评分并提供意见反馈 :
华为采用机器翻译与人工审校相结合的方式将此文档翻译成不同语言,希望能帮助您更容易理解此文档的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 华为对于翻译的准确性不承担任何责任,并建议您参考英文文档(已提供链接)。
配置IP报文复杂流分类示例
以IP报文为例,介绍复杂流分类的配置。
组网需求
如图5-1所示,通过在DeviceC上配置复杂流分类,可实现对DeviceA与DeviceB之间的访问控制,并可以通过流量统计验证报文的收发情况。
本例中interface1,interface2分别代表GE0/1/0,GE0/2/0。
操作步骤
- 定义ACL规则。
<HUAWEI> system-view
[~HUAWEI] sysname DeviceC[*HUAWEI] commit[~DeviceC] acl number 3333[*DeviceC-acl-adv-3333]rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0[*DeviceC-acl-adv-3333]rule 10 permit ip source 2.2.2.2 0 destination 1.1.1.1 0[*DeviceC-acl-adv-3333] commit[~DeviceC-acl-adv-3333] quit - 定义流分类。
[~DeviceC] traffic classifier c1[*DeviceC-classifier-c1] if-match acl 3333[*DeviceC-classifier-c1] commit[~DeviceC-classifier-c1] quit - 定义流行为。
[~DeviceC] traffic behavior b1[*DeviceC-behavior-b1] permit[*DeviceC-behavior-b1] commit[~DeviceC-behavior-b1] quit - 定义流量策略。
[~DeviceC] traffic policy p1[*DeviceC-trafficpolicy-p1] classifier c1 behavior b1[*DeviceC-trafficpolicy-p1] share-mode[*DeviceC-trafficpolicy-p1] statistic enable[*DeviceC-trafficpolicy-p1] commit[~DeviceC-trafficpolicy-p1] quit - 应用流量策略。
[~DeviceC] interface gigabitethernet 0/1/0
[~DeviceC-GigabitEthernet0/1/0] traffic-policy p1 inbound
[*DeviceC-GigabitEthernet0/1/0] traffic-policy p1 outbound
[*DeviceC-GigabitEthernet0/1/0] commit
[~DeviceC-GigabitEthernet0/1/0] quit
[~DeviceC] interface gigabitethernet 0/2/0
[~DeviceC-GigabitEthernet0/2/0] traffic-policy p1 inbound
[*DeviceC-GigabitEthernet0/2/0] traffic-policy p1 outbound
[*DeviceC-GigabitEthernet0/2/0] commit
[~DeviceC-GigabitEthernet0/2/0] quit
- 检查配置结果。
进行上述配置后,可以首先在DeviceA上执行ping 2.2.2.2命令,来对DeviceB进行ping操作,再在DeviceC上通过display traffic policy statistics命令来查看DeviceA与DeviceB之间的流量统计情况。
[~DeviceC] display traffic policy statistics interface gigabitethernet 0/1/0 inbound
Info: The statistics is shared because the policy is shared. Interface: GigabitEthernet0/1/0 Traffic policy inbound: p1 Traffic policy applied at 2017-08-30 18:30:20 Statistics enabled at 2017-08-30 18:30:20 Statistics last cleared: Never Rule number: 1 IPv4, 0 IPv6 Current status: OK! Item Packets Bytes ------------------------------------------------------------------- Matched 5 500 +--Passed 4 400 +--Dropped 1 100 Last 30 seconds rate Item pps bps ------------------------------------------------------------------- Matched 5 500 +--Passed 4 400 +--Dropped 1 100
DeviceC的配置文件
# sysname DeviceC # acl number 3333 rule 5 permit ip source 1.1.1.1 0 destination 2.2.2.2 0 rule 10 permit ip source 2.2.2.2 0 destination 1.1.1.1 0 # traffic classifier c1 if-match acl 3333 # traffic behavior b1 permit # traffic policy p1 share-mode statistic enable classifier c1 behavior b1 # interface GigabitEthernet0/1/0 traffic-policy p1 inbound traffic-policy p1 outbound # interface GigabitEthernet0/2/0 traffic-policy p1 inbound traffic-policy p1 outbound
