Hp 6125xlg User manual

HP 6125XLG Blade Switch

A

CL and QoS

Configuration Guide

Part number: 5998-3722

Software version: Release 2306

Document version: 6W100-20130912

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or

use of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained

herein.

i

Contents

Configuring ACLs························································································································································· 1

Overview············································································································································································1

Applications on the switch ······································································································································1

ACL categories ·························································································································································1

Numbering and naming ACLs ································································································································1

Match order ······························································································································································2

Rule numbering·························································································································································3

Fragments filtering with ACLs··································································································································3

Configuration task list ·······················································································································································3

Configuring a basic ACL··················································································································································4

Configuring an IPv4 basic ACL ······························································································································4

Configuring an IPv6 basic ACL ······························································································································4

Configuring an advanced ACL········································································································································5

Configuring an IPv4 advanced ACL·······················································································································5

Configuring an IPv6 advanced ACL·······················································································································6

Configuring an Ethernet frame header ACL···················································································································8

Copying an ACL ·······························································································································································9

Configuring packet filtering with ACLs ························································································································ 10

Applying an ACL to an interface for packet filtering························································································· 10

Setting the interval for generating and outputting packet filtering logs··························································· 10

Setting the packet filtering default action ··········································································································· 10

Displaying and maintaining ACLs································································································································ 10

ACL configuration example ·········································································································································· 11

Network requirements··········································································································································· 11

Configuration procedure ······································································································································ 12

Verifying the configuration··································································································································· 12

QoS overview·····························································································································································14

QoS service models ······················································································································································· 14

Best-effort service model ······································································································································· 14

IntServ model ························································································································································· 14

DiffServ model ······················································································································································· 14

QoS techniques overview ············································································································································· 15

Deploying QoS in a network ······························································································································· 15

Configuring a QoS policy·········································································································································16

Non-MQC approach ····················································································································································· 16

MQC approach ····························································································································································· 16

Configuration procedure diagram ······························································································································· 16

Defining a traffic class··················································································································································· 17

Configuration guidelines ······································································································································ 17

Configuration procedure ······································································································································ 17

Defining a traffic behavior ············································································································································ 19

Defining a QoS policy··················································································································································· 19

Applying the QoS policy··············································································································································· 20

Applying the QoS policy to an interface············································································································ 20

Applying the QoS policy to a VLAN··················································································································· 21

Applying the QoS policy globally······················································································································· 21

Applying the QoS policy to the control plane···································································································· 21

Displaying and maintaining QoS policies ·················································································································· 22

ii

Configuring priority mapping ···································································································································24

Overview········································································································································································· 24

Introduction to priorities········································································································································ 24

Priority maps ·························································································································································· 24

Priority trust mode on a port································································································································· 25

Priority mapping process······································································································································ 26

Priority mapping configuration tasks ··························································································································· 27

Configuring a priority map ··········································································································································· 28

Configuring a port to trust packet priority for priority mapping ··············································································· 28

Changing the port priority of an interface ·················································································································· 29

Displaying and maintaining priority mapping············································································································ 29

Port priority configuration example······························································································································ 30

Network requirements··········································································································································· 30

Configuration procedure ······································································································································ 30

Priority mapping table and priority marking configuration example ······································································· 30

Network requirements··········································································································································· 30

Configuration procedure ······································································································································ 32

Configuring traffic policing, GTS, and rate limit ·····································································································34

Overview········································································································································································· 34

Traffic evaluation and token buckets··················································································································· 34

Traffic policing······················································································································································· 35

GTS ········································································································································································· 36

Rate limit································································································································································· 37

Configuring traffic policing··········································································································································· 37

Configuring GTS ···························································································································································· 38

Configuring the rate limit ·············································································································································· 39

Displaying and maintaining traffic policing, GTS, and rate limit············································································· 39

Traffic policing and traffic shaping configuration example ······················································································ 39

Network requirements··········································································································································· 39

Configuration procedures····································································································································· 40

Configuring congestion management ······················································································································43

Overview········································································································································································· 43

