HP MSR4080 User manual
HP MSR Router Series
A
CL and QoS
Configuration Guide(V7)
Part number: 5998-6351
Software version: CMW710-R0106
Document version: 6PW101-20140807
Legal and notice information
© Copyright 2014 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
i
Contents
Legal and notice information·········································································································································i
Configuring ACLs························································································································································· 5
Overview············································································································································································5
ACL categories ·························································································································································5
Numbering and naming ACLs ································································································································5
Match order ······························································································································································5
Rule numbering·························································································································································6
Fragments filtering with ACLs··································································································································7
Configuration task list ·······················································································································································7
Configuring a basic ACL··················································································································································7
Configuring an IPv4 basic ACL ······························································································································8
Configuring an IPv6 basic ACL ······························································································································8
Configuring an advanced ACL········································································································································9
Configuring an IPv4 advanced ACL·······················································································································9
Configuring an IPv6 advanced ACL···················································································································· 10
Configuring an Ethernet frame header ACL················································································································ 11
Copying an ACL ···························································································································································· 12
Configuring packet filtering with ACLs ························································································································ 12
Applying an ACL to an interface for packet filtering························································································· 12
Applying an ACL to an interzone instance for packet filtering ········································································ 13
Setting the interval for generating and outputting packet filtering logs··························································· 13
Setting the packet filtering default action ··········································································································· 13
Displaying and maintaining ACLs································································································································ 14
ACL configuration example ·········································································································································· 15
Network requirements··········································································································································· 15
Configuration procedure ······································································································································ 15
Verifying the configuration··································································································································· 16
QoS overview·····························································································································································17
QoS service models ······················································································································································· 17
Best-effort service model ······································································································································· 17
IntServ model ························································································································································· 17
DiffServ model ······················································································································································· 17
QoS techniques overview ············································································································································· 17
Deploying QoS in a network ······························································································································· 18
QoS processing flow in a device ························································································································ 19
Configuring a QoS policy·········································································································································20
Non-MQC approach····················································································································································· 20
MQC approach ····························································································································································· 20
Configuration procedure diagram ······························································································································· 20
Defining a traffic class ··················································································································································· 21
Defining a traffic behavior ············································································································································ 21
Defining a QoS policy··················································································································································· 22
Configuring a parent policy································································································································· 22
Configuring a child policy···································································································································· 22
Applying the QoS policy··············································································································································· 23
Applying the QoS policy to an interface or PVC······························································································· 23
i
Applying the QoS policy to the control plane···································································································· 24
Applying the QoS policy to the management interface control plane ···························································· 25
Configuring the QoS policy-based traffic rate statistics collection period for an interface···································· 25
Displaying and maintaining QoS policies ·················································································································· 26
Configuring priority mapping ···································································································································28
Overview········································································································································································· 28
Introduction to priorities········································································································································ 28
Priority maps ·························································································································································· 28
Priority mapping configuration tasks ··························································································································· 29
Configuring an uncolored priority map······················································································································· 29
Configuring a port to trust packet priority for priority mapping ··············································································· 30
Changing the port priority of an interface ·················································································································· 30
Displaying and maintaining priority mapping············································································································ 30
Port priority configuration example······························································································································ 31
Network requirements··········································································································································· 31
Configuration procedure ······································································································································ 31
Priority mapping table and priority marking configuration example ······································································· 32
Network requirements··········································································································································· 32
Configuration procedure ······································································································································ 33
Configuring traffic policing, GTS, and rate limit ·····································································································35
Overview········································································································································································· 35
Traffic evaluation and token buckets··················································································································· 35
Traffic policing······················································································································································· 36
GTS ········································································································································································· 37
Rate limit································································································································································· 37
Configuring traffic policing··········································································································································· 38
Configuring traffic policing by using the MQC approach ··············································································· 38
Configuring traffic policing by using the non-MQC approach ········································································ 39
Configuring GTS ···························································································································································· 40
Configuring GTS by using the MQC approach································································································· 40
Configuring GTS by using the non-MQC approach ························································································· 41
Configuring the rate limit ·············································································································································· 42
Displaying and maintaining traffic policing, GTS, and rate limit············································································· 42
Traffic policing and GTS configuration example········································································································ 43
Network requirements··········································································································································· 43
Configuration procedure ······································································································································ 43
IP rate limit configuration example······························································································································· 44
Network requirements··········································································································································· 44
Configuration procedure ······································································································································ 45
Configuring congestion management ······················································································································46
Overview········································································································································································· 46
FIFO ········································································································································································ 47
