H3C S5120-EI Series Ethernet Switches. ACL and QoS. Configuration Guide. Hangzhou H3C Technologies Co., Ltd.

Transcription

1 H3C S5120-EI Series Ethernet Switches ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. Document Version: 6W Product Version: Release 2202

2 Copyright , Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks H3C,, Aolynk,, H 3 Care,, TOP G,, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V 2 G, V n G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

3 Preface The H3C S5120-EI documentation set includes 10 configuration guides, which describe the software features for the S5120-EI Series Ethernet Switches and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios. The ACL and QoS Configuration Guide describes fundamentals and configuration of ACL and QoS. It describes how to create IPv4 ACL and IPv6 ACL, use ACL for packet filtering, use QoS polices to control traffic, and configure common QoS techniques such as traffic policing, traffic shaping, and congestion management. This preface includes: Audience Document Organization Conventions About the H3C S5120-EI Documentation Set Obtaining Documentation Documentation Feedback Audience This documentation set is intended for: Network planners Field technical support and servicing engineers Network administrators working with the S5120-EI series Document Organization The ACL and QoS Configuration Guide comprises these parts: ACL Configuration QoS Overview QoS Configuration Approaches Priority Mapping Configuration Traffic Policing, Traffic Shaping, and Line Rate Configuration Congestion Management Configuration Traffic Filtering Configuration Priority Marking Configuration Traffic Redirecting Configuration Class-Based Accounting Configuration Appendix A Default Priority Mapping Tables Appendix B Introduction to Packet Precedences Conventions This section describes the conventions used in this documentation set. Command conventions Boldface italic Convention Description Bold text represents commands and keywords that you enter literally as shown. Italic text represents arguments that you replace with actual values.

4 Convention Description [ ] { x y... } [ x y... ] { x y... } * [ x y... ] * &<1-n> Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none. The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. # A line that starts with a pound (#) sign is comments. GUI conventions Boldface > Convention Description Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK. Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols Convention Description Means reader be careful. Improper operation may cause data loss or damage to equipment. Means a complementary description. About the H3C S5120-EI Documentation Set The H3C S5120-EI documentation set also includes: Category Documents Purposes Product description and specifications Marketing brochures Technology white papers RPS User Manual RPS Ordering Information for H3C Low-End Ethernet Switches H3C Low End Series Ethernet Switches Pluggable Modules Manual Describe product specifications and benefits. Provide an in-depth description of software features and technologies. Describes the appearances, features, and specifications of the RPS units available for the products. Provides the RPS and switch compatibility matrix and RPS cable specifications. Describes the models, appearances, and specifications of the pluggable modules available for the products.

5 Category Documents Purposes Hardware installation Software configuration Operations and maintenance Interface Card User Manual S5120-EI Series Ethernet Switches Installation Manual Pluggable SFP[SFP+][XFP] Transceiver Modules Installation Guide Interface Card User Manual Configuration guides Command references H3C Series Ethernet Switches Login Password Recovery Manual Release notes Describes the appearance and specifications of the interface card. Provides a complete guide to hardware installation and hardware specifications. Provides regulatory information and the safety instructions that must be followed during installation. Guides you through installing SFP/SFP+/XFP transceiver modules. Describes how to install the interface card. Describe software features and configuration procedures. Provide a quick reference to all available commands. Tells how to find the lost password or recover the password when the login password is lost. Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading. Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation. [Products & Solutions] Provides information about products and technologies, as well as solutions. [Technical Support & Documents > Software Download] Provides the documentation released with the software version. Documentation Feedback You can your comments about product documentation to info@h3c.com. We appreciate your comments.

6 Table of Contents 1 ACL Configuration 1-1 ACL Overview 1-1 Introduction to ACL 1-1 Application of ACLs on the Switch 1-2 ACL Classification 1-2 ACL Numbering and Naming 1-3 Match Order 1-3 ACL Rule Numbering Step 1-4 Implementing Time-Based ACL Rules 1-5 IPv4 Fragments Filtering with ACLs 1-5 ACL Configuration Task List 1-5 Configuring an ACL 1-6 Creating a Time Range 1-6 Configuring a Basic ACL 1-6 Configuring an Advanced ACL 1-9 Configuring an Ethernet Frame Header ACL 1-12 Copying an ACL 1-13 Applying an ACL for Packet Filtering 1-14 Displaying and Maintaining ACLs 1-15 ACL Configuration Examples 1-16 IPv4 ACL Application Configuration Example 1-16 IPv6 ACL Application Configuration Example QoS Overview 2-1 Introduction to QoS 2-1 Introduction to QoS Service Models 2-1 Best-Effort Service Model 2-1 IntServ Service Model 2-1 DiffServ Service Model 2-2 QoS Techniques Overview 2-2 Positions of the QoS Techniques in a Network QoS Configuration Approaches 3-1 QoS Configuration Approach Overview 3-1 Non Policy-Based Configuration 3-1 Policy-Based Configuration 3-1 Configuring a QoS Policy 3-1 Defining a Class 3-2 Defining a Traffic Behavior 3-4 Defining a Policy 3-5 Applying the QoS Policy 3-5 Displaying and Maintaining QoS Policies 3-8 i

