Configuration Examples for SAC
Networking Requirements
As shown in Figure 12-3, Telnet packets enter SwitchA through GE0/0/1. The customer wants SwitchA to identify and collect statistics on Telnet packets.
Configuration Roadmap
- Configure SA on SwitchA. Set the resource allocation mode to sac for SwitchA, enable the IAE, and enable SA on the inbound interface of packets so that the switch can identify the application of packets.
- Configure an SAC traffic policy on SwitchA. Collect statistics on traffic of Telnet packets on the inbound interface.
Procedure
- Configure SA.
# Set the resource allocation mode to sac for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] assign resource-mode sac
[SwitchA] quit
After the resource allocation mode is set to sac, you need to save the configuration and restart the switch for the configuration to take effect.
# Enable the IAE on SwitchA.
<SwitchA> system-view
[SwitchA] defence engine enable
# Enable SA on GE0/0/1 of SwitchA.
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] service-awareness enable
[SwitchA-GigabitEthernet0/0/1] quit
- Configure an SAC traffic policy.
# Configure traffic classifier c1 on SwitchA. Create a matching rule for classifying traffic based on the application name in the traffic classifier.
[SwitchA] traffic classifier c1
[SwitchA-classifier-c1] if-match application name Telnet
[SwitchA-classifier-c1] quit
# Configure traffic behavior b1 on SwitchA. Define the action of collecting statistics on traffic in the traffic behavior so that the packet statistics can be displayed after the traffic policy is applied.
[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] statistic enable
[SwitchA-behavior-b1] quit
# Configure traffic policy p1 on SwitchA. Associate traffic classifier c1 with traffic behavior b1.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit
# Apply traffic policy p1 to the inbound direction of GE0/0/1 on SwitchA.
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound
[SwitchA-GigabitEthernet0/0/1] quit
- Verify the configuration.
# Check application identification entries on SwitchA.
[SwitchA] display engine session application
Source IP       Destination IP  SPort  DPort  ProtocolID  AppName  AppID  Expire(S)
--------------------------------------------------------------------------------------
10.1.1.10       10.1.1.20       65146  23     6           Telnet   415    300
10.1.1.10       10.1.1.20       65146  23     6           Telnet   415    150
10.1.1.10       10.1.1.20       65063  23     6           Telnet   415    175
10.1.1.10       10.1.1.20       64997  23     6           Telnet   415    185
10.1.1.10       10.1.1.20       64970  23     6           Telnet   415    45
--------------------------------------------------------------------------------------
Total:5
# Check traffic statistics on Telnet packets.
[SwitchA] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched  | Packets: 21 | Bytes: 1,986 | Rate(pps): 0 | Rate(bps): 0
---------------------------------------------------------------------
Passed   | Packets: 21 | Bytes: 1,986 | Rate(pps): 0 | Rate(bps): 0
---------------------------------------------------------------------
Dropped  | Packets: 0  | Bytes: 0     | Rate(pps): 0 | Rate(bps): 0
---------------------------------------------------------------------
Filter   | Packets: 0  | Bytes: 0
---------------------------------------------------------------------
Car      | Packets: 0  | Bytes: 0
---------------------------------------------------------------------
Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
assign resource-mode sac slot 0
#
defence engine enable
#
traffic classifier c1 operator or
 if-match application name Telnet
#
traffic behavior b1
 statistic enable
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
 traffic-policy p1 inbound
 service-awareness enable
#
return
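
The prerequisites listed in the configuration roadmap can be checked against a saved configuration file before relying on the statistics. The Python script below is an added example, not part of the original Huawei documentation; the function names `blocks` and `audit_sac` and the finding strings are assumptions made for illustration, and the sample input is a trimmed copy of the SwitchA configuration file above.

```python
import re

# Sample input: trimmed copy of this page's SwitchA configuration file.
SAMPLE_CONFIG = """\
assign resource-mode sac slot 0
#
defence engine enable
#
traffic classifier c1 operator or
 if-match application name Telnet
#
traffic behavior b1
 statistic enable
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
 traffic-policy p1 inbound
 service-awareness enable
"""

def blocks(text):
    """Split a configuration file into '#'-separated blocks of stripped lines."""
    out = [[l.strip() for l in b.splitlines() if l.strip()] for b in re.split(r"(?m)^#[ \t]*$", text)]
    return [b for b in out if b]

def audit_sac(text):
    """Return findings; an empty list means every roadmap prerequisite is present."""
    cfg, findings = blocks(text), []
    if not re.search(r"(?m)^assign resource-mode sac\b", text):
        findings.append("resource allocation mode is not sac")
    if not re.search(r"(?m)^defence engine enable[ \t]*$", text):
        findings.append("IAE is not enabled")
    # Classifiers that match on application name, then the policies that use them.
    app_cls = {b[0].split()[2] for b in cfg if b[0].startswith("traffic classifier ")
               and any(l.startswith("if-match application name ") for l in b[1:])}
    app_pol = {b[0].split()[2] for b in cfg if b[0].startswith("traffic policy ")
               and any(l.split()[:2] == ["classifier", c] for l in b[1:] for c in app_cls)}
    # An interface applying such a policy also needs SA enabled on it.
    for b in cfg:
        used = [l.split()[1] for l in b[1:] if l.startswith("traffic-policy ")]
        if b[0].startswith("interface ") and "service-awareness enable" not in b:
            findings += [f"{b[0].split()[1]}: policy {p} matches on application but SA is off"
                         for p in used if p in app_pol]
    return findings

if __name__ == "__main__":
    print(audit_sac(SAMPLE_CONFIG) or "all SAC prerequisites present")
```

The script only inspects the saved configuration text; it cannot tell whether the switch was restarted after the resource allocation mode was changed.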