CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This section provides an example of using MQC to implement redirection.

Example for Configuring Redirection

This example configures redirection so that all traffic sent from the external network to the internal network is forwarded to the firewall.

Networking Requirements

As shown in Figure 13-36, servers in the service area need to access the Internet. The data server and video server in the service area connect to the gateway router through access switch SwitchB and core switch SwitchA and communicate with the Internet through the gateway.

To ensure enterprise data and network security, the customer wants to ensure security of all traffic from the Internet to servers.

Figure 13-36 PBR networking

Configuration Roadmap
  • Connect SwitchA to the core firewall in bypass mode to filter traffic.
  • Configure the device to redirect all traffic from the Internet to the firewall because traffic entering the firewall is Layer 2 traffic.
  • Configure port isolation on the interface of SwitchA connected to the firewall to prevent loops, and disable MAC address learning to prevent MAC address flapping.

Procedure

  1. Create VLANs and configure interfaces to ensure Layer 2 connectivity.

    # Create VLAN 100 and VLAN 200 on Switch ModuleB.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleB
    [*HUAWEI] commit
    [~Switch ModuleB] vlan batch 100 200
    [*Switch ModuleB] commit
    

    # 10GE1/17/2 and 10GE1/17/3 on Switch ModuleB are access interfaces by default. Add 10GE1/17/2 to VLAN 200 and 10GE1/17/3 to VLAN 100, and configure 10GE1/17/1 as a trunk interface and add 10GE1/17/1 to VLAN 100 and VLAN 200.

    [~Switch ModuleB] interface 10ge 1/17/2
    [~Switch ModuleB-10GE1/17/2] port default vlan 200
    [*Switch ModuleB-10GE1/17/2] quit
    [*Switch ModuleB] interface 10ge 1/17/3
    [*Switch ModuleB-10GE1/17/3] port default vlan 100
    [*Switch ModuleB-10GE1/17/3] quit
    [*Switch ModuleB] interface 10ge 1/17/1
    [*Switch ModuleB-10GE1/17/1] port link-type trunk
    [*Switch ModuleB-10GE1/17/1] port trunk allow-pass vlan 100 200
    [*Switch ModuleB-10GE1/17/1] quit
    [*Switch ModuleB] commit

    # Create VLAN 100 and VLAN 200 on Switch ModuleA.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleA
    [*HUAWEI] commit
    [~Switch ModuleA] vlan batch 100 200
    [*Switch ModuleA] commit
    

    # Configure 10GE1/17/1, 10GE1/17/2, 10GE1/17/3, and 10GE1/17/4 on Switch ModuleA as trunk interfaces and add them to VLAN 100 and VLAN 200. Add 10GE1/17/3 and 10GE1/17/4 to the same port isolation group. Disable MAC address learning on 10GE1/17/4 to prevent MAC address flapping.

    [~Switch ModuleA] interface 10ge 1/17/1
    [~Switch ModuleA-10GE1/17/1] port link-type trunk
    [*Switch ModuleA-10GE1/17/1] port trunk allow-pass vlan 100 200
    [*Switch ModuleA-10GE1/17/1] quit
    [*Switch ModuleA] interface 10ge 1/17/2
    [*Switch ModuleA-10GE1/17/2] port link-type trunk
    [*Switch ModuleA-10GE1/17/2] port trunk allow-pass vlan 100 200
    [*Switch ModuleA-10GE1/17/2] quit
    [*Switch ModuleA] interface 10ge 1/17/3
    [*Switch ModuleA-10GE1/17/3] port link-type trunk
    [*Switch ModuleA-10GE1/17/3] port trunk allow-pass vlan 100 200
    [*Switch ModuleA-10GE1/17/3] port-isolate enable group 1
    [*Switch ModuleA-10GE1/17/3] quit
    [*Switch ModuleA] interface 10ge 1/17/4
    [*Switch ModuleA-10GE1/17/4] port link-type trunk
    [*Switch ModuleA-10GE1/17/4] port trunk allow-pass vlan 100 200
    [*Switch ModuleA-10GE1/17/4] port-isolate enable group 1
    [*Switch ModuleA-10GE1/17/4] mac-address learning disable
    [*Switch ModuleA-10GE1/17/4] quit
    [*Switch ModuleA] commit

  2. Configure MQC to implement redirection to an interface.

    # Configure a traffic classifier.

    [~Switch ModuleA] traffic classifier c1
    [*Switch ModuleA-classifier-c1] if-match any
    [*Switch ModuleA-classifier-c1] quit
    [*Switch ModuleA] commit

    # Configure a traffic behavior.

    [~Switch ModuleA] traffic behavior b1
    [*Switch ModuleA-behavior-b1] redirect interface 10ge 1/17/3
    [*Switch ModuleA-behavior-b1] quit
    [*Switch ModuleA] commit

    # Configure a traffic policy.

    [~Switch ModuleA] traffic policy p1
    [*Switch ModuleA-trafficpolicy-p1] classifier c1 behavior b1
    [*Switch ModuleA-trafficpolicy-p1] quit
    [*Switch ModuleA] commit

    # Apply the traffic policy to 10GE1/17/1 on Switch ModuleA in the inbound direction.

    [~Switch ModuleA] interface 10ge 1/17/1
    [~Switch ModuleA-10GE1/17/1] traffic-policy p1 inbound
    [*Switch ModuleA-10GE1/17/1] quit
    [*Switch ModuleA] commit
    [~Switch ModuleA] quit

  3. Verify the configuration.

    # View the traffic classifier configuration.

    <Switch ModuleA> display traffic classifier 
      Traffic Classifier Information:                                                                                                   
        Classifier: c1                                                                                                                  
          Type: OR                                                                                                                      
          Rule(s):                                                                                                                      
            if-match any                                                                                                           
                                                                                                                                        
    Total classifier number is 1  

    # View the traffic behavior configuration.

    <Switch ModuleA> display traffic behavior
      Traffic Behavior Information:                                                                                                     
        Behavior: b1                                                                                                                    
          Redirect:                                                                                                                     
            Redirect interface 10GE1/17/3                                                                                                 
                                                                                                                                        
    Total behavior number is 1   

    # View the traffic policy configuration.

    <Switch ModuleA> display traffic policy
      Traffic Policy Information:                                                                                                       
        Policy: p1                                                                                                                      
          Classifier: c1                                                                                                                
            Type: OR                                                                                                                    
          Behavior: b1                                                                                                                  
            Redirect:                                                                                                                   
              Redirect interface 10GE1/17/3                                                                                              
                                                                                                                                         
    Total policy number is 1  

    # View the traffic policy record.

    <Switch ModuleA> display traffic-policy applied-record
    Total records : 1                                                               
    ------------------------------------------------------------------------------- 
    Policy Name                      Apply Parameter           Slot     State       
    ------------------------------------------------------------------------------- 
    p1                               10GE1/17/1 inbound            1     success     
    ------------------------------------------------------------------------------- 
    

Configuration Files
  • Configuration file of Switch ModuleA
    #
    sysname Switch ModuleA
    #
    vlan batch 100 200
    #
    traffic classifier c1 type or
     if-match any
    #
    traffic behavior b1
     redirect interface 10GE1/17/3
    #
    traffic policy p1
     classifier c1 behavior b1 precedence 5
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
     traffic-policy p1 inbound
    #
    interface 10GE1/17/2
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface 10GE1/17/3
     port link-type trunk
     port trunk allow-pass vlan 100 200
     port-isolate enable group 1
    #
    interface 10GE1/17/4
     port link-type trunk
     port trunk allow-pass vlan 100 200
     port-isolate enable group 1
     mac-address learning disable
    #
    return
    
  • Configuration file of Switch ModuleB
    #
    sysname Switch ModuleB
    #
    vlan batch 100 200
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface 10GE1/17/2
     port default vlan 200
    #
    interface 10GE1/17/3
     port default vlan 100
    #
    return
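
The two safeguards from the configuration roadmap (port isolation on the redirect target and MAC address learning disabled on its isolated peer) can be checked offline against a saved configuration file. The Python audit below is an added example, not part of the Huawei guide: `parse`, `find` and `audit` are hypothetical names, and it assumes the isolated peer port (10GE1/17/4 here) is the one the firewall returns traffic on.

```python
import re

# Constructed sample: the page's Switch ModuleA config, cut to the sections the audit reads.
SAMPLE = """\
traffic behavior b1
 redirect interface 10GE1/17/3
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
#
interface 10GE1/17/1
 traffic-policy p1 inbound
#
interface 10GE1/17/3
 port-isolate enable group 1
#
interface 10GE1/17/4
 port-isolate enable group 1
 mac-address learning disable
"""

def parse(cfg):
    """Map each unindented header line to its section text (header plus body lines)."""
    sections, cur = {}, ""
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = line.strip()
        sections[cur] = sections.get(cur, "") + line.strip() + "\n"
    return sections
find = lambda pat, text: re.findall(pat, text, flags=re.M)  # whole-line matches

def audit(cfg):
    """Findings for inbound redirect targets that lack the roadmap's loop safeguards."""
    s = parse(cfg)
    ifaces = {h.split()[1]: b for h, b in s.items() if h.startswith("interface ")}
    group = lambda b: (find(r"^port-isolate enable group (\d+)$", b) or [None])[0]
    findings = []
    for body in ifaces.values():
        for pol in find(r"^traffic-policy (\S+) inbound$", body):
            for beh in find(r"^classifier \S+ behavior (\S+)", s.get("traffic policy " + pol, "")):
                for tgt in find(r"^redirect interface (\S+)$", s.get("traffic behavior " + beh, "")):
                    grp = group(ifaces.get(tgt, ""))
                    # Assumption: the isolated peer is the port the firewall returns traffic on.
                    peers = [b for n, b in ifaces.items() if n != tgt and group(b) == grp]
                    if grp is None:
                        findings.append(f"{tgt}: redirect target is not in a port isolation group")
                    elif not any("mac-address learning disable" in b for b in peers):
                        findings.append(f"{tgt}: no isolated peer port has MAC learning disabled")
    return findings
```

An empty list from `audit` means every inbound redirect target has both safeguards in place; each string in a non-empty result names the redirect target that is missing one.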
    
Updated: 2019-08-09

Document ID: EDOC1000041694
