评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置MPLS组网下基于复杂流分类的流量策略示例
以MPLS组网为例,介绍流分类、流行为的配置及其应用。
组网需求
如图5-5所示,PE1、P、PE2为MPLS骨干网设备,CE1和CE2为骨干网边缘接入设备。三个本地网用户通过CE1访问Internet。
在CE1上限制网段1.1.1.0的用户的接入速率为10Mbit/s,承诺突发流量尺寸为150000字节。
在CE1上限制网段2.1.1.0的用户的接入速率为5Mbit/s,承诺突发流量尺寸为100000字节。
在CE1上限制网段3.1.1.0的用户的接入速率为2Mbit/s,承诺突发流量尺寸为100000字节。
在CE1上分别标记三个网段用户业务流量的DSCP值为40、26和0。
在PE1上限制接入MPLS骨干网的接入速率为15 Mbit/s,承诺突发流量尺寸为300000字节,峰值接入速率为20 Mbit/s,峰值突发尺寸为500000字节。
在CE1上限制除dns,snmp,snmptrap和syslog类型的其它UDP协议报文的接入速率为5Mbit/s,承诺突发尺寸为100000字节,峰值接入速率为15Mbit/s,峰值突发尺寸为200000字节。
本例中interface1,interface2,interface3,interface4分别代表GE0/1/0,GE0/2/0,GE0/3/0,GE0/4/0。
配置注意事项
在配置过程中,需要注意一下事项:
- 当用户同时配置if-match any和deny时,复杂流分类将会禁止流经某个接口的所有流量通过,包括协议报文,因此请用户慎重进行上述流分类和流行为的组合配置。
- 当rule命令和流行为视图下同时配置了permit或deny动作时,只有rule命令允许通过的报文才会进行流行为的处理。只要rule命令或流行为视图中的任意一个配了deny动作,匹配规则的报文都会被丢弃。
数据准备
为完成此配置举例,需准备如下的数据:
ACL编号2001、2002、2003、3001、3002。
三个网段用户的报文的DSCP值被分别重标记为40、26、0。
三个网段用户的流量保证带宽分别为10Mbit/s、5Mbit/s、2Mbit/s,允许最大突发流量分别为150000字节、100000字节、100000字节。
CE1上其它UDP协议报文的接入速率5Mbit/s,承诺突发尺寸100000字节,峰值接入速率为15Mbit/s,峰值突发尺寸为200000字节。
PE1的接入速率15 Mbit/s,承诺突发流量尺寸300000字节,峰值接入速率20 Mbit/s,峰值突发尺寸为500000字节。
流分类、流行为、流量策略的名字以及应用的接口号。
操作步骤
- 配置各接口IP地址、路由和MPLS基本功能(略)
- 在CE1上配置复杂流分类,对三个本地网用户接入CE1的流量进行限制
# 定义ACL规则。
<CE1> system-view
[~CE1] acl number 2001[*CE1-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255[*CE1-acl-basic-2001] commit[~CE1-acl-basic-2001] quit[~CE1] acl number 2002[*CE1-acl-basic-2002] rule permit source 2.1.1.0 0.0.0.255[*CE1-acl-basic-2002] commit[~CE1-acl-basic-2002] quit[~CE1] acl number 2003[*CE1-acl-basic-2003] rule permit source 3.1.1.0 0.0.0.255[*CE1-acl-basic-2003] commit[~CE1-acl-basic-2003] quit[~CE1] acl number 3001[*CE1-acl-basic-3001] rule 0 permit udp destination-port eq dns[*CE1-acl-basic-3001] rule 1 permit udp destination-port eq snmp[*CE1-acl-basic-3001] rule 2 permit udp destination-port eq snmptrap[*CE1-acl-basic-3001] rule 3 permit udp destination-port eq syslog[*CE1-acl-basic-3001] commit[~CE1-acl-basic-3001] quit[~CE1] acl number 3002[*CE1-acl-basic-3002] rule 4 permit udp[*CE1-acl-basic-3002] commit[~CE1-acl-basic-3002] quit# 配置流分类,定义基于ACL的匹配规则。
[~CE1] traffic classifier a[*CE1-classifier-a] if-match acl 2001[*CE1-classifier-a] commit[~CE1-classifier-a] quit[~CE1] traffic classifier b[*CE1-classifier-b] if-match acl 2002[*CE1-classifier-b] commit[~CE1-classifier-b] quit[~CE1] traffic classifier c[*CE1-classifier-c] if-match acl 2003[*CE1-classifier-c] commit[~CE1-classifier-c] quit[~CE1]traffic classifier udplimit[*CE1-classifier-udplimit] if-match acl 3001[*CE1-classifier-udplimit] commit[~CE1-classifier-udplimit] quit[~CE1] traffic classifier udplimit1[*CE1-classifier-udplimit1] if-match acl 3002[*CE1-classifier-udplimit1] commit[~CE1-classifier-udplimit1] quit上述配置完成后,可以通过display traffic classifier命令查看流分类的配置信息。
[~CE1] display traffic classifier user-definedUser Defined Classifier Information:
Classifier: a
Description:
Operator: or
Rule(s):
if-match acl 2001
