Example for Configuring Packet Filtering
Networking Requirements
In Figure 7-2, voice, video, and data services on the enterprise's LAN are transmitted to Eth2/0/0 and Eth2/0/1 of RouterA through SwitchA and SwitchB, and to the WAN through GE1/0/0 of RouterA.
Packets of different services are identified by 802.1p priorities on the LAN. When packets reach the WAN through GE1/0/0, data packets must be filtered and voice and video services must be ensured.
Configuration Roadmap
- Configure interfaces so that enterprise users can access the WAN through RouterA.
- Configure traffic classifiers to classify packets based on 802.1p priorities.
- Configure traffic behaviors so that the device permits or rejects packets matching rules.
- Configure a traffic policy, bind the traffic policy to the traffic classifiers and traffic behaviors, and apply the traffic policy to Eth2/0/0 and Eth2/0/1 in the inbound direction to filter packets.
Procedure
- Create VLANs and configure interfaces.
# Create VLAN 10 and VLAN 20 on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 10 20
# Configure Eth2/0/0 and Eth2/0/1 on RouterA as trunk interfaces, and add Eth2/0/0 to VLAN 10 and Eth2/0/1 to VLAN 20. Configure IP address 192.168.4.1/24 for GE1/0/0.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port link-type trunk
[RouterA-Ethernet2/0/0] port trunk allow-pass vlan 10
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan 20
[RouterA-Ethernet2/0/1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.4.1 24
[RouterA-GigabitEthernet1/0/0] quit
Configure the interface on SwitchA connected to RouterA as a trunk interface and add it to VLAN 10.
Configure the interface on SwitchB connected to RouterA as a trunk interface and add it to VLAN 20.
# Create VLANIF 10 and VLANIF 20, and assign IP address 192.168.2.1/24 to VLANIF 10 and IP address 192.168.3.1/24 to VLANIF 20.
[RouterA] interface vlanif 10
[RouterA-Vlanif10] ip address 192.168.2.1 24
[RouterA-Vlanif10] quit
[RouterA] interface vlanif 20
[RouterA-Vlanif20] ip address 192.168.3.1 24
[RouterA-Vlanif20] quit
# Configure IP address 192.168.4.2/24 for GE1/0/0 on RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.4.2 24
[RouterB-GigabitEthernet1/0/0] quit
# Configure RouterB to interwork with the network layer of the LAN.
[RouterB] ip route-static 192.168.2.0 255.255.255.0 192.168.4.1
[RouterB] ip route-static 192.168.3.0 255.255.255.0 192.168.4.1
Configure the default gateway address 192.168.2.1/24 for enterprise users connected to SwitchA.
Configure the default gateway address 192.168.3.1/24 for enterprise users connected to SwitchB.
- Configure traffic classifiers.
# Create and configure traffic classifiers c1, c2, and c3 on RouterA to classify packets based on 802.1p priorities.
[RouterA] traffic classifier c1
[RouterA-classifier-c1] if-match 8021p 2
[RouterA-classifier-c1] quit
[RouterA] traffic classifier c2
[RouterA-classifier-c2] if-match 8021p 5
[RouterA-classifier-c2] quit
[RouterA] traffic classifier c3
[RouterA-classifier-c3] if-match 8021p 6
[RouterA-classifier-c3] quit
- Configure traffic behaviors.
# Configure a traffic behavior named b1 on RouterA and define the deny action.
[RouterA] traffic behavior b1
[RouterA-behavior-b1] deny
[RouterA-behavior-b1] quit
# Configure traffic behaviors b2 and b3 on RouterA and define the permit action.
[RouterA] traffic behavior b2
[RouterA-behavior-b2] permit
[RouterA-behavior-b2] quit
[RouterA] traffic behavior b3
[RouterA-behavior-b3] permit
[RouterA-behavior-b3] quit
- Configure a traffic policy and apply the traffic policy to interfaces.
# Create a traffic policy named p1 on RouterA, bind the traffic behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to Eth2/0/0 and Eth2/0/1 in the inbound direction to filter packets.
[RouterA] traffic policy p1
[RouterA-trafficpolicy-p1] classifier c1 behavior b1
[RouterA-trafficpolicy-p1] classifier c2 behavior b2
[RouterA-trafficpolicy-p1] classifier c3 behavior b3
[RouterA-trafficpolicy-p1] quit
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] traffic-policy p1 inbound
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] traffic-policy p1 inbound
[RouterA-Ethernet2/0/1] quit
- Verify the configuration.
# Check the traffic classifier configuration.
<RouterA> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c2
    Operator: OR
    Rule(s) : if-match 8021p 5
   Classifier: c3
    Operator: OR
    Rule(s) : if-match 8021p 6
   Classifier: c1
    Operator: OR
    Rule(s) : if-match 8021p 2
# Check the traffic policy record.
<Router> display traffic-policy applied-record p1
-------------------------------------------------
  Policy Name: p1
  Policy Index: 0
     Classifier:c1 Behavior:b1 Precedence:5
     Classifier:c2 Behavior:b2 Precedence:10
     Classifier:c3 Behavior:b3 Precedence:15
-------------------------------------------------
 *interface Ethernet2/0/0
    traffic-policy p1 inbound
      slot 0 : success
      slot 2 : success
    Classifier: c1
     Operator: OR
     Rule(s) : if-match 8021p 2
     Behavior: b1
      Deny
    Classifier: c2
     Operator: OR
     Rule(s) : if-match 8021p 5
     Behavior: b2
    Classifier: c3
     Operator: OR
     Rule(s) : if-match 8021p 6
     Behavior: b3
 *interface Ethernet2/0/1
    traffic-policy p1 inbound
      slot 0 : success
      slot 2 : success
    Classifier: c1
     Operator: OR
     Rule(s) : if-match 8021p 2
     Behavior: b1
      Deny
    Classifier: c2
     Operator: OR
     Rule(s) : if-match 8021p 5
     Behavior: b2
    Classifier: c3
     Operator: OR
     Rule(s) : if-match 8021p 6
     Behavior: b3
-------------------------------------------------
  Policy total applied times: 2.
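An added example (not part of the original configuration guide): a Python check that parses the RouterA policy lines configured above and reports the effective inbound action for each 802.1p value 0-7 on an interface. It assumes that a lower precedence value is evaluated first, and it labels priorities that no classifier in p1 matches as "unmatched" because p1 defines no behavior for them; the function names parse and verdicts are illustrative.

```python
# Constructed sample: RouterA's policy section from this page, one command per line.
CONFIG = """\
traffic classifier c3 operator or
 if-match 8021p 6
traffic classifier c2 operator or
 if-match 8021p 5
traffic classifier c1 operator or
 if-match 8021p 2
traffic behavior b3
traffic behavior b2
traffic behavior b1
 deny
traffic policy p1
 classifier c1 behavior b1 precedence 5
 classifier c2 behavior b2 precedence 10
 classifier c3 behavior b3 precedence 15
interface Ethernet2/0/0
 traffic-policy p1 inbound
interface Ethernet2/0/1
 traffic-policy p1 inbound
"""

def parse(config):
    """Return classifiers, behaviors, policies and inbound interface bindings."""
    cls, beh, pol, applied = {}, {}, {}, {}
    kind = name = None
    for w in filter(None, map(str.split, config.splitlines())):
        if w[0] in ("traffic", "interface"):  # start of a new config section
            kind, name = (w[1], w[2]) if w[0] == "traffic" else ("interface", w[1])
            if kind == "behavior":
                beh[name] = "permit"  # the saved config on this page omits permit
        elif kind == "classifier" and w[:2] == ["if-match", "8021p"]:
            cls.setdefault(name, set()).update(int(p) for p in w[2:])
        elif kind == "behavior" and w[0] in ("permit", "deny"):
            beh[name] = w[0]
        elif kind == "policy" and w[0] == "classifier":
            pol.setdefault(name, []).append((int(w[5]), w[1], w[3]))
        elif kind == "interface" and w[0] == "traffic-policy" and w[2] == "inbound":
            applied[name] = w[1]
    return cls, beh, pol, applied

def verdicts(config, interface):
    """Effective inbound action per 802.1p value (0-7) on one interface."""
    cls, beh, pol, applied = parse(config)
    rules = sorted(pol.get(applied.get(interface), []))  # assumed: lowest precedence first
    out = {}
    for pcp in range(8):
        hit = next((b for _, c, b in rules if pcp in cls.get(c, ())), None)
        out[pcp] = beh.get(hit, "permit") if hit else "unmatched"
    return out
```

For this page's configuration only 802.1p value 2 is denied; values 0, 1, 3, 4 and 7 match no classifier in p1, so confirm that outcome is intended before relying on the policy as a filter.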
Configuration Files
RouterA configuration file
#
 sysname RouterA
#
 vlan batch 10 20
#
traffic classifier c3 operator or
 if-match 8021p 6
traffic classifier c2 operator or
 if-match 8021p 5
traffic classifier c1 operator or
 if-match 8021p 2
#
traffic behavior b3
traffic behavior b2
traffic behavior b1
 deny
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
 classifier c2 behavior b2 precedence 10
 classifier c3 behavior b3 precedence 15
#
interface Vlanif10
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-policy p1 inbound
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 20
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/0
 ip address 192.168.4.1 255.255.255.0
#
return
RouterB configuration file
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 192.168.4.2 255.255.255.0
#
ip route-static 192.168.2.0 255.255.255.0 192.168.4.1
ip route-static 192.168.3.0 255.255.255.0 192.168.4.1
#
return