7 4 Priority Mapping Configuration 4-1 Priority Mapping Overview 4-1 Introduction to Priority Mapping 4-1 Priority Mapping Tables 4-1 Priority Trust Mode on a Port 4-2 Priority Mapping Procedure 4-2 Priority Mapping Configuration Tasks 4-3 Configuring Priority Mapping 4-4 Configuring a Priority Mapping Table 4-4 Configuring the Priority Trust Mode on a Port 4-4 Configuring the Port Priority of a Port 4-5 Displaying and Maintaining Priority Mapping 4-6 Priority Mapping Configuration Examples 4-6 Priority Mapping Table and Priority Marking Configuration Example Traffic Policing, Traffic Shaping, and Line Rate Configuration 5-1 Traffic Policing and Line Rate Overview 5-1 Traffic Evaluation and Token Buckets 5-1 Traffic Policing 5-2 Traffic Shaping 5-3 Line Rate 5-4 Configuring Traffic Policing 5-4 Configuration Procedure 5-4 Configuration Example 5-5 Configuring GTS 5-6 Configuration Procedure 5-6 Configuration Example 5-6 Configuring the Line Rate 5-6 Configuration Procedure 5-6 Configuration Example 5-7 Displaying and Maintaining Traffic Policing, GTS, and Line Rate Congestion Management Configuration 6-1 Congestion Management Overview 6-1 Causes, Impacts, and Countermeasures of Congestion 6-1 Congestion Management Policies 6-2 Congestion Management Configuration Approaches 6-4 Configuring Congestion Management 6-5 Configuring SP Queuing 6-5 Configure WRR Queuing 6-6 Configuring WFQ Queuing 6-7 Configuring SP+WRR Queues 6-8 Configuration Example 6-8 Displaying and Maintaining Congestion Management Traffic Filtering Configuration 7-1 Traffic Filtering Overview 7-1 Configuring Traffic Filtering 7-1 ii

8 Traffic Filtering Configuration Example 7-2 Traffic Filtering Configuration Example Priority Marking Configuration 8-1 Priority Marking Overview 8-1 Configuring Priority Marking 8-1 Priority Marking Configuration Example 8-2 Priority Marking Configuration Example Traffic Redirecting Configuration 9-1 Traffic Redirecting Overview 9-1 Traffic Redirecting 9-1 Configuring Traffic Redirecting Class-Based Accounting Configuration 10-1 Class-Based Accounting Overview 10-1 Configuring Class-Based Accounting 10-1 Displaying and Maintaining Traffic Accounting 10-2 Class-Based Accounting Configuration Example 10-2 Class-Based Accounting Configuration Example Appendix A Default Priority Mapping Tables Appendix B Introduction to Packet Precedences 12-1 IP Precedence and DSCP Values p Priority Index 13-1 iii

9 1 ACL Configuration This chapter includes these sections: ACL Overview ACL Configuration Task List Configuring an ACL Creating a Time Range Configuring a Basic ACL Configuring an Advanced ACL Configuring an Ethernet Frame Header ACL Copying an ACL Displaying and Maintaining ACLs ACL Configuration Examples Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. ACL Overview This section covers these topics: Introduction to ACL Application of ACLs on the Switch ACL Classification ACL Numbering and Naming Match Order Implementing Time-Based ACL Rules IPv4 Fragments Filtering with ACLs Introduction to ACL As network scale and network traffic are increasingly growing, network security and bandwidth allocation become more and more critical to network management. Packet filtering can be used to efficiently prevent illegal users from accessing networks and to control network traffic and save network resources. Access control lists (ACL) are often used to filter packets with configured matching rules. 1-1

