Login
- Table of Contents
-
- 04-Comware 7 CLI-based configuration examples (AC+fit AP deployment)
- 01-HTTPS Login Configuration Examples
- 02-SSH Configuration Examples
- 03-License Management Configuration Examples
- 04-AP Association with the AC at Layer 2 Configuration Examples
- 05-AP Association with the AC at Layer 2 (IPv6) Configuration Examples
- 06-Auto AP Configuration Examples
- 07-AP Association with the AC at Layer 3 Configuration Examples
- 08-AP Association with the AC at Layer 3 (IPv6) Configuration Examples
- 09-WEP Encryption Configuration Examples
- 100-Static Blacklist Configuration Examples
- 101-Client Quantity Control Configuration Examples
- 102-AP License Synchronization Configuration Examples
- 103-BLE Module iBeacon Transmission Configuration Examples
- 104-Medical RFID Tag Management Configuration Examples
- 105-iBeacon Management Configuration Examples
- 106-Mesh Link Establishment Between Fit APs Configuration Examples
- 107-Mesh Link Establishment Between a Fit AP and a Fat AP Configuration Examples
- 108-Auto-DFS and Auto-TPC Configuration Examples
- 109-AP Image Downloading Configuration Examples
- 10-PSK Encryption Configuration Examples
- 110-Dual-Uplink Interfaces Configuration Guide
- 111-H3C Comware AC Cloud-Managed AP Centralized Management Configuration Examples
- 112-Internal-to-External Access Through NAT Configuration Examples
- 113-Layer 2 Static Aggregation Configuration Examples
- 114-Layer 2 Multicast Configuration Examples
- 115-Static VLAN Allocation Configuration Examples
- 116-URL Redirection Configuration Examples
- 117-IPv6 URL Redirection Configuration Examples
- 11-WPA3-SAE PSK Encryption Configuration Examples
- 12-WLAN Access (IPv6) Configuration Examples
- 13-Policy-Based Forwarding with Dual Gateways Configuration Examples
- 14-Scheduled Configuration Deployment by AP Group Configuration Examples
- 15-Inter-AC Roaming with Static Client VLAN Allocation Configuration Examples
- 16-Service Template and Radio Binding Configuration Examples
- 17-Scheduled WLAN Access Services Configuration Examples
- 18-HTTPS-Based Local Portal Authentication Configuration Examples
- 19-Remote Portal Authentication Configuration Examples
- 20-Local Portal Authentication through LDAP Server Configuration Examples
- 21-Local Portal Auth and SSID-based Auth Page Pushing Configuration Examples
- 22-Local Portal MAC-Trigger Authentication Configuration Examples
- 23-Portal MAC-Trigger Authentication Configuration Examples
- 24-Local Forwarding Mode and Local Portal MAC-Trigger Auth Configuration Examples
- 25-Local Portal Authentication (IPv6) Configuration Examples
- 26-Local Portal Authentication through LDAP Server (IPv6) Configuration Examples
- 27-Remote Portal Authentication (IPv6) Configuration Examples
- 28-Portal MAC-Trigger Authentication (IPv6) Configuration Example
- 29-Remote Portal Authentication with User Profile Authorization Configuration Examples
- 30-WiFiDog Portal Authentication Configuration Examples
- 31-Portal Fail-Permit Configuration Examples
- 32-Local MAC Authentication Configuration Examples
- 33-Remote MAC Authentication Configuration Examples
- 34-Local Portal Authentication Configuration Examples
- 35-Transparent Auth Through Remote MAC and Portal Auth Configuration Examples
- 36-Remote AP, Remote Portal, and MAC-Trigger Authentication Configuration Examples
- 37-MAC Authentication with Guest VLAN Assignment Configuration Examples
- 38-MAC Authentication with Guest VLAN Assignment (IPv6) Configuration Examples
- 39-Local MAC-And-802.1X Authentication Configuration Examples
- 40-Local 802.1X Authentication Configuration Examples
- 41-Local RADIUS-Based 802.1X Authentication in EAP Relay Mode Configuration Examples
- 42-Remote 802.1X Authentication Configuration Examples
- 43-Remote 802.1X Authentication (IPv6) Configuration Examples
- 44-Remote 802.1X Authentication in WPA3-Enterprise Mode Configuration Examples
- 45-802.1X Auth with ACL Assignment Through IMC Server Configuration Examples
