H3C Access Controllers Application Rate Limiting Configuration Examples
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Introduction
The following information provides an example for configuring application rate limiting.
Prerequisites
The following information applies to Comware-based access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
Example: Configuring application rate limiting
Network configuration
As shown in Figure 1, the AC is connected to the Internet. Configure application rate limiting on the AC to finely manage and control applications.
Configure application rate limiting to meet the following requirements:
· Limit both the maximum uplink bandwidth and maximum downlink bandwidth to 30720 kbps for the clients accessing the iQiYiPPS application on the Internet.
· Guarantee both the uplink bandwidth of 30720 kbps and the downlink bandwidth of 30720 kbps for the clients accessing the FTP application on the Internet.
Restrictions and guidelines
· Use the actual serial ID of an AP to uniquely identify that AP.
· You must set the forwarding mode to centralized forwarding mode.
Procedures
Configuring the AC
Configuring basic AC functions
1. Configure interfaces on the AC:
# Create VLAN 100 and VLAN-interface 100. Assign an IP address to the VLAN interface. The AC will use this IP address to establish CAPWAP tunnels with APs.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.1.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 200. Assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 192.2.1.1 24
[AC-Vlan-interface200] quit
# Set the link type to trunk for interface GigabitEthernet 1/0/1 connecting the AC and the switch, and assign it to VLANs 100 and 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
2. Configure a wireless service:
# Create wireless service template 1 and enter its view.
[AC] wlan service-template 1
# Configure SSID service.
[AC-wlan-st-1] ssid service
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AC-wlan-st-1] akm mode psk
[AC-wlan-st-1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and RSN as the security IE.
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Enable the AC to forward client data traffic. If the AC forwards client data traffic by default, skip this step.
[AC-wlan-st-1] client forwarding-location ac
# Assign clients coming online through service template 1 to VLAN 200.
[AC-wlan-st-1] vlan 200
# Enable wireless service template 1.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
3. Configure the AP:
NOTE: In a large network, use AP groups to configure APs as a best practice.
# Create an AP named ap1, with model WA6320.
[AC] wlan ap ap1 model WA6320
# Set the serial ID to 219801A28N819CE0002T.
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
[AC-wlan-ap-ap1] quit
# Create an AP group named group1, and create an AP grouping rule by AP names to add AP ap1 to the AP group.
[AC] wlan ap-group group1
[AC-wlan-ap-group-group1] ap ap1
# Enter AP model view for WA6320 and then radio view of radio 1, and bind service template 1 to the radio.
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template 1
# Enable radio 1.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
# Enter radio view of radio 2, and bind service template 1 to the radio.
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template 1
# Enable radio 2.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
Configuring application rate limiting
1. Configure traffic profiles:
# Create a traffic profile named aiqiyi, and enter its view.
<AC> system-view
[AC] traffic-policy
[AC-traffic-policy] profile name aiqiyi
# Set the maximum bandwidth to 30720 kbps for both upstream and downstream traffic.
[AC-traffic-policy-profile-aiqiyi] bandwidth upstream maximum 30720
[AC-traffic-policy-profile-aiqiyi] bandwidth downstream maximum 30720
[AC-traffic-policy-profile-aiqiyi] quit
# Create a traffic profile named profileFTP, and enter its view.
[AC-traffic-policy] profile name profileFTP
# Set the guaranteed bandwidth to 30720 kbps for both upstream and downstream traffic.
[AC-traffic-policy-profile-profileFTP] bandwidth upstream guaranteed 30720
[AC-traffic-policy-profile-profileFTP] bandwidth downstream guaranteed 30720
[AC-traffic-policy-profile-profileFTP] quit
2. Configure traffic rules:
# Create a traffic rule named aiqiyi, and enter its view.
[AC-traffic-policy] rule name aiqiyi
# Configure the predefined application iQiYiPPS as a match criterion.
[AC-traffic-policy-rule-1-aiqiyi] application app iQiYiPPS
# Specify traffic profile aiqiyi for traffic rule aiqiyi.
[AC-traffic-policy-rule-1-aiqiyi] action qos profile aiqiyi
[AC-traffic-policy-rule-1-aiqiyi] quit
# Create a traffic rule named ruleFTP, and enter its view.
[AC-traffic-policy] rule name ruleFTP
# Configure the predefined application FTP as a match criterion.
[AC-traffic-policy-rule-2-ruleFTP] application app ftp
# Specify traffic profile profileFTP for traffic rule ruleFTP.
[AC-traffic-policy-rule-2-ruleFTP] action qos profile profileFTP
[AC-traffic-policy-rule-2-ruleFTP] quit
[AC-traffic-policy] quit
3. Configure application rate limiting criteria:
# Enter traffic policy view.
[AC] traffic-policy
# Enter the view of traffic rule aiqiyi.
[AC-traffic-policy] rule name aiqiyi
# Configure SSID service as a match criterion in traffic rule aiqiyi.
[AC-traffic-policy-rule-1-aiqiyi] wlan ssid service
# Configure AP ap1 as a match criterion in traffic rule aiqiyi.
[AC-traffic-policy-rule-1-aiqiyi] ap ap1
[AC-traffic-policy-rule-1-aiqiyi] quit
# Enter the view of traffic rule ruleFTP.
[AC-traffic-policy] rule name ruleFTP
# Configure SSID service as a match criterion in traffic rule ruleFTP.
[AC-traffic-policy-rule-2-ruleFTP] wlan ssid service
# Configure AP ap1 as a match criterion in traffic rule ruleFTP.
[AC-traffic-policy-rule-2-ruleFTP] ap ap1
[AC-traffic-policy-rule-2-ruleFTP] quit
[AC-traffic-policy] quit
Configuring the switch
1. Configure interfaces on the switch:
# Create VLANs 100 and 200 and the corresponding VLAN interfaces. Assign IP addresses to the VLAN interfaces. VLAN 100 is used for forwarding traffic in CAPWAP tunnels between the AC and APs, and VLAN 200 is used to forward wireless packets from clients.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 192.1.1.2 24
[Switch-Vlan-interface100] quit
[Switch] vlan 200
[Switch-vlan200] quit
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 192.2.1.2 24
[Switch-Vlan-interface200] quit
# Set the link type to trunk for interface GigabitEthernet 1/0/1 connecting the AC and the switch, and assign it to VLANs 100 and 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Set the link type to access for interface GigabitEthernet 1/0/2 connecting APs and the switch, and assign it to VLAN 100.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
2. Configure DHCP:
# Enable DHCP.
[Switch] dhcp enable
# Create a DHCP address pool named vlan100 for allocating addresses to APs. In the address pool, specify subnet 192.1.1.0/24 for dynamic address allocation, exclude addresses 192.1.1.1 and 192.1.1.2 from address allocation, and specify the gateway address as 192.1.1.1.
[Switch] dhcp server ip-pool vlan100
[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0
[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2
[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1
[Switch-dhcp-pool-vlan100] quit
# Create a DHCP address pool named vlan200 for allocating addresses to clients. In the address pool, specify subnet 192.2.1.0/24 for dynamic address allocation, exclude addresses 192.2.1.1 and 192.2.1.2 from address allocation, specify the DNS server address as needed, and specify the gateway address as 192.2.1.1.
[Switch] dhcp server ip-pool vlan200
[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0
[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2
[Switch-dhcp-pool-vlan200] dns-list 192.2.1.1
[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.1
[Switch-dhcp-pool-vlan200] quit
Verifying the configuration
Verify that the traffic of the iQiYiPPS application is rate-limited, and the traffic of the FTP application is guaranteed.
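The two bandwidth requirements can also be checked offline against a saved AC configuration. The following Python script is an added example, not part of the H3C document: it parses the traffic-policy block in the format shown under Configuration files and reports every requirement that the rule-to-profile bindings do not satisfy. The names REQUIRED, SAMPLE, parse_traffic_policy, and audit belong to this example, and case-insensitive profile-name matching is an assumption.

```python
import re

# Requirements of this example: application -> (bandwidth kind, kbps).
REQUIRED = {"iqiyipps": ("maximum", 30720), "ftp": ("guaranteed", 30720)}

# traffic-policy block from this page's AC configuration file (abridged).
SAMPLE = """traffic-policy
rule 3 name ruleFTP parent rule
action qos profile profileftp
application app ftp
rule 5 name aiqiyi
action qos profile aiqiyi
application app iQiYiPPS
profile name aiqiyi
bandwidth downstream maximum 30720
bandwidth upstream maximum 30720
profile name profileftp
bandwidth downstream guaranteed 30720
bandwidth upstream guaranteed 30720"""

def parse_traffic_policy(config):
    """Split the traffic-policy block into {rule: lines} and {profile: lines}."""
    m = re.search(r"^traffic-policy$(.*?)(?:^#|\Z)", config, re.M | re.S)
    rules, profiles, cur = {}, {}, None
    # Assumption: profile names match case-insensitively (profileFTP vs profileftp).
    for line in map(str.strip, (m.group(1) if m else "").splitlines()):
        if r := re.match(r"rule (?:\d+ )?name (\S+)", line):
            cur = rules.setdefault(r.group(1), [])
        elif p := re.match(r"profile name (\S+)", line):
            cur = profiles.setdefault(p.group(1).lower(), [])
        elif cur is not None:
            cur.append(line)
    return rules, profiles

def audit(config):
    """Return findings; an empty list means both requirements are met."""
    rules, profiles = parse_traffic_policy(config)
    by_app, findings = {}, []
    for name, body in rules.items():
        f = dict(re.findall(r"^(application app|action qos profile) (\S+)$",
                            "\n".join(body), re.M))
        app, prof = f.get("application app", ""), f.get("action qos profile", "")
        by_app[app.lower()] = (name, prof.lower())
    for app, (kind, kbps) in REQUIRED.items():
        name, prof = by_app.get(app, ("<none>", None))
        # A missing rule or undefined profile satisfies nothing.
        findings += [f"{app}: rule {name} lacks {d} {kind} {kbps} kbps"
                     for d in ("upstream", "downstream")
                     if f"bandwidth {d} {kind} {kbps}" not in profiles.get(prof, [])]
    return findings
```

Pass the full text of a saved configuration to audit(); lines outside the traffic-policy block are ignored.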
Configuration files
· AC:
#
vlan 100
#
vlan 200
#
wlan service-template 1
ssid service
vlan 200
akm mode psk
preshared-key pass-phrase cipher $c$3$29gn1DalRVhkcyZ1CKwevH+xb6Lxopy3eq/H
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface100
ip address 192.1.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 192.2.1.1 255.255.255.0
#
wlan ap ap1 model WA6320
serial-id 219801A28N819CE0002T
#
wlan ap-group group1
vlan 1
ap ap1
ap-model WA6320
radio 1
radio enable
service-template 1
radio 2
radio enable
service-template 1
gigabitethernet 1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
wlan ap ap1 model WA4320-ACN-B
serial-id 210235A1PRC183000006
radio 1
radio enable
service-template 1
radio 2
radio enable
service-template 1
#
traffic-policy
rule 3 name ruleFTP parent rule
action qos profile profileftp
application app ftp
wlan ssid service
ap ap1
rule 5 name aiqiyi
action qos profile aiqiyi
application app iQiYiPPS
wlan ssid service
ap ap1
profile name aiqiyi
bandwidth downstream maximum 30720
bandwidth upstream maximum 30720
profile name profileftp
bandwidth downstream guaranteed 30720
bandwidth upstream guaranteed 30720
· Switch:
#
dhcp enable
#
vlan 100
#
vlan 200
#
interface Vlan-interface100
ip address 192.1.1.2 255.255.255.0
#
interface Vlan-interface200
ip address 192.2.1.2 255.255.255.0
#
dhcp server ip-pool vlan100
network 192.1.1.0 mask 255.255.255.0
forbidden-ip 192.1.1.1 192.1.1.2
gateway-list 192.1.1.1
#
dhcp server ip-pool vlan200
gateway-list 192.2.1.1
network 192.2.1.0 mask 255.255.255.0
forbidden-ip 192.2.1.1 192.2.1.2
dns-list 192.2.1.1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/2
port link-type access
port access vlan 100
poe enable
Related documentation
· Bandwidth Management Configuration Guide in H3C Access Controllers Configuration Guides
· Bandwidth Management Command Reference in H3C Access Controllers Command References