中低端交换机(V5)流量统计典型配置案例
一、 组网需求:
用户PC处于vlan 100中,网关位于10500设备上。两台10500 设备配置IRF功能,10500 设备上插有两块防火墙板卡,两块防火墙板卡在vlan 200中配置vrrp 且与10500 互联,防火墙上分别采用vlan 300 、vlan 400 连接运营商。
网络中的终端用户反馈访问外网比较慢,在终端上ping 公网地址存在丢包。为了排查网络丢包的具体位置,需要对网络中的设备进行流量统计来确定具体丢包设备。
交换机的流量统计是基于硬件芯片的,流量统计可以准确确认交换机是否存在丢包。
二、 组网图:
从内网向外网的流量走向为:
Pc à5120EI(二层转发) à5800_IRF (二层转发) à10500_IRF(三层转发)à防火墙(三层转发)à10500_IRF(二层转发) àInternet
从外网向内网的流量走向为:
Internetà10500_IRF(二层转发)à 防火墙(三层转发)à10500_IRF(三层转发)à 5800_IRF (二层转发)à 5120EI(二层转发)à Pc
本次用户测试PC 发往外网的流量走向请参考拓扑图中红色箭头,回程流量正好相反。
三、 配置步骤:
1.正确配置PC 的ip地址为100.0.0.1,掩码为255.255.255.0 ,网关为100.0.0.254 。
2.配置网络中各交换机的vlan 及三层接口的ip地址及路由协议使网络可以正常互通,具体配置略。
3.选取公网上用户ping测试的目的主机地址,本案例中选取www.baidu.com (115.239.210.27)作为测试目的地址。
4.在5120EI、5800_IRF、10500_IRF配置用于流量统计的ACL 及QOS策略并下发到相应的物理端口上。
4.1在各个交换机上配置用于匹配流量的ACL 3999。
acl number 3999
rule 0 permit icmp source 100.0.0.1 0 destination 115.239.210.27 0
rule 5 permit icmp source 115.239.210.27 0 destination 100.0.0.1 0
4.2在5120EI交换机上配置用于流量统计的QOS 策略account_test。
traffic classifier account_test operator and
if-match acl 3999
#
traffic behavior account_test
accounting
#
qos policy account_test
classifier account_test behavior account_test
4.3 在5800_IRF 、10500_IRF交换机上配置用于流量统计的QOS 策略account_test。
traffic classifier account_test operator and
if-match acl 3999
#
traffic behavior account_test
accounting packet
#
qos policy account_test
classifier account_test behavior account_test
4.4在5120EI 交换机上涉及的端口上下发流量统计的QOS策略。
interface GigabitEthernet1/0/1
qos apply policy account_test inbound
#
interface GigabitEthernet1/0/2
qos apply policy account_test inbound
#
interface GigabitEthernet1/0/3
qos apply policy account_test inbound
#
4.5 在5800_IRF设备上将配置的QOS策略下发到上下行物理端口上:
interface GigabitEthernet1/0/1
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface GigabitEthernet1/0/2
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface GigabitEthernet2/0/1
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface GigabitEthernet2/0/2
qos apply policy account_test inbound
qos apply policy account_test outbound
#
4.6将10500_IRF设备上配置的QOS策略下发到上下行及连接防火墙的物理端口上:
interface GigabitEthernet1/2/0/1
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface GigabitEthernet1/2/0/2
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface GigabitEthernet2/2/0/1
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface GigabitEthernet2/2/0/2
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface Ten-GigabitEthernet1/3/0/1
qos apply policy account_test inbound
qos apply policy account_test outbound
#
interface Ten-GigabitEthernet2/3/0/1
qos apply policy account_test inbound
qos apply policy account_test outbound
5.在ping测试之前请确保5120EI 、5800_IRF、10500_IRF 上各个端口的qos 统计到的计数为零。
下面以5800_IRF 上显示为例:
display qos policy interface GigabitEthernet 1/0/1 Interface: GigabitEthernet1/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
6.在测试PC 进行PING 1000 个包进行测试。从ping的结果来看一共发送1000个报文,接收900个,丢失100个。
C:\Documents and Settings\Administrator>ping 115.239.210.27 -n 1000
Pinging 115.239.210.27 with 32 bytes of data:
Reply from 115.239.210.27: bytes=32 time=31ms TTL=53
Reply from 115.239.210.27: bytes=32 time=31ms TTL=53
Request timed out.
