华为CE-功能记录

1. ERROR-DOWN保护机制

• 开启保护机制：

port link-flap trigger error-down //开启接口的链路震荡保护
port crc-statistics trigger error-down  //接收CRC报文超过阈值
...

interface ****
port link-flap interval {time} threshold {threshold-value} //阈值，time时间内threshold-value次，导致error-down
trap-threshold crc-statistics {threshold-value} interval {interval-value}
...

commit

• 从error-down恢复

手动恢复

shutdown
commit
undo shutdown
commit

自动恢复

系统视图下执行命令：
error-down auto-recovery cause { auto-defend | bpdu-protection | crc-statistics | dual-active | fabric-link-failure | forward-engine-buffer-failed | forward-engine-interface-failed | link-flap | loopback-detect | m-lag | mac-address-flapping | no-stack-link | portsec-reachedlimit | spine-member-exceed-limit | spine-type-unsupported | stack-config-conflict | stack-member-exceed-limit | stack-packet-defensive | storm-control | transceiver-power-low } interval {interval-value}，
配置处于ERROR DOWN状态的接口自动恢复为Up的延迟时间。经过用户设置的延迟时间后，处于ERROR DOWN状态的接口其状态自动恢复为Up的功能。

2. 流量镜像

observe-port {index} interface ge 1/0/5
#需要镜像流量的端口下，表示从1/0/4端口出的流量镜像至1/0/5端口：
interface ge 1/0/4
port-mirroring observe-port {index} outbound
#入流量镜像
port-mirroring observe-port {index} inbound

3. nqa探测机制

作用，进行连通性及链路质量的探测。

nqa test-instance {NQA test administer name} {the name of an NQA test instance}
 #检测类型
 test-type icmp
 destination-address ipv4 {dst_ip}
 interval seconds 2
 timeout 1
 probe-count 2
 #表示在指定的vpn-instance中作用
 vpn-instance {vrf}
 frequency 7
 start now

添加路由，使用nqa:

ip route-static vpn-instance {vrf} 0.0.0.0 0.0.0.0 {next-hop} track nqa {NQA test administer name} {the name of an NQA test instance}

4. 交换机实现ACL管控

acl ip-pool A
ip address {src_ip} {mask}

acl ip-pool B
ip address {src_ip} {mask}

acl ip-pool C
ip address {src_ip} {mask}

acl port-pool A1
eq {port}

acl port-pool B1
eq {port}

acl port-pool C1
eq {port} 

acl number 3000
 rule 85 permit tcp source-pool A destination {dst_ip} {mask} destination-port-pool A1
 rule 90 permit tcp source-pool B destination {dst_ip} {mask} destination-port-pool B1
 rule 95 permit tcp source-pool C destination {dst_ip} {mask} destination-port-pool C1
 rule 100 deny ip

interface 10GE 1/0/2
traffic-filter acl 3000 inbound

5. VRRP配置

拓扑图：

VRRP

参数：

• VIP: 10.10.43.1
• vrid： 2
• 关闭抢占

主：

interface Vlanif143
 description "Test Master"
 ip address 10.10.43.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.43.1   #vip
 vrrp vrid 2 priority 120      #优先级
 vrrp vrid 2 preempt disable  #关闭抢占

备：

interface Vlanif143
 description "Test Backup"
 ip address 10.10.43.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.43.1

中间的互联线，运行VRRP的心跳，可以防止VIP不必要的切换。