
H3C S5830V2[S5820V2] Series Ethernet Switches Typical Configuration Examples-Release22xx Series-6W100


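37-Traffic Policing Configuration Examples


1  Traffic policing configuration examples

1.1  Introduction

This chapter provides configuration examples that use traffic policing and aggregate CAR to control traffic in common network environments.

1.2  Configuration example: traffic policing based on IP address and protocol type

1.2.1  Applicable products and versions

Table 1 Products and software/hardware versions to which this configuration applies

Product                                       Software version

S5830V2 & S5820V2 series Ethernet switches    Release 2208P01, Release 2210

1.2.2  Network requirements

Figure 1 Network diagram for the traffic policing configuration example

A company connects to the Internet over a leased line with an uplink bandwidth of 6 Mbps, and all terminal devices use the firewall as their gateway. Traffic policing is required to classify and rate-limit the traffic sent upstream to the Internet:

·     HTTP traffic: the total uplink rate is limited to 3 Mbps. The 25 hosts in the R&D department are allocated 1 Mbps of uplink bandwidth, with a maximum of 128 Kbps per host. The 40 hosts in the marketing department are allocated 2 Mbps of uplink bandwidth, with a maximum of 256 Kbps per host.

·     IP voice traffic: the R&D and marketing departments have 55 IP phones in total, and each phone needs 32 Kbps for a call. Normally, based on 20 IP phones in simultaneous use, 640 Kbps of uplink bandwidth is allocated. To accommodate possible momentary bursts of more simultaneous calls, the peak burst bandwidth is calculated for 25 IP phones as 800 Kbps.

·     The mail server sends e-mail to the external network on behalf of all clients, and its uplink bandwidth is limited to 512 Kbps.

·     The FTP server provides data services to branch offices over the external network, and upstream FTP data traffic is limited to no more than 1 Mbps.

1.2.3  Configuration approach

To police data flows with different characteristics, the key is to define the traffic classification rules that match each service's data. In this example, ACLs are used to match IP packets of various protocols or sources, and these classification rules are bound to different traffic policing actions, so that data with different characteristics is limited to different rates.

1.2.4  Configuration notes

In a traffic behavior, the traffic policing action cannot be configured together with a priority re-marking action (including local precedence, drop precedence, 802.1p priority, DSCP, and IP precedence). Otherwise, the QoS policy cannot be applied correctly.

1.2.5  Configuration procedure

1. Configuration on Switch A

(1)     Configure the VLAN attributes of the ports

# Configure port Ten-GigabitEthernet1/0/1 as a trunk port, permit VLAN 10, VLAN 20, VLAN 30, and VLAN 100, and remove VLAN 1 from the permitted VLANs.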

<SwitchA> system-view

[SwitchA] interface ten-gigabitethernet 1/0/1

[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk

[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30 100

[SwitchA-Ten-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[SwitchA-Ten-GigabitEthernet1/0/1] quit

# Configure port Ten-GigabitEthernet1/0/2 as a trunk port, permit VLAN 10, VLAN 20, and VLAN 30, and remove VLAN 1 from the permitted VLANs.

[SwitchA] interface ten-gigabitethernet 1/0/2

[SwitchA-Ten-GigabitEthernet1/0/2] port link-type trunk

[SwitchA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 10 20 30

[SwitchA-Ten-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[SwitchA-Ten-GigabitEthernet1/0/2] quit

# Keep port Ten-GigabitEthernet1/0/3 as an access port, create VLAN 100, and add port Ten-GigabitEthernet1/0/3 to VLAN 100.

[SwitchA] vlan 100

[SwitchA-vlan100] quit

[SwitchA] interface ten-gigabitethernet 1/0/3

[SwitchA-Ten-GigabitEthernet1/0/3] port access vlan 100

[SwitchA-Ten-GigabitEthernet1/0/3] quit

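(2)     Configure the traffic classes and traffic behaviors that limit each department's upstream traffic

# Create advanced IPv4 ACL 3000 to match HTTP traffic (TCP port 80) sent by the R&D department.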

[SwitchA] acl number 3000

[SwitchA-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255

[SwitchA-acl-adv-3000] quit

# Create traffic class rd_http and use IPv4 ACL 3000 as its match criterion.

[SwitchA] traffic classifier rd_http

[SwitchA-classifier-rd_http] if-match acl 3000

[SwitchA-classifier-rd_http] quit

# Create traffic behavior rd_http with a traffic policing action and a CIR of 1024.

[SwitchA] traffic behavior rd_http

[SwitchA-behavior-rd_http] car cir 1024

[SwitchA-behavior-rd_http] quit

# Create advanced IPv4 ACL 3001 to match HTTP traffic sent by the marketing department.

[SwitchA] acl number 3001

[SwitchA-acl-adv-3001] rule permit tcp destination-port eq 80 source 192.168.2.0 0.0.0.255

[SwitchA-acl-adv-3001] quit

# Create traffic class mkt_http and use IPv4 ACL 3001 as its match criterion.

[SwitchA] traffic classifier mkt_http

[SwitchA-classifier-mkt_http] if-match acl 3001

[SwitchA-classifier-mkt_http] quit

# Create traffic behavior mkt_http with a traffic policing action and a CIR of 2048.

[SwitchA] traffic behavior mkt_http

[SwitchA-behavior-mkt_http] car cir 2048

[SwitchA-behavior-mkt_http] quit

(3)     Configure the traffic class and traffic behavior that limit IP voice traffic

# Create basic IPv4 ACL 2000 to match packets sent by the IP phones.

[SwitchA] acl number 2000

[SwitchA-acl-basic-2000] rule permit source 192.168.3.0 0.0.0.255

[SwitchA-acl-basic-2000] quit

# Create traffic class ip_voice and use IPv4 ACL 2000 as its match criterion.

[SwitchA] traffic classifier ip_voice

[SwitchA-classifier-ip_voice] if-match acl 2000

[SwitchA-classifier-ip_voice] quit

# Create traffic behavior ip_voice with a traffic policing action, a CIR of 640 Kbps, and a PIR of 800 Kbps.

[SwitchA] traffic behavior ip_voice

[SwitchA-behavior-ip_voice] car cir 640 pir 800  

[SwitchA-behavior-ip_voice] quit

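(4)     Configure the traffic class and traffic behavior that limit outgoing e-mail traffic

# Create advanced IPv4 ACL 3002 to match the data that the mail server sends when delivering mail outward.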

[SwitchA] acl number 3002

[SwitchA-acl-adv-3002] rule permit tcp destination-port eq smtp source 192.168.10.1 0.0.0.0

[SwitchA-acl-adv-3002] quit

# Create traffic class email and use IPv4 ACL 3002 as its match criterion.

[SwitchA] traffic classifier email

[SwitchA-classifier-email] if-match acl 3002

[SwitchA-classifier-email] quit

# Create traffic behavior email with a traffic policing action and a CIR of 512 Kbps.

[SwitchA] traffic behavior email

[SwitchA-behavior-email] car cir 512

[SwitchA-behavior-email] quit

(5)     Limit FTP traffic from the internal network

# Create basic IPv4 ACL 2001 to match packets sent by the FTP server.

[SwitchA] acl number 2001

[SwitchA-acl-basic-2001] rule permit source 192.168.10.2 0.0.0.0

[SwitchA-acl-basic-2001] quit

# Create traffic class ftp and use IPv4 ACL 2001 as its match criterion.

[SwitchA] traffic classifier ftp

[SwitchA-classifier-ftp] if-match acl 2001

[SwitchA-classifier-ftp] quit

# Create traffic behavior ftp with a traffic policing action and a CIR of 1024 Kbps.

[SwitchA] traffic behavior ftp

[SwitchA-behavior-ftp] car cir 1024

[SwitchA-behavior-ftp] quit

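(6)     Create the QoS policies and apply them to the corresponding ports

# Create QoS policy http&voice, and pair the traffic classes and traffic behaviors that limit each department's Internet traffic and the IP voice traffic.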

[SwitchA] qos policy http&voice

[SwitchA-qospolicy-http&voice] classifier rd_http behavior rd_http

[SwitchA-qospolicy-http&voice] classifier mkt_http behavior mkt_http

[SwitchA-qospolicy-http&voice] classifier ip_voice behavior ip_voice

[SwitchA-qospolicy-http&voice] quit

# Apply the policy to the inbound direction of port Ten-GigabitEthernet1/0/2.

[SwitchA] interface ten-gigabitethernet 1/0/2

[SwitchA-Ten-GigabitEthernet1/0/2] qos apply policy http&voice inbound

[SwitchA-Ten-GigabitEthernet1/0/2] quit

# Create QoS policy email&ftp, and pair the traffic classes and traffic behaviors that limit outgoing e-mail traffic and FTP traffic.

[SwitchA] qos policy email&ftp

[SwitchA-qospolicy-email&ftp] classifier email behavior email

[SwitchA-qospolicy-email&ftp] classifier ftp behavior ftp

[SwitchA-qospolicy-email&ftp] quit

# Apply the policy to the inbound direction of port Ten-GigabitEthernet1/0/3.

[SwitchA] interface ten-gigabitethernet 1/0/3

[SwitchA-Ten-GigabitEthernet1/0/3] qos apply policy email&ftp inbound

[SwitchA-Ten-GigabitEthernet1/0/3] quit

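2. Configuration on Switch B

(1)     Configure ports and VLANs

NOTE

·     This example assumes that the IP phones can send voice packets that carry VLAN tags. For how IP phones obtain VLAN information, see the Voice VLAN part of the configuration guide for this product.

·     If automatic-mode Voice VLAN is configured on the switch to which the IP phones connect, VLAN 30 does not need to be permitted on the access ports. For information about Voice VLAN, see the configuration guide for this product.

# Configure all ports that connect hosts and IP phones as trunk ports, set the default VLAN to VLAN 20, permit VLAN 20 and VLAN 30, and remove VLAN 1 from the permitted VLANs. Entering interface range view and binding all the ports makes the configuration quicker.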

<SwitchB> system-view

[SwitchB] interface range name group interface ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/40

[SwitchB-if-range-group] port link-type trunk

[SwitchB-if-range-group] port trunk pvid vlan 20

[SwitchB-if-range-group] port trunk permit vlan 20 30

[SwitchB-if-range-group] undo port trunk permit vlan 1

[SwitchB-if-range-group] quit

# Configure port Ten-GigabitEthernet1/0/41 as a trunk port, permit VLAN 10 and VLAN 30, and remove VLAN 1 from the permitted VLANs.

[SwitchB] interface ten-gigabitethernet 1/0/41

[SwitchB-Ten-GigabitEthernet1/0/41] port link-type trunk

[SwitchB-Ten-GigabitEthernet1/0/41] port trunk permit vlan 10 30

[SwitchB-Ten-GigabitEthernet1/0/41] undo port trunk permit vlan 1

[SwitchB-Ten-GigabitEthernet1/0/41] quit

# Configure port Ten-GigabitEthernet1/0/42 as a trunk port, permit VLAN 10, VLAN 20, and VLAN 30, and remove VLAN 1 from the permitted VLANs.

[SwitchB] interface ten-gigabitethernet 1/0/42

[SwitchB-Ten-GigabitEthernet1/0/42] port link-type trunk

[SwitchB-Ten-GigabitEthernet1/0/42] port trunk permit vlan 10 20 30

[SwitchB-Ten-GigabitEthernet1/0/42] undo port trunk permit vlan 1

[SwitchB-Ten-GigabitEthernet1/0/42] quit

(2)     Configure traffic policing

# Create advanced IPv4 ACL 3000 to match upstream HTTP traffic from the marketing department's subnet.

[SwitchB] acl number 3000

[SwitchB-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.2.0 0.0.0.255

[SwitchB-acl-adv-3000] quit

# Create traffic class mkt and use IPv4 ACL 3000 as its match criterion.

[SwitchB] traffic classifier mkt

[SwitchB-classifier-mkt] if-match acl 3000

[SwitchB-classifier-mkt] quit

# Create traffic behavior mkt with a traffic policing action and a CIR of 256 Kbps.

[SwitchB] traffic behavior mkt

[SwitchB-behavior-mkt] car cir 256

[SwitchB-behavior-mkt] quit

# Create QoS policy mkt and pair the traffic class and traffic behavior above.

[SwitchB] qos policy mkt

[SwitchB-qospolicy-mkt] classifier mkt behavior mkt

[SwitchB-qospolicy-mkt] quit

# Apply QoS policy mkt to the inbound direction of port group 1.

[SwitchB] interface range name group

[SwitchB-if-range-group] qos apply policy mkt inbound

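3. Configuration on Switch C

(1)     Configure ports and VLANs

# Configure all ports that connect hosts and IP phones as trunk ports, set the default VLAN to VLAN 10, permit VLAN 10 and VLAN 30, and remove VLAN 1 from the permitted VLANs. Entering interface range view and binding all downlink ports makes the configuration quicker.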

<SwitchC> system-view

[SwitchC] interface range name group interface ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/25

[SwitchC-if-range-group] port link-type trunk

[SwitchC-if-range-group] port trunk pvid vlan 10

[SwitchC-if-range-group] port trunk permit vlan 10 30

[SwitchC-if-range-group] undo port trunk permit vlan 1

[SwitchC-if-range-group] quit

# Configure port Ten-GigabitEthernet1/0/30 as a trunk port, permit VLAN 10 and VLAN 30, and remove VLAN 1 from the permitted VLANs.

[SwitchC] interface ten-gigabitethernet 1/0/30

[SwitchC-Ten-GigabitEthernet1/0/30] port link-type trunk

[SwitchC-Ten-GigabitEthernet1/0/30] port trunk permit vlan 10 30

[SwitchC-Ten-GigabitEthernet1/0/30] undo port trunk permit vlan 1

[SwitchC-Ten-GigabitEthernet1/0/30] quit

(2)     Configure traffic policing

# Create advanced IPv4 ACL 3000 to match upstream HTTP traffic from the R&D department's subnet.

[SwitchC] acl number 3000

[SwitchC-acl-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255

[SwitchC-acl-adv-3000] quit

# Create traffic class rd and use IPv4 ACL 3000 as its match criterion.

[SwitchC] traffic classifier rd

[SwitchC-classifier-rd] if-match acl 3000

[SwitchC-classifier-rd] quit

# Create traffic behavior rd with a traffic policing action and a CIR of 128 Kbps.

[SwitchC] traffic behavior rd

[SwitchC-behavior-rd] car cir 128

[SwitchC-behavior-rd] quit

# Create QoS policy rd and pair the traffic class and traffic behavior above.

[SwitchC] qos policy rd

[SwitchC-qospolicy-rd] classifier rd behavior rd

[SwitchC-qospolicy-rd] quit

# Apply QoS policy rd to the inbound direction of port group 1.

[SwitchC] interface range name group

[SwitchC-if-range-group] qos apply policy rd inbound

1.2.6  Configuration files

·     Configuration file of SwitchA:

#

vlan 100                                                                       

#

acl number 2000

 rule 0 permit source 192.168.3.0 0.0.0.255

acl number 2001

 rule 0 permit source 192.168.10.2 0

#

acl number 3000

 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www

acl number 3001

 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

acl number 3002

 rule 0 permit tcp source 192.168.10.1 0 destination-port eq smtp

#

traffic classifier email operator and

 if-match acl 3002

traffic classifier ip_voice operator and

 if-match acl 2000

traffic classifier ftp operator and

 if-match acl 2001

traffic classifier rd_http operator and

 if-match acl 3000

traffic classifier mkt_http operator and

 if-match acl 3001                         

#

traffic behavior email

 car cir 512 cbs 32256 ebs 512 green pass red discard yellow pass

traffic behavior ip_voice

 car cir 640 cbs 40448 ebs 512 pir 800 green pass red discard yellow pass 

traffic behavior ftp

 car cir 1024 cbs 64000 ebs 512 green pass red discard yellow pass

traffic behavior rd_http

 car cir 1024 cbs 64000 ebs 512 green pass red discard yellow pass

traffic behavior mkt_http

 car cir 2048 cbs 128000 ebs 512 green pass red discard yellow pass

#

qos policy email&ftp

 classifier email behavior email

 classifier ftp behavior ftp

qos policy http&voice

 classifier rd_http behavior rd_http

 classifier mkt_http behavior mkt_http

 classifier ip_voice behavior ip_voice  

#                                                                               

interface Ten-GigabitEthernet1/0/1                                                 

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 20 30 100                                                  

#

interface Ten-GigabitEthernet1/0/2

 port link-type trunk                                                           

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 20 30                                                 

 qos apply policy http&voice inbound

#

interface Ten-GigabitEthernet1/0/3

 port access vlan 100

 qos apply policy email&ftp inbound  

·     Configuration file of SwitchB:

#                                                                              

 interface range name group interface Ten-GigabitEthernet1/0/1 to Ten-GigabitEthernet1/0/40                                                                    

#

acl number 3000

 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www     

#

traffic classifier mkt operator and

 if-match acl 3000

#

traffic behavior mkt

 car cir 256 cbs 16384 ebs 512 green pass red discard yellow pass   

#

qos policy mkt

 classifier mkt behavior mkt 

#

interface Ten-GigabitEthernet1/0/1

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 20 30                                                  

 port trunk pvid vlan 20

 qos apply policy mkt inbound 

#

interface Ten-GigabitEthernet1/0/2

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 20 30                                                  

 port trunk pvid vlan 20

 qos apply policy mkt inbound 

#

interface Ten-GigabitEthernet1/0/3

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 20 30                                                  

 port trunk pvid vlan 20

 qos apply policy mkt inbound 

(… through Ten-GigabitEthernet1/0/40 omitted)

#

interface Ten-GigabitEthernet1/0/41

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 30                                                 

#

interface Ten-GigabitEthernet1/0/42

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 20 30                                                 

·     Configuration file of SwitchC:

#                                                                              

 interface range name group interface Ten-GigabitEthernet1/0/1 to Ten-GigabitEthernet1/0/25                                                                    

#

acl number 3000

 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www     

#

traffic classifier rd operator and

 if-match acl 3000

#

traffic behavior rd

 car cir 128 cbs 8192 ebs 512 green pass red discard yellow pass   

#

qos policy rd

 classifier rd behavior rd 

#

interface Ten-GigabitEthernet1/0/1

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 30                                                  

 port trunk pvid vlan 10

 qos apply policy rd inbound 

#

interface Ten-GigabitEthernet1/0/2

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 30                                                  

 port trunk pvid vlan 10

 qos apply policy rd inbound 

#

interface Ten-GigabitEthernet1/0/3

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 30                                                  

 port trunk pvid vlan 10

 qos apply policy rd inbound 

(… through Ten-GigabitEthernet1/0/25 omitted)

#

interface Ten-GigabitEthernet1/0/30

 port link-type trunk                                                          

 undo port trunk permit vlan 1                                                 

 port trunk permit vlan 10 30                                                   

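1.3  Configuration example: VLAN-based bandwidth allocation

1.3.1  Applicable products and versions

Table 2 Products and software/hardware versions to which this configuration applies

Product                                       Software version

S5830V2 & S5820V2 series Ethernet switches    Release 2208P01, Release 2210

1.3.2  Network requirements

Figure 2 Network diagram for VLAN-based bandwidth allocation

As shown in Figure 2, the company's branch offices send data upstream through switches to SwitchA, and SwitchA then transmits the data to the company backbone network over a leased line.

Within each branch office, VLANs identify the different service data. One-to-one VLAN mapping is configured on ports Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 of Switch A to remap the service VLANs as shown in the figure, so as to meet the transmission policy requirements of the backbone network.

Based on the link bandwidth, traffic policing is required to allocate bandwidth to the different service types as follows:

·     On the links that connect Switch A to branch A and branch B, limit the rate of each service's data sent upstream to Switch A as follows: 400 Mbps for VLAN 1001, 200 Mbps for VLAN 1002, and 200 Mbps for VLAN 1003. Limit the service data in the downstream direction of Switch A to the same values.

·     On the link that connects Switch A to branch C, limit the rate of each service's data sent upstream to Switch A as follows: 400 Mbps for VLAN 201, 200 Mbps for VLAN 202, and 200 Mbps for VLAN 203. Limit the service data in the downstream direction of Switch A to the same values.

·     On the link that connects Switch A to the company backbone network, limit each service's data sent upstream to the backbone as follows: 100 Mbps for VLAN 201, 60 Mbps for VLAN 202, and 40 Mbps for VLAN 203. Limit the data in the downstream direction to the same values.

1.3.3  Configuration approach

To implement VLAN-based bandwidth allocation, define the match criterion of the traffic class in the QoS policy to match the specified VLAN, create a traffic behavior whose action is traffic policing, and pair the two. By creating several such pairs and applying the corresponding QoS policies, data in different VLANs can be limited to different rates, which achieves the bandwidth allocation.

What is special about this example is the VLAN mapping configuration. VLAN mapping itself is also implemented through class-behavior pairs. In a QoS policy, pairs take effect in the order in which they are configured: once a packet matches a pair, the traffic behavior of that pair is executed directly and matching does not continue. Therefore, pay attention to the order of the VLAN mapping pairs and the traffic policing pairs.

1.3.4  Configuration notes

·     After a QoS policy is applied to a port, the enabling state of QinQ on the port can no longer be changed. Therefore, in this example QinQ must be enabled on the port before the QoS policy is applied.

·     In a traffic behavior, the traffic policing action cannot be configured together with a priority re-marking action (including local precedence, drop precedence, 802.1p priority, DSCP, and IP precedence). Otherwise, the QoS policy cannot be applied correctly.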
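An added example, not part of the H3C document: a Python audit of a saved configuration for the pitfalls named in the configuration approach and notes above, namely CAR combined with a priority re-mark in one traffic behavior, a VLAN-mapping pair listed after a CAR pair in a policy (the reverse of the order this page's policies use), and references to undefined classes or behaviors, plus the summed CIR of a policy. The priority keyword spellings, the finding names, and the BAD sample are assumptions made for illustration; GOOD is abridged from this page's downlink_in policy.

```python
import re

# Priority re-marks that must not share a behavior with CAR (per the notes above).
# Keyword spellings are assumed from Comware's "remark" commands; adjust per release.
PRIORITY_REMARKS = {"dot1p", "dscp", "ip-precedence", "local-precedence", "drop-precedence"}
HEADER = re.compile(r"(traffic classifier|traffic behavior|qos policy)\s+(\S+)")

def parse_config(text):
    """Group each block's indented lines under its header, keyed by kind and name."""
    cfg = {"traffic classifier": {}, "traffic behavior": {}, "qos policy": {}}
    body = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace():          # indented line: belongs to the open block, if any
            if body is not None:
                body.append(line)
            continue
        m = HEADER.match(line)        # other top-level commands (acl, vlan, ...) close the block
        body = cfg[m.group(1)].setdefault(m.group(2), []) if m else None
    return cfg

def pairs(cfg, policy):
    """Return the (classifier, behavior) pairs of a policy in configuration order."""
    lines = cfg["qos policy"].get(policy, [])
    found = (re.match(r"classifier (\S+) behavior (\S+)", line) for line in lines)
    return [m.groups() for m in found if m]

def is_car(acts):
    return any(a.startswith("car ") for a in acts)

def audit(cfg):
    """Return (rule, object, detail) findings for the checks named in the lead-in."""
    findings = []
    for name, acts in cfg["traffic behavior"].items():
        remarks = {a.split()[1] for a in acts if a.startswith("remark ")}
        clash = sorted(remarks & PRIORITY_REMARKS)
        if clash and is_car(acts):
            findings.append(("car-with-priority-remark", name, ",".join(clash)))
    for policy in cfg["qos policy"]:
        car_seen = False
        for cls, beh in pairs(cfg, policy):
            if cls not in cfg["traffic classifier"] or beh not in cfg["traffic behavior"]:
                findings.append(("undefined-reference", policy, f"{cls}/{beh}"))
                continue
            acts = cfg["traffic behavior"][beh]
            # A VLAN-mapping pair listed after a CAR pair reverses the map-then-police order.
            if car_seen and any(re.match(r"remark (service|customer)-vlan-id ", a) for a in acts):
                findings.append(("vlan-mapping-after-car", policy, cls))
            car_seen = car_seen or is_car(acts)
    return findings

def committed_kbps(cfg, policy):
    """Sum the CIR values (Kbps) of the CAR behaviors a policy references."""
    rates = (re.match(r"car cir (\d+)", a)
             for _, beh in pairs(cfg, policy) for a in cfg["traffic behavior"].get(beh, []))
    return sum(int(m.group(1)) for m in rates if m)

# Abridged from this page's downlink_in policy (VLAN 1001/201 only).
GOOD = """\
traffic classifier 1001_to_201 operator and
 if-match customer-vlan-id 1001
traffic classifier 201_to_1001 operator and
 if-match service-vlan-id 201
traffic behavior 1001_to_201
 remark service-vlan-id 201
traffic behavior car_vlan201_downlink
 car cir 400000 cbs 25000448 ebs 512 green pass red discard yellow pass
qos policy downlink_in
 classifier 1001_to_201 behavior 1001_to_201
 classifier 201_to_1001 behavior car_vlan201_downlink
"""

# Constructed input that violates each check once (names are hypothetical).
BAD = """\
traffic classifier c1 operator and
 if-match customer-vlan-id 1001
traffic classifier c2 operator and
 if-match service-vlan-id 201
traffic behavior map
 remark service-vlan-id 201
traffic behavior police
 car cir 400000
 remark dscp 46
qos policy broken
 classifier c2 behavior police
 classifier c1 behavior map
 classifier c3 behavior police
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        cfg = parse_config(text)
        print(label, audit(cfg), {p: committed_kbps(cfg, p) for p in cfg["qos policy"]})
```

Comparing `committed_kbps` for each applied policy with the bandwidth of the link behind the port shows whether the configured CIRs fit the allocation in the network requirements.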

1.3.5  Configuration procedure

1. Bandwidth allocation for the part without VLAN mapping

# Create traffic class vlan201 with a match criterion of service-vlan-id 201.

<SwitchA> system-view

[SwitchA] traffic classifier vlan201

[SwitchA-classifier-vlan201] if-match service-vlan-id 201

[SwitchA-classifier-vlan201] quit

# Follow the same steps to create traffic classes vlan202 and vlan203, which match service-vlan-id 202 and 203, respectively.

[SwitchA] traffic classifier vlan202

[SwitchA-classifier-vlan202] if-match service-vlan-id 202

[SwitchA-classifier-vlan202] quit

[SwitchA] traffic classifier vlan203

[SwitchA-classifier-vlan203] if-match service-vlan-id 203

[SwitchA-classifier-vlan203] quit

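# Create traffic behavior car_vlan201_downlink and configure a traffic policing action with a CIR of 400000 Kbps. This action is used on Switch A to limit the rate of VLAN 201 data sent upstream by branch C.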

[SwitchA] traffic behavior car_vlan201_downlink

[SwitchA-behavior-car_vlan201_downlink] car cir 400000

[SwitchA-behavior-car_vlan201_downlink] quit

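# Follow the same steps to create traffic behaviors car_vlan202_downlink and car_vlan203_downlink and configure the corresponding traffic policing actions, each with a CIR of 200000 Kbps.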

[SwitchA] traffic behavior car_vlan202_downlink

[SwitchA-behavior-car_vlan202_downlink] car cir 200000

[SwitchA-behavior-car_vlan202_downlink] quit

[SwitchA] traffic behavior car_vlan203_downlink

[SwitchA-behavior-car_vlan203_downlink] car cir 200000

[SwitchA-behavior-car_vlan203_downlink] quit

# Create QoS policy downlink_in_c and pair the three sets of traffic classes and traffic behaviors above.

[SwitchA] qos policy downlink_in_c

[SwitchA-qospolicy-downlink_in_c] classifier vlan201 behavior car_vlan201_downlink

[SwitchA-qospolicy-downlink_in_c] classifier vlan202 behavior car_vlan202_downlink

[SwitchA-qospolicy-downlink_in_c] classifier vlan203 behavior car_vlan203_downlink

[SwitchA-qospolicy-downlink_in_c] quit

# Apply QoS policy downlink_in_c to the inbound direction of port Ten-GigabitEthernet1/0/3, which rate-limits the upstream data of VLAN 201, VLAN 202, and VLAN 203 from branch C.

[SwitchA] interface ten-gigabitethernet 1/0/3

[SwitchA-Ten-GigabitEthernet1/0/3] qos apply policy downlink_in_c inbound

# Apply the policy to the outbound direction of port Ten-GigabitEthernet1/0/3, which rate-limits each VLAN's data in the downstream direction.

[SwitchA-Ten-GigabitEthernet1/0/3] qos apply policy downlink_in_c outbound

# Configure ports Ten-GigabitEthernet1/0/3 and Ten-GigabitEthernet1/0/10 as trunk ports, permit VLAN 201, VLAN 202, and VLAN 203, and remove VLAN 1 from the permitted VLANs.

[SwitchA-Ten-GigabitEthernet1/0/3] port link-type trunk

[SwitchA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 201 to 203

[SwitchA-Ten-GigabitEthernet1/0/3] undo port trunk permit vlan 1

[SwitchA-Ten-GigabitEthernet1/0/3] quit

[SwitchA] interface ten-gigabitethernet 1/0/10

[SwitchA-Ten-GigabitEthernet1/0/10] port link-type trunk

[SwitchA-Ten-GigabitEthernet1/0/10] port trunk permit vlan 201 to 203

[SwitchA-Ten-GigabitEthernet1/0/10] undo port trunk permit vlan 1

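2. Bandwidth allocation for the part with VLAN mapping

(1)     Configure the port-to-VLAN relationships

# Configure ports Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 as trunk ports, permit VLAN 1001, VLAN 1002, and VLAN 1003 as well as VLAN 201, VLAN 202, and VLAN 203, and remove VLAN 1 from the permitted VLANs. Also enable basic QinQ on both ports, which is used to implement VLAN mapping.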

[SwitchA] interface ten-gigabitethernet 1/0/1

[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk

[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 1001 to 1003 201 to 203

[SwitchA-Ten-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[SwitchA-Ten-GigabitEthernet1/0/1] qinq enable

[SwitchA-Ten-GigabitEthernet1/0/1] quit

[SwitchA] interface ten-gigabitethernet 1/0/2

[SwitchA-Ten-GigabitEthernet1/0/2] port link-type trunk

[SwitchA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 1001 to 1003 201 to 203

[SwitchA-Ten-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[SwitchA-Ten-GigabitEthernet1/0/2] qinq enable

[SwitchA-Ten-GigabitEthernet1/0/2] quit

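(2)     Configure the traffic classes and traffic behaviors for VLAN mapping of upstream traffic

# Create traffic class 1001_to_201 for the QoS policy that maps VLAN 1001 to VLAN 201, with a match criterion of customer-vlan-id 1001.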

[SwitchA] traffic classifier 1001_to_201

[SwitchA-classifier-1001_to_201] if-match customer-vlan-id 1001

[SwitchA-classifier-1001_to_201] quit

# Create traffic behavior 1001_to_201 with an action that re-marks service-vlan-id as 201.

[SwitchA] traffic behavior 1001_to_201

[SwitchA-behavior-1001_to_201] remark service-vlan-id 201

[SwitchA-behavior-1001_to_201] quit

# In the same way, create traffic classes 1002_to_202 and 1003_to_203 and traffic behaviors 1002_to_202 and 1003_to_203, which map VLAN 1002 to VLAN 202 and VLAN 1003 to VLAN 203.

[SwitchA] traffic classifier 1002_to_202

[SwitchA-classifier-1002_to_202] if-match customer-vlan-id 1002

[SwitchA-classifier-1002_to_202] quit

[SwitchA] traffic behavior 1002_to_202

[SwitchA-behavior-1002_to_202] remark service-vlan-id 202

[SwitchA-behavior-1002_to_202] quit

[SwitchA] traffic classifier 1003_to_203

[SwitchA-classifier-1003_to_203] if-match customer-vlan-id 1003

[SwitchA-classifier-1003_to_203] quit

[SwitchA] traffic behavior 1003_to_203

[SwitchA-behavior-1003_to_203] remark service-vlan-id 203

[SwitchA-behavior-1003_to_203] quit

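(3)     Configure the traffic classes and traffic behaviors for VLAN mapping of downstream traffic

# Create traffic class 201_to_1001 for the QoS policy that maps VLAN 201 to VLAN 1001, with a match criterion of service-vlan-id 201.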

[SwitchA] traffic classifier 201_to_1001

[SwitchA-classifier-201_to_1001] if-match service-vlan-id 201

[SwitchA-classifier-201_to_1001] quit

# Create traffic behavior 201_to_1001 with an action that re-marks customer-vlan-id as 1001.

[SwitchA] traffic behavior 201_to_1001

[SwitchA-behavior-201_to_1001] remark customer-vlan-id 1001

[SwitchA-behavior-201_to_1001] quit

# In the same way, create traffic classes 202_to_1002 and 203_to_1003 and traffic behaviors 202_to_1002 and 203_to_1003, which map VLAN 202 to VLAN 1002 and VLAN 203 to VLAN 1003.

[SwitchA] traffic classifier 202_to_1002

[SwitchA-classifier-202_to_1002] if-match service-vlan-id 202

[SwitchA-classifier-202_to_1002] quit

[SwitchA] traffic behavior 202_to_1002

[SwitchA-behavior-202_to_1002] remark customer-vlan-id 1002

[SwitchA-behavior-202_to_1002] quit

[SwitchA] traffic classifier 203_to_1003

[SwitchA-classifier-203_to_1003] if-match service-vlan-id 203

[SwitchA-classifier-203_to_1003] quit

[SwitchA] traffic behavior 203_to_1003

[SwitchA-behavior-203_to_1003] remark customer-vlan-id 1003

[SwitchA-behavior-203_to_1003] quit

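(4)     Configure the traffic classes and traffic behaviors that rate-limit upstream traffic from the branches

According to the analysis in the configuration approach, the traffic classification rule for rate-limiting upstream traffic from the branches matches the re-marked VLAN, so traffic classes 201_to_1001, 202_to_1002, and 203_to_1003 can be used directly.

For the traffic behaviors that rate-limit upstream traffic, the behaviors car_vlan201_downlink, car_vlan202_downlink, and car_vlan203_downlink already configured in the part without VLAN mapping above can be used directly.

(5)     Configure the traffic classes and traffic behaviors that rate-limit downstream traffic sent to the branches

# Create traffic class vlan201_downlink, which matches service-vlan-id 1001 and is used to rate-limit downstream traffic to the branches.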

[SwitchA] traffic classifier vlan201_downlink

[SwitchA-classifier-vlan201_downlink] if-match service-vlan-id 1001

[SwitchA-classifier-vlan201_downlink] quit

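Note that when configuring a traffic class that rate-limits downstream traffic, the class must match the packet's service-vlan-id, but the VLAN value must be the VLAN after downstream re-marking, that is, VLAN 1001.

# Follow the same steps to create traffic classes vlan202_downlink and vlan203_downlink.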

[SwitchA] traffic classifier vlan202_downlink

[SwitchA-classifier-vlan202_downlink] if-match service-vlan-id 1002

[SwitchA-classifier-vlan202_downlink] quit

[SwitchA] traffic classifier vlan203_downlink

[SwitchA-classifier-vlan203_downlink] if-match service-vlan-id 1003

[SwitchA-classifier-vlan203_downlink] quit

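Because the rate limits for downstream traffic to the branches are the same as in the upstream direction, the traffic behaviors car_vlan201_downlink, car_vlan202_downlink, and car_vlan203_downlink can also be used directly.

(6)     Configure the traffic classes and traffic behaviors that rate-limit upstream traffic to the backbone network

The traffic classification rule for rate-limiting upstream traffic should match the re-marked VLAN, that is, service-vlan-id VLAN 201/202/203, so traffic classes 201_to_1001, 202_to_1002, and 203_to_1003 can be used directly.

# Create traffic behavior car_vlan201_uplink and configure a traffic policing action with a CIR of 100000 Kbps. This action is used on Switch A to limit the upstream rate of VLAN 201.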

[SwitchA] traffic behavior car_vlan201_uplink

[SwitchA-behavior-car_vlan201_uplink] car cir 100000

[SwitchA-behavior-car_vlan201_uplink] quit

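# Follow the same steps to create traffic behaviors car_vlan202_uplink and car_vlan203_uplink and configure the corresponding traffic policing actions: a CIR of 60000 Kbps for car_vlan202_uplink and a CIR of 40000 Kbps for car_vlan203_uplink.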

[SwitchA] traffic behavior car_vlan202_uplink

[SwitchA-behavior-car_vlan202_uplink] car cir 60000

[SwitchA-behavior-car_vlan202_uplink] quit

[SwitchA] traffic behavior car_vlan203_uplink

[SwitchA-behavior-car_vlan203_uplink] car cir 40000

[SwitchA-behavior-car_vlan203_uplink] quit

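(7)     Configure the traffic classes and traffic behaviors that rate-limit downstream traffic from the backbone network

The traffic classification rule for rate-limiting downstream traffic from the backbone network should match the re-marked VLAN, that is, service-vlan-id VLAN 201/202/203, so traffic classes 201_to_1001, 202_to_1002, and 203_to_1003 can be used directly.

Because the rate limits for downstream traffic from the backbone network are the same as in the upstream direction, the traffic behaviors car_vlan201_uplink, car_vlan202_uplink, and car_vlan203_uplink can also be used directly.

(8)     Configure and apply the QoS policies for the upstream direction

When processing packets sent upstream from the branches to the backbone network, the switch performs actions in the order shown in the following figure.

Figure 3 Packet processing flow in the upstream direction (VLAN 1001 as an example)

# Create QoS policy downlink_in. The policy contains, in order, the class-behavior pairs for VLAN mapping and the class-behavior pairs that police the re-marked VLANs.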

[SwitchA] qos policy downlink_in

[SwitchA-qospolicy-downlink_in] classifier 1001_to_201 behavior 1001_to_201

[SwitchA-qospolicy-downlink_in] classifier 1002_to_202 behavior 1002_to_202

[SwitchA-qospolicy-downlink_in] classifier 1003_to_203 behavior 1003_to_203

[SwitchA-qospolicy-downlink_in] classifier 201_to_1001 behavior car_vlan201_downlink

[SwitchA-qospolicy-downlink_in] classifier 202_to_1002 behavior car_vlan202_downlink

[SwitchA-qospolicy-downlink_in] classifier 203_to_1003 behavior car_vlan203_downlink

[SwitchA-qospolicy-downlink_in] quit

# Apply the policy to the inbound direction of ports Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2.

[SwitchA] interface ten-gigabitethernet 1/0/1

[SwitchA-Ten-GigabitEthernet1/0/1] qos apply policy downlink_in inbound

[SwitchA-Ten-GigabitEthernet1/0/1] quit

[SwitchA] interface ten-gigabitethernet 1/0/2

[SwitchA-Ten-GigabitEthernet1/0/2] qos apply policy downlink_in inbound

[SwitchA-Ten-GigabitEthernet1/0/2] quit

# Create QoS policy uplink_out, which contains the class-behavior pairs that rate-limit upstream traffic to the backbone network.

[SwitchA] qos policy uplink_out

[SwitchA-qospolicy-uplink_out] classifier 201_to_1001 behavior car_vlan201_uplink

[SwitchA-qospolicy-uplink_out] classifier 202_to_1002 behavior car_vlan202_uplink

[SwitchA-qospolicy-uplink_out] classifier 203_to_1003 behavior car_vlan203_uplink

[SwitchA-qospolicy-uplink_out] quit

# Apply the policy to the outbound direction of port Ten-GigabitEthernet1/0/10.

[SwitchA] interface ten-gigabitethernet 1/0/10

[SwitchA-Ten-GigabitEthernet1/0/10] qos apply policy uplink_out outbound

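(9)     Configure and apply the QoS policies for the downstream direction

When processing packets sent downstream from the backbone network to the branches, the switch performs actions in the order shown in the following figure.

Figure 4 Packet processing flow in the downstream direction (VLAN 1001 as an example)

# Create QoS policy uplink_in, which contains the class-behavior pairs that rate-limit downstream traffic from the backbone network.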

[SwitchA] qos policy uplink_in

[SwitchA-qospolicy-uplink_in] classifier 201_to_1001 behavior car_vlan201_uplink

[SwitchA-qospolicy-uplink_in] classifier 202_to_1002 behavior car_vlan202_uplink

[SwitchA-qospolicy-uplink_in] classifier 203_to_1003 behavior car_vlan203_uplink

[SwitchA-qospolicy-uplink_in] quit

# Apply the policy to the inbound direction of port Ten-GigabitEthernet1/0/10.

[SwitchA] interface ten-gigabitethernet 1/0/10

[SwitchA-Ten-GigabitEthernet1/0/10] qos apply policy uplink_in inbound

[SwitchA-Ten-GigabitEthernet1/0/10] quit

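# Create QoS policy downlink_out. The policy contains, in order, the class-behavior pairs for downstream VLAN mapping and the class-behavior pairs that rate-limit downstream traffic to the branches.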

[SwitchA] qos policy downlink_out

[SwitchA-qospolicy-downlink_out] classifier 201_to_1001 behavior 201_to_1001

[SwitchA-qospolicy-downlink_out] classifier 202_to_1002 behavior 202_to_1002

[SwitchA-qospolicy-downlink_out] classifier 203_to_1003 behavior 203_to_1003

[SwitchA-qospolicy-downlink_out] classifier vlan201_downlink behavior car_vlan201_downlink

[SwitchA-qospolicy-downlink_out] classifier vlan202_downlink behavior car_vlan202_downlink

[SwitchA-qospolicy-downlink_out] classifier vlan203_downlink behavior car_vlan203_downlink

[SwitchA-qospolicy-downlink_out] quit

# Apply the policy to the outbound direction of ports Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2.

[SwitchA] interface ten-gigabitethernet 1/0/1

[SwitchA-Ten-GigabitEthernet1/0/1] qos apply policy downlink_out outbound

[SwitchA-Ten-GigabitEthernet1/0/1] quit

[SwitchA] interface ten-gigabitethernet 1/0/2

[SwitchA-Ten-GigabitEthernet1/0/2] qos apply policy downlink_out outbound

[SwitchA-Ten-GigabitEthernet1/0/2] quit

1.3.6  Configuration files

#

traffic classifier vlan203_downlink operator and

 if-match service-vlan-id 1003

traffic classifier 1002_to_202 operator and

 if-match customer-vlan-id 1002

traffic classifier 201_to_1001 operator and

 if-match service-vlan-id 201

traffic classifier 1003_to_203 operator and

 if-match customer-vlan-id 1003

traffic classifier 203_to_1003 operator and

 if-match service-vlan-id 203

traffic classifier vlan201 operator and

 if-match service-vlan-id 201

traffic classifier vlan201_downlink operator and

 if-match service-vlan-id 1001

traffic classifier vlan202 operator and

 if-match service-vlan-id 202

traffic classifier vlan202_downlink operator and

 if-match service-vlan-id 1002

traffic classifier 202_to_1002 operator and

 if-match service-vlan-id 202

traffic classifier 1001_to_201 operator and

 if-match customer-vlan-id 1001

traffic classifier vlan203 operator and

 if-match service-vlan-id 203

#

traffic behavior car_vlan201_downlink

 car cir 400000 cbs 25000448 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan202_downlink

 car cir 200000 cbs 12500480 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan203_downlink

 car cir 200000 cbs 12500480 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan201_uplink

 car cir 100000 cbs 6250496 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan202_uplink

 car cir 60000 cbs 3750400 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan203_uplink

 car cir 40000 cbs 2500096 ebs 512 green pass red discard yellow pass

traffic behavior 1002_to_202

 remark service-vlan-id 202

traffic behavior 201_to_1001

 remark customer-vlan-id 1001

traffic behavior 1003_to_203

 remark service-vlan-id 203

traffic behavior 203_to_1003

 remark customer-vlan-id 1003

traffic behavior 202_to_1002

 remark customer-vlan-id 1002

traffic behavior 1001_to_201

 remark service-vlan-id 201

#

qos policy uplink_in

 classifier 201_to_1001 behavior car_vlan201_uplink

 classifier 202_to_1002 behavior car_vlan202_uplink

 classifier 203_to_1003 behavior car_vlan203_uplink

qos policy uplink_out

 classifier 201_to_1001 behavior car_vlan201_uplink

 classifier 202_to_1002 behavior car_vlan202_uplink

 classifier 203_to_1003 behavior car_vlan203_uplink

qos policy downlink_in

 classifier 1001_to_201 behavior 1001_to_201

 classifier 1002_to_202 behavior 1002_to_202

 classifier 1003_to_203 behavior 1003_to_203

 classifier 201_to_1001 behavior car_vlan201_downlink

 classifier 202_to_1002 behavior car_vlan202_downlink

 classifier 203_to_1003 behavior car_vlan203_downlink

qos policy downlink_in_c

 classifier vlan201 behavior car_vlan201_downlink

 classifier vlan202 behavior car_vlan202_downlink

 classifier vlan203 behavior car_vlan203_downlink

qos policy downlink_out

 classifier 201_to_1001 behavior 201_to_1001

 classifier 202_to_1002 behavior 202_to_1002

 classifier 203_to_1003 behavior 203_to_1003

 classifier vlan201_downlink behavior car_vlan201_downlink

 classifier vlan202_downlink behavior car_vlan202_downlink

 classifier vlan203_downlink behavior car_vlan203_downlink

#

interface Ten-GigabitEthernet1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203 1001 to 1003

 qinq enable

 qos apply policy downlink_in inbound

 qos apply policy downlink_out outbound

#

interface Ten-GigabitEthernet1/0/2

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203 1001 to 1003

 qinq enable

 qos apply policy downlink_in inbound

 qos apply policy downlink_out outbound

#

interface Ten-GigabitEthernet1/0/10

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203

 qos apply policy uplink_in inbound

 qos apply policy uplink_out outbound

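1.4  Configuration example: aggregate CAR

1.4.1  Applicable products and versions

Table 3 Products and software/hardware versions to which this configuration applies

Product                                       Software version

S5830V2 & S5820V2 series Ethernet switches    Release 2208P01, Release 2210

1.4.2  Network requirements

Figure 5 Network diagram for aggregate CAR configuration

As shown in Figure 5, configure aggregate CAR to limit the combined traffic of VLAN 10 and VLAN 100 packets received on port Ten-GigabitEthernet1/0/1 to a rate of 200M, and drop packets that exceed the limit.

1.4.3  Configuration notes

In a traffic behavior, the action that references an aggregate CAR cannot be configured together with a priority re-marking action (including local precedence, drop precedence, 802.1p priority, DSCP, and IP precedence). Otherwise, the QoS policy cannot be applied correctly.

1.4.4  Configuration procedure

NOTE

This example assumes that the access-layer devices have already added VLAN tags to the traffic of VLAN 10 and VLAN 100 and send it upstream to Device.

# Configure port Ten-GigabitEthernet1/0/1 as a trunk port, permit VLAN 10 and VLAN 100, and remove VLAN 1 from the permitted VLANs.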

<Device> system-view

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] port link-type trunk

[Device-Ten-GigabitEthernet1/0/1] port trunk permit vlan 10 100

[Device-Ten-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Device-Ten-GigabitEthernet1/0/1] quit

# Configure the aggregate CAR according to the traffic limit requirement.

[Device] qos car aggcar-1 aggregative cir 200000 red discard

# Configure a traffic class and a traffic behavior so that VLAN 10 packets use the aggregate CAR rate limit.

[Device] traffic classifier 1

[Device-classifier-1] if-match service-vlan-id 10

[Device-classifier-1] quit

[Device] traffic behavior 1

[Device-behavior-1] car name aggcar-1

[Device-behavior-1] quit

# Configure a traffic class and a traffic behavior so that VLAN 100 packets use the aggregate CAR rate limit.

[Device] traffic classifier 2

[Device-classifier-2] if-match service-vlan-id 100

[Device-classifier-2] quit

[Device] traffic behavior 2

[Device-behavior-2] car name aggcar-1

[Device-behavior-2] quit

# Configure QoS policy car and bind the traffic classes to the traffic behaviors.

[Device] qos policy car

[Device-qospolicy-car] classifier 1 behavior 1

[Device-qospolicy-car] classifier 2 behavior 2

[Device-qospolicy-car] quit

# Apply QoS policy car to the inbound direction of port Ten-GigabitEthernet1/0/1.

[Device] interface Ten-GigabitEthernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] qos apply policy car inbound

1.4.5  Configuration files

#                                                                              

 qos car aggcar-1 aggregative cir 200000 cbs 12500480 ebs 512 green pass yellow pass red discard

#

traffic classifier 1 operator and                                              

 if-match service-vlan-id 10 

traffic classifier 2 operator and                                              

 if-match service-vlan-id 100 

#

traffic behavior 1

 car name aggcar-1

traffic behavior 2

 car name aggcar-1

#

qos policy car

 classifier 1 behavior 1

 classifier 2 behavior 2

#

interface Ten-GigabitEthernet1/0/1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 10 100

 qos apply policy car inbound