WFQ······································································································································································· 47
CBQ········································································································································································ 48
Congestion management technique comparison······························································································· 49
Configuring the FIFO queue size·································································································································· 50
Displaying and maintaining FIFO ································································································································ 51
Configuring WFQ·························································································································································· 51
Displaying and maintaining WFQ······························································································································· 52
Configuring CBQ ··························································································································································· 52
Predefined classes, traffic behaviors, and policies···························································································· 52
Defining a class ····················································································································································· 53
Defining a traffic behavior ··································································································································· 53
2
Defining a QoS policy·········································································································································· 56
Applying the QoS policy······································································································································ 56
Configuring the maximum available interface bandwidth ··············································································· 57
Setting the maximum reserved bandwidth as a percentage of available bandwidth ··································· 58
Displaying and maintaining CBQ ······················································································································· 58
CBQ configuration example ································································································································ 59
Configuring packet information pre-extraction ··········································································································· 60
Configuration procedure ······································································································································ 60
Configuration example ········································································································································· 60
Configuring congestion avoidance···························································································································62
Overview········································································································································································· 62
Tail drop································································································································································· 62
RED and WRED ····················································································································································· 62
Relationship between WRED and queuing mechanisms··················································································· 63
WRED configuration approaches························································································································ 63
WRED parameters················································································································································· 63
Configuring WRED on an interface ····························································································································· 64
Configuration procedure ······································································································································ 64
Configuration example ········································································································································· 64
Displaying and maintaining WRED ····························································································································· 65
Configuring traffic filtering ········································································································································66
Configuration procedure··············································································································································· 66
Configuration example·················································································································································· 67
Network requirements··········································································································································· 67
Configuration procedure ······································································································································ 67
Configuring priority marking·····································································································································68
Configuration procedure··············································································································································· 68
Configuration example·················································································································································· 69
Network requirements··········································································································································· 69
Configuration procedure ······································································································································ 70
Configuring traffic redirecting···································································································································72
Configuration procedure··············································································································································· 72
Configuration example·················································································································································· 73
Network requirements··········································································································································· 73
Configuration procedure ······································································································································ 73
Configuring QPPB······················································································································································75
Overview········································································································································································· 75
QPPB fundamentals························································································································································ 75
QPPB configuration task list ·········································································································································· 76
Configuring the route sender ········································································································································ 76
Configuring basic BGP functions························································································································· 76
Creating a routing policy ····································································································································· 76
Configuring the route receiver······································································································································ 76
Configuring basic BGP functions························································································································· 76
Configuring a routing policy································································································································ 76
Enabling QPPB on the route receiving interface································································································ 77
Configuring a QoS policy ···································································································································· 77
Applying the QoS policy to an interface············································································································ 77
QPPB configuration examples ······································································································································ 77
QPPB configuration example in an IPv4 network ······························································································ 77
QPPB configuration example in an MPLS L3VPN······························································································ 80
QPPB configuration example in an IPv6 network ······························································································ 88
3
4
Appendixes·································································································································································92
Appendix A Acronym···················································································································································· 92
Appendix B Default uncolored priority maps·············································································································· 93
Appendix C Introduction to packet precedences ······································································································· 94
IP precedence and DSCP values·························································································································· 94
802.1p priority······················································································································································ 95
Configuring MPLS QoS ·············································································································································97
Overview········································································································································································· 97
Configuration prerequisites··········································································································································· 97
Configuring MPLS CAR ················································································································································· 97
Configuring MPLS priority marking······························································································································ 98
Configuring time ranges········································································································································· 100
Configuration procedure·············································································································································100
Displaying and maintaining time ranges···················································································································100
Time range configuration example ····························································································································100
Support and other resources ·································································································································· 102
Contacting HP ······························································································································································102
Subscription service ············································································································································102
Related information······················································································································································102
Documents····························································································································································102
Websites·······························································································································································102
Conventions ··································································································································································103
Index ········································································································································································ 105
Configuring ACLs
In this chapter, "MSR1000" refers to MSR1002-4. "MSR2000" refers to MSR2003, MSR2004-24,
MSR2004-48. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064.
"MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an
example. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic.
The packet drop or forwarding decisions varies with the modules that use ACLs.
ACL categories
Cate
g
or
y
ACL number IP version
Match criteria
Basic ACLs 2000 to 2999 IPv4 Source IPv4 address.
IPv6 Source IPv6 address.
