Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Using Layer 2 ACLs in QoS to Implement Traffic Policing

Networking Requirements

Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN 100 respectively.

Traffic policing needs to be configured on the Switch to police packets of different services so that traffic is limited within a proper range and bandwidth of each service is guaranteed.

Table 1-31 describes QoS required by different services.

Table 1-31  QoS guarantee for uplink traffic on the Switch

Traffic Type    CIR (kbit/s)    PIR (kbit/s)
Voice           2000            10000
Video           4000            10000
Data            4000            10000

Figure 1-20  Networking of traffic policing

Configuration Roadmap

The configuration roadmap is as follows:
  1. Create VLANs and configure interfaces so that the enterprise can access the network through the Switch.
  2. Configure ACLs on the Switch to match services from different VLANs.
  3. Configure ACL-based traffic policing on the Switch to limit different packets from the enterprise.

Procedure

  1. Create VLANs and configure interfaces.

    # Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100 110 120

    # Configure GE1/0/1 and GE2/0/1 as trunk interfaces, and add GE1/0/1 and GE2/0/1 to VLAN 100, VLAN 110, and VLAN 120.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 110 120
    [Switch-GigabitEthernet2/0/1] quit

  2. Configure ACLs.

    # Configure Layer 2 ACLs on the Switch to classify different service flows from the enterprise based on the VLAN ID.

    [Switch] acl 4001
    [Switch-acl-L2-4001] rule 1 permit vlan-id 120
    [Switch-acl-L2-4001] quit
    [Switch] acl 4002
    [Switch-acl-L2-4002] rule 1 permit vlan-id 110
    [Switch-acl-L2-4002] quit
    [Switch] acl 4003
    [Switch-acl-L2-4003] rule 1 permit vlan-id 100
    [Switch-acl-L2-4003] quit

  3. Configure traffic policing.

    # Configure traffic policing in the inbound direction of GE1/0/1 on the Switch to limit different packets from the enterprise.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-limit inbound acl 4001 cir 2000 pir 10000
    [Switch-GigabitEthernet1/0/1] traffic-limit inbound acl 4002 cir 4000 pir 10000
    [Switch-GigabitEthernet1/0/1] traffic-limit inbound acl 4003 cir 4000 pir 10000
    [Switch-GigabitEthernet1/0/1] quit

  4. Verify the configuration.

    # Check information about ACLs and actions on the interface in the inbound direction.

    [Switch] display traffic-applied interface gigabitethernet 1/0/1 inbound
    -----------------------------------------------------------
    ACL applied inbound interface GigabitEthernet1/0/1

    ACL 4001
     rule 1 permit vlan-id 120
    ACTIONS:
     limit cir 2000 ,cbs 250000
           pir 10000 ,pbs 1250000
           green : pass
           yellow : pass
           red : drop
    -----------------------------------------------------------

    ACL 4002
     rule 1 permit vlan-id 110
    ACTIONS:
     limit cir 4000 ,cbs 500000
           pir 10000 ,pbs 1250000
           green : pass
           yellow : pass
           red : drop
    -----------------------------------------------------------

    ACL 4003
     rule 1 permit vlan-id 100
    ACTIONS:
     limit cir 4000 ,cbs 500000
           pir 10000 ,pbs 1250000
           green : pass
           yellow : pass
           red : drop
    -----------------------------------------------------------
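As an added illustration (not part of Huawei's documentation), the following Python model shows what the policers configured above do to traffic: each ACL maps a VLAN to a two-rate three-color marker with the CIR/PIR values from Table 1-31, the CBS/PBS defaults are derived exactly as the display output shows (cbs = cir x 125 bytes, pbs = pir x 125 bytes, i.e. one second of each rate), and packets are colored green/yellow/red and passed or dropped per the ACTIONS lines. The packet sizes and timestamps are constructed sample input; the class and function names are this example's own.

```python
"""Model of the traffic-limit policers on GE1/0/1 (two-rate three-color marker).
Example code written for this page; rates in kbit/s, bursts in bytes."""

# acl -> (matched vlan-id, cir, pir), taken from the configuration above
POLICERS = {4001: (120, 2000, 10000), 4002: (110, 4000, 10000), 4003: (100, 4000, 10000)}
# color -> action, as shown in 'display traffic-applied'
ACTIONS = {"green": "pass", "yellow": "pass", "red": "drop"}


def default_burst(rate_kbps):
    """cbs/pbs default seen in the display output: rate x 125 bytes
    (one second of traffic at that rate, 1 kbit/s = 125 byte/s)."""
    return rate_kbps * 125


class TrTCM:
    """Two-rate three-color marker with committed (tc) and peak (tp) buckets."""

    def __init__(self, cir, pir, cbs=None, pbs=None):
        self.cir_bytes_s = cir * 125          # kbit/s -> bytes per second
        self.pir_bytes_s = pir * 125
        self.cbs = default_burst(cir) if cbs is None else cbs
        self.pbs = default_burst(pir) if pbs is None else pbs
        self.tc, self.tp, self.last = self.cbs, self.pbs, 0.0   # buckets start full

    def color(self, size, now):
        # refill both buckets for the elapsed time, never above the burst size
        dt, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + self.cir_bytes_s * dt)
        self.tp = min(self.pbs, self.tp + self.pir_bytes_s * dt)
        if size > self.tp:                    # exceeds peak bucket: red
            return "red"
        self.tp -= size
        if size > self.tc:                    # within PIR but above CIR: yellow
            return "yellow"
        self.tc -= size                       # within CIR: green
        return "green"


def build_policers(acl_map=POLICERS):
    """One independent policer per ACL, keyed by the VLAN its rule matches."""
    return {vlan: TrTCM(cir, pir) for vlan, cir, pir in acl_map.values()}


def police(packets, policers):
    """packets: iterable of (time_s, vlan_id, size_bytes). Returns a list of
    (vlan, color, action); VLANs matched by no ACL are forwarded unchanged."""
    out = []
    for t, vlan, size in packets:
        p = policers.get(vlan)
        if p is None:
            out.append((vlan, None, "pass"))
            continue
        c = p.color(size, t)
        out.append((vlan, c, ACTIONS[c]))
    return out
```

With the VLAN 120 policer (cir 2000, cbs 250000, pbs 1250000), a constructed burst of 1000 back-to-back 1500-byte frames yields 166 green, 667 yellow and 167 red (dropped) frames; after one idle second the committed bucket is full again.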

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 100 110 120
#
acl number 4001
 rule 1 permit vlan-id 120
acl number 4002
 rule 1 permit vlan-id 110
acl number 4003
 rule 1 permit vlan-id 100
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 110 120
 traffic-limit inbound acl 4001 cir 2000 pir 10000 cbs 250000 pbs 1250000
 traffic-limit inbound acl 4002 cir 4000 pir 10000 cbs 500000 pbs 1250000
 traffic-limit inbound acl 4003 cir 4000 pir 10000 cbs 500000 pbs 1250000
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 110 120
#
return
Updated: 2019-10-18

Document ID: EDOC1000178319