09-Application security

07-Application Rate Limiting Configuration Examples


Copyright © 2021 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example for configuring application rate limiting.

Prerequisites

The following information applies to Comware 7-based access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access points.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

General restrictions and guidelines

This feature is supported only in E5568P01 and later.

Example: Configuring application rate limiting

Network configuration

As shown in Figure 1, the AC is connected to the Internet. Configure application rate limiting on the AC to finely manage and control applications.

Configure application rate limiting to meet the following requirements:

·     Limit both the maximum uplink bandwidth and maximum downlink bandwidth to 30720 kbps for the clients accessing the iQiYiPPS application on the Internet.

·     Guarantee both the uplink bandwidth of 30720 kbps and the downlink bandwidth of 30720 kbps for the clients accessing the FTP application on the Internet.

Figure 1 Network diagram

 

Restrictions and guidelines

·     When configuring the serial number for an AP, make sure the serial number uniquely identifies the AP. The serial number of an AP is printed on the label on the back of the AP.

·     You must set the forwarding mode to centralized forwarding mode.

Procedures

Configuring the AC

Configuring basic AC functions

1.     Configure interfaces on the AC:

# Create VLAN 100 and VLAN-interface 100. Assign an IP address to the VLAN interface. The AC will use this IP address to establish CAPWAP tunnels with APs.

<AC> system-view

[AC] vlan 100

[AC-vlan100] quit

[AC] interface vlan-interface 100

[AC-Vlan-interface100] ip address 192.1.1.1 24

[AC-Vlan-interface100] quit

# Create VLAN 200 and VLAN-interface 200. Assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.

[AC] vlan 200

[AC-vlan200] quit

[AC] interface vlan-interface 200

[AC-Vlan-interface200] ip address 192.2.1.1 24

[AC-Vlan-interface200] quit

# Set the link type to trunk for interface GigabitEthernet 1/0/1 connecting the AC and the switch, and assign it to VLANs 100 and 200.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port link-type trunk

[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[AC-GigabitEthernet1/0/1] quit

2.     Configure a wireless service:

# Create wireless service template 1 and enter its view.

[AC] wlan service-template 1

# Configure SSID service.

[AC-wlan-st-1] ssid service

# Enable the AC to forward client data traffic.

[AC-wlan-st-1] client forwarding-location ac

# Assign clients coming online through service template 1 to VLAN 200.

[AC-wlan-st-1] vlan 200

# Enable wireless service template 1.

[AC-wlan-st-1] service-template enable

[AC-wlan-st-1] quit

3.     Configure the AP:

# Create a manual AP named ap1, and specify the AP model WA4320-ACN-B.

[AC] wlan ap ap1 model WA4320-ACN-B

# Specify the serial ID 210235A1PRC183000006 for the AP.

[AC-wlan-ap-ap1] serial-id 210235A1PRC183000006

# Enter the view of radio 1, and bind wireless service template 1 to radio 1.

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template 1

# Enable radio 1.

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] quit

# Enter the view of radio 2, and bind wireless service template 1 to radio 2.

[AC-wlan-ap-ap1] radio 2

[AC-wlan-ap-ap1-radio-2] service-template 1

# Enable radio 2.

[AC-wlan-ap-ap1-radio-2] radio enable

[AC-wlan-ap-ap1-radio-2] quit

[AC-wlan-ap-ap1] quit

Configure application rate limiting

1.     Configure traffic profiles:

# Create a traffic profile named aiqiyi, and enter its view.

<AC> system-view

[AC] traffic-policy

[AC-traffic-policy] profile name aiqiyi

# Set the maximum bandwidth to 30720 kbps for both upstream and downstream traffic.

[AC-traffic-policy-profile-aiqiyi] bandwidth upstream maximum 30720

[AC-traffic-policy-profile-aiqiyi] bandwidth downstream maximum 30720

[AC-traffic-policy-profile-aiqiyi] quit

# Create a traffic profile named profileFTP, and enter its view.

[AC-traffic-policy] profile name profileFTP

# Set the guaranteed bandwidth to 30720 kbps for both upstream and downstream traffic.

[AC-traffic-policy-profile-profileFTP] bandwidth upstream guaranteed 30720

[AC-traffic-policy-profile-profileFTP] bandwidth downstream guaranteed 30720

[AC-traffic-policy-profile-profileFTP] quit

2.     Configure traffic rules:

# Create a traffic rule named aiqiyi, and enter its view.

[AC-traffic-policy] rule name aiqiyi

# Configure the predefined application iQiYiPPS as a match criterion.

[AC-traffic-policy-rule-1-aiqiyi] application app iQiYiPPS

# Specify traffic profile aiqiyi for traffic rule aiqiyi.

[AC-traffic-policy-rule-1-aiqiyi] action qos profile aiqiyi

[AC-traffic-policy-rule-1-aiqiyi] quit

# Create a traffic rule named ruleFTP, and enter its view.

[AC-traffic-policy] rule name ruleFTP

# Configure the predefined application FTP as a match criterion.

[AC-traffic-policy-rule-2-ruleFTP] application app ftp

# Specify traffic profile profileFTP for traffic rule ruleFTP.

[AC-traffic-policy-rule-2-ruleFTP] action qos profile profileFTP

[AC-traffic-policy-rule-2-ruleFTP] quit

[AC-traffic-policy] quit

3.     Configure application rate limiting criteria:

# Enter traffic policy view.

[AC] traffic-policy

# Create a traffic rule named aiqiyi, and enter its view.

[AC-traffic-policy] rule name aiqiyi

# Configure SSID service as a match criterion in traffic rule aiqiyi.

[AC-traffic-policy-rule-1-aiqiyi] wlan ssid service

# Configure AP ap1 as a match criterion in traffic rule aiqiyi.

[AC-traffic-policy-rule-1-aiqiyi] ap ap1

[AC-traffic-policy-rule-1-aiqiyi] quit

# Create a traffic rule named ruleFTP, and enter its view.

[AC-traffic-policy] rule name ruleFTP

# Configure SSID service as a match criterion in traffic rule ruleFTP.

[AC-traffic-policy-rule-2-ruleFTP] wlan ssid service

# Configure AP ap1 as a match criterion in traffic rule ruleFTP.

[AC-traffic-policy-rule-2-ruleFTP] ap ap1

[AC-traffic-policy-rule-2-ruleFTP] quit

[AC-traffic-policy] quit

Configuring the switch

1.     Configure interfaces on the switch:

# Create VLANs 100 and 200 and the corresponding VLAN interfaces. Assign IP addresses to the VLAN interfaces. VLAN 100 is used for forwarding traffic in CAPWAP tunnels between the AC and APs, and VLAN 200 is used to forward wireless packets from clients.

<Switch> system-view

[Switch] vlan 100

[Switch-vlan100] quit

[Switch] interface vlan-interface 100

[Switch-Vlan-interface100] ip address 192.1.1.2 24

[Switch-Vlan-interface100] quit

[Switch] vlan 200

[Switch-vlan200] quit

[Switch] interface vlan-interface 200

[Switch-Vlan-interface200] ip address 192.2.1.2 24

[Switch-Vlan-interface200] quit

# Set the link type to trunk for interface GigabitEthernet 1/0/1 connecting the AC and the switch, and assign it to VLANs 100 and 200.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200

[Switch-GigabitEthernet1/0/1] quit

# Set the link type to access for interface GigabitEthernet 1/0/2 connecting APs and the switch, and assign it to VLAN 100.

[Switch] interface gigabitethernet 1/0/2

[Switch-GigabitEthernet1/0/2] port link-type access

[Switch-GigabitEthernet1/0/2] port access vlan 100

# Enable PoE.

[Switch-GigabitEthernet1/0/2] poe enable

[Switch-GigabitEthernet1/0/2] quit

2.     Configure DHCP:

# Enable DHCP.

[Switch] dhcp enable

# Create a DHCP address pool named vlan100 for allocating addresses to APs. In the address pool, specify subnet 192.1.1.0/24 for dynamic address allocation, exclude addresses 192.1.1.1 and 192.1.1.2 from address allocation, and specify the gateway address as 192.1.1.1.

[Switch] dhcp server ip-pool vlan100

[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0

[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2

[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1

[Switch-dhcp-pool-vlan100] quit

# Create a DHCP address pool named vlan200 for allocating addresses to clients. In the address pool, specify subnet 192.2.1.0/24 for dynamic address allocation, exclude addresses 192.2.1.1 and 192.2.1.2 from address allocation, specify the DNS server address as needed, and specify the gateway address as 192.2.1.1.

[Switch] dhcp server ip-pool vlan200

[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0

[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2

[Switch-dhcp-pool-vlan200] dns-list 192.2.1.1

[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.1

[Switch-dhcp-pool-vlan200] quit

Verifying the configuration

Verify that the traffic of the iQiYiPPS application is rate-limited, and the traffic of the FTP application is guaranteed.
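As an added audit aid that is not part of this configuration example, the following Python script parses the traffic-policy block of the AC's configuration file and reports every rule or profile that does not meet the two bandwidth requirements of this example. The embedded sample is constructed from the relevant lines of the AC configuration file shown under "Configuration files"; names are compared case-insensitively because that file displays profileFTP as profileftp (an assumption about how the device displays names, not a documented behavior).

```python
# Constructed sample: the traffic-policy lines of the AC configuration file in this example.
SAMPLE_CONFIG = """\
traffic-policy
 rule 3 name ruleFTP parent rule
  action qos profile profileftp
  application app ftp
 rule 5 name aiqiyi
  action qos profile aiqiyi
  application app iQiYiPPS
 profile name aiqiyi
  bandwidth downstream maximum 30720
  bandwidth upstream maximum 30720
 profile name profileftp
  bandwidth downstream guaranteed 30720
  bandwidth upstream guaranteed 30720
#
"""
# This example's requirements: application -> (bandwidth kind, kbps), applied in both directions.
REQUIREMENTS = {"iqiyipps": ("maximum", 30720), "ftp": ("guaranteed", 30720)}

def parse_traffic_policy(text):
    """Parse the indent-structured block into rule and profile dicts (names lowercased)."""
    rules, profiles, cur = {}, {}, None
    for line in text.splitlines():
        if line.strip() == "#":                      # section delimiter closes the block
            break
        indent, words = len(line) - len(line.lstrip(" ")), line.split()
        if indent == 1 and words and words[0] in ("rule", "profile"):   # " rule N name X" / " profile name X"
            name = words[3] if words[0] == "rule" else words[2]
            cur = (rules if words[0] == "rule" else profiles).setdefault(name.lower(), {})
        elif indent == 2 and cur is not None:
            if words[:3] == ["action", "qos", "profile"]:
                cur["profile"] = words[3].lower()
            elif words[:2] == ["application", "app"]:
                cur["app"] = words[2].lower()
            elif words[:1] == ["bandwidth"]:         # bandwidth <direction> <kind> <kbps>
                cur[(words[1], words[2])] = int(words[3])
    return rules, profiles

def audit(text, requirements=REQUIREMENTS):
    """Return one finding per unmet requirement; an empty list means the policy matches."""
    rules, profiles = parse_traffic_policy(text)
    findings = []
    for app, (kind, kbps) in requirements.items():
        rule = next((r for r in rules.values() if r.get("app") == app), {})
        prof = profiles.get(rule.get("profile"), {})   # {} when no rule or profile applies
        for direction in ("upstream", "downstream"):
            if prof.get((direction, kind)) != kbps:
                findings.append(f"{app}: {direction} {kind} is {prof.get((direction, kind))}, expected {kbps}")
    return findings
```

Paste the output of the device's configuration display in place of the sample to audit a live AC; a non-empty result lists the application, direction and bandwidth kind that deviate.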

Configuration files

·     AC:

#

vlan 100

#

vlan 200

#

wlan service-template 1

 ssid service

 client forwarding-location ac

 vlan 200

 service-template enable

#

interface Vlan-interface100

 ip address 192.1.1.1 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

wlan ap ap1 model WA4320-ACN-B

 serial-id 210235A1PRC183000006

 radio 1

  radio enable

  service-template 1

 radio 2

  radio enable

  service-template 1

#

traffic-policy

 rule 3 name ruleFTP parent rule

  action qos profile profileftp

  application app ftp

  wlan ssid service

  ap ap1

 rule 5 name aiqiyi

  action qos profile aiqiyi

  application app iQiYiPPS

  wlan ssid service

  ap ap1

 profile name aiqiyi

  bandwidth downstream maximum 30720

  bandwidth upstream maximum 30720

 profile name profileftp

  bandwidth downstream guaranteed 30720

  bandwidth upstream guaranteed 30720

·     Switch:

#

 dhcp enable

#

vlan 100

#

vlan 200

#

interface Vlan-interface100

 ip address 192.1.1.2 255.255.255.0

#

interface Vlan-interface200

 ip address 192.2.1.2 255.255.255.0

#

dhcp server ip-pool vlan100

 network 192.1.1.0 mask 255.255.255.0

 forbidden-ip 192.1.1.1 192.1.1.2

 gateway-list 192.1.1.1

#

dhcp server ip-pool vlan200

 gateway-list 192.2.1.1

 network 192.2.1.0 mask 255.255.255.0

 forbidden-ip 192.2.1.1 192.2.1.2

 dns-list 192.2.1.1

#

interface GigabitEthernet1/0/1

 port link-type trunk

 port trunk permit vlan 100 200

#

interface GigabitEthernet1/0/2

 port link-type access

 port access vlan 100

 poe enable

Related documentation

·     Bandwidth Management Configuration Guide in H3C Access Controllers Configuration Guides

·     Bandwidth Management Command Reference in H3C Access Controllers Command References