HPE FlexNetwork 5130 EI Switch Series


ACL and QoS

Configuration Guide

Part number: 5200-3945

Software version: Release 32xx

Document version: 6W100-20170525

© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Configuring ACLs
  About ACLs
    Numbering and naming ACLs
    ACL types
    Rule numbering
    Fragment filtering with ACLs
  Restrictions and guidelines: ACL configuration
  ACL tasks at a glance
  Configuring a basic ACL
    About basic ACLs
    Configuring an IPv4 basic ACL
    Configuring an IPv6 basic ACL
  Configuring an advanced ACL
    About advanced ACLs
    Configuring an IPv4 advanced ACL
    Configuring an IPv6 advanced ACL
  Configuring a Layer 2 ACL
  Copying an ACL
  Configuring packet filtering with ACLs
    About packet filtering with ACLs
    Applying an ACL to an interface for packet filtering
    Configuring the applicable scope of packet filtering on a VLAN interface
    Configuring logging and SNMP notifications for packet filtering
    Setting the packet filtering default action
  Display and maintenance commands for ACL
  ACL configuration examples
    Example: configuring interface-based packet filter

QoS overview
  QoS service models
    Best-effort service model
    IntServ model
    DiffServ model
  QoS techniques in a network
  QoS processing flow in a device
  QoS configuration approaches

Configuring a QoS policy
  About QoS policies
  QoS policy tasks at a glance
  Defining a traffic class
  Defining a traffic behavior
  Defining a QoS policy
  Applying the QoS policy
    Application destinations
    Restrictions and guidelines for applying a QoS policy
    Applying the QoS policy to an interface
    Applying the QoS policy to VLANs
    Applying the QoS policy globally
    Applying the QoS policy to a control plane
    Applying the QoS policy to a user profile
  Display and maintenance commands for QoS policies

Configuring priority mapping
  About priority mapping
    About priorities
    Priority maps
    Priority mapping configuration methods
    Priority mapping process
  Priority mapping tasks at a glance
  Configuring a priority map
  Configuring a port to trust packet priority for priority mapping
  Changing the port priority of an interface
  Display and maintenance commands for priority mapping
  Priority mapping configuration examples
    Example: Configuring a priority trust mode
    Example: Configuring priority mapping tables and priority marking

Configuring traffic policing, GTS, and rate limit
  About traffic policing, GTS, and rate limit
    Traffic evaluation and token buckets
    Traffic policing
    GTS
    Rate limit
  Configuring traffic policing
  Configuring GTS
  Configuring the rate limit
  Display and maintenance commands for traffic policing, GTS, and rate limit
  Traffic policing, GTS, and rate limit configuration examples
    Example: Configuring traffic policing and GTS

Configuring congestion management
  About congestion management
    SP queuing
    WRR queuing
    WFQ queuing
  Congestion management tasks at a glance
  Configuring queuing on an interface
    Restrictions and guidelines for queuing configuration
    Configuring SP queuing
    Configuring WRR queuing
    Configuring WFQ queuing
    Configuring SP+WRR queuing
    Configuring SP+WFQ queuing
  Configuring a queue scheduling profile
    About queue scheduling profiles
    Restrictions and guidelines for queue scheduling profile configuration
    Configuring a queue scheduling profile
    Applying a queue scheduling profile
    Example: Configuring a queue scheduling profile
  Display and maintenance commands for congestion management

Configuring congestion avoidance
  About congestion avoidance
    Tail drop
    RED and WRED
    Relationship between WRED and queuing mechanisms
    WRED parameters
  Configuring and applying a queue-based WRED table
    Restrictions and guidelines
    Procedure
    Example: Configuring and applying a queue-based WRED table
  Display and maintenance commands for WRED

Configuring traffic filtering
  About traffic filtering
  Restrictions and guidelines: Traffic filtering configuration
  Procedure
  Traffic filtering configuration examples
    Example: Configuring traffic filtering

Configuring priority marking
  About priority marking
  Configuring priority marking
  Priority marking configuration examples
    Example: Configuring priority marking

Configuring nesting
  About nesting
  Restrictions and guidelines: Nesting configuration
  Procedure
  Nesting configuration examples
    Example: Configuring nesting

Configuring traffic redirecting
  About traffic redirecting
  Restrictions and guidelines: Traffic redirecting configuration
  Procedure
  Traffic redirecting configuration examples
    Example: Configuring traffic redirecting

Configuring global CAR
  About global CAR
    Aggregate CAR
    Hierarchical CAR
  Configuring aggregate CAR
  Configuring hierarchical CAR
  Display and maintenance commands for global CAR
  Global CAR configuration examples
    Example: Configuring AND-mode hierarchical CAR
    Example: Configuring OR-mode hierarchical CAR

Configuring class-based accounting
  About class-based accounting
  Restrictions and guidelines: Class-based accounting configuration
  Procedure
  Class-based accounting configuration examples
    Example: Configuring class-based accounting

Appendixes
  Appendix A Acronyms
  Appendix B Default priority maps
  Appendix C Introduction to packet precedence
    IP precedence and DSCP values
    802.1p priority

Configuring data buffers
  About data buffers
    Data buffer types
    Cell resources and packet resources
    Fixed area and shared area
  Restrictions and guidelines: Data buffer configuration
  Data buffer tasks at a glance
  Enabling the Burst feature
  Configuring data buffers manually
  Configuring data buffer monitoring
  Display and maintenance commands for data buffers

Configuring time ranges
  About time ranges
  Restrictions and guidelines: Time range configuration
  Procedure
  Display and maintenance commands for time ranges
  Time range configuration examples
    Example: Configuring a time range

Document conventions and icons
  Conventions
  Network topology icons

Support and other resources
  Accessing Hewlett Packard Enterprise Support
  Accessing updates
    Websites
    Customer self repair
    Remote support
    Documentation feedback

Index

Configuring ACLs

About ACLs

An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.

ACLs are primarily used for packet filtering. You can also use ACLs in QoS, security, routing, and other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.

Numbering and naming ACLs

When creating an ACL, you must assign it a number or name for identification. You can specify an existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.

An IPv4 basic or advanced ACL and an IPv6 basic or advanced ACL can share the same ACL number and name.

For other ACL types, the ACL number and name must be globally unique.

ACL types

Basic ACLs (ACL number 2000 to 2999)

  IPv4: Source IPv4 address.

  IPv6: Source IPv6 address.

Advanced ACLs (ACL number 3000 to 3999)

  IPv4: Source IPv4 address, destination IPv4 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.

  IPv6: Source IPv6 address, destination IPv6 address, packet priority, protocol number, and other Layer 3 and Layer 4 header fields.

Layer 2 ACLs (ACL number 4000 to 4999)

  IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type.

Rule numbering

ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.

Rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID.

The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules.

By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.

The rule numbering step sets the increment by which the system numbers rules automatically. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is 12, the rule is numbered 15.

The wider the numbering step, the more rules you can insert between two rules. Whenever the step or start rule ID changes, the rules are renumbered, starting from the start rule ID. For example, if there are five rules numbered 0, 5, 9, 10, and 15, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0.

For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.

Fragment filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoid risks, the ACL feature is designed as follows:

Filters all fragments by default, including non-first fragments.

Allows for matching criteria modification for efficiency. For example, you can configure the ACL to filter only non-first fragments.

Restrictions and guidelines: ACL configuration

To create a numbered ACL, you can use one of the following command forms:

○ acl [ ipv6 ] number acl-number

○ acl [ ipv6 | mac ] acl-number

If you create a named ACL, you can enter the view of the ACL only by using the acl [ ipv6 | mac ] name acl-name command.

If you create a numbered ACL, you can enter the view of the ACL only by using the acl [ ipv6 ] number acl-number or acl [ ipv6 | mac ] acl-number command.

Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or has functions enabled in addition to the following match criteria and functions:

○ Source and destination IP addresses.

○ Source and destination ports.

○ Transport layer protocol.

○ ICMP or ICMPv6 message type, message code, and message name.

○ Logging.

○ Time range.

Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation, which affects the device forwarding performance.

ACL tasks at a glance

To configure an ACL, perform the following tasks:

Configure ACLs according to the characteristics of the packets to be matched:

○ Configuring a basic ACL

○ Configuring an advanced ACL

○ Configuring a Layer 2 ACL

(Optional.) Copying an ACL

(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL

About basic ACLs

Basic ACLs match packets based only on source IP addresses.

Configuring an IPv4 basic ACL

1. Enter system view.

   system-view

2. Create an IPv4 basic ACL and enter its view.

   acl basic { acl-number | name acl-name } [ match-order { auto | config } ]

   acl number acl-number [ match-order { auto | config } ]

3. (Optional.) Configure a description for the IPv4 basic ACL.

   description text

   By default, an IPv4 basic ACL does not have a description.

4. (Optional.) Set the rule numbering step.

   step step-value [ start start-value ]

   By default, the rule numbering step is 5 and the start rule ID is 0.

5. Create or edit a rule.

   rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name ] *

   The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging.

6. (Optional.) Add or edit a rule comment.

   rule rule-id comment text

   By default, no rule comment is configured.
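The automatic numbering described under "Rule numbering" and the rule command in step 5 above, modelled together as an added example (not HPE code and not part of the original guide). The class and method names are assumptions made for illustration; only match-order config is modelled, wildcard bits set to 1 are treated as "don't care", and the sample addresses are constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


class BasicAcl:
    """Toy model of an IPv4 basic ACL with match-order config (assumed names)."""

    def __init__(self, step=5, start=0):
        self.step, self.start = step, start
        self.rules = {}  # rule ID -> (action, masked source address, wildcard)

    def next_rule_id(self):
        """ID assigned automatically: next step multiple above the highest ID."""
        if not self.rules or max(self.rules) < self.start:
            return self.start
        slots_used = (max(self.rules) - self.start) // self.step + 1
        return self.start + slots_used * self.step

    def add_rule(self, action, source="any", wildcard="0.0.0.0", rule_id=None):
        """Create a rule, or overwrite the rule that already has rule_id."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if rule_id is None:
            rule_id = self.next_rule_id()
        if source == "any":
            addr, wild = 0, MASK32
        else:
            addr = int(ipaddress.IPv4Address(source))
            wild = int(ipaddress.IPv4Address(wildcard))
        # Wildcard bits set to 1 are ignored; only the 0 bits are compared.
        self.rules[rule_id] = (action, addr & ~wild & MASK32, wild)
        return rule_id

    def set_step(self, step, start=0):
        """Changing the step renumbers all rules from start, keeping their order."""
        self.step, self.start = step, start
        ordered = [self.rules[i] for i in sorted(self.rules)]
        self.rules = {start + n * step: rule for n, rule in enumerate(ordered)}

    def evaluate(self, src_ip):
        """Return (rule_id, action) of the first matching rule, else None."""
        ip = int(ipaddress.IPv4Address(src_ip))
        for rule_id in sorted(self.rules):  # config order: ascending rule ID
            action, addr, wild = self.rules[rule_id]
            if (ip & ~wild & MASK32) == addr:
                return rule_id, action
        return None  # no rule matched; the module using the ACL decides


def demo():
    """Constructed scenario: block one host inside a permitted /16."""
    acl = BasicAcl()                                    # step 5, start 0
    acl.add_rule("permit", "10.1.1.0", "0.0.0.255")     # auto ID 0
    acl.add_rule("permit", "10.1.0.0", "0.0.255.255")   # auto ID 5
    acl.add_rule("deny")                                # auto ID 10, source any
    results = {}
    # Appending the host deny gives it ID 15, after the /16 permit: shadowed.
    appended = acl.add_rule("deny", "10.1.7.9", "0.0.0.0")
    results["appended"] = (appended, acl.evaluate("10.1.7.9"))
    # Using the gap between IDs 0 and 5 puts the deny ahead of the permit.
    del acl.rules[appended]
    acl.add_rule("deny", "10.1.7.9", "0.0.0.0", rule_id=3)
    results["inserted"] = acl.evaluate("10.1.7.9")
    results["neighbour"] = acl.evaluate("10.1.7.10")
    # A narrower step renumbers the rules but keeps the match order.
    acl.set_step(2)
    results["ids_after_step_2"] = sorted(acl.rules)
    results["after_renumber"] = acl.evaluate("10.1.7.9")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A deny rule that receives an automatic ID lands after every existing rule, so in a config-order ACL it never fires when an earlier permit already covers the same source; reviewing the rule order after each addition catches this.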

Configuring an IPv6 basic ACL

1. Enter system view.

system-view

2. Create an IPv6 basic ACL and enter its view.

acl ipv6 basic { acl-number | name acl-name } [ match-order { auto | config } ]

acl ipv6 number acl-number [ match-order { auto | config } ]

3. (Optional.) Configure a description for the IPv6 basic ACL.

description text

By default, an IPv6 basic ACL does not have a description.

4. (Optional.) Set the rule numbering step.

step step-value [ start start-value ]

By default, the rule numbering step is 5 and the start rule ID is 0.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name ] *

The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging.

6. (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

Configuring an advanced ACL

About advanced ACLs

Advanced ACLs match packets based on the following criteria:

Source IP addresses.

Destination IP addresses.

Packet priorities.

Protocol types.

Other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes.

Compared to basic ACLs, advanced ACLs allow more flexible and accurate filtering.

Configuring an IPv4 advanced ACL

Restrictions and guidelines

If an ACL is used for QoS traffic classification or packet filtering, do not specify neq for the operator argument.

Procedure

1. Enter system view.

system-view

2. Create an IPv4 advanced ACL and enter its view.

acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]

acl number acl-number [ match-order { auto | config } ]

3. (Optional.) Configure a description for the IPv4 advanced ACL.

description text

By default, an IPv4 advanced ACL does not have a description.

4. (Optional.) Set the rule numbering step.

step step-value [ start start-value ]

By default, the rule numbering step is 5 and the start rule ID is 0.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-wildcard | any } | destination-port operator port1 [ port2 ] | { dscp dscp | { precedence precedence | tos tos } * } | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | source { source-address source-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging.

6. (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

Configuring an IPv6 advanced ACL

Restrictions and guidelines

If an ACL is for QoS traffic classification or packet filtering:

Do not specify the fragment keyword.

Do not specify neq for the operator argument.

Do not specify the routing, hop-by-hop, or flow-label keyword if the ACL is for outbound application.

Do not specify ipv6-ah for the protocol argument, or set its value to 0, 43, 44, 51, or 60 if the ACL is for outbound application.

Procedure

1. Enter system view.

system-view

2. Create an IPv6 advanced ACL and enter its view.

acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto | config } ]

acl ipv6 number acl-number [ match-order { auto | config } ]

3. (Optional.) Configure a description for the IPv6 advanced ACL.

description text

By default, an IPv6 advanced ACL does not have a description.

4. (Optional.) Set the rule numbering step.

step step-value [ start start-value ]

By default, the rule numbering step is 5 and the start rule ID is 0.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-address dest-prefix | dest-address/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | hop-by-hop [ type hop-type ] | source { source-address source-prefix | source-address/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name ] *

The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging.

6. (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.
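The restrictions listed for IPv4 and IPv6 advanced ACLs used for packet filtering can be checked offline before a change is pushed. The following linter is an added example, not HPE code: it reads a constructed configuration excerpt, uses the packet-filter syntax given later in this guide to learn each ACL's direction, and assumes rules appear as "rule <id> permit|deny <protocol> ..." lines under an "acl [ ipv6 ] advanced" header. ACLs referenced only from QoS traffic classes are not covered.

```python
import re

# Constructed sample in the style of a saved Comware configuration; the ACL
# numbers, rules and interface are made up for this example.
SAMPLE_CONFIG = """\
acl advanced 3001
 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port neq 23
 rule 5 deny ip
#
acl ipv6 advanced 3002
 rule 0 permit tcp destination-port eq 443
 rule 5 deny ipv6 fragment
 rule 10 deny 43
 rule 10 comment drop routing headers
 rule 15 deny ipv6 routing
#
interface GigabitEthernet1/0/1
 packet-filter 3001 inbound
 packet-filter ipv6 3002 outbound
#
"""

ACL_RE = re.compile(r"^acl (ipv6 )?advanced (?:name )?(\S+)")
# Matches "packet-filter [ ipv6 ] { acl-number | name acl-name } { inbound | outbound }";
# "packet-filter mac ..." is skipped because Layer 2 ACLs are out of scope here.
PF_RE = re.compile(r"^\s+packet-filter (ipv6 )?(?:name )?(\S+) (inbound|outbound)")

# Restrictions that apply only when an IPv6 advanced ACL is applied outbound.
OUTBOUND_KEYWORDS = ("routing", "hop-by-hop", "flow-label")
OUTBOUND_PROTOCOLS = {"ipv6-ah", "0", "43", "44", "51", "60"}


def parse(config):
    """Return (acls, directions), both keyed by (family, acl id)."""
    acls, directions, current = {}, {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = ("ipv6" if m.group(1) else "ipv4", m.group(2))
            acls[current] = []
            continue
        if not line.startswith(" "):
            current = None  # an unindented line leaves ACL view
        m = PF_RE.match(line)
        if m:
            key = ("ipv6" if m.group(1) else "ipv4", m.group(2))
            directions.setdefault(key, set()).add(m.group(3))
            continue
        tokens = line.split()
        # Keep "rule <id> permit|deny <protocol> ..."; skip "rule <id> comment ...".
        if (current and len(tokens) >= 4 and tokens[0] == "rule"
                and tokens[1].isdigit() and tokens[2] in ("permit", "deny")):
            acls[current].append((int(tokens[1]), tokens[3], tokens[4:]))
    return acls, directions


def lint(config):
    """List (family, acl id, rule id, problem) for rules that break the guide's
    restrictions on advanced ACLs used for packet filtering."""
    acls, directions = parse(config)
    findings = []
    for (family, acl_id), dirs in sorted(directions.items()):
        for rule_id, protocol, opts in acls.get((family, acl_id), []):
            problems = []
            for i, tok in enumerate(opts[:-1]):
                if tok in ("source-port", "destination-port") and opts[i + 1] == "neq":
                    problems.append(f"neq operator on {tok}")
            if family == "ipv6":
                if "fragment" in opts:
                    problems.append("fragment keyword")
                if "outbound" in dirs:
                    problems += [f"{kw} keyword on outbound ACL"
                                 for kw in OUTBOUND_KEYWORDS if kw in opts]
                    if protocol in OUTBOUND_PROTOCOLS:
                        problems.append(f"protocol {protocol} on outbound ACL")
            findings += [(family, acl_id, rule_id, p) for p in problems]
    return findings


if __name__ == "__main__":
    for family, acl_id, rule_id, problem in lint(SAMPLE_CONFIG):
        print(f"{family} ACL {acl_id} rule {rule_id}: {problem}")
```

Keyword detection is token based, so a time range that happens to be named after a keyword would be reported as well.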

Configuring a Layer 2 ACL

About Layer 2 ACLs

Layer 2 ACLs, also called Ethernet frame header ACLs, match packets based on Layer 2 Ethernet header fields, such as:

Source MAC address.

Destination MAC address.

802.1p priority (VLAN priority).

Link layer protocol type.

Encapsulation type.

Procedure

1. Enter system view.

system-view

2. Create a Layer 2 ACL and enter its view.

acl mac { acl-number | name acl-name } [ match-order { auto | config } ]

acl number acl-number [ match-order { auto | config } ]

3. (Optional.) Configure a description for the Layer 2 ACL.

description text

By default, a Layer 2 ACL does not have a description.

4. (Optional.) Set the rule numbering step.

step step-value [ start start-value ]

By default, the rule numbering step is 5 and the start rule ID is 0.

5. Create or edit a rule.

rule [ rule-id ] { deny | permit } [ cos dot1p | counting | dest-mac dest-address dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac source-address source-mask | time-range time-range-name ] *

6. (Optional.) Add or edit a rule comment.

rule rule-id comment text

By default, no rule comment is configured.

Copying an ACL

About copying an ACL

You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the same properties and content as the source ACL, but uses a different number or name than the source ACL.

Restrictions and guidelines

To successfully copy an ACL, make sure:

The destination ACL is the same type as the source ACL.

The source ACL already exists, but the destination ACL does not.

Procedure

1. Enter system view.

system-view

2. Copy an existing ACL to create a new ACL.

acl [ ipv6 | mac ] copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Configuring packet filtering with ACLs

About packet filtering with ACLs

This section describes procedures for using an ACL to filter packets. For example, you can apply an ACL to an interface to filter incoming or outgoing packets.

Applying an ACL to an interface for packet filtering

Restrictions and guidelines

You can apply a maximum of three ACLs to the same direction of an interface: one IPv4 ACL, one IPv6 ACL, and one Layer 2 ACL.

The term "interface" in this section collectively refers to Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, and VLAN interfaces. For a Layer 2 aggregate interface, you can apply an ACL to only its inbound direction.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Apply an ACL to the interface to filter packets.

packet-filter [ ipv6 | mac ] { acl-number | name acl-name } { inbound | outbound } [ hardware-count ]

By default, an interface does not filter packets.

Configuring the applicable scope of packet filtering on a VLAN interface

About applicable scope of packet filtering on a VLAN interface

You can configure the packet filtering on a VLAN interface to filter the following packets:

Packets forwarded at Layer 3 by the VLAN interface.

All packets, including packets forwarded at Layer 3 by the VLAN interface and packets forwarded at Layer 2 by the physical ports associated with the VLAN interface.

Procedure

1. Enter system view.

system-view

2. Create a VLAN interface and enter its view.

interface vlan-interface vlan-interface-id

If the VLAN interface already exists, you directly enter its view.

By default, no VLAN interface exists.

3. Specify the applicable scope of packet filtering on the VLAN interface.

packet-filter filter { all | route }

By default, the packet filtering filters packets forwarded at Layer 3.

Configuring logging and SNMP notifications for packet filtering

About configuring logging and SNMP notifications for packet filtering

You can configure the ACL module to generate log entries or SNMP notifications for packet filtering and output them to the information center or SNMP module at the output interval. The log entry or notification records the number of matching packets and the matched ACL rules. If an ACL is matched for the first time, the device immediately outputs a log entry or notification to record the matching packet.

For more information about the information center and SNMP, see Network Management and Monitoring Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Set the interval for outputting packet filtering logs or notifications.

acl { logging | trap } interval interval

The default setting is 0 minutes. By default, the device does not generate log entries or SNMP notifications for packet filtering.

Setting the packet filtering default action

1. Enter system view.

system-view

2. Set the packet filtering default action to deny.

packet-filter default deny

By default, the packet filter permits packets that do not match any ACL rule to pass.

Display and maintenance commands for ACL

Execute display commands in any view and reset commands in user view.

Task: Display ACL configuration and match statistics.

Command: display acl [ ipv6 | mac ] { acl-number | all | name acl-name }

Task: Display ACL application information for packet filtering.

Command: display packet-filter { interface [ interface-type interface-number ] [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] }

Task: Display match statistics for packet filtering ACLs.

Command: display packet-filter statistics interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ brief ]

Task: Display the accumulated statistics for packet filtering ACLs.

Command: display packet-filter statistics sum { inbound | outbound } [ ipv6 | mac ] { acl-number | name acl-name } [ brief ]

Task: Display detailed ACL packet filtering information.

Command: display packet-filter verbose interface interface-type interface-number { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ] [ slot slot-number ]

Task: Display QoS and ACL resource usage.

Command: display qos-acl resource [ slot slot-number ]

Task: Clear ACL statistics.

Command: reset acl [ ipv6 | mac ] counter { acl-number | all | name acl-name }

Task: Clear match statistics and accumulated match statistics for packet filtering ACLs.

Command: reset packet-filter statistics interface [ interface-type interface-number ] { inbound | outbound } [ [ ipv6 | mac ] { acl-number | name acl-name } ]

ACL configuration examples

Example: configuring interface-based packet filter

Network configuration

A company interconnects its departments through the device. Configure a packet filter to:

Permit access from the President's office at any time to the financial database server.

Permit access from the Finance department to the database server only during working hours (from 8:00 to 18:00) on working days.

Deny access from any other department to the database server.

Figure 1 Network diagram

Procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<Device> system-view

[Device] time-range work 08:00 to 18:00 working-day

# Create an IPv4 advanced ACL numbered 3000.

[Device] acl advanced 3000

# Configure a rule to permit access from the President's office to the financial database server.

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

# Configure a rule to permit access from the Finance department to the database server during working hours.

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

# Configure a rule to deny access to the financial database server.

[Device-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0

[Device-acl-ipv4-adv-3000] quit

# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] packet-filter 3000 outbound

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that a PC in the Finance department can ping the database server during working hours. (All PCs in this example use Windows XP.)

C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Reply from 192.168.0.100: bytes=32 time=1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255


Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.100:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms

# Verify that a PC in the Marketing department cannot ping the database server during working hours.

C:\> ping 192.168.0.100

Pinging 192.168.0.100 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 192.168.0.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

# Display configuration and match statistics for IPv4 advanced ACL 3000 on the device during working hours.

[Device] display acl 3000

Advanced IPv4 ACL 3000, 3 rules,

ACL's step is 5

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (Active)

rule 10 deny ip destination 192.168.0.100 0

The output shows that rule 5 is active. Rule 5 and rule 10 have been matched four times as the result of the ping operations.
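The ping checks above cover only two cases. The following model of ACL 3000 is an added example, not HPE code, and shows how the same rules decide other cases: outside the work time range, and for traffic that no rule matches, where the packet filtering default action applies. It assumes rules are evaluated in ascending rule ID order (match-order config), that working-day means Monday through Friday, and that the time range end is exclusive; the Marketing address 192.168.3.10 and the second server 192.168.0.50 are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks are inverted netmasks: a 1 bit means "ignore this bit".
    The CLI shorthand "0" is treated as 0.0.0.0, an exact host match."""
    wc = 0 if wildcard == "0" else int(IPv4Address(wildcard))
    care = ~wc & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time
    weekdays: frozenset  # datetime.weekday() values, Monday == 0

    def active(self, now: datetime) -> bool:
        # Assumption: start is inclusive and end is exclusive.
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    src: Optional[Tuple[str, str]]           # (address, wildcard); None means "any"
    dst: Optional[Tuple[str, str]]
    time_range: Optional[TimeRange] = None

    def matches(self, src_ip: str, dst_ip: str, now: datetime) -> bool:
        if self.time_range and not self.time_range.active(now):
            return False  # a rule outside its time range is inactive
        for spec, ip in ((self.src, src_ip), (self.dst, dst_ip)):
            if spec and not wildcard_match(ip, *spec):
                return False
        return True


# "time-range work 08:00 to 18:00 working-day" and the three rules of ACL 3000.
WORK = TimeRange(time(8, 0), time(18, 0), frozenset(range(5)))
DB_SERVER = "192.168.0.100"
ACL_3000 = [
    Rule(0, "permit", ("192.168.1.0", "0.0.0.255"), (DB_SERVER, "0")),
    Rule(5, "permit", ("192.168.2.0", "0.0.0.255"), (DB_SERVER, "0"), WORK),
    Rule(10, "deny", None, (DB_SERVER, "0")),
]

# Constructed evaluation times (25 May 2017 was a Thursday).
THURSDAY_10AM = datetime(2017, 5, 25, 10, 0)
THURSDAY_11PM = datetime(2017, 5, 25, 23, 0)
SATURDAY_10AM = datetime(2017, 5, 27, 10, 0)


def evaluate(acl, src_ip, dst_ip, now, default_action="permit"):
    """Return (action, rule_id). rule_id is None when no rule matched and the
    packet filtering default action decided ("permit" unless
    "packet-filter default deny" is configured)."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(src_ip, dst_ip, now):
            return rule.action, rule.rule_id
    return default_action, None


if __name__ == "__main__":
    cases = [
        ("Finance, working hours", "192.168.2.10", DB_SERVER, THURSDAY_10AM),
        ("Finance, Saturday", "192.168.2.10", DB_SERVER, SATURDAY_10AM),
        ("President's office, night", "192.168.1.10", DB_SERVER, THURSDAY_11PM),
        ("Marketing, working hours", "192.168.3.10", DB_SERVER, THURSDAY_10AM),
        ("Marketing to another server", "192.168.3.10", "192.168.0.50", THURSDAY_10AM),
    ]
    for label, src, dst, now in cases:
        print(label, evaluate(ACL_3000, src, dst, now))
```

The last case is permitted only because the default action is permit; passing default_action="deny" models a device configured with packet-filter default deny.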


QoS overview

In data communications, Quality of Service (QoS) provides differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS.

QoS manages network resources and prioritizes traffic to balance system resources.

The following section describes typical QoS service models and widely used QoS techniques.

QoS service models

This section describes several typical QoS service models.

Best-effort service model

The best-effort model is a single-service model. The best-effort model is not as reliable as other models and does not guarantee delay-free delivery.

The best-effort service model is the default model for the Internet and applies to most network applications. It uses the First In First Out (FIFO) queuing mechanism.

IntServ model

The integrated service (IntServ) model is a multiple-service model that can accommodate diverse QoS requirements. This service model provides the most granularly differentiated QoS by identifying and guaranteeing definite QoS for each data flow.

In the IntServ model, an application must request service from the network before it sends data. IntServ signals the service request with RSVP. All nodes receiving the request reserve resources as requested and maintain state information for the application flow.

The IntServ model demands high storage and processing capabilities because it requires all nodes along the transmission path to maintain resource state information for each flow. This model is suitable for small-sized or edge networks. However, it is not suitable for large-sized networks, for example, the core layer of the Internet, where billions of flows are present.

DiffServ model

The differentiated service (DiffServ) model is a multiple-service model that can meet diverse QoS requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve resources before sending data, as IntServ does.

QoS techniques in a network

The QoS techniques include the following features:

Traffic classification.

Traffic policing.

Traffic shaping.

Rate limit.

Congestion management.

Congestion avoidance.


The following section briefly introduces these QoS techniques.

All QoS techniques in this document are based on the DiffServ model.

Figure 2 Position of the QoS techniques in a network

As shown in Figure 2 , traffic classification, traffic shaping, traffic policing, congestion management,

and congestion avoidance mainly implement the following functions: a traffic class. Based on traffic classes, you can provide differentiated services. resources. You can apply traffic policing to both incoming and outgoing traffic of a port. downstream device to eliminate packet drops. Traffic shaping usually applies to the outgoing traffic of a port. forwarding sequence when congestion occurs. Congestion management usually applies to the outgoing traffic of a port. outgoing traffic of a port. When congestion worsens, congestion avoidance reduces the queue length by dropping packets.

QoS processing flow in a device

Figure 3 briefly describes how the QoS module processes traffic.

1. Traffic classifier identifies and classifies traffic for subsequent QoS actions.

2. The QoS module takes various QoS actions on classified traffic as configured, depending on the traffic processing phase and network status. For example, you can configure the QoS module to perform the following operations:

Traffic policing for incoming traffic.

Traffic shaping for outgoing traffic.

Congestion avoidance before congestion occurs.

Congestion management when congestion occurs.

Figure 3 QoS processing flow

[Diagram not reproduced. Stages for packets received on the interface: classification, traffic policing (CAR, token bucket), priority marking. Stages for packets sent out of the interface: classification, traffic policing (CAR, token bucket), traffic shaping (GTS), congestion avoidance (WRED), congestion management (queuing, Queue 0 through Queue N).]

QoS configuration approaches

You can configure QoS by using the MQC approach or non-MQC approach.

In the modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies. A QoS policy defines QoS actions to take on different classes of traffic and can be applied to an object (such as an interface) to control traffic.

In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the rate limit feature to set a rate limit on an interface without using a QoS policy.


Configuring a QoS policy

About QoS policies

A QoS policy has the following components:

By associating a traffic class with a traffic behavior, a QoS policy can perform the QoS actions on matching packets.

A QoS policy can have multiple class-behavior associations.

QoS policy tasks at a glance

To configure a QoS policy, perform the following tasks:

1. Defining a traffic class

2. Defining a traffic behavior

3. Defining a QoS policy

4. Applying the QoS policy

Applying the QoS policy to an interface

Applying the QoS policy to VLANs

Applying the QoS policy globally

Applying the QoS policy to a control plane

Applying the QoS policy to a user profile

Defining a traffic class

1. Enter system view.

system-view

2. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

3. (Optional.) Configure a description for the traffic class.

description text

By default, no description is configured for a traffic class.

4. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For more information, see the if-match command in ACL and QoS Command Reference.

Defining a traffic behavior

1. Enter system view.

system-view

2. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

3. Configure an action in the traffic behavior.

By default, no action is configured for a traffic behavior.

For more information about configuring an action, see the subsequent chapters for traffic policing, traffic filtering, priority marking, class-based accounting, and so on.

Defining a QoS policy

1. Enter system view.

system-view

2. Create a QoS policy and enter QoS policy view.

qos policy policy-name

3. Associate a traffic class with a traffic behavior to create a class-behavior association in the QoS policy.

classifier classifier-name behavior behavior-name [ insert-before before-classifier-name ]

By default, a traffic class is not associated with a traffic behavior.

Repeat this step to create more class-behavior associations.

Applying the QoS policy

Application destinations

You can apply a QoS policy to the following destinations:

Interface—The QoS policy takes effect on the traffic sent or received on the interface.

VLAN—The QoS policy takes effect on the traffic sent or received on all ports in the VLAN.

Globally—The QoS policy takes effect on the traffic sent or received on all ports. the user profile.

Restrictions and guidelines for applying a QoS policy

You can modify traffic classes, traffic behaviors, and class-behavior associations in a QoS policy even after it is applied, unless it is applied to a user profile. If a traffic class uses an ACL for traffic classification, you can delete or modify the ACL.

Applying the QoS policy to an interface

Restrictions and guidelines

A QoS policy can be applied to multiple interfaces. However, only one QoS policy can be applied to one direction (inbound or outbound) of an interface.

The QoS policy applied to the outgoing traffic on an interface does not regulate local packets. Local packets refer to critical protocol packets sent by the local system for operation maintenance. The most common local packets include link maintenance, RIP, LDP, and SSH packets.


The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Apply the QoS policy to the interface.

qos apply policy policy-name { inbound | outbound }

By default, no QoS policy is applied to an interface.

Applying the QoS policy to VLANs

About QoS policy application to VLANs

You can apply a QoS policy to VLANs to regulate the traffic on all ports of the VLANs.

Restrictions and guidelines

QoS policies cannot be applied to dynamic VLANs, including VLANs created by GVRP.

When you apply a QoS policy to VLANs, the QoS policy is applied to the specified VLANs on all interface cards. If the hardware resources of an interface card are insufficient, applying a QoS policy to VLANs might fail on the interface card. The system does not automatically roll back the QoS policy configuration already applied to the main processing unit or other interface cards. To ensure consistency, use the undo qos vlan-policy vlan command to manually remove the QoS policy configuration applied to them.

Procedure

1. Enter system view.

system-view

2. Apply the QoS policy to VLANs.

qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }

By default, no QoS policy is applied to a VLAN.

Applying the QoS policy globally

About global QoS policy application

You can apply a QoS policy globally to the inbound or outbound direction of all ports.

Restrictions and guidelines

If the hardware resources of an interface card are insufficient, applying a QoS policy globally might fail on the interface card. The system does not automatically roll back the QoS policy configuration already applied to the main processing unit or other interface cards. To ensure consistency, you must use the undo qos apply policy global command to manually remove the QoS policy configuration applied to them.

Procedure

1. Enter system view.

system-view

2. Apply the QoS policy globally.

qos apply policy policy-name global { inbound | outbound }

By default, no QoS policy is applied globally.

Applying the QoS policy to a control plane

About the data plane and control plane

A device provides the data plane and the control plane. switching (forwarding) packets, such as various dedicated forwarding chips. They deliver super processing speeds and throughput. switching protocols. They are responsible for protocol packet resolution and calculation, such as CPUs. Compared with data plane units, the control plane units allow for great packet processing flexibility but have lower throughput.

When the data plane receives packets that it cannot recognize or process, it transmits them to the control plane. If the transmission rate exceeds the processing capability of the control plane, the control plane will be busy handling undesired packets. As a result, the control plane fails to handle legitimate packets correctly or in time, and protocol performance is affected.

To address this problem, apply a QoS policy to the control plane to take QoS actions, such as traffic filtering or traffic policing, on inbound traffic. This ensures that the control plane can correctly receive, transmit, and process packets.

A predefined control plane QoS policy uses the protocol type or protocol group type to identify the type of packets sent to the control plane. You can use protocol types or protocol group types in if-match commands in traffic class view for traffic classification. Then you can reconfigure traffic behaviors for these traffic classes as required. You can use the display qos policy control-plane pre-defined command to display predefined control plane QoS policies.

Procedure

1. Enter system view.

system-view

2. Enter control plane view.

control-plane slot slot-number

3. Apply the QoS policy to the control plane.

qos apply policy policy-name inbound

By default, no QoS policy is applied to a control plane.

Applying the QoS policy to a user profile

About QoS policy application to a user profile

When a user profile is configured, you can perform traffic policing based on users. After a user passes authentication, the authentication server sends the name of the user profile associated with the user to the device. The QoS policy configured in user profile view takes effect only when users come online.

Restrictions and guidelines

You can apply a QoS policy to multiple user profiles. In one direction of each user profile, only one policy can be applied. To modify a QoS policy already applied to a direction, first remove the applied QoS policy.

Procedure

1. Enter system view.

system-view

2. Enter user profile view.

user-profile profile-name

3. Apply the QoS policy to the user profile.

qos apply policy policy-name { inbound | outbound }

By default, no QoS policy is applied to a user profile.

Parameter: inbound

Description: Applies a QoS policy to the traffic received by the device from the user profile.

Parameter: outbound

Description: Applies a QoS policy to the traffic sent by the device to the user profile.

Display and maintenance commands for QoS policies

Execute display commands in any view and reset commands in user view.

Task: Display QoS policy configuration.

Command: display qos policy user-defined [ policy-name [ classifier classifier-name ] ] [ slot slot-number ]

Task: Display information about QoS policies applied to the control plane.

Command: display qos policy control-plane slot slot-number

Task: Display information about the predefined QoS policy applied to the control plane.

Command: display qos policy control-plane pre-defined [ slot slot-number ]

Task: Display information about QoS policies applied globally.

Command: display qos policy global [ slot slot-number ] [ inbound | outbound ]

Task: Display information about QoS policies applied to interfaces.

Command: display qos policy interface [ interface-type interface-number ] [ inbound | outbound ]

Task: Display information about QoS policies applied to user profiles.

Command: display qos policy user-profile [ name profile-name ] [ user-id user-id ] [ slot slot-number ] [ inbound | outbound ]

Task: Display information about QoS policies applied to VLANs.

Command: display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ slot slot-number ] [ inbound | outbound ]

Task: Display QoS and ACL resource usage.

Command: display qos-acl resource [ slot slot-number ]

Task: Display traffic behavior configuration.

Command: display traffic behavior user-defined [ behavior-name ] [ slot slot-number ]

Task: Display traffic class configuration.

Command: display traffic classifier user-defined [ classifier-name ] [ slot slot-number ]

Task: Clear the statistics of the QoS policy applied in a certain direction of a VLAN.

Command: reset qos vlan-policy [ vlan vlan-id ] [ inbound | outbound ]

Task: Clear the statistics for a QoS policy applied globally.

Command: reset qos policy global [ inbound | outbound ]

Task: Clear the statistics for the QoS policy applied to the control plane.

Command: reset qos policy control-plane slot slot-number

Configuring priority mapping

About priority mapping

When a packet arrives, a device assigns a set of QoS priority parameters to the packet based on either of the following:

A priority field carried in the packet.

The port priority of the incoming port.

This process is called priority mapping. During this process, the device can modify the priority of the packet according to the priority mapping rules. The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.

Priority mapping is implemented with priority maps and involves the following priorities:

802.1p priority.

DSCP.

EXP.

IP precedence.

Local precedence.

Drop priority.

About priorities

Priorities include the following types: priorities carried in packets, and priorities locally assigned for scheduling only.

Packet-carried priorities include 802.1p priority, DSCP precedence, IP precedence, and EXP. These priorities have global significance and affect the forwarding priority of packets across the network.

For more information about these priorities, see "Appendixes."

Locally assigned priorities only have local significance. They are assigned by the device only for scheduling. These priorities include the local precedence, drop priority, and user priority, as follows: queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled. are dropped preferentially. packet according to its forwarding path. It is a parameter for determining the scheduling priority and forwarding priority of the packet. The user priority represents the following items:

The 802.1p priority for Layer 2 packets.

The IP precedence for Layer 3 packets.

The EXP for MPLS packets.

The device supports only local precedence for scheduling.

Priority maps

The device provides various types of priority maps. By looking through a priority map, the device decides which priority value to assign to a packet for subsequent packet processing.

The default priority maps (as shown in Appendix B Default priority maps) are available for priority mapping. They are adequate in most cases. If a default priority map cannot meet your requirements, you can modify the priority map as required.

Priority mapping configuration methods

You can configure priority mapping by using any of the following methods:

Configuring priority trust mode—In this method, you can configure a port to look up a trusted priority type (802.1p, for example) in incoming packets in the priority maps. Then, the system maps the trusted priority to the target priority types and values.

Changing port priority—If no packet priority is trusted, the port priority of the incoming port is used. By changing the port priority of a port, you change the priority of the incoming packets on the port.

Priority mapping process

On receiving an Ethernet packet on a port, the switch marks the scheduling priorities (local precedence and drop precedence) for the Ethernet packet. This procedure is done according to the priority trust mode of the receiving port and the 802.1Q tagging status of the packet, as shown in Figure 4.

Figure 4 Priority mapping process for an Ethernet packet

For information about priority marking, see " Configuring priority marking ."

Priority mapping tasks at a glance

To configure priority mapping, perform the following tasks:

1. (Optional.) Configuring a priority map

2. Configure a priority mapping method:

   Configuring a port to trust packet priority for priority mapping

   Changing the port priority of an interface

Configuring a priority map

1. Enter system view.

system-view

2. Enter priority map view.

qos map-table { dot1p-lp | dscp-dot1p | dscp-dscp }

3. Configure mappings for the priority map.

import import-value-list export export-value

By default, the default priority maps are used. For more information, see "Appendix B Default priority maps."

If you execute this command multiple times, the most recent configuration takes effect.

Configuring a port to trust packet priority for priority mapping

About configuring a port to trust packet priority

You can configure the device to trust a particular priority field carried in packets for priority mapping on ports or globally. When you configure the trusted packet priority type on an interface, use the following available keywords:

dot1p—Uses the 802.1p priority of received packets for mapping.

dscp—Uses the DSCP precedence of received IP packets for mapping.

Restrictions and guidelines

The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Configure the trusted packet priority type.

qos trust { dot1p | dscp }

By default, an interface does not trust any packet priority and uses the port priority as the 802.1p priority for mapping.

Changing the port priority of an interface

About port priority

If an interface does not trust any packet priority, the device uses its port priority to look for priority parameters for the incoming packets. By changing port priority, you can prioritize traffic received on different interfaces.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Set the port priority of the interface.

qos priority priority-value

The default setting is 0.

Display and maintenance commands for priority mapping

Execute display commands in any view.

Task: Display priority map configuration.

Command: display qos map-table [ dot1p-lp | dscp-dot1p | dscp-dscp ]

Task: Display the trusted packet priority type on a port.

Command: display qos trust interface [ interface-type interface-number ]

Priority mapping configuration examples

Example: Configuring a priority trust mode

Network configuration

As shown in Figure 5:

The DSCP precedence of traffic from Device A to Device C is 3.

The DSCP precedence of traffic from Device B to Device C is 1.

Configure Device C to preferentially process packets from Device A to the server when GigabitEthernet 1/0/3 of Device C is congested.

Figure 5 Network diagram

Procedure

(Method 1) Configure Device C to trust packet priority

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to trust DSCP for priority mapping.

<DeviceC> system-view

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] qos trust dscp

[DeviceC-GigabitEthernet1/0/1] quit

[DeviceC] interface gigabitethernet 1/0/2

[DeviceC-GigabitEthernet1/0/2] qos trust dscp

[DeviceC-GigabitEthernet1/0/2] quit

(Method 2) Configure Device C to trust port priority

# Assign port priority to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Make sure the following requirements are met:

The priority of GigabitEthernet 1/0/1 is higher than that of GigabitEthernet 1/0/2.

No trusted packet priority type is configured on GigabitEthernet 1/0/1 or GigabitEthernet 1/0/2.

<DeviceC> system-view

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] qos priority 3

[DeviceC-GigabitEthernet1/0/1] quit

[DeviceC] interface gigabitethernet 1/0/2

[DeviceC-GigabitEthernet1/0/2] qos priority 1

[DeviceC-GigabitEthernet1/0/2] quit

Example: Configuring priority mapping tables and priority marking

Network configuration

As shown in Figure 6:

The Marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the Marketing department to 3.

The R&D department connects to GigabitEthernet 1/0/2 of Device, which sets the 802.1p priority of traffic from the R&D department to 4.

The Management department connects to GigabitEthernet 1/0/3 of Device, which sets the 802.1p priority of traffic from the Management department to 5.

Configure port priority, 802.1p-to-local mapping table, and priority marking to implement the plan as described in Table 1.

Table 1 Configuration plan

Traffic destination | Traffic priority order | Queuing plan: Traffic source | Queuing plan: Output queue | Queuing plan: Queue priority

Public servers | R&D department > Management department > Marketing department | R&D department | 6 | High

Public servers | (same as above) | Management department | 4 | Medium

Public servers | (same as above) | Marketing department | 2 | Low

Internet | Management department > Marketing department > R&D department | R&D department | 2 | Low

Internet | (same as above) | Management department | 6 | High

Internet | (same as above) | Marketing department | 4 | Medium

Figure 6 Network diagram

Procedure

1. Configure trusting port priority:

# Set the port priority of GigabitEthernet 1/0/1 to 3.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos priority 3

[Device-GigabitEthernet1/0/1] quit

# Set the port priority of GigabitEthernet 1/0/2 to 4.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] qos priority 4

[Device-GigabitEthernet1/0/2] quit

# Set the port priority of GigabitEthernet 1/0/3 to 5.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] qos priority 5

[Device-GigabitEthernet1/0/3] quit

2. Configure the 802.1p-to-local mapping table to map 802.1p priority values 3, 4, and 5 to local precedence values 2, 6, and 4.

This gives the R&D department, Management department, and Marketing department, in that order, decreasing priority for access to the public servers.

[Device] qos map-table dot1p-lp

[Device-maptbl-dot1p-lp] import 3 export 2

[Device-maptbl-dot1p-lp] import 4 export 6

[Device-maptbl-dot1p-lp] import 5 export 4

[Device-maptbl-dot1p-lp] quit

3. Configure priority marking to mark the packets from Management department, Marketing department, and R&D department to the Internet with 802.1p priority values 4, 5, and 3.

This gives the Management department, Marketing department, and R&D department, in that order, decreasing priority for access to the Internet.

# Create ACL 3000, and configure a rule to match HTTP packets.

[Device] acl advanced 3000

[Device-acl-adv-3000] rule permit tcp destination-port eq 80

[Device-acl-adv-3000] quit

# Create a traffic class named http, and use ACL 3000 as a match criterion.

[Device] traffic classifier http

[Device-classifier-http] if-match acl 3000

[Device-classifier-http] quit

# Create a traffic behavior named admin, and configure a marking action for the Management department.

[Device] traffic behavior admin

[Device-behavior-admin] remark dot1p 4

[Device-behavior-admin] quit

# Create a QoS policy named admin, and associate traffic class http with traffic behavior admin in QoS policy admin.

[Device] qos policy admin

[Device-qospolicy-admin] classifier http behavior admin

[Device-qospolicy-admin] quit

# Apply QoS policy admin to the inbound direction of GigabitEthernet 1/0/3.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] qos apply policy admin inbound

# Create a traffic behavior named market, and configure a marking action for the Marketing department.

[Device] traffic behavior market

[Device-behavior-market] remark dot1p 5

[Device-behavior-market] quit

# Create a QoS policy named market, and associate traffic class http with traffic behavior market in QoS policy market.

[Device] qos policy market

[Device-qospolicy-market] classifier http behavior market

[Device-qospolicy-market] quit

# Apply QoS policy market to the inbound direction of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy market inbound

# Create a traffic behavior named rd, and configure a marking action for the R&D department.

[Device] traffic behavior rd

[Device-behavior-rd] remark dot1p 3

[Device-behavior-rd] quit

# Create a QoS policy named rd, and associate traffic class http with traffic behavior rd in QoS policy rd.

[Device] qos policy rd

[Device-qospolicy-rd] classifier http behavior rd

[Device-qospolicy-rd] quit

# Apply QoS policy rd to the inbound direction of GigabitEthernet 1/0/2.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] qos apply policy rd inbound

Configuring traffic policing, GTS, and rate limit

About traffic policing, GTS, and rate limit

Traffic limit helps assign network resources (including bandwidth) and increase network performance. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic.

Traffic policing, Generic Traffic Shaping (GTS), and rate limit control the traffic rate and resource usage according to traffic specifications. You can use token buckets for evaluating traffic specifications.

Traffic evaluation and token buckets

Token bucket features

A token bucket is analogous to a container that holds a certain number of tokens. Each token represents a certain forwarding capacity. The system puts tokens into the bucket at a constant rate.

When the token bucket is full, the extra tokens cause the token bucket to overflow.

Evaluating traffic with the token bucket

A token bucket mechanism evaluates traffic by looking at the number of tokens in the bucket. If the number of tokens in the bucket is enough for forwarding the packets:

The traffic conforms to the specification (called conforming traffic).

The corresponding tokens are taken away from the bucket.

Otherwise, the traffic does not conform to the specification (called excess traffic).

A token bucket has the following configurable parameters:

Mean rate at which tokens are put into the bucket, which is the permitted average rate of traffic. It is usually set to the committed information rate (CIR).

Burst size or the capacity of the token bucket. It is the maximum traffic size permitted in each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size.

Each arriving packet is evaluated.

Complicated evaluation

You can set two token buckets, bucket C and bucket E, to evaluate traffic in a more complicated environment and achieve more policing flexibility. For example, traffic policing uses the following mechanisms:

Single rate two color—Uses one token bucket and the following parameters:

   CIR—Rate at which tokens are put into bucket C. It sets the average packet transmission or forwarding rate allowed by bucket C.

   CBS—Size of bucket C, which specifies the transient burst of traffic that bucket C can forward.

When a packet arrives, the following rules apply:

   If bucket C has enough tokens to forward the packet, the packet is colored green.

   Otherwise, the packet is colored red.

Single rate three color—Uses two token buckets and the following parameters:

   CIR—Rate at which tokens are put into bucket C. It sets the average packet transmission or forwarding rate allowed by bucket C.

   CBS—Size of bucket C, which specifies the transient burst of traffic that bucket C can forward.

   EBS—Size of bucket E minus size of bucket C, which specifies the transient burst of traffic that bucket E can forward. The EBS cannot be 0. The size of E bucket is the sum of the CBS and EBS.

When a packet arrives, the following rules apply:

   If bucket C has enough tokens, the packet is colored green.

   If bucket C does not have enough tokens but bucket E has enough tokens, the packet is colored yellow.

   If neither bucket C nor bucket E has sufficient tokens, the packet is colored red.

Two rate three color—Uses two token buckets and the following parameters:

   CIR—Rate at which tokens are put into bucket C. It sets the average packet transmission or forwarding rate allowed by bucket C.

   CBS—Size of bucket C, which specifies the transient burst of traffic that bucket C can forward.

   PIR—Rate at which tokens are put into bucket E, which specifies the average packet transmission or forwarding rate allowed by bucket E.

   EBS—Size of bucket E, which specifies the transient burst of traffic that bucket E can forward.

When a packet arrives, the following rules apply:

   If bucket C has enough tokens, the packet is colored green.

   If bucket C does not have enough tokens but bucket E has enough tokens, the packet is colored yellow.

   If neither bucket C nor bucket E has sufficient tokens, the packet is colored red.
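The single rate two color and two rate three color meters described above, as an added Python example (not HPE code). It assumes buckets start full and, for the two-rate meter, checks bucket E first and debits both buckets for a green packet as RFC 2698 does, because this guide does not state those details; the traffic and the CBS, PIR, and EBS values are constructed.

```python
"""Token-bucket colour meters; time in ms, tokens in bits (1 kbps = 1 bit/ms)."""
from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"


class TokenBucket:
    def __init__(self, rate_kbps, burst_bytes):
        self.rate = rate_kbps            # tokens (bits) added per millisecond
        self.capacity = burst_bytes * 8  # bucket size in bits
        self.tokens = self.capacity      # assumption: the bucket starts full
        self.last_ms = 0

    def refill(self, now_ms):
        # Tokens arrive at a constant rate; anything above capacity overflows.
        earned = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.capacity, self.tokens + earned)
        self.last_ms = now_ms


def check_burst(burst_bytes, packets):
    # The burst size must exceed the largest packet, or that packet can
    # never find enough tokens and is always excess traffic.
    largest = max(size for _, size in packets)
    if burst_bytes <= largest:
        raise ValueError(f"burst {burst_bytes} B <= largest packet {largest} B")


def single_rate_two_color(cir_kbps, cbs_bytes, packets):
    """packets: list of (arrival_ms, size_bytes) in arrival order."""
    check_burst(cbs_bytes, packets)
    c = TokenBucket(cir_kbps, cbs_bytes)
    colors = []
    for now_ms, size in packets:
        bits = size * 8
        c.refill(now_ms)
        if c.tokens >= bits:
            c.tokens -= bits          # conforming: take the tokens away
            colors.append(GREEN)
        else:
            colors.append(RED)        # excess: bucket C is left untouched
    return colors


def two_rate_three_color(cir_kbps, cbs_bytes, pir_kbps, ebs_bytes, packets):
    """Bucket C fills at CIR (size CBS); bucket E fills at PIR (size EBS)."""
    check_burst(cbs_bytes, packets)
    check_burst(ebs_bytes, packets)
    c = TokenBucket(cir_kbps, cbs_bytes)
    e = TokenBucket(pir_kbps, ebs_bytes)
    colors = []
    for now_ms, size in packets:
        bits = size * 8
        c.refill(now_ms)
        e.refill(now_ms)
        if e.tokens < bits:           # above the peak rate
            colors.append(RED)
        elif c.tokens < bits:         # above CIR but within PIR
            e.tokens -= bits
            colors.append(YELLOW)
        else:                         # within CIR: debit both (assumption)
            c.tokens -= bits
            e.tokens -= bits
            colors.append(GREEN)
    return colors


def summarize(colors):
    return dict(Counter(colors))


# Constructed traffic: one 1500-byte packet per millisecond for 100 ms
# (12000 kbps) metered against a CIR of 2560 kbps.
SAMPLE = [(ms, 1500) for ms in range(100)]

if __name__ == "__main__":
    print("two color  :", summarize(single_rate_two_color(2560, 16000, SAMPLE)))
    print("three color:", summarize(
        two_rate_three_color(2560, 16000, 5120, 32000, SAMPLE)))
```

The first 13 packets are green in both runs because the full bucket C absorbs the initial burst; after that the green rate settles at the CIR.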

Traffic policing

Traffic policing supports policing the inbound traffic and the outbound traffic.

A typical application of traffic policing is to supervise the specification of traffic entering a network and limit it within a reasonable range. Another application is to "discipline" the extra traffic to prevent aggressive use of network resources by an application. For example, you can limit bandwidth for HTTP packets to less than 50% of the total. If the traffic of a session exceeds the limit, traffic policing can drop the packets or reset the IP precedence of the packets.

Figure 7 shows an example of policing outbound traffic on an interface.

Figure 7 Traffic policing

Traffic policing is widely used in policing traffic entering the ISP networks. It can classify the policed traffic and take predefined policing actions on each packet depending on the evaluation result:

Forwarding the packet if the evaluation result is "conforming."

Dropping the packet if the evaluation result is "excess."

Forwarding the packet with its precedence re-marked if the evaluation result is "conforming."

Delivering the packet to next-level traffic policing with its precedence re-marked if the evaluation result is "conforming."

Entering the next-level policing (you can set multiple traffic policing levels, each focused on objects at different levels).

GTS

GTS supports shaping the outbound traffic. GTS limits the outbound traffic rate by buffering exceeding traffic. You can use GTS to adapt the traffic output rate on a device to the input traffic rate of its connected device to avoid packet loss.

The differences between traffic policing and GTS are as follows:

Packets to be dropped with traffic policing are retained in a buffer or queue with GTS, as shown in Figure 8. When enough tokens are in the token bucket, the buffered packets are sent at an even rate.

GTS can result in additional delay and traffic policing does not.

Figure 8 GTS

For example, in Figure 9, Device B performs traffic policing on packets from Device A and drops packets exceeding the limit. To avoid packet loss, you can perform GTS on the outgoing interface of Device A so that packets exceeding the limit are cached in Device A. Once resources are released, GTS takes out the cached packets and sends them out.

Figure 9 GTS application

Rate limit

Rate limit controls the rate of inbound and outbound traffic. The following uses outbound traffic as an example.

The rate limit of an interface specifies the maximum rate for forwarding packets (excluding critical packets).

Rate limit also uses token buckets for traffic control. When rate limit is configured on an interface, a token bucket handles all packets to be sent through the interface for rate limiting. If enough tokens are in the token bucket, packets can be forwarded. Otherwise, packets are put into QoS queues for congestion management. In this way, the traffic passing the interface is controlled.

Figure 10 Rate limit implementation

The token bucket mechanism limits the traffic rate while accommodating bursts. It allows bursty traffic to be transmitted if enough tokens are available. If tokens are scarce, packets cannot be transmitted until sufficient tokens are generated in the token bucket. It restricts the traffic rate to the rate for generating tokens.

Rate limit controls the total rate of all packets on an interface. It is easier to use than traffic policing in controlling the total traffic rate.

Configuring traffic policing

Restrictions and guidelines

The device supports the following application destinations for traffic policing:

Interface.

VLANs.

Globally.

Control plane.

User profile.

Procedure

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For more information about the if-match command, see ACL and QoS Command Reference.

c. Return to system view.

quit

3. Define a traffic behavior.

a. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

b. Configure a traffic policing action.

car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ] * [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]

car cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ green action | red action | yellow action ] * [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]

By default, no traffic policing action is configured.

c. Return to system view.

quit

4. Define a QoS policy.

a. Create a QoS policy and enter QoS policy view.

qos policy policy-name

b. Associate the traffic class with the traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, a traffic class is not associated with a traffic behavior.

c. Return to system view.

quit

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

Configuring GTS

Restrictions and guidelines

The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Configure GTS for a queue.

qos gts queue queue-id cir committed-information-rate [ cbs committed-burst-size ]

By default, GTS is not configured on an interface.

Configuring the rate limit

Restrictions and guidelines

The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Configure the rate limit for the interface.

qos lr { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ]

By default, no rate limit is configured on an interface.

Display and maintenance commands for traffic policing, GTS, and rate limit

Execute display commands in any view.

Task: Display GTS configuration and statistics for interfaces.

Command: display qos gts interface [ interface-type interface-number ]

Task: Display rate limit configuration and statistics.

Command: display qos lr interface [ interface-type interface-number ]

Task: Display QoS and ACL resource usage.

Command: display qos-acl resource [ slot slot-number ]

Task: Display traffic behavior configuration.

Command: display traffic behavior user-defined [ behavior-name ]

Traffic policing, GTS, and rate limit configuration examples

Example: Configuring traffic policing and GTS

Network requirements

As shown in Figure 11:

The server, Host A, and Host B can access the Internet through Device A and Device B.

The server, Host A, and GigabitEthernet 1/0/1 of Device A are in the same network segment.

Host B and GigabitEthernet 1/0/2 of Device A are in the same network segment.

Perform traffic control for the packets that GigabitEthernet 1/0/1 of Device A receives from the server and Host A using the following guidelines:

Limit the rate of packets from the server to 10240 kbps. When the traffic rate is below 10240 kbps, the traffic is forwarded. When the traffic rate exceeds 10240 kbps, the excess packets are marked with DSCP value 0 and then forwarded.

Limit the rate of packets from Host A to 2560 kbps. When the traffic rate is below 2560 kbps, the traffic is forwarded. When the traffic rate exceeds 2560 kbps, the excess packets are dropped.

Perform traffic control on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Device B using the following guidelines:

Limit the incoming traffic rate on GigabitEthernet 1/0/1 to 20480 kbps, and the excess packets are dropped.

Limit the outgoing traffic rate on GigabitEthernet 1/0/2 to 10240 kbps, and the excess packets are dropped.

Figure 11 Network diagram

Configuration procedure

1. Configure Device A:

# Configure ACL 2001 and ACL 2002 to permit the packets from the server and Host A, respectively.

[DeviceA] acl basic 2001

[DeviceA-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0

[DeviceA-acl-ipv4-basic-2001] quit

[DeviceA] acl basic 2002

[DeviceA-acl-ipv4-basic-2002] rule permit source 1.1.1.2 0

[DeviceA-acl-ipv4-basic-2002] quit

# Create a traffic class named server, and use ACL 2001 as the match criterion.

[DeviceA] traffic classifier server

[DeviceA-classifier-server] if-match acl 2001

[DeviceA-classifier-server] quit

# Create a traffic class named host, and use ACL 2002 as the match criterion.

[DeviceA] traffic classifier host

[DeviceA-classifier-host] if-match acl 2002

[DeviceA-classifier-host] quit

# Create a traffic behavior named server, and configure a traffic policing action (CIR 10240 kbps).

[DeviceA] traffic behavior server

[DeviceA-behavior-server] car cir 10240 red remark-dscp-pass 0

[DeviceA-behavior-server] quit

# Create a traffic behavior named host, and configure a traffic policing action (CIR 2560 kbps).

[DeviceA] traffic behavior host

[DeviceA-behavior-host] car cir 2560

[DeviceA-behavior-host] quit

# Create a QoS policy named car, and associate traffic classes server and host with traffic behaviors server and host in QoS policy car, respectively.

[DeviceA] qos policy car

[DeviceA-qospolicy-car] classifier server behavior server

[DeviceA-qospolicy-car] classifier host behavior host

[DeviceA-qospolicy-car] quit

# Apply QoS policy car to the inbound direction of GigabitEthernet 1/0/1.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] qos apply policy car inbound

2. Configure Device B:

# Create ACL 3001, and configure a rule to match HTTP packets.

<DeviceB> system-view

[DeviceB] acl advanced 3001

[DeviceB-acl-adv-3001] rule permit tcp destination-port eq 80

[DeviceB-acl-adv-3001] quit

# Create a traffic class named http, and use ACL 3001 as a match criterion.

[DeviceB] traffic classifier http

[DeviceB-classifier-http] if-match acl 3001

[DeviceB-classifier-http] quit

# Create a traffic class named class, and configure the traffic class to match all packets.

[DeviceB] traffic classifier class

[DeviceB-classifier-class] if-match any

[DeviceB-classifier-class] quit

# Create a traffic behavior named car_inbound, and configure a traffic policing action (CIR 20480 kbps).

[DeviceB] traffic behavior car_inbound

[DeviceB-behavior-car_inbound] car cir 20480

[DeviceB-behavior-car_inbound] quit

# Create a traffic behavior named car_outbound, and configure a traffic policing action (CIR 10240 kbps).

[DeviceB] traffic behavior car_outbound

[DeviceB-behavior-car_outbound] car cir 10240

[DeviceB-behavior-car_outbound] quit

# Create a QoS policy named car_inbound, and associate traffic class class with traffic behavior car_inbound in QoS policy car_inbound.

[DeviceB] qos policy car_inbound

[DeviceB-qospolicy-car_inbound] classifier class behavior car_inbound

[DeviceB-qospolicy-car_inbound] quit

# Create a QoS policy named car_outbound, and associate traffic class http with traffic behavior car_outbound in QoS policy car_outbound.

[DeviceB] qos policy car_outbound

[DeviceB-qospolicy-car_outbound] classifier http behavior car_outbound

[DeviceB-qospolicy-car_outbound] quit

# Apply QoS policy car_inbound to the inbound direction of GigabitEthernet 1/0/1.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] qos apply policy car_inbound inbound

# Apply QoS policy car_outbound to the outbound direction of GigabitEthernet 1/0/2.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] qos apply policy car_outbound outbound

Configuring congestion management

About congestion management

Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node. It is typical of a statistical multiplexing network and can be caused by link failures, insufficient resources, and various other causes.

Figure 12 shows two typical congestion scenarios.

Figure 12 Traffic congestion scenarios

Congestion produces the following negative results:

Increased delay and jitter during packet transmission.

Decreased network throughput and resource use efficiency.

Network resource (memory, in particular) exhaustion and even system breakdown.

Congestion is unavoidable in switched networks and multiuser application environments. To improve the service performance of your network, take measures to manage and control it.

The key to congestion management is defining a resource dispatching policy to prioritize packets for forwarding when congestion occurs.

Congestion management uses queuing and scheduling algorithms to classify and sort traffic leaving a port.

The device supports the following queuing mechanisms:

SP.

WRR.

WFQ.

SP queuing

SP queuing is designed for mission-critical applications that require preferential service to reduce the response delay when congestion occurs.

Figure 13 SP queuing

In Figure 13, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order.

SP queuing schedules the eight queues in the descending order of priority. SP queuing sends packets in the queue with the highest priority first. When the queue with the highest priority is empty, it sends packets in the queue with the second highest priority, and so on. You can assign mission-critical packets to a high priority queue to make sure they are always served first. Common service packets can be assigned to low priority queues to be transmitted when high priority queues are empty.

The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if packets exist in the higher priority queues. In the worst case, lower priority traffic might never get serviced.

WRR queuing

WRR queuing schedules all the queues in turn to ensure that every queue is served for a certain time, as shown in Figure 14.

Figure 14 WRR queuing

Assume a port provides eight output queues. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0). The weight value of a queue decides the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values to 50, 30, 10, 10, 50, 30, 10, and 10 for w7 through w0. In this way, the queue with the lowest priority can get a minimum of 5 Mbps of bandwidth. WRR solves the problem that SP queuing might fail to serve packets in low-priority queues for a long time.

Another advantage of WRR queuing is that when the queues are scheduled in turn, the service time for each queue is not fixed. If a queue is empty, the next queue will be scheduled immediately. This improves bandwidth resource use efficiency.

WRR queuing includes the following types:

Basic WRR queuing—Contains multiple queues. You can set the weight for each queue, and WRR schedules these queues based on the user-defined parameters in a round robin manner.

Group-based WRR queuing—All the queues are scheduled by WRR. You can divide output queues to WRR priority queue group 1 and WRR priority queue group 2. Round robin queue scheduling is performed for group 1 first. If group 1 is empty, round robin queue scheduling is performed for group 2. Only WRR priority queue group 1 is supported in the current software version.

On an interface enabled with group-based WRR queuing, you can assign queues to the SP group. Queues in the SP group are scheduled with SP. The SP group has higher scheduling priority than the WRR groups.
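The SP, WRR, and SP-group behavior described above, as an added Python model (not HPE code) that drains eight backlogged queues with the weights from the 100 Mbps example. It assumes equal-sized packets, packet-count weights, no new arrivals, and a WRR visiting order from queue 7 down to queue 0; the function names and backlog figures are constructed.

```python
"""SP, WRR and SP+WRR draining of eight backlogged output queues (model)."""

# Weights from the text, listed there for w7 through w0.
PAGE_WEIGHTS = {7: 50, 6: 30, 5: 10, 4: 10, 3: 50, 2: 30, 1: 10, 0: 10}


def drain(backlog, slots, weights=None, sp_group=()):
    """Send up to `slots` equal-sized packets; return packets sent per queue.

    backlog  -- {queue_id: packets waiting}; no new arrivals in this model
    weights  -- {queue_id: packets per WRR visit} for queues outside sp_group
    sp_group -- queue ids served by strict priority before any WRR queue
    """
    left = dict(backlog)
    sent = {q: 0 for q in backlog}

    def send(q, n):
        nonlocal slots
        n = min(n, left[q], slots)
        left[q] -= n
        sent[q] += n
        slots -= n

    # SP group: highest queue id first; a lower queue is served only once
    # every higher SP queue is empty.
    for q in sorted(sp_group, reverse=True):
        send(q, left[q])

    # WRR group: visit the queues in turn, each sending up to its weight.
    # An empty queue sends nothing and the next queue is served at once.
    wrr = sorted((q for q in backlog if q not in sp_group), reverse=True)
    if any((weights or {}).get(q, 0) < 1 for q in wrr):
        raise ValueError("every WRR queue needs a weight of at least 1")
    while slots > 0 and any(left[q] for q in wrr):
        for q in wrr:
            send(q, weights[q])
    return sent


def share_mbps(sent, link_mbps):
    """Convert packets sent per queue into bandwidth on a saturated link."""
    total = sum(sent.values())
    return {q: link_mbps * n / total for q, n in sent.items()}


# Constructed load: every queue holds 1000 packets, the link has 200 slots.
FULL = {q: 1000 for q in range(8)}

if __name__ == "__main__":
    print("SP only :", drain(FULL, 200, sp_group=range(8)))
    print("WRR only:", share_mbps(drain(FULL, 200, PAGE_WEIGHTS), 100))
    mixed = dict(FULL)
    mixed[7] = 120
    print("SP+WRR  :", drain(mixed, 200, PAGE_WEIGHTS, sp_group=(7,)))
```

With every queue backlogged, SP alone sends only from queue 7, while WRR gives queue 0 its 5 Mbps share of the 100 Mbps port.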

WFQ queuing

Figure 15 WFQ queuing

WFQ is similar to WRR. On an interface with group-based WFQ queuing enabled, you can assign queues to the SP group. Queues in the SP group are scheduled with SP. The SP group has higher scheduling priority than the WFQ groups.

The difference is that WFQ enables you to set guaranteed bandwidth that a WFQ queue can get during congestion.

Congestion management tasks at a glance

To configure congestion management, perform the following tasks:

Configuring queuing on an interface

   Configuring SP queuing

   Configuring WRR queuing

   Configuring WFQ queuing

   Configuring SP+WRR queuing

   Configuring SP+WFQ queuing

Configuring a queue scheduling profile

Configuring queuing on an interface

Restrictions and guidelines for queuing configuration

The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Configuring SP queuing

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Configure SP queuing.

qos sp

By default, an interface uses byte-count WRR queuing.

Configuring WRR queuing

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Enable WRR queuing.

qos wrr { byte-count | weight }

By default, an interface uses byte-count WRR queuing.

4. Assign a queue to a WRR group, and configure scheduling parameters for the queue.

qos wrr queue-id group 1 { byte-count | weight } schedule-value

By default, all queues on a WRR-enabled interface are in WRR group 1, and queues 0 through 7 have a weight of 1, 2, 3, 4, 5, 9, 13, and 15, respectively.

Configuring WFQ queuing

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Enable WFQ queuing.

qos wfq { byte-count | weight }

By default, an interface uses byte-count WRR queuing.

4. Assign a queue to a WFQ group, and configure scheduling parameters for the queue.

qos wfq queue-id group 1 { byte-count | weight } schedule-value

By default, all queues on a WRR-enabled interface are in WRR group 1, and queues 0 through 7 have a weight of 1, 2, 3, 4, 5, 9, 13, and 15, respectively.

Configuring SP+WRR queuing

About SP+WRR queuing

You can configure some queues on an interface to use SP queuing and others to use WRR queuing by assigning the queues to the SP group and WRR groups. With this SP+WRR queuing method, the system first schedules the queues in the SP group and then schedules queues in the WRR groups when all queues in the SP group are empty. The queues in the SP group are scheduled based on their priorities. The queues in a WRR group are scheduled based on their weights.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Enable byte-count or packet-count WRR queuing.

qos wrr { byte-count | weight }

By default, an interface uses byte-count WRR queuing.

4. Assign a queue to the SP group.

qos wrr queue-id group sp

By default, all queues on a WRR-enabled interface are in WRR group 1.

5. Assign a queue to a WRR group, and configure a scheduling weight for the queue.

qos wrr queue-id group 1 { byte-count | weight } schedule-value

By default, all queues on a WRR-enabled interface are in WRR group 1, and queues 0 through 7 have a weight of 1, 2, 3, 4, 5, 9, 13, and 15, respectively.

Configuring SP+WFQ queuing

About SP+WFQ queuing

You can configure some queues on an interface to use SP queuing and others to use WFQ queuing by assigning the queues to the SP group and WFQ groups. With this SP+WFQ queuing method, the system schedules traffic as follows:

1. The system schedules the traffic conforming to the minimum guaranteed bandwidth in each WFQ group.

2. The system uses SP to schedule queues in the SP group.

3. If there is remaining bandwidth, the system schedules the traffic of queues in each WFQ group based on their weights.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Enable byte-count or packet-count WFQ queuing.

qos wfq [ byte-count | weight ]

By default, an interface uses byte-count WRR queuing.

4. Assign a queue to the SP group.

qos wfq queue-id group sp

By default, all queues on a WFQ-enabled interface are in WFQ group 1.

5. Assign a queue to a WFQ queue scheduling group, and configure a scheduling weight for the queue.

qos wfq queue-id group 1 { weight | byte-count } schedule-value

By default, all queues on a WFQ-enabled interface are in WFQ group 1 and have a weight of 1.

6. (Optional.) Set the minimum guaranteed bandwidth for a queue.

qos bandwidth queue queue-id min bandwidth-value

The default setting is 64 kbps.

Configuring a queue scheduling profile

About queue scheduling profiles

In a queue scheduling profile, you can configure scheduling parameters for each queue. By applying the queue scheduling profile to an interface or session group profile, you can implement congestion management on the interface or session group profile.

Queue scheduling profiles support three queue scheduling algorithms: SP, WRR, and WFQ. In a queue scheduling profile, you can configure SP + WRR or SP + WFQ. When the three queue scheduling algorithms are configured, SP queues, WRR groups, and WFQ groups are scheduled in descending order of queue ID. In a WRR or WFQ group, queues are scheduled based on their weights. When SP and WRR groups are configured in a queue scheduling profile, Figure 16 shows the scheduling order.

Figure 16 Queue scheduling profile configured with both SP and WRR

Queue 7 has the highest priority. Its packets are sent preferentially.

Queue 6 has the second highest priority. Packets in queue 6 are sent when queue 7 is empty.

Queue 3, queue 4, and queue 5 are scheduled according to their weights. When both queue 6 and queue 7 are empty, WRR group 1 is scheduled.

Queue 1 and queue 2 are scheduled according to their weights. WRR group 2 is scheduled when queue 7, queue 6, queue 5, queue 4, and queue 3 are all empty.

Queue 0 has the lowest priority, and it is scheduled when all other queues are empty.


Restrictions and guidelines for queue scheduling profile configuration

When you configure a queue scheduling profile, follow these restrictions and guidelines:

The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Only one queue scheduling profile can be applied to an interface or session group profile.

You can modify the scheduling parameters in a queue scheduling profile already applied to an interface, the switching fabric module, or a session group profile.

Configuring a queue scheduling profile

1. Enter system view.

system-view

2. Create a queue scheduling profile and enter queue scheduling profile view.

qos qmprofile profile-name

3. (Optional.) Configure queue scheduling parameters.

  - Configure a queue to use SP.

queue queue-id sp

  - Configure a queue to use WRR.

queue queue-id wrr group group-id { weight | byte-count } schedule-value

  - Configure a queue to use WFQ.

queue queue-id wfq { weight | byte-count } schedule-value

By default, all queues in a queue scheduling profile use SP queuing.

4. (Optional.) Set the minimum guaranteed bandwidth for a queue.

bandwidth queue queue-id min bandwidth-value

The default setting is 64 kbps.

Applying a queue scheduling profile

1. Enter system view.

system-view

2. Enter queue scheduling profile view.

qos qmprofile profile-name

3. Execute the following commands in sequence to apply the queue scheduling profile to an interface.

interface interface-type interface-number

qos apply qmprofile profile-name

By default, no queue scheduling profile is applied to an interface.

This command applies the queue scheduling profile to outgoing packets (packets received by online users).


Example: Configuring a queue scheduling profile

Network configuration

Configure a queue scheduling profile to meet the following requirements on GigabitEthernet 1/0/1:

Queue 7 has the highest priority, and its packets are sent preferentially.

Queue 0 through queue 6 are in the WRR group and are scheduled according to their packet-count weights, which are 2, 1, 2, 4, 6, 8, and 10, respectively. When queue 7 is empty, the WRR group is scheduled.

Procedure

# Enter system view.

<Sysname> system-view

# Create a queue scheduling profile named qm1.

[Sysname] qos qmprofile qm1

[Sysname-qmprofile-qm1]

# Configure queue 7 to use SP queuing.

[Sysname-qmprofile-qm1] queue 7 sp

# Assign queue 0 through queue 6 to WRR group 1, with their packet-count weights as 2, 1, 2, 4, 6, 8, and 10, respectively.

[Sysname-qmprofile-qm1] queue 0 wrr group 1 weight 2

[Sysname-qmprofile-qm1] queue 1 wrr group 1 weight 1

[Sysname-qmprofile-qm1] queue 2 wrr group 1 weight 2

[Sysname-qmprofile-qm1] queue 3 wrr group 1 weight 4

[Sysname-qmprofile-qm1] queue 4 wrr group 1 weight 6

[Sysname-qmprofile-qm1] queue 5 wrr group 1 weight 8

[Sysname-qmprofile-qm1] queue 6 wrr group 1 weight 10

[Sysname-qmprofile-qm1] quit

# Apply queue scheduling profile qm1 to GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] qos apply qmprofile qm1

After the configuration is completed, GigabitEthernet 1/0/1 performs queue scheduling as specified in queue scheduling profile qm1.
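The scheduling order that profile qm1 produces can be checked with a small model. The following Python simulation is an added example, not part of the HPE guide; the one-packet-per-slot link and the order in which queues spend their weights inside a WRR round are simplifying assumptions, and the function names are hypothetical.

```python
from collections import Counter

# Profile qm1 from the example above: queue 7 is in the SP group, and
# queues 0 through 6 are in WRR group 1 with packet-count weights.
SP_QUEUES = (7,)
WRR_WEIGHTS = {0: 2, 1: 1, 2: 2, 3: 4, 4: 6, 5: 8, 6: 10}


def schedule(backlog, slots, arrivals=None):
    """Return the queue ID served in each transmit slot (None = link idle).

    backlog  -- {queue_id: packets waiting before slot 0}
    arrivals -- optional {slot: {queue_id: packets arriving in that slot}}
    Simplified model (assumption): one packet per slot, and within a WRR
    round the backlogged queue with the highest ID spends its credit first.
    """
    arrivals = arrivals or {}
    queues = {q: backlog.get(q, 0) for q in range(8)}
    credits = dict(WRR_WEIGHTS)  # packets each queue may still send this round
    sent = []
    for slot in range(slots):
        for q, count in arrivals.get(slot, {}).items():
            queues[q] += count
        sp_ready = [q for q in SP_QUEUES if queues[q]]
        if sp_ready:
            # SP group: always served before any WRR queue.
            q = max(sp_ready)
        else:
            wrr_ready = [q for q in WRR_WEIGHTS if queues[q]]
            if not wrr_ready:
                sent.append(None)
                continue
            if not any(credits[q] for q in wrr_ready):
                # Every backlogged queue has used its weight: start a new round.
                credits = dict(WRR_WEIGHTS)
            q = max(x for x in wrr_ready if credits[x])
            credits[q] -= 1
        queues[q] -= 1
        sent.append(q)
    return sent


def served(sent):
    """Count transmitted packets per queue, ignoring idle slots."""
    return Counter(q for q in sent if q is not None)


if __name__ == "__main__":
    # Constructed input: every WRR queue is congested, queue 7 holds 5 packets.
    congested = {q: 1000 for q in range(7)}
    order = schedule({**congested, 7: 5}, slots=5 + 2 * 33)
    print("first slots:", order[:8])
    print("per-queue share:", dict(sorted(served(order).items())))
    # Constructed input: queue 7 receives one packet in every slot.
    busy_sp = schedule(congested, slots=20,
                       arrivals={s: {7: 1} for s in range(20)})
    print("WRR packets sent while queue 7 is never empty:",
          sum(1 for q in busy_sp if q != 7))
```

In the second run the WRR queues send nothing, because queue 7 is never empty; the volume of traffic classified into an SP queue therefore bounds what every WRR queue can get.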

Display and maintenance commands for congestion management

Execute display commands in any view.

Task | Command
Display the configuration of queue scheduling profiles. | display qos qmprofile configuration [ profile-name ] [ slot slot-number ]
Display the queue scheduling profiles applied to interfaces. | display qos qmprofile interface [ interface-type interface-number ]
Display SP queuing configuration. | display qos queue sp interface [ interface-type interface-number ]
Display WFQ queuing configuration. | display qos queue wfq interface [ interface-type interface-number ]
Display WRR queuing configuration. | display qos queue wrr interface [ interface-type interface-number ]


Configuring congestion avoidance

About congestion avoidance

Avoiding congestion before it occurs is a proactive approach to improving network performance. As a flow control mechanism, congestion avoidance:

Actively monitors network resources (such as queues and memory buffers).

Drops packets when congestion is expected to occur or deteriorate.

When dropping packets from a source end, congestion avoidance cooperates with the flow control mechanism at the source end to regulate the network traffic size. The combination of the local packet drop policy and the source-end flow control mechanism implements the following functions:

Maximizes throughput and network use efficiency.

Minimizes packet loss and delay.

Tail drop

Congestion management techniques drop all packets that are arriving at a full queue. This tail drop mechanism results in global TCP synchronization. If packets from multiple TCP connections are dropped, these TCP connections go into the state of congestion avoidance and slow start to reduce traffic. However, traffic peak occurs later. Consequently, the network traffic jitters all the time.

RED and WRED

You can use Random Early Detection (RED) or Weighted Random Early Detection (WRED) to avoid global TCP synchronization.

Both RED and WRED avoid global TCP synchronization by randomly dropping packets. When the sending rates of some TCP sessions slow down after their packets are dropped, other TCP sessions remain at high sending rates. Link bandwidth is efficiently used, because TCP sessions at high sending rates always exist.

The RED or WRED algorithm sets an upper threshold and lower threshold for each queue, and processes the packets in a queue as follows:

When the queue size is shorter than the lower threshold, no packet is dropped.

When the queue size reaches the upper threshold, all subsequent packets are dropped.

When the queue size is between the lower threshold and the upper threshold, the received packets are dropped at random. The drop probability in a queue increases along with the queue size under the maximum drop probability.

If the current queue size is compared with the upper threshold and lower threshold to determine the drop policy, burst traffic is not fairly treated. To solve this problem, WRED compares the average queue size with the upper threshold and lower threshold to determine the drop probability.

The average queue size reflects the queue size change trend but is not sensitive to burst queue size changes, and burst traffic can be fairly treated.

When WFQ queuing is used, you can set the following parameters for packets with different precedence values to provide differentiated drop policies:

Exponent for average queue size calculation.

Upper threshold.

Lower threshold.


Drop probability.

Relationship between WRED and queuing mechanisms

Figure 17 Relationship between WRED and queuing mechanisms

[Diagram: packets to be sent through the interface are classified into queue 1 (weight 1) through queue N (weight N); WRED drop is applied to the queues, and the packets it selects are dropped; the remaining packets are scheduled into the sending queue of the interface and sent.]

Through combining WRED with WFQ, the flow-based WRED can be realized. Each flow has its own queue after classification.

A flow with a smaller queue size has a lower packet drop probability.

A flow with a larger queue size has a higher packet drop probability.

In this way, the benefits of the flow with a smaller queue size are protected.

WRED parameters

Determine the following parameters before configuring WRED: are not dropped. When the average queue size exceeds the lower threshold, packets are dropped at random according to the configured drop probability.

Denominator for drop probability calculation—The greater the denominator, the smaller the calculated drop probability.

Table 2 shows the denominator-drop probability map.

Table 2 Denominator-drop probability map

Denominator | Drop probability
0 | 100%
1 to 8 | 1/8
9 to 16 | 1/16
17 to 32 | 1/32
33 to 64 | 1/64
65 to 128 | 1/128


Configuring and applying a queue-based WRED table

Restrictions and guidelines

By using a WRED table, WRED randomly drops packets during congestion based on the queues that hold packets.

One WRED table can be applied to multiple interfaces. You can modify the parameters of a WRED table applied to an interface, but you cannot delete the WRED table.

The term "interface" in this section refers to Layer 2 Ethernet interfaces.

Procedure

1. Enter system view.

system-view

2. Create a WRED table and enter its view.

qos wred queue table table-name

3. (Optional.) Configure the other WRED parameters.

queue queue-id low-limit low-limit [ discard-probability discard-prob ]

By default, the lower limit is 100, and the drop probability is 10%.

4. Return to system view.

quit

5. Enter interface view.

interface interface-type interface-number

6. Apply the WRED table to the interface.

qos wred apply [ table-name ]

By default, no WRED table is applied to an interface, and tail drop is used on an interface.

Example: Configuring and applying a queue-based WRED table

Network configuration

Apply a WRED table to GigabitEthernet 1/0/2 to meet the following requirements:

The lower threshold is 30.

The denominators for drop probability calculation for queue 0 through queue 7 are 5, 5, 10, 10, 15, 15, 20, and 20, respectively.

Procedure

# Configure a queue-based WRED table, and set different drop parameters for packets with different drop levels in different queues.

<Sysname> system-view

[Sysname] qos wred queue table queue-table1

[Sysname-wred-table-queue-table1] queue 0 low-limit 30 discard-probability 5

[Sysname-wred-table-queue-table1] queue 1 low-limit 30 discard-probability 5


[Sysname-wred-table-queue-table1] queue 2 low-limit 30 discard-probability 10

[Sysname-wred-table-queue-table1] queue 3 low-limit 30 discard-probability 10

[Sysname-wred-table-queue-table1] queue 4 low-limit 30 discard-probability 15

[Sysname-wred-table-queue-table1] queue 5 low-limit 30 discard-probability 15

[Sysname-wred-table-queue-table1] queue 6 low-limit 30 discard-probability 20

[Sysname-wred-table-queue-table1] queue 7 low-limit 30 discard-probability 20

[Sysname-wred-table-queue-table1] quit

# Apply the queue-based WRED table to GigabitEthernet 1/0/2.

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] qos wred apply queue-table1

[Sysname-GigabitEthernet1/0/2] quit
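How the average queue size and the denominator from Table 2 combine into a drop decision is shown below for the values of queue-table1. This Python model is an added example, not HPE code: the moving-average formula is the standard RED one (average = old average × (1 − 2^−n) + current size × 2^−n), and the exponent n = 3, the sample queue sizes, and all names are assumptions.

```python
import random

# Table 2 of this guide: configured denominator range -> drop probability.
DENOMINATOR_MAP = (
    (0, 0, 1.0),
    (1, 8, 1 / 8),
    (9, 16, 1 / 16),
    (17, 32, 1 / 32),
    (33, 64, 1 / 64),
    (65, 128, 1 / 128),
)


def drop_probability(denominator):
    """Map a discard-probability denominator to the probability in Table 2."""
    for low, high, probability in DENOMINATOR_MAP:
        if low <= denominator <= high:
            return probability
    raise ValueError(f"denominator {denominator} is outside Table 2")


class WredQueue:
    """One queue of a queue-based WRED table (lower limit + denominator)."""

    def __init__(self, low_limit, denominator, exponent=3):
        self.low_limit = low_limit
        self.probability = drop_probability(denominator)
        self.weight = 2.0 ** -exponent   # assumption: standard RED averaging
        self.average = 0.0

    def observe(self, queue_size):
        """Fold the current queue size into the average queue size."""
        self.average = (self.average * (1 - self.weight)
                        + queue_size * self.weight)
        return self.average

    def drop_eligible(self):
        """Packets can be dropped only once the average reaches the lower limit."""
        return self.average >= self.low_limit

    def admit(self, queue_size, rng):
        """Return True if the arriving packet is queued, False if WRED drops it."""
        self.observe(queue_size)
        return not (self.drop_eligible() and rng.random() < self.probability)


def first_eligible_sample(queue, sizes):
    """Index of the first sample at which drops become possible, or None."""
    for index, size in enumerate(sizes):
        queue.observe(size)
        if queue.drop_eligible():
            return index
    return None


def drop_rate(queue, sizes, seed=1):
    """Fraction of arrivals dropped over the given queue-size samples."""
    rng = random.Random(seed)
    dropped = sum(0 if queue.admit(size, rng) else 1 for size in sizes)
    return dropped / len(sizes)


if __name__ == "__main__":
    # Queue 0 of queue-table1: low-limit 30, discard-probability 5.
    burst = [0, 0, 200, 0, 0]        # constructed: one short burst
    sustained = [40] * 20            # constructed: lasting congestion
    print("burst eligible at:", first_eligible_sample(WredQueue(30, 5), burst))
    print("sustained eligible at:",
          first_eligible_sample(WredQueue(30, 5), sustained))
    print("drop rate under congestion:",
          drop_rate(WredQueue(30, 5), [40] * 20000))
```

The single burst of 200 never makes queue 0 drop-eligible because the average only reaches 25, while a steady queue size of 40 crosses the lower limit of 30 at the eleventh sample.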

Display and maintenance commands for WRED

Execute display commands in any view.

Task | Command
Display WRED configuration and statistics for an interface. | display qos wred interface [ interface-type interface-number ]
Display the configuration of a WRED table or all WRED tables. | display qos wred table [ name table-name ] [ slot slot-number ]


Configuring traffic filtering

About traffic filtering

You can filter in or filter out traffic of a class by associating the class with a traffic filtering action. For example, you can filter packets sourced from an IP address according to network status.

Restrictions and guidelines: Traffic filtering configuration

The device supports the following application destinations for traffic filtering:

Interface.

VLANs.

Globally.

Control plane.

Procedure

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For more information about configuring match criteria, see ACL and QoS Command Reference.

c. Return to system view.

quit

3. Define a traffic behavior.

a. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

b. Configure the traffic filtering action.

filter { deny | permit }

By default, no traffic filtering action is configured.

If a traffic behavior has the filter deny action, all other actions in the traffic behavior except class-based accounting do not take effect.

c. Return to system view.

quit

4. Define a QoS policy.

a. Create a QoS policy and enter QoS policy view.

qos policy policy-name

b. Associate the traffic class with the traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, a traffic class is not associated with a traffic behavior.

c. Return to system view.

quit

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

6. (Optional.) Display the traffic filtering configuration.

display traffic behavior user-defined [ behavior-name ]

This command is available in any view.

Traffic filtering configuration examples

Example: Configuring traffic filtering

Network configuration

As shown in Figure 18, configure traffic filtering on GigabitEthernet 1/0/1 to deny the incoming packets with a source port number other than 21.

Figure 18 Network diagram

Procedure

# Create advanced ACL 3000, and configure a rule to match packets whose source port number is not 21.

<Device> system-view

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule 0 permit tcp source-port neq 21

[Device-acl-ipv4-adv-3000] quit

# Create a traffic class named classifier_1, and use ACL 3000 as the match criterion in the traffic class.

[Device] traffic classifier classifier_1

[Device-classifier-classifier_1] if-match acl 3000

[Device-classifier-classifier_1] quit

# Create a traffic behavior named behavior_1, and configure the traffic filtering action to drop packets.

[Device] traffic behavior behavior_1

[Device-behavior-behavior_1] filter deny

[Device-behavior-behavior_1] quit

# Create a QoS policy named policy, and associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy.

[Device] qos policy policy


[Device-qospolicy-policy] classifier classifier_1 behavior behavior_1

[Device-qospolicy-policy] quit

# Apply QoS policy policy to the incoming traffic of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy policy inbound
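Which inbound packets the policy above drops can be verified by evaluating the ACL rule against sample packets. The Python code below is an added example, not part of the guide; it handles only permit rules of the form used here (protocol plus a source-port operator), assumes that packets matching no class are forwarded unchanged, and uses constructed sample packets and hypothetical names.

```python
import re
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    protocol: str                    # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None   # None for protocols without ports


# Only the rule shape used in this example: permit <tcp|udp> source-port <op> <port(s)>
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+permit\s+(tcp|udp)\s+source-port\s+"
    r"(eq|neq|gt|lt|range)\s+(\d+)(?:\s+(\d+))?")

PORT_TESTS = {
    "eq": lambda port, a, b: port == a,
    "neq": lambda port, a, b: port != a,
    "gt": lambda port, a, b: port > a,
    "lt": lambda port, a, b: port < a,
    "range": lambda port, a, b: a <= port <= b,
}


def compile_rule(text):
    """Turn one ACL rule line into a function that tests a Packet."""
    found = RULE_RE.fullmatch(text.strip())
    if not found:
        raise ValueError(f"unsupported rule: {text!r}")
    protocol, operator, first, second = found.groups()
    if (operator == "range") != (second is not None):
        raise ValueError("only the range operator takes two port numbers")
    a = int(first)
    b = int(second) if second is not None else None

    def matches(packet):
        return (packet.protocol == protocol
                and packet.src_port is not None
                and PORT_TESTS[operator](packet.src_port, a, b))

    return matches


def inbound_verdict(packet, policy):
    """policy: list of (class matcher, filter action) in QoS policy order."""
    for matches, action in policy:
        if matches(packet):
            return "drop" if action == "deny" else "forward"
    return "forward"   # assumption: no class matched, so no filter action applies


# ACL 3000 -> classifier_1 -> behavior_1 (filter deny), as configured above.
ACL_3000 = compile_rule("rule 0 permit tcp source-port neq 21")
POLICY = [(ACL_3000, "deny")]

# Constructed sample packets arriving on GigabitEthernet 1/0/1.
SAMPLES = {
    "tcp src 21": Packet("tcp", 21),
    "tcp src 20": Packet("tcp", 20),
    "tcp src 443": Packet("tcp", 443),
    "udp src 53": Packet("udp", 53),
    "icmp": Packet("icmp"),
}


def audit(samples=SAMPLES, policy=POLICY):
    """Return the verdict for every sample packet."""
    return {name: inbound_verdict(pkt, policy) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:12} {verdict}")
```

The rule names tcp, so UDP and ICMP packets are not in classifier_1 and pass the filter; TCP packets from source port 20 are dropped like those from any other port except 21.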


Configuring priority marking

About priority marking

Priority marking sets the priority fields or flag bits of packets to modify the priority of packets. For example, you can use priority marking to set IP precedence or DSCP for a class of IP packets to control the forwarding of these packets.

To configure priority marking to set the priority fields or flag bits for a class of packets, perform the following tasks:

1. Configure a traffic behavior with a priority marking action.

2. Associate the traffic class with the traffic behavior.

Priority marking can be used together with priority mapping. For more information, see " Configuring priority mapping ."

Configuring priority marking

Restrictions and guidelines

The device supports the following application destinations for priority marking:

Interface.

VLANs.

Globally.

Control plane.

User profile.

The ports on the HPE FlexNetwork 5130 48G 4SFP+ EI Switch (JG934A), HPE FlexNetwork 5130 48G 4SFP+ EI Brazil Switch (JG976A), HPE FlexNetwork 5130 48G PoE+ 4SFP+ (370W) EI Switch (JG937A), HPE FlexNetwork 5130 48G PoE+ 4SFP+ (370W) EI Brazil Switch (JG978A), HPE FlexNetwork 5130 48G 2SFP+ 2XGT EI Switch (JG939A), and HPE FlexNetwork 5130 48G PoE+ 2SFP+ 2XGT (370W) EI Switch (JG941A) are organized into two groups.

Ports numbered from 1 to 24 and 49 to 50 are organized into one group.

Ports numbered from 25 to 48 and 51 to 52 are organized into the other group.

If a packet enters and leaves the switch through ports in different groups, the local precedence value marked for the packet in the inbound direction does not take effect.

Procedure

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For more information about the if-match command, see ACL and QoS Command Reference.

c. Return to system view.

quit

3. Define a traffic behavior.

a. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

b. Configure a priority marking action.

For configurable priority marking actions, see the remark commands in ACL and QoS Command Reference.

c. Return to system view.

quit

4. Define a QoS policy.

a. Create a QoS policy and enter QoS policy view.

qos policy policy-name

b. Associate the traffic class with the traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, a traffic class is not associated with a traffic behavior.

c. Return to system view.

quit

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

6. (Optional.) Display the priority marking configuration.

display traffic behavior user-defined [ behavior-name ]

This command is available in any view.

Priority marking configuration examples

Example: Configuring priority marking

Network configuration

As shown in Figure 19, configure priority marking on the device to meet the following requirements:

Traffic source | Destination | Processing priority
Host A, B | Data server | High
Host A, B | Mail server | Medium
Host A, B | File server | Low


Figure 19 Network diagram

Procedure

# Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.

<Device> system-view

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip destination 192.168.0.1 0

[Device-acl-ipv4-adv-3000] quit

# Create advanced ACL 3001, and configure a rule to match packets with destination IP address 192.168.0.2.

[Device] acl advanced 3001

[Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.0.2 0

[Device-acl-ipv4-adv-3001] quit

# Create advanced ACL 3002, and configure a rule to match packets with destination IP address 192.168.0.3.

[Device] acl advanced 3002

[Device-acl-ipv4-adv-3002] rule permit ip destination 192.168.0.3 0

[Device-acl-ipv4-adv-3002] quit

# Create a traffic class named classifier_dbserver, and use ACL 3000 as the match criterion in the traffic class.

[Device] traffic classifier classifier_dbserver

[Device-classifier-classifier_dbserver] if-match acl 3000

[Device-classifier-classifier_dbserver] quit

# Create a traffic class named classifier_mserver, and use ACL 3001 as the match criterion in the traffic class.

[Device] traffic classifier classifier_mserver

[Device-classifier-classifier_mserver] if-match acl 3001

[Device-classifier-classifier_mserver] quit

# Create a traffic class named classifier_fserver, and use ACL 3002 as the match criterion in the traffic class.

[Device] traffic classifier classifier_fserver

[Device-classifier-classifier_fserver] if-match acl 3002

[Device-classifier-classifier_fserver] quit

# Create a traffic behavior named behavior_dbserver, and configure the action of setting the local precedence value to 4.


[Device] traffic behavior behavior_dbserver

[Device-behavior-behavior_dbserver] remark local-precedence 4

[Device-behavior-behavior_dbserver] quit

# Create a traffic behavior named behavior_mserver, and configure the action of setting the local precedence value to 3.

[Device] traffic behavior behavior_mserver

[Device-behavior-behavior_mserver] remark local-precedence 3

[Device-behavior-behavior_mserver] quit

# Create a traffic behavior named behavior_fserver, and configure the action of setting the local precedence value to 2.

[Device] traffic behavior behavior_fserver

[Device-behavior-behavior_fserver] remark local-precedence 2

[Device-behavior-behavior_fserver] quit

# Create a QoS policy named policy_server, and associate traffic classes with traffic behaviors in the QoS policy.

[Device] qos policy policy_server

[Device-qospolicy-policy_server] classifier classifier_dbserver behavior behavior_dbserver

[Device-qospolicy-policy_server] classifier classifier_mserver behavior behavior_mserver

[Device-qospolicy-policy_server] classifier classifier_fserver behavior behavior_fserver

[Device-qospolicy-policy_server] quit

# Apply QoS policy policy_server to the incoming traffic of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy policy_server inbound

[Device-GigabitEthernet1/0/1] quit


Configuring nesting

About nesting

Nesting adds a VLAN tag to the matching packets to allow the VLAN-tagged packets to pass through the corresponding VLAN. For example, you can add an outer VLAN tag to packets from a customer network to a service provider network. This allows the packets to pass through the service provider network by carrying a VLAN tag assigned by the service provider.

Restrictions and guidelines: Nesting configuration

The device supports the following application destinations for nesting:

Interface.

VLANs.

Globally.

Procedure

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured for a traffic class.

For more information about the match criteria, see the if-match command in ACL and QoS Command Reference.

c. Return to system view.

quit

3. Define a traffic behavior.

a. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

b. Configure a VLAN tag adding action.

nest top-most vlan vlan-id

By default, no VLAN tag adding action is configured for a traffic behavior.

c. Return to system view.

quit

4. Define a QoS policy.

a. Create a QoS policy and enter QoS policy view.

qos policy policy-name

b. Associate the traffic class with the traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, a traffic class is not associated with a traffic behavior.

c. Return to system view.

quit

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

6. (Optional.) Display the nesting configuration.

display traffic behavior user-defined [ behavior-name ]

This command is available in any view.

Nesting configuration examples

Example: Configuring nesting

Network configuration

As shown in Figure 20:

Site 1 and Site 2 in VPN A are two branches of a company. They use VLAN 5 to transmit traffic.

Because Site 1 and Site 2 are located in different areas, the two sites use the VPN access service of a service provider. The service provider assigns VLAN 100 to the two sites.

Configure nesting, so that the two branches can communicate through the service provider network.

Figure 20 Network diagram

[Diagram: CE 1 (VPN A, Site 1) and CE 2 (VPN A, Site 2) send VLAN 5 frames to GE1/0/1 of PE 1 and PE 2. Between PE 1 and PE 2, across the public IP network, the frames carry outer VLAN tag 100 and inner VLAN tag 5.]

Procedure

1. Configuring PE 1:

# Create a traffic class named test to match traffic with VLAN ID 5.

<PE1> system-view

[PE1] traffic classifier test

[PE1-classifier-test] if-match service-vlan-id 5

[PE1-classifier-test] quit

# Configure an action to add outer VLAN tag 100 in traffic behavior test.

[PE1] traffic behavior test

[PE1-behavior-test] nest top-most vlan 100


[PE1-behavior-test] quit

# Create a QoS policy named test, and associate class test with behavior test in the QoS policy.

[PE1] qos policy test

[PE1-qospolicy-test] classifier test behavior test

[PE1-qospolicy-test] quit

# Configure the downlink port (GigabitEthernet 1/0/1) as a hybrid port, and assign the port to VLAN 100 as an untagged member.

[PE1] interface gigabitethernet 1/0/1

[PE1-GigabitEthernet1/0/1] port link-type hybrid

[PE1-GigabitEthernet1/0/1] port hybrid vlan 100 untagged

# Apply QoS policy test to the incoming traffic of GigabitEthernet 1/0/1.

[PE1-GigabitEthernet1/0/1] qos apply policy test inbound

[PE1-GigabitEthernet1/0/1] quit

# Configure the uplink port (GigabitEthernet 1/0/2) as a trunk port, and assign it to VLAN 100.

[PE1] interface gigabitethernet 1/0/2

[PE1-GigabitEthernet1/0/2] port link-type trunk

[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100

[PE1-GigabitEthernet1/0/2] quit

2. Configuring PE 2:

Configure PE 2 in the same way PE 1 is configured.
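What the nest top-most vlan 100 action on PE 1 does to a frame can be followed byte by byte. The Python code below is an added example, not part of the guide; it assumes both VLAN tags use TPID 0x8100, and the MAC addresses, payload, and function names are constructed.

```python
import struct

TPID = 0x8100          # assumption: inner and outer tag both use the 802.1Q TPID
MAC_HEADER = 12        # destination MAC + source MAC


def tag(vlan_id, pcp=0):
    """Build one 4-byte VLAN tag: TPID followed by PCP/DEI/VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in the range 1 to 4094")
    return struct.pack("!HH", TPID, (pcp << 13) | vlan_id)


def vlan_stack(frame):
    """Return the VLAN IDs carried by a frame, outermost tag first."""
    vlans, offset = [], MAC_HEADER
    while (len(frame) >= offset + 4
           and struct.unpack_from("!H", frame, offset)[0] == TPID):
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
    return vlans


def nest_top_most(frame, vlan_id):
    """Insert a new outermost VLAN tag right after the MAC addresses."""
    return frame[:MAC_HEADER] + tag(vlan_id) + frame[MAC_HEADER:]


def pop_outer(frame):
    """Remove the outermost tag, as an untagged member port does on egress."""
    if not vlan_stack(frame):
        raise ValueError("frame carries no VLAN tag")
    return frame[:MAC_HEADER] + frame[MAC_HEADER + 4:]


def pe_ingress(frame, match_vlan=5, outer_vlan=100):
    """Model of QoS policy test: if-match service-vlan-id 5 -> nest VLAN 100."""
    stack = vlan_stack(frame)
    if stack and stack[0] == match_vlan:
        return nest_top_most(frame, outer_vlan)
    return frame       # not in class test: the policy adds no tag


def customer_frame(vlan_id, payload=b"constructed payload"):
    """Constructed frame from a CE: MACs, one VLAN tag, IPv4 EtherType, payload."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    return dst + src + tag(vlan_id) + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    from_ce1 = customer_frame(5)
    in_provider = pe_ingress(from_ce1)            # PE 1, GE1/0/1 inbound
    to_ce2 = pop_outer(in_provider)               # PE 2, GE1/0/1 outbound
    print("from CE 1:      ", vlan_stack(from_ce1))
    print("provider network:", vlan_stack(in_provider))
    print("to CE 2:        ", vlan_stack(to_ce2))
    print("unchanged end to end:", to_ce2 == from_ce1)
```

Each nested frame is 4 bytes longer inside the service provider network than at the customer edge, so the provider-side links must accept the larger frame.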


Configuring traffic redirecting

About traffic redirecting

Traffic redirecting redirects packets matching the specified match criteria to a location for processing.

You can redirect packets to the following destinations:

CPU.

Interface.

Restrictions and guidelines: Traffic redirecting configuration

The device supports the following application destinations for traffic redirecting:

Interface.

VLANs.

Globally.

Control plane.

If you execute the redirect command multiple times, the most recent configuration takes effect.

For traffic redirecting to an Ethernet interface, the switch does not display the redirecting action after the interface expansion card that hosts the interface is removed. After the interface expansion card is reinserted, the switch can display the redirecting action.

Procedure

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured for a traffic class.

For more information about the match criteria, see the if-match command in ACL and QoS Command Reference.

c. Return to system view.

quit

3. Define a traffic behavior.

a. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

b. Configure a traffic redirecting action.

redirect { cpu | interface interface-type interface-number }

By default, no traffic redirecting action is configured for a traffic behavior.

c. Return to system view.

quit

4. Define a QoS policy.

a. Create a QoS policy and enter QoS policy view.

qos policy policy-name

b. Associate the traffic class with the traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, a traffic class is not associated with a traffic behavior.

c. Return to system view.

quit

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

6. (Optional.) Display traffic redirecting configuration.

display traffic behavior user-defined [ behavior-name ]

This command is available in any view.

Traffic redirecting configuration examples

Example: Configuring traffic redirecting

Network configuration

As shown in Figure 21:

Device A is connected to Device B through two links. Device A and Device B are each connected to other devices.

GigabitEthernet 1/0/2 of Device A and GigabitEthernet 1/0/2 of Device B belong to VLAN 200.

GigabitEthernet 1/0/3 of Device A and GigabitEthernet 1/0/3 of Device B belong to VLAN 201.

On Device A, the IP address of VLAN-interface 200 is 200.1.1.1/24, and that of VLAN-interface 201 is 201.1.1.1/24.

On Device B, the IP address of VLAN-interface 200 is 200.1.1.2/24, and that of VLAN-interface 201 is 201.1.1.2/24.

Configure the actions of redirecting traffic to an interface to meet the following requirements:

Packets with source IP address 2.1.1.1 received on GigabitEthernet 1/0/1 of Device A are forwarded to GigabitEthernet 1/0/2.

Packets with source IP address 2.1.1.2 received on GigabitEthernet 1/0/1 of Device A are forwarded to GigabitEthernet 1/0/3.

Other packets received on GigabitEthernet 1/0/1 of Device A are forwarded according to the routing table.


Figure 21 Network diagram

Procedure

# Create basic ACL 2000, and configure a rule to match packets with source IP address 2.1.1.1.

<DeviceA> system-view

[DeviceA] acl basic 2000

[DeviceA-acl-ipv4-basic-2000] rule permit source 2.1.1.1 0

[DeviceA-acl-ipv4-basic-2000] quit

# Create basic ACL 2001, and configure a rule to match packets with source IP address 2.1.1.2.

[DeviceA] acl basic 2001

[DeviceA-acl-ipv4-basic-2001] rule permit source 2.1.1.2 0

[DeviceA-acl-ipv4-basic-2001] quit

# Create a traffic class named classifier_1, and use ACL 2000 as the match criterion in the traffic class.

[DeviceA] traffic classifier classifier_1

[DeviceA-classifier-classifier_1] if-match acl 2000

[DeviceA-classifier-classifier_1] quit

# Create a traffic class named classifier_2, and use ACL 2001 as the match criterion in the traffic class.

[DeviceA] traffic classifier classifier_2

[DeviceA-classifier-classifier_2] if-match acl 2001

[DeviceA-classifier-classifier_2] quit

# Create a traffic behavior named behavior_1, and configure the action of redirecting traffic to GigabitEthernet 1/0/2.

[DeviceA] traffic behavior behavior_1

[DeviceA-behavior-behavior_1] redirect interface gigabitethernet 1/0/2

[DeviceA-behavior-behavior_1] quit

# Create a traffic behavior named behavior_2, and configure the action of redirecting traffic to GigabitEthernet 1/0/3.

[DeviceA] traffic behavior behavior_2

[DeviceA-behavior-behavior_2] redirect interface gigabitethernet 1/0/3

[DeviceA-behavior-behavior_2] quit

# Create a QoS policy named policy.

[DeviceA] qos policy policy

# Associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy.

[DeviceA-qospolicy-policy] classifier classifier_1 behavior behavior_1

# Associate traffic class classifier_2 with traffic behavior behavior_2 in the QoS policy.

[DeviceA-qospolicy-policy] classifier classifier_2 behavior behavior_2

[DeviceA-qospolicy-policy] quit

# Apply QoS policy policy to the incoming traffic of GigabitEthernet 1/0/1.


[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] qos apply policy policy inbound


Configuring global CAR

About global CAR

Global committed access rate (CAR) is an approach to policing traffic flows globally. It adds flexibility to common CAR where traffic policing is performed only on a per-traffic class or per-interface basis.

In this approach, CAR actions are created in system view and each can be used to police multiple traffic flows as a whole.

Aggregate CAR

An aggregate CAR action is created globally. It can be directly applied to interfaces or used in the traffic behaviors associated with different traffic classes to police multiple traffic flows as a whole.

The total rate of the traffic flows must conform to the traffic policing specifications set in the aggregate CAR action.

Hierarchical CAR

A hierarchical CAR action is created globally. It must be used in conjunction with a common CAR or aggregate CAR action. With a hierarchical CAR action, you can limit the total traffic of multiple traffic classes.

A hierarchical CAR action can be used in the common or aggregate CAR action for a traffic class in either AND mode or OR mode.

In AND mode, the rate of the traffic class is strictly limited under the common or aggregate CAR.

This mode applies to flows that must be strictly rate limited.

In OR mode, the traffic class can use idle bandwidth of other traffic classes associated with the hierarchical CAR. This mode applies to high priority, bursty traffic like video.

By using the two modes appropriately, you can improve bandwidth efficiency.

For example, suppose two flows exist: a low priority data flow and a high priority, bursty video flow.

Their total traffic rate cannot exceed 4096 kbps and the video flow must be assured of at least 2048 kbps bandwidth. You can perform the following tasks:

Configure common CAR actions to set the traffic rate to 2048 kbps for the two flows.

Configure a hierarchical CAR action to limit their total traffic rate to 4096 kbps.

Use the action in AND mode in the common CAR action for the data flow.

Use the action in OR mode in the common CAR action for the video flow.

The video flow is assured of 2048 kbps bandwidth and can use idle bandwidth of the data flow.

In a bandwidth oversubscription scenario, the uplink port bandwidth is lower than the total downlink port traffic rate. You can use hierarchical CAR to meet the following requirements:

Limit the total rate of downlink port traffic.

Allow each downlink port to forward traffic at the maximum rate when the other ports are idle.

For example, you can perform the following tasks:

Use common CAR actions to limit the rates of Internet access flow 1 and flow 2 to 128 kbps each.

Use a hierarchical CAR action to limit their total traffic rate to 192 kbps.

Use the hierarchical CAR action for both flow 1 and flow 2 in AND mode.


When flow 1 is not present, flow 2 is transmitted at the maximum rate, 128 kbps. When both flows are present, the total rate of the two flows cannot exceed 192 kbps. As a result, the traffic rate of flow 2 might drop below 128 kbps.

Configuring aggregate CAR

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For configurable match criteria, see the if-match command in ACL and QoS Command Reference.

c. Return to system view.

quit

3. Configure an aggregate CAR action.

qos car car-name aggregative cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ] *

qos car car-name aggregative cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ green action | red action | yellow action ] *

By default, no aggregate CAR action is configured.

4. Define a traffic behavior.

a. Enter traffic behavior view.

traffic behavior behavior-name

b. Use the aggregate CAR in the traffic behavior.

car name car-name

By default, no aggregate CAR action is used in a traffic behavior.

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

Configuring hierarchical CAR

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For configurable match criteria, see the if-match command in ACL and QoS Command Reference.

c. Return to system view.

quit

3. Configure a hierarchical CAR action.

qos car car-name hierarchy cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ] *

qos car car-name hierarchy cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ green action | red action | yellow action ] *

By default, no hierarchical CAR action is configured.

4. Define a traffic behavior.

a. Enter traffic behavior view.

traffic behavior behavior-name

b. Use the hierarchical CAR in the traffic behavior to cooperate with an aggregate CAR action.

car name car-name hierarchy-car hierarchy-car-name [ mode { and | or } ]

c. Use the hierarchical CAR in the traffic behavior to cooperate with a common CAR action.

car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action | red action | yellow action ] * [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]

car cir committed-information-rate [ cbs committed-burst-size ] pir peak-information-rate [ ebs excess-burst-size ] [ green action | red action | yellow action ] * [ hierarchy-car hierarchy-car-name [ mode { and | or } ] ]

For more information about common CAR, see "Configuring traffic policing, GTS, and rate limit."

By default, no CAR action is used in a traffic behavior.

You can configure an aggregate CAR action or a common CAR action in a traffic behavior, but not both.

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

Display and maintenance commands for global CAR

Execute display commands in any view and reset commands in user view.

Task Command

Display statistics for global CAR actions.

display qos car name [ car-name ]

Clear statistics for global CAR actions.

reset qos car name [ car-name ]

Global CAR configuration examples

Example: Configuring AND-mode hierarchical CAR

Network configuration

As shown in Figure 22:

Configure rate limiting on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to limit the rate of incoming HTTP traffic on each interface to 240 kbps.

Configure hierarchical CAR to limit the rate of HTTP traffic received on the two ports to 320 kbps and drop the exceeding packets.

Figure 22 Network diagram (labels: Internet, Device, GE1/0/1, GE1/0/2)

Procedure

# Configure a hierarchical CAR action according to the rate limit requirements.

<Device> system-view

[Device] qos car http hierarchy cir 320 red discard

# Configure ACL 3000 to match HTTP packets.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80

[Device-acl-ipv4-adv-3000] quit

# Create traffic class 1, and use ACL 3000 as the match criterion in the traffic class.

[Device] traffic classifier 1

[Device-classifier-1] if-match acl 3000

[Device-classifier-1] quit

# Create traffic behavior 1.

[Device] traffic behavior 1

# Configure the common CAR action in the traffic behavior, and use the hierarchical CAR, with the collaborating mode being AND.

[Device-behavior-1] car cir 240 hierarchy-car http mode and


[Device-behavior-1] quit

# Create a QoS policy named http, and associate traffic class 1 with traffic behavior 1 in the QoS policy.

[Device] qos policy http

[Device-qospolicy-http] classifier 1 behavior 1

[Device-qospolicy-http] quit

# Apply QoS policy http to the incoming traffic of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy http inbound

[Device-GigabitEthernet1/0/1] quit

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] qos apply policy http inbound

Example: Configuring OR-mode hierarchical CAR

Network configuration

As shown in Figure 23, perform the following tasks:

Configure rate limiting on GigabitEthernet 1/0/1 for incoming video traffic from 192.168.0.2 and 192.168.0.3.

Set the CIR to 240 kbps for both video streams according to their regular average rates.

To guarantee that occasional large bursts can pass through, configure hierarchical CAR to meet the following requirements:

Limit the video traffic rate to 640 kbps.

Drop the exceeding traffic.

Figure 23 Network diagram (labels: Device, GE1/0/1, 192.168.0.2, 192.168.0.3)

Procedure

# Configure a hierarchical CAR action named video according to the rate limit requirements.

<Device> system-view

[Device] qos car video hierarchy cir 640 red discard

# Configure ACL 2000 to match packets sourced from 192.168.0.2.

[Device] acl basic 2000

[Device-acl-ipv4-basic-2000] rule permit source 192.168.0.2 0.0.0.0

[Device-acl-ipv4-basic-2000] quit


# Create traffic class 1, and use ACL 2000 as the match criterion.

[Device] traffic classifier 1

[Device-classifier-1] if-match acl 2000

[Device-classifier-1] quit

# Create traffic behavior 1.

[Device] traffic behavior 1

# Configure a common CAR action, and use hierarchical CAR action video, with the collaborating mode being OR.

[Device-behavior-1] car cir 240 hierarchy-car video mode or

[Device-behavior-1] quit

# Configure ACL 2001 to match packets sourced from 192.168.0.3.

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.0.3 0.0.0.0

[Device-acl-ipv4-basic-2001] quit

# Create traffic class 2, and use ACL 2001 as the match criterion.

[Device] traffic classifier 2

[Device-classifier-2] if-match acl 2001

[Device-classifier-2] quit

# Create traffic behavior 2.

[Device] traffic behavior 2

# Configure a common CAR action, and use hierarchical CAR action video, with the collaborating mode being OR.

[Device-behavior-2] car cir 240 hierarchy-car video mode or

[Device-behavior-2] quit

# Create a QoS policy named video.

[Device] qos policy video

# Associate traffic class 1 with traffic behavior 1 and traffic class 2 with traffic behavior 2 in the QoS policy.

[Device-qospolicy-video] classifier 1 behavior 1

[Device-qospolicy-video] classifier 2 behavior 2

[Device-qospolicy-video] quit

# Apply QoS policy video to the incoming traffic of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy video inbound


Configuring class-based accounting

About class-based accounting

Class-based accounting collects statistics (in packets or bytes) on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address.

By analyzing the statistics, you can determine whether anomalies have occurred and what action to take.

Restrictions and guidelines: Class-based accounting configuration

The device supports the following application destinations for class-based accounting:

Interface.

VLANs.

Control plane.

User profile.

Procedure

1. Enter system view.

system-view

2. Define a traffic class.

a. Create a traffic class and enter traffic class view.

traffic classifier classifier-name [ operator { and | or } ]

b. Configure a match criterion.

if-match match-criteria

By default, no match criterion is configured.

For more information about the if-match command, see ACL and QoS Command Reference.

c. Return to system view.

quit

3. Define a traffic behavior.

a. Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

b. Configure an accounting action.

accounting { byte | packet }

By default, no traffic accounting action is configured.

c. Return to system view.

quit

4. Define a QoS policy.

a. Create a QoS policy and enter QoS policy view.

qos policy policy-name

b. Associate the traffic class with the traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, a traffic class is not associated with a traffic behavior.

c. Return to system view.

quit

5. Apply the QoS policy.

For more information, see "Applying the QoS policy."

By default, no QoS policy is applied.

6. (Optional.) Display the class-based accounting configuration.

See the following commands in ACL and QoS Command Reference:

display qos policy control-plane

display qos policy global

display qos policy interface

display qos vlan-policy

Class-based accounting configuration examples

Example: Configuring class-based accounting

Network configuration

As shown in Figure 24, configure class-based accounting on GigabitEthernet 1/0/1 to collect statistics for incoming traffic from 1.1.1.1/24.

Figure 24 Network diagram

Procedure

# Create basic ACL 2000, and configure a rule to match packets with source IP address 1.1.1.1.

<Device> system-view

[Device] acl basic 2000

[Device-acl-ipv4-basic-2000] rule permit source 1.1.1.1 0

[Device-acl-ipv4-basic-2000] quit

# Create a traffic class named classifier_1, and use ACL 2000 as the match criterion in the traffic class.

[Device] traffic classifier classifier_1

[Device-classifier-classifier_1] if-match acl 2000

[Device-classifier-classifier_1] quit

# Create a traffic behavior named behavior_1, and configure the class-based accounting action.

[Device] traffic behavior behavior_1

[Device-behavior-behavior_1] accounting packet

[Device-behavior-behavior_1] quit

# Create a QoS policy named policy, and associate traffic class classifier_1 with traffic behavior behavior_1 in the QoS policy.

[Device] qos policy policy

[Device-qospolicy-policy] classifier classifier_1 behavior behavior_1

[Device-qospolicy-policy] quit

# Apply QoS policy policy to the incoming traffic of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy policy inbound

[Device-GigabitEthernet1/0/1] quit

# Display traffic statistics to verify the configuration.

[Device] display qos policy interface gigabitethernet 1/0/1

Interface: GigabitEthernet1/0/1

Direction: Inbound

Policy: policy

Classifier: classifier_1

Operator: AND

Rule(s) :

If-match acl 2000

Behavior: behavior_1

Accounting enable:

28529 (Packets)


Appendixes

Appendix A Acronyms

Table 3 Appendix A Acronyms

CAR Committed Access Rate

CBS Committed Burst Size

CIR Committed Information Rate

DSCP Differentiated Services Code Point

EBS Excess Burst Size

FIFO First in First out

GTS Generic Traffic Shaping

ISP Internet Service Provider

PIR Peak Information Rate

PW Pseudowire

QoS Quality of Service

RSVP Resource Reservation Protocol

VoIP Voice over IP

VPN Virtual Private Network

WFQ Weighted Fair Queuing

WRED Weighted Random Early Detection

WRR Weighted Round Robin

Appendix B Default priority maps

For the default dscp-dscp priority map, an input value yields a target value equal to it.


Table 4 Default dot1p-lp priority map

Input priority value (dot1p)    dot1p-lp map (lp)

0 2

1 0

2 1

3 3

4 4

5 5

6 6

7 7

Table 5 Default dscp-dot1p priority map

Input priority value (dscp)    dscp-dot1p map (dot1p)

0 to 7 0

8 to 15 1

16 to 23 2

24 to 31 3

32 to 39 4

40 to 47 5

48 to 55 6

56 to 63 7

Table 6 Default port priority-local priority map

Port priority    Local precedence

0 0

1 1

2 2

3 3

4 4

5 5

6 6

7 7


Appendix C Introduction to packet precedence

IP precedence and DSCP values

Figure 25 ToS and DS fields (IPv4 ToS byte per RFC 791, RFC 1122, and RFC 1349: Precedence, Type of Service, Must Be Zero; DS field per RFC 2474: DSCP with Class Selector codepoints, Currently Unused)

As shown in Figure 25, the ToS field in the IP header contains 8 bits. The first 3 bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field is redefined as the differentiated services (DS) field. A DSCP value is represented by the first 6 bits (0 to 5) of the DS field and is in the range 0 to 63. The remaining 2 bits (6 and 7) are reserved.

Table 7 IP precedence

IP precedence (decimal) IP precedence (binary) Description

Table 8 DSCP values

DSCP value (decimal) DSCP value (binary) Description


802.1p priority

802.1p priority lies in the Layer 2 header. It applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.

Figure 26 An Ethernet frame with an 802.1Q tag header

As shown in Figure 26, the 4-byte 802.1Q tag header contains the 2-byte tag protocol identifier (TPID) and the 2-byte tag control information (TCI). The value of the TPID is 0x8100. Figure 27 shows the format of the 802.1Q tag header. The Priority field in the 802.1Q tag header is called 802.1p priority, because its use is defined in IEEE 802.1p.

Table 9 shows the values for 802.1p priority.

Figure 27 802.1Q tag header

Table 9 Description on 802.1p priority

802.1p priority (decimal) 802.1p priority (binary) Description


Configuring data buffers

About data buffers

Data buffer types

Data buffers temporarily store packets to avoid packet loss.

The following data buffers are available:

Figure 28 shows the structure of ingress and egress buffers.

Figure 28 Data buffer structure

Cell resources and packet resources

A buffer uses the following types of resources:

Suppose a cell resource provides 208 bytes. The buffer allocates one cell resource to a 128-byte packet and two cell resources to a 300-byte packet. located in cell resources. The buffer uses one packet resource for each incoming or outgoing packet.

Fixed area and shared area

Each type of resources has a fixed area and a shared area. the switch, as shown in Figure 29. When congestion occurs or the CPU is busy, the following rules apply:

a. An interface first uses the relevant queues of the fixed area to store packets.

b. When a queue is full, the interface uses the corresponding queue of the shared area.

c. When the queue in the shared area is also full, the interface discards subsequent packets.

The system allocates the fixed area among queues as specified by the user. Even if a queue is not full, other queues cannot preempt its space. Similarly, the share of a queue for an interface cannot be preempted by other interfaces even if it is not full. as shown in Figure 29. The system determines the actual shared-area space for each queue according to user configuration and the number of packets actually received and sent. If a queue is not full, other queues can preempt its space.

The system puts packets received or sent on all interfaces into a queue in the order they arrive.

When the queue is full, subsequent packets are dropped.

Figure 29 Fixed area and shared area (labels: shared area, fixed area, Queue 0 to Queue 7, Port 1 to Port 4)

Restrictions and guidelines: Data buffer configuration

You can configure data buffers either manually or automatically by enabling the Burst feature. If you have configured data buffers in one way, delete the configuration before using the other way.

Otherwise, the new configuration does not take effect.

Inappropriate data buffer changes can cause system problems. Before manually changing data buffer settings, make sure you understand their impact on your device. As a best practice, use the burst-mode enable command if the system requires large buffer spaces.

Data buffer tasks at a glance

To configure the data buffer, perform the following tasks:

Enabling the Burst feature

Configuring data buffers manually

(Optional.) Configuring data buffer monitoring

Enabling the Burst feature

About the Burst feature

The Burst feature enables the device to automatically allocate cell and packet resources. It is well suited to the following scenarios:

Broadcast or multicast traffic is intensive, resulting in bursts of traffic.

Traffic comes in and goes out in one of the following ways:

Enters a device from a high-speed interface and goes out of a low-speed interface.

Enters from multiple same-rate interfaces at the same time and goes out of an interface with the same rate.

Procedure

1. Enter system view.

system-view

2. Enable the Burst feature.

burst-mode enable

By default, the Burst feature is disabled.

Configuring data buffers manually

About manual data buffer configuration

Each type of resources of a buffer, packet or cell, has a fixed size. After you set the shared-area ratio for a type of resources, the rest is automatically assigned to the fixed area.

By default, all queues have an equal share of the shared area and the fixed area. You can change the maximum shared-area space and the fixed-area space for a queue. The unconfigured queues use the default settings.

Procedure

1. Enter system view.

system-view

2. Perform at least one of the following tasks to configure buffer assignment rules:

Set the total shared-area ratio.

buffer egress [ slot slot-number ] { cell | packet } total-shared ratio ratio

Set the maximum shared-area ratio for a queue.

buffer egress [ slot slot-number ] { cell | packet } [ queue queue-id ] shared ratio ratio

The actual maximum shared-area space for each queue is determined based on your configuration and the number of packets to be received and sent.

Set the fixed-area ratio for a queue.

buffer egress [ slot slot-number ] { cell | packet } queue queue-id guaranteed ratio ratio

The sum of fixed-area ratios configured for all queues cannot exceed the total fixed-area ratio. Otherwise, the configuration fails.

3. Apply buffer assignment rules.

buffer apply

You cannot directly modify the applied configuration. To modify the configuration, you must cancel the application, reconfigure data buffers, and reapply the configuration.

Configuring data buffer monitoring

About data buffer monitoring

The data buffer on a switch is shared by all interfaces for buffering packets during periods of congestion.

This feature allows you to identify the interfaces that use an excessive amount of data buffer space.

Then, you can diagnose those interfaces for anomalies.

You can set a per-interface buffer usage threshold. The buffer usage threshold for a queue is the same as the per-interface threshold value. The switch automatically records buffer usage for each interface. When a queue on an interface uses more buffer space than the set threshold, the system counts one threshold violation for the queue.

Procedure

1. Enter system view.

system-view

2. Set a per-interface buffer usage threshold.

buffer usage threshold slot slot-number ratio ratio

The default setting is 70%.

Display and maintenance commands for data buffers

Execute display commands in any view.

Task Command

Display buffer size settings.

display buffer [ slot slot-number ] [ queue [ queue-id ] ]

Configuring time ranges

About time ranges

You can implement a service based on the time of the day by applying a time range to it. A time-based service takes effect only in time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them.

The following basic types of time ranges are available:

Periodic time range—Recurs periodically on a day or days of the week.

Absolute time range—Represents only a period of time and does not recur.

The active period of a time range is calculated as follows:

1. Combining all periodic statements.

2. Combining all absolute statements.

3. Taking the intersection of the two statement sets as the active period of the time range.

Restrictions and guidelines: Time range configuration

When you configure the ACL hardware mode, follow these restrictions and guidelines:

If a time range does not exist, the service based on the time range does not take effect.

You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.

Procedure

1. Enter system view.

system-view

2. Create or edit a time range.

time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }

If an existing time range name is provided, this command adds a statement to the time range.

Display and maintenance commands for time ranges

Execute the display command in any view.

Task Command

Display time range configuration and status.

display time-range { time-range-name | all }

Time range configuration examples

Example: Configuring a time range

Network configuration

As shown in Figure 30, configure an ACL on Device A to allow Host A to access the server only between 8:00 and 18:00 on working days from June 2015 to the end of the year.

Figure 30 Network diagram

Procedure

# Create a periodic time range from 8:00 to 18:00 on working days from June 2015 to the end of the year.

<DeviceA> system-view

[DeviceA] time-range work 8:0 to 18:0 working-day from 0:0 6/1/2015 to 24:00 12/31/2015

# Create an IPv4 basic ACL numbered 2001, and configure a rule in the ACL to permit packets only from 192.168.1.2/32 during the time range work.

[DeviceA] acl basic 2001

[DeviceA-acl-ipv4-basic-2001] rule permit source 192.168.1.2 0 time-range work

[DeviceA-acl-ipv4-basic-2001] rule deny source any time-range work

[DeviceA-acl-ipv4-basic-2001] quit

# Apply IPv4 basic ACL 2001 to filter outgoing packets on GigabitEthernet 1/0/2.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] packet-filter 2001 outbound

[DeviceA-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that the time range work is active on Device A.

[DeviceA] display time-range all

Current time is 13:58:35 6/19/2015 Friday

Time-range : work (Active)

08:00 to 18:00 working-day

from 00:00 6/1/2015 to 00:00 1/1/2016
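The active-period calculation described under "About time ranges" and the ACL 2001 example above, modelled in Python as an added illustration (this is not HPE code). The class and function names, the inclusive-start and exclusive-end boundary handling, the second host 192.168.1.3, and the permit default for packets that match no active rule are assumptions of this model.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Dict, List, Optional

WORKING_DAY = frozenset({0, 1, 2, 3, 4})  # Mon-Fri, datetime.weekday() numbering


@dataclass
class Periodic:
    start_min: int        # minutes after midnight, inclusive
    end_min: int          # minutes after midnight, exclusive (1440 = 24:00)
    days: frozenset

    def covers(self, now: datetime) -> bool:
        minute = now.hour * 60 + now.minute
        return now.weekday() in self.days and self.start_min <= minute < self.end_min


@dataclass
class Absolute:
    start: Optional[datetime] = None   # "from time1 date1"; None = unbounded
    end: Optional[datetime] = None     # "to time2 date2", exclusive; None = unbounded

    def covers(self, now: datetime) -> bool:
        after_start = self.start is None or now >= self.start
        before_end = self.end is None or now < self.end
        return after_start and before_end


@dataclass
class TimeRange:
    periodic: List[Periodic] = field(default_factory=list)
    absolute: List[Absolute] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        # Steps 1 and 2: combine (union) the statements of each kind.
        # Assumption: a kind with no statements adds no constraint.
        in_periodic = not self.periodic or any(p.covers(now) for p in self.periodic)
        in_absolute = not self.absolute or any(a.covers(now) for a in self.absolute)
        # Step 3: the active period is the intersection of the two sets.
        return in_periodic and in_absolute


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    source: Optional[str]             # host address; None models "source any"
    time_range: Optional[str] = None  # name of the time range, if any


def evaluate(rules: List[Rule], time_ranges: Dict[str, TimeRange], src: str,
             now: datetime, default_action: str = "permit") -> str:
    """Return the action for a packet from src at time now.

    Assumption: rules are checked in configuration order, and packets that
    match no active rule get default_action.
    """
    for rule in rules:
        if rule.time_range is not None:
            tr = time_ranges.get(rule.time_range)
            # A rule bound to a missing or inactive time range has no effect.
            if tr is None or not tr.is_active(now):
                continue
        if rule.source is None or IPv4Address(rule.source) == IPv4Address(src):
            return rule.action
    return default_action


# time-range work 8:0 to 18:0 working-day from 0:0 6/1/2015 to 24:00 12/31/2015
TIME_RANGES = {"work": TimeRange(
    periodic=[Periodic(8 * 60, 18 * 60, WORKING_DAY)],
    absolute=[Absolute(datetime(2015, 6, 1), datetime(2016, 1, 1))],
)}

# ACL 2001 from the example, rules in configuration order.
ACL_2001 = [
    Rule("permit", "192.168.1.2", "work"),
    Rule("deny", None, "work"),
]

# Constructed sample instants and sources (192.168.1.3 is a made-up second host).
SAMPLES = [
    (datetime(2015, 6, 19, 13, 58, 35), "192.168.1.2"),  # Friday, inside range
    (datetime(2015, 6, 19, 13, 58, 35), "192.168.1.3"),
    (datetime(2015, 6, 19, 22, 0, 0), "192.168.1.3"),    # Friday, after 18:00
    (datetime(2015, 6, 20, 10, 0, 0), "192.168.1.3"),    # Saturday
]

if __name__ == "__main__":
    for when, src in SAMPLES:
        active = TIME_RANGES["work"].is_active(when)
        print(when, src, "active" if active else "inactive",
              "default permit:", evaluate(ACL_2001, TIME_RANGES, src, when),
              "| default deny:", evaluate(ACL_2001, TIME_RANGES, src, when, "deny"))
```

In this model, once work is inactive both rules stop taking effect, so every source falls through to the default action. Where access must stay blocked outside the time range, the default action has to be deny (the packet-filter default deny setting on the device) or the ACL needs a closing rule that is not bound to the time range.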


Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Command conventions

Convention Description

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

{ x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description

Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

WARNING! An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.

Represents an access point.

Represents a wireless terminator unit.

Represents a wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.

Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.

Examples provided in this document

Examples in this document might use devices that differ from your device in hardware model, configuration, or software version. It is normal that the port numbers, sample output, screenshots, and other information in the examples differ from what you have on your device.


Support and other resources

Accessing Hewlett Packard Enterprise Support

For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance

To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect

Technical support registration number (if applicable)

Product name, model or version, and serial number

Operating system name and version

Firmware version

Error messages

Product-specific reports and logs

Add-on products or components

Third-party products or components

Accessing updates

Some software products provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method.

To download product updates, go to either of the following:

Hewlett Packard Enterprise Support Center Get connected with updates page: www.hpe.com/support/e-updates

Software Depot website: www.hpe.com/support/softwaredepot

To view and update your entitlements, and to link your contracts, Care Packs, and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials

IMPORTANT:

Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.

Websites

Website: Link

Networking websites

Hewlett Packard Enterprise Information Library for Networking: www.hpe.com/networking/resourcefinder

Hewlett Packard Enterprise Networking website: www.hpe.com/info/networking

Hewlett Packard Enterprise My Networking website: www.hpe.com/networking/support

Hewlett Packard Enterprise My Networking Portal: www.hpe.com/networking/mynetworking

Hewlett Packard Enterprise Networking Warranty: www.hpe.com/networking/warranty

General websites

Hewlett Packard Enterprise Information Library: www.hpe.com/info/enterprise/docs

Hewlett Packard Enterprise Support Center: www.hpe.com/support/hpesc

Hewlett Packard Enterprise Support Services Central: ssc.hpe.com/portal/site/ssc/

Contact Hewlett Packard Enterprise Worldwide: www.hpe.com/assistance

Subscription Service/Support Alerts: www.hpe.com/support/e-updates

Software Depot: www.hpe.com/support/softwaredepot

Customer Self Repair (not applicable to all devices): www.hpe.com/support/selfrepair

Insight Remote Support (not applicable to all devices): www.hpe.com/info/insightremotesupport/docs

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.

For more information about CSR, contact your local service provider or go to the CSR website: www.hpe.com/support/selfrepair

Remote support

Remote support is available with supported devices as part of your warranty, Care Pack Service, or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support.

For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ( [email protected] ). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.


