H3C WX3500H series User Configuration Manual Download Page 1


New H3C Technologies Co., Ltd.  

http://www.h3c.com.hk 

 

Document version: 6W101-20171122


Summary of Contents for WX3500H series


Page 2: ... SecPath, SecCenter, SecBlade, Comware, ITCMM, and HUASAN are trademarks of New H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, inform...

Page 3: ... E5208P03; WX1810H: CMW710-E5215P01; WX1820H: CMW710-E5208P03. WX2500H series (WX2510H, WX2540H, WX2560H): WX2510H CMW710-R5215P01; WX2540H CMW710-R5215P01; WX2560H CMW710-R5215P01. WX3000H series (WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L): WX3010H CMW710-R5215P01; WX3010H-L CMW710-R5215P01; WX3010H-X CMW710-R5215P01; WX3024H CMW710-R5215P01; WX3024H-L CMW710-R5215P01. WX3500H series (WX3508H, WX3510H, WX3520H, WX3540H) ...

Page 4: ...enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. { x | y | ... } * Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one. [ x | y | ... ] * Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none. 1-n The arg...

Page 5: ...sents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch. Represents an access point. Wireless terminator unit. Wireless terminator. Represents a mesh access point. Represents omnidirectional signals. Represents directional signals. Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device. Repre...

Page 6: ...com.hk/Technical_Documents. To obtain software version information such as release notes, click http://www.h3c.com.hk/Software_Download. Technical support: service@h3c.com, http://www.h3c.com.hk. Documentation feedback: You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments. ...

Page 7: ...filtering 11; Configuring SNMP notifications for packet filtering 12; Setting the packet filtering default action 12; Displaying and maintaining ACLs 13; ACL configuration example 14; Network requirements 14; Configuration procedure 14; Verifying the configuration 15; QoS overview 16; Compatibility information 16; Feature and hardware compatibility 16; Command and hardware compatibility 17; QoS service models...

Page 8: ...the MQC approach 28; Configuring traffic policing for a user profile by using the non-MQC approach 29; Displaying and maintaining traffic policing 30; Configuring traffic filtering 31; Configuration procedure 31; Configuration example 31; Network requirements 31; Configuration procedure 32; Configuring priority marking 33; Configuration procedure 33; Configuration example 34; Network requirements 34; Configur...

Page 9: ...number, and other Layer 3 and Layer 4 header fields. Layer 2 ACLs: 4000 to 4999. IPv4 and IPv6 Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type. Numbering and naming ACLs: When creating an ACL, you must assign it a number or name for identification. You can specify an existing ACL by its number or name. Each ACL type has a unique range of ACL n...

Page 10: ...ervice port number range. 6. Rule configured earlier. Layer 2 ACL: 1. More 1s in the source MAC address mask (more 1s means a smaller MAC address). 2. More 1s in the destination MAC address mask. 3. Rule configured earlier. A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care...

Page 11: ...ules 5, 10, 13, and 15 as rules 0, 2, 4, and 6. Fragments filtering with ACLs: Traditional packet filtering matches only first fragments of packets and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid the risks, the ACL feature is designed as follows: Filters all fragments by default, including non-first fragments. Allows for ma...

Page 12: ...eria and functions: Source and destination IP addresses; Source and destination ports; Transport layer protocol; ICMP or ICMPv6 message type, message code, and message name; VPN instance; Logging; Time range. Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance. Configuration task list: Tasks at a glance. (Required.) Conf...

Page 13: ...basic ACL. Use the acl basic name acl-name command to enter the view of a named IPv4 basic ACL. 3. (Optional.) Configure a description for the IPv4 basic ACL: description text. By default, an IPv4 basic ACL does not have a description. 4. (Optional.) Set the rule numbering step: step step-value. By default, the rule numbering step is 5 and the start rule ID is 0. 5. Create or edit a rule: rule [ rule-id ] { deny | permit } [ fra...

Page 14: ...permit } [ fragment | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *. By default, an IPv6 basic ACL does not contain any rules. 6. (Optional.) Add or edit a rule comment: rule rule-id comment text. By default, no rule comment is configured. Configuring an advanced ACL: This section describes procedures for configuring IPv4 and IPv6 advanced ...

Page 15: ... syn syn-value | urg urg-value | established | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | precedence precedence | tos tos | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name. By default, an IPv4 advanced ACL does not contain any rules. 6. (Optional.) Add or edit a rule...

