Inbound traffic policing on the interface:
Create ACLs that match the inbound traffic of the relevant services:
[AR2240]acl name importantserv
[AR2240-acl-adv-importantserv]description /* QoS: Match Pub_In DNS, Service to cs5 */
[AR2240-acl-adv-importantserv]rule permit udp source-port eq 53
[AR2240-acl-adv-importantserv]rule permit tcp source-port eq 53
[AR2240-acl-adv-importantserv]acl name commonserv
[AR2240-acl-adv-commonserv]description /* QoS: Match Pub_In SSH,HTTP,MAIL,FS,FTP,VPN Service to af21 */
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 22
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 2323
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 8000
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 80
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 443
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 110
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 995
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 100
[AR2240-acl-adv-commonserv]rule permit udp source-port eq 100
[AR2240-acl-adv-commonserv]rule permit tcp source-port eq 20
[AR2240-acl-adv-commonserv]rule permit tcp destination-port eq 53760
[AR2240-acl-adv-commonserv]quit
Create traffic classifiers that match the ACL rules:
[AR2240]traffic classifier Pub_in_importantserv operator or
[AR2240-classifier-Pub_in_importantserv]if-match acl importantserv
[AR2240-classifier-Pub_in_importantserv]traffic classifier Pub_in_commonserv operator or
[AR2240-classifier-Pub_in_commonserv]if-match acl commonserv
[AR2240-classifier-Pub_in_commonserv]quit
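Tips: No license was purchased for this device, so the SAC protocol detection feature cannot be used. If you have a license, you can match on protocol with if-match app-protocol or if-match protocol-group instead.
Create traffic behaviors to mark and police the traffic: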
[AR2240]traffic behavior S_in_importantserv
[AR2240-behavior-S_in_importantserv]remark dscp cs5
[AR2240-behavior-S_in_importantserv]car cir pct 20
[AR2240-behavior-S_in_importantserv]traffic behavior S_in_commonserv
[AR2240-behavior-S_in_commonserv]remark dscp af21
[AR2240-behavior-S_in_commonserv]car cir pct 10
[AR2240-behavior-S_in_commonserv]quit
Tips: car cir pct specifies the peak information rate as a percentage of the interface bandwidth.
Create the traffic policy:
[AR2240]traffic policy pub_remark_in
[AR2240-trafficpolicy-pub_remark_in]classifier Pub_in_importantserv behavior S_in_importantserv
[AR2240-trafficpolicy-pub_remark_in]classifier Pub_in_commonserv behavior S_in_commonserv
[AR2240-trafficpolicy-pub_remark_in]quit
Apply the policy in the inbound direction of the interface:
[AR2240]interface GigabitEthernet 0/0/1
[AR2240-GigabitEthernet0/0/1]traffic-policy pub_remark_in inbound
[AR2240-GigabitEthernet0/0/1]quit
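The policy configured above can be modelled offline to check which inbound packets land in which class. The following Python sketch is an added example, not part of the original configuration; the function names, the sample packets, the 1 Gbit/s interface bandwidth and the first-match classifier order are assumptions.

```python
# Added illustration: a model of the traffic policy pub_remark_in from this page.
# Rule lists are copied from the two ACLs; function names are hypothetical.

DSCP = {"cs5": 40, "af21": 18}  # standard DSCP code points

# (protocol, matched field, port) tuples taken from the ACL rules on the page
ACLS = {
    "importantserv": [("udp", "src", 53), ("tcp", "src", 53)],
    "commonserv": [("tcp", "src", p)
                   for p in (22, 2323, 8000, 80, 443, 110, 995, 100, 20)]
                  + [("udp", "src", 100), ("tcp", "dst", 53760)],
}

# (classifier, acl, remark dscp, car cir pct) in the order bound in the policy
POLICY = [
    ("Pub_in_importantserv", "importantserv", "cs5", 20),
    ("Pub_in_commonserv", "commonserv", "af21", 10),
]

def classify(proto, src_port, dst_port):
    """Return (classifier, dscp_value, cir_pct) for an inbound packet, or None."""
    for classifier, acl, dscp, pct in POLICY:  # assumed: first matching classifier wins
        for r_proto, field, port in ACLS[acl]:
            seen = src_port if field == "src" else dst_port
            if proto == r_proto and seen == port:
                return classifier, DSCP[dscp], pct
    return None  # unmatched traffic is neither re-marked nor policed by this policy

def cir_bps(pct, interface_bps=1_000_000_000):
    """CAR rate for a class; the 1 Gbit/s interface bandwidth is an assumption."""
    return interface_bps * pct // 100

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source port, destination port)
    samples = [("udp", 53, 40000), ("tcp", 443, 51000),
               ("tcp", 51000, 443), ("udp", 123, 123)]
    for pkt in samples:
        print(pkt, "->", classify(*pkt))
```

Because almost every rule matches on source-port, a packet arriving from remote port 443 is classified, while a packet arriving to local port 443 is not.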
Actual effect