Configuring traffic policies for the USG9000


Traffic policy configuration for the USG9000: priority re-marking based on multi-field (MF) classification.
The following is an example of configuring priority re-marking based on MF classification.
Configuration procedure:
1. Configure an access control list (ACL).
2. Configure traffic classes.
3. Configure traffic actions.
4. Configure traffic policies based on traffic classes and actions.
5. Apply traffic policies.
Configuration example:
The USG9000 functions as the gateway on the internal network for accessing the Internet.
Server (3), PC (4) ---- Internal network ---- (1) USG9000 (2) ---- Internet

(1) GE interface 1/0/0: 1.1.1.1/24
(2) GE interface 2/0/0: 2.1.1.1/24
(3) Server: 1.1.1.3
(4) PC: 1.1.1.4
On the USG9000, apply the following priority re-marking policies for packets received by GE interface 1/0/0 from the server and PC:
Re-mark the differentiated services code point (DSCP) priority of packets sent from the server to AF43 (38).
Re-mark the DSCP priority of packets sent from the PC to CS5 (40).
Procedure:
1. Perform basic configuration. Specifically, configure interface IP addresses, add interfaces to zones, and configure inter-zone filtering policies.
2. Configure ACL rules for packets sent from the server and PC.
[USG9000] acl number 2001
[USG9000-acl-basic-2001] rule permit source 1.1.1.3 0.0.0.0
[USG9000-acl-basic-2001] quit
[USG9000] acl number 2002
[USG9000-acl-basic-2002] rule permit source 1.1.1.4 0.0.0.0
[USG9000-acl-basic-2002] quit
3. Define traffic classes (class1 matches the server, class2 matches the PC).
[USG9000] traffic classifier class1
[USG9000-classifier-class1] if-match acl 2001
[USG9000-classifier-class1] quit
[USG9000] traffic classifier class2
[USG9000-classifier-class2] if-match acl 2002
[USG9000-classifier-class2] quit
4. Define traffic actions.
[USG9000] traffic behavior behavior1
[USG9000-behavior-behavior1] remark dscp af43
[USG9000-behavior-behavior1] quit
[USG9000] traffic behavior behavior2
[USG9000-behavior-behavior2] remark dscp cs5
[USG9000-behavior-behavior2] quit
5. Define traffic policies.
[USG9000] traffic policy policy1
[USG9000-trafficpolicy-policy1] classifier class1 behavior behavior1
[USG9000-trafficpolicy-policy1] classifier class2 behavior behavior2
[USG9000-trafficpolicy-policy1] quit
6. Apply traffic policies.
[USG9000] interface GigabitEthernet 1/0/0
[USG9000-GigabitEthernet1/0/0] traffic-policy policy1 inbound
[USG9000-GigabitEthernet1/0/0] quit
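As an added example (not from the original page or any Huawei tooling), the following Python model evaluates the inbound policy above the way the device does: a packet hits an ACL rule via a wildcard mask (0.0.0.0 = exact host; a mask such as 0.0.0.255 covers a segment, as in the CE switch example further down), the first classifier whose ACL permits the packet selects a behavior, and the behavior's DSCP name is written into the upper six bits of the IPv4 TOS byte. Policy contents, DSCP values and the unmatched-traffic rule are assumptions labelled in the comments.

```python
from ipaddress import IPv4Address

# DSCP code points named in the page's "remark dscp" actions (values from RFC 2474/2597).
DSCP = {"af43": 38, "cs5": 40, "default": 0}


def wildcard_match(addr, rule_addr, wildcard):
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


def acl_action(acl, src):
    """Rules are checked in order; the first hit decides. No hit -> None."""
    for action, rule_addr, wildcard in acl:
        if wildcard_match(src, rule_addr, wildcard):
            return action
    return None


def apply_policy(policy, src):
    """Classifier/behavior pairs are tried in policy order; a classifier matches
    when its ACL permits the packet (assumption: deny rules simply do not classify)."""
    for acl, behavior in policy:
        if acl_action(acl, src) == "permit":
            return behavior
    return None


# Constructed equivalent of policy1: ACL 2001 = server 1.1.1.3 -> af43, ACL 2002 = PC 1.1.1.4 -> cs5.
POLICY1 = [
    ([("permit", "1.1.1.3", "0.0.0.0")], {"remark_dscp": "af43"}),
    ([("permit", "1.1.1.4", "0.0.0.0")], {"remark_dscp": "cs5"}),
]


def remark(src, policy=POLICY1, dscp_in=0):
    """DSCP a packet from src carries after the inbound policy on GE1/0/0."""
    behavior = apply_policy(policy, src)
    if behavior is None:
        return dscp_in  # assumption: unclassified traffic keeps its original marking
    return DSCP[behavior["remark_dscp"]]


def tos_byte(dscp, ecn=0):
    """DSCP occupies bits 7..2 of the IPv4 TOS byte, ECN bits 1..0."""
    return (dscp << 2) | ecn


if __name__ == "__main__":
    for host in ("1.1.1.3", "1.1.1.4", "1.1.1.9"):
        print(host, "->", remark(host, dscp_in=46), "TOS", hex(tos_byte(remark(host, dscp_in=46))))
```

A packet from an address that matches neither ACL falls through untouched, which is worth remembering when the ACL sources and the topology disagree: the re-marking silently never happens.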

Other related questions:
Configure a CE series switch to filter packets using a traffic policy
- Prevent a specified host from accessing a network. In the following example, the switch is configured to prevent the PC with IP address 192.168.1.10 from accessing the network.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule deny source 192.168.1.10 0.0.0.0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 2000
[*HUAWEI-classifier-c1] quit
[*HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] deny
[*HUAWEI-behavior-b1] quit
[*HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
[*HUAWEI-10GE1/0/1] quit
[*HUAWEI] commit
- Prevent all devices on a specified network segment from accessing a network. In the following example, the switch is configured to prevent all devices on the network segment 192.168.1.0/24 from accessing the network.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule deny source 192.168.1.0 0.0.0.255
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 2000
[*HUAWEI-classifier-c1] quit
[*HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] deny
[*HUAWEI-behavior-b1] quit
[*HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
[*HUAWEI-10GE1/0/1] quit
[*HUAWEI] commit
- Filter specified protocol packets. In the following example, the switch is configured to:
  - Prevent SMTP packets with TCP destination port 25 from passing through the switch.
  - Prevent POP3 packets with TCP destination port 110 from passing through the switch.
  - Prevent HTTP packets with TCP destination port 80 from passing through the switch.
<HUAWEI> system-view
[~HUAWEI] acl 3000
[*HUAWEI-acl4-advance-3000] rule deny tcp destination-port eq 25
[*HUAWEI-acl4-advance-3000] rule deny tcp destination-port eq 110
[*HUAWEI-acl4-advance-3000] rule deny tcp destination-port eq 80
[*HUAWEI-acl4-advance-3000] quit
[*HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 3000
[*HUAWEI-classifier-c1] quit
[*HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] deny
[*HUAWEI-behavior-b1] quit
[*HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] traffic-policy p1 inbound
[*HUAWEI-10GE1/0/1] quit
[*HUAWEI] commit

Configure a VLAN-based traffic policy on S series switch
How to configure a traffic policy on an AR
You can configure a traffic policy on an AR as follows:
1. Configure a traffic classifier.
2. Configure a traffic behavior.
3. Configure a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
4. Apply the traffic policy on an interface.
For detailed configuration, see section 1.4 Configuring MQC.

Components of the security policy on the USG9000 series
A security policy consists of matching conditions and actions.
