华为交换机配置通过流策略实现限速示例

2019年10月9日13:50:54 评论 4,924
首月免费体验

简介

流策略中,可以按照ACL对报文进行分类。基于ACL规则定义方式,可以将ACL分为基本ACL、高级ACL、二层ACL等种类。基本ACL根据源IP地址、分片信息和生效时间段等信息来定义规则。对于匹配的流量,在流行为中配置流量监管动作,可以实现限速。

访问控制列表ACL(Access Control List)是由一条或多条规则组成的集合。所谓规则,是指描述报文匹配条件的判断语句,这些条件可以是报文的源地址、目的地址、端口号等。

 

组网需求

所示,公司内部有两个部门,分别属于VLAN 10和VLAN 20。VLAN 10主要是一些服务器,对带宽要求比较高;VLAN 20只有公司员工上网,对带宽要求不是很高。公司从运营商购买的是10Mbit/s的专线。要求VLAN 20中的员工上网的带宽限制为2Mbit/s,最大不能超过4Mbit/s,超过4Mbit/s的流量全部丢弃。

配置思路

采用如下的思路配置针对不同网段用户限速:

  1. 创建VLAN,配置各接口和路由协议,实现公司和外部网络互通。
  2. Switch上配置ACL,匹配指定网段的流量。
  3. Switch上配置流分类,按照ACL对报文进行分类。
  4. Switch上配置流行为,对匹配的流量进行限速。
  5. Switch上配置流策略,绑定流分类和流行为,并应用到与SwitchA相连的GE1/0/1接口的入方向,实现限速。

操作步骤

  1. 创建VLAN,配置各接口和路由协议# 配置Switch。 
    <HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30  //创建VLAN 10、VLAN20、VLAN 30
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk  //设置接口接入类型为trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20  //将接口划分到VLAN 10和VLAN 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access  //设置接口接入类型为access
[Switch-GigabitEthernet1/0/2] port default vlan 30  //将接口划分到VLAN 30
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10  //创建VLANIF接口
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0  //配置VLANIF接口的IP地址,此IP地址为192.168.1.0/24网段的网关
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30  //创建VLANIF接口
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0  //配置VLANIF接口的IP地址,用于与Router互连
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1  //配置静态路由指向外网,实现网络互通

    # 配置SwitchA。

    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20  //创建VLAN 10和VLAN20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access  //设置接口接入类型为access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10  //将接口划分到VLAN 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk  //设置接口接入类型为trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20  //将接口划分到VLAN 10和VLAN 20
[SwitchA-GigabitEthernet1/0/3] quit

    # 配置路由器。

    配置路由器上与Switch相连的接口的IP地址为10.1.20.1/24。

  2. 配置ACL# 在Switch上配置ACL规则,匹配来自192.168.2.0/24网段的流量。 
    [Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] quit
  3. 配置流分类# 在Switch上配置流分类,按照ACL对报文进行分类。 
    [Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit
  4. 配置流行为# 在Switch上配置流行为,对流量进行限速。 
    [Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2048 pir 4096  //配置带宽限制为2Mbit/s,最大不能超过4Mbit/s
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit
  5. 配置流策略并应用到接口# 在Switch上创建流策略,将流分类和对应的流行为进行绑定,并将流策略应用到与SwitchA相连的接口GE1/0/1的入方向上。 
    [Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
  6. 验证配置结果# 查看ACL规则的配置信息。 
    [Switch] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 permit ip source 192.168.2.0 0.0.0.255 (match-counter 0)

    # 查看流策略的配置信息。

    [Switch] display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: AND
     Behavior: b1
      Permit
      Committed Access Rate:
        CIR 2048 (Kbps), PIR 4096 (Kbps), CBS 256000 (byte), PBS 512000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow  Action: pass
        Exceed  Action: discard
      Statistic: enable

    # 查看在接口上应用的流策略信息。当来自192.168.2.0/24网段的报文速率大于4Mbit/s时会出现丢包,该网段报文的速率被限制在4Mbit/s。

    [Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

 Interface:  GigabitEthernet1/0/1
 Traffic policy inbound: p1
 Rule number: 3
 Current status: success
 Statistics interval: 300   
---------------------------------------------------------------------
 Board : 1
---------------------------------------------------------------------
 Matched          |      Packets:                        82,455
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
   Passed         |      Packets:                        53,385
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
   Dropped        |      Packets:                        29,070
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
     Filter       |      Packets:                             0
                  |      Bytes:                               -
--------------------------------------------------------------------- 
     Car          |      Packets:                        29,070
                  |      Bytes:                               -
---------------------------------------------------------------------

配置文件

  • Switch的配置文件 
    #
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
traffic behavior b1
 permit
 car cir 2048 pir 4096 cbs 256000 pbs 512000 mode color-blind green pass yellow pass red discard
 statistic enable
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return
  • SwitchA的配置文件 
    #
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return
历史上的今天
10 月
9
weinxin
博主微信
这是我的微信扫一扫

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: