Example for Configuring Redirection
Networking Requirements
As shown in Figure 8-2, servers in the service area need to access the Internet. The data and video servers in the service area connect to the gateway router through access switch SwitchB and core switch SwitchA, and communicate with the Internet through the gateway router.
To ensure enterprise data and network security, the customer wants to ensure security of all traffic from the Internet to servers.
Configuration Roadmap
- Connect SwitchA to the core firewall in bypass mode to filter traffic.
- Configure SwitchA to redirect all traffic from the Internet to the firewall. The traffic entering the firewall is Layer 2 traffic, so the redirection is done at Layer 2 on SwitchA.
- Configure Layer 2 port isolation on the interface of SwitchA connected to the firewall to prevent loops, and disable MAC address learning to prevent MAC address flapping.
Procedure
- Create VLANs and configure interfaces to ensure Layer 2 connectivity.
# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 100 200
[*SwitchB] commit
# 10GE1/0/2 and 10GE1/0/3 on SwitchB are access interfaces by default. Add 10GE1/0/2 to VLAN 200 and 10GE1/0/3 to VLAN 100, and configure 10GE1/0/1 as a trunk interface and add 10GE1/0/1 to VLAN 100 and VLAN 200.
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] port default vlan 200
[*SwitchB-10GE1/0/2] quit
[*SwitchB] interface 10ge 1/0/3
[*SwitchB-10GE1/0/3] port default vlan 100
[*SwitchB-10GE1/0/3] quit
[*SwitchB] interface 10ge 1/0/1
[*SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 100 200
[*SwitchB-10GE1/0/1] quit
[*SwitchB] commit
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 100 200
[*SwitchA] commit
# Configure 10GE1/0/1, 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4 on SwitchA as trunk interfaces and add them to VLAN 100 and VLAN 200. Add 10GE1/0/3 and 10GE1/0/4 to the same Layer 2 port isolation group. Disable MAC address learning on 10GE1/0/4 to prevent MAC address flapping.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/2] quit
[*SwitchA] interface 10ge 1/0/3
[*SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/3] port-isolate enable group 1
[*SwitchA-10GE1/0/3] quit
[*SwitchA] interface 10ge 1/0/4
[*SwitchA-10GE1/0/4] port link-type trunk
[*SwitchA-10GE1/0/4] port trunk allow-pass vlan 100 200
[*SwitchA-10GE1/0/4] port-isolate enable group 1
[*SwitchA-10GE1/0/4] mac-address learning disable
[*SwitchA-10GE1/0/4] quit
[*SwitchA] commit
- Configure MQC to implement redirection to an interface.
# Configure a traffic classifier.
[~SwitchA] traffic classifier c1
[*SwitchA-classifier-c1] if-match any
[*SwitchA-classifier-c1] quit
[*SwitchA] commit
# Configure a traffic behavior.
[~SwitchA] traffic behavior b1
[*SwitchA-behavior-b1] redirect interface 10ge 1/0/3
[*SwitchA-behavior-b1] quit
[*SwitchA] commit
# Configure a traffic policy.
[~SwitchA] traffic policy p1
[*SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[*SwitchA-trafficpolicy-p1] quit
[*SwitchA] commit
# Apply the traffic policy to 10GE1/0/1 on SwitchA in the inbound direction, so that traffic arriving from the gateway router (Internet to servers) is redirected to the firewall.
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] traffic-policy p1 inbound
[*SwitchA-10GE1/0/1] quit
[*SwitchA] commit
[~SwitchA] quit
- Verify the configuration.
# Check the traffic classifier configuration.
<SwitchA> display traffic classifier
Traffic Classifier Information:
 Classifier: c1
  Type: OR
  Rule(s):
   if-match any
Total classifier number is 1
# View the traffic behavior configuration.
<SwitchA> display traffic behavior
Traffic Behavior Information:
 Behavior: b1
  Redirect:
   Redirect interface 10GE1/0/3
Total behavior number is 1
# View the traffic policy configuration.
<SwitchA> display traffic policy
Traffic Policy Information:
 Policy: p1
  Classifier: c1
   Type: OR
   Behavior: b1
    Redirect:
     Redirect interface 10GE1/0/3
Total policy number is 1
# Check the traffic policy record.
<SwitchA> display traffic-policy applied-record
Total records : 1
--------------------------------------------------------------------------------
Policy Type/Name      Apply Parameter      Slot      State
--------------------------------------------------------------------------------
p1                    10GE1/0/1(IN)        1         success
--------------------------------------------------------------------------------
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
traffic classifier c1 type or
 if-match any
#
traffic behavior b1
 redirect interface 10GE1/0/3
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
 traffic-policy p1 inbound
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 200
 port-isolate enable group 1
#
interface 10GE1/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 200
 port-isolate enable group 1
 mac-address learning disable
#
return
SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface 10GE1/0/2
 port default vlan 200
#
interface 10GE1/0/3
 port default vlan 100
#
return
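The three conditions the configuration roadmap relies on (policy applied inbound on the uplink, the redirect target and the firewall return port in one isolation group, MAC learning disabled on the return port) are easy to break when a config is edited later. The script below is an added example, not part of the original page or Huawei's own tooling: it parses an excerpt of the SwitchA configuration file shown above (a constructed sample) and reports any of those conditions that no longer hold.

```python
# Constructed excerpt of the SwitchA configuration file shown on this page: only the lines
# that matter for the bypass-firewall redirection are kept, one config block per line.
SWITCHA_CONFIG = "\n".join([
    "traffic behavior b1", " redirect interface 10GE1/0/3", "#",
    "interface 10GE1/0/1", " traffic-policy p1 inbound", "#",
    "interface 10GE1/0/3", " port-isolate enable group 1", "#",
    "interface 10GE1/0/4", " port-isolate enable group 1", " mac-address learning disable", "#",
])

def parse_config(text):
    """Group lines by 'interface X' block ('#' ends a block); other lines go to '_global'."""
    cfg, cur = {"_global": []}, "_global"
    for line in (l.strip() for l in text.splitlines()):
        if line == "#":
            cur = "_global"
        elif line.startswith("interface "):
            cur = line.split()[1]
            cfg.setdefault(cur, [])
        elif line:
            cfg[cur].append(line)
    return cfg

def isolation_group(lines):
    """Port-isolate group number of an interface block, or None if it is not isolated."""
    groups = [l.split()[-1] for l in lines if l.startswith("port-isolate enable group ")]
    return groups[0] if groups else None

def audit_redirection(text):
    """Return findings; an empty list means the config matches the roadmap on this page."""
    cfg, findings = parse_config(text), []
    targets = [l.split()[-1] for l in cfg["_global"] if l.startswith("redirect interface ")]
    if not targets:
        return ["no 'redirect interface' action in any traffic behavior"]
    target = targets[0]
    # Internet-to-server traffic enters SwitchA on the uplink, so the policy must be applied
    # inbound; 'outbound' on that interface would only see server-to-Internet traffic.
    if not any(l.startswith("traffic-policy ") and l.endswith(" inbound")
               for i, ls in cfg.items() if i != "_global" for l in ls):
        findings.append("traffic policy is not applied inbound on any interface")
    group = isolation_group(cfg.get(target, []))
    if group is None:  # without isolation, frames returned by the firewall can loop back
        findings.append(f"{target}: redirect target is not in a port isolation group")
        return findings
    peers = [i for i, ls in cfg.items() if i not in ("_global", target) and isolation_group(ls) == group]
    if not peers:
        findings.append(f"no firewall return interface shares isolation group {group} with {target}")
    for p in peers:  # the same MACs appear on both firewall ports: learning must be off on the return port
        if "mac-address learning disable" not in cfg[p]:
            findings.append(f"{p}: MAC address learning still enabled on firewall return port")
    return findings
```

Run `audit_redirection` on the full configuration file exported from the switch; the two variants in the test (policy changed to outbound, MAC learning re-enabled on 10GE1/0/4) show the findings it produces for a drifted config.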