H3C H3C S7500E Series Configuration Manual Download

Page: 22 / 112

1-12

To do…

Use the command…

Remarks

Create or edit a rule

rule

[

rule-id

] {

deny

permit

}

protocol

[ {

established

| {

ack

ack-value

fin

fin-value

psh

psh-value

rst

rst-value

syn

syn-value

urg

urg-value

} * } |

destination

{

dest dest-prefix |

dest/dest-prefix | any

} |

destination-port operator port1

[

port2

]

dscp

dscp | fragment

icmpv6-type

{

icmpv6-type

icmpv6-code

icmpv6-message

} |

logging

source

{

source source-prefix |

source/source-prefix | any

} |

source-port operator port1

[

port2

] |

time-range

time-range-name

] *

Required

By default IPv6 advanced ACL

does not contain any rule.

To create or edit multiple rules,

repeat this step.

Note that if the ACL is to be

referenced by a QoS policy for

traffic classification, the

logging

and

fragment

keywords are not

supported and the

operator

argument cannot be:

neq

, if the policy is for the

inbound traffic,

neq

range

, if the

policy is for the outbound

traffic.

Configure or edit a rule

description

rule

rule-id comment

text

Optional

By default, an IPv6 ACL rule has

no rule description.

Note that:

You can only modify the existing rules of an ACL that uses the match order of

config

. When

modifying a rule of such an ACL, you may choose to change just some of the settings, in which

case the other settings remain the same.

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an

existing rule in the ACL.

When the ACL match order is

auto

, a newly created rule will be inserted among the existing rules

in the depth-first match order. Note that the IDs of the rules still remain the same.

You can modify the match order of an IPv6 ACL with the

acl ipv6 number

acl6-number

[

name

acl6-name

]

match-order

{

auto

config

} command but only when it does not contain any rules.

Configuring an Ethernet Frame Header ACL

Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol

header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),

and link layer protocol type.

Summary of Contents for H3C S7500E Series

Page 1: ...H3C S7500E Series Ethernet Switches ACL and QoS Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 20100722 C 1 01 Product Version Release 6605 and Later...

Page 2: ...ware Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are th...

Page 3: ...udience z Document Organization z Conventions z About the H3C S7500E Documentation Set z Obtaining Documentation z Documentation Feedback Audience This documentation is intended for z Network planners...

Page 4: ...hich you select at least one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you may select multiple choices or none 1 n The argument or keywo...

Page 5: ...s Pluggable Modules Manual Describes the hot swappable modules available for the Mid Range Series Ethernet Switches their external views and specifications H3C PoE DIMM Module Installation Guide Descr...

Page 6: ...ow to use it with the PSR650 power module Power configuration H3C S7500E Power Configuration Guide Guides you to select power modules in various cases Optional cards Card manuals The S7500E series Eth...

Page 7: ...Displaying and Maintaining ACLs 1 15 ACL Configuration Examples 1 15 IPv4 ACL Configuration Example 1 15 IPv6 ACL Configuration Example 1 17 2 QoS Overview 2 1 Introduction to QoS 2 1 Introduction to...

Page 8: ...uckets 5 1 Traffic Policing 5 2 Traffic Shaping 5 3 Line Rate 5 4 Configuring Traffic Policing 5 5 Configuration Procedure 5 5 Configuration Example 5 6 Configuring GTS 5 7 Configuration Procedure 5 7...

Page 9: ...ic Redirecting Overview 10 1 Configuring Traffic Redirecting 10 1 Support of Line Cards for Traffic Redirecting 10 2 11 Aggregation CAR Configuration 11 1 Aggregation CAR Overview 11 1 Referencing an...

Page 10: ...iv 14 Appendix A Default Priority Mapping Tables 14 1 15 Appendix B Introduction to Packet Precedences 15 1 IP Precedence and DSCP Values 15 1 802 1p Priority 15 2 EXP Values 15 3 16 Index 16 1...

Page 11: ...F Two S7500E series can be connected together to form a distributed IRF device If an S7500E series is not in any IRF it operates as a distributed device if the S7500E series is in an IRF it operates a...

Page 12: ...onfiguration Guide z Software based application An ACL is referenced by a piece of upper layer software For example an ACL can be referenced to configure login user control behavior thus controlling T...

