HP FlexFabric 5930 Switch Series ACL and QoS Configuration Guide
Part number: 5998-4563
Software version: Release 2406 & Release 2407P01
Document version: 6W101-20140404
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Configuring ACLs ··· 1
  Overview ··· 1
    Applications on the switch ···
Configuring priority mapping ··· 22
  Overview ··· 22
    Introduction to priorities ··· 22
Configuring traffic filtering ··· 54
  Configuration procedure ··· 54
  Configuration example ··· 55
Conventions ··· 84
Index ··· 86
Configuring ACLs

Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic. The packet drop or forwarding decision varies with the module that uses the ACL.
For an IPv4 basic or advanced ACL, its ACL number and name must be unique among IPv4 ACLs. For an IPv6 basic or advanced ACL, its ACL number and name must be unique among IPv6 ACLs.

Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.

Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. The default ACL rule numbering step is 5.
Tasks at a glance
(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IPv4 basic ACL and enter its view.
   Remarks: By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IPv6 basic ACL and enter its view.
   Command: acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. IPv6 basic ACLs are numbered in the range of 2000 to 2999.
3. (Optional.) Configure a description for the IPv6 basic ACL.
   Command: description text
   Remarks: By default, an IPv6 basic ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
2. Create an IPv4 advanced ACL and enter its view.
   Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists. IPv4 advanced ACLs are numbered in the range of 3000 to 3999.
3. (Optional.) Configure a description for the IPv4 advanced ACL.
   Command: description text
   Remarks: By default, an IPv4 advanced ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
2. Create an IPv6 advanced ACL and enter its view.
   Command: acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
   Remarks: By default, no ACL exists.
3. (Optional.) Configure a description for the IPv6 advanced ACL.
   Command: description text
   Remarks: By default, an IPv6 advanced ACL has no ACL description.
4. (Optional.) Set the rule numbering step.
   Command: step step-value
   Remarks: The default setting is 5.
5. Create or edit a rule.
Configuring an Ethernet frame header ACL
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
To configure an Ethernet frame header ACL:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Remarks: By default, no ACL exists. Ethernet frame header ACLs are numbered in the range of 4000 to 4999.
1. Enter system view.
   Command: system-view
2. Copy an existing ACL to create a new ACL.
   Command: acl [ ipv6 ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Configuring packet filtering with ACLs
This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6 packets on the specified interface.

Applying an ACL to an interface for packet filtering
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the packet filtering default action to deny.
   Command: packet-filter default deny
   Remarks: By default, the packet filter permits packets that do not match any ACL rule to pass.

Displaying and maintaining ACLs
Execute display commands in any view and reset commands in user view.
Task: Display ACL configuration and match statistics.
   Command: display acl [ ipv6 ] { acl-number | all | name acl-name }
Task: Display whether an ACL has been successfully applied to an interface for packet filtering.
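The ACL semantics described in this chapter (wildcard-mask source matching, automatic rule numbering by the configured step, first-match evaluation, periodic time ranges, and the packet-filter default action), modelled in Python as an added example that is not HP's code. The numbering start at 0 and the ascending rule-ID match order for auto-numbered rules are assumptions; the ACL contents are constructed.

```python
"""Model of the IPv4 basic ACL behaviour described in this chapter (added
example, not HP's code): wildcard-mask source matching, automatic rule
numbering by the configured step, first-match evaluation, periodic time
ranges, and the packet-filter default action."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional


def _ip(s: str) -> int:
    # The CLI accepts a bare "0" wildcard for a single host; normalise it.
    return int(IPv4Address("0.0.0.0" if s == "0" else s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard mask: a 0 bit must match, a 1 bit is don't-care, so
    'source 192.168.2.0 0.0.0.255' covers the /24 and 'source 1.1.1.1 0' one host."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class TimeRange:
    """Periodic time range, e.g. 'time-range work 08:00 to 18:00 working-day'."""
    start: time
    end: time
    weekdays: frozenset = frozenset(range(5))   # Monday..Friday = working-day

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() <= self.end


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: str
    wildcard: str
    time_range: Optional[str] = None


@dataclass
class BasicAcl:
    number: int                      # IPv4 basic ACLs are numbered 2000 to 2999
    step: int = 5                    # default rule numbering step
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        if not 2000 <= self.number <= 2999:
            raise ValueError("IPv4 basic ACL number must be in 2000-2999")

    def add_rule(self, action, source, wildcard="0", rule_id=None, time_range=None):
        if rule_id is None:
            # Assumption beyond the page: numbering starts at 0 and each new rule
            # takes the smallest multiple of the step above the current highest ID.
            top = max((r.rule_id for r in self.rules), default=None)
            rule_id = 0 if top is None else (top // self.step + 1) * self.step
        self.rules.append(Rule(rule_id, action, source, wildcard, time_range))
        return rule_id

    def lookup(self, src, now, ranges):
        """First match wins. Rules are tried in ascending rule-ID order, which is
        the configuration order for auto-numbered rules. A rule whose time range
        is inactive, or does not exist, does not take effect and is skipped."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.time_range is not None:
                tr = ranges.get(rule.time_range)
                if tr is None or not tr.active(now):
                    continue
            if wildcard_match(src, rule.source, rule.wildcard):
                return rule
        return None


def packet_filter(acl, src, when, ranges, default_deny=False):
    """Interface packet filter decision ('permit' or 'deny') for a packet from
    src at ISO time 'when'. Packets matching no rule pass unless
    'packet-filter default deny' is configured."""
    rule = acl.lookup(src, datetime.fromisoformat(when), ranges)
    if rule is None:
        return "deny" if default_deny else "permit"
    return rule.action


def build_sample():
    """Constructed sample: ACL 2001 always denies one host and permits the rest
    of its subnet only during the 'work' time range."""
    ranges = {"work": TimeRange(time(8, 0), time(18, 0))}
    acl = BasicAcl(2001)
    acl.add_rule("deny", "192.168.2.7")                                    # rule 0
    acl.add_rule("permit", "192.168.2.0", "0.0.0.255", time_range="work")  # rule 5
    return acl, ranges
```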
Figure 1 Network diagram

Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
system-view
[DeviceA] time-range work 08:0 to 18:00 working-day
# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL.
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that the database server can be pinged.
# Ping the database server from a PC in the Marketing department during the working hours.
C:\> ping 192.168.0.
QoS overview
In data communications, Quality of Service (QoS) provides differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS.
Network resources are limited. When configuring a QoS scheme, you must consider the characteristics of different applications. For example, when bandwidth is fixed, more bandwidth used by one user leaves less bandwidth for others.
QoS techniques overview
The QoS techniques include traffic classification, traffic policing, traffic shaping, rate limit, congestion management, and congestion avoidance. The following section briefly introduces these QoS techniques.
All QoS techniques in this document are based on the DiffServ model.
Configuring a QoS policy
You can configure QoS by using the MQC approach or non-MQC approach. Some features support both approaches, but some support only one.

Non-MQC approach
In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the rate limit feature to set a rate limit on an interface without using a QoS policy.

MQC approach
In the modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies.
Defining a traffic class

Configuration guidelines
If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id, or if-match service-vlan-id clauses, a packet that matches any of the clauses matches the class.
Table 2 Available match criteria
Option: acl [ ipv6 ] { acl-number | name acl-name }
Description: Matches an ACL. The acl-number argument is in the range of 2000 to 3999 for an IPv4 ACL, 2000 to 3999 for an IPv6 ACL, and 4000 to 4999 for an Ethernet frame header ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an English letter, and to avoid confusion, it cannot be all.
Option: any
Description: Matches all packets.
Description: Matches the control plane protocols.
Option: service-vlan-id vlan-id-list
Description: Matches the service provider VLAN IDs (SVLANs). The vlan-id-list argument is in the format of vlan-id-list = { vlan-id | vlan-id1 to vlan-id2 }&<1-10>, where the vlan-id, vlan-id1, and vlan-id2 arguments represent the VLAN IDs and each range from 1 to 4094, vlan-id1 must be no greater than vlan-id2, and &<1-10> indicates that you can specify up to 10 VLAN IDs or VLAN ID ranges.
Option: source-mac mac-address
Description: Matches a source MAC address.
Applying the QoS policy
You can apply a QoS policy to the following destinations:
• An interface—The QoS policy takes effect on the traffic sent or received on the interface.
• A VLAN—The QoS policy takes effect on the traffic sent or received on all ports in the VLAN.
• Globally—The QoS policy takes effect on the traffic sent or received on all ports.
• Control plane—The QoS policy takes effect on the traffic received on the control plane.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Apply the QoS policy to VLANs.
   Command: qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
   Remarks: By default, no QoS policy is applied to a VLAN.

Applying the QoS policy globally
You can apply a QoS policy globally to the inbound or outbound direction of all ports.
To apply the QoS policy globally:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Apply the QoS policy globally.
Configuration procedure
To apply the QoS policy to the control plane:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter control plane view.
   Command: control-plane slot slot-number
   Remarks: N/A
3. Apply the QoS policy to the control plane.
   Command: qos apply policy policy-name inbound
   Remarks: By default, no QoS policy is applied to a control plane.

Displaying and maintaining QoS policies
Execute display commands in any view and reset commands in user view.
Task: Display traffic class configuration.
Configuring priority mapping

Overview
When a packet arrives, depending on your configuration, a device assigns a set of QoS priority parameters to the packet based on either a certain priority field carried in the packet or the port priority of the incoming port. This process is called "priority mapping." During this process, the device can modify the priority of the packet according to the priority mapping rules.
Priority trust mode on a port
The priority trust mode on a port determines which priority is used for priority mapping table lookup. Port priority was introduced for use in priority mapping in addition to the priority fields carried in packets. The Switch Series provides the following priority trust modes:
• Using the 802.1p priority carried in packets for priority mapping.
Table 3 Priority mapping results of trusting the 802.1p priority (when the default dot1p-lp priority mapping table is used)
802.
Table 5 Priority mapping results of not trusting packet priority (when the default dot1p-lp priority mapping table is used)
Port priority   Local precedence   Queue ID
0 (default)     2                  2
1               0                  0
2               1                  1
3               3                  3
4               4                  4
5               5                  5
6               6                  6
7               7                  7
The priority mapping procedure varies with the priority trust modes. For more information, see the subsequent section.
Figure 4 Priority mapping procedure for an Ethernet packet (flowchart: a packet received on a port is first checked against the conditions for local precedence or drop precedence marking and, if it matches, marked with local precedence or drop precedence; otherwise the priority trusted on the port decides whether the 802.1p priority of an 802.1q-tagged packet, the DSCP value in the packet, or the port priority used as the 802.1p priority is looked up for priority mapping)
Tasks at a glance
(Required.) Perform one of the following tasks:
• Configuring a port to trust packet priority for priority mapping
• Changing the port priority of an interface

Configuring a priority map
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter priority map view.
   Command: qos map-table { dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp }
   Remarks: N/A
3. Configure mappings for the priority map.
3. Configure the trusted packet priority type. Use one of these commands:
   • Configure the interface to trust the 802.1p priority of received packets.
     Command: qos trust dot1p
   • Configure the interface to trust the DSCP precedence.
     Command: qos trust dscp
   • Configure the interface not to trust any packet priority.
   Remarks: By default, an interface does not trust any packet priority.
Configure Device C to preferentially process packets from Device A to Server when FortyGigE 1/0/3 of Device C is congested.
Figure 5 Network diagram (labels: Device A, Device B, Device C, Server, Internet, FGE1/0/1, FGE1/0/2, FGE1/0/3)

Configuration procedure
# Assign port priority to FortyGigE 1/0/1 and FortyGigE 1/0/2. Make sure that the priority of FortyGigE 1/0/1 is higher than that of FortyGigE 1/0/2, and that no trusted packet priority type is configured on FortyGigE 1/0/1 or FortyGigE 1/0/2.
Table 6 Configuration plan
Traffic destination   Traffic priority order
Public servers        R&D department > management department > marketing department
Internet              Management department > marketing department > R&D department

Queuing plan
Traffic source          Output queue   Queue priority
R&D department          6              High
Management department   4              Medium
Marketing department    2              Low

R&D department          2              Low
Management department   6              High
Marketing department    4              Medium

Figure 6 Network diagram

Configuration procedure
1.
[Device] interface FortyGigE 1/0/2
[Device-FortyGigE1/0/2] qos priority 4
[Device-FortyGigE1/0/2] quit
# Set the port priority of FortyGigE 1/0/3 to 5.
[Device] interface FortyGigE 1/0/3
[Device-FortyGigE1/0/3] qos priority 5
[Device-FortyGigE1/0/3] quit
2. Configure the 802.1p-to-local mapping table to map 802.1p priority values 3, 4, and 5 to local precedence values 2, 6, and 4.
[Device-FortyGigE1/0/1] qos apply policy market inbound
# Configure a priority marking policy for the R&D department, and apply the policy to the incoming traffic of FortyGigE 1/0/2.
Configuring traffic policing, GTS, and rate limit

Overview
Traffic policing helps assign network resources (including bandwidth) and increase network performance. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic.
Traffic policing, Generic Traffic Shaping (GTS), and rate limit control the traffic rate and resource usage according to traffic specifications.
CBS is implemented with bucket C, and EBS with bucket E. When only the CIR is used for traffic evaluation, packets are measured against the following bucket scenarios:
• If bucket C has enough tokens, packets are colored green.
• If bucket C does not have enough tokens but bucket E has enough tokens, packets are colored yellow.
• If neither bucket C nor bucket E has sufficient tokens, packets are colored red.
• Forwarding the packet with its precedence re-marked if the evaluation result is "conforming." Priorities that can be re-marked include 802.1p priority, DSCP precedence, and local precedence.

GTS
GTS supports shaping the outbound traffic. GTS limits the outbound traffic rate by buffering exceeding traffic. You can use GTS to adapt the traffic output rate on a device to the input traffic rate of its connected device to avoid packet loss.
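The bucket C / bucket E colouring described above, followed by per-colour CAR actions (pass, re-mark, discard), as an added Python model that is not HP's code. Units follow the car command (CIR in kbps, CBS and EBS in bytes); the RFC 2697 refill behaviour (bucket C fills at the CIR and its overflow spills into bucket E) and the sample rates and packet sizes are assumptions, since the page only gives the colouring decision.

```python
"""Single-rate, two-bucket meter for the colouring rules above (added example,
not HP's code). Bucket C holds CBS tokens and bucket E holds EBS tokens; CIR is
in kbps and CBS/EBS in bytes, as in the car command. Assumption beyond the page:
replenishment follows RFC 2697 (C fills at the CIR, overflow spills into E)."""


class SingleRateMeter:
    def __init__(self, cir_kbps: float, cbs: int, ebs: int, now: float = 0.0):
        self.rate = cir_kbps * 1000 / 8            # token rate in bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)  # both buckets start full
        self.last = now

    def _refill(self, now: float) -> None:
        self.tc += (now - self.last) * self.rate
        self.last = now
        if self.tc > self.cbs:                     # overflow from C spills into E
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def color(self, size: int, now: float) -> str:
        """Green if bucket C has enough tokens, yellow if only bucket E has enough,
        red if neither does. Tokens are consumed only for green and yellow packets."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"


def police(meter, packets, actions):
    """Apply per-colour CAR actions. packets: (arrival_time, size, dscp) tuples;
    actions: colour -> "pass", "discard" or ("remark-dscp", value), mirroring
    the green/yellow/red action options of the car command.
    Returns (colour, dscp-or-None) per packet; None means the packet was dropped."""
    out = []
    for t, size, dscp in packets:
        colour = meter.color(size, t)
        action = actions.get(colour, "pass")
        if action == "discard":
            out.append((colour, None))
        elif action == "pass":
            out.append((colour, dscp))
        else:
            out.append((colour, action[1]))        # re-mark DSCP, then forward
    return out


def burst_summary():
    """Constructed scenario: 25 packets of 1500 bytes arrive at t=0 against
    cir 2560 kbps, cbs 20480 bytes, ebs 10240 bytes, then one more at t=1 s."""
    meter = SingleRateMeter(2560, 20480, 10240)
    pkts = [(0.0, 1500, 0)] * 25 + [(1.0, 1500, 0)]
    results = police(meter, pkts, {"red": "discard", "yellow": ("remark-dscp", 10)})
    counts = {c: sum(1 for col, _ in results if col == c) for c in ("green", "yellow", "red")}
    return counts, results
```

With these values 13 packets fit in bucket C, the next 6 in bucket E, the rest are red and discarded, and after one second bucket C is full again.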
The rate limit of a physical interface specifies the maximum rate for sending or receiving packets (including critical packets). Rate limit also uses token buckets for traffic control. When rate limit is configured on an interface, a token bucket handles all packets to be sent through the interface for rate limiting. If enough tokens are in the token bucket, packets can be forwarded. Otherwise, packets are put into QoS queues for congestion management.
6. Configure a traffic policing action.
   Command: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action | red action | yellow action ] *
   Remarks: By default, no traffic policing action is configured.
7. Return to system view.
   Command: quit
   Remarks: N/A
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: By default, no QoS policy is configured.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the rate limit for the interface.
   Command: qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]
   Remarks: By default, rate limit is not configured on an interface.

Displaying and maintaining traffic policing, GTS, and rate limit
Execute display commands in any view.
Task: Display QoS and ACL resource usage.
Figure 11 Network diagram

Configuration procedures
1. Configure Device A:
# Configure ACL 2001 and ACL 2002 to match traffic from Server and Host A, respectively.
system-view
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 1.1.1.1 0
[DeviceA-acl-basic-2001] quit
[DeviceA] acl number 2002
[DeviceA-acl-basic-2002] rule permit source 1.1.1.2 0
[DeviceA-acl-basic-2002] quit
# Create a class named server and use ACL 2001 as the match criterion.
[DeviceA-qospolicy-car] quit
# Apply QoS policy car to the incoming traffic of port FortyGigE 1/0/1.
[DeviceA] interface FortyGigE 1/0/1
[DeviceA-FortyGigE1/0/1] qos apply policy car inbound
2. Configure Device B:
# Configure advanced ACL 3001 to match HTTP traffic.
system-view
[DeviceB] acl number 3001
[DeviceB-acl-adv-3001] rule permit tcp destination-port eq 80
[DeviceB-acl-adv-3001] quit
# Create a class named http and use ACL 3001 as the match criterion.
Configuring congestion management

Overview
Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node. It is typical of a statistical multiplexing network and can be caused by link failures, insufficient resources, and various other causes.

Impacts and countermeasures
Figure 12 shows two typical congestion scenarios.
Figure 13 SP queuing In Figure 13, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues in the descending order of priority. SP queuing sends packets in the queue with the highest priority first. When the queue with the highest priority is empty, it sends packets in the queue with the second highest priority, and so on.
Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. The switch implements the weight of a queue by scheduling a certain number of bytes (byte-count WRR) or packets (packet-based WRR) for that queue.
3. If there is remaining bandwidth, the system schedules the traffic of queues in each WFQ group based on their weights and schedules the traffic of the two WFQ groups in a 1:1 ratio in a round robin manner.

Configuration approaches and task list
To achieve congestion management, perform the following tasks:
Tasks at a glance (Required.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WRR queuing.
   Command: qos wrr { byte-count | weight }
   Remarks: By default, byte-count WRR queuing is used.
4. Assign a queue to a WRR group, and configure scheduling parameters for the queue.
4. Assign a queue to a WFQ group, and configure scheduling parameters for the queue.
   Command: qos wfq queue-id group { 1 | 2 } { byte-count | weight } schedule-value
   Remarks: Select weight or byte-count according to the WFQ type (byte-count or packet-based) you have enabled. By default, all queues are in WFQ group 1 and have a weight of 1.
5. (Optional.) Configure the minimum guaranteed bandwidth for a WFQ queue.
   Command: qos bandwidth queue queue-id min bandwidth-value
   Remarks: The default setting is 64 kbps for each queue.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WRR queuing.
   Command: qos wrr { byte-count | weight }
   Remarks: By default, all ports use WRR queuing.
4. Assign a queue to the SP queue scheduling group.
   Command: qos wrr queue-id group sp
   Remarks: By default, all the queues of a WRR-enabled port are in WRR group 1.
5. Assign a queue to a WRR group, and configure the scheduling weight for the queue.
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable byte-count or packet-based WFQ queuing.
   Command: qos wfq [ byte-count | weight ]
   Remarks: The default queuing algorithm on an interface is WRR.
4. Assign a queue to the SP queue scheduling group.
   Command: qos wfq queue-id group sp
   Remarks: By default, all the queues of a WFQ-enabled port are in WFQ group 1.
5. Assign a queue to the WFQ queue scheduling group, and configure a scheduling weight for the queue.
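An added Python model (not HP's code) of the SP plus packet-based WRR scheduling configured above: an SP queue always pre-empts the WRR group, and WRR queues send a number of packets per round proportional to their weights. Serving WRR queues in descending queue-ID order within a round, and the queue contents, are assumptions; byte-count WRR is not modelled.

```python
"""Eight output queues per port scheduled as an SP group plus a packet-based
WRR group, as configured with 'qos wrr queue-id group sp' and
'qos wrr queue-id group 1 weight ...' (added example, not HP's code)."""
from collections import deque


class PortScheduler:
    def __init__(self):
        self.queues = {q: deque() for q in range(8)}   # 8 output queues per port
        self.group = {q: 1 for q in range(8)}          # default: all queues in WRR group 1
        self.weight = {q: 1 for q in range(8)}         # default weight 1

    def set_sp(self, qid):
        self.group[qid] = "sp"

    def set_wrr(self, qid, weight):
        self.group[qid], self.weight[qid] = 1, weight

    def enqueue(self, qid, pkt):
        self.queues[qid].append(pkt)

    def _sp_pick(self):
        # SP: the highest-numbered non-empty SP queue is always served first.
        for q in range(7, -1, -1):
            if self.group[q] == "sp" and self.queues[q]:
                return q
        return None

    def drain(self):
        """Return the packets in transmission order. In packet-based WRR a queue's
        weight is the number of packets it may send per round; an SP queue
        pre-empts the WRR round whenever it holds traffic. Serving WRR queues in
        descending ID order within a round is an assumption."""
        order = []
        wrr = [q for q in range(7, -1, -1) if self.group[q] == 1]
        credit = {q: 0 for q in wrr}
        while any(self.queues.values()):
            q = self._sp_pick()
            if q is not None:
                order.append(self.queues[q].popleft())
                continue
            if all(credit[q] == 0 or not self.queues[q] for q in wrr):
                for q in wrr:                          # start a new WRR round
                    credit[q] = self.weight[q]
            for q in wrr:
                if credit[q] and self.queues[q]:
                    order.append(self.queues[q].popleft())
                    credit[q] -= 1
                    break
        return order


def sample_order():
    """Constructed scenario: queue 7 in the SP group, queues 1 and 0 in WRR
    group 1 with weights 2 and 1, each holding a few labelled packets."""
    s = PortScheduler()
    s.set_sp(7)
    s.set_wrr(1, 2)
    s.set_wrr(0, 1)
    for p in ("q7-a", "q7-b"):
        s.enqueue(7, p)
    for i in range(4):
        s.enqueue(1, f"q1-{i}")
        s.enqueue(0, f"q0-{i}")
    return s.drain()
```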
Displaying and maintaining congestion management
Execute display commands in any view.
Task: Display SP queuing configuration.
   Command: display qos queue sp interface [ interface-type interface-number ]
Task: Display WRR queuing configuration.
   Command: display qos queue wrr interface [ interface-type interface-number ]
Task: Display WFQ queuing configuration.
Configuring congestion avoidance

Overview
Avoiding congestion before it occurs is a proactive approach to improving network performance. As a flow control mechanism, congestion avoidance actively monitors network resources (such as queues and memory buffers), and drops packets when congestion is expected to occur or deteriorate.
When dropping packets from a source end, it cooperates with the flow control mechanism (such as TCP flow control) at the source end to regulate the network traffic size.
ECN
By dropping packets, WRED alleviates the influence of congestion on the network. However, the network resources for transmitting packets from the sender to the device which drops the packets are wasted. When congestion occurs, it is a better idea to inform the sender of the congestion status and have the sender proactively slow down the packet sending rate or decrease the window size of packets. This better utilizes the network resources.
• Upper threshold and lower threshold—When the average queue size is smaller than the lower threshold, packets are not dropped. When the average queue size is between the lower threshold and the upper threshold, the packets are dropped based on the user-configured drop probability. When the average queue size exceeds the upper threshold, subsequent packets are dropped.
• Drop precedence—A parameter used for packet drop.
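The WRED decision described above, with ECN marking in place of dropping on an ECN-enabled queue, as an added Python model that is not HP's code. The average queue size is an exponentially weighted moving average, and between the thresholds the drop probability rises linearly to the configured value (the standard RED profile, assumed here); the thresholds, the weighting constant and the random draws are constructed.

```python
"""WRED with per-colour (drop precedence) thresholds and ECN marking
(added example, not HP's code). Probabilities are fractions, so the
page's 25% is 0.25."""
from dataclasses import dataclass


@dataclass
class WredProfile:
    lower: int         # packets: below this threshold nothing is dropped
    upper: int         # packets: at or above this threshold every packet is dropped
    drop_prob: float   # drop probability reached at the upper threshold


class WredQueue:
    def __init__(self, profiles, weight=0.002, ecn=False):
        self.profiles = profiles   # colour -> WredProfile
        self.weight = weight       # EWMA weighting constant for the average queue size
        self.ecn = ecn             # ECN enabled for this queue
        self.avg = 0.0
        self.length = 0

    def _update_avg(self):
        # Exponentially weighted moving average of the instantaneous queue length.
        self.avg = (1 - self.weight) * self.avg + self.weight * self.length

    def drop_probability(self, colour):
        """Assumed RED profile: 0 below lower, linear ramp to drop_prob at upper,
        1.0 at or above upper."""
        p = self.profiles[colour]
        if self.avg < p.lower:
            return 0.0
        if self.avg >= p.upper:
            return 1.0
        return p.drop_prob * (self.avg - p.lower) / (p.upper - p.lower)

    def arrive(self, colour, rand, ect=False):
        """Decide for one arriving packet. 'rand' is the uniform draw in [0, 1),
        passed in so runs are reproducible; 'ect' says the sender is ECN-capable.
        Returns 'enqueue', 'mark' (CE set instead of dropping) or 'drop'. Above the
        upper threshold the packet is dropped even with ECN (an assumption)."""
        self._update_avg()
        prob = self.drop_probability(colour)
        if rand < prob:
            if self.ecn and ect and prob < 1.0:
                self.length += 1
                return "mark"
            return "drop"
        self.length += 1
        return "enqueue"

    def depart(self):
        if self.length:
            self.length -= 1


def sample_run():
    """Constructed run with EWMA weight 1 (average = instantaneous length, to keep
    the arithmetic visible): 15 green packets fill the queue past the green
    lower threshold, then arrivals are decided at an average size of 15 and 16."""
    profiles = {"green": WredProfile(10, 20, 0.25), "red": WredProfile(4, 8, 0.75)}
    q = WredQueue(profiles, weight=1.0, ecn=True)
    decisions = [q.arrive("green", 0.99) for _ in range(15)]
    decisions.append(q.arrive("green", 0.10))            # p = 0.125, not ECN-capable -> drop
    decisions.append(q.arrive("green", 0.10, ect=True))  # same p, ECN-capable -> mark
    decisions.append(q.arrive("red", 0.00, ect=True))    # avg 16 >= red upper 8 -> drop
    return decisions
```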
• Drop packets according to their colors:
  - In queue 0, set the drop probability to 25%, 50%, and 75% for green, yellow, and red packets, respectively.
  - In queue 3, set the drop probability to 5%, 10%, and 25% for green, yellow, and red packets, respectively.
  - In queue 7, set the drop probability to 1%, 5%, and 10% for green, yellow, and red packets, respectively.
• Enable ECN for queue 7.
Configuring traffic filtering
You can filter in or filter out traffic of a class by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.

Configuration procedure
To configure traffic filtering:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a traffic class and enter traffic class view.
12. (Optional.) Display the traffic filtering configuration.
   Command: display traffic behavior user-defined [ behavior-name ]
   Remarks: Available in any view.

Configuration example
Network requirements
As shown in Figure 16, configure traffic filtering to filter the packets whose source port number is 21 and that are received on FortyGigE1/0/1.
Figure 16 Network diagram

Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets whose source port number is 21.
Configuring priority marking

Overview
Priority marking sets the priority fields or flag bits of packets to modify the priority of packets. For example, you can use priority marking to set IP precedence or DSCP for a traffic class of IP packets to control the forwarding of these packets.
To configure priority marking, you can associate a traffic class with a traffic behavior configured with the priority marking action to set the priority fields or flag bits of the traffic class of packets.
Configuring color-based priority marking
This section describes how to configure color-based priority marking.

Configuring priority marking based on colors obtained through traffic policing
After traffic policing evaluates and colors packets, the device can mark traffic with various priority values (including DSCP values, 802.1p priority values, and local precedence values) by color.
6. Configure a priority marking action.
   • Set the DSCP value for packets:
     remark [ green | red | yellow ] dscp dscp-value
   • Set the 802.1p priority for packets or configure the inner-to-outer tag priority copying function:
     remark [ green | red | yellow ] dot1p dot1p-value
     remark dot1p customer-dot1p-trust
   • Set the drop priority for packets:
Priority marking configuration examples

Local precedence marking configuration example
Network requirements
As shown in Figure 17, configure priority marking on Device to meet the following requirements:
Traffic source   Destination   Processing priority
Host A, B        Data server   High
Host A, B        Mail server   Medium
Host A, B        File server   Low
Figure 17 Network diagram (labels: Internet, Data server, Mail server, File server, Host A, Host B, Device, FGE1/0/1, FGE1/0/2; addresses 192.168.0.1/24, 192.168.0.2/24, 192.168.0.)
[Device] traffic classifier classifier_dbserver
[Device-classifier-classifier_dbserver] if-match acl 3000
[Device-classifier-classifier_dbserver] quit
# Create a traffic class named classifier_mserver, and use ACL 3001 as the match criterion in the traffic class.
Local QoS ID marking configuration example
Local QoS ID marking allows you to mark the same local QoS ID for packets of multiple classes and configure a new class to match the local QoS ID to group these packets into the new class. With this feature, you can perform QoS actions for the old classes respectively and perform other QoS actions for the new class. In this way, you can perform layers of QoS actions for the specific packets.
[SwitchA-acl-basic-2001] quit
# Configure IPv4 basic ACL 2002 to match the outgoing traffic of the R&D department.
[SwitchA] acl number 2002
[SwitchA-acl-basic-2002] rule permit source 192.168.2.0 0.0.0.255
[SwitchA-acl-basic-2002] quit
# Create class admin, and use ACL 2001 as the match criterion.
[SwitchA] traffic classifier admin
[SwitchA-classifier-admin] if-match acl 2001
[SwitchA-classifier-admin] quit
# Create class rd, and use ACL 2002 as the match criterion.
[SwitchA] traffic classifier marketing_car
[SwitchA-classifier-marketing_car] if-match qos-local-id 100
[SwitchA-classifier-marketing_car] quit
# Create behavior marketing_car, and configure traffic policing to limit the traffic rate to 204800 kbps.
Configuring nesting
Nesting adds a VLAN tag to the matching packets to allow the VLAN-tagged packets to pass through the corresponding VLAN. For example, you can add an outer VLAN tag to packets from a customer network to a service provider network. This allows the packets to pass through the service provider network by carrying a VLAN tag assigned by the service provider.

Configuration procedure
To configure nesting:
1. Enter system view.
   Command: system-view
   Remarks: N/A
11. Apply the QoS policy.
   • Applying the QoS policy to an interface
   • Applying the QoS policy to a VLAN
   • Applying the QoS policy globally
   Remarks: Choose one of the application destinations as needed. By default, a QoS policy is not applied.

Configuration example
Network requirements
As shown in Figure 19, Site 1 and Site 2 in VPN A are two branches of a company, and they use VLAN 5 to transmit traffic.
# Create a QoS policy named test, and associate class test with behavior test in the QoS policy.
[PE1] qos policy test
[PE1-qospolicy-test] classifier test behavior test
[PE1-qospolicy-test] quit
# Configure the downlink port FortyGigE 1/0/1 as a hybrid port, and assign the port to VLAN 100 as an untagged member.
Configuring traffic redirecting
Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing. The following redirect actions are supported:
• Redirecting traffic to the CPU—Redirects packets that require processing by the CPU to the CPU.
• Redirecting traffic to an interface—Redirects packets that require processing by an interface to the interface.
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: By default, no QoS policy exists.
9. Associate the traffic class with the traffic behavior in the QoS policy.
   Command: classifier classifier-name behavior behavior-name
   Remarks: By default, no class-behavior association is configured for a QoS policy.
   Command: quit
   Remarks: N/A
   • Applying the QoS policy globally
   Remarks: Choose one of the application destinations as needed.
Figure 20 Network diagram

Configuration procedure
# Create basic ACL 2000, and configure a rule to match packets with source IP address 2.1.1.1.
system-view
[DeviceA] acl number 2000
[DeviceA-acl-basic-2000] rule permit source 2.1.1.1 0
[DeviceA-acl-basic-2000] quit
# Create basic ACL 2001, and configure a rule to match packets with source IP address 2.1.1.2.
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 2.1.1.
[DeviceA] interface FortyGigE 1/0/1
[DeviceA-FortyGigE1/0/1] qos apply policy policy inbound
Configuring aggregate CAR
An aggregate CAR action is created globally and can be directly applied to interfaces or referenced in the traffic behaviors associated with different traffic classes to police multiple traffic flows as a whole. The total rate of the traffic flows must conform to the traffic policing specifications set in the aggregate CAR action.

Configuration procedure
To configure aggregate CAR:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an aggregate CAR action.
Figure 21 Network diagram

Configuration procedure
# Configure an aggregate CAR according to the rate limit requirements.
system-view
[Device] qos car aggcar-1 aggregative cir 2560 cbs 20480 red discard
# Create class 1 to match traffic of VLAN 10. Create behavior 1 and reference the aggregate CAR in the behavior.
# Apply the QoS policy to the incoming traffic of FortyGigE 1/0/1.
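The following is an added example and not code from the HP guide or the switch software: a single-rate token-bucket policer, in Python, that models the aggregate CAR configured above (qos car aggcar-1 aggregative cir 2560 cbs 20480 red discard) and contrasts it with one CAR per class. It assumes cir is in kbps and cbs in bytes (the units of the command), that packets are (timestamp in seconds, VLAN, size in bytes) tuples arriving in time order, and that red packets are discarded; the sample packet list is constructed for the illustration.

```python
"""Added example (not HP's code): token-bucket model of an aggregate CAR.

Assumptions: cir in kbps, cbs in bytes, packets given as
(timestamp_seconds, vlan, size_bytes) in time order, red = discard.
"""

from collections import defaultdict


class TokenBucket:
    """Single-rate, single-bucket policer: tokens accrue at cir, capped at cbs."""

    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8      # token fill rate in bytes per second
        self.capacity = cbs_bytes
        self.tokens = float(cbs_bytes)       # the bucket starts full
        self.last = 0.0

    def police(self, now, size):
        """Return 'green' (conforming, pass) or 'red' (non-conforming, discard)."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "green"
        return "red"


def police_flows(packets, cir_kbps=2560, cbs_bytes=20480, aggregate=True):
    """Police the packet list and return {vlan: {'green': n, 'red': n}}.

    aggregate=True  -> one bucket shared by every class, as 'qos car ... aggregative' does
    aggregate=False -> an independent bucket per VLAN, i.e. one CAR per class
    """
    shared = TokenBucket(cir_kbps, cbs_bytes)
    per_vlan = {}
    stats = defaultdict(lambda: {"green": 0, "red": 0})
    for now, vlan, size in packets:
        if aggregate:
            bucket = shared
        else:
            bucket = per_vlan.setdefault(vlan, TokenBucket(cir_kbps, cbs_bytes))
        stats[vlan][bucket.police(now, size)] += 1
    return dict(stats)


# Constructed sample: VLAN 10 bursts 14 x 1500-byte frames at t=0; VLAN 20 sends
# one frame at t=0 and one more a second later, after the bucket has refilled.
SAMPLE_PACKETS = [(0.0, 10, 1500)] * 14 + [(0.0, 20, 1500), (1.0, 20, 1500)]

if __name__ == "__main__":
    print("aggregate CAR:", police_flows(SAMPLE_PACKETS, aggregate=True))
    print("per-class CAR:", police_flows(SAMPLE_PACKETS, aggregate=False))
```

With the shared bucket, VLAN 10's burst of 13 conforming frames (19,500 bytes) leaves only 980 bytes of the 20,480-byte cbs, so VLAN 20's first frame is red even though VLAN 20 itself sent almost nothing; with a bucket per class the same frame passes. That is the "police multiple traffic flows as a whole" behaviour, and also why an aggregate CAR lets one noisy class starve the others of burst credit until the bucket refills at cir.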
Configuring class-based accounting

Class-based accounting collects statistics (in packets or bytes) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you can determine whether anomalies have occurred and what action to take.

Configuration procedure
To configure class-based accounting:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2.
Step | Command | Remarks
12. Display traffic accounting configuration. (Available in any view.)
• display qos policy control-plane slot slot-number
• display qos policy global [ slot slot-number ] [ inbound | outbound ]
• display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]
# Apply the QoS policy named policy to the incoming traffic of FortyGigE 1/0/1.
[Device] interface FortyGigE 1/0/1
[Device-FortyGigE1/0/1] qos apply policy policy inbound
[Device-FortyGigE1/0/1] quit
# Display traffic statistics to verify the configuration.
Configuring time ranges

You can implement a service based on the time of day by applying a time range to it. A time-based service only takes effect in the time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them. If the referenced time range does not exist, the time-based service does not take effect. The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
Figure 23 Network diagram (Host A 192.168.1.2/24, Host B 192.168.1.3/24, Device A with interfaces FGE1/0/1 and FGE1/0/2, Server 192.168.0.100/24)

Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days, from June 2011 to the end of the year.
<DeviceA> system-view
[DeviceA] time-range work 8:0 to 18:0 working-day from 0:0 6/1/2011 to 24:0 12/31/2011
# Create an IPv4 basic ACL numbered 2001, and configure a rule in the ACL to permit only packets from 192.168.1.
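To make the semantics of the time-range command concrete, here is an added Python example (not HP's code and not part of this guide) that parses the argument string used above, 8:0 to 18:0 working-day from 0:0 6/1/2011 to 24:0 12/31/2011, and evaluates whether the range, and so any ACL rule referencing it, is active at a given moment. It assumes that working-day means Monday to Friday and off-day the weekend, that the daily end time and the absolute end bound are exclusive, that 24:0 denotes the end of the stated day, and that the clock is already in the intended time zone; the parser and the active_at helper are constructed for this illustration.

```python
"""Added example (not HP's code): evaluate a periodic time range with absolute bounds.

Assumptions: 'working-day' = Monday..Friday, 'off-day' = weekend, the daily end
time and the absolute end bound are exclusive, '24:0' = end of the stated day,
and the clock is already in the intended time zone.
"""

import re
from datetime import datetime, time, timedelta

DAY_KEYWORDS = {
    "working-day": {0, 1, 2, 3, 4},   # datetime.weekday(): Monday=0 .. Friday=4
    "off-day": {5, 6},
    "daily": set(range(7)),
}

# <start> to <end> <days> [from <time> <m/d/yyyy> to <time> <m/d/yyyy>]
_PATTERN = re.compile(
    r"^(\d{1,2}):(\d{1,2}) to (\d{1,2}):(\d{1,2}) (\S+)"
    r"(?: from (\d{1,2}):(\d{1,2}) (\d{1,2})/(\d{1,2})/(\d{4})"
    r" to (\d{1,2}):(\d{1,2}) (\d{1,2})/(\d{1,2})/(\d{4}))?$"
)


def _clock(hh, mm):
    """Time of day; 24:0 is represented as the last instant of the day."""
    hh, mm = int(hh), int(mm)
    return time.max if hh == 24 and mm == 0 else time(hh, mm)


def _stamp(hh, mm, month, day, year):
    """Absolute bound; 24:0 on a date becomes 00:00 of the following day."""
    return datetime(int(year), int(month), int(day)) + timedelta(
        hours=int(hh), minutes=int(mm))


def parse_time_range(spec):
    """Parse the time-range argument string into a window description."""
    m = _PATTERN.match(spec.strip())
    if not m:
        raise ValueError("unsupported time-range syntax: %r" % spec)
    g = m.groups()
    if g[4] not in DAY_KEYWORDS:
        raise ValueError("unsupported day keyword: %r" % g[4])
    window = {
        "start": _clock(g[0], g[1]),
        "end": _clock(g[2], g[3]),
        "days": DAY_KEYWORDS[g[4]],
        "not_before": None,   # absolute start, or None when no 'from' clause
        "not_after": None,    # absolute end (exclusive), or None
    }
    if g[5] is not None:
        window["not_before"] = _stamp(*g[5:10])
        window["not_after"] = _stamp(*g[10:15])
    return window


def is_active(window, now):
    """True when both the absolute bounds and the periodic window include now."""
    if window["not_before"] is not None and now < window["not_before"]:
        return False
    if window["not_after"] is not None and now >= window["not_after"]:
        return False
    if now.weekday() not in window["days"]:
        return False
    return window["start"] <= now.time() < window["end"]


def active_at(spec, year, month, day, hour, minute):
    """Convenience wrapper: is the time range `spec` active at that moment?"""
    return is_active(parse_time_range(spec), datetime(year, month, day, hour, minute))


# The argument string from the configuration procedure above.
WORK = "8:0 to 18:0 working-day from 0:0 6/1/2011 to 24:0 12/31/2011"

if __name__ == "__main__":
    for when in [(2011, 6, 15, 9, 0), (2011, 6, 18, 9, 0), (2012, 1, 2, 9, 0)]:
        print(when, active_at(WORK, *when))
```

The two checks that matter operationally are the ones this model makes explicit: a time-based rule is inactive outside the absolute bounds even on a working day, and once the absolute end passes the rule silently stops applying, so a permit rule guarded by a time range falls back to whatever the ACL's remaining rules and default action say.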
Appendixes

Appendix A Default priority maps
For the default dscp-dscp priority map, an input value yields a target value equal to it.
Appendix B Introduction to packet precedences

IP precedence and DSCP values
Figure 24 ToS and DS fields (IPv4 ToS byte, RFC 791/1122/1349: bits 0 to 2 Precedence, bits 3 to 6 Type of Service, bit 7 MBZ (Must Be Zero). DS field, RFC 2474, occupying the IPv4 ToS octet or the IPv6 Traffic Class octet: bits 0 to 5 Differentiated Services Codepoint (DSCP), which includes the Class Selector codepoints, bits 6 to 7 CU (Currently Unused).)
As shown in Figure 24, the ToS field in the IP header contains eight bits
DSCP value (decimal) | DSCP value (binary) | Description
28 | 011100 | af32
30 | 011110 | af33
34 | 100010 | af41
36 | 100100 | af42
38 | 100110 | af43
8 | 001000 | cs1
16 | 010000 | cs2
24 | 011000 | cs3
32 | 100000 | cs4
40 | 101000 | cs5
48 | 110000 | cs6
56 | 111000 | cs7
0 | 000000 | be (default)

802.1p priority
802.1p priority lies in the Layer 2 header and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 25 An Ethernet frame with an 802.
Table 11 Description on 802.1p priority
802.1p priority (decimal) | 802.
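The field layout of Figure 24 and the DSCP naming in the table above can be expressed as a small decoder. The following Python is an added example, not code from the HP guide: it splits a ToS/DS octet into IP precedence, DSCP and CU bits and derives the symbolic codepoint name by the general rule the table instantiates (csN = N << 3, afXY = 8X + 2Y, ef = 46, be = 0, per RFC 2474, RFC 2597 and RFC 3246). The remark_untrusted helper at the end is an added illustration of a trust boundary, not a description of the switch's priority trust implementation.

```python
"""Added example (not HP's code): decode the ToS/DS octet and name DSCP codepoints.

Naming rules assumed: csN = N << 3, afXY = 8*X + 2*Y (X in 1..4, Y in 1..3),
ef = 46, be = 0; any other value is reported as a plain number.
"""


def dscp_name(dscp):
    """Return the symbolic name the appendix table uses for a 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return "cs%d" % cls                  # class selector: low three bits zero
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return "af%d%d" % (cls, low // 2)    # assured forwarding class, drop precedence
    return "dscp%d" % dscp


def decode_tos(tos):
    """Split one ToS/DS octet into the fields shown in Figure 24."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS byte must be 0..255")
    dscp = tos >> 2
    return {
        "precedence": tos >> 5,          # bits 0-2: IP precedence (RFC 791)
        "dscp": dscp,                    # bits 0-5: DSCP (RFC 2474)
        "dscp_binary": format(dscp, "06b"),
        "name": dscp_name(dscp),
        "cu": tos & 0b11,                # bits 6-7: CU in RFC 2474 (later used for ECN)
    }


def remark_untrusted(tos, allowed_dscp=frozenset()):
    """Illustration of an untrusted ingress port (assumption, not the switch's
    own algorithm): keep the DSCP only if it is on the allow list, otherwise
    rewrite it to be (0), leaving the CU bits untouched."""
    if (tos >> 2) in allowed_dscp:
        return tos
    return tos & 0b11


if __name__ == "__main__":
    # Constructed sample octets: af32, ef, cs1 and best effort.
    for octet in (0x70, 0xB8, 0x20, 0x00):
        print(hex(octet), decode_tos(octet))
```

Decoding is what you need when checking a capture against the priority map: 0x70 yields DSCP 28 (011100, af32) and IP precedence 3, consistent with the table row, and the precedence is simply the top three bits of the same DSCP. The remark helper shows the defensive point behind the trust-mode configuration: markings arriving on an untrusted port should be reset rather than honoured, or an attached host could claim ef for its own traffic.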
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.