Command Line Reference
Forwarding Policy Configuration
The forwarding policy is the most commonly used function in traffic diversion scenarios. Its core function is to forward the specified traffic, after ACL filtering, from the input port or LAG to the output port. Traffic can also be output to a LAG group or copied multiple times for different scenarios, and forwarding can be used in combination with tunnel stripping, timestamping, etc.

Summary of forwarding policy configuration tasks

Configuration order (from top to bottom):

| Configuration content | Configuration |
| --- | --- |
| Creating a LAG (optional) | If the output is to a LAG, you need to create the LAG and add ports first |
| Creating a mirror session (optional) | If the output is to a mirror session, you need to create the mirror session first |
| Creating an ACL rule group | Create an ACL rule group based on the type of filtering to be performed |
| Adding rules | Add a rule to the rule group and specify the egress port or LAG (optionally configure rule-based actions) |
| Binding rule groups to input ports | Attach the rule group to the input port or LAG to complete the configuration |

Creating a LAG

Add multiple ports to a LAG, and traffic will be load balanced when it is output from the LAG.

Table 1: Create LAG

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Create LAG and enter LAG view | interface link aggregation lag id | Create a LAG group |
| Select LAG mode | mode { static\|flex\|weight\|standby } | static: when a LAG member is down, all traffic is reloaded to other up members. flex: when a member of the LAG is down, only the down port is reloaded to other members that are up. weight: the weight ratio of each port can be set on an elastic basis; the sum of the weight ratios of each port is not greater than 64. standby: you can additionally configure the master and standby ports and some LACP functions on top of the weight mode |
| Submit selected mode | commit | Submit after selecting the mode for it to take effect |

Table 2: Add members to a LAG group

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Enter interface view | interface ethernet id | Enter the port that you want to add as a LAG member |
| Add LAG common members | link aggregation group lag id | |
| Add LAG weight member | link aggregation group lag id weight weight | Distribute traffic based on weights. The sum of the weight ratios of each port is not greater than 64 |

Creating a standby LAG (optional)

Table 3: Creating a standby LAG

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Create LAG and enter LAG view | interface link aggregation lag id | Create a LAG group |
| Select LAG mode | mode standby | standby: you can additionally configure the master and standby ports and some LACP functions on top of the weight mode |
| Set the maximum and minimum members in a standby LAG | standby {min links\|max links } num | min links: the minimum number of up members in the LAG; if the number is smaller than this value, the LAG will be down as a whole. max links: the maximum number of up members in the LAG; if the number is greater than this value, other low-priority ports will be used as standby ports |
| Enable LACP preemption | preempt eable | After port preemption is turned on, when the primary port has switched to the standby port, traffic cuts back to the primary port once the primary port is up again |
| Preempt delay | preempt delay time | Time delay for the standby port to switch back to the master port, in seconds, 0-300 |
| Switching port priority method | standby select {priority\|speed } | priority: alternate ports with the same weight are selected in order of port priority; alternate ports without the same weight are not switched. speed: the device first selects spare ports with the same weight according to rate and priority; if there is no port with the same rate, the spare ports are selected according to priority; spare ports without the same weight are not switched |
| Submit selected mode | commit | Commit after selecting the mode for it to take effect. Standby mode needs a commit to take effect after adding ports; other modes do not need a commit to add ports |

Table 4: Adding members to a standby LAG group

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Enter interface view | interface ethernet id | Enter the port that you want to add as a LAG member |
| Add a port to a LAG group | link aggregation group lag id | |
| Add port member priority and weight | link aggregation group lag id port priority priority weight weight | priority: set the priority for the members of the added standby LAG; the greater the priority value, the higher the priority; when the priority is the same, the smaller the port ID, the higher the priority. Distribute traffic based on weights; the sum of the weight ratios of each port is not greater than 64 |

Create a mirror session

Port mirroring copies an additional stream of traffic based on the port without affecting the original service.

SPAN mirroring

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Configure SPAN mirroring | mirror session id span direction {rx\|tx\|both} \[src ethernet src ethernet ] dst ethernet dst ethernet \[slice enable] | |

SPAN mirroring description:

- id: used to maintain mirror groups, supporting up to 7 groups.
- direction: the direction of the mirrored port traffic. You can select the input direction, the output direction, or both input and output directions.
- src ethernet: select the inbound port for the mirrored traffic. This command can be entered multiple times to add multiple inbound ports; it can also be skipped if the mirror session is used for the ACL mirror action.
- dst ethernet: select the outbound port for the mirrored traffic. This command can be used to add multiple outbound ports.
- slice enable: enables message truncation, with a fixed truncation limit of 128 bytes.

RSPAN mirroring

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Create a VLAN for RSPAN use | vlan vlanid | Create a VLAN for RSPAN |
| Configure RSPAN mirroring | mirror session id rspan direction {rx\|tx\|both} \[src ethernet src ethernet ] dst ethernet dst ethernet remote vlan vlanid \[slice enable] | |

RSPAN mirroring description:

- id: used to maintain mirror groups, supporting up to 7 groups.
- direction: the direction of the mirrored port traffic. You can select the input direction, the output direction, or both input and output directions.
- src ethernet: select the inbound port for the mirrored traffic. This command can be entered multiple times to add multiple inbound ports; it can also be skipped if the mirror session is used for the ACL mirror action.
- dst ethernet: select the outbound port for the mirrored traffic. Only one outbound port is supported.
- slice enable: enables message truncation, with a fixed truncation limit of 128 bytes.

Create an ACL group and add rules

ACL table

An ACL table is port specific. Binding ports means that the ACL table is valid for traffic on those ports. A single ACL table can bind multiple ports, and multiple ACL tables can exist on a single port, i.e. a "many-to-many" relationship.

- ACL table naming rule: each ACL table must have a different name.
- ACL table direction: the ACL table stage indicates the direction, either ingress or egress, which corresponds to whether the ACL table is applied in the RX or TX direction respectively.
- ACL table type: the ACL table type affects the match fields of the ACL; in other words, it determines which characteristics are used to match traffic. The ACL table type is available as l2, l3, l3v6, ex. The egress direction only supports the l3/l3v6 types.

ACL rule

ACL rule action

Ingress

Table 5: ACL rule ingress action

| Action key words | Description |
| --- | --- |
| packet action {permit\|deny} | permit means forward; deny means the packet is not forwarded but can be normally trapped |
| mirror action mirror session id | Used to maintain mirror groups |
| redirect action {ethernet port \| ethernets \[ port1,port2 ] \| link aggregation lagid \| link aggregations \[ lagid,lagid ] } | Supports redirecting to an interface, multiple interfaces, a LAG or multiple LAGs. Ports and LAGs can be added together |
| add vlan vlan id | Add a new VLAN, range 1-4094. Not supported for multi redirections |
| modify vlan vlan id | Modify the outer VLAN, range 1-4094. Not supported for multi redirections |
| pop vlan | Pop the outer VLAN |
| add timestamp | Add a timestamp. PTP needs to be opened manually; see Timestamp function description |
| set dmac dmac | Modify the dst MAC, nn:nn:nn:nn:nn:nn |

Egress

Table 6: ACL rule egress action

| Action key words | Description |
| --- | --- |
| packet action {permit\|deny} | permit means forward; deny means the packet is not forwarded but can be normally trapped |

ACL rule match fields

The supported match fields vary between types of ACL tables. The specific match fields for each type of ACL table are described below.

L2 ACL

Table 7: L2 match fields

| Key words | Description of parameters | Notes |
| --- | --- | --- |
| src mac | Specify source MAC address nn:nn:nn:nn:nn:nn | Supported only in the ingress direction |
| dst mac | Specify destination MAC address nn:nn:nn:nn:nn:nn | Supported only in the ingress direction |
| ethernet type | Specify Ethernet protocol type, range 0-ffff | Supported only in the ingress direction |
| outer vlan | Specify outer VLAN ID, range 1-4094 | Supported only in the ingress direction |

L3 ACL

Table 8: L3 match fields

| Key words | Description of parameters | Notes |
| --- | --- | --- |
| src mac | Specify source MAC address nn:nn:nn:nn:nn:nn | Supported only in the ingress direction |
| outer vlan | Specify outer VLAN ID, range 1-4094 | |
| vlan pri | Specify outer VLAN priority, range 0-7 | |
| ip protocol | Specify IP protocol, range 0-255 | |
| src ip | Specify source IP address a.b.c.d(/mask) | |
| dst ip | Specify destination IP address a.b.c.d(/mask) | |
| icmp type | Specify type of ICMP, range 0-16 | Supported only in the ingress direction |
| icmp code | Specify code of ICMP, range 0-5 | Supported only in the ingress direction |
| src port | Specify L4 source port, range 0-65535 | |
| dst port | Specify L4 destination port, range 0-65535 | |
| ip fragment | Specify IP fragment any, all IP fragment packets | Supported only in the ingress direction |
| src port range | Specify src port range, e.g. 1024-65535 | Supported only in the ingress direction |
| dst port range | Specify dst port range, e.g. 1024-65535 | Supported only in the ingress direction |
| src port exclude | Specify L4 source port, range 0-65535 | Supported only in the ingress direction |
| dst port exclude | Specify L4 destination port, range 0-65535 | Supported only in the ingress direction |
| dscp | Specify DSCP of IP header, range 0-63 | Supported only in the ingress direction |

L3v6 ACL

Table 9: L3v6 match fields

| Key words | Description of parameters | Notes |
| --- | --- | --- |
| src mac | Specify source MAC address nn:nn:nn:nn:nn:nn | Supported only in the ingress direction |
| outer vlan | Specify outer VLAN ID, range 1-4094 | |
| vlan pri | Specify outer VLAN priority, range 0-7 | |
| ip protocol | Specify IP protocol, range 0-255 | |
| src ipv6 | Specify source IP address a b(/mask) | |
| dst ipv6 | Specify destination IP address a b(/mask) | |
| icmpv6 type | Specify type of ICMP, range 0-16 | Supported only in the ingress direction |
| icmpv6 code | Specify code of ICMP, range 0-5 | Supported only in the ingress direction |
| src port | Specify L4 source port, range 0-65535 | |
| dst port | Specify L4 destination port, range 0-65535 | |
| src port range | Specify src port range, e.g. 1024-65535 | Supported only in the ingress direction |
| dst port range | Specify dst port range, e.g. 1024-65535 | Supported only in the ingress direction |
| src port exclude | Specify L4 source port, range 0-65535 | Supported only in the ingress direction |
| dst port exclude | Specify L4 destination port, range 0-65535 | Supported only in the ingress direction |
| dscp | Specify DSCP of IP header, range 0-63 | Supported only in the ingress direction |

EX ACL

Table 10: EX match fields

| Key words | Description of parameters | Notes |
| --- | --- | --- |
| src mac | Specify source MAC address nn:nn:nn:nn:nn:nn | Supported only in the ingress direction |
| dst mac | Specify destination MAC address nn:nn:nn:nn:nn:nn | Supported only in the ingress direction |
| ethernet type | Specify Ethernet protocol type, range 0-ffff | Supported only in the ingress direction |
| outer vlan | Specify outer VLAN ID, range 1-4094 | Supported only in the ingress direction |
| src ip | Specify source IP address a.b.c.d(/mask) | Supported only in the ingress direction |
| tcp flags | Specify TCP flags, range 0-ff(flags)/0-ff(masks) | Supported only in the ingress direction |
| vni | Specify VNI, range 1-16777215 | Supported only in the ingress direction |

ACL configuration

Table 11: Create an ACL group and add rules

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Create an ACL group and enter ACL group view | access list {l2\|ex\|l3\|l3v6 } acl name { ingress\|egress} \[des crip] des crip \[priority] priority | acl name: the name of the ACL group. des crip: optionally add a description for the ACL group; the description can be modified, but the acl name cannot be modified. priority: an ACL group can be given a priority; the larger the priority value, the higher the priority. The priority is only valid within the same type; among different types, the priority of ex/l2 is higher than that of l3/l3v6 |
| Add rules | rule id action options \[rule options] | id: also indicates the priority level, in the range 0-500. rule options: see ACL rule match fields for details. action options: see ACL rule action for details |
| Enter the interface view | {interface ethernet id \| interface link aggregation lag id } | |
| Apply the ACL table to the interface | acl acl name | Bind the ACL to an interface or a link aggregation group |

Timestamp function description

Before using the timestamp, first turn on the global PTP switch, and then enable PTP on the traffic input port, so that traffic entering from that port can be timestamped. This function is generally used together with the timestamp function. Both port PTP and global PTP must be configured. When used with the timestamp, the current effective time and time zone shall prevail. If the time or time zone is modified, the device needs to be restarted for the change to take effect.

Table 12: Enable the global PTP function

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Configure the PTP profile | ptp profile 1588v2 | |
| Enable the global PTP function | ptp enable | Enable PTP globally |

Table 13: Enable the PTP function on the ingress port

| Operation | Command | Description |
| --- | --- | --- |
| Enter system configuration view | configure | |
| Enter interface view | interface ethernet id | Enter the traffic input port where the timestamp is to be added |
| Enable the PTP function on the port | ptp enable | Enable port PTP |

Note: The timestamp is placed after the source MAC of the original message and is marked with 0xffff. The next four bytes are nanoseconds, with an interval of 0x8000. Taking the above figure as an example, the nanosecond timestamp is 0x37df04ce. The next four bytes are seconds, with an interval of 0x0000; the second timestamp is 0x685389e6. The next two bytes are 0x0000 as an interval, followed by the EtherType of the original message. The final timestamp is the second timestamp + nanosecond timestamp. The second timestamp (converted to decimal, the number of seconds from January 1, 1970 UTC) converts to the date 2025/06/19 11:54. The nanosecond timestamp is 937362638 nanoseconds (converted to decimal), so the precise timestamp of the message is 2025/06/19 11:54 937362638.

Maintenance interface

| Operation | Command | Description |
| --- | --- | --- |
| View ACL hit counts | show counters acl | |
| Clear ACL hit counts | clear counters acl | |
| View LAG group | show link aggregation summary | |
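
The limits this reference states for LAG weights, mirror sessions, rule IDs, VLAN actions and the egress direction can be checked against a planned policy before it is entered on the device. The Python below is an added example, not part of the original reference or of the vendor's tooling; the plan layout, `lint_plan`, and the table and port names are assumptions made for illustration.

```python
# Added example. Limits are transcribed from this page's tables; the plan
# layout (dict keys, table and port names) is hypothetical.
COMMON = {"outer vlan", "vlan pri", "ip protocol", "src port", "dst port"}
EGRESS_FIELDS = {"l3": COMMON | {"src ip", "dst ip"},  # no "ingress only" note
                 "l3v6": COMMON | {"src ipv6", "dst ipv6"}}

def lint_plan(plan):
    """Return the documented limits that a planned policy violates."""
    issues = []
    for lag in plan.get("lags", []):
        total = sum(lag.get("weights", {}).values())
        if total > 64:
            issues.append(f"lag {lag['id']}: weight sum {total} exceeds 64")
    if len(plan.get("mirror_sessions", [])) > 7:
        issues.append("more than 7 mirror sessions")
    for table in plan.get("acl_tables", []):
        egress = table["stage"] == "egress"
        if egress and table["type"] not in EGRESS_FIELDS:
            issues.append(f"{table['name']}: egress supports only l3/l3v6")
        for rule in table["rules"]:
            where = f"{table['name']} rule {rule['id']}"
            actions, match = rule.get("actions", {}), rule.get("match", {})
            if not 0 <= rule["id"] <= 500:
                issues.append(f"{where}: id outside 0-500")
            if egress:  # egress offers packet action only (Table 6)
                allowed = EGRESS_FIELDS.get(table["type"], set())
                for key in sorted(set(actions) - {"packet action"}):
                    issues.append(f"{where}: action '{key}' is ingress only")
                for key in sorted(set(match) - allowed):
                    issues.append(f"{where}: match '{key}' is ingress only")
            # add/modify vlan: "not support for multi redirections" (Table 5)
            multi = len(actions.get("redirect action", [])) > 1
            for key in ("add vlan", "modify vlan"):
                if key in actions and not 1 <= actions[key] <= 4094:
                    issues.append(f"{where}: {key} outside 1-4094")
                if key in actions and multi:
                    issues.append(f"{where}: {key} with multiple redirects")
    return issues

SAMPLE_PLAN = {  # constructed input
    "lags": [{"id": 1, "weights": {"ethernet 1": 40, "ethernet 2": 30}}],
    "acl_tables": [
        {"name": "tap_in", "type": "l3", "stage": "ingress", "rules": [
            {"id": 10, "match": {"src ip": "10.0.0.0/8", "icmp type": 8},
             "actions": {"redirect action": ["e5", "e6"], "add vlan": 100}}]},
        {"name": "tap_out", "type": "l3", "stage": "egress", "rules": [
            {"id": 501, "match": {"dst ip": "192.0.2.0/24", "dscp": 46},
             "actions": {"packet action": "deny"}}]},
    ],
}
```

Calling `lint_plan(SAMPLE_PLAN)` reports four violations: the LAG weight sum, the VLAN action combined with two redirect targets, the out-of-range rule ID, and the ingress-only `dscp` match on an egress table.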
