Table of Contents

Related Documents

28-Traffic Policing Configuration Examples

Title	Size	Download
28-Traffic Policing Configuration Examples	181.51 KB

Introduction

This chapter provides examples for configuring traffic policing and aggregate CAR to control network traffic.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of traffic policing.

Example: Policing traffic by IP address and protocol type

Network configuration

As shown in Figure 1, a company uses a dedicated line to access the Internet, with an uplink bandwidth of 60 Mbps. All end devices use the firewall as the gateway. The mail server forwards emails for all clients to the external network. The FTP server provides data services for the branch through the Internet.

Configure traffic policing to classify and rate limit the uplink traffic as follows:

· HTTP traffic —Rate limit HTTP traffic to a total rate of 40 Mbps (15 Mbps for the 25 hosts in the R&D department and 25 Mbps for the 40 hosts in the Marketing department).

· Email traffic—Rate limit email traffic to 2 Mbps.

· FTP traffic—Rate limit FTP traffic to 10 Mbps.

Figure 1 Network diagram

Analysis

To meet the network requirements, you must perform the following tasks:

· Configure ACLs to classify packets of different types.

· Associate classes with policing actions to rate limit packets of different types.

Applicable hardware and software versions

The following matrix shows the hardware and software versions to which this configuration example is applicable:

Hardware	Software version
S6812 switch series S6813 switch series	Release 66xx
S6550XE-HI switch series	Release 6008 and later
S6525XE-HI switch series	Release 6008 and later
S5850 switch series	Release 8005 and later
S5570S-EI switch series	Release 11xx
S5560X-EI switch series	Release 63xx, Release 65xx, Release 66xx
S5560X-HI switch series	Release 63xx, Release 65xx, Release 66xx
S5500V2-EI switch series	Release 63xx, Release 65xx, Release 66xx
MS4520V2-30F switch	Release 63xx, Release 65xx, Release 66xx
MS4520V2-30C switch MS4520V2-54C switch	Release 65xx, Release 66xx
MS4520V2-28S switch MS4520V2-24TP switch	Release 63xx
S6520X-HI switch series S6520X-EI switch series	Release 63xx, Release 65xx, Release 66xx
S6520X-SI switch series S6520-SI switch series	Release 63xx, Release 65xx, Release 66xx
S5000-EI switch series	Release 63xx, Release 65xx, Release 66xx
MS4600 switch series	Release 63xx, Release 65xx, Release 66xx
ES5500 switch series	Release 63xx, Release 65xx, Release 66xx
S5560S-EI switch series S5560S-SI switch series	Release 63xx
S5500V3-24P-SI S5500V3-48P-SI	Release 63xx
S5500V3-SI switch series (except S5500V3-24P-SI and S5500V3-48P-SI)	Release 11xx
S5170-EI switch series	Release 11xx
S5130S-HI switch series S5130S-EI switch series S5130S-SI switch series S5130S-LI switch series	Release 63xx
S5120V2-SI switch series S5120V2-LI switch series	Release 63xx
S5120V3-EI switch series	Release 11xx
S5120V3-36F-SI S5120V3-28P-HPWR-SI S5120V3-54P-PWR-SI	Release 11xx
S5120V3-SI switch series (except S5120V3-36F-SI, S5120V3-28P-HPWR-SI, and S5120V3-54P-PWR-SI)	Release 63xx
S5120V3-LI switch series	Release 63xx
S3600V3-EI switch series	Release 11xx
S3600V3-SI switch series	Release 11xx
S3100V3-EI switch series S3100V3-SI switch series	Release 63xx
S5110V2 switch series	Release 63xx
S5110V2-SI switch series	Release 63xx
S5000V3-EI switch series S5000V5-EI switch series	Release 63xx
S5000E-X switch series S5000X-EI switch series	Release 63xx
E128C switch E152C switch E500C switch series E500D switch series	Release 63xx
MS4320V2 switch series MS4320V3 switch series MS4300V2 switch series MS4320 switch series MS4200 switch series	Release 63xx
WS5850-WiNet switch series	Release 63xx
WS5820-WiNet switch series WS5810-WiNet switch series	Release 63xx
WAS6000 switch series	Release 63xx
IE4300-12P-AC switch IE4300-12P-PWR switch IE4300-M switch series IE4320 switch series	Release 63xx

The port link-mode command is not supported on the following switches and the port link-mode bridge command does not appear in their configuration files.