10 ACLs are sets of rules (or sets of permit or deny statements) that decide what packets can pass and what should be rejected based on matching criteria such as source MAC address, destination MAC address, source IP address, destination IP address, and port number. Application of ACLs on the Switch The switch supports two ACL application modes: Hardware-based application: An ACL is assigned to a piece of hardware. For example, an ACL can be referenced by QoS for traffic classification. Note that when an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS. For details about traffic behavior, see QoS Configuration Approaches in the ACL and QoS Configuration Guide. Software-based application: An ACL is referenced by a piece of upper layer software. For example, an ACL can be referenced to configure login user control behavior, thus controlling Telnet, SNMP and Web users. Note that when an ACL is reference by the upper layer software, actions to be taken on packets matching the ACL depend on those defined by the ACL rules. For details about login user control, see User Login Control in the Fundamentals Configuration Guide. When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic classification, the switch does not take action according to the traffic behavior definition on a packet that does not match the ACL. When an ACL is referenced by a piece of software to control Telnet, SNMP, and Web login users, the switch denies all packets that do not match the ACL. For details of ACL application for packet filtering, see Applying an ACL for Packet Filtering. ACL Classification ACLs fall into three categories, as shown in Table 1-1. Table 1-1 ACL categories Category ACL number IP version Match criteria Basic ACLs 2000 to 2999 IPv4 IPv6 Source IPv4 address Source IPv6 address Advanced ACLs 3000 to 3999 IPv4 Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields 1-2

11 Category ACL number IP version Match criteria IPv6 Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields Ethernet frame header ACLs 4000 to 4999 IPv4 and IPv6 Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type ACL Numbering and Naming Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number for identification, and in addition, you can also assign the ACL a name for the ease of identification. After creating an ACL with a name, you can neither rename it nor delete its name. For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL and an IPv6 ACL the same number and name. Match Order The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order. Two ACL match orders are available: config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, check the rules and their order carefully. auto: Sorts ACL rules in depth-first order, as described in Table 1-2. The depth-first order varies with ACL categories. Table 1-2 Sorting ACL rules in depth-first order ACL category IPv4 basic ACL IPv4 advanced ACL Depth-first rule sorting procedures 1) A rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range. 2) A rule with a smaller ID takes precedence. 1) A rule configured with a specific protocol is prior to a rule with the protocol type set to IP. IP represents any protocol over IP. 2) A rule with more 0s in the source IP address wildcard mask takes precedence. More 0s means a narrower IP address range. 3) A rule with more 0s in the destination IP address wildcard mask takes precedence. 4) A rule with a narrower TCP/UDP service port number range takes precedence. 5) A rule with a smaller ID takes precedence. 1-3

12 ACL category IPv6 basic ACL IPv6 advanced ACL Depth-first rule sorting procedures 1) A rule configured with a longer prefix for the source IP address takes precedence. A longer prefix means a narrower IP address range. 2) A rule with a smaller ID takes precedence. 1) A rule configured with a specific protocol is prior to a rule with the protocol type set to IP. IP represents any protocol over IPv6. 2) A rule configured with a longer prefix for the source IPv6 address has a higher priority. 3) A rule configured with a longer prefix for the destination IPv6 address takes precedence. 4) A rule with a narrower TCP/UDP service port number range takes precedence. 5) A rule with a smaller ID takes precedence. Ethernet frame header ACL 1) A rule with more 1s in the source MAC address mask takes precedence. More 1s means a smaller MAC address. 2) A rule with more 1s in the destination MAC address mask takes precedence. 3) A rule with a smaller ID takes precedence. A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent do care bits, while the 1 bits represent 'don t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an IP address criterion, the IP address matches the criterion. All 'don t care' bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, is a valid wildcard mask. With wildcard masks, you can create more granular match criteria than network masks. ACL Rule Numbering Step What is the ACL rule numbering step If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system numbers rules automatically. For example, the default ACL rule numbering step is 5. If you do assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID. Automatic rule numbering and re-numbering The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with

