
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This section provides configuration examples of packet filtering.

Example for Configuring Packet Filtering

Networking Requirements

As shown in Figure 13-34, the campus and server are located in different places, so they need to communicate with each other through the Internet.

The PC in the multimedia room must be able to connect only to the FTP server, while the PC in the teachers' office must be able to connect to the FTP server or the Internet.

Figure 13-34 Networking for configuring packet filtering

Configuration Roadmap
  1. Configure the device to differentiate traffic sent from the web server to the PC in the multimedia room according to source and destination IP addresses.
  2. Configure the device to discard traffic sent from the web server to the PC in the multimedia room so that the PC in the multimedia room can access only the FTP server.

Procedure

  1. Create VLANs and configure interfaces.

    # Create VLAN 100 and VLAN 200.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleB
    [*HUAWEI] commit
    [~Switch ModuleB] vlan batch 100 200
    [*Switch ModuleB] commit
    

    # 10GE1/17/2 and 10GE1/17/3 on Switch ModuleB are access interfaces by default. Add 10GE1/17/2 to VLAN 100 and 10GE1/17/3 to VLAN 200, then configure 10GE1/17/1 as a trunk interface and add it to VLAN 100 and VLAN 200.

    [~Switch ModuleB] interface 10ge 1/17/1
    [~Switch ModuleB-10GE1/17/1] port link-type trunk
    [*Switch ModuleB-10GE1/17/1] port trunk allow-pass vlan 100 200
    [*Switch ModuleB-10GE1/17/1] quit
    [*Switch ModuleB] interface 10ge 1/17/2
    [*Switch ModuleB-10GE1/17/2] port default vlan 100
    [*Switch ModuleB-10GE1/17/2] quit
    [*Switch ModuleB] interface 10ge 1/17/3
    [*Switch ModuleB-10GE1/17/3] port default vlan 200
    [*Switch ModuleB-10GE1/17/3] quit
    [*Switch ModuleB] commit
    

  2. Configure an ACL rule.

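    # Create ACL 3001 on Switch ModuleB to match flows with source IP address 192.168.4.1 and destination IP address 192.168.2.1, that is, flows sent from the web server to the PC in the multimedia room. Because the rule is entered with a mask length of 24, it matches the whole 192.168.4.0/24 and 192.168.2.0/24 subnets, as the display acl output in the verification step shows.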

    [~Switch ModuleB] acl 3001
    [*Switch ModuleB-acl4-advance-3001] rule permit ip destination 192.168.2.1 24 source 192.168.4.1 24
    [*Switch ModuleB-acl4-advance-3001] quit
    [*Switch ModuleB] commit

  3. Configure a traffic classifier.

    # Create a traffic classifier c1 on Switch ModuleB and reference ACL 3001 in the traffic classifier.

    [~Switch ModuleB] traffic classifier c1
    [*Switch ModuleB-classifier-c1] if-match acl 3001
    [*Switch ModuleB-classifier-c1] quit
    [*Switch ModuleB] commit

  4. Configure a traffic behavior.

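    # Configure a traffic behavior b1 on Switch ModuleB and define the deny action. The permit rule in ACL 3001 only selects the traffic; the deny action in the behavior is what discards it.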

    [~Switch ModuleB] traffic behavior b1
    [*Switch ModuleB-behavior-b1] deny
    [*Switch ModuleB-behavior-b1] quit
    [*Switch ModuleB] commit

  5. Configure a traffic policy and apply the traffic policy to 10GE1/17/1 in the outbound direction.

    # Create a traffic policy p1 on Switch ModuleB and bind the traffic policy to the traffic classifier and traffic behavior.

    [~Switch ModuleB] traffic policy p1
    [*Switch ModuleB-trafficpolicy-p1] classifier c1 behavior b1
    [*Switch ModuleB-trafficpolicy-p1] quit
    [*Switch ModuleB] commit

    # Apply the traffic policy p1 to 10GE1/17/1 in the outbound direction.

    [~Switch ModuleB] interface 10ge 1/17/1
    [~Switch ModuleB-10GE1/17/1] traffic-policy p1 outbound
    [*Switch ModuleB-10GE1/17/1] quit
    [*Switch ModuleB] commit
    [~Switch ModuleB] quit

  6. Verify the configuration.

    # View the ACL rule configuration.

    <Switch ModuleB> display acl 3001
    Advanced ACL 3001, 1 rule
    ACL's step is 5
     rule 5 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 (0 times matched)


    # View the traffic classifier configuration.

    <Switch ModuleB> display traffic classifier c1
      Traffic Classifier Information:
        Classifier: c1
          Type: OR
          Rule(s):
            if-match acl 3001

    # View the traffic policy configuration.

    <Switch ModuleB> display traffic policy p1
      Traffic Policy Information:
        Policy: p1
          Classifier: c1
            Type: OR
          Behavior: b1
            Deny

Configuration Files
  • Configuration file of Switch ModuleB
    #
    sysname Switch ModuleB
    #
    vlan batch 100 200
    #
    acl number 3001
     rule 5 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
    # 
    traffic classifier c1 type or
     if-match acl 3001
    #
    traffic behavior b1
     deny
    #
    traffic policy p1
     classifier c1 behavior b1 precedence 5 
    #
    interface 10GE1/17/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
     traffic-policy p1 outbound
    #
    interface 10GE1/17/2
     port default vlan 100
    #
    interface 10GE1/17/3
     port default vlan 200
    #
    return
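
To check offline which flows this configuration discards, the Python sketch below follows the chain interface -> traffic policy -> classifier and behavior -> ACL over an excerpt of the configuration file above. It is an added example, not part of the Huawei guide; it models only the constructs that appear in this file (permit rules with wildcard masks, a deny behavior), and the function names and the `forward` verdict are assumptions of the example.

```python
import ipaddress
import re

# Excerpt of the Switch ModuleB configuration file on this page ("#" separators omitted).
CONFIG = """\
acl number 3001
 rule 5 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
traffic classifier c1 type or
 if-match acl 3001
traffic behavior b1
 deny
traffic policy p1
 classifier c1 behavior b1 precedence 5
interface 10GE1/17/1
 traffic-policy p1 outbound
"""
RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def parse(config):
    """Map each section header (its first three words) to its indented body lines."""
    sections, body = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and body is not None:
            body.append(line.strip())
        elif line.strip() not in ("", "#"):
            body = sections.setdefault(" ".join(line.split()[:3]), [])
    return sections

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: only bits that are 0 in the wildcard are compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care) == 0

def acl_selects(sections, acl, src, dst):
    """True if a permit rule of the ACL selects the src -> dst flow."""
    hits = (RULE.fullmatch(r) for r in sections.get(f"acl number {acl}", []))
    return any(m and wildcard_match(src, m[1], m[2]) and wildcard_match(dst, m[3], m[4]) for m in hits)

def verdict(sections, iface, direction, src, dst):
    """Return "deny" if a policy applied on iface in this direction discards the flow."""
    for line in sections.get(f"interface {iface}", []):
        m = re.fullmatch(rf"traffic-policy (\S+) {direction}", line)
        for binding in (sections.get(f"traffic policy {m[1]}", []) if m else []):
            _, cls, _, beh = binding.split()[:4]
            acls = [l.split()[-1] for l in sections.get(f"traffic classifier {cls}", [])]
            drops = "deny" in sections.get(f"traffic behavior {beh}", [])
            if drops and any(acl_selects(sections, a, src, dst) for a in acls):
                return "deny"
    return "forward"
```

Evaluated against the page's rule, any host in 192.168.4.0/24 sending to any host in 192.168.2.0/24 is discarded outbound on 10GE1/17/1, not only the single server-to-PC pair.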
    
Updated: 2019-08-09

Document ID: EDOC1000041694