Impacts and countermeasures······························································································································ 43

Congestion management techniques ·················································································································· 43

Configuration approaches and task list······················································································································· 46

Configuring SP queuing ················································································································································ 46

Configuration procedure ······································································································································ 46

Configuration example ········································································································································· 46

Configuring WRR queuing············································································································································ 46

Configuration procedure ······································································································································ 46

Configuration example ········································································································································· 47

Configuring WFQ queuing··········································································································································· 47

Configuration procedure ······································································································································ 47

Configuration example ········································································································································· 48

Configuring SP+WRR queuing ····································································································································· 49

Configuration procedure ······································································································································ 49

Configuration example ········································································································································· 49

Configuring SP+WFQ queuing ···································································································································· 50

Configuration procedure ······································································································································ 50

Configuration example ········································································································································· 50

Displaying and maintaining congestion management······························································································· 51

Configuring congestion avoidance···························································································································52

Overview········································································································································································· 52

iii

Tail drop································································································································································· 52

RED and WRED ····················································································································································· 52

ECN ········································································································································································ 53

Configuring and applying a WRED table··················································································································· 53

Displaying and maintaining WRED ····························································································································· 54

WRED configuration example ······································································································································ 55

Network requirements··········································································································································· 55

Configuration procedure ······································································································································ 55

Configuring traffic filtering ········································································································································57

Configuration procedure··············································································································································· 57

Configuration example·················································································································································· 58

Network requirements··········································································································································· 58

Configuration procedure ······································································································································ 58

Configuring priority marking·····································································································································59

Overview········································································································································································· 59

Color-based priority marking········································································································································ 59

Packet coloring methods······································································································································· 59

Configuring color-based priority marking ·········································································································· 60

Configuration procedure··············································································································································· 60

Configuration examples ················································································································································ 62

Remarking local precedence configuration example ························································································ 62

Remarking local QoS ID configuration example ······························································································· 64

Configuring nesting····················································································································································67

Configuration procedure··············································································································································· 67

Nesting configuration example ···································································································································· 68

Network requirements··········································································································································· 68

Configuration procedure ······································································································································ 68

Configuring traffic redirecting···································································································································70

Configuration procedure··············································································································································· 70

Configuration example·················································································································································· 71

Network requirements··········································································································································· 71

Configuration procedure ······································································································································ 72

Configuring aggregate CAR ·····································································································································74

Configuration procedure··············································································································································· 74

Displaying and maintaining aggregate CAR·············································································································· 74

Configuration example·················································································································································· 74

Network requirements··········································································································································· 74

Configuration procedure ······································································································································ 75

Configuring class-based accounting·························································································································77

Configuration procedure··············································································································································· 77

Configuration example·················································································································································· 78

Network requirements··········································································································································· 78

Configuration procedure ······································································································································ 78

Configuring data buffers ···········································································································································80

Configuration task list ···················································································································································· 81

Enabling the Burst function············································································································································ 81

Configuring data buffers manually ······························································································································ 82

Configuring the total shared-area ratio··············································································································· 82

Setting the maximum shared-area ratio for a queue ························································································· 82

Setting the fixed-area ratio for a queue ·············································································································· 83

iv

Applying data buffer configuration····················································································································· 83

Displaying and maintaining data buffers ···················································································································· 84

Configuring time ranges············································································································································85

Configuration procedure··············································································································································· 85

Displaying and maintaining time ranges····················································································································· 85

Time range configuration example ······························································································································ 85

Appendix ····································································································································································87

Appendix A Default priority maps ······························································································································· 87

Appendix B Introduction to packet precedences········································································································ 88

IP precedence and DSCP values·························································································································· 88

802.1p priority······················································································································································ 89

Support and other resources ·····································································································································91

Contacting HP ································································································································································ 91

Subscription service ·············································································································································· 91

Related information························································································································································ 91

Documents······························································································································································ 91

Websites································································································································································· 91

Conventions ···································································································································································· 92

Index ···········································································································································································94

1

Configuring ACLs

Overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on

criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an

example. You can use ACLs in QoS, security, routing, and other feature modules for identifying traffic.