Advanced ACLs 3000 to 3999
IPv4
Source IPv4 address, destination IPv4 address,
packet priority, protocol number, and other
Layer 3 and Layer 4 header fields.
IPv6
Source IPv6 address, destination IPv6 address,
packet priority, protocol number, and other
Layer 3 and Layer 4 header fields.
Ethernet frame
header ACLs 4000 to 4999 N/A
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority,
and link layer protocol type.
Numbering and naming ACLs
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with
a name, you cannot rename it or delete its name.
For an IPv4 basic or advanced ACLs, its ACL number and name must be unique in IPv4. For an IPv6 basic
or advanced ACL, its ACL number and name must be unique in IPv6.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
5
The following ACL match orders are available:
•config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this method, check the rules and their order carefully.
•auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is
always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering
uses to sort rules for each type of ACL.
Table 1 Sort ACL rules in depth-first order
ACL cate
g
or
y
Se
q
uence of tie breakers
IPv4 basic ACL
1. VPN instance.
2. More 0s in the source IPv4 address wildcard (more 0s means a
narrower IPv4 address range).
3. Rule configured earlier.
IPv4 advanced ACL
1. VPN instance.
2. Specific protocol number.
3. More 0s in the source IPv4 address wildcard mask.
4. More 0s in the destination IPv4 address wildcard.
5. Narrower TCP/UDP service port number range.
6. Rule configured earlier.
IPv6 basic ACL
1. VPN instance.
2. Longer prefix for the source IPv6 address (a longer prefix means a
narrower IPv6 address range).
3. Rule configured earlier.
IPv6 advanced ACL
1. VPN instance.
2. Specific protocol number.
3. Longer prefix for the source IPv6 address.
4. Longer prefix for the destination IPv6 address.
5. Narrower TCP/UDP service port number range.
6. Rule configured earlier.
Ethernet frame
header ACL
1. More 1s in the source MAC address mask (more 1s means a smaller
MAC address).
2. More 1s in the destination MAC address mask.
3. Rule configured earlier.
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the
1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits
in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s
and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how automatic
ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system automatically numbers rules. For example, the
6
default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can
insert between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched
in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is
numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules
numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,
4, 6, and 8.
Fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first
fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the HP ACL implementation does the follows:
•Filters all fragments by default, including non-first fragments.
•Allows for matching criteria modification, for example, filters non-first fragments only.
Configuration task list
Tasks at a
g
lance
(Required.) Perform at least one of the following tasks:
•Configuring a basic ACL
{Configuring an IPv4 basic ACL
{Configuring an IPv6 basic ACL
•Configuring an advanced ACL
{Configuring an IPv4 advanced ACL
{Configuring an IPv6 advanced ACL
•Configuring an Ethernet frame header ACL
(Optional.) Copying an ACL
(Optional.) Configuring packet filtering with ACLs
Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
7
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
Ste
p
Command Remarks
1. Enter system view. system-view N/A
2. Create an IPv4 basic ACL and
enter its view.
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
By default, no ACL exists.
IPv4 basic ACLs are numbered in
the range of 2000 to 2999.
You can use the acl name acl-name
command to enter the view of a
named ACL.
3. (Optional.) Configure a
description for the IPv4 basic
ACL.
description text By default, an IPv4 basic ACL has
no ACL description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
[ counting | fragment |logging |
source { source-address
source-wildcard | any } |
time-range time-range-name |
vpn-instance vpn-instance-name ] *
By default, an IPv4 basic ACL does
not contain any rule.
The logging keyword takes effect
only when the module (for
example, packet filtering) that uses
the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comments are
configured.
Configuring an IPv6 basic ACL
IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:
Ste
p
Command Remarks
1. Enter system view. system-view N/A
2. Create an IPv6 basic ACL
view and enter its view.
acl ipv6 number acl-number
[ name acl-name ] [ match-order
{ auto | config } ]
By default, no ACL exists.
IPv6 basic ACLs are numbered in
the range of 2000 to 2999.
You can use the acl ipv6 name
acl-name command to enter the
view of a named ACL.
3. (Optional.) Configure a
description for the IPv6 basic
ACL.
description text By default, an IPv6 basic ACL has
no ACL description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
8
Ste
p
Command Remarks
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
[ counting | fragment |logging |
routing [ type routing-type ] |
source { source-address
source-prefix |
source-address/source-prefix |
any } | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
By default, an IPv6 basic ACL does
not contain any rule.
The logging keyword takes effect
only when the module (for
example, packet filtering) that uses
the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comments are
configured.
