manualshive.com logo in svg

H3C S5120-SI Series, Руководство по настройке, Страница: 16 / 65

Поделиться
Скачать
H3C S5120-SI Series Скачать руководство пользователя страница 16

Configuring an advanced ACL 

Configuring an IPv4 advanced ACL 

IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and 

other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, 

ICMP message types, and ICMP message codes. 
IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS), 

IP precedence, and differentiated services codepoint (DSCP) priority. 
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering. 
Follow these steps to configure an IPv4 advanced ACL: 

To do…

 

Use the command…

 

Remarks

 

Enter system view

 

system-view 

–– 

Create an IPv4 advanced ACL and 
enter its view 

 

acl number

 

acl-number 

name 

acl-name

 ]

 

match-order

 { 

auto 

config

 } ] 

Required 
By default, no ACL exists. 
IPv4 advanced ACLs are 

numbered in the range 3000 to 

3999.  
You can use the 

acl

 

name

 

acl-name

 

command to enter the view of a 

named IPv4 ACL.

 

Configure a description for the 
IPv4 advanced ACL 

description

 

text

 

Optional 
By default, an IPv4 advanced ACL 
has no ACL description. 

Set the rule numbering step  

step

 

step-value

 

Optional 
5 by default. 

Create or edit a rule

 

rule

 [ 

rule-id

 ] { 

deny

 | 

permit

 } 

protocol 

[ { { 

ack

 

ack-value

 | 

fin

 

fin-value

 | 

psh

 

psh-value

 | 

rst

 

rst-value

 | 

syn

 

syn-value

 | 

urg

 

urg-value

 } * |

 

established

 } | 

destination

 { 

dest-addr 

dest-wildcard

 | 

any

 } | 

destination-port

 operator port1

 

[

 port2 

] | 

dscp

 

dscp 

|

 

fragment

 | 

icmp-type

 {

 icmp-type

 

icmp-code 

icmp-message

 } |

 precedence

 

precedence

 | 

reflective

 | 

source

 

{

 sour-addr sour-wildcard

 | 

any

 } | 

source-port

 operator port1

 [

 port2 

|

 time-range

 

time-range-name

 | 

tos

 

tos

 ] * 

Required 
By default, an IPv4 advanced ACL 
does not contain any rule. 
To create or edit multiple rules, 
repeat this step. 
The 

reflective

 keyword is not 

supported.  

Configure or edit a rule description 

 

rule

 

rule-id 

comment

 

text

 

Optional 
By default, an IPv4 advanced ACL 

rule has no rule description.

 

Add or edit a rule range remark 

rule

 [ 

rule-id

 ]

 

remark

 

text

 

Optional 
By default, no rule range remarks 
are configured. 

Содержание S5120-SI Series

Страница 1: ...H3C S5120 SI Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Software version Release 1505 Document version 6W101 20111108...

Страница 2: ...re Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the...

Страница 3: ...t and priority marking This preface includes Audience Added and modified features Conventions About the H3C S5120 SI documentation set Obtaining documentation Technical support Documentation feedback...

Страница 4: ...separated by vertical bars from which you may select multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that sta...

Страница 5: ...stallation Manual Provides a complete guide to hardware installation and hardware specifications Provides regulatory information and the safety instructions that must be followed during installation H...

Страница 6: ...olutions Provides information about products and technologies as well as solutions Technical Support Documents Software Download Provides the documentation released with the software version Technical...

Страница 7: ...lication configuration example 11 IPv6 ACL application configuration example 12 QoS overview 13 Introduction to QoS 13 QoS service models 13 Best effort service model 13 IntServ model 13 DiffServ mode...

Страница 8: ...sures 35 Congestion management techniques 35 Configuring SP queuing 38 Configuration procedure 38 Configuration example 39 Configure WRR queuing 39 Configuration procedure 39 Configuration examples 40...

Страница 9: ...iii Appendix A Default priority mapping tables 52 Appendix B Introduction to packet precedences 53 IP precedence and DSCP values 53 802 1p priority 54 Index 56...

Страница 10: ...s are also used by many modules for example QoS and IP routing for traffic classification and identification ACL applications on the switch An ACL is implemented in hardware or software depending on t...

Страница 11: ...que among all IPv4 ACLs and for an IPv6 basic or advanced ACL among all IPv6 ACLs You can assign an IPv4 ACL the same number and name as an IPv6 ACL Match order The rules in an ACL are sorted in a spe...

Страница 12: ...iterion the IP address matches the criterion All don t care bits are ignored The 0s and 1s in a wildcard mask can be noncontiguous For example 0 255 0 255 is a valid wildcard mask ACL rule comments an...

Страница 13: ...ACL rules You can implement ACL rules based on the time of day by applying a time range to them A time based ACL rule takes effect only in any time periods specified by the time range The following b...

