Table of Contents
Chapter 2 QACL Configuration Examples
2.1 Configuration Examples in an Enterprise Network
2.1.1 Time-Based ACL and Traffic Accounting Configuration Example
2.1.2 Line Rate and Traffic Policing Configuration Example
2.1.3 Traffic Redirecting and Traffic Mirroring Configuration Example
2.1.4 Configuring Priority Marking and Queue Scheduling
2.2 Configuration Example in a Service Provider Network
2.2.1 Flow-Based Selective QinQ Configuration Example
2.3 Precautions
2.4 Referencing ACLs for Other Purposes
QACL Configuration Examples
Keywords: ACL, QoS
Abstract: This document introduces how QACL of the H3C series Ethernet switches is applied and configured in real network scenarios. In the document, time-based ACLs, line rates, traffic policing, traffic redirecting, traffic mirroring, traffic accounting, priority marking, queue scheduling, and flow-based selective QinQ are introduced.
Acronyms: Access Control List (ACL), Quality of Service (QoS)
Chapter 1 QACL Overview
1.1 QACL Support Matrix
The LPUs of the S7500 series Ethernet switches fall into two groups: type-A LPUs and non-type-A LPUs. The following table describes each group's support for the ACL/QoS functions.
Table 1-1 Type-A LPUs' and non-type-A LPUs' support for ACL/QoS
Feature | Type-A LPUs | Non-type-A LPUs |
---|---|---|
Basic ACL | Supported | Supported |
Advanced ACL | Supported | Supported |
Layer-2 ACL | Supported | Supported |
User-defined ACL | Not supported | Supported |
Traffic classification | Supported | Supported |
Priority marking | Supported | Supported |
Line rate | Not supported | Supported |
Traffic policing | Supported | Supported |
Bandwidth guarantee | Supported | Not supported |
Bidirectional CAR | Supported | Not supported |
Traffic redirecting | Not supported | Supported |
Queue scheduling | Not supported | Supported |
Congestion avoidance | Supported | Not supported |
Traffic mirroring | Not supported | Supported |
Traffic accounting | Supported | Supported |
Flow-based selective QinQ | Not supported | Supported |
Note:
- Type-A LPUs include LS81FT48A, LS81FM24A, LS81FS24A, LS81GB8UA, LS81GT8UA, LS81FT48, LS81FM24, LS81FS24, LS81GB8U, and LS81GT8U.
- The prompt for QoS view is qoss on a type-A LPU and qosb on a non-type-A LPU.
1.2 Configuration Guide
Note:
This guide provides only general configuration procedures. For detailed information about the involved functions and parameters, refer to the operation manual and command manual for your device.
Follow these steps to configure ACL/QoS in system view:
1) Enter system view: system-view
2) Create an ACL and enter ACL view: acl { number acl-number | name acl-name [ advanced | basic | link | user ] } [ match-order { config | auto } ]
By default, the match order in an ACL is config, that is, the rules in an ACL are matched in the order in which they are configured.
3) Define an ACL rule: rule [ rule-id ] { permit | deny } rule-string
The rule-string argument varies by ACL type. For detailed information, refer to the command manual.
4) Return to system view: quit
5) Specify the trusted priority type used when packets are assigned to output queues: priority-trust { dscp | ip-precedence | cos | local-precedence }
By default, the switch assigns packets to output queues based on local precedence.
6) Configure the 802.1p-precedence-to-local-precedence mapping table: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
Table 1-2 shows the default 802.1p-precedence-to-local-precedence mapping table of the switch.
Follow these steps to configure ACL/QoS in QoS view on a type-A LPU:
1) Enter Ethernet port view: interface interface-type interface-number
2) Enter QoS view: qos
3) Configure packet filtering: packet-filter { inbound | outbound } acl-rule [ system-index ] [ not-care-for-interface ]
The ACL number in the acl-rule argument ranges from 2000 to 4999.
4) Configure bandwidth guarantee: traffic-bandwidth outbound acl-rule [ system-index ] min-guaranteed-bandwidth max-guaranteed-bandwidth weight
The min-guaranteed-bandwidth and max-guaranteed-bandwidth arguments must be multiples of 64.
5) Configure traffic policing: traffic-limit { inbound | outbound } acl-rule [ system-index ] target-rate
The target-rate argument must be a multiple of 64.
6) Configure priority marking: traffic-priority { inbound | outbound } acl-rule [ system-index ] { { dscp dscp-value | ip-precedence pre-value } | local-precedence pre-value }*
You can mark DSCP precedence, IP precedence, and local precedence for packets.
7) Configure congestion avoidance: traffic-red outbound acl-rule [ system-index ] qstart qstop probability
The qstart and qstop arguments must be multiples of 16.
8) Configure traffic accounting: traffic-statistic { inbound | outbound } acl-rule [ system-index ]
Follow these steps to configure ACL/QoS in QoS view on a non-type-A LPU:
1) Enter Ethernet port view: interface interface-type interface-number
2) Enter QoS view: qos
3) Configure the line rate: line-rate [ kbps ] target-rate
With the kbps keyword specified, the rate limit granularity is 64 kbps: a value in the range N×64 to (N+1)×64 (N is a natural number) is set to (N+1)×64 kbps automatically.
4) Configure traffic mirroring: mirrored-to inbound acl-rule [ system-index ] { interface interface-type interface-number [ reflector ] | mirroring-group group-id }
5) Configure packet filtering: packet-filter inbound acl-rule [ system-index ]
The ACL number in the acl-rule argument ranges from 2000 to 5999.
6) Configure queue scheduling: queue-scheduler { rr | strict-priority | wrr queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight queue8-weight }
By default, the switch adopts the SP queue scheduling algorithm.
7) Configure traffic policing: traffic-limit inbound acl-rule [ system-index ] [ kbps ] target-rate [ exceed action ]
With the kbps keyword specified, the rate limit granularity is 64 kbps: a value in the range N×64 to (N+1)×64 (N is a natural number) is set to (N+1)×64 kbps automatically.
8) Configure priority marking: traffic-priority inbound acl-rule [ system-index ] { { dscp dscp-value | ip-precedence pre-value } | { cos cos | local-precedence pre-value } }*
You can mark DSCP precedence, IP precedence, 802.1p precedence, and local precedence for packets.
9) Configure traffic redirecting: traffic-redirect inbound acl-rule [ system-index ] { cpu | interface interface-type interface-number }
In traffic redirecting configuration, the source port and the destination port must reside on the same LPU.
10) Configure flow-based selective QinQ: traffic-remark-vlanid inbound acl-rule [ system-index ] remark-vlan vlan-id
Before configuring flow-based selective QinQ, execute the vlan-vpn enable command in the corresponding Ethernet port view first. You cannot execute the vlan-vpn enable command on a voice VLAN-enabled port. Type-A LPUs, LS82GT20, and LS82GP20 do not support flow-based selective QinQ.
11) Configure traffic accounting: traffic-statistic inbound acl-rule [ system-index ]
Note that:
- Table 1-2 is the default 802.1p-precedence-to-local-precedence mapping table of the S7500 series.
Table 1-2 The default 802.1p-precedence-to-local-precedence mapping table
802.1p precedence (CoS) | Local precedence |
---|---|
0 | 2 |
1 | 0 |
2 | 1 |
3 | 3 |
4 | 4 |
5 | 5 |
6 | 6 |
7 | 7 |
- The acl-rule argument can be a combination of ACL rules. Table 1-3 and Table 1-4 show the ACL rule combinations that you can apply on type-A LPUs and non-type-A LPUs respectively. Table 1-5 explains the forms that the acl-rule argument takes for these combinations.
Table 1-3 Combinations of ACL rules on a type-A LPU
1) Apply all rules in an IP-based ACL (a basic ACL or advanced ACL): ip-group { acl-number | acl-name }
2) Apply one rule in an IP-based ACL (a basic ACL or advanced ACL): ip-group { acl-number | acl-name } rule rule-id
3) Apply all rules in a Layer-2 ACL: link-group { acl-number | acl-name }
4) Apply one rule in a Layer-2 ACL: link-group { acl-number | acl-name } rule rule-id
Table 1-4 Combinations of ACL rules on a non-type-A LPU
1) Apply all rules in an IP-based ACL (a basic ACL or advanced ACL): ip-group { acl-number | acl-name }
2) Apply one rule in an IP-based ACL (a basic ACL or advanced ACL): ip-group { acl-number | acl-name } rule rule-id
3) Apply all rules in a Layer-2 ACL: link-group { acl-number | acl-name }
4) Apply one rule in a Layer-2 ACL: link-group { acl-number | acl-name } rule rule-id
5) Apply all rules in a user-defined ACL: user-group { acl-number | acl-name }
6) Apply one rule in a user-defined ACL: user-group { acl-number | acl-name } rule rule-id
7) Apply one rule in an IP-based ACL and one rule in a Layer-2 ACL: ip-group { acl-number | acl-name } rule rule-id link-group { acl-number | acl-name } rule rule-id
Table 1-5 Description of the forms of the acl-rule argument
- ip-group { acl-number | acl-name }: Specifies a basic ACL or advanced ACL. acl-number is an ACL number in the range of 2000 to 3999. acl-name is an ACL name, a case-insensitive string of up to 32 characters that must start with an English letter (a-z or A-Z) and cannot contain any space or quotation mark.
- link-group { acl-number | acl-name }: Specifies a Layer-2 ACL. acl-number is an ACL number in the range of 4000 to 4999. acl-name is an ACL name with the same format as above.
- user-group { acl-number | acl-name }: Specifies a user-defined ACL. acl-number is an ACL number in the range of 5000 to 5999. acl-name is an ACL name with the same format as above.
- rule rule-id: Specifies an ACL rule ID, in the range of 0 to 127. If rule rule-id is not specified, all the rules in the ACL are applied.
Chapter 2 QACL Configuration Examples
Non-type-A LPUs are used in all configurations in this chapter.
Go to these sections for information you are interested in:
Network scenario | Task |
---|---|
Enterprise network | Time-Based ACL and Traffic Accounting Configuration Example |
Enterprise network | Line Rate and Traffic Policing Configuration Example |
Enterprise network | Traffic Redirecting and Traffic Mirroring Configuration Example |
Enterprise network | Configuring Priority Marking and Queue Scheduling |
Service provider network | Flow-Based Selective QinQ Configuration Example |
2.1 Configuration Examples in an Enterprise Network
Figure 2-1 Topology of an enterprise network
Figure 2-1 shows the network topology of a company:
- An S7500 switch running software Release 3135 interconnects all departments of the company. It provides access to the Internet through GigabitEthernet 2/0/10.
- The R&D department belongs to VLAN 2. It is on the network segment 192.168.2.0/24 and accesses the switch through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
- The customer service department belongs to VLAN 3. It is on the network segment 192.168.3.0/24 and accesses the switch through GigabitEthernet 2/0/3.
- The marketing department belongs to VLAN 4. It is on the network segment 192.168.4.0/24 and accesses the switch through GigabitEthernet 2/0/4, GigabitEthernet 2/0/5, and GigabitEthernet 2/0/6. The data detect server on GigabitEthernet 2/0/6 is a data monitoring device.
- The administration department belongs to VLAN 5. It is on the network segment 192.168.5.0/24 and accesses the switch through GigabitEthernet 2/0/7.
2.1.1 Time-Based ACL and Traffic Accounting Configuration Example
I. Network requirements
In the R&D department, PC 1 has the IP address 192.168.2.1 and PC 2 has 192.168.2.2. Both use 192.168.2.100 (the IP address of VLAN-interface 2) as their gateway. Configure time-based ACLs and traffic accounting to satisfy the following requirements:
- Through advanced ACL configuration, filter the virus packets coming from the Internet.
- Through user-defined ACL configuration, drop the ARP packets that PC 1 sends with the gateway IP address as the sender IP address (that is, ARP packets impersonating the gateway) within the time range from 8:00 to 18:00 every day.
- Through traffic accounting configuration, count the HTTP packets that PC 2 sends to the Internet within the time range from 8:00 to 18:00 every day.
II. Network diagram
Figure 2-2 Network diagram for time-based ACL and traffic accounting configuration
III. Configuration procedure
# Define a time range trname to cover the time range from 8:00 to 18:00 every day.
<H3C> system-view
[H3C] time-range trname 8:00 to 18:00 daily
# Create advanced ACL 3000 to filter the virus packets from the Internet. The rules below deny all ICMP and the TCP/UDP ports abused by the worms of the time: TFTP (69/udp) and 4444/tcp used by Blaster, RPC and NetBIOS/SMB (135, 137 to 139, 445, 593), 5554/9995/9996/tcp used by Sasser, and 1434/udp used by SQL Slammer. Because the ACL contains only deny rules, traffic that matches none of them is still forwarded; add other rules as required. Note that rule 1 also drops the ICMP messages needed for path MTU discovery.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 deny icmp
[H3C-acl-adv-3000] rule 2 deny udp destination-port eq 69
[H3C-acl-adv-3000] rule 3 deny tcp destination-port eq 4444
[H3C-acl-adv-3000] rule 4 deny tcp destination-port eq 135
[H3C-acl-adv-3000] rule 5 deny udp destination-port eq 135
[H3C-acl-adv-3000] rule 6 deny udp destination-port eq 137
[H3C-acl-adv-3000] rule 7 deny udp destination-port eq 138
[H3C-acl-adv-3000] rule 8 deny udp destination-port eq 139
[H3C-acl-adv-3000] rule 9 deny tcp destination-port eq 139
[H3C-acl-adv-3000] rule 10 deny tcp destination-port eq 445
[H3C-acl-adv-3000] rule 11 deny udp destination-port eq 445
[H3C-acl-adv-3000] rule 12 deny tcp destination-port eq 593
[H3C-acl-adv-3000] rule 13 deny udp destination-port eq 593
[H3C-acl-adv-3000] rule 14 deny tcp destination-port eq 5554
[H3C-acl-adv-3000] rule 15 deny tcp destination-port eq 9995
[H3C-acl-adv-3000] rule 16 deny tcp destination-port eq 9996
[H3C-acl-adv-3000] rule 17 deny udp destination-port eq 1434
[H3C-acl-adv-3000] quit
# Create advanced ACL 3001 to sort out the HTTP packets sourced from IP address 192.168.2.2.
[H3C] acl number 3001
[H3C-acl-adv-3001] rule 0 permit tcp source 192.168.2.2 0 destination-port eq 80 time-range trname
# Create user-defined ACL 5000 to drop the ARP packets whose sender IP address is 192.168.2.100. In the rule defined in ACL 5000, 0806 is the ARP protocol number (EtherType) and ffff its mask; 16 is the offset of the EtherType field in an internally processed (VLAN-tagged) frame; c0a80264 is the hexadecimal form of 192.168.2.100 and ffffffff its mask; and 32 is the offset of the sender IP address field of such an ARP packet (the ARP header starts at offset 18, and the sender IP address is 14 bytes into it). See Table 2-1 in section 2.3: on a QinQ-enabled port both offsets grow by 4.
[H3C] acl number 5000
[H3C-acl-user-5000] rule 0 deny 0806 ffff 16 c0a80264 ffffffff 32 time-range trname
[H3C-acl-user-5000] quit
# Configure packet filtering in the inbound direction of GigabitEthernet 2/0/10 by referencing ACL 3000.
[H3C] interface GigabitEthernet 2/0/10
[H3C-GigabitEthernet2/0/10] qos
[H3C-qosb-GigabitEthernet2/0/10] packet-filter inbound ip-group 3000
[H3C-qosb-GigabitEthernet2/0/10] quit
[H3C-GigabitEthernet2/0/10] quit
# Configure packet filtering in the inbound direction of GigabitEthernet 2/0/1 by referencing ACL 5000.
[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] qos
[H3C-qosb-GigabitEthernet2/0/1] packet-filter inbound user-group 5000
[H3C-qosb-GigabitEthernet2/0/1] quit
[H3C-GigabitEthernet2/0/1] quit
# Configure traffic accounting on GigabitEthernet 2/0/2.
[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] qos
[H3C-qosb-GigabitEthernet2/0/2] traffic-statistic inbound ip-group 3001
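User-defined ACL rules are raw value/mask/offset triples, so the easiest way to get them wrong is to miscount an offset. The following is an added example, not part of the H3C manual: a small Python script that derives the offsets of the rule in ACL 5000 from the frame layout implied by Table 2-1 (one 802.1Q tag on the frame the LPU inspects, a second one on a QinQ-enabled port), generates the rule string for the gateway-spoofing ARP case of this section and for the analogous IPv4 source-address case, and checks a constructed ARP frame against the rule with the same bitwise semantics the hardware applies. All function names are hypothetical, and the sample frames are constructed here for the demonstration.

```python
"""Added example (not from the H3C manual): build and check user-defined ACL
rule strings for the non-type-A LPU offset model of Table 2-1."""
import ipaddress
import struct

MAC_LEN = 6


def ethertype_offset(qinq_enabled: bool = False) -> int:
    """Table 2-1: EtherType is at 16 (6 + 6 + one 4-byte tag) or 20 with QinQ."""
    return 20 if qinq_enabled else 16


def payload_offset(qinq_enabled: bool = False) -> int:
    """First byte of the ARP or IP header: right after the 2-byte EtherType."""
    return ethertype_offset(qinq_enabled) + 2


def ip_protocol_offset(qinq_enabled: bool = False) -> int:
    """IPv4 protocol field is byte 9 of the IP header (27 / 31 in Table 2-1)."""
    return payload_offset(qinq_enabled) + 9


def arp_sender_ip_rule(sender_ip: str, qinq_enabled: bool = False) -> str:
    """rule-string matching ARP frames whose sender IP equals sender_ip
    (the sender protocol address is at byte 14 of the ARP header)."""
    ip_hex = ipaddress.IPv4Address(sender_ip).packed.hex()
    return (f"0806 ffff {ethertype_offset(qinq_enabled)} "
            f"{ip_hex} ffffffff {payload_offset(qinq_enabled) + 14}")


def ipv4_source_rule(source_ip: str, qinq_enabled: bool = False) -> str:
    """rule-string matching IPv4 packets from source_ip (IP source address
    is at byte 12 of the IP header); same shape as the ARP rule."""
    ip_hex = ipaddress.IPv4Address(source_ip).packed.hex()
    return (f"0800 ffff {ethertype_offset(qinq_enabled)} "
            f"{ip_hex} ffffffff {payload_offset(qinq_enabled) + 12}")


def parse_rule(rule: str):
    """Split 'value mask offset ...' into (value bytes, mask bytes, offset)."""
    tok = rule.split()
    if len(tok) % 3:
        raise ValueError("rule-string must consist of value/mask/offset triples")
    return [(bytes.fromhex(tok[i]), bytes.fromhex(tok[i + 1]), int(tok[i + 2]))
            for i in range(0, len(tok), 3)]


def frame_matches(frame: bytes, rule: str) -> bool:
    """True if every triple matches: (frame[off:] & mask) == (value & mask)."""
    for value, mask, off in parse_rule(rule):
        chunk = frame[off:off + len(value)]
        if len(chunk) < len(value):
            return False
        if any((c & m) != (v & m) for c, m, v in zip(chunk, mask, value)):
            return False
    return True


def tagged_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str,
                       vlan: int, qinq_outer_vlan: int = None) -> bytes:
    """Constructed sample frame as the LPU sees it: one 802.1Q tag, plus an
    outer tag when qinq_outer_vlan is given (QinQ-enabled port)."""
    hdr = b"\xff" * MAC_LEN + sender_mac
    if qinq_outer_vlan is not None:
        hdr += struct.pack("!HH", 0x8100, qinq_outer_vlan)
    hdr += struct.pack("!HH", 0x8100, vlan) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, MAC_LEN, 4, 1)      # ARP request
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * MAC_LEN + ipaddress.IPv4Address(target_ip).packed
    return hdr + arp


if __name__ == "__main__":
    gw_rule = arp_sender_ip_rule("192.168.2.100")
    print("rule 0 deny", gw_rule, "time-range trname")
    pc1 = bytes.fromhex("001122334455")               # constructed MAC
    spoof = tagged_arp_request(pc1, "192.168.2.100", "192.168.2.1", vlan=2)
    print("gateway-spoofing ARP matched:", frame_matches(spoof, gw_rule))
```

The generated rule string is exactly the one applied in ACL 5000 above. Two caveats the check makes visible: the mask ffffffff demands the whole sender IP, so a spoofer using a different address on the gateway's segment is not caught, and enabling vlan-vpn on the port shifts every offset by 4, so a rule written for the untagged-port layout silently stops matching.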
2.1.2 Line Rate and Traffic Policing Configuration Example
I. Network requirements
In the customer service department, the IP address of PC 3 is 192.168.3.1. Configure line rate and traffic policing to satisfy the following requirements:
- Limit the rate of the Internet-accessing traffic of all the departments to 2 Mbps, and drop the excess traffic.
- Limit the outbound traffic rate of PC 3 in the customer service department to 640 kbps, and drop the excess traffic.
II. Network diagram
Figure 2-3 Network diagram for line rate and traffic policing configuration
III. Configuration procedure
# Create basic ACL 2000 to sort out the packets with the source IP address 192.168.3.1.
<H3C> system-view
[H3C] acl number 2000
[H3C-acl-basic-2000] rule permit source 192.168.3.1 0
[H3C-acl-basic-2000] quit
# Configure traffic policing in the inbound direction of GigabitEthernet 2/0/3 (the traffic PC 3 sends) to limit the outbound traffic rate of PC 3 to 640 kbps, a multiple of 64. No exceed action is specified, so the default action, dropping the excess traffic, applies.
[H3C] interface GigabitEthernet 2/0/3
[H3C-GigabitEthernet2/0/3] qos
[H3C-qosb-GigabitEthernet2/0/3] traffic-limit inbound ip-group 2000 kbps 640
[H3C-qosb-GigabitEthernet2/0/3] quit
[H3C-GigabitEthernet2/0/3] quit
# Configure line rate on GigabitEthernet 2/0/10 to limit the rate of the Internet-accessing traffic of all the departments to 2 Mbps and drop the excess traffic. Without the kbps keyword, the target-rate argument is in Mbps.
[H3C] interface GigabitEthernet 2/0/10
[H3C-GigabitEthernet2/0/10] qos
[H3C-qosb-GigabitEthernet2/0/10] line-rate 2
2.1.3 Traffic Redirecting and Traffic Mirroring Configuration Example
I. Network requirements
In the marketing department, the IP address of PC 4 is 192.168.4.1 and that of PC 5 is 192.168.4.2. Configure traffic redirecting and traffic mirroring to satisfy the following requirements:
- Redirect the HTTP packets that PC 4 sends to the Internet to the data monitoring device within the time range from 8:00 to 18:00 on working days.
- Mirror the HTTP packets that PC 5 sends to the Internet to the data monitoring device within the time range from 8:00 to 18:00 on working days.
II. Network diagram
Figure 2-4 Network diagram for traffic redirecting and traffic mirroring configuration
III. Configuration procedure
# Define the time range from 8:00 to 18:00 in working days.
<H3C> system-view
[H3C] time-range tr1 8:00 to 18:00 working-day
# Create advanced ACL 3000 to sort out the HTTP packets from PC 4 and PC 5.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit tcp source 192.168.4.1 0 destination-port eq 80 time-range tr1
[H3C-acl-adv-3000] rule 1 permit tcp source 192.168.4.2 0 destination-port eq 80 time-range tr1
[H3C-acl-adv-3000] quit
# Configure traffic redirecting on GigabitEthernet 2/0/4 to redirect the Internet-accessing traffic from PC 4 to the data monitoring device on GigabitEthernet 2/0/6 (both ports are on the same LPU, as traffic redirecting requires). Redirected packets go only to the monitoring device, not to the Internet.
[H3C] interface GigabitEthernet 2/0/4
[H3C-GigabitEthernet2/0/4] qos
[H3C-qosb-GigabitEthernet2/0/4] traffic-redirect inbound ip-group 3000 rule 0 interface GigabitEthernet 2/0/6
[H3C-qosb-GigabitEthernet2/0/4] quit
[H3C-GigabitEthernet2/0/4] quit
# Configure traffic mirroring on GigabitEthernet 2/0/5 to mirror the Internet-accessing traffic from PC 5 to the data monitoring device. Unlike redirecting, mirroring copies the packets; the originals are still forwarded. The mirrored-to command below names the monitor port directly; the local mirroring group created first is the alternative form, referenced by replacing interface GigabitEthernet 2/0/6 with mirroring-group 1 (see the command syntax in Chapter 1).
[H3C] mirroring-group 1 local
[H3C] mirroring-group 1 monitor-port GigabitEthernet 2/0/6
[H3C] interface GigabitEthernet 2/0/5
[H3C-GigabitEthernet2/0/5] qos
[H3C-qosb-GigabitEthernet2/0/5] mirrored-to inbound ip-group 3000 rule 1 interface GigabitEthernet 2/0/6
2.1.4 Configuring Priority Marking and Queue Scheduling
I. Network requirements
In the administration department, the IP address of PC 6 is 192.168.5.1, that of PC 7 is 192.168.5.2, and that of PC 8 is 192.168.5.3. PC 6, PC 7, and PC 8 access the station with the IP address 129.110.1.2. Configure priority marking and queue scheduling for the traffic from the three PCs to 129.110.1.2 to satisfy the following requirement:
- The IP traffic from the three PCs to 129.110.1.2 is processed in the descending priority order of PC 6, PC 7, and PC 8.
II. Network diagram
Figure 2-5 Network diagram for priority marking and queue scheduling configuration
III. Configuration procedure
# Create advanced ACL 3000 to classify packets from PCs 6 through 8 based on their source IP addresses.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit ip source 192.168.5.1 0 destination 129.110.1.2 0
[H3C-acl-adv-3000] rule 1 permit ip source 192.168.5.2 0 destination 129.110.1.2 0
[H3C-acl-adv-3000] rule 2 permit ip source 192.168.5.3 0 destination 129.110.1.2 0
[H3C-acl-adv-3000] quit
# Mark the traffic matching each rule of ACL 3000 with a local precedence value on GigabitEthernet 2/0/7. The local precedence selects the output queue, and the switch assigns it from the source address rather than from any priority field the PC sets in its own packets.
[H3C] interface GigabitEthernet 2/0/7
[H3C-GigabitEthernet2/0/7] qos
[H3C-qosb-GigabitEthernet2/0/7] traffic-priority inbound ip-group 3000 rule 0 local-precedence 5
[H3C-qosb-GigabitEthernet2/0/7] traffic-priority inbound ip-group 3000 rule 1 local-precedence 4
[H3C-qosb-GigabitEthernet2/0/7] traffic-priority inbound ip-group 3000 rule 2 local-precedence 3
[H3C-qosb-GigabitEthernet2/0/7] quit
[H3C-GigabitEthernet2/0/7] quit
# Configure GigabitEthernet 2/0/10 to adopt the SP queue scheduling algorithm. Because SP is the default, you do not need to configure it unless you have changed the scheduling algorithm.
[H3C] interface GigabitEthernet 2/0/10
[H3C-GigabitEthernet2/0/10] qos
[H3C-qosb-GigabitEthernet2/0/10] queue-scheduler strict-priority
2.2 Configuration Example in a Service Provider Network
Figure 2-6 Topology of a service provider network
Figure 2-6 shows the network topology of the service provider network:
- The S7500 switches (Switch A, Switch B, and Switch C in the network diagram) operate as the edge devices of the service provider network and are connected to server-side or client-side networks.
- The service provider network permits the packets of VLAN 100 and VLAN 200 to pass through.
- Switch B is connected to the service provider network through GigabitEthernet 2/0/2, which permits the packets of VLAN 100 to pass through.
- Switch C is connected to the service provider network through GigabitEthernet 2/0/2, which permits the packets of VLAN 200 to pass through.
- Packets of VLAN 10 and VLAN 20 in the client-side network arrive at GigabitEthernet 2/0/1 single-tagged.
2.2.1 Flow-Based Selective QinQ Configuration Example
I. Network requirements
Configure flow-based selective QinQ to satisfy the following requirements:
- Tag VLAN 10 packets with VLAN 100. Thus, the clients in VLAN 10 can access servers in VLAN 10 in the network connected to Switch B across the service provider network.
- Tag VLAN 20 packets whose source MAC addresses are in the range of 1234-5678-9000 to 1234-5678-90FF with VLAN 200. Thus, the sending clients can access servers in VLAN 20 in the network connected to Switch C across the service provider network.
- Tag VLAN 20 packets whose source MAC addresses are beyond the range of 1234-5678-9000 to 1234-5678-90FF with VLAN 100. Thus, the sending clients can access servers in VLAN 20 in the network connected to Switch B across the service provider network.
II. Network diagram
Refer to Figure 2-6.
III. Configuration procedure
1) Configuration on Switch A
# Create Layer-2 ACL 4000 to sort out the packets with source MAC addresses in the range of 1234-5678-9000 to 1234-5678-90FF.
<H3C> system-view
[H3C] acl number 4000
[H3C-acl-link-4000] rule permit ingress 1234-5678-9000 ffff-ffff-ff00
[H3C-acl-link-4000] quit
# Configure GigabitEthernet 2/0/2 to be a hybrid port and to forward packets of VLAN 100 and VLAN 200 without removing the outer VLAN tag.
[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] port link-type hybrid
[H3C-GigabitEthernet2/0/2] port hybrid vlan 100 200 tagged
[H3C-GigabitEthernet2/0/2] quit
# Configure GigabitEthernet 2/0/1 as a hybrid port and configure VLAN 100 as its default VLAN. Configure GigabitEthernet 2/0/1 to forward packets of VLAN 100 and VLAN 200 with the outer VLAN tag removed.
[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] port link-type hybrid
[H3C-GigabitEthernet2/0/1] port hybrid pvid vlan 100
[H3C-GigabitEthernet2/0/1] port hybrid vlan 100 200 untagged
# Enable QinQ on GigabitEthernet 2/0/1.
[H3C-GigabitEthernet2/0/1] vlan-vpn enable
# Configure flow-based selective QinQ on GigabitEthernet 2/0/1 to tag packets whose source MAC addresses are in the range of 1234-5678-9000 to 1234-5678-90FF with VLAN 200.
[H3C-GigabitEthernet2/0/1] qos
[H3C-qosb-GigabitEthernet2/0/1] traffic-remark-vlanid inbound link-group 4000 remark-vlan 200
2) Configuration on Switch B
# Configure GigabitEthernet 2/0/2 to be a hybrid port and to forward packets of VLAN 100 without removing the outer VLAN tag.
[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] port link-type hybrid
[H3C-GigabitEthernet2/0/2] port hybrid vlan 100 tagged
[H3C-GigabitEthernet2/0/2] quit
# Configure GigabitEthernet 2/0/1 as a hybrid port and configure VLAN 100 as its default VLAN. Configure GigabitEthernet 2/0/1 to forward packets of VLAN 100 with the outer VLAN tag removed.
<H3C> system-view
[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] port link-type hybrid
[H3C-GigabitEthernet2/0/1] port hybrid pvid vlan 100
[H3C-GigabitEthernet2/0/1] port hybrid vlan 100 untagged
# Enable QinQ on GigabitEthernet 2/0/1.
[H3C-GigabitEthernet2/0/1] vlan-vpn enable
3) Configuration on Switch C
# Configure GigabitEthernet 2/0/2 to be a hybrid port and to forward packets of VLAN 200 without removing the outer VLAN tag.
[H3C] interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2] port link-type hybrid
[H3C-GigabitEthernet2/0/2] port hybrid vlan 200 tagged
[H3C-GigabitEthernet2/0/2] quit
# Configure GigabitEthernet 2/0/1 as a hybrid port and configure VLAN 200 as its default VLAN. Configure GigabitEthernet 2/0/1 to forward packets of VLAN 200 with the outer VLAN tag removed.
<H3C> system-view
[H3C] interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1] port link-type hybrid
[H3C-GigabitEthernet2/0/1] port hybrid pvid vlan 200
[H3C-GigabitEthernet2/0/1] port hybrid vlan 200 untagged
# Enable QinQ on GigabitEthernet 2/0/1.
[H3C-GigabitEthernet2/0/1] vlan-vpn enable
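The Layer-2 rule in ACL 4000 above selects a MAC range by an address/mask pair (1234-5678-9000 with mask ffff-ffff-ff00), which only works because the wanted range is a 256-address block aligned on a 256 boundary. The following is an added example, not part of the H3C manual: Python helpers that translate between the address/mask form the rule takes and the range it actually covers, and that split an arbitrary range into the address/mask rules needed. The function names are hypothetical; the mask semantics (mask bit set means the address bit must match, mask bit clear means wildcard) are those the rule in this section relies on. One security caveat worth keeping in mind: the source MAC address is chosen by the sending host, so this classification steers traffic into VLAN 200 but does not authenticate who sent it.

```python
"""Added example (not from the H3C manual): work out what a Layer-2 ACL rule
of the form 'rule permit ingress MAC MASK' matches and derive the MASK for a
wanted range (as in ACL 4000 of section 2.2.1)."""

MAC_BITS = 0xFFFFFFFFFFFF          # 48 address bits


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def matches(mac: str, rule_mac: str, mask: str) -> bool:
    """Hardware semantics: bits set in the mask must be equal, bits clear in
    the mask are wildcards."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(rule_mac) & m)


def mask_to_range(rule_mac: str, mask: str):
    """(first, last) covered by rule_mac/mask, or None when the wildcard bits
    are not one low-order block (then the matched set is not a single range)."""
    m = mac_to_int(mask)
    wild = ~m & MAC_BITS
    if wild & (wild + 1):            # wildcard bits not contiguous at the bottom
        return None
    lo = mac_to_int(rule_mac) & m
    return int_to_mac(lo), int_to_mac(lo | wild)


def range_to_mask(first: str, last: str):
    """(rule_mac, mask) matching exactly first..last with one rule, or None if
    the range is not a power-of-two block aligned on its own size."""
    lo, hi = mac_to_int(first), mac_to_int(last)
    if lo > hi:
        raise ValueError("first must not exceed last")
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        return None
    return int_to_mac(lo), int_to_mac(MAC_BITS ^ (size - 1))


def range_to_rules(first: str, last: str):
    """Greedy split of any range into the aligned blocks one rule each can
    express; returns a list of (rule_mac, mask) pairs in address order."""
    lo, hi = mac_to_int(first), mac_to_int(last)
    if lo > hi:
        raise ValueError("first must not exceed last")
    rules = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2                # grow while still aligned and inside range
        rules.append((int_to_mac(lo), int_to_mac(MAC_BITS ^ (size - 1))))
        lo += size
    return rules


if __name__ == "__main__":
    print("ACL 4000 covers", mask_to_range("1234-5678-9000", "ffff-ffff-ff00"))
    for mac, mask in range_to_rules("1234-5678-9000", "1234-5678-9010"):
        print("rule permit ingress", mac, mask)
```

For a range that is not an aligned block, range_to_mask returns None and range_to_rules gives the rule list to configure instead, one rule permit ingress line per pair.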
2.3 Precautions
Pay attention to the following when making configuration:
1) Advanced ACLs 3998 and 3999 are reserved for cluster management and therefore are not user-configurable.
2) You can use the acl order command to specify the match order for the ACL rules applied to the hardware. The S7500 series support three match orders: depth-first, first-config-first-match, and last-config-first-match.
3) On a type-A LPU, basic ACL rules with the fragment keyword and advanced ACL rules with the tos or fragment keyword cannot be applied to hardware.
4) On a non-type-A LPU, advanced ACL rules with the range keyword for TCP/UDP ports cannot be applied to hardware.
5) Table 2-1 lists the offset values of some common protocols you can define in user-defined ACLs for packet matching on a non-type-A LPU.
Table 2-1 Offset values of common protocols
Protocol type | Protocol number | Offset value for ports with QinQ disabled | Offset value for ports with QinQ enabled |
---|---|---|---|
ARP | 0x0806 | 16 | 20 |
RARP | 0x8035 | 16 | 20 |
IP | 0x0800 | 16 | 20 |
IPX | 0x8137 | 16 | 20 |
AppleTalk | 0x809B | 16 | 20 |
ICMP | 0x01 | 27 | 31 |
IGMP | 0x02 | 27 | 31 |
TCP | 0x06 | 27 | 31 |
UDP | 0x11 | 27 | 31 |
The first five rows are EtherType values matched at the offset of the EtherType field; the last four are IP protocol numbers matched at the offset of the protocol field in the IP header. The UDP protocol number is 0x11 (17 decimal).
6) The ACL rules configured for traffic policing, traffic redirecting, traffic mirroring, traffic accounting, priority marking, or flow-based selective QinQ must be permit statements.
7) On a non-type-A LPU, if a traffic policing rule is configured with the kbps keyword specified, the rate limit granularity is 64 kbps. That is, if the rate value you input is in the range of N×64 to (N+1)×64 (N is a natural number), the switch sets the value to (N+1)×64 kbps automatically.
8) In traffic redirecting configuration, the source port and the destination port must reside on the same LPU.
9) In traffic mirroring configuration, for centralized LPUs, all the involved ports must reside on the same LPU; for distributed systems, all the involved ports must reside in the same distributed system.
10) For an S7500 switch, you can configure multiple mirrored ports but only one monitor port for traffic mirroring. You are recommended to use the monitor port only for traffic mirroring. If you use it as a service port at the same time, service traffic may be affected.
11) Non-type-A LPUs of the S7500 series support three queue scheduling algorithms: round robin (RR), strict priority (SP), and weighted round robin (WRR). When configuring WRR, you can set some weight values to 0, thus implementing the SP + WRR queue scheduling algorithm.
12) With the SP + WRR queue scheduling algorithm enabled, the switch schedules SP queues preferentially. For example, suppose queues 0 through 3 adopt SP (with the weight being 0), and queues 4 through 7 adopt WRR. The switch will schedule queues 0 through 3 with the SP algorithm preferentially, and then schedule queues 4 through 7 with the WRR algorithm when the SP queues are empty.
13) Flow-based selective QinQ is usually configured on the customer-side port on the edge device connecting the service provider network to the customer network. Usually, the customer-side port is configured as a hybrid port.
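Items 11) and 12) above, together with the priority marking in section 2.1.4 and the default mapping of Table 1-2, describe how a frame ends up in an output queue and in which order the queues are drained. The following is an added example, not part of the H3C manual: a Python model of that behaviour, with a scheduler that serves the SP queues (WRR weight 0) before any WRR queue and then shares the rest by weight, plus a short demonstration of why a port that trusts the CoS of incoming frames lets any host starve the others under SP. Queue numbers equal local precedence values as on the page; the assumption that the highest-numbered non-empty SP queue is served first is mine, not stated on the page, and the function names are hypothetical.

```python
"""Added example (not from the H3C manual): model of the S7500 output queue
scheduling of Precautions 11) and 12) and of the queue selection used in
section 2.1.4."""
from collections import deque

# Default 802.1p-to-local-precedence mapping from Table 1-2.
DEFAULT_COS_TO_LOCAL = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def queue_for(cos=None, marked_local_precedence=None):
    """Queue a frame lands in: a traffic-priority local-precedence mark set by
    the switch wins; otherwise a CoS-trusting port applies Table 1-2."""
    if marked_local_precedence is not None:
        return marked_local_precedence
    return DEFAULT_COS_TO_LOCAL[cos]


def schedule(queues, weights):
    """Return the transmit order as (queue, packet) tuples.

    queues  : 8 lists of packets, index = queue number (local precedence).
    weights : 8 WRR weights; a weight of 0 marks an SP queue (item 11).
    Assumption (not on the page): among SP queues the highest-numbered
    non-empty queue is served first.
    """
    if len(queues) != 8 or len(weights) != 8:
        raise ValueError("a port has 8 output queues")
    qs = [deque(q) for q in queues]
    sp = [i for i, w in enumerate(weights) if w == 0]
    wrr = [i for i, w in enumerate(weights) if w > 0]
    out = []
    while any(qs):
        busy_sp = [i for i in sp if qs[i]]
        if busy_sp:                         # SP queues always go first (item 12)
            i = max(busy_sp)
            out.append((i, qs[i].popleft()))
            continue
        for i in wrr:                       # one WRR round: weight[i] packets each
            for _ in range(weights[i]):
                if qs[i]:
                    out.append((i, qs[i].popleft()))
    return out


def section_2_1_4_order():
    """The marks of 2.1.4 (PC 6 -> 5, PC 7 -> 4, PC 8 -> 3) under pure SP."""
    queues = [[] for _ in range(8)]
    queues[queue_for(marked_local_precedence=5)].append("PC6")
    queues[queue_for(marked_local_precedence=4)].append("PC7")
    queues[queue_for(marked_local_precedence=3)].append("PC8")
    return [pkt for _, pkt in schedule(queues, [0] * 8)]


def starvation_demo():
    """Port trusting CoS under pure SP: a host tagging CoS 7 lands in queue 7
    and is fully served before a CoS 3 flow in queue 3 sends one packet."""
    queues = [[] for _ in range(8)]
    for n in range(5):                      # constructed attacker burst
        queues[queue_for(cos=7)].append(f"attacker{n}")
    for n in range(2):                      # constructed legitimate flow
        queues[queue_for(cos=3)].append(f"user{n}")
    return [pkt for _, pkt in schedule(queues, [0] * 8)]


if __name__ == "__main__":
    print("2.1.4 order:", section_2_1_4_order())
    print("CoS-trusting SP port:", starvation_demo())
```

Marking local precedence from an ACL, as section 2.1.4 does, keeps the queue choice with the switch; trusting CoS (priority-trust cos) hands it to whoever sets the 802.1p bits, and with strict priority that is a straightforward denial of service against lower queues. Giving the lower queues a non-zero WRR weight bounds the damage, because a WRR queue is served every round once the SP queues are empty.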
2.4 Referencing ACLs for Other Purposes
You can reference ACLs to do the following in addition to filtering packets:
- Using ACL 2000 through ACL 3999 for Telnet access control, and ACL 2000 through ACL 2999 for SNMP/Web login control.
- Using ACL 2000 through ACL 3999 as match criteria in routing policies.
- Using ACL 2000 through ACL 3999 for routing information filtering.
- Using ACL 2000 through ACL 2999 for filtering the routing entries to be displayed.
- Using ACL 2000 through ACL 2999 for filtering the FIB entries to be displayed.
- Using ACL 2000 through ACL 2999 to control access to a TFTP server.