华为交换机：配置重定向示例

华为交换机：配置重定向示例
通过配置重定向将外网到内网的全部流量送至防火墙进行安全过滤。

组网需求
如图1所示，某公司由于业务需要，用户有访问Internet的需求。用户通过接入层交换机SwitchB和核心层交换机SwitchA以及接入网关Router与Internet进行通信。
为了保证公司数据和网络的安全性，用户希望保证Internet到服务器全部流量的安全性。
配置思路
    出于安全性考虑，在SwitchA上旁挂一台核心防火墙Firewall，对流量进行安全过滤。
    由于进入防火墙的流量是二层流量，因此通过重定向到接口将来自Internet的所有流量重定向到防火墙进行安全过滤。
    为了防止出现环路，在SwitchA与防火墙相连的接口上配置端口隔离，并配置禁止MAC地址学习防止MAC漂移。
操作步骤
（1）创建VLAN并配置各接口，保证二层互通
    # 在SwitchB上创建VLAN100和VLAN200。
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchB
    [SwitchB] vlan batch 100 200
    # 配置SwitchB上接口GE1/0/2和GE1/0/3的接口类型为Access，并将GE1/0/2加入VLAN200，将GE1/0/3加入VLAN100，配置GE1/0/1的接口类型为Trunk，并将GE1/0/1加入VLAN100和VLAN200。
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] port link-type access
    [SwitchB-GigabitEthernet1/0/2] port default vlan 200
    [SwitchB-GigabitEthernet1/0/2] quit
    [SwitchB] interface gigabitethernet 1/0/3
    [SwitchB-GigabitEthernet1/0/3] port link-type access
    [SwitchB-GigabitEthernet1/0/3] port default vlan 100
    [SwitchB-GigabitEthernet1/0/3] quit
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] port link-type trunk
    [SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200
    [SwitchB-GigabitEthernet1/0/1] quit
    # 在SwitchA上创建VLAN100和VLAN200。
    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100 200
    # 配置SwitchA上接口GE1/0/1、GE1/0/2、GE1/0/3和GE1/0/4接口类型为Trunk，并将它们都加入VLAN100和VLAN200。将接口GEGE1/0/3和GE1/0/4加入同一个端口隔离组，配置接口GE1/0/4禁止MAC地址学习防止MAC漂移。
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type trunk
    [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type trunk
    [SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/3] port-isolate enable
    [SwitchA-GigabitEthernet1/0/3] quit
    [SwitchA] interface gigabitethernet 1/0/4
    [SwitchA-GigabitEthernet1/0/4] port link-type trunk
    [SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 100 200
    [SwitchA-GigabitEthernet1/0/4] port-isolate enable
    [SwitchA-GigabitEthernet1/0/4] mac-address learning disable
    [SwitchA-GigabitEthernet1/0/4] quit
（2）配置MQC实现重定向到接口
# 配置流分类。
[SwitchA] traffic classifier c1
[SwitchA-classifier-c1] if-match any
[SwitchA-classifier-c1] quit
# 配置流行为。
[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] redirect interface gigabitethernet 1/0/3
[SwitchA-behavior-b1] quit
# 配置流策略。
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit
# 在SwitchA的GigabitEthernet1/0/1入方向应用流策略。
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy p1 inbound
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] quit

（3）验证配置结果
# 查看流分类的配置信息。
<SwitchA> display traffic classifier user-defined c1
 User Defined Classifier Information:                                          
  Classifier: c1                                                               
   Precedence: 5                                                               
   Operator: OR                                                                
   Rule(s) : if-match any  
# 查看流行为的配置信息。
<SwitchA> display traffic behavior user-defined b1
  User Defined Behavior Information:                                            
    Behavior: b1                                                                
      Permit                                                        
      Redirect: no forced                                                                 
        Redirect interface GigabitEthernet1/0/3    
# 查看流策略的配置信息。
<SwitchA> display traffic policy user-defined p1
  User Defined Traffic Policy Information:                                      
  Policy: p1                                                                    
   Classifier: c1                                                               
    Operator: OR                                                                
     Behavior: b1                                                               
      Permit                                                        
      Redirect: no forced                                                                 
        Redirect interface GigabitEthernet1/0/3   
# 查看流策略的应用信息。
<SwitchA> display traffic-policy applied-record
#                                                                               
-------------------------------------------------                               
  Policy Name:   p1                                                             
  Policy Index:  0                                                              
     Classifier:c1     Behavior:b1                                              
-------------------------------------------------                               
 *interface GigabitEthernet1/0/1                                              
    traffic-policy p1 inbound                                                   
      slot 1    :  success                                                      
-------------------------------------------------                               
  Policy total applied times: 1.                                                
#    

QoS服务质量（列表、list、全）qoslist

http://www.zh-cjh.com/wenzhangguilei/2180.html

文章归类、所有文章列表、LISTLIST
http://www.zh-cjh.com/wangzhangonggao/2195.html