Using Traffic Policies and Traffic Statistics on Huawei S-Series Switches

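Huawei S-series switches can use MQC traffic classification to view packet traffic by IP address, VLAN, or MAC address. They also support simplified ACL-based traffic policies for viewing traffic statistics, and interface traffic can even be viewed directly.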

Main commands
traffic classifier
traffic behavior
traffic policy
traffic-policy

Examples:
Rate limiting with a traffic policy

Rate limiting by IP address

Rate-limit the PC with IP address 192.168.1.10, capping its bandwidth at 4M.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 4096
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

acl 3001
rule permit ip destination 1.1.1.1 0.0.0.0
rule permit ip source 1.1.1.1 0.0.0.0

Rate limiting the devices on a subnet

Rate-limit the devices on the 192.168.1.0 subnet, capping the bandwidth at 50M.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 51200
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

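Rate limiting by IP address and protocol

Limit the HTTP (port 80) traffic that devices on the 192.168.1.0 subnet send to the Internet to no more than 10 Mbps.
<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255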
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 10240
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

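Filtering packets with a traffic policy
Blocking a specific host from accessing the network

Block the PC with IP address 192.168.1.10 from accessing the network.
<HUAWEI> system-view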
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

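Blocking all devices on a subnet from accessing the network

Block all devices on the 192.168.1.0 subnet from accessing the network.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255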
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

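Filtering packets of specific application protocols

- Block packets with TCP destination port 25 (SMTP).
- Block packets with TCP destination port 110 (POP3).
- Block packets with TCP destination port 80 (HTTP).
<HUAWEI> system-view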
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] deny
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

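Configuring traffic statistics with a traffic policy
Configuring statistics for a specific host

Collect traffic statistics for packets whose source MAC address is 0000-0000-0003.
<HUAWEI> system-view
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff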
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 outbound

Configuring statistics for ICMP packets

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0
[HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 outbound

Configuring statistics for ARP packets

Count the ARP packets that the interface sends and the ARP reply packets.
<HUAWEI> system-view
[HUAWEI] traffic classifier arp-request
[HUAWEI-classifier-arp-request] if-match l2-protocol arp
[HUAWEI-classifier-arp-request] if-match source-mac 1111-1111-1111
[HUAWEI-classifier-arp-request] if-match destination-mac ffff-ffff-ffff
[HUAWEI-classifier-arp-request] quit
[HUAWEI] traffic classifier arp-reply
[HUAWEI-classifier-arp-reply] if-match l2-protocol arp
[HUAWEI-classifier-arp-reply] if-match source-mac 2222-2222-2222
[HUAWEI-classifier-arp-reply] if-match destination-mac 1111-1111-1111
[HUAWEI-classifier-arp-reply] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy arp-request
[HUAWEI-trafficpolicy-arp-request] classifier arp-request behavior b1
[HUAWEI-trafficpolicy-arp-request] quit
[HUAWEI] traffic policy arp-reply
[HUAWEI-trafficpolicy-arp-reply] classifier arp-reply behavior b1
[HUAWEI-trafficpolicy-arp-reply] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy arp-request inbound
[HUAWEI-GigabitEthernet0/0/1] traffic-policy arp-reply outbound

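Viewing packet statistics
After packet statistics have been configured through a traffic policy, the following command displays them.
Display the rule-based packet statistics after a traffic policy has been applied globally in the inbound direction.
display traffic policy statistics interface GigabitEthernet 0/0/1 inbound verbose rule-base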
Interface: GigabitEthernet0/0/1
Traffic policy inbound: arp-request
Rule number: 1
Current status: OK!
Statistics interval: 300
Classifier: arp-request operator and
Behavior: b1
if-match l2-protocol arp
if-match source-mac 1111-1111-1111
if-match destination-mac ffff-ffff-ffff
Board : 0
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
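
Added example (not from the original post or from Huawei): a Python parser for the display traffic policy statistics output above, so that the Passed/Dropped counters can be collected by a monitoring script. The sample text is constructed from the layout shown above with made-up counter values; the function names and the threshold check are assumptions.

```python
import re

# Constructed sample: same layout as the output above, with made-up counters.
SAMPLE = """\
Interface: GigabitEthernet0/0/1
Traffic policy inbound: arp-request
Rule number: 1
Current status: OK!
Classifier: arp-request operator and
Behavior: b1
Board : 0
Passed | Packets: 1200
| Bytes: 76800
| Rate(pps): 4
| Rate(bps): 2048
Dropped | Packets: 30
| Bytes: 1920
| Rate(pps): 0
| Rate(bps): 0
"""

COUNTER = re.compile(r"^(?:(Passed|Dropped)\s*)?\|\s*(Packets|Bytes|Rate\(pps\)|Rate\(bps\)):\s*(\d+)\s*$")
FIELD = re.compile(r"^(Interface|Classifier|Behavior|Board)\s*:\s*(\S+)")

def parse_policy_stats(text):
    """Return one record per Board block: context fields plus Passed/Dropped counters."""
    records, ctx, current, group = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if key == "board":
                # A Board line opens a new counter block under the current classifier.
                current = dict(ctx, board=value, passed={}, dropped={})
                records.append(current)
                group = None
            else:
                ctx[key] = value
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            # Continuation lines ("| Bytes: ...") inherit the last Passed/Dropped label.
            group = (m.group(1) or group or "").lower()
            if group:
                current[group][m.group(2)] = int(m.group(3))
    return records

def over_threshold(records, max_pps):
    """Classifiers whose passed-packet rate exceeds max_pps (hypothetical alert rule)."""
    return [r["classifier"] for r in records if r["passed"].get("Rate(pps)", 0) > max_pps]
```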

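Configuring traffic statistics with the simplified ACL-based traffic policy

Configuring traffic statistics through MQC offers a rich variety of classification options, but it is rather cumbersome. The switch therefore also provides a simplified ACL-based traffic policy: configure traffic-statistic globally, in a VLAN, or on an interface to count the packets that match an ACL.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-statistic inbound acl 3000 rule 1
After the configuration is complete, use the display traffic-statistic command to view the results.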