Configuring an advanced ACL
This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on the following criteria:
•Source IP addresses.
•Destination IP addresses.
•Packet priorities.
•Protocol numbers.
•Other protocol header information, such as TCP/UDP source and destination port numbers, TCP
flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
Ste
p
Command Remarks
1. Enter system view. system-view N/A
2. Create an IPv4 advanced ACL
and enter its view.
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
By default, no ACL exists.
IPv4 advanced ACLs are
numbered in the range of 3000 to
3999.
You can use the acl name acl-name
command to enter the view of a
named ACL.
3. (Optional.) Configure a
description for the IPv4
advanced ACL.
description text By default, an IPv4 advanced ACL
has no ACL description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
9
Ste
p
Command Remarks
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst
rst-value | syn syn-value | urg
urg-value } * | established } |
counting | destination
{ dest-address dest-wildcard |
any } | destination-port operator
port1 [ port2 ] | { dscp dscp |
{ precedence precedence | tos tos }
* } | fragment | icmp-type
{ icmp-type [ icmp-code ] |
icmp-message } | logging | source
{ source-address source-wildcard |
any } | source-port operator port1
[ port2 ] | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
By default, an IPv4 advanced ACL
does not contain any rule.
The logging keyword takes effect
only when the module (for
example, packet filtering) that uses
the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comments are
configured.
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the following criteria:
•Source IPv6 addresses.
•Destination IPv6 addresses.
•Packet priorities.
•Protocol numbers.
•Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port
number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:
Ste
p
Command Remarks
1. Enter system view. system-view N/A
2. Create an IPv6 advanced ACL
and enter its view.
acl ipv6 number acl-number
[ name acl-name ] [ match-order
{ auto | config } ]
By default, no ACL exists.
IPv6 advanced ACLs are
numbered in the range of 3000 to
3999.
You can use the acl ipv6 name
acl-name command to enter the
view of a named ACL.
3. (Optional.) Configure a
description for the IPv6
advanced ACL.
description text By default, an IPv6 advanced ACL
has no ACL description.
10
Ste
p
Command Remarks
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit }
protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst
rst-value | syn syn-value | urg
urg-value } * | established } |
counting | destination
{ dest-address dest-prefix |
dest-address/dest-prefix |any } |
destination-port operator port1
[port2 ] | dscp dscp |flow-label
flow-label-value | fragment |
icmp6-type { icmp6-type
icmp6-code | icmp6-message } |
logging | routing [ type
routing-type ] | hop-by-hop [ type
hop-type ] | source
{ source-address source-prefix |
source-address/source-prefix |
any } | source-port operator port1
[port2 ] | time-range
time-range-name | vpn-instance
vpn-instance-name ] *
By default, IPv6 advanced ACL
does not contain any rule.
The logging keyword takes effect
only when the module (for
example, packet filtering) that uses
the ACL supports logging.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comments are
configured.
Configuring an Ethernet frame header ACL
Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol
header fields, such as:
•Source MAC address.
•Destination MAC address.
•802.1p priority (VLAN priority).
•Link layer protocol type.
To configure an Ethernet frame header ACL:
Ste
p
Command Remarks
1. Enter system view. system-view N/A
2. Create an Ethernet frame
header ACL and enter its
view.
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
By default, no ACL exists.
Ethernet frame header ACLs are
numbered in the range of 4000 to
4999.
You can use the acl name acl-name
command to enter the view of a
named ACL.
11
Ste
p
Command Remarks
3. (Optional.) Configure a
description for the Ethernet
frame header ACL.
description text
By default, an Ethernet frame
header ACL has no ACL
description.
4. (Optional.) Set the rule
numbering step. step step-value The default setting is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit } [ cos
vlan-pri | counting | dest-mac
dest-address dest-mask | { lsap
lsap-type lsap-type-mask | type
protocol-type protocol-type-mask }
| source-mac source-address
source-mask | time-range
time-range-name ] *
By default,an Ethernet frame
header ACL does not contain any
rule.
6. (Optional.) Add or edit a rule
comment. rule rule-id comment text By default, no rule comments are
configured.
Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the
same properties and content as the source ACL, but not the same ACL number and name.
To successfully copy an ACL, make sure:
•The destination ACL number is from the same category as the source ACL number.
•The source ACL already exists, but the destination ACL does not.
To copy an ACL:
Ste
p
Command
1. Enter system view. system-view
2. Copy an existing ACL to create a new ACL.
acl [ ipv6 ] copy { source-acl-number | name
source-acl-name } to { dest-acl-number | name
dest-acl-name }
Configuring packet filtering with ACLs
This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6 packets
on the specified interface.