The packet drop or forwarding decisions varies with the modules that use ACLs.

Applications on the switch

An ACL is implemented in hardware or software, depending on the module that uses it. If the module is

implemented in hardware (for example, the packet filter or QoS module), the ACL is applied to hardware

to process traffic. If the module is implemented in software (for example, the routing module or the user

interface access control module such as Telnet or SNMP), the ACL is applied to software to process

traffic.

The user interface access control module denies packets that do not match any ACL. Some modules (QoS

for example) ignore the permit or deny action in ACL rules and do not base their drop or forwarding

decisions on the action set in ACL rules. See the specified module for information about ACL application.

ACL categories

Cate

g

or

y

ACL number IP version

Match criteria

Basic ACLs 2000 to 2999 IPv4 Source IPv4 address.

IPv6 Source IPv6 address.

Advanced ACLs 3000 to 3999

IPv4

Source IPv4 address, destination IPv4 address,

packet priority, protocols over IPv4, and other

Layer 3 and Layer 4 header fields.

IPv6

Source IPv6 address, destination IPv6 address,

packet priority, protocols over IPv6, and other

Layer 3 and Layer 4 header fields.

Ethernet frame

header ACLs 4000 to 4999 N/A

Layer 2 header fields, such as source and

destination MAC addresses, 802.1p priority,

and link layer protocol type.

Numbering and naming ACLs

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a

number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with

a name, you cannot rename it or delete its name.

2

For an IPv4 basic or advanced ACLs, its ACL number and name must be unique in IPv4. For an IPv6 basic

or advanced ACL, its ACL number and name must be unique in IPv6.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the

match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting

rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:

•config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a

rule with a higher ID. If you use this approach, carefully check the rules and their order.

•auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is

always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering

uses to sort rules for each type of ACL.

Table 1 Sort ACL rules in depth-first order

ACL cate

g

or

y

Se

q

uence of tie breakers

IPv4 basic ACL

1. VPN instance.

2. More 0s in the source IP address wildcard (more 0s means a narrower

IP address range).

3. Rule configured earlier.

IPv4 advanced ACL

1. VPN instance.

2. Specific protocol type rather than IP (IP represents any protocol over IP).

3. More 0s in the source IP address wildcard mask.

4. More 0s in the destination IP address wildcard.

5. Narrower TCP/UDP service port number range.

6. Rule configured earlier.

IPv6 basic ACL

1. VPN instance.

2. Longer prefix for the source IP address (a longer prefix means a

narrower IP address range).

3. Rule configured earlier.

IPv6 advanced ACL

1. VPN instance.

2. Specific protocol type rather than IP (IP represents any protocol over

IPv6).

3. Longer prefix for the source IPv6 address.

4. Longer prefix for the destination IPv6 address.

5. Narrower TCP/UDP service port number range.

6. Rule configured earlier.

Ethernet frame header ACL

1. More 1s in the source MAC address mask (more 1s means a smaller

MAC address).

2. More 1s in the destination MAC address mask.

3. Rule configured earlier.

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal

notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the

1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do care" bits

in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s

and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

3

Rule numbering

ACL rules can be manually numbered or automatically numbered. This section describes how automatic

ACL rule numbering works.

Rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The

rule numbering step sets the increment by which the system automatically numbers rules. For example, the

default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are

automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can

insert between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of

inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched

in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to

the current highest rule ID, starting with 0.

For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,

and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is

numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules

numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2,

4, 6, and 8.

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first

fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoid the risks, the HP ACL implementation does the follows:

•Filters all fragments by default, including non-first fragments.

•Allows for matching criteria modification, for example, filters non-first fragments only.