· S5130S-HI series.

· S5130S-EI series.

· S3100V3-EI series.

· E128C switch.

· E152C switch.

· E500C series.

· E500D series.

· IE4300-12P-AC switch

· IE4300-12P-PWR switch.

· IE4300-M series.

· IE4320 series.

Procedures

1. Police HTTP traffic from the R&D department:

# Create advanced IPv4 ACL 3000 to match HTTP traffic from the R&D department.

<Device> system-view

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

# Create a class named rd_http, and use advanced IPv4 ACL 3000 as the match criterion.

[Device] traffic classifier rd_http

[Device-classifier-rd_http] if-match acl 3000

[Device-classifier-rd_http] quit

# Create a behavior named rd_http, and configure traffic policing with the CIR of 15 Mbps.

[Device] traffic behavior rd_http

[Device-behavior-rd_http] car cir 15360

[Device-behavior-rd_http] quit

# Create a QoS policy named rd_http, and associate the class rd_http with the behavior rd_http in the QoS policy.

[Device] qos policy rd_http

[Device-qospolicy-rd_http] classifier rd_http behavior rd_http

[Device-qospolicy-rd_http] quit

# Apply the QoS policy rd_http to the inbound direction of interface GigabitEthernet 1/0/3.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] qos apply policy rd_http inbound

[Device-GigabitEthernet1/0/3] quit

2. Police HTTP traffic from the Marketing department:

# Create advanced IPv4 ACL 3001 to match HTTP traffic from the Marketing department.

[Device] acl advanced 3001

[Device-acl-ipv4-adv-3001] rule permit tcp destination-port eq 80 source 192.168.2.0 0.0.0.255

[Device-acl-ipv4-adv-3001] quit

# Create a class named mkt_http, and use advanced IPv4 ACL 3001 as the match criterion.

[Device] traffic classifier mkt_http

[Device-classifier-mkt_http] if-match acl 3001

[Device-classifier-mkt_http] quit

# Create a behavior named mkt_http, and configure traffic policing with the CIR of 25 Mbps.

[Device] traffic behavior mkt_http

[Device-behavior-mkt_http] car cir 25600

[Device-behavior-mkt_http] quit

# Create a QoS policy named mkt_http, and associate the class mkt_http with the behavior mkt_http in the QoS policy.

[Device] qos policy mkt_http

[Device-qospolicy-mkt_http] classifier mkt_http behavior mkt_http

[Device-qospolicy-mkt_http] quit

# Apply the QoS policy mkt_http to the inbound direction of interface GigabitEthernet 1/0/4.

[Device] interface gigabitethernet 1/0/4

[Device-GigabitEthernet1/0/4] qos apply policy mkt_http inbound

[Device-GigabitEthernet1/0/4] quit

3. Police email traffic and FTP traffic:

# Create advanced IPv4 ACL 3002 to match email traffic.

[Device] acl advanced 3002

[Device-acl-ipv4-adv-3002] rule permit tcp destination-port eq smtp source 192.168.10.1 0.0.0.0

[Device-acl-ipv4-adv-3002] quit

# Create a class named email, and use advanced IPv4 ACL 3002 as the match criterion.

[Device] traffic classifier email

[Device-classifier-email] if-match acl 3002

[Device-classifier-email] quit

# Create a behavior named email, and configure traffic policing with the CIR of 2 Mbps.

[Device] traffic behavior email

[Device-behavior-email] car cir 2048

[Device-behavior-email] quit

# Create basic IPv4 ACL 2001 to match FTP traffic.

[Device] acl basic 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.10.2 0.0.0.0

[Device-acl-ipv4-basic-2001] quit

# Create a class named ftp, and use basic IPv4 ACL 2001 as the match criterion.

[Device] traffic classifier ftp

[Device-classifier-ftp] if-match acl 2001

[Device-classifier-ftp] quit

# Create a behavior named ftp, and configure traffic policing with the CIR of 10 Mbps.

[Device] traffic behavior ftp

[Device-behavior-ftp] car cir 10240

[Device-behavior-ftp] quit

# Create a QoS policy named email&ftp, and associate the classes email and ftp with the behavior email and ftp in the QoS policy, respectively.