13 For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule will be numbered 0. Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6 and 8. Likewise, after you restore the default step, ACL rules are renumbered in the default step. Assume that there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the rules are renumbered 0, 5, 15, and 15. Implementing Time-Based ACL Rules You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only in any time periods specified by the time range. Two basic types of time range are available: Periodic time range, which recurs periodically on a day or days of the week. Absolute time range, which represents only a period of time and does not recur. You may apply a time range to ACL rules before or after you create it. However, the rules using the time range can take effect only after you define the time range. IPv4 Fragments Filtering with ACLs Traditional packet filtering matched only first fragments of IPv4 packets, and allowed all subsequent non-first fragments to pass through. This mechanism resulted in security risks, because attackers may fabricate non-first fragments to attack networks. As for the configuration of a rule of an IPv4 ACL, the fragment keyword specifies that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or the first fragment packets. ACL rules that do not contain this keyword is applicable to both non-fragment packets and fragment packets. ACL Configuration Task List IPv4 configuration task list Complete the following tasks to configure an IPv4 ACL: Task Remarks Creating a Time Range Configuring an IPv4 basic ACL Configuring an IPv4 advanced ACL Configuring an Ethernet Frame Header ACL Copying an IPv4 ACL Applying an IPv4 ACL for Packet Filtering Configure at least one task 1-5

14 IPv6 ACL configuration task list Complete the following tasks to configure an IPv6 ACL: Task Remarks Creating a Time Range Configuring an IPv6 basic ACL Configuring an IPv6 Advanced ACL Configuring an Ethernet Frame Header ACL Copying an IPv6 ACL Applying an IPv6 ACL for Packet Filtering Configure at least one task Configuring an ACL Creating a Time Range Follow these steps to create a time range: To do Use the command Remarks Enter system view system-view Create a time range time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] from time1 date1 [ to time2 date2 ] to time2 date2 } By default, no time range exists. You may create time ranges identified with the same name. They are regarded as one time range whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic and absolute ones. You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at most and 12 absolute time ranges at most. Configuring a Basic ACL Configuring an IPv4 basic ACL IPv4 basic ACLs match packets based on only source IP address. Follow these steps to configure an IPv4 basic ACL: To do Use the command Remarks Enter system view system-view 1-6

15 To do Use the command Remarks By default, no ACL exists. Create an IPv4 basic ACL and enter its view acl number acl-number [ name acl-name ] [ match-order { auto config } ] IPv4 basic ACLs are numbered in the range 2000 to You can use the acl name acl-name command to enter the view of an existing named IPv4 ACL. Configure a description for the IPv4 basic ACL description text By default, an IPv4 basic ACL has no ACL description. Set the rule numbering step step step-value 5 by default. Create or edit a rule rule [ rule-id ] { deny permit } [ fragment logging source { sour-addr sour-wildcard any } time-range time-range-name ] * By default, an IPv4 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. Note that the logging keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification. Configure or edit a rule description rule rule-id comment text By default, an IPv4 ACL rule has no rule description. Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. 1-7

16 You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto config } command but only when it does not contain any rules. Configuring an IPv6 basic ACL Follow these steps to configure an IPv6 basic ACL: To do Use the command Remarks Enter system view system-view By default, no ACL exists. Create an IPv6 basic ACL view and enter its view acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto config } ] IPv6 basic ACLs are numbered in the range 2000 to You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL. Configure a description for the IPv6 basic ACL description text By default, an IPv6 basic ACL has no ACL description. Set the rule numbering step step step-value 5 by default Create or edit a rule rule [ rule-id ] { deny permit } [ fragment logging source { ipv6-address prefix-length ipv6-address/prefix-length any } time-range time-range-name ]* By default, an IPv6 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. Note that the logging and fragment keywords are not supported if the ACL is to be referenced by a QoS policy for traffic classification. Configure or edit a rule description rule rule-id comment text By default, an IPv6 basic ACL rule has no rule description. Note that: 1-8

17 You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto config } command but only when it does not contain any rules. Configuring an Advanced ACL Configuring an IPv4 advanced ACL IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes. IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority. Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering. Follow these steps to configure an IPv4 advanced ACL: To do Use the command Remarks Enter system view system-view By default, no ACL exists. Create an IPv4 advanced ACL and enter its view acl number acl-number [ name acl-name ] [ match-order { auto config } ] IPv4 advanced ACLs are numbered in the range 3000 to You can use the acl name acl-name command to enter the view of an existing named IPv4 ACL. Configure a description for the IPv4 advanced ACL description text By default, an IPv4 advanced ACL has no ACL description. Set the rule numbering step step step-value 5 by default. 1-9

