
Step 2. Create an IPv6 advanced ACL and enter its view.
Command: acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]
Remarks: By default, no ACL exists. The value range for a numbered IPv6 advanced ACL is 3000 to 3999. Use the acl ipv6 advanced acl-number command to enter the view of a numbered IPv6 advanced ACL. Use the acl ipv6 advanced name acl-name command to enter the view of a named IPv6 advanced ACL.

Step 3. (Optional.) Configure a description for the IPv6 advanced ACL.
Command: description text
Remarks: By default, an IPv6 advanced ACL does not have a description.

Step 4. (Optional.) Set the rule numbering step.
Command: step step-value
Remarks: By default, the rule numbering step is 5 and the start rule ID is 0.

Step 5. Create or edit a rule.
Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
Remarks: By default, IPv6 advanced ACL does not contain any rules.

Step 6. (Optional.) Add or edit a rule comment.
Command: rule rule-id comment text
Remarks: By default, no rule comment is configured.
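An added example, not taken from the H3C guide, that walks steps 2 through 6 for a numbered IPv6 advanced ACL. The ACL number 3001, the 2001:db8::/32 documentation prefixes, the rule IDs and the policy itself are assumptions made for illustration; the protocol keywords tcp, icmpv6 and ipv6 and the eq port operator are Comware values that the table above does not list.

```text
system-view
acl ipv6 advanced 3001 match-order config
 description Constructed example: inbound filter for 2001:db8:2::/64
 step 10
 rule 0 deny ipv6 routing type 0
 rule 0 comment Drop packets carrying a type 0 routing header
 rule 10 permit icmpv6 icmp6-type 135 0
 rule 10 comment Neighbor solicitation (type 135, code 0)
 rule 20 permit icmpv6 icmp6-type 136 0
 rule 20 comment Neighbor advertisement (type 136, code 0)
 rule 30 permit tcp established destination 2001:db8:2::/64
 rule 30 comment Return traffic of established TCP sessions
 rule 40 permit tcp source 2001:db8:1::/64 destination 2001:db8:2::10/128 destination-port eq 443
 rule 40 comment HTTPS from the client prefix to one server
 rule 50 deny ipv6
 rule 50 comment Explicit final deny for everything else
 quit
```

With match-order config, rules are evaluated in ascending rule ID, so the narrow deny in rule 0 is checked before any permit. Creating the ACL filters nothing by itself; it takes effect only after it is applied, for example to an interface for packet filtering.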

 

 

Configuring a Layer 2 ACL

Layer 2 ACLs, also called "Ethernet frame header ACLs," match packets based on Layer 2 Ethernet header fields, such as:

- Source MAC address.
- Destination MAC address.
- 802.1p priority (VLAN priority).
- Link layer protocol type.

To configure a Layer 2 ACL:

 

Contents: WX5500H series

Page 1: ...H3C Access Controllers ACL and QoS Configuration Guide New H3C Technologies Co Ltd http www h3c com hk Document version 6W101 20171122...
