Configuration issues related to Network Management of Huawei switches (2)

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Q: How is the rate limit configured on the S2300/S3300/S5300?

A: When configuring a rate limit, the recommendation is:

Do not configure PIR; configure only CIR, CBS and PBS.

CBS = 200 * CIR.

PBS = 2 * CBS = 2 * 200 * CIR = 400 * CIR.

Here CIR is in kbit/s, and CBS and PBS are in bytes.

Configure an outbound rate limit on the interface, with the rate limited to 10M.

In versions earlier than V100R003C01, the configuration is as follows:

[Quidway] interface ethernet 0/0/1

[Quidway-Ethernet0/0/1] qos lr cir 10240 cbs 2048000

In V100R003C01 and later versions, the configuration is as follows:

[Quidway] interface ethernet 0/0/1

[Quidway-Ethernet0/0/1] qos lr outbound cir 10240 cbs 2048000

Configure an inbound rate limit on the interface, with the rate limited to 10M.

In versions earlier than V100R003C01, the configuration is as follows:

[Quidway] traffic classifier c1

[Quidway-classifier-c1] if-match any

[Quidway-classifier-c1] quit

[Quidway] traffic behavior b1

[Quidway-behavior-b1] permit

[Quidway-behavior-b1] car cir 10240 cbs 2048000 pbs 4096000

[Quidway-behavior-b1] quit

[Quidway] traffic policy c1

[Quidway-trafficpolicy-c1] classifier c1 behavior b1

[Quidway-trafficpolicy-c1] quit

[Quidway] interface ethernet 0/0/1

[Quidway-Ethernet0/0/1] traffic-policy c1 inbound

In V100R003C01 and later versions, the configuration is as follows:

[Quidway] interface ethernet 0/0/1

[Quidway-Ethernet0/0/1] qos lr inbound cir 10240 cbs 2048000

Description:

Traffic policies can be applied in the physical interface view, the Eth-Trunk view, and the VLAN view (where the VLAN's ports share the bandwidth).

On the S5300, the physical interface is a GigabitEthernet interface.
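To make the CIR/CBS/PBS recommendation above concrete, here is an added example (not Huawei code, and not part of the original article) that models the single-rate limiter as a two-bucket token-bucket marker in the style of the RFC 2697 single rate three colour marker. Mapping the switch's PBS onto the second bucket, and treating 1 kbit/s as 1000 bit/s, are assumptions of this model. With the article's ratios, CBS always holds 1.6 s of traffic at CIR and PBS 3.2 s, which is what `burst_seconds` shows for the 10M example (cir 10240, cbs 2048000).

```python
"""Token-bucket model of the CIR/CBS/PBS rate limiter recommended above.

Added example, not Huawei code. The two-bucket, single-rate algorithm is
modelled on the RFC 2697 single rate three colour marker; mapping the
switch's PBS onto the second bucket is an assumption of this model.
Units follow the article: CIR in kbit/s, CBS and PBS in bytes.
"""

KBIT = 1000  # assumption: 1 kbit/s = 1000 bit/s


def lr_params(cir_kbps):
    """Bucket sizes from the article's rule of thumb CBS = 200*CIR, PBS = 2*CBS."""
    cbs = 200 * cir_kbps
    pbs = 2 * cbs
    return cbs, pbs


def burst_seconds(cir_kbps, bucket_bytes):
    """How long a full bucket lets traffic exceed CIR before it runs dry."""
    return bucket_bytes * 8 / (cir_kbps * KBIT)


class SingleRateMarker:
    """Colour-blind srTCM: bucket C (CBS) fills at CIR, overflow goes to bucket P (PBS)."""

    def __init__(self, cir_kbps, cbs_bytes, pbs_bytes):
        self.rate = cir_kbps * KBIT / 8      # bytes per second
        self.cbs = cbs_bytes
        self.pbs = pbs_bytes
        self.tc = float(cbs_bytes)           # both buckets start full
        self.tp = float(pbs_bytes)
        self.last = 0.0

    def _refill(self, now):
        tokens = (now - self.last) * self.rate
        self.last = now
        room_c = self.cbs - self.tc
        self.tc += min(tokens, room_c)
        self.tp = min(self.pbs, self.tp + max(0.0, tokens - room_c))

    def colour(self, now, size_bytes):
        """Classify one packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return "green"       # conforms to CIR/CBS
        if size_bytes <= self.tp:
            self.tp -= size_bytes
            return "yellow"      # exceeds CBS but within PBS
        return "red"             # dropped by the limiter


def mark_all(cir_kbps, packets):
    """Colour a constructed trace of (time_s, size_bytes) packets in arrival order."""
    cbs, pbs = lr_params(cir_kbps)
    marker = SingleRateMarker(cir_kbps, cbs, pbs)
    return [marker.colour(t, size) for t, size in packets]


if __name__ == "__main__":
    # The article's 10M example: cir 10240 -> cbs 2048000, pbs 4096000, 1.6 s of burst
    print(lr_params(10240), round(burst_seconds(10240, 2048000), 2))
    # Constructed trace at cir 8 kbit/s (1000 B/s): cbs 1600 B, pbs 3200 B
    print(mark_all(8, [(0, 1000), (0, 1000), (0, 3000), (1.0, 1600), (1.0, 1)]))
```

The constructed trace shows the practical meaning of the two sizes: the second 1000-byte packet at t=0 no longer fits in CBS and is marked yellow, the 3000-byte packet exceeds what is left of PBS and is red, and after one second at CIR the C bucket has refilled enough for a 1600-byte packet to be green again.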

Q: How are traffic statistics configured on the S2300/S3300/S5300?

A: Suppose you need to count ping (ICMP) packets whose source IP address is in 10.1.1.0/24 arriving on interface Ethernet0/0/1. The configuration is as follows:

# configure ACL rules.

[Quidway] acl number 3333

[Quidway-acl-adv-3333] rule 5 permit icmp source 10.1.1.0 0.0.0.255

[Quidway-acl-adv-3333] quit

# configure flow classification.

[Quidway] traffic classifier test

[Quidway-classifier-test] if-match acl 3333

[Quidway-classifier-test] quit

# configure flow behavior.

Versions earlier than S2300/S3300/S5300 V100R005:

[Quidway] traffic behavior test

[Quidway-behavior-test] count

[Quidway-behavior-test] quit

S2300/S3300/S5300 V100R005 and later versions:

[Quidway] traffic behavior test

[Quidway-behavior-test] statistic enable

[Quidway-behavior-test] quit

# configure flow policy.

[Quidway] traffic policy test

[Quidway-trafficpolicy-test] classifier test behavior test

[Quidway-trafficpolicy-test] quit

# Apply traffic policy test on the S2300/S3300.

[Quidway] interface ethernet0/0/1

[Quidway-Ethernet0/0/1] traffic-policy test inbound

# Apply traffic policy test on the S5300.

[Quidway] interface gigabitethernet0/0/1

[Quidway-GigabitEthernet0/0/1] traffic-policy test inbound

After the configuration is complete, run display traffic policy statistics interface interface-type interface-number to view the traffic statistics. To start counting again from zero, run reset traffic policy statistics interface interface-type interface-number to clear the existing statistics.

Description:

S2300/S3300 only supports traffic statistics in the incoming direction.

The S5300 supports both inbound and outbound traffic statistics, but cannot count packets originated by the CPU of the S5300 itself.
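The following is an added example (not Huawei code and not part of the original article) that models what the ACL, classifier and `statistic enable` behavior above do: it evaluates an advanced ACL rule such as `rule 5 permit icmp source 10.1.1.0 0.0.0.255` against a constructed packet trace and keeps the counters that `display traffic policy statistics` would show. It assumes Huawei wildcard semantics for IP rules (a 0 bit in the wildcard must match, a 1 bit is ignored, so `0` means an exact host) and mask semantics for L2 ACL rules (a 1 bit must match, so `ffff-ffff-ffff` is an exact MAC), which is the form used by the MAC+port binding answer further down; the field names `proto`, `src` and `len` are this model's own.

```python
"""Model of the ACL match plus 'statistic enable' counter configured above.

Added example, not Huawei code. Evaluates an advanced ACL rule such as
'rule 5 permit icmp source 10.1.1.0 0.0.0.255' against a constructed packet
trace and keeps the per-policy counters. Huawei IP wildcard semantics are
assumed (a 0 bit in the wildcard must match, a 1 bit is ignored); the MAC
mask of an L2 ACL works the other way round (a 1 bit must match).
"""


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mac_to_int(hyphenated):
    # Huawei notation: 0002-0002-0002
    return int(hyphenated.replace("-", ""), 16)


def ip_matches(rule_ip, wildcard, packet_ip):
    """Advanced ACL: bits where the wildcard is 0 must be equal ("0" -> "0.0.0.0")."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(rule_ip) ^ ip_to_int(packet_ip)) & care == 0


def mac_matches(rule_mac, mask, packet_mac):
    """L2 ACL: bits where the mask is 1 must be equal (ffff-ffff-ffff = exact)."""
    return (mac_to_int(rule_mac) ^ mac_to_int(packet_mac)) & mac_to_int(mask) == 0


class Acl:
    """Ordered rules; the first matching rule decides, as on the switch."""

    def __init__(self):
        self.rules = []  # (number, action, predicate)

    def add_rule(self, number, action, predicate):
        self.rules.append((number, action, predicate))
        self.rules.sort(key=lambda r: r[0])

    def evaluate(self, packet):
        for _, action, predicate in self.rules:
            if predicate(packet):
                return action
        return None  # no rule matched


class TrafficPolicyStats:
    """Counts packets whose classifier (an ACL permit) matches, like 'statistic enable'."""

    def __init__(self, acl):
        self.acl = acl
        self.matched_packets = 0
        self.matched_bytes = 0

    def inbound(self, packet):
        if self.acl.evaluate(packet) == "permit":
            self.matched_packets += 1
            self.matched_bytes += packet["len"]

    def reset(self):
        """Equivalent of 'reset traffic policy statistics'."""
        self.matched_packets = self.matched_bytes = 0


def count_icmp_from_subnet(packets):
    """Reproduce ACL 3333 from the article and return (packets, bytes) counted."""
    acl = Acl()
    acl.add_rule(5, "permit", lambda p: p["proto"] == "icmp"
                 and ip_matches("10.1.1.0", "0.0.0.255", p["src"]))
    stats = TrafficPolicyStats(acl)
    for p in packets:
        stats.inbound(p)
    return stats.matched_packets, stats.matched_bytes


# Constructed trace: two pings from inside 10.1.1.0/24, one from outside, one TCP segment
SAMPLE = [
    {"proto": "icmp", "src": "10.1.1.7", "len": 84},
    {"proto": "icmp", "src": "10.1.1.250", "len": 84},
    {"proto": "icmp", "src": "10.1.2.7", "len": 84},
    {"proto": "tcp", "src": "10.1.1.7", "len": 60},
]

if __name__ == "__main__":
    print(count_icmp_from_subnet(SAMPLE))  # (2, 168)
    print(mac_matches("0002-0002-0002", "ffff-ffff-ffff", "0002-0002-0003"))  # False
```

The inverted meaning of the two mask styles is the usual source of mistakes when writing these rules: a wildcard of `0.0.0.255` on an IP rule covers a /24, whereas a MAC mask of `ffff-ffff-0000` would cover the whole OUI plus one more byte rather than a single station.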

Q: Why can users attached to the device not obtain an IP address after DHCP Snooping is configured?

A: After DHCP Snooping is enabled, all interfaces of the switch are untrusted by default. The interface connected to the DHCP server must then be configured as trusted; otherwise the DHCP Reply messages returned by the DHCP server are discarded, and users attached to the switch cannot obtain the IP address assigned by the DHCP server.

Q: How is the IP+MAC+port binding function implemented through configuration?

A: The S-switch implements IP+MAC+port binding through the static binding table of DHCP Snooping.

The idea is to first configure the static binding table under the VLAN, where the IP and MAC in the table are the IP and MAC of the PC, and then enable IP and ARP packet checking on the S-switch interface connected to the PC.

For example, bind IP address 10.1.1.1, MAC address 0002-0002-0002 and interface Ethernet0/0/1.

V100R002 is configured as follows:

[HUAWEI] dhcp enable

[HUAWEI] dhcp snooping enable

[HUAWEI] vlan 100

[HUAWEI-vlan100] quit

[HUAWEI] interface Ethernet 0/0/1

[HUAWEI-Ethernet0/0/1] port default vlan 100

[HUAWEI-Ethernet0/0/1] dhcp snooping check user-bind enable

[HUAWEI-Ethernet0/0/1] quit

[HUAWEI] vlan 100

[HUAWEI-vlan100] dhcp snooping enable

[HUAWEI-vlan100] user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1

The configurations for V100R003 and later versions are as follows:

[HUAWEI] dhcp enable

[HUAWEI] dhcp snooping enable

[HUAWEI] vlan 100

[HUAWEI-vlan100] quit

[HUAWEI] interface Ethernet 0/0/1

[HUAWEI-Ethernet0/0/1] port default vlan 100

[HUAWEI-Ethernet0/0/1] ip source check user-bind enable

[HUAWEI-Ethernet0/0/1] quit

[HUAWEI] vlan 100

[HUAWEI-vlan100] dhcp snooping enable

[HUAWEI-vlan100] quit

[HUAWEI] user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1

Q: How is the MAC+port binding function implemented through configuration?

A: The switch implements MAC+port binding through the combination of a traffic policy and DHCP Snooping: the port is bound only to a specific MAC address (only packets that are in the binding table and carry that specific MAC address may pass), and no IP address is bound.

For example, configure port Ethernet0/0/1 to pass only packets that are in the binding table and have source MAC address 0-02-02, discarding all other packets.

# Enable DHCP Snooping globally

[Quidway] dhcp snooping enable

# Create an ACL that permits only packets with source MAC address 0-02-02

[Quidway] acl 4000

[Quidway-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff

[Quidway-acl-L2-4000] rule deny

# Create a traffic classifier that matches ACL 4000

[Quidway] traffic classifier c1

[Quidway-classifier-c1] if-match acl 4000

# Create a traffic behavior and a traffic policy

[Quidway] traffic behavior b1

[Quidway-behavior-b1] permit

[Quidway] traffic policy p1

[Quidway-trafficpolicy-p1] classifier c1 behavior b1

# Apply the traffic policy on the port so that only packets in the binding table with source MAC address 0-02-02 pass.

The version of V001C00R002 is configured as follows:

[Quidway] interface Ethernet 0/0/1

[Quidway-Ethernet0/0/1] port default vlan 4094

[Quidway-Ethernet0/0/1] dhcp snooping check user-bind enable

[Quidway-Ethernet0/0/1] traffic-policy p1 inbound

The configurations for V001C00R003 and later versions are as follows:

[Quidway] interface Ethernet 0/0/1

[Quidway-Ethernet0/0/1] port default vlan 4094

[Quidway-Ethernet0/0/1] ip source check user-bind enable

[Quidway-Ethernet0/0/1] traffic-policy p1 inbound

Q: How is IP+port binding implemented through configuration?

A: The switch binds IP and port through the combination of a traffic policy and DHCP Snooping: the port is bound only to a specific source IP address (only packets that are in the binding table and carry that specific source IP address may pass), and no MAC address is bound.

For example, configure port Ethernet0/0/8 to pass only packets that are in the binding table and have source IP address 192.168.130.50, discarding all other IP packets.

# Enable DHCP Snooping globally

[Quidway] dhcp snooping enable

# Define an advanced ACL that matches IP address 192.168.130.50

[Quidway] acl 3000

[Quidway-acl-adv-3000] rule 5 permit ip source 192.168.130.50 0

[Quidway-acl-adv-3000] rule 10 deny ip source any

[Quidway-acl-adv-3000] rule 15 deny ip destination any

# Create a traffic classifier that matches the ACL

[Quidway] traffic classifier c1

[Quidway-classifier-c1] if-match acl 3000

# Create a traffic behavior and a traffic policy

[Quidway] traffic behavior b1

[Quidway-behavior-b1] permit

[Quidway] traffic policy p1

[Quidway-trafficpolicy-p1] classifier c1 behavior b1

# Apply the traffic policy on the port. Only packets in the binding table with source IP address 192.168.130.50 are allowed to pass.

The version of V100R002C00 is configured as follows:

[Quidway] interface Ethernet 0/0/8

[Quidway-Ethernet0/0/8] port default vlan 4094

[Quidway-Ethernet0/0/8] dhcp snooping check user-bind enable

[Quidway-Ethernet0/0/8] traffic-policy p1 inbound

The configurations for V100R003C00 and later versions are as follows:

[Quidway] interface Ethernet 0/0/8

[Quidway-Ethernet0/0/8] port default vlan 4094

[Quidway-Ethernet0/0/8] ip source check user-bind enable

[Quidway-Ethernet0/0/8] traffic-policy p1 inbound
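The three binding answers above and the earlier DHCP Snooping trust question all rest on the same mechanism, the snooping binding table and the per-port source check. The following added example (not Huawei code and not part of the original article) models that mechanism so the behaviour can be replayed offline: a DHCP reply arriving on an untrusted port is discarded, a reply on a trusted port populates a dynamic entry, a `user-bind static` entry is added by hand, and an interface with the source check enabled passes only packets whose (IP, MAC, port) triple is in the table. Treating the check as an exact triple lookup that drops everything else, the `SnoopingSwitch` class and its method names, and the uplink port GigabitEthernet0/0/24 are assumptions of this model; the PC address 10.1.1.1 / 0002-0002-0002 on Ethernet0/0/1 is taken from the article.

```python
"""Model of the DHCP Snooping binding table and the per-port source check
behind the IP+MAC+port, MAC+port and IP+port bindings configured above, and
of the trusted/untrusted port rule from the DHCP Snooping question.

Added example, not Huawei code. Treating the check as an exact (IP, MAC, port,
VLAN) lookup that drops packets with no matching entry is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int


class SnoopingSwitch:
    def __init__(self):
        self.trusted = set()          # ports configured as DHCP Snooping trusted
        self.check_enabled = set()    # ports with 'ip source check user-bind enable'
        self.bindings = set()         # static + dynamic entries
        self.log = []                 # constructed event log for inspection

    def trust(self, port):
        self.trusted.add(port)

    def enable_source_check(self, port):
        self.check_enabled.add(port)

    def user_bind_static(self, ip, mac, port, vlan):
        """Equivalent of 'user-bind static ip-address ... mac-address ... interface ...'."""
        self.bindings.add(Binding(ip, mac, port, vlan))

    def dhcp_reply(self, ingress_port, client_port, ip, mac, vlan):
        """A DHCP ACK from the server side; learned only if the ingress port is trusted."""
        if ingress_port not in self.trusted:
            self.log.append(f"drop DHCP reply on untrusted port {ingress_port}")
            return False
        self.bindings.add(Binding(ip, mac, client_port, vlan))
        return True

    def forward_ip(self, port, src_ip, src_mac, vlan):
        """IP packet from a user port: checked against the binding table if enabled."""
        if port not in self.check_enabled:
            return True
        ok = Binding(src_ip, src_mac, port, vlan) in self.bindings
        if not ok:
            self.log.append(f"drop {src_ip}/{src_mac} on {port}: no binding")
        return ok


def demo():
    """Replay the article's scenario: PC 10.1.1.1 / 0002-0002-0002 on Ethernet0/0/1."""
    sw = SnoopingSwitch()
    sw.enable_source_check("Ethernet0/0/1")
    sw.enable_source_check("Ethernet0/0/2")
    sw.user_bind_static("10.1.1.1", "0002-0002-0002", "Ethernet0/0/1", 100)

    results = {}
    # Uplink not yet trusted: the server's reply for the client on port 2 is discarded
    results["reply_untrusted"] = sw.dhcp_reply("GigabitEthernet0/0/24", "Ethernet0/0/2",
                                              "10.1.1.20", "0002-0002-0020", 100)
    sw.trust("GigabitEthernet0/0/24")
    results["reply_trusted"] = sw.dhcp_reply("GigabitEthernet0/0/24", "Ethernet0/0/2",
                                            "10.1.1.20", "0002-0002-0020", 100)
    # Static binding: the configured PC passes, a hand-set IP on the same PC does not
    results["static_ok"] = sw.forward_ip("Ethernet0/0/1", "10.1.1.1", "0002-0002-0002", 100)
    results["static_ip_changed"] = sw.forward_ip("Ethernet0/0/1", "10.1.1.9", "0002-0002-0002", 100)
    # The bound address used from another port is dropped
    results["moved_port"] = sw.forward_ip("Ethernet0/0/2", "10.1.1.1", "0002-0002-0002", 100)
    # The DHCP-learned client passes on its own port
    results["dynamic_ok"] = sw.forward_ip("Ethernet0/0/2", "10.1.1.20", "0002-0002-0020", 100)
    return results


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:18} {'pass' if passed else 'drop'}")
```

The `static_ip_changed` and `moved_port` cases are the ones the final question on this page is about: once the check is on, a user who overrides the DHCP-assigned address, or who moves a bound address to another port, simply has no matching entry and is dropped, while the legitimately leased client continues to pass.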

Q: How can users be prevented from setting static IP addresses on S2300/S3300/S5300 series switches?

A: To prevent users from setting static IP addresses, allow only user traffic that matches the bound IP+MAC, or traffic of a user that legitimately obtained its IP address through DHCP on the same interface, to pass; all other user traffic is dropped.

Although the S2300/S3300/S5300 series has no equivalent of the am user-bind command on H3C switches, IP+MAC+port binding can still be achieved with the DHCP Snooping function to stop users from privately setting static IP addresses. For example, suppose that no user on Ethernet0/0/1 may access the Internet except the one whose static IP address is 1.1.1.2 and whose MAC address is 001c-2309-9aa7. The configuration is as follows:

Configure the DHCP Snooping function on the device

# enable the global DHCP Snooping function.

[Quidway] dhcp snooping enable

# configure the VLAN to which the user side interface belongs.

[Quidway] vlan 100

[Quidway-vlan100] quit

[Quidway] interface ethernet 0/0/1

[Quidway-Ethernet0/0/1] port default vlan 100

[Quidway-Ethernet0/0/1] quit

# enable DHCP Snooping function under VLAN.

[Quidway] vlan 100

[Quidway-vlan100] dhcp snooping enable

# Enable packet checking on the user-side interface

[Quidway] interface ethernet 0/0/1

[Quidway-Ethernet0/0/1] dhcp snooping check arp enable

[Quidway-Ethernet0/0/1] dhcp snooping check ip enable

[Quidway-Ethernet0/0/1] quit

# configure static binding table items

[Quidway] vlan 100