[Device] qos policy email&ftp

[Device-qospolicy-email&ftp] classifier email behavior email

[Device-qospolicy-email&ftp] classifier ftp behavior ftp

[Device-qospolicy-email&ftp] quit

# Apply the QoS policy email&ftp to the inbound direction of interface GigabitEthernet 1/0/2.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] qos apply policy email&ftp inbound

[Device-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify QoS policies applied to interfaces.

[Device] display qos policy interface

Interface: GigabitEthernet1/0/2

Direction: Inbound

Policy: email&ftp

Classifier: email

Operator: AND

Rule(s) :

If-match acl 3002

Behavior: email

Committed Access Rate:

CIR 2048 (kbps), CBS 128000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Classifier: ftp

Operator: AND

Rule(s) :

If-match acl 2001

Behavior: ftp

Committed Access Rate:

CIR 10240 (kbps), CBS 640000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Interface: GigabitEthernet1/0/3

Direction: Inbound

Policy: rd_http

Classifier: rd_http

Operator: AND

Rule(s) :

If-match acl 3000

Behavior: rd_http

Committed Access Rate:

CIR 15360 (kbps), CBS 960000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Interface: GigabitEthernet1/0/4

Direction: Inbound

Policy: mkt_http

Classifier: mkt_http

Operator: AND

Rule(s) :

If-match acl 3001

Behavior: mkt_http

Committed Access Rate:

CIR 25600 (kbps), CBS 1600000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Configuration files

traffic classifier email operator and

if-match acl 3002

traffic classifier ftp operator and

if-match acl 2001

traffic classifier mkt_http operator and

if-match acl 3001

traffic classifier rd_http operator and

if-match acl 3000

traffic behavior email

car cir 2048 cbs 128000 ebs 0 green pass red discard yellow pass

traffic behavior ftp

car cir 10240 cbs 640000 ebs 0 green pass red discard yellow pass

traffic behavior mkt_http

car cir 25600 cbs 1600000 ebs 0 green pass red discard yellow pass

traffic behavior rd_http

car cir 15360 cbs 960000 ebs 0 green pass red discard yellow pass

qos policy email&ftp

classifier email behavior email

classifier ftp behavior ftp

qos policy mkt_http

classifier mkt_http behavior mkt_http

qos policy rd_http

classifier rd_http behavior rd_http

interface GigabitEthernet1/0/2

port link-mode bridge

qos apply policy email&ftp inbound

interface GigabitEthernet1/0/3

port link-mode bridge

qos apply policy rd_http inbound

interface GigabitEthernet1/0/4

port link-mode bridge

qos apply policy mkt_http inbound

acl basic 2001

rule 0 permit source 192.168.10.2 0

acl advanced 3000

rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www

acl advanced 3001

rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

acl advanced 3002

rule 0 permit tcp source 192.168.10.1 0 destination-port eq smtp

Example: Allocating bandwidth based on VLANs

Network configuration

As shown in Figure 2, the device aggregates traffic from the branches and transmits the traffic to the backbone network through a leased line. Each branch site assigns packets of different applications to different VLANs.

· Configure one-to-one VLAN mapping on the following interfaces of the device to re-map traffic of different applications to VLANs as per the transmission scheme on the backbone network:

¡ GigabitEthernet 1/0/1.

¡ GigabitEthernet 1/0/2.

· Configure traffic policing to allocate bandwidth to traffic from different VLANs, as shown in Table 1.

