Hp 6125xlg User manual

HP 6125XLG Blade Switch

A

CL and QoS

Configuration Guide

Part number: 5998-3722

Software version: Release 2306

Document version: 6W100-20130912

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or

use of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained

herein.

i

Contents

Configuring ACLs························································································································································· 1

Overview············································································································································································1

Applications on the switch ······································································································································1

ACL categories ·························································································································································1

Numbering and naming ACLs ································································································································1

Match order ······························································································································································2

Rule numbering·························································································································································3

Fragments filtering with ACLs··································································································································3

Configuration task list ·······················································································································································3

Configuring a basic ACL··················································································································································4

Configuring an IPv4 basic ACL ······························································································································4

Configuring an IPv6 basic ACL ······························································································································4

Configuring an advanced ACL········································································································································5

Configuring an IPv4 advanced ACL·······················································································································5

Configuring an IPv6 advanced ACL·······················································································································6

Configuring an Ethernet frame header ACL···················································································································8

Copying an ACL ·······························································································································································9

Configuring packet filtering with ACLs ························································································································ 10

Applying an ACL to an interface for packet filtering························································································· 10

Setting the interval for generating and outputting packet filtering logs··························································· 10

Setting the packet filtering default action ··········································································································· 10

Displaying and maintaining ACLs································································································································ 10

ACL configuration example ·········································································································································· 11

Network requirements··········································································································································· 11

Configuration procedure ······································································································································ 12

Verifying the configuration··································································································································· 12

QoS overview·····························································································································································14

QoS service models ······················································································································································· 14

Best-effort service model ······································································································································· 14

IntServ model ························································································································································· 14

DiffServ model ······················································································································································· 14

QoS techniques overview ············································································································································· 15

Deploying QoS in a network ······························································································································· 15

Configuring a QoS policy·········································································································································16

Non-MQC approach ····················································································································································· 16

MQC approach ····························································································································································· 16

Configuration procedure diagram ······························································································································· 16

Defining a traffic class··················································································································································· 17

Configuration guidelines ······································································································································ 17

Configuration procedure ······································································································································ 17

Defining a traffic behavior ············································································································································ 19

Defining a QoS policy··················································································································································· 19

Applying the QoS policy··············································································································································· 20

Applying the QoS policy to an interface············································································································ 20

Applying the QoS policy to a VLAN··················································································································· 21

Applying the QoS policy globally······················································································································· 21

Applying the QoS policy to the control plane···································································································· 21

Displaying and maintaining QoS policies ·················································································································· 22

ii

Configuring priority mapping ···································································································································24

Overview········································································································································································· 24

Introduction to priorities········································································································································ 24

Priority maps ·························································································································································· 24

Priority trust mode on a port································································································································· 25

Priority mapping process······································································································································ 26

Priority mapping configuration tasks ··························································································································· 27

Configuring a priority map ··········································································································································· 28

Configuring a port to trust packet priority for priority mapping ··············································································· 28

Changing the port priority of an interface ·················································································································· 29

Displaying and maintaining priority mapping············································································································ 29

Port priority configuration example······························································································································ 30

Network requirements··········································································································································· 30

Configuration procedure ······································································································································ 30

Priority mapping table and priority marking configuration example ······································································· 30

Network requirements··········································································································································· 30

Configuration procedure ······································································································································ 32

Configuring traffic policing, GTS, and rate limit ·····································································································34

Overview········································································································································································· 34

Traffic evaluation and token buckets··················································································································· 34

Traffic policing······················································································································································· 35

GTS ········································································································································································· 36

Rate limit································································································································································· 37

Configuring traffic policing··········································································································································· 37

Configuring GTS ···························································································································································· 38

Configuring the rate limit ·············································································································································· 39

Displaying and maintaining traffic policing, GTS, and rate limit············································································· 39

Traffic policing and traffic shaping configuration example ······················································································ 39

Network requirements··········································································································································· 39

Configuration procedures····································································································································· 40

Configuring congestion management ······················································································································43

Overview········································································································································································· 43

Impacts and countermeasures······························································································································ 43

Congestion management techniques ·················································································································· 43

Configuration approaches and task list······················································································································· 46

Configuring SP queuing ················································································································································ 46

Configuration procedure ······································································································································ 46

Configuration example ········································································································································· 46

Configuring WRR queuing············································································································································ 46

Configuration procedure ······································································································································ 46

Configuration example ········································································································································· 47

Configuring WFQ queuing··········································································································································· 47

