manualshive.com logo in svg

H3C WA2200 Series, Configuration Manual

The H3C WA2200 Series offers exceptional networking capabilities. Easily set up and configure this advanced product using our comprehensive configuration manual. Download the manual for free from manualshive.com and unleash the full potential of your H3C WA2200 Series device.

Share
Download
background image

 

4-4 

ACL Rule Numbering 

What is the ACL rule numbering step 

If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The 

rule numbering step sets the increment by which the system automatically numbers rules. For example, 

the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are 

numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between 

two rules.  

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of 

inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched 

in ascending order of rule ID.  

Automatic rule numbering and re-numbering 

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to 

the current highest rule ID, starting with 0. 

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, 

and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule 

will be numbered 0.  

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five 

rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 

0, 2, 4, 6 and 8.  

Implementing Time-Based ACL Rules 

You can implement ACL rules based on the time of day by applying a time range to them. A time-based 

ACL rule takes effect only in any time periods specified by the time range.  

Two basic types of time range are available: 

z

 

Periodic time range, which recurs periodically on a day or days of the week. 

z

 

Absolute time range, which represents only a period of time and does not recur. 

You may apply a time range to ACL rules before or after you create it. However, the rules using the time 

range can take effect only after you define the time range.  

IPv4 Fragments Filtering with ACLs 

Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent 

non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.  

To avoids the risks, the H3C ACL implementation: 

z

 

Filters all fragments by default, including non-first fragments. 

z

 

Provides standard and exact match modes for matching ACLs that contain advanced attributes 

such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers 

only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules.  

ACL Configuration Task List 

IPv4 configuration task list 

Complete the following tasks to configure an IPv4 ACL: 

Summary of Contents for WA2200 Series

Page 1: ...H3C WA Series WLAN Access Points ACL and QoS Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 6W100 20100910 ...

Page 2: ...are Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of th...

Page 3: ...ribes the conventions used in this documentation set Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown italic Italic text represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated b...

Page 4: ...cuments Purposes Marketing brochures Describe product specifications and benefits Product description and specifications Technology white papers Provide an in depth description of software features and technologies Compliance and safety manual Provides regulatory information and the safety instructions that must be followed during installation Quick start Guides you through initial installation an...

Page 5: ...ntation on the World Wide Web at http www h3c com Click the links on the top navigation bar to obtain different categories of product documentation Technical Support Documents Technical Documents Provides hardware installation software upgrading getting started and software feature configuration and maintenance documentation Products Solutions Provides information about products and technologies a...

Page 6: ...ced ACL 4 7 Configuring an Ethernet Frame Header ACL 4 9 Copying an ACL 4 10 Displaying and Maintaining ACLs 4 10 ACL Configuration Examples 4 10 IPv4 ACL Configuration Example 4 10 IPv6 ACL Configuration Example 4 12 5 QoS Overview 5 1 Introduction to QoS 5 1 Introduction to QoS Service Models 5 1 Best Effort Service Model 5 1 IntServ Service Model 5 2 DiffServ Service Model 5 2 QoS Techniques Ov...

Page 7: ...iority 7 3 Priority Mapping Overview 7 3 Introduction to Priority Mapping 7 3 Introduction to Priority Mapping Tables 7 4 Priority Mapping Configuration Task List 7 5 Configuring Priority Mapping 7 6 Configuring a Priority Mapping Table 7 6 Configuring a Port to Trust Packet Priority for Priority Mapping 7 6 Changing the Port Priority of an Interface 7 7 Displaying and Maintaining Priority Mapping...

Page 8: ...cess points include the WA2200 series and WA2600 series Table 1 1 shows the applicable models and software versions Table 1 1 Applicable models and software versions Series Model Software version WA2210 AG WA2200 series access points indoors WA2220 AG WA2210X G WA2200 series WA2200 series access points outdoors WA2220X AG R 1115 WA2610 AGN WA2612 AGN WA2600 series access points indoors WA2620 AGN ...

Page 9: ...S Not supported Supported 802 11n radio mode Not supported Supported 802 11n bandwidth mode Not supported Supported WLAN Configuration Guide 802 11n rate configuration Not supported Supported Optical Ethernet interface Supported on WA2210X G WA2220X AG only Not supported Layer 2 LAN Switching Configuration Guide GE interface Not supported Supported DHCP server configuration Not supported Supported...

