H3C S5120-SI Configuration Manual
H3C S5120-SI Switch Series
ACL and QoS Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 1505
Document version: 6W101-20111108


Summary of Contents for H3C S5120-SI

  • Page 1 H3C S5120-SI Switch Series ACL and QoS Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release 1505 Document version: 6W101-20111108...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice.
  • Page 3 The H3C S5120-SI documentation set includes 10 configuration guides, which describe the software features for the H3C S5120-SI Switch Series, Release 1505, and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios.
  • Page 4 Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 5 Release notes technical support information, and software upgrading. Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation:...
  • Page 6 – Provides information about products and technologies, as well as solutions. [Technical Support & Documents > Software Download] – Provides the documentation released with the software version. Technical support customer_service@h3c.com http://www.h3c.com Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 7: Table Of Contents

    Contents
    ACL configuration, 1
    ACL overview, 1
    ACL applications on the switch, 1
    ACL categories, 1
    ACL numbering and naming, 2
    Match order, 2
    ACL rule comments and rule range remarks, 3
    ACL rule numbering, 3
    Implementing time-based ACL rules, 4
    IPv4 fragment filtering with ACLs, 4
    ACL configuration task list, 4
    Configuring an ACL, 5...
  • Page 8
    Priority mapping configuration task list, 25
    Configuring priority mapping, 26
    Configuring a priority mapping table, 26
    Configuring a port to trust packet priority for priority mapping, 26
    Changing the port priority of an interface, 27
    Displaying and maintaining priority mapping, 27
    Priority mapping configuration examples...
  • Page 9
    Appendix A Default priority mapping tables, 52
    Appendix B Introduction to packet precedences, 53
    IP precedence and DSCP values, 53
    802.1p priority, 54
    Index, 56...
  • Page 10: Acl Configuration

    ACL configuration
    This chapter includes these sections:
      • ACL overview
      • ACL configuration task list
      • Configuring an ACL
      • Configuring a time range
      • Configuring a basic ACL
      • Configuring an advanced ACL
      • Configuring an Ethernet frame header ACL
      ...
  • Page 11: Acl Numbering And Naming

    Category ACL number IP version Match criteria Source IPv4 address, destination IPv4 address, IPv4 protocols over IPv4, and other Layer 3 and Layer 4 header fields Advanced ACLs 3000 to 3999 Source IPv6 address, destination IPv6 address, IPv6 protocols over IPv6, and other Layer 3 and Layer 4 header fields Layer 2 header fields, such as source and Ethernet frame...
  • Page 12: Acl Rule Comments And Rule Range Remarks

    ACL category Sequence of tie breakers Specific protocol type rather than IP (IP represents any protocol over IP) More 0s in the source IP address wildcard mask More 0s in the destination IP address wildcard IPv4 advanced ACL Narrower TCP/UDP service port number range Smaller ID Longer prefix for the source IP address (a longer prefix means a narrower IP address range)
  • Page 13: Implementing Time-Based Acl Rules

    numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID.
  • Page 14: Configuring An Acl

    Task Remarks Applying an IPv4 ACL for Packet Filtering Optional Applying an IPv6 ACL for Packet Filtering Configuring an ACL Configuring a time range Follow these steps to configure a time range: To do… Use the command… Remarks Enter system view system-view ––...
  • Page 15 To do… Use the command… Remarks Optional Configure a description for the description text By default, an IPv4 basic ACL has IPv4 basic ACL no ACL description. Optional Set the rule numbering step step step-value 5 by default. Required rule [ rule-id ] { deny | permit } By default, an IPv4 basic ACL does [ fragment | source { sour-addr Create or edit a rule...
  • Page 16: Configuring An Advanced Acl

    Configuring an advanced ACL Configuring an IPv4 advanced ACL IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes. IPv4 advanced ACLs also allow you to filter packets based on these priority criteria: type of service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
  • Page 17: Configuring An Ethernet Frame Header Acl

    Configuring an IPv6 advanced ACL IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code. Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
  • Page 18: Copying An Acl

