H3C Access Controllers
ACL and QoS Configuration Guide
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Document version: 6W101-20171122


Summary of Contents for H3C WX5500H series

  • Page 2 H3CS, H3CIE, H3CNE, Aolynk, Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice.
  • Page 3 Preface. The H3C access controllers documentation set describes the software features for the H3C access controllers and guides you through the software configuration procedures. These guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4 This documentation is intended for:
    • Network planners.
    • Field technical support and servicing engineers.
    • Network administrators working with the H3C access controllers.
    Conventions
    The following information describes the conventions used in the documentation.
    Command conventions (Convention / Description): Bold text represents commands and keywords that you enter literally as shown.
  • Page 5 It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device. Obtaining documentation To access the most up-to-date H3C product documentation, go to the H3C website at...
  • Page 6 To obtain information about installation, configuration, and maintenance, click http://www.h3c.com.hk/Technical_Documents
    To obtain software version information such as release notes, click http://www.h3c.com.hk/Software_Download
    Technical support: service@h3c.com, http://www.h3c.com.hk
    Documentation feedback: You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 7: Table Of Contents

    Contents
    Configuring ACLs ... 1
      Overview ... 1
        ACL types ... 1
        Numbering and naming ACLs ... 1
        Match order ... 1
        Rule numbering ... 2
        Fragments filtering with ACLs ... 3
      Compatibility information ... 3
        Feature and hardware compatibility ... 3
        Command and hardware compatibility ...
  • Page 8 Configuring priority mapping ... 23
      Overview ... 23
        Introduction to priorities ... 23
        Priority maps ... 23
      Priority mapping configuration tasks ... 23
      Configuring a priority map ... 24
      Configuring a port to trust packet priority for priority mapping ... 24
      Changing the port priority of an interface ...
  • Page 9: Configuring Acls

    Configuring ACLs
    Overview
    An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements. ACLs are primarily used for packet filtering.
  • Page 10: Rule Numbering

    NOTE: The match order of WLAN client ACLs and WLAN AP ACLs can only be config (rules are matched in the order in which they were configured).
    • auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure that a rule whose match criteria are a subset of another rule's (for example, a longer source prefix inside a broader one) is always matched before that broader rule, whatever order the two rules were entered in. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.
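    The following is an added example, not code from the H3C guide: it shows why the choice between match-order config and match-order auto matters for an IPv4 basic ACL. The rule set, the addresses and the simplified tie-breaker model (more zero bits in the wildcard first, then the lower rule ID, an assumed reduction of the guide's Table 1) are assumptions for illustration.

```python
"""Added example (not from the H3C guide): ACL match order config vs auto."""
import ipaddress
from dataclasses import dataclass


def _care_mask(wildcard: str) -> int:
    # H3C wildcard: 0 bits must match, 1 bits are "don't care".
    return 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # dotted IPv4 source address
    wildcard: str    # H3C wildcard mask

    def matches(self, src_ip: str) -> bool:
        care = _care_mask(self.wildcard)
        return (int(ipaddress.IPv4Address(src_ip)) & care) == (
            int(ipaddress.IPv4Address(self.source)) & care)

    def specificity(self) -> int:
        # number of bits that must match; more zeros in the wildcard = more specific
        return bin(_care_mask(self.wildcard)).count("1")


def order_rules(rules, match_order: str):
    """config: rule ID (configuration) order.
    auto: depth-first, i.e. the most specific rule first; ties fall back to the
    rule ID (assumed simplification of the guide's Table 1 tie breakers)."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (-r.specificity(), r.rule_id))
    raise ValueError(f"unknown match order {match_order!r}")


def evaluate(rules, match_order: str, src_ip: str, default: str = "permit"):
    """The first rule that matches, in the chosen order, decides.  A packet that
    matches no rule takes the packet filter's default action."""
    for rule in order_rules(rules, match_order):
        if rule.matches(src_ip):
            return rule.action, rule.rule_id
    return default, None


# Constructed rule set: a broad permit was entered before a narrower deny and
# a host-specific permit, the usual way a "temporary exception" creeps in.
RULES = [
    BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"),   # whole 10.1.0.0/16
    BasicRule(5, "deny", "10.1.1.0", "0.0.0.255"),       # 10.1.1.0/24, a subset of rule 0
    BasicRule(10, "permit", "10.1.1.7", "0.0.0.0"),      # one host inside that /24
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(RULES, order, "10.1.1.9"), evaluate(RULES, order, "10.1.1.7"))
```

    Under match-order config the /16 permit at rule 0 shadows the /24 deny for every host in 10.1.1.0/24; under auto the deny wins for 10.1.1.9 and only the host exception 10.1.1.7 is still permitted. When auditing a device, check the match order of each ACL before reading its rules top to bottom.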
  • Page 11: Fragments Filtering With Acls

    Feature and hardware compatibility (hardware series and models; the per-model ACL compatibility values are not legible in this copy):
    • WX1800H series: WX1810H, WX1820H
    • WX2500H series: WX2510H, WX2540H, WX2560H
    • WX3000H series: WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
    • WX3500H series: WX3508H, WX3510H, WX3520H, WX3540H
    • WX5500E series: WX5510E, WX5540E
    • WX5500H series: WX5540H...
  • Page 12: Command And Hardware Compatibility

    • WX5500H series (continued): WX5560H, WX5580H
    • Access controller modules: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT
    Command and hardware compatibility
    The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
    Configuration restrictions and guidelines
    Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or has functions enabled in addition to the following match criteria and functions:...
  • Page 13: Configuring A Basic Acl

    Tasks at a glance
    (Optional.) Configuring packet filtering with ACLs
    Configuring a basic ACL
    This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
    Configuring an IPv4 basic ACL
    IPv4 basic ACLs match packets based only on source IP addresses.
    To configure an IPv4 basic ACL (Step / Command / Remarks):...
  • Page 14: Configuring An Advanced Acl

    Step: Create an IPv6 basic ACL and enter its view.
    Command: acl ipv6 basic { acl-number | name acl-name } [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. The value range for a numbered IPv6 basic ACL is 2000 to 2999. Use the acl ipv6 basic acl-number command to enter the view of an existing ACL.
  • Page 15: Configuring An Ipv6 Advanced Acl

    Step: Create an IPv4 advanced ACL and enter its view.
    Command: acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. The value range for a numbered IPv4 advanced ACL is 3000 to 3999. Use the acl advanced acl-number command to enter the view of an existing ACL.
  • Page 16: Configuring A Layer 2 Acl

    Step: Create an IPv6 advanced ACL and enter its view.
    Command: acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. The value range for a numbered IPv6 advanced ACL is 3000 to 3999. Use the acl ipv6 advanced acl-number command to enter the view of an existing ACL.
  • Page 17: Configuring A Wlan Client Acl

    Step 1: Enter system view. Command: system-view
    Step 2: Create a Layer 2 ACL and enter its view. Command: acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. The value range for a numbered Layer 2 ACL is 4000 to 4999. Use the acl mac acl-number command to enter the view of an existing ACL.
  • Page 18: Configuring A Wlan Ap Acl

    Step: Configure or edit a rule. Command: rule [ rule-id ] { deny | permit } [ ssid ssid-name ]. Remarks: By default, a WLAN client ACL does not contain any rules.
    Step (Optional.): Add or edit a rule comment. Command: rule rule-id comment text. Remarks: By default, no rule comment is configured.
  • Page 19: Configuring Packet Filtering With Acls

    Feature and hardware compatibility for packet filtering (hardware series and models):
    • WX1800H series: WX1810H, WX1820H
    • WX2500H series: WX2510H, WX2540H, WX2560H
    • WX3000H series: WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
    • WX3500H series: WX3508H, WX3510H, WX3520H, WX3540H
    • WX5500E series: WX5510E, WX5540E
    • WX5500H series: WX5540H, WX5560H, WX5580H
    • Access controller modules: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT...
  • Page 20: Configuring Snmp Notifications For Packet Filtering

    To apply an ACL to an interface for packet filtering:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter interface view. Command: interface interface-type interface-number
    Step 3: Apply an ACL to the interface to filter packets. Command: packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound }. Remarks: By default, an interface does not filter packets.
  • Page 21: Displaying And Maintaining Acls

    (Hardware series and models, continued): WX3500H series: WX3520H, WX3540H; WX5500E series: WX5510E, WX5540E; WX5500H series: WX5540H, WX5560H, WX5580H; Access controller modules: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT
    To set the packet filtering default action:
    Step 1: Enter system view. Command: system-view
    The default action applies to packets that match no rule of the ACL applied to an interface. By default such packets are permitted, so an ACL that contains only permit rules filters nothing. To fail closed, list the traffic you want with permit rules and set the default action to deny, so that anything not explicitly listed is dropped.
  • Page 22: Acl Configuration Example

    ACL configuration example
    Network requirements
    A company interconnects its departments through the AC. Configure a packet filter to:
    • Permit access from the President's office at any time to the financial database server.
    • Permit access from the Financial department to the database server only during working hours (from 8:00 to 18:00) on working days.
  • Page 23: Verifying The Configuration

    [AC-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0
    [AC-acl-ipv4-adv-3000] quit
    # Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.
    [AC] interface gigabitethernet 1/0/1
    [AC-GigabitEthernet1/0/1] packet-filter 3000 outbound
    [AC-GigabitEthernet1/0/1] quit
    Verifying the configuration
    # Verify that a wireless client in the Financial department can ping the database server during working hours.
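    The following is an added example, not code from the H3C guide: an evaluator for the ACL 3000 packet filter of this configuration example, with the periodic time range (8:00 to 18:00 on working days, and, as in the time range example later in the guide, limited to June 2015 through the end of that year) and the packet filtering default action. The guide only shows the final deny rule; the President's office host 192.168.1.2, the Financial department subnet 192.168.2.0/24 and the two permit rules are assumptions. Rules are evaluated in configuration order (match-order config), and a rule whose time range is inactive does not take effect.

```python
"""Added example (not from the H3C guide): ACL 3000 with a time range and default action."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

WORKING_DAYS = frozenset({0, 1, 2, 3, 4})   # datetime.weekday(): Monday=0 .. Friday=4


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time
    days: frozenset = WORKING_DAYS
    valid_from: Optional[datetime] = None   # optional absolute window
    valid_to: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        if self.valid_from is not None and at < self.valid_from:
            return False
        if self.valid_to is not None and at > self.valid_to:
            return False
        return at.weekday() in self.days and self.start <= at.time() < self.end


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """H3C wildcard semantics: 0 bits of the wildcard must match, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class AdvRule:
    rule_id: int
    action: str                          # "permit" or "deny"
    src: str = "0.0.0.0"                 # "any" = 0.0.0.0 with an all-ones wildcard
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    time_range: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str, at: datetime, ranges: Dict[str, TimeRange]) -> bool:
        # A rule bound to an inactive time range does not take effect at all.
        if self.time_range is not None and not ranges[self.time_range].active(at):
            return False
        return wildcard_match(src_ip, self.src, self.src_wc) and wildcard_match(dst_ip, self.dst, self.dst_wc)


class PacketFilter:
    def __init__(self, rules: List[AdvRule], ranges: Dict[str, TimeRange], default: str = "permit"):
        self.rules = sorted(rules, key=lambda r: r.rule_id)   # match-order config
        self.ranges = ranges
        self.default = default          # the guide's "packet filtering default action"

    def decide(self, src_ip: str, dst_ip: str, at: datetime) -> Tuple[str, Optional[int]]:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, at, self.ranges):
                return rule.action, rule.rule_id
        return self.default, None       # nothing matched: the default action applies


DB_SERVER = "192.168.0.100"                              # from the guide's example
PRESIDENT = "192.168.1.2"                                # assumed
FINANCE_NET, FINANCE_WC = "192.168.2.0", "0.0.0.255"     # assumed

RANGES = {"work": TimeRange("work", time(8, 0), time(18, 0),
                            valid_from=datetime(2015, 6, 1, 0, 0),
                            valid_to=datetime(2015, 12, 31, 23, 59))}
ACL_3000 = [
    AdvRule(0, "permit", PRESIDENT, "0.0.0.0", DB_SERVER, "0.0.0.0"),                       # assumed
    AdvRule(5, "permit", FINANCE_NET, FINANCE_WC, DB_SERVER, "0.0.0.0", time_range="work"),  # assumed
    AdvRule(10, "deny", dst=DB_SERVER, dst_wc="0.0.0.0"),  # guide: rule deny ip source any destination 192.168.0.100 0
]


def build_filter(default: str = "permit") -> PacketFilter:
    return PacketFilter(ACL_3000, RANGES, default)


if __name__ == "__main__":
    f = build_filter()
    print(f.decide("192.168.2.10", DB_SERVER, datetime(2015, 6, 1, 10, 0)))   # Monday, working hours
    print(f.decide("192.168.2.10", DB_SERVER, datetime(2015, 6, 6, 10, 0)))   # Saturday
```

    Note what the final deny rule does and does not cover: it only protects 192.168.0.100. With the default action left at permit, a Financial department host reaching any other server at the weekend is still forwarded; only setting the default action to deny turns the filter into an allow-list.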
  • Page 24: Qos Overview

    Feature and hardware compatibility for QoS (hardware series and models):
    • WX3000H series: WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
    • WX3500H series: WX3508H, WX3510H, WX3520H, WX3540H
    • WX5500E series: WX5510E, WX5540E
    • WX5500H series: WX5540H, WX5560H, WX5580H
    • Access controller modules: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT...
  • Page 25: Command And Hardware Compatibility

    Command and hardware compatibility
    The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
    QoS service models
    This section describes several typical QoS service models.
    Best-effort service model
    The best-effort model is a single-service model. The best-effort model is not as reliable as other models and does not guarantee delay-free delivery.
  • Page 26: Deploying Qos In A Network

    Deploying QoS in a network
    Figure 2 Position of the QoS techniques in a network (figure: along the traffic direction, traffic classification is performed first and traffic policing at the devices that follow)
    As shown in Figure 2, traffic classification and traffic policing mainly implement the following functions:
    •...
  • Page 27: Configuring A Qos Policy

    Configuring a QoS policy
    You can configure QoS by using the MQC approach or non-MQC approach. Some features support both approaches, but some support only one.
    Non-MQC approach
    In the non-MQC approach, you configure QoS service parameters without using a QoS policy.
    MQC approach
    In the modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies.
  • Page 28: Defining A Traffic Behavior

    Step 1: Create a traffic class and enter traffic class view. Command: traffic classifier classifier-name [ operator { and | or } ]. Remarks: By default, no traffic class exists.
    Step 2: Configure match criteria. Command: if-match [ not ] match-criteria. Remarks: By default, no match criterion is configured. For more information, see the if-match command in ACL and QoS Command Reference.
  • Page 29: Applying The Qos Policy To An Interface

    Feature and hardware compatibility for applying a QoS policy (hardware series and models):
    • WX1800H series: WX1804H, WX1810H, WX1820H
    • WX2500H series: WX2510H, WX2540H, WX2560H
    • WX3000H series: WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
    • WX3500H series: WX3508H, WX3510H, WX3520H, WX3540H
    • WX5500E series: WX5510E, WX5540E
    • WX5500H series: WX5540H, WX5560H, WX5580H
    • Access controller modules: EWPXM1MAC0F...
  • Page 30: Displaying And Maintaining Qos Policies

    • Access controller modules (continued): EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT
    You can apply a QoS policy to multiple user profiles. In one direction of each user profile, only one policy can be applied. To modify a QoS policy already applied to a direction, first remove the applied QoS policy.
  • Page 31: Configuring Priority Mapping

    Configuring priority mapping
    Overview
    When a packet arrives, a device assigns a set of QoS priority parameters to the packet based on either of the following:
    • A priority field carried in the packet.
    • The port priority of the incoming port.
    This process is called priority mapping.
  • Page 32: Configuring A Priority Map

    • Changing port priority—If no packet priority is trusted, the port priority of the incoming port is used. By changing the port priority of a port, you change the priority of the incoming packets on the port.
    To configure priority mapping, perform the following tasks:
    Tasks at a glance
    (Optional.) Configuring a priority map...
  • Page 33: Changing The Port Priority Of An Interface

    To configure the trusted packet priority type on an interface:
    Step 1: Enter system view. Command: system-view
    Step 2: Enter interface view. Command: interface interface-type interface-number
    Step 3: Configure the trusted packet priority type. Command: qos trust { dot1p | dscp }. Remarks: By default, the port priority is trusted.
  • Page 34: Configuration Procedure

    Figure 5 Network diagram (figure: Device A and Device B, a server and the Internet; interface GE1/0/3 is labeled)
    Configuration procedure
    # Assign port priority to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Make sure the following requirements are met:
    • The priority of GigabitEthernet 1/0/1 is higher than that of GigabitEthernet 1/0/2.
    •...
  • Page 35: Configuring Traffic Policing

    Configuring traffic policing
    Overview
    Traffic policing helps assign network resources (including bandwidth) and increase network performance. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic. Traffic policing controls the traffic rate and resource usage according to traffic specifications.
  • Page 36: Configuration Procedure

    Figure 6 Traffic policing (figure: tokens are put into the bucket at the set rate; packets to be sent out of the interface are classified and checked against the token bucket, then either sent or dropped)
    Traffic policing is widely used in policing traffic entering the ISP networks. It can classify the policed traffic and take predefined policing actions on each packet depending on the evaluation result:
    •...
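    The following is an added example, not code from the H3C guide: a single-rate, single-bucket policer of the kind Figure 6 shows, with the token bucket refilled at the CIR (in bits per second, so tokens are bytes) up to the CBS. The rates, packet sizes and timestamps are constructed; the two colours stand for the conforming and exceeding results on which the configured actions (forward, drop, remark) are applied.

```python
"""Added example (not from the H3C guide): single-rate token bucket policing."""
from typing import Iterable, List, Tuple


class TokenBucket:
    def __init__(self, cir_bps: int, cbs_bytes: int):
        self.rate = cir_bps / 8.0        # CIR is in bits/s; tokens are counted in bytes
        self.cbs = cbs_bytes             # bucket depth = committed burst size
        self.tokens = float(cbs_bytes)   # the bucket starts full
        self.last = 0.0                  # time of the previous evaluation, seconds

    def police(self, size_bytes: int, now: float) -> str:
        # Refill at the CIR for the time elapsed since the last packet, never
        # beyond the CBS: idle time cannot be "banked" into a larger burst.
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "green"   # conforming: forwarded
        return "red"         # exceeding: dropped, or remarked, per the configured action


def police_stream(packets: Iterable[Tuple[float, int]], cir_bps: int, cbs_bytes: int) -> List[str]:
    """packets: (timestamp in seconds, size in bytes), in arrival order."""
    bucket = TokenBucket(cir_bps, cbs_bytes)
    return [bucket.police(size, t) for t, size in packets]


# Constructed burst: CIR 8000 bit/s (1000 bytes/s), CBS 1500 bytes.
SAMPLE = [(0.0, 1000), (0.0, 1000), (1.0, 1000), (1.2, 600), (1.3, 500), (10.0, 2000), (10.0, 1500)]

if __name__ == "__main__":
    print(police_stream(SAMPLE, cir_bps=8000, cbs_bytes=1500))
```

    The last two packets show the property that matters when policing is used as a flood control: after nine idle seconds the bucket still holds only the CBS, so a 2000-byte packet is red no matter how long the source waited, while 1500 bytes pass.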
  • Page 37: Configuring Traffic Policing For A User Profile By Using The Non-Mqc Approach

    Feature and hardware compatibility for traffic policing (hardware series and models):
    • WX1800H series: WX1804H, WX1810H, WX1820H
    • WX2500H series: WX2510H, WX2540H, WX2560H
    • WX3000H series: WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
    • WX3500H series: WX3508H, WX3510H, WX3520H, WX3540H
    • WX5500E series: WX5510E, WX5540E
    • WX5500H series: WX5540H, WX5560H, WX5580H
    • Access controller modules: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40...
  • Page 38: Displaying And Maintaining Traffic Policing

    • Access controller modules (continued): LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT
    When a user profile is configured, you can perform traffic policing based on users. When any user of the user profile logs in, the authentication server automatically applies the CAR parameters configured for the user profile to the user. When the user logs off, the system automatically removes the CAR configuration without manual intervention.
  • Page 39: Configuring Traffic Filtering

    Configuring traffic filtering
    You can filter in or filter out traffic of a class by associating the class with a traffic filtering action. For example, you can filter packets sourced from an IP address according to network status.
    Configuration procedure
    To configure traffic filtering (Step / Command):...
  • Page 40: Configuration Procedure

    Figure 7 Network diagram (figure: a client, the AC's interface GE 1/0/1, and the IP network)
    Configuration procedure
    # Create advanced ACL 3000, and configure a rule to match packets whose source port number is not 21.
    <AC> system-view
    [AC] acl advanced 3000
    [AC-acl-ipv4-adv-3000] rule 0 permit tcp source-port neq 21
    [AC-acl-ipv4-adv-3000] quit
    # Create a traffic class named classifier_1, and use ACL 3000 as the match criterion in the traffic class.
  • Page 41: Configuring Priority Marking

    Configuring priority marking
    Priority marking sets the priority fields or flag bits of packets to modify the priority of packets. For example, you can use priority marking to set the DSCP value for a class of IP packets to control the forwarding of these packets.
  • Page 42: Configuration Example

    Step 12 (Optional.): Display the priority marking configuration. Command: display traffic behavior { system-defined | user-defined } [ behavior-name ] [ slot slot-number ]. Remarks: Available in any view.
    Configuration example
    Network requirements
    As shown in Figure 8, configure priority marking on the AC to meet the following requirements (table: Traffic source / Destination / Processing priority):...
  • Page 43
    [AC-acl-ipv4-adv-3002] rule permit ip destination 192.168.0.3 0
    [AC-acl-ipv4-adv-3002] quit
    # Create a traffic class named classifier_dbserver, and use ACL 3000 as the match criterion in the traffic class.
    [AC] traffic classifier classifier_dbserver
    [AC-classifier-classifier_dbserver] if-match acl 3000
    [AC-classifier-classifier_dbserver] quit
    # Create a traffic class named classifier_mserver, and use ACL 3001 as the match criterion in the traffic class.
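    The following is an added example, not code from the H3C guide: a model of the MQC building blocks the preceding sections describe (traffic class with its and/or operator and if-match [ not ] criteria, traffic behavior, QoS policy of classifier-behavior pairs), evaluated over constructed packets. The ACL 3000 criterion mirrors the traffic filtering example and the per-server classes mirror the priority marking example; the packet fields, the server addresses, the DSCP values written by the behaviors, and first-match evaluation of the pairs are assumptions.

```python
"""Added example (not from the H3C guide): traffic class, behavior and QoS policy."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Criterion = Callable[[Packet], bool]


def acl_3000(pkt: Packet) -> bool:
    """acl advanced 3000: rule permit tcp source-port neq 21 (traffic filtering example)."""
    return pkt.get("proto") == "tcp" and pkt.get("sport") != 21


def acl_destination(host: str) -> Criterion:
    """rule permit ip destination <host> 0, one ACL per server as in the marking example."""
    return lambda pkt: pkt.get("dst") == host


@dataclass
class Classifier:
    """traffic classifier NAME [ operator { and | or } ]; default operator is and."""
    name: str
    operator: str = "and"
    criteria: List[Tuple[bool, Criterion]] = field(default_factory=list)  # (negated, criterion)

    def if_match(self, criterion: Criterion, negate: bool = False) -> "Classifier":
        self.criteria.append((negate, criterion))      # if-match [ not ] match-criteria
        return self

    def matches(self, pkt: Packet) -> bool:
        results = [(not c(pkt)) if negated else c(pkt) for negated, c in self.criteria]
        return all(results) if self.operator == "and" else any(results)


@dataclass
class Behavior:
    name: str
    filter: Optional[str] = None        # "deny" | "permit"  (traffic filtering action)
    remark_dscp: Optional[int] = None   # priority marking action


@dataclass
class QosPolicy:
    name: str
    pairs: List[Tuple[Classifier, Behavior]] = field(default_factory=list)

    def classifier_behavior(self, c: Classifier, b: Behavior) -> "QosPolicy":
        self.pairs.append((c, b))
        return self

    def apply(self, pkt: Packet) -> Tuple[str, Packet]:
        """Assumed first-match: the first class the packet matches supplies the behavior."""
        for c, b in self.pairs:
            if c.matches(pkt):
                out = dict(pkt)
                if b.remark_dscp is not None:
                    out["dscp"] = b.remark_dscp
                return ("deny" if b.filter == "deny" else "permit"), out
        return "permit", dict(pkt)      # no class matched: forwarded unchanged


def filtering_policy() -> QosPolicy:
    """Traffic filtering example: drop TCP packets whose source port is not 21."""
    cls = Classifier("classifier_1").if_match(acl_3000)
    return QosPolicy("policy").classifier_behavior(cls, Behavior("behavior_1", filter="deny"))


def marking_policy() -> QosPolicy:
    """Priority marking example: one class per server, each remarked to an assumed DSCP."""
    servers = (("classifier_dbserver", "behavior_dbserver", "192.168.0.1", 46),
               ("classifier_mserver", "behavior_mserver", "192.168.0.2", 26))
    policy = QosPolicy("policy")
    for cname, bname, host, dscp in servers:
        policy.classifier_behavior(Classifier(cname).if_match(acl_destination(host)),
                                   Behavior(bname, remark_dscp=dscp))
    return policy


if __name__ == "__main__":
    print(filtering_policy().apply({"proto": "tcp", "sport": 80}))
    print(marking_policy().apply({"proto": "tcp", "dst": "192.168.0.1", "dscp": 0}))
```

    Two details worth checking on a real device: a packet that matches no class is forwarded untouched by the policy, so "filter deny" classes must enumerate what to drop; and a class with operator or plus an if-match not criterion matches far more than it looks like it does, which the last test cases below illustrate.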
  • Page 44: Appendixes

    Appendixes
    Appendix A Acronym
    Table 2 Appendix A Acronym (Acronym / Full spelling)
    BE / Best Effort
    CAR / Committed Access Rate
    CBS / Committed Burst Size
    CIR / Committed Information Rate
    DiffServ / Differentiated Service
    DSCP / Differentiated Services Code Point
    EBS / Excess Burst Size
    IntServ / Integrated Service
    ISP / Internet Service Provider
    PIR / Peak Information Rate
    QoS / Quality of Service
    ToS / Type of Service...
  • Page 45 dot11e
    Table 5 Default dscp-lp priority map (Input priority value / dscp-lp map): dscp 0 to 7, 8 to 15, 16 to 23, 24 to 31, 32 to 39, 40 to 47, 48 to 55, 56 to 63 (the mapped lp values are truncated in this copy)
    Table 6 Default lp-dot1p, lp-dot11e, and lp-dscp priority maps (Input priority value / lp-dot1p map / lp-dot11e map ...)
  • Page 46: Appendix C Introduction To Packet Precedences

    (Table columns, continued: Port priority / Local precedence)
    Appendix C Introduction to packet precedences
    IP precedence and DSCP values
    Figure 9 ToS and DS fields (figure: the IPv4 ToS byte holds a 3-bit Precedence field followed by the Type of Service bits; the DS field, which is the ToS octet for IPv4 and the Traffic Class octet for IPv6, holds a 6-bit DSCP whose upper 3 bits are the Class Selector, followed by 2 bits that are currently unused)
  • Page 47: 802.1P Priority

    DSCP value (decimal) / DSCP value (binary) / Description
    14 / 001110 / af13
    18 / 010010 / af21
    20 / 010100 / af22
    22 / 010110 / af23
    26 / 011010 / af31
    28 / 011100 / af32
    30 / 011110 / af33
    34 / 100010 / af41
    36 / 100100 / af42
    38 / 100110 / af43
    8 / 001000 / cs1
    16 / 010000 / cs2
    24 / 011000 / cs3
    32 / 100000 / cs4
    40 / 101000 / cs5
    48 / 110000 / cs6
    56 / 111000 / cs7
    0 / 000000 / be (default)
    802.1p priority
    802.1p priority lies in the Layer 2 header. It applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 48: 802.11E Priority

    Figure 11 802.1Q tag header (figure: bytes 1 and 2 are the TPID (Tag protocol identifier), value 0x8100; bytes 3 and 4 are the TCI (Tag control information), whose upper 3 bits are the Priority field and whose lower 12 bits are the VLAN ID)
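    The following is an added example, not code from the H3C guide: it decodes the three precedence fields of Appendix C from a tagged IPv4 frame (802.1p priority from the 802.1Q TCI, IP precedence and DSCP from the ToS/DS octet), names the DSCP the way the table above does, and then applies the priority mapping rule of the earlier section: trust dscp, trust dot1p, or fall back to the port priority. The sample frame is constructed, the ef name (46) comes from RFC 2474 rather than the page, and the default maps (lp = dscp // 8 for dscp-lp, lp = 802.1p value for dot1p-lp) are assumptions standing in for the truncated Tables 5 and 6.

```python
"""Added example (not from the H3C guide): decoding packet precedences and priority mapping."""
import struct
from typing import Dict

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def decode_tos(tos: int) -> Dict[str, int]:
    """ToS octet (IPv4) / Traffic Class octet (IPv6): bits 7..5 IP precedence, bits 7..2 DSCP."""
    return {"precedence": tos >> 5, "dscp": tos >> 2}


def dscp_name(dscp: int) -> str:
    """afXY / csX / ef / be names; afXY = class X (bits 5..3), drop precedence Y (bits 2..1)."""
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"          # RFC 2474/3246 expedited forwarding, not in the page's table
    if low == 0 and drop == 0:
        return f"cs{cls}"    # class selector codepoints xxx000
    if low == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"af{cls}{drop}"
    return f"dscp{dscp}"


def decode_tci(tci: int) -> Dict[str, int]:
    """802.1Q TCI: 3-bit priority (802.1p), 1-bit CFI, 12-bit VLAN ID."""
    return {"dot1p": tci >> 13, "cfi": (tci >> 12) & 1, "vlan": tci & 0x0FFF}


def parse_frame(frame: bytes) -> Dict[str, int]:
    """Extract 802.1p priority, VLAN, IP precedence and DSCP from a tagged IPv4 frame."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame: no 802.1p priority to trust")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    tos = frame[18 + 1]       # IPv4 header starts at 18; the ToS octet is its second byte
    return {**decode_tci(tci), **decode_tos(tos)}


def local_precedence(fields: Dict[str, int], trust: str, port_priority: int = 0) -> int:
    """qos trust dscp | dot1p; with neither trusted the port priority is used."""
    if trust == "dscp":
        return fields["dscp"] // 8     # assumed default dscp-lp map
    if trust == "dot1p":
        return fields["dot1p"]         # assumed default dot1p-lp map
    return port_priority


def sample_frame(dot1p: int, vlan: int, dscp: int) -> bytes:
    """Constructed tagged IPv4 frame containing only the bytes these functions read."""
    eth = b"\x00" * 12 + struct.pack("!HHH", TPID_8021Q, (dot1p << 13) | vlan, ETHERTYPE_IPV4)
    ipv4 = bytes([0x45, dscp << 2]) + b"\x00" * 18
    return eth + ipv4


if __name__ == "__main__":
    f = parse_frame(sample_frame(dot1p=3, vlan=100, dscp=46))
    print(f, dscp_name(f["dscp"]), local_precedence(f, "dscp"), local_precedence(f, "dot1p"))
```

    The security point behind "qos trust": both fields are set by the sender, so trusting dscp or dot1p on an interface facing untrusted clients lets any host claim the highest local precedence. On such ports leave the default (port priority trusted) or remark at the edge, and trust packet priority only on links from devices you control.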
  • Page 49: Configuring Time Ranges

    Feature and hardware compatibility for time ranges (hardware series and models, continued; the per-model compatibility values are not legible in this copy):
    • WX2500H series: WX2560H
    • WX3000H series: WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L
    • WX3500H series: WX3508H, WX3510H, WX3520H, WX3540H
    • WX5500E series: WX5510E, WX5540E
    • WX5500H series: WX5540H, WX5560H, WX5580H
    • Access controller modules: EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F...
  • Page 50: Configuration Procedure

    • Access controller modules (continued): LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT
    Configuration procedure
    Step 1: Enter system view. Command: system-view
    Step 2: Create or edit a time range. Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from ... Remarks: No time range exists.
  • Page 51 Figure 13 Network diagram (figure: Server 192.168.0.100 reached through the AC's GE 1/0/1 over the IP network; AP 1 and AP 2 serve Client 1 (192.168.1.2) and Client 2 (192.168.1.3))
    Configuration procedure
    # Create a periodic time range from 8:00 to 18:00 on working days from June 2015 to the end of the year.