HP 6125 Blade Switch Series ACL and QoS Configuration Guide Part number: 5998-3159 Software version: Release 2103 Document version: 6W100-20120907...
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Configuring ACLs

Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

Overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering.
basic or advanced ACL, its ACL number and name must be unique among all IPv6 ACLs. You can assign an IPv4 ACL and an IPv6 ACL the same number and name.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
ACL rule comments and rule range remarks

You can add a comment about an ACL rule to make it easy to understand. The rule comment appears below the rule statement. You can also add a rule range remark to indicate the start or end of a range of rules created for the same purpose.
Configuring a time range
    Remarks: Optional. Applicable to IPv4 and IPv6 ACLs.
Configuring a basic ACL
    Remarks: Required. Configure at least one task. Applicable to IPv4 and IPv6.
Configuring an advanced ACL
    Remarks: Required. Configure at least one task. Applicable to IPv4 and IPv6.
Configuring an Ethernet frame header ACL
    Remarks: Required. Configure at least one task.
Copying an ACL
    Remarks: Optional. Applicable to IPv4 and IPv6.
Enter system view.
    Command: system-view
    Remarks: N/A
Create an IPv4 basic ACL and enter its view.
    Command: acl number acl-number [ name acl-name ] [ match-order { auto | ...
    Remarks: By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999.
Create or edit a rule.
    Command: rule [ rule-id ] { deny | permit } [ counting | fragment | routing [ type routing-type ] | source ...
    Remarks: By default, an IPv6 basic ACL does not contain any rule. If the ACL is for QoS traffic classification or packet filtering, do not specify the fragment and routing...
Create or edit a rule.
    Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } ...
    Remarks: By default, an IPv4 advanced ACL does not contain any rule.
Enter system view.
    Command: system-view
    Remarks: N/A
Create an IPv6 advanced ACL and enter its view.
    Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. IPv6 advanced ACLs are numbered in the range of 3000 to 3999. You can use the acl ipv6 name acl6-name command...
Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.

To configure an Ethernet frame header ACL:

Step | Command...
To successfully copy an ACL, make sure that:
• The destination ACL number is from the same category as the source ACL number.
• The source ACL already exists but the destination ACL does not.

Copying an IPv4 ACL

Enter system view.
    Command: system-view
Enter system view.
    Command: system-view
    Remarks: N/A
Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Apply an IPv6 basic or advanced ACL to the interface.
    Command: packet-filter ipv6 { acl6-number | name acl6-name } { inbound | ...
    Remarks: By default, no IPv6 ACL is applied to the interface.
• As an FTP server, the switch accepts the login requests from only the NMS.

Figure 1 Network diagram

Configuration procedure

Limit the telnet login requests:

# Create a time range named telnet to cover 8:30 to 18:00 of every working day.
<Switch>...
# Create IPv4 basic ACL 2002, and configure a rule for the ACL to permit only the packets sourced from 10.1.3.1.
[Switch] acl number 2002
[Switch-acl-basic-2002] rule permit source 10.1.3.1 0
[Switch-acl-basic-2002] quit
# Enable the FTP server on the switch.
[Switch] ftp server enable
# Use ACL 2001 to control FTP clients' access to the FTP server.
IPv6 packet filtering configuration example

Network requirements

As shown in Figure 3, apply an IPv6 ACL to the incoming traffic of GigabitEthernet 1/0/1 on Device A so that every day from 08:00 to 18:00 the interface allows only packets from Host A to pass through.

Figure 3 Network diagram

Configuration procedure

# Create a time range from 08:00 to 18:00 every day.
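The first-match evaluation described under "Match order", the wildcard in rule permit source 10.1.3.1 0, and a rule gated by a time range, modelled in Python as an added example (not code from this guide or from the switch). The FTP_ACL, TELNET_ACL and ORDER_ACL samples, the default action taken when no rule matches, and the simplified auto ordering are assumptions of the model.

```python
"""How an IPv4 basic ACL is evaluated: rules are tried in match order and the
first hit decides. Added illustration, not Comware code."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional

def _addr_int(addr: str) -> int:
    # The CLI accepts a bare 0 as shorthand for the 0.0.0.0 wildcard.
    return int(IPv4Address("0.0.0.0" if addr == "0" else addr))

def wildcard_match(packet_src: str, rule_src: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored, so
    '10.1.3.1 0' is exactly that host and '10.1.3.0 0.0.0.255' the whole /24."""
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return (_addr_int(packet_src) & care) == (_addr_int(rule_src) & care)

@dataclass
class TimeRange:
    """Periodic time range such as 08:30 to 18:00 on working days (0 = Monday)."""
    start: time
    end: time
    weekdays: tuple

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end

@dataclass
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    source: str = "0.0.0.0"            # default: any source
    wildcard: str = "255.255.255.255"
    time_range: Optional[TimeRange] = None

    def care_bits(self) -> int:
        """Address bits the rule compares; more bits means a more specific rule."""
        return bin(~_addr_int(self.wildcard) & 0xFFFFFFFF).count("1")

    def matches(self, src: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False               # a rule is inactive outside its time range
        return wildcard_match(src, self.source, self.wildcard)

def evaluate(rules, src: str, when: datetime, default: str, match_order: str = "config") -> str:
    """First matching rule wins. 'config' tries rules in ascending rule ID order.
    'auto' (depth-first) is simplified here to most-specific-source-first with rule ID
    as tie-breaker; that simplification is an assumption of this model."""
    if match_order == "auto":
        ordered = sorted(rules, key=lambda r: (-r.care_bits(), r.rule_id))
    else:
        ordered = sorted(rules, key=lambda r: r.rule_id)
    for rule in ordered:
        if rule.matches(src, when):
            return rule.action
    return default

# ACL 2002 from the example above: permit only 10.1.3.1. As a login-control ACL it
# refuses any source that matches no rule (the switch accepts only the NMS).
FTP_ACL = [Rule(0, "permit", "10.1.3.1", "0")]
# Constructed sample: the same host, limited to the 'telnet' time range
# (08:30 to 18:00, Monday to Friday) from the example above.
WORKING_HOURS = TimeRange(time(8, 30), time(18, 0), (0, 1, 2, 3, 4))
TELNET_ACL = [Rule(0, "permit", "10.1.3.1", "0", WORKING_HOURS)]
# Constructed sample showing why match order matters: a /24 deny (rule 0) with a
# host permit inside it (rule 5). 'config' hits the deny first, 'auto' the permit.
ORDER_ACL = [Rule(0, "deny", "10.1.3.0", "0.0.0.255"), Rule(5, "permit", "10.1.3.1", "0")]

def ftp_login_allowed(src: str) -> bool:
    return evaluate(FTP_ACL, src, datetime.now(), default="deny") == "permit"

def telnet_login_allowed(src: str, when_iso: str) -> bool:
    when = datetime.fromisoformat(when_iso)
    return evaluate(TELNET_ACL, src, when, default="deny") == "permit"

def order_decision(match_order: str) -> str:
    when = datetime(2012, 9, 7, 9, 0)
    return evaluate(ORDER_ACL, "10.1.3.1", when, default="permit", match_order=match_order)
```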
QoS overview

In data communications, Quality of Service (QoS) is a network’s ability to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate. Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones.
QoS techniques

The QoS techniques include traffic classification, traffic policing, traffic shaping, line rate, congestion management, and congestion avoidance. They address problems that arise at different positions of a network.

Figure 4 Placement of the QoS techniques in a network

As shown in Figure 4, traffic classification, traffic shaping, traffic policing, congestion management, and...
QoS configuration approaches

You can configure QoS in these approaches:
• MQC approach
• Non-MQC approach
Some features support both approaches, but some support only one.

MQC approach

In the modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies (see "Configuring a QoS policy").
Configuring a QoS policy

Overview

A QoS policy is a set of class-behavior associations and defines the shaping, policing, or other QoS actions to take on different classes of traffic. A class is a set of match criteria for identifying traffic and it uses the AND or OR operator:
• ...
Configuration restrictions and guidelines

• If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id or if-match service-vlan-id clauses, a packet that matches any of the clauses matches the class.
• To successfully execute the traffic behavior associated with a traffic class that uses the AND operator, ...
Option: dscp dscp-list
    Description: Matches DSCP values. The dscp-list argument is a list of up to eight DSCP values. A DSCP value can be a number from 0 to 63 or any keyword in Table ...
Option: destination-mac mac-address
    Description: Matches a destination MAC address.
Option: ...
    Description: Matches the 802.1p priority of the customer network.
Defining a policy

You associate a behavior with a class in a QoS policy to perform the actions defined in the behavior for the class of packets.

Configuration restrictions and guidelines

• If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the ACL ...
If a QoS policy has been applied to an active user profile, you cannot modify classes, behaviors, and class-behavior associations of the QoS policy, or delete the QoS policy.

Applying the QoS policy to an interface

A policy can be applied to multiple interfaces, but only one policy can be applied in one direction (inbound or outbound) of an interface.
Return to system view.
    Command: quit
    Remarks: N/A
Activate the user profile.
    Command: user-profile profile-name enable
    Remarks: By default, a user profile is inactive.

Applying the QoS policy to a VLAN

You can apply a QoS policy to a VLAN to regulate traffic of the VLAN. QoS policies cannot be applied to dynamic VLANs, such as VLANs created by GVRP.
Display VLAN QoS policy configuration.
    Command: display qos vlan-policy { name policy-name | vlan vlan-id } [ slot slot-number ] [ inbound | outbound ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Display information about QoS ...
    Command: display qos policy global [ slot slot-number ] [ inbound | outbound ] [ | { begin | exclude |...
    Remarks: Available in any view
Configuring priority mapping

Overview

When a packet enters a device, depending on your configuration, the device assigns a set of QoS priority parameters to the packet based on either a certain priority field carried in the packet or the port priority of the incoming port.
Priority trust mode on a port

The priority trust mode on a port decides which priority is used for priority mapping table lookup. Port priority was introduced for use in priority mapping in addition to the priority fields carried in packets. The HP Blade 6125 Switch Series provides the following priority trust modes:
• Using the 802.1p priority carried in packets for priority mapping.
priority for traffic scheduling depending on your configuration. Neither priority trust mode configuration on the port nor port priority configuration takes effect.

Configuration guidelines

You can modify priority mappings by modifying priority mapping tables, priority trust mode on a port, and port priority.
Enter system view.
    Command: system-view
    Remarks: N/A
Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Set the port priority of the interface.
    Command: qos priority priority-value
    Remarks: The default port priority is 0.

Displaying priority mappings

Display priority mapping table
    Command: display qos map-table [ dot1p-dp | dot1p-lp | dscp-dot1p | dscp-dp | dscp-dscp ] [ | { begin | exclude | include } ...
    Remarks: Available in any view...
Configuration procedure

# Assign port priority to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Make sure that the priority of GigabitEthernet 1/0/1 is higher than that of GigabitEthernet 1/0/2, and no trusted packet priority type is configured on GigabitEthernet 1/0/1 or GigabitEthernet 1/0/2.
<DeviceC>...
Figure 8 Network diagram (Device with ports GE1/0/1 to GE1/0/5; management, R&D and marketing departments; public servers; Internet)

Configuration procedure

Configure trusting port priority:

# Set the port priority of GigabitEthernet 1/0/1 to 3.
<Device>...
[Device-maptbl-dot1p-lp] import 5 export 4
[Device-maptbl-dot1p-lp] quit

Configure priority marking:

# Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3, respectively. Use the priority mapping table you have configured to map the 802.1p priorities to local precedence values 6, 4, and 2, respectively, for differentiated traffic treatment.
Configuring traffic policing, traffic shaping, and line rate

Overview

Traffic policing, traffic shaping, and rate limit are QoS technologies that help allocate network resources, such as bandwidth. They improve network performance and user satisfaction. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic.
• Peak information rate (PIR)—Rate at which tokens are put into bucket E, which specifies the average packet transmission or forwarding rate allowed by bucket E.
• Excess burst size (EBS)—Size of bucket E, which specifies the transient burst of traffic that bucket E ...
Traffic shaping

IMPORTANT:
Traffic shaping shapes the outbound traffic.

Traffic shaping limits the outbound traffic rate by buffering the excess traffic. You can use traffic shaping to adapt the traffic output rate on a device to the input traffic rate of its connected device to avoid packet loss.
The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate also uses token buckets for traffic control. With line rate configured on an interface, all packets to be sent through the interface are handled by the token bucket at line rate. If enough tokens are in the token bucket, packets can be forwarded.
Return to system view.
    Command: quit
    Remarks: N/A
Create a behavior and enter behavior view.
    Command: traffic behavior behavior-name
    Remarks: N/A
Configure a traffic policing action.
    Command: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ yellow action ] [ red action ]
    Remarks: N/A
Return to system view.
Enter interface view.
    Command: interface interface-type interface-number
Configure the line rate for the interface.
    Command: qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]

Displaying and maintaining traffic policing, GTS, and line rate

On the HP Blade 6125 Switch Series, you can configure traffic policing in MQC approach. For more information about the displaying and maintaining commands, see "Displaying and maintaining QoS policies."...
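The two token buckets behind the car action worked through in Python, as an added example rather than the switch's implementation: bucket C fills at CIR up to CBS and bucket E at PIR up to EBS, with the green, yellow and red outcomes of the traffic evaluation. The colouring rule used (green if bucket C can pay for the packet, otherwise yellow if bucket E can, otherwise red), the simplification that an EBS of 0 disables bucket E, and the sample rates and packet sizes are assumptions.

```python
"""Two-bucket traffic policer (CAR) with green/yellow/red colouring.
Added illustration of the cir/cbs/pir/ebs parameters; not the switch's code."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class TokenBucket:
    rate_kbps: int        # fill rate: CIR for bucket C, PIR for bucket E
    size_bytes: int       # bucket depth: CBS for bucket C, EBS for bucket E
    tokens: float = 0.0   # current tokens, in bytes
    last_t: float = 0.0   # time of the last refill, in seconds

    def __post_init__(self) -> None:
        self.tokens = float(self.size_bytes)   # buckets start full

    def refill(self, now: float) -> None:
        """Add tokens for the elapsed time at the bucket's rate, capped at its size."""
        elapsed = max(0.0, now - self.last_t)
        self.tokens = min(self.size_bytes, self.tokens + elapsed * self.rate_kbps * 1000 / 8)
        self.last_t = now

    def pay(self, nbytes: int) -> bool:
        """Consume tokens for a packet if enough are available."""
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False

class Policer:
    """Assumed colouring rule: green if bucket C pays for the packet, otherwise
    yellow if bucket E pays, otherwise red."""

    def __init__(self, cir_kbps: int, cbs_bytes: int,
                 pir_kbps: Optional[int] = None, ebs_bytes: int = 0) -> None:
        self.bucket_c = TokenBucket(cir_kbps, cbs_bytes)
        # Assumption of this model: with no EBS there is no bucket E; with an EBS
        # but no pir, bucket E is filled at CIR.
        self.bucket_e = TokenBucket(pir_kbps or cir_kbps, ebs_bytes) if ebs_bytes > 0 else None

    def colour(self, nbytes: int, now: float) -> str:
        self.bucket_c.refill(now)
        if self.bucket_e is not None:
            self.bucket_e.refill(now)
        if self.bucket_c.pay(nbytes):
            return "green"
        if self.bucket_e is not None and self.bucket_e.pay(nbytes):
            return "yellow"
        return "red"

def colour_counts(policer: Policer, packets) -> dict:
    """packets: iterable of (arrival_time_s, size_bytes). Returns per-colour counts."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for t, size in packets:
        counts[policer.colour(size, t)] += 1
    return counts

def burst_demo() -> dict:
    """Constructed sample: car cir 64 cbs 4000 ebs 2000 pir 128, hit by ten
    1000-byte packets at t=0 and five more one second later. At t=0 only the
    CBS (4 packets) is green and the EBS (2 packets) yellow; after one second
    both buckets are full again (8000 and 16000 bytes refilled, capped)."""
    policer = Policer(cir_kbps=64, cbs_bytes=4000, pir_kbps=128, ebs_bytes=2000)
    burst = [(0.0, 1000)] * 10 + [(1.0, 1000)] * 5
    return colour_counts(policer, burst)   # {'green': 8, 'yellow': 3, 'red': 4}
```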
Figure 13 Network diagram

Configuration procedures

Configure Device A:

# Configure ACL 2001 and ACL 2002 to match traffic from Server and Host A, respectively.
<DeviceA> system-view
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 1.1.1.1 0
[DeviceA-acl-basic-2001] quit
[DeviceA] acl number 2002
[DeviceA-acl-basic-2002] rule permit source 1.1.1.2 0
[DeviceA-acl-basic-2002] quit
# Create a class named server, and use ACL 2001 as the match criterion.
[DeviceA-qospolicy-car] quit
# Apply QoS policy car to the incoming traffic of port GigabitEthernet 1/0/1.
[DeviceA] interface GigabitEthernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] qos apply policy car inbound

Configure Device B:

# Configure advanced ACL 3001 to match HTTP traffic.
<DeviceB> system-view
[DeviceB] acl number 3001
[DeviceB-acl-adv-3001] rule permit tcp destination-port eq 80
[DeviceB-acl-adv-3001] quit
# Create a class named http, and use ACL 3001 as the match criterion.
Configuring congestion management

Overview

Network congestion degrades service quality on a traditional network. Congestion is a situation where the forwarding rate decreases due to insufficient resources, resulting in extra delay. Congestion is more likely to occur in complex packet switching circumstances. Figure 14 shows two common cases:...
Figure 15 SP queuing (queue 7, high priority, down to queue 0, low priority; packet classification, queue scheduling, sending queue, interface)

As shown in Figure 15, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order.
Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. The Switch Series supports byte-count weight (which determines the weight by the number of bytes scheduled in a cycle) or packet-based weight (which determines the weight by the number of packets scheduled in a cycle).
• The bandwidth percentage assigned to each flow is (precedence value of the flow + 1)/total assignable bandwidth quota. The bandwidth percentages for the flows are 1/15, 2/15, 3/15, 4/15, and 5/15, respectively.
• The bandwidth assigned to a queue = the minimum guaranteed bandwidth + the bandwidth allocated to the queue from the assignable bandwidth.
Configuration example

Network requirements

Configure WFQ queues on an interface and assign the scheduling weight 2, 5, 10, 10, and 10 to queue 1, queue 3, queue 4, queue 5, and queue 6, respectively.

Configuration procedure

# Enter system view.
<Sysname>...
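The two bandwidth formulas above carried through in Python with exact fractions, as an added example (not the switch's scheduler). The weights come from the WFQ configuration example and the 64 kbps minimum from the qos bandwidth queue default; the 1000 kbps port bandwidth and the precedence values 0 to 4 are assumptions.

```python
"""Bandwidth a WFQ queue receives: its minimum guaranteed bandwidth plus a
weight-proportional share of the assignable bandwidth. Added illustration."""
from fractions import Fraction
from typing import Dict, Iterable, List, Optional

def precedence_shares(precedences: Iterable[int]) -> List[Fraction]:
    """Share of the assignable bandwidth per flow when flows are weighted by
    precedence: (precedence + 1) / quota, where quota is the sum of (precedence + 1)."""
    precs = list(precedences)
    quota = sum(p + 1 for p in precs)
    return [Fraction(p + 1, quota) for p in precs]

def wfq_allocation(port_kbps: int, weights: Dict[int, int],
                   min_kbps: Optional[Dict[int, int]] = None,
                   default_min_kbps: int = 64) -> Dict[int, Fraction]:
    """Bandwidth per queue, in kbps, for configured scheduling weights.
    Each queue first receives its minimum guaranteed bandwidth (64 kbps by
    default); what remains is the assignable bandwidth, split by weight."""
    min_kbps = min_kbps or {}
    guaranteed = {q: min_kbps.get(q, default_min_kbps) for q in weights}
    assignable = port_kbps - sum(guaranteed.values())
    if assignable < 0:
        raise ValueError("minimum guarantees exceed the port bandwidth")
    quota = sum(weights.values())
    return {q: guaranteed[q] + Fraction(w, quota) * assignable
            for q, w in weights.items()}

def example_allocation() -> Dict[int, Fraction]:
    """Constructed sample: weights 2, 5, 10, 10, 10 on queues 1, 3, 4, 5, 6
    (the configuration example above) on an assumed 1000 kbps port.
    Guaranteed: 5 x 64 = 320 kbps; assignable: 680 kbps over a quota of 37."""
    return wfq_allocation(1000, {1: 2, 3: 5, 4: 10, 5: 10, 6: 10})

if __name__ == "__main__":
    print([str(s) for s in precedence_shares([0, 1, 2, 3, 4])])   # 1/15 ... 1/3
    for q, bw in example_allocation().items():
        print(f"queue {q}: {float(bw):.1f} kbps")
```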
Configuration example

Network requirements

• Configure SP+WRR queue scheduling algorithm on GigabitEthernet 1/0/1, and use packet-based WRR.
• Configure queue 0, queue 1, queue 2, and queue 3 on GigabitEthernet 1/0/1 to be in the SP queue scheduling group.
• Configure queue 4, queue 5, queue 6, and queue 7 on GigabitEthernet 1/0/1 to use WRR queuing, with the weight 2, 4, 6, and 8, respectively.
Configure the minimum guaranteed bandwidth for a queue.
    Command: qos bandwidth queue queue-id min bandwidth-value
    Remarks: Optional. 64 kbps for each queue by default.

NOTE:
To guarantee successful WFQ configuration, make sure that the scheduling weight type (byte-count or packet-based) is the same as the WFQ queuing type (byte-count or packet-based) when you configure the scheduling weight for a WFQ queue.
Configuring congestion avoidance

Overview

Avoiding congestion before it occurs is a proactive approach to improving network performance. As a flow control mechanism, congestion avoidance actively monitors network resources (such as queues and memory buffers), and drops packets when congestion is expected to occur or deteriorate. Compared with end-to-end flow control, this flow control mechanism controls the load of more flows in a device.
is below the upper threshold, the switch drops packets at the user-configured drop probability. When the queue size reaches the upper threshold, all subsequent packets are dropped.
• Drop precedence—A parameter used in packet drop. Value 0 represents green packets, 1 ...
Displaying and maintaining WRED

Display WRED configuration information on the interface or all interfaces.
    Command: display qos wred interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Display configuration information about a WRED table or all WRED...
    Command: display qos wred table [ table-name ] [ | ...
Configuring traffic filtering

Traffic filtering filters traffic matching certain criteria. For example, you can filter packets sourced from a specific IP address according to network status.

Configuration procedure

To configure traffic filtering:

Enter system view.
    Command: system-view
Create a class and enter class view.
    Command: traffic classifier tcl-name [ operator { and ...
Traffic filtering configuration example

Network requirements

As shown in Figure 18, Host is connected to GigabitEthernet 1/0/1 of Device. Configure traffic filtering to filter the packets with source port being 21, and received on GigabitEthernet 1/0/1.

Figure 18 Network diagram (Host connected to GE1/0/1 of Device)...
Configuring priority marking

Priority marking sets the priority fields or flag bits of packets to modify the priority of traffic. For example, you can use priority marking to set IP precedence or DSCP for a class of IP traffic to change its transmission priority in the network.
Create a policy and enter policy view.
    Command: qos policy policy-name
Associate the class with the traffic behavior in the QoS policy.
    Command: classifier tcl-name behavior behavior-name
Return to system view.
    Command: quit
• Applying the QoS policy to an interface
• ...
Figure 19 Network diagram

Configuration procedure

# Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
<Device> system-view
[Device] acl number 3000
[Device-acl-adv-3000] rule permit ip destination 192.168.0.1 0
[Device-acl-adv-3000] quit
# Create advanced ACL 3001, and configure a rule to match packets with destination IP address 192.168.0.2.
# Create a behavior named behavior_dbserver, and configure the action of setting the local precedence value to 4.
[Device] traffic behavior behavior_dbserver
[Device-behavior-behavior_dbserver] remark local-precedence 4
[Device-behavior-behavior_dbserver] quit
# Create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3.
# Create a class class_a to match both packets with source MAC address 0001-0001-0001 and packets with source IP 1.1.1.1.
<Sysname> system-view
[Sysname] traffic classifier class_a operator or
[Sysname-classifier-class_a] if-match source-mac 1-1-1
[Sysname-classifier-class_a] if-match acl 2000
[Sysname-classifier-class_a] quit
# Create a behavior behavior_a, and configure the action of marking packets with local QoS ID 100 for the behavior.
Configuring traffic redirecting

Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing. The following redirect actions are supported:
• Redirecting traffic to the CPU—redirects packets that require processing by the CPU to the CPU.
• ...
Associate the class with the traffic behavior in the QoS policy.
    Command: classifier tcl-name behavior behavior-name
Return to system view.
    Command: quit
Apply the QoS policy.
    Command:
    • Applying the QoS policy to an interface
    • Applying the QoS policy to a VLAN
    • ...
    Remarks: Choose one application destination as ...
[DeviceA-acl-basic-2000] rule permit source 2.1.1.1 0
[DeviceA-acl-basic-2000] quit
# Create basic ACL 2001, and configure a rule to match packets with source IP address 2.1.1.2.
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 2.1.1.2 0
[DeviceA-acl-basic-2001] quit
# Create a class named classifier_1, and use ACL 2000 as the match criterion in the class.
[DeviceA] traffic classifier classifier_1
[DeviceA-classifier-classifier_1] if-match acl 2000
[DeviceA-classifier-classifier_1] quit...
Configuring aggregate CAR

Overview

An aggregate CAR action is created globally and can be directly applied to interfaces or referenced in the traffic behaviors associated with different traffic classes to police multiple traffic flows as a whole. The total rate of the traffic flows must conform to the traffic policing specifications set in the aggregate CAR action.
Displaying and maintaining aggregate CAR configuration

Display statistics for aggregate CAR actions.
    Command: display qos car name [ car-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Clear statistics for aggregate CAR actions.
    Command: reset qos car name [ car-name ]
    Remarks: Available in user view
[Sysname] traffic classifier 1
[Sysname-classifier-1] if-match service-vlan-id 10
[Sysname-classifier-1] quit
[Sysname] traffic behavior 1
[Sysname-behavior-1] car name aggcar-1
[Sysname-behavior-1] quit
# Create class 2 to match traffic of VLAN 100; create behavior 2, and reference the aggregate CAR in the behavior.
[Sysname] traffic classifier 2
[Sysname-classifier-2] if-match service-vlan-id 100
[Sysname-classifier-2] quit...
Configuring class-based accounting

Class-based accounting collects statistics (in packets or bytes) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you can determine whether anomalies have occurred and what action to take.

Configuration procedure

To configure class-based accounting:

Step...
Class-based accounting configuration example

Network requirements

As shown in Figure 22, Host is connected to GigabitEthernet 1/0/1 of Device A. Configure class-based accounting to collect statistics for traffic sourced from 1.1.1.1/24 and received on GigabitEthernet 1/0/1.

Figure 22 Network diagram

Configuration procedure

# Create basic ACL 2000, and configure a rule to match packets with source IP address 1.1.1.1.
Configuring burst

The burst function improves packet buffering and forwarding performance in the following scenarios:
• Dense broadcast or multicast traffic and massive burst traffic are present.
• High-speed traffic is forwarded over a low-speed link or traffic received from multiple interfaces at ...
Appendix A Default priority mapping tables

Uncolored priority mapping tables

For the default dscp-dscp mapping table, an input value yields a target value equal to it.

Table 5 Default dot1p-lp and dot1p-dp priority mapping tables

Input priority value | dot1p-lp mapping | dot1p-dp mapping
802.1p priority (dot1p) | Local precedence (lp) | ...
Appendix B Packet precedences

IP precedence and DSCP values

Figure 24 ToS and DS fields

As shown in Figure 24, the ToS field in the IPv4 header contains eight bits, where the first three bits (0 to 2) represent IP precedence from 0 to 7; the Traffic Classes field in the IPv6 header contains eight bits, where the first three bits (0 to 2) represent IP precedence from 0 to 7.
DSCP value (decimal) | DSCP value (binary) | Description
20 | 010100 | af22
22 | 010110 | af23
26 | 011010 | af31
28 | 011100 | af32
30 | 011110 | af33
34 | 100010 | af41
36 | 100100 | af42
38 | 100110 | af43
8 | 001000 | cs1
16 | 010000 | cs2
24 | 011000 | cs3
32 | 100000 | cs4
40 | 101000 | cs5
48 | 110000 | cs6
56 | 111000 | cs7
0 | 000000 | be (default)

802.1p priority

802.1p priority lies in the Layer 2 header and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 26 802.1Q tag header

Table 9 Description on 802.1p priority

802.1p priority (decimal) | 802.1p priority (binary) | Description
0 | 000 | best-effort
1 | 001 | background
2 | 010 | spare
3 | 011 | excellent-effort
4 | 100 | controlled-load
5 | 101 | video
6 | 110 | voice
7 | 111 | network-management
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.com/support

Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• ...
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.