H3C H3C S7500E Series Скачать руководство пользователя

Страница: 18 / 112

1-8

You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an

existing rule in the ACL.

When the ACL match order is

auto

, a newly created rule will be inserted among the existing rules

in the depth-first match order. Note that the IDs of the rules still remain the same.

You can modify the match order of an ACL with the

acl number

acl-number

[

name acl-name

]

match-order

{

auto

config

} command but only when it does not contain any rules.

Configuring an IPv6 basic ACL

Follow these steps to configure an IPv6 basic ACL:

To do…

Use the command…

Remarks

Enter system view

system-view

––

Create an IPv6 basic ACL view

and enter its view

acl ipv6 number

acl6-number

[

name

acl6-name

]

[

match-order

{

auto

config

} ]

Required

By default, no ACL exists.

IPv6 basic ACLs are numbered in

the range 2000 to 2999.

You can use the

acl

ipv6

name

acl6-name

command to enter the

view of an existing named IPv6

ACL.

Configure a description for the

IPv6 basic ACL

description

text

Optional

By default, an IPv6 basic ACL has

no ACL description.

Set the rule numbering step

step

step-value

Optional

5 by default

Create or edit a rule

rule

[

rule-id

] {

deny

permit

}

[

fragment

logging

source

{

ipv6-address

prefix-length |

ipv6-address

prefix-length | any

} |

time-range

time-range-name

Required

By default, an IPv6 basic ACL

does not contain any rule.

To create or edit multiple rules,

repeat this step.

Note that the

logging

and

fragment

keywords are not

supported if the ACL is to be

referenced by a QoS policy for

traffic classification.

Содержание H3C S7500E Series

Страница 1: ...H3C S7500E Series Ethernet Switches ACL and QoS Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 20100722 C 1 01 Product Version Release 6605 and Later...

Страница 2: ...ware Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are th...

Страница 3: ...udience z Document Organization z Conventions z About the H3C S7500E Documentation Set z Obtaining Documentation z Documentation Feedback Audience This documentation is intended for z Network planners...

Страница 4: ...hich you select at least one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you may select multiple choices or none 1 n The argument or keywo...

Страница 5: ...s Pluggable Modules Manual Describes the hot swappable modules available for the Mid Range Series Ethernet Switches their external views and specifications H3C PoE DIMM Module Installation Guide Descr...

Страница 6: ...ow to use it with the PSR650 power module Power configuration H3C S7500E Power Configuration Guide Guides you to select power modules in various cases Optional cards Card manuals The S7500E series Eth...

Страница 7: ...Displaying and Maintaining ACLs 1 15 ACL Configuration Examples 1 15 IPv4 ACL Configuration Example 1 15 IPv6 ACL Configuration Example 1 17 2 QoS Overview 2 1 Introduction to QoS 2 1 Introduction to...

Страница 8: ...uckets 5 1 Traffic Policing 5 2 Traffic Shaping 5 3 Line Rate 5 4 Configuring Traffic Policing 5 5 Configuration Procedure 5 5 Configuration Example 5 6 Configuring GTS 5 7 Configuration Procedure 5 7...

Страница 9: ...ic Redirecting Overview 10 1 Configuring Traffic Redirecting 10 1 Support of Line Cards for Traffic Redirecting 10 2 11 Aggregation CAR Configuration 11 1 Aggregation CAR Overview 11 1 Referencing an...

Страница 10: ...iv 14 Appendix A Default Priority Mapping Tables 14 1 15 Appendix B Introduction to Packet Precedences 15 1 IP Precedence and DSCP Values 15 1 802 1p Priority 15 2 EXP Values 15 3 16 Index 16 1...

Страница 11: ...F Two S7500E series can be connected together to form a distributed IRF device If an S7500E series is not in any IRF it operates as a distributed device if the S7500E series is in an IRF it operates a...

Страница 12: ...onfiguration Guide z Software based application An ACL is referenced by a piece of upper layer software For example an ACL can be referenced to configure login user control behavior thus controlling T...

Страница 13: ...all IPv6 ACLs You can assign an IPv4 ACL and an IPv6 ACL the same number and name Match Order The rules in an ACL are sorted in a certain order When a packet matches a rule the device stops the match...

Страница 14: ...for the destination IPv6 address takes precedence 4 A rule with a narrower TCP UDP service port number range takes precedence 5 A rule with a smaller ID takes precedence Ethernet frame header ACL 1 A...