Configuration task list

Tasks at a

g

lance

(Required.) Perform at least one of the following tasks:

•Configuring a basic ACL

{Configuring an IPv4 basic ACL

{Configuring an IPv6 basic ACL

•Configuring an advanced ACL

{Configuring an IPv4 advanced ACL

{Configuring an IPv6 advanced ACL

•Configuring an Ethernet frame header ACL

(Optional.) Copying an ACL

4

Tasks at a

g

lance

(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL

This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

Ste

p

Command Remarks

1. Enter system view. system-view N/A

2. Create an IPv4 basic ACL and

enter its view.

acl number acl-number [ name

acl-name ] [ match-order { auto |

config } ]

By default, no ACL exists.

IPv4 basic ACLs are numbered in

the range of 2000 to 2999.

You can use the acl name acl-name

command to enter the view of a

named ACL.

3. (Optional.) Configure a

description for the IPv4 basic

ACL.

description text By default, an IPv4 basic ACL has

no ACL description.

4. (Optional.) Set the rule

numbering step. step step-value The default setting is 5.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit }

[ counting | fragment |logging |

source {source-address

source-wildcard | any } |

time-range time-range-name |

vpn-instance vpn-instance-name ] *

By default, an IPv4 basic ACL does

not contain any rule.

The logging keyword takes effect

only when the module (for

example, packet filtering) that uses

the ACL supports logging.

If an IPv4 basic ACL is for QoS

traffic classification or packet

filtering, do not specify the

vpn-instance keyword.

6. (Optional.) Add or edit a rule

comment. rule rule-id comment text By default, no rule comments are

configured.

Configuring an IPv6 basic ACL

IPv6 basic ACLs match packets based only on source IP addresses.

To configure an IPv6 basic ACL:

5

Ste

p

Command Remarks

1. Enter system view. system-view N/A

2. Create an IPv6 basic ACL

view and enter its view.

acl ipv6 number acl-number

[ name acl-name ] [ match-order

{ auto | config } ]

By default, no ACL exists.

IPv6 basic ACLs are numbered in

the range of 2000 to 2999.

You can use the acl ipv6 name

acl-name command to enter the

view of a named ACL.

3. (Optional.) Configure a

description for the IPv6 basic

ACL.

description text By default, an IPv6 basic ACL has

no ACL description.

4. (Optional.) Set the rule

numbering step. step step-value The default setting is 5.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit }

[ counting | fragment |logging |

routing [ type routing-type ] |

source { source-address

source-prefix |

source-address/source-prefix |

any } | time-range

time-range-name | vpn-instance

vpn-instance-name ] *

By default, an IPv6 basic ACL does

not contain any rule.

The logging keyword takes effect

only when the module (for

example, packet filtering) that uses

the ACL supports logging.

If an IPv6 basic ACL is for QoS

traffic classification or packet

filtering, do not specify the

vpn-instance or fragment

keyword, and do not specify the

routing keyword for outbound

traffic.

6. (Optional.) Add or edit a rule

comment. rule rule-id comment text By default, no rule comments are

configured.

Configuring an advanced ACL

This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet

priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and

destination port numbers, TCP flags, ICMP message types, and ICMP message codes.

Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv4 advanced ACL:

Ste

p

Command Remarks

1. Enter system view. system-view N/A

6

Ste

p

Command Remarks

2. Create an IPv4 advanced ACL

and enter its view.

acl number acl-number [ name

acl-name ] [ match-order { auto |

config } ]

By default, no ACL exists.

IPv4 advanced ACLs are

numbered in the range of 3000 to

3999.

You can use the acl name acl-name

command to enter the view of a

named ACL.

3. (Optional.) Configure a

description for the IPv4

advanced ACL.

description text By default, an IPv4 advanced ACL

has no ACL description.

4. (Optional.) Set the rule

numbering step. step step-value The default setting is 5.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit }

protocol [ { { ack ack-value | fin

fin-value | psh psh-value | rst

rst-value | syn syn-value | urg

urg-value } * | established } |

counting | destination

{ dest-address dest-wildcard |

any } | destination-port operator

port1 [ port2 ] | { dscp dscp |

{ precedence precedence | tos tos }

* } | fragment | icmp-type

{ icmp-type [ icmp-code ] |

icmp-message } | logging | source

{ source-address source-wildcard |

any } | source-port operator port1

[ port2 ] | time-range

time-range-name | vpn-instance

vpn-instance-name ] *

By default, an IPv4 advanced ACL

does not contain any rule.