    To do… Use the command… Remarks Enter system view system-view –– Required By default, no ACL exists. Ethernet frame header ACLs are acl number acl-number [ name numbered in the range 4000 to Create an Ethernet frame header acl-name ] [ match-order { auto | 4999.
  • Page 19: Packet Filtering With Acls

    To do… / Use the command… / Remarks
    Enter system view / system-view / —
    Copy an existing IPv4 ACL to create a new IPv4 ACL / acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name } / Required
    Copying an IPv6 ACL
    Follow these steps to copy an IPv6 ACL:
    To do…...
  • Page 20: Displaying And Maintaining Acls

    Displaying and maintaining ACLs To do... Use the command… Remarks display acl { acl-number | all | name Display configuration and match acl-name } [ slot slot-number ] [ | { begin | Available in any view statistics for one or all IPv4 ACLs exclude | include } regular-expression ] display acl ipv6 { acl6-number | all | name Display configuration and match...
  • Page 21: Ipv6 Acl Application Configuration Example

    <DeviceA> system-view
    [DeviceA] time-range study 8:00 to 18:00 daily
    # Create IPv4 ACL 2009, and configure two rules in the ACL. One rule permits packets sourced from Host A at 192.168.1.2 and the other rule denies packets sourced from any other host during the time range study.
  • Page 22: Qos Overview

    QoS overview
    This chapter includes these sections:
      • Introduction to QoS
      • QoS service models
      • QoS techniques overview
    Introduction to QoS
    In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate. Network resources are scarce.
  • Page 23: Diffserv Model

    The IntServ model demands high storage and processing capabilities because it requires all nodes along the transmission path to maintain resource state information for each flow. The model is suitable for small-sized or edge networks, but not large-sized networks, for example, the core layer of the Internet, where billions of flows are present.
  • Page 24
      • Congestion management provides a resource scheduling policy to determine the packet forwarding sequence when congestion occurs. Congestion management usually applies to the outgoing traffic of a port.
      • Congestion avoidance monitors the network resource usage and is usually applied to the outgoing traffic of a port.
  • Page 25: Qos Configuration Approaches

    QoS configuration approaches
    This chapter includes these sections:
      • QoS configuration approach overview
      • Configuring a QoS policy
    QoS configuration approach overview
    The following approaches are available for configuring QoS:
      • Non-policy approach
      • Policy approach
    Some features support both approaches, but some support only one.
    Non-policy approach
    In the non-policy approach, you can configure QoS service parameters without using a QoS policy.
  • Page 26: Defining A Class

    Figure 4 QoS policy configuration procedure (define a class, define a behavior, define a policy, then apply the policy to an interface, to online users, to a VLAN, or globally)
    Defining a class
    To define a class, specify its name and then configure the match criteria in class view.
  • Page 27 match-criteria Table 2 The keyword and argument combinations for the argument Keyword and argument combination Description Matches an ACL The acl-number argument ranges from 2000 to 3999 for an IPv4 ACL, 2000 to 3999 for an IPv6 ACL, and 4000 to 4999 for an acl [ ipv6 ] { acl-number | name Ethernet frame header ACL.
  • Page 28: Defining A Traffic Behavior

    NOTE: To successfully execute the traffic behavior associated with a traffic class that uses the AND operator, define only one if-match clause for any of the following match criteria and input only one value for any of list 8021p-list the following arguments, for example, the argument: 8021p-list...
  • Page 29: Applying The Qos Policy

    To do… Use the command… Remarks Required Associate a class with a behavior classifier tcl-name behavior Repeat this step to create more in the policy behavior-name class-behavior associations. NOTE: If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the ACL are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the match mode of the if-match clause is deny or permit.
  • Page 30 Applying the QoS policy to online users
    You can apply a QoS policy to the incoming traffic from online users. To modify a QoS policy that has already been applied to an online user, you must remove the QoS policy application first.
    Follow these steps to apply the QoS policy to online users:
    To do…...
  • Page 31: Displaying And Maintaining Qos Policies