18 To do Use the command Remarks Create or edit a rule rule [ rule-id ] { deny permit } protocol [ { established { ack ack-value fin fin-value psh psh-value rst rst-value syn syn-value urg urg-value } * } destination { dest-addr dest-wildcard any } destination-port operator port1 [ port2 ] dscp dscp fragment icmp-type { icmp-type icmp-code icmp-message } logging precedence precedence reflective source { sour-addr sour-wildcard any } source-port operator port1 [ port2 ] time-range time-range-name tos tos ] * By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. Notes that the reflective keyword is not supported. Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging keyword is not supported and the operator argument cannot be neq. Configure or edit a rule description rule rule-id comment text By default, an IPv4 ACL rule has no rule description. Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto config } command but only when it does not contain any rules. Configuring an IPv6 Advanced ACL IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code. Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering. 1-10

19 Follow these steps to configure an IPv6 advanced ACL: To do Use the command Remarks Enter system view system-view By default, no ACL exists. Create an IPv6 advanced ACL and enter its view acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto config } ] IPv6 advanced ACLs are numbered in the range 3000 to You can use the acl ipv6 name acl6-name command to enter the view of an existing named IPv6 ACL. Configure a description for the IPv6 advanced ACL description text By default, an IPv6 advanced ACL has no ACL description. Set the rule numbering step step step-value 5 by default. Create or edit a rule Configure or edit a rule description rule [ rule-id ] { deny permit } protocol [ { established { ack ack-value fin fin-value psh psh-value rst rst-value syn syn-value urg urg-value } * } destination { dest dest-prefix dest/dest-prefix any } destination-port operator port1 [ port2 ] dscp dscp fragment icmpv6-type { icmpv6-type icmpv6-code icmpv6-message } logging source { source source-prefix source/source-prefix any } source-port operator port1 [ port2 ] time-range time-range-name ] * rule rule-id comment text By default IPv6 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. Note that if the ACL is to be referenced by a QoS policy for traffic classification, the logging and fragment keywords are not supported and the operator argument cannot be neq. By default, an IPv6 ACL rule has no rule description. 1-11

20 Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto config } command but only when it does not contain any rules. Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. Follow these steps to configure an Ethernet frame header ACL: To do Use the command Remarks Enter system view system-view By default, no ACL exists. Create an Ethernet frame header ACL and enter its view acl number acl-number [ name acl-name ] [ match-order { auto config } ] Ethernet frame header ACLs are numbered in the range 4000 to You can use the acl name acl-name command to enter the view of an existing named Ethernet frame header ACL. Configure a description for the Ethernet frame header ACL description text By default, an Ethernet frame header ACL has no ACL description. Set the rule numbering step step step-value 5 by default. 1-12

21 To do Use the command Remarks Create or edit a rule rule [ rule-id ] { deny permit } [ cos vlan-pri dest-mac dest-addr dest-mask lsap lsap-code lsap-wildcard source-mac sour-addr source-mask time-range time-range-name type type-code type-wildcard ]* By default, an Ethernet frame header ACL does not contain any rule. To create or edit multiple rules, repeat this step. Note that the lsap keyword is not supported if the ACL is to be referenced by a QoS policy for traffic classification. Configure or edit a rule description rule rule-id comment text By default, an Ethernet frame header ACL rule has no rule description. Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto config } command but only when it does not contain any rules. Copying an ACL You can create an ACL by copying an existing ACL. The new ACL has the same properties and content as the source ACL except the ACL number and name. To copy an IPv4 or IPv6 ACL successfully, ensure that: The destination ACL number is from the same category as the source ACL number. The source IPv4 or IPv6 ACL already exits but the destination IPv4 or IPv6 ACL does not. Copying an IPv4 ACL Follow these steps to copy an IPv4 ACL: 1-13

22 To do Use the command Remarks Enter system view system-view Copy an existing IPv4 ACL to create a new IPv4 ACL acl copy { source-acl-number name source-acl-name } to { dest-acl-number name dest-acl-name } Copying an IPv6 ACL Follow these steps to copy an IPv6 ACL: To do Use the command Remarks Enter system view system-view Copy an existing IPv6 ACL to generate a new one of the same category acl ipv6 copy { source-acl6-number name source-acl6-name } to { dest-acl6-number name dest-acl6-name } The generated ACL does not take the name of the source ACL. Applying an ACL for Packet Filtering You can apply an ACL to filter incoming IPv4 or IPv6 packets. Configure an interval for generating and outputting packet filtering logs. The log information includes the number of matching packets and the ACL rules used in an interval. ACLs on VLAN interfaces filter only packets forwarded at Layer 3. The system logs only traffic for basic and advanced ACL rules that have the logging keyword. The packet filtering logs are sent with the informational severity level to the information center. For information about the information center, see Information Center Configuration in the Network Management and Monitoring Configuration Guide. Applying an IPv4 ACL for Packet Filtering Follow these steps to apply an IPv4 ACL for packets filtering: 1-14

