H3C WX Series Configuration Manual
ACL and QoS
Abstract
This document describes ACL and QoS configurations. You can use ACLs or other match
criteria to classify traffic in your network, and implement flow control based on traffic
classes. With ACL and QoS, you can allocate limited network resources efficiently and
improve network utilization. The intended audience includes network planners, field
technical support and servicing engineers, and network administrators working with the
WX series.
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
H3C WX Series Access Controllers
ACL and QoS Configuration Guide

Summary of Contents for H3C WX Series

  • Page 2 However, the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied. Hangzhou H3C Technologies Co., Ltd. and its licensors shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents
    1 ACL configuration, 8
    ACL classification, 8
    ACL numbering and naming, 8
    Match order, 9
    ACL rule numbering, 11
    ACL rule numbering step, 11
    Automatic rule numbering and re-numbering, 11
    Implementing time-based ACL rules, 11
    IPv4 fragments filtering with ACLs, ...
  • Page 4 Configuring a port to trust packet priority for priority mapping, 39
    Configuring the port priority of a port, 39
    Displaying and maintaining priority mapping, 40
    Priority mapping configuration examples (on WX Series access controllers), 41
    Trusted priority type configuration example, 42
    Port priority configuration example, 43
    5 Traffic policing and line rate configuration, 45 ...
  • Page 5 Configuring PQ, 56
    PQ configuration procedure, 57
    PQ configuration example on WX5002, 58
    PQ configuration example (on any H3C WX access controllers but WX5002), 60
    Configuring CQ, 60
    Configuration procedure, 61
    CQ configuration example on WX5002, 62
    CQ configuration example (on any H3C WX access controllers but WX5002), ...
  • Page 6 Command conventions, 65
    Document conventions, 65
    Symbols, 66
    Index ...
  • Page 7 The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region. Support of the H3C WX series access controllers (ACs) for features may vary by AC model. For more information, see "Feature Matrix" in About the WX Configuration Guides.
  • Page 8: ACL Configuration

    ACL configuration An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as the source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule.
  • Page 9: Match Order

    name for the ease of identification. After creating an ACL with a name, you can neither rename it nor delete its name. You cannot assign a name to a WLAN ACL. For a WLAN ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACL, the ACL number and name must be unique among all IPv4 ACLs; for an IPv6 basic or advanced ACL, among all IPv6 ACLs.
  • Page 10 Table: ACL category / Depth-first rule sorting procedures. The rule configured with a VPN instance takes precedence. The rule configured with a specific protocol takes precedence over a rule with the protocol type set to IP (IP represents any protocol over IP). The rule with more 0s in the source IP address wildcard mask takes precedence.
  • Page 11: ACL Rule Numbering

    ACL rule numbering ACL rule numbering step If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are numbered 0, 5, 10, 15, and so on.
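    The two behaviours described on pages 10 and 11, automatic rule numbering with a numbering step and the depth-first ("auto") match order versus configuration order, are easy to misjudge when a broad permit and a narrow deny both match a packet. The following is an added example, not H3C code: a small Python model of both behaviours. The numbering policy (first rule gets 0, each later rule gets the smallest multiple of the step above the largest ID in use) is an assumption derived from the manual's 0, 5, 10, 15 sequence; the `Rule`, `assign_rule_ids`, `lookup` and `demo` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed model (not H3C code) of ACL rule numbering with a step and of
# the depth-first ("auto") match order versus configuration ("config") order.


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    source: str                       # source IPv4 address, e.g. "10.1.1.0"
    wildcard: str                     # wildcard mask: 0 bits must match, 1 bits are don't-care
    protocol: str = "ip"              # "ip" stands for any protocol over IP
    vpn_instance: Optional[str] = None
    rule_id: Optional[int] = None     # None: let the system assign the ID


def assign_rule_ids(rules: List[Rule], step: int = 5) -> List[Rule]:
    """Number every rule that has no ID.

    Assumed policy, derived from the manual's example sequence 0, 5, 10, 15:
    the first rule in an empty ACL gets 0, and each later rule gets the smallest
    multiple of `step` that is greater than the largest ID already in use.
    """
    used = [r.rule_id for r in rules if r.rule_id is not None]
    for r in rules:
        if r.rule_id is None:
            r.rule_id = 0 if not used else (max(used) // step + 1) * step
            used.append(r.rule_id)
    return rules


def zero_bits(wildcard: str) -> int:
    """Count the 0 bits of a wildcard mask; more 0s means a more specific rule."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def depth_first_key(r: Rule) -> Tuple[bool, bool, int, int]:
    # Depth-first sorting criteria from the manual, highest priority first:
    #   1. a rule bound to a VPN instance takes precedence
    #   2. a specific protocol takes precedence over protocol "ip"
    #   3. the rule with more 0s in the source wildcard mask takes precedence
    # Python sorts ascending, so False sorts before True and -zeros puts the
    # most specific mask first; the rule ID breaks any remaining ties.
    return (r.vpn_instance is None, r.protocol == "ip", -zero_bits(r.wildcard), r.rule_id)


def matches(r: Rule, src: str, protocol: str) -> bool:
    """True when the protocol fits and every wildcard-0 bit of the source agrees."""
    if r.protocol != "ip" and r.protocol != protocol:
        return False
    must_match = 0xFFFFFFFF ^ int(IPv4Address(r.wildcard))
    return (int(IPv4Address(src)) & must_match) == (int(IPv4Address(r.source)) & must_match)


def lookup(rules: List[Rule], src: str, protocol: str = "tcp", match_order: str = "config"):
    """Return (rule_id, action) of the first rule that matches, or None if none does."""
    if match_order == "config":
        ordered = sorted(rules, key=lambda r: r.rule_id)   # ascending rule ID
    else:                                                  # "auto": depth-first
        ordered = sorted(rules, key=depth_first_key)
    for r in ordered:
        if matches(r, src, protocol):
            return r.rule_id, r.action
    return None


def demo() -> dict:
    """Constructed ACL: a broad permit configured before a narrower deny."""
    acl = assign_rule_ids([
        Rule("permit", "10.1.0.0", "0.0.255.255"),   # becomes rule 0: all of 10.1.0.0/16
        Rule("deny", "10.1.1.0", "0.0.0.255"),       # becomes rule 5: only 10.1.1.0/24
    ])
    host = "10.1.1.7"
    return {
        "ids": [r.rule_id for r in acl],
        "config": lookup(acl, host, match_order="config"),   # (0, "permit")
        "auto": lookup(acl, host, match_order="auto"),       # (5, "deny")
    }


if __name__ == "__main__":
    print(demo())
```

    The point to take away is the last two lines of `demo`: the same packet is permitted under config order and denied under depth-first order, so switching `match-order` on an existing ACL can change what is filtered.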
  • Page 12: IPv4 Fragments Filtering With ACLs

    This mechanism resulted in security risks, because attackers may fabricate non-first fragments to attack networks. To avoid these risks, the H3C ACL implementation: filters all fragments by default, including non-first fragments; and provides standard and exact match modes for matching ACLs that contain advanced attributes such as TCP/UDP port number and ICMP type.
  • Page 13: Configuring An ACL

    Configuring an ACL. Creating a time range. Follow these steps to create a time range:
    Enter system view: system-view
    Create a time range (required; by default, no time range exists): time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 ...
  • Page 14: Configuring A Basic ACL

    Create or edit a rule (required; by default, a WLAN ACL does not contain any rule; to create or edit multiple rules, repeat this step): rule [ rule-id ] { permit | deny } [ ssid ssid-name ]
  • Page 15 Create or edit a rule (required; by default, an IPv4 basic ACL does not contain any rule; to create or edit multiple rules, repeat this step): rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | ...
  • Page 16: Configuring An Advanced ACL

    Create or edit a rule (required; by default, an IPv6 basic ACL does not contain any rule; to create or edit multiple rules, repeat this step): rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ...
  • Page 17 Configure a description for the IPv4 advanced ACL (optional; by default, an IPv4 advanced ACL has no ACL description): description text
    Set the rule numbering step (optional; 5 by default): step step-value
    Create or edit a rule: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value ...
  • Page 18: Configuring An Ethernet Frame Header ACL

    Create an IPv6 advanced ACL and enter its view (required; by default, no ACL exists; IPv6 advanced ACLs are numbered in the range 3000 to 3999): acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]. You can use the acl ipv6 name acl6-name ...
  • Page 19: Copying An ACL

    Follow these steps to configure an Ethernet frame header ACL:
    Enter system view: system-view
    Create an Ethernet frame header ACL ... (required; by default, no ACL exists; Ethernet frame header ACLs are numbered in the range 4000 to 4999): acl number acl-number [ name acl-name ]
  • Page 20: Displaying And Maintaining ACLs

    The source IPv4 or IPv6 ACL already exists but the destination IPv4 or IPv6 ACL does not. Copying an IPv4 ACL. Follow these steps to copy an IPv4 ACL:
    Enter system view: system-view
    Copy the ACL (required): acl copy { source-acl-number | name ...
  • Page 21: ACL Configuration Examples

    ACL configuration examples IPv4 ACL configuration example Network Requirements As shown in Figure 1 , a company interconnects its wireless users and servers through the access controller (AC). The salary server uses IP address 192.168.1.2. The wireless users in the research and development (R&D) department are connected to the wireless interface WLAN-ESS 1 of the AC.
  • Page 22: IPv6 ACL Configuration Example

    Create a rule to match packets from the R&D department to the salary server in the time range:
    [AC-acl-adv-3000] rule 0 permit ip source any destination 192.168.1.2 0.0.0.0 time-range trname
    [AC-acl-adv-3000] quit
    Apply the ACL. Apply IPv4 ACL 3000 to filter incoming packets on interface WLAN-ESS 1:
    [AC] traffic classifier test
    [AC-classifier-test] if-match acl 3000
    [AC-classifier-test] quit
    ...
  • Page 23
    [Sysname] qos policy deny2000
    [Sysname-qospolicy-deny2000] classifier ipv6-2000 behavior deny
    [Sysname-qospolicy-deny2000] quit
    Apply the policy to filter incoming packets on interface WLAN-ESS 1:
    [Sysname] interface WLAN-ESS1
    [Sysname-WLAN-ESS1] qos apply policy deny2000 inbound
    ...
  • Page 24: QoS Overview

    QoS overview In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated service guarantees for diversified traffic regarding bandwidth, delay, jitter, and drop rate. Network resources are always scarce. The contention for resources demands that QoS prioritize important traffic flows over trivial traffic flows.
  • Page 25: IntServ Model

    IntServ model The integrated service (IntServ) model is a multiple-service model that can accommodate diverse QoS requirements. It provides the most granularly differentiated QoS by identifying and guaranteeing definite QoS for each data flow. In the IntServ model, an application must request service from the network before it sends data.
  • Page 26: Applying QoS Techniques In A Network

    Applying QoS techniques in a network. Figure 2 Positions of the QoS techniques in a network (figure: along the traffic direction, traffic classification, traffic policing, congestion management, congestion avoidance and traffic shaping are placed at the network nodes). As shown in Figure 2, traffic classification, traffic shaping, traffic policing, congestion ...
  • Page 27: QoS Processing Flow In An AC

    QoS processing flow in an AC. Figure 3 QoS processing flow (figure: packets received on the interface go through classification, traffic policing with a token bucket where tokens decide whether to forward, remark or drop, priority marking, and are then enqueued into Queue 0, Queue 1, ... and dequeued; other processing applies to the remaining traffic) ...
  • Page 28: QoS Configuration Approaches

    QoS configuration approaches. Two approaches are available for configuring QoS: the non-policy approach and the policy approach. Some features support both approaches, but some support only one. Non-policy approach: in the non-policy approach, you configure QoS service parameters directly without using a QoS policy. For example, you can use the line rate feature to set a rate limit on an interface without using a QoS policy.
  • Page 29: Defining A Class

    Figure 4 QoS policy configuration procedure (figure: define a class, define a behavior, define a policy, then apply the policy to an interface or to online users). Defining a class. To define a class, specify its name and then configure the match criteria in class view. Follow these steps to define a class: ...
  • Page 30: Defining A Traffic Behavior

    Configure match criteria (required; for more information, see the if-match command in QoS in the ACL and QoS Command Reference): if-match match-criteria
    Display information about a specific or all classes (optional; available in any view): display traffic classifier user-defined [ tcl-name ]
    Defining a traffic behavior ...
  • Page 31: Defining A Policy

    On the WX5002, if a deny rule in the ACL is matched, the if-match clause is ignored and the matching process continues. On any other WX series ACs, the ACL is used for classification only and thus the permit/deny action in ACL rules is ignored. Actions taken on matching packets are defined in traffic...
  • Page 32: Applying The QoS Policy

    Applying the QoS policy You can apply a QoS policy to different occasions: Applied to an interface, the policy takes effect on the traffic sent or received on the interface. Applied to a user profile, the policy takes effect on the traffic sent or received by the online users of the user profile.
  • Page 33 Applying the QoS policy to online users You can apply a QoS policy to traffic of multiple online users, but only one policy can be applied in one traffic direction. To modify a QoS policy already applied in a certain direction, remove the QoS policy application first.
  • Page 34: Displaying And Maintaining QoS Policies

    Displaying and maintaining QoS policies.
    Display user-defined QoS policy configuration (available in any view): display qos policy user-defined [ policy-name [ classifier tcl-name ] ]
    Display QoS policy configuration on the ... (available in any view): display qos policy interface [ interface-type interface-number ] ...
  • Page 35: Priority Mapping Configuration

    Priority mapping is implemented with priority mapping tables and involves priorities including 802.11e priority, 802.1p priority, DSCP, and local precedence on the H3C WX series access controllers. Local precedence is assigned by the AC and is of only local significance. Local precedence is used for queuing.
  • Page 36 Table 3 The default dot1p-lp priority mapping table (columns: 802.1p priority (dot1p), Local precedence (lp)). Table 4 The default dscp-lp priority mapping table (columns: DSCP, Local precedence (lp); DSCP rows 0 to 7, 8 to 15, 16 to 23, 24 to 31, 32 to 39, 40 to 47, 48 to 55, 56 to 63) ...
  • Page 37: Priority Mapping Configuration Tasks

    Table 6 The default port priority-to-local priority mapping table (columns: Port priority, Local precedence (lp)). Table 7 The default lp-dscp priority mapping table (columns: Local precedence (lp), DSCP). Priority mapping configuration tasks. You can configure priority mapping in two approaches: Configuring priority trust mode. In this approach, you can configure a port to look up a certain priority, 802.1p for example, in incoming packets, in the priority mapping tables.
  • Page 38: Configuring Priority Mapping

    Enter priority mapping table view (enter the view of the priority mapping table to be modified; support of the H3C WX series access controllers for priority mapping tables may vary by AC model): qos map-table { dot11e-lp | dot1p-lp | dscp-lp | lp-dot11e | lp-dot1p | lp-dscp }
  • Page 39: Configuring A Port To Trust Packet Priority For Priority Mapping

    Configuring a port to trust packet priority for priority mapping This feature is available only on Layer 2 ports. You can configure a Layer 2 port to trust one of the following priority fields in incoming packets: dot11e: Uses the 802.11e priority of incoming packets for mapping. dot1p: Uses the 802.1p priority of incoming packets for mapping.
  • Page 40: Displaying And Maintaining Priority Mapping

    Follow these steps to configure the port priority of a port:
    Enter system view: system-view
    Enter interface view or ... (use either command; settings in interface view (Ethernet or WLAN-ESS) take effect on the current interface): interface interface-type interface-number
  • Page 41: Priority Mapping Configuration Examples (On WX Series Access Controllers)

    Display information about the priority trust mode on a port (available in any view; support for the keywords of the command varies by AC model; for more information, see QoS in the ACL and QoS Command Reference): display qos trust interface [ interface-type interface-number ]
  • Page 42: Trusted Priority Type Configuration Example

    Ethernet interface configuration prerequisites by hardware: WX5002, WX5002V2, WX5004: no special requirements; you can directly configure a GE interface on the access controller. Trusted priority type configuration example. Network requirements: as shown in Figure 5, the AC processes packets for AP 1, AP 2, and AP 3. Configure the AC to enqueue packets according to their 802.1p priority and use the user-defined priority mapping tables for priority mappings.
  • Page 43: Port Priority Configuration Example

    Port priority configuration example Network requirements As shown in Figure 6 , the AC processes the packets of AP 1, AP 2, and AP 3. Configure the AC to ensure that: Incoming packets are assigned local precedence values through priority mapping based on the port priority of receiving ports.
  • Page 44
    [AC-WLAN-ESS2] qos priority 3
    [AC-WLAN-ESS2] quit
    Set the priority of interface WLAN-ESS 3 to 5:
    [AC] interface WLAN-ESS 3
    [AC-WLAN-ESS3] qos priority 5
    [AC-WLAN-ESS3] quit
    Enable service template 1:
    [Sysname] wlan service-template 1
    [Sysname-wlan-st-1] service-template enable
    NOTE: For more information about WLAN-ESS interfaces, see WLAN Interface in the WLAN Configuration Guide.
  • Page 45: Traffic Policing And Line Rate Configuration

    Traffic policing and line rate configuration Traffic policing, traffic shaping, and rate limit are QoS techniques that help assign network resources such as bandwidth. They increase network performance and user satisfaction. For example, you can configure a flow to use only the resources committed to it in a certain time range, thus avoiding network congestion caused by burst traffic.
  • Page 46: Complicated Evaluation

    Each arriving packet is evaluated. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, the traffic is excessive.
  • Page 47: Line Rate

    the total. If the traffic of a certain session exceeds the limit, traffic policing can drop the packets or reset the IP precedence of the packets. See Figure 8. Figure 8 Schematic diagram for traffic policing (figure: tokens are put into the bucket at the set rate; packets to be sent through this interface are checked against the bucket) ...
  • Page 48: Configuration Task List

    forwarded. Otherwise, packets are put into QoS queues for congestion management. In this way, the traffic passing the physical interface is controlled. See Figure 9. Figure 9 Line rate implementation (figure: tokens are put into the bucket at the set rate; packets to be forwarded via this interface are checked against the bucket and sent) ...
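    The token bucket evaluation on pages 46 to 48 is the same mechanism behind traffic policing and line rate; the two differ only in what happens to excess traffic (policing drops or remarks it, line rate queues it). The following is an added example, not H3C code: a Python model of that evaluation run over a constructed packet trace. The bucket starting full, the 8000 bit/s rate, the 1000-byte burst and the `police` and `line_rate` function names are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model (not H3C code) of the token bucket evaluation the manual
# describes for traffic policing and line rate. Rates and sizes are made up.


@dataclass
class TokenBucket:
    rate_bps: float            # token fill rate in bits per second (the committed rate)
    burst_bytes: int           # bucket capacity in bytes (bounds the burst)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # assumed: the bucket starts full

    def _refill(self, now: float) -> None:
        """Tokens are put into the bucket at the set rate; overflow is discarded."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last = now

    def evaluate(self, now: float, size_bytes: int) -> bool:
        """Evaluate one arriving packet.

        Enough tokens: the packet conforms and the tokens for forwarding it are
        taken away. Not enough: the traffic is excessive and no tokens are removed.
        """
        self._refill(now)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


Packet = Tuple[float, int]   # (arrival time in seconds, size in bytes)


def police(trace: List[Packet], rate_bps: float, burst_bytes: int,
           excess_action: str = "drop") -> List[str]:
    """Traffic policing: conforming packets are forwarded; excess packets are
    dropped or, with excess_action="remark", forwarded with their IP precedence reset."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return ["forward" if bucket.evaluate(t, size) else excess_action for t, size in trace]


def line_rate(trace: List[Packet], rate_bps: float, burst_bytes: int) -> List[str]:
    """Line rate on an outgoing interface: the same evaluation, but packets that
    exceed the rate go to QoS queues for congestion management instead of being dropped."""
    return police(trace, rate_bps, burst_bytes, excess_action="queue")


# Constructed trace: a burst of five 500-byte packets at t=0, then three more at t=1.
TRACE: List[Packet] = [(0.0, 500)] * 5 + [(1.0, 500)] * 3

if __name__ == "__main__":
    # 8000 bit/s refills 1000 bytes per second; a 1000-byte bucket admits two packets per burst.
    print(police(TRACE, rate_bps=8000, burst_bytes=1000))
    print(line_rate(TRACE, rate_bps=8000, burst_bytes=1000))
```

    With these numbers only two packets of each burst conform; the third to fifth packets at t=0 and the third at t=1 are excess, and the only difference between the two runs is the label attached to them.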
  • Page 49: Configuring Traffic Policing In Policy-Based Approach

    Configuring traffic policing in the non-policy-based approach. NOTE: Support of the H3C WX series access controllers for this feature may vary by AC model. For more information, see Compatibility Matrices. With a user profile configured, you can perform traffic policing based on users. When any user of the user profile logs in, the authentication server automatically applies the CAR configured for the user profile to the user.
  • Page 50: Configuring Line Rate

    Configuring line rate NOTE: Support of the H3C WX series access controllers for this feature may vary by AC model. For more information, see Compatibility Matrices. The line rate of a physical interface specifies the maximum rate of outgoing packets.
  • Page 51: Displaying And Maintaining Line Rate

    Enter interface view or port group view (use either command; settings in interface view take effect on the current interface): interface interface-type interface-number
    Enter port group view (settings in port group view take effect on all ...): port-group manual port-group-name ...
  • Page 52: Congestion Management Configuration

    Congestion management configuration NOTE: Support of the H3C WX series access controllers for features may vary by AC model. For more information, see Compatibility Matrices. Causes, impacts, and countermeasures of congestion Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node.
  • Page 53: Congestion Management Policies

    Congestion management policies Queuing is a common technology used for congestion management. It classifies traffic into queues and picks out packets from each queue following a certain algorithm. There are various queuing algorithms, each addressing a particular network traffic problem. Your choice of algorithm affects bandwidth assignment, delay, and jitter significantly.
  • Page 54: Priority Queuing

    Priority queuing Figure 12 Priority queuing (PQ) Priority queuing is designed for mission-critical applications. The key feature of mission-critical applications is that they require preferential service to reduce the response delay when congestion occurs. Priority queuing can flexibly determine the order of forwarding packets by network protocol (for example, IP), incoming interface, packet length, source/destination address, and so on.
  • Page 55: Custom Queuing

    Custom queuing Figure 13 Custom queuing (CQ) CQ organizes packets into 16 classes (corresponding to 16 queues) by certain match criteria. A certain class of packets enters the corresponding custom queue according to FIFO queuing. Queues 1 through 16 are customer queues, as shown in Figure 13 .
  • Page 56: Configuring PQ

    mentioned to offer powerful QoS capabilities, meeting different QoS requirements of different applications. Table 9 compares these queuing technologies for efficient use. Table 9 Congestion management technology comparison (columns: Type, Number of queues, Advantages, Disadvantages). First row: All packets are treated equally. The available bandwidth, delay and drop probability are determined by the arrival order of the packets.
  • Page 57: PQ Configuration Procedure

    PQ configuration procedure. You can configure PQ by applying a PQ list to an interface. For an interface, the latest applied PQ list overwrites the previous one. Follow these steps to configure PQ:
    Enter system view: system-view
    ...
  • Page 58: PQ Configuration Example On WX5002

    PQ configuration example on WX5002. Table 10 describes the Ethernet interface configuration prerequisites on different WX series access controllers. Table 10 Ethernet interface configuration prerequisites by hardware: LS8M1WCMA0, LSQM1WCMB0, LSBM1WCM2A0: no special requirements; you can directly configure Ethernet interfaces on the switch. To configure wireless features during the ...
  • Page 59 Figure 14 Network diagram for PQ configuration (figure: Server connected through GE 1/0/1 and the IP network to AP 1 and AP 2, serving Client A and Client B). Configuration procedure. Enter system view:
    <AC> system-view
    [AC] undo l2fw fast-forwarding
    Configure PQ list 1 to assign packets with local precedence value 7 to the top queue and packets with local precedence value 1 to the bottom queue:
    [AC] qos pql 1 local-precedence 7 queue top
    [AC] qos pql 1 local-precedence 1 queue bottom
    ...
  • Page 60: PQ Configuration Example (On Any H3C WX Access Controllers But WX5002)

    PQ configuration example (on any H3C WX access controllers but WX5002) NOTE: For Ethernet interface configuration prerequisites on different H3C WX access controllers, see Table 10 . This configuration example was created on WX3024. Network requirements As shown in Figure 14 , Client A and Client B get data from Server through the AC.
  • Page 61: Configuration Procedure

    Configuration procedure. Follow these steps to configure CQ:
    Enter system view: system-view
    Configure a CQ list (optional; use a command as needed): qos cql cql-index protocol protocol-name queue-key key-value queue queue-number; qos cql cql-index inbound-interface interface-type interface-number queue queue-number; qos cql cql-index ...
  • Page 62: CQ Configuration Example On WX5002

    [Sysname-GigabitEthernet1/0/1] qos cq cql 1
    [Sysname-GigabitEthernet1/0/1] qos trust dot1p
    CQ configuration example (on any H3C WX access controllers but WX5002). NOTE: For Ethernet interface configuration prerequisites on different H3C WX access controllers, see Table 10. This configuration example was created on WX3024.
  • Page 63 Network requirements. Configure CQ to assign packets from interface GigabitEthernet 1/0/1 to queue 1 and specify queue 1 to send 1635000 bytes during a cycle of round robin queue scheduling. Configuration procedure. Enter system view:
    <Sysname> system-view
    Configure queue 1 as the default queue in CQ list 1:
    [Sysname] qos cql 1 default-queue 1
    Configure CQ list 1 to assign packets with local precedence value 4 to queue 1:
    [Sysname] qos cql 1 local-precedence 4 queue 1
    ...
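    The CQ example on pages 55 and 61 to 63 combines three things: a local-precedence-to-queue mapping, a default queue for unmapped traffic, and a per-queue byte count that bounds what each queue sends in one round-robin cycle. The following is an added example, not H3C code: a Python model of that scheduler with 16 custom queues. The byte counts, the packet sizes, the lp 2 mapping and the assumption that a packet which crosses the byte count still goes out whole are this example's own; only the lp 4 to queue 1 mapping and the default-queue idea come from the page.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

# Constructed model (not H3C code) of custom queuing (CQ): classify packets into
# numbered queues by local precedence, then serve the queues round robin, each
# sending up to its byte count per cycle. Queue numbers, byte counts and packets are made up.

Packet = Tuple[str, int, int]   # (name, local precedence, size in bytes)


class CustomQueuing:
    def __init__(self, default_queue: int, byte_counts: Dict[int, int]) -> None:
        # Queues 1 through 16 are the custom queues; each holds packets in FIFO order.
        self.queues: Dict[int, Deque[Packet]] = {q: deque() for q in range(1, 17)}
        self.default_queue = default_queue            # like "qos cql ... default-queue N"
        self.byte_counts = byte_counts                # bytes a queue may send per round-robin cycle
        self.lp_to_queue: Dict[int, int] = {}         # like "qos cql ... local-precedence X queue N"

    def map_local_precedence(self, lp: int, queue: int) -> None:
        self.lp_to_queue[lp] = queue

    def enqueue(self, pkt: Packet) -> int:
        """Place the packet in the queue its local precedence maps to, else the default queue."""
        queue = self.lp_to_queue.get(pkt[1], self.default_queue)
        self.queues[queue].append(pkt)
        return queue

    def dequeue_cycle(self) -> List[Tuple[int, str]]:
        """One round-robin pass: each non-empty queue sends packets until it has sent at
        least its byte count (assumed: a packet that crosses the limit still goes out whole)."""
        sent: List[Tuple[int, str]] = []
        for q in range(1, 17):
            budget = self.byte_counts.get(q, 1500)   # assumed per-cycle default when none is configured
            done = 0
            while self.queues[q] and done < budget:
                pkt = self.queues[q].popleft()
                done += pkt[2]
                sent.append((q, pkt[0]))
        return sent

    def drain(self) -> List[Tuple[int, str]]:
        """Run cycles until every queue is empty; returns the transmit order."""
        order: List[Tuple[int, str]] = []
        while any(self.queues.values()):
            order.extend(self.dequeue_cycle())
        return order


def demo() -> List[Tuple[int, str]]:
    """Constructed scenario: queue 1 may send 3000 bytes per cycle, queue 2 only 1000."""
    cq = CustomQueuing(default_queue=1, byte_counts={1: 3000, 2: 1000})
    cq.map_local_precedence(4, 1)   # lp 4 -> queue 1 (as in the page 63 example)
    cq.map_local_precedence(2, 2)   # lp 2 -> queue 2 (constructed)
    for name, lp, size in [("a1", 4, 1500), ("a2", 4, 1500), ("a3", 4, 1500), ("a4", 4, 1500),
                           ("b1", 2, 1500), ("b2", 2, 1500), ("b3", 2, 1500),
                           ("c1", 7, 1500)]:   # lp 7 has no mapping -> default queue 1
        cq.enqueue((name, lp, size))
    return cq.drain()


if __name__ == "__main__":
    print(demo())
```

    Running `demo` shows queue 1 getting two packets per cycle to queue 2's one, and the unmapped lp 7 packet landing in the default queue; raising a queue's byte count is what shifts bandwidth toward it.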
  • Page 64: Support And Other Resources

    Web-based Configuration Guide the WX Series WLAN Access Controllers. Contact us You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support &...
  • Page 65: Typographical Conventions And Symbols

    Convention / Element:
    Blue text (for example, Table 10): cross-reference links and email addresses
    Blue underlined text (for example, http://www.h3c.com): website addresses
    Bold text: keys that are pressed; text entered into a GUI element, such as a box; GUI elements that are clicked or selected, such as ...
  • Page 66: Symbols

    Italic text: text emphasis
    Monospace text: file and directory names; system output; code; commands, their arguments, and argument values
    Monospace italic text: code variables; command variables
    Monospace bold text: emphasized monospace text
    Indication that example continues
    Symbols. WARNING! Indicates that failure to follow directions could result in bodily harm or death.
  • Page 67: Index

    Index access control list inverse mask, 10 defined, 8 IPv4 ACL configuration task list, 12 categories, 8 configuration example, 21 displaying and maintaining, 20 copying, 20 IPv4 configuration example, 21 fragments filtering with ACLs, 12 IPv6 configuration example, 22 IPv4 advanced ACL, configuring, 16 match orders, 9 IPv4 basic ACL, configuring, 14 numbering and naming, 9...
  • Page 68 trusted priority type configuration, 43 policy approach, 28 trusting port priority configuration, 44 QoS policy applying to interface, 32 applying to online users, 33 displaying and maintaining, 34 queuing port priority, configuring, 40 custom, 57 priority mapping FIFO, 55 changing port priority, 38 priority, 56 configuration tasks, 37 configuring port to trust packet priority, 39...
  • Page 69 WLAN-ESS interface, 40...

This manual is also suitable for:

WX5002
