How to Use a Traffic Policy to Filter BAS Interface Traffic on an NE40E Router?

Abstract

We wanted to filter some traffic for BRAS users, so we configured a traffic policy and applied it on the BAS interface, but the traffic policy did not work.

The configuration is below:

acl number 3005
 rule 5 permit ip source ip-address 10.1.1.0 0.0.0.255 destination ip-address 172.16.1.0 0.0.255.255
#
traffic classifier BAS-Drop operator or
 if-match acl 3005
#
traffic behavior BAS-Drop
 deny
#
traffic policy BAS-Drop
 share-mode
 statistics enable
 classifier BAS-Drop behavior BAS-Drop
#
interface Eth-Trunk1.1
 statistic enable
 user-vlan 1 4094 qinq 1 4094
 pppoe-server bind Virtual-Template 1
 traffic-policy BAS-Drop inbound
 bas
 #
  access-type layer2-subscriber
  permit-domain-list Huawei
 #
#

Handling Process
1. Ran a ping test from the source device and checked the traffic statistics.

<HUAWEI> display traffic policy statistics interface eth-trunk1.1 inbound verbose rule-base
interface  :eth-trunk1.1 
Traffic policy inbound: BAS-Drop 
Rule number: 1 
Current status: success 
Statistics interval: 300 
--------------------------------------------------------------------- 
Passed | Packets: 0 
| Bytes: 0 
| Rate(pps): 0 
| Rate(bps): 0 
--------------------------------------------------------------------- 
Dropped | Packets: 0 
| Bytes: 0 
| Rate(pps): 0 
| Rate(bps): 0 
---------------------------------------------------------------------

The result shows that no packets matched the policy.

2. Searched for the usage scenarios of traffic policies. The Chinese product document describes it like this:

   It means that to match BAS user traffic, the traffic policy should be configured globally. (The English product document has no description of this.)

3. Changed the traffic policy to global and ran the ping test again. The ping was still reachable, and the traffic policy still did not work.

4. The ACL is an advanced ACL, which cannot match BAS user traffic. For BAS user traffic, a UCL should be configured, so we changed the ACL to a UCL, and then it worked.

Root Cause

To filter BAS user traffic on the NE40E, a UCL should be used to match the traffic, and the traffic policy should be applied globally.
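
The following is an added example, not part of the original case and not Huawei tooling: a Python check that scans a saved configuration for the two conditions named in the root cause, so a filter that silently matches nothing is caught before it is relied on. It assumes consistently indented configuration text and a UCL number range of 6000 to 9999; the names audit and BEFORE are illustrative, and BEFORE is a constructed excerpt of the configuration from the Abstract.

```python
import re

UCL = range(6000, 10000)  # assumption: UCL number range on this platform

def audit(config):
    """Return findings about traffic policies meant to filter BAS user traffic."""
    acls, classifiers, bound = {}, {}, {}   # classifier->ACLs, policy->classifiers, iface->policies
    bas, global_pol = set(), set()          # BAS interfaces, globally applied policies
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():            # unindented line opens a top-level block
            m = re.match(r"(traffic classifier|traffic policy|interface) (\S+)", line)
            kind, name = m.groups() if m else (None, None)
            if g := re.match(r"traffic-policy (\S+) (?:inbound|outbound)", line):
                global_pol.add(g.group(1))
        elif kind == "traffic classifier" and (m := re.match(r"if-match acl (\d+)", line)):
            acls.setdefault(name, []).append(int(m.group(1)))
        elif kind == "traffic policy" and (m := re.match(r"classifier (\S+) behavior", line)):
            classifiers.setdefault(name, []).append(m.group(1))
        elif kind == "interface" and line.lower() == "bas":
            bas.add(name)
        elif kind == "interface" and (m := re.match(r"traffic-policy (\S+) ", line)):
            bound.setdefault(name, []).append(m.group(1))
    # Condition 1: policy bound on the BAS interface instead of globally.
    findings = [f"{i}: policy {p} is bound to a BAS interface, not applied globally"
                for i in sorted(bas) for p in bound.get(i, [])]
    # Condition 2: policy that should see BAS user traffic matches a non-UCL ACL.
    on_bas = {p for i in bas for p in bound.get(i, [])}
    for p in sorted(on_bas | global_pol):
        for c in classifiers.get(p, []):
            findings += [f"policy {p}: ACL {n} is not a UCL" for n in acls.get(c, []) if n not in UCL]
    return findings

# Constructed sample: trimmed version of the non-working configuration.
BEFORE = """\
traffic classifier BAS-Drop operator or
 if-match acl 3005
#
traffic policy BAS-Drop
 classifier BAS-Drop behavior BAS-Drop
#
interface Eth-Trunk1.1
 traffic-policy BAS-Drop inbound
 bas
"""

if __name__ == "__main__":
    print(*audit(BEFORE), sep="\n")
```

Run against BEFORE it reports both conditions; with the policy applied globally and the classifier matching ACL 6005, as in the Solution, it reports none.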

Solution

Change the ACL to a UCL that matches the source as user-group, and apply the traffic policy globally.

acl number 6005
 rule 5 permit ip source user-group any destination ip-address 172.16.1.0 0.0.0.255
#
traffic classifier BAS-Drop operator or
 if-match acl 6005
#
traffic behavior BAS-Drop
 deny
#
traffic policy BAS-Drop
 share-mode
 classifier BAS-Drop behavior BAS-Drop
#
traffic-policy BAS-Drop inbound

Suggestions

1. For Huawei: Update the description of this command in the English product document.

2. For User: The BAS interface is different from other ports, and the global change may affect other traffic; thus it is recommended to ask for support from TAC.
