manualshive.com logo in svg

H3C WX Series, Configuration Manual

Share
Download
H3C WX Series Configuration Manual Download Page 10

10 

 

ACL category 

Depth-first rule sorting procedures 

IPv4 advanced 
ACL 

1.

 

The rule configured with a VPN instance takes precedence.  

2.

 

The rule configured with a specific protocol is prior to a rule with the 
protocol type set to IP. IP represents any protocol over IP. 

3.

 

The rule with more 0s in the source IP address wildcard mask takes 

precedence. More 0s means a narrower IP address range. 

4.

 

The rule with more 0s in the destination IP address wildcard mask takes 
precedence. 

5.

 

The rule with a narrower TCP/UDP service port number range takes 
precedence. 

6.

 

The rule with a smaller ID takes precedence. 

IPv6 basic ACL 

1.

 

The rule configured with a longer prefix for the source IP address takes 
precedence. A longer prefix means a narrower IP address range. 

2.

 

The rule with a smaller ID takes precedence. 

IPv6 advanced 
ACL 

1.

 

The rule configured with a specific protocol is prior to a rule with the 
protocol type set to IP. IP represents any protocol over IPv6.  

2.

 

The rule configured with a longer prefix for the source IPv6 address has a 
higher priority.  

3.

 

The rule configured with a longer prefix for the destination IPv6 address 
takes precedence.  

4.

 

The rule with a narrower TCP/UDP service port number range takes 
precedence.  

5.

 

The rule with a smaller ID takes precedence. 

Ethernet frame 
header ACL 

1.

 

The rule with more 1s in the source MAC address mask takes precedence. 

More 1s means a smaller MAC address. 

2.

 

The rule with more 1s in the destination MAC address mask takes 
precedence.  

3.

 

The rule with a smaller ID takes precedence. 

 

NOTE: 

 

Currently, the AC does not support ACL rules with the VPN instance attribute.  

 

A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted 
decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent ‗do 
care‘ bits, while the 1 bits represent 'don‘t care bits.' If the 'do care' bits in an IP address are 
identical to the 'do care' bits in an IP address criterion, the IP address matches the criterion. All 
'don‘t care' bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For 
example, 0.255.0.255 is a valid wildcard mask.  

Summary of Contents for WX Series

Page 1: ...fy traffic in your network and implement flow control based on traffic classes With ACL and QoS you can well allocate the limited network resources and improve network usage The intended audience incl...

Page 2: ...he statements information and recommendations in this document do not constitute a warranty of any kind express or implied Hangzhou H3C Technologies Co Ltd and its licensors shall not be liable for te...

Page 3: ...task list 12 IPv4 ACL configuration task list 12 IPv6 ACL configuration task list 12 Configuring an ACL 13 Creating a time range 13 Configuring a WLAN ACL 13 Configuring a basic ACL 14 Configuring an...

Page 4: ...verview 35 Priority mapping tables 35 Priority mapping configuration tasks 37 Configuring priority mapping 38 Configuring a priority mapping table 38 Configuring a port to trust packet priority for pr...

Page 5: ...ngestion management policies 53 FIFO 53 Priority queuing 54 Custom queuing 55 Congestion management technology comparison 55 Configuring PQ 56 PQ configuration procedure 57 PQ configuration example on...

Page 6: ...6 Command conventions 65 Document conventions 65 Symbols 66 Index 67...

Page 7: ...our local sales office for the models applicable to your region Support of the H3C WX series access controllers ACs for features may vary by AC model For more information see Feature Matrix in About t...

Page 8: ...ies as shown in Table 1 Table 1 ACL categories Category ACL number IP version Match criteria WLAN ACLs 100 to 199 IPv4 Wireless client SSID Basic ACLs 2000 to 2999 IPv4 Source IPv4 address IPv6 Source...

Page 9: ...esult and action to take depend on the rule order Two ACL match orders are available config Sorts ACL rules in ascending order of rule ID A rule with a lower ID is matched before a rule with a higher...

Page 10: ...The rule configured with a longer prefix for the source IPv6 address has a higher priority 3 The rule configured with a longer prefix for the destination IPv6 address takes precedence 4 The rule with...

Page 11: ...tep to the current highest rule ID starting with 0 For example if the numbering step is 5 the default and there are five ACL rules numbered 0 5 9 10 and 12 the newly defined rule is numbered 15 If the...

Page 12: ...lt mode It considers only Layer 3 attributes Exact match considers all header attributes defined in IPv4 ACL rules ACL configuration task list IPv4 ACL configuration task list Complete the following t...

Page 13: ...ng absolute ones and ANDing periodic and absolute ones You may create a maximum of 256 uniquely named time ranges each with 32 periodic time ranges at most and 12 absolute time ranges at most Configur...

Page 14: ...on only source IP address Follow these steps to configure an IPv4 basic ACL To do Use the command Remarks Enter system view system view Create an IPv4 basic ACL and enter its view acl number acl numbe...

Page 15: ...le has no rule description Configuring an IPv6 basic ACL Follow these steps to configure an IPv6 basic ACL To do Use the command Remarks Enter system view system view Create an IPv6 basic ACL view and...