- 46-802.1X Auth with User Profile Assignment Through IMC Server Configuration Examples
- 47-EAD Authentication Configuration Examples
- 48-EAD Authentication (IPv6) Configuration Examples
- 49-Local Forwarding Mode and Local Portal Authentication Configuration Examples
- 50-Local Forwarding Mode Direct Portal Authentication Configuration Examples
- 51-Local Forwarding Mode Direct Portal Authentication (IPv6) Configuration Examples
- 52-Local Forwarding Configuration Examples
- 53-Wired Port Local Forwarding through Wireless Terminator Configuration Examples
- 54-Remote AP Configuration Examples
- 55-Downlink VLAN Management for Fit-Mode APs Configuration Examples
- 56-Downlink VLAN Management for Fit APs and Cloud APs Configuration Examples
- 57-WIPS Configuration Examples
- 58-WIPS Countermeasures Against All SSIDs Configuration Examples
- 59-IP Source Guard (IPv4) Configuration Examples
- 60-IP Source Guard (IPv6) Configuration Examples
- 61-IPS Configuration Examples
- 62-URL Filtering Configuration Examples
- 63-Anti-Virus Configuration Examples
- 64-Data Filtering Configuration Examples
- 65-File Filtering Configuration Examples
- 66-Application Audit and Management Configuration Examples
- 67-Application Rate Limiting Configuration Examples
- 68-IRF Setup with LACP MAD Configuration Examples
- 69-IRF Setup with ARP MAD Configuration Examples
- 70-IRF Setup with Members Not Directly Connected Configuration Examples
- 71-IRF Setup with Members in One Chassis Configuration Examples
- 72-IRF Setup with Members in Different Chassis Configuration Examples
- 73-Dual-Link Backup Configuration Examples
- 74-Remote 802.1X Auth on an AC Hierarchy Network with Dual-Link Backup Configuration Examples
- 75-Remote Portal Auth on an AC Hierarchy Network with Dual-Link Backup Configuration Examples
- 76-OAuth-Based Portal MAC-Trigger Auth on a Local-Forwarding Dual-Link Backup Configuration Examples
- 77-Dual-Link Backup OAuth-Based Portal Authentication in Local Forwarding Configuration Examples
- 78-Dual-Link Backup Remote Portal MAC-Trigger Authentication in Local Forwarding Configuration Examples
- 79-Dual-Link Backup Remote Portal and Transparent MAC Auth in Local Forwarding Configuration Examples
- 80-Dual-Link Backup Remote Portal Authentication in Local Forwarding Configuration Examples
- 81-Dual-Link Backup Remote Portal and Transparent MAC Auth in Centralized Forwarding Configuration Examples
- 82-Dual-Link Backup Remote Portal Authentication in Centralized Forwarding Configuration Examples
- 83-Dual-Link Backup Lightweight Portal Authentication in Centralized Forwarding Configuration Examples
- 84-Dual-Link Backup OAuth-Based Portal Authentication in Centralized Forwarding Configuration Examples
- 85-Dual-Link Backup Remote Portal MAC-Trigger Auth in Centralized Forwarding Configuration Examples
- 86-Remote 802.1X Authentication on a Dual-Link AC Backup Network Configuration Examples
- 87-Remote MAC Authentication on a Dual-Link AC Backup Network Configuration Examples
- 88-AC Hierarchy Configuration Examples
- 89-Remote 802.1X Auth (Local AC Auth+AC Forwardering) Configuration Examples
- 90-Remote 802.1X Auth (Central AC Auth+AP Forwarding) Configuration Examples
- 91-AC Hierarchy (IPv6) Configuration Examples
- 92-WLAN Probe Configuration Examples
- 93-Multicast Optimization Configuration Examples
- 94-Client Rate Limiting Configuration Examples
- 95-Inter-AC Roaming Configuration Examples
- 96-Inter-AC Roaming (IPv6) Configuration Examples
- 97-Inter-AC Roaming in Local Forwarding Mode Configuration Examples
- 98-H3C Access Controllers Cooperative Roaming for 802.11v Clients Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 67-Application Rate Limiting Configuration Examples | 100.89 KB |
|
H3C Access Controllers |
|
Application Rate Limiting |
|
Configuration Examples |
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Introduction
The following information provides an example for configuring application rate limiting.
