H3C Low-End Ethernet Switches Configuration Examples(V1.04)


QACL Configuration Examples

Keywords: ACL, QoS

Abstract: This document describes QACL configurations on Ethernet switches in actual networking environments. To satisfy different user needs, the document covers various functions and applications like time-based ACLs, traffic policing, priority re-marking, queue scheduling, traffic measurement, port redirection, local traffic mirroring, and WEB Cache redirection.

Acronyms: access control list (ACL), quality of service (QoS)

 


Chapter 1  QACL Overview

1.1  Supported QACL Functions

1.1.1  ACL/QoS Functions Supported by H3C Low-End Ethernet Switches

Table 1-1 ACL/QoS functions supported by H3C low-end ethernet switches

Models covered: S3600-EI, S3600-SI, S5600, S5100-EI, S5100-SI, S3100-SI

Function                                               Models marked as supported (of the six)
Basic ACL                                              6
Advanced ACL                                           6
Layer 2 ACL                                            4
User-defined ACL                                       3
Software-based ACL referenced by upper-layer software  6
Apply hardware-based ACL to hardware                   4
Traffic classification                                 4
Priority re-marking                                    4
Port rate limiting                                     5
Traffic policing                                       4
Traffic shaping                                        1
Port redirection                                       4
Queue scheduling                                       6
Congestion avoidance                                   2
Local traffic mirroring                                4
Traffic measurement                                    4
WEB Cache redirection                                  1 (S3600-EI only; see the note at the start of Chapter 3)

Note:

In the original table a mark in a model's column means that the function is supported on that model, and a blank cell means that it is not supported. The per-model columns did not survive conversion to text, so only the number of models marked as supported is reproduced here. For details on the ACL/QoS functions supported by each model, refer to the corresponding operation manual.

 

1.2  Configuration Guide

 

Note:

- ACL/QoS configuration varies with switch models. The configuration below takes an H3C S3600 Ethernet Switch as an example. For ACL/QoS configuration on other switches, refer to the corresponding user manuals.

- The section below only lists basic configuration steps. For the operating principle and detailed information of each function, refer to the operation manual and command manual of each product.

 

Table 1-2 Configure ACL/QoS in system view

Create an ACL and enter ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Remarks: By default, the matching order is config. Layer 2 ACLs and user-defined ACLs do not support match-order.

Define an ACL rule
  Command: rule [ rule-id ] { permit | deny } rule-string
  Remarks: The parameters (criteria) available for rule-string vary with ACL types. For details, refer to the corresponding command manual.

Configure a queue scheduling algorithm in system view
  Command: queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight }
  Remarks:
  - If the weight or minimum bandwidth of a queue is set to 0 in the WRR or WFQ approach, strict priority queuing applies to that queue.
  - By default, the WRR queue scheduling algorithm is used for all outbound queues on a port. The default weights are 1:2:3:4:5:9:13:15.
  - The queue scheduling algorithm defined using the queue-scheduler command in system view works on all ports.

Configure congestion avoidance
  Command: wred queue-index qstart probability

 

Table 1-3 Configure ACL/QoS in port view

Apply an ACL on a port
  Command: packet-filter { inbound | outbound } acl-rule

Configure the switch to trust the priority of received packets
  Command: priority trust
  Remarks: The switch trusts the priority carried in received packets instead of the priority of the port.

Configure port-based rate limit
  Command: line-rate { inbound | outbound } target-rate
  Remarks: The granularity is 64 kbps. If the entered value lies between N×64 and (N+1)×64 (N is a natural number), the switch uses (N+1)×64.

Reference an ACL for traffic identification, and re-assign a priority to the matching packets
  Command: traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }*
  Remarks: You can re-mark the IP precedence, 802.1p priority, and DSCP priority of packets, and the local precedence (the local queue priority).

Configure traffic policing
  Command: traffic-limit inbound acl-rule target-rate [ exceed action ]
  Remarks: exceed action specifies the action taken on the excess packets when the traffic exceeds the preset limit.
  - drop: Drop the excess packets.
  - remark-dscp value: Re-set the DSCP priority and forward the packets.

Configure a queue scheduling algorithm in port view
  Command: queue-scheduler { wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight }
  Remarks:
  - The queue scheduling algorithm defined using the queue-scheduler command in Ethernet port view works on the current port only.
  - When the WRR or WFQ queue scheduling algorithm is defined globally, you can modify the weight or bandwidth in port view if the global per-queue weight or bandwidth does not satisfy the needs of a port.
  - Queue weights or bandwidths defined in port view take priority over the global settings.
  - Queue weights or bandwidths defined in port view are not shown by the display queue-scheduler command.

Configure redirection
  Command: traffic-redirect { inbound | outbound } acl-rule { cpu | interface interface-type interface-number }
  Remarks: A packet redirected to the CPU is not forwarded normally.

Reference an ACL for traffic identification, and measure the traffic of the matching packets
  Command: traffic-statistic inbound acl-rule
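The queue-scheduler remarks above (weight 0 means strict priority, the remaining queues share the port by WRR, queue 7 is served before queue 0) are easier to reason about with a small model. The following Python scheduler is an added example written for this page, not H3C software; it assumes that within one WRR round the queues are visited from queue 7 down to queue 0, which the page does not state, and it ignores WFQ and packet sizes.

```python
"""Model of the per-port queue-scheduler behaviour described in Tables 1-2/1-3
(added example, not H3C code).

Eight outbound queues per port, queue 7 has the highest priority. A queue whose
WRR weight is 0 is served with strict priority; the remaining queues share the
port by WRR, each sending up to 'weight' packets per round.
Assumption: within one WRR round the queues are visited from 7 down to 0.
"""
from collections import deque

DEFAULT_WEIGHTS = [1, 2, 3, 4, 5, 9, 13, 15]      # queue 0 .. queue 7, per Table 1-2
PORT_G1_1_2_WEIGHTS = [1, 1, 1, 5, 1, 10, 1, 15]  # 'queue-scheduler wrr 1 1 1 5 1 10 1 15'


class PortScheduler:
    def __init__(self, weights):
        if len(weights) != 8:
            raise ValueError("a port has exactly eight outbound queues")
        self.weights = list(weights)
        self.queues = [deque() for _ in range(8)]
        # Weight 0 selects strict priority; higher queue index is served first.
        self.sp_queues = [q for q in range(7, -1, -1) if self.weights[q] == 0]
        self.wrr_queues = [q for q in range(7, -1, -1) if self.weights[q] > 0]
        self._round = []  # remaining (queue, credit) pairs of the current WRR round

    def enqueue(self, queue_index, packet):
        self.queues[queue_index].append(packet)

    def _next_wrr(self):
        # Serve the current round; when it is exhausted start a new one (once).
        for _ in range(2):
            while self._round:
                q, credit = self._round[0]
                if self.queues[q] and credit > 0:
                    self._round[0] = (q, credit - 1)
                    return self.queues[q].popleft()
                self._round.pop(0)  # queue empty or credit used up: move on
            self._round = [(q, self.weights[q]) for q in self.wrr_queues]
        return None

    def dequeue(self):
        """Pick the next packet to transmit: SP queues first, then WRR."""
        for q in self.sp_queues:
            if self.queues[q]:
                return self.queues[q].popleft()
        return self._next_wrr()


def served_per_queue(weights, packets_per_queue, steps):
    """Give every queue the same backlog and count what each queue sends in 'steps' slots."""
    sched = PortScheduler(weights)
    for q in range(8):
        for n in range(packets_per_queue):
            sched.enqueue(q, (q, n))  # packets are (queue, sequence) tuples
    counts = [0] * 8
    for _ in range(steps):
        pkt = sched.dequeue()
        if pkt is None:
            break
        counts[pkt[0]] += 1
    return counts


if __name__ == "__main__":
    # One full round with the weights from section 2.3.3 sends exactly the weights.
    print(served_per_queue(PORT_G1_1_2_WEIGHTS, 20, sum(PORT_G1_1_2_WEIGHTS)))
    # Setting queue 4 to weight 0 makes it strict priority: it starves the others
    # for as long as it has packets.
    print(served_per_queue([1, 1, 1, 5, 0, 10, 1, 15], 20, 20))
```

With all queues backlogged, one WRR round of 35 slots serves each queue exactly its weight (1:1:1:5:1:10:1:15); with a weight of 0 on queue 4, that queue takes every slot until it is empty, which is the SP+WRR behaviour described in precaution 2 of section 2.6 and the reason a weight of 0 should be reserved for genuinely latency-critical traffic.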

 


Chapter 2  Examples of QACL Configuration

2.1  Network Environment

Figure 2-1 Network topology

Figure 2-1 shows the network topology of a company. The environment is as follows:

- An S3600 switch serves as the central switch of the company. The software version is Release 1510.

- The devices within the company gain access to the Internet through Server1, which is attached to the port GigabitEthernet1/1/1.

- Server2, Server3, and Server4 are the data server, mail server, and file server of the company respectively. They are connected to the port GigabitEthernet1/1/2.

- The Data Detect Server is connected to the port Ethernet1/0/20.

- PC1, PC2, PC3, and PC4 are clients of the company, and are connected to the ports Ethernet1/0/1, Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 respectively.

2.2  Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example

2.2.1  Network Requirements

The company gains access to the Internet through Server1. The requirements are as follows:

- During the period from 8:30 to 18:30 on workdays, the clients are not allowed to access the Internet through HTTP. In other periods, the clients are allowed to access the Internet. The maximum access traffic is 100 Mbps.

- For the packets with the IP precedence of 7 that are sent by PC 1, the allowed maximum rate is 20 Mbps. The DSCP priority of such packets at rates higher than 20 Mbps is modified to EF.

- For the packets with the CoS priority of 5 that are sent by PC 2, the allowed maximum rate is 10 Mbps. Such packets at rates higher than 10 Mbps are discarded.

2.2.2  Network Diagram

Figure 2-2 Network diagram for configuration of time-based ACL plus port-based bandwidth limiting plus traffic policing

2.2.3  Configuration Procedure

# Create time range a001, defining the office hours on working days.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range a001 8:30 to 18:00 working-day

# Create time range a002, defining off hours.

[H3C] time-range a002 00:00 to 8:30 working-day

[H3C] time-range a002 18:00 to 24:00 working-day

[H3C] time-range a002 00:00 to 24:00 off-day

# Define ACL 3010: Forbid the clients to access the Internet through HTTP during the time range a001; classify and mark the packets with the IP priority of 7 generated when PC 1 accesses the Internet during non-workday periods.

[H3C] acl number 3010

[H3C-acl-adv-3010] rule 0 deny tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001

[H3C-acl-adv-3010] rule 1 permit ip source 10.0.0.10 0 precedence 7 time-range a002

[H3C-acl-adv-3010] quit

# Define ACL 4010: Classify and mark the packets with the CoS priority of 5 generated when PC 2 accesses the Internet during non-work periods.

[H3C] acl number 4010

[H3C-acl-ethernetframe-4010] rule 0 permit cos 5 source 0012-0990-2241 ffff-ffff-ffff time-range a002

[H3C-acl-ethernetframe-4010] quit

# Apply rule 0 of ACL 3010 to the port GigabitEthernet1/1/1 connected to Server1, and limit the rate at which clients access the Internet to 100 Mbps.

[H3C] interface GigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] packet-filter outbound ip-group 3010 rule 0

[H3C-GigabitEthernet1/1/1] line-rate outbound 102400

[H3C-GigabitEthernet1/1/1] quit

# Perform traffic policing for the packets marked rule 1 of ACL 3010 on the port Ethernet1/0/1 connected to PC 1, and modify the DSCP priority of the excess packets to EF.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] traffic-limit inbound ip-group 3010 rule 1 20480 exceed remark-dscp ef

[H3C-Ethernet1/0/1] quit

# Perform traffic policing for the packets marked rule 0 of ACL 4010 on the port Ethernet1/0/2 connected to PC 2, set the maximum traffic rate to 10 Mbps, and discard the excess packets.

[H3C] interface Ethernet 1/0/2

[H3C-Ethernet1/0/2] traffic-limit inbound link-group 4010 rule 0 10240 exceed drop

Note: The traffic-limit command works only with the permit rules in ACLs.
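To see how the two time ranges and the rules of ACL 3010 combine before committing them to a switch, the following Python model evaluates the ACL against constructed sample packets. It is an added example written for this page, not H3C software. It assumes that working-day means Monday to Friday and off-day Saturday and Sunday, that a period "HH:MM to HH:MM" includes its start and excludes its end (so 18:00 falls into a002, not a001), and it models only the rule fields used on this page with first-match semantics.

```python
"""Model of the time-based ACL 3010 from section 2.2 (added example, not H3C code).

Assumptions: 'working-day' is Monday..Friday and 'off-day' Saturday/Sunday;
a period 'HH:MM to HH:MM' is half-open (start inclusive, end exclusive); only
the rule fields used on this page are modelled; the first matching rule wins.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

WORKING_DAY = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday=0 .. Friday=4
OFF_DAY = {5, 6}               # Saturday, Sunday


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


@dataclass
class TimeRange:
    """One named time range; each period is (start_min, end_min, weekdays)."""
    name: str
    periods: list = field(default_factory=list)

    def add(self, start: str, end: str, days: set) -> "TimeRange":
        self.periods.append((_minutes(start), _minutes(end), days))
        return self

    def active(self, at: datetime) -> bool:
        t = at.hour * 60 + at.minute
        return any(s <= t < e and at.weekday() in d for s, e, d in self.periods)


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp", or "ip" (any IP protocol)
    source: Optional[str] = None     # host address (wildcard 0 on the page)
    destination: Optional[str] = None
    dest_port: Optional[int] = None
    precedence: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, at: datetime) -> bool:
        if self.protocol not in (None, "ip") and pkt["protocol"] != self.protocol:
            return False
        if self.source is not None and pkt["src"] != self.source:
            return False
        if self.destination is not None and pkt["dst"] != self.destination:
            return False
        if self.dest_port is not None and pkt.get("dport") != self.dest_port:
            return False
        if self.precedence is not None and pkt.get("precedence") != self.precedence:
            return False
        if self.time_range is not None and not self.time_range.active(at):
            return False
        return True


def evaluate(rules: list, pkt: dict, at: datetime) -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule.matches(pkt, at):
            return rule.action
    return None


# Time ranges and ACL 3010 as configured in section 2.2.3.
A001 = TimeRange("a001").add("8:30", "18:00", WORKING_DAY)
A002 = (TimeRange("a002")
        .add("00:00", "8:30", WORKING_DAY)
        .add("18:00", "24:00", WORKING_DAY)
        .add("00:00", "24:00", OFF_DAY))

ACL_3010 = [
    Rule(0, "deny", "tcp", destination="10.0.0.1", dest_port=80, time_range=A001),
    Rule(1, "permit", "ip", source="10.0.0.10", precedence=7, time_range=A002),
]

# Constructed sample packets: HTTP from PC1 to Server1, and a precedence-7 packet from PC1.
HTTP_FROM_PC1 = {"protocol": "tcp", "src": "10.0.0.10", "dst": "10.0.0.1", "dport": 80}
PREC7_FROM_PC1 = {"protocol": "udp", "src": "10.0.0.10", "dst": "10.0.0.1", "precedence": 7}

if __name__ == "__main__":
    monday_noon = datetime(2024, 1, 8, 12, 0)     # working day, inside a001
    monday_evening = datetime(2024, 1, 8, 19, 0)  # working day, inside a002
    print(evaluate(ACL_3010, HTTP_FROM_PC1, monday_noon))      # deny
    print(evaluate(ACL_3010, HTTP_FROM_PC1, monday_evening))   # None: no rule matches
    print(evaluate(ACL_3010, PREC7_FROM_PC1, monday_evening))  # permit
```

Note that on the switch each command references a single rule (for example packet-filter outbound ip-group 3010 rule 0), so the practical check is whether that one rule matches; evaluating the whole ACL as above is still useful for confirming that the two time ranges really are complementary and that no packet can satisfy both rules at once.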

2.3  Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus Congestion Avoidance plus Packet Priority Trust

2.3.1  Network Requirements

Server2, Server3, and Server4 are the data server, mail server and file server of the company respectively. The detailed requirements are as follows:

- The switch first processes the packets accessing the data server, then the packets accessing the mail server, and finally the packets accessing the file server.

- Configure the port GigabitEthernet1/1/2 to use the WRR queue scheduling algorithm, and configure the weights of the outbound queues as 1:1:1:5:1:10:1:15.

- Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to use WRED: discard subsequent packets at random when the queue holds more than 64 packets, with a discard probability of 20%.

- Configure the port Ethernet1/0/3 to trust the priority carried in packets rather than the priority of the port.

2.3.2  Network Diagram

Figure 2-3 Network diagram for configuration of priority re-marking plus queue scheduling algorithm plus congestion avoidance plus packet priority trust

2.3.3  Configuration Procedure

# Define ACL 3020: Classify and mark packets according to their destination IP addresses.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] acl number 3020

[H3C-acl-adv-3020] rule 0 permit ip destination 10.0.0.2 0

[H3C-acl-adv-3020] rule 1 permit ip destination 10.0.0.3 0

[H3C-acl-adv-3020] rule 2 permit ip destination 10.0.0.4 0

[H3C-acl-adv-3020] quit

# Re-mark priority for the packets on the port GigabitEthernet1/1/2 that match the rules in ACL 3020.

[H3C] interface GigabitEthernet 1/1/2

[H3C-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 0 local-precedence 7

[H3C-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 1 local-precedence 5

[H3C-GigabitEthernet1/1/2] traffic-priority outbound ip-group 3020 rule 2 local-precedence 3

# Configure the WRR queue scheduling algorithm on the port GigabitEthernet1/1/2, and configure the weight of outbound queues as 1:1:1:5:1:10:1:15.

[H3C-GigabitEthernet1/1/2] queue-scheduler wrr 1 1 1 5 1 10 1 15

# Configure the queue with an index of 4 on the port GigabitEthernet1/1/2 to use WRED: Discard subsequent packets at random when the queue is more than 64 packets in size, and configure the probability of discarding as 20%.

[H3C-GigabitEthernet1/1/2] wred 4 64 20

[H3C-GigabitEthernet1/1/2] quit

# Configure the port Ethernet1/0/3 connected to PC 3 to trust the 802.1p priority carried by packets.

[H3C] interface Ethernet 1/0/3

[H3C-Ethernet1/0/3] priority trust

Note: The traffic-priority command works only with the permit rules in ACLs.

2.4  Configuration Example of Traffic Measurement plus Port Redirection

2.4.1  Network Requirements

The Data Detect Server is connected to the port Ethernet1/0/20. The detailed requirements are as follows:

- Measure the HTTP traffic generated by Internet access through the port Ethernet1/0/1 during non-workday periods.

- Redirect all the HTTP traffic generated by Internet access through the port Ethernet1/0/1 during the workday period to the port Ethernet1/0/20.

2.4.2  Network Diagram

Figure 2-4 Network diagram for configuration of traffic measurement plus port redirection

2.4.3  Configuration Procedure

# Configure a workday period.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range a001 8:30 to 18:00 working-day

# Configure non-workday periods.

[H3C] time-range a002 00:00 to 8:30 working-day

[H3C] time-range a002 18:00 to 24:00 working-day

[H3C] time-range a002 00:00 to 24:00 off-day

# Define ACL 3030: Classify the packets accessing the Internet through HTTP according to periods.

[H3C] acl number 3030

[H3C-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001

[H3C-acl-adv-3030] rule 1 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a002

# Configure traffic redirection on the port Ethernet1/0/1: Redirect all the HTTP traffic generated by Internet access during workday period to the port Ethernet1/0/20.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] traffic-redirect inbound ip-group 3030 rule 0 interface Ethernet 1/0/20

# Measure the HTTP traffic generated by Internet access during non-workday periods on the port Ethernet1/0/1.

[H3C-Ethernet1/0/1] traffic-statistic inbound ip-group 3030 rule 1

Note: The traffic-redirect and traffic-statistic commands work only with the permit rules in ACLs.

2.5  Configuration Example of Local Traffic Mirroring

2.5.1  Network Requirements

The Data Detect Server is connected to the port Ethernet1/0/20. All the packets accessing the Internet through the ports Ethernet1/0/1 and Ethernet1/0/2 using HTTP during workday period must be mirrored to the port Ethernet1/0/20. Then, the Data Detect Server analyzes the packets.

2.5.2  Network Diagram

Figure 2-5 Network diagram for configuration of traffic mirroring

2.5.3  Configuration Procedure

# Configure a workday period.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] time-range a001 8:30 to 18:00 working-day

# Define ACL 3030: Classify the packets accessing the Internet through HTTP during workday period.

[H3C] acl number 3030

[H3C-acl-adv-3030] rule 0 permit tcp destination 10.0.0.1 0 destination-port eq 80 time-range a001

[H3C-acl-adv-3030] quit

# Configure the port Ethernet1/0/20 as the mirroring destination port.

[H3C] interface Ethernet 1/0/20

[H3C-Ethernet1/0/20] monitor-port

[H3C-Ethernet1/0/20] quit

# Configure traffic mirroring on the ports Ethernet1/0/1 and Ethernet1/0/2: identify the traffic through rule 0 of ACL 3030 defined above (a permit rule, as the mirrored-to command requires), and mirror the matching packets to the destination port Ethernet1/0/20.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] mirrored-to inbound ip-group 3030 rule 0 monitor-interface

[H3C-Ethernet1/0/1] quit

[H3C] interface Ethernet 1/0/2

[H3C-Ethernet1/0/2] mirrored-to inbound ip-group 3030 rule 0 monitor-interface

Note: The mirrored-to command works only with the permit rules in ACLs.

2.6  Precautions

Note the following points during the configurations:

1)         When ACL rules are applied to a port, the match order of multiple rules in an ACL depends on the hardware of the switch. For the S3600 Series Ethernet Switches, the match order is “first applied, last matched”. Even if you configure a match order when defining an ACL, it does not take effect.

2)         Each port supports eight outbound queues. Queue 7 has the highest priority and queue 0 the lowest. When the SP+WRR queue scheduling algorithm is applied on a port, the switch first schedules the queue with the weight of 0. If that queue has no packets to send, the switch performs WRR scheduling for the remaining queues. When the SP+WFQ queue scheduling algorithm is applied on a port, the switch first schedules the queue with the bandwidth of 0. If that queue has no packets to send, the switch performs WFQ scheduling for the remaining queues.

3)         The switch can be configured with multiple mirroring source ports but only one mirroring destination port. It is recommended to use the mirroring destination port only for forwarding mirrored traffic rather than as a service port. Otherwise, normal services may be affected.

4)         The traffic-limit, traffic-priority, traffic-redirect, and mirrored-to commands can work only on the permit rules in ACLs.

5)         For the TCP/UDP port in an advanced ACL, only the eq operator is supported.

6)         For a Layer 2 ACL, the format-type (including 802.3/802.2, 802.3, ether_ii, and snap) parameter is not supported.

7)         All redirected packets will be tagged no matter whether the egress port is tagged.

8)         When configuring a user-defined ACL, consider the following points for the offset length:

- All the packets that are processed by the switch internally carry a VLAN tag. One VLAN tag is four bytes in length.

- If the VLAN VPN function is disabled, all the packets that are processed by the switch internally carry one VLAN tag.

- If the VLAN VPN function is enabled on a port, the switch adds another layer of VLAN tag to the packets received on all ports. Whether or not the packets carried a VLAN tag originally, they then have two layers of VLAN tags.

The table below lists the common protocol types and offset.

Table 2-1 Common protocol types and offsets

Protocol type   Protocol number   Offset (VLAN VPN disabled)   Offset (VLAN VPN enabled)
ARP             0x0806            16                           20
RARP            0x8035            16                           20
IP              0x0800            16                           20
IPX             0x8137            16                           20
AppleTalk       0x809B            16                           20
ICMP            0x01              27                           31
IGMP            0x02              27                           31
TCP             0x06              27                           31
UDP             0x17              27                           31

 
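The offsets in Table 2-1 follow from the frame layout the bullets above describe: 12 bytes of MAC addresses, 4 bytes per VLAN tag, then the 2-byte protocol type, and the IPv4 Protocol field 9 bytes into the IP header. The following Python check, an added example written for this page and not H3C software, builds constructed single-tagged and double-tagged IPv4/TCP frames, reads the fields at the table's offsets, and confirms the two offset columns against that layout; the MAC and IP addresses in it are constructed sample values.

```python
"""Worked check of the user-defined ACL offsets in Table 2-1 (added example, not H3C code).

A user-defined ACL matches bytes at a fixed offset into the frame as the switch
holds it internally, i.e. always with at least one 802.1Q tag (two with VLAN VPN).
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 0x06

# (name, protocol number, offset with VLAN VPN disabled, offset with VLAN VPN enabled)
TABLE_2_1 = [
    ("ARP", 0x0806, 16, 20), ("RARP", 0x8035, 16, 20), ("IP", 0x0800, 16, 20),
    ("IPX", 0x8137, 16, 20), ("AppleTalk", 0x809B, 16, 20),
    ("ICMP", 0x01, 27, 31), ("IGMP", 0x02, 27, 31), ("TCP", 0x06, 27, 31),
    ("UDP", 0x17, 27, 31),  # protocol number reproduced as printed on the page
]


def build_frame(vlan_ids, ethertype=ETH_P_IP, ip_proto=IPPROTO_TCP):
    """Dst MAC, src MAC, one 802.1Q tag per VLAN id, EtherType, minimal IPv4 header, padding."""
    dst = bytes.fromhex("001209902250")  # constructed sample addresses
    src = bytes.fromhex("001209902241")
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid) for vid in vlan_ids)
    # 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, ip_proto, 0,
                         bytes([10, 0, 0, 10]), bytes([10, 0, 0, 1]))
    return dst + src + tags + struct.pack("!H", ethertype) + ip_hdr + b"\x00" * 20


def ethertype_offset(vlan_vpn_enabled):
    """12 bytes of MAC addresses plus 4 bytes per VLAN tag (one tag, or two with VLAN VPN)."""
    return 12 + 4 * (2 if vlan_vpn_enabled else 1)


def ip_protocol_offset(vlan_vpn_enabled):
    """Skip the 2-byte EtherType, then 9 bytes into the IPv4 header to the Protocol field."""
    return ethertype_offset(vlan_vpn_enabled) + 2 + 9


def field_at(frame, offset, length):
    """Big-endian integer value of 'length' bytes at 'offset' in the frame."""
    return int.from_bytes(frame[offset:offset + length], "big")


def table_mismatches():
    """Rows of Table 2-1 whose offsets disagree with the layout formulas (empty if all agree)."""
    bad = []
    for name, number, off_off, off_on in TABLE_2_1:
        layer2 = number > 0xFF  # EtherType values are 16-bit; IP protocol numbers fit in a byte
        expect = (ethertype_offset(False), ethertype_offset(True)) if layer2 \
            else (ip_protocol_offset(False), ip_protocol_offset(True))
        if (off_off, off_on) != expect:
            bad.append(name)
    return bad


if __name__ == "__main__":
    one_tag = build_frame([10])        # VLAN VPN disabled: a single tag
    two_tags = build_frame([100, 10])  # VLAN VPN enabled: outer tag added by the switch
    print(hex(field_at(one_tag, 16, 2)), hex(field_at(one_tag, 27, 1)))    # 0x800 0x6
    print(hex(field_at(two_tags, 20, 2)), hex(field_at(two_tags, 31, 1)))  # 0x800 0x6
    print("table mismatches:", table_mismatches())                         # []
```

Because the offsets shift by four bytes as soon as VLAN VPN is enabled on a port, a user-defined ACL written for the single-tag layout silently matches the wrong bytes afterwards; re-checking the offsets against a captured frame, as this script does against a constructed one, is the cheap way to catch that before the rule is applied.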

2.7  Other Functions Referencing ACL Rules

Other functions that reference ACL rules are as follows:

- Telnet/SNMP/WEB login user control. For Telnet users, ACLs 2000 to 4999 may be referenced, and for SNMP/WEB users, ACLs 2000 to 2999 may be referenced.

- ACLs 2000 to 3999 can be referenced for routing policy match.

- ACLs 2000 to 3999 can be referenced for filtering route information.

- ACLs 2000 to 3999 can be referenced for displaying the routing entries that match an ACL rule.

- ACLs 2000 to 3999 can be referenced for displaying the FIB entries that match an ACL rule.

- ACLs 2000 to 3999 can be referenced for connecting a TFTP client to the TFTP server.

The functions that reference system ACL rules include:

- 802.1x function (after 802.1x is enabled globally and on a port, ACL rules are referenced and applied)

- Cluster function (enabled by default; ACL rules are referenced and applied to all ports). ACL 3998 and ACL 3999 are reserved for cluster management and cannot be configured.

- DHCP snooping (after the function is enabled, ACL rules are referenced and applied to all ports)

- Port isolation (if the function is configured and a virtual interface is available, ACL rules are referenced and applied)

- MAC+IP port binding (after the function is configured on a port, ACL rules are referenced and applied)

- Flexible QinQ (after this function is configured on a port, the ACL rules within the configured range are referenced and applied)

- Voice VLAN (if Voice VLAN is enabled on a port and an OUI MAC address is available, ACL rules are referenced and added)

 


Chapter 3  Configuration Example of WEB Cache Redirection

 

Note:

Currently, only the S3600-EI Series Ethernet Switches support the WEB Cache redirection function.

 

3.1  Configuration Example of WEB Cache Redirection

3.1.1  Network Requirements

Figure 3-1 shows the network topology of a company. The environment is as follows:

- An S3600 switch serves as the central switch of the company. The software version is Release 1510.

- The market department gains access to the switch through the port Ethernet1/0/1. It belongs to VLAN 10, and the network segment is 192.168.1.1/24.

- The R&D department gains access to the switch through the port Ethernet1/0/2. It belongs to VLAN 20, and the network segment is 192.168.2.1/24.

- The administrative department gains access to the switch through the port Ethernet1/0/3. It belongs to VLAN 30, and the network segment is 192.168.3.1/24.

- The WEB Cache Server gains access to the switch through the port Ethernet1/0/4. It belongs to VLAN 40, and the network segment is 192.168.4.1/24. The IP address of the WEB Cache Server is 192.168.4.2, and its MAC address is 0012-0990-2250.

The WEB Cache redirection function is enabled on the switch, and all the packets of the market department, R&D department, and administrative department are redirected to the WEB Cache Server, so as to relieve the load from the connection links of the WAN, and improve the speed of Internet access.

3.1.2  Network Diagram

Figure 3-1 Network diagram for configuration of WEB Cache redirection

3.1.3  Configuration Procedure

# Create VLAN 10 for the market department, and assign an IP address 192.168.1.1 to the VLAN interface 10.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 10

[H3C-vlan10] port Ethernet 1/0/1

[H3C-vlan10] quit

[H3C] interface Vlan-interface 10

[H3C-Vlan-interface10] ip address 192.168.1.1 24

[H3C-Vlan-interface10] quit

# Create VLAN 20 for the R&D department, and assign an IP address 192.168.2.1 to the VLAN interface 20.

[H3C] vlan 20

[H3C-vlan20] port Ethernet 1/0/2

[H3C-vlan20] quit

[H3C] interface Vlan-interface 20

[H3C-Vlan-interface20] ip address 192.168.2.1 24

[H3C-Vlan-interface20] quit

# Create VLAN 30 for the administrative department, and assign an IP address 192.168.3.1 to the VLAN interface 30.

[H3C] vlan 30

[H3C-vlan30] port Ethernet 1/0/3

[H3C-vlan30] quit

[H3C] interface Vlan-interface 30

[H3C-Vlan-interface30] ip address 192.168.3.1 24

[H3C-Vlan-interface30] quit

# Create VLAN 40 for the WEB Cache Server, and assign an IP address 192.168.4.1 to the VLAN interface 40.

[H3C] vlan 40

[H3C-vlan40] port Ethernet 1/0/4

[H3C-vlan40] quit

[H3C] interface Vlan-interface 40

[H3C-Vlan-interface40] ip address 192.168.4.1 24

[H3C-Vlan-interface40] quit

# Enable the WEB Cache redirection function, and redirect all the HTTP packets received on VLAN 10, VLAN 20 and VLAN 30 to the WEB Cache Server.

[H3C] webcache address 192.168.4.2 mac 0012-0990-2250 vlan 40 port Ethernet 1/0/4

[H3C] webcache redirect-vlan 10

[H3C] webcache redirect-vlan 20

[H3C] webcache redirect-vlan 30

Note: The VLAN interface 40, VLAN interface 10, VLAN interface 20, and VLAN interface 30 must be in UP state. Otherwise, the WEB Cache redirection function will not work.