Classifier: b
Description:
Operator: or
Rule(s):
if-match acl 2002
Classifier: c
Description:
Operator: or
Rule(s):
if-match acl 2003
Classifier: udplimit
Description:
Operator: or
Rule(s) :
if-match acl 3001
Classifier: udplimit1
Description:
Operator: or
Rule(s) :
if-match acl 3002
# 定义流行为,配置流量监管并重新设置DSCP。
[~CE1] traffic behavior e[*CE1-behavior-e] car cir 10000 cbs 150000 pbs 0[*CE1-behavior-e] remark dscp 40[*CE1-behavior-e] commit[~CE1-behavior-e] quit[~CE1] traffic behavior f[*CE1-behavior-f] car cir 5000 cbs 100000 pbs 0[*CE1-behavior-f] remark dscp 26[*CE1-behavior-f] commit[~CE1-behavior-f] quit[~CE1] traffic behavior g[*CE1-behavior-g] car cir 2000 cbs 100000 pbs 0[*CE1-behavior-g] remark dscp 0[*CE1-behavior-g] commit[~CE1-behavior-g] quit[~CE1] traffic behavior udplimit[*CE1-behavior-udplimit] permit[*CE1-behavior-udplimit] commit[~CE1-behavior-udplimit] quit[~CE1] traffic behavior udplimit1[*CE1-behavior-udplimit1] car cir 5000 pir 15000 cbs 100000 pbs 200000 green pass yellow discard red discard[*CE1-behavior-udplimit1] commit[~CE1-behavior-udplimit1] quit# 定义流量策略,将流分类与流行为关联。
[~CE1] traffic policy 1[*CE1-trafficpolicy-1] classifier a behavior e[*CE1-trafficpolicy-1] commit[~CE1-trafficpolicy-1] quit[~CE1] traffic policy 2[*CE1-trafficpolicy-2] classifier b behavior f[*CE1-trafficpolicy-2] commit[~CE1-trafficpolicy-2] quit[~CE1] traffic policy 3[*CE1-trafficpolicy-3] classifier c behavior g[*CE1-trafficpolicy-3] commit[~CE1-trafficpolicy-3] quit[~CE1] traffic policy udplimit[*CE1-trafficpolicy-udplimit] classifier udplimit behavior udplimit[*CE1-trafficpolicy-udplimit] classifier udplimit1 behavior udplimit1[*CE1-trafficpolicy-3] commit[~CE1-trafficpolicy-3] quit上述配置完成后,使用display traffic policy命令可以查看流量策略、策略中定义的流分类以及与流分类相关的流行为的配置情况。
[~CE1] display traffic policy user-definedUser Defined Traffic Policy Information: Total: 4095 Used: 3 Free: 4092 Policy: 1 Total: 256 Used: 2 Free: 254 Description: Step: 5 Share-mode Classifier: a Precedence: 5 Behavior: e Committed Access Rate: CIR 10000 (Kbps), PIR 0 (Kbps), CBS 15000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP cs5 Classifier: default-class Precedence: 65535 Behavior: be -none- Policy: 2 Total: 256 Used: 2 Free: 254 Description: Step: 5 Share-mode Classifier: b Precedence: 5 Behavior: f Committed Access Rate: CIR 5000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP af31 Classifier: default-class Precedence: 65535 Behavior: be -none- Policy: 3 Total: 256 Used: 2 Free: 254 Description: Step: 5 Share-mode Classifier: c Precedence: 5 Behavior: g Committed Access Rate: CIR 2000 (Kbps), PIR 0 (Kbps), CBS 100000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP default Classifier: default-class Precedence: 65535 Behavior: be -none- Policy: udplimit Total: 256 Used: 2 Free: 254 Description: Step: 5 Share-mode Classifier: udplimit Precedence: 5 Behavior: udplimit -none- Classifier: udplimit1 Precedence: 10 Behavior: udplimit1 Committed Access Rate: CIR 5000 (Kbps), PIR 15000 (Kbps), CBS 100000 (byte), PBS 200000 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Classifier: default-class Precedence: 65535 Behavior: be -none-# 将流量策略应用到入接口上。