Page 13: ...all IPv6 ACLs You can assign an IPv4 ACL and an IPv6 ACL the same number and name Match Order The rules in an ACL are sorted in a certain order When a packet matches a rule the device stops the match...

Page 14: ...for the destination IPv6 address takes precedence 4 A rule with a narrower TCP UDP service port number range takes precedence 5 A rule with a smaller ID takes precedence Ethernet frame header ACL 1 A...

Page 15: ...numbered 0 2 4 and 6 in steps of 2 When the default step is restored the rules are renumbered 0 5 15 and 15 Implementing Time Based ACL Rules You can implement ACL rules based on the time of day by a...

Page 16: ...Creating a Time Range Follow these steps to create a time range To do Use the command Remarks Enter system view system view Create a time range time range time range name start time to end time days f...

Page 17: ...n Set the rule numbering step step step value Optional 5 by default Create or edit a rule rule rule id deny permit fragment logging source sour addr sour wildcard any time range time range name vpn in...

Page 18: ...iew acl ipv6 number acl6 number name acl6 name match order auto config Required By default no ACL exists IPv6 basic ACLs are numbered in the range 2000 to 2999 You can use the acl ipv6 name acl6 name...

Page 19: ...s still remain the same You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6 number name acl6 name match order auto config command but only when it does not contain any rules Co...

Page 20: ...alue destination dest addr dest wildcard any destination port operator port1 port2 dscp dscp fragment icmp type icmp type icmp code icmp message logging precedence precedence reflective source sour ad...

Page 21: ...CLs match packets based on the source IPv6 address destination IPv6 address protocol carried over IPv6 and other protocol header fields such as the TCP UDP source port number TCP UDP destination port...

Page 22: ...dit a rule description rule rule id comment text Optional By default an IPv6 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of...

Page 23: ...ermit cos vlan pri dest mac dest addr dest mask lsap lsap code lsap wildcard source mac sour addr source mask time range time range name type type code type wildcard Required By default an Ethernet fr...

Page 24: ...nation ACL number is from the same category as the source ACL number z The source IPv4 or IPv6 ACL already exits but the destination IPv4 or IPv6 ACL does not Copying an IPv4 ACL Follow these steps to...

Page 25: ...umber Available in any view Display the usage of ACL resources distributed device display acl resource slot slot number Available in any view Display the usage of ACL resources distributed IRF device...

Page 26: ...ce 192 168 2 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to the salary query server Switch acl...

Page 27: ...p_rd inbound Switch GigabitEthernet2 0 2 quit Apply QoS policy p_market to interface GigabitEthernet 2 0 3 Switch interface GigabitEthernet 2 0 3 Switch GigabitEthernet2 0 3 qos apply policy p_market...

Page 28: ...licy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS policy p_rd to interface GigabitEt...

Page 29: ...for QoS to prioritize important traffic flows over trivial traffic flows When making a QoS scheme a network administrator must plan network resources carefully considering the characteristics of vario...

Page 30: ...model imposes very great pressure on the storage and processing capabilities of devices On the other hand the Inter Serv model is poor in scalability and therefore it is hard to be deployed in the co...

Page 31: ...r leaving a device and can be applied in both inbound and outbound directions of a port When a flow exceeds the pre set threshold some restriction or punishment measures can be taken to prevent overco...

Page 32: ...fines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these concepts class traffic behavior...

Page 33: ...relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 3 1 shows the available criteria Table 3 1 The keyword and ar...

Page 34: ...rated by space You can specify up to eight VLAN IDs for this argument at a time VLAN ID is in the range 1 to 4094 destination mac mac address Matches a destination MAC address dscp dscp list Matches D...

Page 35: ...ned match criterion system index for packets sent to the control plane The index value list argument specifies a list of up to eight system indexes The system index range is from 1 to 128 Suppose the...

Page 36: ...s a set of QoS actions to take on a traffic class for purposes such as traffic filtering shaping policing priority marking To define a traffic behavior you must first create it and then configure QoS...

Page 37: ...ork VLAN ID is configured in a traffic behavior we recommend you not to configure any other action in this traffic behavior Otherwise the QoS policy may not function as expected after it is applied z...

Page 38: ...rt group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port grou...

Page 39: ...e user profile profile name enable Required Inactive by default z If a user profile is active the QoS policy except ACLs referenced in the QoS policy applied to it cannot be configured or removed If t...

