01-QoS Commands
Table of Contents
1.1.2 display qos conform-level
1.1.3 display qos cos-drop-precedence-map
1.1.4 display qos cos-local-precedence-map
1.1.5 display qos-interface all
1.1.6 display qos-interface drop-mode
1.1.7 display qos-interface mirrored-to
1.1.8 display qos-interface queue-scheduler
1.1.9 display qos-interface traffic-limit
1.1.10 display qos-interface traffic-priority
1.1.11 display qos-interface traffic-redirect
1.1.12 display qos-interface traffic-shape
1.1.13 display qos-interface traffic-statistic
1.1.23 qos cos-drop-precedence-map
1.1.24 qos cos-local-precedence-map
1.1.27 reset traffic-statistic
Chapter 2 Port Tokens Configuration Commands
2.1 Port Tokens Configuration Commands
Chapter 3 WAN QoS Configuration Commands
3.1 WAN QoS Configuration Commands
Chapter 4 ACL Control Commands to Control Login Users
4.1 ACL Control Commands to Control Login Users
Chapter 5 VLAN-ACL Configuration Commands
5.1 VLAN-ACL Configuration Commands
5.1.2 display qos-vlan traffic-limit
5.1.3 display qos-vlan traffic-priority
5.1.4 display qos-vlan traffic-redirect
5.1.5 display qos-vlan traffic-statistic
5.1.6 display vlan-acl-member-ports
5.1.9 port can-access vlan-acl
Chapter 6 EACL Configuration Commands
6.1 EACL Configuration Commands
Chapter 7 Global ACL Configuration Commands
7.1 Global ACL Configuration Commands
7.1.2 flow-template user-defined
Chapter 8 WAN-ACL Configuration Commands
8.1 WAN-ACL Configuration Commands
8.1.1 display acl running-packet-filter
Chapter 1 QoS Commands
1.1 QoS Commands
Caution:
- Service processor cards do not support Layer 2 ACL.
- The four ports (numbered 0 to 3) on an XP4B or XP4CA card each support four queues (queue 0 to 3) and support the configuration for queue scheduling.
- The following configurations can only be performed on port 0 and 2: applying user-defined flow template, configuring port local precedence, packet filtering, priority marking, traffic policing, traffic redirecting, traffic mirroring, and traffic accounting. When such a configuration is performed on port 0, it takes effect on both port 0 and 1. Likewise, when such a configuration is performed on port 2, it takes effect on both port 2 and 3.
- With traffic policing configured on an XP4B or XP4CA card, port 0 and 1 share the same bandwidth, and port 2 and 3 do likewise. That is, port 0 and 1 share the traffic parameter settings on port 0, and port 2 and 3 share the traffic parameter settings on port 2.
- On an XP4B or XP4CA card, executing the traffic-statistic command on port 0 will collect traffic statistics on both port 0 and 1, and executing the command on port 2 will collect traffic statistics on both port 2 and 3.
- Ports on XP4B and XP4CA cards do not support traffic shaping (the traffic-shape command).
1.1.1 display mirroring-group
Syntax
display mirroring-group [ groupid ]
View
Any view
Parameters
groupid: Mirroring group ID, in the range of 1 to 24.
Description
Use the display mirroring-group command to view the configuration of a port mirroring group. The information displayed includes the mirroring ports, direction of monitored packets, and monitor ports.
Related commands: mirroring-group.
Examples
# Display the parameter configuration of a port mirroring group.
<H3C> display mirroring-group
mirroring-group 1 inbound Ethernet6/1/1 mirrored-to Ethernet6/1/2
1.1.2 display qos conform-level
Syntax
display qos conform-level [ conform-level-value ] { dscp-policed-service-map [ dscp-list ] | exp-policed-service-map | local-precedence-cos-map }
View
Any view
Parameters
conform-level-value: Conform level, in the range of 0 to 2. If a conform level is specified, only the specified mapping table for the conform level is displayed. If no conform level is specified, the mapping tables of the specified type for all the conform levels are displayed.
dscp-policed-service-map [ dscp-list ]: Displays the DSCP-to-services mapping table for the specified conform level or displays all DSCP-to-services mapping tables if no conform level is specified. The dscp-list argument can be a single DSCP or a range of DSCPs separated by spaces, for example, 0 8 10 16. If the dscp-list argument is specified, only the mapping entries for the specified DSCP(s) will be displayed; if not, the entire DSCP-to-service mapping table or tables are displayed.
exp-policed-service-map: Displays the EXP-to-services mapping table for the specified conform level or displays all EXP-to-services mapping tables if no conform level is specified. EXP is the priority field of MPLS packets.
local-precedence-cos-map: Displays the local precedence-to-802.1p mapping table for the specified conform level or displays all local precedence-to-802.1p mapping tables if no conform level is specified.
Description
Use the display qos conform-level command to display QoS priority mapping tables.
Examples
# Display the DSCP-to-services mapping table for conform level 0.
<H3C> display qos conform-level 0 dscp-policed-service-map
conform-level 0 :
dscp : dscp exp cos local-precedence drop-precedence
---------------------------------------------------------------------------
0 : 0 0 0 0 0
1 : 1 0 0 0 0
2 : 2 0 0 0 0
3 : 3 0 0 0 0
4 : 4 0 0 0 0
5 : 5 0 0 0 0
6 : 6 0 0 0 0
7 : 7 0 0 0 0
8 : 8 1 1 1 0
9 : 9 1 1 1 0
10 : 10 1 1 1 0
11 : 11 1 1 1 0
12 : 12 1 1 1 0
13 : 13 1 1 1 0
14 : 14 1 1 1 0
15 : 15 1 1 1 0
16 : 16 2 2 2 0
17 : 17 2 2 2 0
18 : 18 2 2 2 0
19 : 19 2 2 2 0
20 : 20 2 2 2 0
21 : 21 2 2 2 0
22 : 22 2 2 2 0
23 : 23 2 2 2 0
24 : 24 3 3 3 0
25 : 25 3 3 3 0
26 : 26 3 3 3 0
27 : 27 3 3 3 0
28 : 28 3 3 3 0
29 : 29 3 3 3 0
30 : 30 3 3 3 0
31 : 31 3 3 3 0
32 : 32 4 4 4 0
33 : 33 4 4 4 0
34 : 34 4 4 4 0
…...
# Display the EXP-to-services mapping table for conform level 0.
<H3C> display qos conform-level 0 exp-policed-service-map
conform-level 0 :
exp : dscp exp cos local-precedence drop-precedence
--------------------------------------------------------------------------
0 : 2 0 0 0 0
1 : 10 1 1 1 0
2 : 18 2 2 2 0
3 : 26 3 3 3 0
4 : 34 4 4 4 0
5 : 42 5 5 5 0
6 : 50 6 6 6 0
7 : 58 7 7 7 0
# Display the local precedence-to-CoS mapping table for conform level 0.
<H3C> display qos conform-level 0 local-precedence-cos-map
conform-level 0 :
local-precedence : 0 1 2 3 4 5 6 7
--------------------------------------------------------------------------
cos : 0 1 2 3 4 5 6 7
1.1.3 display qos cos-drop-precedence-map
Syntax
display qos cos-drop-precedence-map
View
Any view
Parameters
None
Description
Use the display qos cos-drop-precedence-map command to view the CoS-drop precedence mapping table.
Examples
# Display the CoS-drop precedence mapping table.
<H3C> display qos cos-drop-precedence-map
cos-drop-precedence-map:
cos : 0 1 2 3 4 5 6 7
-------------------------------------------------------------------
drop-precedence : 2 2 1 1 1 1 0 0
1.1.4 display qos cos-local-precedence-map
Syntax
display qos cos-local-precedence-map
View
Any view
Parameters
None
Description
Use the display qos cos-local-precedence-map command to view the CoS-to-local precedence mapping table.
Examples
# Display the CoS-to-local precedence mapping table.
<H3C> display qos cos-local-precedence-map
cos-local-precedence-map:
cos : 0 1 2 3 4 5 6 7
--------------------------------------------------------------------------
local-precedence : 2 0 1 3 4 5 6 7
1.1.5 display qos-interface all
Syntax
display qos-interface [ interface-type interface-number ] all
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface all command to display all the QoS-related configurations of the specified port or all ports. The QoS-related configurations include drop mode and queue scheduling configuration.
Examples
# Display all the QoS configurations of the port Ethernet2/1/3.
<H3C> display qos-interface Ethernet2/1/3 all
Ethernet2/1/3 Port Shaping: Disable
0 kbps, 0 burst, 256 queue-depth
QID: status max-rate(kbps) burst-size(Kbyte) queue-depth
-------------------------------------------------------------------
0 : Disable 0 0 128
1 : Disable 0 0 128
2 : Disable 0 0 128
3 : Disable 0 0 128
4 : Disable 0 0 128
5 : Disable 0 0 128
6 : Disable 0 0 128
7 : Disable 0 0 128
Ethernet2/1/3 Drop-mode: tail-drop, params index: 0
Ethernet2/1/3 Port scheduling:
QID: scheduling-group weight
-----------------------------------
0 : sp 0
1 : sp 0
2 : sp 0
3 : sp 0
4 : sp 0
5 : sp 0
6 : sp 0
7 : sp 0
1.1.6 display qos-interface drop-mode
Syntax
display qos-interface [ interface-type interface-number ] drop-mode
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface drop-mode command to view drop mode configuration of output queues at a port. If no port is specified, drop mode configuration of all ports will be displayed.
Related commands: drop-mode.
Examples
# Display drop mode and parameters of the port Ethernet 2/1/2.
<H3C> display qos-interface Ethernet2/1/2 drop-mode
Ethernet2/1/2 Drop-mode: tail-drop, params index: 0
# Display the drop mode and parameters of interface Serial 4/1/1:1.
<H3C> display qos-interface Serial 4/1/1:1 drop-mode
Serial4/1/1:1 Port tail-drop:
QID: Green Yellow Red
-----------------------------------
0 : 1 5 10
1 : 511 460 408
2 : 511 460 408
3 : 511 460 408
1.1.7 display qos-interface mirrored-to
Syntax
display qos-interface [ interface-type interface-number ] mirrored-to
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface mirrored-to command to view traffic mirroring configuration of a port.
Related commands: mirrored-to.
Examples
# Display traffic mirroring configuration.
<H3C> display qos-interface mirrored-to
GigabitEthernet2/1/1: mirrored-to
Inbound:
Matches: Acl 2020 rule 0 running
Mirrored to: cpu
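A mirroring audit built on the two display layouts shown so far (display mirroring-group and display qos-interface mirrored-to). This is an added example, not code from H3C or from the original manual. The names `parse_mirrors`, `unapproved` and the approved-destination list are hypothetical, and the constructed group 2 line assumes that a multi-port group prints in the same one-line layout.

```python
import re
from dataclasses import dataclass

# Constructed sample. Group 1 and the GigabitEthernet2/1/1 entry copy the display
# examples on this page; group 2 is made up and assumes the same one-line layout.
SAMPLE_OUTPUT = """\
<H3C> display mirroring-group
mirroring-group 1 inbound Ethernet6/1/1 mirrored-to Ethernet6/1/2
mirroring-group 2 inbound Ethernet3/1/1 Ethernet3/1/2 mirrored-to Ethernet3/1/4
<H3C> display qos-interface mirrored-to
GigabitEthernet2/1/1: mirrored-to
 Inbound:
   Matches: Acl 2020 rule 0 running
   Mirrored to: cpu
"""


@dataclass(frozen=True)
class Mirror:
    kind: str          # "port" (mirroring-group) or "traffic" (ACL-based mirrored-to)
    ident: str         # group ID, or the port the ACL is applied on
    sources: tuple     # ports whose packets are copied
    direction: str     # "inbound" or "outbound"
    match: str         # ACL match text; empty for port mirroring
    destination: str   # monitor port, or the text after "Mirrored to:"


GROUP_RE = re.compile(
    r"^mirroring-group\s+(\d+)\s+(inbound|outbound)\s+(.+?)\s+mirrored-to\s+(\S+)$")
PORT_HEADER_RE = re.compile(r"^(\S+):\s+mirrored-to$")


def parse_mirrors(text):
    """Extract every mirroring entry from pasted display output."""
    mirrors = []
    port, direction, match = None, "", ""
    for raw in text.splitlines():
        line = raw.strip()  # indentation is not significant for this parser
        group = GROUP_RE.match(line)
        if group:
            gid, gdir, ports, dest = group.groups()
            mirrors.append(Mirror("port", gid, tuple(ports.split()), gdir, "", dest))
            continue
        header = PORT_HEADER_RE.match(line)
        if header:
            # A new per-port section starts; forget state from the previous one.
            port, direction, match = header.group(1), "", ""
        elif line.lower() in ("inbound:", "outbound:"):
            direction = line[:-1].lower()
        elif line.startswith("Matches:"):
            match = line.split(":", 1)[1].strip()
        elif line.startswith("Mirrored to:"):
            if port is None:
                raise ValueError("'Mirrored to:' line without a port header")
            dest = line.split(":", 1)[1].strip()
            mirrors.append(Mirror("traffic", port, (port,), direction, match, dest))
    return mirrors


def unapproved(mirrors, approved_destinations):
    """Return the entries whose destination is not on the approved list."""
    approved = {d.lower() for d in approved_destinations}
    return [m for m in mirrors if m.destination.lower() not in approved]


if __name__ == "__main__":
    # Hypothetical policy: only the monitoring port Ethernet6/1/2 is approved.
    for m in unapproved(parse_mirrors(SAMPLE_OUTPUT), {"Ethernet6/1/2"}):
        print(f"{m.kind} mirror {m.ident}: {', '.join(m.sources)} "
              f"({m.direction}) -> {m.destination} is not an approved destination")
```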
1.1.8 display qos-interface queue-scheduler
Syntax
display qos-interface [ interface-type interface-number ] queue-scheduler
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface queue-scheduler command to display queue scheduling mode and parameters of a port. If no port is specified, queue scheduling mode and the parameters of all ports will be displayed.
Related commands: queue-scheduler.
Examples
# Display queue scheduling mode and parameters.
<H3C> display qos-interface queue-scheduler
Ethernet5/1/1 Port scheduling:
QID: scheduling-group weight
-----------------------------------
0 : sp 0
1 : sp 0
2 : sp 0
3 : wrr , group1 25
4 : sp 0
5 : wrr , group2 30
6 : sp 0
7 : sp 0
Ethernet5/1/ Port scheduling:
QID: scheduling-group weight
-----------------------------------
0 : sp 0
1 : sp 0
2 : sp 0
3 : sp 0
4 : sp 0
5 : sp 0
6 : sp 0
1.1.9 display qos-interface traffic-limit
Syntax
display qos-interface [ interface-type interface-number ] traffic-limit
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface traffic-limit command to display the rate limiting configuration of the specified port or all ports.
Related commands: traffic-limit.
Examples
# Display parameter configuration of traffic rate limitation.
<H3C> display qos-interface traffic-limit
GigabitEthernet2/1/1: traffic-limit
Inbound:
Matches: Acl 2020 rule 0 running
Committed Information Rate: 1000 Kbps
Committed Burst Size: 1000 byte(s)
Excess Burst Size: 1000 byte(s)
Peak Information Rate: 0 Kbps
1.1.10 display qos-interface traffic-priority
Syntax
display qos-interface [ interface-type interface-number ] traffic-priority
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface traffic-priority command to display the priority marking configuration of the specified port or all ports.
Related commands: traffic-priority.
Examples
# Display traffic priority marking configuration.
<H3C> display qos-interface traffic-priority
GigabitEthernet2/1/1: traffic-priority
Inbound:
Matches: Acl 2021 rule 0 running
Priority action: remark-policed-service, dscp: 20
1.1.11 display qos-interface traffic-redirect
Syntax
display qos-interface [ interface-type interface-number ] traffic-redirect
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface traffic-redirect command to view the traffic redirecting configuration of the specified port or all ports.
Related commands: traffic-redirect.
Examples
# Display traffic redirecting configuration.
<H3C> display qos-interface traffic-redirect
GigabitEthernet3/1/1: traffic-redirect
Inbound:
Matches: Acl 2020 rule 0 running
Redirected to: next-hop 1.1.1.1
1.1.12 display qos-interface traffic-shape
Syntax
display qos-interface [ interface-type interface-number ] traffic-shape
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
Description
Use the display qos-interface traffic-shape command to display the traffic shaping configuration of the specified port or all ports.
Examples
# Display traffic shaping configuration.
<H3C> display qos-interface Ethernet2/1/3 traffic-shape
Ethernet2/1/3 Port Shaping: Disable
0 kbps, 0 burst, 256 queue-depth
QID: status max-rate(kbps) burst-size(Kbyte) queue-depth
-------------------------------------------------------------------
0 : Disable 0 0 128
1 : Disable 0 0 128
2 : Disable 0 0 128
3 : Disable 0 0 128
4 : Disable 0 0 128
5 : Disable 0 0 128
6 : Disable 0 0 128
7 : Disable 0 0 128
1.1.13 display qos-interface traffic-statistic
Syntax
display qos-interface traffic-statistic
display qos-interface interface-type interface-number traffic-statistic rate [ timeinterval ]
View
Any view
Parameters
interface-type interface-number: Interface type and interface number. A WAN interface or MP-group interface is allowed.
timeinterval: Interval for collecting rate statistics, ranging from 1 to 5 seconds. The default value is one second.
Description
Use the display qos-interface traffic-statistic command to view traffic statistics of a port, including the target ACL, number of calculated packets etc.
Use the display qos-interface traffic-statistic rate command to display the actual traffic rate on the port. The displayed information includes the ACL corresponding to the traffic flow to be displayed and packet speed.
Related commands: traffic-statistics.
Examples
# Display average traffic rate in the latest three seconds on Ethernet 7/1/1.
<H3C> display qos-interface Ethernet7/1/1 traffic-statistic rate 3
Ethernet7/1/1: traffic-statistic
Inbound:
Matches: Acl 3000 rule 0 running
Last 3 second(s) rate: 12,574 packet(s)/sec, 12,875,776 bit(s)/sec
# Display traffic statistics information on port GigabitEthernet 7/1/1.
<H3C> display qos-interface GigabitEthernet7/1/1 traffic-statistic
GigabitEthernet7/1/1: traffic-statistic
Inbound:
Matches: Acl 2000 rule 0 running
12002688 bytes (green 1270244416 byte(s), yellow 1895874880 byte(s), red 704683968 byte(s) )
3333270 packets (green 0 byte(s), yellow 0 byte(s), red 0 byte(s) )
1.1.14 display wred
Syntax
display wred [ wred-index ]
View
Any view
Parameters
wred-index: WRED parameter index, ranging from 0 to 3.
Description
Use the display wred command to display WRED parameters.
Related commands: wred.
Examples
# Display WRED parameters.
<H3C> display wred 0
wred 0 configuration :
QID : gmin gmax gprob ymin ymax yprob rmin rmax rprob exponent
--------------------------------------------------------------------------
0 : 76 9895 1 33 66 2 11 23 3 9
1 : 85 10601 1 37 75 2 13 27 3 9
2 : 95 11308 1 42 85 2 16 32 3 9
3 : 104 12015 1 47 94 2 18 37 3 9
4 : 114 12722 1 52 104 2 21 42 3 9
5 : 124 13429 1 57 114 2 23 47 3 9
6 : 133 14135 1 61 123 2 25 51 3 9
7 : 143 14842 1 66 133 2 28 56 3 9
<H3C> display wred
wred 0 configuration :
QID : gmin gmax gprob ymin ymax yprob rmin rmax rprob exponent
--------------------------------------------------------------------------
0 : 76 9895 1 33 66 2 11 23 3 9
1 : 85 10601 1 37 75 2 13 27 3 9
2 : 95 11308 1 42 85 2 16 32 3 9
3 : 104 12015 1 47 94 2 18 37 3 9
4 : 114 12722 1 52 104 2 21 42 3 9
5 : 124 13429 1 57 114 2 23 47 3 9
6 : 133 14135 1 61 123 2 25 51 3 9
7 : 143 14842 1 66 133 2 28 56 3 9
wred 1 configuration :
QID : gmin gmax gprob ymin ymax yprob rmin rmax rprob exponent
--------------------------------------------------------------------------
0 : 76 9895 1 33 66 2 11 23 3 9
1 : 85 10601 1 37 75 2 13 27 3 9
2 : 95 11308 1 42 85 2 16 32 3 9
3 : 104 12015 1 47 94 2 18 37 3 9
4 : 114 12722 1 52 104 2 21 42 3 9
5 : 124 13429 1 57 114 2 23 47 3 9
6 : 133 14135 1 61 123 2 25 51 3 9
7 : 143 14842 1 66 133 2 28 56 3 9
wred 2 configuration :
QID : gmin gmax gprob ymin ymax yprob rmin rmax rprob exponent
--------------------------------------------------------------------------
0 : 76 9895 1 33 66 2 11 23 3 9
1 : 85 10601 1 37 75 2 13 27 3 9
2 : 95 11308 1 42 85 2 16 32 3 9
3 : 104 12015 1 47 94 2 18 37 3 9
4 : 114 12722 1 52 104 2 21 42 3 9
5 : 124 13429 1 57 114 2 23 47 3 9
6 : 133 14135 1 61 123 2 25 51 3 9
7 : 143 14842 1 66 133 2 28 56 3 9
wred 3 configuration :
QID : gmin gmax gprob ymin ymax yprob rmin rmax rprob exponent
--------------------------------------------------------------------------
0 : 76 9895 1 33 66 2 11 23 3 9
1 : 85 10601 1 37 75 2 13 27 3 9
2 : 95 11308 1 42 85 2 16 32 3 9
3 : 104 12015 1 47 94 2 18 37 3 9
4 : 114 12722 1 52 104 2 21 42 3 9
5 : 124 13429 1 57 114 2 23 47 3 9
6 : 133 14135 1 61 123 2 25 51 3 9
7 : 143 14842 1 66 133 2 28 56 3 9
Table 1-1 Description on the fields of the display wred command
Parameter | Description |
---|---|
QID | Queue ID |
min | Lower packet threshold |
max | Higher packet threshold |
prob | Packet loss probability |
g (prefix) | Represents green packets |
y (prefix) | Represents yellow packets |
r (prefix) | Represents red packets |
exponent | Exponent value used in the formula of WRED to calculate mean queue length. |
1.1.15 drop-mode
Syntax
drop-mode { tail-drop | wred } [ wred-index ]
undo drop-mode
View
Ethernet port view
Parameters
tail-drop: Tail drop mode.
wred: WRED drop mode.
wred-index: WRED index, in the range of 0 to 3. By default, it is 0. If you omit this parameter, the system uses the parameters of WRED index 0.
Description
Use the drop-mode command to configure drop mode for a port.
Use the undo drop-mode command to restore the default drop mode, i.e. tail drop mode.
By default, tail drop mode is adopted.
When congestion occurs, the switch drops packets to release queue resources and no longer puts packets into long-delay queues. The following two drop modes are available:
- Tail drop mode: different queues (red, yellow and green) are allocated with different drop thresholds. When these thresholds are exceeded respectively, excessive packets will be dropped.
- WRED drop mode: Drop precedence is taken into account in the drop action. When only the lower threshold of a color (red, yellow, or green) is exceeded, packets in this color between the lower threshold and higher threshold are dropped randomly at a given slope. But when the higher threshold of a color (red, yellow, or green) is exceeded, all exceeding packets in this color are dropped.
Examples
# Configure Ethernet 3/1/1 to adopt the WRED drop mode, using the parameters of WRED index 0 as the thresholds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet3/1/1
[H3C-Ethernet3/1/1] drop-mode wred 0
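The per-color WRED behavior described above, modeled with the QID 0 thresholds from the display wred output. This is an added example, not H3C code. It assumes that the prob field is a percentage, that thresholds are compared against the mean queue length, and that the mean is the common exponentially weighted average avg + (current - avg) / 2^exponent; the manual states none of these explicitly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ColorProfile:
    min_th: int   # lower threshold (gmin / ymin / rmin)
    max_th: int   # higher threshold (gmax / ymax / rmax)
    prob: int     # gprob / yprob / rprob; treated as a percentage (assumption)


# QID 0 of "wred 0 configuration" as shown in the display wred example.
QID0 = {
    "green": ColorProfile(76, 9895, 1),
    "yellow": ColorProfile(33, 66, 2),
    "red": ColorProfile(11, 23, 3),
}
EXPONENT = 9  # "exponent" column of the same row


def mean_queue_length(prev_avg, current_len, exponent=EXPONENT):
    """Assumed averaging formula: a larger exponent reacts more slowly to bursts."""
    return prev_avg + (current_len - prev_avg) / (2 ** exponent)


def wred_drop_probability(avg_len, profile):
    """Drop probability for one color at a given mean queue length."""
    if avg_len <= profile.min_th:
        return 0.0          # lower threshold not exceeded: nothing is dropped
    if avg_len > profile.max_th:
        return 1.0          # higher threshold exceeded: all exceeding packets dropped
    # Between the thresholds the probability rises linearly (the "slope").
    position = (avg_len - profile.min_th) / (profile.max_th - profile.min_th)
    return position * (profile.prob / 100)


def drop_probabilities(avg_len, profiles=QID0):
    """Drop probability of every color at the same mean queue length."""
    return {color: wred_drop_probability(avg_len, p) for color, p in profiles.items()}


if __name__ == "__main__":
    for avg in (10, 20, 50, 100):
        row = drop_probabilities(avg)
        print(avg, {color: round(p, 4) for color, p in row.items()})
```

At a mean queue length of 50, red packets are already past their higher threshold, yellow packets are on the random-drop slope, and green packets are untouched, which is the precedence ordering the drop mode is meant to enforce.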
1.1.16 dscp
Syntax
dscp dscp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence
undo dscp dscp-list
View
Conform level view
Parameters
dscp-list: Specifies one or multiple original DSCPs, each taking on a value in the range of 0 to 63. If multiple DSCPs are specified, separate them with spaces, for example, 0 8 10 16.
dscp-value: Modified DSCP, in the range of 0 to 63.
exp-value: Modified EXP, in the range of 0 to 7. EXP is the priority field of MPLS packets.
cos-value: Modified 802.1p priority, in the range of 0 to 7.
local-precedence-value: Modified local precedence, in the range of 0 to 7.
drop-precedence: Modified drop precedence, in the range of 0 to 2.
Description
Use the dscp command to configure the DSCP-to-services mapping table for the current conform level.
Use the undo dscp command to restore the default DSCP-to-services mapping table for the current conform level.
The DSCP-to-services mapping table you configured only applies to the traffic of the current conform level.
Examples
# Configure the DSCP-to-services mapping table for conform level 0.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C]qos conform-level 0
[H3C-conform-level-0] dscp 0: 0 0 0 0 0
[H3C-conform-level-0] dscp 8 10 : 8 0 1 1 0
[H3C-conform-level-0] dscp 16 18: 16 0 2 2 0
[H3C-conform-level-0] dscp 24 26 : 24 0 3 3 0
[H3C-conform-level-0] dscp 32 34 : 32 0 4 4 0
[H3C-conform-level-0] dscp 40 46: 40 0 5 5 0
[H3C-conform-level-0] dscp 48 : 48 0 6 6 0
[H3C-conform-level-0] dscp 56 : 56 0 7 7 0
The configured mapping table is as follows:
Table 1-2 DSCP-to-services mapping table for conform level 0
DSCP | CL | Policed-DSCP | Policed-exp | Policed-802.1p | Policed-Localprec | Policed-DropPrecedence |
---|---|---|---|---|---|---|
0 | 0 | 0 | 0 | 0 | 0 | 0 |
8 | 0 | 8 | 0 | 1 | 1 | 0 |
10 | 0 | 8 | 0 | 1 | 1 | 0 |
16 | 0 | 16 | 0 | 2 | 2 | 0 |
18 | 0 | 16 | 0 | 2 | 2 | 0 |
24 | 0 | 24 | 0 | 3 | 3 | 0 |
26 | 0 | 24 | 0 | 3 | 3 | 0 |
32 | 0 | 32 | 0 | 4 | 4 | 0 |
34 | 0 | 32 | 0 | 4 | 4 | 0 |
40 | 0 | 40 | 0 | 5 | 5 | 0 |
46 | 0 | 40 | 0 | 5 | 5 | 0 |
48 | 0 | 48 | 0 | 6 | 6 | 0 |
56 | 0 | 56 | 0 | 7 | 7 | 0 |
1.1.17 exp
Syntax
exp exp-list : dscp-value exp-value cos-value local-precedence-value drop-precedence
undo exp exp-list
View
Conform level view
Parameters
exp-list: Specifies one or multiple original EXPs, each taking on a value in the range of 0 to 7. If multiple EXPs are specified, separate them with spaces, for example, 2 3 4. EXP is the priority field of MPLS packets.
dscp-value: Modified DSCP, in the range of 0 to 63.
exp-value: Modified EXP, in the range of 0 to 7.
cos-value: Modified 802.1p priority, in the range of 0 to 7.
local-precedence-value: Modified local precedence, in the range of 0 to 7.
drop-precedence: Modified drop precedence, in the range of 0 to 2.
Description
Use the exp command to configure the EXP-to-services mapping table for the current conform level.
Use the undo exp command to restore the default EXP-to-services mapping table for the current conform level.
The EXP-to-services mapping table you configured only applies to the MPLS traffic of the current conform level.
Examples
# Configure the EXP-to-services mapping table for conform level 0.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C]qos conform-level 0
[H3C-conform-level-0] exp 0: 0 0 0 0 0
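A pre-deployment check for the dscp and exp mapping commands of sections 1.1.16 and 1.1.17, which share one shape (key list, colon, five service values). This is an added example, not H3C code. The function names are hypothetical, and letting a later command override an earlier one for the same key is an assumption about device behavior.

```python
import re

# Ranges from the Parameters sections of the dscp and exp commands.
KEY_MAX = {"dscp": 63, "exp": 7}
SERVICE_FIELDS = (("dscp", 63), ("exp", 7), ("cos", 7),
                  ("local_precedence", 7), ("drop_precedence", 2))

# Optional "[H3C-conform-level-0]" prompt, keyword, key list, colon, value list.
COMMAND_RE = re.compile(r"^(?:\[[^\]]*\]\s*)?(dscp|exp)\s+([\d\s]*?)\s*:\s*([\d\s]*)$")

# The dscp and exp commands from the examples on this page, spacing as printed.
PAGE_COMMANDS = """\
[H3C-conform-level-0] dscp 0: 0 0 0 0 0
[H3C-conform-level-0] dscp 8 10 : 8 0 1 1 0
[H3C-conform-level-0] dscp 16 18: 16 0 2 2 0
[H3C-conform-level-0] dscp 24 26 : 24 0 3 3 0
[H3C-conform-level-0] dscp 32 34 : 32 0 4 4 0
[H3C-conform-level-0] dscp 40 46: 40 0 5 5 0
[H3C-conform-level-0] dscp 48 : 48 0 6 6 0
[H3C-conform-level-0] dscp 56 : 56 0 7 7 0
[H3C-conform-level-0] exp 0: 0 0 0 0 0
"""


def parse_mapping_command(line):
    """Return (kind, {original value: service parameters}) or raise ValueError."""
    m = COMMAND_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dscp/exp mapping command: {line!r}")
    kind, keys_txt, vals_txt = m.groups()
    keys = [int(k) for k in keys_txt.split()]
    vals = [int(v) for v in vals_txt.split()]
    if not keys:
        raise ValueError(f"empty {kind}-list")
    if len(vals) != len(SERVICE_FIELDS):
        raise ValueError(f"expected {len(SERVICE_FIELDS)} values, got {len(vals)}")
    for key in keys:
        if key > KEY_MAX[kind]:
            raise ValueError(f"original {kind} {key} is outside 0 to {KEY_MAX[kind]}")
    for (name, highest), value in zip(SERVICE_FIELDS, vals):
        if value > highest:
            raise ValueError(f"{name} {value} is outside 0 to {highest}")
    services = {name: value for (name, _), value in zip(SERVICE_FIELDS, vals)}
    # Every original value in the list maps to the same set of service parameters.
    return kind, {key: dict(services) for key in keys}


def build_tables(text):
    """Apply the commands in order and return the resulting mapping tables."""
    tables = {"dscp": {}, "exp": {}}
    for line in text.splitlines():
        if line.strip():
            kind, entries = parse_mapping_command(line)
            tables[kind].update(entries)   # assumption: the last command wins
    return tables


def rejection(line):
    """Return the reason a command would be rejected, or None if it is valid."""
    try:
        parse_mapping_command(line)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for dscp, row in sorted(build_tables(PAGE_COMMANDS)["dscp"].items()):
        print(dscp, row)
    print(rejection("dscp 8 : 8 0 1 1 3"))
```

Run against the commands above, the dscp table reproduces the 13 rows of Table 1-2.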
1.1.18 local-precedence
Syntax
local-precedence cos-value0 cos-value1 cos-value2 cos-value3 cos-value4 cos-value5 cos-value6 cos-value7
undo local-precedence
View
Conform level view
Parameters
cos-value0: 802.1p priority corresponding to local-precedence 0, in the range of 0 to 7.
cos-value1: 802.1p priority corresponding to local-precedence 1, in the range of 0 to 7.
cos-value2: 802.1p priority corresponding to local-precedence 2, in the range of 0 to 7.
cos-value3: 802.1p priority corresponding to local-precedence 3, in the range of 0 to 7.
cos-value4: 802.1p priority corresponding to local-precedence 4, in the range of 0 to 7.
cos-value5: 802.1p priority corresponding to local-precedence 5, in the range of 0 to 7.
cos-value6: 802.1p priority corresponding to local-precedence 6, in the range of 0 to 7.
cos-value7: 802.1p priority corresponding to local-precedence 7, in the range of 0 to 7.
Description
Use the local-precedence command to configure the local precedence-to-802.1p mapping table for the current conform level.
Use the undo local-precedence command to restore the default local precedence-to-802.1p mapping table for the current conform level.
The local precedence-to-802.1p mapping table you configured only applies to the traffic of the current conform level.
Examples
# Configure the local precedence-to-802.1p mapping table for conform level 0.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C]qos conform-level 0
[H3C-conform-level-0] local-precedence 0 1 2 3 5 5 6 7
The configured mapping table is as follows:
Table 1-3 Local precedence-to-802.1p mapping table for conform level 0
Local-precedence | Conform-level | 802.1p |
---|---|---|
0 | 0 | 0 |
1 | 0 | 1 |
2 | 0 | 2 |
3 | 0 | 3 |
4 | 0 | 5 |
5 | 0 | 5 |
6 | 0 | 6 |
7 | 0 | 7 |
1.1.19 mirrored-to
Syntax
I. For Layer-3 traffic only
mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number | slot slot-id }
undo mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } { cpu | interface interface-type interface-number | slot slot-id }
undo mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
mirrored-to inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number | slot slot-id }
undo mirrored-to inbound link-group { acl-number | acl-name } [ rule rule ]
View
Ethernet port view
Parameters
inbound: Mirrors inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies the rule of an active ACL, ranging from 0 to 127; if not specified, all rules of the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
Note:
If the specified index is 0, the system selects an index automatically.
cpu: Mirrors traffic to the CPU.
interface interface-type interface-number: Mirrors traffic to the interface specified by its type and number.
slot slot-id: Mirrors traffic to the NetStream card seated in the slot specified by slot-id.
Description
Use the mirrored-to command to reference an ACL (or an ACL rule) and mirror data streams to the CPU, the specified port, or the specified NetStream card.
Use the undo mirrored-to command to remove traffic mirroring setting.
This configuration is only applicable to the packets which match the permit statements in the ACL.
For traffic mirroring configuration restrictions, refer to QoS Configuration.
Related commands: display qos-interface mirrored-to.
Examples
# Mirror the packets which match the permit statements in the ACL 2000 to CPU.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet2/1/1
[H3C-Ethernet2/1/1] mirrored-to inbound ip-group 2000 rule 0 cpu
# Mirror the traffic received on Ethernet 2/1/1 and matching the permit statement of ACL 2000 to Ethernet 2/1/3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet2/1/1
[H3C-Ethernet2/1/1] mirrored-to inbound ip-group 2000 rule 0 interface Ethernet 2/1/3
# Mirror the traffic received on Ethernet 2/1/1 and matching the permit statement of ACL 2000 to the NetStream card seated in slot 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet2/1/1
[H3C-Ethernet2/1/1] mirrored-to inbound ip-group 2000 rule 0 slot 3
1.1.20 mirroring-group
Syntax
mirroring-group groupid { inbound | outbound } mirroring-port-list mirrored-to monitor-port
undo mirroring-group groupid
View
System view
Parameters
groupid: Mirroring group ID, in the range of 1 to 24.
inbound: Monitors inbound packets.
outbound: Monitors outbound packets.
mirroring-port-list: Mirroring port list. You can specify up to 8 Ethernet ports in the list, each being separated by a space. Specify each Ethernet port by its type and number.
mirrored-to monitor-port: Specifies the monitor port.
Description
Use the mirroring-group command to configure a port mirroring group.
Use the undo mirroring-group command to remove the specified port mirroring group.
The switch supports multiple-to-one mirroring, that is, copying the packets from several mirroring ports to the monitor port.
The mirroring function on the S9500 series is implemented through mirroring groups. Each mirroring group contains one monitor port and at least one mirroring port. In addition, you can specify the direction of monitored packets.
For port mirroring configuration restrictions, refer to QoS Configuration.
Note:
The S9500 series supports cross-card mirroring, that is, the monitor port and mirroring ports can be on different cards.
Related commands: display mirroring-group.
Examples
# Configure mirroring group 1 with mirroring ports Ethernet 3/1/1 to Ethernet 3/1/3 and monitor port Ethernet 3/1/4, monitoring only inbound packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] mirroring-group 1 inbound ethernet 3/1/1 ethernet 3/1/2 ethernet 3/1/3 mirrored-to ethernet 3/1/4
1.1.21 priority
Syntax
priority priority-level
undo priority
View
Ethernet port view
Parameters
priority-level: Port priority, in the range of 0 to 7.
Description
Use the priority command to set a local precedence for a port.
Use the undo priority command to restore the default local precedence of the port.
By default, the local precedence of a port is 0.
Examples
# Set the default local precedence of the port Ethernet 3/1/1 to 7.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet3/1/1
[H3C-Ethernet3/1/1] priority 7
1.1.22 qos conform-level
Syntax
qos conform-level conform-level-value
View
System view
Parameters
conform-level conform-level-value: Conform level, which can be 0, 1, or 2.
Description
Use the qos conform-level command to create a conform level and enter its view.
Three conform levels, 0 through 2, are available.
Only after you create and enter the view of a conform level can you display the mapping tables for this conform level, including the DSCP-to-services mapping table, the EXP-to-services mapping table, and the local precedence-to-802.1p mapping table.
Examples
# Create and enter the view of conform level 0.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] qos conform-level 0
[H3C-conform-level-0]
1.1.23 qos cos-drop-precedence-map
Syntax
qos cos-drop-precedence-map cos0-map-drop-prec cos1-map-drop-prec cos2-map-drop-prec cos3-map-drop-prec cos4-map-drop-prec cos5-map-drop-prec cos6-map-drop-prec cos7-map-drop-prec
undo qos cos-drop-precedence-map
View
System view
Parameters
cos0-map-drop-prec: Drop precedence mapped to CoS 0, in the range of 0 to 2.
cos1-map-drop-prec: Drop precedence mapped to CoS 1, in the range of 0 to 2.
cos2-map-drop-prec: Drop precedence mapped to CoS 2, in the range of 0 to 2.
cos3-map-drop-prec: Drop precedence mapped to CoS 3, in the range of 0 to 2.
cos4-map-drop-prec: Drop precedence mapped to CoS 4, in the range of 0 to 2.
cos5-map-drop-prec: Drop precedence mapped to CoS 5, in the range of 0 to 2.
cos6-map-drop-prec: Drop precedence mapped to CoS 6, in the range of 0 to 2.
cos7-map-drop-prec: Drop precedence mapped to CoS 7, in the range of 0 to 2.
Description
Use the qos cos-drop-precedence-map command to configure the CoS-to-drop precedence mapping table.
Use the undo qos cos-drop-precedence-map command to restore the default values of the CoS-to-drop precedence mapping table.
The system provides a default CoS-to-drop precedence mapping table.
Table 1-4 The default CoS-to-drop precedence mapping table
CoS Value | Drop-precedence |
---|---|
0 | 0 |
1 | 0 |
2 | 0 |
3 | 0 |
4 | 0 |
5 | 0 |
6 | 0 |
7 | 0 |
After receiving a packet, the switch allocates a set of service parameters to it. The service parameters, including CoS value, local precedence and drop level, are determined according to the 802.1p priority of the packets. The CoS value of a packet is the packet’s 802.1p priority, while local and drop precedence values are obtained according to the CoS-to-local precedence mapping table and the CoS-drop precedence mapping table. You can modify the CoS-drop precedence mapping table using this command.
Examples
# Configure the CoS-drop precedence mapping table.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] qos cos-drop-precedence-map 2 2 1 1 1 0 0 0
The modified CoS-drop precedence mapping table is shown as follows.
Table 1-5 A CoS-drop precedence mapping table
CoS Value | Drop-precedence |
---|---|
0 | 2 |
1 | 2 |
2 | 1 |
3 | 1 |
4 | 1 |
5 | 0 |
6 | 0 |
7 | 0 |
1.1.24 qos cos-local-precedence-map
Syntax
qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
undo qos cos-local-precedence-map
View
System view
Parameters
cos0-map-local-prec: Local precedence mapped to CoS 0, in the range of 0 to 7.
cos1-map-local-prec: Local precedence mapped to CoS 1, in the range of 0 to 7.
cos2-map-local-prec: Local precedence mapped to CoS 2, in the range of 0 to 7.
cos3-map-local-prec: Local precedence mapped to CoS 3, in the range of 0 to 7.
cos4-map-local-prec: Local precedence mapped to CoS 4, in the range of 0 to 7.
cos5-map-local-prec: Local precedence mapped to CoS 5, in the range of 0 to 7.
cos6-map-local-prec: Local precedence mapped to CoS 6, in the range of 0 to 7.
cos7-map-local-prec: Local precedence mapped to CoS 7, in the range of 0 to 7.
Description
Use the qos cos-local-precedence-map command to configure the CoS-to-local precedence mapping table.
Use the undo qos cos-local-precedence-map command to restore the default CoS-to-local precedence mapping table.
The following is the default CoS-to-local precedence mapping table.
Table 1-6 The default CoS-to-local precedence mapping table
CoS Value | Local Precedence |
---|---|
0 | 2 |
1 | 0 |
2 | 1 |
3 | 3 |
4 | 4 |
5 | 5 |
6 | 6 |
7 | 7 |
After receiving a packet, the switch allocates a set of service parameters to it according to a specific rule. The service parameters, including CoS value, local precedence and drop level, are determined according to the packet 802.1p priority. CoS value is the packet 802.1p priority, while local and drop precedence values are obtained according to the CoS-to-local-precedence mapping table and the CoS-to-drop precedence mapping table. You can modify the CoS-to-local precedence mapping table with this command.
Examples
# Configure the CoS-to-local precedence mapping table.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] qos cos-local-precedence-map 0 1 2 3 4 5 6 7
The modified CoS-to-local precedence mapping table is shown in the following table.
Table 1-7 A CoS-to-local precedence mapping table
CoS Value | Local Precedence |
---|---|
0 | 0 |
1 | 1 |
2 | 2 |
3 | 3 |
4 | 4 |
5 | 5 |
6 | 6 |
7 | 7 |
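The service-parameter lookup described in 1.1.23 and 1.1.24, as an added example that is not part of the H3C manual: it reads the 802.1p priority from an 802.1Q tag and applies the two mapping commands to the default tables. The class and function names and the sample frames are constructed for illustration; untagged frames return None because this page does not say how they are classified.

```python
import struct

# Defaults copied from Table 1-4 and Table 1-6 of this page, indexed by CoS 0..7.
DEFAULT_DROP = [0, 0, 0, 0, 0, 0, 0, 0]
DEFAULT_LOCAL = [2, 0, 1, 3, 4, 5, 6, 7]

# command keyword -> (table name, highest legal value, default table)
MAPS = {
    "cos-drop-precedence-map": ("drop", 2, DEFAULT_DROP),
    "cos-local-precedence-map": ("local", 7, DEFAULT_LOCAL),
}


def dot1p_priority(frame):
    """Return the 802.1p priority of an 802.1Q-tagged frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != 0x8100:
        return None
    return tci >> 13  # the priority is the top three bits of the TCI


class ServiceMaps:
    """Hypothetical model of the two system-view mapping tables."""

    def __init__(self):
        self.tables = {"drop": list(DEFAULT_DROP), "local": list(DEFAULT_LOCAL)}

    def apply(self, command):
        """Apply one 'qos cos-*-map v0 .. v7' or 'undo qos cos-*-map' line."""
        tok = command.split()
        undo = tok[:1] == ["undo"]
        if undo:
            tok = tok[1:]
        if len(tok) < 2 or tok[0] != "qos" or tok[1] not in MAPS:
            raise ValueError("unsupported command: " + command)
        name, top, default = MAPS[tok[1]]
        if undo:
            self.tables[name] = list(default)
            return
        values = [int(v) for v in tok[2:]]
        if len(values) != 8:
            raise ValueError("exactly eight values (CoS 0 to 7) are required")
        if any(not 0 <= v <= top for v in values):
            raise ValueError("value outside the range 0 to %d" % top)
        self.tables[name] = values  # only replaced after full validation

    def classify(self, frame):
        """Return the CoS, local precedence and drop precedence for a frame."""
        cos = dot1p_priority(frame)
        if cos is None:
            return None
        return {"cos": cos,
                "local": self.tables["local"][cos],
                "drop": self.tables["drop"][cos]}


def tagged_frame(priority, vlan_id):
    """Build a constructed 802.1Q frame header to use as sample input."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tci = (priority << 13) | vlan_id
    return dst + src + struct.pack("!HHH", 0x8100, tci, 0x0800)


if __name__ == "__main__":
    maps = ServiceMaps()
    print("defaults:", maps.classify(tagged_frame(0, 10)))
    maps.apply("qos cos-drop-precedence-map 2 2 1 1 1 0 0 0")
    maps.apply("qos cos-local-precedence-map 0 1 2 3 4 5 6 7")
    print("modified:", maps.classify(tagged_frame(0, 10)))
```

With the default tables, CoS 0 traffic is placed above CoS 1 and CoS 2 in local precedence, which is worth checking before relying on 802.1p markings from untrusted ports.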
1.1.25 queue
Syntax
queue queue-id green-min-threshold green-max-threshold green-max-prob yellow-min-threshold yellow-max-threshold yellow-max-prob red-min-threshold red-max-threshold red-max-prob exponent
undo queue queue-id
View
WRED index view
Parameters
queue-id: Output queue ID, in the range of 0 to 7.
green-min-threshold: Lower threshold triggering random green packet dropping, in the range of 0 to 65535. It must be a multiple of 256 bytes.
green-max-threshold: Higher threshold triggering complete green packet dropping, in the range of 0 to 65535. It must be a multiple of 256 bytes.
green-max-prob: Maximum drop probability for green packets, in the range of 1 to 15.
yellow-min-threshold: Lower threshold triggering random yellow packet dropping, in the range of 0 to 65535. It must be a multiple of 256 bytes.
yellow-max-threshold: Higher threshold triggering complete yellow packet dropping, in the range of 0 to 65535. It must be a multiple of 256 bytes.
yellow-max-prob: Maximum drop probability for yellow packets, in the range of 1 to 15.
red-min-threshold: Lower threshold triggering random red packet dropping, in the range of 0 to 65535. It must be a multiple of 256 bytes.
red-max-threshold: Higher threshold triggering complete red packet dropping, in the range of 0 to 65535. It must be a multiple of 256 bytes.
red-max-prob: Maximum drop probability for red packets, in the range of 1 to 15.
exponent: Weight for calculating average queue length, in the range of 1 to 15. By default, it is 9.
Description
Use the queue command to configure parameters for a WRED index.
Use the undo queue command to restore the default parameters for the WRED index.
The switch provides four sets of default WRED parameters, respectively numbered as 0, 1, 2 and 3. Each set includes 80 parameters, 10 parameters for each of the eight queues. The ten parameters are green-min-threshold, yellow-min-threshold, red-min-threshold, green-max-threshold, yellow-max-threshold, red-max-threshold, green-max-prob, yellow-max-prob, red-max-prob and exponent. You can use the command to modify the parameters of a specific WRED index.
Examples
# Configure parameters for WRED 0: queue-id is 7; green-min-threshold is 150; green-max-threshold is 500; green-max-prob is 5; yellow-min-threshold is 100; yellow-max-threshold is 150; yellow-max-prob is 10; red-min-threshold is 50; red-max-threshold is 100; red-max-prob is 15; exponent is 10.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] wred 0
[H3C-wred-0] queue 7 150 500 5 100 150 10 50 100 15 10
1.1.26 queue-scheduler
Syntax
queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8> } *
undo queue-scheduler [ queue-id ] &<1-8>
View
Ethernet port view
Parameters
wrr: Weighted round robin algorithm.
group1: Adds the queue to WRR priority group 1.
group2: Adds the queue to WRR priority group 2.
queue-id: Output queue ID, in the range of 0 to 7.
queue-weight: Queue weight, in the range of 1 to 255.
&<1-8>: You can input the queue-id and queue-weight parameters eight times at most.
Description
Use the queue-scheduler command to choose the queue scheduling algorithm and parameters.
Use the undo queue-scheduler command to restore the default setting, SP algorithm.
By default, the SP algorithm is adopted for all output queues at a port.
The switch supports eight output queues at a port, with different scheduling algorithms for them. You can assign these queues to different scheduling groups: SP group, WRR priority group 1 and group 2. For example, you can assign queues 6 and 7 to the SP group, queues 0, 1 and 2 to WRR priority group 1 and queues 3, 4 and 5 to WRR priority group 2. Then a queue will be selected from each group according to its own scheduling algorithm. The three selected queues will be scheduled by the SP algorithm.
The queue weight is based on bandwidth. For example, if queues 0, 1 and 2 belong to WRR priority group 1 and their weights are configured as 20, 20 and 30 respectively, then during scheduling the proportion of their respective weights in the whole bandwidth is 20:20:30.
Examples
# Configure queues 0 to 5 to adopt the WRR algorithm. Assign queues 0, 1 and 2 to group 1, with weight 20, 20 and 30; and assign queues 3, 4 and 5 to group 2, with weight 20, 20 and 40. Configure queues 6 and 7 to adopt the SP algorithm.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet3/1/1
[H3C-Ethernet3/1/1] queue-scheduler wrr group1 0 20 1 20 2 30 group2 3 20 4 20 5 40
1.1.27 reset traffic-statistic
Syntax
reset traffic-statistic inbound { { ip-group { acl-number | acl-name } rule rule | link-group { acl-number | acl-name } } * | { ip-group { acl-number | acl-name } | link-group { acl-number | acl-name } rule rule } * | ip-group { acl-number | acl-name } rule rule link-group { acl-number | acl-name } rule rule }
View
Ethernet port view, RPR logical port view, POS port view
Parameters
inbound: Clears statistics of the inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
Description
Use the reset traffic-statistic command to clear statistics of all traffic or traffic matching a specific ACL.
Table 1-8 Comparison between two statistics clearing commands
Command | Description |
---|---|
reset acl counter | Clears ACL statistics. This command is for the ACLs that perform filtering and traffic classification on the packets processed by software. Cases in which software imports ACLs include ACL importing for routing policy and ACL importing for registered user control. The ACL ID available here is in the range of 2000 to 3999. |
reset traffic-statistic | Clears traffic statistics. This command is for the ACLs sent to hardware for packet filtering and traffic classification. This command usually clears the statistics collected with the traffic-statistic command. |
Examples
# Clear traffic statistics of the ACL 4000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet3/1/1
[H3C-Ethernet3/1/1] reset traffic-statistic inbound link-group 4000
1.1.28 set gv48-egress-buffer
Syntax
set gv48-egress-buffer { fe-mode | ge-mode } slot slot-id
undo set gv48-egress-buffer slot slot-id
View
System view
Parameters
fe-mode: Sets the buffer mode of the board in the specified slot to fast Ethernet (FE) mode, that is, 100 Mbps mode.
ge-mode: Sets the buffer mode of the board in the specified slot to gigabit Ethernet (GE) mode, that is, 1000 Mbps mode.
slot slot-id: Specifies a board by its slot ID.
Description
Use the set gv48-egress-buffer command to set the buffer mode for the specified GV48DB or GP48DB board.
Use the undo set gv48-egress-buffer command to restore the default.
By default, GV48DB and GP48DB boards operate in FE buffer mode.
Note that this command is applicable only to GV48DB and GP48DB boards.
Examples
# Configure the GV48DB board seated in slot 1 to operate in GE buffer mode.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] set gv48-egress-buffer ge-mode slot 1
1.1.29 share descriptors
Syntax
share descriptors slot-id
undo share descriptors slot-id
View
System view
Parameters
slot-id: Slot ID of a card.
Description
Use the share descriptors command to enable the descriptor sharing function.
Use the undo share descriptors command to disable the descriptor sharing function.
The descriptor sharing function is disabled by default.
Examples
# Enable descriptor sharing on the card seated in slot 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] share descriptors 3
1.1.30 traffic-limit
Syntax
I. For Layer-3 traffic only
traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-limit inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound link-group { acl-number | acl-name } [ rule rule ]
View
Ethernet port view
Parameters
inbound: Sets traffic limiting for the inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Index value of the traffic conditioner, ranging from 0 to 12288. If you configure the same index value for different traffic rules during traffic policing configuration, the sum of the traffic matching these rules is restricted by the configured traffic policing parameters. For example, if you set the CIR of the traffic matching rule 1 to 10 kbps and that of the traffic matching rule 2 to 10 kbps as well, and both rules have the same traffic conditioner index, the sum of the average rates of rule 1 and rule 2 is restricted to 10 kbps.
Note:
- The traffic policing parameters must be the same for traffic flows configured with the same tc-index; otherwise, the system prompts you that the configuration is wrong. When the tc-index is 0, the system selects an index value automatically.
- For cards with C or D suffix in their names, if the remark-cos keyword is used, both remark-cos and remark-drop-priority will take effect.
cir: Committed information rate in kbps.
cbs: Committed burst size in bytes.
ebs: Excess burst size in bytes.
pir: Peak information rate in Kbps.
conform: Sets the action to be taken when the traffic does not exceed the set value.
remark-cos: Sets new 802.1p priority for the packet according to its conform level and local precedence.
remark-drop-priority: Sets drop precedence value for the packet according to its conform level.
remark-policed-service: Sets new service parameters for the packet according to its conform level and DSCP value.
exceed: Sets action for the case when traffic threshold is exceeded.
- forward: Forwards the packet.
- drop: Drops the packet.
traffic-index index: Traffic index.
Description
Use the traffic-limit command to reference an ACL (or an ACL rule) to match traffic on the current port and police the matching traffic, performing different actions on the conforming traffic and the exceeding traffic.
Use the undo traffic-limit command to remove the traffic limiting setting.
This command is only applicable to the packets which match the permit statements in the ACL or the ACL rule.
CIR must be less than or equal to PIR, and CBS must be less than or equal to EBS. It is recommended that you configure CBS and EBS to numbers that are 100 to 150 times the CIR.
For the same traffic, you cannot select both the remark-cos and remark-policed-service keywords, or both the remark-drop-priority and remark-policed-service keywords.
Before selecting the remark-policed-service keyword, make sure you have configured the DSCP-to-services mapping tables for the conform levels. Before selecting the remark-cos keyword, make sure you have configured the local-precedence-to-802.1p mapping table for the conform levels.
Related commands: qos conform-level, dscp, local-precedence.
Examples
# Set traffic limiting for the packets matching the permit statements in the ACL 4000: CIR is 200 kbps, CBS is 1,500,000 bytes, EBS is 1,800,000 bytes, drop the exceeding packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet2/1/1
[H3C-Ethernet2/1/1] traffic-limit inbound link-group 4000 200 1500000 1800000 conform remark-policed-service exceed drop
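A configuration check built from the constraints stated in this section (CIR no greater than PIR, CBS no greater than EBS, the conform keyword exclusions, the ACL, rule and tc-index ranges, and identical parameters for a shared non-zero tc-index), as an added example that is not part of the H3C manual. The function names, finding codes and sample lines are constructed for illustration; it assumes that cir, cbs, ebs and pir are written as integers and that all lines passed in share one tc-index space.

```python
from collections import namedtuple

ACL_RANGES = {"ip-group": (2000, 3999), "link-group": (4000, 4999)}
CONFORM = {"remark-cos", "remark-drop-priority", "remark-policed-service"}
Limit = namedtuple("Limit", "acls tc_index cir cbs ebs pir conform exceed")


def parse_traffic_limit(line):
    """Parse one 'traffic-limit inbound ...' line following the Syntax forms above.

    A truncated line raises IndexError or ValueError; audit() reports both.
    """
    tok = line.split()
    if tok[:2] != ["traffic-limit", "inbound"]:
        raise ValueError("not a traffic-limit inbound command")
    i, acls, tc_index = 2, [], 0
    # One or two ACL references, each with an optional rule and system-index.
    while i < len(tok) and tok[i] in ACL_RANGES:
        kind, acl_id, rule = tok[i], tok[i + 1], None
        i += 2
        if tok[i] == "rule":
            rule, i = int(tok[i + 1]), i + 2
        if tok[i] == "system-index":
            i += 2  # accepted but not audited
        acls.append((kind, acl_id, rule))
    if tok[i] == "tc-index":
        tc_index, i = int(tok[i + 1]), i + 2
    # cir cbs ebs [pir]: three or four consecutive integers.
    nums = []
    while i < len(tok) and tok[i].isdigit():
        nums.append(int(tok[i]))
        i += 1
    if not acls or len(nums) not in (3, 4):
        raise ValueError("expected an ACL reference and cir cbs ebs [pir]")
    pir = nums[3] if len(nums) == 4 else None
    conform, exceed = set(), None
    if i < len(tok) and tok[i] == "conform":
        i += 1
        while i < len(tok) and tok[i] in CONFORM:
            conform.add(tok[i])
            i += 1
    if i < len(tok) and tok[i] == "exceed":
        exceed, i = tok[i + 1], i + 2
    if i != len(tok) or exceed not in (None, "forward", "drop"):
        raise ValueError("unexpected trailing tokens")
    return Limit(acls, tc_index, nums[0], nums[1], nums[2], pir, conform, exceed)


def audit(lines):
    """Return sorted (line_number, code) findings for a list of command lines."""
    findings, first_seen = [], {}
    for n, line in enumerate(lines, 1):
        try:
            lim = parse_traffic_limit(line)
        except (ValueError, IndexError):
            findings.append((n, "UNPARSED"))
            continue
        for kind, acl_id, rule in lim.acls:
            lo, hi = ACL_RANGES[kind]
            if acl_id.isdigit() and not lo <= int(acl_id) <= hi:
                findings.append((n, "ACL_RANGE"))
            if rule is not None and not 0 <= rule <= 127:
                findings.append((n, "RULE_RANGE"))
        if not 0 <= lim.tc_index <= 12288:
            findings.append((n, "TC_RANGE"))
        if lim.pir is not None and lim.cir > lim.pir:
            findings.append((n, "CIR_GT_PIR"))
        if lim.cbs > lim.ebs:
            findings.append((n, "CBS_GT_EBS"))
        if "remark-policed-service" in lim.conform and len(lim.conform) > 1:
            findings.append((n, "CONFORM_CONFLICT"))
        # tc-index 0 asks the system to pick an index, so it is never shared.
        if lim.tc_index:
            params = (lim.cir, lim.cbs, lim.ebs, lim.pir)
            if first_seen.setdefault(lim.tc_index, params) != params:
                findings.append((n, "TC_MISMATCH"))
    return sorted(findings)


# Constructed sample: line 1 is the command from the Examples above, the rest
# are made-up lines that each break one or two of the documented constraints.
SAMPLE = [
    "traffic-limit inbound link-group 4000 200 1500000 1800000 conform remark-policed-service exceed drop",
    "traffic-limit inbound ip-group 3000 rule 1 tc-index 5 10 1000 1500 exceed drop",
    "traffic-limit inbound ip-group 3000 rule 2 tc-index 5 20 1000 1500 exceed drop",
    "traffic-limit inbound ip-group 4100 64 9000 8000 128 exceed forward",
    "traffic-limit inbound link-group 4001 rule 3 512 60000 70000 256 conform remark-cos remark-policed-service",
]

if __name__ == "__main__":
    for n, code in audit(SAMPLE):
        print(n, code, SAMPLE[n - 1])
```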
1.1.31 traffic-priority
Syntax
I. For Layer-3 traffic only
traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
undo traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-priority inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
undo traffic-priority inbound link-group { acl-number | acl-name } [ rule rule ]
View
Ethernet port view
Parameters
inbound: Sets traffic priority for inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
auto: Chooses the service parameters allocated automatically by the switch.
remark-policed-service: Sets service parameters.
trust-dscp: Sets service parameters according to packet DSCP values.
dscp dscp-value: Sets service parameters according to user’s DSCP values or EXP values. For IP packets, dscp-value is the specified DSCP priority (six bits in the packet header) and in the range of 0 to 63; for MPLS packets, the dscp-value argument also defines an EXP priority (the three high-order bits of the value). Set the EXP value when defining the dscp-value.
untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level: Customizes a set of service parameters. For IP packets, dscp-value is the specified DSCP priority (six bits in the packet header) and in the range of 0 to 63; for MPLS packets, other than that the dscp-value stands for their DSCP priority, the three high-order bits of the value represent the EXP flag field. Set the EXP value when defining the dscp-value; local-precedence is local precedence, in number (ranging 0 to 7) or name; cos-value is 802.1p priority, in number (ranging 0 to 7) or name; drop-level is drop level, in number (ranging 0 to 2) or name.
Note:
The mapping relationship between dscp-value and EXP is:
- When the S9500 switch is used as the ingress PE device, for IP packets, EXP is matched according to the DSCP-to-services mapping table for the conform level of the packets; for TCP and UDP packets, the value of EXP is the lower 3 bits of dscp-value.
- When the S9500 switch is used as an ingress P device, the value of EXP is the lower 3 bits of the dscp-value.
Description
Use the traffic-priority command to reference an ACL (or an ACL rule) to match traffic and assign a set of service parameters for the traffic matching the permit statements in the ACL.
Use the undo traffic-priority command to remove the service parameters for the matching traffic.
You can assign service parameters for the matching traffic in one of the following modes:
1) Have the system allocate service parameters automatically for the traffic. Upon receiving a packet, the switch allocates a set of service parameters for it according to a specific rule. To choose this mode, configure the command with the auto keyword.
2) Configure the system to obtain service parameters from the DSCP-to-services mapping table for the conform level of the traffic based on the DSCP priority of the traffic. To choose this mode, configure the command with the remark-policed-service trust-dscp keyword.
3) Configure the system to obtain service parameters for the traffic from the DSCP-to-services mapping table or EXP-to-services mapping table for the conform level of the traffic based on the DSCP priority you specified for the traffic or the EXP of the MPLS traffic. To choose this mode, configure the command with the remark-policed-service dscp dscp-value parameters.
4) Directly specify a set of service parameters for the traffic. To choose this mode, configure the command with the remark-policed-service untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level parameters.
Note:
- For priority marking actions, the DSCP-to-services mapping table or EXP-to-services mapping table for conform level 0 applies.
- To use the second or the third mode, make sure that you have configured the DSCP-to-services mapping tables and EXP-to-services mapping tables. For more information about the mapping tables, see the qos conform-level, dscp and exp commands.
Related commands: display qos-interface traffic-priority, qos conform-level, dscp, local-precedence.
Examples
# Configure the switch to automatically assign service parameters for the packets matching the permit statements in ACL 4000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet5/1/2
[H3C-Ethernet5/1/2] traffic-priority inbound link-group 4000 auto
1.1.32 traffic-redirect
Syntax
I. For Layer-3 traffic only
traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number destination-vlan [ l2-vpn | l3-vpn ] | link-aggregation group groupid destination-vlan | smart-link group groupid destination-vlan | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id { vlanid | designated-vlan vlanid } [ join-vlan ] }
undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-3 and Layer-2 traffic
traffic-redirect inbound ip-group { acl-number | acl-name } rule rule link-group { acl-number | acl-name } [ rule rule ] { cpu | interface interface-type interface-number destination-vlan [ l2-vpn | l3-vpn ] | link-aggregation group groupid destination-vlan | smart-link group groupid destination-vlan | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id designated-vlan vlanid [ join-vlan ] }
Or
traffic-redirect inbound ip-group { acl-number | acl-name } link-group { acl-number | acl-name } rule rule { cpu | interface interface-type interface-number destination-vlan [ l2-vpn | l3-vpn ] | link-aggregation group groupid destination-vlan | smart-link group groupid destination-vlan | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id designated-vlan vlanid [ join-vlan ] }
undo traffic-redirect inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
Or
undo traffic-redirect inbound link-group { acl-number | acl-name } { rule rule ip-group { acl-number | acl-name } | ip-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | interface interface-type interface-number destination-vlan [ l2-vpn | l3-vpn ] | link-aggregation group groupid destination-vlan | smart-link group groupid destination-vlan | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id designated-vlan vlanid [ join-vlan ] }
undo traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule ]
View
Ethernet port view
Parameters
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string (1 to 32 characters) starting with an English letter (a-z or A-Z), and without any space in it.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string (1 to 32 characters) starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
cpu: Redirects packets to the CPU.
interface interface-type interface-number destination-vlan [ l2-vpn | l3-vpn ]: Redirects packets to the specified Ethernet port or RPR logical interface. interface-type and interface-number together define a port. destination-vlan specifies the VLAN to which the destination port belongs. l2-vpn means that MPLS L2-VPN packets are allowed to pass, and l3-vpn means that MPLS L3-VPN packets are allowed to pass. The l2-vpn and l3-vpn keywords are not supported when the destination port is an RPR logical interface.
link-aggregation group groupid destination-vlan: Redirects traffic to the manual aggregation group specified by groupid, which ranges from 1 to 31. destination-vlan is the destination VLAN ID and ranges from 2 to 4094.
smart-link group groupid destination-vlan: Redirects traffic to the smart link group specified by groupid, which ranges from 1 to 48. destination-vlan is the destination VLAN ID and ranges from 2 to 4094.
next-hop ip-addr1 [ ip-addr2 ]: Redirects packets to the specified IP address. You can specify two IP addresses at once; the first one has higher priority. That is, the system redirects packets to the second IP address only if the first one is unreachable.
invalid { forward | drop }: Sets the method of processing packets (forward or drop) when the IP address of the next hop is invalid. The packet will be dropped by default.
slot slot-id: Redirects packets to the specified service processor card.
vlanid: Specifies the VLAN of the packets to be redirected.
designated-vlan vlanid: VLAN where a designated port resides.
join-vlan: With this keyword specified, when traffic redirecting is enabled, the system assigns the port to the destination-vlan automatically; when traffic redirecting is disabled, the system removes the port from the VLAN if the last join-vlan enabled traffic redirecting is removed from the VLAN. This field should be specified in the traffic redirecting applications related to MPLS (such as VPLS, L3VPN, and intermixing). Currently, only Ethernet ports and GigabitEthernet ports support the join-vlan keyword.
Description
Use the traffic-redirect command to reference an ACL (or an ACL rule) to match traffic and redirect the matching traffic.
Use the undo traffic-redirect command to remove the traffic redirecting setting.
You can redirect packets to the CPU, a specified Ethernet port, a specified RPR logical interface, a specified IP address, a specified aggregation group, a specified smart link group, or a specified slot.
Note:
- The traffic redirecting setting is only available for traffic matching the permit statements in the ACL.
- Packets redirected to the CPU cannot be forwarded normally.
- You can achieve policy routing by selecting the next-hop keyword in this command.
- Multicast packets are not allowed to be redirected to the service processor cards.
- With the traffic redirected to a NAT board and a sub-VLAN specified as the designated VLAN, the super VLAN of the sub-VLAN is issued.
- When traffic is redirected to a port without the l3-vpn or l2-vpn keyword specified, the destination port will not be looped back; when traffic is redirected to a port with the l3-vpn or l2-vpn keyword specified, intermixing redirection is performed, and the destination port will be looped back and then assigned to the designated VLAN.
Related commands: display qos-interface traffic-redirect. Refer to the QinQ part in the manual for the information on the traffic-redirect { nested-vlan | modified-vlan } command.
Examples
# Configure traffic redirecting on the interface cards for packets that match the permit statements in ACL 4000: packets are redirected to the port Ethernet 5/1/1, the destination VLAN ID is 4094, and L3 VPN packets are permitted.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet5/1/2
[H3C-Ethernet5/1/2] traffic-redirect inbound link-group 4000 interface ethernet5/1/1 4094 l3-vpn
# Configure traffic redirecting on a service processor card for packets that match the permit statements in ACL 4000. Redirect such packets to manual aggregation group 1, and the destination VLAN ID is 4094.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet5/1/2
[H3C-Ethernet5/1/2] traffic-redirect inbound link-group 4000 link-aggregation group 1 4094
1.1.33 traffic-shape
Syntax
traffic-shape [ queue queue-id ] max-rate burst-size
undo traffic-shape [ queue queue-id ]
View
Ethernet port view
Parameters
queue queue-id: Specifies a queue by its ID, in the range of 0 to 7.
max-rate: Maximum traffic rate in Kbps of the port.
burst-size: Burst size in KB. Its value should be an integral multiple of 4.
Description
Use the traffic-shape command to enable traffic shaping.
Use the undo traffic-shape command to disable traffic shaping.
The switch supports both port-based traffic shaping and queue-based traffic shaping. You can achieve the former mode by specifying no queue ID or the latter mode by specifying a queue ID.
Examples
# Shape the traffic in the output queue 2 at the port: maximum rate 500 Kbps, burst size 12 Kbytes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet3/1/1
[H3C-Ethernet3/1/1] traffic-shape queue 2 500 12
1.1.34 traffic-statistic
Syntax
I. For Layer-3 traffic only
traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]
undo traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-statistic inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name }{ rule rule [ system-index index ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ]
undo traffic-statistic inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]
undo traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule ]
View
Ethernet port view
Parameters
inbound: Sets traffic accounting for inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
link-group { acl-number | acl-name }: Activates Layer 2 ACLs. acl-number: Sequence number of ACL, ranging from 4000 to 4999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules of the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Index value of the traffic conditioner, ranging from 0 to 12288. If you configure the same index value for different traffic rules during traffic statistics configuration, the statistics for these traffic flows are collected.
Description
Use the traffic-statistic command to reference an ACL to match traffic and perform accounting for the matching traffic.
Use the undo traffic-statistic command to disable traffic accounting.
The traffic-statistic command only counts hardware matchings during packet forwarding. You can view the statistics using the display qos-interface traffic-statistic commands.
Related commands: display qos-interface traffic-statistic.
Examples
# Perform traffic accounting for the packets matching the permit statements in the ACL 2000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet3/1/1
[H3C-Ethernet3/1/1] traffic-statistic inbound ip-group 2000
1.1.35 wred
Syntax
wred wred-index
undo wred wred-index
View
System view
Parameters
wred-index: WRED index, in the range of 0 to 3.
Description
Use the wred command to create a WRED index view and enter it.
Use the undo wred command to restore the default WRED parameters.
The switch provides four sets of default WRED parameters, numbered 0, 1, 2 and 3. The ten parameters for a port are green-min-threshold, yellow-min-threshold, red-min-threshold, green-max-threshold, yellow-max-threshold, red-max-threshold, green-max-prob, yellow-max-prob, red-max-prob and exponent. Red, yellow and green packets refer to those with drop precedence levels 2, 1 and 0 respectively.
Examples
# Create WRED 0 view and enter it.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] wred 0
[H3C-wred-0]
Chapter 2 Port Tokens Configuration Commands
Note:
The four commands qos token, qos multicast queue, share descriptors, and flow-control can be used to configure the number of tokens on a port, and they take effect in the descending order of priority. Refer to the Ethernet Port Configuration Commands in the Access Volume for the information about the flow-control command.
2.1 Port Tokens Configuration Commands
2.1.1 qos token
Syntax
qos token interface-list [ queue queue-id ] token-number
undo qos token interface-list [ queue queue-id ]
View
System view
Parameters
interface-list: Port list.
queue-id: ID of a queue on the port, ranging from 0 to 7.
token-number: Number of tokens, ranging from 1 to 256.
Description
Use the qos token command to adjust the number of tokens for each specified port and for a specified queue of each specified port.
Use the undo qos token command to cancel the adjustment and restore the default configuration.
Examples
# Set the total number of tokens for GigabitEthernet 3/1/1 to 30.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] qos token GigabitEthernet3/1/1 30
# Set the number of tokens for queue 2 of GigabitEthernet 3/1/1 to 5.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] qos token GigabitEthernet3/1/1 queue 2 5
Note:
- 100 Mbps Ethernet ports do not support the commands here.
- The ports on LSB1TGX1B, LSB1GV48DB and LSB1GP48DB cards do not support the commands here.
- On the LSB1P4G8B, LSB1P4G8C, LSB1P4G8CA and LSB1SP4CA cards, you can configure the qos token command on only one of the four POS ports.
- On the LSB1XP4B and LSB1XP4CA cards, this command does not take effect on port 1 and port 2 at the same time; this command does not take effect on port 3 and port 4 at the same time.
Chapter 3 WAN QoS Configuration Commands
3.1 WAN QoS Configuration Commands
3.1.1 qos enable
Syntax
qos enable
undo qos enable
View
Channelized serial interface view, MP interface view
Parameters
None
Description
Use the qos enable command to enable QoS on the specified WAN interface.
Use the undo qos enable command to disable QoS on the specified WAN interface.
Note:
You can use the display interface command to check whether QoS is enabled on an interface.
Examples
# Enable QoS on Serial 1/1/1/1:0.
<H3C> system-view
[H3C] interface serial 1/1/1/1:0
[H3C-Serial1/1/1/1:0] qos enable
3.1.2 queue-scheduler wrr
Syntax
queue-scheduler wrr group { queue-id queue-weight } & <1-4>
undo queue-scheduler
View
Channelized serial interface view, MP interface view
Parameters
wrr: Weighted round robin (WRR) queue scheduling.
queue-id: Output queue ID, in the range of 0 to 3. & <1-4> indicates that you can specify up to four pairs of queue ID and weight.
queue-weight: Queue weight value, in the range of 1 to 15. & <1-4> indicates that you can specify up to four pairs of queue ID and weight.
Description
Use the queue-scheduler wrr command to configure the queue scheduling mode of a WAN interface.
Examples
# Schedule queue 2 and queue 3 with WRR and queue 0 and queue 1 with SP. Assign weight 20 and 30 to queue 2 and queue 3.
<H3C> system-view
[H3C] interface serial 1/1/1/1:0
[H3C-Serial1/1/1/1:0] qos enable
[H3C-Serial1/1/1/1:0] queue-scheduler wrr group 2 20 3 30
3.1.3 tail-drop
Syntax
queue queue-id tail-drop dp0-threshold dp1-threshold dp2-threshold
undo queue queue-id tail-drop
View
Channelized serial interface view, MP-group interface view
Parameters
queue-id: Queue ID, in the range of 0 to 3.
tail-drop: Enables tail drop.
dp0-threshold: Queue length that triggers dropping green packets (in 256 bytes), in the range of 0 to 511.
dp1-threshold: Queue length that triggers dropping yellow packets (in 256 bytes), in the range of 0 to 511.
dp2-threshold: Queue length that triggers dropping red packets (in 256 bytes), in the range of 0 to 511.
Description
Use the queue command to set tail drop thresholds on the specified channelized serial interface or MP-group interface.
Use the undo queue command to restore the default tail drop thresholds.
Note:
The following are the default tail drop thresholds for a channelized serial interface with QoS enabled:
- dp0-threshold: 511, 100%
- dp1-threshold: 460, about 90%
- dp2-threshold: 408, about 80%
Examples
# Set tail drop thresholds for queue 1 on Serial 1/1/1/1:0 as follows: dp0-threshold 76800 bytes (300 × 256 bytes), dp1-threshold 51200 bytes (200 × 256 bytes), and dp2-threshold 25600 bytes (100 × 256 bytes).
<H3C> system-view
[H3C] interface serial 1/1/1/1:0
[H3C-Serial1/1/1/1:0] qos enable
[H3C-Serial1/1/1/1:0] queue 1 tail-drop 300 200 100
Chapter 4 ACL Control Commands to Control Login Users
4.1 ACL Control Commands to Control Login Users
4.1.1 acl
Syntax
acl acl-number1 { inbound | outbound }
undo acl acl-number1 { inbound | outbound }
acl acl-number2 inbound
undo acl acl-number2 inbound
View
User interface view
Parameters
acl-number1: Number of a basic or advanced number-based ACL, ranging from 2000 to 3999.
acl-number2: Number of a number-based Layer 2 ACL, ranging from 4000 to 4999.
inbound: Performs ACL control to the users accessing the local switch through Telnet or SSH.
outbound: Performs ACL control to the users accessing other switches from the local switch through Telnet or SSH.
Description
Use the acl command to apply an ACL to control the users accessing through Telnet or SSH.
Use the undo acl command to remove the ACL control configured for users accessing through Telnet or SSH.
Note:
- You can only apply number-based ACLs to implement the ACL control to the users accessing through Telnet or SSH.
- When you use a basic or advanced ACL to implement the ACL control to the users accessing through Telnet or SSH, incoming/outgoing connecting requests are restricted based on the source or destination IP addresses. Therefore, when you use the rules of a basic or advanced ACL, only the source IP address and its mask, the destination IP address and its mask, and the time-range parameter in them are valid. Similarly, when you use Layer 2 ACLs to implement the ACL control to the users accessing through Telnet or SSH, incoming/outgoing requests are restricted based on the source MAC addresses. Therefore, when you use the rules of a Layer 2 ACL, only the source MAC address and its mask and the time-range parameter are valid.
- When you use a Layer 2 ACL to implement ACL control to the users accessing through Telnet or SSH, only incoming requests are restricted.
- If a user fails to log in due to ACL restriction, the system logs the failure, including the IP address, login method, user interface index value and the cause.
By default, the system does not restrict incoming/outgoing requests.
Examples
# Perform ACL control to the users who access the local switch through Telnet (assuming that ACL 2000 is previously created).
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] user-interface vty 0 4
[H3C-user-interface-vty0-4] acl 2000 inbound
4.1.2 snmp-agent community
Syntax
snmp-agent community { read | write } community-name [ mib-view view-name ] [ acl acl-number ]
undo snmp-agent community community-name
View
System view
Parameters
read: Indicates that this community name has the read-only right within the specified view.
write: Indicates that this community name has the read-write right within the specified view.
community-name: Community name, consisting of 1 to 32 characters.
mib-view: Sets the MIB view name which can be accessed by the community name.
view-name: MIB view name, consisting of 1 to 32 characters.
acl acl-number: Specifies a basic number-based ACL by its number, ranging from 2000 to 2999.
Description
Use the snmp-agent community command to set the community access name, permit the access to the switch using SNMP, and reference the ACL to perform ACL control to the network management users by acl-number.
Use the undo snmp-agent community command to remove the setting of community access name.
By default, SNMPv1 and SNMPv2C use community names to perform access.
Examples
# Set the community name to Test, permit the user to perform read-only access by using this community name, and reference the ACL 2000 to perform ACL control to the network management users (assuming that basic ACL 2000 has already been defined).
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] snmp-agent community read test acl 2000
4.1.3 snmp-agent group
Syntax
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group { v1 | v2c } group-name
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
undo snmp-agent group v3 group-name [ authentication | privacy ]
View
System view
Parameters
v1: SNMPv1 security mode.
v2c: SNMPv2c security mode.
v3: SNMPv3 security mode.
group-name: Group name, ranging from 1 to 32 bytes.
authentication: Authenticates SNMP data without encrypting it.
privacy: Authenticates and encrypts packets.
read-view: Sets read-only view.
read-view: Name of read-only view, ranging from 1 to 32 bytes.
write-view: Sets read-write view.
write-view: Name of read-write view, ranging from 1 to 32 bytes.
notify-view: Sets notify view.
notify-view: Name of notify view, ranging from 1 to 32 bytes.
acl acl-number: Specifies a basic number-based ACL by its number, ranging from 2000 to 2999.
Description
Use the snmp-agent group command to configure a new SNMP group and reference the ACL to perform ACL control to the network management users by acl acl-number.
Use the undo snmp-agent group command to remove a specified SNMP group.
Examples
# Create an SNMP group test, and reference the ACL 2001 to perform ACL control to the network management users (assuming that basic ACL 2001 has already been defined).
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] snmp-agent group v1 test acl 2001
4.1.4 snmp-agent usm-user
Syntax
snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
undo snmp-agent usm-user { v1 | v2c } user-name group-name
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } auth-password ] [ privacy des56 priv-password ] [ acl acl-number ]
undo snmp-agent usm-user v3 user-name group-name { local | engineid engineid-string }
View
System view
Parameters
v1: SNMPv1 security mode.
v2c: SNMPv2c security mode.
v3: SNMPv3 security mode.
user-name: User name, ranging from 1 to 32 bytes.
group-name: Corresponding group name of the user, ranging from 1 to 32 bytes.
authentication-mode: Specifies the security level as "to be authenticated".
md5: Specifies the authentication protocol as HMAC-MD5-96.
sha: Specifies the authentication protocol as HMAC-SHA-96.
auth-password: Authentication password, character string, ranging from 1 to 64 bytes.
privacy: Specifies the security level as encryption.
des56: Specifies the DES encryption protocol.
priv-password: Encryption password, character string, ranging from 1 to 64 bytes.
acl acl-number: Specifies a basic number-based ACL by its number, ranging from 2000 to 2999.
local: Specifies a local entity user.
engineid: Specifies the engine ID related to the user.
engineid-string: Engine ID character string.
Description
Use the snmp-agent usm-user command to add a new user to an SNMP group, and reference the ACL to perform ACL control to the network management users by acl acl-number.
Use the undo snmp-agent usm-user command to remove the user from the related SNMP group as well as the configuration of the ACL control of the user.
Examples
# Add a user test to the SNMP group testgroup. Set the security level to "to be authenticated", the authentication protocol to HMAC-MD5-96 and the authentication password to H3C, and reference the ACL 2002 to perform ACL control to the network management users (basic ACL 2002 has already been defined).
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] snmp-agent usm-user v3 test testgroup authentication-mode md5 H3C acl 2002
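The login and SNMP controls in sections 4.1.1 to 4.1.4 restrict access only where the acl option is actually configured, so a saved configuration can be checked for gaps. The following Python script is an added example, not H3C code: it audits a constructed configuration (sub-commands are assumed to be indented under their user-interface line), and the finding codes are hypothetical names chosen here.

```python
import re

# Constructed sample, not taken from a real device. It uses only the command
# forms documented in sections 4.1.1 to 4.1.4; sub-commands of a user-interface
# block are assumed to be indented by one space.
SAMPLE_CONFIG = """\
snmp-agent community read test acl 2000
snmp-agent community write netops
snmp-agent group v1 legacy acl 2001
snmp-agent group v3 secure privacy acl 2002
snmp-agent usm-user v3 test testgroup authentication-mode md5 H3C acl 2002
snmp-agent usm-user v3 probe secure
user-interface vty 0 4
 acl 2000 inbound
user-interface vty 5 9
 acl 3000 outbound
"""


def parse_options(tokens, arity):
    """Walk keyword options left to right, skipping each keyword's arguments,
    so that a password or name equal to a keyword is not misread."""
    found, i = {}, 0
    while i < len(tokens):
        n = arity.get(tokens[i], 0)
        found[tokens[i]] = tokens[i + 1:i + 1 + n]
        i += 1 + n
    return found


def audit_snmp(words):
    """Return the finding codes (hypothetical names) for one snmp-agent line."""
    kind, codes = words[1], []
    if kind == "community" and len(words) >= 4:
        opts = parse_options(words[4:], {"mib-view": 1, "acl": 1})
        if "acl" not in opts:
            codes.append("WRITE_COMMUNITY_NO_ACL" if words[2] == "write"
                         else "COMMUNITY_NO_ACL")
    elif kind == "group" and len(words) >= 4:
        opts = parse_options(words[4:], {"read-view": 1, "write-view": 1,
                                         "notify-view": 1, "acl": 1})
        # v1/v2c groups have no authentication or privacy keyword at all.
        if words[2] != "v3" or not opts.keys() & {"authentication", "privacy"}:
            codes.append("GROUP_NO_AUTH")
        if "acl" not in opts:
            codes.append("GROUP_NO_ACL")
    elif kind == "usm-user" and len(words) >= 5:
        opts = parse_options(words[5:], {"authentication-mode": 2,
                                         "privacy": 2, "acl": 1})
        auth = opts.get("authentication-mode")
        if words[2] != "v3" or not auth:
            codes.append("USER_NO_AUTH")
        else:
            if auth[0] == "md5":            # sha is the other documented option
                codes.append("USER_AUTH_MD5")
            if "privacy" not in opts:       # authenticated but not encrypted
                codes.append("USER_NO_PRIVACY")
        if "acl" not in opts:
            codes.append("USER_NO_ACL")
    return codes


def audit(config):
    """Return (line number, finding code, config line) tuples in file order."""
    findings, vty = [], None      # vty = [line no, header, inbound ACL seen]

    def close_vty():
        # By default incoming requests are not restricted, so a VTY block
        # without "acl <number> inbound" accepts logins from any source.
        if vty and not vty[2]:
            findings.append((vty[0], "VTY_NO_INBOUND_ACL", vty[1]))

    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if vty and raw[0].isspace():
            if re.fullmatch(r"acl \d+ inbound", line):
                vty[2] = True
            continue
        close_vty()
        vty = None
        words = line.split()
        if words[:2] == ["user-interface", "vty"]:
            vty = [no, line, False]
        elif words[0] == "snmp-agent" and len(words) > 1:
            findings += [(no, code, line) for code in audit_snmp(words)]
    close_vty()
    return findings


if __name__ == "__main__":
    for no, code, line in audit(SAMPLE_CONFIG):
        print(f"line {no}: {code}: {line}")
```

The second VTY block is reported because an outbound ACL alone leaves incoming Telnet or SSH requests unrestricted.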
Chapter 5 VLAN-ACL Configuration Commands
5.1 VLAN-ACL Configuration Commands
The VLAN-ACL configuration is subject to the following limitations:
1) Limitations on flow templates:
- The system only applies VLAN-ACL to ports with the default flow template applied. The applied ACL rule field must be specified by the default flow template.
- If no port in a VLAN has ACL rules applied to, the system checks all ports in the VLAN when applying an ACL rule in VLAN view and prohibits the ACL rule from being applied if a port in the VLAN has a customized flow template applied to.
- If a VLAN-ACL is applied to some of the ports in a VLAN, a port with a customized flow template applied to can be added to the VLAN. But the system will fail to apply the VLAN-ACL to the newly added port. That is, you can apply the VLAN-ACL in VLAN view to all the ports in the VLAN except the newly added one. However, when the self-defined flow template is deleted under the port, the system will apply QACL rules in the VLAN to the new port automatically.
- You will fail to apply the self-defined flow template of a port with a VLAN-ACL already applied to a customized flow template.
2) If both a VLAN and one of its ports have QACL rules applied, only those applied to the port work. In this case, the VLAN-ACL takes effect only after the QACL rules applied to the port are removed and the flow template applied to the port changes to the default flow template.
3) When the VLAN contains no ports, the system is prohibited from applying VLAN-ACL (including adding and deleting rules).
4) Two ports differing in VLAN-ACL configuration cannot be aggregated dynamically.
5) A VLAN-ACL is prohibited from being applied to a VLAN bound to POS ports. That is, VLAN-ACL is prohibited from being applied to POS ports.
6) A VLAN-ACL is prohibited from being applied to a VLAN containing MPLS intermixing ports. Similarly, a VLAN with a VLAN-ACL applied to is prohibited from being used for MPLS intermixing.
7) When an ACL is applied to a VLAN, if a port in the VLAN is unavailable because the board where the port resides is not in position, the port will not synchronize to the ACL after the board is in position. For the port to synchronize to the ACL, you can use the port can-access vlan-acl command on the port.
5.1.1 display qos-vlan all
Syntax
display qos-vlan [ vlan-id ] all
View
Any view
Parameters
vlan-id: VLAN ID, in the range 1 to 4094.
Description
Use the display qos-vlan all command to display QoS configuration (including the configuration of priority marking, traffic policing, traffic redirecting, and traffic accounting) information about one specific VLAN (with the vlan-id argument) or all VLANs (without the vlan-id argument) on the switch.
Examples
# Display the QoS configurations of all the VLANs.
<H3C> display qos-vlan all
Vlan 1 traffic-limit
Inbound:
There is no configuration.
Outbound:
There is no configuration.
Vlan 1 traffic-priority
Inbound:
There is no configuration.
Outbound:
There is no configuration
Vlan 1 traffic-redirect
Inbound:
There is no configuration.
Outbound:
There is no configuration
Vlan 1 traffic-statistic
Inbound:
There is no configuration.
Outbound:
There is no configuration.
Vlan 2 traffic-limit
Inbound:
Matches: Acl 2000 rule 1 running (Action-type: vlan-acl, Destination slot: 3)
Committed Information Rate: 8192 Kbps
Committed Burst Size: 10000 byte(s)
Excess Burst Size: 20000 byte(s)
Peak Information Rate: 0 Kbps
Exceed action: drop
Outbound:
There is no configuration
Vlan 2 traffic-priority
Inbound:
Matches: Acl 2000 rule 1 running (Action-type: vlan-acl, Destination slot: 3)
Priority action: remark-policed-service, untrusted, dscp: 13, cos: 6,
5.1.2 display qos-vlan traffic-limit
Syntax
display qos-vlan [ vlan-id ] traffic-limit
View
Any view
Parameters
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the display qos-vlan traffic-limit command to display the parameter configuration for traffic limit on VLAN, including the configuration information about related ACLs and policing actions.
Related commands: traffic-limit and traffic-params.
Examples
# Display the parameter configuration of traffic limit on VLANs.
<H3C> display qos-vlan traffic-limit
Vlan 1 traffic-limit
Inbound:
There is no configuration.
Outbound:
There is no configuration
Vlan 2 traffic-limit
Inbound:
Matches: Acl 2000 rule 3 running (Action-type: Vlan-acl, Destination slot: 3)
Committed Information Rate: 8192 Kbps
Committed Burst Size: 10000 byte(s)
Excess Burst Size: 20000 byte(s)
Peak Information Rate: 0 Kbps
Exceed action: drop
Outbound:
There is no configuration.
5.1.3 display qos-vlan traffic-priority
Syntax
display qos-vlan [ vlan-id ] traffic-priority
View
Any view
Parameters
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the display qos-vlan traffic-priority command to display the priority marking configuration on VLAN, including the ACL used to filter the traffic that priority marking is performed on, the type and values of priority marking.
Related commands: traffic-priority.
Examples
# Display the priority marking configuration on VLANs.
<H3C> display qos-vlan traffic-priority
Vlan 1 traffic-priority
Inbound:
There is no configuration.
Outbound:
There is no configuration
Vlan 2 traffic-priority
Inbound:
Matches: Acl 2000 rule 1 running (Action-type: Vlan-acl, Destination slot: 3)
Priority action: remark-policed-service, untrusted, dscp: 13, cos: 6, local-precedence: 6, drop-priority: 1
Outbound:
There is no configuration.
5.1.4 display qos-vlan traffic-redirect
Syntax
display qos-vlan [ vlan-id ] traffic-redirect
View
Any view
Parameters
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the display qos-vlan traffic-redirect command to display the parameter configuration for traffic redirecting on VLAN, including the related ACL and the destination port of traffic redirecting.
Related commands: traffic-redirect.
Examples
# Display the parameter configuration for traffic redirecting on VLAN 2.
<H3C> display qos-vlan 2 traffic-redirect
Vlan 2 traffic-redirect
Inbound:
Matches: Acl 2000 rule 1 running (Action-type: Vlan-acl, Destination slot: 3)
Redirected to: next-hop 1.1.1.1
Outbound:
There is no configuration.
5.1.5 display qos-vlan traffic-statistic
Syntax
display qos-vlan [ vlan-id ] traffic-statistic
View
Any view
Parameters
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the display qos-vlan traffic-statistic command to display the traffic statistics information on VLAN. The displayed information includes the ACL corresponding to the traffic on which traffic accounting is performed, action type, and statistics result.
Related commands: traffic-statistic.
Examples
# Display the traffic statistics information of VLAN 2.
<H3C> display qos-vlan 2 traffic-statistic
Vlan 2 traffic-statistic
Inbound:
Matches: Acl 3000 rule 0 running (Action-type: Vlan-acl)
0 byte (green 0 byte(s), yellow 0 byte(s), red 0 byte(s) )
0 packet
Matches: Acl 3000 rule 0 running (Action-type: Vlan-acl, Destination slot: 2)
0 byte
Outbound:
Matches: Acl 3000 rule 0 running (Action-type: Vlan-acl, Destination slot: 2)
0 byte
5.1.6 display vlan-acl-member-ports
Syntax
display vlan-acl-member-ports vlan vlan-id
View
Any view
Parameters
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the display vlan-acl-member-ports command to display which ports in a VLAN synchronize to the ACL configuration of the VLAN.
When a port is added to a VLAN, you may fail to synchronize the VLAN-ACL configuration of the VLAN because the resources are not enough or user-defined flow templates are applied to ports. You can use this command to view the ports to which the ACL rule configured on the specified VLAN is applied.
Examples
# View the ports to which the ACL rule configured on VLAN 5 is applied.
<H3C> display vlan-acl-member-ports vlan 5
Vlan-acl member port(s):
Ethernet2/1/11 Ethernet2/1/20 Ethernet2/1/21
Ethernet2/1/22 Ethernet2/1/23 Ethernet2/1/24
Ethernet2/1/25 Ethernet2/1/40
5.1.7 mirrored-to
Syntax
mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu
undo mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule ]
View
VLAN view
Parameters
inbound: Mirrors inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
cpu: Mirrors traffic to the CPU.
Description
Use the mirrored-to command to reference an ACL (or an ACL rule) to match traffic and mirror the matching traffic in the VLAN to the CPU.
Use the undo mirrored-to command to remove traffic mirroring setting.
This configuration is only applicable to the packets which match the permit statements in the ACL or the ACL rule.
Examples
# Mirror the packets received by ports in VLAN 2 and matching the permit statements in ACL 2000 to the CPU.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] mirrored-to inbound ip-group 2000 cpu
5.1.8 packet-filter
Syntax
packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] [ slot slot-id ] ]
undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] [ slot slot-id ]
View
VLAN view
Parameters
inbound: Filters inbound packets at the port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
slot slot-id: Specifies a slot by its slot ID.
Description
Use the packet-filter command to activate the ACLs in VLAN.
Use the undo packet-filter command to deactivate an active ACL.
Examples
# Activate ACL 2000 of each port in VLAN 2.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] packet-filter inbound ip-group 2000
5.1.9 port can-access vlan-acl
Syntax
port can-access vlan-acl vlan vlan-id
View
Ethernet port view
Parameters
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the port can-access vlan-acl command to synchronize the VLAN-ACL configuration of the specified VLAN to the port.
As soon as a port is assigned to a VLAN, the QACL configuration of the VLAN is synchronized to the port if adequate resources are available. The synchronization, however, may fail if system resources are not enough. In this case, you can delete part of configuration of the card and then use this command to manually synchronize the ACL rules applied to the VLAN to the specified port.
Examples
# Synchronize ACL configuration of VLAN 5 to Ethernet 3/1/1 manually.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet3/1/1
[H3C-Ethernet3/1/1] port can-access vlan-acl vlan 5
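Sections 5.1.6 and 5.1.9 together describe a check-and-repair loop: list the ports that actually carry the VLAN-ACL, compare them with the VLAN's membership, and resynchronize the ones that were missed. The Python script below is an added example, not H3C code; it parses output in the format shown in 5.1.6, and the VLAN membership list and the extra port names in it are constructed.

```python
import re

# Output in the format of the example in section 5.1.6.
SAMPLE_OUTPUT = """\
<H3C> display vlan-acl-member-ports vlan 5
Vlan-acl member port(s):
Ethernet2/1/11 Ethernet2/1/20 Ethernet2/1/21
Ethernet2/1/22 Ethernet2/1/23 Ethernet2/1/24
Ethernet2/1/25 Ethernet2/1/40
"""

# Constructed inventory of the ports assigned to VLAN 5 (for example taken
# from the site's own records). The last two ports are not in the output above.
VLAN5_PORTS = [
    "Ethernet2/1/11", "Ethernet2/1/20", "Ethernet2/1/21", "Ethernet2/1/22",
    "Ethernet2/1/23", "Ethernet2/1/24", "Ethernet2/1/25", "Ethernet2/1/40",
    "Ethernet2/1/41", "Ethernet3/1/1",
]

PORT = re.compile(r"(?:Gigabit)?Ethernet\d+/\d+/\d+")


def parse_member_ports(output):
    """Return the port names listed after the 'Vlan-acl member port(s):' line."""
    ports, in_list = [], False
    for line in output.splitlines():
        if line.strip().lower().startswith("vlan-acl member port"):
            in_list = True
            continue
        if not in_list:
            continue
        tokens = line.split()
        if tokens and all(PORT.fullmatch(t) for t in tokens):
            ports.extend(tokens)
        elif tokens:
            in_list = False        # a prompt or another command follows
    return ports


def unsynced_ports(vlan_ports, output):
    """Ports that belong to the VLAN but do not carry its ACL rules.

    The VLAN-ACL is not applied to these ports, so the filtering, policing or
    mirroring configured in VLAN view does not act on traffic they receive.
    """
    synced = set(parse_member_ports(output))
    return [p for p in vlan_ports if p not in synced]


def remediation(vlan_id, ports):
    """Build the manual synchronization commands from section 5.1.9.

    'quit' returns from Ethernet port view to system view before the next port.
    """
    lines = ["system-view"]
    for port in ports:
        lines += [f"interface {port}",
                  f"port can-access vlan-acl vlan {vlan_id}",
                  "quit"]
    return lines


if __name__ == "__main__":
    missing = unsynced_ports(VLAN5_PORTS, SAMPLE_OUTPUT)
    print("Ports without the VLAN 5 ACL:", ", ".join(missing) or "none")
    print("\n".join(remediation(5, missing)))
```

Run the display command again after the remediation, since synchronization can fail again while resources are short or a user-defined flow template is still applied to the port.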
5.1.10 traffic-limit
Syntax
traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ]
View
VLAN view
Parameters
inbound: Implements traffic policing for data packets received on the port.
ip-group { acl-number | acl-name }: Activates the ACL identified by the acl-number or acl-name argument. The ACL here can be a basic ACL or an advanced ACL. acl-number: Sequence number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a string beginning with character a-z or A-Z. Note that this argument cannot contain spaces.
rule rule: Specifies the rule identified by the rule argument of the ACL. The rule argument ranges from 0 to 127. Without this keyword, this command applies to all rules of the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Traffic control index. If the same index is configured under different flow rules when you configure the traffic policing, the total traffic of all these flows will be limited by the configured flow policing parameters. For example, the CIR value of the flow of match rule 1 is configured to be 10 kbps, and that of match rule 2 is configured to be 10 kbps. The tc-index values of the two rules are the same at the same time. Then the sum of the average rate of the flow matching rule 1 and the flow matching rule 2 will be limited to 10 kbps.
traffic-index traffic index: Traffic index value. Quote the traffic parameters through traffic-index. These traffic parameters are configured with the traffic-params command.
Note:
When you specify the same tc-index value for different flows, the parameter settings of the traffic policing action must be completely consistent; otherwise, the system prompts errors. When the tc-index is set to 0, the system selects the index automatically.
cir: Committed information rate in Kbps.
cbs: Committed burst size in bytes.
ebs: Excess burst size in bytes.
pir: Peak information rate in Kbps.
remark-cos: Sets new 802.1p priority for the packet according to its conform-level and local precedence.
remark-drop-priority: Sets drop precedence value for the packet according to its conform-level.
remark-policed-service: Sets new service parameters for the packet according to its conform-level and DSCP priority.
exceed: Sets the action to be taken when traffic threshold is exceeded.
forward: Forwards the packet.
drop: Drops the packet.
Description
Use the traffic-limit command to reference an ACL (or an ACL rule) to match traffic and police the matching traffic in the VLAN, performing different actions on the conforming traffic and exceeding traffic.
Use the undo traffic-limit command to remove the configuration.
This command only limits the traffic matching the permit statements of the specified ACL or the ACL rule.
When you set these parameters, CIR must be less than or equal to PIR and CBS must be less than or equal to EBS. Setting CBS and EBS to 100 to 150 times the CIR is recommended.
The setting of tc-index is subject to the following limitations:
- remark-cos and remark-policed-service cannot be set at the same time for the same data flow, neither can remark-drop-priority and remark-policed-service.
- To configure the remark-policed-service action, you must configure the DSCP-to-services mapping tables. To configure the remark-cos action, you must configure the local precedence-to-802.1p mapping tables.
Related commands: qos conform-level, local-precedence.
Examples
# Perform traffic limiting on packets received on the ports in VLAN 2 and matching the permit statements in ACL 3000. Set the CIR to 2000 kbps, the CBS to 1500000 bytes and the EBS to 1800000 bytes. Drop the exceeding traffic.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] traffic-limit inbound ip-group 3000 200 1500000 1800000 conform remark-policed-service exceed drop
5.1.11 traffic-priority
Syntax
traffic-priority inbound ip-group { acl-number | acl-name } { rule rule { system-index index | { remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level [ slot slot-id ] } | auto [ slot slot-id ] } } | { auto [ slot slot-id ] } | { remark-policed-service { trust-dscp | dscp dscp-value | { untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } [ slot slot-id ] } } }
undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ] [ slot slot-id ]
View
VLAN view
Parameters
inbound: Sets priority for packets received on the port.
ip-group { acl-number | acl-name }: Activates the ACL identified by the acl-number or acl-name argument. The ACL here can be a basic ACL or an advanced ACL. acl-number: Sequence number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a string beginning with character a-z or A-Z. Note that this argument cannot contain spaces.
rule rule: Specifies the rule identified by the rule argument of the ACL. The rule argument ranges from 0 to 127. Without this keyword, this command applies to all rules of the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
auto: Chooses the service parameters allocated automatically by the switch.
remark-policed-service: Sets service parameters.
trust-dscp: Sets service parameters according to the DSCP values carried by packets.
dscp dscp-value: Sets service parameters according to customized DSCP values or EXP values. For IP packets, dscp-value is the DSCP priority (six bits in length in the packet header) ranging from 0 to 63 and is set by users. For MPLS packets, the dscp-value argument indicates the DSCP priority. In addition, the three least significant bits of the value also act as the EXP flag field, which is set simultaneously when the user specifies the dscp-value argument.
untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level: Customizes a set of service parameters. For IP packets, dscp-value is the DSCP priority (six bits in length in the packet header) ranging from 0 to 63 and is set by users. For MPLS packets, the dscp-value argument indicates the DSCP priority. In addition, the three least significant bits of the value also act as the EXP flag field, which is set simultaneously when the user specifies the dscp-value argument. The local-precedence argument is the local precedence, in the range of 0 to 7. The cos-value argument is the 802.1p priority, in the range of 0 to 7. The drop-level argument is the drop level, in the range of 0 to 2.
slot slot-id: Specifies a slot by its slot ID.
Description
Use the traffic-priority command to reference an ACL (or an ACL rule) to classify traffic and assign a set of service parameters for the traffic matching the permit statements in the ACL (or the ACL rule) in the VLAN.
Use the undo traffic-priority command to remove the configuration.
The system can set service parameters for the matching traffic in one of the following modes:
1) Allocate service parameters automatically for the traffic. Upon receiving a packet, the switch allocates a set of service parameters for it according to a specific rule. To choose this mode, configure the command with the auto keyword.
2) Based on the DSCP priority of the traffic, obtain service parameters from the DSCP-to-services mapping table for the conform level of the traffic. To choose this mode, configure the command with the remark-policed-service trust-dscp keyword.
3) Based on the DSCP priority you specified for the traffic or the EXP of the MPLS traffic, obtain service parameters for the traffic from the DSCP-to-services mapping table or EXP-to-services mapping table for the conform level of the traffic. To choose this mode, select remark-policed-service dscp dscp-value in this command.
4) Directly specify a set of service parameters for the traffic. To choose this mode, configure the command with the remark-policed-service untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level parameters.
Note:
- For priority marking actions, the DSCP-to-services mapping table or EXP-to-services mapping table for conform level 0 applies.
- To use the second or the third mode, make sure that you have configured the DSCP-to-services mapping tables and EXP-to-services mapping tables.
Related commands: qos conform-level, dscp, exp.
Examples
# Configure the switch to automatically assign service parameters for the incoming packets matching the permit statements in ACL 3000 in VLAN 2.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] traffic-priority inbound ip-group 3000 auto
5.1.12 traffic-redirect
Syntax
traffic-redirect inbound ip-group { acl-number | acl-name } { { rule rule { cpu [ slot slot-id ] | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | system-index index { cpu [ slot slot-id ] | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] } } } | { cpu [ slot slot-id ] } | { next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] [ slot slot-id ] } }
undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] [ slot slot-id ]
View
VLAN view
Parameters
inbound: Redirects data packets received by a port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
cpu: Redirects packets to the CPU.
next-hop ip-addr1 [ ip-addr2 ]: Redirects packets to the specified IP address. You can define two IP addresses at a time. The first IP address has the higher priority, so the system redirects packets to it. However, if the first one is unreachable, the system automatically redirects packets to the second IP address.
invalid { forward | drop }: Sets the method of processing packets (forward or drop) when the IP address of the next hop is invalid. The packet will be dropped by default.
slot slot-id: Specifies a slot by its slot ID.
Description
Use the traffic-redirect command to reference an ACL (or an ACL rule) and configure traffic redirecting for the traffic matching the permit statements of the ACL or the ACL rule in the VLAN.
Use the undo traffic-redirect command to remove traffic redirecting setting.
You can redirect packets to the CPU or a specified IP address.
Note:
- The traffic redirecting setting takes effect only on the traffic matching the permit statements in the ACL or the ACL rule.
- The packet redirected to the CPU will not be forwarded as usual.
- You can achieve policy routing by selecting the next-hop keyword in this command.
Examples
# Redirect the packets of VLAN 2 that match the permit statements in ACL 3000 to the CPU.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] traffic-redirect inbound ip-group 3000 cpu
5.1.13 traffic-statistic
Syntax
traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]
undo traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule ]
View
VLAN view
Parameters
inbound: Collects statistics of the traffic received by a port.
ip-group { acl-number | acl-name }: Activates IP ACLs, including basic and advanced ACLs. acl-number: Sequence number of ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, which must be a character string starting with an English letter (a-z or A-Z), and without any space in it.
rule rule: Specifies a rule in the ACL, ranging from 0 to 127; if not specified, all rules in the ACL will be activated.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Traffic adjustment index value. If you configure the same index value for different ACL rules when configuring traffic accounting, the switch will collect statistics of these traffic flows.
Description
Use the traffic-statistic command to reference an ACL (or an ACL rule) to match traffic and enable traffic accounting for the traffic matching the permit statements in the ACL or the ACL rule in the VLAN.
Use the undo traffic-statistic command to disable traffic accounting.
The statistics count only the hardware matches that occur during packet forwarding.
Examples
# In VLAN 2, enable traffic accounting for the packets matching the permit statements in ACL 2000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] traffic-statistic inbound ip-group 2000
Chapter 6 EACL Configuration Commands
6.1 EACL Configuration Commands
Note:
- Only the NAM service processor board supports EACL commands.
- EACL does not support Layer-2 ACLs.
- BT and reflective ACL are generally not used at the same time. That is, it is prohibited to configure both BT and reflective ACL.
6.1.1 display traffic-params
Syntax
display traffic-params [ traffic-index ]
View
Any view
Parameters
traffic-index: Traffic parameter index. If no traffic-index is specified, all traffic-indexes are displayed.
Description
Use the display traffic-params command to display the parameter configuration for traffic policing, including CIR, CBS, EBS, PIR, and so on.
Related commands: traffic-params.
Examples
# Display the parameter configuration for traffic policing.
<H3C> display traffic-params 1
traffic parameters configuration list:
index : cir cbs ebs pir
--------------------------------------------------------------------------
1 : 100 800000 800000 100
6.1.2 packet-filter
Syntax
packet-filter { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] slot slot-id
undo packet-filter { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
VLAN view
Parameters
inbound: Specifies to filter packets received on the port.
outbound: Specifies to filter packets sent out the port.
ip-group { acl-number | acl-name }: ACL or EACL. acl-number: ACL number, ranging from 2000 to 3999. acl-name: ACL name, a character string starting with an English letter from a-z or A-Z. No space is allowed in the character string.
rule rule: Specifies a rule in the designated ACL. This parameter is optional. The value ranges from 0 to 127. If this parameter is not provided in this command, this command will filter the packets that match any rule in the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
slot slot-id: Number of the slot where the service processor card resides.
Description
Use the packet-filter command to activate the ACL.
Use the undo packet-filter command to remove the configuration.
Note:
- Before configuring the packet-filter command on the service processor card, you must configure packet redirection in port view to redirect packets in the designated VLAN to the service processor card.
- This command does not support reflexive ACL rules containing deny.
Examples
# Activate ACL 3000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] packet-filter inbound ip-group 3000 slot 2
6.1.3 rule bt-flag
Syntax
rule [ rule-id ] { permit | deny } tcp [ packet-level { bridge | route } | source { source-addr wildcard | any } | destination { dest-addr wildcard | any } | source-port operator port1 [ port2 ] | destination-port operator port1 [ port2 ] ] * bt-flag [ time-range name ]
undo rule rule-id
View
EACL view
Parameters
rule-id: Indicates a rule ID of the designated ACL, in the range of 0 to 127.
permit: Permits the packets that satisfy the condition to pass through.
deny: Prevents the packets that satisfy the condition from passing through.
time-range name: Time range name, optional. It indicates that this rule is effective in this time range.
Note:
- The following sections describe attribute parameters carried by data packets. ACL makes rules based on the values of these parameters.
- BT flow restriction applies to ACL rules whose action is permit.
tcp: Type of the designated protocol. Only TCP supports bt-flag.
packet-level: Specifies to match Layer-2 packets or Layer-3 packets. If this keyword is not specified, both Layer-2 and Layer-3 packets are matched. This keyword does not occupy any flow template byte. By default, both the default flow template and user-defined flow templates support this field.
bridge: Matches only Layer-2 packets.
route: Matches only Layer-3 packets.
source source-addr wildcard | any: source-addr wildcard: Source IP address and source address wildcard, in the dotted decimal notation. any indicates all the source IP addresses.
destination dest-addr wildcard | any: dest-addr wildcard: Destination IP address and destination address wildcard, in the dotted decimal notation. any indicates all the destination IP addresses.
source-port operator port1 [ port2 ]: Source TCP port number used by a packet. operator indicates a port operator. The value of operator can be eq (equal to), gt (greater than), lt (less than), neq (not equal to) or range (within the range of). port1 [ port2 ]: Source TCP port number used by a packet, expressed with characters or numerals. When expressed with numerals, the value range is 0 to 65535. See port number mnemonic symbol list. Only the operator “range” needs both port1 and port2, while the other operators need only port1.
destination-port operator port1 [ port2 ]: Destination TCP port number used by the packet. For details, see the description of source-port operator port1 [ port2 ].
bt-flag: Indicates that this rule is only valid for BT data packets.
Description
Use the rule bt-flag command to configure a BT traffic limiting rule.
Use the undo rule command to remove the configuration.
Related commands: acl.
Note:
Only the NAM card supports application of the rule bt-flag rule.
Examples
# Configure the bt-flag rule.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 permit tcp bt-flag
6.1.4 rule reflective
Syntax
rule [ rule-id ] { permit | deny } { icmp | tcp | udp } [ packet-level { bridge | route } | source { source-addr wildcard | any } | destination { dest-addr wildcard | any } | icmp-type type code | source-port operator port1 [ port2 ] | destination-port operator port1 [ port2 ] ] * reflective [ time-range name ]
undo rule rule-id
View
EACL view
Parameters
rule-id: Indicates a rule ID of the designated ACL, in the range of 0 to 127.
permit: Permits the packets that satisfy the condition to pass through.
deny: Prevents the packets that satisfy the condition from passing through.
time-range name: Time range name, optional. It indicates that this rule is effective in this time range.
Note:
The following sections describe attribute parameters carried by data packets. ACL makes rules based on the values of these parameters.
packet-level: Specifies to match Layer-2 packets or Layer-3 packets. If this keyword is not specified, both Layer-2 and Layer-3 packets are matched. This keyword does not occupy any flow template byte. By default, both the default flow template and user-defined flow templates support this field.
bridge: Matches only Layer-2 packets.
route: Matches only Layer-3 packets.
source source-addr wildcard | any: source-addr wildcard: Source IP address and source address wildcard, in the dotted decimal notation. any indicates all the source IP addresses. This parameter is used to define an EACL.
destination dest-addr wildcard | any: dest-addr wildcard: Destination IP address and destination address wildcard, in the dotted decimal notation. any indicates all the destination IP addresses. This parameter is used to define an EACL.
source-port operator port1 [ port2 ]: Source TCP or UDP port number used by a packet. operator indicates a port operator. The value of operator can be eq (equal to), gt (greater than), lt (less than), neq (not equal to) or range (within the range of). Notice that this parameter is available only when you select TCP or UDP. port1 [ port2 ]: Source TCP or UDP port number used by a packet, expressed with characters or numerals. When expressed with numerals, the value range is 0 to 65535. See port number mnemonic symbol list. Only the operator “range” needs both port1 and port2, while the other operators need only port1. This parameter is used to define an EACL.
destination-port operator port1 [ port2 ]: Destination TCP or UDP port number used by a packet. For details, see the description of source-port operator port1 [ port2 ].
icmp-type type code: This parameter is available when the value is icmp. type code designates ICMP packets. type represents ICMP packet type, expressed with characters or numerals. When expressed with numerals, the value range is 0 to 255. code represents an ICMP code. Input it only when the protocol type is ICMP and ICMP packet type is expressed with a numeral. The value range is 0 to 255. This parameter is used to define an EACL. See Table 1-4 in the ACL Commands.
reflective: Reflexive flag.
Description
Use the rule reflective command to configure a reflexive ACL rule.
Use the undo rule command to remove the configuration.
Note:
Only the NAM card supports application of the rule reflective rule.
Related commands: acl.
Examples
# Configure a reflexive ACL rule.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 permit tcp reflective
6.1.5 traffic-limit
Syntax
traffic-limit { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] traffic-index traffic-index { conform { remark-cos | remark-policed-service } | exceed { forward | drop } } * slot slot-id
undo traffic-limit { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
VLAN view
Parameters
inbound: Performs traffic policing for traffic received by a port.
outbound: Performs traffic policing for traffic sent out a port.
ip-group { acl-number | acl-name }: ACL or EACL. acl-number: Number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a character string starting with an English letter from a-z or A-Z. No space is allowed in the character string.
rule rule: Specifies a rule in the designated ACL. This parameter is optional. The value ranges from 0 to 127. If this parameter is not provided in this command, this command will filter the packets that match any rule in the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Traffic adjustment index value. If you configure the same index value for different ACL rules when configuring traffic policing, the combined traffic of these rules is limited by the configured traffic policing parameters. For example, if the CIR for traffic matching rule 1 is set to 10 kbps, the CIR for traffic matching rule 2 is set to 10 kbps, and both rules have the same traffic adjustment index value, the sum of the average rates of the traffic matching rule 1 and rule 2 is limited to 10 kbps.
traffic-index traffic-index: Traffic index value. References the traffic parameters, which are configured with the traffic-params command.
Note:
When you designate the same tc-index for different traffic flows, the traffic policing parameters must be the same; otherwise the system gives an error prompt. Setting tc-index to 0 makes the system select the index value automatically.
conform: Sets the action to take when the data traffic does not exceed the limited value. This parameter is optional.
remark-cos: Sets a new 802.1p priority for the packet based on its conform-level and local precedence.
remark-drop-priority: Sets the drop level based on the conform-level of the packet.
remark-policed-service: Sets new service parameters based on the conform-level and DSCP priority of the packet.
exceed: Sets the action to take when the data traffic exceeds the limited value. This parameter is optional.
forward: Forwards packets.
drop: Drops packets.
slot slot-id: Number of the slot where the service processor card resides.
Description
Use the traffic-limit command to apply an ACL (or an ACL rule) to the current VLAN to match traffic of the specified service processor card and police the matching traffic, performing different actions on the conforming traffic and exceeding traffic.
Use the undo traffic-limit command to remove the configuration.
This command is only applicable to the packets which match the permit statements in the ACL or the ACL rule.
When configuring tc-index, pay attention to the following restrictions:
- For the same traffic flow, you are not permitted to configure both remark-cos and remark-policed-service or both remark-drop-priority and remark-policed-service.
- To configure the remark-policed-service action, you must configure the DSCP-to-services mapping tables. To configure the remark-cos action, you must configure the local precedence-to-802.1p mapping tables.
Note:
Before configuring the traffic-limit command on the service processor card, you must configure packet redirection in port view to redirect Layer-3 packets to the service processor card and the designated VLAN.
Related commands: qos conform-level, dscp, local-precedence, display qos-vlan traffic-limit, traffic-params.
Examples
# Use the following commands to limit the rate of data packets that match the permit statements in ACL 3000. Set cir to 200 kbps, cbs to 250000 bytes, and ebs to 300000 bytes. Drop data packets that exceed this traffic.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] traffic-params 10 cir 200 cbs 250000 ebs 300000
[H3C] vlan 2
[H3C-vlan2] traffic-limit inbound ip-group 3000 traffic-index 10 exceed drop slot 2
6.1.6 traffic-params
Syntax
traffic-params traffic-index cir committed-info-rate cbs committed-base-size ebs exceed-base-size [ pir peak-info-rate ]
undo traffic-params traffic-index
View
System view
Parameters
traffic-index: Traffic index value.
cir committed-info-rate: Committed information rate (CIR), in kbps.
cbs committed-burst-size: Committed burst size (CBS), in bytes.
ebs exceed-burst-size: Excess burst size (EBS), in bytes.
pir peak-info-rate: Peak information rate (PIR), in kbps.
Description
Use the traffic-params command to configure the traffic parameters necessary for the traffic-limit command on the service processor card.
Use the undo traffic-params traffic-index command to delete the traffic parameters.
When configuring these parameters, ensure that:
- CIR × 90 ≥ CBS
- PIR × 90 ≥ EBS
- CIR ≤ PIR or PIR = 0
- CBS ≤ EBS
Take the units of each value into account when performing the calculation.
Related commands: display traffic-params
Examples
# Set traffic-index to 10, cir to 64 kbps, cbs to 80,000 bytes, and ebs to 100,000 bytes.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] traffic-params 10 cir 64 cbs 80000 ebs 100000
Note:
The switch uses two rate-limiting algorithms, srTCM and trTCM. Which one applies depends on whether pir is configured: if pir is configured, the algorithm is trTCM; otherwise the algorithm is srTCM. For details, see RFC 2697 and RFC 2698.
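The following Python sketch is an added example, not H3C code: it implements the colour-blind srTCM and trTCM markers from RFC 2697 and RFC 2698, selects between them by whether pir is set as the note above describes, and shows the shared tc-index behaviour from the traffic-limit description (two rules on one meter are held to a single CIR). Assumptions: 1 kbps = 1000 bit/s, ebs serves as the peak bucket size in trTCM mode, and the names Meter, burst_colours and green_bytes and the pir value of 128 are constructed for the illustration.

```python
"""Colour-blind srTCM (RFC 2697) and trTCM (RFC 2698) meters driven by
traffic-params style values. Added illustration, not H3C code."""
from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"


class Meter:
    """One policer instance; flows that share a tc-index share one Meter."""

    def __init__(self, cir_kbps, cbs, ebs, pir_kbps=0):
        # Assumption: 1 kbps = 1000 bit/s, so 1 kbps refills 125 bytes/s.
        self.cir = cir_kbps * 125.0
        self.pir = pir_kbps * 125.0
        self.cbs, self.ebs = float(cbs), float(ebs)
        # pir configured -> trTCM, otherwise srTCM (as the note states).
        self.algorithm = "trTCM" if pir_kbps else "srTCM"
        self.tc = self.cbs   # committed bucket starts full
        self.te = self.ebs   # excess (srTCM) or peak (trTCM, assumed) bucket
        self.last = 0.0

    def _refill(self, now):
        dt, self.last = now - self.last, now
        if self.algorithm == "trTCM":
            # Two independent buckets, filled at CIR and at PIR.
            self.tc = min(self.cbs, self.tc + self.cir * dt)
            self.te = min(self.ebs, self.te + self.pir * dt)
        else:
            # One token stream at CIR: fill C first, overflow goes to E.
            tokens = self.cir * dt
            to_c = min(tokens, self.cbs - self.tc)
            self.tc += to_c
            self.te = min(self.ebs, self.te + tokens - to_c)

    def mark(self, now, size):
        """Colour of a packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        if self.algorithm == "trTCM":
            if self.te < size:
                return RED            # above the peak rate
            self.te -= size
            if self.tc < size:
                return YELLOW         # within peak, above committed
            self.tc -= size
            return GREEN
        if self.tc >= size:
            self.tc -= size
            return GREEN
        if self.te >= size:
            self.te -= size
            return YELLOW
        return RED


def burst_colours(meter, packets, size, at=0.0):
    """Colour counts for `packets` back-to-back packets arriving at `at`."""
    return Counter(meter.mark(at, size) for _ in range(packets))


def green_bytes(meter_for_rule, seconds, interval=0.25, size=625):
    """Total green bytes when every rule sends `size` bytes each `interval`."""
    total = 0
    for k in range(int(seconds / interval)):
        for meter in meter_for_rule.values():
            if meter.mark(k * interval, size) == GREEN:
                total += size
    return total


def demo():
    # Page example: traffic-params 10 cir 64 cbs 80000 ebs 100000 (no pir).
    sr = burst_colours(Meter(64, 80000, 100000), packets=200, size=1000)
    # Same values plus a constructed pir of 128 kbps selects trTCM.
    tr = burst_colours(Meter(64, 80000, 100000, pir_kbps=128), 200, 1000)
    # tc-index: each rule offers 20 kbps against a CIR of 10 kbps for 10 s.
    shared = Meter(10, 1250, 1250)
    same_index = green_bytes({"rule 1": shared, "rule 2": shared}, 10)
    own_index = green_bytes({"rule 1": Meter(10, 1250, 1250),
                             "rule 2": Meter(10, 1250, 1250)}, 10)
    return sr, tr, same_index, own_index


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With a shared meter the two rules together pass the same number of green bytes that a single rule would; with separate meters the total doubles, which is why identical tc-index values matter when sizing a policer.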
6.1.7 traffic-priority
Syntax
traffic-priority { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } } slot slot-id
undo traffic-priority { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
VLAN view
Parameters
inbound: Marks the priority of data packets received by a port.
outbound: Marks the priority of data packets sent by a port.
ip-group { acl-number | acl-name }: ACL or EACL. acl-number: Number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a character string starting with an English letter from a-z or A-Z. No space is allowed in the character string.
rule rule: Specifies a rule in the designated ACL. This parameter is optional. The value ranges from 0 to 127. If this parameter is not provided in this command, this command will filter the packets that match any rule in the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
auto: Keeps the service parameter of a packet without modifying it.
remark-policed-service: Redistributes a service parameter.
trust-dscp: Redistributes service parameters based on the packet DSCP.
dscp dscp-value: Redistributes service parameters based on the user-defined DSCP or EXP. For IP packets, dscp-value indicates a user-defined DSCP priority, which occupies six bits in the packet header. The value range is 0 to 63. For MPLS packets, dscp-value indicates a DSCP priority. Three lower bits of dscp-value also serve as EXP marking domain. You can set the EXP value while setting dscp-value.
untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level: Indicates that you can set a set of service parameters. For IP packets, dscp-value indicates a user-defined DSCP priority, which occupies six bits in the packet header. The value range is 0 to 63. For MPLS packets, dscp-value indicates a DSCP priority. It is also mapped to the EXP domain. You can set the EXP value while setting dscp-value. local-precedence indicates the local priority, ranging from 0 to 7. cos-value indicates the 802.1p priority, ranging from 0 to 7. drop-level indicates the drop level, expressed with numerals. The value range is 0 to 7.
Note:
The mapping relationship between dscp-value and the EXP value is as follows:
- When the S9500 switch is used as the ingress PE device, for IP packets, EXP is matched according to the DSCP-to-services mapping table for the conform level of the packets; for TCP and UDP packets, the value of EXP is the lower 3 bits of dscp-value.
- When the switch serves as an ingress P device, the EXP value matches three lower bits of dscp-value.
slot slot-id: Number of the slot where the service processor card resides.
Description
Use the traffic-priority command to reference an ACL (or an ACL rule) on the service processor card to match traffic and assign a set of service parameters for the matching traffic. If an ACL is referenced, only the permit statements in the ACL take effect.
Use the undo traffic-priority command to remove the service parameters.
You can assign service parameters for the matching traffic in one of the following modes:
1) Keep the packet parameters without modifying them. To choose this mode, configure the command with the auto keyword.
2) Configure the system to obtain service parameters from the DSCP-to-services mapping table for the conform level of the traffic based on the DSCP priority of the traffic. To choose this mode, configure the command with the remark-policed-service trust-dscp keyword.
3) Configure the system to obtain service parameters for the traffic from the DSCP-to-services mapping table or EXP-to-services mapping table for the conform level of the traffic based on the DSCP priority you specified for the traffic or the EXP of the MPLS traffic. To choose this mode, configure the command with the remark-policed-service dscp dscp-value parameters.
4) Directly specify a set of service parameters for the traffic. To choose this mode, configure the command with the remark-policed-service untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level parameters.
Note:
- Before configuring the traffic-priority command on a service processor card, you must configure packet redirection in port view to redirect Layer-3 packets to the service processor card and the designated VLAN.
- For priority marking actions, the DSCP-to-services mapping table or EXP-to-services mapping table for conform level 0 applies.
- To use the second or the third mode, make sure that you have configured the DSCP-to-services mapping tables and EXP-to-services mapping tables. For more information about the mapping tables, see the qos conform-level, dscp and exp commands.
Related commands: display qos-vlan traffic-priority, qos conform-level, dscp, exp.
Examples
# Configure the switch to automatically assign service parameters for the packets matching the permit statements in ACL 3000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] traffic-priority inbound ip-group 3000 auto slot 2
6.1.8 traffic-redirect
Syntax
traffic-redirect { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] } slot slot-id
undo traffic-redirect { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
VLAN view
Parameters
inbound: Redirects data packets received by a port.
outbound: Redirects data packets sent by a port.
ip-group { acl-number | acl-name }: ACL or EACL. acl-number: Number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a character string of 1 to 32 characters, starting with an English letter from a-z or A-Z. No space is allowed in the character string.
rule rule: Specifies a rule in the designated ACL. This parameter is optional. The value ranges from 0 to 127. If this parameter is not provided, the command applies to the packets that match any rule in the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
cpu: Redirects the packet to the CPU.
next-hop ip-addr1 [ ip-addr2 ]: Redirects the packet to the designated IP addresses. You can designate two IP addresses at a time. The first IP address has the higher priority, so the system redirects the packet to the first IP address. If the first IP address is unreachable, the system redirects the packet to the second IP address automatically.
slot slot-id: Number of the slot where the service processor card resides.
Description
Use the traffic-redirect command to reference an ACL or ACL rule on the service processor card to match traffic and redirect the traffic matching the permit statements in the ACL or the ACL rule.
Use the undo traffic-redirect command to remove the configuration.
You can redirect packets to one of two destinations: the CPU or a designated IP address.
Note:
- Before configuring the traffic-redirect command on the service processor card, you must configure packet redirection in port view to redirect Layer 3 packets to the service processor card and the designated VLAN.
- The traffic redirecting setting takes effect only on the traffic matching the permit statements in the ACL or the ACL rule.
- After a packet is redirected to the CPU, the packet will not be forwarded as usual.
- You can implement policy routing by configuring the next-hop keyword in the redirection command.
- Currently, service processor cards do not support multicast. You can configure an ACL to restrict which packets are redirected to the service processor cards.
Related commands: display qos-vlan traffic-redirect.
Examples
# Reference ACL 3000 to match traffic forwarded to the service processor card in slot 2 in VLAN view and redirect the matching traffic to next hops 202.119.85.1 and 202.119.95.1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 4
[H3C-vlan4] traffic-redirect inbound ip-group 3000 next-hop 202.119.85.1 202.119.95.1 slot 2
6.1.9 traffic-statistic
Syntax
traffic-statistic { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] slot slot-id
undo traffic-statistic { inbound | outbound } ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
VLAN view
Parameters
inbound: Collects traffic statistics for data packets received by a port.
outbound: Collects traffic statistics for data packets sent by a port.
ip-group { acl-number | acl-name }: ACL or EACL. acl-number: Number of the ACL, ranging from 2000 to 3999. acl-name: Name of the ACL, a character string starting with an English letter from a-z or A-Z. No space is allowed in the character string.
rule rule: Specifies a rule in the designated ACL. This parameter is optional. The value ranges from 0 to 127. If this parameter is not provided, the command applies to the packets that match any rule in the ACL.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Traffic adjustment index value. If you configure the same index value for different ACL rules when configuring traffic accounting, the switch will collect statistics of these traffic flows.
slot slot-id: Number of the slot where the service processor card resides.
Description
Use the traffic-statistic command to reference an ACL (or an ACL rule) on the specified service processor card to match traffic and enable traffic accounting for the traffic matching the permit statements in the ACL or the ACL rule.
Use the undo traffic-statistic command to remove the configuration.
The statistics count only the hardware matches in packet forwarding. You can use the display qos-vlan traffic-statistic command to view the result.
Examples
# Enable traffic accounting for the packets matching the permit statements in ACL 3000 on the service processor card in slot 3.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 2
[H3C-vlan2] traffic-statistic inbound ip-group 3000 slot 3
Chapter 7 Global ACL Configuration Commands
7.1 Global ACL Configuration Commands
7.1.1 display acl global
Syntax
display acl global [ slot slot-id ]
View
Any view
Parameters
slot slot-id: Specifies the slot number of a common interface card.
Description
Use the display acl global command to display global ACL configuration.
Examples
# Display global ACL configuration.
<H3C> display acl global slot 5
packet-filter inbound ip-group 3000 rule 0 system-index 1 slot 5
packet-filter inbound ip-group 3000 rule 1 system-index 2 slot 5
Note:
With the slot-id argument specified, the global ACL configuration on the card in the specified slot is displayed. With no slot-id specified, all the global ACL configuration is displayed, including global ACLs applied to boards that are not in place.
7.1.2 flow-template user-defined
Syntax
flow-template user-defined global slot slot-id
undo flow-template user-defined global slot slot-id
View
System view
Parameters
slot slot-id: Specifies the slot number of a normal interface card.
Description
Use the flow-template user-defined command to apply the user-defined flow template to a specified card.
Use the undo flow-template user-defined command to remove the application.
Related commands: display flow-template, flow-template user-defined slot slot-id template-info.
Examples
# Apply the user-defined flow template to the card in slot 5.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] flow-template user-defined global slot 5
[H3C] display flow-template
default flow template : ip-protocol tcp-flag sport dport icmp-type icmp-code sip 0.0.0.0 dip 0.0.0.0 vlanid
slot 5
user-defined flow template : sip 1.1.1.1 dip 2.2.2.2 smac 0003-0004-0005
Applied to Slot: 5
7.1.3 global-acl maximum slot
Syntax
global-acl maximum max-entry-num slot slot-id
undo global-acl maximum slot slot-id
View
System view
Parameters
max-entry-num: Maximum number of global ACL entries, in the range 1 to 512.
slot-id: ID of the slot where a D-type board is seated.
Description
Use the global-acl maximum slot command to configure the maximum number of global ACL entries on the specified D-type board.
Use the undo global-acl maximum slot command to restore the default.
By default, the maximum number of global ACL entries allowed on a D-type board is 1024.
Note that:
- The global-acl maximum slot command is applicable only to D-type boards.
- To make the global-acl maximum slot command take effect, you must restart the board configured with the command.
Examples
# Set the maximum number of global ACL entries allowed on the D-type board seated in slot 6 to 256.
<H3C> system-view
[H3C] global-acl maximum 256 slot 6
7.1.4 packet-filter
Syntax
I. For Layer-3 traffic only
packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] slot slot-id
undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
II. For Layer-2 and Layer-3 traffic
packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } slot slot-id
undo packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule } slot slot-id
III. For Layer-2 traffic only
packet-filter inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] slot slot-id
undo packet-filter inbound link-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
System view
Parameters
inbound: Filters incoming packets on ports.
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
slot slot-id: Number of the slot where a common interface card resides. For the undo form of this command, the slot-id argument can be any slot. Thus, you can delete the ACLs applied to the interface cards not in place.
Description
Use the packet-filter command to apply an ACL or an ACL rule to the specified interface card globally to filter the incoming packets on the card.
Use the undo packet-filter command to remove the application.
Note:
Any interface card with the C, CA, CB, DA, DB, or DC suffix in its name supports the global ACL function.
Examples
# Apply ACL 2000 to the interface card in slot 5 for packet filtering.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] packet-filter inbound ip-group 2000 slot 5
7.1.5 traffic-limit
Syntax
I. For Layer-3 traffic only
traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ] slot slot-id
undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ] slot slot-id
II. For Layer-2 and Layer-3 traffic
traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ] slot slot-id
undo traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule } slot slot-id
III. For Layer-2 traffic only
traffic-limit inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* | remark-policed-service } ] [ exceed { forward | drop } ] slot slot-id
undo traffic-limit inbound link-group { acl-number | acl-name } [ rule rule ] slot slot-id
View
System view
Parameters
inbound: Performs traffic policing on incoming packets on ports.
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Specifies a traffic policing index. If you specify the same index for different traffic policing ACL rules, the configured traffic limit applies to the total traffic of all matching flows. For example, suppose the same traffic policing index is specified for two ACL rules, rule 1 and rule 2, the CIR for the flow matching rule 1 is set to 10 kbps, and that for the flow matching rule 2 is also set to 10 kbps. Then the sum of the mean rates of the two flows (the flow matching rule 1 and the flow matching rule 2) will be limited to 10 kbps.
Note:
- If you specify the same traffic policing index (tc-index) for different ACL rules, you must set the same traffic policing action parameters for the ACL rules; otherwise an error will be displayed.
- Index 0 (specified by tc-index) means the system will automatically assign an index.
cir: Committed information rate, in kbps.
cbs: Committed burst size, in bytes.
ebs: Excess burst size, in bytes.
pir: Peak information rate, in kbps.
conform: Sets the action to be taken when the traffic does not exceed the set limit. This parameter is optional.
remark-cos: Specifies to set new 802.1p priorities for packets based on their conform levels and local precedence.
remark-drop-priority: Specifies to set drop precedence for packets based on their conform levels.
remark-policed-service: Specifies to set new service parameters for packets based on their conform levels and DSCP priorities.
exceed: Sets the action to be taken when the traffic exceeds the set limit. This parameter is optional.
forward: The action is to forward packets.
drop: The action is to drop packets.
slot slot-id: Slot number of an interface card. For the undo form of this command, the slot-id argument can be any slot. Thus, you can delete the ACLs applied to the interface cards not in place.
Description
Use the traffic-limit command to apply an ACL/ACL rule to an interface card globally for traffic policing.
This command will make the system activate traffic classification with a specified ACL/ACL rule and perform traffic limit on packets matching the ACL/ACL rule. In this command, only the permit statement(s) take effect.
Use the undo traffic-limit command to remove the traffic policing configuration.
When you set the traffic limit parameters, the CIR must be less than or equal to the PIR and the CBS must be less than or equal to the EBS. You are recommended to set the CBS and the EBS to numbers 100 to 150 times the CIR.
When you specify a traffic policing index with the tc-index keyword, pay attention to the following restrictions:
- For the same traffic flow, you are not allowed to configure both remark-cos and remark-policed-service, or both remark-drop-priority and remark-policed-service.
- To configure the remark-policed-service action, you must configure the DSCP-to-services mapping tables. To configure the remark-cos action, you must configure the local precedence-to-802.1p mapping tables.
Note:
Any interface card with the C, CA, CB, DA, DB, or DC suffix in its name supports the global ACL function.
Related commands: qos conform-level, dscp, local-precedence.
Examples
# Perform traffic policing on the packets matching ACL 4000. The traffic policing parameters for the matching traffic are a CIR of 200 kbps, a CBS of 2000 bytes and an EBS of 2500 bytes, and the action is to drop exceeding packets.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] traffic-limit inbound link-group 4000 200 2000 2500 conform remark-policed-service exceed drop slot 5
Chapter 8 WAN-ACL Configuration Commands
8.1 WAN-ACL Configuration Commands
8.1.1 display acl running-packet-filter
Syntax
display acl running-packet-filter [ interface-type interface-number ]
View
Any view
Parameters
interface-type interface-number: WAN interface, which can be a common serial interface or an MP-group interface.
Description
Use the display acl running-packet-filter command to display packet filtering information of the specified interface or all interfaces. Packet filtering information includes packet filtering rules and the state of each rule.
Related commands: packet-filter.
Examples
# Display the packet filtering information of ATM 11/1/1.1.
<H3C> display acl running-packet-filter interface atm 11/1/1.1
Atm11/1/1.1
Inbound:
Acl 3002 rule 1 not running
8.1.2 mirrored-to
Syntax
I. For Layer-3 traffic only
mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu
undo mirrored-to inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } cpu
undo mirrored-to inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
mirrored-to inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] cpu
undo mirrored-to inbound link-group { acl-number | acl-name } [ rule rule ]
View
Channelized serial interface view, MP interface view, IPoA interface view
Parameters
inbound: Performs traffic mirroring for inbound traffic.
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
Note:
If the specified index is 0, the system selects an index automatically.
cpu: Mirrors the specified traffic to the CPU.
Description
Use the mirrored-to command to reference an ACL (or an ACL rule) to match traffic and mirror the matching traffic to the CPU.
Use the undo mirrored-to command to remove the traffic mirroring setting.
This configuration is only applicable to the packets which match the permit statements in the ACL or the ACL rule.
Related commands: display qos-interface mirrored-to.
Examples
# Mirror the packets received on Serial 4/1/1:1 and matching rule 0 in ACL 2000 to the CPU.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Serial 4/1/1:1
[H3C-Serial4/1/1:1] mirrored-to inbound ip-group 2000 rule 0 cpu
8.1.3 packet-filter
Syntax
I. For Layer-3 traffic only
packet-filter inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ]
undo packet-filter inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule }
undo packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
packet-filter inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ]
undo packet-filter inbound link-group { acl-number | acl-name } [ rule rule ]
View
Channelized serial interface view, MP interface view, IPoA interface view
Parameters
inbound: Performs packet filtering for inbound traffic.
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
Description
Use the packet-filter command to reference an ACL (or an ACL rule) to the current interface for packet filtering.
Use the undo packet-filter command to remove the referenced ACL or ACL rule from the interface.
Examples
# Reference ACL 2000 to interface Serial4/1/1:1.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Serial4/1/1:1
[H3C-Serial4/1/1:1] packet-filter inbound ip-group 2000
8.1.4 traffic-limit
Syntax
I. For Layer-3 traffic only
traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-limit inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority } * | remark-policed-service } ] [ exceed { forward | drop } ]
undo traffic-limit inbound link-group { acl-number | acl-name } [ rule rule ]
View
Channelized serial interface view, MP interface view, IPoA interface view
Parameters
inbound: Performs traffic policing for inbound traffic.
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Traffic adjustment index value. If you configure the same index value for different ACL rules when configuring traffic policing, the configured traffic policing parameters limit the sum of the matching traffic. For example, the CIR of the traffic matching rule 1 is set to 10 kbps and that of the traffic matching rule 2 is also set to 10 kbps, and both rules have the same traffic adjustment index value. The sum of the average rates of the traffic matching rule 1 and the traffic matching rule 2 is then limited to 10 kbps.
Note:
- Traffic flows configured with the same tc-index must be configured with the same traffic policing parameters; otherwise, the system reports a configuration error. A tc-index of 0 means that the system selects an index value automatically.
- For interface cards with C or D suffix in their names, if the remark-cos keyword is used, both remark-cos and remark-drop-priority will take effect.
cir: Committed information rate in kbps.
cbs: Committed burst size in bytes.
ebs: Excess burst size in bytes.
pir: Peak information rate in kbps.
conform: Sets the action to be taken for the traffic that does not exceed the set value.
remark-cos: Sets new 802.1p priority for the packet according to its conform level and local precedence.
remark-drop-priority: Sets drop precedence value for the packet according to its conform level.
remark-policed-service: Sets new service parameters for the packet according to its conform level and DSCP value.
exceed: Sets the action for the case when traffic threshold is exceeded.
- forward: Forwards the packet.
- drop: Drops the packet.
traffic-index index: Traffic index.
Description
Use the traffic-limit command to apply an ACL (or an ACL rule) to the current interface to match traffic and police the matching traffic, performing different actions on the conforming traffic and exceeding traffic.
Use the undo traffic-limit command to remove the traffic limiting setting.
This command is only applicable to the packets which match the permit statements in the ACL or the ACL rule.
It is required that CIR be less than or equal to PIR and CBS be less than or equal to EBS. You are recommended to configure CBS and EBS to numbers that are 100 to 150 times the CIR.
For the same traffic, you cannot select both the remark-cos and remark-policed-service keywords, or both the remark-drop-priority and remark-policed-service keywords.
Before selecting the remark-policed-service keyword, you must make sure you have configured the DSCP + Conform-level -> Service parameter mapping table. Before selecting the remark-cos keyword, you must ensure you have configured the Local-precedence + Conform-level -> 802.1p priority mapping table.
Related commands: qos conform-level, local-precedence.
Examples
# Set traffic limiting for the packets matching the permit statements in ACL 4000: the CIR is 200 kbps, the CBS is 1,500,000 bytes, the EBS is 1,800,000 bytes, and exceeding packets are dropped.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Serial4/1/1:1
[H3C-Serial4/1/1:1] traffic-limit inbound link-group 4000 200 1500000 1800000 exceed drop
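The constraints stated for traffic-limit in sections 7.1.5 and 8.1.4 (ACL number ranges, rule range, CIR not above PIR, CBS not above EBS, the conform keyword restriction, and identical parameters for a shared tc-index) can be checked offline before a configuration is applied. The Python linter below is an added example, not H3C code: the function names and finding labels are hypothetical, every sample line except the first is constructed, and treating cir, cbs, ebs, pir, conform and exceed as the parameters that must match for a shared tc-index is an assumption.

```python
# Offline linter for "traffic-limit inbound ..." lines (added example, not vendor code).
# It checks only the constraints stated in sections 7.1.5 and 8.1.4 of this page.

ACL_RANGES = {"ip-group": (2000, 3999), "link-group": (4000, 4999)}


def parse_traffic_limit(line):
    """Parse one traffic-limit command (global form with slot, or WAN form without)."""
    tok = line.split()
    if tok[:2] != ["traffic-limit", "inbound"]:
        raise ValueError("not a traffic-limit inbound command: %r" % line)
    cfg = {"groups": [], "tc_index": 0, "pir": None, "conform": [],
           "exceed": None, "slot": None}
    i = 2
    # ACL references: ip-group and/or link-group, each with optional rule/system-index.
    while i < len(tok) and tok[i] in ACL_RANGES:
        group = {"kind": tok[i], "acl": tok[i + 1], "rule": None}
        i += 2
        if i < len(tok) and tok[i] == "rule":
            group["rule"] = int(tok[i + 1])
            i += 2
        if i < len(tok) and tok[i] == "system-index":
            i += 2
        cfg["groups"].append(group)
    if i < len(tok) and tok[i] == "tc-index":
        cfg["tc_index"] = int(tok[i + 1])
        i += 2
    # Positional values: cir cbs ebs [pir]
    rates = []
    while i < len(tok) and tok[i].isdigit() and len(rates) < 4:
        rates.append(int(tok[i]))
        i += 1
    if len(rates) < 3:
        raise ValueError("cir, cbs and ebs are mandatory")
    cfg["cir"], cfg["cbs"], cfg["ebs"] = rates[:3]
    if len(rates) == 4:
        cfg["pir"] = rates[3]
    if i < len(tok) and tok[i] == "conform":
        i += 1
        while i < len(tok) and tok[i].startswith("remark-"):
            cfg["conform"].append(tok[i])
            i += 1
    if i < len(tok) and tok[i] == "exceed":
        cfg["exceed"] = tok[i + 1]
        i += 2
    if i < len(tok) and tok[i] == "slot":
        cfg["slot"] = tok[i + 1]
        i += 2
    if i != len(tok) or not cfg["groups"]:
        raise ValueError("unparsed input in %r" % line)
    return cfg


def lint_traffic_limits(lines):
    """Return (line_number, finding) tuples; finding labels are hypothetical names."""
    findings = []
    first_by_tc = {}  # tc-index -> parameters of the first command that used it
    for n, line in enumerate(lines, 1):
        try:
            cfg = parse_traffic_limit(line)
        except (ValueError, IndexError):
            findings.append((n, "syntax"))
            continue
        for g in cfg["groups"]:
            lo, hi = ACL_RANGES[g["kind"]]
            if g["acl"].isdigit() and not lo <= int(g["acl"]) <= hi:
                findings.append((n, "acl-number-range"))
            if g["rule"] is not None and not 0 <= g["rule"] <= 127:
                findings.append((n, "rule-range"))
        if cfg["pir"] is not None and cfg["cir"] > cfg["pir"]:
            findings.append((n, "cir-exceeds-pir"))
        if cfg["cbs"] > cfg["ebs"]:
            findings.append((n, "cbs-exceeds-ebs"))
        # remark-policed-service cannot be combined with the other conform actions.
        if "remark-policed-service" in cfg["conform"] and len(cfg["conform"]) > 1:
            findings.append((n, "conform-conflict"))
        if cfg["exceed"] not in (None, "forward", "drop"):
            findings.append((n, "exceed-action"))
        # tc-index 0 means "assign automatically", so only non-zero indexes are shared.
        if cfg["tc_index"] != 0:
            params = (cfg["cir"], cfg["cbs"], cfg["ebs"], cfg["pir"],
                      tuple(cfg["conform"]), cfg["exceed"])
            seen = first_by_tc.setdefault(cfg["tc_index"], params)
            if seen != params:
                findings.append((n, "tc-index-mismatch"))
    return findings


# Line 1 is the example from section 7.1.5; lines 2 to 5 are constructed.
SAMPLE = [
    "traffic-limit inbound link-group 4000 200 2000 2500 conform remark-policed-service exceed drop slot 5",
    "traffic-limit inbound ip-group 3000 rule 1 tc-index 7 10 1500 1500 exceed drop slot 5",
    "traffic-limit inbound ip-group 3000 rule 2 tc-index 7 20 1500 1500 exceed drop slot 5",
    "traffic-limit inbound ip-group 4001 500 64000 32000 400 exceed drop",
    "traffic-limit inbound ip-group 3001 100 12000 15000 conform remark-cos remark-policed-service",
]

if __name__ == "__main__":
    for number, finding in lint_traffic_limits(SAMPLE):
        print("line %d: %s" % (number, finding))
```

The linter does not evaluate the 100-to-150-times burst size recommendation, because the page gives CIR in kbps and the burst sizes in bytes without stating how the ratio is computed.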
8.1.5 traffic-priority
Syntax
I. For Layer-3 traffic only
traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
undo traffic-priority inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
undo traffic-priority inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-priority inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { auto | remark-policed-service { trust-dscp | dscp dscp-value | untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level } }
undo traffic-priority inbound link-group { acl-number | acl-name } [ rule rule ]
View
Channelized serial interface view, MP interface view, IPoA interface view
Parameters
inbound: Performs priority marking for inbound traffic.
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
auto: Chooses the service parameters allocated automatically by the switch.
remark-policed-service: Reallocates service parameters.
trust-dscp: Reallocates service parameters according to packet DSCP values.
dscp dscp-value: Reallocates service parameters according to a user-specified DSCP value or EXP value. For IP packets, dscp-value is the specified DSCP priority (six bits in the packet header), in the range of 0 to 63. For MPLS packets, dscp-value stands for the DSCP priority and, in addition, the three high-order bits of the value represent the EXP flag field; set the EXP value when defining the dscp-value.
untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level: Customizes a set of service parameters. For IP packets, dscp-value is the specified DSCP priority (six bits in the packet header), in the range of 0 to 63. For MPLS packets, dscp-value stands for the DSCP priority and, in addition, the three high-order bits of the value represent the EXP flag field; set the EXP value when defining the dscp-value. local-precedence is the local precedence, as a number (0 to 7) or a name; cos-value is the 802.1p priority, as a number (0 to 7) or a name; drop-level is the drop level, as a number (0 to 2) or a name.
Note:
The mapping relationship between dscp-value and EXP is:
- When the S9500 switch is used as an ingress PE device: for IP packets, EXP is matched according to the DSCP-to-services mapping table for the conform level of the packets; for TCP and UDP packets, the value of EXP is the lower 3 bits of dscp-value.
- When the S9500 switch is used as an ingress P device, the value of EXP is the lower 3 bits of dscp-value.
Description
Use the traffic-priority command to reference an ACL (or an ACL rule) and assign a set of service parameters for the traffic matching the permit statements of the ACL or the ACL rule.
Use the undo traffic-priority command to remove the service parameters for the matching traffic.
You can assign service parameters for the matching traffic in one of the following modes:
1) Have the system allocate service parameters automatically for the traffic. Upon receiving a packet, the switch allocates a set of service parameters for it according to a specific rule. To choose this mode, configure the command with the auto keyword.
2) Configure the system to obtain service parameters from the DSCP-to-services mapping table for the conform level of the traffic based on the DSCP priority of the traffic. To choose this mode, configure the command with the remark-policed-service trust-dscp keyword.
3) Configure the system to obtain service parameters for the traffic from the DSCP-to-services mapping table or EXP-to-services mapping table for the conform level of the traffic based on the DSCP priority you specified for the traffic or the EXP of the MPLS traffic. To choose this mode, configure the command with the remark-policed-service dscp dscp-value parameters.
4) Directly specify a set of service parameters for the traffic. To choose this mode, configure the command with the remark-policed-service untrusted dscp dscp-value cos cos-value local-precedence local-precedence drop-priority drop-level parameters.
Note:
- For priority marking actions, the DSCP-to-services mapping table or EXP-to-services mapping table for conform level 0 applies.
- To use the second or the third mode, make sure that you have configured the DSCP-to-services mapping tables and EXP-to-services mapping tables. For more information about the mapping tables, see the qos conform-level, dscp and exp commands.
Related commands: qos conform-level, dscp, exp.
Examples
# Configure the switch to automatically assign service parameters for the packets matching the permit statements in ACL 4000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Serial4/1/1:1
[H3C-Serial4/1/1:1] traffic-priority inbound link-group 4000 auto
8.1.6 traffic-redirect
Syntax
I. For Layer-3 traffic only
traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id [ designated-vlan vlanid ] }
undo traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-redirect inbound ip-group { acl-number | acl-name } [ rule rule ] link-group { acl-number | acl-name } [ rule rule ] { cpu | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id [ designated-vlan vlanid ] }
undo traffic-redirect inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
Or
undo traffic-redirect inbound link-group { acl-number | acl-name } { rule rule ip-group { acl-number | acl-name } | ip-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] { cpu | next-hop ip-addr1 [ ip-addr2 ] [ invalid { forward | drop } ] | slot slot-id [ designated-vlan vlanid ] }
undo traffic-redirect inbound link-group { acl-number | acl-name } [ rule rule ]
View
Channelized serial interface view, MP interface view, IPoA interface view
Parameters
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
cpu: Redirects packets to the CPU.
interface interface-type interface-number destination-vlan { l2-vpn | l3-vpn }: Redirects packets to the specified Ethernet port. interface-type and interface-number together define a port. destination-vlan { l2-vpn | l3-vpn } is used to redirect MPLS packets. l2-vpn means that MPLS L2VPN packets are allowed to pass, and l3-vpn means that MPLS L3VPN packets are allowed to pass. destination-vlan must be the VLAN that the destination port belongs to.
next-hop ip-addr1 [ ip-addr2 ]: Redirects packets to the specified IP address. You can define two IP addresses, but the first one has higher priority. That is, the system redirects packets to the second IP address only if the first one is unreachable.
invalid { forward | drop }: Sets the method of processing packets (forward or drop) when the IP address of the next hop is invalid. The packet will be dropped by default.
slot slot-id: Redirects packets to the specified service processor card, which can be a VPLS card, NetStream card, or VPNNAT card at present.
designated-vlan vlanid: VLAN where a designated port resides. To redirect packets to a VPNNAT card or NetStream card, you must specify this keyword.
Description
Use the traffic-redirect command to redirect the traffic matching the permit statements in a referenced ACL or ACL rule on the current interface.
Use the undo traffic-redirect command to remove the traffic redirecting setting.
You can redirect packets to the CPU, a specified IP address, or a specified slot.
Note:
- Traffic redirecting setting is only available for traffic matching the permit statements in the ACL.
- Packets redirected to the CPU cannot be forwarded normally.
- You can achieve policy routing by selecting the next-hop keyword in this command.
- Multicast packets are not allowed to be redirected to the service processor cards.
- With the traffic redirected to a NAT board and a sub-VLAN specified as the designated VLAN, the super VLAN of the sub-VLAN is issued.
Examples
# Configure traffic redirecting on a normal interface card to redirect packets matching the permit statement of ACL 4000 to the VPLS card in slot 8.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Serial4/1/1:1
[H3C-Serial4/1/1:1] traffic-redirect inbound link-group 4000 slot 8
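The following configuration check is an added example, not part of the original manual or of any H3C tool. It reviews traffic-redirect lines against the ranges and notes given above; the names audit_redirect and SAMPLE are hypothetical, and the input is assumed to hold one command per line in the syntax shown in this section.

```python
import ipaddress

ACL_RANGES = {"ip-group": (2000, 3999), "link-group": (4000, 4999)}  # from the Parameters text

def audit_redirect(line):
    """Findings for one command line; an empty list means nothing to review."""
    tokens, findings, i = line.split(), [], 2
    try:
        if tokens[:2] != ["traffic-redirect", "inbound"]:
            raise ValueError("not a traffic-redirect inbound command")
        while tokens[i] in ACL_RANGES:  # one or two ACL references
            ref, (lo, hi) = tokens[i + 1], ACL_RANGES[tokens[i]]
            if ref.isdigit() and not lo <= int(ref) <= hi:
                findings.append(f"{tokens[i]} {ref} outside {lo}-{hi}")
            i += 2
            if tokens[i] == "rule":
                if not 0 <= int(tokens[i + 1]) <= 127:
                    findings.append(f"rule {tokens[i + 1]} outside 0-127")
                i += 2
                if tokens[i] == "system-index":
                    findings.append("manually assigned system-index (discouraged)")
                    i += 2
        action, args = tokens[i], tokens[i + 1:]
        if action == "cpu":
            findings.append("cpu: matched packets are not forwarded normally")
        elif action == "next-hop":
            hops = args[:args.index("invalid")] if "invalid" in args else args
            if not 1 <= len(hops) <= 2:
                raise ValueError("next-hop takes one or two addresses")
            for hop in hops:
                ipaddress.ip_address(hop)  # raises ValueError on a bad address
            if args[-2:] == ["invalid", "forward"]:
                findings.append("invalid forward: forwarded, not dropped, on invalid next hop")
        elif action == "slot":
            if "designated-vlan" not in args:
                findings.append("slot without designated-vlan (VPNNAT/NetStream need it)")
        else:
            findings.append(f"unknown action {action}")
    except (IndexError, ValueError):
        return ["malformed command"]
    return findings

# Constructed sample lines (assumed: one command per line), not from a real device.
SAMPLE = [
    "traffic-redirect inbound link-group 4000 slot 8",
    "traffic-redirect inbound ip-group 3000 rule 5 next-hop 192.0.2.1 192.0.2.2 invalid forward",
    "traffic-redirect inbound ip-group 4100 cpu",
    "traffic-redirect inbound ip-group 2001 rule 200 next-hop 192.0.2.9 invalid drop",
]
```

A slot finding is a prompt to check the card type, since the manual requires designated-vlan only for VPNNAT and NetStream cards.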
8.1.7 traffic-statistic
Syntax
I. For Layer-3 traffic only
traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]
undo traffic-statistic inbound ip-group { acl-number | acl-name } [ rule rule ]
II. For Layer-2 and Layer-3 traffic
traffic-statistic inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule } [ tc-index index ]
undo traffic-statistic inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
III. For Layer-2 traffic only
traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ]
undo traffic-statistic inbound link-group { acl-number | acl-name } [ rule rule ]
View
Channelized serial interface view, MP interface view, IPoA interface view
Parameters
ip-group { acl-number | acl-name }: Specifies a basic or advanced ACL, where acl-number is an ACL number ranging from 2000 to 3999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
link-group { acl-number | acl-name }: Specifies a Layer 2 ACL, where acl-number is an ACL number ranging from 4000 to 4999 and acl-name is an ACL name, a character string beginning with a letter (A to Z, a to z) and containing no spaces or quotation marks.
rule rule: Specifies a rule in the ACL. The rule argument ranges from 0 to 127. The two parameters are optional. If they are not provided, all rules in the ACL will be applied.
system-index index: System index for the specified ACL rule. Normally, when applying a rule, the system assigns a globally unique index to it for later retrieval. Alternatively, you can choose to assign a system index to an ACL rule with this command. However, as this value may change while the system is running, you are not encouraged to manually assign system indexes to ACL rules.
tc-index index: Index value of traffic conditioner. If you configure the same index value for different traffic rules, then the statistics of the matching traffic flows are collected at the same time.
Description
Use the traffic-statistic command to perform traffic accounting for traffic matching the permit statements in a referenced ACL or ACL rule.
Use the undo traffic-statistic command to remove the traffic accounting setting.
The traffic-statistic command only counts hardware matches during packet forwarding. You can view the statistics with the display qos-interface traffic-statistic command.
Examples
# Perform traffic accounting for traffic matching the permit statements in ACL 2000.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Serial4/1/1:1
[H3C-Serial4/1/1:1] traffic-statistic inbound ip-group 2000