Table 1 Bandwidth allocation

XGE 1/0/1 and XGE 1/0/2 (uplink or downlink)			XGE 1/0/3 (uplink or downlink)			XGE 1/0/10 (uplink or downlink)
VLAN 1001	VLAN 1002	VLAN 1003	VLAN 201	VLAN 202	VLAN 203	VLAN 201	VLAN 202	VLAN 203
400 Mbps	200 Mbps	200 Mbps	400 Mbps	200 Mbps	200 Mbps	100 Mbps	60 Mbps	40 Mbps

Figure 2 Network diagram

Analysis

To meet the network requirements, you must perform the following tasks:

· Configure VLAN-based traffic classes.

· Configure per-VLAN traffic policing behaviors.

· Associate each class with its specific traffic behavior.

Applicable hardware and software versions

The following matrix shows the hardware and software versions to which this configuration example is applicable:

Hardware	Software version
S6812 switch series S6813 switch series	Release 66xx
S6550XE-HI switch series	Release 6008 and later
S6525XE-HI switch series	Release 6008 and later
S5850 switch series	Release 8005 and later
S5570S-EI switch series	Release 11xx
S5560X-EI switch series	Release 63xx, Release 65xx, Release 66xx
S5560X-HI switch series	Release 63xx, Release 65xx, Release 66xx
S5500V2-EI switch series	Release 63xx, Release 65xx, Release 66xx
MS4520V2-30F switch	Release 63xx, Release 65xx, Release 66xx
MS4520V2-30C switch MS4520V2-54C switch	Release 65xx, Release 66xx
MS4520V2-28S switch MS4520V2-24TP switch	Not supported
S6520X-HI switch series S6520X-EI switch series	Release 63xx, Release 65xx, Release 66xx
S6520X-SI switch series S6520-SI switch series	Release 63xx, Release 65xx, Release 66xx
S5000-EI switch series	Release 63xx, Release 65xx, Release 66xx
MS4600 switch series	Release 63xx, Release 65xx, Release 66xx
ES5500 switch series	Release 63xx, Release 65xx, Release 66xx
S5560S-EI switch series S5560S-SI switch series	Not supported
S5500V3-24P-SI S5500V3-48P-SI	Not supported
S5500V3-SI switch series (except S5500V3-24P-SI and S5500V3-48P-SI)	Release 11xx
S5170-EI switch series	Release 11xx
S5130S-HI switch series S5130S-EI switch series S5130S-SI switch series S5130S-LI switch series	Not supported
S5120V2-SI switch series S5120V2-LI switch series	Not supported
S5120V3-EI switch series	Release 11xx
S5120V3-36F-SI S5120V3-28P-HPWR-SI S5120V3-54P-PWR-SI	Release 11xx
S5120V3-SI switch series (except S5120V3-36F-SI, S5120V3-28P-HPWR-SI, and S5120V3-54P-PWR-SI)	Not supported
S5120V3-LI switch series	Not supported
S3600V3-EI switch series	Release 11xx
S3600V3-SI switch series	Release 11xx
S3100V3-EI switch series S3100V3-SI switch series	Not supported
S5110V2 switch series	Not supported
S5110V2-SI switch series	Not supported
S5000V3-EI switch series S5000V5-EI switch series	Not supported
S5000E-X switch series S5000X-EI switch series	Not supported
E128C switch E152C switch E500C switch series E500D switch series	Not supported
MS4320V2 switch series MS4320V3 switch series MS4300V2 switch series MS4320 switch series MS4200 switch series	Not supported
WS5850-WiNet switch series	Not supported
WS5820-WiNet switch series WS5810-WiNet switch series	Not supported
WAS6000 switch series	Not supported
IE4300-12P-AC switch IE4300-12P-PWR switch IE4300-M switch series IE4320 switch series	Not supported

Procedures

Configuring VLAN settings

1. Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as follows:

¡ Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports.

¡ Assign them to VLANs 1001 through 1003 and VLANs 201 through 203.

¡ Remove them from VLAN 1.