Page 16: ...n IP addresses protocols over IP and other protocol header information such as TCP UDP source and destination port numbers TCP flags ICMP message types and ICMP message codes IPv4 advanced ACLs also a...

Page 17: ...e range name tos tos Required By default an IPv4 advanced ACL does not contain any rule To create or edit multiple rules repeat this step The logging keyword takes effect only when the module using th...

Page 18: ...tablished destination dest dest prefix dest dest prefix any destination port operator port1 port2 dscp dscp fragment icmp6 type icmp6 type icmp6 code icmp6 message logging source source source prefix...

Page 19: ...tep step step value Optional 5 by default Create or edit a rule rule rule id deny permit cos vlan pri dest mac dest addr dest mask lsap lsap type lsap type mask type protocol type protocol type mask s...

Page 20: ...6 copy source acl6 number name source acl6 name to dest acl6 number name dest acl6 name Required Displaying and maintaining ACLs To do Use the command Remarks Display configuration and match statistic...

Page 21: ...CL to deny access from the wireless users in R D department to the salary server during office hours from 8 00 to 18 00 on working days Figure 1 Network diagram for ACL configuration AC GE 1 0 1 Serve...

Page 22: ...C WLAN ESS1 qos apply policy test inbound IPv6 ACL configuration example Network requirements Perform IPv6 packet filtering in the inbound direction of interface WLAN ESS 1 to deny all IPv6 packets bu...

Page 23: ...e qospolicy deny2000 classifier ipv6 2000 behavior deny Sysname qospolicy deny2000 quit 5 Apply the policy to filter incoming packets on interface WLAN ESS 1 Sysname interface WLAN ESS1 Sysname WLAN E...

Page 24: ...controller may appear different in type and number from the GE interfaces used in the examples in this manual To ensure that the precedence mapping function can operate properly use the undo l2fw fas...

Page 25: ...s that all nodes along the transmission path maintain resource state information for each flow The model is suitable for small sized or edge networks but not large sized networks for example the core...

Page 26: ...lows entering or leaving an AC and can be applied to the incoming traffic and outgoing traffic of a port When a flow exceeds the pre set threshold some restriction or punishment measures can be taken...

Page 27: ...oken bucket Traffic policing Traffic shaping Congestion avoidance CAR GTS WRED Congestion management Figure 3 shows how the QoS module processes traffic Traffic classifier identifies and classifies tr...

Page 28: ...policy defines the shaping policing or other QoS actions to take on different classes of traffic It is a set of class behavior associations A class is a set of match criteria for identifying traffic I...

Page 29: ...riteria in class view Follow these steps to define a class To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or R...

Page 30: ...steps to define a traffic behavior To do Use the command Remarks Enter system view system view Create a traffic behavior and enter traffic behavior view traffic behavior behavior name Required Config...

Page 31: ...ate a policy and enter policy view qos policy policy name Required Associate a class with a behavior in the policy classifier tcl name behavior behavior name Required Repeat this step to create more c...

Page 32: ...group view take effect on all ports in the port group Enter port group view port group manual port group name Apply the policy to the interface port group qos apply policy policy name inbound outboun...

Page 33: ...Configuration Guide Apply the QoS policy qos apply policy policy name inbound outbound Required Use the inbound keyword to apply the QoS policy to the traffic received by the online users Use the out...

Page 34: ...any view Display QoS policy configuration on the specified or all interfaces display qos policy interface interface type interface number inbound outbound Available in any view Display traffic class c...

Page 35: ...is of only local significance Local precedence is used for queuing A local precedence value corresponds to an output queue A packet with higher local precedence is assigned to a higher priority outpu...

Page 36: ...3 3 4 4 5 5 6 6 7 7 Table 4 The default dscp lp priority mapping table DSCP Local precedence lp 0 to 7 0 8 to 15 1 16 to 23 2 24 to 31 3 32 to 39 4 40 to 47 5 48 to 55 6 56 to 63 7 Table 5 The defaul...

Page 37: ...t mode In this approach you can configure a port to look up a certain priority 802 1p for example in incoming packets in the priority mapping tables If an incoming packet does not carry the trusted pr...

Page 38: ...ocal to DSCP priority mapping table Follow these steps to configure a priority mapping table To do Use the command Remarks Enter system view system view Enter priority mapping table view qos map table...

Page 39: ...r port group view port group manual port group name Configure the port to use a type of packet priority for priority mapping qos trust dot11e dot1p dscp Required By default port priority is trusted Su...

Page 40: ...ce you must log off all online users to stop the service the interface is providing On a WLAN ESS interface configured with the qos priority command the assignment of DSCP precedence varies by packet...

Page 41: ...ccess controller modules Access controller modules LS8M1WCMA0 LSQM1WCMB0 LSBM1WCM2A0 LSRM1WCM2A1 No special requirements You can directly configure Ethernet interfaces on the switch To configure wirel...

Page 42: ...gure 5 Network diagram for trusted priority type configuration AC GE 1 0 1 IP network AP 1 AP 3 AP 2 Configuration procedure 1 Enter system view AC system view 2 Enter dot1p lp priority mapping table...