Prerequisites
The following information applies to Comware-based access points. Procedures and information in the examples might be slightly different depending on the software or hardware version of the access points.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
Example: Configuring application rate limiting
Network configuration
As shown in Figure 1, the AC is connected to the Internet. Configure application rate limiting on the AC to finely manage and control applications.
Configure application rate limiting to meet the following requirements:
· Limit both the maximum uplink bandwidth and maximum downlink bandwidth to 30720 kbps for the clients accessing the iQiYiPPS application on the Internet.
· Guarantee both the uplink bandwidth of 30720 kbps and the downlink bandwidth of 30720 kbps for the clients accessing the FTP application on the Internet.
Restrictions and guidelines
· Use the actual serial ID of an AP to uniquely identify that AP.
· You must set the forwarding mode to centralized forwarding mode.
Procedures
Configuring the AC
Configuring basic AC functions
1. Configure interfaces on the AC:
# Create VLAN 100 and VLAN-interface 100. Assign an IP address to the VLAN interface. The AC will use this IP address to establish CAPWAP tunnels with APs.
<AC> system-view
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlan-interface 100
[AC-Vlan-interface100] ip address 192.1.1.1 24
[AC-Vlan-interface100] quit
# Create VLAN 200 and VLAN-interface 100. Assign an IP address to the VLAN interface. The AC will use VLAN 200 for client access.
[AC] vlan 200
[AC-vlan200] quit
[AC] interface vlan-interface 200
[AC-Vlan-interface200] ip address 192.2.1.1 24
[AC-Vlan-interface200] quit
# Set the link type to trunk for interface GigabitEthernet 1/0/1 connecting the AC and the switch, and assign it to VLANs 100 and 200.
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[AC-GigabitEthernet1/0/1] quit