[~CE1] interface gigabitethernet 0/1/0
[~CE1-GigabitEthernet0/1/0] undo shutdown
[*CE1-GigabitEthernet0/1/0] traffic-policy 1 inbound
[*CE1-GigabitEthernet0/1/0] commit
[~CE1-GigabitEthernet0/1/0] quit
[~CE1] interface gigabitethernet 0/3/0
[~CE1-GigabitEthernet0/3/0] undo shutdown
[*CE1-GigabitEthernet0/3/0] traffic-policy 2 inbound
[*CE1-GigabitEthernet0/3/0] commit
[~CE1-GigabitEthernet0/3/0] quit
[~CE1] interface gigabitethernet 0/4/0
[~CE1-GigabitEthernet0/4/0] undo shutdown
[*CE1-GigabitEthernet0/4/0] traffic-policy 3 inbound
[*CE1-GigabitEthernet0/4/0] commit
[~CE1-GigabitEthernet0/4/0] quit
[~CE1] interface gigabitethernet 0/2/0
[~CE1-GigabitEthernet0/2/0] undo shutdown
[*CE1-GigabitEthernet0/2/0] traffic-policy udplimit outbound
[*CE1-GigabitEthernet0/2/0] commit
[~CE1-GigabitEthernet0/2/0] quit
- 在PE1上配置复杂流分类,对接入MPLS骨干网的流量进行限制
# 配置流分类,定义匹配规则。
<PE1> system-view
[~PE1] traffic classifier pe[*PE1-classifier-pe] if-match any[*PE1-classifier-pe] commit[~PE1-classifier-pe] quit上述配置完成后,可以通过display traffic classifier命令查看流分类的配置信息。
[~PE1] display traffic classifier user-definedUser Defined Classifier Information:
Classifier: pe
Description:
Operator: OR
Rule(s):
if-match any
# 定义流行为,配置流量监管。
[~PE1] traffic behavior pe[*PE1-behavior-pe] car cir 15000 pir 20000 cbs 300000 pbs 500000[*PE1-behavior-pe] commit[~PE1-behavior-pe] quit# 定义流量策略,将流分类与流行为关联。
[~PE1] traffic policy pe[*PE1-trafficpolicy-pe] classifier pe behavior pe[*PE1-trafficpolicy-pe] commit[~PE1-trafficpolicy-pe] quit上述配置完成后,使用display traffic policy命令可以查看流量策略、策略中定义的流分类以及与流分类相关的流行为的配置情况。
[~PE1] display traffic policy user-definedUser Defined Traffic Policy Information: Total: 4095 Used: 3 Free: 4092 Policy: 1 Description: Step: 5 Share-mode Classifier: a Precedence: 5 Behavior: e Committed Access Rate: CIR 10000 (Kbps), PIR 0 (Kbps), CBS 15000 (byte), PBS 0 (byte) Conform Action: pass Yellow Action: pass Exceed Action: discard Marking: Remark DSCP cs5 Classifier: default-class Precedence: 65535 Behavior: be -none-# 将流量策略应用到入接口上。
[~PE1] interface gigabitethernet 0/1/0
[~PE1-GigabitEthernet0/1/0] undo shutdown
[*PE1-GigabitEthernet0/1/0] traffic-policy pe inbound
[*PE1-GigabitEthernet0/1/0] commit
[~PE1-GigabitEthernet0/1/0] quit
- 检查配置结果
正确进行上述配置后,当有流量通过,在CE1和PE1上可以通过display interface命令看到接口流量根据流量策略进行了带宽保证。
配置文件
CE1配置文件
#
sysname CE1
#
acl number 2001
rule 5 permit source 1.1.1.0 0.0.0.255
acl number 2002
rule 5 permit source 2.1.1.0 0.0.0.255
acl number 2003
rule 5 permit source 3.1.1.0 0.0.0.255
acl number 3001
rule 0 permit udp destination-port eq dns
rule 1 permit udp destination-port eq snmp
rule 2 dpermit udp destination-port eq snmptrap
rule 3 permit udp destination-port eq syslog
acl number 3302
rule 4 permit udp
#
traffic classifier a operator or
if-match acl 2001
traffic classifier c operator or
if-match acl 2003