23 To do Use the command Remarks Enter system view system-view Enter Ethernet interface view or VLAN interface view interface interface-type interface-number Apply an IPv4 ACL to the interface to filter IPv4 packets packet-filter { acl-number name acl-name } inbound By default, no IPv4 ACL is applied to the interface. Exit to system view quit Set the interval for generating and outputting IPv4 packet filtering logs acl logging frequence frequence By default, the interval is 0. No IPv4 packet filtering logs are generated. Applying an IPv6 ACL for Packet Filtering Follow these steps to apply an IPv6 ACL for packet filtering: To do Use the command Remarks Enter system view system-view Enter interface view interface interface-type interface-number Apply an IPv6 ACL to the interface to filter IPv6 packets packet-filter ipv6 { acl6-number name acl6-name } inbound By default, no IPv6 ACL is applied to the interface. Exit to system view quit Set the interval for generating and outputting IPv6 packet filtering logs acl ipv6 logging frequence frequence By default, the interval is 0. No IPv6 packet filtering logs are generated. Displaying and Maintaining ACLs To do... Use the command Remarks Display configuration and match statistics for one or all IPv4 ACLs display acl { acl-number all name acl-name } Available in any view 1-15

24 To do... Use the command Remarks Display configuration and match statistics for one or all IPv6 ACLs Display the usage of ACL resources Display the configuration and status of one or all time ranges Clear statistics on one or all IPv4 ACLs Clear statistics on one or all IPv6 basic and advanced ACLs display acl ipv6 { acl6-number all name acl6-name } display acl resource [ slot slot-number ] display time-range { time-range-name all } reset acl counter { acl-number all name acl-name } reset acl ipv6 counter { acl6-number all name acl6-name } Available in any view Available in any view Available in any view Available in user view Available in user view ACL Configuration Examples IPv4 ACL Application Configuration Example Network requirements As shown in Figure 1-1, apply an ACL to the inbound direction of interface GigabitEthernet 1/0/1 on Device A so that everyday from 8:00 to 18:00, the interface allows only packets sourced from Host A to pass. Configure Device A to output IPv4 packet filtering logs to the console at an interval of 10 minutes. Figure 1-1 Network diagram for applying an IPv4 ACL to an interface for packet filtering Configuration procedure # Create a time range from 08:00 to 18:00 everyday. <DeviceA> system-view [DeviceA] time-range study 8:00 to 18:00 daily # Create IPv4 ACL 2009, and configure two rules in the ACL. One permits packets sourced from Host A at and the other denies packets sourced from any other host during the time range study. Enable logging for both rules. [DeviceA] acl number 2009 [DeviceA-acl-basic-2009] rule permit source time-range study logging [DeviceA-acl-basic-2009] rule deny source any time-range study logging [DeviceA-acl-basic-2009] quit # Apply IPv4 ACL 2009 to filter incoming packets on GigabitEthernet 1/0/

25 [DeviceA] interface GigabitEthernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound [DeviceA-GigabitEthernet1/0/1] quit # Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals. [DeviceA] acl logging frequence 10 # Configure the device to output informational log messages to the console. [DeviceA] info-center source default channel 0 log level informational IPv6 ACL Application Configuration Example Network requirements As shown in Figure 1-2, apply an IPv6 ACL to the incoming traffic of GigabitEthernet 1/0/1 on Device A, so that everyday from 8:00 to 18:00, the interface allows only packets from Host A to pass through. Configure Device A to output IPv4 packet filtering logs to the console at an interval of 10 minutes. Figure 1-2 Network diagram for applying an IPv6 ACL to an interface for packet filtering Configuration procedure # Create a time range from 08:00 to 18:00 everyday. <DeviceA> system-view [DeviceA] time-range study 8:0 to 18:0 daily # Create IPv4 ACL 2009, and configure two rules for the ACL. One permits packets sourced from Host A with the IP address 1001::2 and the other denies packets sourced from any other host during the time range study. Enable logging for both rules. [DeviceA] acl ipv6 number 2009 [DeviceA-acl6-basic-2009] rule permit source 1001::2 128 time-range study logging [DeviceA-acl6-basic-2009] rule deny source any time-range study logging [DeviceA-acl6-basic-2009] quit # Apply IPv4 ACL 2009 to filter incoming packets on GigabitEthernet 1/0/1. [DeviceA] interface GigabitEthernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] packet-filter ipv inbound [DeviceA-GigabitEthernet1/0/1] quit # Configure the device to collect and output IPv4 packet filtering logs at an interval of 10 minutes. [DeviceA] acl ipv6 logging frequence 10 # Configure the device to output informational log messages to the console. [DeviceA] info-center source default channel 0 log level informational 1-17