¡ Configure one-to-one VLAN mappings on the two interfaces.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] port link-type trunk

[Device-GigabitEthernet1/0/1] port trunk permit vlan 1001 to 1003 201 to 203

[Device-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Device-GigabitEthernet1/0/1] vlan mapping 1001 translated-vlan 201

[Device-GigabitEthernet1/0/1] vlan mapping 1002 translated-vlan 202

[Device-GigabitEthernet1/0/1] vlan mapping 1003 translated-vlan 203

[Device-GigabitEthernet1/0/1] quit

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] port link-type trunk

[Device-GigabitEthernet1/0/2] port trunk permit vlan 1001 to 1003 201 to 203

[Device-GigabitEthernet1/0/2] undo port trunk permit vlan 1

[Device-GigabitEthernet1/0/2] vlan mapping 1001 translated-vlan 201

[Device-GigabitEthernet1/0/2] vlan mapping 1002 translated-vlan 202

[Device-GigabitEthernet1/0/2] vlan mapping 1003 translated-vlan 203

[Device-GigabitEthernet1/0/2] quit

2. Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/10 as follows:

¡ Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/10 as trunk ports.

¡ Assign them to VLANs 201 through 203.

¡ Remove them from VLAN 1.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] port link-type trunk

[Device-GigabitEthernet1/0/3] port trunk permit vlan 201 to 203

[Device-GigabitEthernet1/0/3] undo port trunk permit vlan 1

[Device-GigabitEthernet1/0/3] quit

[Device] interface gigabitethernet 1/0/10

[Device-GigabitEthernet1/0/10] port link-type trunk

[Device-GigabitEthernet1/0/10] port trunk permit vlan 201 to 203

[Device-GigabitEthernet1/0/10] undo port trunk permit vlan 1

[Device-GigabitEthernet1/0/10] quit

Configuring traffic policing

1. Configure traffic policing for the traffic from and to branches:

# Create a class named vlan201, and configure CVLAN 201 as the match criterion.

[Device-classifier-vlan201] if-match customer-vlan-id 201

[Device-classifier-vlan201] quit

# Create a class named vlan202, and configure CVLAN 202 as the match criterion.

[Device] traffic classifier vlan202

[Device-classifier-vlan202] if-match customer-vlan-id 202

[Device-classifier-vlan202] quit

# Create a class named vlan203, and configure CVLAN 203 as the match criterion.

[Device] traffic classifier vlan203

[Device-classifier-vlan203] if-match customer-vlan-id 203

[Device-classifier-vlan203] quit

# Create a behavior named car400, and configure a CIR of 400 Mbps.

[Device] traffic behavior car400

[Device-behavior-car400] car cir 409600

[Device-behavior-car400] quit

# Create a behavior named car200, and configure a CIR of 200 Mbps.

[Device] traffic behavior car200

[Device-behavior-car200] car cir 204800

[Device-behavior-car200] quit

# Create a QoS policy named ABCupdown, and associate the classes with the behaviors.

[Device] qos policy ABCupdown

[Device-qospolicy-ABCupdown] classifier vlan201 behavior car400

[Device-qospolicy-ABCupdown] classifier vlan202 behavior car200

[Device-qospolicy-ABCupdown] classifier vlan203 behavior car200

[Device-qospolicy-ABCupdown] quit

# Apply the QoS policy to both directions of GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy ABCupdown inbound

[Device-GigabitEthernet1/0/1] qos apply policy ABCupdown outbound

[Device-GigabitEthernet1/0/1] quit

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] qos apply policy ABCupdown inbound

[Device-GigabitEthernet1/0/2] qos apply policy ABCupdown outbound

[Device-GigabitEthernet1/0/2] quit

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] qos apply policy ABCupdown inbound