Page 10: ... that support the 802 11b g radio mode support this command Only APs that support the 802 11b g radio mode support this command radio type Keywords dot11an and dot11gn not supported Supported WLAN service commands short gi enable Not supported Supported dot11a disabled rate mandatory rate supported rate rate value Only APs that support 802 11a radio mode support this command Only APs that support ...

Page 11: ...ching Command Reference The maximum number of unknown unicast packets allowed on an Ethernet interface per second unicast suppression ratio pps max pps pps max pps ranges from 1 to 148810 pps max pps ranges from 1 to 1488100 DHCP commands DHCP server configuration commands Not supported Supported display ipv6 dhcp client interface interface type interface number Not supported Supported display ipv...

Page 12: ...ime Range z Configuring a WLAN ACL z Configuring a Basic ACL z Configuring an Advanced ACL z Configuring an Ethernet Frame Header ACL z Copying an ACL z Displaying and Maintaining ACLs z ACL Configuration Examples Unless otherwise stated ACLs refer to both IPv4 and IPv6 ACLs throughout this document ACL Overview An access control list ACL is a set of rules or permit or deny statements for identify...

Page 13: ...s When creating an ACL you must assign it a number for identification and in addition you can also assign the ACL a name for the ease of identification After creating an ACL with a name you can neither rename it nor delete its name You cannot assign a name for a WLAN ACL For a WLAN and Ethernet frame header the ACL number and name must be globally unique For an IPv4 basic or advanced ACLs its ACL ...

Page 14: ... longer prefix means a narrower IP address range 2 Smaller ID IPv6 advanced ACL 1 Specific protocol type rather than IP IP represents any protocol over IPv6 2 Longer prefix for the source IPv6 address 3 Longer prefix for the destination IPv6 address 4 Narrower TCP UDP service port number range 5 Smaller ID Ethernet frame header ACL 1 More 1s in the source MAC address mask more 1s means a smaller M...

Page 15: ... rules numbered 5 10 13 15 and 20 changing the step from 5 to 2 causes the rules to be renumbered 0 2 4 6 and 8 Implementing Time Based ACL Rules You can implement ACL rules based on the time of day by applying a time range to them A time based ACL rule takes effect only in any time periods specified by the time range Two basic types of time range are available z Periodic time range which recurs p...

Page 16: ... To do Use the command Remarks Enter system view system view Create a time range time range time range name start time to end time days from time1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 Required By default no time range exists You may create time ranges identified with the same name They are regarded as one time range whose active period is the result of ORing periodic...

Page 17: ...Enter system view system view Create an IPv4 basic ACL and enter its view acl number acl number name acl name match order auto config Required By default no ACL exists IPv4 basic ACLs are numbered in the range 2000 to 2999 You can use the acl name acl name command to enter the view of an existing named IPv4 ACL Configure a description for the IPv4 basic ACL description text Optional By default an ...

Page 18: ... text Optional By default an IPv6 basic ACL rule has no rule description Configuring an Advanced ACL Configuring an IPv4 advanced ACL IPv4 advanced ACLs match packets based on source and destination IP addresses protocols over IP and other protocol header information such as TCP UDP source and destination port numbers TCP flags ICMP message types and ICMP message codes IPv4 advanced ACLs also allo...

Page 19: ... advanced ACL rule has no rule description Configuring an IPv6 Advanced ACL IPv6 advanced ACLs match packets based on the source IPv6 address destination IPv6 address protocol carried over IPv6 and other protocol header fields such as the TCP UDP source port number TCP UDP destination port number ICMP message type and ICMP message code Compared with IPv6 basic ACLs they allow of more flexible and ...

Page 20: ...2 1p priority VLAN priority and link layer protocol type Follow these steps to configure an Ethernet frame header ACL To do Use the command Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required By default no ACL exists Ethernet frame header ACLs are numbered in the range 4000 to 4999 You can...

Page 21: ... generate a new one of the same category acl ipv6 copy source acl6 number name source acl6 name to dest acl6 number name dest acl6 name Required Displaying and Maintaining ACLs To do Use the command Remarks Display configuration and match statistics for one or all IPv4 ACLs display acl acl number all name acl name Available in any view Display configuration and match statistics for one or all IPv6...

Page 22: ... a rule to allow access from the President s office to the salary server AP acl adv 3000 rule 1 permit ip source 129 111 1 2 0 0 0 0 destination 129 110 1 2 0 0 0 0 AP acl adv 3000 quit Create an advanced IPv4 ACL numbered 3001 and enter its view AP acl number 3001 Create a rule to deny access from any other department to the salary server during working hours AP acl adv 3001 rule 1 deny ip source...