Page 43: ...nd that of AP 3 is WLAN ESS 3 Figure 6 Network diagram for trusting port priority configuration AC GE 1 0 1 IP network AP 1 AP 3 AP 2 Configuration procedure 1 Enter system view AC system view 2 Disab...

Page 44: ...os priority 5 AC WLAN ESS3 quit 6 Enable service template 1 Sysname wlan service template 1 Sysname wlan st 1 service template enable NOTE For more information about WLAN ESS interfaces see WLAN Inter...

Page 45: ...ch token represents a certain forwarding capacity typically a one bit forwarding authority The system puts tokens into the bucket at a set rate When the token bucket is full the extra tokens overflow...

Page 46: ...ecifies the average packet transmission or forwarding rate allowed by bucket E Excess burst size EBS Size of bucket E which specifies the transient burst of traffic that bucket E can forward The two t...

Page 47: ...whose evaluation result is conforming Dropping the packets whose evaluation result is excess Modifying the IP precedence of the packets whose evaluation result is conforming and forwarding them Modif...

Page 48: ...packets cannot be transmitted until efficient tokens are generated in the token bucket It restricts the traffic rate to the rate for generating tokens Line rate limits the total rate of all packets on...

Page 49: ...icy and enter policy view qos policy policy name Associate the class with the traffic behavior in the QoS policy classifier tcl name behavior behavior name Exit policy view quit Apply the QoS policy T...

Page 50: ...on rate Required The conforming traffic is permitted to pass through while the exceeding traffic is dropped Support for the keywords of the command varies by AC model For more information see QoS in t...

Page 51: ...ction properly make sure the committed burst size argument in the qos lr outbound cir command is greater than or equal to 1875 or committed information rate 100 16 whichever is greater Otherwise the p...

Page 52: ...n congestion scenarios Figure 10 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results Increased delay and jitter during packe...

Page 53: ...uses a single queue and does not classify traffic or schedule queues FIFO delivers packets depending on their arrival order with the one arriving earlier scheduled first The only concern of FIFO is q...

Page 54: ...gned to the normal queue Each of the four queues is a FIFO queue Priority queuing schedules the four queues strictly according to the descending order of priority as shown in Figure 12 It sends packet...

Page 55: ...number of packets based on the percentage of interface bandwidth assigned for each queue out of each queue in the ascending order of queue 1 to queue 16 CQ guarantees normal packets of a certain amou...

Page 56: ...for real time and mission critical applications Need to configure low processing speed If there are no restrictions on bandwidth assigned to high priority packets low priority packets may fail to get...

Page 57: ...edence value queue bottom middle normal top Required Use a command as needed Specify the default queue for the PQ list qos pql pql index default queue bottom middle normal top Optional This command sp...

Page 58: ...WM1WCM20 No special requirements You can directly configure Ethernet interfaces on the switch To configure wireless features during the configuration process log in to the access controller module wit...

Page 59: ...C qos pql 1 local precedence 7 queue top AC qos pql 1 local precedence 1 queue bottom 3 Set the maximum queue length of the top queue to 1024 and set that of the bottom queue to 1024 AC qos pql 1 queu...

Page 60: ...gn packets with local precedence value 5 to the top queue AC qos pql 1 local precedence 5 queue top 4 Set the maximum length to 1000 for the middle queue in PQ list 1 AC qos pql 1 queue middle queue l...

Page 61: ...number Optional This command specifies the queue to which unmatched packets are assigned to By default the unmatched packets are assigned to queue 1 Set the length of a queue qos cql cql index queue q...

Page 62: ...1 inbound interface GigabitEthernet1 0 1 queue 1 3 Configure queue 1 to send 2000 bytes during a cycle of round robin queue scheduling in CQ list 1 Sysname qos cql 1 queue 1 serving 2000 4 Apply CQ li...

Page 63: ...ence value 4 to queue 1 Sysname qos cql 1 local precedence 4 queue 1 4 Set the maximum length of queue 1 to 1000 in CQ list 1 Sysname qos cql 1 queue 1 queue length 1000 5 Configure queue 1 to send 16...

Page 64: ...e Web at http www h3c com Click the links on the top navigation bar to obtain different categories of product documentation Technical Support Documents Technical Documents Provides hardware installati...

Page 65: ...erisk marked braces enclose a set of required syntax choices separated by vertical bars from which you select at least one x y Asterisk marked square brackets enclose optional syntax choices separated...

Page 66: ...text Emphasized monospace text Indication that example continues Symbols WARNING Indicates that failure to follow directions could result in bodily harm or death CAUTION Indicates that failure to foll...

Page 67: ...conventions 67 E Ethernet frame header ACL configuring 19 Ethernet interface configuration 41 60 F FIFO queuing 55 I inverse mask 10 IPv4 ACL configuration task list 12 configuration example 21 copyi...

Page 68: ...s in network 26 traffic classification 26 traffic policing polices 26 traffic shaping 26 QoS Quality of Service 24 QoS configuring defining class 29 defining policy 31 defining traffic behavior 30 dia...

Page 69: ...69 WLAN ESS interface 40...

Reviews:

No comments

Brands by name

Popular brands

Load more brands