Applying an ACL to an interface for packet filtering
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type
interface-number
N/A
12
Ste
p
Command
Remarks
3. Apply an ACL to the interface
to filter packets.
packet-filter [ ipv6 ] { acl-number |
name acl-name } { inbound |
outbound }
By default, an interface does not
filter packets.
You can apply up to 32 ACLs to the
same direction of an interface.
Applying an ACL to an interzone instance for packet filtering
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Enter interzone view.
interzone source
source-zone-name destination
destination-zone-name
N/A
3. Apply an ACL to the interzone
instance to filter packets.
packet-filter [ ipv6 ] { acl-number |
name acl-name }
By default, an interzone does not
filter packets.
You can apply up to 32 ACLs to the
same interzone instance.
Setting the interval for generating and outputting packet
filtering logs
After you set the interval, the device periodically generates and outputs the packet filtering logs to the
information center, including the number of matching packets and the matched ACL rules. For more
information about information center, see Network Management and Monitoring Configuration Guide.
To set the interval for generating and outputting packet filtering logs:
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Set the interval for generating
and outputting packet filtering
logs.
acl [ ipv6 ] logging interval interval
The default setting is 0 minutes,
which mean that no packet filtering
logs are generated.
Setting the packet filtering default action
Ste
p
Command
Remarks
1. Enter system view. system-view N/A
2. Set the packet filtering default
action to deny. packet-filter default deny
By default, the packet filter permits
packets that do not match any ACL
rule to pass.
13
Displaying and maintaining ACLs
Execute display commands in any view and reset commands in user view.
Task Command
Display ACL configuration and match statistics. display acl [ ipv6 ] { acl-number | all | name
acl-name }
Display ACL application information for packet
filtering (MSR1000/MSR2000/MSR3000).
display packet-filter { interface [ interface-type
interface-number ] [ inbound | outbound ] | interzone
[ source source-zone-name destination
destination-zone-name ] }
Display ACL application information for packet
filtering (MSR4000).
display packet-filter { interface [ interface-type
interface-number ] [ inbound | outbound ] | interzone
[ source source-zone-name destination
destination-zone-name ] [ slot slot-number ] }
Display match statistics and default action statistics for
packet filtering ACLs.
display packet-filter statistics { interface interface-type
interface-number { inbound | outbound } [ default |
[ ipv6 ] { acl-number | name acl-name } ] | interzone
source source-zone-name destination
destination-zone-name [ [ ipv6 ] { acl-number | name
acl-name } ] } [ brief ]
Display the accumulated statistics for packet filtering
ACLs.
display packet-filter statistics sum { inbound |
outbound } [ ipv6 ] { acl-number | name acl-name }
[ brief ]
Display detailed ACL packet filtering information
(MSR1000/MSR2000/MSR3000).
display packet-filter verbose { interface interface-type
interface-number { inbound | outbound } | interzone
source source-zone-name destination
destination-zone-name } [ [ ipv6 ] { acl-number | name
acl-name } ]
Display detailed ACL packet filtering information
(MSR4000).
display packet-filter verbose { interface interface-type
interface-number { inbound | outbound } | interzone
source source-zone-name destination
destination-zone-name } [ [ ipv6 ] { acl-number | name
acl-name } ] [ slot slot-number ]
Clear ACL statistics. reset acl [ ipv6 ] counter { acl-number | all | name
acl-name }
Clear match statistics (including the accumulated
statistics) and default action statistics for packet
filtering ACLs.
reset packet-filter statistics { interface [ interface-type
interface-number ] { inbound | outbound } [ default |
[ ipv6 ] { acl-number | name acl-name } ] | interzone
[ source source-zone-name destination
destination-zone-name ] [ ipv6 ] { acl-number | name
acl-name } ] }
14
ACL configuration example
Network requirements
A company interconnects its departments through Router A. Configure an ACL to:
•Permit access from the President's office at any time to the financial database server.
•Permit access from the Financial department to the database server only during working hours (from
8:00 to 18:00) on working days.
•Deny access from any other department to the database server.
Figure 1 Network diagram
Configuration procedure
# Create a periodic time range from 8:00 to 18:00 on working days.
<RouterA> system-view
[RouterA] time-range work 08:0 to 18:00 working-day
# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits
access from the President's office to the financial database server, one rule permits access from the
Financial department to the database server during working hours, and one rule denies access from any
other department to the database server.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination
192.168.0.100 0
[RouterA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination
192.168.0.100 0 time-range work
[RouterA-acl-adv-3000] rule deny ip source any destination 192.168.0.100 0
[RouterA-acl-adv-3000] quit
# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 2/1/0.