Reply from 115.239.210.27: bytes=32 time=31ms TTL=53
Reply from 115.239.210.27: bytes=32 time=31ms TTL=53
……
Ping statistics for 115.239.210.27:
Packets: Sent = 1000, Received = 900, Lost = 100 (10% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 31ms, Average = 31ms
7.在确保PING测试完全结束后,查看各个设备上流量统计结果,从各个设备的统计结果来看网络中5800_IRF 在转发回程报文时存在丢包,丢失100个报文。
5120EI 设备G1/0/3 端口正常接收到1000个报文,G1/0/1 端口却接收到900个报文,G1/0/2 端口接收到0个报文,由于5120EI 设备仅仅支持inbound方向的流量统计,此时结合pc上ping的结果可知5120EI肯定不存在丢包。
display qos policy interface GigabitEthernet 1/0/3
Interface: GigabitEthernet1/0/3
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
display qos policy interface GigabitEthernet 1/0/1 Interface: GigabitEthernet1/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
900 (Packets)
display qos policy interface GigabitEthernet 1/0/2 Interface: GigabitEthernet1/0/2
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
5800_IRF设备G1/0/1 端口正常接收到1000个报文,G1/0/1 端口发送900个报文,这里缺少100个报文。G1/0/2 端口正常接收及发送1000个报文。G2/0/1 、G2/0/2端口接收发送报文数量为0 。由此可以知道报文在回程时被5800_IRF 给丢弃了。
display qos policy interface GigabitEthernet 1/0/1 Interface: GigabitEthernet1/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
900 (Packets)
display qos policy interface GigabitEthernet 1/0/2 Interface: GigabitEthernet1/0/2
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
display qos policy interface GigabitEthernet 2/0/1 Interface: GigabitEthernet2/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
display qos policy interface GigabitEthernet 2/0/2 Interface: GigabitEthernet2/0/2
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
10500_IRF 设备GigabitEthernet1/2/0/2正常接收发送1000个报文,GigabitEthernet1/2/0/1正常接收发送1000个报文,GigabitEthernet2/2/0/2正常接收发送0个报文,GigabitEthernet2/2/0/1正常接收发送0个报文,Ten-GigabitEthernet1/3/0/1端口正常接收发送1000个报文,Ten-GigabitEthernet2/3/0/1端口正常接收发送0个报文。从流量统计来看10500_IRF 没有发生丢包。
display qos policy interface Ten-GigabitEthernet1/3/0/1 Interface: Ten-GigabitEthernet1/3/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
display qos policy interface Ten-GigabitEthernet2/3/0/1 Interface: Ten-GigabitEthernet2/3/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
display qos policy interface GigabitEthernet1/2/0/2 Interface: Ten-GigabitEthernet1/2/0/2
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
display qos policy interface GigabitEthernet1/2/0/1 Interface: Ten-GigabitEthernet1/2/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
1000 (Packets)
display qos policy interface GigabitEthernet2/2/0/2 Interface: Ten-GigabitEthernet2/2/0/2
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
display qos policy interface GigabitEthernet2/2/0/1 Interface: Ten-GigabitEthernet2/2/0/1
Direction: Inbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
Direction: Outbound
Policy: account_test
Classifier: account_test
Operator: AND
Rule(s) : If-match acl 3999
Behavior: account_test
Accounting Enable:
0 (Packets)
配置关键点:
1. 设备上用于匹配流量的ACL 一定要精确匹配,如本次配置的acl 匹配报文类型ICMP,源目的IP 的反掩码配置为0。平时在处理的问题的过程中一定要严格匹配流量特征,如TCP 、UDP 报文的端口号等特征。
2. 在终端PC PING测试前一定要首先把QOS 策略下发在各个交换机的端口上,即在PING 测试前查看各个交换机的流统计结果一定要是0。
3. 查看统计的结果前一定要停止ping 测试。
4. 部分交换机配置流量统计的动作为accounting ,部分交换机为accounting packet,各个交换机的具体配置方法请参看相关设备及相关版本的操作手册。
5. QOS 必须下发到物理端口上且聚合组内的所有成员端口都需要下发。
附录(V5交换机流量统计支持情况):
该案例暂时没有网友评论
编辑评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作