Configuration procedure ······································································································································ 47

Configuration example ········································································································································· 48

Configuring SP+WRR queuing ····································································································································· 49

Configuration procedure ······································································································································ 49

Configuration example ········································································································································· 49

Configuring SP+WFQ queuing ···································································································································· 50

Configuration procedure ······································································································································ 50

Configuration example ········································································································································· 50

Displaying and maintaining congestion management······························································································· 51

Configuring congestion avoidance···························································································································52

Overview········································································································································································· 52

iii

Tail drop································································································································································· 52

RED and WRED ····················································································································································· 52

ECN ········································································································································································ 53

Configuring and applying a WRED table··················································································································· 53

Displaying and maintaining WRED ····························································································································· 54

WRED configuration example ······································································································································ 55

Network requirements··········································································································································· 55

Configuration procedure ······································································································································ 55

Configuring traffic filtering ········································································································································57

Configuration procedure··············································································································································· 57

Configuration example·················································································································································· 58

Network requirements··········································································································································· 58

Configuration procedure ······································································································································ 58

Configuring priority marking·····································································································································59

Overview········································································································································································· 59

Color-based priority marking········································································································································ 59

Packet coloring methods······································································································································· 59

Configuring color-based priority marking ·········································································································· 60

Configuration procedure··············································································································································· 60

Configuration examples ················································································································································ 62

Remarking local precedence configuration example ························································································ 62

Remarking local QoS ID configuration example ······························································································· 64

Configuring nesting····················································································································································67

Configuration procedure··············································································································································· 67

Nesting configuration example ···································································································································· 68

Network requirements··········································································································································· 68

Configuration procedure ······································································································································ 68

Configuring traffic redirecting···································································································································70

Configuration procedure··············································································································································· 70

Configuration example·················································································································································· 71

Network requirements··········································································································································· 71

Configuration procedure ······································································································································ 72

Configuring aggregate CAR ·····································································································································74

Configuration procedure··············································································································································· 74

Displaying and maintaining aggregate CAR·············································································································· 74

Configuration example·················································································································································· 74

Network requirements··········································································································································· 74

Configuration procedure ······································································································································ 75

Configuring class-based accounting·························································································································77

Configuration procedure··············································································································································· 77

Configuration example·················································································································································· 78

Network requirements··········································································································································· 78

Configuration procedure ······································································································································ 78

Configuring data buffers ···········································································································································80

Configuration task list ···················································································································································· 81

Enabling the Burst function············································································································································ 81

Configuring data buffers manually ······························································································································ 82

Configuring the total shared-area ratio··············································································································· 82

Setting the maximum shared-area ratio for a queue ························································································· 82

Setting the fixed-area ratio for a queue ·············································································································· 83

iv

Applying data buffer configuration····················································································································· 83

Displaying and maintaining data buffers ···················································································································· 84

Configuring time ranges············································································································································85

Configuration procedure··············································································································································· 85

Displaying and maintaining time ranges····················································································································· 85

Time range configuration example ······························································································································ 85

Appendix ····································································································································································87

Appendix A Default priority maps ······························································································································· 87

Appendix B Introduction to packet precedences········································································································ 88

IP precedence and DSCP values·························································································································· 88

802.1p priority······················································································································································ 89

Support and other resources ·····································································································································91

Contacting HP ································································································································································ 91

Subscription service ·············································································································································· 91

Related information························································································································································ 91

Documents······························································································································································ 91

Websites································································································································································· 91

Conventions ···································································································································································· 92

Index ···········································································································································································94

1

Configuring ACLs

Overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on

criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an

example. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic.

The packet drop or forwarding decisions varies with the modules that use ACLs.

Applications on the switch

An ACL is implemented in hardware or software, depending on the module that uses it. If the module is

implemented in hardware (for example, the packet filter or QoS module), the ACL is applied to hardware

to process traffic. If the module is implemented in software (for example, the routing module or the user

interface access control module such as Telnet or SNMP), the ACL is applied to software to process

traffic.

The user interface access control module denies packets that do not match any ACL. Some modules (QoS

for example) ignore the permit or deny action in ACL rules and do not base their drop or forwarding

decisions on the action set in ACL rules. See the specified module for information about ACL application.

ACL categories

Cate

g

or

y

ACL number IP version

Match criteria

Basic ACLs 2000 to 2999 IPv4 Source IPv4 address.

IPv6 Source IPv6 address.