[Device-GigabitEthernet1/0/3] qos apply policy ABCupdown outbound

[Device-GigabitEthernet1/0/3] quit

2. Configure traffic policing for the traffic from and to the backbone network:

# Create a behavior named car100, and configure a CIR of 100 Mbps.

[Device] traffic behavior car100

[Device-behavior-car100] car cir 102400

[Device-behavior-car100] quit

# Create a behavior named car60, and configure a CIR of 60 Mbps.

[Device] traffic behavior car60

[Device-behavior-car60] car cir 61440

[Device-behavior-car60] quit

# Create a behavior named car40, and configure a CIR of 40 Mbps.

[Device] traffic behavior car40

[Device-behavior-car40] car cir 40960

[Device-behavior-car40] quit

# Create a QoS policy named BONEupdown, and associate the classes with the behaviors.

[Device] qos policy BONEupdown

[Device-qospolicy-BONEupdown] classifier vlan201 behavior car100

[Device-qospolicy-BONEupdown] classifier vlan202 behavior car60

[Device-qospolicy-BONEupdown] classifier vlan203 behavior car40

[Device-qospolicy-BONEupdown] quit

# Apply the QoS policy to both directions of GigabitEthernet 1/0/10.

[Device] interface gigabitethernet 1/0/10

[Device-GigabitEthernet1/0/10] qos apply policy BONEupdown inbound

[Device-GigabitEthernet1/0/10] qos apply policy BONEupdown outbound

[Device-GigabitEthernet1/0/10] quit

Figure 3 shows how the switches process the uplink traffic from a branch to the backbone network. The figure uses VLAN 1001 as an example.

Figure 3 Uplink traffic processing

Figure 4 shows how the switches process the downlink traffic from the backbone network to a branch. The figure uses VLAN 201 as an example.

Figure 4 Downlink traffic processing

Verifying the configuration

Verify the configuration on any interface, for example, GigabitEthernet 1/0/10.

# Verify QoS policies applied to interface GigabitEthernet 1/0/10.

[Device] display qos policy interface gigabitethernet 1/0/10

Interface: GigabitEthernet1/0/10

Direction: Inbound

Policy: BONEupdown

Classifier: vlan201

Operator: AND

Rule(s) :

If-match customer-vlan-id 201

Behavior: car100

Committed Access Rate:

CIR 102400 (kbps), CBS 6400000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Classifier: vlan202

Operator: AND

Rule(s) :

If-match customer-vlan-id 202

Behavior: car60

Committed Access Rate:

CIR 61440 (kbps), CBS 3840000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Classifier: vlan203

Operator: AND

Rule(s) :

If-match customer-vlan-id 203

Behavior: car40

Committed Access Rate:

CIR 40960 (kbps), CBS 2560000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Interface: GigabitEthernet1/0/10

Direction: Outbound

Policy: BONEupdown

Classifier: vlan201

Operator: AND

Rule(s) :

If-match customer-vlan-id 201

Behavior: car100

Committed Access Rate:

CIR 102400 (kbps), CBS 6400000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Classifier: vlan202

Operator: AND

Rule(s) :

If-match customer-vlan-id 202

Behavior: car60

Committed Access Rate:

CIR 61440 (kbps), CBS 3840000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Classifier: vlan203

Operator: AND

Rule(s) :

If-match customer-vlan-id 203

Behavior: car40

Committed Access Rate:

CIR 40960 (kbps), CBS 2560000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets)

Red packets : 0 (Packets)

