06-S12500_Control_Plane-Based_QoS_Policy_Configuration_Examples
Introduction
This document provides examples for applying a QoS policy to the control plane.
When the data plane sends packets to the control plane at a rate beyond the control plane's processing capacity, the handling of protocol packets is affected.
You can apply a QoS policy to the control plane to take QoS actions on inbound traffic, such as packet filtering and rate limiting. This makes sure the control plane can properly receive, transmit, and process packets.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices started with the factory default configuration. When you are working in a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of QoS policy application to the control plane.
Example: Rate limiting specific protocol packets
Network requirements
As shown in Figure 1, Host sends simulated ARP broadcast packets to launch a DoS attack against Switch A.
Configure a control plane-based QoS policy on Switch A to rate limit the ARP broadcast packets to the control plane to 10 pps.
Requirements analysis
By default, the predefined QoS policy is applied to the control plane, as shown in Table 1. The predefined QoS policy identifies packet types by system-index and uses a default rate limit value for each packet type.
Table 1 Predefined QoS policy applied to the control plane
System-index | Match criterion | Default rate limit value (pps) |
---|---|---|
1 | STP | 200 |
2 | ARP-BC | 600 |
3 | IGMP | 2048 |
4 | GVRP | 100 |
5 | MLD | 500 |
6 | PIM | 2000 |
7 | DHCP | 400 |
8 | 802.3ah | 100 |
9 | TTL(1) | 20 |
10 | HopLimit(1) | 20 |
11 | | 600 |
12 | LACP | 100 |
13 | CFD | 20000 |
14 | 802.1X | 4096 |
15 | RRPP | 300 |
16 | DLDP | 100 |
17 | LLDP | 200 |
18 | Loopback | 100 |
19 | DHCP Snooping | 600 |
20 | Portal | 400 |
21 | VRRP/VRRP3 | 4000 |
22 | RSVP | 2000 |
23 | UDP Helper | 500 |
24 | DHCPv6 | 400 |
25 | ICMP ping | 1000 |
26 | OSPF | 1000 |
27 | SNMP | 200 |
28 | ISIS | 1500 |
29 | BGP | 400 |
30 | LDP | 1600 |
As shown in Table 1, ARP broadcast packets (ARP-BC) have a system index of 2 and a default rate limit of 600 pps.
Use the if-match command to reference the system index as the classification criterion, and use the packet-rate command to configure a rate limit of 10 pps for that class of packets.
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
A class referencing a system index as a match criterion cannot have any other match criteria and can be associated with only the rate limiting action (configured by using the packet-rate command).
Configuration procedures
# Create VLAN-interface 1 and configure related attributes for GigabitEthernet 3/0/1 to communicate with Host at Layer 3.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] undo shutdown
[SwitchA-GigabitEthernet3/0/1] quit
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] undo shutdown
[SwitchA-Vlan-interface1] ip address 1.1.1.254 24
[SwitchA-Vlan-interface1] quit
# Configure a control plane-based QoS policy to match the ARP broadcast packets and rate limit these packets, and apply the QoS policy to the control plane of the card in slot 3.
[SwitchA] traffic classifier ARP
[SwitchA-classifier-ARP] if-match system-index 2
[SwitchA-classifier-ARP] quit
[SwitchA] traffic behavior ARP
[SwitchA-behavior-ARP] packet-rate 10
[SwitchA-behavior-ARP] quit
[SwitchA] qos policy COPP
[SwitchA-qospolicy-COPP] classifier ARP behavior ARP
[SwitchA-qospolicy-COPP] quit
[SwitchA] control-plane slot 3
[SwitchA-cp-slot3] qos apply policy COPP inbound
Verifying the configuration
Configure the Host to send 10000 ARP packets in burst mode to Switch A. Use the command line interface to query the number of ARP packets sent to the control plane of the card in slot 3. The output shows that the control plane receives only around 10 ARP packets and the other ARP packets have been filtered. Before using the display to-cpu-packet statistics command, use the reset to-cpu-packet statistics command to clear the previous statistics first.
<SwitchA> reset to-cpu-packet statistics slot 3
<SwitchA> display to-cpu-packet statistics slot 3 | include ARP
ARP-unicast 0
ARP-multicast 9
Configuration files
#
traffic classifier ARP operator and
if-match system-index 2
#
traffic behavior ARP
packet-rate 10
#
qos policy COPP
classifier ARP behavior ARP
#
control-plane slot 3
qos apply policy COPP inbound
#
interface Vlan-interface1
ip address 1.1.1.254 255.255.255.0
Example: Filtering protocol packets from a specific interface
Network requirements
As shown in Figure 2, Host launches a DoS attack against Switch A.
Configure a control plane-based QoS policy for the control plane to deny the protocol packets from GigabitEthernet 3/0/1.
Requirements analysis
To deny the protocol packets sent by a specific interface to the control plane, use the if-match inbound-interface command to configure that interface as a match criterion in a traffic class, configure the filtering action in the traffic behavior, and apply the QoS policy to the control plane of the specified slot.
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure a control plane-based QoS policy to deny the protocol packets from a specific interface, follow these restrictions and guidelines:
· The interface specified by the if-match inbound-interface command must be in the same slot as the control plane to which the QoS policy is applied. Otherwise, the QoS policy fails to be applied.
· A class using inbound-interface as a match criterion supports only the traffic filtering or traffic policing action (filter or car command) in the associated traffic behavior.
Configuration procedures
# Create VLAN-interface 1, and configure related attributes for GigabitEthernet 3/0/1 to communicate with Host at Layer 3.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] undo shutdown
[SwitchA-GigabitEthernet3/0/1] quit
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] undo shutdown
[SwitchA-Vlan-interface1] ip address 1.1.1.254 24
[SwitchA-Vlan-interface1] quit
# Configure a control plane-based QoS policy to match the protocol packets received from GigabitEthernet 3/0/1 and filter the matched packets, and apply the QoS policy to the control plane of the card in slot 3.
[SwitchA] traffic classifier TC
[SwitchA-classifier-TC] if-match inbound-interface GigabitEthernet 3/0/1
[SwitchA-classifier-TC] quit
[SwitchA] traffic behavior TB
[SwitchA-behavior-TB] filter deny
[SwitchA-behavior-TB] quit
[SwitchA] qos policy COPP
[SwitchA-qospolicy-COPP] classifier TC behavior TB
[SwitchA-qospolicy-COPP] quit
[SwitchA] control-plane slot 3
[SwitchA-cp-slot3] qos apply policy COPP inbound
Verifying the configuration
Configure the Host to send 10000 ARP packets in burst mode to Switch A. Use the command line interface to query the number of ARP packets sent to the control plane of the card in slot 3. The output shows that the control plane receives no ARP packets. Before using the display to-cpu-packet statistics command, use the reset to-cpu-packet statistics command to clear the previous statistics first.
<SwitchA> reset to-cpu-packet statistics slot 3
<SwitchA> display to-cpu-packet statistics slot 3 | include ARP
ARP-unicast 0
ARP-multicast 0
Configuration files
#
traffic classifier TC operator and
if-match inbound-interface GigabitEthernet 3/0/1
#
traffic behavior TB
filter deny
#
qos policy COPP
classifier TC behavior TB
#
control-plane slot 3
qos apply policy COPP inbound
#
interface Vlan-interface1
ip address 1.1.1.254 255.255.255.0
Example: Filtering specific protocol packets
Network requirements
As shown in Figure 3, Host sends simulated ARP packets to launch a DoS attack against Switch A.
Configure a control plane-based QoS policy for the control plane to deny all the ARP packets.
Requirements analysis
To deny specific protocol packets (ARP packets in this example), use the if-match protocol command to configure a specific protocol (only ARP, IP, and IPv6 are supported) as a match criterion in a traffic class, configure the filtering action in the traffic behavior, and apply the QoS policy to the control plane of the specified slot.
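Added example (Python; not part of the H3C document): a small generator that checks a planned control-plane QoS policy against the restrictions stated in the three examples (a system-index class takes only packet-rate, an inbound-interface class takes only filter or car and its interface must be in the control plane's slot, and if-match protocol accepts only arp, ip and ipv6) before emitting the CLI in the order the procedures use. The names CoppRule, validate and render are hypothetical.

```python
import re
from dataclasses import dataclass

PROTOCOLS = {"arp", "ip", "ipv6"}  # if-match protocol accepts only these

@dataclass
class CoppRule:
    name: str             # used for both classifier and behavior, as the examples do
    match: str            # "system-index", "inbound-interface" or "protocol"
    value: str            # e.g. "2", "GigabitEthernet 3/0/1", "arp"
    action: str           # "packet-rate", "filter" or "car"
    action_arg: str = ""  # e.g. "10" for packet-rate, "deny" for filter

def validate(rule: CoppRule, slot: int) -> list[str]:
    """Return the guideline violations for one rule; an empty list means it is valid."""
    errors = []
    if rule.match == "system-index":
        # A system-index class can only be associated with the rate limiting action.
        if rule.action != "packet-rate":
            errors.append(f"{rule.name}: system-index class allows only packet-rate")
        if not rule.value.isdigit():
            errors.append(f"{rule.name}: system-index must be numeric")
    elif rule.match == "inbound-interface":
        # Only filter or car, and the interface must sit in the control plane's slot.
        if rule.action not in ("filter", "car"):
            errors.append(f"{rule.name}: inbound-interface class allows only filter or car")
        m = re.search(r"(\d+)/\d+/\d+", rule.value)
        if m is None or m.group(1) != str(slot):
            errors.append(f"{rule.name}: interface {rule.value} is not in slot {slot}")
    elif rule.match == "protocol":
        if rule.value not in PROTOCOLS:
            errors.append(f"{rule.name}: protocol must be one of {sorted(PROTOCOLS)}")
    else:
        errors.append(f"{rule.name}: unsupported match criterion {rule.match}")
    return errors

def render(policy: str, slot: int, rules: list[CoppRule]) -> str:
    """Emit the CLI in the order the examples use: classifier, behavior, policy, apply."""
    errors = [e for r in rules for e in validate(r, slot)]
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    for r in rules:
        lines += [f"traffic classifier {r.name}", f" if-match {r.match} {r.value}",
                  f"traffic behavior {r.name}", f" {r.action} {r.action_arg}".rstrip()]
    lines.append(f"qos policy {policy}")
    lines += [f" classifier {r.name} behavior {r.name}" for r in rules]
    lines += [f"control-plane slot {slot}", f" qos apply policy {policy} inbound"]
    return "\n".join(lines)
```

Calling render("COPP", 3, [CoppRule("ARP", "protocol", "arp", "filter", "deny")]) reproduces the configuration of this example; a rule that pairs system-index with filter deny, or an interface in another slot, raises ValueError instead of producing a policy the switch would reject.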
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
# Create VLAN-interface 1, and configure related attributes for GigabitEthernet 3/0/1 to communicate with Host at Layer 3.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] undo shutdown
[SwitchA-GigabitEthernet3/0/1] quit
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] undo shutdown
[SwitchA-Vlan-interface1] ip address 1.1.1.254 24
[SwitchA-Vlan-interface1] quit
# Configure a control plane-based QoS policy to match the ARP packets and filter these packets, and apply the QoS policy to the control plane of the card in slot 3.
[SwitchA] traffic classifier ARP
[SwitchA-classifier-ARP] if-match protocol arp
[SwitchA-classifier-ARP] quit
[SwitchA] traffic behavior ARP
[SwitchA-behavior-ARP] filter deny
[SwitchA-behavior-ARP] quit
[SwitchA] qos policy COPP
[SwitchA-qospolicy-COPP] classifier ARP behavior ARP
[SwitchA-qospolicy-COPP] quit
[SwitchA] control-plane slot 3
[SwitchA-cp-slot3] qos apply policy COPP inbound
Verifying the configuration
Configure the Host to send 10000 ARP packets in burst mode to Switch A. Use the command line interface to query the number of ARP packets sent to the control plane of the card in slot 3. The output shows that the control plane receives no ARP packets. Before using the display to-cpu-packet statistics command, use the reset to-cpu-packet statistics command to clear the previous statistics first.
<SwitchA> reset to-cpu-packet statistics slot 3
<SwitchA> display to-cpu-packet statistics slot 3 | include ARP
ARP-unicast 0
ARP-multicast 0
Configuration files
#
traffic classifier ARP operator and
if-match protocol arp
#
traffic behavior ARP
filter deny
#
qos policy COPP
classifier ARP behavior ARP
#
control-plane slot 3
qos apply policy COPP inbound
#
interface Vlan-interface1
ip address 1.1.1.254 255.255.255.0
Related documentation
· H3C S12500 Routing Switch Series ACL and QoS Configuration Guide
· H3C S12500 Routing Switch Series ACL and QoS Command Reference