    To do… Use the command… Remarks Enter system view system-view — qos apply policy policy-name Apply the QoS policy globally Required global inbound Displaying and maintaining QoS policies To do… Use the command… Remarks display traffic classifier user-defined [ tcl-name ] Display traffic class configuration [ | { begin | exclude | include } Available in any view...
  • Page 32: Priority Mapping Configuration

    The locally assigned priorities have only local significance. They are assigned by the device for scheduling only. These priorities include the local precedence and drop precedence. Local precedence is used for queuing. The S5120-SI switches map eight local precedence values to •...
  • Page 33: Priority Mapping Tables

    The H3C S5120-SI Switch Series provide the following priority trust modes: dot1p: Uses the 802.1p priority carried in packets for priority mapping.
  • Page 34: Priority Mapping Configuration Task List

    You can modify priority mappings by modifying priority mapping tables, priority trust mode on a port, and port priority. H3C recommends that you plan QoS throughout the network before making QoS configuration. Complete the following task to configure priority mapping:...
  • Page 35: Configuring Priority Mapping

    Configuring priority mapping Configuring a priority mapping table Follow these steps to configure an uncolored priority mapping table: To do… Use the command… Remarks Enter system view system-view — qos map-table { dot1p-dot1p | Enter priority mapping table view dot1p-dscp | dot1p-lp | Required dscp-dot1p | dscp-dscp | dscp-lp } Required...
  • Page 36: Changing The Port Priority Of An Interface

    Changing the port priority of an interface Follow these steps to change the port priority of an interface: To do… Use the command… Remarks Enter system view system-view — Enter Use either command interface interface-type Enter interface Settings in interface view take effect on interface-number interface view...
  • Page 37 Table 4 Configuration plan Queuing plan Traffic Traffic priority order Local Output Queue destination Traffic source precedence queue priority R&D High department R&D department > Management Public servers management department > Medium department marketing department Marketing department Figure 6 Network diagram for priority mapping configuration Internet Host Host...
  • Page 38: Priority Mapping Table And Priority Marking Configuration Example

    # Set the port priority of GigabitEthernet 1/0/3 to 5.
    [Device] interface gigabitethernet 1/0/3
    [Device-GigabitEthernet1/0/3] qos priority 5
    [Device-GigabitEthernet1/0/3] quit
    Configure the priority mapping table
    # Configure the 802.1p-to-local priority mapping table to map 802.1p priority values 3, 4, and 5 to local precedence values 2, 6, and 4.
  • Page 39 Queuing plan Traffic Traffic priority order Traffic Local Output Queue destination source precedence queue priority R&D department Management department Internet through Management > marketing department High HTTP department > R&D department Marketing Medium department Figure 7 Network diagram for priority mapping table and priority marking configuration Internet Host Host...
  • Page 40
    [Device] interface gigabitethernet 1/0/3
    [Device-GigabitEthernet1/0/3] qos priority 5
    [Device-GigabitEthernet1/0/3] quit
    Configure the priority mapping table
    # Configure the 802.1p-to-local priority mapping table to map 802.1p priority values 3, 4, and 5 to local precedence values 2, 6, and 4.
    [Device] qos map-table dot1p-lp
    [Device-maptbl-dot1p-lp] import 3 export 2
    [Device-maptbl-dot1p-lp] import 4 export 6
    [Device-maptbl-dot1p-lp] import 5 export 4...
  • Page 41
    [Device] traffic behavior rd
    [Device-behavior-rd] remark dot1p 3
    [Device-behavior-rd] quit
    [Device] qos policy rd
    [Device-qospolicy-rd] classifier http behavior rd
    [Device-qospolicy-rd] quit
    [Device] interface gigabitethernet 1/0/2
    [Device-GigabitEthernet1/0/2] qos apply policy rd inbound...
  • Page 42: Line Rate Configuration

