HP FlexFabric 11900 Switch Series ACL and QoS Configuration Guide Part number: 5998-4064 Software version: Release 2105 and later Document version: 6W100-20130515
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Configuring ACLs: Overview; Applications on the switch
Configuring a QoS policy: Configuration guidelines; Configuration procedure; Defining a traffic behavior; Defining a QoS policy
Configuring congestion management: Impacts and countermeasures; Congestion management techniques; Configuration approaches and task list; Configuring SP queuing
Configuration examples: Remarking local precedence configuration example; Remarking local QoS ID configuration example; Configuring nesting
Conventions
Index
Configuring ACLs

Overview
An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

Applications on the switch
An ACL is implemented in hardware or software, depending on the module that uses it. If the module is implemented in hardware (for example, the packet filter or QoS module), the ACL is applied to hardware to process traffic.
For an IPv4 basic or advanced ACL, the ACL number and name must be unique among IPv4 ACLs. For an IPv6 basic or advanced ACL, the ACL number and name must be unique among IPv6 ACLs.

Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in that rule. If an ACL contains overlapping or conflicting rules, the matching result and the action taken depend on the rule order: a broad permit placed before a narrow deny silently defeats the deny.
A wildcard mask marks which bits of the address in an IP address criterion are checked: a 0 bit means the packet's address bit must equal the criterion's bit (a "care" bit), and a 1 bit is ignored (a "don't care" bit). If all care bits of a packet's IP address equal those in the criterion, the IP address matches the criterion. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.

Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID.
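The following Python model is an added example and not part of the HP guide. It shows wildcard-mask matching (including a noncontiguous mask) and the first-match semantics described under "Match order": the same two overlapping rules give opposite answers for one host depending on their order. The automatic numbering rule in next_rule_id (first rule 0, then the next multiple of the step above the highest existing ID, default step 5) is an assumption about Comware behaviour, not something this page states; the rule sets are constructed.

```python
import ipaddress

# Added example (not from the HP guide): IPv4 basic-ACL source matching with
# wildcard masks and first-match rule order. next_rule_id() encodes an
# ASSUMED auto-numbering rule; the page only says the system assigns an ID.

def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True if addr matches rule_addr under the wildcard mask.

    A 0 bit in the mask means "must match", a 1 bit means "don't care";
    the 1 bits need not be contiguous (0.255.0.255 is a valid mask).
    """
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # the bits the rule actually checks
    return (a ^ r) & care == 0

# "source any" is address 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

def evaluate(rules, src: str, default: str = "permit"):
    """Walk rules in ID order; the first match ends the search, as in the guide.

    `default` is what the caller wants when no rule matches (assumed here to
    be permit; the page does not state the module's default action).
    """
    for rule_id, action, rule_addr, wildcard in sorted(rules):
        if wildcard_match(src, rule_addr, wildcard):
            return action, rule_id
    return default, None

def next_rule_id(existing_ids, step: int = 5) -> int:
    """ASSUMED auto-numbering: first rule gets 0, later rules get the smallest
    multiple of `step` greater than the current highest rule ID."""
    if not existing_ids:
        return 0
    return (max(existing_ids) // step + 1) * step

# Constructed rule sets: the same two rules, permit-first versus deny-first.
# Rules are (rule-id, action, source-address, source-wildcard).
PERMIT_SUBNET_FIRST = [
    (0, "permit", "192.168.0.0", "0.0.0.255"),
    (5, "deny", "192.168.0.100", "0.0.0.0"),
]
DENY_HOST_FIRST = [
    (0, "deny", "192.168.0.100", "0.0.0.0"),
    (5, "permit", "192.168.0.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for name, rules in (("permit-first", PERMIT_SUBNET_FIRST), ("deny-first", DENY_HOST_FIRST)):
        print(name, evaluate(rules, "192.168.0.100"))
    print("noncontiguous 0.255.0.255 matches 10.77.0.9:",
          wildcard_match("10.77.0.9", "10.0.0.0", "0.255.0.255"))
    print("next auto rule id after 0,5,12:", next_rule_id([0, 5, 12]))
```

The deny-first set is the one that actually blocks 192.168.0.100; with permit-first the host rule is never reached. When reviewing an ACL, check every deny against the permits numbered below it.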
Tasks at a glance
(Required.) Perform at least one of the following tasks:
• Configuring a basic ACL
  • Configuring an IPv4 basic ACL
  • Configuring an IPv6 basic ACL
• Configuring an advanced ACL
  • Configuring an IPv4 advanced ACL
  • Configuring an IPv6 advanced ACL
• Configuring an Ethernet frame header ACL
(Optional.) Copying an ACL
(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
Step 5. Create or edit a rule.
  rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  By default, an IPv4 basic ACL does not contain any rule. The logging keyword takes effect only when the module that uses the ACL (for example, packet filtering) supports logging.
Step 6. (Optional.) Add or edit a rule comment.
  rule rule-id comment text
Step 6. (Optional.) Add or edit a rule comment.
  rule rule-id comment text
  By default, no rule comments are configured.

Configuring an advanced ACL
This section describes procedures for configuring IPv4 and IPv6 advanced ACLs. Both procedures end with step 5 (create or edit a rule) and step 6 (optionally add or edit a rule comment).
Step 3. (Optional.) Configure a description for the Ethernet frame header ACL.
  description text
  By default, an Ethernet frame header ACL has no ACL description.
Step 4. (Optional.) Set the rule numbering step.
  step step-value
  The default setting is 5.
Step 5. Create or edit a rule.
Configuring packet filtering with ACLs
Step 1. Enter system view.
  system-view
Step 2. Enter Ethernet interface view or VLAN interface view.
  interface interface-type interface-number
Step 3. Apply an ACL to the interface to filter packets.
  packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]
  By default, an interface does not filter packets. You can apply a maximum of one ACL to the same direction of an interface.
Task: Display whether an ACL has been successfully applied to an interface for packet filtering (in standalone mode).
  display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }
Task: Display whether an ACL has been successfully applied to an interface for packet filtering (in IRF mode).
Figure 1 Network diagram

Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
system-view
[DeviceA] time-range work 08:00 to 18:00 working-day
# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL.
Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that the database server can be pinged.
QoS overview In data communications, Quality of Service (QoS) is a network's ability to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS. Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones. For example, when bandwidth is fixed, more bandwidth for one traffic flow means less bandwidth for the other traffic flows.
DiffServ model The differentiated service (DiffServ) model is a multiple-service model that can meet diverse QoS requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve resources before sending data, as IntServ does. All QoS techniques in this document are based on the DiffServ model. QoS techniques overview The QoS techniques include traffic classification, traffic policing, traffic shaping, rate limit, congestion management, and congestion avoidance.
• Congestion management—Provides a resource scheduling policy to determine the packet forwarding sequence when congestion occurs. Congestion management usually applies to the outgoing traffic of a port. • Congestion avoidance—Monitors the network resource usage, and is usually applied to the outgoing traffic of a port. When congestion worsens, congestion avoidance reduces the queue length by dropping packets.
Configuring a QoS policy The switch operates in IRF or standalone (the default) mode. For information about the IRF mode, see IRF Configuration Guide. You can configure QoS by using the MQC approach or non-MQC approach. Some features support both approaches, but some support only one. Non-MQC approach In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the rate limit feature to set a rate limit on an interface without using a QoS policy.
Figure 3 QoS policy configuration procedure

Defining a traffic class
Configuration guidelines
If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id, or if-match service-vlan-id clauses, a packet that matches any of those clauses matches the class. Such clauses are therefore ORed rather than ANDed: a class intended to require two ACLs to match will match on either one, which can make a filtering or policing policy apply to more traffic than intended.
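The following Python model is an added example and not part of the HP guide. It evaluates a traffic class under the AND and OR operators and reproduces the guideline above: under AND, several if-match acl clauses are satisfied when any one of them matches. Grouping those clauses by kind and ANDing each group with the remaining criteria is this example's interpretation of the text; the ACLs (modelled as sets of permitted source addresses), the DSCP criterion and the packets are constructed.

```python
from collections import defaultdict

# Added example (not from the HP guide): traffic-class operator semantics.
# Clause kinds in OR_WITHIN_KIND are the ones the guide says match on "any"
# even under operator AND; treating them as a group that is then ANDed with
# the other kinds is an ASSUMPTION of this model.

OR_WITHIN_KIND = {"acl", "acl ipv6", "customer-vlan-id", "service-vlan-id"}

ACL_DB = {                       # constructed: ACL number -> permitted sources
    3000: {"10.0.0.1"},
    3001: {"10.0.0.2"},
}

class TrafficClass:
    def __init__(self, name, operator="and"):
        self.name, self.operator, self.clauses = name, operator, []

    def if_match(self, kind, value):
        """Mirrors one `if-match` line in traffic class view."""
        self.clauses.append((kind, value))
        return self

def clause_matches(kind, value, packet) -> bool:
    if kind == "acl":
        return packet.get("src") in ACL_DB.get(value, set())
    if kind == "customer-vlan-id":
        return packet.get("cvlan") == value
    if kind == "dscp":
        return packet.get("dscp") == value
    raise ValueError(f"unsupported match kind {kind!r}")

def class_matches(tc: TrafficClass, packet) -> bool:
    if tc.operator == "or":
        return any(clause_matches(k, v, packet) for k, v in tc.clauses)
    groups = defaultdict(list)
    for kind, value in tc.clauses:
        groups[kind].append(value)
    for kind, values in groups.items():
        hits = [clause_matches(kind, v, packet) for v in values]
        ok = any(hits) if kind in OR_WITHIN_KIND else all(hits)
        if not ok:
            return False
    return True

# The trap: two ACL clauses under AND still match on either ACL alone.
BOTH_ACLS = TrafficClass("both_acls").if_match("acl", 3000).if_match("acl", 3001)
# An ACL clause ANDed with a different kind behaves as a real conjunction.
ACL_AND_EF = TrafficClass("acl_ef").if_match("acl", 3000).if_match("dscp", 46)

if __name__ == "__main__":
    for pkt in ({"src": "10.0.0.1"}, {"src": "10.0.0.2"}, {"src": "10.0.0.3"}):
        print("both_acls", pkt, class_matches(BOTH_ACLS, pkt))
    print("acl_ef", class_matches(ACL_AND_EF, {"src": "10.0.0.1", "dscp": 0}))
```

If the intent really is "packets permitted by both ACLs", fold the criteria into one ACL whose rules express the conjunction, rather than stacking if-match acl clauses in one class.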
Step 3. Configure match criteria.
  if-match match-criteria
  By default, no match criterion is configured. Table 2 shows the available match criteria. For more information, see the if-match command in ACL and QoS Command Reference.

Table 2 Available match criteria
  acl [ ipv6 ] { acl-number | name acl-name }: Matches an ACL. The acl-number argument is in the range of 2000 to 3999 for an IPv4 ACL, 2000 to 3999 for an IPv6 ACL, and 4000 to 4999 for an Ethernet frame header ACL.
  any: Matches all packets.
  qos-local-id local-id-value: Matches a local QoS ID in the range of 1 to 4095. The switch supports local QoS IDs in the range of 1 to 3999.
  service-dot1p dot1p-value&<1-8>: Matches the 802.1p priority of the service provider network. The argument is a list of up to eight 802.1p priority values, each in the range of 0 to 7.
  service-vlan-id: Matches the service provider VLAN IDs (SVLANs).
Step 3. Associate a traffic class with a traffic behavior to create a class-behavior association in the QoS policy.
  classifier classifier-name behavior behavior-name [ mode dcbx ]
  By default, a traffic class is not associated with a traffic behavior. Repeat this step to create more class-behavior associations. If a class-behavior association has the mode dcbx keyword, it applies only to the Data Center Bridging Exchange Protocol (DCBX).
Applying the QoS policy to a VLAN
You can apply a QoS policy to a VLAN to regulate traffic of the VLAN.
Configuration restrictions and guidelines
QoS policies cannot be applied to dynamic VLANs.
Configuration procedure
To apply the QoS policy to a VLAN:
Step 1. Enter system view.
  system-view
Step 2. Apply the QoS policy to VLANs.
  qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
  By default, no QoS policy is applied to a VLAN.
The switch uses a protocol type or protocol group type to identify the type of packets sent to the control plane. You can reference protocol types or protocol group types in if-match commands in traffic class view for traffic classification and then re-configure traffic behaviors for these traffic classes as required. You can use the display qos policy control-plane pre-defined command to display them.
Display information about QoS policies applied to a control plane (in standalone mode).
  display qos policy control-plane slot slot-number [ inbound ]
Display information about QoS policies applied to a control plane (in IRF mode).
  display qos policy control-plane chassis chassis-number slot slot-number [ inbound ]
Display information about the pre-defined QoS policy applied to the control plane (in standalone mode).
Configuring priority mapping Overview When a packet arrives, depending on your configuration, a device assigns a set of QoS priority parameters to the packet based on either a certain priority field carried in the packet or the port priority of the incoming port. This process is called "priority mapping." During this process, the device can modify the priority of the packet according to the priority mapping rules.
Priority trust mode on a port
The priority trust mode on a port determines which priority is used for priority mapping table lookup. Port priority was introduced for priority mapping in addition to the priority fields carried in packets. The Switch Series provides the following priority trust modes:
• Using the 802.1p priority carried in packets for priority mapping.
Table 3 Priority mapping results of trusting the 802.1p priority (when the default dot1p-lp priority mapping table is used)
Priority mapping process On receiving an Ethernet packet on a port, the switch marks the scheduling priorities (local precedence and drop precedence) for the Ethernet packet. This process is done according to the priority trust mode of the receiving port and the 802.1q tagging status of the packet, as shown in Figure 4.
Figure 5 Priority mapping process for an MPLS packet

Priority mapping configuration tasks
You can modify priority mappings by modifying priority mapping tables, the priority trust mode on a port, and port priority. To configure priority mapping, perform the following tasks:
Tasks at a glance
(Optional.) Configuring a priority map
(Required.
Step 1. Enter system view.
  system-view
Step 2. Enter priority map view.
  qos map-table { dot1p-dp | dot1p-exp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp | exp-dot1p }
  The dscp-dot1p priority map does not take effect on interfaces on SF cards.
Step 3. Configure mappings for the priority map.
  import import-value-list export export-value
  By default, the default priority maps are used. For more information, see "Appendix." Newly configured mappings overwrite the old ones.
Changing the port priority of an interface
If an interface does not trust any packet priority, the device uses its port priority to look up the set of priority parameters for the incoming packets. By changing port priority, you can prioritize traffic received on different interfaces. To change the port priority of an interface:
Step 1. Enter system view.
  system-view
Step 2. Enter interface view.
  interface interface-type interface-number
Step 3. Set the port priority of the interface.
  qos priority priority-value
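The following Python model is an added example and not part of the HP guide. It puts the three pieces above together: a dot1p-lp map edited with import/export mappings (later settings overwrite earlier ones), a port that either trusts the 802.1p priority of tagged frames or trusts nothing, and the lookup that yields the local precedence. Two readings of the text are assumptions of the model: that an untrusted port feeds its port priority into the dot1p-lp table, and that a dot1p-trusting port does the same for an untagged frame. The real default dot1p-lp table is in the guide's appendix (not on this page), so an identity table stands in for it; the 3/4/5 to 2/6/4 mappings are taken from the priority mapping example later in this chapter, and the "uplink" port is constructed.

```python
# Added example (not from the HP guide): priority trust mode, port priority
# and dot1p-lp lookup. ASSUMED: untrusted ports and untagged frames use the
# port priority as the 802.1p value; identity table stands in for the
# appendix default.

def identity_map():
    """Placeholder for the default dot1p-lp table (real default is in the appendix)."""
    return {p: p for p in range(8)}

def set_mapping(table, import_values, export_value):
    """qos map-table ... import import-value-list export export-value:
    each import value now maps to export_value; a later command overwrites."""
    for v in import_values:
        table[v] = export_value
    return table

def trusted_dot1p(packet, port):
    """The 802.1p value that is fed into the dot1p-lp table lookup."""
    if port.get("trust") == "dot1p" and "pcp" in packet:
        return packet["pcp"]            # tagged frame on a port that trusts 802.1p
    return port["priority"]             # untrusted port, or untagged frame (ASSUMED)

def local_precedence(packet, port, dot1p_lp):
    """Local precedence assigned to `packet` received on `port`."""
    return dot1p_lp[trusted_dot1p(packet, port)]

# dot1p-lp table as configured in the example later on this page: 3->2, 4->6, 5->4.
DOT1P_LP = set_mapping(set_mapping(set_mapping(identity_map(), [3], 2), [4], 6), [5], 4)

PORTS = {
    "XGE1/0/2": {"trust": None, "priority": 4},      # from the example on this page
    "XGE1/0/3": {"trust": None, "priority": 5},      # from the example on this page
    "uplink":   {"trust": "dot1p", "priority": 0},   # constructed trusting port
}

if __name__ == "__main__":
    print("tagged pcp 7 on untrusted XGE1/0/2 ->",
          local_precedence({"pcp": 7}, PORTS["XGE1/0/2"], DOT1P_LP))
    print("tagged pcp 5 on trusting uplink   ->",
          local_precedence({"pcp": 5}, PORTS["uplink"], DOT1P_LP))
```

The first print is the security-relevant case: on a port that trusts nothing, a host tagging its own frames with 802.1p 7 gets the port's priority, not the one it asked for. Trust 802.1p only on ports facing devices you control.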
Figure 6 Network diagram (Device A, Device B, Device C, a server, and the Internet, connected through ports XGE1/0/1, XGE1/0/2, and XGE1/0/3)

Configuration procedure
# Assign port priority to Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2. Make sure that the priority of Ten-GigabitEthernet 1/0/1 is higher than that of Ten-GigabitEthernet 1/0/2, and that no trusted packet priority type is configured on Ten-GigabitEthernet 1/0/1 or Ten-GigabitEthernet 1/0/2.
Table 5 Configuration plan
Traffic priority order by destination:
  Public servers: R&D department > management department > marketing department
  Internet: management department > marketing department > R&D department
Queuing plan (traffic source, output queue, queue priority):
  Traffic to the public servers: R&D department, queue 6, high; management department, queue 4, medium; marketing department, queue 2, low
  Traffic to the Internet: R&D department, queue 2, low; management department, queue 6, high; marketing department, queue 4, medium

Figure 7 Network diagram

Configuration procedure
1. Configure port priorities:
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] qos priority 4
[Device-Ten-GigabitEthernet1/0/2] quit
# Set the port priority of Ten-GigabitEthernet 1/0/3 to 5.
[Device] interface ten-gigabitethernet 1/0/3
[Device-Ten-GigabitEthernet1/0/3] qos priority 5
[Device-Ten-GigabitEthernet1/0/3] quit
2. Configure the priority mapping table:
# Configure the 802.1p-to-local mapping table to map 802.1p priority values 3, 4, and 5 to local precedence values 2, 6, and 4.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] qos apply policy market inbound
# Configure a priority marking policy for the R&D department, and apply the policy to the incoming traffic of Ten-GigabitEthernet 1/0/2.
Configuring traffic policing, GTS, and rate limit Overview Traffic policing helps assign network resources (including bandwidth) and increase network performance. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic. Traffic policing, Generic Traffic Shaping (GTS), and rate limit control the traffic rate and resource usage according to traffic specifications.
CBS is implemented with bucket C, and EBS with bucket E. When only the CIR is used for traffic evaluation, packets are measured against the following bucket scenarios:
• If bucket C has enough tokens, packets are colored green.
• If bucket C does not have enough tokens but bucket E has enough tokens, packets are colored yellow.
• If neither bucket C nor bucket E has sufficient tokens, packets are colored red.
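The following Python model is an added example and not part of the HP guide. It implements the two-bucket marker described above: bucket C holds at most CBS bytes, bucket E at most EBS bytes, both start full, and a packet is green, yellow or red depending on which bucket can pay for it. The refill rule (tokens arrive at CIR into C, and once C is full the surplus spills into E) follows the single-rate three-color marker of RFC 2697 and is an assumption, because this page does not say how bucket E is filled. police_aggregate shows that feeding one marker instance with packets from several classes is exactly what the aggregate CAR described later in this guide does. Packet traces are constructed.

```python
# Added example (not from the HP guide): single-rate, two-bucket marker.
# ASSUMED refill (RFC 2697 style): C fills at CIR, overflow spills into E.

class SingleRateMarker:
    def __init__(self, cir_kbps: float, cbs: int, ebs: int):
        self.rate = cir_kbps * 1000 / 8       # CIR expressed in bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.c, self.e = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        self.c += (now - self.last) * self.rate
        self.last = now
        if self.c > self.cbs:                 # surplus beyond CBS spills into E
            self.e = min(self.ebs, self.e + self.c - self.cbs)
            self.c = float(self.cbs)

    def color(self, size: int, now: float) -> str:
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.c >= size:
            self.c -= size
            return "green"
        if self.e >= size:
            self.e -= size
            return "yellow"
        return "red"

# Typical action per color; the guide's car command lets you choose per color.
ACTIONS = {"green": "pass", "yellow": "pass and re-mark", "red": "discard"}

def police(marker, packets):
    """packets: [(time_s, size_bytes), ...] in time order -> list of colors."""
    return [marker.color(size, t) for t, size in packets]

def police_aggregate(marker, flows):
    """flows: {name: [(time_s, size_bytes), ...]}. One shared marker polices
    the flows as a whole (aggregate CAR) and returns per-flow colors."""
    merged = sorted((t, name, size) for name, pkts in flows.items() for t, size in pkts)
    result = {name: [] for name in flows}
    for t, name, size in merged:
        result[name].append(marker.color(size, t))
    return result

# Constructed trace: three 600-byte packets at t=0, three more one second later,
# against CIR 8 kbps (1000 bytes/s), CBS 1000 bytes, EBS 1000 bytes.
BURST = [(0.0, 600), (0.0, 600), (0.0, 600), (1.0, 600), (1.0, 600), (1.0, 600)]

if __name__ == "__main__":
    for color in police(SingleRateMarker(8, 1000, 1000), BURST):
        print(color, "->", ACTIONS[color])
    print(police_aggregate(SingleRateMarker(8, 1000, 0),
                           {"vlan10": [(0.0, 600)], "vlan20": [(0.0, 600)]}))
```

At t=1.0 bucket C has refilled to CBS and 400 surplus bytes have moved to E, so the second burst is colored exactly like the first. With EBS 0 there is no yellow: the aggregate marker passes the first flow's packet and discards the second flow's, which is the "police multiple flows as a whole" behaviour of aggregate CAR.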
• Forwarding the packet with its precedence re-marked if the evaluation result is "conforming." Priorities that can be re-marked include 802.1p priority, DSCP precedence, and local precedence.

GTS
GTS supports shaping the outbound traffic. GTS limits the outbound traffic rate by buffering exceeding traffic. You can use GTS to adapt the traffic output rate on a device to the input traffic rate of its connected device to avoid packet loss.
The rate limit of a physical interface specifies the maximum rate for sending or receiving packets (including critical packets). Rate limit also uses token buckets for traffic control. When rate limit is configured on an interface, a token bucket handles all packets to be sent through the interface for rate limiting. If enough tokens are in the token bucket, packets can be forwarded. Otherwise, packets are put into QoS queues for congestion management.
Step 6. Configure a traffic policing action.
  car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action | red action | yellow action ] *
  By default, no traffic policing action is configured.
Step 7. Return to system view.
  quit
Step 8. Create a QoS policy and enter QoS policy view.
  qos policy policy-name
  By default, no QoS policy is configured.
Step 1. Enter system view.
  system-view
Step 2. Enter interface view.
  interface interface-type interface-number
Step 3. Configure the rate limit for the interface.
  qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]
  By default, rate limit is not configured on an interface. On the Switch Series, the granularity of rate limit is 8 kbps.

Displaying and maintaining traffic policing, GTS, and rate limit
Execute display commands in any view.
Perform traffic control on Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 of Device B to meet the following requirements:
• Limit the total incoming traffic rate of Ten-GigabitEthernet 1/0/1 to 204800 kbps and drop the excess traffic.
• Limit the outgoing HTTP traffic (traffic accessing the Internet) rate of Ten-GigabitEthernet 1/0/2 to 102400 kbps and drop the excess traffic.

Figure 12 Network diagram

Configuration procedures
1.
[DeviceA-behavior-host] quit
# Create a QoS policy named car and associate class server with behavior server and class host with behavior host.
[DeviceA] qos policy car
[DeviceA-qospolicy-car] classifier server behavior server
[DeviceA-qospolicy-car] classifier host behavior host
[DeviceA-qospolicy-car] quit
# Apply QoS policy car to the incoming traffic of port Ten-GigabitEthernet 1/0/1.
[DeviceA] interface Ten-GigabitEthernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] qos apply policy car inbound
2.
[DeviceB-Ten-GigabitEthernet1/0/1] qos apply policy car_inbound inbound
# Apply QoS policy car_outbound to the outgoing traffic of port Ten-GigabitEthernet 1/0/2.
Configuring congestion management Overview Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node. It is typical of a statistical multiplexing network and can be caused by link failures, insufficient resources, and various other causes. Impacts and countermeasures Figure 13 shows two typical congestion scenarios.
Figure 14 SP queuing In Figure 14, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues in the descending order of priority. SP queuing sends packets in the queue with the highest priority first. When the queue with the highest priority is empty, it sends packets in the queue with the second highest priority, and so on.
Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. The switch implements the weight of a queue by scheduling a certain number of bytes (byte-count WRR) or packets (packet-based WRR) for that queue.
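The following Python model is an added example and not part of the HP guide. It schedules constructed backlogs with the two algorithms described above, SP (queues 7 to 0, highest first) and packet-based WRR (each queue may send up to its weight in packets per round), and with the combination the guide configures later through "qos wrr queue-id group sp", where one queue is strict-priority and the rest share the remainder by weight. Queue contents and weights are constructed; byte-count WRR would count bytes instead of packets per round.

```python
from collections import deque

# Added example (not from the HP guide): SP, packet-based WRR, and an SP group
# over a WRR group, simulated slot by slot on constructed backlogs.

def backlog(sizes):
    """{queue: packet count} -> {queue: deque of packet ids} (constructed)."""
    return {q: deque(range(n)) for q, n in sizes.items()}

def sp_schedule(queues, slots):
    """Strict priority: each slot goes to the highest-numbered non-empty queue.
    A continuously busy high queue therefore starves the lower ones."""
    sent = {q: 0 for q in queues}
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                queues[q].popleft()
                sent[q] += 1
                break
        else:
            break                       # every queue is empty
    return sent

def wrr_schedule(queues, weights, slots):
    """Packet-based WRR: per round, queue q may send up to weights[q] packets,
    so throughput follows the weight ratio and no queue is starved."""
    sent = {q: 0 for q in queues}
    remaining = slots
    while remaining and any(queues.values()):
        for q in sorted(queues, reverse=True):
            for _ in range(max(1, weights.get(q, 1))):
                if not queues[q] or not remaining:
                    break
                queues[q].popleft()
                sent[q] += 1
                remaining -= 1
    return sent

def sp_wrr_schedule(queues, sp_group, weights, slots):
    """Queues in sp_group are drained first (strict priority); the remaining
    queues share whatever slots are left by WRR (qos wrr queue-id group sp)."""
    sp_part = {q: dq for q, dq in queues.items() if q in sp_group}
    wrr_part = {q: dq for q, dq in queues.items() if q not in sp_group}
    sent = sp_schedule(sp_part, slots)
    used = sum(sent.values())
    sent.update(wrr_schedule(wrr_part, weights, slots - used))
    return sent

if __name__ == "__main__":
    print("SP  :", sp_schedule(backlog({7: 10, 0: 10}), 10))
    print("WRR :", wrr_schedule(backlog({7: 10, 0: 10}), {7: 3, 0: 1}, 12))
    print("SP+WRR:", sp_wrr_schedule(backlog({7: 5, 6: 10, 5: 10}), {7}, {6: 2, 5: 1}, 11))
```

The SP run sends ten packets from queue 7 and none from queue 0: anything that can inject traffic into the top SP queue (for example, a host whose 802.1p marking is trusted) can starve everything below it. Putting only control or voice traffic in an SP queue and the rest in WRR groups, as the guide's SP-over-WRR procedure does, bounds that damage.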
2. Schedules packets of queues in the WFQ groups based on their minimum guaranteed bandwidth settings when the SP queues are empty.
3. Uses WFQ to schedule the queues in the WFQ groups in a round robin fashion according to their weights.
4. Sends traffic of the two WFQ groups at a 1:1 ratio.

Configuration approaches and task list
To achieve congestion management, perform the following tasks:
Tasks at a glance
(Required.
Step 1. Enter system view.
  system-view
Step 2. Enter interface view.
  interface interface-type interface-number
Step 3. Enable WRR queuing.
  qos wrr { byte-count | weight }
  By default, an interface uses SP queuing.
Step 4. Configure a WRR queue.
  qos wrr queue-id group { 1 | 2 } { byte-count | weight } schedule-value
  Select an approach according to the WRR queuing type.
Step 4. Configure a WFQ queue.
  qos wfq queue-id group { 1 | 2 } { byte-count | weight } schedule-value
  Select weight or byte-count according to the WFQ type (byte-count or packet-based) you have enabled. By default, all queues are in WFQ group 1 and have a weight of 1.
Step 5. (Optional.) Configure the minimum guaranteed bandwidth for a WFQ queue.
  qos bandwidth queue queue-id min bandwidth-value
  The default setting is 64 kbps for each queue.
Step 1. Enter system view.
  system-view
Step 2. Enter interface view.
  interface interface-type interface-number
Step 3. Enable WRR queuing on the port.
  qos wrr { byte-count | weight }
  By default, an interface uses SP queuing.
Step 4. Assign a queue to the SP queue scheduling group.
  qos wrr queue-id group sp
  By default, all the queues of a WRR-enabled port are in WRR group 1.
Step 5. Assign a queue to a WRR group, and configure the scheduling weight for the queue.
Configuration procedure
Step 1. Enter system view.
  system-view
Step 2. Enter interface view.
  interface interface-type interface-number
  Use either command. Settings in interface view take effect on the current interface. Settings in port group view take effect on all ports in the port group.
Step 3. Enable byte-count or packet-based WFQ queuing.
  qos wfq [ byte-count | weight ]
  By default, an interface uses SP queuing.
Step 4. Assign a queue to the SP queue scheduling group.
[Sysname-Ten-GigabitEthernet1/0/1] qos wfq 4 group 1 weight 1
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 4 min 128000
[Sysname-Ten-GigabitEthernet1/0/1] qos wfq 5 group 1 weight 2
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 5 min 128000
[Sysname-Ten-GigabitEthernet1/0/1] qos wfq 6 group 2 weight 1
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 6 min 128000
[Sysname-Ten-GigabitEthernet1/0/1] qos wfq 7 group 2 weight 3
[Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 7 min
Configuring congestion avoidance

Overview
Avoiding congestion before it occurs is a proactive approach to improving network performance. As a flow control mechanism, congestion avoidance actively monitors network resources (such as queues and memory buffers), and drops packets when congestion is expected to occur or deteriorate. Dropping packets from a flow works together with the congestion control mechanism at the source end (for example, TCP congestion control, which backs off when it detects loss) to regulate the amount of traffic the source injects into the network.
sender proactively slow down the packet sending rate or decrease the window size of packets. This better utilizes the network resources. RFC 3168 (which obsoletes the experimental RFC 2481) defines an end-to-end congestion notification mechanism named Explicit Congestion Notification (ECN). ECN uses the two ECN bits that sit next to the 6-bit DS field in the IP header (the last two bits of the former ToS byte) to mark the congestion status along the packet transmission path.
Exponent used for average queue size calculation—The bigger the exponent is, the less sensitive the average queue size is to real-time queue size changes. The average queue size is calculated using the formula:
  average queue size = previous average queue size × (1 − 2^(−n)) + current queue size × 2^(−n)
where n can be configured with the qos wred weighting-constant command.
• Numerator for drop probability calculation in percentage—The larger the value is, the greater the drop probability is.
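The following Python model is an added example and not part of the HP guide. It runs the average-queue-size formula above over a constructed burst with two exponents, to show what "less sensitive" means in numbers: a larger n both flattens the peak and slows the decay after the burst. The drop-probability ramp in drop_probability (zero below the low limit, rising linearly to numerator/100 at the high limit, tail drop above it) is this example's assumption about how the numerator is applied; the page only says that a larger numerator means a greater drop probability.

```python
# Added example (not from the HP guide): WRED average queue size (EWMA) and an
# ASSUMED linear drop-probability ramp scaled by the numerator.

def wred_average(samples, n, start=0.0):
    """Apply avg = avg * (1 - 2^-n) + cur * 2^-n to each queue-size sample
    and return the sequence of averages."""
    weight = 2.0 ** -n
    avg, history = start, []
    for cur in samples:
        avg = avg * (1 - weight) + cur * weight
        history.append(avg)
    return history

def drop_probability(avg, low, high, numerator):
    """ASSUMED ramp: 0 below low-limit, numerator/100 at high-limit, 1 above."""
    if avg < low:
        return 0.0
    if avg >= high:
        return 1.0
    return (avg - low) / (high - low) * numerator / 100

BURST = [0, 100, 100, 0, 0]     # constructed instantaneous queue sizes

if __name__ == "__main__":
    for n in (1, 2, 9):
        print(f"n={n}:", [round(v, 2) for v in wred_average(BURST, n)])
    print("drop probability at avg 150 (low 100, high 200, numerator 10):",
          drop_probability(150, 100, 200, 10))
```

With n=1 the average reaches 75 on a two-sample burst of 100; with n=9 it barely moves, so a short burst never triggers early drops but a sustained overload is reacted to late. Pick n from the burstiness of the traffic the queue actually carries.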
WRED configuration example
Network requirements
Apply a WRED table to interface Ten-GigabitEthernet 1/0/2, so that the packets are dropped as follows when congestion occurs:
• To use better effort to forward higher-priority traffic, configure a lower drop probability for a queue with a greater queue number. Set different drop parameters for queue 0, queue 3, and queue 7.
• Drop packets according to their colors.
Configuring traffic filtering
You can filter in or filter out traffic of a class by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
Configuration procedure
To configure traffic filtering:
Step 1. Enter system view.
  system-view
Step 2. Create a traffic class and enter traffic class view.
Configuration example
Network requirements
As shown in Figure 17, configure traffic filtering to filter the packets with port 21 as the source port and received on Ten-GigabitEthernet 1/0/1.

Figure 17 Network diagram

Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets whose source port number is 21.
Configuring priority marking Overview Priority marking sets the priority fields or flag bits of packets to modify the priority of packets. For example, you can use priority marking to set IP precedence or DSCP for a traffic class of IP packets to control the forwarding of these packets. To configure priority marking, you can associate a traffic class with a traffic behavior configured with the priority marking action to set the priority fields or flag bits of the traffic class of packets.
Configuring priority marking based on colors obtained through traffic policing After traffic policing evaluates and colors packets, the device can mark traffic with various priority values (including DSCP values, 802.1p priority values, and local precedence values) by color.
Step 6. Configure a priority marking action. Use one or more of the commands. By default, no priority marking action is configured.
  • Set the DSCP value for packets: remark [ green | red | yellow ] dscp dscp-value
  • Set the 802.1p priority for packets, or configure the inner-to-outer tag priority copying function: remark [ green | red | yellow ] dot1p dot1p-value, or remark dot1p customer-dot1p-trust
  • Set the drop priority for packets:
Support of SF cards for priority marking
When you apply a QoS policy containing a priority marking action to an interface, port group, VLAN, control plane, or globally, Table 6 shows the support of SF cards for the inbound and outbound keywords. For more information about card types and their description, see the installation guide for the Switch Series.
Table 6 Support of SF cards for priority marking (action, inbound, outbound)
Figure 18 Network diagram (Device with XGE1/0/1 and XGE1/0/2; Host A, Host B, and the Internet; data server 192.168.0.1/24, mail server 192.168.0.2/24, file server 192.168.0.3/24)

Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
system-view
[Device] acl number 3000
[Device-acl-adv-3000] rule permit ip destination 192.168.0.
# Create a traffic behavior named behavior_dbserver, and configure the action of setting the local precedence value to 4.
[Device] traffic behavior behavior_dbserver
[Device-behavior-behavior_dbserver] remark local-precedence 4
[Device-behavior-behavior_dbserver] quit
# Create a traffic behavior named behavior_mserver, and configure the action of setting the local precedence value to 3.
Figure 19 Network diagram (Switch A with XGE1/0/1 towards the IP network; admin dept. 192.168.1.0/24, R&D dept. 192.168.2.0/24, marketing dept. 1 192.168.3.0/24, marketing dept. 2 192.168.4.0/24)

Configuration considerations
• Configure two classes to match the traffic from the administration department and the R&D department, respectively, and then configure traffic policing behaviors for the two classes.
[SwitchA-classifier-rd] if-match acl 2002
[SwitchA-classifier-rd] quit
# Create traffic behavior car_admin_rd, and configure traffic policing to limit the traffic rate to 102400 kbps.
[SwitchA] traffic behavior car_admin_rd
[SwitchA-behavior-car_admin_rd] car cir 102400
[SwitchA-behavior-car_admin_rd] quit
# Create QoS policy car, and associate classes admin and rd with behavior car_admin_rd.
# In QoS policy car, associate class marketing_car with behavior marketing_car to limit the rate of traffic with local QoS ID 100.
[SwitchA-qospolicy-car] classifier marketing_car behavior marketing_car
[SwitchA-qospolicy-car] quit
# Apply QoS policy car to the incoming traffic of Ten-GigabitEthernet 1/0/1.
Configuring nesting
Nesting adds a VLAN tag to the matching packets, to allow the VLAN-tagged packets to pass through the corresponding VLAN. For example, you can add an outer VLAN tag to packets from a customer network to a service provider network. This allows the packets to pass through the service provider network by carrying a VLAN tag assigned by the service provider.
Configuration procedure
To configure nesting:
Step 1. Enter system view.
  system-view
Step 2.
Nesting configuration example Network requirements As shown in Figure 20, Site 1 and Site 2 in VPN A are two branches of a company, and they use VLAN 5 to transmit traffic. Because Site 1 and Site 2 are located in different areas, the two sites use the VPN access service of a service provider. The service provider assigns VLAN 100 to the two sites. Configure nesting, so that the two branches can communicate through the service provider network.
# Apply QoS policy test to the incoming traffic of the downlink port Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] qos apply policy test inbound
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure the uplink port Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLAN 100.
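The following Python model is an added example and not part of the HP guide. It shows what nesting does to a frame on the wire: nest_vlan inserts the service provider's outer 802.1Q tag (VLAN 100) in front of the customer's VLAN 5 tag, and strip_outer_vlan undoes it at the far PE. Copying the inner tag's 802.1p value into the outer tag models the "remark dot1p customer-dot1p-trust" option from the priority marking section. MAC addresses, payload and the TPID values accepted as VLAN tags are constructed choices of this example.

```python
import struct

# Added example (not from the HP guide): building, nesting, parsing and
# un-nesting 802.1Q tags. Frame contents are constructed.

TPID_8021Q = 0x8100
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}   # TPIDs this parser treats as VLAN tags

def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """dst/src (6 bytes each) + 802.1Q tag + EtherType + payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def vlan_tags(frame):
    """Return [(tpid, pcp, vid), ...] outermost first; [] for an untagged frame."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in VLAN_TPIDS:
            break
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags

def nest_vlan(frame, outer_vid, outer_pcp=None, tpid=TPID_8021Q):
    """Insert an outer tag right after the two MAC addresses. With
    outer_pcp=None the inner tag's 802.1p is copied (0 if untagged)."""
    if outer_pcp is None:
        inner = vlan_tags(frame)
        outer_pcp = inner[0][1] if inner else 0
    tci = (outer_pcp << 13) | (outer_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def strip_outer_vlan(frame):
    """Remove the outermost tag (what the far PE does before delivery)."""
    if not vlan_tags(frame):
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

# Constructed customer frame: VLAN 5, 802.1p 3, IPv4 EtherType, dummy payload.
DST = bytes.fromhex("0011223344ff")
SRC = bytes.fromhex("00aabbccddee")
CUSTOMER_FRAME = build_tagged_frame(DST, SRC, 5, 0x0800, bytes(20), pcp=3)

if __name__ == "__main__":
    nested = nest_vlan(CUSTOMER_FRAME, 100)
    print("customer:", vlan_tags(CUSTOMER_FRAME))
    print("nested  :", vlan_tags(nested))
    print("stripped:", vlan_tags(strip_outer_vlan(nested)))
```

Because the switch only ever adds the outer tag, the customer's inner tag is carried untouched, which is the point of nesting; it also means the provider must never let a customer-facing port accept frames that already carry the provider's TPID and VLAN, or the nesting step can be bypassed.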
Configuring traffic redirecting
Traffic redirecting is the action of redirecting the packets matching the specified match criteria to a certain location for processing. The following redirect actions are supported:
• Redirecting traffic to the CPU—Redirects packets that require processing by the CPU to the CPU.
• Redirecting traffic to an interface—Redirects packets that require processing by an interface to the interface.
Configuration procedure
Step 1. Enter system view.
Step 8. Create a QoS policy and enter QoS policy view.
    Command: qos policy policy-name
    Remarks: By default, no QoS policy exists.
Step 9. Associate the traffic class with the traffic behavior in the QoS policy.
    Command: classifier classifier-name behavior behavior-name
    Remarks: By default, no class-behavior association is configured for a QoS policy.
Step 10. Return to system view.
    Command: quit
    Remarks: N/A
Step 11. Apply the QoS policy.
Figure 21 Network diagram
Configuration procedure
# Create basic ACL 2000, and configure a rule to match packets with source IP address 2.1.1.1.
system-view
[DeviceA] acl number 2000
[DeviceA-acl-basic-2000] rule permit source 2.1.1.1 0
[DeviceA-acl-basic-2000] quit
# Create basic ACL 2001, and configure a rule to match packets with source IP address 2.1.1.2.
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 2.1.1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] qos apply policy policy inbound
Configuring aggregate CAR
Aggregate CAR overview
An aggregate CAR action is created globally and can be directly applied to interfaces or referenced in the traffic behaviors associated with different traffic classes to police multiple traffic flows as a whole. The total rate of the traffic flows must conform to the traffic policing specifications set in the aggregate CAR action.
Configuring aggregate CAR
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure an aggregate CAR action.
Figure 22 Network diagram
Configuration procedure
# Configure an aggregate CAR according to the rate limit requirements.
system-view
[Device] qos car aggcar-1 aggregative cir 2560 cbs 20000 red discard
# Create class 1 to match traffic of VLAN 10. Create behavior 1 and reference the aggregate CAR in the behavior.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] qos apply policy car inbound
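The aggregate CAR above is a single-rate, two-colour token bucket shared by every flow that references it. The following model is an added example, not code from the HP guide; it uses the page's parameters (cir 2560 kbps, cbs 20000 bytes, red discard) and a constructed packet trace with made-up flow names.

```python
# Added example, not from the HP guide: a single-rate two-colour token-bucket
# model of the aggregate CAR above (cir 2560 kbps, cbs 20000 bytes, red discard).
# The packet trace and the flow names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class AggregateCar:
    """One shared bucket; every flow that references it is policed as a whole."""
    cir_kbps: int = 2560        # committed information rate, kbps
    cbs_bytes: int = 20000      # committed burst size, bytes
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = float(self.cbs_bytes)          # bucket starts full
        self.bytes_per_ms = self.cir_kbps / 8        # 2560 kbps -> 320 bytes/ms

    def police(self, t_ms: int, size: int) -> str:
        """Colour one packet of `size` bytes arriving at t_ms milliseconds."""
        elapsed = t_ms - self.last_ms
        # Refill for the elapsed interval, never above CBS (the burst is capped).
        self.tokens = min(self.cbs_bytes, self.tokens + elapsed * self.bytes_per_ms)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            return "green"      # conforming: forwarded
        return "red"            # non-conforming: 'red discard' drops it


def police_trace(trace, car=None):
    """Run (t_ms, flow, size) tuples through one aggregate CAR.
    Returns {flow: (forwarded, discarded)}; all flows drain the same bucket."""
    car = car or AggregateCar()
    stats = {}
    for t_ms, flow, size in trace:
        fwd, drop = stats.get(flow, (0, 0))
        if car.police(t_ms, size) == "green":
            stats[flow] = (fwd + 1, drop)
        else:
            stats[flow] = (fwd, drop + 1)
    return stats


# Constructed trace: two flows (e.g. two VLANs whose behaviors reference the
# same CAR) burst 14 x 1500-byte packets at t=0 and 12 more 50 ms later.
TRACE = [(0, "flowA" if i % 2 == 0 else "flowB", 1500) for i in range(14)] + \
        [(50, "flowA" if i % 2 == 0 else "flowB", 1500) for i in range(12)]

if __name__ == "__main__":
    print(police_trace(TRACE))      # {'flowA': (13, 0), 'flowB': (11, 2)}
```

Note that the second flow absorbs both drops only because of arrival order: the bucket does not reserve a share per flow, which is exactly the "as a whole" semantics the overview describes.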
Configuring class-based accounting
Class-based accounting collects statistics (in packets or bytes) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you can determine whether anomalies have occurred and what action to take.
Configuration procedure
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Create a traffic class and enter traffic class view.
Step 12. Display traffic accounting configuration.
    Command, in standalone mode:
        display qos policy control-plane slot slot-number [ inbound | outbound ]
        display qos policy global [ slot slot-number ] [ inbound | outbound ]
        display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]
        display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ slot slot-number ] [ inbound | outbound ]
    Command, in IRF mode:
    Remarks: Available in any view.
Configuration procedure
# Create basic ACL 2000, and configure a rule to match packets with source IP address 1.1.1.1.
system-view
[DeviceA] acl number 2000
[DeviceA-acl-basic-2000] rule permit source 1.1.1.1 0
[DeviceA-acl-basic-2000] quit
# Create a traffic class named classifier_1, and use ACL 2000 as the match criterion in the traffic class.
Configuring time ranges
You can implement a service based on the time of day by applying a time range to it. A time-based service takes effect only in the time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them. If a time range does not exist, the service based on the time range does not take effect.
The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
Time range configuration example
Network requirements
As shown in Figure 24, configure an ACL on Device A to allow Host A to access the server only between 8:00 and 18:00 on working days, from June 2011 to the end of the year.
Figure 24 Network diagram
Configuration procedure
# Create a periodic time range covering 8:00 to 18:00 on working days, from June 2011 to the end of the year.
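The following is an added example, not code from the HP guide: it evaluates the time range of this example (8:00 to 18:00 on working days, June 2011 to the end of 2011) against arrival times, and applies the rule that an ACL entry bound to a time range that does not exist never takes effect. The inclusive-start, exclusive-end boundary handling and the range name "work" are assumptions.

```python
# Added example, not from the HP guide: evaluates whether an arrival time falls
# inside the time range described above (8:00 to 18:00 on working days, June 2011
# to the end of 2011) and applies the rule that an ACL entry bound to an
# undefined time range never takes effect. Boundary handling (inclusive start,
# exclusive end) and the range name "work" are assumptions of this example.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional

WORKING_DAYS = frozenset({0, 1, 2, 3, 4})   # Monday .. Friday


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time                          # periodic part: daily start
    end: time                            # periodic part: daily end (exclusive)
    days: FrozenSet[int]                 # weekdays the periodic part recurs on
    abs_from: Optional[datetime] = None  # absolute part: earliest instant
    abs_to: Optional[datetime] = None    # absolute part: end (exclusive)

    def active(self, at: datetime) -> bool:
        """True if `at` lies in both the absolute window and the periodic window."""
        if self.abs_from is not None and at < self.abs_from:
            return False
        if self.abs_to is not None and at >= self.abs_to:
            return False
        return at.weekday() in self.days and self.start <= at.time() < self.end


def rule_in_effect(range_name: str, ranges: Dict[str, TimeRange], at: datetime) -> bool:
    """A rule bound to a time range that does not exist does not take effect."""
    tr = ranges.get(range_name)
    return tr is not None and tr.active(at)


# Constructed table of defined time ranges; 'work' mirrors the example above.
RANGES = {
    "work": TimeRange("work", time(8, 0), time(18, 0), WORKING_DAYS,
                      datetime(2011, 6, 1), datetime(2012, 1, 1)),
}


def when(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm)


def host_a_permitted(at: datetime) -> bool:
    """Host A reaches the server only while the 'work' range is active;
    the implicit deny at the end of the ACL matches at every other time."""
    return rule_in_effect("work", RANGES, at)
```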
Appendix
Appendix A Default priority maps
For the default dot1p-exp, dscp-dscp, and exp-dot1p priority maps, an input value yields a target value equal to it.
Appendix B Introduction to packet precedences
IP precedence and DSCP values
Figure 25 ToS and DS fields
[Figure 25 shows the 8-bit IPv4 ToS byte (IP Type of Service, RFC 791): bits 0 to 2 Precedence (RFC 1122), bits 3 to 6 Type of Service (RFC 1349), bit 7 MBZ (Must Be Zero); and the DS field (the ToS octet for IPv4, the Traffic Class octet for IPv6): bits 0 to 5 Differentiated Services Codepoint (DSCP, RFC 2474, including the Class Selector codepoints), bits 6 to 7 CU (Currently Unused).]
As shown in Figure 25, the ToS field in the IP header contains 8 bits.
DSCP value (decimal)   DSCP value (binary)   Description
22                     010110                af23
26                     011010                af31
28                     011100                af32
30                     011110                af33
34                     100010                af41
36                     100100                af42
38                     100110                af43
8                      001000                cs1
16                     010000                cs2
24                     011000                cs3
32                     100000                cs4
40                     101000                cs5
48                     110000                cs6
56                     111000                cs7
0                      000000                be (default)
802.1p priority
802.1p priority lies in the Layer 2 header and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 27 802.1Q tag header
Table 11 Description on 802.1p priority
802.1p priority (decimal)   802.1p priority (binary)   Description
0                           000                        best-effort
1                           001                        background
2                           010                        spare
3                           011                        excellent-effort
4                           100                        controlled-load
5                           101                        video
6                           110                        voice
7                           111                        network-management
EXP values
The EXP field is in MPLS labels for MPLS QoS purposes.
Figure 28 MPLS label structure
As shown in Figure 28, the EXP field is 3 bits long and ranges from 0 to 7.
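As an added example (not from the HP guide), the decoder below splits the fields of Appendix B out of raw header values: the IPv4 ToS octet into IP precedence and DSCP with its codepoint name derived from the bit layout, and the 802.1Q tag into 802.1p priority and VLAN ID. It also walks a stack of 802.1Q tags, which is what the nesting configuration earlier in this chapter produces (outer service-provider tag, inner customer tag). The frame bytes are constructed; the `ef` codepoint (46) is standard but not in the table fragment above.

```python
# Added example, not from the HP guide: decodes the precedence fields described
# in Appendix B from raw header values, and walks stacked 802.1Q tags as produced
# by nesting (outer service-provider tag, inner customer tag). Codepoint names
# follow the DSCP bit layout (class selector, assured forwarding, 46 = ef).
PRIO_802_1P = ["best-effort", "background", "spare", "excellent-effort",
               "controlled-load", "video", "voice", "network-management"]  # Table 11


def phb_name(dscp: int) -> str:
    """Derive the codepoint name from its bits: cs<class> when the low three bits
    are 000, af<class><drop> for classes 1-4 with drop bits 01/10/11, 46 = ef."""
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"cs{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low >> 1}"
    return "unassigned"


def decode_tos(tos: int) -> dict:
    """Split the IPv4 ToS octet (Figure 25): 3-bit IP precedence, 6-bit DSCP, 2-bit CU."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one octet")
    dscp = tos >> 2
    return {"precedence": tos >> 5, "dscp": dscp, "dscp_bin": f"{dscp:06b}",
            "phb": phb_name(dscp), "cu": tos & 0x3}


def decode_tci(tci: int) -> dict:
    """Split the 802.1Q TCI (Figure 27): 3-bit PCP (802.1p priority), DEI, 12-bit VID."""
    pcp = tci >> 13
    return {"pcp": pcp, "name": PRIO_802_1P[pcp], "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def vlan_tags(frame: bytes):
    """Walk every 0x8100 tag after the MAC addresses; return (tags, next EtherType)."""
    tags, off = [], 12
    while frame[off:off + 2] == b"\x81\x00":
        tags.append(decode_tci(int.from_bytes(frame[off + 2:off + 4], "big")))
        off += 4
    return tags, frame[off:off + 2]


# Constructed frame: outer tag VLAN 100 / priority 5, inner tag VLAN 5 / priority 0,
# then an IPv4 EtherType (no IP payload is needed for the tag walk).
FRAME = bytes.fromhex("ffffffffffff" "0000aa000001" "8100" "a064" "8100" "0005" "0800")
```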
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
TIP: An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.