Page 23: ...ddress 4050 9000 to 4050 90FF AP acl6 basic 2000 rule 1 permit source 4050 9000 120 AP acl6 basic 2000 quit Create a basic IPv6 ACL numbered 2001 and enter its view AP acl ipv6 number 2001 Create a rule to deny access from other IPv6 addresses AP acl6 basic 2001 rule 1 deny source any AP acl6 basic 2001 quit 2 Apply the ACLs Apply ACL 2000 and ACL 2001 AP traffic classifier access1 AP classifier a...

Page 24: ...The contention for resources demands that QoS prioritize important traffic flows over trivial traffic flows When making a QoS scheme a network administrator must consider the characteristics of various applications to balance the interests of diversified users and fully utilize network resources The subsequent section describes some typical QoS service models and widely used mature QoS techniques ...

Page 25: ...h maintain resource state information for each flow The model is suitable for small sized or edge networks but not large sized networks for example the core layer of the Internet where billions of flows are present For more information about RSVP see MPLS TE in the MPLS Configuration Guide DiffServ Service Model The differentiated service DiffServ model is a multiple service model that can satisfy...

Page 26: ...eshold to prevent aggressive use of network resources You can apply traffic policing to both incoming and outgoing traffic of a port z Traffic shaping proactively adapts the output rate of traffic to the network resources available on the downstream AP to eliminate packet drops Traffic shaping usually applies to the outgoing traffic of a port z Congestion management provides a resource scheduling ...

Page 27: ... subsequent QoS actions 2 The QoS module takes various QoS actions on classified traffic as configured depending on the traffic processing phase and network status For example you may configure the QoS module to perform traffic policing for incoming traffic traffic shaping for outgoing traffic congestion avoidance before congestion occurs and congestion management when congestion occurs ...

Page 28: ...ach In policy approach you configure QoS service parameters by using QoS policies A QoS policy defines the shaping policing or other QoS actions to take on different classes of traffic It is a set of class behavior associations A class is a set of match criteria for identifying traffic It uses the AND or OR operator z If the operator is AND a packet must match all the criteria to match the class z...

Page 29: ...lass if it matches any of the criteria in the class Configure match criteria if match match criteria Required For more information see the if match command in QoS in the ACL and QoS Command Reference Defining a Traffic Behavior A traffic behavior is a set of QoS actions such as traffic filtering traffic policing and priority mapping to take on a class of traffic To define a traffic behavior first ...

Page 30: ...ply the QoS policy to an interface To do Use the command Remarks Enter system view system view Define a QoS policy and enter QoS policy view qos policy policy name Required Associate a class with a behavior in the QoS policy classifier tcl name behavior behavior name Required Repeat this step to create more class behavior associations Enter interface view interface interface type interface number ...

Page 31: ...y the configuration of one or all classes in one or all QoS policies and the associated behaviors of the classes display qos policy user defined policy name classifier tcl name Available in any view Display QoS policy configuration on the specified or all interfaces display qos policy interface interface type interface number inbound outbound Available in any view ...

Page 32: ...s shown in Figure 7 1 the ToS field of the IP header contains eight bits and the first three bits 0 to 2 represent IP precedence from 0 to 7 According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS field where a DSCP value is represented by the first six bits 0 to 5 and is in the range 0 to 63 The remaining two bits 6 and 7 are reserved Table 7 1 Descript...

Page 33: ...0 cs6 56 111000 cs7 0 000000 be default 802 1p Priority 802 1p priority lies in the Layer 2 header and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 7 2 An Ethernet frame with an 802 1Q tag header As shown in Figure 7 2 the 4 byte 802 1Q tag header consists of the tag protocol identifier TPID two bytes in length whose value is 0x81...

Page 34: ... 3 011 excellent effort 4 100 controlled load 5 101 video 6 110 voice 7 111 network management 802 11e Priority To provide QoS services on WLAN the 802 11e standard was developed IEEE 802 11e is a MAC layer enhancement to IEEE 802 11 IEEE 802 11e adds a 2 byte QoS Control field to the 802 11e MAC frame header Three bits of the QoS control field represents the 802 11e priority which ranges from 0 t...

Page 35: ...02 11e to local priority mapping table z dot1p lp 802 1p to local priority mapping table z dscp lp DSCP to local priority mapping table which applies to only IP packets z lp dot11e Local to 802 11e priority mapping table z lp dot1p Local to 802 1p priority mapping table z lp dscp Local to DSCP priority mapping table Table 7 4 through Table 7 7 list the default priority mapping tables Table 7 4 The...