2. Configure a wireless service:
# Create wireless service template 1 and enter its view.
[AC] wlan service-template 1
# Configure SSID service.
[AC-wlan-st-1] ssid service
# Configure the PSK AKM mode and the 12345678 plaintext key.
[AC-wlan-st-1] akm mode psk
[AC-wlan-st-1] preshared-key pass-phrase simple 12345678
# Configure CCMP as the cipher suite and RSN as the security IE.
[AC-wlan-st-1] cipher-suite ccmp
[AC-wlan-st-1] security-ie rsn
# Enable the AC to forward client data traffic. If the AC forwards client data traffic by default, skip this step.
[AC-wlan-st-1] client forwarding-location ac
# Assign clients coming online through service template 1 to VLAN 200.
[AC-wlan-st-1] vlan 200
# Enable wireless service template 1.
[AC-wlan-st-1] service-template enable
[AC-wlan-st-1] quit
3. Configure the AP:
|
|
NOTE: In a large network, use AP groups to configure APs as a best practice. |
# Create an AP named ap1, with model WA6320.
[AC] wlan ap ap1 model WA6320
# Set the serial ID to 219801A28N819CE0002T.
[AC-wlan-ap-ap1] serial-id 219801A28N819CE0002T
# Create an AP group named group1, and create an AP grouping rule by AP names to add AP ap1 to the AP group.
[AC-wlan-ap-group-group1] ap ap1
# Enter radio view of radio 1, and bind service template 1 to the radio.
[AC-wlan-ap-group-group1] ap-model WA6320
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 1
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] service-template 1
# Enable radio 1.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-1] quit
# Enter radio view of radio 2, and bind service template 1 to the radio.
[AC-wlan-ap-group-group1-ap-model-WA6320] radio 2
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] service-template 1
# Enable radio 2.
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] radio enable
[AC-wlan-ap-group-group1-ap-model-WA6320-radio-2] quit
Configure application rate limiting
1. Configure traffic profiles:
# Create a traffic profile named aiqiyi, and enter its view.
<AC> system-view
[AC] traffic-policy
[AC-traffic-policy] profile name aiqiyi
# Set the maximum bandwidth to 30720 kbps for both upstream and downstream traffic.
[AC-traffic-policy-profile-aiqiyi] bandwidth upstream maximum 30720
[AC-traffic-policy-profile-aiqiyi] bandwidth downstream maximum 30720
[AC-traffic-policy-profile-aiqiyi] quit
# Create a traffic profile named profileFTP, and enter its view.
[AC-traffic-policy] profile name profileFTP
# Set the guaranteed bandwidth to 30720 kbps for both upstream and downstream traffic.
[AC-traffic-policy-profile-profileFTP] bandwidth upstream guaranteed 30720
[AC-traffic-policy-profile-profileFTP] bandwidth downstream guaranteed 30720
[AC-traffic-policy-profile-profileFTP] quit
2. Configure traffic rules:
# Create a traffic rule named aiqiyi, and enter its view.
[AC-traffic-policy] rule name aiqiyi
# Configure the predefined application iQiYiPPS as a match criterion.
[AC-traffic-policy-rule-1-aiqiyi] application app iQiYiPPS
# Specify traffic profile aiqiyi for traffic rule aiqiyi.
[AC-traffic-policy-rule-1-aiqiyi] action qos profile aiqiyi
[AC-traffic-policy-rule-1-aiqiyi] quit
# Create a traffic rule named ruleFTP, and enter its view.
[AC-traffic-policy] rule name ruleFTP
# Configure the predefined application FTP as a match criterion.
[AC-traffic-policy-rule-2-ruleFTP] application app ftp
# Specify traffic profile profileFTP for traffic rule ruleFTP.
[AC-traffic-policy-rule-2-ruleFTP] action qos profile profileFTP
[AC-traffic-policy-rule-2-ruleFTP] quit
[AC-traffic-policy-rule-2] quit
3. Configure application rate limiting criteria:
# Enter traffic policy view.
[AC] traffic-policy
# Create a traffic rule named aiqiyi, and enter its view.
[AC-traffic-policy] rule name aiqiyi
# Configure SSID service as a match criterion in traffic rule aiqiyi.
[AC-traffic-policy-rule-1-aiqiyi] wlan ssid service
# Configure AP ap1 as a match criterion in traffic rule aiqiyi.
[AC-traffic-policy-rule-1-aiqiyi] ap ap1
[AC-traffic-policy-rule-1-aiqiyi] quit
# Create a traffic rule named ruleFTP, and enter its view.
[AC-traffic-policy] rule name ruleFTP
# Configure SSID service as a match criterion in traffic rule ruleFTP.
[AC-traffic-policy-rule-2-ruleFTP] wlan ssid service
# Configure AP ap1 as a match criterion in traffic rule ruleFTP.
[AC-traffic-policy-rule-2-ruleFTP] ap ap1
[AC-traffic-policy-rule-2-ruleFTP] quit
[AC-traffic-policy] quit
Configuring the switch
1. Configure interfaces on the switch:
# Create VLANs 100 and 200 and the corresponding VLAN interfaces. Assign IP addresses to the VLAN interfaces. VLAN 100 is used for forwarding traffic in CAPWAP tunnels between the AC and APs, and VLAN 200 is used to forward wireless packets from clients.
<Switch> system-view
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface vlan-interface 100
[Switch-Vlan-interface100] ip address 192.1.1.2 24
[Switch-Vlan-interface100] quit
[Switch] vlan 200
[Switch-vlan200] quit
[Switch] interface vlan-interface 200
[Switch-Vlan-interface200] ip address 192.2.1.2 24
[Switch-Vlan-interface200] quit
# Set the link type to trunk for interface GigabitEthernet 1/0/1 connecting the AC and the switch, and assign it to VLANs 100 and 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
# Set the link type to access for interface GigabitEthernet 1/0/2 connecting APs and the switch, and assign it to VLAN 100.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port access vlan 100
# Enable PoE.
[Switch-GigabitEthernet1/0/2] poe enable
[Switch-GigabitEthernet1/0/2] quit
2. Configure DHCP:
# Enable DHCP.
[Switch] dhcp enable
# Create a DHCP address pool named vlan100 for allocating addresses to APs. In the address pool, specify subnet 192.1.1.0/24 for dynamic address allocation, exclude addresses 192.1.1.1 and 192.1.1.2 from address allocation, and specify the gateway address as 192.1.1.1.
