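Huawei switches support using MQC traffic classification to view packet traffic by IP, VLAN, or MAC. They also support viewing traffic statistics through ACL-based simplified traffic policies, and interface traffic can even be viewed directly.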

Rate-limit the PC with IP address 192.168.1.10 to a bandwidth of 4M.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.10 0.0.0.0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 2000
[HUAWEI-classifier-c1] quit
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] car cir 4096
[HUAWEI-behavior-b1] quit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[HUAWEI-trafficpolicy-p1] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound
Rate-limit devices on the 192.168.1.0 network segment to a bandwidth of 50M.
[HUAWEI-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[HUAWEI-behavior-b1] car cir 51200
Limit HTTP (port 80) traffic from devices on the 192.168.1.0 network segment to the Internet to no more than 10Mbps.
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
[HUAWEI-classifier-c1] if-match acl 3000
[HUAWEI-behavior-b1] car cir 10240
Block the PC with IP address 192.168.1.10 from accessing the network.
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.10 0.0.0.0
[HUAWEI-behavior-b1] deny
Block all devices on the 192.168.1.0 network segment from accessing the network.
[HUAWEI-acl-basic-2000] rule deny source 192.168.1.0 0.0.0.255
- Block packets with TCP destination port 25 (SMTP).
- Block packets with TCP destination port 110 (POP3).
- Block packets with TCP destination port 80 (HTTP).
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 25
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 110
[HUAWEI-acl-adv-3000] rule deny tcp destination-port eq 80
Configure traffic statistics for packets with source MAC 0000-0000-0003.
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] quit
[HUAWEI-classifier-c1] if-match acl 4000
[HUAWEI-behavior-b1] statistic enable
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 outbound
[HUAWEI-acl-adv-3000] rule 0 permit icmp source 192.168.1.1 0 destination 192.168.2.1 0
[HUAWEI-acl-adv-3000] rule 5 permit icmp source 192.168.2.1 0 destination 192.168.1.1 0
Count the ARP packets the interface sends and the ARP packets returned in reply.
[HUAWEI] traffic classifier arp-request
[HUAWEI-classifier-arp-request] if-match l2-protocol arp
[HUAWEI-classifier-arp-request] if-match source-mac 1111-1111-1111
[HUAWEI-classifier-arp-request] if-match destination-mac ffff-ffff-ffff
[HUAWEI-classifier-arp-request] quit
[HUAWEI] traffic classifier arp-reply
[HUAWEI-classifier-arp-reply] if-match l2-protocol arp
[HUAWEI-classifier-arp-reply] if-match source-mac 2222-2222-2222
[HUAWEI-classifier-arp-reply] if-match destination-mac 1111-1111-1111
[HUAWEI-classifier-arp-reply] quit
[HUAWEI] traffic policy arp-request
[HUAWEI-trafficpolicy-arp-request] classifier arp-request behavior b1
[HUAWEI-trafficpolicy-arp-request] quit
[HUAWEI] traffic policy arp-reply
[HUAWEI-trafficpolicy-arp-reply] classifier arp-reply behavior b1
[HUAWEI-trafficpolicy-arp-reply] quit
[HUAWEI-GigabitEthernet0/0/1] traffic-policy arp-request inbound
[HUAWEI-GigabitEthernet0/0/1] traffic-policy arp-reply outbound
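Configuring traffic statistics with MQC offers rich and varied classification, but it is rather tedious. The switch therefore also provides the ACL-based simplified traffic policy method: configure traffic-statistic globally, in a VLAN, or on an interface to collect statistics on packets that match the ACL.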
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-statistic inbound acl 3000 rule 1
After configuration, view the result with the display traffic-statistic command.
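Every policy above acts only on the packets its ACL rule selects, so it helps to check which hosts a wildcard mask covers before binding the policy to an interface. The Python sketch below is an added example, not part of the original post and not Huawei tooling: it parses only the rule syntax that appears on this page and returns the action of the first matching rule, assuming the rules are passed in evaluation order; parse_rule and first_match are hypothetical helper names.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _wildcard(text):
    # "0" is the shorthand for wildcard 0.0.0.0 used in the ICMP rules on this page.
    return 0 if text == "0" else _ip(text)

def parse_rule(line):
    """Parse the subset of 'rule ...' syntax shown on this page (hypothetical helper)."""
    tok = line.split()
    i = 2 if tok[1].isdigit() else 1          # skip the optional rule ID
    rule = {"action": tok[i], "proto": None, "src": None, "dst": None, "dport": None}
    i += 1
    if i < len(tok) and tok[i] in ("ip", "tcp", "udp", "icmp"):
        rule["proto"] = tok[i]
        i += 1
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            key = "src" if tok[i] == "source" else "dst"
            rule[key] = (_ip(tok[i + 1]), _wildcard(tok[i + 2]))
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            rule["dport"] = int(tok[i + 2])
        else:
            raise ValueError("unsupported keyword: " + tok[i])
        i += 3
    return rule

def _covers(spec, address):
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    base, wildcard = spec or (0, 0xFFFFFFFF)   # no clause in the rule: any address
    return ((_ip(address) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def first_match(rules, pkt):
    """Action of the first matching rule, or None. Assumes list order = evaluation order."""
    for r in rules:
        if r["proto"] not in (None, "ip", pkt.get("proto")):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        if _covers(r["src"], pkt["src"]) and _covers(r["dst"], pkt.get("dst", "0.0.0.0")):
            return r["action"]
    return None

# Rule text copied from this page; the packet is constructed test input.
ACL_3000 = [parse_rule("rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255")]
print(first_match(ACL_3000, {"proto": "tcp", "src": "192.168.1.77", "dport": 80}))
```

A result of None means no rule in the list selects the packet, so a classifier built on that ACL would not apply its behavior to it.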
This article is reposted from YANGCHAO1987's 51CTO blog. Original link: http://blog.51cto.com/11555417/2054941. To repost it, please contact the original author.