Page 40: ...are processing units running most routing and switching protocols and responsible for protocol packet resolution and calculation such as CPUs Compared with data plane units they allow for great packe...

Page 41: ...use the display qos policy control plane pre defined command to display them z In a QoS policy for control planes if a system index classifier is configured the associated traffic behavior can contain...

Page 42: ...chassis chassis number slot slot number inbound outbound Available in any view Display information about pre defined control plane QoS policies on a distributed device display qos policy control plan...

Page 43: ...3 12...

Page 44: ...ue to be preferentially scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a...

Page 45: ...d for priority mapping table lookup There are two priority trust modes on the H3C S7500E series switches z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP c...

Page 46: ...802 1q tagged DSCP in packets Look up the dscp dp dscp dot1p and dscp dscp tables 802 1p in packets Mark the packet with 802 1p priority drop precedence and new DSCP precedence Look up the dot1p lp ta...

Page 47: ...erforms priority marking before priority mapping and then uses the re marked packet carried priority for priority mapping or directly uses the re marked scheduling priority for traffic scheduling depe...

Page 48: ...le in any view The 802 1p to EXP priority mapping table dot1p exp and the EXP to 802 1p priority mapping table exp dot1p are available only for the EB and SD cards Configuring the Priority Trust Mode...

Page 49: ...group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all po...

Page 50: ...1p priority of traffic from the R D department to 4 z The management department connects to GigabitEthernet 2 0 3 of Device which sets the 802 1p priority of traffic from the management department to...

Page 51: ...0 1 quit Set the port priority of GigabitEthernet 2 0 2 to 4 Device interface gigabitethernet 2 0 2 Device GigabitEthernet2 0 2 qos priority 4 Device GigabitEthernet2 0 2 quit Set the port priority of...

Page 52: ...Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 2 0 3 Device GigabitEthernet2 0 3 qos apply policy admin inb...

Page 53: ...it it is shaped or policed to ensure that it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features...

Page 54: ...the E bucket z Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward CBS is implemented with the C bucket and EBS with the E bucket In each evalu...

Page 55: ...evaluation result is excess z Modifying the DSCP priority of the conforming traffic and forwarding it Traffic Shaping Traffic shaping supports shaping traffic to the outgoing traffic Traffic shaping p...

Page 56: ...e released traffic shaping takes out the cached packets and sends them out In this way all the traffic sent to Switch B conforms to the traffic specification defined in Switch B Line Rate Line rate su...

Page 57: ...ng bursty traffic Line rate can only limit the total traffic rate on a physical port while traffic policing can limit the rate of a flow on a port To limit the rate of all the packets on a port using...

Page 58: ...avior behavior name Exit policy view quit To an interface Applying the QoS policy to an interface To online users Applying the QoS policy to online users To a VLAN Applying the QoS policy to a VLAN Gl...

Page 59: ...ing is implemented as queue based GTS that is configuring GTS parameters for packets of a certain queue Follow these steps to configure queue based GTS To do Use the command Remarks Enter system view...

Page 60: ...oup manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the inbou...

Page 61: ...ure traffic policing in policy based approach For related displaying and maintaining commands see Displaying and Maintaining QoS Policies To do Use the command Remarks Display interface GTS configurat...

Page 62: ...delay Congestion easily occurs in complex packet switching circumstances in the Internet The following figure shows two common cases Figure 6 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100...

Page 63: ...atic diagram for SP queuing As shown in Figure 6 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues st...

Page 64: ...SP queuing that packets in low priority queues may fail to be served for a long time Another advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is...

Page 65: ...0 Mbps and there are five flows on the port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z T...

Page 66: ...nual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure SP queuing qos...

Page 67: ...ptional Available in any view Configuration example 1 Network requirements z Enable WRR queuing on the interface GigabitEthernet 2 0 1 z Assign queues 0 through 7 to the WRR group with their weights b...

Page 68: ...by default Display WFQ queuing configuration display qos wfq interface interface type interface number Optional Available in any view The support of different cards for the minimum guaranteed bandwidt...

Page 69: ...me Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Enable the WRR queue scheduling on the port...

Page 70: ...t2 0 1 qos wrr 5 group 1 weight 4 Sysname GigabitEthernet2 0 1 qos wrr 6 group 1 weight 6 Sysname GigabitEthernet2 0 1 qos wrr 7 group 1 weight 8 Displaying and Maintaining Congestion Management To do...