Page 16: ...eny | permit protocol [ ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value | established | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix...

Page 17: ...e-range-name ] *. By default, a Layer 2 ACL does not contain any rules. 6. (Optional.) Add or edit a rule comment: rule rule-id comment text. By default, no rule comment is configured. Configuring a WLAN client ACL: WLAN client ACLs match packets based on the SSID that the WLAN clients use to access the WLAN. You can use WLAN client ACLs to perform access control on WLAN clients. To configure a WLAN client ACL: Step...

Page 18: ...LAN AP ACL. 3. (Optional.) Configure a description for the WLAN AP ACL: description text. By default, a WLAN AP ACL does not have a description. 4. (Optional.) Set the rule numbering step: step step-value. By default, the rule numbering step is 5 and the start rule ID is 0. 5. Configure or edit a rule: rule [ rule-id ] { deny | permit } { mac mac-address mac-mask | serial-id serial-id }. By default, a WLAN AP ACL does not contain any...

Page 19: ...regation member port. Applying an ACL to an interface for packet filtering: The following matrix shows the feature and hardware compatibility. Hardware series / Model / Feature compatibility: WX1800H series (WX1804H, WX1810H, WX1820H): Yes. WX2500H series (WX2510H, WX2540H, WX2560H): Yes. WX3000H series (WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L): No. WX3500H series (WX3508H, WX3510H, WX3520H, WX3540H): Yes. WX5500E series ...

Page 20: ...otification instead of waiting for the next output. The notification records the number of matching packets and the matched ACL rules. For more information about the information center and SNMP, see Network Management and Monitoring Configuration Guide. To configure SNMP notifications for packet filtering: Step / Command / Remarks. 1. Enter system view: system-view. N/A. 2. Set the interval for outputting packet...

Page 21: ... ACL rule to pass. Displaying and maintaining ACLs: Execute display commands in any view. Task / Command. Display ACL configuration and match statistics: display acl [ ipv6 | mac | wlan ] { acl-number | all | name acl-name }. Display ACL application information for packet filtering: display packet-filter interface interface-type interface-number [ inbound | outbound ] [ slot slot-number ]. Display detailed ACL packet filtering infor...

Page 22: ...ge work 08:00 to 18:00 working-day. Create an IPv4 advanced ACL numbered 3000: [AC] acl advanced 3000. Configure a rule to permit access from the President's office to the financial database server: [AC-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0. Configure a rule to permit access from the Financial department to the database server during working hours: [AC-acl-...

Page 23: ...0.100: bytes=32 time=1ms TTL=255. Ping statistics for 192.168.0.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss). Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms. Verify that a wireless client in the Marketing department cannot ping the database server during working hours: C:\> ping 192.168.0.100. Pinging 192.168.0.100 with 32 bytes of data: Request timed out. Request timed out. ...

Page 24: ...echniques. Compatibility information: Feature and hardware compatibility. Hardware series / Model / QoS compatibility: WX1800H series (WX1804H, WX1810H, WX1820H): Yes. WX2500H series (WX2510H, WX2540H, WX2560H): Yes. WX3000H series (WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L): Yes for WX3010H, WX3010H-X, WX3024H; No for WX3010H-L, WX3024H-L. WX3500H series (WX3508H, WX3510H, WX3520H, WX3540H): Yes. WX5500E series (WX5510E, WX5540E): Yes. WX5...

Page 25: ...quest service from the network before it sends data. IntServ signals the service request with the RSVP. All nodes receiving the request reserve resources as requested and maintain state information for the application flow. The IntServ model demands high storage and processing capabilities because it requires all nodes along the transmission path to maintain resource state information for each flow. T...

Page 26: ...efly describes how the QoS module processes traffic: 1. Traffic classifier identifies and classifies traffic for subsequent QoS actions. 2. The QoS module takes various QoS actions on classified traffic as configured, depending on the traffic processing phase and network status. For example, you can configure the QoS module to perform traffic policing for incoming traffic. Figure 3 QoS processing flow. WAN...

Page 27: ...ing traffic, and it uses the AND or OR operator. If the operator is AND, a packet must match all the criteria to match the traffic class. If the operator is OR, a packet matches the traffic class if it matches any of the criteria in the traffic class. A traffic behavior defines a set of QoS actions to take on packets, such as priority marking. By associating a traffic behavior with a traffic class in a Qo...

