08-ACL and QoS Configuration Examples

H3C Traffic Policing Configuration Examples

Software version: Release 7577P04

Document version: 6W100-20190330

 

Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

This chapter provides examples for configuring traffic policing and aggregate CAR to control network traffic.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of traffic policing.

Example: Policing traffic by IP address and protocol type

Network configuration

As shown in Figure 1, a company uses a dedicated line to access the Internet, with an uplink bandwidth of 60 Mbps. All end devices use the firewall as the gateway. The mail server forwards emails for all clients to the external network. The FTP server provides data services for the branch through the Internet.

Configure traffic policing to classify and rate limit the uplink traffic as follows:

·          HTTP traffic—Rate limit HTTP traffic to a total rate of 40 Mbps (15 Mbps for the 25 hosts in the R&D department and 25 Mbps for the 40 hosts in the Marketing department).

·          Email traffic—Rate limit email traffic to 2 Mbps.

·          FTP traffic—Rate limit FTP traffic to 10 Mbps.

Figure 1 Network diagram

 

Analysis

To meet the network requirements, you must perform the following tasks:

·          Configure ACLs to classify packets of different types.

·          Associate classes with policing actions to rate limit packets of different types.

Restrictions and guidelines

In a traffic behavior, the traffic policing action cannot be configured together with the following priority marking actions:

·          Local precedence marking.

·          Drop precedence marking.

·          802.1p priority marking.

·          DSCP marking.

·          IP precedence marking.

Otherwise, the class-behavior association for that traffic behavior cannot be applied correctly.

Procedures

1.        Police HTTP traffic from the R&D department:

# Create advanced IPv4 ACL 3000 to match HTTP traffic from the R&D department.

<Device> system-view

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

# Create a class named rd_http, and use advanced IPv4 ACL 3000 as the match criterion.

[Device] traffic classifier rd_http

[Device-classifier-rd_http] if-match acl 3000

[Device-classifier-rd_http] quit

# Create a behavior named rd_http, and configure traffic policing with the CIR of 15 Mbps.

[Device] traffic behavior rd_http

[Device-behavior-rd_http] car cir 15360

[Device-behavior-rd_http] quit

# Create a QoS policy named rd_http, and associate the class rd_http with the behavior rd_http in the QoS policy.

[Device] qos policy rd_http

[Device-qospolicy-rd_http] classifier rd_http behavior rd_http

[Device-qospolicy-rd_http] quit

# Apply the QoS policy rd_http to the inbound direction of interface Ten-GigabitEthernet 1/0/3.

[Device] interface ten-gigabitethernet 1/0/3

[Device-Ten-GigabitEthernet1/0/3] qos apply policy rd_http inbound

[Device-Ten-GigabitEthernet1/0/3] quit

2.        Police HTTP traffic from the Marketing department:

# Create advanced IPv4 ACL 3001 to match HTTP traffic from the Marketing department.

[Device] acl advanced 3001

[Device-acl-ipv4-adv-3001] rule permit tcp destination-port eq 80 source 192.168.2.0 0.0.0.255

[Device-acl-ipv4-adv-3001] quit

# Create a class named mkt_http, and use advanced IPv4 ACL 3001 as the match criterion.

[Device] traffic classifier mkt_http

[Device-classifier-mkt_http] if-match acl 3001

[Device-classifier-mkt_http] quit

# Create a behavior named mkt_http, and configure traffic policing with the CIR of 25 Mbps.

[Device] traffic behavior mkt_http

[Device-behavior-mkt_http] car cir 25600

[Device-behavior-mkt_http] quit

# Create a QoS policy named mkt_http, and associate the class mkt_http with the behavior mkt_http in the QoS policy.

[Device] qos policy mkt_http

[Device-qospolicy-mkt_http] classifier mkt_http behavior mkt_http

[Device-qospolicy-mkt_http] quit

# Apply the QoS policy mkt_http to the inbound direction of interface Ten-GigabitEthernet 1/0/4.

[Device] interface ten-gigabitethernet 1/0/4

[Device-Ten-GigabitEthernet1/0/4] qos apply policy mkt_http inbound

[Device-Ten-GigabitEthernet1/0/4] quit

3.        Police email traffic and FTP traffic:

# Create advanced IPv4 ACL 3002 to match email traffic.

[Device] acl advanced 3002

[Device-acl-ipv4-adv-3002] rule permit tcp destination-port eq smtp source 192.168.10.1 0.0.0.0

[Device-acl-ipv4-adv-3002] quit

# Create a class named email, and use advanced IPv4 ACL 3002 as the match criterion.

[Device] traffic classifier email

[Device-classifier-email] if-match acl 3002

[Device-classifier-email] quit

# Create a behavior named email, and configure traffic policing with the CIR of 2 Mbps.

[Device] traffic behavior email

[Device-behavior-email] car cir 2048

[Device-behavior-email] quit

# Create basic IPv4 ACL 2001 to match FTP traffic.

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.10.2 0.0.0.0

[Device-acl-ipv4-basic-2001] quit

# Create a class named ftp, and use basic IPv4 ACL 2001 as the match criterion.

[Device] traffic classifier ftp

[Device-classifier-ftp] if-match acl 2001

[Device-classifier-ftp] quit

# Create a behavior named ftp, and configure traffic policing with the CIR of 10 Mbps.

[Device] traffic behavior ftp

[Device-behavior-ftp] car cir 10240

[Device-behavior-ftp] quit

# Create a QoS policy named email&ftp, and associate the classes email and ftp with the behaviors email and ftp in the QoS policy, respectively.

[Device] qos policy email&ftp

[Device-qospolicy-email&ftp] classifier email behavior email

[Device-qospolicy-email&ftp] classifier ftp behavior ftp

[Device-qospolicy-email&ftp] quit

# Apply the QoS policy email&ftp to the outbound direction of interface Ten-GigabitEthernet 1/0/1.

[Device] interface ten-gigabitethernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] qos apply policy email&ftp outbound

[Device-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify QoS policies applied to interfaces.

[Device] display qos policy interface

Interface: Ten-GigabitEthernet1/0/3

  Direction: Inbound

  Policy: rd_http

   Classifier: rd_http

     Operator: AND

     Rule(s) :

      If-match acl 3000

     Behavior: rd_http

      Committed Access Rate:

        CIR 15360 (kbps), CBS 960000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)

 

Interface: Ten-GigabitEthernet1/0/4

  Direction: Inbound

  Policy: mkt_http

   Classifier: mkt_http

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: mkt_http

      Committed Access Rate:

        CIR 25600 (kbps), CBS 1600000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)

 

Interface: Ten-GigabitEthernet1/0/1

  Direction: Outbound

  Policy: email&ftp

   Classifier: email

     Operator: AND

     Rule(s) :

      If-match acl 3002

     Behavior: email

      Committed Access Rate:

        CIR 2048 (kbps), CBS 128000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)

   Classifier: ftp

     Operator: AND

     Rule(s) :

      If-match acl 2001

     Behavior: ftp

      Committed Access Rate:

        CIR 10240 (kbps), CBS 640000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)
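The Green packets and Red packets counters in this output come from metering each packet against the CIR and CBS. The following Python model is an added example, not H3C code: it is a generic single-rate three-color meter in the style of RFC 2697 (so it also covers a nonzero EBS), run with the rd_http values shown above. The switch's exact metering algorithm is not stated on this page, and the class name, function names, and traffic pattern are constructed for illustration.

```python
"""Single-rate three-color meter (RFC 2697 style, color-blind) using the
rd_http CAR values from the display output: CIR 15360 kbps, CBS 960000 bytes,
EBS 0. Assumption: this is the generic token-bucket model, not a statement of
how the switch hardware implements CAR."""
from collections import Counter

SCALE = 8000  # tokens are kept in 1/8000 byte so kbps x microseconds is exact


class CarMeter:
    def __init__(self, cir_kbps, cbs_bytes, ebs_bytes=0):
        self.cir = cir_kbps
        self.cbs = cbs_bytes * SCALE
        self.ebs = ebs_bytes * SCALE
        self.tc, self.te = self.cbs, self.ebs  # both buckets start full
        self.last_us = 0

    def meter(self, t_us, size_bytes):
        """Color one packet arriving at t_us (microseconds, non-decreasing)."""
        earned = self.cir * (t_us - self.last_us)
        self.last_us = t_us
        to_c = min(earned, self.cbs - self.tc)            # refill bucket C first
        self.tc += to_c
        self.te = min(self.ebs, self.te + earned - to_c)  # overflow goes to E
        cost = size_bytes * SCALE
        if self.tc >= cost:
            self.tc -= cost
            return "green"
        if self.te >= cost:
            self.te -= cost
            return "yellow"
        return "red"


def police(meter, arrivals):
    """Apply the actions shown on the page: green pass, yellow pass, red discard."""
    colors = [meter.meter(t, size) for t, size in arrivals]
    counts = Counter(colors)
    passed_bytes = sum(size for (_, size), c in zip(arrivals, colors) if c != "red")
    return colors, counts, passed_bytes


# Constructed traffic: 1500-byte packets every 400 us (30 Mbps offered) for 2 s.
ARRIVALS = [(i * 400, 1500) for i in range(5000)]


def run_rd_http():
    return police(CarMeter(cir_kbps=15360, cbs_bytes=960000, ebs_bytes=0), ARRIVALS)


if __name__ == "__main__":
    colors, counts, passed = run_rd_http()
    print("first red packet index:", colors.index("red"))
    print("green:", counts["green"], "red:", counts["red"])
    print("passed bytes:", passed)
```

With these values the first discard comes only after 1310 packets, about 0.52 s into the overload, because the CBS shown holds 0.5 s of traffic at the CIR.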

Configuration files

#

traffic classifier email operator and

 if-match acl 3002

#

traffic classifier ftp operator and

 if-match acl 2001

#

traffic classifier mkt_http operator and

 if-match acl 3001

#

traffic classifier rd_http operator and

 if-match acl 3000

#

traffic behavior email

 car cir 2048 cbs 128000 ebs 0 red discard

#

traffic behavior ftp

 car cir 10240 cbs 640000 ebs 0 red discard

#

traffic behavior mkt_http

 car cir 25600 cbs 1600000 ebs 0 red discard

#

traffic behavior rd_http

 car cir 15360 cbs 960000 ebs 0 red discard

#

qos policy email&ftp

 classifier email behavior email

 classifier ftp behavior ftp

#

qos policy mkt_http

 classifier mkt_http behavior mkt_http

#

qos policy rd_http

 classifier rd_http behavior rd_http

#

interface Ten-GigabitEthernet1/0/1

 port link-mode bridge

 qos apply policy email&ftp outbound

#

interface Ten-GigabitEthernet1/0/3

 port link-mode bridge

 qos apply policy rd_http inbound

#

interface Ten-GigabitEthernet1/0/4

 port link-mode bridge

 qos apply policy mkt_http inbound

#

acl basic 2001

 rule 0 permit source 192.168.10.2 0

#

acl advanced 3000

 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www

#

acl advanced 3001

 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

#

acl advanced 3002

 rule 0 permit tcp source 192.168.10.1 0 destination-port eq smtp
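A saved configuration like the one above can be checked offline before it is trusted. The following Python audit is an added example, not H3C tooling: it parses the configuration file from this example and checks for undefined ACLs, classifiers and behaviors, for the CAR-plus-priority-marking combination that the restrictions section forbids, for unapplied policies, and for a CIR total above the 60 Mbps line. The function names, the `remark dscp af11` line and the broken variant are constructed for illustration.

```python
import re
from collections import defaultdict

# Example 1 "Configuration files" from this page ("#" separators, blank lines
# and "port link-mode bridge" omitted).
CONFIG = """\
traffic classifier email operator and
 if-match acl 3002
traffic classifier ftp operator and
 if-match acl 2001
traffic classifier mkt_http operator and
 if-match acl 3001
traffic classifier rd_http operator and
 if-match acl 3000
traffic behavior email
 car cir 2048 cbs 128000 ebs 0 red discard
traffic behavior ftp
 car cir 10240 cbs 640000 ebs 0 red discard
traffic behavior mkt_http
 car cir 25600 cbs 1600000 ebs 0 red discard
traffic behavior rd_http
 car cir 15360 cbs 960000 ebs 0 red discard
qos policy email&ftp
 classifier email behavior email
 classifier ftp behavior ftp
qos policy mkt_http
 classifier mkt_http behavior mkt_http
qos policy rd_http
 classifier rd_http behavior rd_http
interface Ten-GigabitEthernet1/0/1
 qos apply policy email&ftp outbound
interface Ten-GigabitEthernet1/0/3
 qos apply policy rd_http inbound
interface Ten-GigabitEthernet1/0/4
 qos apply policy mkt_http inbound
acl basic 2001
 rule 0 permit source 192.168.10.2 0
acl advanced 3000
 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www
acl advanced 3001
 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
acl advanced 3002
 rule 0 permit tcp source 192.168.10.1 0 destination-port eq smtp
"""
UPLINK_KBPS = 60 * 1024  # 60 Mbps line, using the page's 1 Mbps = 1024 kbps
HEADER = re.compile(r"^(traffic classifier|traffic behavior|qos policy|interface|acl)"
                    r"\s+(?:basic |advanced )?(\S+)")
KIND = {"traffic classifier": "classifier", "traffic behavior": "behavior",
        "qos policy": "policy", "interface": "interface", "acl": "acl"}
# Priority-marking actions that must not share a behavior with CAR.
MARKING = ("dot1p", "dscp", "ip-precedence", "local-precedence", "drop-precedence")

def parse(text):
    """Return {kind: {name: [stripped body lines]}} for a Comware-style config."""
    cfg, body = defaultdict(dict), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            body = cfg[KIND[m.group(1)]].setdefault(m.group(2), [])
        elif body is not None and line.strip() not in ("", "#"):
            body.append(line.strip())
    return cfg

def audit(text, uplink_kbps):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings, total = parse(text), [], 0
    applied = set(re.findall(r"qos apply policy (\S+) (?:inbound|outbound)",
                             "\n".join(sum(cfg["interface"].values(), []))))
    for name, body in cfg["classifier"].items():
        for acl in re.findall(r"if-match acl (\d+)", "\n".join(body)):
            if acl not in cfg["acl"]:
                findings.append(f"classifier {name}: acl {acl} is not defined")
    for name, body in cfg["behavior"].items():
        marks = [l for l in body if l.startswith("remark ") and l.split()[1] in MARKING]
        if marks and any(l.startswith("car ") for l in body):
            findings.append(f"behavior {name}: car combined with '{marks[0]}'")
    for name, body in cfg["policy"].items():
        if name not in applied:
            findings.append(f"policy {name}: not applied to any interface")
        for cls, beh in (m.groups() for l in body
                         if (m := re.match(r"classifier (\S+) behavior (\S+)", l))):
            for kind, ref in (("classifier", cls), ("behavior", beh)):
                if ref not in cfg[kind]:
                    findings.append(f"policy {name}: {kind} {ref} is not defined")
            # Each class-behavior association counts once toward the uplink budget.
            total += sum(int(c.group(1)) for b in cfg["behavior"].get(beh, [])
                         if (c := re.match(r"car cir (\d+)", b)))
    if total > uplink_kbps:
        findings.append(f"sum of CIRs {total} kbps exceeds uplink {uplink_kbps} kbps")
    return findings

# Constructed broken variant: ACL 3002 missing, the ftp behavior also marks
# DSCP, and the Marketing CIR is raised so the total exceeds the line rate.
BROKEN = (CONFIG.replace("acl advanced 3002\n", "")
          .replace("car cir 25600 cbs 1600000", "car cir 40960 cbs 2560000")
          .replace("traffic behavior ftp\n", "traffic behavior ftp\n remark dscp af11\n"))

if __name__ == "__main__":
    print(audit(CONFIG, UPLINK_KBPS), audit(BROKEN, UPLINK_KBPS), sep="\n")
```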

 

Example: Allocating bandwidth based on VLANs

Network configuration

As shown in Figure 2, the device aggregates traffic from the branches and transmits the traffic to the backbone network through a leased line. Each branch site assigns packets of different applications to different VLANs.

·          Configure one-to-one VLAN mapping on the following interfaces of the device to re-map traffic of different applications to VLANs as per the transmission scheme on the backbone network:

¡  Ten-GigabitEthernet 1/0/1.

¡  Ten-GigabitEthernet 1/0/2.

·          Configure traffic policing to allocate bandwidth to traffic from different VLANs, as shown in Table 1.

Table 1 Bandwidth allocation

Interface (uplink or downlink)    VLAN         Bandwidth

XGE 1/0/1 and XGE 1/0/2           VLAN 1001    400 Mbps
XGE 1/0/1 and XGE 1/0/2           VLAN 1002    200 Mbps
XGE 1/0/1 and XGE 1/0/2           VLAN 1003    200 Mbps
XGE 1/0/3                         VLAN 201     400 Mbps
XGE 1/0/3                         VLAN 202     200 Mbps
XGE 1/0/3                         VLAN 203     200 Mbps
XGE 1/0/10                        VLAN 201     100 Mbps
XGE 1/0/10                        VLAN 202     60 Mbps
XGE 1/0/10                        VLAN 203     40 Mbps

 

Figure 2 Network diagram

 

Analysis

To meet the network requirements, you must perform the following tasks:

·          Configure VLAN-based traffic classes.

·          Configure per-VLAN traffic policing behaviors.

·          Associate each class with its specific traffic behavior.

Restrictions and guidelines

When you allocate bandwidth based on VLANs, follow these restrictions and guidelines:

·          QinQ must be enabled before a QoS policy is applied. You cannot enable QinQ on a port if a QoS policy has been applied to the port.

·          In a traffic behavior, the traffic policing action cannot be configured together with the following priority marking actions:

¡  Local precedence marking.

¡  Drop precedence marking.

¡  802.1p priority marking.

¡  DSCP marking.

¡  IP precedence marking.

Otherwise, the class-behavior association for that behavior cannot be applied correctly.

·          Class-behavior associations take effect in the order that they are configured. The device stops searching the QoS policy once a match is found. You must configure traffic mapping class-behavior associations before you configure traffic policing class-behavior associations.

Procedures

Configuring bandwidth allocation unrelated to VLAN mapping

# Create a class named vlan201_c, and configure SVLAN 201 as the match criterion.

<Device> system-view

[Device] traffic classifier vlan201_c

[Device-classifier-vlan201_c] if-match service-vlan-id 201

[Device-classifier-vlan201_c] quit

# Create classes named vlan202_c and vlan203_c, and configure SVLAN 202 and SVLAN 203 as their match criteria, respectively.

[Device] traffic classifier vlan202_c

[Device-classifier-vlan202_c] if-match service-vlan-id 202

[Device-classifier-vlan202_c] quit

[Device] traffic classifier vlan203_c

[Device-classifier-vlan203_c] if-match service-vlan-id 203

[Device-classifier-vlan203_c] quit

# Create a behavior named car_vlan201_downlink, with the CIR of 400 Mbps.

[Device] traffic behavior car_vlan201_downlink

[Device-behavior-car_vlan201_downlink] car cir 409600

[Device-behavior-car_vlan201_downlink] quit

# Create behaviors named car_vlan202_downlink and car_vlan203_downlink, and configure a traffic policing action with the CIR of 200 Mbps in each behavior.

[Device] traffic behavior car_vlan202_downlink

[Device-behavior-car_vlan202_downlink] car cir 204800

[Device-behavior-car_vlan202_downlink] quit

[Device] traffic behavior car_vlan203_downlink

[Device-behavior-car_vlan203_downlink] car cir 204800

[Device-behavior-car_vlan203_downlink] quit

# Create a QoS policy named qos_c, and associate the three classes with their specific behaviors in the QoS policy.

[Device] qos policy qos_c

[Device-qospolicy-qos_c] classifier vlan201_c behavior car_vlan201_downlink

[Device-qospolicy-qos_c] classifier vlan202_c behavior car_vlan202_downlink

[Device-qospolicy-qos_c] classifier vlan203_c behavior car_vlan203_downlink

[Device-qospolicy-qos_c] quit

# Apply the QoS policy qos_c to the inbound direction of Ten-GigabitEthernet 1/0/3 to rate limit the uplink traffic of VLAN 201, VLAN 202, and VLAN 203 from Branch C.

[Device] interface Ten-GigabitEthernet 1/0/3

[Device-Ten-GigabitEthernet1/0/3] qos apply policy qos_c inbound

# Apply the QoS policy qos_c to the outbound direction of Ten-GigabitEthernet 1/0/3 to rate limit the downlink traffic of VLAN 201, VLAN 202, and VLAN 203 to Branch C.

[Device-Ten-GigabitEthernet1/0/3] qos apply policy qos_c outbound

# Configure Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/10 as follows:

·          Configure Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/10 as trunk ports.

·          Assign them to VLANs 201 through 203.

·          Remove them from VLAN 1.

[Device-Ten-GigabitEthernet1/0/3] port link-type trunk

[Device-Ten-GigabitEthernet1/0/3] port trunk permit vlan 201 to 203

[Device-Ten-GigabitEthernet1/0/3] undo port trunk permit vlan 1

[Device-Ten-GigabitEthernet1/0/3] quit

[Device] interface Ten-GigabitEthernet 1/0/10

[Device-Ten-GigabitEthernet1/0/10] port link-type trunk

[Device-Ten-GigabitEthernet1/0/10] port trunk permit vlan 201 to 203

[Device-Ten-GigabitEthernet1/0/10] undo port trunk permit vlan 1

Configuring bandwidth allocation related to VLAN mapping

1.        Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as follows:

¡  Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports.

¡  Assign them to VLANs 1001 through 1003 and VLANs 201 through 203.

¡  Remove them from VLAN 1.

¡  Enable QinQ on the two interfaces to implement VLAN mapping.

[Device] interface Ten-GigabitEthernet1/0/1

[Device-Ten-GigabitEthernet1/0/1] port link-type trunk

[Device-Ten-GigabitEthernet1/0/1] port trunk permit vlan 1001 to 1003 201 to 203

[Device-Ten-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Device-Ten-GigabitEthernet1/0/1] qinq enable

[Device-Ten-GigabitEthernet1/0/1] quit

[Device] interface Ten-GigabitEthernet1/0/2

[Device-Ten-GigabitEthernet1/0/2] port link-type trunk

[Device-Ten-GigabitEthernet1/0/2] port trunk permit vlan 1001 to 1003 201 to 203

[Device-Ten-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[Device-Ten-GigabitEthernet1/0/2] qinq enable

[Device-Ten-GigabitEthernet1/0/2] quit

2.        Configure classes and behaviors for performing VLAN mapping for the uplink traffic to the device:

# Create a class named vlan1001, and configure CVLAN 1001 as the match criterion. This class is used in the QoS policy that maps VLAN 1001 to VLAN 201.

[Device] traffic classifier vlan1001

[Device-classifier-vlan1001] if-match customer-vlan-id 1001

[Device-classifier-vlan1001] quit

# Create a behavior named 1001_to_201, and configure the action of marking traffic with SVLAN 201 in the behavior.

[Device] traffic behavior 1001_to_201

[Device-behavior-1001_to_201] remark service-vlan-id 201

[Device-behavior-1001_to_201] quit

# Create classes vlan1002 and vlan1003 and behaviors 1002_to_202 and 1003_to_203. The classes and behaviors are used for mapping VLAN 1002 to VLAN 202 and VLAN 1003 to VLAN 203.

[Device] traffic classifier vlan1002

[Device-classifier-vlan1002] if-match customer-vlan-id 1002

[Device-classifier-vlan1002] quit

[Device] traffic behavior 1002_to_202

[Device-behavior-1002_to_202] remark service-vlan-id 202

[Device-behavior-1002_to_202] quit

[Device] traffic classifier vlan1003

[Device-classifier-vlan1003] if-match customer-vlan-id 1003

[Device-classifier-vlan1003] quit

[Device] traffic behavior 1003_to_203

[Device-behavior-1003_to_203] remark service-vlan-id 203

[Device-behavior-1003_to_203] quit

3.        Configure classes and behaviors for performing VLAN mapping for the downlink traffic:

# Create a class named vlan201, and configure SVLAN 201 as the match criterion. This class is used in the QoS policy that maps VLAN 201 to VLAN 1001.

[Device] traffic classifier vlan201

[Device-classifier-vlan201] if-match service-vlan-id 201

[Device-classifier-vlan201] quit

# Create a behavior named 201_to_1001, and configure the action of marking traffic with CVLAN 1001 in the behavior.

[Device] traffic behavior 201_to_1001

[Device-behavior-201_to_1001] remark customer-vlan-id 1001

[Device-behavior-201_to_1001] quit

# Create classes vlan202 and vlan203 and behaviors 202_to_1002 and 203_to_1003. The classes and behaviors are used for mapping VLAN 202 to VLAN 1002 and VLAN 203 to VLAN 1003.

[Device] traffic classifier vlan202

[Device-classifier-vlan202] if-match service-vlan-id 202

[Device-classifier-vlan202] quit

[Device] traffic behavior 202_to_1002

[Device-behavior-202_to_1002] remark customer-vlan-id 1002

[Device-behavior-202_to_1002] quit

[Device] traffic classifier vlan203

[Device-classifier-vlan203] if-match service-vlan-id 203

[Device-classifier-vlan203] quit

[Device] traffic behavior 203_to_1003

[Device-behavior-203_to_1003] remark customer-vlan-id 1003

[Device-behavior-203_to_1003] quit

4.        Configure classes and behaviors to rate limit the uplink traffic from branches.

# Use the following traffic classes:

¡  vlan201 for traffic of VLAN 201 (mapped from VLAN 1001).

¡  vlan202 for traffic of VLAN 202 (mapped from VLAN 1002).

¡  vlan203 for traffic of VLAN 203 (mapped from VLAN 1003).

# Use the following behaviors for policing the traffic:

¡  car_vlan201_downlink for traffic of VLAN 201 (mapped from VLAN 1001).

¡  car_vlan202_downlink for traffic of VLAN 202 (mapped from VLAN 1002).

¡  car_vlan203_downlink for traffic of VLAN 203 (mapped from VLAN 1003).

The behaviors are configured in "Configuring bandwidth allocation unrelated to VLAN mapping."

5.        Configure classes and behaviors to rate limit the downlink traffic sent to branches.

# Use the following traffic classes:

¡  vlan1001 for traffic of VLAN 1001 (mapped from VLAN 201).

¡  vlan1002 for traffic of VLAN 1002 (mapped from VLAN 202).

¡  vlan1003 for traffic of VLAN 1003 (mapped from VLAN 203).

# Use the following behaviors:

¡  car_vlan201_downlink for traffic of VLAN 1001 (mapped from VLAN 201).

¡  car_vlan202_downlink for traffic of VLAN 1002 (mapped from VLAN 202).

¡  car_vlan203_downlink for traffic of VLAN 1003 (mapped from VLAN 203).

6.        Configure classes and behaviors for rate limiting the uplink traffic to the backbone network.

# Use the following classes:

¡  vlan201 for traffic from VLAN 201.

¡  vlan202 for traffic from VLAN 202.

¡  vlan203 for traffic from VLAN 203.

# Create a behavior named car_vlan201_uplink for rate limiting the uplink traffic of VLAN 201 on the device. Set the CIR to 100 Mbps.

[Device] traffic behavior car_vlan201_uplink

[Device-behavior-car_vlan201_uplink] car cir 102400

[Device-behavior-car_vlan201_uplink] quit

# Create a behavior named car_vlan202_uplink for rate limiting the uplink traffic of VLAN 202. Set the CIR to 60 Mbps.

[Device] traffic behavior car_vlan202_uplink

[Device-behavior-car_vlan202_uplink] car cir 61440

[Device-behavior-car_vlan202_uplink] quit

# Create a behavior named car_vlan203_uplink for rate limiting the uplink traffic of VLAN 203. Set the CIR to 40 Mbps.

[Device] traffic behavior car_vlan203_uplink

[Device-behavior-car_vlan203_uplink] car cir 40960

[Device-behavior-car_vlan203_uplink] quit

7.        Configure classes and behaviors to rate limit the downlink traffic from the backbone network.

# Use the following classes:

¡  vlan201 for traffic from VLAN 201.

¡  vlan202 for traffic from VLAN 202.

¡  vlan203 for traffic from VLAN 203.

# Use the following behaviors:

¡  car_vlan201_uplink for traffic from VLAN 201.

¡  car_vlan202_uplink for traffic from VLAN 202.

¡  car_vlan203_uplink for traffic from VLAN 203.

8.        Configure and apply the QoS policies for uplink traffic.

Figure 3 shows how the switches process the uplink traffic from a branch to the backbone network. The figure uses VLAN 1001 as an example.

Figure 3 Uplink traffic processing

 

# Create a QoS policy named downlink_in, and configure class-behavior associations in the following order:

a.    The VLAN mapping class-behavior associations.

b.    The traffic policing class-behavior associations that use the newly marked VLANs as the match criteria.

[Device] qos policy downlink_in

[Device-qospolicy-downlink_in] classifier vlan1001 behavior 1001_to_201

[Device-qospolicy-downlink_in] classifier vlan1002 behavior 1002_to_202

[Device-qospolicy-downlink_in] classifier vlan1003 behavior 1003_to_203

[Device-qospolicy-downlink_in] classifier vlan201 behavior car_vlan201_downlink

[Device-qospolicy-downlink_in] classifier vlan202 behavior car_vlan202_downlink

[Device-qospolicy-downlink_in] classifier vlan203 behavior car_vlan203_downlink

[Device-qospolicy-downlink_in] quit

# Apply the QoS policy downlink_in to the inbound direction of Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2.

[Device] interface Ten-GigabitEthernet1/0/1

[Device-Ten-GigabitEthernet1/0/1] qos apply policy downlink_in inbound

[Device-Ten-GigabitEthernet1/0/1] quit

[Device] interface Ten-GigabitEthernet1/0/2

[Device-Ten-GigabitEthernet1/0/2] qos apply policy downlink_in inbound

[Device-Ten-GigabitEthernet1/0/2] quit

# Create a QoS policy named uplink_out, and associate the classes and behaviors configured to rate limit the uplink traffic to the backbone network.

[Device] qos policy uplink_out

[Device-qospolicy-uplink_out] classifier vlan201 behavior car_vlan201_uplink

[Device-qospolicy-uplink_out] classifier vlan202 behavior car_vlan202_uplink

[Device-qospolicy-uplink_out] classifier vlan203 behavior car_vlan203_uplink

[Device-qospolicy-uplink_out] quit

# Apply QoS policy uplink_out to the outbound direction of Ten-GigabitEthernet 1/0/10.

[Device] interface Ten-GigabitEthernet1/0/10

[Device-Ten-GigabitEthernet1/0/10] qos apply policy uplink_out outbound

9.        Configure and apply the QoS policies for downlink traffic.

Figure 4 shows how the switches process the downlink traffic from the backbone network to a branch. The figure uses VLAN 201 as an example.

Figure 4 Downlink traffic processing

 

# Create a QoS policy named uplink_in, and associate the classes and behaviors configured to rate limit the downlink traffic from the backbone network.

[Device] qos policy uplink_in

[Device-qospolicy-uplink_in] classifier vlan201 behavior car_vlan201_uplink

[Device-qospolicy-uplink_in] classifier vlan202 behavior car_vlan202_uplink

[Device-qospolicy-uplink_in] classifier vlan203 behavior car_vlan203_uplink

[Device-qospolicy-uplink_in] quit

# Apply the QoS policy uplink_in to the inbound direction of Ten-GigabitEthernet 1/0/10.

[Device] interface Ten-GigabitEthernet1/0/10

[Device-Ten-GigabitEthernet1/0/10] qos apply policy uplink_in inbound

# Create a QoS policy named downlink_out, and configure class-behavior associations in the following order:

a.    The VLAN mapping class-behavior associations.

b.    The traffic policing class-behavior associations that rate limit the downlink traffic to branches.

[Device] qos policy downlink_out

[Device-qospolicy-downlink_out] classifier vlan201 behavior 201_to_1001

[Device-qospolicy-downlink_out] classifier vlan202 behavior 202_to_1002

[Device-qospolicy-downlink_out] classifier vlan203 behavior 203_to_1003

[Device-qospolicy-downlink_out] classifier vlan1001 behavior car_vlan201_downlink

[Device-qospolicy-downlink_out] classifier vlan1002 behavior car_vlan202_downlink

[Device-qospolicy-downlink_out] classifier vlan1003 behavior car_vlan203_downlink

[Device-qospolicy-downlink_out] quit

# Apply the QoS policy downlink_out to the outbound direction of Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2.

[Device] interface Ten-GigabitEthernet1/0/1

[Device-Ten-GigabitEthernet1/0/1] qos apply policy downlink_out outbound

[Device-Ten-GigabitEthernet1/0/1] quit

[Device] interface Ten-GigabitEthernet1/0/2

[Device-Ten-GigabitEthernet1/0/2] qos apply policy downlink_out outbound

[Device-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

Verify the configuration on any interface, for example, Ten-GigabitEthernet 1/0/10.

# Verify QoS policies applied to interface Ten-GigabitEthernet 1/0/10.

[Device] display qos policy interface ten-GigabitEthernet 1/0/10

Interface: Ten-GigabitEthernet1/0/10                                           

                                                                               

  Direction: Inbound                                                           

                                                                               

  Policy: uplink_in                                                            

   Classifier: 201_to_1001                                                     

     Operator: AND                                                             

     Rule(s) :                                                                  

      If-match service-vlan-id 201                                             

     Behavior: car_vlan201_uplink                                              

      Committed Access Rate:                                                    

        CIR 102400 (kbps), CBS 6400000 (Bytes), EBS 512 (Bytes)                

        Green action  : pass                                                   

        Yellow action : pass                                                    

        Red action    : discard                                                

        Green packets : 0 (Packets)                                            

        Red packets   : 0 (Packets)                                             

   Classifier: 202_to_1002                                                     

     Operator: AND                                                             

     Rule(s) :                                                                  

      If-match service-vlan-id 202                                             

     Behavior: car_vlan202_uplink                                              

      Committed Access Rate:                                                   

        CIR 61440 (kbps), CBS 3840000 (Bytes), EBS 512 (Bytes)                 

        Green action  : pass                                                   

        Yellow action : pass                                                   

        Red action    : discard                                                

        Green packets : 0 (Packets)                                            

        Red packets   : 0 (Packets)                                            

   Classifier: 203_to_1003                                                     

     Operator: AND                                                             

     Rule(s) :                                                                 

      If-match service-vlan-id 203                                             

     Behavior: car_vlan203_uplink                                              

      Committed Access Rate:                                                   

        CIR 40960 (kbps), CBS 2560000 (Bytes), EBS 512 (Bytes)                 

        Green action  : pass                                                   

        Yellow action : pass                                                   

        Red action    : discard                                                 

        Green packets : 0 (Packets)                                            

        Red packets   : 0 (Packets)                                            

                                                                                

  Direction: Outbound

 

  Policy: uplink_out

   Classifier: 201_to_1001

     Operator: AND

     Rule(s) :

      If-match service-vlan-id 201

     Behavior: car_vlan201_uplink

      Committed Access Rate:

        CIR 102400 (kbps), CBS 6400000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)

   Classifier: 202_to_1002

     Operator: AND

     Rule(s) :

      If-match service-vlan-id 202

     Behavior: car_vlan202_uplink

      Committed Access Rate:

        CIR 61440 (kbps), CBS 3840000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)

   Classifier: 203_to_1003

     Operator: AND

     Rule(s) :

      If-match service-vlan-id 203

     Behavior: car_vlan203_uplink

      Committed Access Rate:

        CIR 40960 (kbps), CBS 2560000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets)

        Red packets   : 0 (Packets)

Configuration files

#

traffic classifier vlan203_downlink operator and

 if-match service-vlan-id 1003

traffic classifier 1002_to_202 operator and

 if-match customer-vlan-id 1002

traffic classifier 201_to_1001 operator and

 if-match service-vlan-id 201

traffic classifier 1003_to_203 operator and

 if-match customer-vlan-id 1003

traffic classifier 203_to_1003 operator and

 if-match service-vlan-id 203

traffic classifier vlan201 operator and

 if-match service-vlan-id 201

traffic classifier vlan201_downlink operator and

 if-match service-vlan-id 1001

traffic classifier vlan202 operator and

 if-match service-vlan-id 202

traffic classifier vlan202_downlink operator and

 if-match service-vlan-id 1002

traffic classifier 202_to_1002 operator and

 if-match service-vlan-id 202

traffic classifier 1001_to_201 operator and

 if-match customer-vlan-id 1001

traffic classifier vlan203 operator and

 if-match service-vlan-id 203

#

traffic behavior car_vlan201_downlink

 car cir 409600 cbs 25600000 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan202_downlink

 car cir 204800 cbs 12800000 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan203_downlink

 car cir 204800 cbs 12800000 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan201_uplink

 car cir 102400 cbs 6400000 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan202_uplink

 car cir 61440 cbs 3840000 ebs 512 green pass red discard yellow pass

traffic behavior car_vlan203_uplink

 car cir 40960 cbs 2560000 ebs 512 green pass red discard yellow pass

traffic behavior 1002_to_202

 remark service-vlan-id 202

traffic behavior 201_to_1001

 remark customer-vlan-id 1001

traffic behavior 1003_to_203

 remark service-vlan-id 203

traffic behavior 203_to_1003

 remark customer-vlan-id 1003

traffic behavior 202_to_1002

 remark customer-vlan-id 1002

traffic behavior 1001_to_201

 remark service-vlan-id 201

#

qos policy uplink_in

 classifier 201_to_1001 behavior car_vlan201_uplink

 classifier 202_to_1002 behavior car_vlan202_uplink

 classifier 203_to_1003 behavior car_vlan203_uplink

qos policy uplink_out

 classifier 201_to_1001 behavior car_vlan201_uplink

 classifier 202_to_1002 behavior car_vlan202_uplink

 classifier 203_to_1003 behavior car_vlan203_uplink

qos policy downlink_in

 classifier 1001_to_201 behavior 1001_to_201

 classifier 1002_to_202 behavior 1002_to_202

 classifier 1003_to_203 behavior 1003_to_203

 classifier 201_to_1001 behavior car_vlan201_downlink

 classifier 202_to_1002 behavior car_vlan202_downlink

 classifier 203_to_1003 behavior car_vlan203_downlink

qos policy downlink_c

 classifier vlan201 behavior car_vlan201_downlink

 classifier vlan202 behavior car_vlan202_downlink

 classifier vlan203 behavior car_vlan203_downlink

qos policy downlink_out

 classifier 201_to_1001 behavior 201_to_1001

 classifier 202_to_1002 behavior 202_to_1002

 classifier 203_to_1003 behavior 203_to_1003

 classifier vlan201_downlink behavior car_vlan201_downlink

 classifier vlan202_downlink behavior car_vlan202_downlink

 classifier vlan203_downlink behavior car_vlan203_downlink

#

interface Ten-GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203 1001 to 1003

 qinq enable

 qos apply policy downlink_in inbound

 qos apply policy downlink_out outbound

#

interface Ten-GigabitEthernet1/0/2

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203 1001 to 1003

 qinq enable

 qos apply policy downlink_in inbound

 qos apply policy downlink_out outbound

#

interface Ten-GigabitEthernet1/0/3

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203

 qos apply policy downlink_c inbound

 qos apply policy downlink_c outbound

#

interface Ten-GigabitEthernet1/0/10

 port link-mode bridge

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 201 to 203

 qos apply policy uplink_in inbound

 qos apply policy uplink_out outbound

Example: Configuring aggregate CAR

Network configuration

As shown in Figure 5, configure aggregate CAR on the device to limit the traffic from the R&D department (including R&D department 1 and R&D department 2) to 10 Mbps in both uplink and downlink directions.

Figure 5 Network diagram

 

 

Analysis

To limit the traffic from the R&D department to 10 Mbps in both uplink and downlink directions, configure aggregate CAR on Ten-GigabitEthernet 1/0/1 in both directions.

Procedures

1. Configure aggregate CAR for uplink traffic:

# Configure ACL 2000 to match traffic from subnets 192.168.1.0/24 and 192.168.2.0/24.

<Device> system-view

[Device] acl basic 2000

[Device-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-basic-2000] rule permit source 192.168.2.0 0.0.0.255

[Device-acl-ipv4-basic-2000] quit

# Create a class named uplink, and use ACL 2000 as the match criterion.

[Device] traffic classifier uplink

[Device-classifier-uplink] if-match acl 2000

[Device-classifier-uplink] quit

# Create an aggregate CAR action with the CIR of 10 Mbps.

[Device] qos car uplink aggregative cir 10240

# Create a behavior named uplink, and reference the aggregate CAR action in the behavior.

[Device] traffic behavior uplink

[Device-behavior-uplink] car name uplink

[Device-behavior-uplink] quit

# Create a QoS policy named uplink, and associate the class uplink with the behavior uplink in the QoS policy.

[Device] qos policy uplink

[Device-qospolicy-uplink] classifier uplink behavior uplink

[Device-qospolicy-uplink] quit

# Apply the QoS policy uplink to the outbound direction of Ten-GigabitEthernet 1/0/1.

[Device] interface ten-GigabitEthernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] qos apply policy uplink outbound

[Device-Ten-GigabitEthernet1/0/1] quit

2. Configure aggregate CAR for downlink traffic:

# Configure ACL 3000 to match traffic to subnets 192.168.1.0/24 and 192.168.2.0/24.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip destination 192.168.1.0 0.0.0.255

[Device-acl-ipv4-adv-3000] rule permit ip destination 192.168.2.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

# Create a class named downlink, and use ACL 3000 as the match criterion.

[Device] traffic classifier downlink

[Device-classifier-downlink] if-match acl 3000

[Device-classifier-downlink] quit

# Create an aggregate CAR action with the CIR of 10 Mbps.

[Device] qos car downlink aggregative cir 10240

# Create a behavior named downlink, and reference the aggregate CAR action in the behavior.

[Device] traffic behavior downlink

[Device-behavior-downlink] car name downlink

[Device-behavior-downlink] quit

# Create a QoS policy named downlink, and associate the class downlink with the behavior downlink in the QoS policy.

[Device] qos policy downlink

[Device-qospolicy-downlink] classifier downlink behavior downlink

[Device-qospolicy-downlink] quit

# Apply the QoS policy downlink to the inbound direction of Ten-GigabitEthernet 1/0/1.

[Device] interface ten-GigabitEthernet 1/0/1

[Device-Ten-GigabitEthernet1/0/1] qos apply policy downlink inbound

[Device-Ten-GigabitEthernet1/0/1] quit
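The following Python model is an added illustration, not H3C code or device output. It shows how the single aggregate CAR action `uplink` caps the combined traffic of both R&D subnets while traffic that ACL 2000 does not match is left alone. The host addresses, the 10 Mbps per-host load, the 1 ms time step, and reading 1 kbps as 1000 bps are assumptions; the CIR, CBS, EBS and ACL rules are the values shown in this example's configuration file.

```python
import ipaddress

CIR_KBPS, CBS_BYTES = 10240, 640000   # page values: cir 10240 cbs 640000 ebs 0
ACL_2000 = [("192.168.1.0", "0.0.0.255"),   # rule 0 permit source
            ("192.168.2.0", "0.0.0.255")]   # rule 5 permit source

def acl_permits(src, rules=ACL_2000):
    """True if src matches a rule; wildcard bits set to 1 are ignored."""
    ip = int(ipaddress.IPv4Address(src))
    for base, wildcard in rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (ip ^ int(ipaddress.IPv4Address(base))) & care == 0:
            return True
    return False

class AggregateCar:
    """One shared single-rate bucket; with EBS 0 a packet is green or red."""
    def __init__(self, cir_kbps, cbs_bytes):
        self.refill_per_ms = cir_kbps * 1000 // 8 // 1000  # assumes 1 kbps = 1000 bps
        self.cbs = self.tokens = cbs_bytes                  # bucket starts full
        self.green = self.red = 0

    def tick(self):
        self.tokens = min(self.cbs, self.tokens + self.refill_per_ms)

    def police(self, size):
        if self.tokens >= size:
            self.tokens -= size
            self.green += 1
            return True      # green action: pass
        self.red += 1
        return False         # red action: discard

def simulate(hosts, seconds=10, pkt_bytes=1250):
    """Constructed load: every host sends one pkt_bytes packet per ms (10 Mbps)."""
    car = AggregateCar(CIR_KBPS, CBS_BYTES)
    forwarded = {h: 0 for h in hosts}
    for ms in range(seconds * 1000):
        car.tick()
        order = hosts if ms % 2 == 0 else hosts[::-1]   # alternate arrival order
        for h in order:
            # Traffic that ACL 2000 does not match never reaches the CAR action.
            if not acl_permits(h) or car.police(pkt_bytes):
                forwarded[h] += 1
    return car, forwarded

if __name__ == "__main__":
    car, fwd = simulate(["192.168.1.10", "192.168.2.20", "192.168.3.30"])
    print(car.green, car.red, fwd)
```

In this model the two R&D hosts offer 20 Mbps in total and together get 10750 packets through in 10 seconds, about 10.75 Mbps: the CIR plus the one-time burst allowed by the initially full CBS bucket.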

Verifying the configuration

# Verify QoS policies applied to interfaces.

[Device] display qos policy interface

 

Interface: Ten-GigabitEthernet1/0/1

  Direction: Inbound

  Policy: downlink

   Classifier: downlink

     Operator: AND

     Rule(s) :

      If-match acl 3000

     Behavior: downlink

      Committed Access Rate:

        Car name: downlink

 

Interface: Ten-GigabitEthernet1/0/1

  Direction: Outbound

  Policy: uplink

   Classifier: uplink

     Operator: AND

     Rule(s) :

      If-match acl 2000

     Behavior: uplink

      Committed Access Rate:

        Car name: uplink

Configuration files

#

 qos car downlink aggregative cir 10240 cbs 640000 ebs 0 green pass red discard yellow pass

 qos car uplink aggregative cir 10240 cbs 640000 ebs 0 green pass red discard yellow pass

#

traffic classifier downlink operator and

 if-match acl 3000

#

traffic classifier uplink operator and

 if-match acl 2000

#

traffic behavior downlink

 car name downlink

#

traffic behavior uplink

 car name uplink

#

qos policy downlink

 classifier downlink behavior downlink

#

qos policy uplink

 classifier uplink behavior uplink

#

interface Ten-GigabitEthernet1/0/1

 port link-mode bridge

 qos apply policy downlink inbound

 qos apply policy uplink outbound

#

acl basic 2000

 rule 0 permit source 192.168.1.0 0.0.0.255

 rule 5 permit source 192.168.2.0 0.0.0.255

#

acl advanced 3000

 rule 0 permit ip destination 192.168.1.0 0.0.0.255

 rule 5 permit ip destination 192.168.2.0 0.0.0.255

Related documentation

· H3C S7500E Switch Series ACL and QoS Configuration Guide-R757X

· H3C S7500E Switch Series ACL and QoS Command Reference-R757X