Страница 15: ...numbered 0 2 4 and 6 in steps of 2 When the default step is restored the rules are renumbered 0 5 15 and 15 Implementing Time Based ACL Rules You can implement ACL rules based on the time of day by a...

Страница 16: ...Creating a Time Range Follow these steps to create a time range To do Use the command Remarks Enter system view system view Create a time range time range time range name start time to end time days f...

Страница 17: ...n Set the rule numbering step step step value Optional 5 by default Create or edit a rule rule rule id deny permit fragment logging source sour addr sour wildcard any time range time range name vpn in...

Страница 18: ...iew acl ipv6 number acl6 number name acl6 name match order auto config Required By default no ACL exists IPv6 basic ACLs are numbered in the range 2000 to 2999 You can use the acl ipv6 name acl6 name...

Страница 19: ...s still remain the same You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6 number name acl6 name match order auto config command but only when it does not contain any rules Co...

Страница 20: ...alue destination dest addr dest wildcard any destination port operator port1 port2 dscp dscp fragment icmp type icmp type icmp code icmp message logging precedence precedence reflective source sour ad...

Страница 21: ...CLs match packets based on the source IPv6 address destination IPv6 address protocol carried over IPv6 and other protocol header fields such as the TCP UDP source port number TCP UDP destination port...

Страница 22: ...dit a rule description rule rule id comment text Optional By default an IPv6 ACL rule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of...

Страница 23: ...ermit cos vlan pri dest mac dest addr dest mask lsap lsap code lsap wildcard source mac sour addr source mask time range time range name type type code type wildcard Required By default an Ethernet fr...

Страница 24: ...nation ACL number is from the same category as the source ACL number z The source IPv4 or IPv6 ACL already exits but the destination IPv4 or IPv6 ACL does not Copying an IPv4 ACL Follow these steps to...

Страница 25: ...umber Available in any view Display the usage of ACL resources distributed device display acl resource slot slot number Available in any view Display the usage of ACL resources distributed IRF device...

Страница 26: ...ce 192 168 2 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to the salary query server Switch acl...

Страница 27: ...p_rd inbound Switch GigabitEthernet2 0 2 quit Apply QoS policy p_market to interface GigabitEthernet 2 0 3 Switch interface GigabitEthernet 2 0 3 Switch GigabitEthernet2 0 3 qos apply policy p_market...

Страница 28: ...licy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behavior b_rd Switch qospolicy p_rd quit Apply QoS policy p_rd to interface GigabitEt...

Страница 29: ...for QoS to prioritize important traffic flows over trivial traffic flows When making a QoS scheme a network administrator must plan network resources carefully considering the characteristics of vario...

Страница 30: ...model imposes very great pressure on the storage and processing capabilities of devices On the other hand the Inter Serv model is poor in scalability and therefore it is hard to be deployed in the co...

Страница 31: ...r leaving a device and can be applied in both inbound and outbound directions of a port When a flow exceeds the pre set threshold some restriction or punishment measures can be taken to prevent overco...

Страница 32: ...fines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these concepts class traffic behavior...

Страница 33: ...relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 3 1 shows the available criteria Table 3 1 The keyword and ar...

Страница 34: ...rated by space You can specify up to eight VLAN IDs for this argument at a time VLAN ID is in the range 1 to 4094 destination mac mac address Matches a destination MAC address dscp dscp list Matches D...

Страница 35: ...ned match criterion system index for packets sent to the control plane The index value list argument specifies a list of up to eight system indexes The system index range is from 1 to 128 Suppose the...

Страница 36: ...s a set of QoS actions to take on a traffic class for purposes such as traffic filtering shaping policing priority marking To define a traffic behavior you must first create it and then configure QoS...

Страница 37: ...ork VLAN ID is configured in a traffic behavior we recommend you not to configure any other action in this traffic behavior Otherwise the QoS policy may not function as expected after it is applied z...

Страница 38: ...rt group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port grou...

Страница 39: ...e user profile profile name enable Required Inactive by default z If a user profile is active the QoS policy except ACLs referenced in the QoS policy applied to it cannot be configured or removed If t...

Страница 40: ...are processing units running most routing and switching protocols and responsible for protocol packet resolution and calculation such as CPUs Compared with data plane units they allow for great packe...