Page 28: ...ng and priority marking. By default, no action is configured for a traffic behavior. Defining a QoS policy: To perform actions defined in a behavior for a class of packets, associate the behavior with the class in a QoS policy. To associate a traffic class with a traffic behavior in a QoS policy: Step / Command / Remarks. 1. Enter system view: system-view. N/A. 2. Create a QoS policy and enter QoS policy view: qos ...

Page 29: ...kets include link maintenance, RIP, and SSH packets. To apply a QoS policy to an interface: Step / Command / Remarks. 1. Enter system view: system-view. N/A. 2. Enter interface view: interface interface-type interface-number. N/A. 3. Apply the QoS policy to the interface: qos apply policy policy-name { inbound | outbound }. By default, no QoS policy is applied to an interface. Applying the QoS policy to a user profile: The fo...

Page 30: ...to apply the QoS policy to the outgoing traffic of the device (traffic received by the online users). Displaying and maintaining QoS policies: Execute display commands in any view. Task / Command. Display traffic class configuration: display traffic classifier { system-defined | user-defined } [ classifier-name ] [ slot slot-number ]. Display traffic behavior configuration: display traffic behavior { system-defined | user-def...

Page 31: ...re information about these priorities, see Appendixes. Locally assigned priorities only have local significance. They are assigned by the device only for scheduling. The device supports only local precedence for locally assigned priorities. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially sch...

Page 32: ... priority map. lp-dot1p: Local-802.1p priority map. lp-dscp: Local-DSCP priority map. To configure a priority map: Step / Command / Remarks. 1. Enter system view: system-view. N/A. 2. Enter priority map view: qos map-table { dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp }. N/A. 3. Configure mappings for the priority map: import import-value-list export export-value. By default, the default priority maps are used. For...

Page 33: ...nter system view: system-view. N/A. 2. Enter interface view: interface interface-type interface-number. N/A. 3. Set the port priority of the interface: qos priority priority-value. The default setting is 0. Displaying and maintaining priority mapping: Execute display commands in any view. Task / Command. Display priority map configuration: display qos map-table [ dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp...

Page 34: ...thernet 1/0/2. No trusted packet priority type is configured on GigabitEthernet 1/0/1 or GigabitEthernet 1/0/2. <AC> system-view. [AC] interface gigabitethernet 1/0/1. [AC-GigabitEthernet1/0/1] qos priority 3. [AC-GigabitEthernet1/0/1] quit. [AC] interface gigabitethernet 1/0/2. [AC-GigabitEthernet1/0/2] qos priority 1. [AC-GigabitEthernet1/0/2] quit. (Figure labels: Internet; Device A; AC; Server; GE1/0/1 IP precedence 3; GE1/0/2 IP preced...)

Page 35: ...d is colored green. The corresponding tokens are taken away from the bucket. Otherwise, the packet does not conform to the specification (called excess traffic) and is colored red. Traffic policing uses the single-rate two-color mechanism. This mechanism uses one token bucket (bucket C) and the following parameters: Committed information rate (CIR): Mean rate at which tokens are put into bucket C. It sets the a...

Page 36: ...view: system-view. N/A. 2. Create a traffic class and enter traffic class view: traffic classifier classifier-name [ operator { and | or } ]. By default, no traffic class exists. 3. Configure match criteria: if-match [ not ] match-criteria. By default, no match criterion is configured. For more information about the if-match command, see ACL and QoS Command Reference. 4. Return to system view: quit. N/A. 5. Create a traffic behavi...

Page 37: ...profile. Choose one of the application destinations as needed. By default, no QoS policy is applied. Configuring traffic policing for a user profile by using the non-MQC approach: The following matrix shows the feature and hardware compatibility. Hardware series / Model / Feature compatibility: WX1800H series (WX1804H, WX1810H, WX1820H): Yes. WX2500H series (WX2510H, WX2540H, WX2560H): Yes. WX3000H series (WX3010H, WX3010...

Page 38: ...p / Command / Remarks. 1. Enter system view: system-view. N/A. 2. Enter user profile view: user-profile profile-name. The configuration made in user profile view takes effect when the users are online. 3. Configure a CAR policy for the user profile: qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size ]. By default, no CAR policy is configured for a user profile. The conforming traffic...