The logging keyword takes effect

only when the module (for

example, packet filtering) that uses

the ACL supports logging.

If an IPv4 advanced ACL is for QoS

traffic classification or packet

filtering, do not specify the

vpn-instance keyword or specify

neq for the operator argument.

6. (Optional.) Add or edit a rule

comment. rule rule-id comment text By default, no rule comments are

configured.

Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses,

packet priorities, protocols carried over IPv6, and other protocol header fields such as the TCP/UDP

source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message

code.

Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv6 advanced ACL:

Ste

p

Command Remarks

1. Enter system view. system-view N/A

7

Ste

p

Command Remarks

2. Create an IPv6

advanced ACL and

enter its view.

acl ipv6 number acl-number [ name

acl-name ] [ match-order { auto | config } ]

By default, no ACL exists.

IPv6 advanced ACLs are

numbered in the range of 3000 to

3999.

You can use the acl ipv6 name

acl-name command to enter the

view of a named ACL.

3. (Optional.)

Configure a

description for the

IPv6 advanced ACL.

description text By default, an IPv6 advanced ACL

has no ACL description.

4. (Optional.) Set the

rule numbering step. step step-value The default setting is 5.

8

Ste

p

Command Remarks

5. Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol

[ { { ack ack-value | fin fin-value | psh

psh-value | rst rst-value | syn syn-value |

urg urg-value } * | established } | counting

| destination { dest-address dest-prefix |

dest-address/dest-prefix |any } |

destination-port operator port1 [ port2 ] |

dscp dscp |flow-label flow-label-value |

fragment | icmp6-type { icmp6-type

icmp6-code | icmp6-message } | logging |

routing [ type routing-type ] | hop-by-hop

[ type hop-type ] | source { source-address

source-prefix |

source-address/source-prefix | any } |

source-port operator port1 [ port2 ] |

time-range time-range-name | vpn-instance

vpn-instance-name ] *

By default, IPv6 advanced ACL

does not contain any rule.

The logging keyword takes effect

only when the module (for

example, packet filtering) that uses

the ACL supports logging.

If an IPv6 advanced ACL is for QoS

traffic classification:

•Do not specify the vpn-instance

or fragment keyword.

•Do not specify neq for the

operator argument.

•If the ACL is for outbound QoS

traffic classification:

{Do not specify the routing,

hop-by-hop, or flow-label

keyword.

{Do not specify ipv6-ah or

ipv6-esp for the protocol

argument, nor set its value to

0, 43, 44, 51, or 60.

If an IPv6 advanced ACL is for

packet filtering:

•Do not specify the

vpn-instance, routing,

hop-by-hop, fragment, or

flow-label keyword.

•Do not specify ipv6-ah or

ipv6-esp for the protocol

argument, nor set its value to 0,

43, 44, 51, or 60.

•Do not specify neq for the

operator argument.

If an ACL is to match information in

the IPv6 packet payload, it cannot

match the packet with more than

two extension headers or with the

Encapsulating Security Payload

Header.

6. (Optional.) Add or

edit a rule comment. rule rule-id comment text By default, no rule comments are

configured.

Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called "Layer 2 ACLs," match packets based on Layer 2 protocol

header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),

and link layer protocol type.

To configure an Ethernet frame header ACL:

9

Ste

p

Command Remarks

1. Enter system view. system-view N/A

2. Create an Ethernet frame

header ACL and enter its

view.

acl number acl-number [ name

acl-name ] [ match-order { auto |

config } ]

By default, no ACL exists.

Ethernet frame header ACLs are

numbered in the range of 4000 to

4999.

You can use the acl name acl-name

command to enter the view of a

named ACL.

3. (Optional.) Configure a

description for the Ethernet

frame header ACL.

description text

By default, an Ethernet frame

header ACL has no ACL

description.

