10-ACL and QoS Configuration Examples



Software version: Release 7951P01

Document version: 6W100-20200625

 

Copyright © 2020 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

This chapter provides examples for configuring traffic policing and aggregate CAR to control network traffic.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of traffic policing.

Example: Policing traffic by IP address and protocol type

Network configuration

As shown in Figure 1, a company uses a dedicated line to access the Internet, with an uplink bandwidth of 60 Mbps. All end devices use the firewall as the gateway. The mail server forwards emails for all clients to the external network. The FTP server provides data services for the branch through the Internet.

Configure traffic policing to classify and rate limit the uplink traffic as follows:

·     HTTP traffic—Rate limit HTTP traffic to a total rate of 40 Mbps (15 Mbps for the 25 hosts in the R&D department and 25 Mbps for the 40 hosts in the Marketing department).

·     Email traffic—Rate limit email traffic to 2 Mbps.

·     FTP traffic—Rate limit FTP traffic to 10 Mbps.

Figure 1 Network diagram

 

Analysis

To meet the network requirements, you must perform the following tasks:

·     Configure ACLs to classify packets of different types.

·     Associate classes with policing actions to rate limit packets of different types.

Procedures

1.     Police HTTP traffic from the R&D department:

# Create advanced IPv4 ACL 3000 to match HTTP traffic from the R&D department.

<Device> system-view

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

# Create a class named rd_http, and use advanced IPv4 ACL 3000 as the match criterion.

[Device] traffic classifier rd_http

[Device-classifier-rd_http] if-match acl 3000

[Device-classifier-rd_http] quit

# Create a behavior named rd_http, and configure traffic policing with the CIR of 15 Mbps.

[Device] traffic behavior rd_http

[Device-behavior-rd_http] car cir 15360

[Device-behavior-rd_http] quit

# Create a QoS policy named rd_http, and associate the class rd_http with the behavior rd_http in the QoS policy.

[Device] qos policy rd_http

[Device-qospolicy-rd_http] classifier rd_http behavior rd_http

[Device-qospolicy-rd_http] quit

# Apply the QoS policy rd_http to the inbound direction of interface GigabitEthernet 3/1/1.

[Device] interface gigabitethernet 3/1/1

[Device-GigabitEthernet3/1/1] qos apply policy rd_http inbound

[Device-GigabitEthernet3/1/1] quit

2.     Police HTTP traffic from the Marketing department:

# Create advanced IPv4 ACL 3001 to match HTTP traffic from the Marketing department.

[Device] acl advanced 3001

[Device-acl-ipv4-adv-3001] rule permit tcp destination-port eq 80 source 192.168.2.0 0.0.0.255

[Device-acl-ipv4-adv-3001] quit

# Create a class named mkt_http, and use advanced IPv4 ACL 3001 as the match criterion.

[Device] traffic classifier mkt_http

[Device-classifier-mkt_http] if-match acl 3001

[Device-classifier-mkt_http] quit

# Create a behavior named mkt_http, and configure traffic policing with the CIR of 25 Mbps.

[Device] traffic behavior mkt_http

[Device-behavior-mkt_http] car cir 25600

[Device-behavior-mkt_http] quit

# Create a QoS policy named mkt_http, and associate the class mkt_http with the behavior mkt_http in the QoS policy.

[Device] qos policy mkt_http

[Device-qospolicy-mkt_http] classifier mkt_http behavior mkt_http

[Device-qospolicy-mkt_http] quit

# Apply the QoS policy mkt_http to the inbound direction of interface GigabitEthernet 3/1/2.

[Device] interface gigabitethernet 3/1/2

[Device-GigabitEthernet3/1/2] qos apply policy mkt_http inbound

[Device-GigabitEthernet3/1/2] quit

3.     Police email traffic and FTP traffic:

# Create advanced IPv4 ACL 3002 to match email traffic.

[Device] acl advanced 3002

[Device-acl-ipv4-adv-3002] rule permit tcp destination-port eq smtp source 192.168.10.1 0.0.0.0

[Device-acl-ipv4-adv-3002] quit

# Create a class named email, and use advanced IPv4 ACL 3002 as the match criterion.

[Device] traffic classifier email

[Device-classifier-email] if-match acl 3002

[Device-classifier-email] quit

# Create a behavior named email, and configure traffic policing with the CIR of 2 Mbps.

[Device] traffic behavior email

[Device-behavior-email] car cir 2048

[Device-behavior-email] quit

# Create basic IPv4 ACL 2001 to match FTP traffic.

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.10.2 0.0.0.0

[Device-acl-ipv4-basic-2001] quit

# Create a class named ftp, and use basic IPv4 ACL 2001 as the match criterion.

[Device] traffic classifier ftp

[Device-classifier-ftp] if-match acl 2001

[Device-classifier-ftp] quit

# Create a behavior named ftp, and configure traffic policing with the CIR of 10 Mbps.

[Device] traffic behavior ftp

[Device-behavior-ftp] car cir 10240

[Device-behavior-ftp] quit

# Create a QoS policy named email&ftp, and associate the classes email and ftp with the behaviors email and ftp in the QoS policy, respectively.

[Device] qos policy email&ftp

[Device-qospolicy-email&ftp] classifier email behavior email

[Device-qospolicy-email&ftp] classifier ftp behavior ftp

[Device-qospolicy-email&ftp] quit

# Apply the QoS policy email&ftp to the outbound direction of interface GigabitEthernet 3/1/3.

[Device] interface gigabitethernet 3/1/3

[Device-GigabitEthernet3/1/3] qos apply policy email&ftp outbound

[Device-GigabitEthernet3/1/3] quit
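The three steps above classify traffic purely by ACL match, so it is worth checking which class a given flow actually lands in before the policy is applied. The following Python model is an added example, not H3C code: it reproduces the matching semantics of the basic and advanced IPv4 ACL rules configured above (wildcard masks, protocol, destination port) and the per-interface policies that evaluate them. A packet is assumed to be a (src_ip, dst_ip, proto, dst_port) tuple; the names Rule, ip_matches, match_rule and classify are this example's own, and the sample packets are constructed.

```python
"""Offline model of how the ACLs in this example classify a packet.

Added example, not H3C code: it reproduces the matching semantics of the
basic and advanced IPv4 ACL rules configured above (wildcard masks, protocol,
destination port) and the per-interface policies they feed, so a flow can be
checked against the intended class before the policy goes on a live router.
Assumed: a packet is a (src_ip, dst_ip, proto, dst_port) tuple; Rule, ip_matches
and classify are this example's own names; sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]     # None for a basic ACL, which matches on source only
    src: str                 # source network/host from the rule
    src_wild: str            # H3C wildcard mask; "0" is shorthand for 0.0.0.0
    dst_port: Optional[int]  # None = any destination port


def ip_matches(ip: str, net: str, wildcard: str) -> bool:
    """Wildcard-mask match: every bit that is 0 in the wildcard must be equal."""
    wild = wildcard if "." in wildcard else "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def match_rule(rule: Rule, pkt: tuple) -> bool:
    src, _dst, proto, dport = pkt
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dst_port is not None and rule.dst_port != dport:
        return False
    return ip_matches(src, rule.src, rule.src_wild)


# ACLs exactly as configured in steps 1-3 (www = 80, smtp = 25).
ACLS = {
    3000: Rule("tcp", "192.168.1.0", "0.0.0.255", 80),   # rd_http
    3001: Rule("tcp", "192.168.2.0", "0.0.0.255", 80),   # mkt_http
    3002: Rule("tcp", "192.168.10.1", "0", 25),          # email
    2001: Rule(None, "192.168.10.2", "0", None),         # ftp (basic ACL)
}

# classifier -> (ACL, CIR in kbps) from the behaviors above
CLASSES = {"rd_http": (3000, 15360), "mkt_http": (3001, 25600),
           "email": (3002, 2048), "ftp": (2001, 10240)}

# Which classes a policy evaluates on each interface (policy rd_http on
# GE3/1/1 inbound, mkt_http on GE3/1/2 inbound, email&ftp on GE3/1/3 outbound).
POLICIES = {
    "GigabitEthernet3/1/1": ["rd_http"],
    "GigabitEthernet3/1/2": ["mkt_http"],
    "GigabitEthernet3/1/3": ["email", "ftp"],
}


def classify(interface: str, pkt: tuple) -> Optional[Tuple[str, int]]:
    """Return (class, CIR kbps) of the first class on `interface` whose ACL
    matches `pkt`, or None if the packet is not policed there."""
    for cls in POLICIES.get(interface, []):
        acl, cir = CLASSES[cls]
        if match_rule(ACLS[acl], pkt):
            return cls, cir
    return None


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.10 is a documentation address).
    samples = [
        ("GigabitEthernet3/1/1", ("192.168.1.37", "203.0.113.10", "tcp", 80)),
        ("GigabitEthernet3/1/1", ("192.168.1.37", "203.0.113.10", "tcp", 443)),
        ("GigabitEthernet3/1/3", ("192.168.10.2", "203.0.113.10", "tcp", 22)),
        ("GigabitEthernet3/1/3", ("192.168.10.1", "203.0.113.10", "tcp", 25)),
    ]
    for ifc, pkt in samples:
        print(ifc, pkt, "->", classify(ifc, pkt))
```

Two things the model makes visible that the procedure text does not spell out: the HTTP rules match destination port 80 only, so any other port from the same subnets is not policed by these policies, and basic ACL 2001 matches every IP packet from 192.168.10.2, so the ftp class rate limits all traffic the FTP server sends, not only FTP.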

Verifying the configuration

# Verify QoS policies applied to interfaces.

[Device] display qos policy interface

Interface: GigabitEthernet3/1/1

  Direction: Inbound

  Policy: rd_http

   Classifier: rd_http

     Operator: AND

     Rule(s) :

      If-match acl 3000

     Behavior: rd_http

      Committed Access Rate:

        CIR 15360 (kbps), CBS 960000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Bytes)                                               

        Yellow packets: 0 (Bytes)                                              

        Red packets   : 0 (Bytes)                                               

 

Interface: GigabitEthernet3/1/2

  Direction: Inbound

  Policy: mkt_http

   Classifier: mkt_http

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: mkt_http

      Committed Access Rate:

        CIR 25600 (kbps), CBS 1600000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Bytes)                                              

        Yellow packets: 0 (Bytes)                                              

        Red packets   : 0 (Bytes)                                               

 

Interface: GigabitEthernet3/1/3

  Direction: Outbound

  Policy: email&ftp

   Classifier: email

     Operator: AND

     Rule(s) :

      If-match acl 3002

     Behavior: email

      Committed Access Rate:

        CIR 2048 (kbps), CBS 128000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Bytes)                                              

        Yellow packets: 0 (Bytes)                                               

        Red packets   : 0 (Bytes)                                               

   Classifier: ftp

     Operator: AND

     Rule(s) :

      If-match acl 2001

     Behavior: ftp

      Committed Access Rate:

        CIR 10240 (kbps), CBS 640000 (Bytes), EBS 512 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Bytes)                                              

        Yellow packets: 0 (Bytes)                                              

        Red packets   : 0 (Bytes)                                               

Configuration files

#

traffic classifier email operator and

 if-match acl 3002

#

traffic classifier ftp operator and

 if-match acl 2001

#

traffic classifier mkt_http operator and

 if-match acl 3001

#

traffic classifier rd_http operator and

 if-match acl 3000

#

traffic behavior email

 car cir 2048 cbs 128000 ebs 512 green pass red discard yellow pass

#

traffic behavior ftp

 car cir 10240 cbs 640000 ebs 512 green pass red discard yellow pass

#

traffic behavior mkt_http

 car cir 25600 cbs 1600000 ebs 512 green pass red discard yellow pass

#

traffic behavior rd_http

 car cir 15360 cbs 960000 ebs 512 green pass red discard yellow pass

#

qos policy email&ftp

 classifier email behavior email

 classifier ftp behavior ftp

#

qos policy mkt_http

 classifier mkt_http behavior mkt_http

#

qos policy rd_http

 classifier rd_http behavior rd_http

#

interface GigabitEthernet3/1/3

 port link-mode bridge

 qos apply policy email&ftp outbound

#

interface GigabitEthernet3/1/1

 port link-mode bridge

 qos apply policy rd_http inbound

#

interface GigabitEthernet3/1/2

 port link-mode bridge

 qos apply policy mkt_http inbound

#

acl basic 2001

 rule 0 permit source 192.168.10.2 0

#

acl advanced 3000

 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www

#

acl advanced 3001

 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

#

acl advanced 3002

 rule 0 permit tcp source 192.168.10.1 0 destination-port eq smtp

Example: Configuring aggregate CAR

Network configuration

As shown in Figure 2, configure aggregate CAR on the device to limit the traffic from the R&D department (including R&D department 1 and R&D department 2) to 10 Mbps in both uplink and downlink directions.

Figure 2 Network diagram

 

Analysis

To limit the traffic from the R&D department to 10 Mbps in both uplink and downlink directions, configure aggregate CAR on GigabitEthernet 3/1/3 in both directions.

Procedures

1.     Configure aggregate CAR for uplink traffic:

# Create an aggregate CAR action with the CIR of 10 Mbps.

<Device> system-view

[Device] qos car uplink aggregative cir 10240

# Configure a traffic class to match the traffic of R&D Dept 1, and configure a traffic behavior to reference the aggregate CAR action for the matching traffic.

[Device] acl basic 2000

[Device-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-basic-2000] quit

[Device] traffic classifier uplink1

[Device-classifier-uplink1] if-match acl 2000

[Device-classifier-uplink1] quit

[Device] traffic behavior uplink1

[Device-behavior-uplink1] car name uplink

[Device-behavior-uplink1] quit

# Configure a traffic class to match the traffic of R&D Dept 2, and configure a traffic behavior to reference the aggregate CAR action for the matching traffic.

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.2.0 0.0.0.255

[Device-acl-ipv4-basic-2001] quit

[Device] traffic classifier uplink2

[Device-classifier-uplink2] if-match acl 2001

[Device-classifier-uplink2] quit

[Device] traffic behavior uplink2

[Device-behavior-uplink2] car name uplink

[Device-behavior-uplink2] quit

# Create a QoS policy named uplink, and associate the classes with the behaviors in the QoS policy.

[Device] qos policy uplink

[Device-qospolicy-uplink] classifier uplink1 behavior uplink1

[Device-qospolicy-uplink] classifier uplink2 behavior uplink2

[Device-qospolicy-uplink] quit

# Apply the QoS policy uplink to the outbound direction of GigabitEthernet 3/1/3.

[Device] interface gigabitethernet 3/1/3

[Device-GigabitEthernet3/1/3] qos apply policy uplink outbound

[Device-GigabitEthernet3/1/3] quit

2.     Configure aggregate CAR for downlink traffic:

# Create an aggregate CAR action with the CIR of 10 Mbps.

[Device] qos car downlink aggregative cir 10240

# Configure a traffic class to match the traffic of R&D Dept 1, and configure a traffic behavior to reference the aggregate CAR action for the matching traffic.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip destination 192.168.1.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

[Device] traffic classifier downlink1

[Device-classifier-downlink1] if-match acl 3000

[Device-classifier-downlink1] quit

[Device] traffic behavior downlink1

[Device-behavior-downlink1] car name downlink

[Device-behavior-downlink1] quit

# Configure a traffic class to match the traffic of R&D Dept 2, and configure a traffic behavior to reference the aggregate CAR action for the matching traffic.

[Device] acl advanced 3001

[Device-acl-ipv4-adv-3001] rule permit ip destination 192.168.2.0 0.0.0.255

[Device-acl-ipv4-adv-3001] quit

[Device] traffic classifier downlink2

[Device-classifier-downlink2] if-match acl 3001

[Device-classifier-downlink2] quit

[Device] traffic behavior downlink2

[Device-behavior-downlink2] car name downlink

[Device-behavior-downlink2] quit

# Create a QoS policy named downlink, and associate the classes with the behaviors in the QoS policy.

[Device] qos policy downlink

[Device-qospolicy-downlink] classifier downlink1 behavior downlink1

[Device-qospolicy-downlink] classifier downlink2 behavior downlink2

[Device-qospolicy-downlink] quit

# Apply the QoS policy downlink to the inbound direction of GigabitEthernet 3/1/3.

[Device] interface gigabitethernet 3/1/3

[Device-GigabitEthernet3/1/3] qos apply policy downlink inbound

[Device-GigabitEthernet3/1/3] quit
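The difference between the per-behavior `car cir` of the first example and the shared `car name` of this one is easiest to see by metering the same load both ways. The following Python model is an added example, not H3C code. It treats a CAR action as a single-rate three-colour meter in the style of RFC 2697, with the units the page uses (cir in kbps, cbs and ebs in bytes, green and yellow pass, red discards), and feeds two constructed 8 Mbps streams for R&D Dept 1 and Dept 2 through either two separate CAR instances or one shared instance. The router's exact bucket-update rule is not described on this page, so the refill logic, the assumption that 1 kbps is 1000 bit/s, and the names Car, run, default_cbs and per_class_vs_aggregate are this example's own.

```python
"""Token-bucket model of the H3C car parameters shown on this page.

Added example, not H3C code. A CAR action is modelled as a single-rate
three-colour meter (RFC 2697 srTCM style) with the page's units: cir in kbps,
cbs/ebs in bytes, green/yellow -> pass, red -> discard. Assumptions (not
stated on the page): 1 kbps = 1000 bit/s and tokens that overflow the C bucket
spill into the E bucket. The offered load below is constructed.
"""
from dataclasses import dataclass, field

ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}  # page defaults


@dataclass
class Car:
    cir_kbps: int
    cbs: int            # bytes, depth of the committed bucket
    ebs: int            # bytes, depth of the excess bucket
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = field(init=False)
    stats: dict = field(init=False)

    def __post_init__(self):
        self.tc, self.te, self.last = float(self.cbs), float(self.ebs), 0.0
        self.stats = {"green": 0, "yellow": 0, "red": 0}   # bytes per colour

    def _refill(self, now: float) -> None:
        add = (now - self.last) * self.cir_kbps * 1000 / 8   # bytes earned since last packet
        self.last = now
        room = self.cbs - self.tc
        if add <= room:
            self.tc += add
        else:                                # C bucket full: overflow to E
            self.tc = float(self.cbs)
            self.te = min(float(self.ebs), self.te + add - room)

    def meter(self, now: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            colour = "green"
        elif size <= self.te:
            self.te -= size
            colour = "yellow"
        else:
            colour = "red"
        self.stats[colour] += size
        return colour


def default_cbs(cir_kbps: int) -> int:
    """CBS the page's display output shows beside each CIR (960000 for 15360 kbps,
    640000 for 10240 kbps, ...) equals 0.5 s of CIR in bytes. This is the ratio
    observed in the page's output, not a documented H3C formula."""
    return cir_kbps * 1000 // 16


def run(policers: dict, seconds: float = 2.0, rate_kbps: int = 8000, pkt: int = 1500) -> dict:
    """Send a steady rate_kbps stream per class through its Car and return bytes
    passed per class. Classes mapped to the same Car object share one bucket,
    which is what `car name <aggregate-car>` in several behaviors does."""
    passed = {cls: 0 for cls in policers}
    pps = rate_kbps * 1000 / 8 / pkt            # packets per second per class
    for i in range(int(seconds * pps)):
        t = i / pps
        for cls, car in policers.items():
            if ACTIONS[car.meter(t, pkt)] == "pass":
                passed[cls] += pkt
    return passed


def per_class_vs_aggregate() -> tuple:
    """Dept 1 and Dept 2 each send 8 Mbps (constructed load). Two separate
    10240 kbps CARs admit both streams in full; one aggregate CAR caps their
    sum at roughly 10 Mbps plus the initial CBS burst."""
    separate = run({"uplink1": Car(10240, 640000, 0), "uplink2": Car(10240, 640000, 0)})
    shared = Car(10240, 640000, 0)   # qos car uplink aggregative cir 10240 cbs 640000 ebs 0
    aggregate = run({"uplink1": shared, "uplink2": shared})
    return separate, aggregate


if __name__ == "__main__":
    sep, agg = per_class_vs_aggregate()
    print("per-class CAR passed bytes:", sep)
    print("aggregate CAR passed bytes:", agg, "total", sum(agg.values()))
```

With separate CARs each department keeps its full 8 Mbps, so the pair uses 16 Mbps of the link; with the aggregate CAR the two classes drain one bucket and their combined throughput settles at the 10240 kbps CIR once the 640000-byte CBS is spent, which is the behaviour the network requirement asks for. The same `Car` with the first example's values (for instance `Car(15360, 960000, 512)`) reproduces the CIR, CBS and EBS figures in that example's `display qos policy interface` output.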

Verifying the configuration

# Verify QoS policies applied to interfaces.

[Device] display qos policy interface

 

Interface: GigabitEthernet3/1/3

  Direction: Inbound

  Policy: downlink

   Classifier: downlink1

     Operator: AND

     Rule(s) :

      If-match acl 3000

     Behavior: downlink1

      Committed Access Rate:

        Car name: downlink

   Classifier: downlink2

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: downlink2

      Committed Access Rate:

        Car name: downlink

 

Interface: GigabitEthernet3/1/3

  Direction: Outbound

  Policy: uplink

   Classifier: uplink1

     Operator: AND

     Rule(s) :

      If-match acl 2000

     Behavior: uplink1

      Committed Access Rate:

        Car name: uplink

   Classifier: uplink2

     Operator: AND

     Rule(s) :

      If-match acl 2001

     Behavior: uplink2

      Committed Access Rate:

        Car name: uplink

Configuration files

#

 qos car downlink aggregative cir 10240 cbs 640000 ebs 0 green pass red discard yellow pass

 qos car uplink aggregative cir 10240 cbs 640000 ebs 0 green pass red discard yellow pass

#

traffic classifier downlink1 operator and

 if-match acl 3000

#

traffic classifier downlink2 operator and

 if-match acl 3001

#

traffic classifier uplink1 operator and

 if-match acl 2000

#

traffic classifier uplink2 operator and

 if-match acl 2001

#

traffic behavior downlink1

 car name downlink

#

traffic behavior downlink2

 car name downlink

#

traffic behavior uplink1

 car name uplink

#

traffic behavior uplink2

 car name uplink

#

qos policy downlink

 classifier downlink1 behavior downlink1

 classifier downlink2 behavior downlink2

#

qos policy uplink

 classifier uplink1 behavior uplink1

 classifier uplink2 behavior uplink2

#

interface GigabitEthernet3/1/3

 port link-mode route

 qos apply policy downlink inbound

 qos apply policy uplink outbound

#

acl basic 2000

 rule 0 permit source 192.168.1.0 0.0.0.255

#

acl basic 2001

 rule 0 permit source 192.168.2.0 0.0.0.255

#

acl advanced 3000

 rule 0 permit ip destination 192.168.1.0 0.0.0.255

#

acl advanced 3001

 rule 0 permit ip destination 192.168.2.0 0.0.0.255

Related documentation

·     H3C CR16000-F Routers ACL and QoS Configuration Guide-R7951P01

·     H3C CR16000-F Routers ACL and QoS Command Reference-R7951P01
