华为S系列交换机流策略使用方式和流量统计

原创

羊草 2017-12-26 22:38:46 博主文章分类：网络应用 ©著作权

©著作权归作者所有：来自51CTO博客作者羊草的原创作品，请联系作者获取转载授权，否则将追究法律责任

华为系列的交换机，支持使用MQC流分类的方式查看IP,VLAN,MAC的报文流量，也支持简化的ACL的简化流策略的方式查看流量统计，甚至可以直接查看接口流量

使用流策略进行限速

根据 IP 地址进行限速

对IP地址为192.168.1.10的PC限速，带宽限制为4M。 <HUAWEI> system-view [HUAWEI] acl 2000 [HUAWEI-acl-basic-2000] rule permit source 192.168.1.10 0.0.0.0 [HUAWEI-acl-basic-2000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 2000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] car cir 4096 [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

对某网段设备进行限速

对IP地址为192.168.1.0网段设备进行限速，带宽限制为50M。 <HUAWEI> system-view [HUAWEI] acl 2000 [HUAWEI-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [HUAWEI-acl-basic-2000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 2000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] car cir 51200 [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

根据 IP 地址和协议进行限速

限制192.168.1.0网段设备访问Internet的HTTP（端口号为80）流量不超过10Mbps。 <HUAWEI> system-view [HUAWEI] acl 3000 [HUAWEI-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255 [HUAWEI-acl-adv-3000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 3000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] car cir 10240 [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

使用流策略对报文进行过滤

禁止指定主机访问网络

禁止IP地址为192.168.1.10的PC访问网络。 <HUAWEI> system-view [HUAWEI] acl 2000 [HUAWEI-acl-basic-2000] rule deny source 192.168.1.10 0.0.0.0 [HUAWEI-acl-basic-2000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 2000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] deny [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

禁止指定网段所有设备访问网络

禁止192.168.1.0网段所有设备访问网络。 <HUAWEI> system-view [HUAWEI] acl 2000 [HUAWEI-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255 [HUAWEI-acl-basic-2000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 2000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] deny [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

过滤指定应用协议报文

l 禁止TCP目的端口号为25的报文（ SMTP）通过。 l 禁止TCP目的端口号为110的报文（ POP3）通过。 l 禁止TCP目的端口号为80的报文（ HTTP）通过。 <HUAWEI> system-view [HUAWEI] acl 3000 [HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25 [HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110 [HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80 [HUAWEI-acl-adv-3000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 3000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] deny [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound

使用流策略配置流量统计

配置指定主机的统计信息

配置对源MAC为0000-0000-0003的报文进行流量统计。 <HUAWEI> system-view [HUAWEI] acl 4000 [HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff [HUAWEI-acl-L2-4000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 4000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] statistic enable [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 outbound

配置对 ICMP 报文进行统计

<HUAWEI> system-view [HUAWEI] acl 3000 [HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0 [HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0 [HUAWEI-acl-adv-3000] quit [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 3000 [HUAWEI-classifier-c1] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] statistic enable [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 [HUAWEI-trafficpolicy-p1] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound [HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 outbound

配置对 ARP 报文进行统计

统计接口发送的ARP报文和回应的ARP报文。 <HUAWEI> system-view [HUAWEI] traffic classifier arp-request [HUAWEI-classifier-arp-request] if-match l2-protocol arp [HUAWEI-classifier-arp-request] if-match source-mac 1111-1111-1111 [HUAWEI-classifier-arp-request] if-match destination-mac ffff-ffff-ffff [HUAWEI-classifier-arp-request] quit [HUAWEI] traffic classifier arp-reply [HUAWEI-classifier-arp-reply] if-match l2-protocol arp [HUAWEI-classifier-arp-reply] if-match source-mac 2222-2222-2222 [HUAWEI-classifier-arp-reply] if-match destination-mac 1111-1111-1111 [HUAWEI-classifier-arp-reply] quit [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] statistic enable [HUAWEI-behavior-b1] quit [HUAWEI] traffic policy arp-request [HUAWEI-trafficpolicy-arp-request] classifier arp-request behavior b1 [HUAWEI-trafficpolicy-arp-request] quit [HUAWEI] traffic policy arp-reply [HUAWEI-trafficpolicy-arp-reply] classifier arp-reply behavior b1 [HUAWEI-trafficpolicy-arp-reply] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] traffic-policy arp-request inbound [HUAWEI-GigabitEthernet0/0/1] traffic-policy arp-reply outbound

查看报文统计信息

配置通过流策略对报文进行统计之后，可以使用如下命令查看报文统计信息。显示全局入方向应用流策略后基于匹配规则的报文统计信息。 <HUAWEI> display traffic policy statistics interface GigabitEthernet 0/0/1 inbound verbose rule base Interface: GigabitEthernet0/0/1 Traffic policy inbound: arp-request Rule number: 1 Current status: OK! Statistics interval: 300 Classifier: arp-request operator and Behavior: b1 if-match l2-protocol arp if-match source-mac 1111-1111-1111 if-match destination-mac ffff-ffff-ffff Board : 0

Passed | Packets: 0 | Bytes: 0 | Rate(pps): 0

Rate(bps): 0
Dropped
Bytes: 0
Rate(pps): 0
Rate(bps): 0

基于简化ACL简化流策略配置流量统计

基于MQC方式配置流量统计时，虽然分类丰富多样，但是比较繁琐。因此，交换机提供ACL简化流策略的方式进行。在全局，VLAN或者接口下配置traffic-statistic,对匹配ACL的报文进行统计 <HUAWEI> system-view [HUAWEI]interface gigabitethernet 0/0/1 [HUAWEI-gigabitethernet 0/0/1]traffic-statistic inbound acl 3000 rule 1 配置完成后通过display traffic-statistic 命令查看