Страница 14: ...of a time range is calculated as follows 1 Combining all periodic statements 2 Combining all absolute statements 3 Taking the intersection of the two statement sets as the active period of the time ra...

Страница 15: ...e an IPv6 basic ACL To do Use the command Remarks Enter system view system view Create an IPv6 basic ACL view and enter its view acl ipv6 number acl6 number name acl6 name match order auto config Requ...

Страница 16: ...cl name acl name command to enter the view of a named IPv4 ACL Configure a description for the IPv4 advanced ACL description text Optional By default an IPv4 advanced ACL has no ACL description Set th...

Страница 17: ...le rule rule id deny permit protocol ack ack value fin fin value psh psh value rst rst value syn syn value urg urg value established destination dest dest prefix dest dest prefix any destination port...

Страница 18: ...k time range time range name Required By default an Ethernet frame header ACL does not contain any rule To create or edit multiple rules repeat this step The lsap keyword is not supported if the ACL i...

Страница 19: ...CLs filter only Layer 3 packets Applying an IPv4 ACL for Packet Filtering Follow these steps to apply an IPv4 ACL for packets filtering To do Use the command Remarks Enter system view system view Ente...

Страница 20: ...ace number inbound slot slot number begin exclude include regular expression Available in any view Display the configuration and status of one or all time ranges display time range time range name all...

Страница 21: ...ffic of GigabitEthernet 1 0 1 on Device A so that every day from 8 00 to 18 00 the interface allows only packets from Host A to pass through Figure 2 Network diagram for applying an IPv6 ACL to an int...

Страница 22: ...ese techniques you can improve QoS effectively QoS service models This section covers the following typical QoS service models Best effort service model IntServ model DiffServ model Best effort servic...

Страница 23: ...rate congestion management and congestion avoidance The following sections briefly introduce these QoS techniques Applying QoS techniques in a network Figure 3 Position of the QoS techniques in a net...

Страница 24: ...when congestion occurs Congestion management usually applies to the outgoing traffic of a port Congestion avoidance monitors the network resource usage and is usually applied to the outgoing traffic o...

Страница 25: ...ch you configure QoS service parameters by using QoS policies A QoS policy defines the shaping policing or other QoS actions to take on different classes of traffic It is a set of class behavior assoc...

Страница 26: ...ps to define a class To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Required By default the operator of a c...

Страница 27: ...on mac mac address Matches a destination MAC address dscp dscp list Matches DSCP values The dscp list argument is a list of up to eight DSCP values A DSCP value can be a number from 0 to 63 or any key...

Страница 28: ...t only as IP when configuring a protocol match criterion Defining a traffic behavior A traffic behavior is a set of QoS actions such as traffic filtering shaping policing and priority marking to take...

Страница 29: ...ass references an ACL for traffic classification you cannot delete or modify the ACL such as add rules to delete rules from and modify rules of the ACL If a QoS policy has been applied to an active us...

Страница 30: ...stem view quit Activate the user profile user profile profile name enable Required Inactive by default NOTE The QoS policies applied in user profile view support only the remark and filter actions Do...

Страница 31: ...me begin exclude include regular expression Available in any view Display QoS policy configuration on the specified or all interfaces display qos policy interface interface type interface number inbou...

Страница 32: ...iorities such as 802 1p priority DSCP EXP IP precedence local precedence and drop precedence Introduction to priorities Priorities fall into the following types priorities carried in packets and prior...

Страница 33: ...adequate for priority mapping If a default priority mapping table cannot meet your requirements you can modify the priority mapping table as required Priority trust mode on a port The priority trust...

Страница 34: ...les Mark the packet with new DSCP precedence and local precedence Port priority NOTE This priority mapping procedure applies in the absence of priority marking If priority marking is configured the de...

Страница 35: ...ort group use the following keywords dot1p Uses the 802 1p priority of received packets for mapping dscp Uses the DSCP precedence of received IP packets for mapping untrust Uses port priority as the 8...

Страница 36: ...ude include regular expression Available in any view Display the trusted packet priority type on a port display qos trust interface interface type interface number begin exclude include regular expres...

Страница 37: ...erver R D department Internet Device GE1 0 3 Marketing department Host Server Host Server Management department Public servers GE1 0 4 GE1 0 5 GE1 0 2 GE1 0 1 Configuration procedure 1 Configure trust...

Страница 38: ...witch named Device to interconnect all its departments The network is described as follows The marketing department connects to GigabitEthernet 1 0 1 of Device which sets the 802 1p priority of traffi...

Страница 39: ...nternet Device GE1 0 3 Marketing department Host Server Host Server Management department Public servers GE1 0 4 GE1 0 5 GE1 0 2 GE1 0 1 Configuration procedure 1 Configure trusting port priority Set...

