
H3C QoS Example 1: ACL-Based Packet Filtering

2017-11-14 16:27


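Requirement: Host A and Host B connect to the switch through port GigabitEthernet 1/0/1. Host A's IP address is 10.1.1.1. Configure a basic IPv4 ACL so that, during the period 8:30 to 18:00 every day, only Host A is allowed to access the HR department's server and all other IP packets are denied.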

Configuration:

1. QoS policy method

Switch:
Define the time range
time-range working_time 8:30 to 18:00 daily

Define ACL 2000 to match 10.1.1.1
acl number 2000
rule 0 permit source 10.1.1.1 0 time-range working_time

Define ACL 2001 with a rule that matches any source IP address
acl number 2001
rule 0 permit source any time-range working_time

Define traffic classifier hostA to match ACL 2000
traffic classifier hostA operator and
if-match acl 2000

Define traffic behavior hostA
traffic behavior hostA
filter permit

Define traffic classifier hostB to match ACL 2001
traffic classifier hostB operator and
if-match acl 2001

Define traffic behavior hostB

traffic behavior hostB

filter deny

Define QoS policy policy_host

qos policy policy_host

classifier hostA behavior hostA

classifier hostB behavior hostB

Apply the policy in the inbound direction of G1/0/1

int gi 1/0/1

qos apply policy policy_host inbound

Complete configuration

#

traffic classifier classifier_hostB operator and

 if-match acl 2001

traffic classifier classifier_hostA operator and

 if-match acl 2000

#

traffic behavior behavior_hostB

 filter deny

traffic behavior behavior_hostA

 filter permit

#

qos policy policy_host

 classifier classifier_hostA behavior behavior_hostA

 classifier classifier_hostB behavior behavior_hostB

#

 time-range working_time 08:30 to 18:00 daily

#

acl number 2000

 rule 0 permit source 10.1.1.1 0 time-range working_time

acl number 2001

 rule 0 deny source any time-range working_time

#

interface GigabitEthernet1/0/1

 qos apply policy policy_host inbound

#

2. Packet-filter method

time-range working_time 8:30 to 18:00 daily

acl number 2000

 rule 0 permit source 10.1.1.1 0 time-range working_time

 rule 5 deny source any time-range working_time

int gi 1/0/1

 packet-filter 2000 inbound

Complete configuration

#

 time-range working_time 08:30 to 18:00 daily

#

acl number 2000

 rule 0 permit source 10.1.1.1 0 time-range working_time

 rule 5 deny source any time-range working_time

#

interface GigabitEthernet1/0/1

 packet-filter 2000 inbound

#
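
The time-range behaviour of ACL 2000 above, modelled as an added Python example (not from the original post, and not H3C code). It assumes first-match evaluation in rule-ID order and that a packet matching no active rule gets a default action, represented by the hypothetical `default_action` parameter (set to permit here as an assumption); outside working_time both rules are inactive, so the result depends entirely on that default.

```python
# Added example: model of first-match evaluation for the basic ACL 2000 above.
# Assumption: default_action stands for what the device does with packets
# that match no active rule; check the real default on your platform.
from datetime import time
from ipaddress import IPv4Address

WORKING_TIME = (time(8, 30), time(18, 0))  # time-range working_time, daily

# (rule id, action, source address, wildcard mask, time range) from ACL 2000
ACL_2000 = [
    (0, "permit", "10.1.1.1", "0.0.0.0", WORKING_TIME),
    (5, "deny", "0.0.0.0", "255.255.255.255", WORKING_TIME),  # source any
]


def wildcard_match(src, addr, wildcard):
    """Wildcard bits set to 1 are 'don't care'; all other bits must be equal."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(src)) & care == int(IPv4Address(addr)) & care


def evaluate(acl, src, now, default_action="permit"):
    """Return (action, rule id) of the first active rule matching src.

    A rule bound to a time range is skipped while that range is inactive.
    Treating the end time as exclusive is an assumption of this model.
    """
    for rule_id, action, addr, wildcard, (start, end) in sorted(acl):
        if start <= now < end and wildcard_match(src, addr, wildcard):
            return action, rule_id
    return default_action, None


if __name__ == "__main__":
    # Constructed sample packets: (source IP, time of day)
    samples = [("10.1.1.1", time(9, 0)),    # Host A, working hours
               ("10.1.1.2", time(9, 0)),    # another host, working hours
               ("10.1.1.2", time(20, 0))]   # another host, after hours
    for src, now in samples:
        print(src, now, evaluate(ACL_2000, src, now))
```

To enforce the restriction around the clock, either drop the time range from the deny rule or make the default for unmatched packets a deny.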