The H3C S5120-EI documentation set includes 10 configuration guides, which describe the software features for the H3C S5120-EI Switch Series Release 2220, and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
Convention Description
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... Square brackets enclose a set of optional syntax choices separated by vertical bars, from
Layer 2 forwarding and other Layer 2 features. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. About the S5120-EI documentation set The H3C S5120-EI documentation set includes: Category Documents Purposes Marketing brochure Describe product specifications and benefits.
Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] –...
Configuring ACLs Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are primarily used for packet filtering.
basic or advanced ACL, its ACL number and name must be unique among all IPv6 ACLs. You can assign an IPv4 ACL and an IPv6 ACL the same number and name. Match order The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule.
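The first-match behaviour described above, as an added example (not H3C code): a small Python model of a basic ACL that stops at the first matching rule and reports rules that can never match because an earlier rule already covers them. It assumes rules are tried in ascending rule-ID order for the config match order; the rule set is constructed, and a packet that matches no rule returns None because its handling depends on the feature that uses the ACL.

```python
"""Added example: first-match evaluation and shadowed-rule check for a basic ACL.
Assumption: rules are tried in ascending rule-ID order (config match order)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str    # "permit" or "deny"
    source: str    # dotted-decimal source address
    wildcard: str  # wildcard mask; 1-bits are ignored, "0" means a single host

    def bits(self):
        """Return (address, wildcard) as 32-bit integers."""
        wild = 0 if self.wildcard == "0" else int(ipaddress.IPv4Address(self.wildcard))
        return int(ipaddress.IPv4Address(self.source)), wild

    def matches(self, src):
        addr, wild = self.bits()
        return ((int(ipaddress.IPv4Address(src)) ^ addr) & ~wild) == 0


def first_match(rules, src):
    """Return the first rule that matches src, or None if no rule matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src):
            return rule  # matching stops here; later rules are never consulted
    return None


def shadowed(rules):
    """List (rule_id, covering_rule_id, actions_conflict) for unreachable rules."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    findings = []
    for i, later in enumerate(ordered):
        l_addr, l_wild = later.bits()
        for earlier in ordered[:i]:
            e_addr, e_wild = earlier.bits()
            # The earlier rule covers the later one when it ignores at least the
            # same bits and both agree on every bit the earlier rule checks.
            covers = (l_wild & ~e_wild) == 0 and ((l_addr ^ e_addr) & ~e_wild) == 0
            if covers:
                findings.append((later.rule_id, earlier.rule_id,
                                 later.action != earlier.action))
                break
    return findings


# Constructed rule set: the host permit (rule 5) sits behind a broader deny.
RULES = [
    Rule(0, "deny", "11.1.1.0", "0.0.0.255"),
    Rule(5, "permit", "11.1.1.100", "0"),
    Rule(10, "permit", "11.1.2.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for src in ("11.1.1.100", "11.1.2.7", "10.0.0.1"):
        hit = first_match(RULES, src)
        print(src, "->", f"rule {hit.rule_id} {hit.action}" if hit else "no rule matched")
    for rid, by, conflict in shadowed(RULES):
        note = " (conflicting action)" if conflict else ""
        print(f"rule {rid} is unreachable behind rule {by}{note}")
```

Running the shadow check on an exported rule list before applying it catches a permit that is silently overridden by an earlier, broader deny (or the reverse).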
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid the risks, the H3C ACL implementation: Filters all fragments by default, including non-first fragments.
Task Remarks
Configuring a basic ACL, Configuring an advanced ACL, Configuring an Ethernet frame header ACL: Required. Configure at least one task. Applicable to IPv4 and IPv6 except that simple ACLs are for IPv6.
Copying an ACL: Optional. Applicable to IPv4 and IPv6.
Configuring packet filtering with ACLs: Optional. Applicable to IPv4 and IPv6.
Step Command Remarks
Step: Create an IPv4 basic ACL and enter its view.
Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
Remarks: By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.
Step Command Remarks rule [ rule-id ] { deny | By default, an IPv6 basic ACL does not contain any permit } [ counting | rule. fragment | logging | If the ACL is for QoS traffic classification or packet routing [ type routing-type ] Create or edit a filtering, do not specify the fragment and routing...
Step Command Remarks
Step: Create an IPv6 advanced ACL and enter its view.
Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
Remarks: By default, no ACL exists. IPv6 advanced ACLs are numbered in the range of 3000 to 3999. You can use the acl ipv6 name acl6-name command ...
Step Command Remarks Enter system system-view view. By default, no ACL exists. Create an acl number acl-number Ethernet frame Ethernet frame header ACLs are numbered in the [ name acl-name ] header ACL range of 4000 to 4999. [ match-order { auto | and enter its You can use the acl name acl-name command to enter config } ]...
Step Command
Step: Enter system view.
Command: system-view
Step: Copy an existing IPv4 ACL to create a new IPv4 ACL.
Command: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }
Copying an IPv6 ACL
Step Command
Step: Enter system view.
Command: system-view
Step: Copy an existing IPv6 ACL to generate a...
Command: acl ipv6 copy { source-acl6-number | name
Step Command Remarks
Step: Set the interval for generating and outputting IPv4 packet filtering logs.
Command: acl logging frequence frequence
Remarks: By default, the interval is 0. No IPv4 packet filtering logs are generated.
Applying an IPv6 ACL for packet filtering
Step Command Remarks
Enter system view.
Configuration example of using ACL for device management
Network requirements
As shown in Figure 1, configure ACLs so that:
• Host A can telnet to the switch only during the working time (8:30 to 18:00 of every working day).
• As a TFTP client, the switch can get files from only the server 11.1.1.100.
Limit the access to the TFTP server:
# Create IPv4 basic ACL 2001, and configure a rule for the ACL to permit only the packets sourced from 11.1.1.100.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 11.1.1.100 0
[Switch-acl-basic-2001] quit
# Use ACL 2001 to control the switch's access to a specific TFTP server.
QoS overview In data communications, Quality of Service (QoS) is a network’s ability to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate. Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones.
QoS techniques The QoS techniques include traffic classification, traffic policing, traffic shaping, rate limit, congestion management, and congestion avoidance. They address problems that arise at different positions of a network. Figure 4 Placement of the QoS techniques in a network As shown in Figure 4, traffic classification, traffic shaping, traffic policing, congestion management, and...
QoS configuration approaches
You can configure QoS in these approaches:
• MQC approach
• Non-MQC approach
Some features support both approaches, but some support only one.
MQC approach
In modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies (see "Configuring a QoS policy").
Configuring a QoS policy Overview A QoS policy is a set of class-behavior associations and defines the shaping, policing, or other QoS actions to take on different classes of traffic. A class is a set of match criteria for identifying traffic and it uses the AND or OR operator: •...
Configuration restrictions and guidelines
• If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id or if-match service-vlan-id clauses, a packet that matches any of the clauses matches the class.
• To successfully execute the traffic behavior associated with a traffic class that uses the AND operator, ...
Option Description Matches DSCP values. dscp dscp-list The dscp-list argument is a list of up to eight DSCP values. A DSCP value can be a number from 0 to 63 or any keyword in Table destination-mac mac-address Matches a destination MAC address. Matches the 802.1p priority of the customer network.
Defining a policy You associate a behavior with a class in a QoS policy to perform the actions defined in the behavior for the class of packets. Configuration restrictions and guidelines If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the ACL •...
Applying the QoS policy to an interface A policy can be applied to multiple interfaces, but only one policy can be applied in inbound direction of an interface. To apply the QoS policy to an interface: Step Command Remarks Enter system view. system-view •...
Applying the QoS policy to a VLAN You can apply a QoS policy to a VLAN to regulate traffic of the VLAN. QoS policies cannot be applied to dynamic VLANs, such as VLANs created by GVRP. To apply the QoS policy to a VLAN: Step Command Remarks...
• In a QoS policy for control planes, if a system index classifier is configured, the associated traffic behavior can contain only the car action or the combination of car and accounting packet actions. In addition, if the CAR action is configured, only its CIR setting can be applied.
• ...
Clear the statistics for the QoS reset qos policy control-plane slot slot-number Available in user policy applied to a control plane. [ inbound ] view...
Configuring priority mapping Overview When a packet enters a device, depending on your configuration, the device assigns a set of QoS priority parameters to the packet based on either a certain priority field carried in the packet or the port priority of the incoming port.
Priority trust mode on a port The priority trust mode on a port decides which priority is used for priority mapping table lookup. Port priority was introduced to use for priority mapping in addition to priority fields carried in packets. The Switch Series provides the following priority trust modes: Using the 802.1p priority carried in packets for priority mapping.
Table 5 Priority mapping results of not trusting packet priority (when the default dot1p-lp priority mapping table is used) Local precedence Queue ID Port priority 0 (default) The priority mapping procedure varies with the priority modes. For more information, see the subsequent section.
DSCP values rather than the marked DSCP values. Configuration guidelines You can modify priority mappings by modifying priority mapping tables, priority trust mode on a port, and port priority. H3C recommends planning QoS throughout the network before making your QoS configuration.
Step Command Remarks • Enter interface view: Use either command. interface interface-type Settings in interface view take effect on interface-number Enter interface view or the current interface. Settings in port port group view. • Enter port group view: group view take effect on all ports in the port-group manual port group.
Configuration procedure # Assign port priority to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Make sure that the priority of GigabitEthernet 1/0/1 is higher than that of GigabitEthernet 1/0/2, and no trusted packet priority type is configured on GigabitEthernet 1/0/1 or GigabitEthernet 1/0/2. <DeviceC>...
Figure 8 Network diagram
Configuration procedure
Configure trusting port priority:
# Set the port priority of GigabitEthernet 1/0/1 to 3.
<Device>...
[Device-maptbl-dot1p-lp] import 5 export 4
[Device-maptbl-dot1p-lp] quit
Configure priority marking:
# Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3, respectively. Use the priority mapping table you have configured to map the 802.1p priorities to local precedence values 6, 4, and 2, respectively, for differentiated traffic treatment.
Configuring traffic policing, traffic shaping, and rate limit
Overview
Traffic policing, traffic shaping, and rate limit are QoS technologies that help assign network resources, such as bandwidth. They increase network performance and user satisfaction. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic.
• Peak information rate (PIR)—Rate at which tokens are put into bucket E, which specifies the average packet transmission or forwarding rate allowed by bucket E.
• Excess burst size (EBS)—Size of bucket E, which specifies the transient burst of traffic that bucket E ...
Traffic shaping IMPORTANT: Traffic shaping shapes the outbound traffic. Traffic shaping limits the outbound traffic rate by buffering exceeding traffic. You can use traffic shaping to adapt the traffic output rate on a device to the input traffic rate of its connected device to avoid packet loss.
The rate limit of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Rate limit also uses token buckets for traffic control. With rate limit configured on an interface, all packets to be sent through the interface are handled by the token bucket at the set rate limit value. If enough tokens are in the token bucket, packets can be forwarded.
Step Command Remarks
Step: Return to system view.
Command: quit
Step: Create a behavior and enter behavior view.
Command: traffic behavior behavior-name
Step: Configure a traffic policing action.
Command: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ yellow action ] [ red action ]
Step: Return to system view.
To configure the rate limit: Step Command Remarks Enter system view. system-view • Enter interface view: interface interface-type Use either command. interface-number Enter interface view Settings in interface view take effect on the or port group view. • Enter port group view: current interface.
Figure 13 Network diagram
Configuration procedures
Configure Device A:
# Configure ACL 2001 and ACL 2002 to match traffic from Server and Host A, respectively.
<DeviceA> system-view
[DeviceA] acl number 2001
[DeviceA-acl-basic-2001] rule permit source 1.1.1.1 0
[DeviceA-acl-basic-2001] quit
[DeviceA] acl number 2002
[DeviceA-acl-basic-2002] rule permit source 1.1.1.2 0
[DeviceA-acl-basic-2002] quit
# Create a class named server, and use ACL 2001 as the match criterion.
[DeviceA-qospolicy-car] quit
# Apply QoS policy car to the incoming traffic of port GigabitEthernet 1/0/1.
[DeviceA] interface GigabitEthernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] qos apply policy car inbound
Configure Device B:
# Configure advanced ACL 3001 to match HTTP traffic.
<DeviceB> system-view
[DeviceB] acl number 3001
[DeviceB-acl-adv-3001] rule permit tcp destination-port eq 80
[DeviceB-acl-adv-3001] quit
# Create a class named http, and use ACL 3001 as the match criterion.
Configuring congestion management Overview Network congestion degrades service quality on a traditional network. Congestion is a situation where the forwarding rate decreases due to insufficient resources, resulting in extra delay. Congestion is more likely to occur in complex packet switching circumstances. Figure 14 shows two common cases:...
Figure 15 SP queuing
As shown in Figure 15, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order.
Figure 16 WRR queuing Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 1000 Mbps port, you can configure the weight values of WRR queuing to 5, 5, 3, 3, 1, 1, 1, and 1 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively).
• By setting the minimum guaranteed bandwidth, you can make sure that each WFQ queue is assured of certain bandwidth.
• The assignable bandwidth is allocated based on the weight of each queue (assignable bandwidth = total bandwidth – the sum of minimum guaranteed bandwidth of each queue).
For example, assume the total bandwidth of a port is 10 Mbps, and the port has eight queues, with weights as 1, 1, 1, 1, 3, 3, 5, and 5 and the minimum guaranteed bandwidth as 128 kbps for each queue.
Configuration example
Network requirements
• Enable byte-count WRR on port GigabitEthernet 1/0/1.
• Assign queues 0 through 7 to the WRR group, with their weights being 1, 2, 4, 6, 8, 10, 12, and 14, respectively.
Configuration procedure
# Enter system view.
<Sysname>...
Step Command Remarks • Enter interface view: interface interface-type Use either command. interface-number Enter interface view or port Settings in interface view take effect on the group view. • Enter port group current interface. Settings in port group view view: take effect on all ports in the port group.
Configuring SP+WFQ queuing Configuration procedure To configure SP + WFQ queuing: Step Command Remarks Enter system view. system-view • Enter interface view: Use either command. interface interface-type Settings in interface view take effect on interface-number Enter interface view or port the current interface.
Configuring traffic filtering Traffic filtering filters traffic matching certain criteria. For example, you can filter packets sourced from a specific IP address according to network status. Configuration procedure To configure traffic filtering: Step Command Remarks Enter system view. system-view Create a class and enter traffic classifier tcl-name [ operator { and class view.
Traffic filtering configuration example Network requirements As shown in Figure 18, Host is connected to GigabitEthernet 1/0/1 of Device. Configure traffic filtering to filter the packets with source port being 21, and received on GigabitEthernet 1/0/1. Figure 18 Network diagram Host Device GE1/0/1...
Configuring priority marking Priority marking sets the priority fields or flag bits of packets to modify the priority of traffic. For example, you can use priority marking to set IP precedence or DSCP for a class of IP traffic to change its transmission priority in the network.
IMPORTANT: Do not use the remark command together with the car command in a traffic behavior to perform color-based marking. Configuration procedure To configure priority marking: Step Command Remarks Enter system view. system-view Create a class and enter traffic classifier tcl-name [ operator { and | class view.
Local precedence re-marking configuration example
Network requirements
As shown in Figure 19, the company’s enterprise network interconnects hosts with servers through Device. The network is described as follows:
• Host A and Host B are connected to GigabitEthernet 1/0/1 of Device.
• ...
# Create advanced ACL 3002, and configure a rule to match packets with destination IP address 192.168.0.3.
[Device] acl number 3002
[Device-acl-adv-3002] rule permit ip destination 192.168.0.3 0
[Device-acl-adv-3002] quit
# Create a class named classifier_dbserver, and use ACL 3000 as the match criterion in the class.
[Device] traffic classifier classifier_dbserver
[Device-classifier-classifier_dbserver] if-match acl 3000
[Device-classifier-classifier_dbserver] quit
...
Configuring traffic redirecting
Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing. The following redirect actions are supported:
• Redirecting traffic to the CPU—redirects packets that require processing by the CPU to the CPU.
• ...
Step Command Remarks
Step: Apply the QoS policy.
Command:
• Applying the QoS policy to an interface
• Applying the QoS policy to a VLAN
• Applying the QoS policy globally
• Applying the QoS policy to the control plane...
Remarks: Choose one application destination as needed.
Configuring class-based accounting Class-based accounting collects statistics (in packets) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you can determine whether anomalies have occurred and what action to take. Configuration procedure To configure class-based accounting: Step...
Class-based accounting configuration example Network requirements As shown in Figure 20, Host is connected to GigabitEthernet 1/0/1 of Device A. Configure class-based accounting to collect statistics for traffic sourced from 1.1.1.1/24 and received on GigabitEthernet 1/0/1. Figure 20 Network diagram Configuration procedure # Create basic ACL 2000, and configure a rule to match packets with source IP address 1.1.1.1.
Configuring the data buffer Overview Data buffer The Switch Series provides the data buffer to buffer packets to be sent out ports to avoid packet loss when bursty traffic causes congestion. The switch controls how a port uses the data buffer by allocating the cell resource and packet resource (called "buffer resources").
• On a per-port basis—As illustrated by the vertical lines in Figure 21, the switch automatically divides the dedicated resource among all ports evenly.
• On a per-queue basis—As illustrated by the horizontal lines in Figure 21, the dedicated resource of ...
H3C does not recommend modifying the data buffer parameters unless you are sure that your device will benefit from the change. If a larger buffer is needed, H3C recommends that you enable the burst function to allocate the buffer automatically.
Step Command Remarks
Step: Configure the shared resource area of the cell resource in percentage.
Command: buffer egress [ slot slot-number ] cell total-shared ratio ratio
Remarks: Optional. By default, the shared resource area of the cell resource is 60%.
Configuring the minimum guaranteed resource size for a queue
When configuring the minimum guaranteed resource size for a queue, follow these guidelines:
• Modifying the minimum guaranteed resource size for a queue can affect those of the other queues, ...
allocate the remaining dedicated resource space among all queues that are not manually assigned a minimum guaranteed resource space. For example, if you set the minimum guaranteed resource size to 30% for a queue, the remaining seven queues will each share 10% of the dedicated resource of the port.
Appendix A Default priority mapping tables Priority mapping tables For the default dscp-dscp mapping table, an input value yields a target value equal to it. Table 7 Default dot1p-lp and dot1p-dp priority mapping tables Input priority value dot1p-lp mapping dot1p-dp mapping 802.1p priority (dot1p) Local precedence (lp) Drop precedence (dp)
Appendix B Packet precedences IP precedence and DSCP values Figure 23 ToS and DS fields As shown in Figure 23, the ToS field in the IPv4 header contains eight bits, where the first three bits (0 to 2) represent IP precedence from 0 to 7; the Traffic Classes field in the IPv6 header contains eight bits, where the first three bits (0 to 2) represent IP precedence from 0 to 7.
DSCP value (decimal) DSCP value (binary) Description
010100 af22
010110 af23
011010 af31
011100 af32
011110 af33
100010 af41
100100 af42
100110 af43
001000
010000
011000
100000
101000
110000
111000
000000 be (default)
802.1p priority
802.1p priority lies in the Layer 2 header and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 25 802.1Q tag header Table 11 Description on 802.1p priority 802.1p priority (decimal) 802.1p priority (binary) Description best-effort background spare excellent-effort controlled-load video voice network-management...