Page 39: ...figure the traffic filtering action: filter { deny | permit }. By default, no traffic filtering action is configured. 7. Return to system view: quit. N/A. 8. Create a QoS policy and enter QoS policy view: qos policy policy-name. By default, no QoS policy exists. 9. Associate the traffic class with the traffic behavior in the QoS policy: classifier classifier-name behavior behavior-name. By default, a traffic class is no...

Page 40: ...sifier-classifier_1] quit. Create a traffic behavior named behavior_1 and configure the traffic filtering action to drop packets: [AC] traffic behavior behavior_1. [AC-behavior-behavior_1] filter deny. [AC-behavior-behavior_1] quit. Create a QoS policy named policy and associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy: [AC] qos policy policy. [AC-qospolicy-policy] classifier cl...

Page 41: ...e match criteria: if-match [ not ] match-criteria. By default, no match criterion is configured. For more information about the if-match command, see ACL and QoS Command Reference. 4. Return to system view: quit. N/A. 5. Create a traffic behavior and enter traffic behavior view: traffic behavior behavior-name. By default, no traffic behavior exists. 6. Configure a priority marking action: Set the DSCP value for packet...

Page 42: ...dure: Create advanced ACL 3000 and configure a rule to match packets with destination IP address 192.168.0.1: <AC> system-view. [AC] acl advanced 3000. [AC-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.1 0. [AC-acl-ipv4-adv-3000] quit. Create advanced ACL 3001 and configure a rule to match packets with destination IP address 192.168.0.2: [AC] acl advanced 3001. [AC-acl-ipv4-adv-3001] rule permit ip destinat...

Page 43: ...server] remark local-precedence 4. [AC-behavior-behavior_dbserver] quit. Create a traffic behavior named behavior_mserver and configure the action of setting the local precedence value to 3: [AC] traffic behavior behavior_mserver. [AC-behavior-behavior_mserver] remark local-precedence 3. [AC-behavior-behavior_mserver] quit. Create a traffic behavior named behavior_fserver and configure the action of setting the ...

Page 44: ...ed Service. DSCP: Differentiated Services Code Point. EBS: Excess Burst Size. IntServ: Integrated Service. ISP: Internet Service Provider. PIR: Peak Information Rate. QoS: Quality of Service. ToS: Type of Service. Appendix B Default priority maps. Table 3 Default dot1p-lp priority map (input dot1p → lp): 0 → 2; 1 → 0; 2 → 1; 3 → 3; 4 → 4; 5 → 5; 6 → 6; 7 → 7. Table 4 Default dot11e-lp priority map (dot11e → lp): 0 → 2; 1 → ...

Page 45: ... → 3; 32 to 39 → 4; 40 to 47 → 5; 48 to 55 → 6; 56 to 63 → 7. Table 6 Default lp-dot1p, lp-dot11e, and lp-dscp priority maps (input lp → dot1p / dot11e / DSCP): 0 → 1 / 1 / 0; 1 → 2 / 2 / 8; 2 → 0 / 0 / 16; 3 → 3 / 3 / 24; 4 → 4 / 4 / 32; 5 → 5 / 5 / 40; 6 → 6 / 6 / 48; 7 → 7 / 7 / 56. Table 7 Default port priority-local priority map (port priority → local precedence): 0 → 0; 1 → 1; 2 → 2; 3 → 3 ...

Page 46: ...63. The remaining 2 bits (6 and 7) are reserved. Table 8 IP precedence (decimal / binary / description): 0 / 000 / Routine; 1 / 001 / priority; 2 / 010 / immediate; 3 / 011 / flash; 4 / 100 / flash-override; 5 / 101 / critical; 6 / 110 / internet; 7 / 111 / network. Table 9 DSCP values (decimal / binary / description): 46 / 101110 / ef; 10 / 001010 / af11; 12 / 001100 / af12. (Figure labels: M, B, Z; RFC 1122 IP Type of Service (ToS); RFC 79...)

Page 47: ...is is not needed and QoS must be assured at Layer 2. Figure 10 An Ethernet frame with an 802.1Q tag header. As shown in Figure 10, the 4-byte 802.1Q tag header contains the 2-byte tag protocol identifier (TPID) and the 2-byte tag control information (TCI). The value of the TPID is 0x8100. Figure 11 shows the format of the 802.1Q tag header. The Priority field in the 802.1Q tag header is called 802.1p priori...