[RouterA] interface gigabitethernet 2/1/0
[RouterA-GigabitEthernet2/1/0] packet-filter 3000 outbound
15
16
[RouterA-GigabitEthernet2/1/0] quit
Verifying the configuration
# Ping the database server from a PC in the Financial department during the working hours. (All PCs in
this example use Windows XP).
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
The output shows that the database server can be pinged.
# Ping the database server from a PC in the Marketing department during the working hours.
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows the database server cannot be pinged.
# Display configuration and match statistics for IPv4 advanced ACL 3000 on Device A during the
working hours.
[RouterA] display acl 3000
Advanced ACL 3000, named -none-, 3 rules,
ACL's step is 5
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
(4 times matched) (Active)
rule 10 deny ip destination 192.168.0.100 0 (4 times matched)
The output shows that rule 5 is active. Rule 5 and rule 10 have been matched four times as the result of
the ping operations.
QoS overview
In data communications, Quality of Service (QoS) provides differentiated service guarantees for
diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS.
QoS manages network resources and prioritizes traffic to balance system resources.
The following section describes typical QoS service models and widely used QoS techniques.
QoS service models
This section describes several typical QoS service models.
Best-effort service model
The best-effort model is a single-service model. The best-effort model is not as reliable as other models
and does not guarantee delay-free delivery.
The best-effort service model is the default model for the Internet and applies to most network
applications. It uses the First In First Out (FIFO) queuing mechanism.
IntServ model
The integrated service (IntServ) model is a multiple-service model that can accommodate diverse QoS
requirements. This service model provides the most granularly differentiated QoS by identifying and
guaranteeing definite QoS for each data flow.
In the IntServ model, an application must request service from the network before it sends data. IntServ
signals the service request with the RSVP. All nodes receiving the request reserve resources as requested
and maintain state information for the application flow. For more information about RSVP, see MPLS
Configuration Guide.
The IntServ model demands high storage and processing capabilities because it requires all nodes along
the transmission path to maintain resource state information for each flow. This model is suitable for
small-sized or edge networks, but not large-sized networks, for example, the core layer of the Internet,
where billions of flows are present.
DiffServ model
The differentiated service (DiffServ) model is a multiple-service model that can meet diverse QoS
requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve
resources before sending data, as IntServ does.
QoS techniques overview
The QoS techniques include the following functions:
17
•Traffic classification.
•Traffic policing.
•Traffic shaping.
•Rate limit.
•Congestion management.
•Congestion avoidance.
The following section briefly introduces these QoS techniques.
All QoS techniques in this document are based on the DiffServ model.
Deploying QoS in a network
Figure 2 Position of the QoS techniques in a network
As shown in Figure 2, traffic classification, traffic shaping, traffic policing, congestion management, and
congestion avoidance mainly implement the following functions:
•Traffic classification—Uses match criteria to assign packets with the same characteristics to a traffic
class. Based on traffic classes, you can provide differentiated services.
•Traffic policing—Polices flows and imposes penalties to prevent aggressive use of network resources.
You can apply traffic policing to both incoming and outgoing traffic of a port.
•Traffic shaping—Adapts the output rate of traffic to the network resources available on the
downstream device to eliminate packet drops. Traffic shaping usually applies to the outgoing traffic
of a port.
•Congestion management—Provides a resource scheduling policy to determine the packet
forwarding sequence when congestion occurs. Congestion management usually applies to the
outgoing traffic of a port.
•Congestion avoidance—Monitors the network resource usage. It is usually applied to the outgoing
traffic of a port. When congestion worsens, congestion avoidance reduces the queue length by
dropping packets.
18
This manual suits for next models
13
Table of contents
Other HP Network Router manuals
HP
HP Wireless TV Connect Specification sheet
HP
HP FlexNetwork MSR Series User manual
HP
HP StorageWorks MPX200 Instruction Manual
HP
HP StorageWorks Edge Switch 2/12 User manual
HP
HP SCSI-Fibre Channel Router User manual
HP
HP 6400cl User manual
HP
HP MSR2000 Series User manual
HP
HP FlexNetwork HSR6802 User manual
HP
HP J4897A User manual
HP
HP A-MSR900 Series User manual