Page 36: ...priority mapping in two approaches z Configuring priority trust mode In this approach you can configure a port to look up the priority mapping tables based on a certain priority such as 802 1p carried in incoming packets If no packet priority is trusted the port priority of the incoming port is used z Changing port priority By default all ports are assigned the port priority of zero By changing th...

Page 37: ...p lp lp dot11e lp dot1p lp dscp Optional Available in any view Configuring a Port to Trust Packet Priority for Priority Mapping You can configure the AP to trust a particular priority field carried in packets for priority mapping on ports or globally When configuring the priority trust mode for a port you can select the following keywords z dot11e Uses the 802 11e priority of the received packets ...

Page 38: ...y Mapping To do Use the command Remarks Display priority mapping table configuration information display qos map table dot11e lp dot1p lp lp dot11e lp dot1p Available in any view Display the priority trust mode and port priority of the specified interface or all interfaces display qos trust interface interface type interface number Available in any view Priority Mapping Configuration Example Netwo...

Page 39: ...Ethernet1 0 1 quit Switch 2 Configure the AP Enter system view AP system view Configure a WLAN network for each of the two departments with the SSID being PART1 and PART2 respectively Bind the two WLAN networks to WLAN BSS 1 and WLAN BSS 2 respectively AP wlan service template 1 clear AP wlan st 1 ssid PART1 AP wlan st 1 service template enable AP wlan st 1 quit Create interface WLAN BSS1 and conf...

Page 40: ...apping and configure port Ethernet 1 0 1 as a trunk port AP interface ethernet 1 0 1 AP Ethernet1 0 1 qos trust dot1p AP Ethernet1 0 1 port link type trunk Assign port Ethernet 1 0 1 to VLAN 1 through VLAN 3 AP Ethernet1 0 1 port trunk permit vlan 1 to 3 AP Ethernet1 0 1 quit With these configurations completed when you copy files to Host A and Host B or load files to Host A and Host B through the...

Page 41: ...ntaining ACLs 4 10 Displaying and Maintaining Priority Mapping 7 7 Displaying and Maintaining QoS Policies 6 3 I Introduction to Packet Precedences 7 1 Introduction to QoS Service Models 5 1 Introduction to QoS 5 1 P Priority Mapping Configuration Example 7 7 Priority Mapping Configuration Task List 7 5 Priority Mapping Overview7 3 Q QoS Configuration Approach Overview 6 1 QoS Techniques Overview ...

Reviews:

No comments

Related manuals for WA2200 Series

Hamlet HNWS108 User Manual preview
HNWS108
Brand: Hamlet Pages: 77
3Com OfficeConnect 3CRWDR100B-72 User Manual preview
OfficeConnect 3CRWDR100B-72
Brand: 3Com Pages: 118
Cerio SEFA OW-500 A1 User Manual preview
SEFA OW-500 A1
Brand: Cerio Pages: 151
H3C WA2612-AGN Web-Based Configuration Manual preview
WA2612-AGN
Brand: H3C Pages: 447
Gembird NSW-R2 User Manual preview
NSW-R2
Brand: Gembird Pages: 57
WAGO 4055144057171 Manual preview
4055144057171
Brand: WAGO Pages: 66
Linksys MAX-STREAM MR6350 Regulatory Information preview
MAX-STREAM MR6350
Brand: Linksys Pages: 28
Encore ENRXWI-SG User Manual preview
ENRXWI-SG
Brand: Encore Pages: 25
Encore ENHWI-N2 User Manual preview
ENHWI-N2
Brand: Encore Pages: 62
DQ Technology M625N User Manual preview
M625N
Brand: DQ Technology Pages: 43
BT Smart Hub 2 User Manual preview
Smart Hub 2
Brand: BT Pages: 4
Xterasys WUB1600 Manual preview
WUB1600
Brand: Xterasys Pages: 74
Zte R218 Quick Start Manual preview
R218
Brand: Zte Pages: 17
Accton Technology WB3001A Quick Installation Manual preview
WB3001A
Brand: Accton Technology Pages: 34
Accton Technology WA5001 Quick Installation Manual preview
WA5001
Brand: Accton Technology Pages: 42
Air Live WHA-5500CPE User Manual preview
WHA-5500CPE
Brand: Air Live Pages: 160
Yunlink CPE870 Manual preview
CPE870
Brand: Yunlink Pages: 13
Axis 9010 User Manual preview
9010
Brand: Axis Pages: 60

Brands by name

Popular brands

Load more brands