H3C S9500 Series Routing Switches Operation Manual-(V1.01)

07-QACL Operation

Table of Contents

Chapter 1 ACL Configuration
1.1 ACL Overview
1.1.1 Introduction to ACL
1.1.2 ACLs Supported
1.2 ACL Configuration Tasks
1.2.1 Configuring Time Range
1.2.2 Defining and Applying Flow Template
1.2.3 Defining ACL
1.2.4 Activating ACL
1.3 Displaying and Debugging ACL Configurations
1.4 ACL Configuration Example
1.4.1 Advanced ACL Configuration Example
1.4.2 Basic ACL Configuration Example
1.4.3 Layer 2 ACL Configuration Example
1.4.4 Example of BT Traffic Control Configuration

Chapter 2 QoS Configuration
2.1 QoS Overview
2.2 QoS Configuration
2.2.1 Configuring Service Parameter Allocation Rule
2.2.2 Configuring Traffic Policing
2.2.3 Configuring Traffic Shaping
2.2.4 Configuring Traffic Priority
2.2.5 Configuring Traffic Redirection
2.2.6 Configuring Queue Scheduling
2.2.7 Configuring WRED Parameters
2.2.8 Configuring Traffic Mirroring
2.2.9 Configuring Port Mirroring
2.2.10 Configuring Traffic Statistics
2.2.11 Displaying and Debugging QoS Configuration
2.3 QoS Configuration Example
2.3.1 Traffic Shaping Configuration Example
2.3.2 Port Mirroring Configuration Example
2.3.3 Traffic Priority Configuration Example
2.3.4 Traffic Redirection Configuration Example
2.3.5 Queue Scheduling Configuration Example
2.3.6 WRED Parameters Configuration Example
2.3.7 Traffic Statistics Configuration Example

Chapter 3 Logon User ACL Control Configuration
3.1 Overview
3.2 Configuring ACL for Telnet/SSH Users
3.2.1 Configuration Prerequisites
3.2.2 Configuration Tasks
3.2.3 Layer 2 ACL Control Configuration Example
3.2.4 Basic ACL Control Configuration Example
3.3 Configuring ACL for SNMP Users
3.3.1 Configuration Prerequisites
3.3.2 Configuration Tasks
3.3.3 ACL Control over SNMP Users Configuration Example

Chapter 4 VLAN-ACL Configuration
4.1 VLAN-ACL Overview
4.2 VLAN-ACL Configuration
4.2.1 Configuration Prerequisites
4.2.2 Configuring a VLAN-ACL
4.2.3 VLAN-ACL Configuration Example

 


Chapter 1  ACL Configuration

1.1  ACL Overview

1.1.1  Introduction to ACL

Before packets can be filtered, a series of match rules must be configured to recognize them. Only when packets have been identified can the network take the corresponding action, allowing or prohibiting them according to the preset policies. An access control list (ACL) is designed to achieve these functions.

ACLs classify packets using a series of matching rules, which can be source addresses, destination addresses and port IDs. ACLs can be used globally on the switch or just at a port, through which the switch determines whether to forward or drop the packets.

The matching rules defined in ACLs can also be imported to differentiate traffic in other situations, for example, defining traffic classification rules in QoS.

An ACL can include many rules, which may be defined for packets within different address ranges, so the order in which the rules are matched matters.

I. ACLs being activated directly on hardware

ACLs can be delivered to hardware for traffic filtering and classification.

ACLs are sent directly to hardware when they are referenced to provide QoS functions and when they are used to filter and forward packets.

II. ACLs being referenced by upper-level modules

ACLs may also be used to filter and classify packets processed by software. In this case you can define the matching order for the rules in an ACL. Two matching modes are available: config (user-defined order) and auto (depth first, determined by the system). You cannot modify the matching order once you have defined it for an ACL rule, unless you delete the rule and redefine the matching order.

ACLs are referenced by upper-level modules when, for example, they are used to implement routing policies or to control logon users.

 

Note:

The depth-first principle puts the statement with the smaller packet range in front. The packet range can be determined by comparing IP address wildcards: the smaller the wildcard, the smaller the host range. For example, the address 129.102.1.1 0.0.0.0 specifies the single host 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies the segment 129.102.1.1 to 129.102.255.255, so the rule for 129.102.1.1 0.0.0.0 is put in front. Specifically: for basic ACL rules, compare the wildcards of the source addresses directly and follow config order if the wildcards are equal; for ACL rules used in port packet filtering, the rules configured with any are put at the end and the other rules follow config order; for advanced ACL rules, first compare the wildcards of the source addresses, then the wildcards of the destination addresses if the source wildcards are equal, then the port IDs if the destination wildcards are also equal, and follow config order if the port IDs are equal too.
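The depth-first ordering described in the note, as an added example (not code from the manual or from H3C). It models the principle for basic ACLs (compare source wildcards) and advanced ACLs (source wildcard, then destination wildcard, then port, then config order) and shows why order matters: in config order a broad deny entered first shadows a narrow permit for the same host. Treating a rule without a port as matching any port, so that it sorts after a rule that names one, is this example's own assumption, and all names are its own.

```python
"""Depth-first ("auto") rule ordering and first-match evaluation for ACL rules.

Added example, not from the H3C manual. Rule and function names are this
example's own; the ordering follows the note above.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")     # 'any' == every address


def split_addr(spec: str) -> Tuple[str, str]:
    """'129.102.1.1 0.0.255.255' -> (address, wildcard); 'any' -> all addresses."""
    if spec == "any":
        return ANY
    addr, wildcard = spec.split()
    return addr, wildcard


def wildcard_hosts(wildcard: str) -> int:
    """Number of addresses a wildcard covers: each 1 bit doubles the range.
    0.0.0.0 covers one host, 0.0.255.255 covers 65536 addresses."""
    return 1 << bin(int(IPv4Address(wildcard))).count("1")


def addr_matches(spec: str, ip: str) -> bool:
    """A wildcard bit of 1 means 'do not care' for that address bit."""
    addr, wildcard = split_addr(spec)
    a, w, p = (int(IPv4Address(x)) for x in (addr, wildcard, ip))
    return (a ^ p) & ~w == 0


@dataclass
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    source: str = "any"                    # "addr wildcard" or "any"
    destination: Optional[str] = None      # advanced ACL only
    dest_port: Optional[int] = None        # advanced ACL only
    config_order: int = 0                  # position in which the rule was entered


def depth_first_key(rule: Rule):
    """Sort key for the depth-first principle: the smaller the wildcard (fewer
    addresses), the earlier the rule; ties fall through to the next field and
    finally to config order. A rule with no port is assumed to match any port."""
    src = wildcard_hosts(split_addr(rule.source)[1])
    dst = wildcard_hosts(split_addr(rule.destination)[1]) if rule.destination else 1 << 32
    port = 0 if rule.dest_port is not None else 1
    return (src, dst, port, rule.config_order)


def auto_order(rules: List[Rule]) -> List[Rule]:
    """Return the rules in match-order auto (depth-first) order."""
    return sorted(rules, key=depth_first_key)


def first_match(rules: List[Rule], src_ip: str, dst_ip: Optional[str] = None,
                dst_port: Optional[int] = None) -> Optional[str]:
    """Action of the first rule that matches, or None when no rule matches."""
    for rule in rules:
        if not addr_matches(rule.source, src_ip):
            continue
        if rule.destination and (dst_ip is None or not addr_matches(rule.destination, dst_ip)):
            continue
        if rule.dest_port is not None and rule.dest_port != dst_port:
            continue
        return rule.action
    return None


# Constructed sample: entered in config order, the segment-wide deny comes first
# and shadows the single-host permit; auto order puts the host rule in front.
SAMPLE_RULES = [
    Rule(0, "deny", "129.102.1.1 0.0.255.255", config_order=0),
    Rule(1, "permit", "129.102.1.1 0.0.0.0", config_order=1),
    Rule(2, "deny", "any", config_order=2),
]

if __name__ == "__main__":
    print("config order:", first_match(SAMPLE_RULES, "129.102.1.1"))                # deny
    print("auto order:  ", first_match(auto_order(SAMPLE_RULES), "129.102.1.1"))    # permit
```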

 

Note:

The user-defined ACL matching order takes effect only when multiple rules of one ACL are applied at the same time. For example, an ACL has two rules. If the two rules are not applied simultaneously, even if you configure the matching order to be depth first, the switch still matches them according to their application order.

If one rule is a subset of another rule in an ACL, it is recommended to apply the rules according to the range of the specified packets. The rule with the smallest range of the specified data packets is applied first, and then other rules are applied based on this principle.

 

1.1.2  ACLs Supported

The switch supports these types of ACLs:

- Number-based basic ACLs
- Name-based basic ACLs
- Number-based advanced ACLs
- Name-based advanced ACLs
- Number-based Layer 2 ACLs
- Name-based Layer 2 ACLs

The requirements for the various ACLs available on the switch are listed in the following table.

Table 1-1 Requirements for defining ACLs

| Item | Number range | Maximum number |
|---|---|---|
| Number-based basic ACL | 2000 to 2999 | 1000 |
| Number-based advanced ACL | 3000 to 3999 | 1000 |
| Number-based Layer 2 ACL | 4000 to 4999 | 1000 |
| Name-based basic ACL | - | - |
| Name-based advanced ACL | - | - |
| Name-based Layer 2 ACL | - | - |
| Maximum rules for an ACL | 0 to 127 | 128 |
| Maximum rules for the system | - | 12288 |

 

Table 1-2 Max ACL rules that can be activated on different interface cards

| Interface card suffix | MPLS support | Max number of ACL rules supported for each card/interface |
|---|---|---|
| B, DA, DB, DC | MPLS not supported | 1024 |
| C, CA, CB | MPLS supported | 1023 |

 

A maximum of 12288 ACL rules can be activated on the whole service processor card.

 

Note:

The suffix of the card can be identified through the silkscreen on the upper-right corner of the front panel of the card. For example, the silkscreen of the LSBGP12B0 is GP12B, so the suffix of the card is B.

 

1.2  ACL Configuration Tasks

The following table describes the ACL configuration tasks for interface cards.

Table 1-3 ACL configuration tasks for interface cards

- Enter system view
  Command: system-view

- Configure the time range
  Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
  Description: Optional

- Define a flow template
  Command: flow-template user-defined slot slotid template-info
  Description: Optional

- Enter ACL view
  Command: acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]
  Description: Required

- Define a rule
  Command: rule
  Description: Required

- Exit ACL view
  Command: quit

- Enter Ethernet port view
  Command: interface interface-type interface-number
  Description: The value of interface-type can only be an Ethernet port type.

- Apply a defined flow template in Ethernet port view
  Command: flow-template user-defined
  Description: Optional. You can perform this operation only when a flow template has been previously defined.

- Activate the ACL
  Command: packet-filter inbound
  Description: Required

 

The following table describes the configuration tasks for service processor cards.

Table 1-4 ACL configuration tasks for service processor cards

- Enter system view
  Command: system-view

- Configure the time range
  Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }
  Description: Optional

- Enter ACL view
  Command: acl { number acl-number | name acl-name [ advanced | basic | user ] } [ match-order { config | auto } ]
  Description: Required. Service processor cards do not support Layer 2 ACLs.

- Define rules
  Command: rule
  Description: Required

- Exit ACL view
  Command: quit

- Enter Ethernet port view
  Command: interface interface-type interface-number

- Configure traffic redirection in Ethernet port view to redirect the packets of a specific VLAN to a service processor card
  Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ip-addr2] } slot slotid
  Description: Required. The slotid parameter is the number of the slot where the service processor card is located.

- Exit Ethernet port view
  Command: quit

- Enter VLAN view
  Command: vlan vlan-id
  Description: You must enter the view of the VLAN specified in the redirection configuration.

- Activate the ACL in VLAN view
  Command: packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] slot slotid
  Description: Required

 

1.2.1  Configuring Time Range

A time range can consist of an absolute time range, a period time range, or both. The absolute time range is in the form hh:mm YYYY/MM/DD; the period time range is in the form hh:mm plus the days of the week.

Perform the following configurations in system view.

Table 1-5 Configure/Delete time range

- Create time range
  Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }

- Delete time range
  Command: undo time-range time-name [ start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date ]

 

start-time to end-time days-of-the-week together define the period time range. from start-time start-date and to end-time end-date together define the absolute time range.

If a time range only defines the period time range, the time range is only active within the period time range.

If a time range only defines the absolute time range, the time range is only active within the absolute time range.

If a time range defines the period time range and the absolute time range, the time range is only active when the period time range and the absolute time range are both matched. For example, a time range defines a period time range which is from 12:00 to 14:00 every Wednesday, and defines an absolute time range which is from 00:00 2004/1/1 to 23:59 2004/12/31. This time range is only active from 12:00 to 14:00 every Wednesday in 2004.

If neither starting time nor end time is specified, the time range is 24 hours (00:00 to 24:00).

If no end date is specified, the time range is from the date of configuration till the largest date available in the system.

Currently the largest time range is 1970/01/01 to 2100/12/31 in the system.
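The time-range semantics described above, as an added example (not code from the manual or from H3C). It parses the argument part of the time-range command, evaluates the period part, the absolute part and the combined case (active only when both match), and applies the defaults given in the text: a missing start or end time means 00:00 to 24:00, and a missing end date means the system maximum 2100/12/31. Treating the period end time as exclusive, the day keyword off-day, and all class and function names are this example's own assumptions.

```python
"""Evaluating whether an H3C-style time range is active at a given moment.

Added example, not from the manual. Class and function names are its own.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set

SYSTEM_MAX = datetime(2100, 12, 31, 23, 59)        # largest date the text mentions
WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}
DAY_KEYWORDS = {"daily": set(range(7)),            # keywords used in the manual's examples
                "working-day": set(range(5)),
                "off-day": {5, 6}}                 # assumed keyword, not shown on this page


def parse_hhmm(text: str) -> Optional[time]:
    """'8:00' -> time(8, 0); '24:00' -> None, meaning end of day."""
    hour, minute = (int(x) for x in text.split(":"))
    return None if hour == 24 else time(hour, minute)


def parse_days(words: List[str]) -> Set[int]:
    """Turn ['working-day'] or ['monday', 'wednesday'] into weekday numbers."""
    days: Set[int] = set()
    for word in words:
        days |= DAY_KEYWORDS.get(word) or {WEEKDAYS[word]}
    return days


@dataclass
class TimeRange:
    start_time: Optional[time] = None      # period part; days is None if no period defined
    end_time: Optional[time] = None
    days: Optional[Set[int]] = None
    abs_start: Optional[datetime] = None   # absolute part
    abs_end: Optional[datetime] = None
    has_absolute: bool = False

    def period_active(self, now: datetime) -> bool:
        if now.weekday() not in self.days:
            return False
        start = self.start_time or time(0, 0)
        if self.end_time is None:                  # end 24:00: active to end of day
            return now.time() >= start
        return start <= now.time() < self.end_time  # end time assumed exclusive

    def absolute_active(self, now: datetime, configured_at: datetime) -> bool:
        # No start date means "from the date of configuration"; no end date
        # means "till the largest date available in the system".
        start = self.abs_start or configured_at
        end = self.abs_end or SYSTEM_MAX
        return start <= now <= end

    def is_active(self, now: datetime, configured_at: datetime) -> bool:
        """Active only when every part that was defined matches."""
        if self.days is not None and not self.period_active(now):
            return False
        if self.has_absolute and not self.absolute_active(now, configured_at):
            return False
        return True


def parse_time_range(spec: str) -> TimeRange:
    """Parse the arguments of the time-range command, e.g.
    '8:00 to 18:00 working-day' or
    '12:00 to 14:00 wednesday from 00:00 2004/1/1 to 23:59 2004/12/31'."""
    tokens = spec.split()
    tr = TimeRange()
    i = 0
    if tokens and tokens[0] not in ("from", "to"):      # period part present
        tr.start_time, tr.end_time = parse_hhmm(tokens[0]), parse_hhmm(tokens[2])
        i = 3
        day_words = []
        while i < len(tokens) and tokens[i] not in ("from", "to"):
            day_words.append(tokens[i])
            i += 1
        tr.days = parse_days(day_words)
    while i < len(tokens):                              # absolute part: from/to hh:mm date
        keyword = tokens[i]
        stamp = datetime.strptime(f"{tokens[i + 2]} {tokens[i + 1]}", "%Y/%m/%d %H:%M")
        if keyword == "from":
            tr.abs_start = stamp
        else:
            tr.abs_end = stamp
        tr.has_absolute = True
        i += 3
    return tr
```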

1.2.2  Defining and Applying Flow Template

I. Defining Flow Template

A flow template defines the packet fields that are used for flow classification. For example, if a template defines the quadruple of source IP, destination IP, source TCP port and destination TCP port, then only traffic rules built from these elements can be delivered to the target hardware and referenced by QoS functions such as packet filtering, traffic policing and priority re-marking. Rules using other elements cannot be activated on the hardware or referenced.

Perform the following configurations in system view.

Table 1-6 Define/Delete flow template

- Define flow template
  Command: flow-template user-defined slot slotid template-info

- Delete flow template
  Command: undo flow-template user-defined slot slotid

 

Note that the sum of all elements should not be more than 16 bytes in length. The following table lists the length of the elements involved.

Table 1-7 Length of template elements

| Name | Description | Length in template |
|---|---|---|
| bt-flag | BT flag bit | 6 bytes |
| cos | The 802.1p priority in the outermost 802.1Q tag carried by the packet | 2 bytes (shared with s-tag-vlan) |
| s-tag-vlan | VLAN ID in the outermost 802.1Q tag carried by the packet | 2 bytes (shared with cos) |
| dip | Destination IP field in IP packet header | 4 bytes |
| dmac | Destination MAC field in Ethernet packet header | 6 bytes |
| dport | Destination port field | 2 bytes |
| dscp | DSCP field in IP packet header | 1 byte (shared with ip-precedence, tos and exp) |
| ip-precedence | IP precedence field in IP packet header | 1 byte (shared with dscp, tos and exp) |
| tos | ToS field in IP packet header | 1 byte (shared with dscp, ip-precedence and exp) |
| exp | EXP field in MPLS packet | 1 byte (shared with dscp, ip-precedence and tos) |
| ethernet-protocol | Protocol field in Ethernet packet header | 6 bytes |
| fragment-flags | Fragment flag field in IP packet header | 0 bytes |
| icmp-code | ICMP code field | 1 byte |
| icmp-type | ICMP type field | 1 byte |
| c-tag-cos | The 802.1p priority in the inner 802.1Q tag carried by the packet | 2 bytes (shared with c-tag-vlanid) |
| c-tag-vlanid | The VLAN ID in the inner 802.1Q tag carried by the packet | 2 bytes (shared with c-tag-cos) |
| ip-protocol | Protocol field in IP packet header | 1 byte |
| sip | Source IP field in IP packet header | 4 bytes |
| smac | Source MAC field in Ethernet packet header | 6 bytes |
| sport | Source port field | 2 bytes |
| tcp-flag | Flag field in TCP packet header | 1 byte |
| vlanid | VLAN ID that the switch assigns to the packet | 2 bytes |
| vpn | The flow template pre-defined for MPLS2VPN | 2 bytes |

 

Note:

- The numbers listed in the table are not the actual lengths of these elements in IP packets but their lengths in the flow template. For example, the DSCP field is one byte in the flow template but six bits in an IP packet. Use these numbers to determine whether the total length of the template elements exceeds 16 bytes.

- The dscp, exp, ip-precedence and tos fields jointly occupy one byte, regardless of how many of them you define.

- The cos and s-tag-vlan fields jointly occupy two bytes, regardless of whether you define one or both of them. The c-tag-cos and c-tag-vlanid fields likewise jointly occupy two bytes.

- The fragment-flags field has zero length in the flow template, so it can be ignored when you determine whether the total length of the template elements exceeds 16 bytes.

 

You can either use the default template or define a flow template based on your needs.

 

Note:

Default flow template:

ip-protocol tcp-flag sport dport icmp-type icmp-code sip 0.0.0.0 dip 0.0.0.0 vlanid.

 

You cannot modify or delete the default flow template.

II. Applying Flow Template

Perform the following configurations in Ethernet port view to apply the user-defined flow template to current port.

Table 1-8 Apply/Cancel flow template

- Apply the user-defined flow template
  Command: flow-template user-defined

- Cancel the applied flow template
  Command: undo flow-template user-defined

 

1.2.3  Defining ACL

The switch supports several types of ACLs, which are described in this section.

Follow these steps to define an ACL:

1) Enter the corresponding ACL view.

2) Define ACL rules.

Note:

- If the time-range keyword is not specified, the ACL is effective at any time after it is activated.

- You can define multiple sub-rules for an ACL by using the rule command several times.

- When a QoS/ACL action is configured on a port: if the ACL is applied without specifying sub-rules, its rules are matched in the matching order defined for the ACL; if it is applied with specific sub-rules, they are matched in the sequence in which they were applied on the port.

- By default, ACL rules are matched in config order.

- To replace an existing rule, it is recommended to delete the original rule with the undo command first and then configure the new rule.

 

I. Defining basic ACL

Basic ACLs define rules and process packets according to source IP addresses only.

Perform the following configurations in the specified views.

Table 1-9 Define basic ACL

- Enter basic ACL view (system view)
  Command: acl { number acl-number | name acl-name basic } [ match-order { config | auto } ]

- Define an ACL rule (basic ACL view)
  Command: rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ]*

- Delete an ACL rule (basic ACL view)
  Command: undo rule rule-id [ source | fragment | time-range | vpn-instance instance-name ]*

- Delete an ACL or all ACLs (system view)
  Command: undo acl { number acl-number | name acl-name | all }

 

II. Defining advanced ACL

Advanced ACLs define classification rules and process packets according to the attributes of the packets such as source and destination IP addresses, TCP/UDP ports used, and packet priority. ACLs support three types of priority schemes: ToS (type of service) priority, IP priority and DSCP priority.

Perform the following configurations in the specified view.

Table 1-10 Define advanced ACL

- Enter advanced ACL view (system view)
  Command: acl { number acl-number | name acl-name advanced } [ match-order { config | auto } ]

- Define an ACL rule (advanced ACL view)
  Command: rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ bt-flag ] [ time-range name ] [ vpn-instance instance-name ]

- Delete an ACL rule (advanced ACL view)
  Command: undo rule rule-id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | bt-flag | time-range | vpn-instance ]*

- Delete an ACL or all ACLs (system view)
  Command: undo acl { number acl-number | name acl-name | all }

 

Caution:

- The port1 and port2 parameters in the command listed in Table 1-10 should be TCP/UDP ports of higher-layer applications. For some common ports, you can use mnemonic symbols instead of the port numbers. For example, you can use “bgp” to represent TCP port 179, which is used by the BGP protocol.

- If an advanced ACL has been occupied by IDS, you cannot modify or delete it through commands.

- Rules with bt-flag specified cannot be used in the traffic-redirect command.

 

III. Defining Layer 2 ACLs

Layer 2 ACLs define the Layer 2 information such as source and destination MAC addresses, source VLAN ID, and Layer 2 protocol type in their rules and process packets according to these attributes.

Perform the following configurations in the specified view.

Table 1-11 Define Layer 2 ACLs

- Enter Layer 2 ACL view (system view)
  Command: acl { number acl-number | name acl-name link } [ match-order { config | auto } ]

- Define an ACL rule (Layer 2 ACL view)
  Command: rule [ rule-id ] { permit | deny } [ cos cos-value | c-tag-cos c-cos-value | exp exp-value | protocol-type | ingress { { source-vlan-id [ to source-vlan-id-end ] | source-mac-addr source-mac-wildcard | c-tag-vlan c-tag-vlanid }* | any } | egress { dest-mac-addr dest-mac-wildcard | any } | s-tag-vlan s-tag-vlanid | time-range name ]*

- Delete an ACL rule (Layer 2 ACL view)
  Command: undo rule rule-id

- Delete an ACL or all ACLs (system view)
  Command: undo acl { number acl-number | name acl-name | all }

 

1.2.4  Activating ACL

After defining an ACL, you must activate it. This configuration activates those ACLs to filter or classify the packets forwarded by hardware.

For interface cards, perform the following configurations in Ethernet port view.

Table 1-12 Activate ACL

- Activate IP group ACL
  Command: packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

- Deactivate IP group ACL
  Command: undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]

- Activate IP group ACL and link group ACL at the same time
  Command: packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule }

- Deactivate IP group ACL and link group ACL at the same time
  Command: undo packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

- Activate link group ACL
  Command: packet-filter inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

- Deactivate link group ACL
  Command: undo packet-filter inbound link-group { acl-number | acl-name } [ rule rule ]

 

For service processor cards, perform the following configurations in VLAN view.

Table 1-13 Activate ACL

- Activate IP group ACL
  Command: packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] [ system-index index ] slot slotid

- Deactivate IP group ACL
  Command: undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

 

Caution:

- The syntax of the QoS/ACL commands used for service processor cards (LSB1NATB0 cards in the context of this document) is somewhat different from that for interface cards. Refer to the related description in the manual.

- Before executing the packet-filter command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect the packets of a specific VLAN to the service processor card.

- Service processor cards do not support Layer 2 ACLs.

 

system-index index is the system index of an ACL rule. When a rule is delivered, the system assigns it a globally unique index for later retrieval. You can also assign the system index yourself when delivering a rule with this command, but doing so is not recommended unless strictly necessary.

 

Note:

If you remove a card with QoS/ACL configured while the system is running, the corresponding system index value is released automatically and may then be used for a newly delivered flow rule. Once the system index value has been taken, the original configuration cannot be restored even if you insert the removed card again.

 

1.3  Displaying and Debugging ACL Configurations

After completing these configurations, you can use the display commands in any view to view the running ACL configuration and check the result. You can clear ACL statistics with the reset command in user view.

Table 1-14 Display and debug ACL configurations

- Display the configuration and status of the current time range
  Command: display time-range { all | name }

- Display ACL configuration
  Command: display acl config { all | acl-number | acl-name }

- Display the total number of ACL rules applied on the specified card
  Command: display acl remaining entry slot slotid

- Display ACL application information
  Command: display acl running-packet-filter { all | interface interface-type interface-number | vlan vlan-id }

- Display the configuration information of the flow template
  Command: display flow-template [ default | interface interface-type interface-number | slot slotid | user-defined ]

- Clear ACL statistics
  Command: reset acl counter { all | acl-number | acl-name }

 

The display acl config command only displays the ACL matching information processed by the CPU.

See the corresponding Command Manual for description of parameters.

1.4  ACL Configuration Example

1.4.1  Advanced ACL Configuration Example

I. Network requirements

The departments of the intranet are connected through 100 Mbps ports of the switch. The research and development (R&D) department is connected through port Ethernet2/1/1. The wage server of the financial department is at 129.110.1.2. The requirement is to configure ACLs so that the R&D department can access the wage server only during working time, from 8:00 to 18:00.

II. Network diagram

Figure 1-1 Network diagram for advanced ACL configuration

III. Configuration procedure

 

Note:

Only the commands concerning ACL configuration are listed here.

 

1) Define the time range.

# Define the time range from 8:00 to 18:00.

[H3C] time-range H3C 8:00 to 18:00 working-day

2) Define inbound traffic to the wage server.

# Create a name-based advanced ACL “traffic-of-payserver” and enter it.

[H3C] acl name traffic-of-payserver advanced

# Define ACL rule for the wage server.

[H3C-acl-adv-traffic-of-payserver] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range H3C

3) Activate the ACL.

# Activate the ACL “traffic-of-payserver”.

[H3C-Ethernet2/1/1] packet-filter inbound ip-group traffic-of-payserver

1.4.2  Basic ACL Configuration Example

I. Network requirements

With proper basic ACL configuration, the switch filters packets from the host with source IP 10.1.1.1 during the time range from 8:00 to 18:00 every day (the host is connected to the switch through port Ethernet2/1/1).

II. Network diagram

Figure 1-2 Network diagram for basic ACL configuration

III. Configuration procedure

 

Note:

Only the commands concerning ACL configuration are listed here.

 

1) Define the time range.

# Define the time range from 8:00 to 18:00.

[H3C] time-range H3C 8:00 to 18:00 daily

2) Define the traffic with source IP 10.1.1.1.

# Create a name-based basic ACL “traffic-of-host” and enter it.

[H3C] acl name traffic-of-host basic

# Define ACL rule for source IP 10.1.1.1.

[H3C-acl-basic-traffic-of-host] rule 1 deny source 10.1.1.1 0 time-range H3C

3) Activate the ACL.

# Activate the ACL “traffic-of-host”.

[H3C-Ethernet2/1/1] packet-filter inbound ip-group traffic-of-host

1.4.3  Layer 2 ACL Configuration Example

I. Network requirements

With proper Layer 2 ACL configuration, the switch filters packets with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303 during the time range from 8:00 to 18:00 every day (the ACL is configured on port Ethernet2/1/1 of the switch).

II. Network diagram

Figure 1-3 Network diagram for Layer 2 ACL configuration

III. Configuration procedure

 

Note:

Only the commands concerning ACL configuration are listed here.

 

1) Define the time range.

# Define the time range from 8:00 to 18:00.

[H3C] time-range H3C 8:00 to 18:00 daily

2) Define a user-defined flow template.

[H3C] flow-template user-defined slot 2 ethernet-protocol smac 0-0-0 dmac 0-0-0

3) Define the traffic with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303.

# Create a name-based Layer 2 ACL “traffic-of-link” and enter it.

[H3C] acl name traffic-of-link link

# Define an ACL rule for the traffic with the source MAC address of 00e0-fc01-0101 and the destination MAC address of 00e0-fc01-0303.

[H3C-acl-link-traffic-of-link] rule 1 deny ingress 00e0-fc01-0101 0-0-0 egress 00e0-fc01-0303 0-0-0 time-range H3C

[H3C-acl-link-traffic-of-link] quit

4) Apply the user-defined flow template to the port and activate the ACL.

# Apply the user-defined flow template to Ethernet2/1/1.

[H3C] interface Ethernet2/1/1

[H3C-Ethernet2/1/1] flow-template user-defined

# Activate the ACL “traffic-of-link”.

[H3C-Ethernet2/1/1] packet-filter inbound link-group traffic-of-link

1.4.4  Example of BT Traffic Control Configuration

I. Network requirements

BitTorrent (BT) is a shared file download application. Its characteristic is that the more people download a file with it, the faster the file downloads. While BT download greatly reduces the load on the download server, it also brings a dramatic increase of download traffic on the Internet. As a result, network bandwidth is largely occupied by BT download traffic, which seriously affects other network services. Therefore it is necessary to control BT traffic effectively.

The purpose of the configuration is to prohibit the BT data traffic passing through port GE7/1/8 by configuring proper ACL rules.

 

Caution:

LSB1XP4 series cards do not support BT traffic control configuration.

Cards with suffixes DA/DB/DC do not support BT traffic control configuration.

 

II. Network diagram

Figure 1-4 Network diagram for BT traffic control

III. Configuration procedure

1) Define a user-defined flow template.

[H3C] flow-template user-defined slot 7 ip-protocol bt-flag sip 0.0.0.0 dport

2) Define an advanced ACL rule.

[H3C] acl number 3000

[H3C-acl-adv-3000] rule 0 deny tcp bt-flag

[H3C-acl-adv-3000] quit

3) Enter the view of port GE7/1/8 and configure BT traffic control on the port.

[H3C] interface GigabitEthernet 7/1/8

[H3C-GigabitEthernet7/1/8] flow-template user-defined

[H3C-GigabitEthernet7/1/8] packet-filter inbound ip-group 3000 rule 0

 


Chapter 2  QoS Configuration

2.1  QoS Overview

A conventional packet network treats all packets equally. Each switch or router processes packets in first-in-first-out (FIFO) mode and forwards them to the destination on a best-effort basis, with no commitment or guarantee regarding transmission performance such as delay and jitter.

With fast growth of computer networks, more and more data like voice and video that are sensitive to bandwidth, delay and jitter are transmitted over the network. This makes growing demands on quality of service (QoS) of networks.

Ethernet is the dominant technology for independent LANs, and many Ethernet-based LANs are integral parts of the Internet. In addition, Ethernet access is becoming one of the major access modes for Internet users. Ethernet QoS must therefore be considered to achieve an end-to-end QoS solution, and Ethernet switching devices naturally need to provide different QoS guarantees for different types of services, especially those sensitive to delay and jitter.

The following terms are involved in QoS.

I. Flow

It refers to all packets passing through the switch.

II. Traffic classification

Traffic classification is the technique of identifying packets with a specified attribute according to a specific rule. A classification rule is a packet filtering rule configured by an administrator. It can be very simple: for example, the switch can identify packets of different priority levels according to the ToS (type of service) field in the packet header. It can also be complex: for example, it may contain link layer (Layer 2), network layer (Layer 3) and transport layer (Layer 4) information, and the switch classifies packets according to such information as MAC address, IP protocol, source address, destination address and port ID. Classification rules are usually limited to the information in the packet header and rarely use packet contents.

III. Packet filtering

Packet filtering refers to filtering operation applied to traffic flow. For example, the deny operation drops the traffic flow which matches the classification rule and allows other traffic to pass. Ethernet switches use complex classification rules, so that traffic flow can be filtered purposefully to enhance network security.

There are two key steps in packet filtering:

Step 1: Classify the traffic at the port according to a specific rule.

Step 2: Run filtering operation (deny or permit) to the identified traffic. By default, permit operation is selected.

IV. Traffic policing

QoS can police traffic at the ingress port, to provide better services with the limited network resources.

V. Redirection

You can re-specify forwarding direction for packets, based on QoS policy.

VI. Traffic priority

Ethernet switches can provide priority tags, including ToS, DSCP, 802.1p, and so on, for specific packets. These priority tags are applicable to different QoS models.

The following describes IP priority, ToS priority, DSCP priority, Exp priority and 802.1p priority.

1) IP priority, ToS priority, DSCP priority and Exp priority

Figure 2-1 DS field and ToS byte

As shown in Figure 2-1, the ToS field in the IP header contains 8 bits. The first three bits (bits 0 to 2) represent IP priority, in the range of 0 to 7; bits 3 to 6 stand for ToS priority, in the range of 0 to 15. RFC 2474 redefines the ToS field of IP packets as the DS (differentiated services) field. Its first six bits denote the DSCP (differentiated services codepoint) priority, in the range of 0 to 63, and the last two bits are reserved. The first three bits (bits 0 to 2) of the DSCP priority represent Exp priority, in the range of 0 to 7.

2) 802.1p priority

802.1p priority is stored in the header of Layer 2 packets and is suitable for the case where only Layer 2 QoS guarantee, not L3 header analysis, is required.

Figure 2-2 Ethernet frame with 802.1Q tag header

As shown in the figure, each host supporting the 802.1Q protocol inserts a 4-byte 802.1Q tag header after the source address in the Ethernet header.

The 802.1Q tag header contains a 2-byte TPID (Tag Protocol Identifier, with the value 0x8100) and a 2-byte TCI (Tag Control Information). The TPID value was defined by IEEE to mark a packet as carrying an 802.1Q tag. The contents of the 802.1Q tag header are shown in Figure 2-3.

Figure 2-3 802.1Q tag header

In the figure, the priority field in the TCI carries the 802.1p priority, which is three bits long. There are eight priority levels, numbered 0 to 7, which determine which packets are sent first when the switch is congested.

Because their use is defined in detail in the IEEE 802.1p recommendation, they are called 802.1p priority levels.
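The two headers just described, as an added example that is not part of the manual: a Python parser that pulls the 802.1p priority out of the TCI of an 802.1Q tag and the IP precedence, ToS priority, DSCP and Exp values out of the IPv4 ToS byte, run on a constructed frame. The frame bytes and the function and field names are the example's own.

```python
import struct

TPID_8021Q = 0x8100      # TPID value of an 802.1Q tag (Figure 2-3)
ETHERTYPE_IPV4 = 0x0800


def tos_fields(tos: int) -> dict:
    """Split one IPv4 ToS byte into the four priority views described for Figure 2-1."""
    dscp = tos >> 2                        # bits 0-5 of the DS field
    return {
        "ip_precedence": tos >> 5,         # bits 0-2, range 0-7
        "tos_priority": (tos >> 1) & 0xF,  # bits 3-6, range 0-15
        "dscp": dscp,                      # range 0-63
        "exp": dscp >> 3,                  # bits 0-2 of the DSCP, range 0-7
    }


def parse_frame(frame: bytes) -> dict:
    """Extract the 802.1p priority (from the TCI) and the ToS-derived priorities from a raw frame."""
    _dst, _src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset = 14
    info = {"dot1p": None, "vlan_id": None}
    if ethertype == TPID_8021Q:
        # 4-byte tag header after the source address: 2-byte TPID (read above) + 2-byte TCI
        (tci,) = struct.unpack_from("!H", frame, offset)
        info["dot1p"] = tci >> 13          # 3-bit priority field, levels 0-7
        info["vlan_id"] = tci & 0x0FFF     # 12-bit VLAN ID
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype == ETHERTYPE_IPV4:
        if frame[offset] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        info.update(tos_fields(frame[offset + 1]))   # ToS is the second byte of the IPv4 header
    return info


# Constructed sample: tag with priority 5 / VLAN 100 carrying an IPv4 header whose ToS byte is 0xB8 (DSCP 46).
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                        # destination MAC (constructed)
    + bytes.fromhex("66778899aabb")                      # source MAC (constructed)
    + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100)   # TPID + TCI
    + struct.pack("!H", ETHERTYPE_IPV4)
    + bytes.fromhex("45b8001400000000401100000a0000010a000002")  # minimal IPv4 header, checksum left zero
)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```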

VII. Queue scheduling

Queue scheduling is used to resolve resource contention among many packets. Two algorithms are commonly used in queue scheduling: the strict priority (SP) algorithm and the weighted round robin (WRR) algorithm.

1) SP algorithm

Figure 2-4 Priority queues

The SP algorithm is designed for key services. One characteristic of key services is that they should be processed first, to minimize their response delay during switch congestion. For example, a port has eight outbound queues, numbered 7 to 0, with priority levels in descending order.

In SP mode, the system sends packets of higher priority first, in strict priority order. Only when the high priority queue is empty can packets in the lower priority queue be sent. Putting key-service packets into the high priority queue and non-key-service packets into the low priority queue ensures that key-service packets are sent first, while non-key-service packets are sent in the intervals when no key-service packets need to be processed.

The SP algorithm also has a disadvantage: if the high priority queues are continuously full, packets in the low priority queues may never be forwarded.

2) WRR algorithm

Each port supports eight outbound queues, except that ports on the XP4 card support only four. In WRR mode, the system serves the queues in turn, so every queue gets a service period.

Take the case where the port supports eight outbound queues. Every queue is assigned a weight value (w7, w6, w5, w4, w3, w2, w1 and w0 respectively), which indicates its share in obtaining resources. For a 100 Mbps port, the weight values are set to 50, 30, 10, 10, 50, 30, 10 and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1 and w0 respectively). Then even the queue with the lowest priority is allocated 5 Mbps of bandwidth.

Another merit of the WRR algorithm is that, although the queues are scheduled in turn, they are not assigned fixed time slices. If a queue has no packets, the system immediately schedules the next queue, so bandwidth resources are fully utilized.

VIII. Traffic mirroring

Traffic mirroring duplicates specified packets to CPU for network test and troubleshooting.

IX. Port mirroring

Port mirroring duplicates all packets at a specified port to the monitoring port for network test and troubleshooting.

X. Flow-based traffic statistics

The system can collect traffic statistics per flow for further analysis.

2.2  QoS Configuration

The following sections describe QoS configuration tasks.

• Configuring Service Parameter Allocation Rule

• Configuring Traffic Policing

• Configuring Traffic Shaping

• Configuring Traffic Priority

• Configuring Traffic Redirection

• Configuring Queue Scheduling

• Configuring Traffic Mirroring

• Configuring Port Mirroring

• Configuring Traffic Statistics

Note:

• Before initiating any of these QoS configuration tasks, you must first define the corresponding ACL. Packet filtering itself is achieved just by activating the right ACL.

• To configure packet filtering, you only need to activate the corresponding ACL. For details, refer to section 1.2.4.

• In QoS configuration (including packet filtering, traffic limiting, traffic priority, packet redirection, traffic mirroring and traffic statistics), if the specified advanced ACL is already occupied by IDS, the QoS action cannot be delivered normally.

 

Caution:

• The syntax of the QoS configuration commands used for service processor cards (LSB1NATB0 cards in the context of this document) differs somewhat from that for interface cards. Refer to the related description in the manual.

• The service processor cards currently supported by the S9500 series have no egress interface; therefore, they do not support the configuration commands in Ethernet port view.

• Service processor cards do not support Layer 2 ACLs.

 

Some QoS terms are listed in the following table.

Table 2-1 QoS terms

Term: CoS
Description: Has the same meaning as 802.1p priority. Both refer to the priority in the packet header, with a value ranging from 0 to 7.

Term: Service parameters
Description: The set of parameters the switch allocates to a packet on receipt and uses to perform QoS functions. Four items are included: 802.1p priority, DSCP priority, local precedence and drop precedence.

Term: Drop-precedence
Description: One of the service parameters, ranging from 0 to 2. Drop precedence is allocated when the switch receives the packet and may be changed while the packet is processed. Allocating a drop precedence to a packet is also called coloring the packet: a packet with drop precedence 2 is red, one with drop precedence 1 is yellow and one with drop precedence 0 is green. The switch refers to drop precedence when it needs to drop packets during congestion.

Term: Conform-Level
Description: The result, in the range of 0 to 2, that the switch calculates from the user-defined CIR, CBS, EBS and PIR and the actual traffic when it runs traffic policing. The parameter is used to select the remark service parameters, such as remark-cos and remark-drop, in traffic policing by means of the traffic-limit command; packets with different conform levels query different mapping tables. Packets whose traffic rate is below the CIR have conform level 0, packets whose rate is above the CIR but below the PIR have conform level 1, and packets whose rate is above the PIR have conform level 2. Conform-Level is also involved in the DSCP + Conform-Level > Service parameter mapping table, which is used when re-allocating service parameters to a packet with the traffic-priority command; in that case the Conform-Level must be 0.

2.2.1  Configuring Service Parameter Allocation Rule

QoS is based on service parameters, a set of parameters for a packet, including 802.1p priority (CoS priority), DSCP priority, EXP priority, local precedence and drop precedence.

After receiving a packet, the switch allocates a set of service parameters to it according to a specific rule. The switch first obtains the local precedence and drop precedence from the packet's 802.1p priority value by looking up the CoS > Local-precedence mapping table and the CoS > Drop-precedence mapping table. Default values are provided for both mapping tables, but you can also configure them as needed. If the switch cannot allocate a local precedence to the packet this way, it sets the local precedence of the packet to the priority of the port that received it. It then obtains the packet's CoS value by a reverse lookup of the CoS > Local-precedence mapping table and gets the drop precedence from the CoS > Drop-precedence mapping table.

 

Note:

If a port is not configured by means of the priority command (that is, the default priority 0 is used), tagged packets received on this port are not mapped to local precedence according to the 802.1p priority in the tag.

When the priority command is used on the port with a parameter other than 0, or when the traffic-priority command is used to mark the priority of the packets, all tagged packets received on the port are mapped to local precedence according to the 802.1p priority in the tag.

 

I. Configuring mapping table

Perform the following configurations in system view.

Table 2-2 Configure mapping tables

Operation: Configure the CoS > Drop-precedence mapping table
Command: qos cos-drop-precedence-map cos0-map-drop-prec cos1-map-drop-prec cos2-map-drop-prec cos3-map-drop-prec cos4-map-drop-prec cos5-map-drop-prec cos6-map-drop-prec cos7-map-drop-prec

Operation: Restore the default values of the CoS > Drop-precedence mapping table
Command: undo qos cos-drop-precedence-map

Operation: Configure the CoS > Local-precedence mapping table
Command: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec

Operation: Restore the default values of the CoS > Local-precedence mapping table
Command: undo qos cos-local-precedence-map

By default, the switch obtains local precedence and drop precedence according to the default mapping values.

II. Configuring default local precedence

Perform the following configurations in Ethernet port view.

Table 2-3 Configure default local precedence for port

Operation: Configure the default local precedence for a port
Command: priority priority-level

Operation: Restore the default local precedence for a port
Command: undo priority

 

2.2.2  Configuring Traffic Policing

Traffic policing refers to rate limiting based on traffic. If the traffic threshold is exceeded, corresponding measures are taken, for example dropping the excess packets or redefining their priority levels.

In the traffic policing action, the switch uses the service parameters allocated according to the DSCP + Conform-Level > Service parameter mapping table and the EXP + Conform-Level > Service parameter mapping table, and the 802.1p priority values allocated according to the Local-precedence + Conform-Level > 802.1p priority mapping table. Therefore you should configure these three mapping tables or use their default values.

I. Configuring mapping tables

Perform the following configurations in the specified views.

Table 2-4 Configure mapping tables

Operation: Enter conform level view (system view)
Command: qos conform-level conform-level-value

Operation: Configure the DSCP + Conform-Level > Service parameters mapping table (conform level view)
Command: dscp dscp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence

Operation: Restore the default values of the DSCP + Conform-Level > Service parameters mapping table (conform level view)
Command: undo dscp dscp-list

Operation: Configure the EXP + Conform-Level > Service parameters mapping table (conform level view)
Command: exp exp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence

Operation: Restore the default values of the EXP + Conform-Level > Service parameters mapping table (conform level view)
Command: undo exp exp-list

Operation: Configure the Local-precedence + Conform-Level > 802.1p priority mapping table (conform level view)
Command: local-precedence cos-value0 cos-value1 cos-value2 cos-value3 cos-value4 cos-value5 cos-value6 cos-value7

Operation: Restore the default values of the Local-precedence + Conform-Level > 802.1p priority mapping table (conform level view)
Command: undo local-precedence

 

The system provides default mapping tables.

II. Configuring traffic parameters (optional)

Use the following command to set the traffic parameters required before configuring traffic policing on service processor cards.

Caution:

This operation is not required for configuring traffic policing on common cards.

Perform the following configuration in system view.

Table 2-5 Configure traffic parameters

Operation: Configure traffic parameters
Command: traffic-params traffic-index cir committed-info-rate cbs committed-base-size ebs exceed-base-size [ pir peak-info-rate ]

 

III. Configuring traffic policing

The purpose of this configuration task is to apply traffic policing to ACL-matched data streams: data streams within the traffic limit are processed normally, while those exceeding the limit are subjected to other actions (discarding packets, for example).

For interface cards, perform the following configurations in Ethernet port view.

Table 2-6 Configure traffic policing

Operation: Configure traffic policing which only applies IP group ACL
Command: traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

Operation: Remove traffic policing setting which only applies IP group ACL
Command: undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ]

Operation: Configure traffic policing which applies IP group ACL and link group ACL at the same time
Command: traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

Operation: Remove traffic policing setting which applies IP group ACL and link group ACL at the same time
Command: undo traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

Operation: Configure traffic policing which only applies link group ACL
Command: traffic-limit inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

Operation: Remove traffic policing setting which only applies link group ACL
Command: undo traffic-limit inbound link-group { acl-number | acl-name } [ rule rule ]

 

Note:

CIR must be less than or equal to PIR, and CBS must be less than or equal to EBS. It is recommended to set CBS and EBS to values 100 to 150 times the CIR.

 

For service processor cards, perform the following configurations in VLAN view.

Table 2-7 Configure traffic policing

Operation: Configure traffic policing which only applies IP group ACL
Command: traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ traffic-index index ] [ conform { remark-cos | remark-policed-service } ] [ exceed { forward | drop } ] slot slotid

Operation: Remove traffic policing setting which only applies IP group ACL
Command: undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

Caution:

• Before executing the traffic-limit command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect the packets of a specific VLAN to the service processor card.

• Before configuring traffic policing, you must first define the corresponding ACLs and configure the DSCP + Conform-Level > Service parameters mapping table and the Local-precedence + Conform-Level > 802.1p priority mapping table.

This configuration applies traffic policing to the packets that match the ACL. If the traffic rate threshold is exceeded, corresponding measures are taken, for example dropping the excess packets.

system-index index here is the system index for an ACL rule. When delivering a rule, the system assigns a globally unique index to it for later retrieval. You can also assign a system index yourself when delivering an ACL rule with this command; however, it is not recommended to do so unless strictly necessary.

tc-index index here is the traffic policing index. If you configure the same index for different ACL rules when setting up traffic policing, the sum of their traffic is limited by the predefined traffic policing parameters. For example, if the CIR (committed information rate) of the traffic that matches ACL1 is set to 10 kbps and that for ACL2 to 10 kbps, and their traffic policing indexes are the same, the average rate of the traffic that matches ACL1 and ACL2 together is limited to 10 kbps.
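The conform-level semantics (Table 2-1), the parameter constraints in the note above and the tc-index sharing rule, as an added Python model that is not the switch's implementation: a two-rate, three-colour policer is assumed for how CIR, CBS, EBS and PIR yield conform levels 0 to 2, entries that name the same tc-index share one policer, and the CIR/PIR and CBS/EBS checks are applied before an entry is accepted. Units (bytes and seconds) and the class and function names are the example's own.

```python
GREEN, YELLOW, RED = 0, 1, 2          # conform levels; the same numbering as drop-precedence colours


def check_traffic_params(cir, cbs, ebs, pir=None):
    """Apply the manual's constraints (CIR <= PIR, CBS <= EBS) and its recommendation that CBS and EBS
    be 100 to 150 times CIR. Returns (errors, warnings); an entry with errors must be rejected."""
    pir = cir if pir is None else pir
    errors, warnings = [], []
    if cir > pir:
        errors.append("CIR must be less than or equal to PIR")
    if cbs > ebs:
        errors.append("CBS must be less than or equal to EBS")
    for name, burst in (("CBS", cbs), ("EBS", ebs)):
        if not 100 * cir <= burst <= 150 * cir:
            warnings.append(f"{name} is outside the recommended 100-150 x CIR range")
    return errors, warnings


class TwoRatePolicer:
    """Two-rate, three-colour model of conform-level calculation (modelling assumption; the manual only
    states the resulting levels). Rates are in bytes per second, bursts in bytes, time in seconds."""

    def __init__(self, cir, cbs, ebs, pir):
        self.cir, self.cbs, self.ebs, self.pir = cir, cbs, ebs, pir
        self.c_tokens, self.e_tokens = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0

    def mark(self, size, now):
        """Return the conform level of a packet of `size` bytes arriving at time `now`."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.c_tokens = min(self.cbs, self.c_tokens + elapsed * self.cir)   # committed bucket fills at CIR
        self.e_tokens = min(self.ebs, self.e_tokens + elapsed * self.pir)   # excess bucket fills at PIR
        if self.e_tokens < size:          # faster than PIR: conform level 2 (red)
            return RED
        self.e_tokens -= size
        if self.c_tokens < size:          # between CIR and PIR: conform level 1 (yellow)
            return YELLOW
        self.c_tokens -= size             # within CIR: conform level 0 (green)
        return GREEN


class TrafficLimitTable:
    """traffic-limit entries keyed by ACL. Entries that name the same tc-index share one policer, so the
    aggregate of their flows is limited by the common parameters; inconsistent parameters are an error."""

    def __init__(self):
        self.by_acl, self.by_tc_index = {}, {}

    def traffic_limit(self, acl, tc_index, cir, cbs, ebs, pir=None):
        pir = cir if pir is None else pir
        errors, _warnings = check_traffic_params(cir, cbs, ebs, pir)
        if errors:
            raise ValueError("; ".join(errors))
        params = (cir, cbs, ebs, pir)
        policer = self.by_tc_index.get(tc_index)
        if policer is None:
            policer = self.by_tc_index[tc_index] = TwoRatePolicer(*params)
        elif (policer.cir, policer.cbs, policer.ebs, policer.pir) != params:
            raise ValueError(f"tc-index {tc_index} already has different traffic policing parameters")
        self.by_acl[acl] = policer

    def police(self, acl, size, now):
        """Conform level for a packet matching `acl`; the caller maps it to remark/forward/drop actions."""
        return self.by_acl[acl].mark(size, now)
```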

 

Note:

• If you remove a card with QoS/ACL configured while the system is running, the corresponding system index value is automatically released and may then be used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

• When you specify the same tc-index for different traffic flows, the traffic policing parameter settings must be consistent with each other. Otherwise, the system prompts an error.

 

See the corresponding Command Manual for details of the commands.

2.2.3  Configuring Traffic Shaping

Traffic shaping controls the rate of outbound packets so that they are sent at a relatively even rate. Traffic shaping tries to match the packet transmission rate to the capacity of downstream devices. Its major difference from traffic policing is that traffic shaping buffers packets arriving above the threshold rate so that they are sent at the average rate, while traffic policing drops the excess packets. Therefore traffic shaping may increase transmission delay, whereas traffic policing does not.

Perform the following configurations in Ethernet port view.

Table 2-8 Configure traffic shaping

Operation: Configure traffic shaping
Command: traffic-shape [ queue queue-id ] max-rate burst-size

Operation: Remove traffic shaping setting
Command: undo traffic-shape [ queue queue-id ]

 

The switch supports traffic shaping based on port, that is, all traffic on the port is shaped. It also supports traffic shaping for a specific queue. You can choose to achieve one of them by selecting different parameters in the command.

See the corresponding Command Manual for details of the commands.

2.2.4  Configuring Traffic Priority

This configuration re-labels the priority value of the packets that match the ACL in one of these ways: using the service parameters allocated by the switch; re-allocating service parameters by looking up the mapping table based on the packet's DSCP value; re-allocating service parameters by looking up the mapping table based on a specified DSCP value and EXP value; or customizing service parameters for the packets.

For interface cards, perform the following configurations in Ethernet port view.

Table 2-9 Configure traffic priority

Operation: Configure traffic priority which only applies IP group ACL
Command: traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

Operation: Remove traffic priority setting which only applies IP group ACL
Command: undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ]

Operation: Configure traffic priority which applies IP group ACL and link group ACL at the same time
Command: traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

Operation: Remove traffic priority setting which applies IP group ACL and link group ACL at the same time
Command: undo traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

Operation: Configure traffic priority which only applies link group ACL
Command: traffic-priority inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

Operation: Remove traffic priority setting which only applies link group ACL
Command: undo traffic-priority inbound link-group { acl-number | acl-name } [ rule rule ]

 

For service processor cards, perform the following configurations in VLAN view.

Table 2-10 Mark packet priority

Operation: Mark the packets matching a Layer 3 ACL rule with priority
Command: traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } } slot slotid

Operation: Remove the mark
Command: undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

 

Caution:

• Before executing the traffic-priority command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect the packets of a specific VLAN to the service processor card.

• Before performing this configuration, you must first define the corresponding ACL and configure the DSCP + Conform-Level > Service parameters mapping table and the EXP + Conform-Level > Service parameters mapping table.

 

system-index index here is the system index for an ACL rule. When delivering a rule, the system assigns a globally unique index to it for later retrieval. You can also assign a system index yourself when delivering an ACL rule with this command; however, it is not recommended to do so unless strictly necessary.

 

Note:

• If you remove a card with QoS/ACL configured while the system is running, the corresponding system index value is automatically released and may then be used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

• For MPLS packets, the dscp-value not only stands for their DSCP priority value but is also mapped to the EXP; you set the EXP value when defining the dscp-value. Note that when the S9500 switch is used as the ingress PE: for IP packets, EXP is matched according to the DSCP + Conform-Level > Service parameters mapping table; for TCP and UDP packets, the value of EXP is the lower 3 bits of dscp-value. When the S9500 switch is used as the ingress P, the value of EXP is the lower 3 bits of dscp-value.

• The DSCP + Conform-Level > Service parameters mapping table and the EXP + Conform-Level > Service parameters mapping table for conform level 0 are used here.

 

See the corresponding Command Manual for details of the commands.

2.2.5  Configuring Traffic Redirection

Traffic redirection changes packet forwarding direction, to CPU, other ports, other IP addresses or other cards.

For interface cards, perform the following configurations in Ethernet port view.

Table 2-11 Configure traffic redirection

Operation: Configure traffic redirection which only applies IP group ACL
Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn } | next-hop ip-addr1 [ ip-addr2 ] | slot slotid vlanid [ join-vlan ] }

Operation: Remove traffic redirection setting which only applies IP group ACL
Command: undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]

Operation: Configure traffic redirection which applies IP group ACL and link group ACL at the same time
Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] link-group { acl-number | acl-name } [ rule rule ] { cpu | interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn } | next-hop ip-addr1 [ ip-addr2 ] | slot slotid vlanid [ join-vlan ] }

Operation: Remove traffic redirection setting which applies IP group ACL and link group ACL at the same time
Command: undo traffic-redirect inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
or: undo traffic-redirect inbound link-group { acl-number | acl-name } { rule rule ip-group { acl-number | acl-name } | ip-group { acl-number | acl-name } rule rule }

Operation: Configure traffic redirection which only applies link group ACL
Command: traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn } | next-hop ip-addr1 [ ip-addr2 ] | slot slotid vlanid [ join-vlan ] }

Operation: Remove traffic redirection setting which only applies link group ACL
Command: undo traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule ]

 

For service processor cards, perform the following configurations in VLAN view.

Table 2-12 Configure traffic redirection

Operation: Configure traffic redirection on packets matching a Layer 3 ACL rule
Command: traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] } slot slotid

Operation: Remove this traffic redirection configuration on the packets matching a Layer 3 ACL rule
Command: undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] slot slotid

 

system-index index here is the system index for an ACL rule. When delivering a rule, the system assigns a globally unique index to it for later retrieval. You can also assign a system index yourself when delivering an ACL rule with this command; however, it is not recommended to do so unless strictly necessary.

 

Note:

• If you remove a card with QoS/ACL configured while the system is running, the corresponding system index value is automatically released and may then be used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

• Traffic redirection is only available for the permit rules in the ACL.

• A packet redirected to the CPU cannot be forwarded normally.

• You can achieve policy routing by selecting the next-hop keyword.

• Before executing the traffic-redirect command on a service processor card, you must first configure traffic redirection in Ethernet port view to redirect the Layer 3 packets to the service processor card and a specific VLAN.

• Multicast packets cannot be redirected to the service processor cards.

 

See the corresponding Command Manual for details of the commands. Refer to the “VLAN-QinQ” section in the manual for detailed information on the traffic-redirect { nested-vlan | modified-vlan } command.

2.2.6  Configuring Queue Scheduling

Each port supports eight outbound queues, except that ports on the XP4 and GV48 cards support only four. The switch puts packets into the queues according to their local precedence. Queue scheduling is used to resolve resource contention among many packets. The switch supports the SP algorithm and the WRR algorithm.

Different outbound queues on a port may use different algorithms. The switch supports three scheduling modes:

1) All-SP scheduling mode.

2) All-WRR mode: one queue is selected from each of the two WRR groups during scheduling, and the two queues are compared by priority. The queue with the higher priority is scheduled. After scheduling, another queue is selected from the WRR group that contained the higher-priority queue, and the newly selected queue is compared with the previously selected, lower-priority queue.

3) SP plus WRR mode: the outbound queues are put into different scheduling groups. The SP group uses the SP algorithm and the WRR groups use the WRR algorithm. The system selects one queue each from the SP group, WRR group 1 and WRR group 2 and schedules them using the SP algorithm.
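The scheduling modes above and the SP/WRR description in the QoS overview, as one added Python simulation that is not the switch's code: eight queues are assigned to an SP group or to WRR group 1 or 2; each WRR group serves its members in turn, weight packets per round, skipping empty queues; the candidates from the three groups are then chosen by strict priority. The per-round WRR realisation and the class and function names are assumptions; the weights used are the manual's 100 Mbps example (50, 30, 10, 10, 50, 30, 10, 10 for w7 to w0).

```python
from collections import deque

SP, WRR1, WRR2 = "sp", "group1", "group2"


class OutboundScheduler:
    """Eight outbound queues, 7 = highest priority. SP-group queues are served strictly by priority;
    each WRR group serves its backlogged members in turn, `weight` packets per round; the SP candidate
    and the two WRR-group candidates are then compared by strict priority (SP plus WRR mode)."""

    def __init__(self, groups, weights):
        self.groups = groups                  # queue-id -> SP | WRR1 | WRR2
        self.weights = weights                # queue-id -> weight, for WRR queues only
        self.queues = {q: deque() for q in range(8)}
        self.credits = dict(weights)          # packets a WRR queue may still send this round

    def enqueue(self, queue_id, packet):
        self.queues[queue_id].append(packet)

    def _sp_candidate(self):
        for q in range(7, -1, -1):
            if self.groups[q] == SP and self.queues[q]:
                return q
        return None

    def _wrr_candidate(self, group):
        backlogged = [q for q in range(7, -1, -1) if self.groups[q] == group and self.queues[q]]
        if not backlogged:
            return None                       # empty queues are skipped, no fixed time slice
        with_credit = [q for q in backlogged if self.credits[q] > 0]
        if not with_credit:                   # round finished: every member gets its weight back
            for q in range(8):
                if self.groups[q] == group:
                    self.credits[q] = self.weights[q]
            with_credit = backlogged
        return with_credit[0]

    def dequeue(self):
        """Transmit one packet; returns (queue_id, packet) or None when all queues are empty."""
        candidates = [c for c in (self._sp_candidate(), self._wrr_candidate(WRR1),
                                  self._wrr_candidate(WRR2)) if c is not None]
        if not candidates:
            return None
        q = max(candidates)                   # SP between the group candidates
        if self.groups[q] != SP:
            self.credits[q] -= 1
        return q, self.queues[q].popleft()


def simulate(groups, weights, backlog, slots):
    """Packets sent per queue in `slots` transmission slots, each queue starting with `backlog` packets."""
    sched = OutboundScheduler(groups, weights)
    for q in range(8):
        for i in range(backlog):
            sched.enqueue(q, f"q{q}-{i}")     # constructed packets
    sent = {q: 0 for q in range(8)}
    for _ in range(slots):
        result = sched.dequeue()
        if result is None:
            break
        sent[result[0]] += 1
    return sent


def bandwidth_share_mbps(sent, link_mbps=100):
    """Per-queue share of a link when every queue stays backlogged (the manual's 100 Mbps example)."""
    total = sum(sent.values())
    return {q: link_mbps * n / total for q, n in sent.items()}


MANUAL_WEIGHTS = {7: 50, 6: 30, 5: 10, 4: 10, 3: 50, 2: 30, 1: 10, 0: 10}
ALL_WRR = {q: WRR1 for q in range(8)}         # all-WRR with a single group
ALL_SP = {q: SP for q in range(8)}

if __name__ == "__main__":
    print(bandwidth_share_mbps(simulate(ALL_WRR, MANUAL_WEIGHTS, 1000, 200)))
```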

You can use the following commands to configure queue scheduling.

Perform the following configurations in Ethernet port view or port group view.

Table 2-13 Configure queue scheduling

Operation: Configure queue scheduling
Command: queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8> }*

Operation: Restore the default setting
Command: undo queue-scheduler [ queue-id ] &<1-8>

 

By default, the switch uses all-SP mode, so those queues not configured with WRR algorithm are SP mode.

See the corresponding Command Manual for details of the commands.

2.2.7  Configuring WRED Parameters

In the case of network congestion, the switch drops packets to release system resources and to keep packets out of long-delay queues.

When the switch receives a packet, it allocates a drop precedence to it (also called coloring the packet). Drop precedence values range from 0 to 2, with 2 for red, 1 for yellow and 0 for green. During congestion, red packets are dropped first and green packets last.

You can configure drop parameters and thresholds by queue or by drop precedence.

The following two drop modes are available:

1) Tail drop mode: packets of different colors (red, yellow and green) are allocated different drop thresholds. When a threshold is exceeded, the excess packets of that color are dropped.

2) WRED drop mode: drop precedence is taken into account in the drop action. When only the min-thresholds of red, yellow and green packets are exceeded, excess packets are dropped randomly with a given probability; when the max-thresholds are exceeded, all excess packets are dropped.

WRED parameters must be configured for every outbound queue before drop precedence can be applied.

I. Configuring WRED parameters

The switch provides four sets of default WRED parameters, respectively numbered as 0 to 3. Each set includes 80 parameters, 10 parameters for each of the eight queues. The ten parameters are green-min-threshold, yellow-min-threshold, red-min-threshold, green-max-threshold, yellow-max-threshold, red-max-threshold, green-max-prob, yellow-max-prob, red-max-prob and exponent. Red, yellow and green packets respectively refer to those with drop precedence levels 2, 1 and 0.
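The WRED and tail-drop rules described above, as an added Python model that is not the switch's code: one QueueWred object holds the ten parameters of a queue in the order of the queue command, the drop probability rises linearly from 0 at the min-threshold to max-prob at the max-threshold and is 1 above it, and the exponent is assumed to be the weight of the average-queue-length calculation as in standard RED. Packet-count thresholds, percentage max-prob values and the class and function names are assumptions.

```python
import random


class QueueWred:
    """WRED parameters of one outbound queue, given in the order of the `queue` command:
    green-min green-max green-prob yellow-min yellow-max yellow-prob red-min red-max red-prob exponent.
    Thresholds are taken as packet counts and max-prob values as percentages (assumptions)."""

    COLOUR = {0: "green", 1: "yellow", 2: "red"}    # drop precedence -> colour

    def __init__(self, *values):
        if len(values) != 10:
            raise ValueError("the queue command takes exactly ten parameters")
        self.thresholds = {
            0: tuple(values[0:3]),    # green:  (min-threshold, max-threshold, max-prob)
            1: tuple(values[3:6]),    # yellow
            2: tuple(values[6:9]),    # red
        }
        for colour, (lo, hi, _prob) in self.thresholds.items():
            if lo > hi:
                raise ValueError(f"{self.COLOUR[colour]} min-threshold exceeds max-threshold")
        self.exponent = values[9]
        self.avg_len = 0.0

    def update_average(self, current_len):
        """Average queue length as an EWMA with weight 2^-exponent (standard RED; assumed role of exponent)."""
        w = 2.0 ** -self.exponent
        self.avg_len = (1 - w) * self.avg_len + w * current_len
        return self.avg_len

    def drop_probability(self, drop_precedence, avg_len=None):
        """0 below the min-threshold, linear up to max-prob at the max-threshold, 1 at or above it."""
        lo, hi, max_prob = self.thresholds[drop_precedence]
        avg = self.avg_len if avg_len is None else avg_len
        if avg < lo:
            return 0.0
        if avg >= hi:
            return 1.0
        return (max_prob / 100.0) * (avg - lo) / (hi - lo)

    def should_drop(self, drop_precedence, rng=random):
        """WRED decision for one arriving packet with the given drop precedence."""
        return rng.random() < self.drop_probability(drop_precedence)


def tail_drop(queue_len, drop_precedence, thresholds):
    """Tail drop mode: one threshold per colour; a packet is dropped once the queue is at or above it."""
    return queue_len >= thresholds[drop_precedence]


# Constructed parameter set: red packets start being dropped from a much shorter queue than green ones.
EXAMPLE_QUEUE = QueueWred(100, 200, 10, 60, 120, 20, 20, 60, 50, 9)
```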

You can use the following commands to configure WRED parameters.

Perform the following configurations in system view.

Table 2-14 Configure WRED parameters

Operation

Command

Enter WRED index view (system view)

wred wred-index

Restore the default WRED parameters (system view)

undo wred wred-index

Configure WRED parameters (WRED index view)

queue queue-id green-min-threshold green-max-threshold green-max-prob yellow-min-threshold yellow-max-threshold yellow-max-prob red-min-threshold red-max-threshold red-max-prob exponent

Restore the default WRED parameters (WRED index)

undo queue queue-id

Exit WRED index view (WRED index view)

quit

 

The undo wred command restores the parameters of the specified WRED index to the default setting. The undo queue command restores the WRED parameters of the specified queue to the default setting.

The switch provides four sets of WRED parameters by default.

 

  Caution:

When multicast packets are sent through an outbound queue of a port, use the queue command to increase appropriately the queue length parameter (the threshold above which all packets in that queue are dropped) of the corresponding queue, so that the replication capability of the egress port is fully used.

 

See the corresponding Command Manual for details of the commands.

II. Configuring drop algorithm

Perform the following configurations in Ethernet port view.

Table 2-15 Configure drop algorithm

Operation

Command

Configure drop algorithm

drop-mode { tail-drop | wred } [ wred-index ]

Restore the default algorithm

undo drop-mode

 

By default, tail drop mode is selected.

See the corresponding Command Manual for details of the commands.
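The WRED and tail-drop decisions described above, worked through in Python as an added example (this is not H3C code): it parses the queue line of WRED index view using the values of the WRED 0 example in section 2.3.6 and shows why red packets are dropped first and green packets last. The percentage meaning of max-prob, the linear ramp between min-threshold and max-threshold, the 2^-exponent averaging weight and the use of max-threshold as the tail-drop limit are assumptions, not statements of this manual.

```python
"""WRED and tail-drop decision model for one outbound queue of an S9500 port.

Constructed example (not H3C code). It parses the `queue` line of WRED index
view exactly as it appears in this manual:

    queue queue-id green-min green-max green-prob yellow-min yellow-max
          yellow-prob red-min red-max red-prob exponent

Assumptions not stated in the manual: max-prob is a percentage; the drop
probability rises linearly from 0 at min-threshold to max-prob at
max-threshold and is 100% at or above max-threshold (classic RED); exponent
is the EWMA weight 2**-exponent for the average queue length; tail-drop uses
each colour's max-threshold as its fixed limit.
"""
import random
from dataclasses import dataclass
from typing import Dict, Tuple

# Drop precedence values used by the switch (0 = green, 1 = yellow, 2 = red).
GREEN, YELLOW, RED = 0, 1, 2
COLOUR_NAMES = {GREEN: "green", YELLOW: "yellow", RED: "red"}


@dataclass(frozen=True)
class WredQueue:
    queue_id: int
    # colour -> (min_threshold, max_threshold, max_prob_percent)
    thresholds: Dict[int, Tuple[int, int, int]]
    exponent: int

    @classmethod
    def from_values(cls, values):
        """Build from the 11 integers that follow the `queue` keyword."""
        if len(values) != 11:
            raise ValueError("expected queue-id plus 10 WRED parameters")
        qid, gmin, gmax, gprob, ymin, ymax, yprob, rmin, rmax, rprob, exp = values
        th = {GREEN: (gmin, gmax, gprob),
              YELLOW: (ymin, ymax, yprob),
              RED: (rmin, rmax, rprob)}
        for colour, (lo, hi, prob) in th.items():
            if not 0 <= lo <= hi or not 0 <= prob <= 100:
                raise ValueError(f"bad thresholds for {COLOUR_NAMES[colour]} packets")
        if not 0 <= qid <= 7 or exp < 0:
            raise ValueError("queue-id must be 0..7 and exponent non-negative")
        return cls(qid, th, exp)

    def drop_probability(self, colour, avg_len):
        """WRED mode: 0 below min, linear ramp to max-prob, 1.0 at or above max."""
        lo, hi, max_prob = self.thresholds[colour]
        if avg_len <= lo:
            return 0.0
        if avg_len >= hi:
            return 1.0
        return (avg_len - lo) / (hi - lo) * (max_prob / 100.0)

    def update_average(self, avg_len, current_len):
        """EWMA of the queue length; exponent 10 means a weight of 1/1024."""
        w = 2.0 ** -self.exponent
        return (1.0 - w) * avg_len + w * current_len

    def tail_drop(self, colour, current_len):
        """Tail-drop mode: fixed per-colour limit, no randomness."""
        return current_len >= self.thresholds[colour][1]

    def wred_drop(self, colour, avg_len, rng=random):
        """WRED mode: random drop with the probability for this colour."""
        return rng.random() < self.drop_probability(colour, avg_len)


def parse_queue_command(line):
    """Parse e.g. 'queue 7 150 500 5 100 150 10 50 100 15 10' (section 2.3.6)."""
    tokens = line.split()
    if len(tokens) != 12 or tokens[0] != "queue":
        raise ValueError("expected: queue queue-id <10 integers>")
    return WredQueue.from_values([int(t) for t in tokens[1:]])


def simulate_drops(queue, colour, avg_len, packets, seed=0):
    """Count how many of `packets` arrivals WRED drops at a given average depth."""
    rng = random.Random(seed)
    return sum(queue.wred_drop(colour, avg_len, rng) for _ in range(packets))


if __name__ == "__main__":
    q = parse_queue_command("queue 7 150 500 5 100 150 10 50 100 15 10")
    # At an average depth of 120: red is above its max (all dropped), yellow is
    # between its min and max (random drops), green is below its min (no drops).
    for colour in (RED, YELLOW, GREEN):
        print(COLOUR_NAMES[colour], simulate_drops(q, colour, 120, 1000, seed=1))
```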

2.2.8  Configuring Traffic Mirroring

Traffic mirroring duplicates the traffic that matches ACL rules to the CPU, for traffic analysis and monitoring.

Perform the following configurations in Ethernet port view.

Table 2-16 Configure traffic mirroring

Operation

Command

Configure traffic mirroring which only applies IP group ACL

mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu

Remove traffic mirroring setting which only applies IP group ACL

undo mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule ]

Configure traffic mirroring which applies IP group ACL and link group ACL at same time

mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } cpu

Remove traffic mirroring setting which applies IP group ACL and link group ACL at same time

undo mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }

Configure traffic mirroring which only applies link group ACL

mirrored-to inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu

Remove traffic mirroring setting which only applies link group ACL

undo mirrored-to inbound link-group { acl-number | acl-name } [ rule rule ]

 

system-index index here is the system index for an ACL rule. When delivering a rule, the system assigns a globally unique index to it, for convenience of later retrieval. You can also assign a system index yourself when delivering an ACL rule with this command. However, it is not recommended to assign a system index manually unless necessary.

 

Note:

If you remove a card with QoS/ACL configured while the system is operating, the corresponding system index value is automatically released and is then used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

 

See the corresponding Command Manual for details of the commands.

2.2.9  Configuring Port Mirroring

Port mirroring duplicates data on the monitored port to the designated monitoring port, for the purpose of data analysis and supervision. The switch supports multiple-to-one mirroring, that is, you can duplicate packets from multiple ports to one monitoring port.

You can also specify the monitoring direction:

l           Only inbound packets

l           Only outbound packets

Perform the following configurations in system view.

Table 2-17 Configure port mirroring

Operation

Command

Configure port mirroring

mirroring-group groupid { inbound | outbound } mirroring-port-list mirrored-to monitor-port

Remove port mirroring setting

undo mirroring-group groupid

 

You can implement port mirroring configuration by setting mirroring groups at the port. Up to 20 mirroring groups can be configured at a port, with each group including one monitoring port and multiple monitored ports.

 

Note:

S9500 series support cross-card mirroring, that is, the monitoring and monitored ports can be at different cards.

 

Consider these issues when configuring port mirroring:

l           For intra-card mirroring, only one monitoring port can be configured for the mirroring groups in the same direction.

l           For cross-card mirroring, only one monitoring port (which is on another card) can be configured for the mirroring groups in the same direction.

l           You can only configure eight monitored ports for all the mirroring groups in transmit group.

l           One port can act as monitoring port and monitored port at the same time for different mirroring groups.

More issues for the GV48 card (LSBM1GV48DA):

l           For the mirroring (including incoming port mirroring and outgoing port mirroring) on the same GV48 card, only one monitoring port is allowed.

l           For all mirroring groups configured in the system, only one monitoring port is allowed on the same GV48 card.

See the corresponding Command Manual for details of the commands.

2.2.10  Configuring Traffic Statistics

Traffic statistics count the packets of designated service traffic, that is, the forwarded packets that match the defined ACL. You can view the information with the display qos-interface traffic-statistic command.

Perform the following configurations in Ethernet port view.

Table 2-18 Configure traffic statistics

Operation

Command

Configure traffic statistics which only applies IP group ACL

traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]

Remove traffic statistics setting which only applies IP group ACL

undo traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule ]

Configure traffic statistics which only applies link group ACL

traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]

Remove traffic statistics setting which only applies link group ACL

undo traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule ]

Display traffic statistics for the port

display qos-interface [ interface-type interface-number ] traffic-statistic

 

system-index index here is the system index for an ACL rule. When delivering a rule, the system assigns a globally unique index to it, for convenience of later retrieval. You can also assign a system index yourself when delivering an ACL rule with this command. However, it is not recommended to assign a system index manually unless necessary.

 

Note:

If you remove a card with QoS/ACL configured while the system is operating, the corresponding system index value is automatically released and is then used for a newly delivered flow rule. Once the system index value is occupied, the original configuration cannot be restored even if you insert the removed card back.

 

See the corresponding Command Manual for details of the commands.

2.2.11  Displaying and Debugging QoS Configuration

After these configurations are completed, you can use the display command in any view to view the QoS running state and check the configuration result. You can clear QoS statistics using the reset traffic-statistic command in Ethernet port view.

Table 2-19 Display and debug QoS configurations

Operation

Command

Display traffic mirroring configuration of a port

display qos-interface [ interface-type interface-number ] mirrored-to

Display traffic priority configuration of a port

display qos-interface [ interface-type interface-number ] traffic-priority

Display traffic redirection configuration of a port

display qos-interface [ interface-type interface-number ] traffic-redirect

Display traffic statistics of a port

display qos-interface [ interface-type interface-number ] traffic-statistic

Display port mirroring configuration

display mirroring-group [ groupid ]

Display QoS configurations of all ports or the specified port

display qos-interface [ interface-type interface-number ] all

Display the drop mode of the port outbound queue

display qos-interface [ interface-type interface-number ] drop-mode

Display traffic limit configuration of a port

display qos-interface [ interface-type interface-number ] traffic-limit

Display queue scheduling configuration of a port

display qos-interface [ interface-type interface-number ] queue-scheduler

Display traffic shaping configuration of a port

display qos-interface [ interface-type interface-number ] traffic-shape

Display the parameter settings for traffic policing

display traffic-params [ traffic-index ]

Display QoS configuration of a VLAN

display qos-vlan [ vlan-id ] all

Display traffic priority configuration of a VLAN

display qos-vlan [ vlan-id ] traffic-priority

Display traffic limit configuration of a VLAN

display qos-vlan [ vlan-id ] traffic-limit

Display traffic redirection configuration of a VLAN

display qos-vlan [ vlan-id ] traffic-redirect

Display traffic statistics of a VLAN

display qos-vlan [ vlan-id ] traffic-statistic

Display the DSCP + Conform-level > Service parameter, EXP + Conform-level > Service parameter and Local-precedence + Conform-level > 802.1p priority mapping tables

display qos conform-level [ conform-level-value ] { dscp-policed-service-map [ dscp-list ] | exp-policed-service-map | local-precedence-cos-map }

Display the CoS > Drop-precedence mapping table

display qos cos-drop-precedence-map

Display the CoS > Local-precedence mapping table

display qos cos-local-precedence-map

Clear traffic statistics

reset traffic-statistic inbound { { ip-group { acl-number | acl-name } rule rule | link-group { acl-number | acl-name } }* | { ip-group { acl-number | acl-name } | link-group { acl-number | acl-name } rule rule }* | ip-group { acl-number | acl-name } rule rule link-group { acl-number | acl-name } rule rule }

 

See the corresponding Command Manual for description of display information and parameters.

2.3  QoS Configuration Example

2.3.1  Traffic Shaping Configuration Example

I. Network requirements

Set traffic shaping for the outbound queue 2 at the port GE7/1/8, with the maximum rate of 650 Kbps and the burst size of 12 KB.

II. Network diagram

Figure 2-5 Network diagram for QoS configuration

III. Configuration procedure

# Enter Ethernet port view.

[H3C] interface GigabitEthernet 7/1/8

[H3C-GigabitEthernet7/1/8]

# Set traffic shaping for the outbound queue 2 at the port: maximum rate 650 Kbps, burst size 12 KB.

[H3C-GigabitEthernet7/1/8] traffic-shape queue 2 650 12

2.3.2  Port Mirroring Configuration Example

I. Network requirements

Use one server to monitor the packets of two ports. R&D department is accessed from the port GE3/1/1 and sales department from the port GE3/1/2. The server is connected to the port GE3/1/8.

II. Network diagram

Figure 2-6 Networking for port mirroring configuration

III. Configuration procedure

# Define a mirroring group, with monitoring port as GigabitEthernet3/1/8.

[H3C] mirroring-group 1 inbound gigabitethernet3/1/1 gigabitethernet3/1/2 mirrored-to gigabitethernet3/1/8

[H3C] mirroring-group 2 outbound gigabitethernet3/1/1 gigabitethernet3/1/2 mirrored-to gigabitethernet3/1/8

2.3.3  Traffic Priority Configuration Example

I. Network requirements

Re-allocate service parameters according to the mapping table for DSCP 63 for the packets from PC1 (IP 1.0.0.1) during the time range 8:00 to 18:00 every day.

II. Network diagram

Figure 2-7 Network diagram for priority configuration

III. Configuration procedure

1)         Define the time range.

# Define the time range from 8:00 to 18:00.

[H3C] time-range H3C 8:00 to 18:00 daily

2)         Define the traffic from PC1.

# Create a number-based basic ACL 2000 and enter it.

[H3C] acl number 2000

# Define ACL rule for the traffic from PC1.

[H3C-acl-basic-2000] rule 0 permit source 1.0.0.1 0 time-range H3C

3)         Define the CoS> Conform-Level mapping table.

# Define the CoS> Conform-Level mapping table. The switch allocates drop precedence (all as 0 for the sake of simplification) for them when receiving packets.

[H3C] qos cos-drop-precedence-map 0 0 0 0 0 0 0 0

The modified CoS> Conform-Level mapping table:

Table 2-20 Modified CoS> Conform-Level mapping table

CoS Value    Drop-precedence
0            0
1            0
2            0
3            0
4            0
5            0
6            0
7            0

 

4)         Define the DSCP + Conform-Level > Service parameter mapping table.

# Define the DSCP + Conform-Level > Service parameter mapping table. Allocate a set of service parameters for the packets from PC1 according to the mapping table for DSCP 63.

[H3C] qos conform-level 0

[H3C-conform-level-0] dscp 63 : 32 4 4 4 0

The modified DSCP + Conform-Level > Service parameter mapping table:

Table 2-21 Modified DSCP + Conform-Level > Service parameter mapping table

DSCP  CL  Policed-DSCP  Policed-exp  Policed-802.1p  Policed-Localprec  Policed-DropPrecedence
63    0   32            4            4               4                  0

 

5)         Re-allocate service parameters for the packets from PC1.

# Re-allocate service parameters for the packets from PC1.

[H3C-GigabitEthernet7/1/1] traffic-priority inbound ip-group 2000 remark-policed-service dscp 63

2.3.4  Traffic Redirection Configuration Example

I. Network requirements

Forward the packets sent from PC1 (IP 1.0.0.1) during the time range from 8:00 to 18:00 every day to the address 2.0.0.1.

II. Network diagram

Figure 2-8 Network diagram for traffic redirection configuration

III. Configuration procedure

1)         Define the time range.

# Define the time range from 8:00 to 18:00.

[H3C] time-range H3C 8:00 to 18:00 daily

2)         Define the traffic from PC1.

# Create a number-based basic ACL 2000 and enter it.

[H3C] acl number 2000

# Define ACL rule for the traffic from PC1.

[H3C-acl-basic-2000] rule 0 permit source 1.0.0.1 0 time-range H3C

3)         Modify the next hop for the packets from PC1.

# Define the next hop for the packets from PC1 as 2.0.0.1.

[H3C-GigabitEthernet7/1/1] traffic-redirect inbound ip-group 2000 rule 0 next-hop 2.0.0.1

2.3.5  Queue Scheduling Configuration Example

I. Network requirements

Modify the correspondence between 802.1p priority levels and local priority levels to change the mapping between 802.1p priority levels and queues. That is, put packets into outbound queues according to the new mapping. Use WRR algorithm for the queues 0 to 5 at the port GE7/1/1. Set the queues 0, 1 and 2 into WRR queue 1, with weight respectively as 20, 20 and 30; set the queues 3, 4 and 5 into WRR queue 2, with weight respectively as 20, 20 and 40. The queues 6 and 7 use SP algorithm. See Queue Scheduling for the default mapping.

Table 2-22 802.1p priority > Local precedence mapping table

802.1p priority    Local precedence
0                  7
1                  6
2                  5
3                  4
4                  3
5                  2
6                  1
7                  0

 

II. Network diagram

Figure 2-9 Network diagram for queue-schedule configuration

III. Configuration procedure

# Re-specify the mapping between 802.1p priority and local precedence.

[H3C] qos cos-local-precedence-map 7 6 5 4 3 2 1 0

# Use WRR algorithm for the queues 0 to 5. Set the queues 0, 1 and 2 into WRR queue 1, with weight respectively as 20, 20 and 30; set the queues 3, 4 and 5 into WRR queue 2, with weight respectively as 20, 20 and 40. Use SP algorithm for the queues 6 and 7.

[H3C-GigabitEthernet7/1/1] queue-scheduler wrr group1 0 20 1 20 2 30 group2 3 20 4 20 5 40

[H3C] display qos-interface GigabitEthernet7/1/1 queue-scheduler

GigabitEthernet7/1/1 Port scheduling:

 QID:   scheduling-group     weight

-----------------------------------

  0 :   wrr , group1           20

  1 :   wrr , group1           20

  2 :   wrr , group1           30

  3 :   wrr , group2           20

  4 :   wrr , group2           20

  5 :   wrr , group2           40

  6 :   sp                      0

  7 :   sp                      0

2.3.6  WRED Parameters Configuration Example

I. Network requirements

Set WRED parameters and drop algorithm for packets at the port GE7/1/1: Configure parameters for WRED 0; outbound queue ID is 7; green-min-threshold is 150; green-max-threshold is 500; green-max-prob is 5; yellow-min-threshold is 100; yellow-max-threshold is 150; yellow-max-prob is 10; red-min-threshold is 50; red-max-threshold is 100; red-max-prob is 15; exponent is 10; the port is in WRED drop mode; import the parameters of WRED 0.

II. Network diagram

Figure 2-10 Network diagram for WRED parameters configuration

III. Configuration procedure

1)         Configure WRED parameters

# Configure parameters for WRED 0.

[H3C] wred 0

[H3C-wred-0] queue 7 150 500 5 100 150 10 50 100 15 10

2)         Set drop algorithm and thresholds.

# Set the port GE7/1/1 to WRED drop mode, using the parameters of WRED 0.

[H3C-GigabitEthernet7/1/1] drop-mode wred 0

2.3.7  Traffic Statistics Configuration Example

I. Network requirements

Suppose the IP address of PC1 is 1.0.0.1 and that of PC2 is 2.0.0.1. The switch is up-linked through the port GE7/1/8. Count the packets sent from the switch to PC1 during the time range from 8:00 to 18:00 every day.

II. Network diagram

Figure 2-11 Network diagram for traffic statistics configuration

III. Configuration procedure

1)         Define the time range.

# Define the time range from 8:00 to 18:00.

[H3C] time-range H3C 8:00 to 18:00 daily

2)         Define the traffic from PC1.

# Define ACL rule for the traffic from PC1.

[H3C] acl number 2000

[H3C-acl-basic-2000] rule 0 permit source 1.0.0.1 0.0.0.0 time-range H3C

3)         Count the packets to PC1 and display the result using the display command.

[H3C-GigabitEthernet7/1/1] traffic-statistic inbound ip-group 2000 rule 0

[H3C] display qos-interface GigabitEthernet7/1/1 traffic-statistic

GigabitEthernet7/1/1: traffic-statistic

Inbound:

   Matches: Acl 2000 rule 0  running

     12002688 bytes  (green 1270244416 byte(s), yellow 1895874880 byte(s), red 704683968 byte(s) )

     3333270 packets  (green 0 byte(s), yellow 0 byte(s), red 0 byte(s) )

 


Chapter 3  Logon User ACL Control Configuration

3.1  Overview

Currently, an S9500 series switch provides the following three methods of remote access:

l           Telnet

l           Secure shell (SSH)

l           Simple network management protocol (SNMP)

An S9500 series switch provides security control for these three access methods to prevent unauthorized users from logging in and accessing it. There are two levels of security control:

l           The first level is implemented by applying ACLs to filter the users that are to connect to the switch. Only authorized users are capable of accessing the switch.

l           At the second level, a connected user can log into the switch only after passing password authentication.

This chapter mainly describes how to configure the first level security control over these access measures, that is, how to filter the users logging onto the switch with ACL. For detailed description about how to configure the second level security, refer to the Getting Started part of this manual.

3.2  Configuring ACL for Telnet/SSH Users

You can configure ACLs for the users who access the switch through Telnet or SSH to filter out the malicious or unauthorized connection requests before the password authentication to secure the switch.

3.2.1  Configuration Prerequisites

You have correctly configured Telnet or SSH login to the switch.

3.2.2  Configuration Tasks

Table 3-1 Configuration tasks

Configuration procedure

Command

Description

Enter system view

system-view

-

Define an ACL and enter ACL view

acl number acl-number [ match-order { config | auto } ]

Required. The command can only define a number-based ACL.

Define rules

Basic ACL view

rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ]*

When basic or advanced ACLs are used for Telnet and SSH users, only the source-addr and wildcard parameters, the dest-addr and wildcard parameters, and the time-range keyword in the command are valid.

Advanced ACL view

rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [bt-flag ] [time-range name ] [ vpn-instance instance-name ]

Layer 2 ACL view

rule [ rule-id ] { permit | deny } [ cos cos-value | c-tag-cos c-cos-value | exp exp-value | protocol-type { pppoe-data | rarp } | ingress { { source-vlan-id [ to source-vlan-id-end ] | source-mac-addr source-mac-wildcard | c-tag-vlan c-tag-vlanid }* | any } | egress { dest-mac-addr dest-mac-wildcard | any } | s-tag-vlan s-tag-vlanid | time-range name ]*

When a Layer 2 ACL is used for Telnet and SSH users, only the source-mac-addr and source-mac-wildcard parameters and the time-range keyword in the command are valid.

Exit ACL view

quit

-

Enter user interface view

user-interface [ type ] first-number

-

Apply ACLs to restrict inbound/outbound requests of Telnet or SSH users

Apply basic or advanced ACLs

acl acl-number1 { inbound | outbound }

The acl-number1 parameter indicates the number of the basic or advanced ACLs, in the range of 2,000 to 3,999.

Apply Layer 2 ACLs

acl acl-number2 inbound

The acl-number2 parameter indicates the number of the Layer 2 ACL, in the range of 4,000 to 4,999.

 

By default, the system does not restrict incoming/outgoing requests.

 

Note:

l      You can only use number-based ACLs to implement the ACL control to Telnet or SSH users.

l      When you use the basic or advanced ACL to implement the ACL control to Telnet or SSH users, the incoming/outgoing requests are restricted based on the source or destination IP addresses. Therefore, only the source-addr and the wildcard, and dest-addr and the wildcard parameters, and the time-range keyword in the corresponding command are valid. Similarly, when you use the Layer 2 ACL to implement the ACL control to the Telnet or SSH users, the incoming/outgoing requests are restricted based on the source MAC address. Therefore, only the source-mac-addr and the source-mac-wildcard parameters, and the time-range keyword in the corresponding command are valid.

l      When you use Layer 2 ACLs to implement the ACL control to the Telnet or SSH users, only incoming requests are restricted.

l      If a user fails to log in due to ACL restriction, the system logs the user failure, including the IP address, login method, user interface index value and failure reason.

 

3.2.3  Layer 2 ACL Control Configuration Example

I. Network requirements

Only the Telnet users with source MAC addresses 00e0-fc01-0101 and 00e0-fc01-0303 are allowed to access the switch.

II. Network diagram

Figure 3-1 Network diagram for source MAC address control over Telnet users

III. Configuration procedure

# Define a Layer 2 ACL.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 4000 match-order config

# Define rules.

[H3C-acl-link-4000] rule 1 permit ingress 00e0-fc01-0101 0000-0000-0000

[H3C-acl-link-4000] rule 2 permit ingress 00e0-fc01-0303 0000-0000-0000

[H3C-acl-link-4000] rule 3 deny ingress any

[H3C-acl-link-4000] quit

# Enter user interface view.

[H3C] user-interface vty 0 4

# Apply the Layer 2 ACL to restrict incoming requests.

[H3C-user-interface-vty0-4] acl 4000 inbound

3.2.4  Basic ACL Control Configuration Example

I. Network requirements

Only the Telnet users with IP addresses of 10.110.100.52 and 10.110.100.46 can access the switch.

II. Network diagram

Figure 3-2 Network diagram for source IP control over Telnet users

III. Configuration procedure

# Define a basic ACL.

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000 match-order config

# Define rules.

[H3C-acl-basic-2000] rule 1 permit source 10.110.100.52 0

[H3C-acl-basic-2000] rule 2 permit source 10.110.100.46 0

[H3C-acl-basic-2000] rule 3 deny source any

[H3C-acl-basic-2000] quit

# Enter user interface view.

[H3C] user-interface vty 0 4

# Apply the ACL.

[H3C-user-interface-vty0-4] acl 2000 inbound

3.3  Configuring ACL for SNMP Users

S9500 series switches can be managed remotely through a network management system (NMS). Administrators can use SNMP to access an S9500 series switch. Proper ACL configuration can prevent unauthorized network management users from logging onto the switch.

3.3.1  Configuration Prerequisites

You have correctly configured SNMP login to the switch.

3.3.2  Configuration Tasks

Table 3-2 Configuration tasks

Configuration procedure

Command

Description

Enter system view

system-view

-

Define an ACL and enter ACL view

acl number acl-number [ match-order { config | auto } ]

Required. This command can only define a number-based basic ACL. The acl-number parameter ranges from 2,000 to 2,999.

Define basic ACL rules

rule [ rule-id ] { permit | deny } [ source { source-addr wildcard | any } | fragment | time-range name | vpn-instance instance-name ]*

Required

Exit ACL view

quit

-

Apply the ACL to control SNMP users

Apply the ACL in the snmp-agent community command

snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number ]

The SNMP community name is a feature of SNMP V1 and SNMP V2. Applying an ACL in the snmp-agent community command filters the network management systems based on SNMP V1 and SNMP V2.

Apply the ACL in the snmp-agent group command

snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

The SNMP group and user name are features of SNMP V2 and later. Applying ACLs in the snmp-agent group, snmp-agent group v3, snmp-agent usm-user, and snmp-agent usm-user v3 commands filters the network management systems based on SNMP V2 and later.

If you apply ACLs in both groups of commands simultaneously, the switch filters network management users according to both features.

Import the ACL into the snmp-agent usm-user command

snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]

snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy-mode des56 priv-password ] [ acl acl-number ]

 

Note:

l      You can apply different ACLs in the snmp-agent community, snmp-agent group and snmp-agent usm-user commands.

l      You can only apply number-based basic ACLs to implement ACL control over SNMP users.

 

For the detailed description of these commands, refer to the Command Manual.

3.3.3  ACL Control over SNMP Users Configuration Example

I. Network requirements

Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the switch.

II. Network diagram

Figure 3-3 Network diagram for ACL control over SNMP users

III. Configuration procedure

# Define a basic ACL and the rules.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 2000 match-order config

[H3C-acl-basic-2000] rule 1 permit source 10.110.100.52 0

[H3C-acl-basic-2000] rule 2 permit source 10.110.100.46 0

[H3C-acl-basic-2000] rule 3 deny source any

[H3C-acl-basic-2000] quit

# Apply the ACL.

[H3C] snmp-agent community read H3C acl 2000

[H3C] snmp-agent group v3 H3Cgroup acl 2000

[H3C] snmp-agent usm-user v3 H3Cuser H3Cgroup acl 2000
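The logon ACL check of sections 3.2.3, 3.2.4 and 3.3.3 modelled in Python, as an added example that is not H3C code: it applies the page's basic ACL 2000 and Layer 2 ACL 4000 with match-order config, and on a denied login records the fields the note in 3.2.2 says are logged. The ip_to_int, mac_to_int, Acl and check_login names are constructed; the treatment of a request matching no rule and the ordering used for match-order auto are assumptions, not statements of this manual.

```python
"""Model of the logon ACL control in Chapter 3 (constructed example, not H3C code).

A basic ACL (2000-2999) matches the source IP address against `source-addr
wildcard`; a Layer 2 ACL (4000-4999) matches the source MAC address against
`source-mac-addr source-mac-wildcard`. With match-order config the rules are
tried in configuration order and the first match decides.

Assumptions not stated in the manual: a request matching no rule is permitted
(which is why the examples end with an explicit deny rule), and match-order
auto is modelled as "most specific wildcard first".
"""
from dataclasses import dataclass, field
from typing import List, Optional


def ip_to_int(text):
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {text}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def ip_wildcard_to_int(text):
    # The examples write an exact-match wildcard as plain "0" or as "0.0.0.0".
    return 0 if text == "0" else ip_to_int(text)


def mac_to_int(text):
    groups = text.lower().split("-")
    if len(groups) != 3 or not all(len(g) == 4 for g in groups):
        raise ValueError(f"bad MAC address: {text}")
    try:
        return int("".join(groups), 16)
    except ValueError:
        raise ValueError(f"bad MAC address: {text}") from None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str               # "permit" or "deny"
    addr: Optional[int]       # None means "any"
    wildcard: int = 0         # 1 bits are "don't care"

    def matches(self, value):
        if self.addr is None:
            return True
        return (value & ~self.wildcard) == (self.addr & ~self.wildcard)


@dataclass
class Acl:
    number: int
    match_order: str = "config"
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        self.kind  # validate the number range up front

    @property
    def kind(self):
        if 2000 <= self.number <= 2999:
            return "basic"
        if 4000 <= self.number <= 4999:
            return "link"
        raise ValueError("logon control takes basic (2000-2999) or Layer 2 (4000-4999) ACLs")

    def _parse(self, text):
        return ip_to_int(text) if self.kind == "basic" else mac_to_int(text)

    def _parse_wildcard(self, text):
        return ip_wildcard_to_int(text) if self.kind == "basic" else mac_to_int(text)

    def rule(self, rule_id, action, source="any", wildcard=None):
        """Mirror of `rule N {permit|deny} source ADDR WILDCARD` / `... ingress MAC WILDCARD`."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if source == "any":
            self.rules.append(Rule(rule_id, action, None))
        else:
            if wildcard is None:
                raise ValueError("a wildcard is required with an explicit source")
            self.rules.append(Rule(rule_id, action, self._parse(source),
                                   self._parse_wildcard(wildcard)))
        return self

    def ordered_rules(self):
        if self.match_order == "config":
            return list(self.rules)
        # auto (depth-first): fewer wildcard bits first, "any" rules last
        return sorted(self.rules,
                      key=lambda r: (r.addr is None, bin(r.wildcard).count("1"), r.rule_id))

    def evaluate(self, source_text):
        """Return (action, rule_id) of the first matching rule."""
        value = self._parse(source_text)
        for r in self.ordered_rules():
            if r.matches(value):
                return r.action, r.rule_id
        return "permit", None   # assumption: an unmatched request is not filtered


def check_login(acl, source, method, vty_index):
    """Return (allowed, log_entry); log_entry is None when the login passes the ACL."""
    action, rule_id = acl.evaluate(source)
    if action == "permit":
        return True, None
    return False, {"address": source, "login_method": method,
                   "user_interface": f"vty{vty_index}",
                   "reason": f"denied by ACL {acl.number} rule {rule_id}"}
```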

 


Chapter 4  VLAN-ACL Configuration

4.1  VLAN-ACL Overview

VLAN-ACL is VLAN-based ACL. You can configure QACL for a VLAN to control accesses made to all ports in the VLAN.

VLAN-ACL enables you to manage a network in an easier way. After you configure QACL for a VLAN, the system synchronizes the configuration to all member ports in the VLAN automatically. Therefore you need not configure QACL for every port.

4.2  VLAN-ACL Configuration

4.2.1  Configuration Prerequisites

The VLAN for which you configure QACL must meet the following requirements:

l           The VLAN has member ports.

l           The VLAN has no POS ports.

l           The VLAN has no MPLS intermixing ports.

l           The default flow template is applied to ports in the VLAN.

4.2.2  Configuring a VLAN-ACL

Table 4-1 Configure a VLAN-ACL

Configuration step

Command

Description

Enter system view

system-view

-

Create an ACL and enter the corresponding view

acl { number acl-number | name acl-name [ advanced | basic ] } [ match-order { config | auto } ]

Only basic and advanced ACLs (and their rules) are applicable to VLAN-ACL.

Define a rule

rule

Required

Quit ACL view

quit

-

Enter VLAN view

vlan vlan-id

VLAN-ACL is prohibited from being applied to the VLAN containing POS or MPLS intermixing ports.

Configure packet filtering (activating ACLs)

packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

Optional

 

traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ]

 

Tag priority for packets

traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }

Optional

Configure packet redirection

traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] }

Optional

When executed in VLAN view, the traffic-redirect command only redirects packets to the next hop or the CPU, not to ports or service processor cards. In this case, the nested-vlan and modified-vlan keywords are not supported.

Configure traffic mirroring

mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu

Optional

Configure traffic statistics

traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]

Optional

Quit VLAN view

quit

-

Enter Ethernet port view

interface interface-type interface-number

The port type can only be Ethernet.

Manually synchronize the QACL configuration to specified ports

port can-access vlan-acl vlan vlan-id

Optional

View the ports to which the VLAN-ACL configuration is synchronized in the VLAN

display vlan-acl-member-ports vlan vlan-id

You can use this command in any view.

 

The VLAN-ACL configuration is subject to the following limitations:

1)         Limitations on flow templates:

l           The system only applies VLAN-ACL to ports with the default flow template applied. The fields used by the applied ACL rule must be specified by the default flow template.

l           If no port in a VLAN has ACL rules applied to it, the system checks all ports in the VLAN when applying an ACL rule in VLAN view, and refuses to apply the rule if any port in the VLAN has a customized flow template applied.

l           If a VLAN-ACL is applied to some of the ports in a VLAN, a port with a customized flow template applied can still be added to the VLAN, but the system will fail to apply the VLAN-ACL to the newly added port. That is, the VLAN-ACL applied in VLAN view takes effect on all the ports in the VLAN except the newly added one. However, if the customized flow template is deleted from that port, the system applies the QACL rules of the VLAN to it automatically.

l           You cannot change the flow template of a port that already has a VLAN-ACL applied to a customized flow template.

2)         If both a VLAN and one of its ports have QACL rules applied, only those applied to the port work. In this case, the VLAN-ACL takes effect only after the QACL rules and the self-defined flow template on the port are deleted.

3)         When the VLAN contains no ports, the system is prohibited from applying VLAN-ACL (including adding and deleting rules).

4)         Two ports differing in VLAN-ACL configuration cannot be aggregated dynamically.

5)         A VLAN-ACL is prohibited from being applied to a VLAN bounded to POS ports. That is, VLAN-ACL is prohibited from being applied to POS ports.

6)         A VLAN-ACL is prohibited from being applied to a VLAN containing intermixing ports. Similarly, a VLAN with a VLAN-ACL applied to is prohibited from being used for MPLS intermixing.

 

Caution:

VLAN-ACL does not take effect on the ports of the XP4 card.

 
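The limitations above and the XP4 caution are easy to get wrong when a VLAN-ACL is pushed to many VLANs from automation, so it helps to check them before issuing the VLAN-view commands. The following Python pre-check is an added example, not code from the manual or from H3C software: the Port and Vlan classes, the match-field names such as "source-ip", and the assumed contents of the default flow template are all this example's own assumptions. It returns the conditions that would make the switch refuse the VLAN-ACL separately from the ports on which the VLAN-ACL would be accepted but have no effect.

```python
"""Pre-check for applying a VLAN-ACL, following the six limitations the
manual lists plus the XP4 caution (added example; the Port/Vlan model and
the field names are assumptions, not H3C data structures)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class Port:
    name: str
    flow_template: str = "default"   # "default" or the name of a customized template
    port_qacl_rules: int = 0         # QACL rules applied directly in port view
    is_pos: bool = False             # POS interface
    card: str = ""                   # card type label, e.g. "XP4" (assumed label)
    intermixing: bool = False        # port used for MPLS intermixing
    vlan_acls: FrozenSet[int] = frozenset()  # ACL numbers already synced to the port


@dataclass
class Vlan:
    vlan_id: int
    ports: List[Port] = field(default_factory=list)
    vlan_acl_applied: bool = False   # a VLAN-ACL rule is already applied in this VLAN view


def vlan_acl_apply_check(vlan: Vlan, rule_fields: FrozenSet[str],
                         default_template_fields: FrozenSet[str]) -> Dict[str, List[str]]:
    """Return {"blocked": [...], "warnings": [...]}.

    An empty "blocked" list means the switch would accept the VLAN-ACL;
    "warnings" names ports on which the VLAN-ACL is accepted but ineffective.
    rule_fields are the fields the ACL rule matches; default_template_fields
    are the fields the default flow template carries (both constructed inputs).
    """
    blocked: List[str] = []
    warnings: List[str] = []

    # Limitation 3: a VLAN without ports cannot have VLAN-ACL rules added or deleted.
    if not vlan.ports:
        blocked.append(f"VLAN {vlan.vlan_id} contains no ports")
        return {"blocked": blocked, "warnings": warnings}

    # Limitation 1: every field the rule matches must exist in the default flow template.
    missing = rule_fields - default_template_fields
    if missing:
        blocked.append(f"rule fields not in default flow template: {sorted(missing)}")

    for p in vlan.ports:
        # Limitation 5: no VLAN-ACL on a VLAN bound to POS ports.
        if p.is_pos:
            blocked.append(f"{p.name}: POS port in VLAN {vlan.vlan_id}")
        # Limitation 6: no VLAN-ACL on a VLAN containing MPLS intermixing ports.
        if p.intermixing:
            blocked.append(f"{p.name}: MPLS intermixing port in VLAN {vlan.vlan_id}")
        # Limitation 1: a customized flow template blocks the first VLAN-ACL in the
        # VLAN; once a VLAN-ACL already exists, such a port is merely skipped.
        if p.flow_template != "default":
            if vlan.vlan_acl_applied:
                warnings.append(f"{p.name}: customized flow template, VLAN-ACL not applied to it")
            else:
                blocked.append(f"{p.name}: customized flow template '{p.flow_template}'")
        # Limitation 2: QACL rules applied in port view take precedence over the VLAN-ACL.
        if p.port_qacl_rules:
            warnings.append(f"{p.name}: {p.port_qacl_rules} port QACL rule(s) override the VLAN-ACL")
        # Caution: ports of the XP4 card ignore the VLAN-ACL.
        if p.card == "XP4":
            warnings.append(f"{p.name}: XP4 card port, VLAN-ACL has no effect")

    return {"blocked": blocked, "warnings": warnings}


def can_aggregate_dynamically(a: Port, b: Port) -> bool:
    """Limitation 4: only ports with identical VLAN-ACL configuration can be
    dynamically aggregated (modelled here as the set of synced ACL numbers)."""
    return a.vlan_acls == b.vlan_acls


# Constructed sample data mirroring the manual's example: VLAN 2 with two
# GigabitEthernet ports on the default flow template.
DEFAULT_FIELDS = frozenset({"source-ip", "dest-ip", "protocol", "time-range"})  # assumed contents

VLAN2 = Vlan(2, [Port("GigabitEthernet7/1/1"), Port("GigabitEthernet7/1/2")])
# A constructed VLAN where one port uses a customized template and another has port rules.
VLAN3 = Vlan(3, [Port("GigabitEthernet7/1/3", flow_template="tpl-custom"),
                 Port("GigabitEthernet7/1/4", port_qacl_rules=2)])

if __name__ == "__main__":
    for v in (VLAN2, VLAN3):
        print(v.vlan_id, vlan_acl_apply_check(v, frozenset({"source-ip", "time-range"}), DEFAULT_FIELDS))
```

Run the check before entering VLAN view; a non-empty "blocked" list corresponds to a command the switch would reject, while "warnings" identifies ports whose traffic would silently bypass the redirect, mirror or statistics action.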

4.2.3  VLAN-ACL Configuration Example

I. Network requirements

Set the next hop IP address of all the packets forwarded by GigabitEthernet7/1/1 and GigabitEthernet7/1/2 ports from 8:00 to 18:00 every day to 3.0.0.1.

II. Network diagram

Figure 4-1 Network diagram for VLAN-ACL configuration

III. Configuration procedure

1)         Define the time range.

# Define the time range from 8:00 to 18:00.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range H3C 8:00 to 18:00 daily

2)         Define traffic rules.

# Create ACL 2000 and enter the corresponding view.

[H3C] acl number 2000

# Define a traffic classification rule that matches all packets and permits them during the specified time range.

[H3C-acl-basic-2000] rule 0 permit source any time-range H3C

[H3C-acl-basic-2000] quit

3)         Configure packet redirection in VLAN 2.

# Set the next hop IP addresses of all the packets forwarded on ports in VLAN 2 to 3.0.0.1.

[H3C] vlan 2

[H3C-vlan2] traffic-redirect inbound ip-group 2000 rule 0 next-hop 3.0.0.1

4)         View configuration.

# Check that the VLAN-ACL has been synchronized to all ports in VLAN 2 (ports GigabitEthernet7/1/1 and GigabitEthernet7/1/2).

[H3C-vlan2] display vlan-acl-member-ports vlan 2

Vlan-acl member port(s):

      GigabitEthernet7/1/1     GigabitEthernet7/1/2
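The last step of the procedure only works if someone reads the display output and remembers that the redirect is active only inside the time range. As an added example that is not part of the manual, the Python below parses a copy of the display output shown above, reports any expected port missing from the VLAN-ACL member list, and evaluates the daily time-range line so a monitoring job can tell whether the redirect to 3.0.0.1 should be in effect at a given moment. The parsing approach and the half-open reading of the time window are this example's assumptions.

```python
"""Verify the VLAN-ACL example: parse the 'display vlan-acl-member-ports'
output and evaluate the daily time-range (added example; parsing and the
time-range interpretation are this example's assumptions)."""
import re
from datetime import datetime, time
from typing import Set, Tuple

# Constructed copy of the display output shown in the manual's example.
SAMPLE_OUTPUT = """\
Vlan-acl member port(s):
      GigabitEthernet7/1/1     GigabitEthernet7/1/2
"""

EXPECTED_PORTS = {"GigabitEthernet7/1/1", "GigabitEthernet7/1/2"}
TIME_RANGE_LINE = "time-range H3C 8:00 to 18:00 daily"  # as configured in the example

_TR_RE = re.compile(
    r"^time-range\s+(\S+)\s+(\d{1,2}):(\d{2})\s+to\s+(\d{1,2}):(\d{2})\s+daily$")


def parse_member_ports(output: str) -> Set[str]:
    """Collect every port name listed after the 'Vlan-acl member port(s):' header."""
    ports: Set[str] = set()
    in_list = False
    for line in output.splitlines():
        if line.strip().lower().startswith("vlan-acl member port"):
            in_list = True
            continue
        if in_list:
            # Port names start with a letter; this skips stray numbers or blanks.
            ports.update(tok for tok in line.split() if tok[0].isalpha())
    return ports


def missing_ports(output: str, expected: Set[str]) -> Set[str]:
    """Ports that should carry the VLAN-ACL but are absent from the display output."""
    return set(expected) - parse_member_ports(output)


def parse_daily_time_range(line: str) -> Tuple[str, time, time]:
    """Parse only the 'HH:MM to HH:MM daily' form used in the example."""
    m = _TR_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported time-range syntax: {line!r}")
    name = m.group(1)
    h1, m1, h2, m2 = (int(g) for g in m.groups()[1:])
    return name, time(h1, m1), time(h2, m2)


def time_range_active(line: str, at: datetime) -> bool:
    """True when 'at' falls inside the daily window (assumed half-open: start <= t < end)."""
    _, start, end = parse_daily_time_range(line)
    return start <= at.time() < end


def redirect_in_effect(output: str, expected: Set[str], tr_line: str, at: datetime) -> bool:
    """The redirect covers all expected ports only if every one of them is a
    VLAN-ACL member and the time-range is currently active."""
    return not missing_ports(output, expected) and time_range_active(tr_line, at)


if __name__ == "__main__":
    now = datetime.now()
    print("missing:", missing_ports(SAMPLE_OUTPUT, EXPECTED_PORTS))
    print("redirect in effect now:", redirect_in_effect(SAMPLE_OUTPUT, EXPECTED_PORTS, TIME_RANGE_LINE, now))
```

A port that drops out of the member list (for example after a customized flow template is applied to it, as the limitations above describe) shows up in missing_ports, which is the condition worth alerting on because traffic from that port would no longer be redirected.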
