H3C QoS Example 3: Packet Filtering Based on ACLs

Source: Internet   Published by: 收藏品数据公司   Editor: 程序博客网   Time: 2024/06/05 05:41


A company's internal network is shown in the figure. Internet access for each department and access to the salary server must be restricted as follows:
1. During working hours (8:30~18:00) only the R&D manager's host may access the Internet; the other R&D hosts may only go online outside working hours.
2. At any time, only HostA (10.1.3.1) in the management department may access the salary server (11.1.1.100); no other host may access it.


1. QoS policy method

SwitchA:

Define the time range

time-range working_time 08:30 to 18:00 working-day


Define ACL 3000, matching HTTP packets sent from source address 10.1.4.3

acl number 3000

 rule 0 permit tcp destination-port eq 80 source 10.1.4.3 0 time-range working_time


Define ACL 3001, matching HTTP packets from any source IP address during time range working_time

acl number 3001

 rule 0 permit tcp destination-port eq 80 source any time-range working_time


Define traffic class rd_manager_http, matching ACL 3000

traffic classifier rd_manager_http operator and

 if-match acl 3000


Define traffic behavior rd_manager_http, which permits packets

traffic behavior rd_manager_http

 filter permit


Define traffic class rd_http, matching ACL 3001

traffic classifier rd_http operator and

 if-match acl 3001


Define traffic behavior rd_http, which denies packets

traffic behavior rd_http

 filter deny


Define QoS policy rd_http, associating each class with its behavior (the permit class for the manager must come first, since classes are matched in order)

qos policy rd_http

 classifier rd_manager_http behavior rd_manager_http

 classifier rd_http behavior rd_http


Apply the QoS policy

int g1/0/1

 qos apply policy rd_http inbound



Define ACL 3002, matching packets with source address Host A (10.1.3.1) and destination address the salary server (11.1.1.100)

acl number 3002

 rule 0 permit ip destination 11.1.1.100 0 source 10.1.3.1 0


Define ACL 3003, matching packets from any source address to the salary server

acl number 3003

 rule 0 permit ip destination 11.1.1.100 0 source any


Define traffic class hostA, matching ACL 3002

traffic classifier hostA operator and

 if-match acl 3002


Define traffic behavior hostA, which permits packets

traffic behavior hostA

 filter permit


Define traffic class hostAny, matching ACL 3003

traffic classifier hostAny operator and

 if-match acl 3003


Define traffic behavior hostAny, which denies packets

traffic behavior hostAny

 filter deny


Define QoS policy salary_server, associating each class with its behavior

qos policy salary_server

 classifier hostA behavior hostA

 classifier hostAny behavior hostAny


Apply the QoS policy

int gi1/0/2

 qos apply policy salary_server inbound


Complete configuration
#
 time-range working_time 08:30 to 18:00 working-day
#
acl number 3000
 rule 0 permit tcp source 10.1.4.3 0 destination-port eq www time-range working_time
acl number 3001
 rule 0 permit tcp destination-port eq www time-range working_time
acl number 3002
 rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0
acl number 3003
 rule 0 permit ip destination 11.1.1.100 0
#
traffic classifier rd_manager_http operator and
 if-match acl 3000
traffic classifier host_a operator and
 if-match acl 3002
traffic classifier except_host_a operator and
 if-match acl 3003
traffic classifier rd_http operator and
 if-match acl 3001
#
traffic behavior rd_manager_http
 filter permit
traffic behavior host_a
 filter permit
traffic behavior except_host_a
 filter deny
traffic behavior rd_http
 filter deny
#
qos policy rd_http
 classifier rd_manager_http behavior rd_manager_http
 classifier rd_http behavior rd_http
qos policy for_salary_server
 classifier host_a behavior host_a
 classifier except_host_a behavior except_host_a
#
interface GigabitEthernet1/0/1
 qos apply policy rd_http inbound
#
interface GigabitEthernet1/0/2
 qos apply policy for_salary_server inbound


2. Packet-filter method

SwitchA

time-range working_time 08:30 to 18:00 working-day


acl number 3000

 rule 0 permit tcp destination-port eq 80 source 10.1.4.3 0 time-range working_time

 rule 5 deny tcp destination-port eq 80 source any time-range working_time


acl number 3001

 rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0

 rule 5 deny ip source any destination 11.1.1.100 0


int gi 1/0/1

 packet-filter 3000 inbound


int gi 1/0/2

 packet-filter 3001 inbound


Complete configuration
#
 time-range working_time 08:30 to 18:00 working-day
#
acl number 3000
 rule 0 permit tcp source 10.1.4.3 0 destination-port eq www time-range working_time
 rule 5 deny tcp destination-port eq www time-range working_time
acl number 3001
 rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0
 rule 5 deny ip destination 11.1.1.100 0
#
interface GigabitEthernet1/0/1
 packet-filter 3000 inbound
#
interface GigabitEthernet1/0/2
 packet-filter 3001 inbound
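Added example, not part of the original page: a small Python model of the advanced-ACL first-match semantics that both the QoS-policy and packet-filter methods above rely on (rule id order, wildcard masks, time ranges), run over the packet-filter ACLs of section 2 with the second rule in each ACL numbered 5 so it does not overwrite rule 0. It assumes that unmatched traffic is permitted (the packet-filter default) and that the end of the time range is exclusive; the checks verify the two requirements stated at the top of the page.

```python
import ipaddress
from datetime import datetime
# Constructed text mirroring the page's packet-filter ACLs (second rules renumbered to 5)
CONFIG = """\
time-range working_time 08:30 to 18:00 working-day
acl number 3000
 rule 0 permit tcp source 10.1.4.3 0 destination-port eq www time-range working_time
 rule 5 deny tcp destination-port eq www time-range working_time
acl number 3001
 rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0
 rule 5 deny ip destination 11.1.1.100 0
"""
def ip2int(s):  # the wildcard shorthand "0" means 0.0.0.0 (exact host match)
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))
def parse(text):
    """Return ({range: (start, end, weekdays)}, {acl: [rules in ascending id order]})."""
    ranges, acls, cur = {}, {}, None
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[0] == "time-range":  # working-day = Monday..Friday
            ranges[t[1]] = (t[2], t[4], range(5) if t[5] == "working-day" else range(7))
        elif t[:2] == ["acl", "number"]:
            cur = acls.setdefault(int(t[2]), [])
        elif t[0] == "rule":
            r, i = {"id": int(t[1]), "action": t[2], "proto": t[3]}, 4
            while i < len(t):  # keyword/value groups may appear in any order
                if t[i] in ("source", "destination"):  # address + wildcard mask ("any" = omit)
                    r[t[i]] = (ip2int(t[i + 1]), ip2int(t[i + 2])); i += 3
                elif t[i] == "destination-port":  # only "eq PORT" is handled here
                    r["dport"] = 80 if t[i + 2] == "www" else int(t[i + 2]); i += 3
                elif t[i] == "time-range":
                    r["time"] = t[i + 1]; i += 2
                else:
                    raise ValueError(f"unsupported keyword: {t[i]}")
            cur.append(r)
    return ranges, {n: sorted(rs, key=lambda r: r["id"]) for n, rs in acls.items()}
def matches(rule_addr, addr):  # absent field = any; set wildcard bits are "don't care"
    return rule_addr is None or (addr | rule_addr[1]) == (rule_addr[0] | rule_addr[1])
def active(ranges, name, when):  # end time treated as exclusive (assumption)
    start, end, days = ranges[name]
    return when.weekday() in days and start <= when.strftime("%H:%M") < end
def evaluate(ranges, acls, acl_no, src, dst, proto, dport, when):  # when = "YYYY-MM-DD HH:MM"
    """First matching rule decides; unmatched traffic is permitted (packet-filter default)."""
    when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    for r in acls[acl_no]:
        if (r["proto"] in ("ip", proto) and r.get("dport", dport) == dport
                and matches(r.get("source"), ip2int(src)) and matches(r.get("destination"), ip2int(dst))
                and ("time" not in r or active(ranges, r["time"], when))):
            return r["action"]
    return "permit"
```

Re-running the checks with both rules numbered 0, as in the original listing, makes the second rule replace the first, which is exactly why the renumbering matters.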