[Switch] dhcp server ip-pool vlan100
[Switch-dhcp-pool-vlan100] network 192.1.1.0 mask 255.255.255.0
[Switch-dhcp-pool-vlan100] forbidden-ip 192.1.1.1 192.1.1.2
[Switch-dhcp-pool-vlan100] gateway-list 192.1.1.1
[Switch-dhcp-pool-vlan100] quit
# Create a DHCP address pool named vlan200 for allocating addresses to clients. In the address pool, specify subnet 192.2.1.0/24 for dynamic address allocation, exclude addresses 192.2.1.1 and 192.2.1.2 from address allocation, specify the DNS server address as needed, and specify the gateway address as 192.1.1.1.
[Switch] dhcp server ip-pool vlan200
[Switch-dhcp-pool-vlan200] network 192.2.1.0 mask 255.255.255.0
[Switch-dhcp-pool-vlan200] forbidden-ip 192.2.1.1 192.2.1.2
[Switch-dhcp-pool-vlan200] dns-list 192.2.1.1
[Switch-dhcp-pool-vlan200] gateway-list 192.2.1.1
[Switch-dhcp-pool-vlan200] quit
Verifying the configuration
Verify that the traffic of the iQiYiPPS application is rate-limited, and the traffic of the FTP application is guaranteed.
Configuration files
· AC:
#
vlan 100
#
vlan 200
#
wlan service-template 1
ssid service
vlan 200
akm mode psk
preshared-key pass-phrase cipher $c$3$29gn1DalRVhkcyZ1CKwevH+xb6Lxopy3eq/H
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface Vlan-interface100
ip address 192.1.1.1 255.255.255.0
#
interface Vlan-interface200
ip address 192.2.1.1 255.255.255.0
#
wlan ap ap1 model WA6320
serial-id 219801A28N819CE0002T
#
wlan ap-group group1
vlan 1
ap ap1
ap-model WA6320
radio 1
radio enable
service-template 1
radio 2
radio enable
service-template 1
gigabitethernet 1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
wlan ap ap1 model WA4320-ACN-B
serial-id 210235A1PRC183000006
radio 1
radio enable
service-template 1
radio 2
radio enable
service-template 1
#
traffic-policy
rule 3 name ruleFTP parent rule
action qos profile profileftp
application app ftp
wlan ssid service
ap ap1
rule 5 name aiqiyi
action qos profile aiqiyi
application app iQiYiPPS
wlan ssid service
ap ap1
profile name aiqiyi
bandwidth downstream maximum 30720
bandwidth upstream maximum 30720
profile name profileftp
bandwidth downstream guaranteed 30720
bandwidth upstream guaranteed 30720
· Switch:
#
dhcp enable
#
vlan 100
#
vlan 200
#
interface Vlan-interface100
ip address 192.1.1.2 255.255.255.0
#
interface Vlan-interface200
ip address 192.2.1.2 255.255.255.0
#
dhcp server ip-pool vlan100
network 192.1.0.0 mask 255.255.255.0
forbidden-ip 192.1.1.1 192.1.1.2
gateway-list 192.1.1.1
#
dhcp server ip-pool vlan200
gateway-list 192.2.1.1
network 192.2.1.0 mask 255.255.255.0
forbidden-ip 192.2.1.1 192.2.1.2
dns-list 192.2.1.1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 100 200
#
interface GigabitEthernet1/0/2
port link-type access
port access vlan 100
poe enable
Related documentation
· Bandwidth Management Configuration Guide in H3C Access Controllers Configuration Guides
· Bandwidth Management Command Reference in H3C Access Controllers Command References
