CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Using Layer 2 ACLs in QoS to Implement Traffic Policing

Networking Requirements

As shown in Figure 4-21, voice, video, and data services on the LAN of the enterprise belong to VLAN10, VLAN20, and VLAN30 respectively. The services are transmitted to Eth2/0/0 of RouterA through the switch, and are then transmitted to the WAN through GE3/0/0 of RouterA.

Flow-based traffic policing needs to be performed for different service packets on RouterA to limit the rate of each service flow within a proper range, so that bandwidth can be ensured for each service. Interface-based traffic policing needs to be performed for all incoming traffic on Eth2/0/0 so that the total traffic rate of the enterprise is limited within a proper range.

Figure 4-21  Networking diagram of traffic policing

Configuration Roadmap

The following configurations are performed on RouterA. The configuration roadmap is as follows:
  1. Create VLANs and VLANIF interfaces on RouterA and configure physical interfaces to ensure that enterprise users can access the WAN through RouterA.
  2. Configure traffic classifiers on RouterA to classify packets based on VLAN IDs.
  3. Configure traffic behaviors on RouterA to perform traffic policing for different service flows from the enterprise.
  4. Configure a traffic policy on RouterA, associate the traffic behaviors with traffic classifiers in the traffic policy, and apply the traffic policy to the inbound direction of the interface on RouterA connected to the switch.
  5. Configure interface-based traffic policing in the inbound direction of the interface on RouterA connected to the switch to limit the rate of all the packets.

Procedure

  1. Configure VLANs and interfaces.

    # Create VLAN10, VLAN20, and VLAN30 on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] vlan batch 10 20 30
    

    # Configure Eth2/0/0 as a trunk interface and allow packets from VLAN10, VLAN20, and VLAN30 to pass through.

    [RouterA] interface ethernet 2/0/0
    [RouterA-Ethernet2/0/0] port link-type trunk
    [RouterA-Ethernet2/0/0] port trunk allow-pass vlan 10 20 30
    [RouterA-Ethernet2/0/0] quit
    
    NOTE:

    Configure the interface on the switch connected to RouterA as a trunk interface and allow packets from VLAN 10, VLAN 20, and VLAN 30 to pass through.

    # Create VLANIF10, VLANIF20, and VLANIF30, and assign IP addresses 192.168.1.1/24, 192.168.2.1/24, and 192.168.3.1/24 to VLANIF 10, VLANIF20, and VLANIF30 respectively.

    [RouterA] interface vlanif 10
    [RouterA-Vlanif10] ip address 192.168.1.1 24
    [RouterA-Vlanif10] quit
    [RouterA] interface vlanif 20
    [RouterA-Vlanif20] ip address 192.168.2.1 24
    [RouterA-Vlanif20] quit
    [RouterA] interface vlanif 30
    [RouterA-Vlanif30] ip address 192.168.3.1 24
    [RouterA-Vlanif30] quit
    

    # Set the IP address of GE3/0/0 to 192.168.4.1/24.

    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] undo portswitch
    [RouterA-GigabitEthernet3/0/0] ip address 192.168.4.1 24
    [RouterA-GigabitEthernet3/0/0] quit
    

    # Configure RouterB and ensure that there are reachable routes between RouterB and RouterA.

  2. Configure traffic classifiers.

    # Configure traffic classifiers c1, c2, and c3 on RouterA to match different service flows from the enterprise based on VLAN IDs.

    [RouterA] traffic classifier c1
    [RouterA-classifier-c1] if-match vlan-id 10
    [RouterA-classifier-c1] quit
    [RouterA] traffic classifier c2
    [RouterA-classifier-c2] if-match vlan-id 20
    [RouterA-classifier-c2] quit
    [RouterA] traffic classifier c3
    [RouterA-classifier-c3] if-match vlan-id 30
    [RouterA-classifier-c3] quit
    

  3. Configure traffic behaviors.

    # Create traffic behaviors b1, b2, and b3 on RouterA to perform traffic policing for different service flows from the enterprise.

    [RouterA] traffic behavior b1
    [RouterA-behavior-b1] car cir 256
    [RouterA-behavior-b1] statistic enable
    [RouterA-behavior-b1] quit
    [RouterA] traffic behavior b2
    [RouterA-behavior-b2] car cir 4000
    [RouterA-behavior-b2] statistic enable
    [RouterA-behavior-b2] quit
    [RouterA] traffic behavior b3
    [RouterA-behavior-b3] car cir 2000
    [RouterA-behavior-b3] statistic enable
    [RouterA-behavior-b3] quit
    

  4. Configure a traffic policy and apply the traffic policy to Eth2/0/0.

    # Create a traffic policy p1 on RouterA, associate the traffic behaviors with traffic classifiers in the traffic policy, and apply the traffic policy to Eth2/0/0 in the inbound direction.

    [RouterA] traffic policy p1
    [RouterA-trafficpolicy-p1] classifier c1 behavior b1
    [RouterA-trafficpolicy-p1] classifier c2 behavior b2
    [RouterA-trafficpolicy-p1] classifier c3 behavior b3
    [RouterA-trafficpolicy-p1] quit
    [RouterA] interface ethernet 2/0/0
    [RouterA-Ethernet2/0/0] traffic-policy p1 inbound
    

  5. Configure interface-based traffic policing.

    # Configure interface-based traffic policing in the inbound direction of Eth2/0/0 on RouterA to limit the total traffic rate of the enterprise within a proper range.

    [RouterA-Ethernet2/0/0] qos car inbound cir 10000
    [RouterA-Ethernet2/0/0] quit
    

  6. Verify the configuration.

    # View the traffic classifier configuration.

    [RouterA] display traffic classifier user-defined
      User Defined Classifier Information:                                          
       Classifier: c2                                                               
        Operator: OR                                                                
        Rule(s) :
         if-match vlan-id 20                                               
       Classifier: c3                                                               
        Operator: OR                                                                
        Rule(s) : 
         if-match vlan-id 30                                               
       Classifier: c1                                                               
        Operator: OR                                                                
        Rule(s) : 
         if-match vlan-id 10                                               
    

    # View the traffic policy configuration.

    [RouterA] display traffic policy user-defined
      User Defined Traffic Policy Information:                                      
      Policy: p1                                                                    
       Classifier: c1                                                               
        Operator: OR                                                                
         Behavior: b1                                                               
          Committed Access Rate:                                                    
            CIR 256 (Kbps), PIR 0 (Kbps), CBS 48128 (byte), PBS 80128 (byte)        
            Color Mode: color Blind                                                 
            Conform Action: pass                                                    
            Yellow  Action: pass                                                    
            Exceed  Action: discard                                                 
          statistic: enable                                                         
                                                                                    
       Classifier: c2                                                               
        Operator: OR                                                                
         Behavior: b2                                                               
          Committed Access Rate:                                                    
            CIR 4000 (Kbps), PIR 0 (Kbps), CBS 752000 (byte), PBS 1252000 (byte)    
            Color Mode: color Blind                                                 
            Conform Action: pass                                                    
            Yellow  Action: pass                                                    
            Exceed  Action: discard                                                 
          statistic: enable                                                         
                                                                                    
       Classifier: c3                                                               
        Operator: OR                                                                
         Behavior: b3                                                               
          Committed Access Rate:                                                    
            CIR 2000 (Kbps), PIR 0 (Kbps), CBS 376000 (byte), PBS 626000 (byte)     
            Color Mode: color Blind                                                 
            Conform Action: pass                                                    
            Yellow  Action: pass                                                    
            Exceed  Action: discard                                                 
          statistic: enable                                                         
                                                                                    

    # View the traffic policy statistics on Eth2/0/0.

    [RouterA] display traffic policy statistics interface ethernet 2/0/0 inbound
                                                                                    
     Interface: Ethernet2/0/0
     Traffic policy inbound: p1                                                     
     Rule number: 3                                                                 
     Current status: OK!                                                            
    Item                     Sum(Packets/Bytes)               Rate(pps/bps)         
    ------------------------------------------------------------------------------- 
    Matched                            0/0                           0/0       
      Passed                           0/0                           0/0        
      Dropped                          0/0                           0/0        
        Filter                         0/0                           0/0            
        CAR                            0/0                           0/0        
      Queue Matched                    0/0                           0/0            
        Enqueued                       0/0                           0/0            
        Discarded                      0/0                           0/0            
      CAR                              0/0                           0/0  
        Green packets                  0/0                           0/0       
        Yellow packets                 0/0                           0/0            
        Red packets                    0/0                           0/0   
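    The CAR parameters shown in the display output above (CIR, CBS, PBS, green/yellow pass, red discard) can be modeled with a two-bucket policer. The following is an added example, not Huawei's implementation or code from this guide: it is modeled on the RFC 2697 single-rate three-color marker in color-blind mode, and the 188x/313x CBS/PBS relation it uses is inferred from the values this page prints for behaviors b1, b2 and b3 (the device's exact bucket arithmetic is not described on this page). It runs a constructed packet trace through behavior b1 and produces the same kind of counters as `display traffic policy statistics`.

```python
"""Token-bucket model of 'car cir' policing (constructed example, not the
device's implementation).  Committed bucket of CBS bytes, excess bucket of
PBS bytes, both refilled at CIR; green and yellow pass, red is discarded."""
from collections import Counter


def default_burst_sizes(cir_kbps):
    """CBS/PBS as the page's output shows them when only 'car cir' is set
    (256 -> 48128/80128, 4000 -> 752000/1252000, 2000 -> 376000/626000).
    The 188x and 313x factors are inferred from those values (assumption)."""
    return 188 * cir_kbps, 313 * cir_kbps


class CarPolicer:
    def __init__(self, cir_kbps, cbs=None, pbs=None):
        if cbs is None or pbs is None:
            cbs, pbs = default_burst_sizes(cir_kbps)
        self.cir_kbps, self.cbs, self.pbs = cir_kbps, cbs, pbs
        self.tc, self.te = cbs, pbs      # both buckets start full
        self.last_ms = 0
        self.stats = Counter()           # per-color and passed/dropped counters

    def _refill(self, now_ms):
        # 1 kbit/s = 1/8 byte per ms; integer floor is a simplification
        tokens = (now_ms - self.last_ms) * self.cir_kbps // 8
        self.last_ms = now_ms
        new_tc = self.tc + tokens
        overflow = max(0, new_tc - self.cbs)  # surplus spills into excess bucket
        self.tc = min(self.cbs, new_tc)
        self.te = min(self.pbs, self.te + overflow)

    def police(self, now_ms, length):
        """Colors one packet, applies pass/discard and updates the counters."""
        self._refill(now_ms)
        if length <= self.tc:
            self.tc -= length
            color = "green"
        elif length <= self.te:
            self.te -= length
            color = "yellow"
        else:
            color = "red"
        outcome = "dropped" if color == "red" else "passed"
        self.stats[color] += 1
        self.stats[outcome] += 1
        self.stats[outcome + "_bytes"] += length
        return outcome


def run_trace(policer, trace):
    """trace: iterable of (time_ms, length_bytes). Returns the counters."""
    for t_ms, length in trace:
        policer.police(t_ms, length)
    return dict(policer.stats)


# Constructed trace for behavior b1 (car cir 256): a 100-frame burst of
# 1500-byte frames at t=0, two seconds of silence, then a 50-frame burst.
TRACE = [(0, 1500)] * 100 + [(2000, 1500)] * 50


def b1_demo():
    return run_trace(CarPolicer(256), TRACE)


if __name__ == "__main__":
    print(b1_demo())
```

With CIR 256 kbit/s the first burst uses the whole committed bucket (32 green frames) and most of the excess bucket (53 yellow frames) before 15 frames are dropped; the second burst, after only 64000 bytes of refill, passes 43 and drops 7.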

Configuration Files

  • RouterA configuration file
    #
     sysname RouterA
    #                                                                               
    vlan batch 10 20 30
    #                                                                               
    traffic classifier c1 operator or
     if-match vlan-id 10
    traffic classifier c2 operator or
     if-match vlan-id 20
    traffic classifier c3 operator or
     if-match vlan-id 30
    #                                                                               
    traffic behavior b1
     car cir 256 cbs 48128 pbs 80128 green pass yellow pass red discard
     statistic enable
    traffic behavior b2
     car cir 4000 cbs 752000 pbs 1252000 green pass yellow pass red discard
     statistic enable
    traffic behavior b3
     car cir 2000 cbs 376000 pbs 626000 green pass yellow pass red discard
     statistic enable
    #                                                                               
    traffic policy p1
     classifier c1 behavior b1
     classifier c2 behavior b2
     classifier c3 behavior b3
    #                                                                               
    interface Vlanif10
     ip address 192.168.1.1 255.255.255.0
    #                                                                               
    interface Vlanif20
     ip address 192.168.2.1 255.255.255.0
    #                                                                               
    interface Vlanif30
     ip address 192.168.3.1 255.255.255.0
    #                                                                               
    interface Ethernet2/0/0
     port link-type trunk
     port trunk allow-pass vlan 10 20 30
     qos car inbound cir 10000
     traffic-policy p1 inbound
    #                                                                               
    interface GigabitEthernet3/0/0
     undo portswitch
     ip address 192.168.4.1 255.255.255.0
    #                                                                               
    return
Updated: 2019-05-25

Document ID: EDOC1000097287