Page 71: ...roach to congestion avoidance In this approach when the size of a queue reaches the maximum threshold all the subsequent packets are dropped This results in global TCP synchronization That is if packe...

Page 72: ...er the drop probability When the average queue size exceeds the upper threshold subsequent packets are dropped z Drop precedence a parameter used for packet drop The value 0 corresponds to green packe...

Page 73: ...group Apply the WRED table qos wred apply table name Required Configuration Example Network requirements Apply a queue based WRED table to port GigabitEthernet 2 0 1 Configuration procedure Enter syst...

Page 74: ...ion you can implement time based traffic filtering Configuring Traffic Filtering Follow these steps to configure traffic filtering To do Use the command Remarks Enter system view system view Create a...

Page 75: ...in any view With filter deny configured for a traffic behavior the other actions except class based accounting in the traffic behavior do not take effect Support of Line Cards for the Traffic Filteri...

Page 76: ...21 DeviceA acl basic 3000 quit Create a class named classifier_1 and reference ACL 3000 in the class DeviceA traffic classifier classifier_1 DeviceA classifier classifier_1 if match acl 3000 DeviceA c...

Page 77: ...rity marking to set IP precedence or DSCP for a class of IP traffic to change its transmission priority in the network To configure priority marking you can associate a class with a behavior configure...

Page 78: ...ervices and has only local significance By marking different classes of traffic with the same QoS local ID you can re classify them to apply a uniform set of QoS actions on them Exit behavior view qui...

Page 79: ...Inbound Outbound Inbound Outbound Remarking the 802 1p precedence for packets Supported Supported Supported Not supported Supported Not supported Remarking the drop precedence for packets Supported N...

Page 80: ...Inbound Outbound Remarking the 802 1p precedence for packets Supported Supported Supported Supported Remarking the drop precedence for packets Supported Not supported Supported Not supported Remarking...

Page 81: ...ile server Low Figure 9 1 Network diagram for priority marking configuration Internet Host A Host B Device Data server 192 168 0 1 24 Mail server 192 168 0 2 24 File server 192 168 0 3 24 GE2 0 1 GE2...

Page 82: ...3 Device behavior behavior_mserver quit Create a behavior named behavior_fserver and configure the action of setting the local precedence value to 2 for the behavior Device traffic behavior behavior_...

Page 83: ...name classifier class_a if match acl 2000 Sysname classifier class_a quit Create a behavior behavior_a and configure the action of marking packets with QoS local ID 100 for the behavior Sysname traffi...

Page 84: ...ts and the target interface should be a Layer 2 interface z Redirecting traffic to the next hop redirects packets which require processing by an interface to the interface This action is applicable to...

Page 85: ...tually exclusive with each other in the same traffic behavior z You can use the display traffic behavior command to view the traffic redirecting configuration z A QoS policy that contains a traffic re...

Page 86: ...r the traffic redirecting action Direction right Card category below Inbound Outbound SC LPU Supported Not Supported SA LPU Supported Not Supported EA LPU Supported Not Supported EB LPU Supported Not...

Page 87: ...ned the parameters in the aggregation CAR z You have determined the traffic behavior to reference the aggregation CAR Configuration procedure Follow these steps to reference an aggregation CAR in a tr...

Page 88: ...CAR reset qos car name car name Required Available in user view Configuration example Configure an aggregation CAR to rate limit the traffic of VLAN 10 and VLAN 100 received on GigabitEthernet 2 0 1 u...

Page 89: ...car associate class 1 with behavior 1 and associate class 2 with behavior 2 Sysname qos policy car Sysname qospolicy car classifier 1 behavior 1 Sysname qospolicy car classifier 2 behavior 2 Sysname...

Page 90: ...u can determine whether there are anomalies and what action to take Configuring Class Based Accounting Follow these steps to configure class based accounting To do Use the command Remarks Enter system...

Page 91: ...Host is connected to GigabitEthernet 2 0 1 of Device Configure class based accounting to collect statistics for traffic sourced from 1 1 1 1 24 and received on GigabitEthernet 2 0 1 Figure 12 1 Netwo...