traffic classifier b operator or
if-match acl 2002
traffic classifier udplimit operator or
if-match acl 3001
traffic classifier udplimit1 operator or
if-match acl 3002
#
traffic behavior e
car cir 10000 cbs 150000 pbs 0 green pass red discard
remark dscp cs5
traffic behavior g
car cir 2000 cbs 100000 pbs 0 green pass red discard
remark dscp default
traffic behavior f
car cir 5000 cbs 100000 pbs 0 green pass red discard
remark dscp af31
traffic behavior udplimit
traffic behavior udplimit1
car cir 5000 pir 15000 cbs 100000 pbs 200000 green pass yellow discard red discard
#
traffic policy 3
classifier c behavior g precedence 5
traffic policy 2
classifier b behavior f precedence 5
traffic policy 1
classifier a behavior e precedence 5
traffic policy udplimit
classifier udplimit behavior udplimit precedence 5
classifier udplimit1 behavior udplimit1 precedence 10
#
interface GigabitEthernet0/1/0undo shutdown
ip address 1.1.1.1 255.255.255.0
traffic-policy 1 inbound
#
interface GigabitEthernet0/2/0undo shutdown
ip address 10.1.1.1 255.255.255.0
traffic-policy udplimit outbound
#
interface GigabitEthernet0/3/0undo shutdown
ip address 2.1.1.1 255.255.255.0
traffic-policy 2 inbound
#
interface GigabitEthernet0/4/0undo shutdown
ip address 3.1.1.1 255.255.255.0
traffic-policy 3 inbound
#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.1.1.0 0.0.0.255
network 3.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
PE1配置文件
#
sysname PE1
#
mpls lsr-id 11.11.11.11
mpls
#
mpls ldp
#
traffic classifier pe operator or
if-match any
#
traffic behavior pe
car cir 15000 pir 20000 cbs 300000 pbs 500000 green pass yellow pass red discard
#
traffic policy pe
classifier pe behavior pe
#
interface GigabitEthernet0/1/0undo shutdown
ip address 10.1.1.2 255.255.255.0
traffic-policy pe inbound
#
interface GigabitEthernet0/2/0undo shutdown
ip address 10.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 11.11.11.11 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.10.1.0 0.0.0.255
network 11.11.11.11 0.0.0.0
#
return
P配置文件
#
sysname P
#
mpls lsr-id 33.33.33.33
mpls
#
mpls ldp
#
interface GigabitEthernet 0/1/0ip address 10.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet 0/2/0ip address 10.11.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 33.33.33.33 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.10.1.0 0.0.0.255
network 10.11.1.0 0.0.0.255
network 33.33.33.33 0.0.0.0
#
return
PE2配置文件
#
sysname PE2
#
mpls lsr-id 22.22.22.22
mpls
#
mpls ldp
#
interface GigabitEthernet0/1/0undo shutdown
ip address 10.12.1.2 255.255.255.0
#
interface GigabitEthernet0/2/0undo shutdown
ip address 10.11.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 22.22.22.22 255.255.255.255
#
ospf 10
area 0.0.0.0
network 10.11.1.0 0.0.0.255
network 10.12.1.0 0.0.0.255
network 22.22.22.22 0.0.0.0
#
return
CE2配置文件
#
sysname CE2
#
interface GigabitEthernet0/2/0undo shutdown
ip address 10.12.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.12.1.0 0.0.0.255
#
return
