Bandwidth management commands
The following compatibility matrix shows the support of hardware platforms for bandwidth management:
Hardware platform | Module type | Bandwidth management compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | Yes |
M9006, M9010, M9014 | Blade V firewall module | Yes |
M9006, M9010, M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S, M9012-S | Blade IV firewall module | Yes |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S, M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes |
Non-default vSystems do not support some of the bandwidth management commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
accelerate activate
Use accelerate activate to manually activate rule matching acceleration.
Syntax
accelerate activate
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
Rule matching acceleration enhances connection establishment and packet forwarding performance, especially for a device using multiple rules to match packets from multiple users.
Rule matching acceleration does not take effect on newly added, modified, and moved rules unless the feature is activated for the rules. By default, the system automatically activates rule matching acceleration for such rules at specific intervals. The interval is 2 seconds if 100 or fewer rules exist and 20 seconds if over 100 rules exist.
To activate rule matching acceleration immediately after a rule change, you can execute this command.
If no rule change is detected, the system does not perform an activation operation.
Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
Examples
# Activate rule matching acceleration.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] accelerate activate
action
Use action to specify an action for a traffic rule.
Use undo action to restore the default.
Syntax
action { deny | none | qos profile profile-name }
undo action
Default
The action for a traffic rule is none.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
deny: Drops matching packets.
none: Allows matching packets to pass through without bandwidth management.
qos profile profile-name: Specifies a traffic profile by its name to limit the rate of matching packets. The profile name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If a packet matches a traffic rule, the device performs the action specified in the traffic rule on the packet.
Examples
# Create a traffic rule named rule1, and apply traffic profile profile1 to the traffic rule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] action qos profile profile1
Related commands
profile name
rule name
all-traffic-control enable
Use all-traffic-control enable to enable bandwidth management for all IPv6 Layer 4 traffic.
Use undo all-traffic-control enable to disable bandwidth management for all IPv6 Layer 4 traffic.
Syntax
all-traffic-control enable
undo all-traffic-control enable
Default
Bandwidth management for all IPv6 Layer 4 traffic is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
By default, bandwidth management is performed on traffic flows of TCP, UDP, ICMP, and ICMPv6. This feature enables the device to perform bandwidth management on traffic flows of all IPv6 Layer 4 traffic in addition to the supported IPv4 Layer 4 traffic.
Examples
# Enable bandwidth management for all IPv6 Layer 4 traffic.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] all-traffic-control enable
application
Use application to configure an application or application group as a match criterion.
Use undo application to delete an application or application group match criterion.
Syntax
application { app application-name | app-group application-group-name }
undo application { app application-name | app-group application-group-name }
Default
No application or application group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
app application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters.
app-group application-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Non-default vSystems do not support this command.
You can configure multiple applications or application groups for a traffic rule to match packets.
This command enables the device to manage bandwidth by application type, such as email, P2P, IM, and web browsing.
If you specify a user-defined application that uses DCCP, SCTP, or UDP-Lite as the transport layer protocol, the application is not limited by bandwidth management. For information about user-defined applications, see Security Configuration Guide.
Examples
# Configure P2P_General_TCP_Communications as a match criterion for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] application app P2P_General_TCP_Communications
Related commands
app-group (Security Command Reference)
nbar application (Security Command Reference)
port-mapping (Security Command Reference)
bandwidth
Use bandwidth to set the total guaranteed bandwidth or maximum bandwidth in a traffic profile.
Use undo bandwidth to delete the total guaranteed bandwidth or maximum bandwidth setting of a traffic profile.
Syntax
bandwidth { downstream | total | upstream } { guaranteed | maximum } bandwidth-value
undo bandwidth { downstream | total | upstream } { guaranteed | maximum }
Default
The total guaranteed bandwidth and maximum bandwidth are not set in a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
downstream: Specifies downstream traffic (traffic from a server to a client).
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic (traffic from a client to a server).
guaranteed: Specifies the guaranteed bandwidth.
maximum: Specifies the maximum bandwidth. The maximum bandwidth must be greater than or equal to the guaranteed bandwidth.
bandwidth-value: Specifies the bandwidth value in the range of 8 to 1000000000 kbps.
Usage guidelines
When you specify traffic profiles for parent and child traffic rules, follow these restrictions and guidelines:
· The maximum bandwidth for the child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The guaranteed bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The traffic profiles cannot be the same for the child and parent traffic rules.
An interface with small default expected bandwidth might experience traffic loss if the following conditions exist:
· There is a large amount of traffic on the interface.
· The interface uses the default expected bandwidth.
To avoid traffic loss, explicitly set the expected bandwidth to a large value for such an interface.
Examples
# In traffic profile profile1, set both upstream and downstream maximum bandwidth to 10000 kbps, and set both upstream and downstream guaranteed bandwidth to 5000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth upstream maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth upstream guaranteed 5000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream guaranteed 5000
bandwidth average enable
Use bandwidth average enable to enable dynamic and even allocation for maximum bandwidth.
Use undo bandwidth average enable to disable dynamic and even allocation for maximum bandwidth.
Syntax
bandwidth average enable
undo bandwidth average enable
Default
Dynamic and even allocation for maximum bandwidth is disabled.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command allows the device to dynamically and evenly allocate the total maximum bandwidth among all online IP addresses.
This command can be enabled only after you set the total maximum bandwidth.
Examples
# Enable dynamic and even allocation for maximum bandwidth in traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth total maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth average enable
Related commands
bandwidth { downstream | total | upstream } maximum
bandwidth { per-ip | per-user }
Use bandwidth { per-ip | per-user } to set the per-IP or per-user maximum or guaranteed bandwidth for a traffic profile.
Use undo bandwidth { per-ip | per-user } to delete the per-IP or per-user maximum or guaranteed bandwidth setting of a traffic profile.
Syntax
bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user } bandwidth-value
undo bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user }
Default
The per-IP or per-user maximum bandwidth and guaranteed bandwidth are not set in a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
downstream: Specifies downstream traffic (traffic from a server to a client).
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic (traffic from a client to a server).
guaranteed: Sets the guaranteed bandwidth.
maximum: Sets the maximum bandwidth.
per-ip: Sets the per-IP bandwidth.
per-user: Sets the per-user bandwidth.
bandwidth-value: Specifies the bandwidth value in the range of 8 to 1000000000 kbps.
Usage guidelines
Non-default vSystems do not support this command.
This command allows you to manage bandwidth at finer granularity.
The per-IP or per-user maximum bandwidth cannot be greater than the total maximum bandwidth.
The per-IP or per-user guaranteed bandwidth cannot be greater than the total guaranteed bandwidth.
The per-IP or per-user guaranteed bandwidth cannot be greater than the per-IP or per-user maximum bandwidth.
Examples
# In traffic profile profile1, set both upstream and downstream per-IP maximum bandwidth to 10000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth upstream maximum per-ip 10000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream maximum per-ip 10000
bandwidth total traffic-quota per-ip monthly
Use bandwidth total traffic-quota per-ip monthly to set the per-IP monthly traffic quota.
Use undo bandwidth total traffic-quota per-ip monthly to restore the default.
Syntax
bandwidth total traffic-quota per-ip monthly quota-value
undo bandwidth total traffic-quota per-ip monthly
Default
The amount of traffic used by an IP address per month is not limited.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
quota-value: Specifies the per-IP monthly traffic quota in the range of 1 to 1000000000 KB.
Usage guidelines
Non-default vSystems do not support this command.
This command limits the total amount of traffic (uplink and downlink) used by an IP address per month. When the traffic used by an IP address reaches the traffic quota, the device drops packets from the IP address.
Examples
# In traffic profile prof1, set the per-IP monthly traffic quota to 5000 KB.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name prof1
[Sysname-traffic-policy-profile-prof1] bandwidth total traffic-quota per-ip monthly 5000
connection-limit count
Use connection-limit count to set the connection count limit for a traffic profile.
Use undo connection-limit count to delete the connection count limit setting of a traffic profile.
Syntax
connection-limit count { per-rule | per-ip | per-user } connection-number
undo connection-limit count { per-rule | per-ip | per-user }
Default
No connection count limit is set for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
per-rule: Specifies the total connection count limit (count limit for the traffic rule associated with the traffic profile).
per-ip: Specifies the per-IP connection count limit.
per-user: Specifies the per-user connection count limit.
connection-number: Specifies the maximum number of connections allowed, in the range of 1 to 12000000.
Usage guidelines
Non-default vSystems do not support this command.
The per-IP or per-user connection count limit cannot be greater than the total connection count limit.
You cannot set both per-IP and per-user connection count limits for one traffic profile.
Examples
# In traffic profile profile1, set the total connection count limit to 1000.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit count per-rule 1000
# In traffic profile profile1, set the per-IP connection count limit to 500.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit count per-ip 500
connection-limit rate
Use connection-limit rate to set the connection rate limit for a traffic profile.
Use undo connection-limit rate to delete the connection rate limit setting of a traffic profile.
Syntax
connection-limit rate { per-rule | per-ip | per-user } connection-rate
undo connection-limit rate { per-rule | per-ip | per-user }
Default
No connection rate limit is set for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
per-rule: Specifies the total connection rate limit (rate limit for the traffic rule associated with the traffic profile).
per-ip: Specifies the per-IP connection rate limit.
per-user: Specifies the per-user connection rate limit.
connection-rate: Specifies the maximum connection rate in the range of 1 to 12000000 connections per second.
Usage guidelines
Non-default vSystems do not support this command.
The per-IP or per-user connection rate limit cannot be greater than the total connection rate limit.
You cannot set both per-IP and per-user connection rate limits for one traffic profile.
Examples
# In traffic profile profile1, set the total connection rate limit to 1000 connections per second.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit rate per-rule 1000
# In traffic profile profile1, set the per-IP connection rate limit to 500 connections per second.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit rate per-ip 500
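The value ranges and restrictions stated above for bandwidth, bandwidth { per-ip | per-user }, bandwidth average enable, the monthly traffic quota, and connection-limit count and rate can be checked offline before a profile is pushed to a device. The following Python linter is an added example, not H3C code: the function name, finding labels and sample profiles are constructed, and comparing a per-IP or per-user value against the profile-wide value of the same direction keyword is an assumption.

```python
import re

BW_RANGE = (8, 1_000_000_000)     # kbps, bandwidth-value range from the page
CONN_RANGE = (1, 12_000_000)      # connection-number / connection-rate range
QUOTA_RANGE = (1, 1_000_000_000)  # KB, quota-value range

BW_RE = re.compile(r"bandwidth (downstream|total|upstream) (guaranteed|maximum)"
                   r"(?: (per-ip|per-user))? (\d+)")
CONN_RE = re.compile(r"connection-limit (count|rate) (per-rule|per-ip|per-user) (\d+)")
QUOTA_RE = re.compile(r"bandwidth total traffic-quota per-ip monthly (\d+)")


def in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def lint_profile(commands):
    """Check one traffic profile's commands; return a list of finding strings."""
    findings = []
    bw = {}    # (direction, kind, scope) -> kbps; scope "profile" = no per-ip/per-user
    conn = {}  # (kind, scope) -> limit
    for raw in commands:
        line = " ".join(raw.split())
        if not line:
            continue
        if line == "bandwidth average enable":
            # Allowed only after a profile-wide maximum bandwidth has been set.
            if not any(k[1] == "maximum" and k[2] == "profile" for k in bw):
                findings.append("average-before-maximum: " + line)
        elif m := BW_RE.fullmatch(line):
            direction, kind, scope, value = m.groups()
            if not in_range(int(value), BW_RANGE):
                findings.append("bandwidth-range: " + line)
            bw[(direction, kind, scope or "profile")] = int(value)
        elif m := CONN_RE.fullmatch(line):
            kind, scope, value = m.groups()
            if not in_range(int(value), CONN_RANGE):
                findings.append("connection-range: " + line)
            conn[(kind, scope)] = int(value)
        elif m := QUOTA_RE.fullmatch(line):
            if not in_range(int(m.group(1)), QUOTA_RANGE):
                findings.append("quota-range: " + line)
        else:
            findings.append("unrecognized: " + line)

    def exceeds(a, b):
        """True when both values are set and a is greater than b."""
        return a is not None and b is not None and a > b

    for d in ("downstream", "total", "upstream"):
        p_max = bw.get((d, "maximum", "profile"))
        p_gua = bw.get((d, "guaranteed", "profile"))
        if exceeds(p_gua, p_max):
            findings.append(f"guaranteed-above-maximum: {d}")
        for scope in ("per-ip", "per-user"):
            s_max = bw.get((d, "maximum", scope))
            s_gua = bw.get((d, "guaranteed", scope))
            if exceeds(s_max, p_max):
                findings.append(f"{scope}-maximum-above-total: {d}")
            if exceeds(s_gua, p_gua):
                findings.append(f"{scope}-guaranteed-above-total: {d}")
            if exceeds(s_gua, s_max):
                findings.append(f"{scope}-guaranteed-above-{scope}-maximum: {d}")

    for kind in ("count", "rate"):
        if (kind, "per-ip") in conn and (kind, "per-user") in conn:
            findings.append(f"connection-{kind}: per-ip and per-user both set")
        for scope in ("per-ip", "per-user"):
            if exceeds(conn.get((kind, scope)), conn.get((kind, "per-rule"))):
                findings.append(f"connection-{kind}: {scope} above per-rule")
    return findings


# Constructed sample profiles (not taken from a real device).
GOOD_PROFILE = """
bandwidth total maximum 10000
bandwidth total guaranteed 5000
bandwidth total maximum per-ip 2000
bandwidth average enable
connection-limit count per-rule 1000
connection-limit count per-ip 500
bandwidth total traffic-quota per-ip monthly 5000
""".splitlines()

BAD_PROFILE = """
bandwidth average enable
bandwidth upstream maximum 10000
bandwidth upstream guaranteed 20000
bandwidth upstream maximum per-ip 50000
bandwidth downstream maximum 4
connection-limit rate per-rule 1000
connection-limit rate per-ip 5000
connection-limit rate per-user 100
""".splitlines()

if __name__ == "__main__":
    for finding in lint_profile(BAD_PROFILE):
        print(finding)
```

The parent and child rule restrictions listed under bandwidth involve two profiles and are outside what this check covers.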
destination-address
Use destination-address to configure a destination IP address object group as a match criterion.
Use undo destination-address to remove a destination IP address object group as a match criterion.
Syntax
destination-address address-set object-group-name
undo destination-address address-set object-group-name
Default
No destination IP address object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command is used to match the packets with the destination IP addresses in the specified address object group. You can specify multiple address object groups for a traffic rule to match destination IP addresses of packets.
Before rolling back configuration by using the configuration replace file filename command, check the address object group configuration in the traffic rule in the configuration file. The address object group configuration fails to be rolled back if two address object groups have the same name but are of different types (IPv4/IPv6).
Examples
# Configure IPv4 address object group obgroup2 for traffic rule rule1 to match destination IPv4 addresses of packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] destination-address address-set obgroup2
Related commands
object-group (Security Command Reference)
destination-ip
Use destination-ip to configure a destination IP address or IP address range as a match criterion.
Use undo destination-ip to remove a destination IP address or IP address range as a match criterion.
Syntax
destination-ip { ipv4 { host ip-address | range ip-address1 ip-address2 | subnet ip-address { mask-length | mask } } | ipv6 { host ipv6-address | range ipv6-address1 ipv6-address2 | subnet { ipv6-address prefix-length | ipv6-address/prefix-length } } }
undo destination-ip { ipv4 { host [ ip-address ] | range [ ip-address1 ip-address2 ] | subnet [ ip-address { mask-length | mask } ] } | ipv6 { host [ ipv6-address ] | range [ ipv6-address1 ipv6-address2 ] | subnet [ ipv6-address prefix-length | ipv6-address/prefix-length ] } }
Default
No destination IP address or IP address range is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4: Specifies the IPv4 address type.
host ip-address: Specifies a host IPv4 address.
range ip-address1 ip-address2: Specifies an IPv4 address range by using a start address and an end address.
subnet ip-address { mask-length | mask }: Specifies a subnet IPv4 address range. The value range for the mask-length argument is 0 to 32. The mask argument specifies a subnet mask in dotted decimal notation. If you specify a mask length of 32 or a mask of 255.255.255.255, the IPv4 address is a host IPv4 address.
ipv6: Specifies the IPv6 address type.
host ipv6-address: Specifies a host IPv6 address.
range ipv6-address1 ipv6-address2: Specifies an IPv6 address range by using a start address and an end address.
subnet ipv6-address prefix-length: Specifies a subnet IPv6 address. The value range for the prefix-length argument is 1 to 128. If you specify a prefix length of 128, the IPv6 address is a host IPv6 address.
Usage guidelines
If you execute this command multiple times, you can configure multiple destination IP addresses and IP address ranges as match criteria.
The total number of destination IP address match criteria and destination IP address range match criteria that one traffic rule can contain is 1024.
If you do not specify an optional parameter when executing the undo destination-ip command, all match criteria of that type will be deleted.
Examples
# Configure destination IP addresses and IP address ranges as match criteria for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-1-rule1] destination-ip ipv4 host 1.1.1.1
[Sysname-traffic-policy-rule-1-rule1] destination-ip ipv4 range 1.1.1.1 2.2.2.2
[Sysname-traffic-policy-rule-1-rule1] destination-ip ipv4 subnet 1.1.1.0 24
[Sysname-traffic-policy-rule-1-rule1] destination-ip ipv6 host 1000::1000:1
[Sysname-traffic-policy-rule-1-rule1] destination-ip ipv6 range 1000::1000:1 2000::2000:1
[Sysname-traffic-policy-rule-1-rule1] destination-ip ipv6 subnet 1000::1000:0 64
destination-matching after-nat
Use destination-matching after-nat to use the packet information after DNAT to match a traffic policy.
Use undo destination-matching after-nat to restore the default.
Syntax
destination-matching after-nat
undo destination-matching after-nat
Default
The packet information before DNAT is used for matching.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If destination NAT will be performed on a flow to be managed, perform this task to match the flow with the IP address, port number, and VPN instance after DNAT. For more information about NAT, see Layer 3—IP Services Configuration Guide.
Examples
# Use the packet information after DNAT to match a traffic policy.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] destination-matching after-nat
destination-zone
Use destination-zone to configure a destination security zone as a match criterion.
Use undo destination-zone to delete a destination security zone match criterion.
Syntax
destination-zone destination-zone-name
undo destination-zone destination-zone-name
Default
No destination security zone is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
destination-zone-name: Specifies a destination zone by its name, a case-insensitive string of 1 to 31 characters.
Examples
# Configure destination security zone zone2 as a match criterion for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] destination-zone zone2
Related commands
security-zone name (Security Command Reference)
disable
Use disable to disable a traffic rule.
Use undo disable to enable a traffic rule.
Syntax
disable
undo disable
Default
A traffic rule is enabled.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If a traffic rule is not used, use this command to disable it. A disabled traffic rule does not participate in traffic matching. You can copy, rename, and move a disabled traffic rule.
Examples
# Disable traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] disable
display traffic-policy hardware-rate-limit support
Use display traffic-policy hardware-rate-limit support to display the support of the device for hardware bandwidth management.
Syntax
display traffic-policy hardware-rate-limit support
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006, M9010, M9014 | Blade IV firewall module | No |
M9006, M9010, M9014 | Blade V firewall module | No |
M9006, M9010, M9014 | NAT module | No |
M9010-GM | Encryption module | No |
M9016-V | Blade V firewall module | No |
M9008-S, M9012-S | Blade IV firewall module | No |
M9008-S, M9012-S | Intrusion prevention service (IPS) module | No |
M9008-S, M9012-S | Video network gateway module | No |
M9008-S-V | Blade IV firewall module | No |
M9000-AI-E4, M9000-AI-E8, M9000-AI-E16 | Blade V firewall module | No |
M9000-AK001 | Blade V firewall module | No |
M9000-X06, M9000-X06-B, M9000-X06-B-G, M9000-X06-G, M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06, M9000-AI-X10 | Blade VI firewall module | Yes |
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Usage guidelines
If you enable this feature before all service cards installed on the device can work correctly, you will be prompted that the device does not support the feature. In this case, you must troubleshoot the problematic cards and enable this feature after all service cards can work correctly. This command can help you identify whether all service cards are working correctly.
Examples
# Display the support of the device for hardware bandwidth management.
<Sysname> display traffic-policy hardware-rate-limit support
Hardware rate limiting: Supported
display traffic-policy statistics bandwidth
Use display traffic-policy statistics bandwidth to display traffic statistics for traffic rules.
Syntax
In standalone mode:
display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
downstream: Displays downstream traffic statistics.
total: Displays the sum of downstream traffic statistics and upstream traffic statistics.
upstream: Displays upstream traffic statistics.
per-ip: Displays per-IP traffic statistics. Non-default vSystems do not support this parameter.
ipv4: Displays per-IP traffic statistics for IPv4 addresses. Non-default vSystems do not support this parameter.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays per-IP traffic statistics for all IPv4 addresses of the specified traffic rule. Non-default vSystems do not support this parameter.
ipv6: Displays per-IP traffic statistics for IPv6 addresses. Non-default vSystems do not support this parameter.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays per-IP traffic statistics for all IPv6 addresses of the specified traffic rule. Non-default vSystems do not support this parameter.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. Non-default vSystems do not support this parameter.
per-rule: Displays per-rule traffic statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays per-rule traffic statistics for all traffic rules.
per-user: Displays per-user traffic statistics. Non-default vSystems do not support this parameter.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command displays per-user traffic statistics for all users of the specified traffic rule. Non-default vSystems do not support this parameter.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. Non-default vSystems do not support this parameter.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays traffic statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays traffic statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. The cpu cpu-number option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Before displaying traffic statistics, you must execute the statistics bandwidth enable command.
You can identify whether a traffic rule works as configured by displaying the traffic statistics for the traffic rule.
Examples
# (In standalone mode.) Display per-rule upstream traffic statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-rule name traffic-rule
Slot 1:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State Profile name PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 726 7550 4 2961 703 497 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (In standalone mode.) Display per-IP upstream traffic statistics for all IPv4 addresses in traffic rule traffic-rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-ip ipv4 rule traffic-rule
Slot 1:
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State IP PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic-rule Enabled 1.1.1.1 726 75502 4 2961 703.3 497 595 6632 664.1
----------------------------------------------------------------------------------------
traffic-rule2 Enabled 1.1.1.5 756 74502 4 2901 712 488 595 6632 664.1
----------------------------------------------------------------------------------------
traffic-rule3 Enabled 1.1.1.8 756 74502 4 2951 712 488 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 1 Command output
Codes: Acronyms for fields:
· PP(Passed Packets)—Number of packets permitted by the traffic rule.
· PB(Passed Bytes)—Number of bytes permitted by the traffic rule.
· DP(Dropped Packets)—Number of packets dropped by the traffic rule.
· DB(Dropped Bytes)—Number of bytes dropped by the traffic rule.
· PR(Passed Rate:kbps)—Rate of packets permitted by the traffic rule, in kbps.
· DR(Drop Rate:kbps)—Rate of packets dropped by the traffic rule, in kbps.
· FPP(Final Passed Packets)—Number of packets permitted by both the traffic rule and interface bandwidth.
· FPB(Final Passed Bytes)—Number of bytes permitted by both the traffic rule and interface bandwidth.
· FPR(Final Passed Rate:kbps)—Rate of packets permitted by both the traffic rule and interface bandwidth, in kbps.
In the case of rule nesting, the actual values of the FPP, FPB, and FPR fields are displayed only if you specify the lowest-level traffic rule in the display traffic-policy statistics bandwidth command. If you specify a non-lowest-level traffic rule, the value 0 is displayed for these fields.
Related commands
statistics bandwidth enable
display traffic-policy statistics connection-limit
Use display traffic-policy statistics connection-limit to display connection limit statistics.
Syntax
In standalone mode:
display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
per-ip: Displays per-IP connection limit statistics.
ipv4: Displays per-IP connection limit statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays connection limit statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Displays per-IP connection limit statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays connection limit statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Displays per-rule connection limit statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays per-rule connection limit statistics for all traffic rules.
per-user: Displays per-user connection limit statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command displays per-user connection limit statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays connection limit statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays connection limit statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. The cpu cpu-number option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Non-default vSystems do not support this command.
Before displaying connection limit statistics, you must execute the statistics connection-limit enable command.
You can identify whether a traffic rule works as configured by displaying the connection limit statistics for the traffic rule.
Examples
# (In standalone mode.) Display per-IP connection limit statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-ip ipv4 rule traffic-rule
Slot 1:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name IP CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 1.1.1.1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (In standalone mode.) Display per-rule connection limit statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-rule name traffic-rule
Slot 1:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (In standalone mode.) Display per-user connection limit statistics for all users of traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-user rule traffic-rule
Slot 1:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name User ID User name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 0x3d user1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 2 Command output
Field | Description |
---|---|
Codes | Acronyms for fields: · CC (current connections)—Number of current connections. · RC (rejected connections)—Number of connections rejected after the number of current connections reached the limit. · CL (connection limit)—Maximum number of connections allowed. · RRC(Rate Rejective Connection)—Number of connections rejected after the connection establishment rate reached the limit. · RR(Rejective Rate)—Rate of connections rejected, in connections per second. · PR(Pass Rate)—Rate of connections established, in connections per second. |
Related commands
statistics connection-limit enable
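The connection limit tables above are easy to post-process when checking whether a rule is actually rejecting connections. The following is an added example, not part of the vendor documentation: it parses the per-ip, per-rule, and per-user output forms by reading the header row and flags entries that sit at the limit or have rejected connections. The function names and the sample output (built on the layout shown above, with documentation addresses) are constructed, and it assumes rule, profile, and user names contain no spaces.

```python
# Column titles that contain a space in the output forms shown above.
MULTIWORD_TITLES = ("Rule name", "Profile name", "User ID", "User name")
INT_COLUMNS = ("CC", "RC", "CL", "RRC")
RATE_COLUMNS = ("RR", "PR")          # connections per second


def parse_connection_limit(text):
    """Turn the per-ip, per-rule or per-user table into a list of dicts."""
    rows, card, columns = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith(("Codes:", "<", "#")):
            continue                      # blank, separator, legend, prompt, comment
        if line.endswith(":"):            # card header such as "Slot 1:"
            card, columns = line[:-1], None
            continue
        if line.startswith("Rule name"):  # the header row names the columns
            for title in MULTIWORD_TITLES:
                line = line.replace(title, title.replace(" ", "_"))
            columns = line.split()
            continue
        if columns is None:
            continue
        fields = line.split()
        if len(fields) != len(columns):
            # Assumption: rule, profile and user names contain no spaces.
            raise ValueError(f"row does not match header: {line!r}")
        row = dict(zip(columns, fields), card=card)
        for name in INT_COLUMNS:
            row[name] = int(row[name])
        for name in RATE_COLUMNS:
            row[name] = float(row[name])
        rows.append(row)
    return rows


def find_limited(rows):
    """Return (rule, subject, reasons) for entries that hit a connection limit."""
    findings = []
    for row in rows:
        reasons = []
        if row["CL"] and row["CC"] >= row["CL"]:
            reasons.append("at-connection-limit")    # CC has reached CL
        if row["RC"] > 0:
            reasons.append("rejected-by-count")      # RC: rejected at the count limit
        if row["RRC"] > 0:
            reasons.append("rejected-by-rate")       # RRC: rejected at the rate limit
        if reasons:
            subject = row.get("IP") or row.get("User_name") or row["Rule_name"]
            findings.append((row["Rule_name"], subject, reasons))
    return findings


# Constructed sample output (not captured from a device).
SAMPLE_PER_IP = """\
Slot 1:
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------
Rule name State Profile name IP CC RC CL RRC RR PR
----------------------------------------------------------------
traffic-rule Enabled profile1 192.0.2.10 200 300 200 0 300 200
----------------------------------------------------------------
traffic-rule Enabled profile1 192.0.2.11 12 0 200 0 0 3
----------------------------------------------------------------
"""

SAMPLE_PER_USER = """\
Slot 1:
----------------------------------------------------------------
Rule name State Profile name User ID User name CC RC CL RRC RR PR
----------------------------------------------------------------
traffic-rule Enabled profile1 0x3d user1 5 0 200 40 40 5
----------------------------------------------------------------
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PER_IP, SAMPLE_PER_USER):
        for finding in find_limited(parse_connection_limit(sample)):
            print(finding)
```
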
display traffic-policy statistics rule-hit
Use display traffic-policy statistics rule-hit to display rule-hit statistics.
Syntax
In standalone mode:
display traffic-policy statistics rule-hit [ [ beyond beyond-number ] | [ rule rule-name ] ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display traffic-policy statistics rule-hit [ [ beyond beyond-number ] | [ rule rule-name ] ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
beyond beyond-number: Specifies traffic rules that were hit for more than the specified number of times. The beyond-number argument specifies the number of times, in the range of 0 to 65534.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays rule-hit statistics for all traffic rules.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays rule-hit statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays rule-hit statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. The cpu cpu-number option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Before displaying rule-hit statistics, you must execute the statistics rule-hit enable command.
Examples
# (In standalone mode.) Display rule-hit statistics for all traffic rules.
<Sysname> display traffic-policy statistics rule-hit
Slot 1:
----------------------------------------------------------------------------------------
Rule ID Rule name State Profile ID Profile name Hit
----------------------------------------------------------------------------------------
201 traffic-rule Enabled 21 profile1 11111
----------------------------------------------------------------------------------------
202 traffic-rule1 Enabled 22 profile2 11112
----------------------------------------------------------------------------------------
203 traffic-rule2 Enabled 23 profile1 11565
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# (In standalone mode.) Display rule-hit statistics for traffic rules that were hit more than 11111 times.
<Sysname> display traffic-policy statistics rule-hit beyond 11111
Slot 1:
----------------------------------------------------------------------------------------
Rule ID Rule name State Profile ID Profile name Hit
----------------------------------------------------------------------------------------
202 traffic-rule1 Enabled 22 profile2 11112
----------------------------------------------------------------------------------------
203 traffic-rule2 Enabled 23 profile1 11565
----------------------------------------------------------------------------------------
Table 3 Command output
Field | Description |
---|---|
Hit | Number of times that a rule is matched. |
Related commands
statistics rule-hit enable
dscp
Use dscp to configure a DSCP priority as a match criterion.
Use undo dscp to remove all DSCP priority match criteria.
Syntax
dscp dscp-value
undo dscp dscp-value
Default
No DSCP priority is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
dscp-value: Specifies a DSCP priority, which can only be a keyword in Table 4.
Keyword | DSCP value (binary) | DSCP value (decimal) |
---|---|---|
default | 000000 | 0 |
af11 | 001010 | 10 |
af12 | 001100 | 12 |
af13 | 001110 | 14 |
af21 | 010010 | 18 |
af22 | 010100 | 20 |
af23 | 010110 | 22 |
af31 | 011010 | 26 |
af32 | 011100 | 28 |
af33 | 011110 | 30 |
af41 | 100010 | 34 |
af42 | 100100 | 36 |
af43 | 100110 | 38 |
cs1 | 001000 | 8 |
cs2 | 010000 | 16 |
cs3 | 011000 | 24 |
cs4 | 100000 | 32 |
cs5 | 101000 | 40 |
cs6 | 110000 | 48 |
cs7 | 111000 | 56 |
ef | 101110 | 46 |
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Configure DSCP priority af11 as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] dscp af11
hardware rate-limit
Use hardware rate-limit enable to enable hardware bandwidth management.
Use undo hardware rate-limit enable to disable hardware bandwidth management.
Syntax
hardware rate-limit enable
undo hardware rate-limit enable
The following compatibility matrix shows the support of hardware platforms for this command:
Hardware platform | Module type | Command compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | No |
M9006 M9010 M9014 | Blade V firewall module | No |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | No |
M9016-V | Blade V firewall module | No |
M9008-S M9012-S | Blade IV firewall module | No |
M9008-S M9012-S | Intrusion prevention service (IPS) module | No |
M9008-S M9012-S | Video network gateway module | No |
M9008-S-V | Blade IV firewall module | No |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | No |
M9000-AK001 | Blade V firewall module | No |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Default
Hardware bandwidth management is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Application scenarios
This feature is applicable to scenarios where high forwarding performance is required and bandwidth management is used only to limit traffic rates.
Operating mechanism
By default, hardware bandwidth management is disabled and the device performs bandwidth management through software fast forwarding. Software fast forwarding requires CPU processing. When the load on the CPU is heavy, the packet processing speed will be lowered.
With this feature enabled, the device performs bandwidth management through hardware fast forwarding, which is faster in packet processing than software fast forwarding.
Restrictions and guidelines
After this feature is enabled, the device can only limit the upstream traffic rate, downstream traffic rate, and total traffic rate. Other bandwidth management functions do not take effect.
This feature cannot be used together with other Layer 4 and higher-layer services.
This feature takes effect only after hardware fast forwarding is enabled on the device. For more information about hardware fast forwarding, see fast forwarding in Layer 3—IP Services Configuration Guide.
If you enable this feature before all service cards installed on the device can work correctly, you will be prompted that the device does not support the feature. In this case, enable this feature after all service cards can work correctly.
With this feature enabled, only the first layer of traffic policy and its child traffic policy in multiple-layer parent and child traffic policies take effect.
The display traffic-policy statistics rule-hit command displays only statistics for software forwarded traffic, not for hardware forwarded traffic.
Examples
# Enable hardware bandwidth management.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] hardware rate-limit enable
Related commands
bandwidth
display traffic-policy hardware-rate-limit support
display traffic-policy statistics rule-hit
hardware fast-forwarding enable (Layer 3—IP Services Command Reference)
ipv6 extension-header
Use ipv6 extension-header to configure the IPv6 extension header attribute as a match criterion.
Use undo ipv6 extension-header to delete an extension header match criterion.
Syntax
ipv6 extension-header { authentication | destination | encapsulating | fragment | hop-by-hop | routing }
undo ipv6 extension-header
Default
The IPv6 extension header attribute is not used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
authentication: Specifies the Authentication header.
destination: Specifies the Destination Options header.
encapsulating: Specifies the Encapsulating Security Payload header.
fragment: Specifies the Fragment header.
hop-by-hop: Specifies the Hop-by-Hop Options header.
routing: Specifies the Routing header.
Usage guidelines
This command enables the device to perform bandwidth management on the IPv6 packets with the specified extension header. For more information about extension headers, see RFC 2460.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the Destination Options header as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] ipv6 extension-header destination
Related commands
ipv6 flow-label
ipv6 flow-label
Use ipv6 flow-label to configure the IPv6 flow label attribute as a match criterion.
Use undo ipv6 flow-label to delete a flow label match criterion.
Syntax
ipv6 flow-label { nonzero | zero }
undo ipv6 flow-label
Default
The IPv6 flow label attribute is not used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
nonzero: Specifies non-zero IPv6 flow labels.
zero: Specifies the zero IPv6 flow label.
Usage guidelines
The Flow Label field in IPv6 packet headers is used to identify packets of a flow. This command enables the device to perform bandwidth management on the IPv6 packets with the specified flow label value. For more information about the Flow Label field, see RFC 2460.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure a flow label value of zero as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] ipv6 flow-label zero
Related commands
ipv6 extension-header
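Both IPv6 match criteria above key on fields of the packet header: the 20-bit Flow Label and the Next Header chain. The following added example (not from the vendor documentation) walks a packet's header chain and reports the flow-label keyword and the extension-header keywords, in chain order, that the packet carries. The function names and sample packets are constructed, and the example makes no claim about which position in the chain the device evaluates.

```python
import ipaddress
import struct

# IANA protocol numbers of the six extension headers named by the command keywords.
EXT_KEYWORD = {0: "hop-by-hop", 43: "routing", 44: "fragment",
               50: "encapsulating", 51: "authentication", 60: "destination"}


def classify_ipv6(packet: bytes):
    """Return (flow-label keyword, [extension-header keywords in chain order])."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_word = struct.unpack("!I", packet[:4])[0]
    flow_label = first_word & 0xFFFFF                 # low 20 bits of the first word
    flow_keyword = "zero" if flow_label == 0 else "nonzero"

    next_header, offset, chain = packet[6], 40, []
    while next_header in EXT_KEYWORD:
        chain.append(EXT_KEYWORD[next_header])
        if next_header == 50:
            break                                     # ESP: the rest is encrypted
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == 44:
            size = 8                                  # Fragment header is fixed size
        elif next_header == 51:
            size = (length_field + 2) * 4             # AH counts 32-bit words minus 2
        else:
            size = (length_field + 1) * 8             # 8-octet units, first excluded
        if offset + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        next_header, offset = following, offset + size
    return flow_keyword, chain


def build_sample(flow_label, ext_chain, upper=17):
    """Build a constructed test packet; supports headers 0, 60 and 44 only."""
    pad_n = bytes([1, 4, 0, 0, 0, 0])                 # PadN option, 6 bytes in total
    protos = list(ext_chain) + [upper]
    body = b""
    for this, following in zip(protos, protos[1:]):
        if this == 44:
            body += bytes([following, 0]) + b"\x00\x00" + b"\x00\x00\x00\x01"
        elif this in (0, 60):
            body += bytes([following, 0]) + pad_n
        else:
            raise ValueError("sample builder does not construct this header")
    body += b"\x00" * 8                               # placeholder upper-layer bytes
    word = (6 << 28) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", word, len(body), protos[0], 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return header + src + dst + body


if __name__ == "__main__":
    print(classify_ipv6(build_sample(0, [0, 60, 44])))
    print(classify_ipv6(build_sample(0x12345, [])))
```
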
per-ip bandwidth-threshold max-value
Use per-ip bandwidth-threshold max-value to set the per-IP static maximum bandwidth threshold.
Use undo per-ip bandwidth-threshold max-value to restore the default.
Syntax
per-ip bandwidth-threshold max-value max-value
undo per-ip bandwidth-threshold max-value
Default
The per-IP static maximum bandwidth threshold is not set.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
max-value: Specifies the maximum bandwidth threshold in the range of 8 to 1000000000 kbps.
Usage guidelines
Non-default vSystems do not support this command.
When the device detects that the traffic rate of an IP address exceeds the maximum bandwidth threshold, it sends logs to the log host by using the fast log output feature.
If you configure both the per-IP static maximum bandwidth threshold and the per-IP dynamic threshold learning feature, the following rules apply:
· Before the device learns the average traffic rate, it uses the static maximum bandwidth threshold.
· After the device learns the average traffic rate, it uses the average traffic rate multiplied by the maximum tolerance value as the maximum bandwidth threshold.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In traffic profile news, set the per-IP static maximum bandwidth threshold to 50000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold max-value 50000
Related commands
per-ip bandwidth-threshold min-value
per-ip bandwidth-threshold min-value
Use per-ip bandwidth-threshold min-value to set the per-IP static minimum bandwidth threshold.
Use undo per-ip bandwidth-threshold min-value to restore the default.
Syntax
per-ip bandwidth-threshold min-value min-value
undo per-ip bandwidth-threshold min-value
Default
The per-IP static minimum bandwidth threshold is not set.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
min-value: Specifies the minimum bandwidth threshold in the range of 8 to 1000000000 kbps.
Usage guidelines
Non-default vSystems do not support this command.
When the device detects that the traffic rate of an IP address falls below the minimum bandwidth threshold, it sends logs to the log host by using the fast log output feature.
If you configure both the per-IP static minimum bandwidth threshold and the per-IP dynamic threshold learning feature, the following rules apply:
· Before the device learns the average traffic rate, it uses the static minimum bandwidth threshold.
· After the device learns the average traffic rate, it uses the average traffic rate multiplied by the minimum tolerance value as the minimum bandwidth threshold.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In traffic profile news, set the per-IP static minimum bandwidth threshold to 500 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold min-value 500
Related commands
per-ip bandwidth-threshold max-value
per-ip bandwidth-threshold-detect enable
Use per-ip bandwidth-threshold-detect enable to enable per-IP bandwidth threshold detection.
Use undo per-ip bandwidth-threshold-detect enable to disable per-IP bandwidth threshold detection.
Syntax
per-ip bandwidth-threshold-detect enable
undo per-ip bandwidth-threshold-detect enable
Default
Per-IP bandwidth threshold detection is disabled.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command enables the device to monitor the traffic rates based on source IP addresses in real time to identify the maximum rate and minimum rate of each IP address.
Examples
# In traffic profile news, enable per-IP bandwidth threshold detection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold-detect enable
per-ip bandwidth-threshold-learn duration
Use per-ip bandwidth-threshold-learn duration to set the learning duration for per-IP dynamic threshold learning.
Use undo per-ip bandwidth-threshold-learn duration to restore the default.
Syntax
per-ip bandwidth-threshold-learn duration duration-value
undo per-ip bandwidth-threshold-learn duration
Default
The learning duration is 1440 minutes.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
duration-value: Specifies the learning duration in the range of 1 to 1200000 minutes.
Usage guidelines
Non-default vSystems do not support this command.
After per-IP bandwidth threshold detection is enabled, the device measures the traffic rates over a user-configured duration and calculates an average rate. As a best practice, set the learning duration to be longer than 1440 minutes for the device to learn the traffic for no less than a whole day. After a learning duration ends, for the device to learn traffic again, disable and then re-enable dynamic threshold learning. The device will clear the previous learning results and perform a new learning process based on the same duration.
If you modify the duration during the learning process, the device starts a new learning process with the new duration.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In traffic profile news, set the learning duration for per-IP dynamic threshold learning to 2880 minutes.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold-learn duration 2880
Related commands
per-ip bandwidth-threshold-learn enable
per-ip bandwidth-threshold-learn enable
Use per-ip bandwidth-threshold-learn enable to enable per-IP dynamic bandwidth threshold learning.
Use undo per-ip bandwidth-threshold-learn enable to disable per-IP dynamic bandwidth threshold learning.
Syntax
per-ip bandwidth-threshold-learn enable
undo per-ip bandwidth-threshold-learn enable
Default
Per-IP dynamic bandwidth threshold learning is disabled.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Dynamic bandwidth threshold learning is useful if you do not know the traffic patterns in a network and cannot determine appropriate bandwidth thresholds. With this feature enabled, the device measures the traffic rates over a user-configured duration and calculates an average rate. Then, the device obtains the minimum and maximum bandwidth thresholds by using the average rate multiplied by the minimum and maximum tolerance values.
If you configure both static bandwidth thresholds and the dynamic threshold learning feature for a traffic profile, the following rules apply:
· Before the device learns the average traffic rate, it uses the static bandwidth thresholds.
· After the device learns the average traffic rate, it uses the dynamic bandwidth thresholds.
Examples
# In traffic profile news, enable per-IP dynamic bandwidth threshold learning.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold-learn enable
Related commands
per-ip bandwidth-threshold max-value
per-ip bandwidth-threshold min-value
per-ip bandwidth-threshold-learn tolerance max-value
per-ip bandwidth-threshold-learn tolerance min-value
per-ip bandwidth-threshold-learn tolerance max-value
Use per-ip bandwidth-threshold-learn tolerance max-value to set the maximum tolerance value for per-IP dynamic bandwidth threshold learning.
Use undo per-ip bandwidth-threshold-learn tolerance max-value to restore the default.
Syntax
per-ip bandwidth-threshold-learn tolerance max-value max-value
undo per-ip bandwidth-threshold-learn tolerance max-value
Default
The maximum tolerance value is not set.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
max-value: Specifies the maximum tolerance value in the range of 1 to 4000, in percentage.
Usage guidelines
Non-default vSystems do not support this command.
The per-IP dynamic threshold learning feature multiplies the learned average traffic rate by the maximum tolerance value to obtain the maximum bandwidth threshold. If you also configure a static maximum bandwidth threshold for the traffic profile, the dynamic maximum bandwidth threshold is used after the average traffic rate is learned.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In traffic profile news, set the maximum tolerance value for per-IP dynamic bandwidth threshold learning to 200.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold-learn tolerance max-value 200
Related commands
per-ip bandwidth-threshold-learn tolerance min-value
per-ip bandwidth-threshold-learn tolerance min-value
Use per-ip bandwidth-threshold-learn tolerance min-value to set the minimum tolerance value for per-IP dynamic bandwidth threshold learning.
Use undo per-ip bandwidth-threshold-learn tolerance min-value to restore the default.
Syntax
per-ip bandwidth-threshold-learn tolerance min-value min-value
undo per-ip bandwidth-threshold-learn tolerance min-value
Default
The minimum tolerance value is not set.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
min-value: Specifies the minimum tolerance value in the range of 1 to 4000, in percentage.
Usage guidelines
Non-default vSystems do not support this command.
The per-IP dynamic threshold learning feature multiplies the learned average traffic rate by the minimum tolerance value to obtain the minimum bandwidth threshold. If you also configure a static minimum bandwidth threshold for the traffic profile, the dynamic minimum bandwidth threshold is used after the average traffic rate is learned.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In traffic profile news, set the minimum tolerance value for per-IP dynamic bandwidth threshold learning to 50.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name news
[Sysname-traffic-policy-profile-news] per-ip bandwidth-threshold-learn tolerance min-value 50
Related commands
per-ip bandwidth-threshold-learn tolerance max-value
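The static thresholds, the learning feature, and the two tolerance values interact, so the threshold in force for an IP address changes once learning completes. The following added example (not from the vendor documentation) models that precedence with the values used in the examples above (50000 and 500 kbps, tolerances 200 and 50) and shows how the same rate is judged before and after learning. The class and method names and the rate samples are constructed; keeping the static threshold when a tolerance value is not set is an assumption, because the page does not describe that case.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

RATE_RANGE = range(8, 1_000_000_001)     # kbps, from the min-value/max-value parameters
TOLERANCE_RANGE = range(1, 4001)         # percent, from the tolerance parameters


@dataclass
class ProfileThresholds:
    """Hypothetical model of one traffic profile's per-IP threshold settings."""
    static_min: Optional[int] = None     # per-ip bandwidth-threshold min-value
    static_max: Optional[int] = None     # per-ip bandwidth-threshold max-value
    tol_min_pct: Optional[int] = None    # ...-learn tolerance min-value
    tol_max_pct: Optional[int] = None    # ...-learn tolerance max-value
    learn_enabled: bool = False          # per-ip bandwidth-threshold-learn enable
    learned_avg: Optional[float] = None  # kbps, unknown until learning completes

    def __post_init__(self):
        for value in (self.static_min, self.static_max):
            if value is not None and value not in RATE_RANGE:
                raise ValueError(f"threshold {value} outside 8-1000000000 kbps")
        for value in (self.tol_min_pct, self.tol_max_pct):
            if value is not None and value not in TOLERANCE_RANGE:
                raise ValueError(f"tolerance {value} outside 1-4000 percent")

    def finish_learning(self, samples_kbps: Sequence[float]) -> None:
        """Record the average rate measured over the learning duration."""
        if not self.learn_enabled:
            raise RuntimeError("dynamic threshold learning is disabled")
        self.learned_avg = sum(samples_kbps) / len(samples_kbps)

    def restart_learning(self) -> None:
        """Disable then re-enable learning: previous results are cleared."""
        self.learned_avg = None

    def effective(self) -> Tuple[Optional[float], Optional[float]]:
        """Return the (min, max) thresholds in kbps that are currently in force."""
        low, high = self.static_min, self.static_max
        if self.learn_enabled and self.learned_avg is not None:
            # Assumption: a side without a tolerance value keeps its static threshold.
            if self.tol_min_pct is not None:
                low = self.learned_avg * self.tol_min_pct / 100
            if self.tol_max_pct is not None:
                high = self.learned_avg * self.tol_max_pct / 100
        return low, high

    def classify(self, rate_kbps: float) -> str:
        """Say whether a per-IP rate would trigger a threshold log."""
        low, high = self.effective()
        if high is not None and rate_kbps > high:
            return "above-max"
        if low is not None and rate_kbps < low:
            return "below-min"
        return "within"


def demo():
    """Judge the same two rates before and after learning (constructed samples)."""
    profile = ProfileThresholds(static_min=500, static_max=50000,
                                tol_min_pct=50, tol_max_pct=200, learn_enabled=True)
    before = (profile.classify(30000), profile.classify(3000))
    profile.finish_learning([8000, 12000, 16000])    # average 12000 kbps
    after = (profile.classify(30000), profile.classify(3000))
    return before, profile.effective(), after


if __name__ == "__main__":
    print(demo())
```

A learned baseline tightens or loosens both thresholds at once, so the traffic present during the learning duration determines what is later logged as abnormal.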
profile name
Use profile name to create a traffic profile and enter its view, or enter the view of an existing traffic profile.
Use undo profile name to delete a traffic profile.
Syntax
profile name profile-name
undo profile name profile-name
Default
No traffic profile exists.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
profile-name: Specifies a name for the traffic profile, a case-insensitive string of 1 to 63 characters.
Usage guidelines
A traffic profile defines the bandwidth resources that can be used and takes effect after it is specified for a traffic rule.
Examples
# Create a traffic profile named profile1 and enter traffic profile view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1]
Related commands
action
profile reference-mode
Use profile reference-mode to set the reference mode for a traffic profile.
Use undo profile reference-mode to restore the default.
Syntax
profile reference-mode { per-rule | rule-shared }
undo profile reference-mode
Default
The reference mode for a traffic profile is per-rule.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
per-rule: Specifies that each traffic rule that uses the traffic profile can reach the bandwidth limits and connection limits specified in the profile.
rule-shared: Specifies that all traffic rules that use the traffic profile share the bandwidth limits and connection limits specified in the profile.
Usage guidelines
Non-default vSystems do not support this command.
After a traffic profile is specified for a traffic rule, the bandwidth limits and connection limits in the profile take effect. The reference mode for a traffic profile can be per-rule or rule-shared.
Examples
# Set the reference mode to rule-shared for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] profile reference-mode rule-shared
profile rename
Use profile rename to rename a traffic profile.
Syntax
profile rename old-name new-name
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-name: Specifies the old name of the traffic profile, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the traffic profile, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Examples
# Create a traffic profile named profile1, and rename traffic profile profile1 as profile2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] quit
[Sysname-traffic-policy] profile rename profile1 profile2
remark dscp
Use remark dscp to mark the DSCP priority for packets of a traffic profile.
Use undo remark dscp to restore the default.
Syntax
remark dscp dscp-value
undo remark dscp
Default
The DSCP priority for packets of a traffic profile is not marked.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
dscp-value: Specifies a DSCP priority, which can only be a keyword in Table 4.
Usage guidelines
Non-default vSystems do not support this command.
Network devices can classify traffic by using DSCP priorities and provide different treatment for packets with different DSCP priorities.
Examples
# Mark DSCP priority af22 for packets of traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] remark dscp af22
Related commands
profile name
reset traffic-policy statistics bandwidth
Use reset traffic-policy statistics bandwidth to clear traffic statistics for traffic rules.
Syntax
In standalone mode:
reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
downstream: Specifies downstream traffic.
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic.
per-ip: Clears per-IP traffic statistics. Non-default vSystems do not support this parameter.
ipv4: Clears per-IP traffic statistics for IPv4 addresses. Non-default vSystems do not support this parameter.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command clears per-IP traffic statistics for all IPv4 addresses of the specified traffic rule. Non-default vSystems do not support this parameter.
ipv6: Clears per-IP traffic statistics for IPv6 addresses. Non-default vSystems do not support this parameter.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command clears per-IP traffic statistics for all IPv6 addresses of the specified traffic rule. Non-default vSystems do not support this parameter.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. Non-default vSystems do not support this parameter.
per-rule: Clears per-rule traffic statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears per-rule traffic statistics for all traffic rules.
per-user: Clears per-user traffic statistics. Non-default vSystems do not support this parameter.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command clears per-user traffic statistics for all users of the specified traffic rule. Non-default vSystems do not support this parameter.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. Non-default vSystems do not support this parameter.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears traffic statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command clears traffic statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. The cpu cpu-number option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Clear per-rule upstream traffic statistics for traffic rule traffic-rule on a slot.
<Sysname> reset traffic-policy statistics bandwidth upstream per-rule name traffic-rule slot 1
reset traffic-policy statistics connection-limit
Use reset traffic-policy statistics connection-limit to clear connection limit statistics.
Syntax
In standalone mode:
reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
per-ip: Clears per-IP connection limit statistics.
ipv4: Clears per-IP connection limit statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command clears connection limit statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Clears per-IP connection limit statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command clears connection limit statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Clears per-rule connection limit statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears per-rule connection limit statistics for all traffic rules.
per-user: Clears per-user connection limit statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command clears per-user connection limit statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears connection limit statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command clears connection limit statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. The cpu cpu-number option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# (In standalone mode.) Clear per-rule connection limit statistics for traffic rule traffic-rule on a slot.
<Sysname> reset traffic-policy statistics connection-limit per-rule name traffic-rule slot 1
reset traffic-policy statistics rule-hit
Use reset traffic-policy statistics rule-hit to clear rule-hit statistics.
Syntax
In standalone mode:
reset traffic-policy statistics rule-hit [ rule rule-name ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset traffic-policy statistics rule-hit [ rule rule-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears rule-hit statistics for all traffic rules.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears rule-hit statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command clears rule-hit statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. The cpu cpu-number option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Clear rule-hit statistics for traffic rule traffic-rule on a slot.
<Sysname> reset traffic-policy statistics rule-hit rule traffic-rule slot 1
rule
Use rule to create a traffic rule and enter its view, or enter the view of an existing traffic rule.
Use undo rule to delete a traffic rule.
Syntax
rule rule-id
rule [ rule-id ] name rule-name [ parent parent-rule-name ]
undo rule { rule-id | name rule-name }
Default
No traffic rule exists.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-id: Specifies an ID for the traffic rule, in the range of 1 to 500000. If you do not specify a rule ID, the system assigns the unused ID next to the ID used last time. If the rule ID to be assigned is greater than 500000, the system assigns the smallest available rule ID.
rule-name: Specifies a name for the traffic rule, a case-insensitive string of 1 to 63 characters. You must specify a rule name when creating a traffic rule.
parent parent-rule-name: Specifies a parent traffic rule by its name, a case-insensitive string of 1 to 63 characters. To successfully create the traffic rule, make sure the parent traffic rule already exists.
Usage guidelines
You can configure multiple traffic rules in the traffic policy. For a traffic rule, you can configure match criteria to match packets and specify the traffic profile to apply to matching packets. The device matches traffic rules in their order of appearance on the device. When a traffic rule is matched, the matching process ends and the device applies the traffic profile for the traffic rule to the traffic. If no traffic rule is matched, the device forwards the traffic.
For a new traffic rule to inherit the match criteria of an existing traffic rule, specify the existing traffic rule as the parent of the new traffic rule.
A level-4 rule cannot act as a parent rule.
You can specify a parent traffic rule only when creating a traffic rule. You cannot add or modify a parent traffic rule for an existing traffic rule.
Examples
# Create a traffic rule with ID 111 and name rule1 and enter traffic rule view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule 111 name rule1
[Sysname-traffic-policy-rule-111-rule1]
rule copy
Use rule copy to copy a traffic rule.
Syntax
rule copy rule-name new-rule-name
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-name: Specifies a traffic rule to be copied by its name, a case-insensitive string of 1 to 63 characters.
new-rule-name: Specifies a name for the new traffic rule, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Usage guidelines
If a traffic rule to be created is similar to an existing traffic rule, create the traffic rule by copying the existing traffic rule and then modify it. The new traffic rule is placed next to the copied traffic rule.
If a traffic rule to be copied has child traffic rules, only the parent traffic rule is copied.
Examples
# Create a traffic rule named rule2 by copying traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule copy rule1 rule2
rule move
Use rule move to move a traffic rule to a new position.
Syntax
rule move rule-name1 { after | before } rule-name2
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-name1: Specifies a traffic rule to be moved by its name, a case-insensitive string of 1 to 63 characters. The traffic rule can be a parent or child traffic rule.
after: Moves the specified traffic rule to the position after a target traffic rule.
before: Moves the specified traffic rule to the position before a target traffic rule.
rule-name2: Specifies the target traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The device matches traffic with traffic rules in their order of appearance on the device. When a traffic rule is matched, the matching process ends and the device applies the traffic profile specified for the traffic rule to the traffic. If no traffic rule is matched, the device forwards the traffic.
To ensure reasonable, precise bandwidth management, configure traffic rules in ascending order of granularity. If the traffic rules are not in ascending order of granularity, you can use the rule move command to change their positions.
You can move child traffic rules only within their parent traffic rule.
Examples
# Create two traffic rules named rule1 and rule2, and move rule1 to the position after rule2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] quit
[Sysname-traffic-policy] rule name rule2
[Sysname-traffic-policy-rule-rule2] quit
[Sysname-traffic-policy] rule move rule1 after rule2
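Because matching stops at the first rule that matches, a rule placed after a broader rule never takes effect. The following Python, added here and not part of the H3C reference, models first-match evaluation over source-ip ipv4 criteria and reports rules that earlier rules fully cover, together with the rule move command that would reorder them. The rule names and addresses are constructed, only source-ip ipv4 criteria are modelled, and treating several criteria in one rule as alternatives is an assumption.

```python
import ipaddress

# Constructed sample policy (not from the reference), ordered as the rules
# would appear on the device. Only "source-ip ipv4" criteria are modelled.
SAMPLE_POLICY = [
    ("branch-all",     ["source-ip ipv4 subnet 10.1.0.0 16"]),
    ("branch-servers", ["source-ip ipv4 subnet 10.1.20.0 255.255.255.0"]),
    ("backup-host",    ["source-ip ipv4 host 10.1.20.5",
                        "source-ip ipv4 host 192.0.2.10"]),
    ("lab",            ["source-ip ipv4 range 10.2.0.1 10.2.0.50"]),
]


def parse_source_ip(line):
    """Return the inclusive (low, high) integer range of one criterion line."""
    tok = line.split()
    if len(tok) < 4 or tok[:2] != ["source-ip", "ipv4"]:
        raise ValueError(f"unsupported criterion: {line!r}")
    kind, args = tok[2], tok[3:]
    if kind == "host" and len(args) == 1:
        low = high = int(ipaddress.IPv4Address(args[0]))
    elif kind == "range" and len(args) == 2:
        low, high = (int(ipaddress.IPv4Address(a)) for a in args)
        if low > high:
            raise ValueError(f"range start is above range end: {line!r}")
    elif kind == "subnet" and len(args) == 2:
        # The second argument is a mask length or a dotted-decimal mask.
        net = ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
        low, high = int(net.network_address), int(net.broadcast_address)
    else:
        raise ValueError(f"malformed criterion: {line!r}")
    return low, high


def rule_ranges(criteria):
    """Several criteria in one rule are treated as alternatives (assumption)."""
    return [parse_source_ip(c) for c in criteria]


def first_match(policy, address):
    """Name of the first rule matching the source address, or None."""
    value = int(ipaddress.IPv4Address(address))
    for name, criteria in policy:
        if any(low <= value <= high for low, high in rule_ranges(criteria)):
            return name
    return None  # no rule matched: the device forwards the traffic


def merge(ranges):
    """Merge overlapping or adjacent ranges into a sorted disjoint list."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], high)
        else:
            merged.append([low, high])
    return merged


def shadowed_rules(policy):
    """Find rules that can never match because earlier rules cover them.

    Returns (rule, first overlapping earlier rule, suggested command).
    The suggestion applies to top-level rules; child rules can be moved
    only within their parent.
    """
    findings, earlier = [], []          # earlier: [(name, ranges)]
    for name, criteria in policy:
        ranges = rule_ranges(criteria)
        cover = merge(r for _, rs in earlier for r in rs)
        if ranges and all(any(c_low <= low and high <= c_high
                              for c_low, c_high in cover)
                          for low, high in ranges):
            blocker = next(e_name for e_name, e_rs in earlier
                           if any(a <= high and low <= b
                                  for a, b in e_rs for low, high in ranges))
            findings.append((name, blocker,
                             f"rule move {name} before {blocker}"))
        earlier.append((name, ranges))
    return findings


def move_before(policy, name, target):
    """Model 'rule move name before target' on the ordered rule list."""
    moved = next(r for r in policy if r[0] == name)
    rest = [r for r in policy if r[0] != name]
    index = next(i for i, r in enumerate(rest) if r[0] == target)
    return rest[:index] + [moved] + rest[index:]


if __name__ == "__main__":
    for finding in shadowed_rules(SAMPLE_POLICY):
        print("shadowed: %s by %s -> %s" % finding)
```

A rule that is only partly covered, such as backup-host in the sample, is not reported because it can still match some traffic.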
rule rename
Use rule rename to rename a traffic rule.
Syntax
rule rename old-rule-name new-rule-name
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
old-rule-name: Specifies the old name of the traffic rule, a case-insensitive string of 1 to 63 characters.
new-rule-name: Specifies a new name for the traffic rule, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Examples
# Create a traffic rule named rule1, and rename traffic rule rule1 as rule2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] quit
[Sysname-traffic-policy] rule rename rule1 rule2
service
Use service to configure a service object group as a match criterion.
Use undo service to delete a service object group match criterion.
Syntax
service object-group-name
undo service [ object-group-name ]
Default
No service object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can specify multiple service object groups for a traffic rule to match packets.
The undo service command removes all service object groups from match criteria if you do not specify a service object group or specify the system-defined service object group any.
Examples
# Specify predefined service object group ftp for traffic rule rule1 to match packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] service ftp
Related commands
object-group (Security Command Reference)
source-address
Use source-address to configure a source IP address object group as a match criterion.
Use undo source-address to delete a source IP address object group as a match criterion.
Syntax
source-address address-set object-group-name
undo source-address address-set object-group-name
Default
No source IP address object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command is used to match the packets with the source IP addresses in the specified address object group. You can specify multiple address object groups for a traffic rule to match source IP addresses of packets.
Before rolling back configuration by using the configuration replace file filename command, check the address object group configuration in the traffic rule in the configuration file. The address object group configuration fails to be rolled back if two address object groups have the same name but are of different types (IPv4/IPv6).
Examples
# Specify IPv4 address object group obgroup1 for traffic rule rule1 to match source IPv4 addresses of packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] source-address address-set obgroup1
Related commands
object-group (Security Command Reference)
source-ip
Use source-ip to configure a source IP address or IP address range as a match criterion.
Use undo source-ip to remove a source IP address or IP address range as a match criterion.
Syntax
source-ip { ipv4 { host ip-address | range ip-address1 ip-address2 | subnet ip-address { mask-length | mask } } | ipv6 { host ipv6-address | range ipv6-address1 ipv6-address2 | subnet { ipv6-address prefix-length | ipv6-address/prefix-length } } }
undo source-ip { ipv4 { host [ ip-address ] | range [ ip-address1 ip-address2 ] | subnet [ ip-address { mask-length | mask } ] } | ipv6 { host [ ipv6-address ] | range [ ipv6-address1 ipv6-address2 ] | subnet [ ipv6-address prefix-length | ipv6-address/prefix-length ] } }
Default
No source IP address or IP address range is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4: Specifies the IPv4 address type.
host ip-address: Specifies a host IPv4 address.
range ip-address1 ip-address2: Specifies an IPv4 address range by using a start address and an end address.
subnet ip-address { mask-length | mask }: Specifies a subnet IPv4 address range. The value range for the mask-length argument is 0 to 32. The mask argument specifies a subnet mask in dotted decimal notation. If you specify a mask length of 32 or mask of 255.255.255.255, the IPv4 address is a host IPv4 address.
ipv6: Specifies the IPv6 address type.
host ipv6-address: Specifies a host IPv6 address.
range ipv6-address1 ipv6-address2: Specifies an IPv6 address range by using a start address and an end address.
subnet ipv6-address prefix-length: Specifies a subnet IPv6 address. The value range for the prefix-length argument is 1 to 128. If you specify a prefix length of 128, the IPv6 address is a host IPv6 address.
Usage guidelines
If you execute this command multiple times, you can configure multiple source IP addresses and IP address ranges as match criteria.
The total number of source IP address match criteria and source IP address range match criteria that one traffic rule can contain is 1024.
If you do not specify an optional parameter when executing the undo source-ip command, all match criteria of that type will be deleted.
Examples
# Configure source IP addresses and IP address ranges as match criteria for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-1-rule1] source-ip ipv4 host 1.1.1.1
[Sysname-traffic-policy-rule-1-rule1] source-ip ipv4 range 1.1.1.1 2.2.2.2
[Sysname-traffic-policy-rule-1-rule1] source-ip ipv4 subnet 1.1.1.0 24
[Sysname-traffic-policy-rule-1-rule1] source-ip ipv6 host 1000::1000:1
[Sysname-traffic-policy-rule-1-rule1] source-ip ipv6 range 1000::1000:1 2000::2000:1
[Sysname-traffic-policy-rule-1-rule1] source-ip ipv6 subnet 1000::1000:0 64
source-matching after-nat
Use source-matching after-nat to use the packet information after SNAT to match a traffic policy.
Use undo source-matching after-nat to restore the default.
Syntax
source-matching after-nat
undo source-matching after-nat
Default
The packet information before SNAT is used for matching.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If source NAT will be performed on a flow to be managed, perform this task to match the flow with the IP address, port number, and VPN instance after SNAT. For more information about NAT, see Layer 3—IP Services Configuration Guide.
Examples
# Use the packet information after SNAT to match a traffic policy.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] source-matching after-nat
source-zone
Use source-zone to configure a source security zone as a match criterion.
Use undo source-zone to delete a source security zone match criterion.
Syntax
source-zone source-zone-name
undo source-zone source-zone-name
Default
No source security zone is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
source-zone-name: Specifies a source zone by its name, a case-insensitive string of 1 to 31 characters.
Examples
# Configure source security zone zone1 as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] source-zone zone1
Related commands
security-zone name (Security Command Reference)
statistics bandwidth enable
Use statistics bandwidth enable to enable traffic statistics collection.
Use undo statistics bandwidth enable to disable traffic statistics collection.
Syntax
statistics bandwidth enable
undo statistics bandwidth enable
Default
Traffic statistics collection is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command enables the device to collect statistics about matching traffic. To view the statistics, use the display traffic-policy statistics bandwidth command.
This command affects device performance. As a best practice, configure this command only if you need to view statistics.
Examples
# Enable traffic statistics collection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] statistics bandwidth enable
Related commands
display traffic-policy statistics bandwidth
statistics connection-limit enable
Use statistics connection-limit enable to enable connection limit statistics collection.
Use undo statistics connection-limit enable to disable connection limit statistics collection.
Syntax
statistics connection-limit enable
undo statistics connection-limit enable
Default
Connection limit statistics collection is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command enables the device to collect statistics about matching connections. To view the statistics, use the display traffic-policy statistics connection-limit command.
This command affects device performance. As a best practice, configure this command only if you need to view statistics.
Examples
# Enable connection limit statistics collection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] statistics connection-limit enable
Related commands
display traffic-policy statistics connection-limit
statistics rule-hit enable
Use statistics rule-hit enable to enable rule-hit statistics collection.
Use undo statistics rule-hit enable to disable rule-hit statistics collection.
Syntax
statistics rule-hit enable
undo statistics rule-hit enable
Default
Rule-hit statistics collection is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command enables the device to collect rule-hit statistics. To view the statistics, use the display traffic-policy statistics rule-hit command.
This command affects device performance. As a best practice, configure this command only if you need to view statistics.
Examples
# Enable rule-hit statistics collection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] statistics rule-hit enable
Related commands
display traffic-policy statistics rule-hit
tcp mss
Use tcp mss to set the TCP maximum segment size (MSS).
Use undo tcp mss to restore the default.
Syntax
tcp mss mss-value
undo tcp mss
Default
The TCP MSS is not set.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
mss-value: Specifies the TCP MSS in the range of 128 to 9158 bytes.
Usage guidelines
The MSS specifies the maximum size of TCP segments that the peer device can send to the local device. It is negotiated during TCP connection establishment. When establishing a TCP connection, the local device advertises the MSS to the peer device. The peer device does not send TCP packets greater than the MSS. For TCP packets that exceed the MSS, the peer device fragments them before sending them.
This command takes effect only on new TCP connections and does not take effect on existing TCP connections.
This command takes effect only on IP packets. If MPLS is configured, do not set the MSS.
If you configure the MSS in both traffic profile view and interface view, the following rules apply:
· If a packet matches only the traffic rule, the smaller MSS value takes effect on the packet.
· If a packet matches both the traffic rule and a proxy policy rule, the MSS value configured in interface view takes effect on the packet. For more information about proxy policies, see DPI Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the TCP MSS to 128 bytes for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] tcp mss 128
Related commands
tcp mss (Layer 3—IP Services Command Reference)
terminal
Use terminal to configure a terminal as a match criterion.
Use undo terminal to delete a terminal match criterion.
Syntax
terminal terminal-name
undo terminal terminal-name
Default
No terminal is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
terminal-name: Specifies a terminal by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not supported.
Usage guidelines
Non-default vSystems do not support this command.
You can execute this command multiple times to specify multiple terminals for a traffic rule to match packets.
Examples
# Configure terminal terminaltest as a match criterion in traffic rule news.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name news
[Sysname-traffic-policy-rule-news] terminal terminaltest
Related commands
terminal-group
terminal-group
Use terminal-group to configure a terminal group as a match criterion.
Use undo terminal-group to delete a terminal group match criterion.
Syntax
terminal-group group-name
undo terminal-group group-name
Default
No terminal group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
group-name: Specifies a terminal group by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not supported.
Usage guidelines
Non-default vSystems do not support this command.
You can execute this command multiple times to specify multiple terminal groups for a traffic rule to match packets.
Examples
# Configure terminal group terminalgrouptest as a match criterion in traffic rule news.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name news
[Sysname-traffic-policy-rule-news] terminal-group terminalgrouptest
Related commands
terminal
time-range
Use time-range to specify a time range during which a traffic rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
A traffic rule is in effect at any time.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. To avoid confusion, do not use all as a time range name.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Specify time range work-time for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] time-range work-time
Related commands
time-range (ACL and QoS Command Reference)
traffic-policy
Use traffic-policy to enter traffic policy view.
Use undo traffic-policy to remove all traffic policy settings.
Syntax
traffic-policy
undo traffic-policy
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
In traffic policy view, you can create and manage traffic rules.
Examples
# Enter traffic policy view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy]
traffic-priority
Use traffic-priority to set the traffic priority for a traffic profile.
Use undo traffic-priority to restore the default.
Syntax
traffic-priority priority-value
undo traffic-priority
Default
The traffic priority is 1 for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
context-admin
Parameters
priority-value: Specifies the priority value in the range of 1 to 7. The larger the priority value, the higher the priority.
Usage guidelines
Non-default vSystems do not support this command.
When an interface is congested with packets of multiple traffic profiles, packets with higher priority are sent first. Packets with the same priority have the same chance of being forwarded.
Examples
# Set the traffic priority to 7 for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] traffic-priority 7
Related commands
profile name
user
Use user to configure a username as a match criterion.
Use undo user to delete a username match criterion.
Syntax
user user-name [ domain domain-name ]
undo user user-name [ domain domain-name ]
Default
No username is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
user-name: Specifies a username, a case-insensitive string of 1 to 55 characters. The username cannot be a, al, or all, and cannot contain the following special characters: backslashes (\), vertical bars (|), slash (/), colon (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The identity domain name cannot contain the following special characters: backslashes (\), vertical bars (|), slash (/), colon (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@). If you do not specify this option, the system matches the user among users that do not belong to any identity domain. For more information about identity domains, see user identification in Security Configuration Guide.
Usage guidelines
Non-default vSystems do not support this command.
A username corresponds to changing IP addresses. This command implements per-user bandwidth management and facilitates bandwidth management for mobile Internet users whose IP addresses change.
Examples
# Configure username managers as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] user managers
# Configure username user1 in identity domain dpi as a match criterion in traffic rule myrule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name myrule
[Sysname-traffic-policy-rule-myrule] user user1 domain dpi
Related commands
local-user (Security Command Reference)
user-identity enable (Security Command Reference)
user-identity static-user (Security Command Reference)
user-group
Use user-group to configure a user group as a match criterion.
Use undo user-group to delete a user group match criterion.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group user-group-name [ domain domain-name ]
Default
No user group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 200 characters.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The identity domain name cannot contain the following special characters: backslashes (\), vertical bars (|), slash (/), colon (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@). If you do not specify this option, the system matches the user group among user groups that do not belong to any identity domain. For more information about identity domains, see user identification in Security Configuration Guide.
Usage guidelines
Non-default vSystems do not support this command.
A user group corresponds to changing IP addresses. This command implements per-user-group bandwidth management and facilitates bandwidth management for mobile Internet users whose IP addresses change.
Examples
# Configure user group mak as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] user-group mak
# Configure user group usergroup1 in identity domain dpi as a match criterion in traffic rule myrule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name myrule
[Sysname-traffic-policy-rule-myrule] user-group usergroup1 domain dpi
Related commands
user-group (Security Command Reference)
user-identity enable (Security Command Reference)
vrf
Use vrf to configure a VPN instance as a match criterion.
Use undo vrf to delete a VPN instance match criterion.
Syntax
vrf vrf-name
undo vrf
Default
A traffic rule applies to packets in the public network and packets in each VPN instance.
Views
Traffic rule view
Predefined user roles
network-admin
context-admin
Parameters
vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. For more information about VPN, see MPLS L3VPN in MPLS Configuration Guide.
Usage guidelines
Non-default vSystems do not support this command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure VPN instance vpn1 as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] vrf vpn1