
    Command: display vlan-acl-member-ports vlan vlanid
    This operation can be performed in any view.
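The procedure above run end to end, as an added example that is not taken from the original guide: an advanced ACL that drops Telnet from one subnet to a management host is applied once in VLAN view, the member ports are verified, and a port that failed to receive the rules is synchronized by hand. The ACL number (3000, in the advanced range), the addresses, the exact rule syntax and the ACL-view prompt [Quidway-acl-adv-3000] are assumptions for illustration; only the commands listed in the table above are relied on.

```text
# Define an advanced ACL (assumed: 3000 is in the advanced-ACL number range;
# rule syntax shown is the usual Comware form and is an assumption here).
<Quidway> system-view
[Quidway] acl number 3000 match-order config
[Quidway-acl-adv-3000] rule 0 deny tcp source 10.1.1.0 0.0.0.255 destination 10.2.2.2 0 destination-port eq 23
[Quidway-acl-adv-3000] quit

# Activate the ACL once, in VLAN view. The rules are distributed to every
# member port of VLAN 5; no per-port packet-filter is needed.
[Quidway] vlan 5
[Quidway-vlan5] packet-filter inbound ip-group 3000 rule 0
[Quidway-vlan5] traffic-statistic inbound ip-group 3000 rule 0
[Quidway-vlan5] quit

# Verify which member ports actually received the rules (works in any view).
# A VLAN member that is missing from this list is forwarding traffic without
# the VLAN's ACL, typically because its board ran out of ACL resources or the
# port uses a user-defined flow template.
[Quidway] display vlan-acl-member-ports vlan 5

# Assumed: Ethernet3/1/1 is in VLAN 5 but absent from the list. After freeing
# ACL resources on the board in slot 3, push the VLAN's rules to it by hand
# and check again.
[Quidway] interface Ethernet3/1/1
[Quidway-Ethernet3/1/1] port can-access vlan-acl vlan 5
[Quidway-Ethernet3/1/1] quit
[Quidway] display vlan-acl-member-ports vlan 5
```

The verification step is the one to keep in an operations runbook: because synchronization can fail silently for a single port, a VLAN-level deny is only as good as the member list reported by display vlan-acl-member-ports.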


4 Configuration Limitations
1) The flow template imposes the following limitations:
   - VLAN-ACL can only be distributed to ports that adopt the default flow template, and the distributed ACL rule fields can only be the fields defined by the default flow template.
   - If no ACL has ever been distributed in a VLAN, the system checks all the ports in the VLAN when the first ACL rule is distributed in VLAN view. The distribution is refused if any port adopts a user-defined flow template.
   - If VLAN-ACL has already been distributed to some ports in a VLAN, a port that adopts a user-defined flow template can still be added to the VLAN successfully. When VLAN-ACL is then distributed in VLAN view, distribution succeeds on the old ports but fails on the new port. When that port is changed from the user-defined flow template to the default flow template, the system automatically distributes the VLAN's QACL rules to it.
   - Once a port has received any VLAN-ACL distribution, the system prompts and refuses any change to a user-defined flow template on that port.
2) When both a port and the port's VLAN have QACL rules distributed, only the QACL rule under the port takes effect; the VLAN-ACL is not enforced on that port. The VLAN-ACL takes effect only after the QACL rule under the port is deleted and the port is changed to the default flow template. Suggestion: configure rules on a given port in one mode only, port mode or VLAN mode.
3) It is not allowed to distribute VLAN-ACL (including adding and deleting rules) in a VLAN that contains no member ports.
4) Two ports whose VLAN-ACL synchronization states are not identical cannot form a dynamic link aggregation.
5) VLAN-ACL cannot be distributed in a VLAN to which a WAN interface is bound; that is, VLAN-ACL cannot be distributed to a WAN interface.
6) It is not allowed to distribute VLAN-ACL in a VLAN that contains MPLS VPN intermixing ports. Conversely, a VLAN that has VLAN-ACL distributed can no longer be applied to MPLS VPN intermixing ports.

5 Solution of VLAN-ACL Synchronization Failure


When a port is added to a VLAN, the ACL configuration of the VLAN may fail to synchronize to it, either because ACL resources are insufficient or because the port adopts a user-defined flow template. Until synchronization succeeds, that port forwards traffic without the VLAN's ACL rules, so check the member list whenever ports are added to a VLAN that carries filtering rules. Use the following command to check which ports have received the ACL rules of a specified VLAN:
display vlan-acl-member-ports vlan vlanid

[Example] # Check which ports have received the ACL rules of VLAN 5.

<Quidway>display vlan-acl-member-ports vlan 5
 Vlan-acl member port(s):
 Ethernet2/1/11  Ethernet2/1/20  Ethernet2/1/21
 Ethernet2/1/22  Ethernet2/1/23  Ethernet2/1/24
 Ethernet2/1/25  Ethernet2/1/40

When a port is added to a VLAN, the port automatically synchronizes the QACL configuration of the VLAN. If the board on which the port is located does not have enough ACL resources, however, automatic synchronization of the QACL to the port fails. In this case, delete part of the ACL configuration of other ports on the board and then use the following command, in the port's Ethernet port view, to manually synchronize the ACL rules distributed in the VLAN to the specified port:

port can-access vlan-acl vlan vlanid

[Example] # Port Ethernet3/1/1 has been added to VLAN 5, but it cannot synchronize the ACL configuration of VLAN 5 because the board in slot 3 does not have enough resources. Delete part of the configuration on the board, then manually synchronize the ACL configuration of VLAN 5 to port Ethernet3/1/1.
[Quidway-Ethernet3/1/1]port can-access vlan-acl vlan 5