    Line rate configuration
    This chapter includes these sections:
      • Line rate
      • Configuring the line rate
      • Displaying and maintaining line rate
    Line rate
    NOTE: Line rate supports rate-limiting traffic in the inbound direction and the outbound direction. The following description uses the outbound direction as an example.
  • Page 43: Configuring The Line Rate

    Configuring the line rate Configuration procedure Follow these steps to configure the line rate: To do… Use the command… Remarks Enter system view system-view — Enter Use either command Enter interface interface interface-type interface-number Settings in interface view take interface view effect on the current interface;...
  • Page 44: Congestion Management Configuration

    Congestion management configuration
    This chapter includes these sections:
      • Congestion management overview
      • Configuring SP queuing
      • Configure WRR queuing
      • Configuring SP+WRR queues
    Congestion management overview
    Causes, impacts, and countermeasures
    Network congestion degrades service quality on a traditional network. Congestion is a situation where the forwarding rate decreases due to insufficient resources, and results in extra delay.
  • Page 45 Queue scheduling processes packets by their priorities, preferentially forwarding high-priority packets. Each port on an S5120-SI switch provides four queues numbered 3, 2, 1, and 0, which are assigned to local precedence values 6 and 7, 4 and 5, 2 and 3, and 0 and 1, respectively. This section describes in detail Strict Priority (SP) queuing, Weighted Round Robin (WRR) queuing, and SP+WRR queuing.
  • Page 46 Once a queue is empty, WRR schedules the next queue immediately. The H3C S5120-SI Switch Series support group-based WRR queuing. You can assign output queues to WRR queuing group 1 and WRR queuing group 2. The switch uses WRR queuing to schedule queues in each group according to their weights, and then uses SP queuing to schedule the dequeued packets.
  • Page 47: Configuring Sp Queuing

    Figure 12 Scheduling process of WRR with two WRR queuing groups (WRR group 1: queue 0 with weight 1 and queue 1 with weight 2; WRR group 2: queue 2 with weight 1 and queue 3 with weight 3; SP scheduling feeds the sending queue)
    SP+WRR queuing
    SP+WRR queuing uses one SP queuing group and two WRR queuing groups.
  • Page 48: Configuration Example

    To do… Use the command… Remarks Enter system view system-view — Enter Use either command. interface interface-type Enter interface Settings in interface view take effect on interface-number interface view the current interface. Settings in port view or port group view take effect on all ports in the Enter port port-group manual group view...
  • Page 49: Configuration Examples

    To do… Use the command… Remarks display qos wrr interface Optional Display WRR queuing [ interface-type interface-number ] [ | configuration information { begin | exclude | include } Available in any view. regular-expression ] NOTE: To guarantee that WRR correctly schedules queues according to their weights, make sure that the queue IDs in each WRR group are contiguous.
  • Page 50: Configuration Examples

    NOTE: To guarantee that WRR correctly schedules queues according to their weights, make sure that the queue IDs in each WRR group are contiguous.
    Configuration examples
    Network requirements
      • Adopt the SP+WRR queue scheduling algorithm on GigabitEthernet1/0/1.
      • Configure queue 0 on GigabitEthernet1/0/1 to be in the SP queue scheduling group.
      ...
  • Page 51: Traffic Filtering Configuration

    Traffic filtering configuration
    This chapter includes these sections:
      • Traffic filtering overview
      • Configuring traffic filtering
      • Traffic filtering configuration example
    Traffic filtering overview
    You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
  • Page 52: Traffic Filtering Configuration Example

    To do… Use the command… Remarks To an interface Applying the QoS policy to an interface — To online users Applying the QoS policy to online users — Apply the QoS policy To a VLAN Applying the QoS policy to a VLAN —...
  • Page 53
    [DeviceA-qospolicy-policy] classifier classifier_1 behavior behavior_1
    [DeviceA-qospolicy-policy] quit
    # Apply the policy named policy to the incoming traffic of GigabitEthernet 1/0/1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] qos apply policy policy inbound...
  • Page 54: Priority Marking Configuration