Page 48: ... a MAC layer enhancement to IEEE 802.11. IEEE 802.11e adds a 2-byte QoS control field to the 802.11e MAC frame header. The 3-bit QoS control field represents the 802.11e priority in the range of 0 to 7. Figure 12 802.11e frame structure. (Figure 11 residue: 802.1Q tag header layout with TPID (Tag protocol identifier) bit values 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0, TCI (Tag control information) fields Priority, CFI, VLAN ID; Byte 1 to Byte 4; bit positions 7 ... 0 ...)

Page 49: ... name. You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows: 1. Combining all periodic statements. 2. Combining all absolute statements. 3. Taking the intersection of the two statement sets as the active period of the time range. Feature and hardware compatibility: Hardware series / Mod...

Page 50: ...me1 date1 to time2 date2 | from time1 date1 to time2 date2 | to time2 date2. No time range exists. Displaying and maintaining time ranges: Execute the display command in any view. Task / Command. Display time range configuration and status: display time-range { time-range-name | all }. Time range configuration example: Network requirements: As shown in Figure 13, configure an ACL on the AC to allow Client 1 to access t...

Page 51: ...k. [AC-acl-ipv4-basic-2001] rule deny source any time-range work. [AC-acl-ipv4-basic-2001] quit. Apply IPv4 basic ACL 2001 to filter outgoing packets on interface GigabitEthernet 1/0/1: [AC] interface gigabitethernet 1/0/1. [AC-GigabitEthernet1/0/1] packet-filter 2001 outbound. [AC-GigabitEthernet1/0/1] quit. Verifying the configuration: Display time range configuration and status on the AC: [AC] display time-range al...

Page 52: ...ms 36 Appendix B Default priority maps 36 Appendix C Packet precedence 38 applying ACL packet filtering to interface 11 QoS policy 20 QoS policy interface PVC 21 QoS policy user profile 21 auto ACL auto match order sort 1 ACL automatic rule numbering renumbering 3 B bandwidth QoS overview 16 QoS policy configuration 19 basic ACL type 1 behavior QoS traffic behavior definition 20 best effort QoS se...

Page 53: ...SCP values 38 E evaluating QoS traffic 27 QoS traffic with token bucket 27 27 F filtering ACL packet fragments 3 QoS traffic filtering configuration 31 31 forwarding ACL configuration 1 4 14 ACL configuration advanced 6 ACL configuration basic 5 ACL configuration Layer 2 8 ACL configuration WLAN AP 10 ACL configuration WLAN client 9 QoS token bucket 27 fragment ACL fragment filtering 3 H hardware ...

Page 54: ...ffic policing 27 QoS traffic policing configuration 27 28 network management ACL configuration 1 4 14 QoS overview 16 QoS priority mapping configuration 25 QoS service models 17 QoS techniques 17 time range configuration 41 42 non modular QoS Use non MQC non MQC QoS traffic policing configuration 28 non MQC QoS traffic policing user profile 29 notifying ACL packet filtering SNMP notifications 12 n...

Page 55: ...guring QoS priority mapping map uncolored 24 configuring QoS priority mapping trusted port packet priority 24 configuring QoS priority marking 33 34 configuring QoS traffic filtering 31 31 configuring QoS traffic policing 28 configuring time range 42 42 copying ACL 10 defining QoS policy 20 defining QoS traffic behavior 20 defining QoS traffic class 19 displaying ACL 13 displaying QoS policies 22 ...

Page 56: ...ation IPv4 basic 5 ACL configuration IPv6 advanced 7 ACL configuration IPv6 basic 5 ACL configuration Layer 2 8 ACL configuration WLAN AP 10 ACL configuration WLAN client 9 service QoS best effort service model 17 QoS DiffServ service model 17 QoS IntServ service model 17 QoS models 17 QoS overview 16 QoS policy configuration 19 QoS priority marking configuration 33 34 QoS techniques 17 QoS traffi...

Page 57: ...cing 18 27 QoS traffic policing configuration 27 28 QoS traffic shaping 18 traffic policing QoS display 30 trapping ACL packet filtering SNMP notifications 12 trusted port packet priority QoS 24 type ACL advanced 1 ACL auto match order sort 1 ACL basic 1 ACL config match order sort 1 ACL Layer 2 1 U user QoS policy application user profile 21 QoS priority mapping user priority 23 user profile QoS ...
