应用高级ACL配置流分类示例.doc

应用高级ACL配置流分类示例组网需求如图1所示，公司企业网通过Switch实现各部门之间的互连。要求正确配置ACL，禁止研发部门和市场部门在上班时间（8:00至17:30）访问工资查询服务器（IP地址为10.164.9.9），而总裁办公室不受限制，可以随时访问。图1 应用高级ACL配置流分类组网图 配置思路采用如下的思路配置ACL：1. 配置接口IP地址。 2. 配置时间段。 3. 配置ACL。 4. 配置流分类。 5. 配置流行为。 6. 配置流策略。 7. 在接口上应用流策略。操作步骤1. 配置接口IP地址 # 配置接口加入VLAN，并配置VLANIF接口的IP地址。规划GE1/0/1GE1/0/3分别加入VLAN10、20、30，GE2/0/1加入VLAN100。VLANIF接口的地址取所在网段的第一个IP地址。下面配置以GE1/0/1接口为例，其他接口的配置与此类似，不再赘述。 system-viewHUAWEI vlan batch 10 20 30 100HUAWEI interface gigabitethernet 1/0/1HUAWEI-GigabitEthernet1/0/1 port link-type accessHUAWEI-GigabitEthernet1/0/1 port default vlan 10HUAWEI-GigabitEthernet1/0/1 quitHUAWEI interface vlanif 10HUAWEI-Vlanif10 ip address 10.164.1.1 255.255.255.0HUAWEI-Vlanif10 quit2. 配置时间段 # 配置8:00至17:30的周期时间段。HUAWEI time-range satime 8:00 to 17:30 working-day3. 配置ACL # 配置市场部门到工资查询服务器的访问规则。HUAWEI acl 3002HUAWEI-acl-adv-3002 rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satimeHUAWEI-acl-adv-3002 quit# 配置研发部门到工资查询服务器的访问规则。HUAWEI acl 3003HUAWEI-acl-adv-3003 rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range satimeHUAWEI-acl-adv-3003 quit4. 配置基于ACL的流分类 # 配置流分类c_market，对匹配ACL 3002的报文进行分类。HUAWEI traffic classifier c_marketHUAWEI-classifier-c_market if-match acl 3002HUAWEI-classifier-c_market quit# 配置流分类c_rd，对匹配ACL 3003的报文进行分类。HUAWEI traffic classifier c_rdHUAWEI-classifier-c_rd if-match acl 3003HUAWEI-classifier-c_rd quit5. 配置流行为 # 配置流行为b_market，动作为拒绝报文通过。HUAWEI traffic behavior b_marketHUAWEI-behavior-b_market denyHUAWEI-behavior-b_market quit# 配置流行为b_rd，动作为拒绝报文通过。HUAWEI traffic behavior b_rdHUAWEI-behavior-b_rd denyHUAWEI-behavior-b_rd quit6. 配置流策略 # 配置流策略p_market，将流分类c_market与流行为b_market关联。HUAWEI traffic policy p_marketHUAWEI-trafficpolicy-p_market classifier c_market behavior b_marketHUAWEI-trafficpolicy-p_market quit# 配置流策略p_rd，将流分类c_rd与流行为b_rd关联。HUAWEI traffic policy p_rdHUAWEI-trafficpolicy-p_rd classifier c_rd behavior b_rdHUAWEI-trafficpolicy-p_rd quit7. 应用流策略 # 将流策略p_market应用到GE1/0/2接口。HUAWEI interface gigabitethernet 1/0/2HUAWEI-GigabitEthernet1/0/2 traffic-policy p_market inboundHUAWEI-GigabitEthernet1/0/2 quit# 将流策略p_rd应用到GE1/0/3接口。HUAWEI interface gigabitethernet 1/0/3HUAWEI-GigabitEthernet1/0/3 traffic-policy p_rd inboundHUAWEI-GigabitEthernet1/0/3 quit8. 验证配置结果 # 查看ACL规则的配置信息。HUAWEI display acl all Total nonempty ACL number is 2Advanced ACL 3002, 1 ruleAcls step is 5 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active)Advanced ACL 3003, 1 ruleAcls step is 5 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0)(Active) # 查看流分类的配置信息。HUAWEI display traffic classifier user-defined User Defined Classifier Information: Classifier: c_market Precedence: 5 Operator: OR Rule(s) : if-match acl 3002 Classifier: c_rd Precedence: 10 Operator: OR Rule(s) : if-match acl 3003Total classifier number is 2# 查看流策略的配置信息。HUAWEI display traffic policy user-defined User Defined Traffic Policy Information: Policy: p_market Classifier: c_market Operator: OR Behavior: b_market Deny Policy: p_rd Classifier: c_rd Operator: OR Behavior: b_rd Deny Total policy number is 2# 查看流策略的应用信息。HUAWEI display traffic-policy applied-record# - Policy Name: p_market Policy Index: 0 Classifier:c_market Behavior:b_market - *interface GigabitEthernet1/0/2 traffic-policy p_market inbound slot 0 : success - Policy total applied times: 1. # - Policy Name: p_rd Policy Index: 1 Classifier:c_rd Behavior:b_rd - *interface GigabitEthernet1/0/3 traffic-policy p_rd inbound slot 0 : success - Policy total applied times: 1. # 配置文件#vlan batch 10 20 30 100 #time-range satime 08:00 to 17:30 working-day#acl number 3002 rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime#acl number 3003 rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime#traffic classifier c_market operator or precedence 5 if-match acl 3002traffic classifier c_rd operator or precedence 10 if-match acl 3003#traffic behavior b_market denytraffic behavior b_rd deny#traffic policy p_market match-order config classifier c_market behavior b_markettraffic policy p_rd match-order config classifier c_rd behavior b_rd #interface Vlanif10 ip address 10.164.1.1 255.255.255.0#interface Vlanif20 ip address 10.164.2.1 255.255.255.0#interface Vlanif30 ip address 10.164.3.1 255.255.255.0#interface Vlanif100 ip address 10.164.9.1 255.255.255.0 #interface GigabitEthernet1/0/1 port link-type access port default vlan 10#interface GigabitEthernet1/0/2 port link-type access port default vlan 20 traff