4. (Optional.) Set the rule

numbering step. step step-value The default setting is 5.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit } [ cos

vlan-pri | counting | dest-mac

dest-address dest-mask | { lsap

lsap-type lsap-type-mask | type

protocol-type protocol-type-mask }

| source-mac source-address

source-mask | time-range

time-range-name ] *

By default,an Ethernet frame

header ACL does not contain any

rule.

If an Ethernet frame header ACL

with the lsap keyword specified is

used for QoS traffic classification

or packet filtering, the lsap-type

argument must be AAAA and the

lsap-type-mask argument must be

FFFF. Otherwise, the ACL cannot

be applied successfully.

6. (Optional.) Add or edit a rule

comment. rule rule-id comment text By default, no rule comments are

configured.

Copying an ACL

You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the

same properties and content as the source ACL, but not the same ACL number and name.

To successfully copy an ACL, make sure:

•The destination ACL number is from the same category as the source ACL number.

•The source ACL already exists, but the destination ACL does not.

To copy an ACL:

Ste

p

Command

1. Enter system view. system-view

2. Copy an existing ACL to create a new ACL.

acl [ ipv6 ] copy { source-acl-number | name

source-acl-name } to { dest-acl-number | name

dest-acl-name }

10

Configuring packet filtering with ACLs

This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6 packets

on the specified interface.

Applying an ACL to an interface for packet filtering

Ste

p

Command

Remarks

1. Enter system view. system-view N/A

2. Enter interface view. interface interface-type

interface-number

N/A

3. Apply an ACL to the interface

to filter packets.

packet-filter [ ipv6 ] { acl-number |

name acl-name } { inbound |

outbound } [ hardware-count ]

By default, an interface does not

filter packets.

You can apply up to one ACL to the

same direction of an interface.

Setting the interval for generating and outputting packet

filtering logs

After you set the interval, the device periodically generates and outputs the packet filtering logs,

including the number of matching packets and the matched ACL rules. For more information about the

information center, see Network Management and Monitoring Configuration Guide.

To set the interval for generating and outputting packet filtering logs:

Ste

p

Command

Remarks

1. Enter system view. system-view N/A

2. Set the interval for generating

and outputting packet filtering

logs.

acl [ ipv6 ] logging interval interval

The default setting is 0 minutes,

which mean that no packet filtering

logs are generated.

Setting the packet filtering default action

Ste

p

Command

Remarks

1. Enter system view. system-view N/A

2. Set the packet filtering default

action to deny. packet-filter default deny

By default, the packet filter permits

packets that do not match any ACL

rule to pass.

Displaying and maintaining ACLs

Execute display commands in any view and reset commands in user view.

11

Task Command

Display ACL configuration and match statistics. display acl [ ipv6 ] { acl-number | all | name

acl-name }

Display whether an ACL has been successfully applied

to an interface for packet filtering).

display packet-filter { interface [ interface-type

interface-number ] [ inbound | outbound ] | { interface

vlan-interface vlan-interface-number [ vlan-id ] }

[ inbound | outbound ] [ slot slot-number ] }

Display match statistics for packet filtering ACLs.

display packet-filter statistics interface interface-type

interface-number { inbound | outbound } [ [ ipv6 ]

{ acl-number | name acl-name } ] [ brief ]

Display the accumulated statistics for packet filtering

ACLs.

display packet-filter statistics sum { inbound |

outbound } [ ipv6 ] { acl-number | name acl-name }

[ brief ]

Display detailed ACL packet filtering information.

display packet-filter verbose interface interface-type

interface-number { inbound | outbound } [ [ ipv6 ]

{ acl-number | name acl-name } ] [ slot slot-number ]

Display QoS and ACL resource usage. display qos-acl resource [ slot slot-number ]

Clear ACL statistics. reset acl [ ipv6 ] counter { acl-number | all | name

acl-name }

Clear match statistics (including the accumulated

statistics) for packet filtering ACLs.

reset packet-filter statistics { global | interface

[ interface-type interface-number ] | vlan [ vlan-id ] }

{ inbound | outbound } [ default | [ ipv6 ] { acl-number

| name acl-name } ]

ACL configuration example

Network requirements

A company interconnects its departments through Device A. Configure an ACL to:

•Permit access from the President's office at any time to the financial database server.

