配置流镜像示例
研发部和市场部分别通过LSWA和LSWB连接到S9300的接口GE1/0/1和接口GE1/0/2上。现在需要监控研发部和市场部的802.1p优先级为6的报文,报文的出接口为GE1/0/3。
采用如下的思路配置流镜像:
1. 在S9300上创建VLAN,并将接口GE1/0/1、GE1/0/2、GE1/0/3加入同一VLAN。
2. 将接口GE1/0/3配置为观察接口
3. 创建流分类,并配置流分类规则是匹配802.1p优先级为6的报文。
4. 创建流行为,并在流行为中配置流镜像动作。
5. 创建流策略,绑定前面创建的流分类和流行为。
6. 在接口GE1/0/1和接口1/0/2上应用流策略。
为完成此配置示例,需准备如下的数据:
· 流分类的名称为c1。
· 流行为的名称为b1。
· 流策略的名称为p1。
· 创建的VLAN编号为2。
1. 配置端口和VLAN
2. <Quidway> system-view
3. [Quidway] sysname S9300
4. [S9300] vlan 2
5. [S9300-vlan2] quit
6. [S9300] interface GigabitEthernet 1/0/1
7. [S9300-GigabitEthernet1/0/1] port link-type trunk
8. [S9300-GigabitEthernet1/0/1] port trunk pvid vlan 2
9. [S9300-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
10. [S9300-GigabitEthernet1/0/1] quit
11. [S9300] interface GigabitEthernet 1/0/2
12. [S9300-GigabitEthernet1/0/2] port link-type trunk
13. [S9300-GigabitEthernet1/0/2] port trunk pvid vlan 2
14. [S9300-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
15. [S9300-GigabitEthernet1/0/2] quit
16. [S9300] interface GigabitEthernet 1/0/3
17. [S9300-GigabitEthernet1/0/3] port link-type trunk
18. [S9300-GigabitEthernet1/0/3] port trunk pvid vlan 2
19. [S9300-GigabitEthernet1/0/3] port trunk allow-pass vlan 2
[S9300-GigabitEthernet1/0/3] quit
20. 配置观察端口
# 在S9300上配置GE1/0/3为流镜像的观察端口。
[S9300] observe-port 1 interface GigabitEthernet 1/0/3
21. 配置流分类
# 在S9300上创建流分类c1,并配置流分类规则为匹配802.1p优先级为6的报文。。
[S9300] traffic classifier c1
[S9300-classifier-c1] if-match vlan-8021p 6
[S9300-classifier-c1] quit
22. 配置流镜像行为
# 在S9300上创建流行为b1,并配置流镜像动作。
[S9300] traffic behavior b1
[S9300-classifier-b1] mirroring observing-port 1
[S9300-classifier-b1] quit
23. 配置流镜像策略并应用到接口上
# 在S9300上创建流策略p1,将流分类和对应的流行为进行绑定,并将流策略应用到接口GE1/0/1和GE1/0/2的入方向上,对来自研发部和市场部的报文进行监控。
[S9300] traffic policy p1
[S9300-trafficpolicy-p1] classifier c1 behavior b1
[S9300-trafficpolicy-p1] quit
[S9300] interface GigabitEthernet 1/0/1 或 interface vlan10
[S9300-GigabitEthernet1/0/1] traffic-policy p1 inbound
[S9300-GigabitEthernet1/0/1] quit
[S9300] interface GigabitEthernet 1/0/2 或 interface vlan20
[S9300-GigabitEthernet1/0/2] traffic-policy p1 inbound
[S9300-GigabitEthernet1/0/2] quit
[S9300] quit
24. 验证配置结果
# 查看流分类的配置信息。
<S9300> display traffic classifier user-defined c1
User Defined Classifier Information:
Classifier: c1
Precedence: 5
Operator: OR
Rule(s) : if-match 5 vlan-8021p 6
# 查看流策略的配置信息。
<S9300> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: default-class
Behavior: be
-none-
Classifier: c1
Behavior: b1
Port-mirroring to observe-port 1
# 查看报文经S9300被转发后,接口GE1/0/1、GE1/0/2和GE1/0/3的计数,或者通过Server可以看到接口GE1/0/1和GE1/0/2收发的所有报文,说明接口GE1/0/1和GE1/0/2上的报文已经被S9300镜像过来。
<S9300> display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : Up
Description:HUAWEI, Quidway Series, GigabitEthernet1/0/1 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1536
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc00-1704
Port Mode: FORCE FIBER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : NORMAL
Last 300 seconds input rate 9849952 bits/sec, 19238 packets/sec
Last 300 seconds output rate 9849936 bits/sec, 19238 packets/sec
Input: 342496 bytes
Unicast: 0, NUnicast: 0
Discard: 0, Error : 0
Output: 0 bytes
Unicast: 0, NUnicast: 0
Discard: 0, Error : 0
<S9300> display interface GigabitEthernet 1/0/2
GigabitEthernet1/0/2 current state : Up
Description:HUAWEI, Quidway Series, GigabitEthernet1/0/1 Interface
Switch Port,PVID : 2,The Maximum Frame Length is 1536
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc00-1704
Port Mode: FORCE FIBER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : NORMAL
Last 300 seconds input rate 9849952 bits/sec, 19238 packets/sec
Last 300 seconds output rate 9849936 bits/sec, 19238 packets/sec
Input: 171248 bytes
Unicast: 0, NUnicast: 0
Discard: 0, Error : 0
Output: 0 bytes
Unicast: 0, NUnicast: 0
Discard: 0, Error : 0
<S9300> display interface GigabitEthernet 1/0/3
GigabitEthernet1/0/3 current state : Up
Description:HUAWEI, Quidway Series, GigabitEthernet1/0/1 Interface
Switch Port,PVID : 3,The Maximum Frame Length is 1526
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc00-1704
Port Mode: FORCE FIBER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : NORMAL
Last 300 seconds input rate 9849952 bits/sec, 19238 packets/sec
Last 300 seconds output rate 9849936 bits/sec, 19238 packets/sec
Input: 513744 bytes
Unicast: 0, NUnicast: 0
Discard: 0, Error : 0
Output: 0 bytes
Unicast: 0, NUnicast: 0
Discard: 0, Error : 0
· S9300的配置文件
· #
· sysname S9300
· #
· vlan batch 2
· #
· observe-port 1 interface GigabitEthernet1/0/3
· #
· traffic classifier c1 operator or precedence 5
· if-match 5 vlan-8021p 6
· #
· traffic behavior b1
· mirroring observing-port 1
· #
· traffic policy p1
· classifier c1 behavior b1
· #
· interface GigabitEthernet1/0/1
· port link-type trunk
· port trunk pvid vlan 2
· port trunk allow-pass vlan 2
· traffic-policy p1 inbound
· #
· interface GigabitEthernet1/0/2
· port link-type trunk
· port trunk pvid vlan 2
· port trunk allow-pass vlan 2
· traffic-policy p1 inbound
· #
· interface GigabitEthernet1/0/3
· port link-type trunk
· port trunk pvid vlan 2
· port trunk allow-pass vlan 2
· #
· return
转载于:https://blog.51cto.com/lawrence/744805
509
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
