
Configuration Guide - QoS

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes the configurations of QoS functions, including MQC, priority mapping, traffic policing, traffic shaping, interface-based rate limiting, congestion avoidance, congestion management, packet filtering, redirection, traffic statistics, and ACL-based simplified traffic policy.

Example for Configuring ACL-based Redirection

Networking Requirements

In Figure 12-2, servers in the service area need to access the Internet. The data and video servers in the service area connect to the gateway router through access switch SwitchB and core switch SwitchA, and communicate with the Internet through the gateway router.

To protect the network and enterprise data, the enterprise wants to ensure the security of all traffic from the Internet to the servers.

Figure 12-2 Networking for configuring redirection

Configuration Roadmap

  • Connect SwitchA to the core firewall in bypass mode to filter traffic.
  • Because traffic entering the firewall is Layer 2 traffic, configure redirection on the device so that all traffic from the Internet is sent to the firewall.
  • Configure Layer 2 port isolation on the interface of SwitchA connected to the firewall to prevent loops, and disable MAC address learning to prevent MAC address flapping.

Procedure

  1. Create VLANs and configure interfaces to ensure Layer 2 connectivity.

    # Create VLAN 100 and VLAN 200 on SwitchB.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] vlan batch 100 200
    [*HUAWEI] commit

    # Configure 10GE1/0/2 and 10GE1/0/3 on SwitchB as access interfaces, add 10GE1/0/2 to VLAN 200, and add 10GE1/0/3 to VLAN 100. Then configure 10GE1/0/1 as a trunk interface and add 10GE1/0/1 to VLAN 100 and VLAN 200.

    [~SwitchB] interface 10ge 1/0/2
    [~SwitchB-10GE1/0/2] port link-type access
    [*SwitchB-10GE1/0/2] port default vlan 200
    [*SwitchB-10GE1/0/2] quit
    [*SwitchB] interface 10ge 1/0/3
    [*SwitchB-10GE1/0/3] port link-type access
    [*SwitchB-10GE1/0/3] port default vlan 100
    [*SwitchB-10GE1/0/3] quit
    [*SwitchB] interface 10ge 1/0/1
    [*SwitchB-10GE1/0/1] port link-type trunk
    [*SwitchB-10GE1/0/1] port trunk allow-pass vlan 100 200
    [*SwitchB-10GE1/0/1] quit
    [*SwitchB] commit

    # Create VLAN 100 and VLAN 200 on SwitchA.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] vlan batch 100 200
    [*HUAWEI] commit

    # Configure 10GE1/0/1, 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4 on SwitchA as trunk interfaces and add them to VLAN 100 and VLAN 200. Add 10GE1/0/3 and 10GE1/0/4 to the same Layer 2 port isolation group. Then disable MAC address learning on 10GE1/0/4 to prevent MAC address flapping.

    [~SwitchA] interface 10ge 1/0/1
    [~SwitchA-10GE1/0/1] port link-type trunk
    [*SwitchA-10GE1/0/1] port trunk allow-pass vlan 100 200
    [*SwitchA-10GE1/0/1] quit
    [*SwitchA] interface 10ge 1/0/2
    [*SwitchA-10GE1/0/2] port link-type trunk
    [*SwitchA-10GE1/0/2] port trunk allow-pass vlan 100 200
    [*SwitchA-10GE1/0/2] quit
    [*SwitchA] interface 10ge 1/0/3
    [*SwitchA-10GE1/0/3] port link-type trunk
    [*SwitchA-10GE1/0/3] port trunk allow-pass vlan 100 200
    [*SwitchA-10GE1/0/3] port-isolate enable group 1
    [*SwitchA-10GE1/0/3] quit
    [*SwitchA] interface 10ge 1/0/4
    [*SwitchA-10GE1/0/4] port link-type trunk
    [*SwitchA-10GE1/0/4] port trunk allow-pass vlan 100 200
    [*SwitchA-10GE1/0/4] port-isolate enable group 1
    [*SwitchA-10GE1/0/4] mac-address learning disable
    [*SwitchA-10GE1/0/4] quit
    [*SwitchA] commit

  2. Configure ACL-based redirection so that the firewall filters traffic.

    # Configure Layer 2 ACL 4001 to match all forwarded packets in VLAN 100 and VLAN 200.
    [~SwitchA] acl 4001
    [*SwitchA-acl-L2-4001] rule permit vlan 100
    [*SwitchA-acl-L2-4001] rule permit vlan 200
    [*SwitchA-acl-L2-4001] quit
    [*SwitchA] commit
    # Configure redirection to a specified interface in the inbound direction of 10GE1/0/1 on SwitchA.
    [~SwitchA] interface 10ge 1/0/1
    [~SwitchA-10GE1/0/1] traffic-redirect acl 4001 interface 10ge 1/0/3 inbound
    [*SwitchA-10GE1/0/1] quit
    [*SwitchA] commit

  3. Check the traffic policy application record.

    [~SwitchA] display traffic-policy applied-record
    Total records : 1                                                               
    ------------------------------------------------------------------------------- 
    Policy Type/Name                 Apply Parameter           Slot     State       
    ------------------------------------------------------------------------------- 
    traffic-redirect                 10GE1/0/1 inbound            1     success     
    ------------------------------------------------------------------------------- 
    

Configuration Files

  • SwitchA configuration file
    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    acl number 4001  
     rule 5 permit vlan 100
     rule 10 permit vlan 200
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
     traffic-redirect acl 4001 interface 10GE1/0/3 inbound
    #
    interface 10GE1/0/2
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface 10GE1/0/3
     port link-type trunk
     port trunk allow-pass vlan 100 200
     port-isolate enable group 1
    #
    interface 10GE1/0/4
     port link-type trunk
     port trunk allow-pass vlan 100 200
     port-isolate enable group 1
     mac-address learning disable
    #
    return
    
  • SwitchB configuration file
    #
    sysname SwitchB
    #
    vlan batch 100 200
    #
    interface 10GE1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface 10GE1/0/2
     port default vlan 200
    #
    interface 10GE1/0/3
     port default vlan 100
    #
    return
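
A check for the safeguards this example depends on, as an added Python example that is not part of the original guide or any Huawei tooling: it parses a SwitchA-style configuration file and reports a redirect that references an undefined ACL, a redirect target that is not in the same port isolation group as the return interface, or MAC address learning left enabled on the return interface. The helper names `parse` and `audit` are hypothetical, and treating 10GE1/0/4 as the interface on which the firewall returns traffic is an assumption.

```python
import re

# Abridged from the SwitchA configuration file on this page (unrelated lines omitted).
SWITCHA_CFG = """\
acl number 4001
 rule 5 permit vlan 100
 rule 10 permit vlan 200
#
interface 10GE1/0/1
 port trunk allow-pass vlan 100 200
 traffic-redirect acl 4001 interface 10GE1/0/3 inbound
#
interface 10GE1/0/3
 port trunk allow-pass vlan 100 200
 port-isolate enable group 1
#
interface 10GE1/0/4
 port trunk allow-pass vlan 100 200
 port-isolate enable group 1
 mac-address learning disable
"""
REDIRECT = re.compile(r"traffic-redirect acl (\d+) interface (\S+) inbound")

def parse(cfg):
    """Split a configuration file into {stanza header: [body lines]} at '#' lines."""
    stanzas = {}
    for block in re.split(r"^#[ \t]*$", cfg, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            stanzas[lines[0]] = lines[1:]
    return stanzas

def audit(cfg, return_if):
    """Return findings ([] = safeguards present). return_if: assumed firewall return port."""
    st, findings = parse(cfg), []
    def group(ifname):  # the port-isolate line of an interface, or None
        body = st.get("interface " + ifname, [])
        return next((ln for ln in body if ln.startswith("port-isolate enable")), None)
    for hdr, body in st.items():
        for m in filter(None, (REDIRECT.match(ln) for ln in body)):
            acl, target = m.groups()
            if "acl number " + acl not in st:
                findings.append(f"{hdr}: ACL {acl} is not defined")
            if group(target) is None or group(target) != group(return_if):
                findings.append(f"{target} and {return_if} are not in the same port isolation group")
    if "mac-address learning disable" not in st.get("interface " + return_if, []):
        findings.append(f"{return_if}: MAC address learning is still enabled")
    return findings
```

Calling `audit(SWITCHA_CFG, "10GE1/0/4")` on the configuration above returns an empty list; each missing safeguard adds one finding.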
    
Updated: 2019-03-21

Document ID: EDOC1000166640