Configuration files

traffic classifier vlan201 operator and

if-match customer-vlan-id 201

traffic classifier vlan202 operator and

if-match customer-vlan-id 202

traffic classifier vlan203 operator and

if-match customer-vlan-id 203

traffic behavior car40

car cir 40960 cbs 2560000 ebs 0 green pass red discard yellow pass

traffic behavior car60

car cir 61440 cbs 3840000 ebs 0 green pass red discard yellow pass

traffic behavior car100

car cir 102400 cbs 6400000 ebs 0 green pass red discard yellow pass

traffic behavior car200

car cir 204800 cbs 12800000 ebs 0 green pass red discard yellow pass

traffic behavior car400

car cir 409600 cbs 25600000 ebs 0 green pass red discard yellow pass

qos policy ABCupdown

classifier vlan201 behavior car400

classifier vlan202 behavior car200

classifier vlan203 behavior car200

qos policy BONEupdown

classifier vlan201 behavior car100

classifier vlan202 behavior car60

classifier vlan203 behavior car40

interface GigabitEthernet1/0/10

port link-type trunk

undo port trunk permit vlan 1

port trunk permit vlan 201 to 203

qos apply policy BONEupdown inbound

qos apply policy BONEupdown outbound

interface GigabitEthernet1/0/1

port link-type trunk

undo port trunk permit vlan 1

port trunk permit vlan 201 to 203 1001 to 1003

vlan mapping 1001 translated-vlan 201

vlan mapping 1002 translated-vlan 202

vlan mapping 1003 translated-vlan 203

qos apply policy ABCupdown inbound

qos apply policy ABCupdown outbound

interface GigabitEthernet1/0/2

port link-type trunk

undo port trunk permit vlan 1

port trunk permit vlan 201 to 203 1001 to 1003

vlan mapping 1001 translated-vlan 201

vlan mapping 1002 translated-vlan 202

vlan mapping 1003 translated-vlan 203

qos apply policy ABCupdown inbound

qos apply policy ABCupdown outbound

interface GigabitEthernet1/0/3

port link-type trunk

undo port trunk permit vlan 1

port trunk permit vlan 201 to 203

qos apply policy ABCupdown inbound

qos apply policy ABCupdown outbound

Example: Configuring aggregate CAR

Network configuration

As shown in Figure 5, the access layer devices add VLAN tags to the traffic from VLAN 10 and VLAN 100 before sending the traffic to the device.

Configure aggregate CAR on GigabitEthernet 1/0/1 to meet the following requirements:

· Limit the incoming traffic from VLAN 10 and VLAN 100 to 200 Mbps.

· Drop the excess traffic.

Figure 5 Network diagram

Applicable hardware and software versions

The following matrix shows the hardware and software versions to which this configuration example is applicable:

Hardware	Software version
S6812 switch series S6813 switch series	Release 66xx
S6550XE-HI switch series	Release 6008 and later
S6525XE-HI switch series	Release 6008 and later
S5850 switch series	Release 8005 and later
S5570S-EI switch series	Release 11xx
S5560X-EI switch series	Release 63xx, Release 65xx, Release 66xx
S5560X-HI switch series	Release 63xx, Release 65xx, Release 66xx
S5500V2-EI switch series	Release 63xx, Release 65xx, Release 66xx
MS4520V2-30F switch	Release 63xx, Release 65xx, Release 66xx
MS4520V2-30C switch MS4520V2-54C switch	Release 65xx, Release 66xx
MS4520V2-28S switch MS4520V2-24TP switch	Release 63xx
S6520X-HI switch series S6520X-EI switch series	Release 63xx, Release 65xx, Release 66xx
S6520X-SI switch series S6520-SI switch series	Release 63xx, Release 65xx, Release 66xx
S5000-EI switch series	Release 63xx, Release 65xx, Release 66xx
MS4600 switch series	Release 63xx, Release 65xx, Release 66xx
ES5500 switch series	Release 63xx, Release 65xx, Release 66xx
S5560S-EI switch series S5560S-SI switch series	Release 63xx
S5500V3-24P-SI S5500V3-48P-SI	Release 63xx
S5500V3-SI switch series (except S5500V3-24P-SI and S5500V3-48P-SI)	Release 11xx
S5170-EI switch series	Release 11xx
S5130S-HI switch series S5130S-EI switch series S5130S-SI switch series S5130S-LI switch series	Release 63xx
S5120V2-SI switch series S5120V2-LI switch series	Release 63xx
S5120V3-EI switch series	Release 11xx
S5120V3-36F-SI S5120V3-28P-HPWR-SI S5120V3-54P-PWR-SI	Release 11xx
S5120V3-SI switch series (except S5120V3-36F-SI, S5120V3-28P-HPWR-SI, and S5120V3-54P-PWR-SI)	Release 63xx
S5120V3-LI switch series	Release 63xx
S3600V3-EI switch series	Release 11xx
S3600V3-SI switch series	Release 11xx
S3100V3-EI switch series S3100V3-SI switch series	Release 63xx
S5110V2 switch series	Release 63xx
S5110V2-SI switch series	Release 63xx
S5000V3-EI switch series S5000V5-EI switch series	Release 63xx
S5000E-X switch series S5000X-EI switch series	Release 63xx
E128C switch E152C switch E500C switch series E500D switch series	Release 63xx
MS4320V2 switch series MS4320V3 switch series MS4300V2 switch series MS4320 switch series MS4200 switch series	Release 63xx
WS5850-WiNet switch series	Release 63xx
WS5820-WiNet switch series WS5810-WiNet switch series	Release 63xx
WAS6000 switch series	Release 63xx
IE4300-12P-AC switch IE4300-12P-PWR switch IE4300-M switch series IE4320 switch series	Release 63xx

