Bandwidth management commands
accelerate activate
Use accelerate activate to manually activate rule matching acceleration.
Syntax
accelerate activate
Views
Traffic policy view
Predefined user roles
network-admin
Usage guidelines
If you do not use this command to activate rule matching acceleration manually, the device activates it automatically. The device detects security policy changes at specific intervals and activates rule matching acceleration automatically if any change has been made. If there are 100 or fewer security policies, the interval is 2 seconds. If there are over 100 security policies, the interval is 20 seconds.
To activate rule matching acceleration immediately after a rule change, you can execute this command.
Insufficient memory can cause rule matching acceleration failures. Unaccelerated rules do not take effect, and rules that have been accelerated are not affected.
If rule matching acceleration fails, rules match packets at low speed.
Examples
# Activate rule matching acceleration.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] accelerate activate
action
Use action to specify an action for a traffic rule.
Use undo action to restore the default.
Syntax
action { deny | none | qos profile profile-name }
undo action
Default
The action for a traffic rule is none.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
deny: Drops matching packets.
none: Allows matching packets to pass through without bandwidth management.
qos profile profile-name: Specifies a traffic profile by its name to limit the rate of matching packets. The profile name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
If a packet matches a traffic rule, the device performs the action specified in the traffic rule on the packet.
Examples
# Create a traffic rule named rule1, and apply traffic profile profile1 to the traffic rule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] action qos profile profile1
Related commands
profile name
rule name
all-traffic-control enable
Use all-traffic-control enable to enable bandwidth management for traffic flows of the IP layer and upper layers.
Use undo all-traffic-control enable to restore the default.
Syntax
all-traffic-control enable
undo all-traffic-control enable
Default
Bandwidth management is performed only for traffic flows of Layer 4 and upper layers.
Views
Traffic policy view
Predefined user roles
network-admin
Usage guidelines
Use this command when there is a large number of IP traffic flows in the network.
Examples
# Enable bandwidth management for traffic flows of the IP layer and upper layers.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] all-traffic-control enable
application
Use application to configure an application or application group as a match criterion.
Use undo application to delete an application or application group match criterion.
Syntax
application { app application-name | app-group application-group-name }
undo application { app application-name | app-group application-group-name }
Default
No application or application group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
app application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters.
app-group application-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can configure multiple applications or application groups for a traffic rule to match packets.
This command enables the device to manage bandwidth by application type, such as email, P2P, IM, and web browsing.
If you specify a user-defined application that uses DCCP, SCTP, or UDP-Lite as the transport layer protocol, the application is not limited by bandwidth management. For information about user-defined applications, see DPI Configuration Guide.
Examples
# Configure P2P_General_TCP_Communications as a match criterion for traffic rule rule1.
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] application app P2P_General_TCP_Communications
Related commands
app-group (DPI Command Reference)
nbar application (DPI Command Reference)
port-mapping (DPI Command Reference)
bandwidth
Use bandwidth to set the total guaranteed bandwidth or maximum bandwidth in a traffic profile.
Use undo bandwidth to delete the total guaranteed bandwidth or maximum bandwidth setting of a traffic profile.
Syntax
bandwidth { downstream | total | upstream } { guaranteed | maximum } bandwidth-value
undo bandwidth { downstream | total | upstream } { guaranteed | maximum }
Default
The total guaranteed bandwidth and maximum bandwidth are not set in a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
downstream: Specifies downstream traffic (traffic from a server to a client).
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic (traffic from a client to a server).
guaranteed: Specifies the guaranteed bandwidth.
maximum: Specifies the maximum bandwidth. The maximum bandwidth must be greater than or equal to the guaranteed bandwidth.
bandwidth-value: Specifies the bandwidth value in the range of 8 to 100000000 kbps.
Usage guidelines
When you specify traffic profiles for parent and child traffic rules, follow these restrictions and guidelines:
· The maximum bandwidth for the child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The guaranteed bandwidth for a child traffic rule must be smaller than or equal to that for the parent traffic rule.
· The traffic profiles cannot be the same for the child and parent traffic rules.
An interface with small default expected bandwidth might experience traffic loss if the following conditions exist:
· There is a large amount of traffic on the interface.
· The interface uses the default expected bandwidth.
To avoid traffic loss, explicitly set the expected bandwidth to a large value for such an interface. For example, you can set the expected bandwidth of a tunnel interface to a value greater than 64 kbps (the default) if there is a large amount of traffic on the interface.
Examples
# In traffic profile profile1, set both upstream and downstream maximum bandwidth to 10000 kbps, and set both upstream and downstream guaranteed bandwidth to 5000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth upstream maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth upstream guaranteed 5000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream guaranteed 5000
bandwidth average enable
Use bandwidth average enable to enable dynamic and even allocation for maximum bandwidth.
Use undo bandwidth average enable to disable dynamic and even allocation for maximum bandwidth.
Syntax
bandwidth average enable
undo bandwidth average enable
Default
Dynamic and even allocation for maximum bandwidth is disabled.
Views
Traffic profile view
Predefined user roles
network-admin
Usage guidelines
This command allows the device to dynamically and evenly allocate the total maximum bandwidth among all online IP addresses.
This command can be enabled only after you set the total maximum bandwidth.
Examples
# Enable dynamic and even allocation for maximum bandwidth in traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth total maximum 10000
[Sysname-traffic-policy-profile-profile1] bandwidth average enable
Related commands
bandwidth { downstream | total | upstream } maximum
bandwidth { per-ip | per-user }
Use bandwidth { per-ip | per-user } to set the per-IP or per-user maximum or guaranteed bandwidth for a traffic profile.
Use undo bandwidth { per-ip | per-user } to delete the per-IP or per-user maximum or guaranteed bandwidth setting of a traffic profile.
Syntax
bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user } bandwidth-value
undo bandwidth { downstream | total | upstream } { guaranteed | maximum } { per-ip | per-user }
Default
The per-IP or per-user maximum bandwidth and guaranteed bandwidth are not set in a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
downstream: Specifies downstream traffic (traffic from a server to a client).
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic (traffic from a client to a server).
guaranteed: Sets the guaranteed bandwidth.
maximum: Sets the maximum bandwidth.
per-ip: Sets the per-IP bandwidth.
per-user: Sets the per-user bandwidth.
bandwidth-value: Specifies the bandwidth value in the range of 8 to 100000000 kbps.
Usage guidelines
This command allows you to manage bandwidth at finer granularity.
The per-IP or per-user maximum bandwidth cannot be greater than the total maximum bandwidth.
The per-IP or per-user guaranteed bandwidth cannot be greater than the total guaranteed bandwidth.
The per-IP or per-user guaranteed bandwidth cannot be greater than the per-IP or per-user maximum bandwidth.
Examples
# In traffic profile profile1, set both upstream and downstream per-IP maximum bandwidth to 10000 kbps.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] bandwidth upstream maximum per-ip 10000
[Sysname-traffic-policy-profile-profile1] bandwidth downstream maximum per-ip 10000
bandwidth total traffic-quota per-ip monthly
Use bandwidth total traffic-quota per-ip monthly to set the per-IP monthly traffic quota.
Use undo bandwidth total traffic-quota per-ip monthly to restore the default.
Syntax
bandwidth total traffic-quota per-ip monthly quota-value
undo bandwidth total traffic-quota per-ip monthly
Default
The amount of traffic used by an IP address per month is not limited.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
quota-value: Specifies the per-IP monthly traffic quota in the range of 1 to 1000000000 KB.
Usage guidelines
This command limits the total amount of traffic (uplink and downlink) used by an IP address per month. When the traffic used by an IP address reaches the traffic quota, the device drops packets from the IP address.
Examples
# In traffic profile prof1, set the per-IP monthly traffic quota to 5000 KB.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name prof1
[Sysname-traffic-policy-profile-prof1] bandwidth total traffic-quota per-ip monthly 5000
bandwidth-limit output-interface enable
Use bandwidth-limit output-interface enable to enable bandwidth limit for the output interface.
Use undo bandwidth-limit output-interface enable to disable bandwidth limit for the output interface.
Syntax
bandwidth-limit output-interface enable
undo bandwidth-limit output-interface enable
Default
Bandwidth limit is disabled for the output interface.
Views
Traffic policy view
Predefined user roles
network-admin
Usage guidelines
After you execute this command, the device uses the expected bandwidth (configured by using the bandwidth command) of the output interface to limit its outgoing traffic rate.
Examples
# Enable bandwidth limit for the output interface.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] bandwidth-limit output-interface enable
connection-limit count
Use connection-limit count to set the connection count limit for a traffic profile.
Use undo connection-limit count to delete the connection count limit setting of a traffic profile.
Syntax
connection-limit count { per-rule | per-ip | per-user } connection-number
undo connection-limit count { per-rule | per-ip | per-user }
Default
No connection count limit is set for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
per-rule: Specifies the total connection count limit (count limit for the traffic rule associated with the traffic profile).
per-ip: Specifies the per-IP connection count limit.
per-user: Specifies the per-user connection count limit.
connection-number: Specifies the maximum number of connections allowed, in the range of 1 to 12000000.
Usage guidelines
The per-IP or per-user connection count limit cannot be greater than the total connection count limit.
You cannot set both per-IP and per-user connection count limits for one traffic profile.
Examples
# In traffic profile profile1, set the total connection count limit to 1000.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit count per-rule 1000
# In traffic profile profile1, set the per-IP connection count limit to 500.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit count per-ip 500
connection-limit rate
Use connection-limit rate to set the connection rate limit for a traffic profile.
Use undo connection-limit rate to delete the connection rate limit setting of a traffic profile.
Syntax
connection-limit rate { per-rule | per-ip | per-user } connection-rate
undo connection-limit rate { per-rule | per-ip | per-user }
Default
No connection rate limit is set for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
per-rule: Specifies the total connection rate limit (rate limit for the traffic rule associated with the traffic profile).
per-ip: Specifies the per-IP connection rate limit.
per-user: Specifies the per-user connection rate limit.
connection-rate: Specifies the maximum connection rate in the range of 1 to 12000000 connections per second.
Usage guidelines
The per-IP or per-user connection rate limit cannot be greater than the total connection rate limit.
You cannot set both per-IP and per-user connection rate limits for one traffic profile.
Examples
# In traffic profile profile1, set the total connection rate limit to 1000 connections per second.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit rate per-rule 1000
# In traffic profile profile1, set the per-IP connection rate limit to 500 connections per second.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] connection-limit rate per-ip 500
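The value ranges and ordering rules stated for bandwidth, bandwidth { per-ip | per-user }, connection-limit count, and connection-limit rate can be checked offline before a profile is pushed to a device. The following is an added example, not code from the vendor documentation; the function names and sample profile are constructed, and comparing per-IP or per-user values against the profile-level value of the same direction keyword is an assumption about how "total" is meant in the guidelines.

```python
import re

BW_RANGE = (8, 100_000_000)    # kbps, range given for bandwidth-value
CONN_RANGE = (1, 12_000_000)   # range given for connection-number / connection-rate
DIRECTIONS = ("downstream", "total", "upstream")
SCOPES = ("per-ip", "per-user")

BW_RE = re.compile(r"bandwidth (downstream|total|upstream) (guaranteed|maximum)"
                   r"(?: (per-ip|per-user))? (\d+)")
CONN_RE = re.compile(r"connection-limit (count|rate) (per-rule|per-ip|per-user) (\d+)")


def parse_profile(lines):
    """Collect bandwidth and connection-limit settings from profile-view commands."""
    bw, conn, unknown = {}, {}, []
    for raw in lines:
        line = " ".join(raw.split())          # normalize whitespace
        if not line or line.startswith("#"):
            continue
        if m := BW_RE.fullmatch(line):
            direction, kind, scope, value = m.groups()
            bw[(direction, kind, scope or "profile")] = int(value)
        elif m := CONN_RE.fullmatch(line):
            kind, scope, value = m.groups()
            conn[(kind, scope)] = int(value)
        else:
            unknown.append(line)
    return bw, conn, unknown


def lint_profile(lines):
    """Return a list of findings; an empty list means no documented rule is violated."""
    bw, conn, unknown = parse_profile(lines)
    findings = [f"unrecognized command: {u}" for u in unknown]

    # Value ranges from the Parameters sections.
    for (direction, kind, scope), v in bw.items():
        if not BW_RANGE[0] <= v <= BW_RANGE[1]:
            findings.append(f"{direction} {kind} {scope}: {v} kbps out of range")
    for (kind, scope), v in conn.items():
        if not CONN_RANGE[0] <= v <= CONN_RANGE[1]:
            findings.append(f"connection-limit {kind} {scope}: {v} out of range")

    # Ordering rules from the bandwidth usage guidelines.
    for d in DIRECTIONS:
        g, m = bw.get((d, "guaranteed", "profile")), bw.get((d, "maximum", "profile"))
        if g is not None and m is not None and m < g:
            findings.append(f"{d}: maximum {m} is below guaranteed {g}")
        for s in SCOPES:
            sg, sm = bw.get((d, "guaranteed", s)), bw.get((d, "maximum", s))
            if sm is not None and m is not None and sm > m:
                findings.append(f"{d}: {s} maximum {sm} exceeds profile maximum {m}")
            if sg is not None and g is not None and sg > g:
                findings.append(f"{d}: {s} guaranteed {sg} exceeds profile guaranteed {g}")
            if sg is not None and sm is not None and sg > sm:
                findings.append(f"{d}: {s} guaranteed {sg} exceeds {s} maximum {sm}")

    # Connection limits: per-ip and per-user are mutually exclusive,
    # and neither may exceed the per-rule (total) limit.
    for kind in ("count", "rate"):
        if (kind, "per-ip") in conn and (kind, "per-user") in conn:
            findings.append(f"connection-limit {kind}: per-ip and per-user both set")
        total = conn.get((kind, "per-rule"))
        for s in SCOPES:
            v = conn.get((kind, s))
            if v is not None and total is not None and v > total:
                findings.append(f"connection-limit {kind}: {s} {v} exceeds per-rule {total}")
    return findings


# Constructed sample profile (not from the page) with two deliberate violations.
SAMPLE_PROFILE = """\
bandwidth upstream maximum 10000
bandwidth upstream guaranteed 5000
bandwidth upstream maximum per-ip 20000
bandwidth upstream guaranteed per-ip 4000
connection-limit count per-rule 1000
connection-limit count per-ip 500
connection-limit rate per-ip 500
connection-limit rate per-user 500
""".splitlines()

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```
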
destination-address
Use destination-address to configure a destination IP address object group as a match criterion.
Use undo destination-address to remove a destination IP address object group as a match criterion.
Syntax
destination-address address-set object-group-name
undo destination-address address-set object-group-name
Default
No destination IP address object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command is used to match the packets with the destination IP addresses in the specified address object group. You can specify multiple address object groups for a traffic rule to match destination IP addresses of packets.
Before rolling back configuration by using the configuration replace file filename command, check the address object group configuration in the traffic rule in the configuration file. The address object group configuration fails to be rolled back if two address object groups have the same name but are of different types (IPv4/IPv6).
Examples
# Configure IPv4 address object group obgroup2 for traffic rule rule1 to match destination IPv4 addresses of packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] destination-address address-set obgroup2
Related commands
object-group (Security Command Reference)
disable
Use disable to disable a traffic rule.
Use undo disable to enable a traffic rule.
Syntax
disable
undo disable
Default
A traffic rule is enabled.
Views
Traffic rule view
Predefined user roles
network-admin
Usage guidelines
If a traffic rule is not used, use this command to disable it. A disabled traffic rule does not participate in traffic matching. You can copy, rename, and move a disabled traffic rule.
Examples
# Disable traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] disable
display traffic-policy statistics bandwidth
Use display traffic-policy statistics bandwidth to display traffic statistics for traffic rules.
Syntax
display traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
downstream: Displays downstream traffic statistics.
total: Displays the sum of downstream traffic statistics and upstream traffic statistics.
upstream: Displays upstream traffic statistics.
per-ip: Displays per-IP traffic statistics.
ipv4: Displays per-IP traffic statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays per-IP traffic statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Displays per-IP traffic statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays per-IP traffic statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Displays per-rule traffic statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays per-rule traffic statistics for all traffic rules.
per-user: Displays per-user traffic statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command displays per-user traffic statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Before displaying traffic statistics, you must execute the statistics bandwidth enable command.
You can identify whether a traffic rule works as configured by displaying the traffic statistics for the traffic rule.
Examples
# Display per-rule upstream traffic statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-rule name traffic-rule
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State Profile name PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 726 7550 4 2961 703 497 595 6632 664.1
--------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# Display per-IP upstream traffic statistics for all IPv4 addresses in traffic rule traffic-rule.
<Sysname> display traffic-policy statistics bandwidth upstream per-ip ipv4 rule traffic-rule
Codes: PP(Passed Packets), PB(Passed Bytes), DP(Dropped Packets), DB(Dropped Bytes), PR(Passed Rate:kbps), DR(Drop Rate:kbps), FPP(Final Passed Packets), FPB(Final Passed Bytes), FPR(Final Passed Rate:kbps)
----------------------------------------------------------------------------------------
Rule name State IP PP PB DP DB PR DR FPP FPB FPR
----------------------------------------------------------------------------------------
traffic-rule Enabled 1.1.1.1 726 75502 4 2961 703.3 497 595 6632 664.1
----------------------------------------------------------------------------------------
traffic-rule2 Enabled 1.1.1.5 756 74502 4 2901 712 488 595 6632 664.1
----------------------------------------------------------------------------------------
traffic-rule3 Enabled 1.1.1.8 756 74502 4 2951 712 488 595 6632 664.1
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 1 Command output
Field | Description |
---|---|
Codes | Acronyms for fields: |
PP (Passed Packets) | Number of packets permitted by the traffic rule. |
PB (Passed Bytes) | Number of bytes permitted by the traffic rule. |
DP (Dropped Packets) | Number of packets dropped by the traffic rule. |
DB (Dropped Bytes) | Number of bytes dropped by the traffic rule. |
PR (Passed Rate:kbps) | Rate of packets permitted by the traffic rule, in kbps. |
DR (Drop Rate:kbps) | Rate of packets dropped by the traffic rule, in kbps. |
FPP (Final Passed Packets) | Number of packets permitted by both the traffic rule and interface bandwidth. |
FPB (Final Passed Bytes) | Number of bytes permitted by both the traffic rule and interface bandwidth. |
FPR (Final Passed Rate:kbps) | Rate of packets permitted by both the traffic rule and interface bandwidth, in kbps. |
In the case of rule nesting, the actual values of the FPP, FPB, and FPR fields are displayed only if you specify the lowest-level traffic rule in the display traffic-policy statistics bandwidth command. If you specify a non-lowest-level traffic rule, the value 0 is displayed for these fields.
Related commands
statistics bandwidth enable
display traffic-policy statistics connection-limit
Use display traffic-policy statistics connection-limit to display connection limit statistics.
Syntax
display traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
per-ip: Displays per-IP connection limit statistics.
ipv4: Displays per-IP connection limit statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays connection limit statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Displays per-IP connection limit statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays connection limit statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Displays per-rule connection limit statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays per-rule connection limit statistics for all traffic rules.
per-user: Displays per-user connection limit statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command displays per-user connection limit statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Before displaying connection limit statistics, you must execute the statistics connection-limit enable command.
You can identify whether a traffic rule works as configured by displaying the connection limit statistics for the traffic rule.
Examples
# Display per-IP connection limit statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-ip ipv4 rule traffic-rule
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name IP CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 1.1.1.1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# Display per-rule connection limit statistics for traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-rule name traffic-rule
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
# Display per-user connection limit statistics for all users of traffic rule traffic-rule.
<Sysname> display traffic-policy statistics connection-limit per-user rule traffic-rule
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit), RRC(Rate Rejective Connection), RR(Rejective Rate), PR(Pass Rate)
----------------------------------------------------------------------------------------
Rule name State Profile name User ID User name CC RC CL RRC RR PR
----------------------------------------------------------------------------------------
traffic-rule Enabled profile1 0x3d user1 200 300 200 200 300 200
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Table 2 Command output
Field | Description |
---|---|
Codes | Acronyms for fields: |
CC (current connections) | Number of current connections. |
RC (rejected connections) | Number of connections rejected after the number of current connections reached the limit. |
CL (connection limit) | Maximum number of connections allowed. |
RRC (Rate Rejective Connection) | Number of connections rejected after the connection establishment rate reached the limit. |
RR (Rejective Rate) | Rate of connections rejected, in connections per second. |
PR (Pass Rate) | Rate of connections established, in connections per second. |
Related commands
statistics connection-limit enable
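The connection limit statistics are the place to see which addresses or users are running into a limit, which is useful when triaging a suspected connection flood or a misbehaving client. The following is an added example, not code from the vendor documentation: it parses captured output of display traffic-policy statistics connection-limit and flags rows using the CC, RC, CL, and RRC fields described in Table 2. The function names and the second data row are constructed, and whitespace-separated columns are assumed.

```python
MULTIWORD = ("Rule name", "Profile name", "User ID", "User name")
COUNTERS = ("CC", "RC", "CL", "RRC", "RR", "PR")


def parse_connection_limit(text):
    """Parse per-ip, per-rule, or per-user connection-limit output into dicts."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, separator rules, the legend, and the CLI prompt line.
        if not line or set(line) == {"-"} or line.startswith(("Codes:", "<")):
            continue
        if line.startswith("Rule name"):
            # Join two-word column titles so the header splits one token per column.
            for name in MULTIWORD:
                line = line.replace(name, name.replace(" ", "_"))
            header = line.split()
            continue
        fields = line.split()
        if header is None or len(fields) != len(header):
            continue  # not a data row for the current header
        row = dict(zip(header, fields))
        try:
            for c in COUNTERS:
                row[c] = int(row[c])
        except (KeyError, ValueError):
            continue  # malformed counters; ignore the row
        rows.append(row)
    return rows


def triage(rows):
    """Return (subject, reasons) for every row that hit a connection limit."""
    flagged = []
    for row in rows:
        reasons = []
        if row["CC"] >= row["CL"]:
            reasons.append("at-limit")        # current connections reached the limit
        if row["RC"] > 0:
            reasons.append("count-rejects")   # rejected by the connection count limit
        if row["RRC"] > 0:
            reasons.append("rate-rejects")    # rejected by the connection rate limit
        if reasons:
            subject = row.get("IP") or row.get("User_name") or row["Rule_name"]
            flagged.append((subject, reasons))
    return flagged


# First data row is the one shown on this page; the 192.0.2.7 row is constructed.
SAMPLE_OUTPUT = """\
<Sysname> display traffic-policy statistics connection-limit per-ip ipv4 rule traffic-rule
Codes: CC(Current Connection), RC(Rejective Connection), CL(Current Limit)
----------------------------------------
Rule name State Profile name IP CC RC CL RRC RR PR
----------------------------------------
traffic-rule Enabled profile1 1.1.1.1 200 300 200 200 300 200
----------------------------------------
traffic-rule Enabled profile1 192.0.2.7 12 0 200 0 0 3
----------------------------------------
"""

if __name__ == "__main__":
    for subject, reasons in triage(parse_connection_limit(SAMPLE_OUTPUT)):
        print(subject, ", ".join(reasons))
```
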
display traffic-policy statistics rule-hit
Use display traffic-policy statistics rule-hit to display rule-hit statistics.
Syntax
display traffic-policy statistics rule-hit [ rule rule-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command displays rule-hit statistics for all traffic rules.
Usage guidelines
Before displaying rule-hit statistics, you must execute the statistics rule-hit enable command.
Examples
# Display rule-hit statistics for all traffic rules.
<Sysname> display traffic-policy statistics rule-hit
----------------------------------------------------------------------------------------
Rule ID Rule name State Profile ID Profile name Hit
----------------------------------------------------------------------------------------
201 traffic-rule Enabled 21 profile1 11111
----------------------------------------------------------------------------------------
202 traffic-rule1 Enabled 22 profile2 11112
----------------------------------------------------------------------------------------
203 traffic-rule2 Enabled 23 profile1 11565
----------------------------------------------------------------------------------------
Table 3 Command output
Field | Description |
---|---|
Hit | Number of times that a rule is matched. |
Related commands
statistics rule-hit enable
dscp
Use dscp to configure a DSCP priority as a match criterion.
Use undo dscp to remove all DSCP priority match criteria.
Syntax
dscp dscp-value
undo dscp dscp-value
Default
No DSCP priority is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP priority, which can only be a keyword in Table 4.
Keyword | DSCP value (binary) | DSCP value (decimal) |
---|---|---|
default | 000000 | 0 |
af11 | 001010 | 10 |
af12 | 001100 | 12 |
af13 | 001110 | 14 |
af21 | 010010 | 18 |
af22 | 010100 | 20 |
af23 | 010110 | 22 |
af31 | 011010 | 26 |
af32 | 011100 | 28 |
af33 | 011110 | 30 |
af41 | 100010 | 34 |
af42 | 100100 | 36 |
af43 | 100110 | 38 |
cs1 | 001000 | 8 |
cs2 | 010000 | 16 |
cs3 | 011000 | 24 |
cs4 | 100000 | 32 |
cs5 | 101000 | 40 |
cs6 | 110000 | 48 |
cs7 | 111000 | 56 |
ef | 101110 | 46 |
Examples
# Configure DSCP priority af11 as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] dscp af11
ipv6 extension-header
Use ipv6 extension-header to configure the IPv6 extension header attribute as a match criterion.
Use undo ipv6 extension-header to delete an extension header match criterion.
Syntax
ipv6 extension-header { authentication | destination | encapsulating | fragment | hop-by-hop | routing }
undo ipv6 extension-header
Default
The IPv6 extension header attribute is not used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
authentication: Specifies the Authentication header.
destination: Specifies the Destination Options header.
encapsulating: Specifies the Encapsulating Security Payload header.
fragment: Specifies the Fragment header.
hop-by-hop: Specifies the Hop-by-Hop Options header.
routing: Specifies the Routing header.
Usage guidelines
This command enables the device to perform bandwidth management on the IPv6 packets with the specified extension header. For more information about extension headers, see RFC 2460.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the Destination Options header as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] ipv6 extension-header destination
Related commands
ipv6 flow-label
ipv6 flow-label
Use ipv6 flow-label to configure the IPv6 flow label attribute as a match criterion.
Use undo ipv6 flow-label to delete a flow label match criterion.
Syntax
ipv6 flow-label { nonzero | zero }
undo ipv6 flow-label
Default
The IPv6 flow label attribute is not used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
nonzero: Specifies non-zero IPv6 flow labels.
zero: Specifies the zero IPv6 flow label.
Usage guidelines
The Flow Label field in IPv6 packet headers is used to identify packets of a flow. This command enables the device to perform bandwidth management on the IPv6 packets with the specified flow label value. For more information about the Flow Label field, see RFC 2460.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure a flow label value of zero as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] ipv6 flow-label zero
Related commands
ipv6 extension-header
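The dscp, ipv6 extension-header, and ipv6 flow-label criteria all test fields of the IPv6 header. The following added example (not part of the original reference and not device code) parses a packet to show where each field lives and how the extension header chain is walked. The function names, the sample packets, and the assumptions that a header matches when it appears anywhere in the chain and that configured criteria are combined with AND are illustrative only.

```python
import struct

# Next Header numbers (IANA) for the six keywords of `ipv6 extension-header`.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment",
               50: "encapsulating", 51: "authentication", 60: "destination"}


def dscp_keyword(value):
    """Derive the AF/CS/EF keyword for a 6-bit DSCP value (None outside those families)."""
    if value == 46:
        return "ef"
    cls, low = value >> 3, value & 0b111
    if 1 <= cls <= 7 and low == 0:
        return f"cs{cls}"                 # csN = 8 * N
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low >> 1}"       # afXY = 8 * X + 2 * Y
    return None


def parse_ipv6(packet):
    """Return DSCP, flow label, extension header chain, and upper-layer protocol."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    first_word, _plen, next_header, _hops = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    dscp = (first_word >> 22) & 0x3F      # upper six bits of Traffic Class
    flow_label = first_word & 0xFFFFF     # 20-bit Flow Label
    chain, offset = [], 40
    while next_header in EXT_HEADERS:
        name = EXT_HEADERS[next_header]
        chain.append(name)
        if name == "encapsulating":
            # Everything after the ESP header is encrypted, so the chain
            # cannot be followed and the upper-layer protocol is unknown.
            next_header = None
            break
        if offset + 2 > len(packet):
            raise ValueError(f"truncated {name} header")
        following, length_field = packet[offset], packet[offset + 1]
        if name == "fragment":
            size = 8                          # fixed size, length byte is reserved
        elif name == "authentication":
            size = (length_field + 2) * 4     # AH counts 4-byte words minus 2
        else:
            size = (length_field + 1) * 8     # 8-byte units, first unit excluded
        if offset + size > len(packet):
            raise ValueError(f"truncated {name} header")
        next_header, offset = following, offset + size
    return {"dscp": dscp, "flow_label": flow_label,
            "ext_headers": chain, "upper_layer": next_header}


def rule_matches(info, ext_header=None, flow_label=None, dscp=None):
    """Evaluate the three criteria; None means the criterion is not configured.
    Presence-anywhere and AND-combination are assumptions of this model."""
    if ext_header is not None and ext_header not in info["ext_headers"]:
        return False
    if flow_label is not None and (info["flow_label"] == 0) != (flow_label == "zero"):
        return False
    if dscp is not None and dscp_keyword(info["dscp"]) != dscp:
        return False
    return True


def build_sample(dscp, flow_label, ext_chain, upper=6):
    """Construct a minimal IPv6 packet (constructed sample, not captured traffic)."""
    number = {name: num for num, name in EXT_HEADERS.items()}
    body, following = b"", upper
    for name in reversed(ext_chain):
        if name == "authentication":
            hdr = bytes([following, 4]) + bytes(22)   # 24-byte AH: (4 + 2) * 4
        else:
            hdr = bytes([following, 0]) + bytes(6)    # 8-byte header
        body, following = hdr + body, number[name]
    first_word = (6 << 28) | (dscp << 22) | flow_label
    return struct.pack("!IHBB", first_word, len(body), following, 64) + bytes(32) + body


if __name__ == "__main__":
    pkt = build_sample(10, 0, ["hop-by-hop", "authentication", "destination"])
    info = parse_ipv6(pkt)
    print(info, dscp_keyword(info["dscp"]))
    print(rule_matches(info, ext_header="destination", flow_label="zero", dscp="af11"))
```

A packet whose chain reaches an ESP header hides any later headers from this kind of inspection, so a rule keyed on a header that follows ESP would not match it in this model.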
profile name
Use profile name to create a traffic profile and enter its view, or enter the view of an existing traffic profile.
Use undo profile name to delete a traffic profile.
Syntax
profile name profile-name
undo profile name profile-name
Default
No traffic profile exists.
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the traffic profile, a case-insensitive string of 1 to 63 characters.
Usage guidelines
A traffic profile defines the bandwidth resources that can be used and takes effect after it is specified for a traffic rule.
Examples
# Create a traffic profile named profile1 and enter traffic profile view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1]
Related commands
action
profile reference-mode
Use profile reference-mode to set the reference mode for a traffic profile.
Use undo profile reference-mode to restore the default.
Syntax
profile reference-mode { per-rule | rule-shared }
undo profile reference-mode
Default
The reference mode for a traffic profile is per-rule.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
per-rule: Specifies that each traffic rule that uses the traffic profile can reach the bandwidth limits and connection limits specified in the profile.
rule-shared: Specifies that all traffic rules that use the traffic profile share the bandwidth limits and connection limits specified in the profile.
Usage guidelines
After a traffic profile is specified for a traffic rule, the bandwidth limits and connection limits in the profile take effect. The reference mode for a traffic profile can be per-rule or rule-shared.
Examples
# Set the reference mode to rule-shared for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] profile reference-mode rule-shared
profile rename
Use profile rename to rename a traffic profile.
Syntax
profile rename old-name new-name
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
old-name: Specifies the old name of the traffic profile, a case-insensitive string of 1 to 63 characters.
new-name: Specifies a new name for the traffic profile, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Examples
# Create a traffic profile named profile1, and rename traffic profile profile1 as profile2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] quit
[Sysname-traffic-policy] profile rename profile1 profile2
remark dscp
Use remark dscp to mark the DSCP priority for packets of a traffic profile.
Use undo remark dscp to restore the default.
Syntax
remark dscp dscp-value
undo remark dscp
Default
The DSCP priority for packets of a traffic profile is not marked.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
dscp-value: Specifies a DSCP priority, which can only be a keyword in Table 4.
Usage guidelines
Network devices can classify traffic by using DSCP priorities and provide different treatment for packets with different DSCP priorities.
Examples
# Mark DSCP priority af22 for packets of traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] remark dscp af22
Related commands
profile name
reset traffic-policy statistics bandwidth
Use reset traffic-policy statistics bandwidth to clear traffic statistics for traffic rules.
Syntax
reset traffic-policy statistics bandwidth { downstream | total | upstream } { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }
Views
User view
Predefined user roles
network-admin
Parameters
downstream: Specifies downstream traffic.
total: Specifies both downstream traffic and upstream traffic.
upstream: Specifies upstream traffic.
per-ip: Clears per-IP traffic statistics.
ipv4: Clears per-IP traffic statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command clears per-IP traffic statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Clears per-IP traffic statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command clears per-IP traffic statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Clears per-rule traffic statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears per-rule traffic statistics for all traffic rules.
per-user: Clears per-user traffic statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command clears per-user traffic statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Clear per-rule upstream traffic statistics for traffic rule traffic-rule.
<Sysname> reset traffic-policy statistics bandwidth upstream per-rule name traffic-rule
reset traffic-policy statistics connection-limit
Use reset traffic-policy statistics connection-limit to clear connection limit statistics.
Syntax
reset traffic-policy statistics connection-limit { per-ip { ipv4 [ ipv4-address ] | ipv6 [ ipv6-address ] } rule rule-name | per-rule [ name rule-name ] | per-user [ user user-name ] rule rule-name }
Views
User view
Predefined user roles
network-admin
Parameters
per-ip: Clears per-IP connection limit statistics.
ipv4: Clears per-IP connection limit statistics for IPv4 addresses.
ipv4-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command clears connection limit statistics for all IPv4 addresses of the specified traffic rule.
ipv6: Clears per-IP connection limit statistics for IPv6 addresses.
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command clears connection limit statistics for all IPv6 addresses of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
per-rule: Clears per-rule connection limit statistics.
name rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears per-rule connection limit statistics for all traffic rules.
per-user: Clears per-user connection limit statistics.
user user-name: Specifies a user by its name, a case-insensitive string of 1 to 55 characters. If you do not specify a user, this command clears per-user connection limit statistics for all users of the specified traffic rule.
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Examples
# Clear per-rule connection limit statistics for traffic rule traffic-rule.
<Sysname> reset traffic-policy statistics connection-limit per-rule name traffic-rule
reset traffic-policy statistics rule-hit
Use reset traffic-policy statistics rule-hit to clear rule-hit statistics.
Syntax
reset traffic-policy statistics rule-hit [ rule rule-name ]
Views
User view
Predefined user roles
network-admin
Parameters
rule rule-name: Specifies a traffic rule by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a traffic rule, this command clears rule-hit statistics for all traffic rules.
Examples
# Clear rule-hit statistics for traffic rule traffic-rule.
<Sysname> reset traffic-policy statistics rule-hit rule traffic-rule
rule
Use rule to create a traffic rule and enter its view, or enter the view of an existing traffic rule.
Use undo rule to delete a traffic rule.
Syntax
rule rule-id
rule [ rule-id ] name rule-name [ parent parent-rule-name ]
undo rule { rule-id | name rule-name }
Default
No traffic rule exists.
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
rule-id: Specifies an ID for the traffic rule, in the range of 1 to 65534. If you do not specify a rule ID, the system assigns the unused ID next to the ID used last time. If the rule ID to be assigned is greater than 65534, the system assigns the smallest available rule ID.
rule-name: Specifies a name for the traffic rule, a case-insensitive string of 1 to 63 characters. You must specify a rule name when creating a traffic rule.
parent parent-rule-name: Specifies a parent traffic rule by its name, a case-insensitive string of 1 to 63 characters. To successfully create the traffic rule, make sure the parent traffic rule already exists.
Usage guidelines
You can configure multiple traffic rules in the traffic policy. For a traffic rule, you can configure match criteria to match packets and specify the traffic profile to apply to matching packets. The device matches traffic rules in their order of appearance on the device. When a traffic rule is matched, the matching process ends and the device applies the traffic profile for the traffic rule to the traffic. If no traffic rule is matched, the device forwards the traffic.
For a new traffic rule to inherit the match criteria of an existing traffic rule, specify the existing traffic rule as the parent of the new traffic rule.
A level-4 rule cannot act as a parent rule.
You can specify a parent traffic rule only when creating a traffic rule. You cannot add or modify a parent traffic rule for an existing traffic rule.
Examples
# Create a traffic rule with ID 111 and name rule1 and enter traffic rule view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule 111 name rule1
[Sysname-traffic-policy-rule-111-rule1]
rule copy
Use rule copy to copy a traffic rule.
Syntax
rule copy rule-name new-rule-name
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
rule-name: Specifies a traffic rule to be copied by its name, a case-insensitive string of 1 to 63 characters.
new-rule-name: Specifies a name for the new traffic rule, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Usage guidelines
If a traffic rule to be created is similar to an existing traffic rule, create the traffic rule by copying the existing traffic rule and then modify it. The new traffic rule is placed next to the copied traffic rule.
If a traffic rule to be copied has child traffic rules, only the parent traffic rule is copied.
Examples
# Create a traffic rule named rule2 by copying traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule copy rule1 rule2
rule move
Use rule move to move a traffic rule to a new position.
Syntax
rule move rule-name1 { after | before } rule-name2
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
rule-name1: Specifies a traffic rule to be moved by its name, a case-insensitive string of 1 to 63 characters. The traffic rule can be a parent or child traffic rule.
after: Moves the specified traffic rule to the position after a target traffic rule.
before: Moves the specified traffic rule to the position before a target traffic rule.
rule-name2: Specifies the target traffic rule by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The device matches traffic with traffic rules in their order of appearance on the device. When a traffic rule is matched, the matching process ends and the device applies the traffic profile specified for the traffic rule to the traffic. If no traffic rule is matched, the device forwards the traffic.
To ensure reasonable, precise bandwidth management, configure traffic rules in ascending order of granularity. If the traffic rules are not in ascending order of granularity, you can use the rule move command to change their positions.
You can move child traffic rules only within their parent traffic rule.
Examples
# Create two traffic rules named rule1 and rule2, and move rule1 to the position after rule2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] quit
[Sysname-traffic-policy] rule name rule2
[Sysname-traffic-policy-rule-rule2] quit
[Sysname-traffic-policy] rule move rule1 after rule2
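Because matching stops at the first rule hit, a broad rule placed ahead of a narrower one leaves the narrower rule unreachable. The following added example (not part of the original reference and not device code) audits a rule list for such shadowing and prints the rule move command that would fix the order. The rule model (source networks and service names only, an empty criterion meaning "any", no parent or child rules) and the sample rules are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: rules in their order of appearance on the device.
SAMPLE_RULES = [
    {"name": "all-staff",   "sources": ["10.1.0.0/16"],     "services": set()},
    {"name": "finance-ftp", "sources": ["10.1.20.0/24"],    "services": {"ftp"}},
    {"name": "guests",      "sources": ["192.168.50.0/24"], "services": set()},
]


def _nets(rule):
    return [ipaddress.ip_network(n) for n in rule["sources"]]


def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`.
    Conservative: a later network split across several earlier networks
    is not reported."""
    e_nets, l_nets = _nets(earlier), _nets(later)
    if e_nets:
        if not l_nets:
            return False          # later matches any source, earlier does not
        for net in l_nets:
            if not any(net.version == e.version and net.subnet_of(e) for e in e_nets):
                return False
    if earlier["services"]:
        if not later["services"] or not later["services"] <= earlier["services"]:
            return False
    return True


def first_match(rules, src_ip, service):
    """Name of the first rule that matches, or None (traffic is simply forwarded)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        nets = _nets(rule)
        if nets and not any(addr in n for n in nets):
            continue
        if rule["services"] and service not in rule["services"]:
            continue
        return rule["name"]
    return None


def find_shadowed(rules):
    """(shadowed rule, earliest covering rule) pairs, in rule order."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later["name"], earlier["name"]))
                break
    return findings


def suggested_moves(rules):
    """One `rule move` command per shadowed rule, using the syntax on this page."""
    return [f"rule move {later} before {earlier}" for later, earlier in find_shadowed(rules)]


if __name__ == "__main__":
    print(first_match(SAMPLE_RULES, "10.1.20.7", "ftp"))   # broad rule wins
    for command in suggested_moves(SAMPLE_RULES):
        print(command)
```

Child traffic rules can be moved only within their parent, so a suggestion produced by this flat model needs checking against the rule hierarchy before it is applied.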
rule rename
Use rule rename to rename a traffic rule.
Syntax
rule rename old-rule-name new-rule-name
Views
Traffic policy view
Predefined user roles
network-admin
Parameters
old-rule-name: Specifies the old name of the traffic rule, a case-insensitive string of 1 to 63 characters.
new-rule-name: Specifies a new name for the traffic rule, a case-insensitive string of 1 to 63 characters. The new name cannot be an existing traffic profile name.
Examples
# Create a traffic rule named rule1, and rename traffic rule rule1 as rule2.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] quit
[Sysname-traffic-policy] rule rename rule1 rule2
service
Use service to configure a service object group as a match criterion.
Use undo service to delete a service object group match criterion.
Syntax
service object-group-name
undo service [ object-group-name ]
Default
No service object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can specify multiple service object groups for a traffic rule to match packets.
The undo service command removes all service object groups from match criteria if you do not specify a service object group or specify the system-defined service object group any.
Examples
# Specify predefined service object group ftp for traffic rule rule1 to match packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] service ftp
Related commands
object-group (Security Command Reference)
source-address
Use source-address to configure a source IP address object group as a match criterion.
Use undo source-address to delete a source IP address object group as a match criterion.
Syntax
source-address address-set object-group-name
undo source-address address-set object-group-name
Default
No source IP address object group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
object-group-name: Specifies an IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command is used to match the packets with the source IP addresses in the specified address object group. You can specify multiple address object groups for a traffic rule to match source IP addresses of packets.
Before rolling back configuration by using the configuration replace file filename command, check the address object group configuration in the traffic rule in the configuration file. The address object group configuration fails to be rolled back if two address object groups have the same name but are of different types (IPv4/IPv6).
Examples
# Specify IPv4 address object group obgroup1 for traffic rule rule1 to match source IPv4 addresses of packets.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] source-address address-set obgroup1
Related commands
object-group (Security Command Reference)
statistics bandwidth enable
Use statistics bandwidth enable to enable traffic statistics collection.
Use undo statistics bandwidth enable to disable traffic statistics collection.
Syntax
statistics bandwidth enable
undo statistics bandwidth enable
Default
Traffic statistics collection is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
Usage guidelines
This command enables the device to collect statistics about matching traffic. To view the statistics, use the display traffic-policy statistics bandwidth command.
This command affects device performance. As a best practice, configure this command only if you need to view statistics.
Examples
# Enable traffic statistics collection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] statistics bandwidth enable
Related commands
display traffic-policy statistics bandwidth
statistics connection-limit enable
Use statistics connection-limit enable to enable connection limit statistics collection.
Use undo statistics connection-limit enable to disable connection limit statistics collection.
Syntax
statistics connection-limit enable
undo statistics connection-limit enable
Default
Connection limit statistics collection is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
Usage guidelines
This command enables the device to collect statistics about matching connections. To view the statistics, use the display traffic-policy statistics connection-limit command.
This command affects device performance. As a best practice, configure this command only if you need to view statistics.
Examples
# Enable connection limit statistics collection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] statistics connection-limit enable
Related commands
display traffic-policy statistics connection-limit
statistics rule-hit enable
Use statistics rule-hit enable to enable rule-hit statistics collection.
Use undo statistics rule-hit enable to disable rule-hit statistics collection.
Syntax
statistics rule-hit enable
undo statistics rule-hit enable
Default
Rule-hit statistics collection is disabled.
Views
Traffic policy view
Predefined user roles
network-admin
Usage guidelines
This command enables the device to collect rule-hit statistics. To view the statistics, use the display traffic-policy statistics rule-hit command.
This command affects device performance. As a best practice, configure this command only if you need to view statistics.
Examples
# Enable rule-hit statistics collection.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] statistics rule-hit enable
Related commands
display traffic-policy statistics rule-hit
tcp mss
Use tcp mss to set the TCP maximum segment size (MSS).
Use undo tcp mss to restore the default.
Syntax
tcp mss mss-value
undo tcp mss
Default
The TCP MSS is not set.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
mss-value: Specifies the TCP MSS in the range of 128 to 9158 bytes.
Usage guidelines
The MSS specifies the maximum size of TCP segments that the peer device can send to the local device. It is negotiated during TCP connection establishment. When establishing a TCP connection, the local device advertises the MSS to the peer device. The peer device does not send TCP packets greater than the MSS. For TCP packets that exceed the MSS, the peer device fragments them before sending them.
This command takes effect only on new TCP connections and does not take effect on existing TCP connections.
This command takes effect only on IP packets. If MPLS is configured, do not set the MSS.
If you configure the MSS in both traffic profile view and interface view, the smaller MSS value takes effect.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the TCP MSS to 128 bytes for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] tcp mss 128
Related commands
tcp mss (Network Connectivity Command Reference)
time-range
Use time-range to specify a time range during which a traffic rule is in effect.
Use undo time-range to restore the default.
Syntax
time-range time-range-name
undo time-range
Default
A traffic rule is in effect at any time.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters.
Examples
# Specify time range work-time for traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] time-range work-time
Related commands
time-range (Security Command Reference)
traffic-policy
Use traffic-policy to enter traffic policy view.
Use undo traffic-policy to remove all traffic policy settings.
Syntax
traffic-policy
undo traffic-policy
Views
System view
Predefined user roles
network-admin
Usage guidelines
In traffic policy view, you can create and manage traffic rules.
Examples
# Enter traffic policy view.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy]
traffic-priority
Use traffic-priority to set the traffic priority for a traffic profile.
Use undo traffic-priority to restore the default.
Syntax
traffic-priority priority-value
undo traffic-priority
Default
The traffic priority is 1 for a traffic profile.
Views
Traffic profile view
Predefined user roles
network-admin
Parameters
priority-value: Specifies the priority value in the range of 1 to 7. The larger the priority value, the higher the priority.
Usage guidelines
When an interface is congested with packets of multiple traffic profiles, packets with higher priority are sent first. Packets with the same priority have the same chance of being forwarded.
Examples
# Set the traffic priority to 7 for traffic profile profile1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] profile name profile1
[Sysname-traffic-policy-profile-profile1] traffic-priority 7
Related commands
profile name
user
Use user to configure a username as a match criterion.
Use undo user to delete a username match criterion.
Syntax
user user-name [ domain domain-name ]
undo user user-name [ domain domain-name ]
Default
No username is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
user-name: Specifies a username, a case-insensitive string of 1 to 55 characters. The username cannot be a, al, or all, and cannot contain the following special characters: backslashes (\), vertical bars (|), slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).
domain domain-name: Matches the user in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The identity domain name cannot contain the following special characters: backslashes (\), vertical bars (|), slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@). If you do not specify this option, the system matches the user among users that do not belong to any identity domain. For more information about identity domains, see user identification in Security Configuration Guide.
Usage guidelines
A username corresponds to changing IP addresses. This command implements per-user bandwidth management and facilitates bandwidth management for mobile Internet users whose IP addresses change.
Examples
# Configure username managers as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] user managers
# Configure username user1 in identity domain dpi as a match criterion in traffic rule myrule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name myrule
[Sysname-traffic-policy-rule-myrule] user user1 domain dpi
Related commands
local-user (Security Command Reference)
user-identity enable (Security Command Reference)
user-identity static-user (Security Command Reference)
user-group
Use user-group to configure a user group as a match criterion.
Use undo user-group to delete a user group match criterion.
Syntax
user-group user-group-name [ domain domain-name ]
undo user-group user-group-name [ domain domain-name ]
Default
No user group is used as a match criterion.
Views
Traffic rule view
Predefined user roles
network-admin
Parameters
user-group-name: Specifies a user group by its name, a case-insensitive string of 1 to 200 characters.
domain domain-name: Matches the user group in an identity domain. The domain-name argument represents the identity domain name, a case-insensitive string of 1 to 255 characters. The identity domain name cannot contain the following special characters: backslashes (\), vertical bars (|), slashes (/), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@). If you do not specify this option, the system matches the user group among user groups that do not belong to any identity domain. For more information about identity domains, see user identification in Security Configuration Guide.
Usage guidelines
A user group corresponds to changing IP addresses. This command implements per-user-group bandwidth management and facilitates bandwidth management for mobile Internet users whose IP addresses change.
Examples
# Configure user group mak as a match criterion in traffic rule rule1.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name rule1
[Sysname-traffic-policy-rule-rule1] user-group mak
# Configure user group usergroup1 in identity domain dpi as a match criterion in traffic rule myrule.
<Sysname> system-view
[Sysname] traffic-policy
[Sysname-traffic-policy] rule name myrule
[Sysname-traffic-policy-rule-myrule] user-group usergroup1 domain dpi
Related commands
user-group (Security Command Reference)
user-identity enable (Security Command Reference)