s series switches feature start-acl v1.0 d
Post on 02-Mar-2018
7/26/2019 S Series Switches Feature Start-ACL V1.0 D
S Series Switches
Feature Start - ACL
Issue 01
Date 2013-09-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
About This Document
Purpose
This document describes ACL features, including elementary knowledge, configuration guide, troubleshooting, troubleshooting cases, and FAQs.
The procedures and methods for troubleshooting ACL faults are also provided in this document.
Intended Audience
This document is intended for:
Technical support engineers
Maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level or medium level of risk which, if not avoided, could result in death or serious injury.
Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.
Indicates a potentially hazardous situation that, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
Provides a tip that may help you solve a problem or save time.
Provides additional information to emphasize or supplement important points in the main text.
Change History
Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.
Issue 01 (2013-09-30)
This is the initial official release.
Contents
About This Document
1 ACL Overview
1.1 Introduction to ACL
1.1.1 ACL Rules
1.1.2 ACL Classification
1.1.3 Matching Order of ACL Rules
1.1.4 Time Range of an ACL
1.2 Traffic Classifier
1.2.1 Simple Traffic Classification
1.2.2 Complex Traffic Classification
1.2.3 Logical Relationship between Traffic Classifier Rules
1.3 Traffic Behavior
1.4 Traffic Policy
1.5 Simplified ACL

TCP/UDP source port number or range
TCP/UDP destination port number or range
1.2.3 Logical Relationship between Traffic Classifier Rules
The logical relationship between traffic classifier rules can be OR or AND. The default relationship is OR on chassis switches and AND on box switches.
AND
Traffic classifier does not contain ACL rules.
All if-match clauses use the AND relationship. Packets match the traffic classifier only when they match all the if-match clauses.
Traffic classifier contains ACL rules.
The logical relationship is AND among all if-match clauses but OR among all ACL rules. Packets match the traffic classifier only when the packets match one ACL rule and all the if-match clauses.
For example, if a traffic classifier specifies the relationship among the following rules as AND:
if-match dmac 0-0-3
if-match smac 0-0-2
if-match acl 3000 (acl 3000 contains two rules: rule permit ip source 1.1.1.1 0 and rule 10 permit ip source 2.2.2.2 0)
Only packets that match the rules dmac 0-0-3, smac 0-0-2, and sip 1.1.1.1 or dmac 0-0-3, smac 0-0-2, and sip 2.2.2.2 can match the traffic classifier.
OR
A packet matches a traffic classifier as long as it matches one rule in the traffic classifier.
For example, if a traffic classifier specifies the relationship among the following rules as OR:
if-match dmac 0-0-3
if-match smac 0-0-2
if-match acl 3000 (acl 3000 contains two rules: rule permit ip source 1.1.1.1 0 and rule 10 permit ip source 2.2.2.2 0)
Packets match the traffic classifier as long as they match any one of the preceding if-match clauses.
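The AND and OR semantics above, modeled as an added example (not code from the original document or from Huawei). It evaluates the same three clauses under both operators and lists the packets that match only under OR, which is the set that changes when an identical classifier is moved between a chassis switch (default OR) and a box switch (default AND). The class, function names and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Clause = Tuple[str, str]          # (packet field, required value)
Packet = Dict[str, str]


@dataclass
class Classifier:
    """Hypothetical model of a traffic classifier as described in 1.2.3."""
    operator: str                                  # "and" or "or"
    if_match: List[Clause]                         # non-ACL if-match clauses
    acl_rules: List[Clause] = field(default_factory=list)  # rules of the referenced ACL

    def matches(self, pkt: Packet) -> bool:
        clause_hits = [pkt.get(k) == v for k, v in self.if_match]
        # ACL rules are always OR-ed with each other: one matching rule is enough.
        acl_hit = any(pkt.get(k) == v for k, v in self.acl_rules)
        if self.operator == "and":
            # Every if-match clause AND (one ACL rule, when an ACL is referenced).
            return all(clause_hits) and (acl_hit or not self.acl_rules)
        if self.operator == "or":
            # Any single clause or any single ACL rule is sufficient.
            return any(clause_hits) or acl_hit
        raise ValueError("operator must be 'and' or 'or'")


# The clauses from the example in the text.
IF_MATCH = [("dmac", "0-0-3"), ("smac", "0-0-2")]
ACL_3000 = [("sip", "1.1.1.1"), ("sip", "2.2.2.2")]

# Constructed sample packets.
PACKETS: Dict[str, Packet] = {
    "p1": {"dmac": "0-0-3", "smac": "0-0-2", "sip": "1.1.1.1"},
    "p2": {"dmac": "0-0-3", "smac": "0-0-2", "sip": "2.2.2.2"},
    "p3": {"dmac": "0-0-3", "smac": "0-0-9", "sip": "1.1.1.1"},  # wrong smac
    "p4": {"dmac": "0-0-3", "smac": "0-0-2", "sip": "3.3.3.3"},  # no ACL rule hit
    "p5": {"dmac": "0-0-8", "smac": "0-0-9", "sip": "3.3.3.3"},  # nothing matches
}


def evaluate(operator: str) -> List[bool]:
    """Match result for p1..p5 under the given operator."""
    c = Classifier(operator, IF_MATCH, ACL_3000)
    return [c.matches(PACKETS[name]) for name in sorted(PACKETS)]


def or_only() -> List[str]:
    """Packets that match under OR but not under AND."""
    c_and = Classifier("and", IF_MATCH, ACL_3000)
    c_or = Classifier("or", IF_MATCH, ACL_3000)
    return [n for n in sorted(PACKETS)
            if c_or.matches(PACKETS[n]) and not c_and.matches(PACKETS[n])]


if __name__ == "__main__":
    print("AND:", evaluate("and"))
    print("OR: ", evaluate("or"))
    print("match only under OR:", or_only())
```

If the classifier is bound to a deny or filtering behavior, the packets returned by or_only() are the ones whose treatment silently differs between the two defaults, so state the operator explicitly when reusing a configuration across models.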
1.3 Traffic Behavior
A traffic classifier must be associated with a traffic control action or a resource allocation action such as permit, deny, traffic policing, and re-marking so that the switch can provide differentiated services. These actions constitute a traffic behavior. A switch provides the following traffic behaviors based on complex traffic classification:
Permit/Deny
Re-marking
Redirection
Traffic policing
Flow mirroring
Security and traffic statistics
All traffic behaviors except for deny can be used together.
Permit/Deny
The permit/deny action is the simplest traffic control action, which allows the switch to control network traffic by forwarding or discarding packets.
Re-marking
This action sets the precedence field in a packet. Packets carry different priority fields on various networks. For example, packets carry the 802.1p field in a VLAN, the ToS field on an IP network, and the EXP field on an MPLS network. Therefore, a switch is required to mark priority fields of packets based on the network type. Generally, a switch at the network border re-marks priority fields of incoming packets. Switches within the network provide QoS services based on the re-marked priority fields, or re-mark the priority fields based on their own configurations.
Redirection
This action redirects packets to the CPU of a specified interface card, specified interface, next hop address, or Label Switched Path (LSP) but does not forward packets based on the original destination IP address. A switch supports multiple next hops. Policy-based routing (PBR) is implemented based on redirection. A PBR route is a static route. When the redirect-to next hop is unavailable, the switch forwards packets based on the original forwarding path.
Traffic policing
This traffic control action limits the traffic rate and the resources used by traffic. By using traffic policing, the switch can discard excess packets, re-mark the color or precedence, or take other QoS measures to control the traffic rate.
Traffic mirroring
This action copies the specified data packets to a specified destination to detect and troubleshoot faults on a network.
Traffic statistics
This action collects statistics on data packets of specified service flows, including the number of forwarded and discarded packets and bytes that match specified traffic classification rules. The traffic statistics action is not a QoS control measure but can be used with other actions to improve security of networks and packets.
1.4 Traffic Policy
Packets can be classified according to Layer 2 information, Layer 3 information, or ACLs. To provide differentiated services for service flows, you must bind a traffic classifier and a traffic behavior to a traffic policy and apply the traffic policy. After a traffic classifier and traffic behavior are created, they must be bound to a traffic policy and applied to a specific interface or VLAN, or applied globally to take effect.
After a traffic policy is applied, the system delivers ACLs to the chip. The delivering sequence or grouping of ACLs determines the order in which traffic policy rules are matched.
You can run the traffic policy policy-name [ match-order { auto | config } ] command on a switch to specify the matching order. If the matching order is set to auto, rules are matched based on priorities of traffic classifiers predefined on the system. The priority order is Layer 2 and Layer 3 information > Layer 2 information > Layer 3 information. If the matching order is set to config, rules are matched in the order in which traffic classifiers were configured. Switches that do not support the config mode use the auto matching order by default.
1.5 Simplified ACL
To make a traffic policy effective, you need to configure ACLs, traffic classifiers, and traffic behaviors, bind the traffic classifiers and traffic behaviors to the traffic policy, and apply it globally or to interfaces or VLANs. Box switches support simplified ACLs, which enable a simpler configuration process. You only need to configure an ACL and bind the ACL to simplified ACL commands such as traffic-filter to make it effective. Simplified ACL commands include traffic-filter, traffic-limit, traffic-mirror, traffic-redirect, traffic-remark, and traffic-statistics. The traffic-redirect command redirects packets to the specified interface, CPU, or next hop. The traffic-remark command re-marks the information including the 802.1p priority, DMAC, DSCP, IP precedence, local precedence, and VLANs.
Table 1 describes simplified ACL commands supported on different models.
Table 1 Support for simplified ACL commands
| Simplified ACL Command | 200 I | 22 I | 300SI | 300I | 300HI | 00 SI |
| traffic-filter | Supported | Supported | Supported | Supported | Supported | Supported |
| traffic-limit | Supported | Supported | Supported | Supported | Supported | Supported |
| traffic-mirror | Supported | Supported | Supported | Supported | Supported | Supported |
| traffic-redirect | Not supported | Supported | Supported | Supported | Supported | Does not support redirection to the next hop. |
| traffic-remark | Does not support re-marking of DMAC/CVLAN/IP precedence. | Does not support re-marking of CVLAN. | Does not support re-marking of CVLAN. | Does not support re-marking of CVLAN. | Supported | Does not support re-marking of DMAC/CVLAN. |
| traffic-statistics | Supported | Supported | Supported | Supported | Supported | Supported |

| Simplified ACL Command | 00S#I | 00#I | 10I | 10HI | 00I | 00 HI | 00 I |
| traffic-filter | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| traffic-limit | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| traffic-mirror | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
| traffic-redirect | Does not support redirection to the next hop. | Does not support redirection to the next hop. | Supported | Supported | Supported | Supported | Supported |
| traffic-remark | Does not support re-marking of DMAC/CVLAN. | Does not support re-marking of DMAC/CVLAN. | Supported | Supported | Supported | Supported | Supported |
| traffic-statistics | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
1.6 Reflective ACL
Users from a public network are denied access to a private network but sometimes are required to send data back to the private network after a user on the private network accesses the public network.
After a reflective ACL is configured, request packets initiated by an external network user cannot enter the internal network. When a user on the internal network sends a request packet to a user on the external network, a reflective ACL entry is generated on the interface according to the source IP address, destination IP address, and port number in the packet. Then the user on the external network can access the user on the internal network.
As shown in Figure 1.6.1.1.1.1.1, PC b on the external network cannot initially access PC a on the internal network. After PC a sends a packet with the source IP address IPa, source interface Porta, destination IP address IPb, and destination interface Portb to PC b, the switch with reflective ACL configured generates a reflective ACL rule that permits packets with the source IP address IPb, source interface Portb, destination IP address IPa, and destination interface Porta to pass through.
Figure 1.6.1.1.1.1.1 Reflective ACL
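The rule generation described above, modeled as an added example (not the switch's implementation and not code from the original document). It shows that the generated entry is the exact mirror of the outbound packet, so a reply from PC b is admitted while traffic from the same host on another port, or from another external host, is still dropped. The class names, addresses and ports are constructed for illustration.

```python
from typing import NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def mirror(self) -> "Flow":
        """Swap source and destination, as the reflective rule does."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ReflectiveAcl:
    """Hypothetical model of the entry table on the external-facing interface."""

    def __init__(self) -> None:
        self.entries: Set[Flow] = set()

    def see_outbound(self, flow: Flow) -> None:
        # Internal -> external packet: install the mirrored permit entry.
        self.entries.add(flow.mirror())

    def permits_inbound(self, flow: Flow) -> bool:
        # External -> internal packet: allowed only on an exact entry match.
        return flow in self.entries


def demo() -> Tuple[bool, bool, bool, bool]:
    acl = ReflectiveAcl()
    # Constructed values: PC a = 192.0.2.10:40000, PC b = 198.51.100.20:80.
    request = Flow("192.0.2.10", 40000, "198.51.100.20", 80)
    reply = request.mirror()

    before = acl.permits_inbound(reply)            # PC b cannot reach PC a yet
    acl.see_outbound(request)                      # PC a sends to PC b
    after = acl.permits_inbound(reply)             # mirrored flow now permitted
    other_port = acl.permits_inbound(reply._replace(src_port=8080))
    other_host = acl.permits_inbound(reply._replace(src_ip="198.51.100.99"))
    return before, after, other_port, other_host


if __name__ == "__main__":
    print(demo())
```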
2 Configuration Guide
2.1 Scenario 1: Configuring Priority Mapping
2.1.1 Networking Description
As shown in Figure 2.1.1.1.1.1.1, the switch connects to a router through GE2/0/1. Enterprise branches 1 and 2 access the network through the switch and router. Enterprise branch 1 belongs to VLAN 100 and enterprise branch 2 belongs to VLAN 200. Enterprise branch 1 requires better QoS guarantee. Priorities of packets from enterprise branches 1 and 2 are mapped to 4 and 2 respectively so that differentiated services are provided.
Figure 2.1.1.1.1.1.1 Networking diagram of priority mapping based on simple traffic classification
2.1.2 Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that enterprise branches 1 and 2 can connect to the network through the switch.
2. Create traffic classifiers to classify service flows from different VLANs and configure priority mapping as the traffic behavior.
3. Bind traffic policies to GE1/0/1 and GE1/0/2 on the switch respectively.
2.1.3 Configuration Example
Step 1 Create VLANs and configure interfaces.
# Create VLANs 100, 200, and 300.
<Switch> system-view
[Switch] vlan batch 100 200 300
# Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, add GE1/0/1 and GE1/0/2 to VLAN 100 and VLAN 200 respectively, and add GE2/0/1 to VLAN 100, VLAN 200, and VLAN 300.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet2/0/1] quit
Step 2 Configure traffic classifiers.
# Configure traffic classifiers c1, c2, and c3 on the switch to classify different service flows from the enterprise based on VLAN ID.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match vlan-id 100
[Switch-classifier-c1] quit
[Switch] traffic classifier c2
[Switch-classifier-c2] if-match vlan-id 200
[Switch-classifier-c2] quit
Step 3 Configure traffic behaviors.
# Configure traffic behaviors b1 and b2 on the switch to map priorities of different service flows.
[Switch] traffic behavior b1
[Switch-behavior-b1] remark 8021p 4
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] remark 8021p 2
[Switch-behavior-b2] quit
Step 4 Configure traffic policies.
# Configure traffic policies on the switch, bind the traffic behaviors and traffic classifiers to the traffic policies, and apply the traffic policies to GE1/0/1 and GE1/0/2.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] traffic policy p2
[Switch-trafficpolicy-p2] classifier c2 behavior b2
[Switch-trafficpolicy-p2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p2 inbound
[Switch-GigabitEthernet1/0/2] quit
Step 5 Verify the configuration.
# Check information about the applied traffic policies. The traffic policy p1 is used as an example.
[Switch] display traffic classifier user-defined c1
  User Defined Classifier Information:
   Classifier: c1
    Precedence: 10
    Operator: OR
    Rule(s) : if-match vlan-id 100
[Switch] display traffic behavior user-defined b1
  User Defined Behavior Information:
    Behavior: b1
      Remark:
        Remark 8021p 4
[Switch] display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: OR
     Behavior: b1
      Remark:
        Remark 8021p 4
[Switch] display traffic-policy applied-record p1
-------------------------------------------------
  Policy Name:   p1
  Policy Index:  1
     Classifier:c1     Behavior:b1
-------------------------------------------------
 *interface GigabitEthernet1/0/1
    traffic-policy p1 inbound
      slot 1    :  success
-------------------------------------------------
  Policy total applied times: 1.
[Switch]
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100 200 300
#
traffic classifier c1 operator or precedence 10
 if-match vlan-id 100
traffic classifier c2 operator or precedence 15
 if-match vlan-id 200
#
traffic behavior b1
 remark 8021p 4
traffic behavior b2
 remark 8021p 2
traffic behavior test
#
traffic policy p1
 classifier c1 behavior b1
traffic policy p2
 classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
 traffic-policy p2 inbound
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200 300
#
return
2.2 Scenario 2: Configuring Traffic Filtering
2.2.1 Networking Description
In Figure 2.2.1.1.1.1.1, the switch connects to users through GE1/0/1 and connects to a server through GE2/0/1. It is required that users connected to the switch do not communicate with each other and only communicate with the server.
Figure 2.2.1.1.1.1.1 Networking diagram of traffic filtering based on complex traffic classification
2.2.2 Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an ACL rule to match packets with the source IP address 192.168.0.1/24 and destination IP address 192.168.2.100.
2. Configure a traffic classifier to match the ACL.
3. Configure a traffic policy, bind the traffic classifier and traffic behavior to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1.
2.2.3 Configuration Example
Step 1 Configure an ACL.
# Configure advanced ACL 3000 on the switch to permit only packets with the source IP address 192.168.1.0/24 and destination IP address 192.168.2.100 and deny other IP packets.
[Switch] acl 3000
[Switch-acl-adv-3000] rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0
[Switch-acl-adv-3000] rule 2 deny ip
[Switch-acl-adv-3000] quit
Step 2 Configure a traffic classifier.
# Create a traffic classifier c1 on the switch to match ACL 3000.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit
Step 3 Configure a traffic behavior.
# Create a traffic behavior b1 on the switch and configure no action.
[Switch] traffic behavior b1
[Switch-behavior-b1] quit
Step 4 Configure a traffic policy and apply the traffic policy to the interface.
# Create a traffic policy p1 on the switch and bind the traffic classifier and traffic behavior to the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
# Apply the traffic policy p1 to GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] quit
Step 5 Verify the configuration.
# Check the traffic policy configuration.
<Switch> display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0
 rule 2 deny ip
<Switch> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c1
    Precedence: 10
    Operator: OR
    Rule(s) : if-match acl 3000
Total classifier number is 1
<Switch> display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: OR
     Behavior: b1
      -none-
<Switch> display traffic-policy applied-record
#
-------------------------------------------------
  Policy Name:   p1
  Policy Index:  1
     Classifier:c1     Behavior:b1
-------------------------------------------------
 *interface GigabitEthernet1/0/1
    traffic-policy p1 inbound
      slot 1    :  success
-------------------------------------------------
  Policy total applied times: 1.
#
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 20
#
acl number 3000
 rule 1 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.100 0
 rule 2 deny ip
#
traffic classifier c1 operator or precedence 5
 if-match acl 3000
#
traffic behavior b1
#
traffic policy p1
 classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
 traffic-policy p1 inbound
#
return
2.3 Scenario 3: Configuring Traffic Policing
After classifying traffic into different types, the switch limits the rate of traffic matching traffic classifier rules. Traffic policing discards excess traffic to limit traffic within a proper range and to protect network resources and carriers' interests.
2.3.1 Networking Description
As shown in Figure 2.3.1.1.1.1.1, the switch connects to the router through GE2/0/1; enterprise users can access the network through the switch and router. Enterprise voice services, video services, and data services belong to VLAN 120, VLAN 110, and VLAN 100 respectively. On the switch, traffic policing needs to be performed on packets of different services to limit traffic within a proper range and provide bandwidth guarantee for services.
Figure 2.3.1.1.1.1.1 Networking diagram of traffic policing based on complex traffic classification
2.3.2 Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces on the switch so that enterprise users can access the network.
2. Configure traffic classifiers on the switch to classify packets based on their VLAN IDs.
3. Create a traffic policy on the switch, bind traffic behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to the interface connecting enterprise users to the switch.
2.3.3 Configuration Example
Step 1 Create VLANs and configure interfaces.
# Create VLANs 100, 110, and 120 on the switch.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 110 120
# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100, VLAN 110, and VLAN 120.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet2/0/1] quit
Step 2 Configure traffic classifiers.
# Configure traffic classifiers c1, c2, and c3 on the switch to classify different service flows from the enterprise based on VLAN IDs.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match vlan-id 120
[Switch-classifier-c1] quit
[Switch] traffic classifier c2
[Switch-classifier-c2] if-match vlan-id 110
[Switch-classifier-c2] quit
[Switch] traffic classifier c3
[Switch-classifier-c3] if-match vlan-id 100
[Switch-classifier-c3] quit
Step 3 Configure traffic policing.
# Configure traffic behaviors b1, b2, and b3 on the switch to perform traffic policing on different service flows.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2000 pir 10000
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] car cir 4000 pir 10000
[Switch-behavior-b2] quit
[Switch] traffic behavior b3
[Switch-behavior-b3] car cir 4000 pir 10000
[Switch-behavior-b3] quit
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the switch, bind the traffic behaviors and traffic classifiers to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 to perform traffic policing and re-mark priorities on packets from the enterprise.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
Step 5 Verify the configuration.
# Check information about the traffic policy.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c2
    Precedence: 15
    Operator: OR
    Rule(s) : if-match vlan-id 110
   Classifier: c3
    Precedence: 20
    Operator: OR
    Rule(s) : if-match vlan-id 100
   Classifier: c1
    Precedence: 10
    Operator: OR
    Rule(s) : if-match vlan-id 120
Total classifier number is 3
[Switch] display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: b2
      Committed Access Rate:
        CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
    Behavior: b3
      Committed Access Rate:
        CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
    Behavior: b1
      Committed Access Rate:
        CIR 2000 (Kbps), PIR 10000 (Kbps), CBS 250000 (byte), PBS 1250000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
Total behavior number is 3
[Switch] display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: OR
     Behavior: b1
      Committed Access Rate:
        CIR 2000 (Kbps), PIR 10000 (Kbps), CBS 250000 (byte), PBS 1250000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
   Classifier: c2
    Operator: OR
     Behavior: b2
      Committed Access Rate:
        CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
   Classifier: c3
    Operator: OR
     Behavior: b3
      Committed Access Rate:
        CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
        Color Mode: color Blind
        Conform Action: pass
        Yellow Action: pass
        Exceed Action: discard
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator or precedence 10
 if-match vlan-id 120
traffic classifier c2 operator or precedence 15
 if-match vlan-id 110
traffic classifier c3 operator or precedence 20
 if-match vlan-id 100
#
traffic behavior b1
 car cir 2000 pir 10000 cbs 250000 pbs 1250000 mode color-blind green pass yellow pass red discard
traffic behavior b2
 car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
traffic behavior b3
 car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
#
traffic policy p1
 classifier c1 behavior b1
 classifier c2 behavior b2
 classifier c3 behavior b3
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 110 120
 traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 110 120
#
return
2.4 Scenario 4: Configuring QinQ
2.4.1 Networking Description
As shown in Figure 2.4.1.1.1.1.1, enterprise A has two offices and uses VLAN 10. The enterprise expects that some internal users in two offices can communicate through the carrier network.
Figure 2.4.1.1.1.1.1 Networking diagram of QinQ based on traffic classifiers
2.4.2 Configuration Roadmap
The configuration roadmap for configuring QinQ on SWITCH 1 is as follows:
1. Create VLANs and configure interfaces so that enterprise users can access the network through the switch.
2. Configure a traffic classifier on the switch to classify packets based on their IP addresses and configure a traffic behavior to add a VLAN tag.
3. Bind the traffic behavior and traffic classifier to a traffic policy and apply the traffic policy to the inbound direction of interfaces.
2.4.3 Configuration Example
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10 and VLAN 20.
<Switch> system-view
[Switch] vlan batch 10 20
# Configure GE1/0/1 and GE1/0/2 as hybrid interfaces and add GE1/0/1 to VLAN 10 and GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 20
[Switch-GigabitEthernet1/0/2] quit
Step 2 Configure a traffic classifier.
# Configure a traffic classifier c1 on the switch to add a VLAN tag to packets from 10.10.10.1/24.
[Switch] acl 3000
[Switch-acl-adv-3000] rule 1 permit ip source 10.10.10.1 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit
Step 3 Configure a traffic behavior.
# Create a traffic behavior b1 on the switch to add a tag to packets.
[Switch] traffic behavior b1
[Switch-behavior-b1] nest top-most vlan-id 20
[Switch-behavior-b1] quit
Step 4 Configure a traffic policy.
# Configure a traffic policy on the switch, bind the traffic behavior and traffic classifier to the traffic policy, and apply the traffic policy to GE1/0/1 and GE1/0/2.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
Step 5 Verify the configuration.
# Check information about the traffic policy.
[Switch] display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c1
    Precedence: 60
    Operator: OR
    Rule(s) : if-match acl 3000
Total classifier number is 1
[Switch] display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: b1
      Nest:
        Nest top-most vlanid 20
Total behavior number is 1
[Switch] display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: OR
     Behavior: b1
      Nest:
        Nest top-most vlanid 20
[Switch] display traffic-policy applied-record p1
-------------------------------------------------
  Policy Name:   p1
  Policy Index:  8
     Classifier:c1     Behavior:b1
-------------------------------------------------
 *interface GigabitEthernet1/0/1
    traffic-policy p1 inbound
      slot 1    :  success
#
return
2.5 Deployment Precautions
2.5.1 Check that Traffic Policies Configured on Chassis Switches Are Applied Successfully
Description: Chassis switches V100R002 generate configurations for traffic policies that fail
to be delivered. No info message is displayed to indicate that traffic policies fail to be
delivered. Users may mistakenly consider that these traffic policies are successfully applied.
Root cause: Chassis switches V100R002 can dynamically update traffic policy information
and generate configurations even if traffic policies fail to be applied. The system only records
application failure information in logs but displays no info message.
Identification method: Run the display traffic-policy xxx applied-record command.
Solution: Run the display traffic-policy *** applied-record command to check that
application status of the traffic policy is displayed as success.
Versions involved: V100R002
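One way to automate the check described above, as an added example that is not part of the original document: the parser below reads applied-record output in the layout shown in this guide and lists every slot whose status is not success. The sample text, the policy name demo_policy and the "fail" status string are constructed assumptions.

```python
import re

# Constructed sample in the applied-record layout shown in this guide.
# "demo_policy" and the "fail" status on slot 3 are assumed values.
SAMPLE = """\
-------------------------------------------------
  Policy Name:   demo_policy
  Policy Index:  10
     Classifier:c1     Behavior:b1
-------------------------------------------------
 *vlan 1101
    traffic-policy demo_policy inbound
      slot 1    :  success
      slot 3    :  fail
      slot 4    :  success
-------------------------------------------------
"""

TARGET_RE = re.compile(r"^\s*\*\s*(\S.*?)\s*$")  # "*interface ..." or "*vlan ..."
APPLY_RE = re.compile(r"^\s*traffic-policy\s+(\S+)\s+(inbound|outbound)\b", re.I)
SLOT_RE = re.compile(r"^\s*slot\s+(\S+)\s*:\s*(\S+)", re.I)


def parse_applied_record(text):
    """Return one dict per 'slot N : status' line with its policy and target."""
    records, target, policy, direction = [], None, None, None
    for line in text.splitlines():
        if m := TARGET_RE.match(line):
            # A new application point starts; forget the previous policy line.
            target, policy, direction = m.group(1), None, None
        elif m := APPLY_RE.match(line):
            policy, direction = m.group(1), m.group(2).lower()
        elif m := SLOT_RE.match(line):
            records.append({"target": target, "policy": policy,
                            "direction": direction, "slot": m.group(1),
                            "status": m.group(2).lower()})
    return records


def failed_slots(text):
    """Slots whose application status is anything other than 'success'."""
    return [r for r in parse_applied_record(text) if r["status"] != "success"]


def applied_everywhere(text):
    """True only if slot lines exist and every one of them reports success.

    Empty output counts as a failure: a policy that generated configuration
    but has no application record must not be treated as applied.
    """
    records = parse_applied_record(text)
    return bool(records) and all(r["status"] == "success" for r in records)


if __name__ == "__main__":
    for r in failed_slots(SAMPLE):
        print(f"{r['policy']} {r['direction']} on {r['target']}: "
              f"slot {r['slot']} is {r['status']}")
```
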
2.5.2 ACLs Configured to Control FTP/Telnet/SSH Login Users Discard Packets that Do Not Match the ACLs
Description: When ACLs are referenced by upper layer software to control FTP/Telnet/SSH
login users, packets that do not match the ACLs are discarded.
Root cause: There are hardware ACLs and software ACLs. Hardware ACLs are implemented
through the chip and delivered to the chip through the traffic policies. Hardware ACLs do not
process packets that do not match the ACLs. When software ACLs are referenced by upper
layer software to control FTP/Telnet/SSH login users, packets that do not match the ACLs are
discarded. Hardware and software ACLs are implemented differently. Ensure that you
configure correct ACLs.
Identification method: Run the display acl *** command.
Solution: Run the display acl *** command to check ACL configurations and ensure that
correct ACLs are bound to FTP/Telnet/SSH.
Versions involved: All versions
3 Troubleshooting
3.1 Troubleshooting Overview
ACL is a most commonly deployed feature. Common ACL faults include:
Traffic filtering does not take effect.
The traffic policy that is configured to redirect traffic to the next hop does not take effect.
This chapter describes methods to troubleshoot these ACL faults.
3.2 Traffic Filtering Does Not Take
3.2.3 Troubleshooting Flowchart
Figure 3.2.3.1.1.1.1 Troubleshooting flowchart
3.2.4 Troubleshooting Procedure
Step 1 Check traffic policy configurations.
If the traffic classifier contains ACL rules, check whether ACL rules are correctly configured
and whether logical relationship of the traffic classifier is correct. If the traffic classifier
contains Layer 2 and Layer 3 information, check whether traffic policies based on Layer 2 and
Layer 3 information are correctly configured and applied successfully.
display acl
display traffic classifier user-defined
display traffic behavior user-defined
display traffic policy user-defined
Step 2 Configure the traffic statistics function to check whether the switch receives packets.
Configure a traffic classifier to match corresponding packets and configure a traffic behavior
to collect traffic statistics. The following example collects traffic statistics on packets with the
source IP address 192.168.0.1.
#
acl number 3000
 rule 1 permit ip source 192.168.0.1 0
#
traffic classifier test operator and
 if-match acl 3000
#
traffic behavior test
 statistic enable
#
traffic policy test
 classifier test behavior test
#
interface GigabitEthernet0/0/1
 traffic-policy test inbound
#
Check whether statistics on corresponding packets can be collected. If so, packets with the
source IP address 192.168.0.1 are received by the local device. If not, the packets do not reach
the local device.
display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
 Interface: GigabitEthernet0/0/1
 Traffic policy inbound: test
 Rule number: 1
 Current status: OK!
 Board : 0
 Item                             Packets                      Bytes
---------------------------------------------------------------------
 Matched                                0                          -
  +--Passed                             0                          -
  +--Dropped                            0                          -
    +--Filter                           0                          -
    +--URPF                             -                          -
    +--CAR                              0                          -
Step 3 Configure the traffic statistics function to check whether packets are received by the outbound
interface.
The method to configure the traffic statistics function is the same as that in step 2. After the
traffic policy is configured, apply it to the outbound direction of the outbound interface.
#
acl number 3000
 rule 1 permit ip source 192.168.0.1 0
#
traffic classifier test operator and
 if-match acl 3000
#
#
traffic classifier test operator and
 if-match 8021p 3
#
traffic behavior test
 statistic enable
#
traffic policy test
 classifier test behavior test
#
interface GigabitEthernet0/0/2
 traffic-policy test outbound
#
Check whether statistics on corresponding packets are collected. If so, packets have been sent
from the outbound interface. If not, packets are discarded by the device.
display traffic policy statistics interface GigabitEthernet 0/0/2 outbound
 Interface: GigabitEthernet0/0/2
 Traffic policy outbound: test
 Rule number: 1
 Current status: OK!
 Board : 0
 Item                             Packets                      Bytes
---------------------------------------------------------------------
 Matched                                0                          -
  +--Passed                             0                          -
  +--Dropped                            0                          -
    +--Filter                           0                          -
    +--URPF                             -                          -
    +--CAR                              -                          -
Step 4 Check whether other configurations affect traffic forwarding.
Check configurations that match the information in the traffic classifier and whether these
configurations on VLAN interfaces affect packet forwarding.
----End
3.3 Traffic Policy That Is Configured to Redirect Traffic to the Next Hop Does Not Take
3.3.2 Troubleshooting Roadmap
The troubleshooting roadmap is as follows:
1. Check whether the traffic policy is configured correctly.
2. Check that the redirect-to-next hop exists.
3. Configure the traffic statistics function to check that packets are sent to the next hop.
3.3.3 Troubleshooting Flowchart
Figure 3.3.3.1.1.1.1 Troubleshooting flowchart
3.3.4 Troubleshooting Procedure
Step 1 Check whether the traffic policy is configured correctly.
Run the following command:
display traffic-policy test applied-record
-------------------------------------------------
  Policy Name:   test
  Policy Index:  1
     Classifier:test     Behavior:test
-------------------------------------------------
 *interface GigabitEthernet0/0/1
    traffic-policy test inbound
      slot 0    :  success
Step 2 Check whether the redirect-to-next hop exists.
Check whether the redirect-to-next hop exists based on the outbound interface. If not, traffic
redirection cannot take effect. If so, find out the reasons why the upstream device does not
send an ARP packet.
display arp interface GigabitEthernet 0/0/10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total:0         Dynamic:0       Static:0     Interface:0
Step 3 Configure the traffic statistics function to check whether packets are received by the next hop
device.
Configure a traffic behavior to collect traffic statistics in the traffic policy and check whether
packet statistics can be collected. If so, packets are received by the next hop device. If not, the
next hop device does not receive any packet.
----End
3.4 Information Collection
If the fault cannot be located, collect the following information. If non-Huawei devices are
involved, collect information according to the command reference.
3.4.1 Network Topology
Collect network topology information including device names, system MAC addresses, and
names of connected interfaces.
3.4.2 display Command List
Command                                       Description
display version                               Displays version information.
display device                                Displays device status.
display patch-information                     Displays patch information.
display cpu-usage slot slot-id                Displays CPU usage.
display memory-usage slot slot-id             Displays memory usage.
display current-configuration                 Displays the device configuration.
display interface                             Displays traffic on all ports every minutes or twice.
display traffic policy statistics interface
GigabitEthernet 0/0/x inbound/outbound        Displays traffic statistics.
display arp interface GigabitEthernet 0/0/x   Display ARP information on the interface.
3.4.3 Switch Logs and Diagnosis Logs
Chassis switches
Command for collecting diagnosis information:
display diagnostic-information
Log files and diagnosis logs:
Step 1 Run the save logfile command in the common view to save the configuration
file.
Step 2 Run the save diag-logfile command in the hidden view (diagnosis view in
V200R001 and a later version) to save the diagnosis log file.
Step 3 Start the FTP server on the PC and download the primary log files and
diagnosis log files to the PC.
Log files of the active MPUs on an S9
Log files and diagnosis log files of the active MPUs are mandatory. If a fault triggers a switchover or
the standby MPUs fail, you must collect log files and diagnosis log files of the standby MPUs. If a
CSS is torn down, collect log files and diagnosis log files on the four MPUs.
When the size of a log file exceeds the threshold, the switch automatically archives the log file and
saves it as a .zip file. For example, 212-11-2.5--25.log.zip and 212-11-15.5-22-32.diag.zip
are respectively an archived log file and a diagnosis log file. The file name indicates the archiving
time. Therefore, collect the log file and diagnosis log file generated when the fault occurs.
If the FTP server is unavailable, run the more command, such as more log.log. To collect diagnosis
log files of V100R003 or later, run the display diag-logfile command in the hidden view
(V100R003/V100R006) or diagnosis view (V200R001 or later), for example, display diag-logfile
cfcard:/logfile/log.dblg. It takes a long time to collect a large log file. FTP is recommended for
downloading log files.
Box switches
Command for collecting diagnosis information:
display diagnostic-information
Logs
In V100R003 and 100700
Step 1 Run the display logbuffer command to collect information in the log buffer.
Step 2 Run the display trapbuffer command to collect information in the trap buffer.
Box switches support log file recording from V100R006; therefore, perform the
following operations to collect log files:
Step 1 Run the save logfile command in the common view to save the configuration
file.
Step 2 Start the FTP server on the PC and download the primary log files and
diagnosis log files to the PC.
Log files of box switches are saved in flash:/syslogfile and flash:/resetinfo.
If a CSS is torn down or fails to be reset, collect log files of all devices in the CSS.
Box switches have only a small number of log files. Send all files in directories syslogfile and
resetinfo to R&D for analysis.
Directories syslogfile or resetinfo may not exist on some models due to hardware restrictions, so
you do not need to collect log files.
4 Troubleshooting Cases
4.1 After Traffic Filtering Is Configured, Traffic Fails To Be Forwarded As Expected
4.1.1 Symptom and Networking
As shown in Figure 4.1.1.1.1.1.1, the clients connect to the switch through interfaces in
different VLANs. All the clients are on the same network segment 192.1;1;. ACLs are
configured to prohibit Layer 3 communications among the clients. However, packets from a
client can still be forwarded by the switch to another client.
Figure 4.1.1.1.1.1.1 Networking diagram
Related configurations
acl number 3999
 rule 0 permit ip destination 192.167.0.0 0.0.255.255
#
traffic classifier denyacl operator or precedence 65535
 if-match acl 3999
#
traffic behavior deny
 deny
#
traffic policy miwangacl
 classifier denyacl behavior deny
#
user-bind mac-address 286e-d488-cf71 interface gigabitethernet 1/0/1
interface GigabitEthernet1/0/0
 description connect N001
 port link-type access
 port default vlan 1150
 traffic-policy miwangacl inbound
 port-mirroring to observe-port 1 inbound
 port-mirroring to observe-port 1 outbound
#
interface GigabitEthernet1/0/1
 description connect N002
 port link-type access
 port default vlan 1160
 traffic-policy miwangacl inbound
 port-mirroring to observe-port 1 inbound
 port-mirroring to observe-port 1 outbound
 ip source check user-bind enable
#
interface GigabitEthernet1/0/2
 description connect N003
 port link-type access
 port default vlan 1170
 traffic-policy miwangacl inbound
 port-mirroring to observe-port 1 inbound
 port-mirroring to observe-port 1 outbound
4.1.2 Root Cause
The system delivers ACL rules for static binding entries. On the S
Figure 4.2.1.1.1.1.1 Networking diagram
Related configurations
acl number 3100
 rule 1 permit ip source 100.25.8.10 0
traffic classifier tcCorppnRadiusUp precedence 100
 if-match acl 3100
traffic classifier tcCorppnSvr1101 precedence 1101
 if-match vlan-id 1101
traffic behavior bCorppnRadius1101
 redirect vpn-instance Corppn1101 ip-nexthop 192.168.15.20
traffic behavior bCorppnSvr1101
 redirect vpn-instance Corppn1101 ip-nexthop 192.168.15.10
traffic policy tCorppn1101
 classifier tcCorppnRadiusUp behavior bCorppnRadius1101
 classifier tcCorppnSvr1101 behavior bCorppnSvr1101
vlan 1101
 traffic-policy tCorppn1101 inbound
4.2.2 Root Cause
The specified next-hop address does not exist or the traffic policy is set to auto, causing
incorrect ACL rule matching.
4.2.3 Identification Method
Step 1 Check whether the traffic policy with redirect-to-next-hop behavior is correctly configured.
display traffic-policy applied-record tCorppn1101
--------------------------------------------------
  Policy Name:   tCorppn1101
  Policy Index:  10
     Classifier:tcCorppnRadiusUp     Behavior:bCorppnRadius1101
     Classifier:tcCorppnSvr1101     Behavior:bCorppnSvr1101
-------------------------------------------------
 *vlan 1101
    traffic-policy tCorppn1101 inbound
      slot 1    :  success
      slot 3    :  success
      slot 4    :  success
-------------------------------------------------
  Policy total applied times: 1.
Step 2 Check whether the redirect-to-next hop exists. If the following information is displayed, the
next hop does not exist.
display arp interface Vlanif 1501
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
192.168.15.1    101b-5498-000f            I -         Vlanif1501
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1
Step 3 Check whether the downstream device correctly sends the ARP packet that carries the
next-hop address. If not, the local device cannot learn the ARP entry. In this case, modify
configurations on the downstream device. If the local device learns the next-hop address in
the ARP entry but packets are forwarded to the interface 192.168.15.10 rather than the
interface 192.168.15.20, the packets incorrectly match classifier tcCorppnRadiusUp
behavior bCorppnRadius1101. This is because packets carry VLAN 1101 and the
matching order of traffic policy rules is auto by default. In auto mode, a Layer 2 ACL has a
higher priority than a Layer 3 ACL on chassis devices; therefore, the packets preferentially
match a Layer 2 ACL.
----End
4.2.4 Solution
Modify configurations on the downstream device so that the downstream device can
correctly send ARP packets.
Set the matching order of traffic policy rules to config.
4.2.5 Summary
Note that priorities of traffic classifiers are not the order in which packets were matched.
If traffic is not received on the redirect-to-next-hop device, check whether the device
learns the ARP entry of the next-hop address.
Set the matching order of traffic policy rules to config so that rules are matched in the
order in which they were configured.
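The effect of the matching order in this case, as an added example that is not part of the original document: a simplified model in which auto order tries Layer 2 classifiers before Layer 3 classifiers (the only property of auto mode stated above) and config order follows the configuration sequence. The classifier names, addresses and packet fields are constructed.

```python
# Constructed policy with the same shape as the case above: a Layer 3
# classifier (source IP) configured first, a Layer 2 classifier (VLAN ID)
# configured second, each redirecting to a different next hop.
POLICY = [
    {"name": "c_l3_host", "layer": 3,
     "match": {"src": "198.51.100.10"}, "next_hop": "192.0.2.20"},
    {"name": "c_l2_vlan", "layer": 2,
     "match": {"vlan": 1101}, "next_hop": "192.0.2.10"},
]


def matches(classifier, packet):
    """A classifier matches when every field it names equals the packet's."""
    return all(packet.get(k) == v for k, v in classifier["match"].items())


def evaluation_order(policy, match_order):
    """Order in which classifiers are tried for a given matching order."""
    if match_order == "config":
        return list(policy)  # exactly as configured
    if match_order == "auto":
        # Simplified assumption: Layer 2 before Layer 3. sorted() is stable,
        # so configuration order is preserved within each layer.
        return sorted(policy, key=lambda c: c["layer"])
    raise ValueError(f"unknown match order: {match_order}")


def select(policy, packet, match_order="auto"):
    """(classifier name, next hop) of the first match, or None."""
    for classifier in evaluation_order(policy, match_order):
        if matches(classifier, packet):
            return classifier["name"], classifier["next_hop"]
    return None


def order_sensitive(policy, packets):
    """Packets whose redirect target changes between auto and config order."""
    return [p for p in packets
            if select(policy, p, "auto") != select(policy, p, "config")]


if __name__ == "__main__":
    pkt = {"src": "198.51.100.10", "vlan": 1101}
    print("auto  :", select(POLICY, pkt, "auto"))
    print("config:", select(POLICY, pkt, "config"))
```
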
5 FAQ
5.1 Does the S00;S!00 Support Inter-Card Redirection? How Do I Configure This Function?
The S
5.2 Why Is CAR Rate Limiting Inaccurate?
The switch counts lengths of the inter-frame gaps and VLAN tags when calculating the CAR,
which causes inaccurate rate limiting. It is recommended that you use packets of over 1000
bytes in CAR tests to minimize the impact of inter-frame gaps and VLAN tags.
For example, a 64-byte packet usually has an inter-frame gap of 20 bytes and a VLAN tag of
4 bytes. Therefore, the total packet length is 88 bytes (64 bytes + 20 bytes + 4 bytes = 88
bytes). During CAR rate limiting, the switch calculates the traffic rate based on the 88-byte
packet length, so the rate limiting result is inaccurate. If the switch uses large packets, the
lengths of inter-frame gap and the VLAN tag account for a small proportion of the total
packet length and cause a little impact on the packet rate. Therefore, the rate limiting result is
more accurate.
5.3 How Is PBR Implemented on S-series Switches?
S-series switches support weak PBR. Packets are still forwarded even if the specified
next-hop address does not exist.
Starting from V1R6, the switches support multiple next hops for redirection. The next hops
work in active/standby mode. A maximum of four next-hop IP addresses can be configured in
a traffic behavior. A switch determines the primary path and backup paths according to the
sequence in which next-hop IP addresses were configured. The next-hop IP address that was
configured first has the highest priority and this next hop is used as the primary path. Other
next hops are used as backup paths. When the primary path is Down, one of the backup paths
is selected as the new primary path.
5.4 The Traffic Behavior Is Not Set to deny, but Traffic is Discarded, Why?
The traffic policy may reference an ACL with a deny action. If traffic matches this ACL, the
traffic is denied even when permit action is configured in the traffic behavior. When an ACL
is referenced by a traffic policy, the permit/deny actions in the ACL are used with the
permit/deny actions in the traffic behavior. If a deny action is defined either in the ACL or
the traffic behavior, the deny action is performed.
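The two rules of evaluation this guide describes, for ACLs bound to FTP/Telnet/SSH login control (section 2.5.2) and for ACLs referenced by a traffic policy (this FAQ), as an added example that is not part of the original document. The ACL contents are constructed, and evaluating rules in listed order is an assumption.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def first_match(acl, src):
    """Action of the first rule matching src, or None when no rule matches.

    Assumption: rules are evaluated in the order listed (rule-ID order).
    """
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return None


def login_decision(acl, src):
    """Software ACL referenced for FTP/Telnet/SSH login control:
    a source that matches no rule is discarded."""
    return first_match(acl, src) or "deny"


def traffic_policy_decision(acl, behavior_action, src):
    """Hardware ACL referenced by a traffic classifier: a packet that matches
    no rule is not processed by the policy; for a matched packet, deny in
    either the ACL rule or the traffic behavior wins."""
    acl_action = first_match(acl, src)
    if acl_action is None:
        return "not-processed"
    return "deny" if "deny" in (acl_action, behavior_action) else "permit"


def divergent_sources(acl, behavior_action, sources):
    """Sources the traffic policy does not deny but login control refuses
    when both reference the same ACL."""
    return [s for s in sources
            if traffic_policy_decision(acl, behavior_action, s) != "deny"
            and login_decision(acl, s) == "deny"]


# Constructed ACL: (action, source address, wildcard)
DEMO_ACL = [("permit", "10.10.10.0", "0.0.0.255"),
            ("deny", "10.10.20.0", "0.0.0.255")]

if __name__ == "__main__":
    for src in ("10.10.10.7", "10.10.20.5", "172.16.0.9"):
        print(src, "login:", login_decision(DEMO_ACL, src),
              "| policy:", traffic_policy_decision(DEMO_ACL, "permit", src))
```
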
5.5 How Do I Use a User-defined ACL?
In 100700 and a later version, a switch provides user-defined ACLs. A user-defined ACL
can match any part of a packet. A user-defined ACL can start matching from the following
fields based on the following information in a packet:
l2-head
ipv4-head and ipv6-head
l4-head
A user-defined ACL matches the four-byte character string after a specified offset in any of
the preceding fields. The matched character string must be four bytes and the offset bytes are
set through a command.
For example, to match packets with the IPv4 TTL of 1, run the following commands:
[Quidway] acl 5000
[Quidway-acl-user-5000] rule permit ipv4-head 0x01000000 0xff000000 8
The value 8 is the number of offset bytes before the TTL field in the IPv4 packet header. The
TTL field occupies one byte and the value 0x01000000 corresponds to TTL value 1 after the
offset from the IPv4 packet header.
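How the value, mask and offset of the rule above select the TTL byte, as an added example that is not part of the original document. The header bytes are constructed, and the helper names window, udf_match and rule_text are hypothetical; the example also derives the window for other header fields, which goes beyond the single TTL case in the text.

```python
import socket
import struct


def ipv4_header(ttl, proto=17, src="192.0.2.1", dst="192.0.2.2"):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def window(field_offset, field_len, field_value, window_offset):
    """Value and mask for the 4-byte window starting at window_offset that
    covers a field of field_len bytes at field_offset (both offsets are
    counted in bytes from the start of the header)."""
    shift_bytes = window_offset + 4 - (field_offset + field_len)
    if field_offset < window_offset or shift_bytes < 0:
        raise ValueError("field does not fit in the 4-byte window")
    if field_value >= 1 << (8 * field_len):
        raise ValueError("value does not fit in the field")
    mask = ((1 << (8 * field_len)) - 1) << (8 * shift_bytes)
    return field_value << (8 * shift_bytes), mask


def udf_match(header, value, mask, offset):
    """Compare the 4 bytes at offset with value; only mask bits set to 1 count."""
    if offset + 4 > len(header):
        return False  # the window runs past the header: treat as no match
    (word,) = struct.unpack_from("!I", header, offset)
    return (word & mask) == (value & mask)


def rule_text(head, value, mask, offset):
    """Format the parameters in the rule syntax shown in this FAQ."""
    return f"rule permit {head} 0x{value:08x} 0x{mask:08x} {offset}"


if __name__ == "__main__":
    value, mask = window(field_offset=8, field_len=1, field_value=1,
                         window_offset=8)       # TTL is byte 8 of the header
    print(rule_text("ipv4-head", value, mask, 8))
    for ttl in (1, 64):
        print("TTL", ttl, "matches:",
              udf_match(ipv4_header(ttl), value, mask, 8))
```
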
5.6 How Do I Know About ACL Resource Usage?
You can run the display acl resource slot slot-id command on the switch to check the ACL
resource usage.
Example: Run the display acl resource slot 3 command to check the ACL resource usage in
slot 3.
<Switch> display acl resource slot 3
Slot  3
                   Vlan-ACL           Inbound-ACL        Outbound-ACL
----------------------------------------------------------------------------
Rule Used          10                 329                3
Rule Free          2038               7863               1021
Rule Total         2048               8192               1024
Meter Used         0                  58                 0
Meter Free         0                  8134               1024
Meter Total        0                  8192               1024
Counter Used       0                  59                 1
Counter Free       0                  8133               1023
Counter Total      0                  8192               1024
----------------------------------------------------------------------------
The following table describes each field in the command output.
Item              Description
Slot              Slot ID.
Vlan-ACL          ACL processor in a VLAN.
Inbound-ACL       Upstream ACL processor.
Outbound-ACL      Downstream ACL processor.
Rule Used         Number of used ACL rules.
Rule Free         Number of idle ACL rules.
Rule Total        Total number of ACL rules.
Meter Used        Number of used meters.
Meter Free        Number of idle meters.
Meter Total       Total number of meters.
Counter Used      Number of used counters.
Counter Free      Number of idle counters.
Counter Total     Total number of counters.
A Acronyms and Abbreviations
ACL Access Control List
CAR Committed Access Rate