Страница 41: ...use the display qos policy control plane pre defined command to display them z In a QoS policy for control planes if a system index classifier is configured the associated traffic behavior can contain...

Страница 42: ...chassis chassis number slot slot number inbound outbound Available in any view Display information about pre defined control plane QoS policies on a distributed device display qos policy control plan...

Страница 43: ...3 12...

Страница 44: ...ue to be preferentially scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a...

Страница 45: ...d for priority mapping table lookup There are two priority trust modes on the H3C S7500E series switches z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP c...

Страница 46: ...802 1q tagged DSCP in packets Look up the dscp dp dscp dot1p and dscp dscp tables 802 1p in packets Mark the packet with 802 1p priority drop precedence and new DSCP precedence Look up the dot1p lp ta...

Страница 47: ...erforms priority marking before priority mapping and then uses the re marked packet carried priority for priority mapping or directly uses the re marked scheduling priority for traffic scheduling depe...

Страница 48: ...le in any view The 802 1p to EXP priority mapping table dot1p exp and the EXP to 802 1p priority mapping table exp dot1p are available only for the EB and SD cards Configuring the Priority Trust Mode...

Страница 49: ...group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all po...

Страница 50: ...1p priority of traffic from the R D department to 4 z The management department connects to GigabitEthernet 2 0 3 of Device which sets the 802 1p priority of traffic from the management department to...

Страница 51: ...0 1 quit Set the port priority of GigabitEthernet 2 0 2 to 4 Device interface gigabitethernet 2 0 2 Device GigabitEthernet2 0 2 qos priority 4 Device GigabitEthernet2 0 2 quit Set the port priority of...

Страница 52: ...Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 2 0 3 Device GigabitEthernet2 0 3 qos apply policy admin inb...

Страница 53: ...it it is shaped or policed to ensure that it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features...

Страница 54: ...the E bucket z Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward CBS is implemented with the C bucket and EBS with the E bucket In each evalu...

Страница 55: ...evaluation result is excess z Modifying the DSCP priority of the conforming traffic and forwarding it Traffic Shaping Traffic shaping supports shaping traffic to the outgoing traffic Traffic shaping p...

Страница 56: ...e released traffic shaping takes out the cached packets and sends them out In this way all the traffic sent to Switch B conforms to the traffic specification defined in Switch B Line Rate Line rate su...

Страница 57: ...ng bursty traffic Line rate can only limit the total traffic rate on a physical port while traffic policing can limit the rate of a flow on a port To limit the rate of all the packets on a port using...

Страница 58: ...avior behavior name Exit policy view quit To an interface Applying the QoS policy to an interface To online users Applying the QoS policy to online users To a VLAN Applying the QoS policy to a VLAN Gl...

Страница 59: ...ing is implemented as queue based GTS that is configuring GTS parameters for packets of a certain queue Follow these steps to configure queue based GTS To do Use the command Remarks Enter system view...

Страница 60: ...oup manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the inbou...

Страница 61: ...ure traffic policing in policy based approach For related displaying and maintaining commands see Displaying and Maintaining QoS Policies To do Use the command Remarks Display interface GTS configurat...

Страница 62: ...delay Congestion easily occurs in complex packet switching circumstances in the Internet The following figure shows two common cases Figure 6 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100...

Страница 63: ...atic diagram for SP queuing As shown in Figure 6 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues st...

Страница 64: ...SP queuing that packets in low priority queues may fail to be served for a long time Another advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is...

Страница 65: ...0 Mbps and there are five flows on the port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z T...

Страница 66: ...nual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure SP queuing qos...

Страница 67: ...ptional Available in any view Configuration example 1 Network requirements z Enable WRR queuing on the interface GigabitEthernet 2 0 1 z Assign queues 0 through 7 to the WRR group with their weights b...

Страница 68: ...by default Display WFQ queuing configuration display qos wfq interface interface type interface number Optional Available in any view The support of different cards for the minimum guaranteed bandwidt...

Страница 69: ...me Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Enable the WRR queue scheduling on the port...

Страница 70: ...t2 0 1 qos wrr 5 group 1 weight 4 Sysname GigabitEthernet2 0 1 qos wrr 6 group 1 weight 6 Sysname GigabitEthernet2 0 1 qos wrr 7 group 1 weight 8 Displaying and Maintaining Congestion Management To do...