Page 92: ...e incoming traffic of GigabitEthernet 2 0 1 DeviceA interface gigabitethernet 2 0 1 DeviceA GigabitEthernet2 0 1 qos apply policy policy inbound DeviceA GigabitEthernet2 0 1 quit Display traffic stati...

Page 93: ...d QoS policy z Configuring the ONU to perform traffic policing for uplink traffic of a UNI z Configuring the UNI to tag the uplink 802 1q untagged traffic with the default VLAN tag and adding the UNI...

Page 94: ...assigns to the ONU z Configuring high priority packet buffer for downlink traffic that the OLT sends to the specified ONU Processing on an ONU z Filtering the packets matching certain match criteria a...

Page 95: ...the OLT port Configuring the Priority Trust Mode on a Port Configure traffic policing for uplink traffic of all ONUs through QoS Configuring Traffic Policing Configure QoS for uplink traffic Configure...

Page 96: ...Queuing Configure the ONU to perform priority mapping for downlink traffic from the OLT according to the CoS to local precedence mapping table Priority mapping on the ONU port Set the ONU port priorit...

Page 97: ...sent preferentially You can enable high priority packet buffering for multiple ONUs and the OLT will reserve an independent buffer for each ONU Follow these steps to configure rate limiting To do Use...

Page 98: ...e interface type interface number Enable the ONU downlink bandwidth allocation policy and prioritize high priority packets bandwidth downstream policy enable Required By default the downlink bandwidth...

Page 99: ...command Remarks Enter system view system view Enter ONU port view interface interface type interface number Configure the mapping between CoS precedence values and local precedence values qos cos loc...

Page 100: ...ode Without VLAN tag The packet is tagged with the VLAN tag corresponding to the default PVID of the port and then z If the packet matches the configured traffic classification rule the packet is prio...

Page 101: ...wise the packet is remarked with the port priority and is then forwarded Follow these steps to configure uplink traffic classification and priority remarking for a UNI To do Use the command Remarks En...

Page 102: ...s broadcast MAC addresses or the MAC address of the ONU Priority remarking based on Ethernet priority When the VLAN operation mode is set to tag mode for a UNI and the CoS value in the traffic classif...

Page 103: ...ra burst size ebs value outbound cir cir value pir pir value Optional The CIR should be a multiple of 64 By default traffic policing is not configured for a UNI Note that only H3C ONUs support the out...

Page 104: ...ink bandwidth and VLAN operation mode of a UNI see ONU Remote Management Configuration and UNI Port Configuration in the Layer 2 LAN Switching Configuration Guide Configure priority remarking for UNI...

Page 105: ...dp priority mapping tables Input priority value dot1p lp mapping dot1p dp mapping 802 1p priority dot1p Local precedence lp Drop precedence dp 0 2 0 1 0 0 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 Table 14...

Page 106: ...ot1p mapping DSCP Drop precedence dp 802 1p priority dot1p 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Table 14 3 The default exp dp priority mapping tables Input priority value exp dp mapping EXP value Dr...

Page 107: ...According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS field where a DSCP value is represented by the first six bits 0 to 5 and is in the range 0 to 63 The...

Page 108: ...10 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000...

Page 109: ...ined in IEEE 802 1p Table 15 3 presents the values for 802 1p priority Figure 15 3 802 1Q tag header 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control informa...

Page 110: ...15 4 Figure 15 4 MPLS label structure As shown in Figure 15 4 the EXP field is 3 bits long and ranges from 0 to 7...

Page 111: ...6 6 Congestion Management Policies 6 2 Copying an ACL 1 14 Creating a Time Range 1 6 D Defining a Class3 2 Defining a Policy 3 5 Defining a Traffic Behavior 3 5 DiffServ Service Model 2 2 Displaying...

Page 112: ...r Downlink Traffic 13 5 QoS Functions for Uplink Traffic 13 4 QoS Local ID Marking Configuration Example 9 6 T Traffic Evaluation and Token Buckets 5 1 Traffic Filtering Configuration Example 8 3 Traf...

Search results

Summary of Contents for H3C S7500E Series

Reviews:

Related manuals for H3C S7500E Series

Brands by name

Popular brands

H3C H3C S7500E Series, Configuration Manual

Search results

Summary of Contents for H3C S7500E Series

Reviews:

Related manuals for H3C S7500E Series

Brands by name

Popular brands