s series switches feature start-acl v1.0 d

Upload: astro-sutradhar

Post on 02-Mar-2018


  • 7/26/2019 S Series Switches Feature Start-ACL V1.0 D

    1/55

    S Series Switches

    Feature Start - ACL

    Issue 01

    Date 2013-09-30

    HUAWEI TECHNOLOGIES CO., LTD.

    Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

    All other trademarks and trade names mentioned in this document are the property of their respective holders.

    Notice

    The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.

    Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen, People's Republic of China

    Website: http://enterprise.huawei.com
    About This Document

    Purpose

    This document describes ACL features, including elementary knowledge, configuration guide, troubleshooting, troubleshooting cases, and FAQs.

    The procedures and methods for troubleshooting ACL faults are also provided in this document.

    Intended Audience

    This document is intended for:

    Technical support engineers

    Maintenance engineers

    Symbol Conventions

    The symbols that may be found in this document are defined as follows.

    Symbol Description

    Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in death or serious injury.

    Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.

    Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.

    Provides a tip that may help you solve a problem or save time.

    Provides additional information to emphasize or supplement important points in the main text.

    Change History

    Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

    Issue 01 (2013-09-30)

    This is the initial official release.


    Contents

    About This Document
    1 ACL Overview
    1.1 Introduction to ACL
    1.1.1 ACL Rules
    1.1.2 ACL Classification
    1.1.3 Matching Order of ACL Rules
    1.1.4 Time Range of an ACL
    1.2 Traffic Classifier
    1.2.1 Simple Traffic Classification
    1.2.2 Complex Traffic Classification
    1.2.3 Logical Relationship between Traffic Classifier Rules
    1.3 Traffic Behavior
    1.4 Traffic Policy
    1.5 Simplified ACL

    TCP/UDP source port number or range

    TCP/UDP destination port number or range


    1.2.3 Logical Relationship between Traffic Classifier Rules

    The logical relationship between traffic classifier rules can be OR or AND. The default relationship is OR on chassis switches and AND on box switches.

    AND

    Traffic classifier does not contain ACL rules.

    All if-match clauses use the AND relationship. Packets match the traffic classifier only when they match all the if-match clauses.

    Traffic classifier contains ACL rules.

    The logical relationship is AND among all if-match clauses but OR among all ACL rules. Packets match the traffic classifier only when the packets match one ACL rule and all the if-match clauses.

    For example, if a traffic classifier specifies the relationship among the following rules as AND:

    if-match dmac 0-0-3
    if-match smac 0-0-2
    if-match acl 3000 (acl 3000 contains two rules: rule permit ip source 1.1.1.1 0 and rule 10 permit ip source 2.2.2.2 0)

    Only packets that match the rules dmac 0-0-3, smac 0-0-2, and sip 1.1.1.1 or dmac 0-0-3, smac 0-0-2, and sip 2.2.2.2 can match the traffic classifier.

    OR

    A packet matches a traffic classifier as long as it matches one rule in the traffic classifier.

    For example, if a traffic classifier specifies the relationship among the following rules as OR:

    if-match dmac 0-0-3
    if-match smac 0-0-2
    if-match acl 3000 (acl 3000 contains two rules: rule permit ip source 1.1.1.1 0 and rule 10 permit ip source 2.2.2.2 0)

    Packets match the traffic classifier as long as they match any one of the preceding if-match clauses.
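The AND/OR semantics described above can be checked offline before a classifier is applied. The following is an added example, not part of the original document and not Huawei code: it parses the if-match clauses and permit rules from the example and evaluates a packet under either operator. The function names, the packet dictionary layout and the MAC shorthand comparison are assumptions of this sketch, and it goes slightly beyond the text by also honouring wildcard masks such as 0.0.0.255.

```python
import ipaddress
import re

def _to_int(addr):
    # Huawei configurations abbreviate the host wildcard 0.0.0.0 as "0".
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard does not mask out."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

# Only the rule form used in the document's examples is supported.
RULE_RE = re.compile(
    r"rule(?: (?P<id>\d+))? permit ip"
    r"(?: source (?P<src>\S+) (?P<swc>\S+))?"
    r"(?: destination (?P<dst>\S+) (?P<dwc>\S+))?$")

def parse_acl(lines):
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"rule form not handled by this sketch: {line!r}")
        rules.append(m.groupdict())
    return rules

def rule_hits(rule, pkt):
    if rule["src"] and not wildcard_match(pkt["sip"], rule["src"], rule["swc"]):
        return False
    if rule["dst"] and not wildcard_match(pkt["dip"], rule["dst"], rule["dwc"]):
        return False
    return True

# if-match keyword -> key in the packet dict (assumed layout)
FIELDS = {"dmac": "dmac", "smac": "smac", "vlan-id": "vlan"}

def classify(clauses, acls, operator, pkt):
    """Evaluate a traffic classifier against one packet.

    AND: every non-ACL clause must match, and if ACLs are referenced,
         at least one ACL rule must match (OR among all ACL rules).
    OR:  any single clause is enough.
    """
    field_results, acl_results = [], []
    for clause in clauses:
        _, kind, value = clause.split()
        if kind == "acl":
            acl_results.append(any(rule_hits(r, pkt) for r in acls[value]))
        elif kind in FIELDS:
            field_results.append(pkt.get(FIELDS[kind]) == value)
        else:
            raise ValueError(f"clause not handled by this sketch: {clause!r}")
    if operator == "or":
        return any(field_results + acl_results)
    return all(field_results) and (not acl_results or any(acl_results))

# Classifier and ACL taken from the example in the text.
CLAUSES = ["if-match dmac 0-0-3", "if-match smac 0-0-2", "if-match acl 3000"]
ACLS = {"3000": parse_acl(["rule permit ip source 1.1.1.1 0",
                           "rule 10 permit ip source 2.2.2.2 0"])}

def decisions(pkt):
    return {op: classify(CLAUSES, ACLS, op, pkt) for op in ("and", "or")}

if __name__ == "__main__":
    # Constructed packets: only the source IP differs.
    for sip in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        pkt = {"dmac": "0-0-3", "smac": "0-0-2", "sip": sip, "dip": "9.9.9.9"}
        print(sip, decisions(pkt))
```

A packet with both MAC addresses matching but source 3.3.3.3 is classified under OR and not under AND, which is the difference to keep in mind when the same configuration is moved between chassis and box switches with different defaults.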

    1.3 Traffic Behavior

    A traffic classifier must be associated with a traffic control action or a resource allocation action such as permit, deny, traffic policing, and re-marking so that the switch can provide differentiated services. These actions constitute a traffic behavior. A switch provides the following traffic behaviors based on complex traffic classification:

    Permit/Deny

    Re-marking

    Redirection

    Traffic policing

    Flow mirroring

    Security and traffic statistics

    All traffic behaviors except for deny can be used together.

    Permit/Deny

    The permit/deny action is the simplest traffic control action, which allows the switch to control network traffic by forwarding or discarding packets.

    Re-marking

    This action sets the precedence field in a packet. Packets carry different priority fields on various networks. For example, packets carry the 802.1p field in a VLAN, the ToS field on an IP network, and the EXP field on an MPLS network. Therefore, a switch is required to mark priority fields of packets based on the network type. Generally, a switch at the network border re-marks priority fields of incoming packets. Switches within the network provide QoS services based on the re-marked priority fields, or re-mark the priority fields based on their own configurations.

    Redirection

    This action redirects packets to the CPU of a specified interface card, specified interface, next hop address, or Label Switched Path (LSP) but does not forward packets based on the original destination IP address. A switch supports multiple next hops. Policy-based routing (PBR) is implemented based on redirection. A PBR route is a static route. When the redirect-to next hop is unavailable, the switch forwards packets based on the original forwarding path.

    Traffic policing

    This traffic control action limits the traffic rate and the resources used by traffic. By using traffic policing, the switch can discard excess packets, re-mark the color or precedence, or take other QoS measures to control the traffic rate.

    Traffic mirroring

    This action copies the specified data packets to a specified destination to detect and troubleshoot faults on a network.

    Traffic statistics

    This action collects statistics on data packets of specified service flows, including the number of forwarded and discarded packets and bytes that match specified traffic classification rules. The traffic statistics action is not a QoS control measure but can be used with other actions to improve security of networks and packets.

    1.4 Traffic Policy

    Packets can be classified according to Layer 2 information, Layer 3 information, or ACLs. To provide differentiated services for service flows, you must bind a traffic classifier and a traffic behavior to a traffic policy and apply the traffic policy. After a traffic classifier and traffic behavior are created, they must be bound to a traffic policy and applied to a specific interface or VLAN, or applied globally to take effect.

    After a traffic policy is applied, the system delivers ACLs to the chip. The delivering sequence or grouping of ACLs determines the order in which traffic policy rules are matched. You can run the traffic policy policy-name [ match-order { auto | config } ] command on a switch to specify the matching order. If the matching order is set to auto, rules are matched based on priorities of traffic classifiers predefined on the system. The priority order is: Layer 2 and Layer 3 information, Layer 2 information, Layer 3 information. If the matching order is set to config, rules are matched in the order in which traffic classifiers were configured. Switches that do not support the config mode use the auto matching order by default.


    1.5 Simplified ACL

    To make a traffic policy effective, you need to configure ACLs, traffic classifiers, and traffic behaviors, bind the traffic classifiers and traffic behaviors to the traffic policy, and apply it globally or to interfaces or VLANs. Box switches support simplified ACLs, which enable a simple configuration process. You only need to configure an ACL and bind the ACL to simplified ACL commands such as traffic-filter to make it effective. Simplified ACL commands include traffic-filter, traffic-limit, traffic-mirror, traffic-redirect, traffic-remark, and traffic-statistics. The traffic-redirect command redirects packets to the specified interface, CPU, or next hop. The traffic-remark command re-marks the information including the 802.1p priority, DMAC, DSCP, IP precedence, local precedence, and VLANs.

    Table 1 describes simplified ACL commands supported on different models.

    Table 1.5.1.1.1.1.1.1 Support for simplified ACL commands

    Simplified ACL Command | 200 I | 22 I | 300SI | 300I | 300HI | 00 SI
    traffic-filter | Supported | Supported | Supported | Supported | Supported | Supported
    traffic-limit | Supported | Supported | Supported | Supported | Supported | Supported
    traffic-mirror | Supported | Supported | Supported | Supported | Supported | Supported
    traffic-redirect | Not Supported | Supported | Supported | Supported | Supported | Does not support redirection to the next hop.
    traffic-remark | Does not support re-marking of DMAC/CVLAN/IP precedence. | Does not support re-marking of CVLAN. | Does not support re-marking of CVLAN. | Does not support re-marking of CVLAN. | Supported | Does not support re-marking of DMAC/CVLAN.
    traffic-statistics | Supported | Supported | Supported | Supported | Supported | Supported

    Simplified ACL Command | 00S#I | 00#I | 10I | 10HI | 00I | 00 HI | 00 I
    traffic-filter | Supported | Supported | Supported | Supported | Supported | Supported | Supported
    traffic-limit | Supported | Supported | Supported | Supported | Supported | Supported | Supported
    traffic-mirror | Supported | Supported | Supported | Supported | Supported | Supported | Supported
    traffic-redirect | Does not support redirection to the next hop. | Does not support redirection to the next hop. | Supported | Supported | Supported | Supported | Supported
    traffic-remark | Does not support re-marking of DMAC/CVLAN. | Does not support re-marking of DMAC/CVLAN. | Supported | Supported | Supported | Supported | Supported
    traffic-statistics | Supported | Supported | Supported | Supported | Supported | Supported | Supported

    1.6 Reflective ACL

    Users from a public network are denied access to a private network but sometimes are required to send data back to the private network after a user on the private network accesses the public network.

    After a reflective ACL is configured, request packets initiated by an external network user cannot enter the internal network. When a user on the internal network sends a request packet to a user on the external network, a reflective ACL entry is generated on the interface according to the source IP address, destination IP address, and port number in the packet. Then the user on the external network can access the user on the internal network.

    As shown in Figure 1.6.1.1.1.1.1, PC b on the external network cannot initially access PC a on the internal network. After PC a sends a packet with the source IP address IPa, source interface Porta, destination IP address IPb, and destination interface Portb to PC b, the switch with reflective ACL configured generates a reflective ACL rule that permits packets with the source IP address IPb, source interface Portb, destination IP address IPa, and destination interface Porta to pass through.

    Figure 1.6.1.1.1.1.1 Reflective ACL
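The entry generation described above, replayed over a short packet trace. This is an added example, not part of the original document and not the switch's implementation; the class, the trace format and all addresses and ports are constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    sip: str
    sport: int
    dip: str
    dport: int

class ReflectiveAcl:
    """Model of the reflective entries held on the external-facing interface."""

    def __init__(self):
        self.entries = set()

    def outbound(self, pkt):
        # Internal -> external request: install the mirrored permit entry
        # (source and destination swapped), as in the IPa/Porta example.
        self.entries.add(Flow(pkt.dip, pkt.dport, pkt.sip, pkt.sport))

    def inbound(self, pkt):
        # External -> internal: permitted only on an exact mirrored match.
        return "permit" if pkt in self.entries else "deny"

def replay(trace):
    """Return the verdict for each (direction, Flow) pair in order."""
    acl = ReflectiveAcl()
    verdicts = []
    for direction, pkt in trace:
        if direction == "out":
            acl.outbound(pkt)
            verdicts.append("permit")
        else:
            verdicts.append(acl.inbound(pkt))
    return verdicts

# Constructed sample: PC a is internal, PC b is external.
PC_A, PC_B = "192.0.2.10", "198.51.100.20"
TRACE = [
    ("in",  Flow(PC_B, 80, PC_A, 40000)),    # unsolicited, no entry yet
    ("out", Flow(PC_A, 40000, PC_B, 80)),    # request creates the entry
    ("in",  Flow(PC_B, 80, PC_A, 40000)),    # reply matches the entry
    ("in",  Flow(PC_B, 8080, PC_A, 40000)),  # same hosts, other source port
    ("in",  Flow(PC_B, 80, PC_A, 22)),       # same hosts, other destination port
]

if __name__ == "__main__":
    for (direction, pkt), verdict in zip(TRACE, replay(TRACE)):
        print(direction, pkt, verdict)
```

The last two packets show that the generated entry is scoped to the exact address and port pair of the request, so the external host gains no wider access to the internal host.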


    2 Configuration Guide

    2.1 Scenario 1: Configuring Priority Mapping

    2.1.1 Networking Description

    As shown in Figure 2.1.1.1.1.1.1, the switch connects to a router through GE2/0/1. Enterprise branches 1 and 2 access the network through the switch and router. Enterprise branch 1 belongs to VLAN 100 and enterprise branch 2 belongs to VLAN 200. Enterprise branch 1 requires better QoS guarantee. Priorities of packets from enterprise branches 1 and 2 are mapped to 4 and 2 respectively so that differentiated services are provided.

    Figure 2.1.1.1.1.1.1 Networking diagram of priority mapping based on simple traffic classification


    2.1.2 Configuration Roadmap

    The configuration roadmap is as follows:

    1. Create VLANs and configure interfaces so that enterprise branches 1 and 2 can connect to the network through the switch.

    2. Create traffic classifiers to classify service flows from different VLANs and configure priority mapping as the traffic behavior.

    3. Bind traffic policies to GE1/0/1 and GE1/0/2 on the switch respectively.

    2.1.3 Configuration Example

    Step 1 Create VLANs and configure interfaces.

    # Create VLANs 100, 200, and 300.

    <Switch> system-view
    [Switch] vlan batch 100 200 300

    # Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, add GE1/0/1 and GE1/0/2 to VLAN 100 and VLAN 200, and add GE2/0/1 to VLAN 100, VLAN 200, and VLAN 300.

    [Switch] interface gigabitethernet1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet1/0/2
    [Switch-GigabitEthernet1/0/2] port link-type trunk
    [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
    [Switch-GigabitEthernet1/0/2] quit
    [Switch] interface gigabitethernet2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200 300
    [Switch-GigabitEthernet2/0/1] quit

    Step 2 Configure traffic classifiers.

    # Configure traffic classifiers c1, c2, and c3 on the switch to classify different service flows from the enterprise based on VLAN ID.

    [Switch] traffic classifier c1
    [Switch-classifier-c1] if-match vlan-id 100
    [Switch-classifier-c1] quit
    [Switch] traffic classifier c2
    [Switch-classifier-c2] if-match vlan-id 200
    [Switch-classifier-c2] quit

    Step 3 Configure traffic behaviors.

    # Configure traffic behaviors b1 and b2 on the switch to map priorities of different service flows.

    [Switch] traffic behavior b1
    [Switch-behavior-b1] remark 8021p 4
    [Switch-behavior-b1] quit
    [Switch] traffic behavior b2
    [Switch-behavior-b2] remark 8021p 2
    [Switch-behavior-b2] quit

    Step 4 Configure traffic policies.

    # Configure traffic policies on the switch, bind the traffic behaviors and traffic classifiers to the traffic policies, and apply the traffic policies to GE1/0/1 and GE1/0/2.

    [Switch] traffic policy p1
    [Switch-trafficpolicy-p1] classifier c1 behavior b1
    [Switch-trafficpolicy-p1] quit
    [Switch] traffic policy p2
    [Switch-trafficpolicy-p2] classifier c2 behavior b2
    [Switch-trafficpolicy-p2] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] traffic-policy p2 inbound
    [Switch-GigabitEthernet1/0/2] quit

    Step 5 Verify the configuration.

    # Check information about the applied traffic policies. The traffic policy p1 is used as an example.

    [Switch] display traffic classifier user-defined c1
      User Defined Classifier Information:
       Classifier: c1
        Precedence: 10
        Operator: OR
        Rule(s) : if-match vlan-id 100

    [Switch] display traffic behavior user-defined b1
      User Defined Behavior Information:
        Behavior: b1
          Remark:
            Remark 8021p 4

    [Switch] display traffic policy user-defined p1
      User Defined Traffic Policy Information:
      Policy: p1
       Classifier: c1
        Operator: OR
         Behavior: b1
          Remark:
            Remark 8021p 4

    [Switch] display traffic-policy applied-record p1
    -------------------------------------------------
      Policy Name: p1
      Policy Index: 1
         Classifier:c1     Behavior:b1
    -------------------------------------------------
     *interface GigabitEthernet1/0/1
        traffic-policy p1 inbound
          slot 1 : success
    -------------------------------------------------
      Policy total applied times: 1.
    [Switch]

    ----End

    Configuration Files

    Configuration file of the switch

    #
    sysname Switch
    #
    vlan batch 100 200 300
    #
    traffic classifier c1 operator or precedence 10
     if-match vlan-id 100
    traffic classifier c2 operator or precedence 15
     if-match vlan-id 200
    #
    traffic behavior b1
     remark 8021p 4
    traffic behavior b2
     remark 8021p 2
    traffic behavior test
    #
    traffic policy p1
     classifier c1 behavior b1
    traffic policy p2
     classifier c2 behavior b2
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
     traffic-policy p1 inbound
    #
    interface GigabitEthernet1/0/2
     port link-type trunk
     port trunk allow-pass vlan 200
     traffic-policy p2 inbound
    #
    interface GigabitEthernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 200 300
    #
    return

    2.2 Scenario 2: Configuring Traffic Filtering

    2.2.1 Networking Description

    In Figure 2.2.1.1.1.1.1, the switch connects to users through GE1/0/1 and connects to a server through GE2/0/1. It is required that users connected to the switch do not communicate with each other and only communicate with the server.

    Figure 2.2.1.1.1.1.1 Networking diagram of traffic filtering based on complex traffic classification

    2.2.2 Configuration Roadmap

    The configuration roadmap is as follows:

    1. Configure an ACL rule to match packets with the source IP address 192.168.0.1/24 and destination IP address 192.168.2.100.

    2. Configure a traffic classifier to match the ACL.

    3. Configure a traffic policy, bind the traffic classifier and traffic behavior to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1.


    2.2.3 Configuration Example

    Step 1 Configure an ACL.

    # Configure advanced ACL 3000 on the switch to permit only packets with the source IP address 192.168.1.0/24 and destination IP address 192.168.2.100 and deny other IP packets.

    [Switch] acl 3000
    [Switch-acl-adv-3000] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0
    [Switch-acl-adv-3000] rule 2 deny ip
    [Switch-acl-adv-3000] quit

    Step 2 Configure a traffic classifier.

    # Create a traffic classifier c1 on the switch to match ACL 3000.

    [Switch] traffic classifier c1
    [Switch-classifier-c1] if-match acl 3000
    [Switch-classifier-c1] quit

    Step 3 Configure a traffic behavior.

    # Create a traffic behavior b1 on the switch and configure no action.

    [Switch] traffic behavior b1
    [Switch-behavior-b1] quit

    Step 4 Configure a traffic policy and apply the traffic policy to the interface.

    # Create a traffic policy p1 on the switch and bind the traffic classifier and traffic behavior to the traffic policy.

    [Switch] traffic policy p1
    [Switch-trafficpolicy-p1] classifier c1 behavior b1
    [Switch-trafficpolicy-p1] quit

    # Apply the traffic policy p1 to GE1/0/1.

    [Switch] interface gigabitethernet1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] quit

    Step 5 Verify the configuration.

    # Check the traffic policy configuration.

    <Switch> display acl 3000
    Advanced ACL 3000, 2 rules
    Acl's step is 5
     rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0
     rule 2 deny ip

    <Switch> display traffic classifier user-defined
       Classifier: c1
        Precedence: 10
        Operator: OR
        Rule(s) : if-match acl 3000
    Total classifier number is 1

    <Switch> display traffic policy user-defined p1
      User Defined Traffic Policy Information:
      Policy: p1
       Classifier: c1
        Operator: OR
         Behavior: b1
          -None-

    <Switch> display traffic-policy applied-record
    #
    -------------------------------------------------
      Policy Name: p1
      Policy Index: 1
         Classifier:c1     Behavior:b1
    -------------------------------------------------
     *interface GigabitEthernet1/0/1
        traffic-policy p1 inbound
          slot 1 : success
    -------------------------------------------------
      Policy total applied times: 1.
    #

    ----End


    Configuration Files

    Configuration file of the switch

    #
    sysname Switch
    #
    vlan batch 20
    #
    acl number 3000
     rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0
     rule 2 deny ip
    #
    traffic classifier c1 operator or precedence 5
     if-match acl 3000
    #
    traffic behavior b1
    #
    traffic policy p1
     classifier c1 behavior b1
    #
    interface GigabitEthernet1/0/1
     traffic-policy p1 inbound
    #
    return

    2.3 Scenario 3: Configuring Traffic Policing

    After classifying traffic into different types, the switch limits the rate of traffic matching traffic classifier rules. Traffic policing discards excess traffic to limit traffic within a proper range and to protect network resources and carriers' interests.

    2.3.1 Networking Description

    As shown in Figure 2.3.1.1.1.1.1, the switch connects to the router through GE2/0/1; enterprise users can access the network through the switch and router. Enterprise voice services, video services, and data services belong to VLAN 120, VLAN 110, and VLAN 100 respectively. On the switch, traffic policing needs to be performed on packets of different services to limit traffic within a proper range and provide bandwidth guarantee for services.

    Figure 2.3.1.1.1.1.1 Networking diagram of traffic policing based on complex traffic classification

    2.3.2 Configuration Roadmap

    The configuration roadmap is as follows:

    1. Create VLANs and configure interfaces on the switch so that enterprise users can access the network.

    2. Configure traffic classifiers on the switch to classify packets based on their VLAN IDs.

    3. Create a traffic policy on the switch, bind traffic behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to the interface connecting enterprise users to the switch.

    2.3.3 Configuration Example

    Step 1 Create VLANs and configure interfaces.

    # Create VLANs 100, 110, and 120 on the switch.

    <Quidway> system-view
    [Quidway] sysname Switch
    [Switch] vlan batch 100 110 120

    # Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100, VLAN 110, and VLAN 120.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 2/0/1
    [Switch-GigabitEthernet2/0/1] port link-type trunk
    [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 110 120
    [Switch-GigabitEthernet2/0/1] quit

    Step 2 Configure traffic classifiers.

    # Configure traffic classifiers c1, c2, and c3 on the switch to classify different service flows from the enterprise based on VLAN IDs.

    [Switch] traffic classifier c1
    [Switch-classifier-c1] if-match vlan-id 120
    [Switch-classifier-c1] quit
    [Switch] traffic classifier c2
    [Switch-classifier-c2] if-match vlan-id 110
    [Switch-classifier-c2] quit
    [Switch] traffic classifier c3
    [Switch-classifier-c3] if-match vlan-id 100
    [Switch-classifier-c3] quit

    Step 3 Configure traffic policing.

    # Configure traffic behaviors b1, b2, and b3 on the switch to perform traffic policing on different service flows.

    [Switch] traffic behavior b1
    [Switch-behavior-b1] car cir 2000 pir 10000
    [Switch-behavior-b1] quit
    [Switch] traffic behavior b2
    [Switch-behavior-b2] car cir 4000 pir 10000
    [Switch-behavior-b2] quit
    [Switch] traffic behavior b3
    [Switch-behavior-b3] car cir 4000 pir 10000
    [Switch-behavior-b3] quit

    Step 4 Configure a traffic policy and apply the traffic policy to an interface.

    # Create a traffic policy p1 on the switch, bind the traffic behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 to perform traffic policing and re-mark priorities on packets from the enterprise.

    [Switch] traffic policy p1
    [Switch-trafficpolicy-p1] classifier c1 behavior b1
    [Switch-trafficpolicy-p1] classifier c2 behavior b2
    [Switch-trafficpolicy-p1] classifier c3 behavior b3
    [Switch-trafficpolicy-p1] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
    [Switch-GigabitEthernet1/0/1] quit

    Step 5 Verify the configuration.

    # Check information about the traffic policy.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: c2
        Precedence: 15
        Operator: OR
        Rule(s) : if-match vlan-id 110
       Classifier: c3
        Precedence: 20
        Operator: OR
        Rule(s) : if-match vlan-id 100
       Classifier: c1
        Precedence: 10
        Operator: OR
        Rule(s) : if-match vlan-id 120
    Total classifier number is 3

    [Switch] display traffic behavior user-defined
      User Defined Behavior Information:
        Behavior: b2
          Committed Access Rate:
            CIR 4000 Kbps PIR 10000 Kbps CBS 500000 byte PBS 1250000 byte
            Color Mode: color Blind
            Conform Action: pass
            Yellow Action: pass
            Exceed Action: discard
        Behavior: b3
          Committed Access Rate:
            CIR 4000 Kbps PIR 10000 Kbps CBS 500000 byte PBS 1250000 byte
            Color Mode: color Blind
            Conform Action: pass
            Yellow Action: pass
            Exceed Action: discard
        Behavior: b1
          Committed Access Rate:
            CIR 2000 Kbps PIR 10000 Kbps CBS 250000 byte PBS 1250000 byte
            Color Mode: color Blind
            Conform Action: pass
            Yellow Action: pass
            Exceed Action: discard
    Total behavior number is 3

    [Switch] display traffic policy user-defined p1
      User Defined Traffic Policy Information:
      Policy: p1
       Classifier: c1
        Operator: OR
         Behavior: b1
          Committed Access Rate:
            CIR 2000 Kbps PIR 10000 Kbps CBS 250000 byte PBS 1250000 byte
            Color Mode: color Blind
            Conform Action: pass
            Yellow Action: pass
            Exceed Action: discard
       Classifier: c2
        Operator: OR
         Behavior: b2
          Committed Access Rate:
            CIR 4000 Kbps PIR 10000 Kbps CBS 500000 byte PBS 1250000 byte
            Color Mode: color Blind
            Conform Action: pass
            Yellow Action: pass
            Exceed Action: discard
       Classifier: c3
        Operator: OR
         Behavior: b3
          Committed Access Rate:
            CIR 4000 Kbps PIR 10000 Kbps CBS 500000 byte PBS 1250000 byte
            Color Mode: color Blind
            Conform Action: pass
            Yellow Action: pass
            Exceed Action: discard

    ----End

    Configuration Files

    Configuration file of the switch

    #
    sysname Switch
    #
    vlan batch 100 110 120
    #
    traffic classifier c1 operator or precedence 10
     if-match vlan-id 120
    traffic classifier c2 operator or precedence 15
     if-match vlan-id 110
    traffic classifier c3 operator or precedence 20
     if-match vlan-id 100
    #
    traffic behavior b1
     car cir 2000 pir 10000 cbs 250000 pbs 1250000 mode color-blind green pass yellow pass red discard
    traffic behavior b2
     car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
    traffic behavior b3
     car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
    #
    traffic policy p1
     classifier c1 behavior b1
     classifier c2 behavior b2
     classifier c3 behavior b3
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 110 120
     traffic-policy p1 inbound
    #
    interface GigabitEthernet2/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 110 120
    #
    return

    2.4 Scenario 9: Configuring QinQ

    2.4.1 Networking Description

    As shown in Figure 2.4.1.1.1.1.1, enterprise A has two offices and uses VLAN 10. The enterprise expects that some internal users in two offices can communicate through the carrier network.

    Figure 2.4.1.1.1.1.1 Networking diagram of QinQ based on traffic classifiers

    2.4.2 Configuration Roadmap

    The configuration roadmap for configuring QinQ on SWITCH 1 is as follows:

    1. Create VLANs and configure interfaces so that enterprise users can access the network through the switch.

    2. Configure a traffic classifier on the switch to classify packets based on their IP addresses and configure a traffic behavior to add a VLAN tag.

    3. Bind the traffic behavior and traffic classifier to a traffic policy and apply the traffic policy to the inbound direction of interfaces.

    2.4.3 Configuration Example

    Step 1 Create VLANs and configure interfaces.

    # Create VLAN 10 and VLAN 20.

    <Switch> system-view
    [Switch] vlan batch 10 20

    # Configure GE1/0/1 and GE1/0/2 as hybrid interfaces and add GE1/0/1 to VLAN 10 and VLAN 2 to VLAN 20.

    [Switch] interface gigabitethernet1/0/1
    [Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10
    [Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 20
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet1/0/2
    [Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 20
    [Switch-GigabitEthernet1/0/2] quit

    Step 2 Configure a traffic classifier.

    # Configure a traffic classifier c1 on the switch to add a VLAN tag to packets from 10.10.10.1/24.

    [Switch] acl 3000
    [Switch-acl-adv-3000] rule 1 permit ip source 10.10.10.1 0.0.0.255
    [Switch-acl-adv-3000] quit
    [Switch] traffic classifier c1
    [Switch-classifier-c1] if-match acl 3000
    [Switch-classifier-c1] quit

    Step 3 Configure a traffic behavior.

    # Create a traffic behavior b1 on the switch to add a tag to packets.

    [Switch] traffic behavior b1
    [Switch-behavior-b1] nest top-most vlan-id 20
    [Switch-behavior-b1] quit

    Step 4 Configure a traffic policy.

    # Configure a traffic policy on the switch, bind the traffic behavior and traffic classifier to the traffic policy, and apply the traffic policy to GE1/0/1 and GE1/0/2.

    [Switch] traffic policy 1
    [Switch-trafficpolicy-1] classifier c1 behavior b1
    [Switch-trafficpolicy-1] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy 1 inbound
    [Switch-GigabitEthernet1/0/1] quit

    Step 5 Verify the configuration.

    # Check information about the traffic policy.

    [Switch] display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: c1
        Precedence: 60
        Operator: OR
        Rule(s) : if-match acl 3000
    Total classifier number is 1

    [Switch] display traffic behavior user-defined
      User Defined Behavior Information:
        Behavior: b1
          Nest:
            Nest top-most vlanid 20
    Total behavior number is 1

    [Switch] display traffic policy user-defined 1
      User Defined Traffic Policy Information:
      Policy: 1
       Classifier: c1
        Operator: OR
         Behavior: b1
          Nest:
            Nest top-most vlanid 20

    [Switch] display traffic-policy applied-record 1
    -------------------------------------------------
      Policy Name: 1
      Policy Index: 8
         Classifier:c1 Behavior:b1
    -------------------------------------------------
     *interface GigabitEthernet1/0/1
        traffic-policy 1 inbound
          slot 1 : success

    #
    return

    2.5 Deployment Precautions

    2.5.1 Check that Traffic Policies Configured on Chassis Switches Are Applied Successfully

    Description: Chassis switches (V100R002) generate configurations for traffic policies that fail to be delivered. No info message is displayed to indicate that traffic policies fail to be delivered. Users may mistakenly consider that these traffic policies are successfully applied.

    Root cause: Chassis switches (V100R002) can dynamically update traffic policy information and generate configurations even if traffic policies fail to be applied. The system only records application failure information in logs but displays no info message.

    Identification method: Run the display traffic-policy xxx applied-record command.

    Solution: Run the display traffic-policy xxx applied-record command to check that application status of the traffic policy is displayed as success.

    Versions involved: V100R002
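    The check described in 2.5.1 can be scripted over captured CLI output. The following Python sketch is an added example, not part of the Huawei document: it parses applied-record text in the layout shown in this guide, reports every slot whose status is not "success", and lists bindings that the configuration expects but the record does not contain. The sample text is constructed, and the "fail" status string and the function names are assumptions.

```python
import re

# Constructed sample in the layout this guide shows for
# "display traffic-policy <name> applied-record". The "fail" status on
# slot 3 is an assumed failure string, used only to exercise the check.
SAMPLE = """\
-------------------------------------------------
  Policy Name: 1
  Policy Index: 8
     Classifier:c1 Behavior:b1
-------------------------------------------------
 *interface GigabitEthernet1/0/1
    traffic-policy 1 inbound
      slot 1 : success
      slot 3 : fail
 *vlan 1101
    traffic-policy 1 inbound
      slot 1 : success
-------------------------------------------------
"""

TARGET_RE = re.compile(r"^\*?\s*(interface|vlan)\s+(\S+)$", re.I)
BIND_RE = re.compile(r"^traffic-policy\s+(\S+)\s+(inbound|outbound)$", re.I)
SLOT_RE = re.compile(r"^slot\s+(\S+)\s*:\s*(\S+)", re.I)


def parse_applied_record(text):
    """Return one dict per 'slot N : status' line, with its binding context."""
    records = []
    target = policy = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            # A new "*interface ..." or "*vlan ..." block starts here.
            target = f"{m.group(1).lower()} {m.group(2)}"
            policy = direction = None
            continue
        m = BIND_RE.match(line)
        if m:
            policy, direction = m.group(1), m.group(2).lower()
            continue
        m = SLOT_RE.match(line)
        if m and target and policy:
            records.append({"target": target, "policy": policy,
                            "direction": direction, "slot": m.group(1),
                            "status": m.group(2).lower()})
    return records


def failed_applications(text):
    """Slots where the policy is configured but was not applied."""
    return [r for r in parse_applied_record(text) if r["status"] != "success"]


def unapplied_bindings(text, expected):
    """Bindings present in the configuration but absent from the record.

    expected: set of (target, direction) tuples taken from the saved
    configuration, e.g. ("interface GigabitEthernet1/0/1", "inbound").
    """
    seen = {(r["target"], r["direction"]) for r in parse_applied_record(text)}
    return set(expected) - seen


if __name__ == "__main__":
    for rec in failed_applications(SAMPLE):
        print("NOT APPLIED:", rec)
    want = {("interface GigabitEthernet1/0/1", "inbound"),
            ("interface GigabitEthernet2/0/1", "inbound")}
    print("MISSING:", unapplied_bindings(SAMPLE, want))
```

    Any status other than "success" is treated as a failure, so the check does not depend on the exact failure wording the device prints.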

    2.5.2 ACLs Configured to Control FTP/Telnet/SSH Login Users Discard Packets that Do Not Match the ACLs

    Description: When ACLs are referenced by upper layer software to control FTP/Telnet/SSH login users, packets that do not match the ACLs are discarded.

    Root cause: There are hardware ACLs and software ACLs. Hardware ACLs are implemented through the chip and delivered to the chip through the traffic policies. Hardware ACLs do not process packets that do not match the ACLs. When software ACLs are referenced by upper layer software to control FTP/Telnet/SSH login users, packets that do not match the ACLs are discarded. Hardware and software ACLs are implemented differently. Ensure that you configure correct ACLs.

    Identification method: Run the display acl xxx command.

    Solution: Run the display acl xxx command to check ACL configurations and ensure that correct ACLs are bound to FTP/Telnet/SSH.

    Versions involved: All versions

    3 Troubleshooting

    3.1 Troubleshooting Overview

    ACL is a most commonly deployed feature. Common ACL faults include:

    Traffic filtering does not take effect.

    The traffic policy that is configured to redirect traffic to the next hop does not take effect.

    This chapter describes methods to troubleshoot these ACL faults.

    3.2 Traffic Filtering Does Not Take Effect

    3.2.3 Troubleshooting Flowchart

    Figure 3.2.3.1.1.1.1 Troubleshooting flowchart

    3.2.4 Troubleshooting Procedure

    Step 1 Check traffic policy configurations.

    If the traffic classifier contains ACL rules, check whether ACL rules are correctly configured and whether the logical relationship of the traffic classifier is correct. If the traffic classifier contains Layer 2 and Layer 3 information, check whether traffic policies based on Layer 2 and Layer 3 information are correctly configured and applied successfully.

    display acl
    display traffic classifier user-defined
    display traffic behavior user-defined
    display traffic policy user-defined

    Step 2 Configure the traffic statistics function to check whether the switch receives packets.

    Configure a traffic classifier to match corresponding packets and configure a traffic behavior to collect traffic statistics. The following example collects traffic statistics on packets with the source IP address 192.168.0.1.

    #
    acl number 3000
     rule 1 permit ip source 192.168.0.1 0
    #
    traffic classifier test operator and
     if-match acl 3000
    #
    traffic behavior test
     statistic enable
    #
    traffic policy test
     classifier test behavior test
    #
    interface GigabitEthernet0/0/1
     traffic-policy test inbound
    #

    Check whether statistics on corresponding packets can be collected. If so, packets with the source IP address 192.168.0.1 are received by the local device. If not, the packets do not reach the local device.

    display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
     Interface: GigabitEthernet0/0/1
     Traffic policy inbound: test
     Rule number: 1
     Current status: OK!
     Board : 0
     Item                 Packets        Bytes
     ---------------------------------------------------------------------
     Matched                    0            -
      --Passed                  0            -
      --Dropped                 0            -
       --Filter                 0            -
       --URPF                   -            -
       --CAR                    0            -

    Step 3 Configure the traffic statistics function to check whether packets are received by the outbound interface.

    The method to configure the traffic statistics function is the same as that in step 2. After the traffic policy is configured, apply it to the outbound direction of the outbound interface.

    #
    acl number 3000
     rule 1 permit ip source 192.168.0.1 0
    #
    traffic classifier test operator and
     if-match acl 3000
    #
    #
    traffic classifier test operator and
     if-match 8021p 3
    #
    traffic behavior test
     statistic enable
    #
    traffic policy test
     classifier test behavior test
    #
    interface GigabitEthernet0/0/2
     traffic-policy test outbound
    #

    Check whether statistics on corresponding packets are collected. If so, packets have been sent from the outbound interface. If not, packets are discarded by the device.

    display traffic policy statistics interface GigabitEthernet 0/0/2 outbound
     Interface: GigabitEthernet0/0/2
     Traffic policy outbound: test
     Rule number: 1
     Current status: OK!
     Board : 0
     Item                 Packets        Bytes
     ---------------------------------------------------------------------
     Matched                    0            -
      --Passed                  0            -
      --Dropped                 0            -
       --Filter                 0            -
       --URPF                   -            -
       --CAR                    -            -

    Step 4 Check whether other configurations affect traffic forwarding.

    Check configurations that match the information in the traffic classifier and whether these configurations on VLAN interfaces affect packet forwarding.

    ----End

    3.3 Traffic Policy That Is Configured to Redirect Traffic to the Next Hop Does Not Take Effect

    3.3.2 Troubleshooting Roadmap

    The troubleshooting roadmap is as follows:

    1. Check whether the traffic policy is configured correctly.

    2. Check that the redirect-to-next hop exists.

    3. Configure the traffic statistics function to check that packets are sent to the next hop.

    3.3.3 Troubleshooting Flowchart

    Figure 3.3.3.1.1.1.1 Troubleshooting flowchart

    3.3.4 Troubleshooting Procedure

    Step 1 Check whether the traffic policy is configured correctly.

    Run the following command:

    display traffic-policy test applied-record
    -------------------------------------------------
      Policy Name: test
      Policy Index: 1
         Classifier:test Behavior:test
    -------------------------------------------------
     *interface GigabitEthernet0/0/1
        traffic-policy test inbound
          slot 0 : success

    Step 2 Check whether the redirect-to-next hop exists.

    Check whether the redirect-to-next hop exists based on the outbound interface. If not, traffic redirection cannot take effect. If so, find out the reasons why the upstream device does not send an ARP packet.

    display arp interface GigabitEthernet 0/0/10
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                              VLAN
    ------------------------------------------------------------------------------
    ------------------------------------------------------------------------------
    Total:0 Dynamic:0 Static:0 Interface:0

    Step 3 Configure the traffic statistics function to check whether packets are received by the next hop device.

    Configure a traffic behavior to collect traffic statistics in the traffic policy and check whether packet statistics can be collected. If so, packets are received by the next hop device. If not, the next hop device does not receive any packet.

    ----End

    3.4 Information Collection

    If the fault cannot be located, collect the following information. If non-Huawei devices are involved, collect information according to the command reference.

    3.4.1 Network Topology

    Collect network topology information including device names, system MAC addresses, and names of connected interfaces.

    3.4.2 display Command List

    Command                                   Description
    display version                           Displays version information.
    display device                            Displays device status.
    display patch-information                 Displays patch information.
    display cpu-usage slot slot-id            Displays CPU usage.
    display memory-usage slot slot-id         Displays memory usage.
    display current-configuration             Displays the device configuration.
    display interface                         Displays traffic on all ports every minutes or twice.
    display traffic policy statistics
    interface GigabitEthernet 0/0/x
    inbound/outbound                          Displays traffic statistics.
    display arp interface GigabitEthernet
    0/0/x                                     Display ARP information on the interface.

    3.4.3 Switch Logs and Diagnosis Logs

    Chassis switches

    Command for collecting diagnosis information:

    display diagnostic-information

    Log files and diagnosis logs

    Step 1 Run the save logfile command in the common view to save the configuration file.

    Step 2 Run the save diag-logfile command in the hidden view (diagnosis view in V200R001 and a later version) to save the diagnosis log file.

    Step 3 Start the FTP server on the PC and download the primary log files and diagnosis log files to the PC.

    Log files of the active MPUs on an S9

    Log files and diagnosis log files of the active MPUs are mandatory. If a fault triggers a switchover or the standby MPUs fail, you must collect log files and diagnosis log files of the standby MPUs. If a CSS is torn down, collect log files and diagnosis log files on the four MPUs.

    When the size of a log file exceeds the threshold, the switch automatically archives the log file and saves it as a .zip file. For example, 212-11-2.5--25.log.ip and 212-11-15.5-22-32.diag.ip are respectively an archived log file and a diagnosis log file. The file name indicates the archiving time. Therefore, collect the log file and diagnosis log file generated when the fault occurs.

    If the FTP server is unavailable, run the more command, such as more log.log. To collect diagnosis log files of V100R003 or later, run the display diag-logfile command in the hidden view (V100R003/V100R006) or diagnosis view (V200R001 or later), for example, display diag-logfile cfcard:/logfile/log.dblg. It takes a long time to collect a large log file. FTP is recommended for downloading log files.

    Box switches

    Command for collecting diagnosis information:

    display diagnostic-information

    Logs

    In V100R003 and V100R00

    Step 1 Run the display logbuffer command to collect information in the log buffer.

    Step 2 Run the display trapbuffer command to collect information in the trap buffer.

    Box switches support log file recording from V100R006; therefore, perform the following operations to collect log files:

    Step 1 Run the save logfile command in the common view to save the configuration file.

    Step 2 Start the FTP server on the PC and download the primary log files and diagnosis log files to the PC.

    Log files of box switches are saved in flash:/syslogfile and flash:/resetinfo.

    If a CSS is torn down or fails to be reset, collect log files of all devices in the CSS.

    Box switches have only a small number of log files. Send all files in directories syslogfile and resetinfo to R&D for analysis.

    Directories syslogfile or resetinfo may not exist on some models due to hardware restrictions, so you do not need to collect log files.

    4 Troubleshooting Cases

    4.1 After Traffic Filtering Is Configured, Traffic Fails To Be Forwarded As Expected

    4.1.1 Symptom and Networking

    As shown in Figure 4.1.1.1.1.1.1, the clients connect to the switch through interfaces in different VLANs. All the clients are on the same network segment 192.167.0.0/16. ACLs are configured to prohibit Layer 3 communications among the clients. However, packets from a client can still be forwarded by the switch to another client.

    Figure 4.1.1.1.1.1.1 Networking diagram

    Related configurations:

    acl number 3999
     rule 0 permit ip destination 192.167.0.0 0.0.255.255
    #
    traffic classifier denyacl operator or precedence 65535
     if-match acl 3999
    #
    traffic behavior deny
     deny
    #
    traffic policy miwangacl
     classifier denyacl behavior deny
    #
    user-bind mac-address 286e-d488-cf71 interface gigabitethernet 1/0/1
    interface GigabitEthernet1/0/0
     description connect N001
     port link-type access
     port default vlan 1150
     traffic-policy miwangacl inbound
     port-mirroring to observe-port 1 inbound
     port-mirroring to observe-port 1 outbound
    #
    interface GigabitEthernet1/0/1
     description connect N002
     port link-type access
     port default vlan 1160
     traffic-policy miwangacl inbound
     port-mirroring to observe-port 1 inbound
     port-mirroring to observe-port 1 outbound
     ip source check user-bind enable
    #
    interface GigabitEthernet1/0/2
     description connect N003
     port link-type access
     port default vlan 1170
     traffic-policy miwangacl inbound
     port-mirroring to observe-port 1 inbound
     port-mirroring to observe-port 1 outbound

    4.1.2 Root Cause

    The system delivers ACL rules for static binding entries. On the S

    Figure 4.2.1.1.1.1.1 Networking diagram

    Related configurations:

    acl number 3100
     rule 1 permit ip source 100.25.8.10 0
    traffic classifier tcCorpVpnRadiusUp precedence 100
     if-match acl 3100
    traffic classifier tcCorpVpnSvr1101 precedence 1101
     if-match vlan-id 1101
    traffic behavior bCorpVpnRadius1101
     redirect vpn-instance CorpVpn1101 ip-nexthop 192.168.15.20
    traffic behavior bCorpVpnSvr1101
     redirect vpn-instance CorpVpn1101 ip-nexthop 192.168.15.10
    traffic policy tCorpVpn1101
     classifier tcCorpVpnRadiusUp behavior bCorpVpnRadius1101
     classifier tcCorpVpnSvr1101 behavior bCorpVpnSvr1101
    vlan 1101
     traffic-policy tCorpVpn1101 inbound

    4.2.2 Root Cause

    The specified next-hop address does not exist or the traffic policy is set to auto, causing incorrect ACL rule matching.

    4.2.3 Identification Method

    Step 1 Check whether the traffic policy with redirect-to-next-hop behavior is correctly configured.

    display traffic-policy applied-record tCorpVpn1101
    --------------------------------------------------
      Policy Name: tCorpVpn1101
      Policy Index: 10
         Classifier:tcCorpVpnRadiusUp Behavior:bCorpVpnRadius1101
         Classifier:tcCorpVpnSvr1101 Behavior:bCorpVpnSvr1101
    -------------------------------------------------
     *vlan 1101
        traffic-policy tCorpVpn1101 inbound
          slot 1 : success
          slot 3 : success
          slot 4 : success
    -------------------------------------------------
      Policy total applied times: 1.

    Step 2 Check whether the redirect-to-next hop exists. If the following information is displayed, the next hop does not exist.

    display arp interface Vlanif 1501
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                              VLAN/CEVLAN
    ------------------------------------------------------------------------------
    192.168.15.1    101b-5498-000f            I -  Vlanif1501
    ------------------------------------------------------------------------------
    Total:1 Dynamic:0 Static:0 Interface:1

    Step 3 Check whether the downstream device correctly sends the ARP packet that carries the next-hop address. If not, the local device cannot learn the ARP entry. In this case, modify configurations on the downstream device. If the local device learns the next-hop address in the ARP entry but packets are forwarded to the interface 192.168.15.10 rather than the interface 192.168.15.20, the packets incorrectly match classifier tcCorpVpnRadiusUp behavior bCorpVpnRadius1101. This is because packets carry VLAN 1101 and the matching order of traffic policy rules is auto by default. In auto mode, a Layer 2 ACL has a higher priority than a Layer 3 ACL on chassis devices; therefore, the packets preferentially match a Layer 2 ACL.

    ----End

    4.2.4 Solution

    Modify configurations on the downstream device so that the downstream device can correctly send ARP packets.

    Set the matching order of traffic policy rules to config.

    4.2.5 Summary

    Note that priorities of traffic classifiers are not the order in which packets were matched.

    If traffic is not received on the redirect-to-next-hop device, check whether the device learns the ARP entry of the next-hop address.

    Set the matching order of traffic policy rules to config so that rules are matched in the order in which they were configured.

    5 FAQ

    5.1 Does the S00;S!00 Support Inter-Card Redirection? How Do I Configure This Function?

    The S

    5.2 Why Is CAR Rate Limiting Inaccurate?

    The switch counts lengths of the inter-frame gaps and VLAN tags when calculating the CAR, which causes inaccurate rate limiting. It is recommended that you use packets of over 1000 bytes in CAR tests to minimize the impact of inter-frame gaps and VLAN tags.

    For example, a 64-byte packet usually has an inter-frame gap of 20 bytes and a VLAN tag of 4 bytes. Therefore, the total packet length is 88 bytes (64 bytes + 20 bytes + 4 bytes = 88 bytes). During CAR rate limiting, the switch calculates the traffic rate based on the 88-byte packet length, so the rate limiting result is inaccurate. If the switch uses large packets, the lengths of inter-frame gap and the VLAN tag account for a small proportion of the total packet length and cause a little impact on the packet rate. Therefore, the rate limiting result is more accurate.

    5.3 How Is PBR Implemented on S-series Switches?

    S-series switches support weak PBR. Packets are still forwarded even if the specified next-hop address does not exist.

    Starting from V1R6, the switches support multiple next hops for redirection. The next hops work in active/standby mode. A maximum of four next-hop IP addresses can be configured in a traffic behavior. A switch determines the primary path and backup paths according to the sequence in which next-hop IP addresses were configured. The next-hop IP address that was configured first has the highest priority and this next hop is used as the primary path. Other next hops are used as backup paths. When the primary path is Down, one of the backup paths is selected as the new primary path.

    5.4 The Traffic Behavior Is Not Set to deny, but Traffic is Discarded, Why?

    The traffic policy may reference an ACL with a deny action. If traffic matches this ACL, the traffic is denied even when the permit action is configured in the traffic behavior. When an ACL is referenced by a traffic policy, the permit/deny actions in the ACL are used with the permit/deny actions in the traffic behavior. If a deny action is defined either in the ACL or the traffic behavior, the deny action is performed.

    5.5 How Do I Use a User-defined ACL?

    In V100R00 and a later version, a switch provides user-defined ACLs. A user-defined ACL can match any part of a packet. A user-defined ACL can start matching from the following fields based on the following information in a packet:

    l2-head

    ipv4-head and ipv6-head

    l4-head

    A user-defined ACL matches the four-byte character string after a specified offset in any of the preceding fields. The matched character string must be four bytes and the offset bytes are set through a command.

    For example, to match packets with the IPv4 TTL of 1, run the following commands:

    [Quidway] acl 5000
    [Quidway-acl-user-5000] rule permit ipv4-head 0x01000000 0xff000000 8

    The value 8 is the number of offset bytes before the TTL field in the IPv4 packet header. The TTL field occupies one byte and the value 0x01000000 corresponds to TTL value 1 after the offset from the IPv4 packet header.
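    The value/mask/offset semantics of the rule above can be checked offline before a rule is pushed to a switch. The following Python model is an added example, not Huawei code: it applies the rule to constructed IPv4 headers and goes one step beyond the TTL case by also matching the protocol byte that shares the same four-byte word. The function names and sample addresses are assumptions.

```python
import socket
import struct


def ipv4_header(ttl, proto=6, src="10.10.10.1", dst="192.168.0.1"):
    """Build a constructed 20-byte IPv4 header (checksum left at 0).

    Layout: version/IHL, TOS, total length, ID, flags/fragment,
    TTL (byte 8), protocol (byte 9), checksum (bytes 10-11), src, dst.
    """
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udf_rule_matches(header, value, mask, offset):
    """Model of 'rule permit ipv4-head <value> <mask> <offset>'.

    Reads the four bytes that follow 'offset' bytes of the header and
    compares only the bits selected by 'mask'.
    """
    if offset < 0 or offset + 4 > len(header):
        return False  # the four-byte window must lie inside the header
    (word,) = struct.unpack_from("!I", header, offset)
    return (word & mask) == (value & mask)


def window_hex(header, offset):
    """Hex view of the four-byte window, useful when choosing a mask."""
    return header[offset:offset + 4].hex()


if __name__ == "__main__":
    ttl1_tcp = ipv4_header(ttl=1, proto=6)
    ttl64_tcp = ipv4_header(ttl=64, proto=6)

    # The window at offset 8 holds TTL, protocol and checksum.
    print(window_hex(ttl1_tcp, 8))

    # The rule from the text: only the first byte (TTL) is compared.
    print(udf_rule_matches(ttl1_tcp, 0x01000000, 0xFF000000, 8))
    print(udf_rule_matches(ttl64_tcp, 0x01000000, 0xFF000000, 8))

    # A full mask also compares protocol and checksum, so the same
    # value no longer matches a TTL-1 TCP packet.
    print(udf_rule_matches(ttl1_tcp, 0x01000000, 0xFFFFFFFF, 8))

    # Widening the mask by one byte matches TTL 1 and protocol 6 together.
    print(udf_rule_matches(ttl1_tcp, 0x01060000, 0xFFFF0000, 8))
```

    The full-mask case shows why the mask in the documented rule is 0xff000000: the remaining three bytes of the window belong to the protocol and checksum fields and vary per packet.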

    5.6 How Do I Know About ACL Resource Usage?

    You can run the display acl resource slot slot-id command on the switch to check the ACL resource usage.

    Example: Run the display acl resource slot 3 command to check the ACL resource usage in slot 3.

    <Switch> display acl resource slot 3
    Slot 3
                     Vlan-ACL    Inbound-ACL    Outbound-ACL
    ----------------------------------------------------------------------------
    Rule Used              10            329               3
    Rule Free            2038           7863            1021
    Rule Total           2048           8192            1024
    Meter Used              0             58               0
    Meter Free              0           8134            1024
    Meter Total             0           8192            1024
    Counter Used            0             59               1
    Counter Free            0           8133            1023
    Counter Total           0           8192            1024
    ----------------------------------------------------------------------------

    The following table describes each field in the command output.

    Item             Description
    Slot             Slot ID.
    Vlan-ACL         ACL processor in a VLAN.
    Inbound-ACL      Upstream ACL processor.
    Outbound-ACL     Downstream ACL processor.
    Rule Used        Number of used ACL rules.
    Rule Free        Number of idle ACL rules.
    Rule Total       Total number of ACL rules.
    Meter Used       Number of used meters.
    Meter Free       Number of idle meters.
    Meter Total      Total number of meters.
    Counter Used     Number of used counters.
    Counter Free     Number of idle counters.
    Counter Total    Total number of counters.

    A Acronyms and Abbreviations

    ACL    Access Control List

    CAR    Committed Access Rate