S12700 V200R013C00 Configuration Guide - QoS

This document describes the configurations of QoS functions, including MQC, priority mapping, traffic policing, traffic shaping, interface-based rate limiting, congestion avoidance, congestion management, packet filtering, redirection, traffic statistics, ACL-based simplified traffic policy, and HQoS.
Example for Preventing a Specified Host from Accessing the External Network

Networking Requirements

As shown in Figure 9-1, users connect to external network devices through GE2/0/1 of the Switch.

During work hours from 8:30 to 18:00, GE1/0/1 filters packets to prevent the specified hosts from accessing the external network.

Figure 9-1  Networking for preventing a specified host from accessing the external network

Configuration Roadmap

You can define the deny action in a traffic policy to filter packets. The configuration roadmap is as follows:
  1. Configure interfaces so that users can access the external network through the Switch.
  2. Configure a time range and reference the time range in an ACL.
  3. Configure an ACL to deny packets during work hours.
  4. Configure packet filtering in the inbound direction of GE1/0/1.

Procedure

  1. Create VLANs and configure interfaces.

    # Create VLAN 10 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan 10
    [Switch-vlan10] quit

    # Configure GE1/0/1 and GE2/0/1 on the Switch as trunk interfaces and add them to VLAN 10.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
    [Switch-GigabitEthernet2/0/1] quit
    NOTE:

    Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.

    # Create VLANIF 10 and configure IP address 192.168.1.1/24 for it.

    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 192.168.1.1 24
    [Switch-Vlanif10] quit
    NOTE:

    Configure IP address 192.168.1.2/24 for the router interface connected to the Switch.

  2. Create a periodic time range working_time that defines work hours from 8:30 to 18:00.

    [Switch] time-range working_time 08:30 to 18:00 working-day
    

  3. Configure ACL 3001 and define three rules to prevent packets from 192.168.1.10, 192.168.1.11, and 192.168.1.12 from passing through during work hours.

    [Switch] acl number 3001
    [Switch-acl-adv-3001] rule deny ip source 192.168.1.10 0 time-range working_time
    [Switch-acl-adv-3001] rule deny ip source 192.168.1.11 0 time-range working_time
    [Switch-acl-adv-3001] rule deny ip source 192.168.1.12 0 time-range working_time
    [Switch-acl-adv-3001] quit

  4. Configure packet filtering in the inbound direction of GE1/0/1.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-filter inbound acl 3001
    [Switch-GigabitEthernet1/0/1] quit

  5. Verify the configuration.

    # Check information about ACL rules and actions on the interface in the inbound direction.

    [Switch] display traffic-applied interface gigabitethernet 1/0/1 inbound
    -----------------------------------------------------------                     
    ACL applied inbound interface GigabitEthernet1/0/1                              
                                                                                    
    ACL 3001                                                                        
     rule 5 deny ip source 192.168.1.10 0 time-range working_time (match-counter 0)
    ACTIONS:                                                                        
     filter                                                                         
    -----------------------------------------------------------                     
                                                                                    
    ACL 3001                                                                        
     rule 10 deny ip source 192.168.1.11 0 time-range working_time (match-counter 0)
    ACTIONS:                                                                        
     filter                                                                         
    -----------------------------------------------------------                     
                                                                                    
    ACL 3001                                                                        
     rule 15 deny ip source 192.168.1.12 0 time-range working_time (match-counter 0)
    ACTIONS:                                                                        
     filter                                                                         
    -----------------------------------------------------------                                              
    

Configuration Files

  • Switch configuration file

    #
    sysname Switch
    #
    vlan batch 10
    #
    time-range working_time 08:30 to 18:00 working-day     
    # 
    acl number 3001                                                                 
     rule 5 deny ip source 192.168.1.10 0 time-range working_time                            
     rule 10 deny ip source 192.168.1.11 0 time-range working_time                            
     rule 15 deny ip source 192.168.1.12 0 time-range working_time         
    # 
    interface Vlanif10                                                              
     ip address 192.168.1.1 255.255.255.0                                           
    #                                                                               
    interface GigabitEthernet1/0/1
     port link-type trunk                                                           
     port trunk allow-pass vlan 10                                                  
     traffic-filter inbound acl 3001                                                    
    #                                                                               
    interface GigabitEthernet2/0/1
     port link-type trunk                                                           
     port trunk allow-pass vlan 10                                                  
    #
    return
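
The following Python example is added here and is not part of Huawei's guide: it parses the time-range and ACL 3001 lines of the configuration file above and reports whether a packet from a given source address at a given time would be filtered. It assumes that `working-day` means Monday to Friday, that rules are checked in ascending rule ID order, and that packets matching no rule are forwarded; the function names are illustrative.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed input: the time-range and ACL lines of the Switch configuration file.
CONFIG = """\
time-range working_time 08:30 to 18:00 working-day
acl number 3001
 rule 5 deny ip source 192.168.1.10 0 time-range working_time
 rule 10 deny ip source 192.168.1.11 0 time-range working_time
 rule 15 deny ip source 192.168.1.12 0 time-range working_time
"""

TR_RE = re.compile(r"^time-range (\S+) (\d\d:\d\d) to (\d\d:\d\d) working-day$")
RULE_RE = re.compile(r"^rule (\d+) (deny|permit) ip source (\S+) (\S+) time-range (\S+)$")

def parse(config):
    """Return ({name: (start, end)}, [(id, action, src, wildcard, time_range)])."""
    ranges, rules = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := TR_RE.match(line):
            ranges[m[1]] = (time.fromisoformat(m[2]), time.fromisoformat(m[3]))
        elif m := RULE_RE.match(line):
            wildcard = "0.0.0.0" if m[4] == "0" else m[4]  # "0" is an exact host match
            rules.append((int(m[1]), m[2], int(ipaddress.IPv4Address(m[3])),
                          int(ipaddress.IPv4Address(wildcard)), m[5]))
    return ranges, sorted(rules)  # assumption: ascending rule ID order

def active(ranges, name, when):
    """Assumptions: working-day is Monday to Friday, and both ends of the range are included."""
    if name not in ranges:
        return False  # a rule bound to an undefined time range never takes effect here
    start, end = ranges[name]
    return when.weekday() < 5 and start <= when.time() <= end

def verdict(config, src, when):
    """First active matching rule wins; unmatched traffic is assumed to be forwarded."""
    ranges, rules = parse(config)
    ip = int(ipaddress.IPv4Address(src))
    for rule_id, action, rule_ip, wildcard, time_range in rules:
        # Wildcard bits set to 1 are ignored; bits set to 0 must match.
        if active(ranges, time_range, when) and (ip | wildcard) == (rule_ip | wildcard):
            return f"{action} (rule {rule_id})"
    return "permit (no match)"

if __name__ == "__main__":
    print(verdict(CONFIG, "192.168.1.10", datetime(2019, 4, 8, 9, 0)))
```

On the Switch, the time range is evaluated against the device's system clock, so the accuracy of that clock determines when the deny rules take effect.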
    
Updated: 2019-04-08

Document ID: EDOC1100065653
