S12700 V200R013C00 Configuration Guide - QoS

This document describes the configurations of QoS functions, including MQC, priority mapping, traffic policing, traffic shaping, interface-based rate limiting, congestion avoidance, congestion management, packet filtering, redirection, traffic statistics, ACL-based simplified traffic policy, and HQoS.
Example for Configuring ACL-based Redirection

Networking Requirements

As shown in Figure 9-3, users need to access the Internet. User devices connect to the gateway router through access switch SwitchB and core switch SwitchA and communicate with the Internet through the gateway.

To ensure data and network security, users want all traffic from the Internet to the servers to be secured. Redirection can be configured to send all traffic that travels from the external network to the internal network to the firewall.

Figure 9-3  Networking for configuring redirection

Configuration Roadmap

  • Connect SwitchA to the core firewall in bypass mode to filter traffic.
  • Because traffic entering the firewall is Layer 2 traffic, configure ACL-based redirection on SwitchA to send all traffic from the Internet to the firewall.
  • Configure port isolation on the interfaces of SwitchA connected to the firewall to prevent loops, and disable MAC address learning to prevent MAC address flapping.

Procedure

  1. Create VLANs and configure interfaces to ensure Layer 2 connectivity.

    # Create VLAN 100 and VLAN 200 on SwitchB.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchB
    [SwitchB] vlan batch 100 200
    

    # Configure GE1/0/2 and GE1/0/3 on SwitchB as access interfaces, add GE1/0/2 to VLAN 200 and GE1/0/3 to VLAN 100; configure GE1/0/1 as a trunk interface and add GE1/0/1 to VLAN 100 and VLAN 200.

    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] port link-type access
    [SwitchB-GigabitEthernet1/0/2] port default vlan 200
    [SwitchB-GigabitEthernet1/0/2] quit
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] port link-type access
    [SwitchB-GigabitEthernet1/0/3] port default vlan 100
    [SwitchB-GigabitEthernet1/0/3] quit
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port link-type trunk
    [SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200
    [SwitchB-GigabitEthernet1/0/1] quit
    

    # Create VLAN 100 and VLAN 200 on SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100 200
    

    # Configure GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4 on SwitchA as trunk interfaces and add them to VLAN 100 and VLAN 200. Add GE1/0/3 and GE1/0/4 to the same port isolation group. Disable MAC address learning on GE1/0/4 to prevent MAC address flapping.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type trunk
    [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type trunk
    [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/3] port-isolate enable
    [SwitchA-GigabitEthernet1/0/3] quit
    [SwitchA] interface gigabitethernet 1/0/4
    [SwitchA-GigabitEthernet1/0/4] port link-type trunk
    [SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/4] port-isolate enable
    [SwitchA-GigabitEthernet1/0/4] mac-address learning disable
    [SwitchA-GigabitEthernet1/0/4] quit
    

  2. Configure ACL-based redirection so that the firewall filters traffic.

    # Configure Layer 2 ACL 4001 to match all forwarded packets in VLAN 100 and VLAN 200.
    [SwitchA] acl 4001
    [SwitchA-acl-L2-4001] rule permit vlan-id 100
    [SwitchA-acl-L2-4001] rule permit vlan-id 200
    [SwitchA-acl-L2-4001] quit
    
    # Configure redirection to a specified interface in the inbound direction of GigabitEthernet1/0/1 on SwitchA.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] traffic-redirect inbound acl 4001 interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/1] quit
    

  3. Verify the configuration.

    # Check information about the ACL and action on the interface in the inbound direction.

    [SwitchA] display traffic-applied interface gigabitethernet 1/0/1 inbound
    -----------------------------------------------------------                     
    ACL applied inbound interface GigabitEthernet1/0/1                              
                                                                                    
    ACL 4001                                                                        
     rule 5 permit vlan-id 100                                                      
    ACTIONS:                                                                        
     redirect interface GigabitEthernet1/0/3                                        
    -----------------------------------------------------------                     
                                                                                    
    ACL 4001                                                                        
     rule 10 permit vlan-id 200                                                     
    ACTIONS:                                                                        
     redirect interface GigabitEthernet1/0/3                                        
    ----------------------------------------------------------- 

Configuration Files

  • SwitchA configuration file
    #
    sysname SwitchA
    #
    vlan batch 100 200
    #
    acl number 4001  
     rule 5 permit vlan-id 100
     rule 10 permit vlan-id 200
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
     traffic-redirect inbound acl 4001 interface GigabitEthernet1/0/3
    #
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface GigabitEthernet1/0/3
     port link-type trunk
     port trunk allow-pass vlan 100 200
     port-isolate enable group 1
    #
    interface GigabitEthernet1/0/4
     port link-type trunk
     mac-address learning disable
     port trunk allow-pass vlan 100 200
     port-isolate enable group 1
    #
    return
    
  • SwitchB configuration file
    #
    sysname SwitchB
    #
    vlan batch 100 200
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface GigabitEthernet1/0/2
     port link-type access 
     port default vlan 200
    #
    interface GigabitEthernet1/0/3
     port link-type access
     port default vlan 100
    #
    return
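
The following Python check is an added example, not part of the Huawei guide. It reads a saved SwitchA configuration and reports any VLAN allowed on the redirected trunk that ACL 4001 does not match (such traffic would not be sent to the firewall), a missing shared port isolation group, and MAC address learning left enabled. The function names and the `return_if` parameter (GE1/0/4 here) are assumptions made for the example, and the sample text is the page's SwitchA file, abridged.

```python
import re

# Constructed sample: SwitchA's configuration file from this page, abridged.
SWITCHA_CFG = """\
acl number 4001
 rule 5 permit vlan-id 100
 rule 10 permit vlan-id 200
#
interface GigabitEthernet1/0/1
 port trunk allow-pass vlan 100 200
 traffic-redirect inbound acl 4001 interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/3
 port-isolate enable group 1
#
interface GigabitEthernet1/0/4
 mac-address learning disable
 port-isolate enable group 1
"""

def stanzas(cfg):
    """Map each '#'-delimited stanza header to its body text."""
    out = {}
    for block in re.split(r"(?m)^#[ \t]*$", cfg):
        head, _, body = block.strip().partition("\n")
        if head:
            out[head.strip()] = body
    return out

def audit_redirect(cfg, return_if):
    """List gaps in each inbound traffic-redirect; an empty list means none found."""
    s, findings = stanzas(cfg), []
    def group(ifname):  # port isolation group of an interface; group 1 is the default
        m = re.search(r"port-isolate enable(?: group (\d+))?", s.get("interface " + ifname, ""))
        return (m.group(1) or "1") if m else None
    for head, body in s.items():
        m = re.search(r"traffic-redirect inbound acl (\d+) interface (\S+)", body)
        if not m:
            continue
        acl, target = m.groups()
        permitted = set(re.findall(r"permit vlan-id (\d+)", s.get("acl number " + acl, "")))
        # Assumes VLANs are listed individually; "x to y" ranges are not expanded.
        allowed = set(re.findall(r"\d+", " ".join(re.findall(r"allow-pass vlan (.*)", body))))
        findings += [f"{head}: VLAN {v} not matched by ACL {acl}" for v in sorted(allowed - permitted, key=int)]
        if group(target) is None or group(target) != group(return_if):
            findings.append(f"{target} and {return_if} are not in one port isolation group")
        if "mac-address learning disable" not in s.get("interface " + return_if, ""):
            findings.append(f"{return_if}: MAC address learning is enabled")
    return findings
```

Run it against the saved configuration (interface names in the `GigabitEthernet1/0/4` form), not against typed CLI input.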
    
Updated: 2019-04-08

Document ID: EDOC1100065653
