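Example for Configuring TCAM ACL Resource Customization
Configuration Roadmap
- Enable TCAM ACL resource customization.
- Configure a TCAM ACL resource customization template and its groups.
- Bind groups to services, specifying the custom QoS group that each service uses. The service names in this example are illustrative; use the names actually displayed on your device.
- Apply the TCAM ACL resource customization template globally.
- Configure the individual services.
Procedure
- Enable TCAM ACL resource customization.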
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] system tcam acl
[*Switch] commit
- Create and configure a TCAM ACL resource customization template, and apply it globally.
# On the switch, create the TCAM ACL resource customization template template1, configure its groups, and configure the bindings among match, action, service, and group.
[~Switch] system tcam acl template template1
[*Switch-tcam-acl-template1] commit
[~Switch-tcam-acl-template1] group cpcar precedence 0
[*Switch-tcam-acl-template1-group-cpcar] match ethernet destination-mac
[*Switch-tcam-acl-template1-group-cpcar] match ipv6 source-ip-high protocol ttl
[*Switch-tcam-acl-template1-group-cpcar] match tcp destination-port source-port
[*Switch-tcam-acl-template1-group-cpcar] match forwarding destination-interface
[*Switch-tcam-acl-template1-group-cpcar] match udf ipv4-head 0 1
[*Switch-tcam-acl-template1-group-cpcar] action deny snoop redirect interface flow
[*Switch-tcam-acl-template1-group-cpcar] quit
[*Switch-tcam-acl-template1] group CpcarTerminated precedence 2
[*Switch-tcam-acl-template1-group-CpcarTerminated] match ip protocol
[*Switch-tcam-acl-template1-group-CpcarTerminated] match udf ipv4-head 9 1 udf ipv4-head negative 2 2 udf ipv4-head 22 2
[*Switch-tcam-acl-template1-group-CpcarTerminated] action deny snoop redirect flow
[*Switch-tcam-acl-template1-group-CpcarTerminated] quit
[*Switch-tcam-acl-template1] group CpCarTermV6 precedence 7
[*Switch-tcam-acl-template1-group-CpCarTermV6] match udf ipv4-head 6 1 udf l2-head 42 2
[*Switch-tcam-acl-template1-group-CpCarTermV6] action snoop
[*Switch-tcam-acl-template1-group-CpCarTermV6] quit
[*Switch-tcam-acl-template1] group NEWQOSCAR precedence 9
[*Switch-tcam-acl-template1-group-NEWQOSCAR] match forwarding source-interface
[*Switch-tcam-acl-template1-group-NEWQOSCAR] action car statistics
[*Switch-tcam-acl-template1-group-NEWQOSCAR] quit
[*Switch-tcam-acl-template1] group MQCNEWV6 precedence 11
[*Switch-tcam-acl-template1-group-MQCNEWV6] match ipv6 source-ip-high protocol tos
[*Switch-tcam-acl-template1-group-MQCNEWV6] match forwarding vsi
[*Switch-tcam-acl-template1-group-MQCNEWV6] action statistics remark local-precedence
[*Switch-tcam-acl-template1-group-MQCNEWV6] quit
[*Switch-tcam-acl-template1] group TUNNELSTAT precedence 13
[*Switch-tcam-acl-template1-group-TUNNELSTAT] match forwarding vsi
[*Switch-tcam-acl-template1-group-TUNNELSTAT] action statistics
[*Switch-tcam-acl-template1-group-TUNNELSTAT] quit
[*Switch-tcam-acl-template1] service cpcar-terminatedv4 group CpcarTerminated
[*Switch-tcam-acl-template1] service cpcar-terminatedv6 group CpCarTermV6
[*Switch-tcam-acl-template1] service cpcar6 group cpcar
[*Switch-tcam-acl-template1] service qos-car group NEWQOSCAR
[*Switch-tcam-acl-template1] service trafficpolicy6-l3 group MQCNEWV6
[*Switch-tcam-acl-template1] service vlan-statistics group TUNNELSTAT
[*Switch-tcam-acl-template1] quit
[*Switch] system tcam acl template template1 all
[*Switch] commit
- Add interfaces to VLANs and create VLANIF interfaces.
# Set the link type of switch interfaces 10GE4/0/20, 10GE4/0/22, 10GE4/0/24, and 10GE4/0/26 to trunk. Add 10GE4/0/20 to VLAN 2000, 10GE4/0/22 to VLAN 2001 and VLAN 3010, 10GE4/0/24 to VLAN 3011, and 10GE4/0/26 to VLAN 3012.
[~Switch] vlan batch 2000 2001 3010 to 3012
[*Switch] commit
[~Switch] interface 10ge 4/0/20
[~Switch-10GE4/0/20] port link-type trunk
[*Switch-10GE4/0/20] port trunk allow-pass vlan 2000
[*Switch-10GE4/0/20] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/20] quit
[*Switch] interface 10ge 4/0/22
[*Switch-10GE4/0/22] port link-type trunk
[*Switch-10GE4/0/22] port trunk allow-pass vlan 3010 2001
[*Switch-10GE4/0/22] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/22] quit
[*Switch] interface 10ge 4/0/24
[*Switch-10GE4/0/24] port link-type trunk
[*Switch-10GE4/0/24] port trunk allow-pass vlan 3011
[*Switch-10GE4/0/24] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/24] quit
[*Switch] interface 10ge 4/0/26
[*Switch-10GE4/0/26] port link-type trunk
[*Switch-10GE4/0/26] port trunk allow-pass vlan 3012
[*Switch-10GE4/0/26] undo port trunk allow-pass vlan 1
[*Switch-10GE4/0/26] quit
[*Switch] commit
# Create VLANIF interfaces 3010, 3011, and 3012, and configure their IP addresses.
[~Switch] interface vlanif 3010
[*Switch-Vlanif3010] ip address 192.168.0.1 24
[*Switch-Vlanif3010] quit
[*Switch] interface vlanif 3011
[*Switch-Vlanif3011] ip address 192.168.1.1 24
[*Switch-Vlanif3011] quit
[*Switch] interface vlanif 3012
[*Switch-Vlanif3012] ip address 192.168.2.1 24
[*Switch-Vlanif3012] quit
[*Switch] commit
# Create VLANIF interfaces 2000 and 2001, and configure their IPv6 addresses.
[~Switch] interface vlanif 2000
[*Switch-Vlanif2000] ipv6 enable
[*Switch-Vlanif2000] ipv6 address FC00::100 64
[*Switch-Vlanif2000] quit
[*Switch] interface vlanif 2001
[*Switch-Vlanif2001] ipv6 enable
[*Switch-Vlanif2001] ipv6 address FC00::101 64
[*Switch-Vlanif2001] quit
[*Switch] commit
# Configure routing.
[~Switch] ospf 1
[*Switch-ospf-1] area 1
[*Switch-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[*Switch-ospf-1-area-0.0.0.1] network 192.168.2.0 0.0.0.255
[*Switch-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[*Switch-ospf-1-area-0.0.0.1] quit
[*Switch-ospf-1] quit
[*Switch] commit
- Configure the traffic policy service.
# On the switch, create traffic classifiers c6 and c7, traffic behaviors b6 and b7, and traffic policies p6 and p7, and bind each traffic classifier to its traffic behavior.
[~Switch] traffic classifier c6
[*Switch-classifier-c6] if-match ipv6 dscp af11
[*Switch-classifier-c6] quit
[*Switch] traffic behavior b6
[*Switch-behavior-b6] remark local-precedence af4
[*Switch-behavior-b6] quit
[*Switch] traffic policy p6
[*Switch-trafficpolicy-p6] classifier c6 behavior b6
[*Switch-trafficpolicy-p6] quit
[*Switch] acl ipv6 3000
[*Switch-acl6-advance-3000] rule 5 permit ipv6 source FC00::100 64 dscp 12
[*Switch-acl6-advance-3000] quit
[*Switch] traffic classifier c7
[*Switch-classifier-c7] if-match ipv6 acl 3000
[*Switch-classifier-c7] quit
[*Switch] traffic behavior b7
[*Switch-behavior-b7] statistics enable
[*Switch-behavior-b7] quit
[*Switch] traffic policy p7
[*Switch-trafficpolicy-p7] classifier c7 behavior b7
[*Switch-trafficpolicy-p7] quit
[*Switch] commit
# Apply traffic policies p6 and p7 to VLAN 2000 and VLAN 2001, respectively.
[~Switch] vlan 2000
[~Switch-vlan2000] traffic-policy p6 inbound
[*Switch-vlan2000] quit
[*Switch] vlan 2001
[*Switch-vlan2001] traffic-policy p7 inbound
[*Switch-vlan2001] commit
[~Switch-vlan2001] quit
- Configure the QoS CAR service: create the QoS profile qoscar1 on the Switch and apply it to the interface.
[~Switch] qos car qoscar1 cir 300 mbps
[*Switch] interface 10GE 4/0/22
[*Switch-10GE4/0/22] qos car inbound qoscar1
[*Switch-10GE4/0/22] commit
[~Switch-10GE4/0/22] quit
- Configure the VLAN statistics service: enable statistics collection for VLAN 2000 on the Switch.
[~Switch] vlan 2000
[~Switch-vlan2000] statistics enable
[*Switch-vlan2000] commit
[~Switch-vlan2000] quit
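The following is an added example, not part of the original procedure or Huawei's tooling: a pre-commit check in Python for the template step above, flagging services bound to a group that was never defined and groups left without a match, an action, or a service binding. It assumes group names are compared exactly (case included); the sample session is constructed and contains a deliberately misspelled group name.

```python
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")   # strips "[*Switch-...]" or "<HUAWEI>"
GROUP = re.compile(r"^group (\S+) precedence (\d+)$")
SERVICE = re.compile(r"^service (\S+) group (\S+)$")

def audit_template(session):
    """Return findings for a pasted template session (empty list means clean)."""
    groups, bound, findings, current = {}, set(), [], None
    for raw in session.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        if m := GROUP.match(cmd):
            current = m.group(1)
            groups[current] = {"match": 0, "action": 0}
        elif current and cmd.startswith(("match ", "action ")):
            groups[current][cmd.split()[0]] += 1   # count lines inside the group view
        elif cmd == "quit":
            current = None                          # left the group (or template) view
        elif m := SERVICE.match(cmd):
            svc, grp = m.groups()
            bound.add(grp)
            if grp not in groups:                   # assumption: exact, case-sensitive match
                findings.append(f"service {svc} bound to undefined group {grp}")
    for name, g in groups.items():
        if not g["match"] or not g["action"]:
            findings.append(f"group {name} lacks a match or action line")
        if name not in bound:
            findings.append(f"group {name} is not bound to any service")
    return findings

# Constructed sample: two groups from the procedure, with the first service
# binding misspelled ("CpCarTerminated" instead of "CpcarTerminated").
SAMPLE = """\
[~Switch] system tcam acl template template1
[*Switch-tcam-acl-template1] group CpcarTerminated precedence 2
[*Switch-tcam-acl-template1-group-CpcarTerminated] match ip protocol
[*Switch-tcam-acl-template1-group-CpcarTerminated] action deny snoop redirect flow
[*Switch-tcam-acl-template1-group-CpcarTerminated] quit
[*Switch-tcam-acl-template1] group TUNNELSTAT precedence 13
[*Switch-tcam-acl-template1-group-TUNNELSTAT] match forwarding vsi
[*Switch-tcam-acl-template1-group-TUNNELSTAT] action statistics
[*Switch-tcam-acl-template1-group-TUNNELSTAT] quit
[*Switch-tcam-acl-template1] service cpcar-terminatedv4 group CpCarTerminated
[*Switch-tcam-acl-template1] service vlan-statistics group TUNNELSTAT
"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE):
        print(finding)
```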