HP FlexFabric 11900 Switch Series ACL and QoS Configuration Guide Part number: 5998-5262 Software version: Release 2111 and later Document version: 6W100-20140110
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Configuring ACLs
Overview
Applications on the switch
Configuring priority mapping
Overview
Introduction to priorities
Tail drop
RED and WRED
ECN
Appendixes
Appendix A Default priority maps
Appendix B Introduction to packet precedences
IP precedence and D
Configuring ACLs
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic. The packet drop or forwarding decisions vary with the modules that use ACLs.
For an IPv4 basic or advanced ACL, its ACL number and name must be unique in IPv4. For an IPv6 basic or advanced ACL, its ACL number and name must be unique in IPv6.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
Rule numbering ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works. Rule numbering step If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5.
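The effect of rule order on overlapping rules, and of the default numbering step of 5, shown as an added example that is not part of the HP guide. It assumes rules are evaluated in ascending rule ID order (config match order), that a 0 bit in the wildcard mask means "must match", and that an unnumbered rule receives the next multiple of the step above the highest existing ID; the class name and all addresses are constructed for illustration.

```python
import ipaddress


def _ip(text):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


class BasicAcl:
    """Model of an IPv4 basic ACL: rules match on source address only."""

    def __init__(self, step=5):          # 5 is the default step stated in the guide
        self.step = step
        self.rules = {}                  # rule_id -> (action, address, wildcard)

    def next_auto_id(self):
        # Assumption: the first rule is 0, later rules get the smallest
        # multiple of the step that is greater than the highest existing ID.
        if not self.rules:
            return 0
        return (max(self.rules) // self.step + 1) * self.step

    def add(self, action, source, wildcard, rule_id=None):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        rid = self.next_auto_id() if rule_id is None else rule_id
        wc = _ip(wildcard)
        # Store the address with the "don't care" bits cleared.
        self.rules[rid] = (action, _ip(source) & ~wc, wc)
        return rid

    def ordered(self):
        return sorted(self.rules.items())

    def match(self, src):
        """First matching rule wins; later rules are never consulted."""
        s = _ip(src)
        for rid, (action, addr, wc) in self.ordered():
            if (s & ~wc) == addr:
                return rid, action
        return None, None                # outcome is up to the module using the ACL

    def shadowed(self):
        """Rules that can never match because an earlier rule covers them."""
        found = []
        rules = self.ordered()
        for i, (rid, (_, addr, wc)) in enumerate(rules):
            for erid, (_, eaddr, ewc) in rules[:i]:
                # The earlier rule covers this one when it ignores every bit
                # this rule ignores and both agree on the bits it checks.
                if (wc & ~ewc) == 0 and ((addr ^ eaddr) & ~ewc) == 0:
                    found.append((rid, erid))
                    break
        return found


def demo():
    # Constructed case 1: broad permit entered first, so the deny is dead code.
    bad = BasicAcl()
    bad.add("permit", "10.1.0.0", "0.0.255.255")   # auto ID 0
    bad.add("deny", "10.1.2.0", "0.0.0.255")       # auto ID 5, never reached

    # Constructed case 2: specific rules first; the gap left by the step
    # lets a later rule be placed between IDs 0 and 5 with a manual ID.
    good = BasicAcl()
    good.add("deny", "10.1.2.0", "0.0.0.255")              # auto ID 0
    good.add("permit", "10.1.0.0", "0.0.255.255")          # auto ID 5
    good.add("deny", "10.1.3.0", "0.0.0.255", rule_id=3)   # manual ID 3
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("bad  10.1.2.7 ->", bad.match("10.1.2.7"), "shadowed:", bad.shadowed())
    print("good 10.1.2.7 ->", good.match("10.1.2.7"))
    print("good 10.1.3.4 ->", good.match("10.1.3.4"))
    print("good next automatic ID:", good.next_auto_id())
```

Running a shadow check like this against an exported rule list before applying an ACL catches deny rules that a broader earlier permit silently disables.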
Tasks at a glance
(Optional.) Copying an ACL
(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
1. Enter system view.
   Command: system-view
   Remarks: N/A
By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999.
2. Create an IPv6 basic ACL and enter its view.
   Command: acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. IPv6 basic ACLs are numbered in the range of 2000 to 2999.
3. (Optional.) Configure a description for the IPv6 basic ACL.
   Command: description text
   Remarks: By default, an IPv6 basic ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
2. Create an IPv4 advanced ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. IPv4 advanced ACLs are numbered in the range of 3000 to 3999.
3. (Optional.) Configure a description for the IPv4 advanced ACL.
   Command: description text
   Remarks: By default, an IPv4 advanced ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
2. Create an IPv6 advanced ACL and enter its view.
   Command: acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. IPv6 advanced ACLs are numbered in the range of 3000 to 3999.
3. (Optional.) Configure a description for the IPv6 advanced ACL.
   Command: description text
   Remarks: By default, an IPv6 advanced ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
2. Create an Ethernet frame header ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. Ethernet frame header ACLs are numbered in the range of 4000 to 4999.
3. (Optional.) Configure a description for the Ethernet frame header ACL.
   Command: description text
   Remarks: By default, an Ethernet frame header ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5.
Configuring packet filtering with ACLs This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6 packets on the specified interface. NOTE: The ACL-based packet filter function is available on Layer 2 and Layer 3 Ethernet interfaces, and VLAN interfaces. The term "interface" in this section collectively refers to these types of interfaces.
Task: Display whether an ACL has been successfully applied to an interface for packet filtering (in standalone mode).
Command: display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }
Task: Display whether an ACL has been successfully applied to an interface for packet filtering (in IRF mode).
Figure 1 Network diagram
Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
<DeviceA> system-view
[DeviceA] time-range work 08:00 to 18:00 working-day
# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL.
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that the database server can be pinged.
# Ping the database server from a PC in the Marketing department during the working hours.
C:\> ping 192.168.0.
QoS overview In data communications, Quality of Service (QoS) provides differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS. Network resources are limited. When configuring a QoS scheme, you must consider the characteristics of different applications. For example, when bandwidth is fixed, more bandwidth used by one user leaves less bandwidth for others.
QoS techniques overview The QoS techniques include traffic classification, traffic policing, traffic shaping, rate limit, congestion management, and congestion avoidance. The following section briefly introduces these QoS techniques. All QoS techniques in this document are based on the DiffServ model.
Configuring a QoS policy You can configure QoS by using the MQC approach or non-MQC approach. Some features support both approaches, but some support only one. Non-MQC approach In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the rate limit feature to set a rate limit on an interface without using a QoS policy. MQC approach In the modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies.
Defining a traffic class Configuration guidelines If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id or if-match service-vlan-id clauses, a packet that matches any of the clauses matches the class.
Table 2 Available match criteria
Option: acl [ ipv6 ] { acl-number | name acl-name }
Description: Matches an ACL. The acl-number argument is in the range of 2000 to 3999 for an IPv4 ACL, 2000 to 3999 for an IPv6 ACL, and 4000 to 4999 for an Ethernet frame header ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an English letter, and to avoid confusion, it cannot be all.
Option: any
Description: Matches all packets.
Description: Matches the control plane protocols.
Option: service-vlan-id vlan-id-list
Description: Matches the service provider VLAN IDs (SVLANs). The vlan-id-list argument is in the format of vlan-id-list = { vlan-id | vlan-id1 to vlan-id2 }&<1-10>, where the vlan-id, vlan-id1, and vlan-id2 arguments represent the VLAN IDs and each range from 1 to 4094, vlan-id1 must be no greater than vlan-id2, and &<1-10> indicates that you can specify up to 10 VLAN IDs or VLAN ID ranges.
Option: source-mac mac-address
Description: Matches a source MAC address.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: By default, no traffic behavior is configured.
3. Configure actions in the traffic behavior.
   Command: See the subsequent chapters, depending on the purpose of the traffic behavior: traffic policing, traffic filtering, priority marking, traffic accounting, and so on.
   Remarks: By default, no action is configured for a traffic behavior.
QoS policies applied to an interface, a VLAN, and globally are in descending order of priority. In other words, the switch first matches the criteria in the QoS policy applied to an interface. If there is a match, the switch executes the QoS policy applied to the interface and ignores the QoS policies applied to the VLAN and globally. Applying the QoS policy to an interface This feature is available on both Layer 2 and Layer 3 Ethernet interfaces.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Apply the QoS policy globally.
   Command: qos apply policy policy-name global { inbound | outbound }
   Remarks: By default, no QoS policy is applied globally.

Applying the QoS policy to the control plane
A device provides the data plane and the control plane.
• Data plane—The units at the data plane (such as various dedicated forwarding chips) are responsible for receiving, transmitting, and forwarding packets.
Displaying and maintaining QoS policies
Execute display commands in any view and reset commands in user view.
Task: Display traffic class configuration (in standalone mode).
Command: display traffic classifier user-defined [ classifier-name ] [ slot slot-number ]
Task: Display traffic class configuration (in IRF mode).
Command: display traffic classifier user-defined [ classifier-name ] [ chassis chassis-number slot slot-number ]
Task: Display traffic behavior configuration (in standalone mode).
Task: Clear the statistics for a QoS policy applied globally.
Command: reset qos policy global [ inbound | outbound ]
Task: Clear the statistics for the QoS policy applied to a control plane (in standalone mode).
Command: reset qos policy control-plane slot slot-number [ inbound ]
Task: Clear the statistics for the QoS policy applied to a control plane (in IRF mode).
Configuring priority mapping Overview When a packet arrives, depending on your configuration, a device assigns a set of QoS priority parameters to the packet based on either a certain priority field carried in the packet or the port priority of the incoming port. This process is called "priority mapping." During this process, the device can modify the priority of the packet according to the priority mapping rules.
The default priority maps (as shown in "Appendix A Default priority maps") are available for priority mapping. They are adequate in most cases. If a default priority map cannot meet your requirements, you can modify the priority map as required.
Priority trust mode on a port
The priority trust mode on a port determines which priority is used for priority mapping table lookup. Port priority can be used for priority mapping in addition to the priority fields carried in packets.
The priority mapping procedure varies with the priority trust modes. For more information, see the subsequent section. Priority mapping process On receiving an Ethernet packet on a port, the switch marks the scheduling priorities (local precedence and drop precedence) for the Ethernet packet. This process is done according to the priority trust mode of the receiving port and the 802.1q tagging status of the packet, as shown in Figure 4.
Figure 5 Priority mapping process for an MPLS packet (flowchart: receive a packet with MPLS labels; check whether the packet matches conditions for local precedence or drop precedence marking; look up the exp-dot1p map; mark the packet with local precedence or drop precedence)
configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).

Configuring priority maps
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter priority map view.
   Command: qos map-table { dot1p-dp | dot1p-exp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp | exp-dot1p }
   Remarks: The dscp-dot1p priority map does not take effect on interfaces on SF cards.
3. Configure mappings for the priority map.
Changing the port priority of an interface
If an interface does not trust any packet priority, the device uses its port priority to look for the set of priority parameters for the incoming packets. By changing port priority, you can prioritize traffic received on different interfaces.
To change the port priority of an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3.
Figure 6 Network diagram (Device A, Device B, Device C, Server, and Internet; interfaces XGE1/0/1, XGE1/0/2, and XGE1/0/3)
Configuration procedure
IMPORTANT: Make sure that the priority of Ten-GigabitEthernet 1/0/1 is higher than that of Ten-GigabitEthernet 1/0/2, and that no trusted packet priority type is configured on Ten-GigabitEthernet 1/0/1 or Ten-GigabitEthernet 1/0/2.
# Assign port priority to Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2.
Table 6 Configuration plan
Traffic destination: Public servers
   Traffic priority order: R&D department > management department > marketing department
   Queuing plan (traffic source, output queue, queue priority):
      R&D department, 6, High
      Management department, 4, Medium
      Marketing department, 2, Low
Traffic destination: Internet
   Traffic priority order: Management department > marketing department > R&D department
   Queuing plan (traffic source, output queue, queue priority):
      R&D department, 2, Low
      Management department, 6, High
      Marketing department, 4, Medium
Figure 7 Network diagram
Configuration procedure
1
[Device] interface Ten-GigabitEthernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] qos priority 4
[Device-Ten-GigabitEthernet1/0/2] quit
# Set the port priority of Ten-GigabitEthernet 1/0/3 to 5.
[Device] interface Ten-GigabitEthernet 1/0/3
[Device-Ten-GigabitEthernet1/0/3] qos priority 5
[Device-Ten-GigabitEthernet1/0/3] quit
2. Configure the 802.1p-to-local mapping table to map 802.1p priority values 3, 4, and 5 to local precedence values 2, 6, and 4.
[Device-Ten-GigabitEthernet1/0/1] qos apply policy market inbound
# Configure a priority marking policy for the R&D department, and apply the policy to the incoming traffic of Ten-GigabitEthernet 1/0/2.
Configuring traffic policing, GTS, and rate limit Overview Traffic policing helps assign network resources (including bandwidth) and increase network performance. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic. Traffic policing, Generic Traffic Shaping (GTS), and rate limit control the traffic rate and resource usage according to traffic specifications.
CBS is implemented with bucket C, and EBS with bucket E. When only the CIR is used for traffic evaluation, packets are measured against the following bucket scenarios: • If bucket C has enough tokens, packets are colored green. • If bucket C does not have enough tokens but bucket E has enough tokens, packets are colored yellow. • If neither bucket C nor bucket E has sufficient tokens, packets are colored red.
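The two-bucket evaluation described above, simulated as an added example that is not part of the HP guide. The CIR of 102400 kbps is the value used in this guide's policing example; the CBS and EBS depths, the packet sizes, the arrival times, and the refill rule (tokens fill bucket C first and overflow into bucket E, as in RFC 2697) are assumptions made for the illustration.

```python
from collections import Counter


class TwoBucketMeter:
    """Color packets with bucket C (depth CBS) and bucket E (depth EBS).

    Assumptions: tokens are bytes, both buckets start full, time is given in
    whole milliseconds, and refill follows RFC 2697 (C first, overflow to E).
    """

    def __init__(self, cir_kbps, cbs_bytes, ebs_bytes):
        # 1 kbps = 1000 bit/s, so the refill rate in bytes/ms is cir_kbps / 8.
        self.bytes_per_ms = cir_kbps // 8
        self.cbs = cbs_bytes
        self.ebs = ebs_bytes
        self.c = cbs_bytes
        self.e = ebs_bytes
        self.last_ms = 0

    def _refill(self, now_ms):
        tokens = (now_ms - self.last_ms) * self.bytes_per_ms
        self.last_ms = now_ms
        to_c = min(tokens, self.cbs - self.c)      # fill bucket C up to CBS
        self.c += to_c
        self.e = min(self.ebs, self.e + tokens - to_c)  # overflow goes to E

    def color(self, now_ms, size):
        self._refill(now_ms)
        if self.c >= size:            # bucket C has enough tokens
            self.c -= size
            return "green"
        if self.e >= size:            # C is short, bucket E has enough
            self.e -= size
            return "yellow"
        return "red"                  # neither bucket has enough; no tokens used


def demo():
    # Constructed depths: CBS 64000 bytes, EBS 32000 bytes.
    meter = TwoBucketMeter(cir_kbps=102400, cbs_bytes=64000, ebs_bytes=32000)
    # Constructed arrivals (time in ms, size in bytes): a 70-packet burst,
    # 10 more packets 1 ms later, then one packet after a 10 ms pause.
    arrivals = [(0, 1500)] * 70 + [(1, 1500)] * 10 + [(11, 1500)]
    colors = [meter.color(t, size) for t, size in arrivals]
    return Counter(colors[:70]), Counter(colors[70:80]), colors[80]


if __name__ == "__main__":
    burst, follow_up, after_pause = demo()
    print("burst at 0 ms :", dict(burst))
    print("10 pkts at 1 ms:", dict(follow_up))
    print("1 pkt at 11 ms :", after_pause)
```

The burst drains bucket C, then bucket E, before any packet turns red; 1 ms of refill at the CIR restores only nine packets' worth of green tokens, and the 10 ms pause refills both buckets.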
• Forwarding the packet with its precedence re-marked if the evaluation result is "conforming." Priorities that can be re-marked include 802.1p priority, DSCP precedence, and local precedence. GTS GTS supports shaping the outbound traffic. GTS limits the outbound traffic rate by buffering exceeding traffic. You can use GTS to adapt the traffic output rate on a device to the input traffic rate of its connected device to avoid packet loss.
The rate limit of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Rate limit also uses token buckets for traffic control. When rate limit is configured on an interface, a token bucket handles all packets to be sent through the interface for rate limiting. If enough tokens are in the token bucket, packets can be forwarded. Otherwise, packets are put into QoS queues for congestion management.
Configure a traffic policing action.
   Command: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action | red action | yellow action ] *
   Remarks: By default, no traffic policing action is configured.
7. Return to system view.
   Command: quit
   Remarks: N/A
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: By default, no QoS policy is configured.
Configuring the rate limit This feature is available on both Layer 2 and Layer 3 Ethernet interfaces. The term "interface" in this section collectively refers to these two types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide). The rate limit of a physical interface specifies the maximum rate of incoming packets or outgoing packets. To configure the rate limit: Step Command Remarks 1.
• Server, Host A, and Host B can access the Internet through Device A and Device B. Perform traffic control on Ten-GigabitEthernet 1/0/1 of Device A for traffic received from Server and Host A, respectively, to satisfy the following requirements: • Limit the rate of traffic from Server to 102400 kbps: Transmit the conforming traffic normally, mark the excess traffic with DSCP value 0, and then transmit the traffic.
# Create a behavior named server and configure the CAR action for the behavior as follows: Set the CIR to 102400 kbps, and mark the excess packets (red packets) with DSCP value 0 and transmit them.
[DeviceA] traffic behavior server
[DeviceA-behavior-server] car cir 102400 red remark-dscp-pass 0
[DeviceA-behavior-server] quit
# Create a behavior named host and configure the CAR action for the behavior as follows: Set the CIR to 25600 kbps.
[DeviceB-qospolicy-car_inbound] classifier class behavior car_inbound
[DeviceB-qospolicy-car_inbound] quit
# Create a QoS policy named car_outbound and associate class http with traffic behavior car_outbound in the QoS policy.
[DeviceB] qos policy car_outbound
[DeviceB-qospolicy-car_outbound] classifier http behavior car_outbound
[DeviceB-qospolicy-car_outbound] quit
# Apply QoS policy car_inbound to the incoming traffic of port Ten-GigabitEthernet 1/0/1.
Configuring congestion management Overview Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node. It is typical of a statistical multiplexing network and can be caused by link failures, insufficient resources, and various other causes. Figure 13 shows two typical congestion scenarios.
Figure 14 SP queuing In Figure 14, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues in the descending order of priority. SP queuing sends packets in the queue with the highest priority first. When the queue with the highest priority is empty, it sends packets in the queue with the second highest priority, and so on.
Figure 15 WRR queuing (diagram: packets to be sent through this port are classified into Queue 0 with weight 1 through Queue N-1 with weight N, scheduled, and sent out of the interface)
Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue.
WFQ queuing
Figure 16 WFQ queuing (diagram: packets to be sent through this port are classified into Queue 0 with weight 1 through Queue N-1 with weight N, scheduled, and sent out of the interface)
WFQ is similar to WRR. The difference is that WFQ enables you to set guaranteed bandwidth that a WFQ queue can get during congestion.
SP+WRR queuing
You can implement SP+WRR queuing by assigning some queues to the SP group and others to WRR groups.
Configure a queue scheduling profile, as described in "Configuring a queue scheduling profile.
Configuring WRR queuing
Configuration procedure
To configure WRR queuing:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WRR queuing.
   Command: qos wrr { byte-count | weight }
   Remarks: The default queuing algorithm on an interface is byte-count SP queuing.
4. Assign a queue to a WRR group, and configure scheduling parameters for the queue.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WFQ queuing.
   Command: qos wfq { byte-count | weight }
   Remarks: The default queuing algorithm on an interface is SP queuing.
4. Assign a queue to a WFQ group, and configure scheduling parameters for the queue.
   Command: qos wfq queue-id group { 1 | 2 } { byte-count | weight } schedule-value
5. (Optional.
Configuring SP+WRR queuing
Configuration procedure
To configure SP+WRR queuing:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WRR queuing.
   Command: qos wrr { byte-count | weight }
   Remarks: The default queuing algorithm on an interface is SP queuing.
4. Assign a queue to the SP queue scheduling group.
Configuring SP+WFQ queuing
Configuration procedure
To configure SP+WFQ queuing:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WFQ queuing.
   Command: qos wfq { byte-count | weight }
   Remarks: The default queuing algorithm on an interface is SP queuing.
4. Assign a queue to the SP queue scheduling group.
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 5 min 128000
[Sysname-Ten-GigabitEthernet1/0/1] qos wfq 6 group 2 weight 1
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 6 min 128000
[Sysname-Ten-GigabitEthernet1/0/1] qos wfq 7 group 2 weight 3
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 7 min 128000

Displaying and maintaining congestion management
Execute display commands in any view.
Task: Display SP queuing configuration.
Configuration procedure
To configure a queue scheduling profile, create the queue scheduling profile first, and then enter the queue scheduling profile view to configure its queue scheduling parameters. Finally, apply the queue scheduling profile to the specified interface. When you configure a queue scheduling profile, follow these guidelines:
• Only one queue scheduling profile can be applied to an interface.
Task: Display the configuration of the specified or all queue scheduling profiles (in standalone mode).
Command: display qos qmprofile configuration [ profile-name ] [ slot slot-number ]
Task: Display the configuration of the specified or all queue scheduling profiles (in IRF mode).
Command: display qos qmprofile configuration [ profile-name ] [ chassis chassis-number slot slot-number ]
Task: Display the queue scheduling profiles already applied to interfaces.
After the configuration is completed, interface Ten-GigabitEthernet 1/0/1 performs queue scheduling as specified in queue scheduling profile qm1.

Displaying and maintaining queue statistics
Execute display commands in any view and reset commands in user view.
Task: Display outbound queue statistics for interfaces.
Command: display qos queue-statistics interface [ interface-type interface-number ] outbound
Task: Clear outbound queue statistics for interfaces.
Configuring congestion avoidance Overview Avoiding congestion before it occurs is a proactive approach to improving network performance. As a flow control mechanism, congestion avoidance actively monitors network resources (such as queues and memory buffers), and drops packets when congestion is expected to occur or deteriorate. When dropping packets from a source end, it cooperates with the flow control mechanism (such as TCP flow control) at the source end to regulate the network traffic size.
ECN By dropping packets, WRED alleviates the influence of congestion on the network. However, the network resources for transmitting packets from the sender to the device which drops the packets are wasted. When congestion occurs, it is a better idea to inform the sender of the congestion status and have the sender proactively slow down the packet sending rate or decrease the window size of packets. This better utilizes the network resources.
• Upper threshold and lower threshold—When the average queue size is smaller than the lower threshold, packets are not dropped. When the average queue size is between the lower threshold and the upper threshold, the packets are dropped based on the user-configured drop probability. When the average queue size exceeds the upper threshold, subsequent packets are dropped. • Drop priority—A parameter used for packet drop.
Task: Display the configuration of a specified WRED table or all WRED tables (in standalone mode).
Command: display qos wred table [ name table-name ] [ slot slot-number ]
Task: Display the configuration of a specified WRED table or all WRED tables (in IRF mode).
[Sysname-wred-table-queue-table1] queue 7 drop-level 2 low-limit 512 high-limit 1024 discard-probability 10
[Sysname-wred-table-queue-table1] queue 7 ecn
[Sysname-wred-table-queue-table1] quit
# Apply the queue-based WRED table to interface Ten-GigabitEthernet 1/0/2.
Configuring traffic filtering
You can filter in or filter out traffic of a class by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
Configuration procedure
To configure traffic filtering:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a traffic class and enter traffic class view.
Configuration example
Network requirements
As shown in Figure 18, configure traffic filtering to filter the packets that are received on Ten-GigabitEthernet 1/0/1 and whose source port is not 21.
Figure 18 Network diagram
Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets whose source port number is 21.
Configuring priority marking Overview Priority marking sets the priority fields or flag bits of packets to modify the priority of packets. For example, you can use priority marking to set IP precedence or DSCP for a traffic class of IP packets to control the forwarding of these packets. To configure priority marking, you can associate a traffic class with a traffic behavior configured with the priority marking action to set the priority fields or flag bits of the traffic class of packets.
Configuring color-based priority marking This section describes how to configure color-based priority marking. Configuring priority marking based on colors obtained through traffic policing After traffic policing evaluates and colors packets, the device can mark traffic with various priority values (including DSCP values, 802.1p priority values, and local precedence values) by color.
Command:
• Set the DSCP value for packets: remark [ green | red | yellow ] dscp dscp-value
• Set the 802.1p priority for packets or configure the inner-to-outer tag priority copying function: remark [ green | red | yellow ] dot1p dot1p-value
  remark dot1p customer-dot1p-trust
• Set the drop priority for packets:
Remarks: Use one or more of the commands. By default, no priority marking action is configured. The switch supports local QoS IDs in the range of 1 to 3999.
6.
9. Associate the traffic class with the traffic behavior in the QoS policy.
   Command: classifier classifier-name behavior behavior-name
   Remarks: By default, a traffic class is not associated with a traffic behavior.
10. Return to system view.
   Command: quit
   Remarks: N/A
11. Apply the QoS policy.
   • Applying the QoS policy to an interface
   • Applying the QoS policy to a VLAN
   • Applying the QoS policy globally
12. (Optional.) Display the priority marking configuration.
Traffic source: Host A, B. Destination: File server. Processing priority: Low.
Figure 19 Network diagram
Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
<Device> system-view
[Device] acl number 3000
[Device-acl-adv-3000] rule permit ip destination 192.168.0.1 0
[Device-acl-adv-3000] quit
# Create advanced ACL 3001, and configure a rule to match packets with destination IP address 192.168.0.2.
[Device] traffic classifier classifier_fserver
[Device-classifier-classifier_fserver] if-match acl 3002
[Device-classifier-classifier_fserver] quit
# Create a traffic behavior named behavior_dbserver, and configure the action of setting the local precedence value to 4.
Figure 20 Network diagram (SwitchA connects through XGE1/0/1 to the IP network; Admin dept. 192.168.1.0/24, R&D dept. 192.168.2.0/24, Marketing dept1. 192.168.3.0/24, Marketing dept2. 192.168.4.0/24)
Configuration considerations
• Configure two classes to match the traffic from the administration department and the R&D department, respectively, and then configure traffic policing behaviors for the two classes.
[SwitchA-classifier-rd] if-match acl 2002
[SwitchA-classifier-rd] quit
# Create traffic behavior car_admin_rd, and configure traffic policing to limit the traffic rate to 102400 kbps.
[SwitchA] traffic behavior car_admin_rd
[SwitchA-behavior-car_admin_rd] car cir 102400
[SwitchA-behavior-car_admin_rd] quit
# Create QoS policy car, and associate classes admin and rd with behavior car_admin_rd.
# In QoS policy car, associate class marketing_car with behavior marketing_car to limit the traffic rate of traffic with local QoS ID 100.
[SwitchA-qospolicy-car] classifier marketing_car behavior marketing_car
[SwitchA-qospolicy-car] quit
# Apply QoS policy car to the incoming traffic of Ten-GigabitEthernet1/0/1.
Configuring nesting

Nesting adds a VLAN tag to the matching packets to allow the VLAN-tagged packets to pass through the corresponding VLAN. For example, you can add an outer VLAN tag to packets from a customer network to a service provider network. This allows the packets to pass through the service provider network by carrying a VLAN tag assigned by the service provider.

Configuration procedure

To configure nesting:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
11. Apply the QoS policy.
   Command:
   • Applying the QoS policy to an interface
   • Applying the QoS policy to a VLAN
   • Applying the QoS policy globally
   Remarks: Choose one of the application destinations as needed. By default, a QoS policy is not applied.

Configuration example

Network requirements

As shown in Figure 21, Site 1 and Site 2 in VPN A are two branches of a company, and they use VLAN 5 to transmit traffic.
# Create a QoS policy named test, and associate class test with behavior test in the QoS policy.
[PE1] qos policy test
[PE1-qospolicy-test] classifier test behavior test
[PE1-qospolicy-test] quit
# Configure the downlink port Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign the port to VLAN 100 as an untagged member.
Configuring traffic redirecting

Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing.

The following redirect actions are supported:
• Redirecting traffic to the CPU—Redirects packets that require processing by the CPU to the CPU.
• Redirecting traffic to an interface—Redirects packets that require processing by an interface to the interface.
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: By default, no QoS policy exists.
9. Associate the traffic class with the traffic behavior in the QoS policy.
   Command: classifier classifier-name behavior behavior-name
   Remarks: By default, no class-behavior association is configured for a QoS policy.
10. Return to system view.
   Command: quit
   Remarks: N/A
11. Apply the QoS policy.
   Remarks: Choose one of the application destinations as needed.
Figure 22 Network diagram

Configuration procedure

# Create basic ACL 2000, and configure a rule to match packets with source IP address 2.1.1.1.
<DeviceA> system-view
[DeviceA] acl number 2000
[DeviceA-acl-basic-2000] rule permit source 2.1.1.1 0
[DeviceA-acl-basic-2000] quit
# Create basic ACL 2001, and configure a rule to match packets with source IP address 2.1.1.2.
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 2.1.1.
[DeviceA] interface Ten-GigabitEthernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] qos apply policy policy inbound
Configuring aggregate CAR

Aggregate CAR

An aggregate CAR action is created globally and can be directly applied to interfaces or referenced in the traffic behaviors associated with different traffic classes to police multiple traffic flows as a whole. The total rate of the traffic flows must conform to the traffic policing specifications set in the aggregate CAR action.

Configuring aggregate CAR

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an aggregate CAR action.
Figure 23 Network diagram

Configuration procedure

# Configure an aggregate CAR according to the rate limit requirements.
<Device> system-view
[Device] qos car aggcar-1 aggregative cir 2560 cbs 20000 red discard
# Create class 1 to match traffic of VLAN 10. Create behavior 1 and reference the aggregate CAR in the behavior.
[Device] interface Ten-GigabitEthernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] qos apply policy car inbound
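The following added example (not part of the HP guide) simulates the aggcar-1 action above, cir 2560 and cbs 20000 with red packets discarded, as one token bucket shared by two classes, and compares it with giving each class its own bucket of the same size. The traffic rates, the class names, the CBS unit (bytes) and the full initial bucket are assumptions made for the simulation.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    """Single-rate policer. CIR is in kbps as on the page; CBS is taken as bytes (assumption)."""
    cir_kbps: int
    cbs_bytes: int
    tokens: float = 0.0
    last_us: int = 0

    def __post_init__(self):
        self.tokens = self.cbs_bytes             # assumption: the bucket starts full

    def conforms(self, now_us: int, size: int) -> bool:
        # kbps * microseconds / 8000 = bytes earned since the previous packet
        earned = (now_us - self.last_us) * self.cir_kbps / 8000
        self.tokens = min(self.cbs_bytes, self.tokens + earned)
        self.last_us = now_us
        if size <= self.tokens:
            self.tokens -= size
            return True                          # conforming packet: forwarded
        return False                             # red packet: dropped ("red discard")

def offered_load(flows, seconds):
    """Constructed traffic. flows maps class name -> (packets per second, packet bytes)."""
    events = []
    for name, (pps, size) in flows.items():
        events += [(i * 1_000_000 // pps, name, size) for i in range(pps * seconds)]
    return sorted(events)                        # (time in microseconds, class, bytes)

def police(events, bucket_for, seconds):
    """Forwarded kbps per class; bucket_for(name) returns the bucket that class is charged to."""
    passed = {name: 0 for _, name, _ in events}
    for now_us, name, size in events:
        if bucket_for(name).conforms(now_us, size):
            passed[name] += size
    return {name: total * 8 / 1000 / seconds for name, total in passed.items()}

def compare(seconds=10):
    # Constructed load with 1000-byte packets: class1 offers 4000 kbps, class2 offers 1000 kbps.
    flows = {"class1": (500, 1000), "class2": (125, 1000)}
    events = offered_load(flows, seconds)
    shared = TokenBucket(2560, 20000)            # aggregate CAR: one bucket for both classes
    aggregate = police(events, lambda name: shared, seconds)
    own = {name: TokenBucket(2560, 20000) for name in flows}   # separate bucket per class
    per_class = police(events, lambda name: own[name], seconds)
    return aggregate, per_class

if __name__ == "__main__":
    for label, result in zip(("aggregate CAR", "per-class CAR"), compare()):
        print(label, result)
```

With the shared bucket the combined rate stays at the configured limit, and the lighter class loses most of its traffic once the heavier class has drained the burst allowance; that trade-off is worth checking before putting unrelated classes under one aggregate CAR.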
Configuring class-based accounting

Class-based accounting collects statistics (in packets or bytes) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you can determine whether anomalies have occurred and what action to take.

Configuration procedure

To configure class-based accounting:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
Step Command Remarks
• In standalone mode:
12. Display traffic accounting configuration.
[Device-acl-basic-2000] rule permit source 1.1.1.1 0
[Device-acl-basic-2000] quit
# Create a traffic class named classifier_1, and use ACL 2000 as the match criterion in the traffic class.
[Device] traffic classifier classifier_1
[Device-classifier-classifier_1] if-match acl 2000
[Device-classifier-classifier_1] quit
# Create a traffic behavior named behavior_1, and configure the class-based accounting action.
Configuring time ranges

You can implement a service based on the time of the day by applying a time range to it. A time-based service takes effect only during the time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them. If a time range does not exist, the service based on the time range does not take effect.

The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
Figure 25 Network diagram

Configuration procedure

# Create a periodic time range between 8:00 and 18:00 on working days from June 2013 to the end of the year.
<DeviceA> system-view
[DeviceA] time-range work 8:0 to 18:0 working-day from 0:0 6/1/2013 to 24:0 12/31/2013
# Create an IPv4 basic ACL numbered 2001, and configure a rule in the ACL to permit only packets from 192.168.1.2/32 during the time range work.
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 192.168.1.
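The following added example (not part of the HP guide) parses the time-range statement above and evaluates whether the ACL rule bound to time range work is in effect at a given moment, which is useful when reviewing when a time-based permit rule actually opens access. The function names are hypothetical, off-day and daily are Comware keywords that this page does not show, and treating the daily end time as exclusive is an assumption.

```python
import re
from datetime import datetime, timedelta

# working-day is used on the page; off-day and daily are Comware keywords not shown on this page.
DAY_SETS = {"working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}, "daily": set(range(7))}

PATTERN = re.compile(
    r"time-range (?P<name>\S+) (?P<start>\d+:\d+) to (?P<end>\d+:\d+) (?P<days>\S+)"
    r"(?: from (?P<ft>\d+:\d+) (?P<fd>\S+))?(?: to (?P<tt>\d+:\d+) (?P<td>\S+))?$")

def _minutes(hhmm):
    hours, minutes = map(int, hhmm.split(":"))
    return hours * 60 + minutes

def _moment(hhmm, date):
    month, day, year = map(int, date.split("/"))      # MM/DD/YYYY as in the page's command
    return datetime(year, month, day) + timedelta(minutes=_minutes(hhmm))   # copes with 24:0

def parse_time_range(line):
    m = PATTERN.match(line.strip())
    if not m or m["days"] not in DAY_SETS:
        raise ValueError(f"unsupported time-range statement: {line!r}")
    return {
        "name": m["name"],
        "start": _minutes(m["start"]), "end": _minutes(m["end"]),
        "days": DAY_SETS[m["days"]],
        "not_before": _moment(m["ft"], m["fd"]) if m["ft"] else None,
        "not_after": _moment(m["tt"], m["td"]) if m["tt"] else None,
    }

def is_active(tr, when):
    """True when both the absolute window and the periodic window contain `when`."""
    if tr["not_before"] and when < tr["not_before"]:
        return False
    if tr["not_after"] and when >= tr["not_after"]:
        return False
    minute = when.hour * 60 + when.minute
    # Assumption: the periodic window is half-open, so 18:00 itself is outside 8:0 to 18:0.
    return when.weekday() in tr["days"] and tr["start"] <= minute < tr["end"]

WORK = parse_time_range(
    "time-range work 8:0 to 18:0 working-day from 0:0 6/1/2013 to 24:0 12/31/2013")

def rule_in_effect(when):
    """Whether the ACL 2001 rule bound to time range work is active at `when`."""
    return is_active(WORK, when)
```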
Appendixes

Appendix A Default priority maps

For the default dot1p-exp, dscp-dscp, and exp-dot1p priority maps, an input value yields a target value equal to it.
Appendix B Introduction to packet precedences

IP precedence and DSCP values

Figure 26 ToS and DS fields (figure labels: IPv4 ToS byte, bits 0 to 7, IP Type of Service (ToS) RFC 791: Precedence (RFC 1122), Type of Service (RFC 1349), MBZ (Must Be Zero); DS-Field (for IPv4, ToS octet, and for IPv6, Traffic Class octet), bits 0 to 7, Differentiated Services Codepoint (DSCP) RFC 2474: DSCP, Class Selector codepoints, CU (Currently Unused))

As shown in Figure 26, the ToS field in the IP header contains eight bits
DSCP value (decimal) | DSCP value (binary) | Description
28 | 011100 | af32
30 | 011110 | af33
34 | 100010 | af41
36 | 100100 | af42
38 | 100110 | af43
8 | 001000 | cs1
16 | 010000 | cs2
24 | 011000 | cs3
32 | 100000 | cs4
40 | 101000 | cs5
48 | 110000 | cs6
56 | 111000 | cs7
0 | 000000 | be (default)

802.1p priority

802.1p priority lies in the Layer 2 header and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.

Figure 27 An Ethernet frame with an 802.
Table 12 Description on 802.1p priority

802.1p priority (decimal) | 802.1p priority (binary) | Description
0 | 000 | best-effort
1 | 001 | background
2 | 010 | spare
3 | 011 | excellent-effort
4 | 100 | controlled-load
5 | 101 | video
6 | 110 | voice
7 | 111 | network-management

EXP values

The EXP field is in MPLS labels for MPLS QoS purposes.

Figure 29 MPLS label structure

As shown in Figure 29, the EXP field is 3 bits long and is in the range of 0 to 7.
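The following added example (not part of the HP guide) extracts the three precedence fields described in this appendix, 802.1p priority, IP precedence/DSCP, and MPLS EXP, from raw Ethernet frames and names them with the keywords used in the tables above. The field offsets follow the 802.1Q, RFC 2474 and RFC 3032 layouts; the function names and the two sample frames are constructed for illustration.

```python
import struct

# 802.1p names from Table 12 on this page, indexed by priority value.
DOT1P = ["best-effort", "background", "spare", "excellent-effort",
         "controlled-load", "video", "voice", "network-management"]

def dscp_name(dscp):
    """Keyword for a 6-bit DSCP value, following the naming used in the DSCP table."""
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"
    if dscp & 0b000111 == 0:
        return f"cs{dscp >> 3}"                  # class selector: low three bits are zero
    af_class, drop = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= af_class <= 4 and drop and not dscp & 1:
        return f"af{af_class}{drop}"             # for example 011100 -> af32
    return f"dscp-{dscp}"                        # value without a keyword

def precedences(frame: bytes) -> dict:
    """Extract 802.1p, IP precedence/DSCP or MPLS EXP from one Ethernet frame."""
    found = {}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == 0x8100:                      # 802.1Q tag: priority is the top 3 bits of the TCI
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        found["dot1p"], found["vlan"] = DOT1P[tci >> 13], tci & 0x0FFF
        offset = 18
    if ethertype == 0x0800:                      # IPv4: the ToS/DS byte is the second header byte
        tos = frame[offset + 1]
        found["ip_precedence"] = tos >> 5        # upper 3 bits
        found["dscp"] = dscp_name(tos >> 2)      # upper 6 bits
    elif ethertype == 0x8847:                    # MPLS entry: label(20) | EXP(3) | S(1) | TTL(8)
        (entry,) = struct.unpack_from("!I", frame, offset)
        found["exp"] = (entry >> 9) & 0b111
    return found

# Constructed sample frames (zeroed MAC addresses, cut off after the fields of interest).
MACS = bytes(12)
TAGGED_IPV4 = MACS + struct.pack("!HHH", 0x8100, (5 << 13) | 5, 0x0800) + bytes([0x45, 28 << 2])
MPLS_FRAME = MACS + struct.pack("!HI", 0x8847, (100 << 12) | (4 << 9) | (1 << 8) | 64)

if __name__ == "__main__":
    print(precedences(TAGGED_IPV4))
    print(precedences(MPLS_FRAME))
```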
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.