The port link-mode command is not supported on the following switches and the port link-mode bridge command does not appear in their configuration files.

· S5130S-HI series.

· S5130S-EI series.

· S3100V3-EI series.

· E128C switch.

· E152C switch.

· E500C series.

· E500D series.

· IE4300-12P-AC switch

· IE4300-12P-PWR switch.

· IE4300-M series.

· IE4320 series.

Procedures

# Configure interface GigabitEthernet 1/0/1 as a trunk port.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] port link-type trunk

# Assign the interface to VLANs 10 and 100.

[Device-GigabitEthernet1/0/1] port trunk permit vlan 10 100

# Remove the interface from VLAN 1.

[Device-GigabitEthernet1/0/1] undo port trunk permit vlan 1

[Device-GigabitEthernet1/0/1] quit

# Create an aggregate CAR action.

[Device] qos car aggcar-1 aggregative cir 204800

# Create class 1, and use SVLAN ID 10 as the match criterion.

[Device] traffic classifier 1

[Device-classifier-1] if-match service-vlan-id 10

[Device-classifier-1] quit

# Create behavior 1, and reference the aggregate CAR action in the behavior.

[Device] traffic behavior 1

[Device-behavior-1] car name aggcar-1

[Device-behavior-1] quit

# Create class 2, and use SVLAN ID 100 as the match criterion.

[Device] traffic classifier 2

[Device-classifier-2] if-match service-vlan-id 100

[Device-classifier-2] quit

# Create behavior 2, and reference the aggregate CAR action in the behavior.

[Device] traffic behavior 2

[Device-behavior-2] car name aggcar-1

[Device-behavior-2] quit

# Create a QoS policy named car, and associate the classes with the behaviors in the QoS policy.

[Device] qos policy car

[Device-qospolicy-car] classifier 1 behavior 1

[Device-qospolicy-car] classifier 2 behavior 2

[Device-qospolicy-car] quit

# Apply the QoS policy car to the inbound direction of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy car inbound

Verifying the configuration

Verify the configuration on any interface, for example, GigabitEthernet 1/0/1.

# Verify QoS policies applied to interface GigabitEthernet 1/0/1.

[Device] display qos policy interface gigabitethernet 1/0/1

Interface: GigabitEthernet1/0/1

Direction: Inbound

Policy: car

Classifier: 1

Operator: AND

Rule(s) :

If-match service-vlan-id 10

Behavior: 1

Committed Access Rate:

Car name: aggcar-1

Classifier: 2

Operator: AND

Rule(s) :

If-match service-vlan-id 100

Behavior: 2

Committed Access Rate:

Car name: aggcar-1

Configuration files

qos car aggcar-1 aggregative cir 204800 cbs 12800000 ebs 0 green pass yellow pass red discard

traffic classifier 1 operator and

if-match service-vlan-id 10

traffic classifier 2 operator and

if-match service-vlan-id 100

traffic behavior 1

car name aggcar-1

traffic behavior 2

car name aggcar-1

qos policy car

classifier 1 behavior 1

classifier 2 behavior 2

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

undo port trunk permit vlan 1

port trunk permit vlan 10 100

qos apply policy car inbound

H3C Fixed Port Campus Switches Configuration Examples-6W103

Example: Policing traffic by IP address and protocol type

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us