Configuring ACL-based Simplified Traffic Policies

Overview of ACL-based Simplified Traffic Policies

This chapter covers the following topics:
- Configuration notes for ACL-based simplified traffic policies
- Configuring ACL-based packet filtering
- Configuring ACL-based traffic policing (S1720, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI): rate-limits packets that match ACL rules
- Configuring ACL-based traffic policing (S5720EI, S5720HI, S6720EI, S6720S-EI): rate-limits packets that match ACL rules
- Configuring ACL-based redirection (S1720GFR, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI): redirects packets that match ACL rules to the CPU or to a specified interface
- Configuring ACL-based redirection (S1720GW-E, S1720GWR-E, S1720GW, S1720GWR, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S6720EI, S6720S-EI)
- Configuring ACL-based re-marking
- Configuring ACL-based traffic statistics: counts packets that match specified ACL rules
- Configuring ACL-based flow mirroring
- Configuration examples showing how ACL-based simplified traffic policies are applied

Configuration Notes for ACL-based Simplified Traffic Policies

Licensing: ACL-based simplified traffic policies are a basic feature of the switch and are not controlled by a license.

Version support: Table 11-1 lists, per product series, the software versions that support ACL-based simplified traffic policies (the versions cited range from V100R006C01 through V200R009C00). For the detailed mapping between switch models and software versions, see the Ethernet switch version mapping quick reference.

Feature dependencies and restrictions:
- On the S1720, S2720EI, S2750, S5700LI, S5700S-LI, S5710-X-LI and S5720LI, ACL-based packet filtering, traffic policing, re-marking or traffic statistics does not take effect when all of the following conditions are met: the function is configured in the outbound direction; the ACL rule matches on VLAN ID; and VLAN mapping is configured on the interface with the mapped VLAN ID equal to the VLAN ID in the ACL rule.
- The S5720HI does not support simplified traffic policies based on user-defined ACLs.
- If an ACL rule matches on the VPN instance name of packets, the simplified traffic policy cannot be delivered.

Configuring ACL-based Packet Filtering

Background

Choose between the traffic-filter and traffic-secure commands for ACL-based packet filtering according to the following principles:
- If the ACL referenced by traffic-filter or traffic-secure is not also referenced by another ACL-based simplified traffic policy, the two commands behave the same.
- If the ACL is also referenced by another ACL-based simplified traffic policy and the rule action is deny, only the traffic-secure, traffic-mirror and traffic-statistics commands take effect (traffic-filter does not), and the packets are discarded.

Note: After IPv4 Layer 3 hardware forwarding is enabled on the S2720, S2750EI, S5700-10P-LI-AC and S5700-10P-PWR-LI-AC, traffic-secure cannot be configured.

Prerequisites

Before configuring ACL-based packet filtering, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Note: ACL-based packet filtering applied globally or in a VLAN uses ACLs numbered 2000 to 5999. UCL-based packet filtering used to control users on the network uses ACLs numbered 6000 to 9999; see the traffic-filter (UCL) command.

Procedure

Configuring packet filtering globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. With vlan vlan-id the filter applies to the VLAN; without it the filter applies globally.
   - traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]
     Filters inbound packets that match a single ACL rule.
   - traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
     Filters inbound packets that match a single ACL rule.
   - traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]
     Filters outbound packets that match a single ACL rule.
   - traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ], or
     traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]
     Filters packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
     Filters inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Configuring packet filtering on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands:
   - traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]
     Filters inbound packets that match a single ACL rule.
   - traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
     Filters inbound packets that match a single ACL rule.
   - traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]
     Filters outbound packets that match a single ACL rule.
   - traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ], or
     traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]
     Filters packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
     Filters inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
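The following is an added example, not part of the original guide or of any Huawei configuration: it uses the VLAN form of traffic-filter from the procedure above to keep hosts in a user VLAN away from the switch's own SSH and Telnet service unless they come from an administrator subnet. The VLAN number, addresses, ACL number and interface are assumptions chosen for the example; the display command is the one the page's own examples use for verification.

```text
# Assumed topology (example only): user VLAN 10, switch management address 192.168.1.1 on
# VLANIF 10, administrators in 192.168.1.64/27 (inside the same VLAN). Everything else in the
# VLAN is left untouched, so ordinary user traffic is not affected by this filter.
<HUAWEI> system-view
[HUAWEI] acl number 3010
# Advanced ACL rules are matched in configuration order (match-order config is the default),
# so the permit for the administrator subnet must come before the deny rules.
[HUAWEI-acl-adv-3010] rule 5 permit tcp source 192.168.1.64 0.0.0.31 destination 192.168.1.1 0 destination-port eq 22
[HUAWEI-acl-adv-3010] rule 10 deny tcp destination 192.168.1.1 0 destination-port eq 22
[HUAWEI-acl-adv-3010] rule 15 deny tcp destination 192.168.1.1 0 destination-port eq 23
[HUAWEI-acl-adv-3010] quit
# Apply the filter to every packet entering VLAN 10, whichever access port it arrives on.
# traffic-filter drops packets that hit a deny rule and passes packets that hit a permit rule;
# packets matching no rule are not touched by the filter.
[HUAWEI] traffic-filter vlan 10 inbound acl 3010
# Confirm that the ACL and all three rules were delivered to hardware in the inbound direction.
[HUAWEI] display traffic-applied vlan 10
```

The filter only covers traffic that enters VLAN 10; management access from other VLANs or from the uplink is not restricted by it and needs its own filter or a management-plane ACL.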

Configuring ACL-based Traffic Policing (S1720, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI)

ACL-based traffic policing rate-limits packets that match ACL rules.

Prerequisites

Before configuring ACL-based traffic policing, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Procedure

Configuring traffic policing globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. In the commands below, the inbound policing parameters are
   cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green pass ] [ yellow { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ] [ red { drop | pass [ remark-8021p 8021p-value | remark-dscp dscp-value ] } ]
   and the outbound policing parameters are
   cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ green pass ] [ yellow pass ] [ red { drop | pass } ].
   - traffic-limit [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <inbound policing parameters>
     Polices inbound packets that match a single ACL rule.
   - traffic-limit [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] <outbound policing parameters>
     Polices outbound packets that match a single ACL rule.
   - traffic-limit [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <inbound policing parameters>
     Polices inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-limit [ vlan vlan-id ] outbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <outbound policing parameters>
     Polices outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: cir-value must not exceed pir-value, and cbs-value must not exceed pbs-value.

Configuring traffic policing on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands, with the same inbound and outbound policing parameters as above:
   - traffic-limit inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <inbound policing parameters>
     Polices inbound packets that match a single ACL rule.
   - traffic-limit outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] <outbound policing parameters>
     Polices outbound packets that match a single ACL rule.
   - traffic-limit inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <inbound policing parameters>
     Polices inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-limit outbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <outbound policing parameters>
     Polices outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: cir-value must not exceed pir-value, and cbs-value must not exceed pbs-value.

Configuring ACL-based Traffic Policing (S5720EI, S5720HI, S6720EI, S6720S-EI)

ACL-based traffic policing rate-limits packets that match ACL rules.

Prerequisites

Before configuring ACL-based traffic policing, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Procedure

Configuring traffic policing globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. On these models the policing parameters are the same in both directions:
   cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ [ green { drop | pass } ] [ yellow { drop | pass } ] [ red { drop | pass } ] ]
   - traffic-limit [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <policing parameters>
     Polices inbound packets that match a single ACL rule.
   - traffic-limit [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] <policing parameters>
     Polices outbound packets that match a single ACL rule.
   - traffic-limit [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <policing parameters>, or
     traffic-limit [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <policing parameters>
     Polices inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-limit [ vlan vlan-id ] outbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <policing parameters>, or
     traffic-limit [ vlan vlan-id ] outbound acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <policing parameters>
     Polices outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: cir-value must not exceed pir-value, and cbs-value must not exceed pbs-value.

Configuring traffic policing on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands, with the same policing parameters as above:
   - traffic-limit inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <policing parameters>
     Polices inbound packets that match a single ACL rule.
   - traffic-limit outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] <policing parameters>
     Polices outbound packets that match a single ACL rule.
   - traffic-limit inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <policing parameters>, or
     traffic-limit inbound acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <policing parameters>
     Polices inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-limit outbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <policing parameters>, or
     traffic-limit outbound acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <policing parameters>
     Polices outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: cir-value must not exceed pir-value, and cbs-value must not exceed pbs-value.
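The following is an added example for both traffic policing sections above; it is not part of the original guide or of any Huawei configuration. It caps ICMP echo requests arriving from one user VLAN with a two-rate policer and uses only the parameter combination (green pass, yellow pass, red drop) that both platform groups accept. The VLAN, ACL numbers, interface and rates are assumptions chosen for the example.

```text
# Assumed (example only): user VLAN 100 enters the switch on trunk GE0/0/1. Allow echo
# requests from that VLAN at 512 kbit/s, tolerate bursts up to 1024 kbit/s, drop the rest.
<HUAWEI> system-view
# Layer 2 ACL: select the VLAN.
[HUAWEI] acl number 4010
[HUAWEI-acl-L2-4010] rule 5 permit vlan-id 100
[HUAWEI-acl-L2-4010] quit
# Layer 3 ACL: select ICMP echo requests. The rule must be permit: per the notes at the start
# of this chapter a deny rule does not drive traffic-limit, it simply discards the packets.
[HUAWEI] acl number 3020
[HUAWEI-acl-adv-3020] rule 5 permit icmp icmp-type echo
[HUAWEI-acl-adv-3020] quit
[HUAWEI] interface gigabitethernet 0/0/1
# Combined form: Layer 2 ACL first, then Layer 3 ACL; the policer acts on packets that match both.
# cir and pir are in kbit/s, cbs and pbs in bytes; cir must not exceed pir, cbs must not exceed pbs.
[HUAWEI-GigabitEthernet0/0/1] traffic-limit inbound acl 4010 acl 3020 cir 512 pir 1024 cbs 64000 pbs 128000 green pass yellow pass red drop
[HUAWEI-GigabitEthernet0/0/1] quit
# Check that the policer was delivered with the intended rates and colour actions.
[HUAWEI] display traffic-applied interface gigabitethernet 0/0/1
```

If cbs and pbs are omitted the switch derives them from cir and pir; the configuration file in the policing example later in this chapter shows the derived cbs values (250000 bytes for cir 2000, 500000 bytes for cir 4000).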

Configuring ACL-based Redirection (S1720GFR, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI)

ACL-based redirection sends packets that match ACL rules to the CPU or to a specified interface.

Prerequisites

Before configuring ACL-based redirection, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Procedure

Configuring redirection globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. Redirection is supported in the inbound direction only.
   - traffic-redirect [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match a single ACL rule.
   - traffic-redirect [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Configuring redirection on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands:
   - traffic-redirect inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match a single ACL rule.
   - traffic-redirect inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] { cpu | interface interface-type interface-number }
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Configuring ACL-based Redirection (S1720GW-E, S1720GWR-E, S1720GW, S1720GWR, S5720LI, S5720S-LI, S5720SI, S5720S-SI, S5720EI, S5720HI, S6720EI, S6720S-EI)

On these models ACL-based redirection sends packets that match ACL rules to the CPU, to a specified interface, or to a specified IPv4 or IPv6 next hop.

Prerequisites

Before configuring ACL-based redirection, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Procedure

Configuring redirection globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. Redirection is supported in the inbound direction only. In the commands below the redirect target is
   { cpu | interface interface-type interface-number | [ vpn-instance vpn-instance-name ] ip-nexthop ip-nexthop | ipv6-nexthop ipv6-nexthop }.
   - traffic-redirect [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match a single ACL rule.
   - traffic-redirect [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: The S1720GW-E, S1720GWR-E, S1720GW, S1720GWR, S5720LI and S5720S-LI do not support the vpn-instance vpn-instance-name parameter.

Configuring redirection on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands, with the same redirect target as above:
   - traffic-redirect inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match a single ACL rule.
   - traffic-redirect inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-redirect inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] <redirect target>
     Redirects inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: The S1720GW-E, S1720GWR-E, S1720GW, S1720GWR, S5720LI and S5720S-LI do not support the vpn-instance vpn-instance-name parameter.
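The following is an added example, not part of the original guide or of any Huawei configuration, for the ip-nexthop form of redirection available on the second group of models above: traffic from a guest VLAN toward the internal server range is steered to an inline inspection device by its IP next hop instead of following the route table. The VLAN, addresses, ACL number and interface are assumptions chosen for the example.

```text
# Assumed (example only): guest VLAN 120 enters on GE0/0/2; internal servers are 10.10.0.0/16;
# an inspection device is reachable from the switch at 192.168.254.2.
<HUAWEI> system-view
[HUAWEI] acl number 3030
# Match only guest-to-server traffic. Packets that match no rule keep the normal forwarding path,
# so the ACL must be as narrow as the inspection requirement: a too-broad rule would send
# unrelated traffic (including the return path to the guests) into the inspection device.
[HUAWEI-acl-adv-3030] rule 5 permit ip source 192.168.120.0 0.0.0.255 destination 10.10.0.0 0.0.255.255
[HUAWEI-acl-adv-3030] quit
[HUAWEI] interface gigabitethernet 0/0/2
# Redirection is inbound-only; the target is a next-hop IP address, not an interface.
[HUAWEI-GigabitEthernet0/0/2] traffic-redirect inbound acl 3030 ip-nexthop 192.168.254.2
[HUAWEI-GigabitEthernet0/0/2] quit
# Verify the redirect was delivered for inbound GE0/0/2, and that the next hop is actually
# reachable from the switch before relying on it (a redirect to an unreachable next hop
# black-holes the matched traffic instead of inspecting it).
[HUAWEI] display traffic-applied interface gigabitethernet 0/0/2
[HUAWEI] display arp | include 192.168.254.2
```

Because the redirect bypasses the route lookup, a change of address on the inspection device silently breaks the path; pair the configuration with reachability monitoring of the next hop.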

Configuring ACL-based Re-marking

Prerequisites

Before configuring ACL-based re-marking, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Procedure

Configuring re-marking globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. In the commands below, the inbound re-marking action is
   { 8021p 8021p-value | destination-mac mac-address | dscp { dscp-name | dscp-value } | ip-precedence ip-precedence-value | local-precedence local-precedence-value | vlan-id vlan-id }
   and the outbound re-marking action is
   { 8021p 8021p-value | cvlan-id cvlan-id | dscp { dscp-name | dscp-value } | vlan-id vlan-id }.
   - traffic-remark [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <inbound re-marking action>
     Re-marks inbound packets that match a single ACL rule.
   - traffic-remark [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] <outbound re-marking action>
     Re-marks outbound packets that match a single ACL rule.
   - traffic-remark [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <inbound re-marking action>,
     traffic-remark [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <inbound re-marking action>, or
     traffic-remark [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] <inbound re-marking action>
     Re-marks inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-remark [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <outbound re-marking action>,
     traffic-remark [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <outbound re-marking action>, or
     traffic-remark [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] <outbound re-marking action>
     Re-marks outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Configuring re-marking on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands, with the same inbound and outbound re-marking actions as above:
   - traffic-remark inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] <inbound re-marking action>
     Re-marks inbound packets that match a single ACL rule.
   - traffic-remark outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ] <outbound re-marking action>
     Re-marks outbound packets that match a single ACL rule.
   - traffic-remark inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <inbound re-marking action>,
     traffic-remark inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <inbound re-marking action>, or
     traffic-remark inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] <inbound re-marking action>
     Re-marks inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-remark outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] <outbound re-marking action>,
     traffic-remark outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] <outbound re-marking action>, or
     traffic-remark outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] <outbound re-marking action>
     Re-marks outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Note: The S1720, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720LI and S5720S-LI do not support every re-marking parameter listed above; check the command reference for these models before relying on a given parameter.
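The following is an added example, not part of the original guide or of any Huawei configuration, for the re-marking procedure above: packets entering from a user VLAN are forced to DSCP 0 so that endpoints cannot self-mark their traffic as expedited and compete with the voice VLAN that shares the same trunk. The VLANs, ACL number and interface are assumptions chosen for the example.

```text
# Assumed (example only): user PCs in VLAN 100 and IP phones in VLAN 200 both arrive on
# trunk GE0/0/1. Only VLAN 100 is re-marked; VLAN 200 keeps whatever DSCP the phones set.
<HUAWEI> system-view
[HUAWEI] acl number 4020
[HUAWEI-acl-L2-4020] rule 5 permit vlan-id 100
[HUAWEI-acl-L2-4020] quit
[HUAWEI] interface gigabitethernet 0/0/1
# Inbound re-marking of the Layer 3 DSCP field: any value a PC set (for example EF/46) is
# overwritten with 0 (best effort) before the packet is queued or forwarded upstream.
[HUAWEI-GigabitEthernet0/0/1] traffic-remark inbound acl 4020 dscp 0
[HUAWEI-GigabitEthernet0/0/1] quit
# Confirm the action was delivered for inbound GE0/0/1.
[HUAWEI] display traffic-applied interface gigabitethernet 0/0/1
```

Re-marking changes the field in the packet; how this switch then queues the packet depends on its interface trust settings, which are configured outside this chapter. The same command with 8021p 0 in place of dscp 0 resets the Layer 2 priority, which matters where downstream devices trust 802.1p rather than DSCP.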

Configuring ACL-based Traffic Statistics

ACL-based traffic statistics count the packets that match specified ACL rules.

Prerequisites

Before configuring ACL-based traffic statistics, complete the following tasks:
- Configure link-layer attributes of the interfaces so that the interfaces work properly.
- Configure the ACL rules.

Procedure

Configuring traffic statistics globally or in a VLAN

1. Run system-view to enter the system view.
2. Run one of the following commands. With by-bytes, inbound statistics are collected in bytes instead of packets.
   - traffic-statistic [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] [ by-bytes ]
     Collects statistics on inbound packets that match a single ACL rule.
   - traffic-statistic [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]
     Collects statistics on outbound packets that match a single ACL rule.
   - traffic-statistic [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] [ by-bytes ],
     traffic-statistic [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ], or
     traffic-statistic [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ]
     Collects statistics on inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-statistic [ vlan vlan-id ] outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ],
     traffic-statistic [ vlan vlan-id ] outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ], or
     traffic-statistic [ vlan vlan-id ] outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
     Collects statistics on outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Configuring traffic statistics on an interface

1. Run system-view to enter the system view.
2. Run interface interface-type interface-number to enter the interface view.
3. Run one of the following commands:
   - traffic-statistic inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] [ by-bytes ]
     Collects statistics on inbound packets that match a single ACL rule.
   - traffic-statistic outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]
     Collects statistics on outbound packets that match a single ACL rule.
   - traffic-statistic inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] [ by-bytes ],
     traffic-statistic inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ], or
     traffic-statistic inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] [ by-bytes ]
     Collects statistics on inbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.
   - traffic-statistic outbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ],
     traffic-statistic outbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ], or
     traffic-statistic outbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]
     Collects statistics on outbound packets that match both a Layer 2 ACL rule and a Layer 3 ACL rule.

Configuring ACL-based Flow Mirroring

For ACL-based flow mirroring, see "Configuring ACL-based Local Flow Mirroring" and the related ACL-based mirroring section under Mirroring Configuration in the S1720&S2700&S5700&S6720 V200R010C00 Configuration Guide - Network Management and Monitoring.

Viewing Traffic Statistics of ACL-based Packet Filtering

Procedure

Run the following commands to view traffic statistics of ACL-based packet filtering on the device:
- display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { bas-acl | adv-acl | user-acl } [ rule rule-id ] ]
- display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ]
- display traffic-statistics interface { inbound | outbound }
- display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl ipv6 { bas-acl | adv-acl | acl-name } [ rule rule-id ] ]

Clearing Traffic Statistics of ACL-based Packet Filtering

Caution: Traffic statistics cannot be restored after being cleared. Confirm that the statistics are no longer needed before running the commands below.

Procedure

Run the following commands to clear traffic statistics of ACL-based packet filtering on the device:
- reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { bas-acl | adv-acl | user-acl } [ rule rule-id ] ]
- reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ]
- reset traffic-statistics { interface | vlan } { inbound | outbound }
- reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl ipv6 { bas-acl | adv-acl | acl-name } [ rule rule-id ] ]
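The following is an added example, not part of the original guide or of any Huawei configuration, that ties together the traffic statistics, display and reset procedures above: connection attempts to SMB and RDP on the internal range are counted on the uplink without being blocked, so a rise in the counters is visible before any filtering decision is made. The interface, address range and ACL number are assumptions chosen for the example.

```text
# Assumed (example only): GE0/0/3 is the uplink; internal hosts are 10.10.0.0/16.
<HUAWEI> system-view
[HUAWEI] acl number 3040
# One rule per service so each gets its own counter. Permit is used because the goal is
# to measure, not to drop; with traffic-statistic a deny rule would also be counted, but
# traffic-filter is deliberately not applied here.
[HUAWEI-acl-adv-3040] rule 5 permit tcp destination 10.10.0.0 0.0.255.255 destination-port eq 445
[HUAWEI-acl-adv-3040] rule 10 permit tcp destination 10.10.0.0 0.0.255.255 destination-port eq 3389
[HUAWEI-acl-adv-3040] quit
[HUAWEI] interface gigabitethernet 0/0/3
# Without "rule rule-id" statistics are collected for every rule in the ACL (packet counts;
# add by-bytes to count bytes instead).
[HUAWEI-GigabitEthernet0/0/3] traffic-statistic inbound acl 3040
[HUAWEI-GigabitEthernet0/0/3] quit
# Read the counters for the whole ACL, or for a single rule.
[HUAWEI] display traffic-statistics interface gigabitethernet 0/0/3 inbound acl 3040
[HUAWEI] display traffic-statistics interface gigabitethernet 0/0/3 inbound acl 3040 rule 10
# Zero the counters at the start of a measurement window. Cleared values cannot be recovered,
# so record the previous reading first if it is needed.
[HUAWEI] reset traffic-statistics interface gigabitethernet 0/0/3 inbound acl 3040
```

Polling the display command at a fixed interval and diffing the counts gives a per-rule rate; a counter that climbs on rule 5 from an uplink that should never carry SMB is the kind of signal worth alerting on.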

Configuration Examples

This section shows how ACL-based simplified traffic policies are applied.

Example for Configuring Packet Filtering for Specified Hosts

Networking Requirements

As shown in Figure 11-1, enterprise users connect to the external network through interface GE0/0/2 of the Switch. The hosts with IP addresses 192.168.1.10, 192.168.1.11 and 192.168.1.12 must be prevented from accessing the external network during working hours.

Figure 11-1 Networking for packet filtering for specified hosts

Configuration Roadmap

The configuration roadmap is as follows:
1. Configure the interfaces so that enterprise users can access the external network through the Switch.
2. Configure a time range to be referenced by the ACL.
3. Configure an ACL that denies packets from the specified hosts during working hours.
4. Apply ACL-based packet filtering in the inbound direction of interface GE0/0/1.

Procedure

Step 1 Create a VLAN and configure the interfaces.

# Create VLAN 10 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit

# Configure GE0/0/1 and GE0/0/2 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit

Note: Configure the interface of the LSW that connects to the Switch as a trunk interface and add it to VLAN 10.

# Create VLANIF 10 and assign it an IP address.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit

Note: Configure the IP address of the Router interface that connects to the Switch as 192.168.1.2/24.

Step 2 Create the periodic time range working_time, covering 08:30 to 18:00 on working days.
[Switch] time-range working_time 08:30 to 18:00 working-day

Step 3 Configure ACL 3001 with three rules that deny IP packets whose source addresses are 192.168.1.10, 192.168.1.11 and 192.168.1.12 during working_time.
[Switch] acl number 3001
[Switch-acl-adv-3001] rule deny ip source 192.168.1.10 0 time-range working_time
[Switch-acl-adv-3001] rule deny ip source 192.168.1.11 0 time-range working_time
[Switch-acl-adv-3001] rule deny ip source 192.168.1.12 0 time-range working_time
[Switch-acl-adv-3001] quit

Step 4 Apply ACL-based packet filtering in the inbound direction of GE0/0/1.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-filter inbound acl 3001
[Switch-GigabitEthernet0/0/1] quit

Step 5 Verify the configuration.
# Check the ACL-based simplified traffic policy applied to GE0/0/1.
[Switch] display traffic-applied interface gigabitethernet 0/0/1
ACL applied inbound interface GigabitEthernet0/0/1
  ACL 3001
    rule 5 deny ip source 192.168.1.10 0 time-range working_time (match-counter 0)
    rule 10 deny ip source 192.168.1.11 0 time-range working_time (match-counter 0)
    rule 15 deny ip source 192.168.1.12 0 time-range working_time (match-counter 0)

Configuration Files

Switch configuration file
#
 sysname Switch
#
 vlan batch 10
#
 time-range working_time 08:30 to 18:00 working-day
#
acl number 3001
 rule 5 deny ip source 192.168.1.10 0 time-range working_time
 rule 10 deny ip source 192.168.1.11 0 time-range working_time
 rule 15 deny ip source 192.168.1.12 0 time-range working_time
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Example for Configuring Traffic Policing for Different VLANs

Networking Requirements

As shown in Figure 11-2, traffic from the enterprise reaches the Switch on GE0/0/1 in VLAN 100, VLAN 110 and VLAN 120 and leaves through GE0/0/2. Each VLAN must be rate-limited as specified in Table 11-2.

Figure 11-2 Networking for traffic policing for different VLANs

Table 11-2 Traffic policing requirements
Traffic type   CIR (kbit/s)   PIR (kbit/s)
VLAN 120       2000           10000
VLAN 110       4000           10000
VLAN 100       4000           10000

Configuration Roadmap

The configuration roadmap is as follows:
1. Create VLANs and configure the interfaces so that the enterprise can access the network through the Switch.
2. Configure ACLs on the Switch that match the different VLAN IDs.
3. Configure ACL-based traffic policing on the Switch to rate-limit packets from the enterprise per VLAN.

Procedure

Step 1 Create VLANs and configure the interfaces.

# Create VLAN 100, VLAN 110 and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120

# Configure GE0/0/1 and GE0/0/2 as trunk interfaces and add them to VLAN 100, VLAN 110 and VLAN 120.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure the ACLs.

# Create Layer 2 ACLs 4001, 4002 and 4003 to match VLAN 120, VLAN 110 and VLAN 100 respectively.
[Switch] acl number 4001
[Switch-acl-L2-4001] rule 1 permit vlan-id 120
[Switch-acl-L2-4001] quit
[Switch] acl number 4002
[Switch-acl-L2-4002] rule 1 permit vlan-id 110
[Switch-acl-L2-4002] quit
[Switch] acl number 4003
[Switch-acl-L2-4003] rule 1 permit vlan-id 100
[Switch-acl-L2-4003] quit

Step 3 Configure traffic policing.

# Configure traffic policing in the inbound direction of GE0/0/1 to rate-limit packets from the enterprise.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-limit inbound acl 4001 cir 2000 pir 10000
[Switch-GigabitEthernet0/0/1] traffic-limit inbound acl 4002 cir 4000 pir 10000
[Switch-GigabitEthernet0/0/1] traffic-limit inbound acl 4003 cir 4000 pir 10000
[Switch-GigabitEthernet0/0/1] quit

Step 4 Verify the configuration.

# Check the ACL-based simplified traffic policy applied to GE0/0/1.
[Switch] display traffic-applied interface gigabitethernet 0/0/1
# The output lists ACL 4001 (rule 1 permit vlan-id 120), ACL 4002 (rule 1 permit vlan-id 110) and ACL 4003 (rule 1 permit vlan-id 100) applied inbound on GigabitEthernet0/0/1, each with its configured cir and pir, a cbs value derived from cir (250000 bytes for ACL 4001, 500000 bytes for ACL 4002 and ACL 4003), and the actions green: pass, yellow: pass, red: drop.

Configuration Files

Switch configuration file
#
 sysname Switch
#
 vlan batch 100 110 120
#
acl number 4001
 rule 1 permit vlan-id 120
acl number 4002
 rule 1 permit vlan-id 110
acl number 4003
 rule 1 permit vlan-id 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 110 120
 traffic-limit inbound acl 4001 cir 2000 pir 10000 cbs 250000
 traffic-limit inbound acl 4002 cir 4000 pir 10000 cbs 500000
 traffic-limit inbound acl 4003 cir 4000 pir 10000 cbs 500000
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 110 120
#
return

Example for Configuring ACL-based Redirection

Networking Requirements

As shown in Figure 11-3, users in VLAN 100 and VLAN 200 connect to SwitchB, and SwitchB connects to SwitchA through GE0/0/1. SwitchA must redirect the packets it receives from SwitchB on GE0/0/1 to interface GE0/0/3.

Figure 11-3 Networking for ACL-based redirection (SwitchA, SwitchB and users)

Configuration Roadmap

The configuration roadmap is as follows:
1. Create VLANs and configure the interfaces on SwitchA and SwitchB.
2. Configure ACL-based redirection on SwitchA so that packets in VLAN 100 and VLAN 200 received on GE0/0/1 are redirected to GE0/0/3.
3. To prevent loops, enable port isolation on the SwitchA interfaces GE0/0/3 and GE0/0/4, and disable MAC address learning to prevent MAC address flapping.

Procedure

Step 1 Create VLANs and configure the interfaces.

# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200

# Configure GE0/0/2 and GE0/0/3 on SwitchB as access interfaces, add GE0/0/2 to VLAN 200 and GE0/0/3 to VLAN 100, and configure GE0/0/1 as a trunk interface that allows VLAN 100 and VLAN 200.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type access
[SwitchB-GigabitEthernet0/0/2] port default vlan 200
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type access
[SwitchB-GigabitEthernet0/0/3] port default vlan 100
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[SwitchB-GigabitEthernet0/0/1] quit

# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200

# Configure GE0/0/1, GE0/0/2, GE0/0/3 and GE0/0/4 on SwitchA as trunk interfaces, add them to VLAN 100 and VLAN 200, enable port isolation on GE0/0/3 and GE0/0/4, and disable MAC address learning on GE0/0/4.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/4] port-isolate enable
[SwitchA-GigabitEthernet0/0/4] mac-address learning disable
[SwitchA-GigabitEthernet0/0/4] quit

Step 2 Configure ACL-based redirection to steer the traffic.

# Create Layer 2 ACL 4001 on SwitchA to match VLAN 100 and VLAN 200.
[SwitchA] acl number 4001
[SwitchA-acl-L2-4001] rule permit vlan-id 100
[SwitchA-acl-L2-4001] rule permit vlan-id 200
[SwitchA-acl-L2-4001] quit

# Redirect inbound packets on GE0/0/1 that match ACL 4001 to GE0/0/3.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-redirect inbound acl 4001 interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/1] quit

Step 3 Verify the configuration.

# Check the ACL-based simplified traffic policy applied to GE0/0/1 of SwitchA.
[SwitchA] display traffic-applied interface gigabitethernet 0/0/1
ACL applied inbound interface GigabitEthernet0/0/1
  ACL 4001
    rule 5 permit vlan-id 100 redirect interface GigabitEthernet0/0/3
    rule 10 permit vlan-id 200 redirect interface GigabitEthernet0/0/3

Configuration Files

SwitchA configuration file
#
 sysname SwitchA
#
 vlan batch 100 200
#
acl number 4001
 rule 5 permit vlan-id 100
 rule 10 permit vlan-id 200
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
 traffic-redirect inbound acl 4001 interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 200
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type trunk
 mac-address learning disable
 port trunk allow-pass vlan 100 200
 port-isolate enable group 1
#
return

SwitchB configuration file
#
 sysname SwitchB
#
 vlan batch 100 200
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
return

Example for Configuring Priority Mapping with ACL-based Simplified Traffic Policies

Networking Requirements

As shown in Figure 11-4, the Switch connects to a router through interface GE0/0/3, and enterprise department 1 and enterprise department 2 access the core network through the Switch and the router. Department 1 uses VLAN 100 and department 2 uses VLAN 200.

Figure 11-4 Networking for priority mapping with ACL-based simplified traffic policies

Configuration Roadmap

The configuration roadmap is as follows:
1. Create VLANs and configure the interfaces so that both departments can access the network through the Switch.
2. Configure ACLs that match packets by VLAN ID.
3. Configure ACL-based re-marking in the inbound direction of GE0/0/1 and GE0/0/2 of the Switch to map priorities per department.

Procedure

Step 1 Create VLANs and configure the interfaces.

# Create VLAN 100 and VLAN 200 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200

# Configure GE0/0/1, GE0/0/2 and GE0/0/3 as trunk interfaces; add GE0/0/1 to VLAN 100, GE0/0/2 to VLAN 200, and GE0/0/3 to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit

Step 2 Configure ACL 4001 and ACL 4002 on the Switch to match packets by VLAN ID.
[Switch] acl number 4001