Страница 71: ...roach to congestion avoidance In this approach when the size of a queue reaches the maximum threshold all the subsequent packets are dropped This results in global TCP synchronization That is if packe...

Страница 72: ...er the drop probability When the average queue size exceeds the upper threshold subsequent packets are dropped z Drop precedence a parameter used for packet drop The value 0 corresponds to green packe...

Страница 73: ...group Apply the WRED table qos wred apply table name Required Configuration Example Network requirements Apply a queue based WRED table to port GigabitEthernet 2 0 1 Configuration procedure Enter syst...

Страница 74: ...ion you can implement time based traffic filtering Configuring Traffic Filtering Follow these steps to configure traffic filtering To do Use the command Remarks Enter system view system view Create a...

Страница 75: ...in any view With filter deny configured for a traffic behavior the other actions except class based accounting in the traffic behavior do not take effect Support of Line Cards for the Traffic Filteri...

Страница 76: ...21 DeviceA acl basic 3000 quit Create a class named classifier_1 and reference ACL 3000 in the class DeviceA traffic classifier classifier_1 DeviceA classifier classifier_1 if match acl 3000 DeviceA c...

Страница 77: ...rity marking to set IP precedence or DSCP for a class of IP traffic to change its transmission priority in the network To configure priority marking you can associate a class with a behavior configure...

Страница 78: ...ervices and has only local significance By marking different classes of traffic with the same QoS local ID you can re classify them to apply a uniform set of QoS actions on them Exit behavior view qui...

Страница 79: ...Inbound Outbound Inbound Outbound Remarking the 802 1p precedence for packets Supported Supported Supported Not supported Supported Not supported Remarking the drop precedence for packets Supported N...

Страница 80: ...Inbound Outbound Remarking the 802 1p precedence for packets Supported Supported Supported Supported Remarking the drop precedence for packets Supported Not supported Supported Not supported Remarking...

Страница 81: ...ile server Low Figure 9 1 Network diagram for priority marking configuration Internet Host A Host B Device Data server 192 168 0 1 24 Mail server 192 168 0 2 24 File server 192 168 0 3 24 GE2 0 1 GE2...

Страница 82: ...3 Device behavior behavior_mserver quit Create a behavior named behavior_fserver and configure the action of setting the local precedence value to 2 for the behavior Device traffic behavior behavior_...

Страница 83: ...name classifier class_a if match acl 2000 Sysname classifier class_a quit Create a behavior behavior_a and configure the action of marking packets with QoS local ID 100 for the behavior Sysname traffi...

Страница 84: ...ts and the target interface should be a Layer 2 interface z Redirecting traffic to the next hop redirects packets which require processing by an interface to the interface This action is applicable to...

Страница 85: ...tually exclusive with each other in the same traffic behavior z You can use the display traffic behavior command to view the traffic redirecting configuration z A QoS policy that contains a traffic re...

Страница 86: ...r the traffic redirecting action Direction right Card category below Inbound Outbound SC LPU Supported Not Supported SA LPU Supported Not Supported EA LPU Supported Not Supported EB LPU Supported Not...

Страница 87: ...ned the parameters in the aggregation CAR z You have determined the traffic behavior to reference the aggregation CAR Configuration procedure Follow these steps to reference an aggregation CAR in a tr...

Страница 88: ...CAR reset qos car name car name Required Available in user view Configuration example Configure an aggregation CAR to rate limit the traffic of VLAN 10 and VLAN 100 received on GigabitEthernet 2 0 1 u...

Страница 89: ...car associate class 1 with behavior 1 and associate class 2 with behavior 2 Sysname qos policy car Sysname qospolicy car classifier 1 behavior 1 Sysname qospolicy car classifier 2 behavior 2 Sysname...

Страница 90: ...u can determine whether there are anomalies and what action to take Configuring Class Based Accounting Follow these steps to configure class based accounting To do Use the command Remarks Enter system...

Страница 91: ...Host is connected to GigabitEthernet 2 0 1 of Device Configure class based accounting to collect statistics for traffic sourced from 1 1 1 1 24 and received on GigabitEthernet 2 0 1 Figure 12 1 Netwo...

