Defining a Traffic Classifier
To apply QoS based on complex traffic classification to traffic on the network, you must first define a traffic classifier.
Procedure
- Run the system-view command to enter the system view.
- (Optional) Configure ACL rules.
This feature supports the following ACL types:
- Interface-based ACL
- Basic ACL
- Advanced ACL
- User ACL (UCL)
- Basic ACL6
- Advanced ACL6
- MPLS-based ACL
For details on ACLs, see ACL Configuration and ACL6 Configuration.
Configuring an interface-based ACL
- Run the acl { name interface-based-acl-name { interface | [ interface ] number interface-based-acl-number } | [ number ] interface-based-acl-number } [ match-order { config | auto } ] command to create an interface-based ACL and enter the interface-based ACL view.
- Run the rule [ rule-id ] [ name rule-name ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] * command to configure an interface-based ACL rule.
Configuring a basic ACL
- Run the acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ] command to create a basic ACL and enter the basic ACL view.
- Run the rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] * command to configure a basic ACL rule.
Configuring an advanced ACL
- Run the acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ] command to create an advanced ACL and enter the advanced ACL view.
- Configure advanced ACL rules.
For TCP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | ack | urg ] * } | { urg [ fin | psh | rst | syn | ack ] * } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *
For UDP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *
For ICMP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *
For other protocols, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *
Configuring a user ACL (UCL)
- Run the acl { name ucl-acl-name [ ucl | [ ucl ] number ucl-acl-number ] | [ number ] ucl-acl-number } [ match-order { auto | config } ] command to create a user ACL and enter the user ACL view.
- Configure user ACL rules.
For TCP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | syn-flag { syn-flag [ mask mask-value ] | { bit-match { established | fin | syn | rst | psh | ack | urg | ece | cwr | ns } } } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | logging | vlan vlan-id | inner-vlan cvlan-id ] *
For UDP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | logging | vlan vlan-id | inner-vlan cvlan-id ] *
For ICMP, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | icmp-type { icmp-name | icmp-type icmp-code } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | logging | vlan vlan-id | inner-vlan cvlan-id ] *
For other protocols, run:
rule [ rule-id ] [ name rule-name ] { deny | permit } { zero | protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | time-range time-name | logging | vlan vlan-id | inner-vlan cvlan-id ] *
Configuring a basic ACL6
- Run the acl ipv6 { name basic-acl6-name [ basic ] | [ number ] basic-acl6-number } [ match-order { config | auto } ] command to create a basic ACL6 and enter the basic ACL6 view.
- Run the rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] * command to configure a basic ACL6 rule.
Configuring an advanced ACL6
- Run the acl ipv6 { name advance-acl6-name [ advance | [ advance ] number advance-acl6-number ] | [ number ] advance-acl6-number } [ match-order { config | auto } ] command to create an advanced ACL6 and enter the advanced ACL6 view.
- Configure advanced ACL6 rules.
For TCP, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
For UDP, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
For ICMPv6, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
For other protocols, run:
rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | gre | ipv6 | ipv6-ah | ipv6-esp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *
Configuring an MPLS-based ACL
- Run the acl { name mpls-acl-name { mpls | [ mpls ] number mpls-acl-number } | [ number ] mpls-acl-number } command to create an MPLS-based ACL and enter the MPLS-based ACL view.
- Run the rule [ rule-id ] [ name rule-name ] { deny | permit } [ exp { exp-value | any } &<1-4> | label { label-value | any } &<1-4> | ttl { { lt | eq | gt } ttl-value | range ttl-value1 ttl-value2 | any } &<1-3> ] * command to configure an MPLS-based ACL rule.
Whether a packet is treated as matching the traffic classifier depends on the ACL lookup result, as follows:
- If the packet matches an ACL rule whose action is permit, the packet is considered a hit (it matches the classifier).
- If the packet matches an ACL rule whose action is deny, the packet is discarded.
- If the packet matches no ACL rule, it is not a hit and is forwarded normally.
- If the referenced ACL does not exist, or the ACL exists but contains no rules, the packet is not a hit and is forwarded normally.
Two consequences are worth checking before deploying a classifier: a deny rule in a referenced ACL drops traffic rather than merely excluding it from the class, and a reference to a nonexistent or empty ACL silently falls through to normal forwarding instead of raising an error.
- Run the traffic classifier classifier-name [ operator { and | or } ] command to define a traffic classifier and enter the traffic classifier view. With operator and, a packet must match all if-match rules in the classifier; with operator or, matching any one rule is sufficient.
- Define the match rules of the traffic classifier as required:
- To match on an ACL, run the if-match acl acl-number command.
Only ACL rules that match on Layer 3 and Layer 4 packet information are supported.
- To match on DSCP, run the if-match dscp dscp-value command.
- To match on TCP flags, run the if-match tcp syn-flag tcpflag-value command.
- To match on IP precedence, run the if-match [ ipv6 ] ip-precedence ip-precedence command.
- To match all packets, run the if-match any command.
- To match on the MPLS EXP value, run the if-match mpls-exp exp-value command.
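The hit/drop/forward policy above and the and/or operator of the traffic classifier are easy to misjudge when an ACL uses match-order auto or when a referenced ACL is missing. The following Python model, added here as an example and not Huawei code, parses a constructed subset of the commands on this page (basic ACL with source/wildcard, traffic classifier with if-match acl, dscp and any) and evaluates packets against it. Its assumptions are stated in the docstring: wildcard bits set to 1 are ignored, match-order auto tries the most specific wildcard first with rule ID as tie-break, a deny rule discards regardless of the classifier operator, and the default operator is or. The sample configuration is constructed for the example.

```python
"""Model of VRP-style ACL lookup and traffic-classifier evaluation.

Added example, not Huawei code. Assumptions: wildcard bits set to 1 are
"don't care"; match-order auto evaluates the most specific wildcard first
(rule-id as tie-break); a deny rule discards the packet regardless of the
classifier operator; the default classifier operator is "or".
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    src: int         # source address as an int (0 when "any" or omitted)
    wildcard: int    # 1 bits are ignored; all ones means any source

    def matches(self, src_ip: int) -> bool:
        return ((src_ip ^ self.src) & ~self.wildcard & 0xFFFFFFFF) == 0

    def specificity(self) -> int:
        return 32 - bin(self.wildcard).count("1")   # number of fixed bits


@dataclass
class Acl:
    number: int
    match_order: str = "config"
    rules: list = field(default_factory=list)


@dataclass
class Classifier:
    name: str
    operator: str = "or"                           # assumed default
    clauses: list = field(default_factory=list)    # (kind, argument) pairs


def parse_config(text):
    """Parse the constructed config subset; '#' ends the current view."""
    acls, classifiers, ctx = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "#":
            ctx = None
        elif t[:2] == ["acl", "number"]:
            order = t[t.index("match-order") + 1] if "match-order" in t else "config"
            ctx = acls[int(t[2])] = Acl(int(t[2]), order)
        elif t[0] == "rule" and isinstance(ctx, Acl):
            src, wc = 0, 0xFFFFFFFF                 # no source keyword == any
            if "source" in t and t[t.index("source") + 1] != "any":
                i = t.index("source")
                src = int(ipaddress.IPv4Address(t[i + 1]))
                wc = int(ipaddress.IPv4Address(t[i + 2]))
            ctx.rules.append(Rule(int(t[1]), t[2], src, wc))
        elif t[:2] == ["traffic", "classifier"]:
            op = t[t.index("operator") + 1] if "operator" in t else "or"
            ctx = classifiers[t[2]] = Classifier(t[2], op)
        elif t[0] == "if-match" and isinstance(ctx, Classifier):
            ctx.clauses.append((t[1], t[2] if len(t) > 2 else None))
    return acls, classifiers


def acl_lookup(acls, number, src_ip):
    """Action of the first matching rule, or None when nothing matches or the
    ACL is missing/empty (both cases fall through to normal forwarding)."""
    acl = acls.get(number)
    if acl is None or not acl.rules:
        return None
    if acl.match_order == "auto":
        rules = sorted(acl.rules, key=lambda r: (-r.specificity(), r.rule_id))
    else:
        rules = sorted(acl.rules, key=lambda r: r.rule_id)
    for rule in rules:
        if rule.matches(src_ip):
            return rule.action
    return None


def classify(acls, classifiers, name, src, dscp):
    """Return 'hit' (packet enters the class), 'drop' or 'forward'."""
    cl = classifiers[name]
    src_ip = int(ipaddress.IPv4Address(src))
    verdicts = []
    for kind, arg in cl.clauses:
        if kind == "acl":
            action = acl_lookup(acls, int(arg), src_ip)
            if action == "deny":
                return "drop"          # deny discards; it is not merely "no hit"
            verdicts.append(action == "permit")
        elif kind == "dscp":
            verdicts.append(dscp == int(arg))
        elif kind == "any":
            verdicts.append(True)
    combine = all if cl.operator == "and" else any
    return "hit" if verdicts and combine(verdicts) else "forward"


# Constructed sample: the same two rules under auto and config ordering, a
# classifier that ANDs ACL 2001 with DSCP 46, and a dangling ACL reference.
CONFIG = """\
acl number 2001 match-order auto
 rule 5 permit source 10.1.0.0 0.0.255.255
 rule 10 deny source 10.1.1.0 0.0.0.255
acl number 2002
 rule 5 permit source 10.1.0.0 0.0.255.255
 rule 10 deny source 10.1.1.0 0.0.0.255
traffic classifier voice operator and
 if-match acl 2001
 if-match dscp 46
traffic classifier cfg-order
 if-match acl 2002
traffic classifier dangling
 if-match acl 2999
"""
ACLS, CLASSIFIERS = parse_config(CONFIG)
```

Running classify(ACLS, CLASSIFIERS, "voice", "10.1.1.9", 46) returns "drop" because under match-order auto the /24 deny is tried before the /16 permit, whereas the same rules in ACL 2002 under config order return "hit" for the same packet: rule 5 permits first and rule 10 is shadowed. The classifier "dangling" returns "forward" for every packet, which is the fail-open behaviour of a missing ACL described above.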