26 2 QoS Overview This chapter covers the following topics: Introduction to QoS Introduction to QoS Service Models QoS Techniques Overview Introduction to QoS For network traffic, the Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during traffic forwarding process. In a network, you can improve the QoS by guaranteeing the bandwidth, and reducing the delay, jitter, and packet loss rate. The network resources are always scarce. QoS requirements exist on any occasion where traffic flows contend for network resources. QoS is a relative concept for traffic flows, that is, guaranteeing QoS for a certain traffic flow may damage QoS of other traffic flows. For example, in the case of fixed bandwidth, if a traffic flow gets more bandwidth, the other traffic flows will get less bandwidth and may be affected. Therefore, the network administrator should reasonably plan and allocate network resources based on the characteristics of various traffic flows, thus utilizing the network resources effectively. The following part introduces the QoS service models, and some mature QoS techniques used most widely. Using these techniques reasonably in the specific environments, you can improve the QoS effectively. Introduction to QoS Service Models This section covers three typical QoS service models: Best-effort service Integrated service (IntServ) Differentiated service (DiffServ) Best-Effort Service Model Best effort is a single service model and also the simplest service model. In the best effort service model, the network delivers the packets at its best effort but does not guarantee delay or reliability. The best-effort service model is the default model in the Internet and is applicable to most network applications. It is implemented through FIFO queuing. IntServ Service Model IntServ is a multiple services model that can accommodate multiple QoS requirements. In this model, an application must request a specific kind of service from the network before it can send data. The request is made by RSVP signaling. RSVP runs on each device from the source end to the destination end, and monitors each data flow to prevent each data flow from consuming more resources than the 2-1

27 requested, reserved, and pre-purchased resources. The Inter-Serv model can definitely identify and guarantee QoS for each data flow, and provides the most granularly differentiated QoS. However, the Inter-Serv model imposes extremely high requirements on devices. In a network with heavy data traffic, the Inter-Serv model imposes very great pressure on the storage and processing capabilities of devices. On the other hand, the Inter-Serv model is poor in scalability, and therefore, it is hard to be deployed in the core Internet network. DiffServ Service Model DiffServ is a multiple services model that can satisfy diverse QoS requirements. Unlike IntServ, DiffServ does not require an application to signal the network to reserve resources before sending data. DiffServ is easy to implement and extend. All QoS techniques mentioned in this document are based on the Diff-Serv model. QoS Techniques Overview The QoS techniques include traffic classification, traffic policing, traffic shaping, line rate, congestion management, and congestion avoidance. The following part briefly introduces these QoS techniques. Positions of the QoS Techniques in a Network Figure 2-1 Positions of the QoS techniques in a network As shown in Figure 2-1, traffic classification, traffic shaping, traffic policing, congestion management, and congestion avoidance mainly implement the following functions: Traffic classification uses certain match criteria to organize packets with different characteristics into different classes. Traffic classification is the basis for providing differentiated services. Traffic policing polices particular flows entering or leaving a device according to configured specifications and can be applied in both inbound and outbound directions of a port. When a flow exceeds the specification, some restriction or punishment measures can be taken to prevent overconsumption of network resources. 2-2

28 Traffic shaping proactively adjusts the output rate of traffic to adapt traffic to the network resources of the downstream device and avoid unnecessary packet drop. Traffic shaping is usually applied to the outgoing traffic of a port. Congestion management provides a resource scheduling policy to arrange the forwarding sequence of packets when congestion occurs. Congestion management is usually applied to the outgoing traffic of a port. Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets. 2-3