    Priority marking configuration
    This chapter includes these sections:
      • Priority marking overview
      • Configuring priority marking
      • Priority marking configuration example
    Priority marking overview
    NOTE: Priority marking can be used together with priority mapping. For more information, see the chapter “Priority mapping configuration.”...
  • Page 55: Priority Marking Configuration Example

    To do… Use the command… Remarks Create a policy and enter qos policy policy-name — policy view Associate the class with the traffic behavior in the QoS classifier tcl-name behavior behavior-name — policy Return to system view quit — To an interface Applying the QoS policy to an interface —...
  • Page 56: Configuration Procedure

    Configuration procedure
    # Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
    <Device> system-view
    [Device] acl number 3000
    [Device-acl-adv-3000] rule permit ip destination 192.168.0.1 0
    [Device-acl-adv-3000] quit
    # Create advanced ACL 3001, and configure a rule to match packets with destination IP address 192.168.0.2.
  • Page 57
    # Create a policy named policy_server, and associate classes with behaviors in the policy.
    [Device] qos policy policy_server
    [Device-qospolicy-policy_server] classifier classifier_dbserver behavior behavior_dbserver
    [Device-qospolicy-policy_server] classifier classifier_mserver behavior behavior_mserver
    [Device-qospolicy-policy_server] classifier classifier_fserver behavior behavior_fserver
    [Device-qospolicy-policy_server] quit
    # Apply the policy named policy_server to the incoming traffic of GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] qos apply policy policy_server inbound
    [Device-GigabitEthernet1/0/1] quit...
  • Page 58: Traffic Redirecting Configuration

    Traffic redirecting configuration
    This chapter includes these sections:
      • Traffic redirecting overview
      • Configuring traffic redirecting
    Traffic redirecting overview
    Traffic redirecting redirects the packets matching the specific match criteria to a certain location for processing. The following redirecting actions are supported:
      • Redirecting traffic to an interface: redirects packets that require processing by an interface to the...
  • Page 59: Burst

    Burst
    This chapter includes these sections:
      • Burst overview
      • Configuring burst
      • Burst configuration example
    Burst overview
    The burst function improves packet buffering and forwarding performance in the following scenarios:
      • Dense broadcast or multicast traffic and massive burst traffic are present.
      ...
  • Page 60: Configuration Procedure

    Figure 16 Network diagram for burst configuration
    Configuration Procedure
    # Enter system view.
    <Switch> system-view
    # Enable the burst function.
    [Switch] burst-mode enable...
  • Page 61: Appendix A Default Priority Mapping Tables

    Appendix A Default priority mapping tables NOTE: For the default dscp-dscp priority mapping tables, an input value yields a target value equal to it. Table 6 The default dot1p-lp and dot1p-dp priority mapping tables Input priority value dot1p-lp mapping dot1p-dp mapping Local precedence 802.1p priority (dot1p) Drop precedence (dp)
  • Page 62: Appendix B Introduction To Packet Precedences

    Appendix B Introduction to packet precedences
    IP precedence and DSCP values
    Figure 17 ToS and DS fields
    As shown in Figure 17, the ToS field in the IP header contains eight bits. The first three bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field is redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63.
  • Page 63: 802.1P Priority

    DSCP value (decimal) DSCP value (binary) Description
    010100 af22
    010110 af23
    011010 af31
    011100 af32
    011110 af33
    100010 af41
    100100 af42
    100110 af43
    001000
    010000
    011000
    100000
    101000
    110000
    111000
    000000 be (default)
    802.1p priority...
  • Page 64 Figure 19 802.1Q tag header (four bytes: TPID, tag protocol identifier, followed by TCI, tag control information, which carries the Priority and VLAN ID fields)...
  • Page 65: Index

    Index
    A B C D I P Q T
    Displaying and maintaining ACLs,11
    Displaying and maintaining line rate,34
    ACL configuration examples,11
    Displaying and maintaining priority mapping,27
    ACL configuration task list,4
    Displaying and maintaining QoS policies,22
    overview,1
    Introduction to QoS,13
    Burst configuration example,50...