Страница 92: ...e incoming traffic of GigabitEthernet 2 0 1 DeviceA interface gigabitethernet 2 0 1 DeviceA GigabitEthernet2 0 1 qos apply policy policy inbound DeviceA GigabitEthernet2 0 1 quit Display traffic stati...

Страница 93: ...d QoS policy z Configuring the ONU to perform traffic policing for uplink traffic of a UNI z Configuring the UNI to tag the uplink 802 1q untagged traffic with the default VLAN tag and adding the UNI...

Страница 94: ...assigns to the ONU z Configuring high priority packet buffer for downlink traffic that the OLT sends to the specified ONU Processing on an ONU z Filtering the packets matching certain match criteria a...

Страница 95: ...the OLT port Configuring the Priority Trust Mode on a Port Configure traffic policing for uplink traffic of all ONUs through QoS Configuring Traffic Policing Configure QoS for uplink traffic Configure...

Страница 96: ...Queuing Configure the ONU to perform priority mapping for downlink traffic from the OLT according to the CoS to local precedence mapping table Priority mapping on the ONU port Set the ONU port priorit...

Страница 97: ...sent preferentially You can enable high priority packet buffering for multiple ONUs and the OLT will reserve an independent buffer for each ONU Follow these steps to configure rate limiting To do Use...

Страница 98: ...e interface type interface number Enable the ONU downlink bandwidth allocation policy and prioritize high priority packets bandwidth downstream policy enable Required By default the downlink bandwidth...

Страница 99: ...command Remarks Enter system view system view Enter ONU port view interface interface type interface number Configure the mapping between CoS precedence values and local precedence values qos cos loc...

Страница 100: ...ode Without VLAN tag The packet is tagged with the VLAN tag corresponding to the default PVID of the port and then z If the packet matches the configured traffic classification rule the packet is prio...

Страница 101: ...wise the packet is remarked with the port priority and is then forwarded Follow these steps to configure uplink traffic classification and priority remarking for a UNI To do Use the command Remarks En...

Страница 102: ...s broadcast MAC addresses or the MAC address of the ONU Priority remarking based on Ethernet priority When the VLAN operation mode is set to tag mode for a UNI and the CoS value in the traffic classif...

Страница 103: ...ra burst size ebs value outbound cir cir value pir pir value Optional The CIR should be a multiple of 64 By default traffic policing is not configured for a UNI Note that only H3C ONUs support the out...

Страница 104: ...ink bandwidth and VLAN operation mode of a UNI see ONU Remote Management Configuration and UNI Port Configuration in the Layer 2 LAN Switching Configuration Guide Configure priority remarking for UNI...

Страница 105: ...dp priority mapping tables Input priority value dot1p lp mapping dot1p dp mapping 802 1p priority dot1p Local precedence lp Drop precedence dp 0 2 0 1 0 0 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 Table 14...

Страница 106: ...ot1p mapping DSCP Drop precedence dp 802 1p priority dot1p 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Table 14 3 The default exp dp priority mapping tables Input priority value exp dp mapping EXP value Dr...

Страница 107: ...According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS field where a DSCP value is represented by the first six bits 0 to 5 and is in the range 0 to 63 The...

Страница 108: ...10 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000...

Страница 109: ...ined in IEEE 802 1p Table 15 3 presents the values for 802 1p priority Figure 15 3 802 1Q tag header 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control informa...

Страница 110: ...15 4 Figure 15 4 MPLS label structure As shown in Figure 15 4 the EXP field is 3 bits long and ranges from 0 to 7...

Страница 111: ...6 6 Congestion Management Policies 6 2 Copying an ACL 1 14 Creating a Time Range 1 6 D Defining a Class3 2 Defining a Policy 3 5 Defining a Traffic Behavior 3 5 DiffServ Service Model 2 2 Displaying...

Страница 112: ...r Downlink Traffic 13 5 QoS Functions for Uplink Traffic 13 4 QoS Local ID Marking Configuration Example 9 6 T Traffic Evaluation and Token Buckets 5 1 Traffic Filtering Configuration Example 8 3 Traf...

Результаты поиска

Содержание H3C S7500E Series

Отзывы:

Похожие инструкции для H3C S7500E Series

Бренды по названию

Популярные бренды

H3C H3C S7500E Series, Руководство по настройке

Результаты поиска

Содержание H3C S7500E Series

Отзывы:

Похожие инструкции для H3C S7500E Series

Бренды по названию

Популярные бренды