•Permit access from the Financial department to the database server only during working hours (from

8:00 to 18:00) on working days.

•Deny access from any other department to the database server.

12

Figure 1 Network diagram

Configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<DeviceA> system-view

[DeviceA] time-range work 08:00 to 18:00 working-day

# Create an IPv4 advanced ACL numbered 3000 and configure three rules in the ACL. One rule permits

access from the President's office to the financial database server, one rule permits access from the

Financial department to the database server during working hours, and one rule denies access from any

other department to the database server.

[DeviceA] acl number 3000

[DeviceA-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination

192.168.0.100 0

[DeviceA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination

192.168.0.100 0 time-range work

[DeviceA-acl-adv-3000] rule deny ip source any destination 192.168.0.100 0

[DeviceA-acl-adv-3000] quit

# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface TwentyGigE 1/0/1.

[DeviceA] interface TwentyGigE 1/0/1

[DeviceA-TwentyGigE1/0/1] packet-filter 3000 outbound

[DeviceA-TwentyGigE1/0/1] quit

Verifying the configuration

# Ping the database server from a PC in the Financial department during the working hours. (All PCs in

this example use Windows XP).

C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Reply from 192.168.0.100: bytes=32 time=1ms TTL=255

President's office

192.168.1.0/24 Financial department

192.168.2.0/24 Marketing department

192.168.3.0/24

Device A

TGE 1/0/1

Financial database server

192.168.0.100/24

13

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.100:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms

The output shows that the database server can be pinged.

# Ping the database server from a PC in the Marketing department during the working hours.

C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.0.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output shows the database server cannot be pinged.

# Display configuration and match statistics for IPv4 advanced ACL 3000 on Device A during the

working hours.

[DeviceA] display acl 3000

Advanced ACL 3000, named -none-, 3 rules,

ACL's step is 5

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

(4 times matched) (Active)

rule 10 deny ip destination 192.168.0.100 0 (4 times matched)

The output shows that rule 5 is active. Rule 5 and rule 10 have been matched four times as the result of

the ping operations.

14

QoS overview

In data communications, Quality of Service (QoS) is a network's ability to provide differentiated service

guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect

QoS.

Network resources are scarce. The contention for resources requires that QoS prioritize important traffic

flows over trivial ones. For example, when bandwidth is fixed, more bandwidth for one traffic flow means

less bandwidth for the other traffic flows. When making a QoS scheme, you must consider the

characteristics of various applications to balance the interests of diversified users and to utilize network

resources.

The following section describes some typical QoS service models and widely used, mature QoS

techniques.

QoS service models

This section describes several typical QoS service models.

Best-effort service model

The best-effort model is a single-service model and is also the simplest service model. In this service

model, the network does its best to deliver packets, but does not guarantee delay or reliability.

The best-effort service model is the default model in the Internet and applies to most network applications.

It uses the First In First Out (FIFO) queuing mechanism.

IntServ model

The integrated service (IntServ) model is a multiple-service model that can accommodate diverse QoS

requirements. This service model provides the most granularly differentiated QoS by identifying and

guaranteeing definite QoS for each data flow.

In the IntServ model, an application must request service from the network before it sends data. IntServ

signals the service request with the RSVP. All nodes receiving the request reserve resources as requested

and maintain state information for the application flow.

The IntServ model demands high storage and processing capabilities because it requires all nodes along

the transmission path to maintain resource state information for each flow. This model is suitable for

small-sized or edge networks, but not large-sized networks, for example, the core layer of the Internet,

where billions of flows are present.

DiffServ model

The differentiated service (DiffServ) model is a multiple-service model that can meet diverse QoS

requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve

resources before sending data, as IntServ does.

HP 6125XLG User manual

Popular Switch manuals by other brands