Страница 40: ...lass http and reference ACL 3000 in the class Device traffic classifier http Device classifier http if match acl 3000 Device classifier http quit Configure a priority marking policy for the management...

Страница 41: ...ehavior rd remark dot1p 3 Device behavior rd quit Device qos policy rd Device qospolicy rd classifier http behavior rd Device qospolicy rd quit Device interface gigabitethernet 1 0 2 Device GigabitEth...

Страница 42: ...igured on an interface all packets to be sent through the interface are handled by the token bucket at line rate When the token bucket has enough tokens packets can be forwarded otherwise packets are...

Страница 43: ...re the inbound or outbound line rate for the interface port group qos lr inbound outbound cir committed information rate Required Configuration example Limit the outbound line rate of GigabitEthernet...

Страница 44: ...sults Increased delay and jitter during packet transmission Decreased network throughput and resource use efficiency Network resource memory in particular exhaustion and system breakdown Congestion is...

Страница 45: ...n descending priority order SP queuing schedules the four queues in the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest prior...

Страница 46: ...ueuing also improves bandwidth resource use efficiency WRR schedules queues in turn and the service time for each queue is not fixed Once a queue is empty WRR schedules the next queue immediately The...

Страница 47: ...e queues in each WRR queuing group according to their weights and then uses SP queuing to schedule the dequeued packets together with the packets in the SP queuing group For example assign queues 0 an...

Страница 48: ...uirements Configure GigabitEthernet 1 0 1 to use SP queuing 2 Configuration procedure Enter system view Sysname system view Configure GigabitEthernet1 0 1 to use SP queuing Sysname interface gigabitet...

Страница 49: ...0 1 Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 qos wrr 0 group 1 weight 10 Sysname GigabitEthernet1 0 1 qos wrr 1 group 1 weight 20 Sysname GigabitEthernet1 0 1 qos wrr 2 gr...

Страница 50: ...WRR queue scheduling group 1 with the weight being 20 Configure queue 2 and queue 3 on GigabitEthernet1 0 1 to be in WRR queue scheduling group 2 with the weight being 10 and 50 respectively 2 Config...

Страница 51: ...e chapter ACL configuration Configuring traffic filtering Follow these steps to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class v...

Страница 52: ...ets with source port 21 and received on GigabitEthernet 1 0 1 Figure 14 Network diagram for traffic filtering configuration Configuration procedure Create advanced ACL 3000 and configure a rule to mat...

Страница 53: ...assifier_1 behavior behavior_1 DeviceA qospolicy policy quit Apply the policy named policy to the incoming traffic of GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEther...

Страница 54: ...riority marking action to set the priority fields or flag bits of the class of packets Configuring priority marking Follow these steps to configure priority marking To do Use the command Remarks Enter...

Страница 55: ...defined behavior name begin exclude include regular expression Optional Available in any view Priority marking configuration example Network requirements As shown in Figure 15 the enterprise network...

Страница 56: ...n the class Device traffic classifier classifier_mserver Device classifier classifier_mserver if match acl 3001 Device classifier classifier_mserver quit Create a class named classifier_fserver and re...

Страница 57: ...licy policy_server classifier classifier_mserver behavior behavior_mserver Device qospolicy policy_server classifier classifier_fserver behavior behavior_fserver Device qospolicy policy_server quit Ap...

Страница 58: ...raffic redirecting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure match criteria if match match c...

Страница 59: ...the QoS performance of your device make sure that you are fully aware of the impacts when enabling the burst function Configuring burst Configuration prerequisites Make sure that the burst function is...

Страница 60: ...51 Figure 16 Network diagram for burst configuration Configuration Procedure Enter system view Switch system view Enable the burst function Switch burst mode enable...

Страница 61: ...ority value dot1p lp mapping dot1p dp mapping 802 1p priority dot1p Local precedence lp Drop precedence dp 0 2 0 1 0 0 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 Table 7 The default dscp dp and dscp dot1p pr...

Страница 62: ...DS field where a DSCP value is represented by the first six bits 0 to 5 and is in the range 0 to 63 The remaining two bits 6 and 7 are reserved Table 8 Description on IP precedence IP precedence decim...

Страница 63: ...lies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 18 An Ethernet frame with an 802 1Q tag header As shown in Figure 18 the four byte 802 1Q tag he...

Страница 64: ...1 Byte 2 0 Byte 3 Byte 4 CFI 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 Table 10 Description on 802 1p priority 802 1p priority decimal 802 1p priority binary Description 0 000 b...

Страница 65: ...recting 49 Congestion management overview 35 D Displaying and maintaining ACLs 1 1 Displaying and maintaining line rate 34 Displaying and maintaining priority mapping 27 Displaying and maintaining QoS...

Отзывы:

Нет отзывов