H3C SR6600 Routers. ACL and QoS Configuration Guide. Hangzhou H3C Technologies Co., Ltd.


H3C SR6600 Routers
ACL and QoS Configuration Guide

Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com

Software version: SR6600-CMW520-R2603
Document version: 20110627-C-1.11

Copyright 2007-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C SR6600 documentation set includes 13 configuration guides, which describe the software features for the H3C SR6600 Routers and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.

The ACL and QoS Configuration Guide describes fundamentals and configuration for QoS-related features, including traffic classification, traffic policing, traffic shaping, QoS policy, congestion management, congestion avoidance, priority mapping, hardware congestion management, EACL, DAR, MPLS QoS, and FR QoS.

This preface includes:
  Audience
  Conventions
  About the H3C SR6600 documentation set
  Obtaining documentation
  Technical support
  Documentation feedback

Audience

This documentation is intended for:
  Network planners
  Field technical support and servicing engineers
  Network administrators working with the SR6600

Conventions

This section describes the conventions used in this documentation set.

Command conventions

  Convention          Description
  Boldface            Bold text represents commands and keywords that you enter literally as shown.
  Italic              Italic text represents arguments that you replace with actual values.
  [ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
  { x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
  [ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
  { x | y | ... } *   Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

  [ x | y | ... ] *   Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
  &<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
  #                   A line that starts with a pound (#) sign is comments.

Symbols

  Convention   Description
  WARNING      An alert that calls attention to important information that if not understood or followed can result in personal injury.
  CAUTION      An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
  IMPORTANT    An alert that calls attention to essential information.
  NOTE         An alert that contains additional or supplementary information.
  TIP          An alert that provides helpful information.

About the H3C SR6600 documentation set

The H3C SR6600 documentation set includes:

  Category: Product description and specifications
    Marketing brochures            Describe product specifications and benefits.
    Technology white papers        Provide an in-depth description of software features and technologies.
    Card datasheets                Describe card specifications, features, and standards.

  Category: Hardware specifications and installation
    Compliance and safety manual   Provides regulatory information and the safety instructions that must be followed during installation.
    Installation guide             Provides a complete guide to hardware installation and hardware specifications.
    Card manuals                   Provide the hardware specifications of cards.
    H3C N68 Cabinet Installation and Remodel Introduction   Guides you through installing and remodeling H3C N68 cabinets.

  Category: Software configuration
    Configuration guides           Describe software features and configuration procedures.
    Command references             Provide a quick reference to all available commands.

  Category: Operations and maintenance
    H3C SR6602 Release notes       Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
    H3C SR6608 Release notes

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:
  [Technical Support & Documents > Technical Documents]: Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation.
  [Products & Solutions]: Provides information about products and technologies, as well as solutions.
  [Technical Support & Documents > Software Download]: Provides the documentation released with the software version.

Technical support

customer_service@h3c.com
http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Contents ACL configuration 1 ACL overview 1 ACL categories 1 ACL numbering and naming 1 Match order 2 ACL rule numbering 3 Implementing time-based ACL rules 3 IPv4 fragments filtering with ACLs 3 ACL application 3 ACL configuration task list 4 Configuring an ACL 4 Configuring a time range 4 Configuring a basic ACL 5 Configuring an advanced ACL 6 Configuring an Ethernet frame header ACL 8 Copying an ACL 9 Enabling ACL acceleration for an IPv4 ACL 10 Displaying and maintaining ACLs 10 ACL configuration examples 11 IPv4 ACL configuration example 11 IPv6 ACL configuration example 13 QoS overview 16 Introduction to QoS 16 QoS service models 16 Best-effort service model 16 IntServ model 16 DiffServ model 17 QoS techniques overview 17 Applying QoS techniques in a network 17 QoS processing flow in a device 18 QoS configuration approaches 19 QoS configuration approach overview 19 Non-policy approach 19 Policy approach 19 Configuring a QoS policy 19 Defining a class 20 Defining a traffic behavior 21 Defining a policy 21 Configuring QoS policy nesting 22 Applying the QoS policy 23 Displaying and maintaining QoS policies 25 Priority mapping configuration 26 Priority mapping overview 26 Introduction to priority mapping 26 Introduction to priorities 26 Priority mapping tables 27 Priority mapping configuration tasks 27 i

Configuring priority mapping 27 Configuring a priority mapping table 27 Configuring a port to trust packet priority for priority mapping 28 Changing the port priority of an interface 28 Displaying and maintaining priority mapping 29 Priority mapping configuration examples 29 Priority trust mode configuration example 29 Priority mapping table and priority marking configuration example 30 Traffic policing, traffic shaping, and line rate configuration 33 Traffic policing, traffic shaping, and line rate overview 33 Traffic evaluation and token buckets 34 Traffic policing 34 Traffic shaping 35 Line rate 36 Configuration task list 37 Configuring traffic policing 37 Configuring traffic policing in policy approach 38 Configuring traffic policing in non-policy approach 39 Configuring GTS 39 Configuring GTS in policy approach 40 Configuring GTS in non-policy approach 40 Configuring the line rate 41 Configuring packet resequencing 41 Displaying and maintaining traffic policing, GTS, and line rate 42 Traffic policing and GTS configuration examples 42 Traffic policing and GTS configuration example 42 IP rate limiting configuration example 44 Congestion management configuration 46 Congestion management overview 46 Causes, impacts, and countermeasures of congestion 46 Congestion management policies 47 Congestion management technology comparison 52 Configuring the FIFO queue size 54 FIFO queue size configuration procedure 54 Configuration example 55 Configuring PQ 55 PQ configuration procedure 55 PQ configuration example 56 Configuring CQ 57 Configuration procedure 57 CQ configuration example 58 Configuring WFQ 59 Configuration procedure 59 WFQ configuration example 59 Configuring CBQ 60 Defining a class 61 Defining a traffic behavior 61 Defining a QoS policy 65 Applying the QoS policy 65 Configuring the maximum available interface bandwidth 66 Setting the maximum reserved bandwidth as a percentage of available bandwidth 67 Displaying and maintaining CBQ 68 CBQ configuration example 68

Configuring RTP priority queuing 70 Configuration procedure 70 RTP priority queuing configuration example 70 Configuring QoS tokens 71 QoS token configuration procedure 71 QoS token configuration example 71 Configuring packet information pre-extraction 72 Configuration procedure 72 Configuration example 72 Hardware congestion management configuration 74 Hardware congestion management overview 74 Causes, impacts, and countermeasures 74 Congestion management techniques 75 Hardware congestion management configuration approaches 78 Per-queue hardware congestion management 78 Configuring SP queuing 78 Configure WRR queuing 79 Configuring WFQ queuing 80 Configuring CBQ 82 CBQ configuration task list 82 Defining a class 82 Defining a traffic behavior 83 Defining a QoS policy 84 Applying the QoS policy 84 Displaying and maintaining CBQ 85 CBQ configuration example 85 Congestion avoidance configuration 88 Congestion avoidance overview 88 Introduction to WRED configuration 89 WRED configuration approaches 89 Introduction to WRED parameters 90 Configuring WRED on an interface 90 Configuration procedure 90 Configuration example 90 Displaying and maintaining WRED 91 WRED configuration example 91 Network requirements 91 Configuration procedure 92 Traffic filtering configuration 94 Traffic filtering overview 94 Configuring traffic filtering 94 Traffic filtering configuration example 95 Traffic filtering configuration example 95 Priority marking configuration 96 Priority marking overview 96 Configuring priority marking 96 Priority marking configuration example 97 Priority marking configuration example 97 Traffic redirecting configuration 100 Traffic redirecting overview 100 Configuring traffic redirecting 100 Traffic redirecting configuration example 101 iii

Example for redirecting traffic to an interface 101 DAR configuration 104 DAR overview 104 Configuring DAR for P2P traffic recognition 104 Loading the P2P signature file 104 Configuring a P2P protocol group 105 Enabling DAR for P2P traffic recognition 105 Configuring protocol match criteria 105 Configuring DAR packet accounting 106 Displaying and maintaining DAR for other types of traffic than P2P 106 DAR configuration examples 106 P2P downloading traffic blocking configuration example 106 Class-based accounting configuration 108 Class-based accounting overview 108 Configuring class-based accounting 108 Displaying and maintaining traffic accounting 109 Class-based accounting configuration example 109 Class-based accounting configuration example 109 QPPB configuration 111 Introduction to QPPB 111 QPPB fundamentals 111 QPPB configuration task list 112 Configuring the sender 112 Configuring the route receiver 112 QPPB configuration examples 113 QPPB configuration example in an IPv4 network 113 QPPB configuration example in an MPLS L3VPN 115 QPPB configuration example in an IPv6 network 119 Appendix 122 Appendix A Acronym 122 Appendix B Default priority mapping tables 123 Priority mapping tables 123 Appendix C Introduction to packet precedences 124 IP precedence and DSCP values 124 802.1p priority 126 EXP values 126 MPLS QoS configuration 128 MPLS QoS overview 128 Configuring MPLS QoS 129 Configuring MPLS CAR 129 Configuring MPLS priority marking 129 Configuring MPLS congestion management 131 MPLS QoS configuration example 131 Configuring QoS for traffic within a VPN 131 FR QoS configuration 135 FR QoS overview 135 Introduction to FR QoS 135 FRTS 136 FR traffic policing 137 FR queuing 137 FR congestion management 138 iv

FR DE rule list 139 Configuring FR QoS 139 FR QoS configuration task list 139 Creating and configuring an FR class 139 Configuring FRTS 140 Configuring FR traffic policing 141 Configuring FR congestion management 142 Configuring FR DE rule list 142 Configuring FR queuing 143 Configuring FR fragmentation 143 Displaying and maintaining FR QoS 144 FR QoS configuration examples 145 FRTS configuration example 145 FR fragmentation configuration example 146 Index 147 v

ACL configuration

This chapter includes these sections:
  ACL overview
  ACL configuration task list
  Displaying and maintaining ACLs
  ACL configuration examples

NOTE: Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

ACL overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also used by many modules, for example, QoS and IP routing, for traffic identification.

ACL categories

  Category                     ACL number     IP version      Match criteria
  Basic ACLs                   2000 to 2999   IPv4            Source IPv4 address
                                              IPv6            Source IPv6 address
  Advanced ACLs                3000 to 3999   IPv4            Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
                                              IPv6            Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields
  Ethernet frame header ACLs   4000 to 4999   IPv4 and IPv6   Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type

ACL numbering and naming

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number for identification. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you can neither rename it nor delete its name.

For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACL, its ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an IPv6 ACL.

Match order

The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

  config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, check the rule content and order carefully.

  auto: Sorts ACL rules in depth-first order. Depth-first ordering ensures that any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

Table 1 Sort ACL rules in depth-first order

  IPv4 basic ACL
    1. VPN instance
    2. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
    3. Smaller rule ID

  IPv4 advanced ACL
    1. VPN instance
    2. Specific protocol type rather than IP (IP represents any protocol over IP)
    3. More 0s in the source IP address wildcard mask
    4. More 0s in the destination IP address wildcard
    5. Narrower TCP/UDP service port number range
    6. Smaller ID

  IPv6 basic ACL
    1. Longer prefix for the source IP address (a longer prefix means a narrower IP address range)
    2. Smaller ID

  IPv6 advanced ACL
    1. Specific protocol type rather than IP (IP represents any protocol over IPv6)
    2. Longer prefix for the source IPv6 address
    3. Longer prefix for the destination IPv6 address
    4. Narrower TCP/UDP service port number range
    5. Smaller ID

  Ethernet frame header ACL
    1. More 1s in the source MAC address mask (more 1s means a smaller MAC address range)
    2. More 1s in the destination MAC address mask
    3. Smaller ID

NOTE: A wildcard mask, also called an "inverse mask," is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
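The following is an added example, not code from the H3C guide, showing why the match order matters for an IPv4 basic ACL: it matches a source address against wildcard-mask criteria bit by bit (so noncontiguous masks such as 0.255.0.255 work) and evaluates the same rule set in config order and in auto (depth-first) order using the tie breakers from Table 1. The rule records and addresses are constructed; the direction of the VPN-instance tie breaker (rules bound to a VPN instance first) is an assumption, as the table does not state it.

```python
"""Added example: first-match evaluation of IPv4 basic ACL rules with
wildcard masks, in both 'config' and 'auto' (depth-first) match order."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str             # "permit" or "deny"
    source: str             # dotted decimal address criterion
    wildcard: str           # inverse mask: 0 bits = "do care", 1 bits = "don't care"
    vpn_instance: str = ""  # empty string = public network (constructed convention)


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, criterion: str, wildcard: str) -> bool:
    """An address matches when every 'do care' bit (0 in the wildcard) agrees.
    Comparing bitwise rather than by prefix length keeps noncontiguous
    wildcards such as 0.255.0.255 working."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(criterion) & care)


def care_bits(wildcard: str) -> int:
    """Number of 0 bits in the wildcard: more 0s means a narrower range."""
    return 32 - bin(to_int(wildcard)).count("1")


def depth_first_key(rule: BasicRule):
    """Tie-breaker sequence for IPv4 basic ACLs in 'auto' order:
    1. VPN instance (assumption: VPN-bound rules sort first),
    2. more 0s in the source wildcard,
    3. smaller rule ID."""
    return (rule.vpn_instance == "", -care_bits(rule.wildcard), rule.rule_id)


def order_rules(rules, match_order="config"):
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=depth_first_key)
    raise ValueError(f"unknown match order: {match_order}")


def evaluate(rules, src_addr: str, match_order="config", vpn_instance=""):
    """Return (action, rule_id) of the first matching rule, or ("none", None)
    when nothing matches; what happens then is up to the module using the ACL."""
    for rule in order_rules(rules, match_order):
        if rule.vpn_instance != vpn_instance:
            continue
        if wildcard_match(src_addr, rule.source, rule.wildcard):
            return rule.action, rule.rule_id
    return "none", None


# Constructed sample ACL: rule 0 denies a whole /16, rule 5 permits one host
# inside it. In config order the broad deny is hit first for 10.1.0.7; in
# auto order the narrower (all-bits-care) permit is matched first.
SAMPLE_RULES = [
    BasicRule(0, "deny", "10.1.0.0", "0.0.255.255"),
    BasicRule(5, "permit", "10.1.0.7", "0.0.0.0"),
    BasicRule(10, "permit", "0.0.0.0", "255.255.255.255"),  # source any
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(SAMPLE_RULES, "10.1.0.7", order))
```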

ACL rule numbering

What is the ACL rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.

The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and re-numbering

The ID automatically assigned to an ACL rule is the nearest multiple of the numbering step higher than the current highest rule ID, starting with 0. For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule will be numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Implementing time-based ACL rules

You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule takes effect only in the time periods specified by the time range. The following basic types of time range are available:
  Periodic time range: Recurs periodically on a day or days of the week.
  Absolute time range: Represents only a period of time and does not recur.

You may apply a time range to ACL rules before or after you create it. However, the rules using the time range can take effect only after you define the time range.
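As an added example (not code from the H3C guide), the following models the automatic rule-ID assignment and step-change renumbering just described for a config-order ACL, and shows the practical point: the gap the step leaves is what lets a specific deny be slotted in ahead of a broad permit without renumbering. The rule texts and the class and helper names are constructed for illustration.

```python
"""Added example: rule-ID assignment and renumbering for a config-order ACL."""


def next_rule_id(existing_ids, step=5):
    """ID for a rule created without an explicit ID: the nearest multiple of
    `step` strictly above the current highest ID, or 0 for an empty ACL.
    With step 5 and rules 0, 5, 9, 10, 12 the result is 15."""
    ids = list(existing_ids)
    if not ids:
        return 0
    return (max(ids) // step + 1) * step


def renumber(existing_ids, new_step):
    """When the step changes, every rule is renumbered from 0 in ascending
    order of its old ID, so relative order is preserved. Returns {old: new}."""
    return {old: index * new_step for index, old in enumerate(sorted(existing_ids))}


def free_ids_between(lower_id, upper_id):
    """Explicit IDs still available between two existing rules; a wider step
    leaves more room, which is what matters in config order."""
    return list(range(lower_id + 1, upper_id))


class ConfigOrderAcl:
    """Rule table of a config-order ACL. Matching walks the rules in
    ascending rule ID, so IDs, not creation order, decide precedence."""

    def __init__(self, step=5):
        self.step = step
        self.rules = {}  # rule_id -> rule text (constructed sample strings)

    def add_rule(self, text, rule_id=None):
        if rule_id is None:
            rule_id = next_rule_id(self.rules, self.step)
        self.rules[rule_id] = text  # an existing ID edits that rule in place
        return rule_id

    def set_step(self, new_step):
        mapping = renumber(self.rules, new_step)
        self.rules = {mapping[old]: text for old, text in self.rules.items()}
        self.step = new_step
        return mapping

    def ordered(self):
        """Rules in the order a config-order ACL evaluates them."""
        return [(rule_id, self.rules[rule_id]) for rule_id in sorted(self.rules)]


def build_sample():
    # Constructed sample: two auto-numbered rules, then a specific deny
    # inserted into the gap so it is evaluated before the broad permit.
    acl = ConfigOrderAcl(step=5)
    acl.add_rule("rule deny source 10.1.0.7 0")                 # rule 0
    acl.add_rule("rule permit source 10.1.0.0 0.0.255.255")     # rule 5
    acl.add_rule("rule deny source 10.1.9.0 0.0.0.255", rule_id=3)
    return acl
```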
IPv4 fragments filtering with ACLs

Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid these risks, the H3C ACL implementation:
  Filters all fragments by default, including non-first fragments.
  Provides ACL-based firewalls with standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the default mode. It considers only Layer 3 attributes. Exact match considers all header attributes defined in IPv4 ACL rules. For more information, see the Security Configuration Guide.

ACL application

You can use ACLs in QoS, firewall, routing, and other technologies for identifying traffic.
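The following is an added example, not code from the H3C guide, for the time-based ACL rules described above: it models a time range built from periodic and absolute statements and decides whether a rule referencing it is in effect at a given moment, using the three-step active-period calculation (union of periodic statements, union of absolute statements, intersection of the two) and the rule that a referenced time range must already be defined. The class and function names and the sample statements are constructed; the treatment of a time range that has no statement of one kind (no restriction from that kind) is an assumption not stated on the page.

```python
"""Added example: active-period calculation for an ACL time range."""
from datetime import datetime, time


class TimeRange:
    """Periodic statements recur on weekdays (0 = Monday ... 6 = Sunday);
    absolute statements are single, non-recurring windows whose 'from' or
    'to' bound may be left open."""

    MAX_PERIODIC = 32   # per-time-range limits given in the guide
    MAX_ABSOLUTE = 12

    def __init__(self, name):
        self.name = name
        self.periodic = []   # (start_time, end_time, set_of_weekdays)
        self.absolute = []   # (start_datetime or None, end_datetime or None)

    def add_periodic(self, start, end, days):
        if len(self.periodic) >= self.MAX_PERIODIC:
            raise ValueError("at most 32 periodic statements per time range")
        self.periodic.append((start, end, set(days)))

    def add_absolute(self, start=None, end=None):
        if len(self.absolute) >= self.MAX_ABSOLUTE:
            raise ValueError("at most 12 absolute statements per time range")
        if start is None and end is None:
            raise ValueError("an absolute statement needs a 'from' or 'to' bound")
        self.absolute.append((start, end))

    def periodic_active(self, at):
        # Step 1: the union of all periodic statements.
        if not self.periodic:
            return True   # assumption: no periodic statement, no restriction
        return any(at.weekday() in days and start <= at.time() <= end
                   for start, end, days in self.periodic)

    def absolute_active(self, at):
        # Step 2: the union of all absolute statements.
        if not self.absolute:
            return True   # assumption: no absolute statement, no restriction
        return any((start is None or start <= at) and (end is None or at <= end)
                   for start, end in self.absolute)

    def is_active(self, at):
        # Step 3: the intersection of the two statement sets.
        if isinstance(at, str):
            at = datetime.fromisoformat(at)
        return self.periodic_active(at) and self.absolute_active(at)


def rule_in_effect(time_ranges, rule_time_range, at):
    """A rule without a time range is always in effect. A rule that names a
    time range takes effect only once that range exists, and then only while
    the range is active."""
    if rule_time_range is None:
        return True
    time_range = time_ranges.get(rule_time_range)
    return time_range is not None and time_range.is_active(at)


def build_sample():
    # Constructed sample: working-day office hours plus a Saturday evening
    # window, valid only during the second half of 2011.
    time_range = TimeRange("office")
    time_range.add_periodic(time(8, 0), time(18, 0), range(0, 5))
    time_range.add_periodic(time(20, 0), time(22, 0), {5})
    time_range.add_absolute(datetime(2011, 7, 1, 0, 0), datetime(2011, 12, 31, 23, 59))
    return time_range
```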

ACL configuration task list

IPv4 ACL configuration task list

Complete the following tasks to configure an IPv4 ACL:

  Task                                         Remarks
  Configuring a time range                     Optional
  Configuring an IPv4 basic ACL                Configure at least one task.
  Configuring an IPv4 advanced ACL
  Configuring an Ethernet frame header ACL
  Copying an IPv4 ACL                          Optional
  Enabling ACL acceleration for an IPv4 ACL    Optional

IPv6 ACL configuration task list

Complete the following tasks to configure an IPv6 ACL:

  Task                                         Remarks
  Configuring a time range                     Optional
  Configuring an IPv6 basic ACL                Configure at least one task.
  Configuring an IPv6 advanced ACL
  Configuring an Ethernet frame header ACL
  Copying an IPv6 ACL                          Optional

Configuring an ACL

Configuring a time range

Follow these steps to configure a time range:

1. Enter system view.
   Command: system-view

2. Configure a time range.
   Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
   By default, no time range exists. Repeat this command with the same time range name to create multiple statements for a time range.

You can create multiple statements in a time range. The active period of a time range is calculated as follows:
  1. Combining all periodic statements
  2. Combining all absolute statements

  3. Taking the intersection of the two statement sets as the active period of the time range

You can create a maximum of 256 time ranges, each with 32 periodic statements and 12 absolute statements at most.

Configuring a basic ACL

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based on only source IP address. Follow these steps to configure an IPv4 basic ACL:

1. Enter system view.
   Command: system-view

2. Create an IPv4 basic ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   By default, no ACL exists. IPv4 basic ACLs are numbered in the range 2000 to 2999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

3. Configure a description for the IPv4 basic ACL.
   Command: description text
   Optional. By default, an IPv4 basic ACL has no ACL description.

4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
   By default, an IPv4 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a firewall) that uses the ACL supports logging.

6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv4 ACL rule has no rule description.

Configuring an IPv6 basic ACL

Follow these steps to configure an IPv6 basic ACL:

1. Enter system view.
   Command: system-view

2. Create an IPv6 basic ACL and enter its view.
   Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
   By default, no ACL exists. IPv6 basic ACLs are numbered in the range 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.

3. Configure a description for the IPv6 basic ACL.
   Command: description text
   Optional. By default, an IPv6 basic ACL has no ACL description.

4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name ] *
   By default, an IPv6 basic ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a firewall) using the ACL supports logging.

6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv6 basic ACL rule has no rule description.

Configuring an advanced ACL

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes. IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority. Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.

Follow these steps to configure an IPv4 advanced ACL:

1. Enter system view.
   Command: system-view

2. Create an IPv4 advanced ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   By default, no ACL exists. IPv4 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.

3. Configure a description for the IPv4 advanced ACL.
   Command: description text
   Optional. By default, an IPv4 advanced ACL has no ACL description.

4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type icmp-code | icmp-message } | logging | precedence precedence | reflective | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
   By default, an IPv4 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a firewall) using the ACL supports logging.

6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv4 advanced ACL rule has no rule description.

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code. Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

Follow these steps to configure an IPv6 advanced ACL:

1. Enter system view.
   Command: system-view

2. Create an IPv6 advanced ACL and enter its view.
   Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
   By default, no ACL exists. IPv6 advanced ACLs are numbered in the range 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.

3. Configure a description for the IPv6 advanced ACL.
   Command: description text
   Optional. By default, an IPv6 advanced ACL has no ACL description.

4. Set the rule numbering step.
   Command: step step-value
   Optional. 5 by default.

5. Create or edit a rule.
   Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *
   By default, an IPv6 advanced ACL does not contain any rule. To create or edit multiple rules, repeat this step. The logging keyword takes effect only when the module (for example, a firewall) using the ACL supports logging.

6. Configure or edit a rule description.
   Command: rule rule-id comment text
   Optional. By default, an IPv6 advanced ACL rule has no rule description.

Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.

Follow these steps to configure an Ethernet frame header ACL:

1. Enter system view.
   Command: system-view

To do...: Create an Ethernet frame header ACL and enter its view
Use the command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: By default, no ACL exists. Ethernet frame header ACLs are numbered in the range 4000 to 4999. You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL.

To do...: Configure a description for the Ethernet frame header ACL
Use the command: description text
Remarks: Optional. By default, an Ethernet frame header ACL has no ACL description.

To do...: Set the rule numbering step
Use the command: step step-value
Remarks: Optional. 5 by default.

To do...: Create or edit a rule
Use the command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
Remarks: By default, an Ethernet frame header ACL does not contain any rule. To create or edit multiple rules, repeat this step.

To do...: Configure or edit a rule description
Use the command: rule rule-id comment text
Remarks: Optional. By default, an Ethernet frame header ACL rule has no rule description.

Copying an ACL

You can create an ACL by copying an existing ACL. The new ACL has the same properties and content as the source ACL except the ACL number and name.

To successfully copy an ACL, ensure that:
• The destination ACL number is from the same category as the source ACL number.
• The source ACL already exists but the destination ACL does not.

Copying an IPv4 ACL

Follow these steps to copy an IPv4 ACL:

To do...: Enter system view
Use the command: system-view

To do...: Copy an existing IPv4 ACL to create a new IPv4 ACL
Use the command: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Copying an IPv6 ACL

Follow these steps to copy an IPv6 ACL:

To do...: Enter system view
Use the command: system-view

To do...: Copy an existing IPv6 ACL to generate a new one of the same category
Use the command: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

Enabling ACL acceleration for an IPv4 ACL

ACL acceleration speeds up ACL lookup. The acceleration effect increases with the number of ACL rules. ACL acceleration uses memory. To achieve the best trade-off between memory and ACL processing performance, H3C recommends that you enable ACL acceleration for large ACLs. For example, when you use a large ACL for a session-based service, such as NAT or ASPF, you can enable ACL acceleration to avoid session timeouts caused by ACL processing delays.

Enable ACL acceleration in an ACL after you have finished editing ACL rules. ACL acceleration always uses the ACL criteria that were set before it was enabled for rule matching. It does not synchronize with any subsequent match criterion changes.

Follow these steps to enable ACL acceleration for an IPv4 ACL:

To do...: Enter system view
Use the command: system-view

To do...: Enable ACL acceleration for an IPv4 ACL
Use the command: acl accelerate number acl-number
Remarks: Disabled by default. The ACL must exist. Only IPv4 basic ACLs and advanced ACLs support ACL acceleration.

CAUTION:
• ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask.
• After you modify an IPv4 ACL with ACL acceleration enabled, disable and re-enable ACL acceleration to ensure correct rule matching.

Displaying and maintaining ACLs

To do...: Display the IPv4 ACL configuration and match statistics (centralized device)
Use the command: display acl { acl-number | all | name acl-name } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Display the IPv4 ACL configuration and match statistics (distributed device)
Use the command: display acl { acl-number | all | name acl-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Display information about the IPv4 ACL acceleration feature
Use the command: display acl accelerate { acl-number | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Display the IPv6 ACL configuration and match statistics (centralized device)
Use the command: display acl ipv6 { acl6-number | all | name acl6-name } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Display the IPv6 ACL configuration and match statistics (distributed device)
Use the command: display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Display the usage of ACL rules (distributed device)
Use the command: display acl resource [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Display the configuration and status of one or all time ranges
Use the command: display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do...: Clear statistics for one or all IPv4 ACLs
Use the command: reset acl counter { acl-number | all | name acl-name }
Remarks: Available in user view

To do...: Clear statistics for one or all IPv6 basic and advanced ACLs
Use the command: reset acl ipv6 counter { acl6-number | all | name acl6-name }
Remarks: Available in user view

ACL configuration examples

IPv4 ACL configuration example

Network requirements

A company interconnects its departments through Router A. Configure an ACL to:
• Permit access from the President's office at any time to the financial database server.
• Permit access from the Financial department to the database server only during working hours (from 8:00 to 18:00) on working days.
• Deny access from any other department to the database server.

Figure 1 Network diagram for IPv4 ACL configuration

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.
<RouterA> system-view
[RouterA] time-range work 8:0 to 18:0 working-day

# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits access from the President's office to the financial database server, one rule permits access from the Financial department to the database server during working hours, and one rule denies access from any other department to the database server.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
[RouterA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
[RouterA-acl-adv-3000] rule deny ip source any destination 192.168.0.100 0
[RouterA-acl-adv-3000] quit

# Enable IPv4 firewall, and apply IPv4 ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.
[RouterA] firewall enable
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] firewall packet-filter 3000 outbound
[RouterA-GigabitEthernet1/0/1] quit

Verification

# Ping the database server from a PC in the Financial department during the working hours. (All PCs in this example use Windows XP.)
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that the database server can be pinged.

# Ping the database server from a PC in the Marketing department during the working hours.
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that the database server cannot be pinged.

# Display configuration and match statistics for IPv4 ACL 3000 on Router A during the working hours.
[RouterA] display acl 3000
Advanced ACL 3000, named -none-, 3 rules, ACL's step is 5
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (4 times matched) (Active)
 rule 10 deny ip destination 192.168.0.100 0 (4 times matched)
The output shows that rule 5 is active. Rule 5 and rule 10 have each been matched four times as the result of the ping operations.

IPv6 ACL configuration example

Network requirements

A company interconnects its departments through Router A. Configure an ACL to:
• Permit access from the President's office at any time to the financial database server.
• Permit access from the Financial department to the database server only during working hours (from 8:00 to 18:00) on working days.
• Deny access from any other department to the database server.

Figure 2 Network diagram for IPv6 ACL configuration

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.
<RouterA> system-view
[RouterA] time-range work 8:0 to 18:0 working-day

# Create an IPv6 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits access from the President's office to the database server, one rule permits access from the Financial department to the database server during working hours, and one rule denies access from other departments to the database server.
[RouterA] acl ipv6 number 3000
[RouterA-acl6-adv-3000] rule permit ipv6 source 1001:: 16 destination 1000::100 128
[RouterA-acl6-adv-3000] rule permit ipv6 source 1002:: 16 destination 1000::100 128 time-range work
[RouterA-acl6-adv-3000] rule deny ipv6 source any destination 1000::100 128
[RouterA-acl6-adv-3000] quit

# Enable IPv6 firewall, and apply IPv6 ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.
[RouterA] firewall ipv6 enable
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] firewall packet-filter ipv6 3000 outbound

Verification

# Ping the database server from a PC in the Financial department during the working hours. (All PCs in this example use Windows XP.)
C:\> ping 1000::100
Pinging 1000::100 with 32 bytes of data:
Reply from 1000::100: time<1ms
Reply from 1000::100: time<1ms
Reply from 1000::100: time<1ms
Reply from 1000::100: time<1ms
Ping statistics for 1000::100:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The output shows that the database server can be pinged.

# Ping the database server from a PC in the Marketing department during the working hours.
C:\> ping 1000::100
Pinging 1000::100 with 32 bytes of data:
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.
Destination net unreachable.
Ping statistics for 1000::100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that the database server cannot be pinged.

# Display configuration and match statistics for IPv6 ACL 3000 on Router A during the working hours.
[RouterA] display acl ipv6 3000
Advanced IPv6 ACL 3000, named -none-, 3 rules, ACL's step is 5
 rule 0 permit ipv6 source 1001::/16 destination 1000::100/128
 rule 5 permit ipv6 source 1002::/16 destination 1000::100/128 time-range work (4 times matched) (Active)
 rule 10 deny ipv6 destination 1000::100/128 (4 times matched)
The output shows that rule 5 is active. Rule 5 and rule 10 have each been matched four times as the result of the ping operations.
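The following Python model reproduces the IPv4 example above off the device: inverse wildcard matching, config-order rule evaluation, rule numbering by step, the periodic time range, the per-rule match counters shown by display acl, and the contiguous-wildcard check that the ACL acceleration caution calls for. It is an added illustration, not H3C code; the Marketing subnet (192.168.3.0/24), the timestamps, and the behaviour when no rule matches are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

TUE_10AM = datetime(2024, 3, 5, 10, 0)   # constructed: a Tuesday, working hours
TUE_8PM = datetime(2024, 3, 5, 20, 0)    # constructed: same Tuesday, after hours
SAT_10AM = datetime(2024, 3, 9, 10, 0)   # constructed: a Saturday
ANY = ("0.0.0.0", "255.255.255.255")     # the 'any' keyword

def ip_matches(addr: str, network: str, wildcard: str) -> bool:
    """H3C wildcards are inverse masks: a 1 bit means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)

def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is zeros followed by ones (a prefix length); acceleration needs this."""
    w = int(IPv4Address(wildcard))
    return (w + 1) & w == 0

@dataclass
class TimeRange:
    """Periodic range such as 'time-range work 8:0 to 18:0 working-day'."""
    start_min: int
    end_min: int
    working_day: bool = True

    def active(self, now: datetime) -> bool:
        if self.working_day and now.weekday() > 4:   # Monday=0 ... Friday=4
            return False
        return self.start_min <= now.hour * 60 + now.minute < self.end_min

@dataclass
class Rule:
    rule_id: int
    action: str                          # 'permit' or 'deny'
    src: tuple                           # (address, wildcard)
    dst: tuple
    time_range: Optional[TimeRange] = None
    matched: int = 0                     # the '(n times matched)' counter

@dataclass
class AdvancedACL:
    number: int
    step: int = 5
    rules: list = field(default_factory=list)

    def add_rule(self, action, src, dst, time_range=None) -> Rule:
        """A rule added without an ID gets 0, 5, 10 ... as in the example output."""
        last = max((r.rule_id for r in self.rules), default=-self.step)
        self.rules.append(Rule((last // self.step + 1) * self.step, action, src, dst, time_range))
        return self.rules[-1]

    def lookup(self, src_ip: str, dst_ip: str, now: datetime) -> Optional[str]:
        """Config-order matching: the first rule whose criteria match decides; a rule with an
        inactive time range is skipped. None: no rule matched, and the outcome is then up to
        the module (for example the firewall) that uses the ACL."""
        for r in self.rules:
            if r.time_range is not None and not r.time_range.active(now):
                continue
            if ip_matches(src_ip, *r.src) and ip_matches(dst_ip, *r.dst):
                r.matched += 1
                return r.action
        return None

    def acceleration_ok(self) -> bool:
        """Check to run before 'acl accelerate number': every wildcard must be contiguous."""
        return all(wildcard_is_contiguous(r.src[1]) and wildcard_is_contiguous(r.dst[1])
                   for r in self.rules)

def build_example_acl() -> AdvancedACL:
    """ACL 3000 from the example: President's office 192.168.1.0/24, Financial 192.168.2.0/24."""
    work = TimeRange(8 * 60, 18 * 60)
    acl = AdvancedACL(3000)
    # the bare '0' wildcard in the CLI example is a host match, i.e. 0.0.0.0
    acl.add_rule("permit", ("192.168.1.0", "0.0.0.255"), ("192.168.0.100", "0.0.0.0"))
    acl.add_rule("permit", ("192.168.2.0", "0.0.0.255"), ("192.168.0.100", "0.0.0.0"), work)
    acl.add_rule("deny", ANY, ("192.168.0.100", "0.0.0.0"))
    return acl
```

Four lookups from a Financial host at TUE_10AM and four from a Marketing host leave rule 5 and rule 10 at "4 times matched", which is the display acl output of the example.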

QoS overview

This chapter includes these sections:
• Introduction to QoS
• QoS service models
• QoS techniques overview

Introduction to QoS

In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated service guarantees for diverse traffic in terms of bandwidth, delay, jitter, and drop rate.

Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones. When making a QoS scheme, you must consider the characteristics of various applications to balance the interests of diversified users and fully utilize network resources.

The following section describes some typical QoS service models and widely used mature QoS techniques.

QoS service models

This section covers three typical QoS service models:
• Best-effort service model
• IntServ model
• DiffServ model

Best-effort service model

Best effort is a single service model and also the simplest service model. In the best-effort service model, the network does its best to deliver packets but does not guarantee delay or reliability.

The best-effort service model is the default model in the Internet and applies to most network applications. It uses the first in first out (FIFO) queuing mechanism.

IntServ model

The integrated service (IntServ) model is a multiple-service model that can accommodate diverse QoS requirements. It provides the most granularly differentiated QoS by identifying and guaranteeing definite QoS for each data flow.

In the IntServ model, an application must request service from the network before it sends data. IntServ signals the service request with the Resource Reservation Protocol (RSVP). All nodes that receive the request reserve resources as requested and maintain state information for the application flow.

The IntServ model demands high storage and processing capabilities, because it requires that all nodes along the transmission path maintain resource state information for each flow. The model is suitable for small-sized or edge networks, but not large-sized networks, for example, the core layer of the Internet, where billions of flows are present.

NOTE: For more information about RSVP, see the MPLS Configuration Guide.

DiffServ model

The differentiated service (DiffServ) model is a multiple-service model that can satisfy diverse QoS requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve resources before sending data, as IntServ does.

All QoS techniques in this document are based on the DiffServ model.

QoS techniques overview

The QoS techniques fall into traffic classification, traffic policing, traffic shaping, line rate, congestion management, and congestion avoidance. The following sections briefly introduce these QoS techniques.

Applying QoS techniques in a network

Figure 3 Position of the QoS techniques in a network

As shown in Figure 3, traffic classification, traffic shaping, traffic policing, congestion management, and congestion avoidance mainly implement the following functions:
• Traffic classification uses certain match criteria to assign packets with the same characteristics to a class. Based on classes, you can provide differentiated services.
• Traffic policing polices flows entering or leaving a device, and imposes penalties on traffic flows that exceed the pre-set threshold to prevent aggressive use of network resources. You can apply traffic policing to both incoming and outgoing traffic of a port.
• Traffic shaping proactively adapts the output rate of traffic to the network resources available on the downstream device to eliminate packet drops. Traffic shaping usually applies to the outgoing traffic of a port.

• Congestion management provides a resource scheduling policy to determine the packet forwarding sequence when congestion occurs. Congestion management usually applies to the outgoing traffic of a port.
• Congestion avoidance monitors the network resource usage and is usually applied to the outgoing traffic of a port. When congestion worsens, congestion avoidance actively reduces the queue length by dropping packets.

QoS processing flow in a device

Figure 4 briefly describes how the QoS module processes traffic:
1. The traffic classifier identifies and classifies traffic for subsequent QoS actions.
2. The QoS module takes various QoS actions on classified traffic as configured, depending on the traffic processing phase and network status. For example, you may configure the QoS module to perform traffic policing for incoming traffic, traffic shaping for outgoing traffic, congestion avoidance before congestion occurs, and congestion management when congestion occurs.

Figure 4 QoS processing flow
(Diagram. Packets received on the interface: classification, token bucket traffic policing (CAR, with drop), priority marking (remark), other processing. Packets to be sent out the interface: classification, token bucket traffic policing (CAR), traffic shaping (GTS), congestion avoidance (WRED, with drop), enqueue into queues 0 through N, congestion management (dequeue), transmit.)

QoS configuration approaches

This chapter includes these sections:
• QoS configuration approach overview
• Configuring a QoS policy

QoS configuration approach overview

The following approaches are available for configuring QoS: the non-policy approach and the policy approach. Some features support both approaches, but some support only one.

Non-policy approach

In the non-policy approach, you configure QoS service parameters directly without using a QoS policy. For example, you can use the line rate feature to set a rate limit on an interface without using a QoS policy.

Policy approach

In the policy approach, you configure QoS service parameters by using QoS policies. A QoS policy defines the shaping, policing, or other QoS actions to take on different classes of traffic. It is a set of class-behavior associations.

A class is a set of match criteria for identifying traffic. It uses the AND or OR operator:
• If the operator is AND, a packet must match all the criteria to match the class.
• If the operator is OR, a packet matches the class if it matches any of the criteria in the class.

A traffic behavior defines a set of QoS actions to take on packets, such as priority marking and redirect.

By associating a traffic behavior with a class in a QoS policy, you apply the specific set of QoS actions to the class of traffic.

Configuring a QoS policy

Figure 5 shows how to configure a QoS policy.

Figure 5 QoS policy configuration procedure
(Flowchart: Define a class, Define a behavior, Define a policy, Apply the policy: to an interface or PVC, to online users, or to a VLAN.)

Defining a class

To define a class, specify its name and then configure the match criteria in class view.

The system pre-defines some classes and defines general match criteria for them. A user-defined class cannot be named the same as a system-defined class. You can use these pre-defined classes when defining a policy. The system-defined classes include:
• The default class default-class: Matches the default traffic.
• DSCP-based pre-defined classes ef, af1, af2, af3, and af4: Match IP DSCP values ef, af1, af2, af3, and af4, respectively.
• IP precedence-based pre-defined classes ip-prec0 through ip-prec7: Match IP precedence values 0 through 7, respectively.
• MPLS EXP-based pre-defined classes mpls-exp0 through mpls-exp7: Match MPLS EXP values 0 through 7, respectively.

Follow these steps to define a class:

To do...: Enter system view
Use the command: system-view

To do...: Create a class and enter class view
Use the command: traffic classifier tcl-name [ operator { and | or } ]
Remarks: By default, the operator of a class is AND. The operator of a class can be AND or OR. AND: A packet is assigned to a class only when the packet matches all the criteria in the class. OR: A packet is assigned to a class if it matches any of the criteria in the class.

To do...: Configure match criteria
Use the command: if-match [ not ] match-criteria
Remarks: For more information, see the if-match command in the ACL and QoS Command Reference.

Defining a traffic behavior

A traffic behavior is a set of QoS actions (such as traffic filtering, shaping, policing, and priority marking) to take on a class of traffic. To define a traffic behavior, first create it and then configure QoS actions (such as priority marking and traffic redirecting) in traffic behavior view.

The system pre-defines some traffic behaviors and defines general QoS actions for them. A user-defined behavior cannot be named the same as a system-defined behavior. You can use these behaviors when defining a policy. The system-defined behaviors include:
• ef: Expedited forwarding
• af: Assured forwarding
• be: Best-effort
• be-flow-based

Follow these steps to define a traffic behavior:

To do...: Enter system view
Use the command: system-view

To do...: Create a traffic behavior and enter traffic behavior view
Use the command: traffic behavior behavior-name

To do...: Configure actions in the traffic behavior
Remarks: See the subsequent chapters, depending on the purpose of the traffic behavior: traffic policing, traffic filtering, traffic redirecting, priority marking, traffic accounting, and so on.

Defining a policy

You associate a behavior with a class in a QoS policy to perform the actions defined in the behavior for the class of packets. A QoS policy can contain multiple class-to-behavior associations, which are matched in the order they are configured.

The system provides a pre-defined QoS policy named default. It includes the associations between predefined classes and predefined traffic behaviors:
• Class ef with behavior ef.
• Classes af1 through af4 with behavior af.
• Class default-class with behavior be.

You cannot name a user-defined QoS policy the same as the system-defined QoS policy.

Follow these steps to associate a class with a behavior in a policy:

To do...: Enter system view
Use the command: system-view

To do...: Create a policy and enter policy view
Use the command: qos policy policy-name

To do...: Associate a class with a behavior in the policy
Use the command: classifier tcl-name behavior behavior-name
Remarks: Repeat this step to create more class-behavior associations.

NOTE:
• The QoS module ignores ACL match clauses that contain a deny rule. If a deny rule is encountered when examining an ACL match clause, the QoS module ignores the clause and moves to the next one.
• To use a Layer 2 ACL in a QoS policy, do not configure any rule with the lsap keyword in the ACL.

Configuring QoS policy nesting

You can reference a QoS policy in a traffic behavior to re-classify the traffic class associated with the behavior and take action on the re-classified traffic as defined in the policy. The QoS policy referenced in the traffic behavior is called the child policy; the QoS policy that references the behavior is called the parent policy.

Follow these steps to nest a child QoS policy in a parent QoS policy:

To do...: Enter system view
Use the command: system-view

To do...: Create a class for the parent policy and enter class view
Use the command: traffic classifier tcl-name [ operator { and | or } ]

To do...: Configure match criteria
Use the command: if-match [ not ] match-criteria

To do...: Return to system view
Use the command: quit

To do...: Create a behavior for the parent policy and enter behavior view
Use the command: traffic behavior behavior-name

To do...: Nest the child QoS policy
Use the command: traffic-policy policy-name
Remarks: The QoS policy specified for the policy-name argument must already exist.

To do...: Return to system view
Use the command: quit
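The class, behavior and policy model of the preceding sections, with AND/OR class operators, if-match not, in-order class-behavior associations and a parent policy nesting a child policy, as an added Python illustration (not H3C code). The packet field names, VLAN and DSCP values and policy names are constructed; the model assumes that the first matching class in a policy decides.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]   # constructed packet fields, e.g. {"vlan": 10, "dscp": 46}


@dataclass
class Criterion:
    """One 'if-match [ not ] match-criteria' clause (field names are hypothetical)."""
    field_name: str
    value: object
    negate: bool = False

    def matches(self, pkt: Packet) -> bool:
        hit = pkt.get(self.field_name) == self.value
        return not hit if self.negate else hit


@dataclass
class Classifier:
    """'traffic classifier tcl-name [ operator { and | or } ]'; AND is the default.
    A class with no criteria matches everything under AND, like default-class."""
    name: str
    criteria: List[Criterion]
    operator: str = "and"

    def matches(self, pkt: Packet) -> bool:
        results = [c.matches(pkt) for c in self.criteria]
        return all(results) if self.operator == "and" else any(results)


@dataclass
class Behavior:
    """'traffic behavior behavior-name'; 'traffic-policy policy-name' nests a child policy."""
    name: str
    actions: Dict[str, object] = field(default_factory=dict)
    child_policy: Optional["Policy"] = None


@dataclass
class Policy:
    """'qos policy policy-name' with its 'classifier tcl-name behavior behavior-name' lines."""
    name: str
    associations: List[Tuple[Classifier, Behavior]] = field(default_factory=list)

    def classifier_behavior(self, cls: Classifier, beh: Behavior) -> "Policy":
        self.associations.append((cls, beh))
        return self

    def apply(self, pkt: Packet) -> List[str]:
        """Associations are examined in configured order; the first matching class wins
        (assumption). A behavior that nests a child policy re-classifies the packet
        against that policy and appends the child's decision."""
        for cls, beh in self.associations:
            if cls.matches(pkt):
                decision = [f"{self.name}: {cls.name} -> {beh.name}"]
                if beh.child_policy is not None:
                    decision += beh.child_policy.apply(pkt)
                return decision
        return []


def build_example() -> Policy:
    """Parent policy 'site' hands VLAN 10 traffic to child policy 'vlan10-qos'.
    Names, VLAN and DSCP values are constructed (EF is DSCP 46)."""
    child = Policy("vlan10-qos")
    child.classifier_behavior(Classifier("voice", [Criterion("dscp", 46)]),
                              Behavior("ef", {"queue": "ef"}))
    child.classifier_behavior(Classifier("low-prio", [Criterion("dscp", 8), Criterion("dscp", 0)], "or"),
                              Behavior("be-low", {"queue": "be"}))
    child.classifier_behavior(Classifier("default-class", []), Behavior("be"))
    parent = Policy("site")
    parent.classifier_behavior(Classifier("vlan10", [Criterion("vlan", 10)]),
                               Behavior("to-child", child_policy=child))
    parent.classifier_behavior(Classifier("other", [Criterion("vlan", 10, negate=True)]),
                               Behavior("be"))
    return parent
```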