Advanced ACLs 3000 to 3999

IPv4

Source IPv4 address, destination IPv4 address,

packet priority, protocols over IPv4, and other

Layer 3 and Layer 4 header fields.

IPv6

Source IPv6 address, destination IPv6 address,

packet priority, protocols over IPv6, and other

Layer 3 and Layer 4 header fields.

Ethernet frame

header ACLs 4000 to 4999 N/A

Layer 2 header fields, such as source and

destination MAC addresses, 802.1p priority,

and link layer protocol type.

Numbering and naming ACLs

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a

number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with

a name, you cannot rename it or delete its name.

2

For an IPv4 basic or advanced ACLs, its ACL number and name must be unique in IPv4. For an IPv6 basic

or advanced ACL, its ACL number and name must be unique in IPv6.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the

match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting

rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

•config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a

rule with a higher ID. If you use this approach, carefully check the rules and their order.

•auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is

always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering

uses to sort rules for each type of ACL.

Table 1 Sort ACL rules in depth-first order

ACL cate

g

or

y

Se

q

uence of tie breakers

IPv4 basic ACL

1. VPN instance.

2. More 0s in the source IP address wildcard (more 0s means a narrower

IP address range).

3. Rule configured earlier.

IPv4 advanced ACL

1. VPN instance.

2. Specific protocol type rather than IP (IP represents any protocol over IP).

3. More 0s in the source IP address wildcard mask.

4. More 0s in the destination IP address wildcard.

5. Narrower TCP/UDP service port number range.

6. Rule configured earlier.

IPv6 basic ACL

1. VPN instance.

2. Longer prefix for the source IP address (a longer prefix means a

narrower IP address range).

3. Rule configured earlier.

IPv6 advanced ACL

1. VPN instance.

2. Specific protocol type rather than IP (IP represents any protocol over

IPv6).

3. Longer prefix for the source IPv6 address.

4. Longer prefix for the destination IPv6 address.

5. Narrower TCP/UDP service port number range.

6. Rule configured earlier.

Ethernet frame header ACL

1. More 1s in the source MAC address mask (more 1s means a smaller

MAC address).

2. More 1s in the destination MAC address mask.

3. Rule configured earlier.

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal

notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the

1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits

in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s

and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

3

Rule numbering

ACL rules can be manually numbered or automatically numbered. This section describes how automatic

ACL rule numbering works.

Rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The

rule numbering step sets the increment by which the system automatically numbers rules. For example, the

default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are

automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can

insert between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of

inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched

in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to

the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,

and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is

numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules

numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,

4, 6, and 8.

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first

fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoid the risks, the HP ACL implementation does the follows:

•Filters all fragments by default, including non-first fragments.

•Allows for matching criteria modification, for example, filters non-first fragments only.

Configuration task list

Tasks at a

g

lance

(Required.) Perform at least one of the following tasks:

•Configuring a basic ACL

{Configuring an IPv4 basic ACL

{Configuring an IPv6 basic ACL

•Configuring an advanced ACL

{Configuring an IPv4 advanced ACL

{Configuring an IPv6 advanced ACL

•Configuring an Ethernet frame header ACL

(Optional.) Copying an ACL

4

Tasks at a

g

lance

(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL

This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

Ste

p

Command Remarks

1. Enter system view. system-view N/A

2. Create an IPv4 basic ACL and

enter its view.

acl number acl-number [ name

acl-name ] [ match-order { auto |

config } ]

By default, no ACL exists.

IPv4 basic ACLs are numbered in

the range of 2000 to 2999.

You can use the acl name acl-name

command to enter the view of a

named ACL.

3. (Optional.) Configure a

description for the IPv4 basic

ACL.

description text By default, an IPv4 basic ACL has

no ACL description.

4. (Optional.) Set the rule

numbering step. step step-value The default setting is 5.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit }

[ counting | fragment |logging |

source {source-address

source-wildcard | any } |

time-range time-range-name |

vpn-instance vpn-instance-name ] *

By default, an IPv4 basic ACL does

not contain any rule.

The logging keyword takes effect

only when the module (for

example, packet filtering) that uses

the ACL supports logging.

If an IPv4 basic ACL is for QoS

traffic classification or packet

filtering, do not specify the

vpn-instance keyword.

6. (Optional.) Add or edit a rule

comment. rule rule-id comment text By default, no rule comments are

configured.

Configuring an IPv6 basic ACL

IPv6 basic ACLs match packets based only on source IP addresses.

To configure an IPv6 basic ACL:

HP 6125XLG User manual

Popular Switch manuals by other brands