29 3 QoS Configuration Approaches This chapter covers the following topics: QoS Configuration Approach Overview Configuring a QoS Policy QoS Configuration Approach Overview Two approaches are available for you to configure QoS: policy-based and non policy-based. Some QoS features can be configured in either approach while some can be configured only in one approach. Non Policy-Based Configuration In the non policy-based approach, you configure QoS service parameters without using a QoS policy. For example, to rate limit an interface, you can use the line rate feature to directly configure a rate limit on the interface rather than using a QoS policy. Policy-Based Configuration In the policy-based approach, QoS service parameters are configured through configuring QoS policies. A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing. Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy. Class Classes are used to identify traffic. A class is identified by a class name and contains some match criteria for traffic identification. The relationship between the criteria is AND or OR. AND: A packet is considered as belonging to a class only when the packet matches all the criteria in the class. OR: A packet is considered as belonging to a class if it matches any of the criteria in the class. Traffic behavior A traffic behavior defines a set of QoS actions to take on packets, such as priority marking and traffic redirecting. Policy A policy associates a class with a traffic behavior to define what actions to take on which class of traffic. You can configure multiple class-behavior associations in a policy. Configuring a QoS Policy Figure 3-1 shows how to configure a QoS policy. 3-1

30 Figure 3-1 QoS policy configuration procedure Define a class Define a behavior Define a policy Apply the policy Apply the policy to an interface Apply the policy to online users Apply the policy to a VLAN Apply the policy globally Defining a Class To define a class, you need to specify a name for it and then configure match criteria in class view. Follow these steps to define a class: To do Use the command Remarks Enter system view system-view Create a class and enter class view traffic classifier tcl-name [ operator { and or } ] By default, the relationship between match criteria is AND. Configure match criteria if-match match-criteria match-criteria: Match criterion. Table 3-1 shows the available criteria. 3-2

31 Table 3-1 The keyword and argument combinations for the match-criteria argument Form Description Matches an ACL acl [ ipv6 ] { acl-number name acl-name } any customer-dot1p 8021p-list customer-vlan-id { vlan-id-list vlan-id1 to vlan-id2 } destination-mac mac-address dscp dscp-list ip-precedence ip-precedence-list protocol protocol-name service-dot1p 8021p-list service-vlan-id { vlan-id-list vlan-id1 to vlan-id2 } source-mac mac-address The acl-number argument ranges from 2000 to 4999 for an IPv4 ACL, and 2000 to 3999 for an IPv6 ACL. The acl-name argument is a case-insensitive string of 1 to 32 characters, which must start with an English letter from a to z or A to Z, and cannot be all to avoid confusion. Matches all packets Matches the 802.1p priority of the customer network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority ranges from 0 to 7. Matches the VLAN IDs of customer networks. The vlan-id-list argument is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to Matches a destination MAC address Matches DSCP values. The dscp-list argument is a list of up to 8 DSCP values. A DSCP value can be a number from 0 to 63 or any keyword in Table Matches IP precedence. The ip-precedence-list argument is a list of up to 8 IP precedence values. An IP precedence ranges from 0 to 7. Matches a protocol. The protocol-name argument can be IP or IPv6. Matches the 802.1p priority of the service provider network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority ranges from 0 to 7. Matches the VLAN IDs of ISP networks. The vlan-id-list is a list of up to 8 VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to Matches a source MAC address 3-3

32 Suppose the logical relationship between classification rules is and. Note the following when using the if-match command to define matching rules. If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules is or when the policy is applied. If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are defined in a class, the actual logical relationship between these rules is or. The matching criteria listed below must be unique in a traffic class with the operator being AND. Therefore, even though you can define multiple if-match clauses for these matching criteria or input multiple values for a list argument (such as the 8021p-list argument) listed below in a traffic class, avoid doing that. Otherwise, the QoS policy referencing the class cannot be applied to interfaces successfully. customer-dot1p 8021p-list destination-mac mac-address dscp dscp-list ip-precedence ip-precedence-list service-dot1p 8021p-list source-mac mac-address To create multiple if-match clauses or specify multiple values for a list argument for any of the matching criteria listed above, ensure that the operator of the class is OR. Defining a Traffic Behavior To define a traffic behavior, you must first create it and then configure QoS actions such as priority marking and redirect in traffic behavior view. Follow these steps to define a traffic behavior: To do Use the command Remarks Enter system view system-view Create a traffic behavior and enter traffic behavior view traffic behavior behavior-name Configure other actions in the traffic behavior See the subsequent sections depending on the purpose of the traffic behavior: traffic policing, traffic filtering, traffic redirecting, priority marking, traffic accounting and so on. 3-4