HPE FlexNetwork 7500 Series Configuration Manual

HPE FlexNetwork 7500 Switch Series
ACL and QoS Configuration Guide
Part number: 5200-1923a
Software version: 7500-CMW710-R7557P01
Document version: 6W101-20171020

Summary of Contents for HPE FlexNetwork 7500 Series

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents
    Configuring ACLs
      Overview
        ACL types
        Numbering and naming ACLs
        Match order
        Rule numbering
        Fragment filtering with ACLs
      Configuration task list
      Configuring a basic ACL
        Configuring an IPv4 basic ACL...
  • Page 4
      Configuring an interface to trust packet priority for priority mapping
      Changing the port priority of an interface
      Displaying and maintaining priority mapping
      Priority mapping configuration examples
        Port priority configuration example
        Priority map and priority marking configuration example
    Configuring traffic policing, GTS, and rate limit...
  • Page 5
    Configuring priority marking
      Color-based priority marking
        Packet coloring methods
        Configuring color-based priority marking
      Configuration procedure
      Priority marking configuration example
        Network requirements
        Configuration procedure
    Configuring nesting
      Configuration procedure...
  • Page 6
      Documentation feedback
    Index...
  • Page 7: Configuring Acls

    Configuring ACLs Overview An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements. ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs"...
  • Page 8: Rule Numbering

    NOTE: The match order of user-defined ACLs can only be config.
    • auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.
  • Page 9: Fragment Filtering With Acls

    By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.

    Automatic rule numbering and renumbering

    The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.
  • Page 10: Configuring An Ipv6 Basic Acl

    Step: Create an IPv4 basic ACL...
    Command: acl basic { acl-number | name acl-name } [ match-order { auto |...
    Remarks: By default, no ACLs exist. The value range for a numbered IPv4 basic ACL is 2000 to 2999. Use the acl number acl-number or acl basic acl-number command to create a numbered IPv4 basic ACL...
  • Page 11: Configuring An Advanced Acl

    Step: (Optional.) Configure a description for the IPv6 basic ACL.
    Command: description text
    Remarks: By default, an IPv6 basic ACL does not have a description.

    Step: (Optional.) Set the rule numbering step.
    Command: step step-value
    Remarks: The default setting is 5.

    Step: ...
    Command: rule [ rule-id ] { deny | permit } [ counting | logging | routing |...
    Remarks: By default, no IPv6 basic ACL rules exist...
  • Page 12: Configuring An Ipv6 Advanced Acl

    Step: Create an IPv4 advanced ACL...
    Command: acl advanced { acl-number | name acl-name } [ match-order...
    Remarks: By default, no ACLs exist. The value range for a numbered IPv4 advanced ACL is 3000 to 3999. Use the acl number acl-number or acl advanced acl-number command to create a numbered IPv4 advanced ACL...
  • Page 13: Configuring A Layer 2 Acl

    Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

    To configure an IPv6 advanced ACL:

    Step: Enter system view.
    Command: system-view

    Step: ...
    Remarks: By default, no ACLs exist. The value range for a numbered IPv6 advanced ACL is 3000 to 3999...
  • Page 14: Configuring A User-Defined Acl

    • Source MAC address.
    • Destination MAC address.
    • 802.1p priority (VLAN priority).
    • Link layer protocol type.

    To configure a Layer 2 ACL:

    Step: Enter system view.
    Command: system-view

    Step: ...
    Remarks: By default, no ACLs exist. The value range for a numbered Layer 2 ACL is 4000 to 4999...
  • Page 15: Copying An Acl

    Step: Create a user-defined ACL...
    Command: acl user-defined { acl-number | name acl-name }
    Remarks: By default, no ACLs exist. The value range for a numbered user-defined ACL is 5000 to 5999. Use the acl number acl-number or acl user-defined acl-number command to create a numbered user-defined ACL. Use the acl number acl-number...
  • Page 16: Applying An Acl To An Interface For Packet Filtering

    Applying an ACL to an interface for packet filtering

    Step: Enter system view.
    Command: system-view

    Step: Enter interface view.
    Command: interface interface-type interface-number

    Step: Apply an ACL to the interface to filter packets.
    Command: packet-filter [ ipv6 | mac | user-defined ] { acl-number |...
    Remarks: By default, an interface does not...
  • Page 17: Setting The Packet Filtering Default Action

    Step: Set the interval for outputting packet filtering logs or notifications.
    Command: acl { logging | trap } interval interval
    Remarks: The default setting is 0 minutes. By default, the device does not generate log entries or SNMP notifications for packet filtering.

    Setting the packet filtering default action

    Step Command...
  • Page 18: Acl Configuration Examples

    Task: Clear match statistics, accumulated match statistics, and default action statistics for packet filtering ACLs.
    Command: reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 | mac | user-defined ] { acl-number | name acl-name } ]...
  • Page 19
    # Configure a rule to deny access to the financial database server.
    [Device-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0
    [Device-acl-ipv4-adv-3000] quit
    # Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] packet-filter 3000 outbound
    [Device-GigabitEthernet1/0/1] quit

    Verifying the configuration...
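
An added example, not taken from the HPE guide: a small Python model of config-order matching, automatic rule numbering and wildcard masks, used to spot a rule that a lower-numbered rule makes unreachable. The deny rule for 192.168.0.100 comes from the configuration above; the permit rule for 192.168.0.0 0.0.0.255, the class and function names, the sample packets and the permit default action are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")        # "any": every bit is a don't-care


def to_int(text):
    """Parse dotted decimal, or the bare 0 shorthand used in the guide's rules."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Inverse-mask match: a 0 bit in the wildcard must equal the base bit."""
    care = ~to_int(wildcard) & MASK
    return (to_int(addr) & care) == (to_int(base) & care)


def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    care_o = ~to_int(outer[1]) & MASK
    care_i = ~to_int(inner[1]) & MASK
    same_bits = (to_int(outer[0]) & care_o) == (to_int(inner[0]) & care_o)
    return (care_o & ~care_i & MASK) == 0 and same_bits


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    src: tuple = ANY
    dst: tuple = ANY


@dataclass
class Acl:
    step: int = 5                            # default rule numbering step
    rules: dict = field(default_factory=dict)

    def add(self, action, src=ANY, dst=ANY, rule_id=None):
        if rule_id is None:
            # Nearest higher multiple of the step above the highest ID, from 0.
            highest = max(self.rules, default=None)
            rule_id = 0 if highest is None else (highest // self.step + 1) * self.step
        self.rules[rule_id] = Rule(action, src, dst)
        return rule_id

    def evaluate(self, src_ip, dst_ip, default_action="permit"):
        """Config order: ascending rule ID, first match wins."""
        for rule_id in sorted(self.rules):
            r = self.rules[rule_id]
            if wildcard_match(src_ip, *r.src) and wildcard_match(dst_ip, *r.dst):
                return r.action, rule_id
        return default_action, None          # default action is an assumption

    def shadowed(self):
        """(rule, earlier rule) pairs where the earlier rule covers the later one."""
        ids, found = sorted(self.rules), []
        for i, later in enumerate(ids):
            for earlier in ids[:i]:
                e, l = self.rules[earlier], self.rules[later]
                if covers(e.src, l.src) and covers(e.dst, l.dst):
                    found.append((later, earlier))
                    break
        return found


DB_SERVER = ("192.168.0.100", "0")           # from the guide's deny rule
SERVER_NET = ("192.168.0.0", "0.0.0.255")    # constructed for this example


def build_misordered():
    acl = Acl()
    acl.add("permit", dst=SERVER_NET)        # rule 0
    acl.add("deny", dst=DB_SERVER)           # rule 5, never reached
    return acl


def build_fixed():
    acl = Acl()
    acl.add("deny", dst=DB_SERVER)           # rule 0
    acl.add("permit", dst=SERVER_NET)        # rule 5
    return acl


if __name__ == "__main__":
    for name, acl in (("misordered", build_misordered()), ("fixed", build_fixed())):
        verdict = acl.evaluate("192.168.2.10", "192.168.0.100")
        print(name, verdict, "shadowed:", acl.shadowed())
```
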
  • Page 20: Qos Overview

    QoS overview In data communications, Quality of Service (QoS) provides differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS. QoS manages network resources and prioritizes traffic to balance system resources. The following section describes typical QoS service models and widely used QoS techniques.
  • Page 21: Deploying Qos In A Network

    • Congestion avoidance.

    The following section briefly introduces these QoS techniques. All QoS techniques in this document are based on the DiffServ model.

    Deploying QoS in a network

    [Figure 2: Position of the QoS techniques in a network]
  • Page 22
    Congestion management when congestion occurs.

    [Figure 3: QoS processing flow]
  • Page 23: Configuring A Qos Policy

    Configuring a QoS policy

    You can configure QoS by using the MQC approach or non-MQC approach. Some features support both approaches, but some support only one.

    Non-MQC approach

    In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the rate limit feature to set a rate limit on an interface without using a QoS policy.
  • Page 24: Defining A Traffic Class

    Defining a traffic class

    Step: Enter system view.
    Command: system-view

    Step: Create a traffic class and enter traffic class view.
    Command: traffic classifier classifier-name [ operator { and | or } ]
    Remarks: By default, no traffic class exists.

    Step: (Optional.) Configure a description for the traffic...
    Command: description text
    Remarks: By default, no description is...
  • Page 25: Applying The Qos Policy

    Applying the QoS policy

    You can apply a QoS policy to the following destinations:
    • Interface—The QoS policy takes effect on the traffic sent or received on the interface.
    • VLAN—The QoS policy takes effect on the traffic sent or received on all ports in the VLAN.
    •...
  • Page 26: Applying The Qos Policy Globally

    Step: Enter system view.
    Command: system-view

    Step: Apply the QoS policy to VLANs.
    Command: qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
    Remarks: By default, no QoS policy is applied to a VLAN.

    Applying the QoS policy globally

    You can apply a QoS policy globally to the inbound or outbound direction of all interfaces. If the hardware resources of an interface card are insufficient, applying a QoS policy globally might fail on the interface card.
  • Page 27: Displaying And Maintaining Qos Policies

    Configuration procedure

    To apply the QoS policy to the control plane:

    Step: Enter system view.
    Command: system-view

    Step: Enter control plane view.
    Command: In standalone mode: control-plane slot slot-number. In IRF mode:...
    Remarks: QoS policies cannot be applied to the control planes of MPUs (except...
  • Page 28
    Task: (In standalone mode.) Display information about QoS policies applied to a control plane.
    Command: display qos policy control-plane slot slot-number

    Task: (In IRF mode.) Display information about QoS policies applied to a control plane.
    Command: display qos policy control-plane chassis chassis-number slot slot-number

    Task: (In standalone mode.) Display...
    Command: display qos policy control-plane pre-defined [ slot...
  • Page 29: Configuring Priority Mapping

    Configuring priority mapping

    Overview

    When a packet arrives, the switch assigns a set of QoS priority parameters to the packet based on either of the following:
    • A priority field carried in the packet.
    • The port priority of the incoming port.

    This process is called priority mapping.
  • Page 30: Priority Trust Mode

    By looking through a priority map, the switch decides which priority value to assign to a packet for subsequent packet processing. The default priority maps (as shown in Appendix B Default priority maps) are available for priority mapping. They are adequate in most cases. If a default priority map cannot meet your requirements, you can modify the priority map as required.
  • Page 31
    [Figure 5: Priority mapping process for an Ethernet packet]
  • Page 32: Priority Mapping Configuration Task List

    [Figure 6: Priority mapping process for an MPLS packet]
  • Page 33: Configuring An Interface To Trust Packet Priority For Priority Mapping

    Step: Enter system view.
    Command: system-view

    Step: Enter priority map view.
    Command: qos map-table { dot1p-dp | dot1p-exp | dot1p-lp | dscp-dp | dscp-dscp | exp-dot1p }

    Step: Configure mappings for...
    Command: import import-value-list export...
    Remarks: By default, the default priority maps are used. For more information, see "Appendixes."...
  • Page 34: Displaying And Maintaining Priority Mapping

    To change the port priority of an interface:

    Step: Enter system view.
    Command: system-view

    Step: Enter interface view.
    Command: interface interface-type interface-number

    Step: Set the port priority of the interface.
    Command: qos priority priority-value
    Remarks: The default setting is 0.

    Displaying and maintaining priority mapping

    Execute display commands in any view....
  • Page 35: Priority Map And Priority Marking Configuration Example

    [SwitchC] interface Ten-GigabitEthernet 1/0/2
    [SwitchC-Ten-GigabitEthernet1/0/2] qos priority 1
    [SwitchC-Ten-GigabitEthernet1/0/2] quit

    Priority map and priority marking configuration example

    Network requirements

    As shown in Figure
    • The Marketing department connects to Ten-GigabitEthernet 1/0/1 of the switch, which sets the 802.1p priority of traffic from the Marketing department to 3.
    •...
  • Page 36
    [Figure 8: Network diagram]

    Configuration procedure

    Configure trusting port priority:
    # Set the port priority of Ten-GigabitEthernet 1/0/1 to 3.
    <Switch>...
  • Page 37
    Configuring priority marking:
    # Create ACL 3000 to match HTTP packets.
    [Switch] acl advanced 3000
    [Switch-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80
    [Switch-acl-ipv4-adv-3000] quit
    # Create a class named http, and use ACL 3000 as the match criterion.
    [Switch] traffic classifier http
    [Switch-classifier-http] if-match acl 3000
    [Switch-classifier-http] quit
    # Create a QoS policy named admin to mark HTTP packets of the Management department...
  • Page 38: Configuring Traffic Policing, Gts, And Rate Limit

    Configuring traffic policing, GTS, and rate limit Overview Traffic policing helps assign network resources (including bandwidth) and increase network performance. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic. Traffic policing, Generic Traffic Shaping (GTS), and rate limit control the traffic rate and resource usage according to traffic specifications.
  • Page 39: Traffic Policing

    • CIR—Rate at which tokens are put into bucket C. It sets the average packet transmission or forwarding rate allowed by bucket C.
    • CBS—Size of bucket C, which specifies the transient burst of traffic that bucket C can forward.
    • EBS—Size of bucket E minus size of bucket C, which specifies the transient burst of traffic...
  • Page 40: Gts

    [Figure 9: Traffic policing]

    Traffic policing is widely used in policing traffic entering the ISP networks. It can classify the policed traffic and take predefined policing actions on each packet depending on the evaluation result:
    •...
  • Page 41: Rate Limit

    [Figure 10: GTS]

    For example, in Figure 11, Switch B performs traffic policing on packets from Switch A and drops packets exceeding the limit.
  • Page 42: Configuring Traffic Policing

    [Figure 12: Rate limit implementation]

    The token bucket mechanism limits traffic rate when accommodating bursts. It allows bursty traffic to be transmitted if enough tokens are available. If tokens are scarce, packets cannot be transmitted until sufficient tokens are generated in the token bucket.
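
An added example, not taken from the HPE guide: the same single token bucket run once as a policer, which drops a packet that finds too few tokens, and once as GTS or rate limiting, which holds it in a queue until tokens are available. The function names, the kbps and byte units, the millisecond time base, the queue limit and the packet trace are assumptions made for illustration.

```python
from collections import deque

# Constructed trace of (arrival time in ms, packet size in bytes):
# a burst of five 1500-byte packets, then one more packet 10 ms later.
TRACE = [(0, 1500)] * 5 + [(10, 1500)]


def rate_bytes_per_ms(cir_kbps):
    # 1 kbps = 1000 bit/s = 1/8 byte per millisecond. CIR is taken to be a
    # multiple of 8 so that the refill is a whole number of bytes per ms.
    if cir_kbps <= 0 or cir_kbps % 8:
        raise ValueError("CIR must be a positive multiple of 8 kbps")
    return cir_kbps // 8


def police(packets, cir_kbps, cbs_bytes):
    """Traffic policing: a packet that finds too few tokens is dropped."""
    rate = rate_bytes_per_ms(cir_kbps)
    tokens, last = cbs_bytes, 0                 # the bucket starts full
    out = []
    for t_ms, size in packets:
        tokens = min(cbs_bytes, tokens + (t_ms - last) * rate)
        last = t_ms
        if size <= tokens:
            tokens -= size
            out.append((t_ms, size, "forward"))
        else:
            out.append((t_ms, size, "drop"))
    return out


def shape(packets, cir_kbps, cbs_bytes, queue_limit):
    """GTS / rate limit: a packet that finds too few tokens waits in a queue.

    Returns (arrival_ms, size, departure_ms); departure_ms is None when the
    queue was already full and the packet was dropped.
    """
    rate = rate_bytes_per_ms(cir_kbps)
    tokens, clock = cbs_bytes, 0                # clock = time of last departure
    waiting = deque()                           # departure times still pending
    out = []
    for t_ms, size in packets:
        if size > cbs_bytes:
            raise ValueError("a packet larger than the bucket can never be sent")
        while waiting and waiting[0] <= t_ms:   # these have already left
            waiting.popleft()
        if len(waiting) >= queue_limit:
            out.append((t_ms, size, None))
            continue
        start = max(t_ms, clock)
        tokens = min(cbs_bytes, tokens + (start - clock) * rate)
        if size > tokens:                       # wait for the bucket to refill
            wait = -(-(size - tokens) // rate)  # ceiling division
            start += wait
            tokens = min(cbs_bytes, tokens + wait * rate)
        tokens -= size
        clock = start
        if start > t_ms:
            waiting.append(start)
        out.append((t_ms, size, start))
    return out


if __name__ == "__main__":
    # CIR 8000 kbps refills 1000 bytes per ms; CBS 3000 bytes absorbs two packets.
    for row in police(TRACE, 8000, 3000):
        print("police", row)
    for row in shape(TRACE, 8000, 3000, queue_limit=2):
        print("shape ", row)
```

With the same CIR and CBS, the policer loses three packets of the burst while the shaper delays two and loses one.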
  • Page 43: Configuring Gts

    Step: Return to system view.
    Command: quit

    Step: Create a QoS policy and enter QoS policy view.
    Command: qos policy policy-name
    Remarks: By default, no QoS policy exists.

    Step: Associate the traffic class with the traffic behavior in the QoS...
    Command: classifier classifier-name behavior behavior-name
    Remarks: By default, a traffic class is not associated with a traffic behavior...
  • Page 44: Displaying And Maintaining Traffic Policing, Gts, And Rate Limit

    Step: Enter system view.
    Command: system-view

    Step: Enter interface view.
    Command: interface interface-type interface-number

    Step: Configure the rate limit for the interface.
    Command: qos lr outbound cir committed-information-rate [ cbs committed-burst-size ]
    Remarks: By default, rate limiting is not configured on an interface. The CIR must be an integral multiple of 8...
  • Page 45: Configuration Procedure

    [Figure 13: Network diagram]

    Configuration procedure

    Configure Switch A:
    # Configure ACL 2001 and ACL 2002 to match the packets from the server and Host A, respectively....
  • Page 46
    [SwitchA] interface Ten-GigabitEthernet 1/0/1
    [SwitchA-Ten-GigabitEthernet1/0/1] qos apply policy car inbound

    Configure Switch B:
    # Configure ACL 3001 to match HTTP packets.
    <SwitchB> system-view
    [SwitchB] acl advanced 3001
    [SwitchB-acl-ipv4-adv-3001] rule permit tcp destination-port eq 80
    [SwitchB-acl-ipv4-adv-3001] quit
    # Create a traffic class named http, and use ACL 3001 as the match criterion.
    [SwitchB] traffic classifier http
    [SwitchB-classifier-http] if-match acl 3001
    [SwitchB-classifier-http] quit...
  • Page 47: Configuring Congestion Management

    Configuring congestion management Overview Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node. It is typical of a statistical multiplexing network and can be caused by link failures, insufficient resources, and various other causes. Figure 14 shows typical congestion scenarios.
  • Page 48: Wrr Queuing

    [Figure 15: SP queuing]

    In Figure 15, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order.
  • Page 49: Wfq Queuing

    Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0). The weight value of a queue decides the proportion of resources assigned to the queue. On a 10 Gbps port, you can set the weight values to 5, 3, 1, 1, 5, 3, 1, and 1 for w7 through w0.
  • Page 50: Sp+Wfq Queuing

    d. Schedules queues in the WRR group based on their weights when all queues in the SP group are empty.

    SP+WFQ queuing

    You can implement SP+WFQ queuing by assigning some queues to the SP group and others to WFQ groups.
    •...
  • Page 51: Configuring Sp Queuing

    Configuring SP queuing

    Configuration procedure

    To configure SP queuing:

    Step: Enter system view.
    Command: system-view

    Step: Enter interface view.
    Command: interface interface-type interface-number

    Step: Configure SP queuing.
    Command: qos sp
    Remarks: By default, SP queuing is used on an interface.

    Configuration example

    Configure interface Ten-GigabitEthernet 1/0/1 to use SP queuing:
    # Enter system view
    <Sysname>...
  • Page 52: Configuring Wfq Queuing

    • Assign queues 0 through 3 to WRR group 1, with their weights as 1, 2, 4, and 6, respectively.
    • Assign queues 4 through 7 to WRR group 2, with their weights as 1, 2, 4, and 6, respectively.

    Configuration procedure

    # Enter system view....
  • Page 53
    Step: Enable WFQ queuing.
    Command: qos wfq { byte-count | weight }
    Remarks: By default, SP queuing is used on an interface.

    Step: Configure a WFQ...
    Command: qos wfq queue-id...
    Remarks: By default, all queues of a WRR-enabled interface are in WFQ group 1 and have a weight of 1. Select byte-count or weight according to the WFQ...
  • Page 54: Configuring Sp+Wrr Queuing

    Configuration example for other interface modules

    Network requirements

    • Configure packet-based WFQ queuing on interface Ten-GigabitEthernet 1/0/1.
    • Assign weights 1, 2, 4, 6, and 8 to queues 1, 3, 4, 5, and 6, respectively.

    Configuration procedure

    # Enter system view.
    <Sysname>...
  • Page 55
    Configuration example for LSQ1QGS4SC0 (JC792A) and LSQM2TGS16SF0 (JH214A, JH222A) interface modules

    This example uses LSQM2TGS16SF0 (JH214A, JH222A) interface modules.

    Network requirements

    • Configure SP+WRR queuing on interface Ten-GigabitEthernet 1/0/1, and use byte-count WRR.
    • Assign queues 0, 1, 2, and 3 on Ten-GigabitEthernet 1/0/1 to the SP group.
    •...
  • Page 56: Configuring Sp+Wfq Queuing

    Configuring SP+WFQ queuing

    Configuration procedure

    To configure SP+WFQ queuing:

    Step: Enter system view.
    Command: system-view

    Step: Enter interface view.
    Command: interface interface-type interface-number

    Step: Enable byte-count or packet-based WFQ queuing.
    Command: qos wfq { byte-count | weight }
    Remarks: By default, SP queuing is used on an interface...
  • Page 57: Configuring A Queue Scheduling Profile

    # Configure SP+WFQ queuing on Ten-GigabitEthernet 1/0/1.
    [Sysname] interface Ten-GigabitEthernet 1/0/1
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq weight
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq 0 group sp
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq 1 group sp
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq 2 group sp
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq 3 group sp
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq 4 group 1 weight 1
    [Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 4 min 128000
    [Sysname-Ten-GigabitEthernet1/0/1] qos wfq 5 group 1 weight 2
    [Sysname-Ten-GigabitEthernet1/0/1] qos bandwidth queue 5 min 128000...
  • Page 58 Queue scheduling profiles support three queue scheduling algorithms: SP, WRR, and WFQ. In a queue scheduling profile, you can configure SP+WRR or SP+WFQ. When the three queue scheduling algorithms are configured, SP queues, WRR groups, and WFQ groups are scheduled in descending order of queue ID.
  • Page 59: Configuration Procedure

    Configuration procedure

    When you configure a queue scheduling profile, follow these restrictions and guidelines:
    • Only one queue scheduling profile can be applied to an interface.
    • You can modify the scheduling parameters in a queue scheduling profile already applied to an interface....
  • Page 60: Queue Scheduling Profile Configuration Example For Other Interface Modules

    Network requirements

    Configure a queue scheduling profile on interface Ten-GigabitEthernet 1/0/1 to meet the following requirements:
    • Queue 7 has the highest priority, and its packets are sent preferentially.
    • Queue 4, queue 5, and queue 6 in WRR group 1 are scheduled according to their weights, which are 1, 5, and 10, respectively....
  • Page 61: Displaying And Maintaining Queue Statistics

    Configuration procedure

    # Enter system view.
    <Sysname> system-view
    # Create a queue scheduling profile named qm1.
    [Sysname] qos qmprofile qm1
    [Sysname-qmprofile-qm1]
    # Configure queue 7 to use SP queuing.
    [Sysname-qmprofile-qm1] queue 7 sp
    # Assign queue 1 through queue 6 to WRR group 1, with their weights as 1, 2, 4, 6, 8, and 10.
    [Sysname-qmprofile-qm1] queue 1 wrr group 1 weight 1
    [Sysname-qmprofile-qm1] queue 2 wrr group 1 weight 2
    [Sysname-qmprofile-qm1] queue 3 wrr group 1 weight 4...
  • Page 62
    Task: (In standalone mode.) Display the configuration of queue scheduling profiles.
    Command: display qos qmprofile configuration [ profile-name ] [ slot slot-number ]

    Task: (In IRF mode.) Display the configuration of queue scheduling profiles.
    Command: display qos qmprofile configuration [ profile-name ] [ chassis chassis-number slot slot-number ]

    Task: Display the queue scheduling profiles...
    Command: display qos qmprofile interface [ interface-type...
  • Page 63: Configuring Congestion Avoidance

    Configuring congestion avoidance

    Overview

    Avoiding congestion before it occurs is a proactive approach to improving network performance. As a flow control mechanism, congestion avoidance:
    • Actively monitors network resources (such as queues and memory buffers).
    • Drops packets when congestion is expected to occur or deteriorate.

    When dropping packets from a source end, congestion avoidance cooperates with the flow control mechanism at the source end to regulate the network traffic size.
  • Page 64: Configuration Restrictions And Guidelines

    • Have the sender proactively slow down the packet sending rate or decrease the window size of packets. This better utilizes the network resources.

    RFC 2482 defined an end-to-end congestion notification mechanism named Explicit Congestion Notification (ECN). ECN uses the DS field in the IP header to mark the congestion status along the packet transmission path.
  • Page 65: Displaying And Maintaining Wred

    • Upper threshold and lower threshold—When the average queue size is smaller than the lower threshold, packets are not dropped. When the average queue size is between the lower threshold and the upper threshold, the packets are dropped at random. The longer the queue, the higher the drop probability.
  • Page 66: Wred Configuration Example

    Task: (In standalone mode.) Display the configuration of WRED tables.
    Command: display qos wred table [ name table-name ] [ slot slot-number ]

    Task: (In IRF mode.) Display the configuration of WRED tables.
    Command: display qos wred table [ name table-name ] [ chassis...
  • Page 67
    [Sysname-wred-table-queue-table1] queue 7 ecn
    [Sysname-wred-table-queue-table1] quit
    # Apply the queue-based WRED table to interface Ten-GigabitEthernet 1/0/2.
    [Sysname] interface Ten-GigabitEthernet 1/0/2
    [Sysname-Ten-GigabitEthernet1/0/2] qos wred apply queue-table1
    [Sysname-Ten-GigabitEthernet1/0/2] quit...
  • Page 68: Configuring Traffic Filtering

    Configuring traffic filtering

    You can filter in or filter out traffic of a class by associating the class with a traffic filtering action. For example, you can filter packets sourced from an IP address according to network status.

    Configuration procedure

    To configure traffic filtering:

    Step Command...
  • Page 69: Configuration Procedure

    [Figure 20: Network diagram]

    Configuration procedure

    # Create advanced ACL 3000, and configure a rule to match packets whose source port number is not 21.
    <Switch> system-view
    [Switch] acl advanced 3000
    [Switch-acl-ipv4-adv-3000] rule 0 permit tcp source-port neq 21
    [Switch-acl-ipv4-adv-3000] quit
    # Create a traffic class named classifier_1, and use ACL 3000 as the match criterion in the traffic class....
  • Page 70: Configuring Priority Marking

    Configuring priority marking

    Priority marking sets the priority fields or flag bits of packets to modify the priority of packets. For example, you can use priority marking to set IP precedence or DSCP for a class of IP packets to control the forwarding of these packets.
  • Page 71: Configuration Procedure

    Configuring priority marking based on colors obtained through traffic policing

    After traffic policing evaluates and colors packets, the switch can mark traffic with various priority values (including DSCP values, 802.1p priority values, and local precedence values) by color. Configure priority marking by using either of the following methods:
    •...
  • Page 72
    Step: ...
    Command:
    • Set the DSCP value for packets: remark [ green | red | yellow ] dscp dscp-value
    • Set the 802.1p priority for packets or configure the inner-to-outer tag priority copying feature: remark [ green | red | yellow ]...
    Remarks: Use one of the commands. By default, no priority marking action is configured....
  • Page 73: Priority Marking Configuration Example

    Action Inbound Outbound
    DSCP marking
    IP precedence marking
    Local precedence marking
    Local QoS ID marking
    CVLAN marking
    SVLAN marking

    Priority marking configuration example

    Network requirements

    As shown in Figure 21, configure priority marking on the switch to meet the following requirements:

    Traffic source Destination Processing priority...
  • Page 74
    [Switch-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.2 0
    [Switch-acl-ipv4-adv-3001] quit
    # Create advanced ACL 3002, and configure a rule to match packets with destination IP address 192.168.0.3.
    [Switch] acl advanced 3002
    [Switch-acl-ipv4-adv-3002] rule permit ip destination 192.168.0.3 0
    [Switch-acl-ipv4-adv-3002] quit
    # Create a traffic class named classifier_dbserver, and use ACL 3000 as the match criterion in the traffic class....
  • Page 75
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] qos apply policy policy_server inbound
    [Switch-GigabitEthernet1/0/1] quit...
  • Page 76: Configuring Nesting

    Configuring nesting

    Nesting adds a VLAN tag to the matching packets to allow the VLAN-tagged packets to pass through the corresponding VLAN. For example, you can add an outer VLAN tag to packets from a customer network to a service provider network. This allows the packets to pass through the service provider network by carrying a VLAN tag assigned by the service provider.
  • Page 77: Configuration Procedure

    • Because Site 1 and Site 2 are located in different areas, the two sites use the VPN access service of a service provider. The service provider assigns VLAN 100 to the two sites. Configure nesting, so that the two branches can communicate through the service provider network. Figure 22 Network diagram Public network GE1/0/2...
  • Page 78
    [PE1-GigabitEthernet1/0/2] port trunk permit vlan 100
    [PE1-GigabitEthernet1/0/2] quit
    Configuring PE 2
    Configure PE 2 in the same way PE 1 is configured.
  • Page 79: Configuring Traffic Redirecting

    Configuring traffic redirecting
    Traffic redirecting redirects packets matching the specified match criteria to a location for processing. You can redirect packets to the following destinations:
    • CPU.
    • Interface.
    • Next hop.
    Configuration procedure
    To configure traffic redirecting:
    Step Command Remarks Enter system view.
  • Page 80: Traffic Redirecting Configuration Example

    Step Command Remarks Choose one of the application destinations as needed. • Applying the QoS policy to an By default, no QoS policy is interface 11. Apply the QoS policy. applied. • Applying the QoS policy to a VLAN The switch supports •...
  • Page 81
    [SwitchA-acl-ipv4-basic-2000] rule permit source 2.1.1.1 0
    [SwitchA-acl-ipv4-basic-2000] quit
    # Create basic ACL 2001, and configure a rule to match packets with source IP address 2.1.1.2.
    [SwitchA] acl basic 2001
    [SwitchA-acl-ipv4-basic-2001] rule permit source 2.1.1.2 0
    [SwitchA-acl-ipv4-basic-2001] quit
    # Create a traffic class named classifier_1, and use ACL 2000 as the match criterion in the traffic class.
  • Page 82: Configuring Global Car

    Configuring global CAR Overview Global committed access rate (CAR) is an approach to policing traffic flows globally. It adds flexibility to common CAR where traffic policing is performed only on a per-traffic class or per-interface basis. In this approach, CAR actions are created in system view and each can be used to police multiple traffic flows as a whole.
  • Page 83: Configuring Aggregate Car

    • Use common CAR actions to limit the rates of Internet access flow 1 and flow 2 to 128 kbps each.
    • Use a hierarchical CAR action to limit their total traffic rate to 192 kbps.
    • Use the hierarchical CAR action for both flow 1 and flow 2 in AND mode.
    When flow 1 is not present, flow 2 is transmitted at the maximum rate, 128 kbps.
  • Page 84: Displaying And Maintaining Global Car

    Step Command Remarks
    Step: Use the hierarchical ...
    Command:
    • Aggregate CAR: car name car-name hierarchy-car hierarchy-car-name [ mode { and | or } ]
    • Common CAR: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ] *...
    Remarks: By default, no hierarchical CAR action is used in a traffic ...
  • Page 85: Configuration Procedure

    Figure 24 Network diagram (labels: Internet, Switch, XGE1/0/1, VLAN10, VLAN100)
    Configuration procedure
    # Configure aggregate CAR according to the rate limit requirements.
    <Switch> system-view
    [Switch] qos car aggcar-1 aggregative cir 2560 cbs 20480 red discard
    # Create class 1 to match traffic of VLAN 10. Create behavior 1 and use the aggregate CAR in the behavior.
  • Page 86
    [Switch] interface Ten-GigabitEthernet 1/0/1
    [Switch-Ten-GigabitEthernet1/0/1] qos apply policy car inbound...
  • Page 87: Configuring Class-Based Accounting

    Configuring class-based accounting Class-based accounting collects statistics (in packets or bytes) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you can determine whether anomalies have occurred and what action to take.
  • Page 88: Class-Based Accounting Configuration Example

    Step Command Remarks In standalone mode: • display qos policy control-plane slot slot-number • display qos policy global [ slot slot-number ] [ inbound | outbound ] • display qos policy interface [ interface-type interface-number ] [ inbound | outbound ] •...
  • Page 89
    # Create a traffic class named classifier_1, and use ACL 2000 as the match criterion in the traffic class.
    [Switch] traffic classifier classifier_1
    [Switch-classifier-classifier_1] if-match acl 2000
    [Switch-classifier-classifier_1] quit
    # Create a traffic behavior named behavior_1, and configure the class-based accounting action.
    [Switch] traffic behavior behavior_1
    [Switch-behavior-behavior_1] accounting
    [Switch-behavior-behavior_1] quit...
  • Page 90: Appendixes

    Appendixes Appendix A Acronym Table 6 Appendix A Acronym Acronym Full spelling Assured Forwarding Best Effort Committed Access Rate Committed Burst Size Committed Information Rate DCBX Data Center Bridging Exchange Protocol DiffServ Differentiated Service DSCP Differentiated Services Code Point Excess Burst Size Explicit Congestion Notification Expedited Forwarding Generic Traffic Shaping...
  • Page 91: Appendix C Introduction To Packet Precedence

    Table 7 Default dot1p-lp and dot1p-dp priority maps Input priority value dot1p-lp map dot1p-dp map dot1p Table 8 Default dscp-dp priority map Input priority value dscp-dp map dscp 0 to 7 8 to 15 16 to 23 24 to 31 32 to 39 40 to 47 48 to 55...
  • Page 92 services (DS) field. A DSCP value is represented by the first 6 bits (0 to 5) of the DS field and is in the range 0 to 63. The remaining 2 bits (6 and 7) are reserved. Table 9 IP precedence IP precedence (decimal) IP precedence (binary) Description...
  • Page 93: 802.1P Priority

    802.1p priority 802.1p priority lies in the Layer 2 header. It applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2. Figure 27 An Ethernet frame with an 802.1Q tag header 802.1Q header Destination...
  • Page 94 As shown in Figure 29, the EXP field is 3 bits long and is in the range of 0 to 7.
  • Page 95: Configuring Time Ranges

    Configuring time ranges You can implement a service based on the time of the day by applying a time range to it. A time-based service takes effect only in time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them. If a time range does not exist, the service based on the time range does not take effect.
  • Page 96
    Figure 30 Network diagram (labels: Server, Host A, GE1/0/1, GE1/0/2, 192.168.1.2/24, Device A, 192.168.0.100/24, Host B, 192.168.1.3/24)
    Configuration procedure
    # Create a time range for the period from 8:00 to 18:00 on working days from June 2015 to the end of the year.
  • Page 97: Document Conventions And Icons

    Document conventions and icons Conventions This section describes the conventions used in the documentation. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional.
  • Page 98: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 99: Support And Other Resources

    Support and other resources Accessing Hewlett Packard Enterprise Support • For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance • To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc Information to collect •...
  • Page 100: Websites

    For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title,...
  • Page 101 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.