H3C MSR1000[2600][3600] Routers Configuration Examples All-in-One-R9141-6W100

H3C Routers

Traffic Policing Configuration Examples

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides examples for configuring traffic policing.

A typical application of traffic policing is to monitor specific traffic entering a network and keep it within a reasonable range, or to "discipline" the excess traffic. This protects the network resources and the interests of the carrier.

Prerequisites

The following information applies to Comware 9-based routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of traffic policing.

Example: Configuring traffic policing

Network configuration

As shown in Figure 1, a company accesses the Internet over VPN. The uplink bandwidth is 60 Mbps. All endpoints use the device as the gateway. Configure traffic policing to limit traffic to the Internet as follows:

·     Limit HTTP traffic to the Internet to 40 Mbps (15 Mbps for 25 hosts in the R&D Dept and 25 Mbps for 40 hosts in the Marketing Dept).

·     Limit mail traffic from the mail server to 2 Mbps.

·     Limit the FTP traffic from the branch to 10 Mbps.

Figure 1 Network diagram

Analysis

To perform traffic policing on different traffic types, define traffic classes to match them. In this example, use ACLs to match packets of different protocols or types and associate different traffic classes with different traffic policing actions.

Software versions used

This configuration example was created and verified on Release 9141P16 of the MSR2630E-X1 router.

Procedures

1.     Assign IP addresses to interfaces:

# Assign an IP address to interface GigabitEthernet 0/0/1.

<Device> system-view

[Device] interface gigabitethernet 0/0/1

[Device-GigabitEthernet0/0/1] ip address 200.1.1.2 24

[Device-GigabitEthernet0/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

2.     Limit the uplink HTTP traffic from the R&D Dept:

# Create IPv4 advanced ACL 3000, and configure a rule to match the uplink HTTP traffic from the R&D Dept (traffic with destination TCP port 80).

[Device] acl number 3000

[Device-acl-ipv4-adv-3000] rule permit tcp destination-port eq 80 source 192.168.1.0 0.0.0.255

[Device-acl-ipv4-adv-3000] quit

# Create traffic class rd_http, and use ACL 3000 as a match criterion.

[Device] traffic classifier rd_http

[Device-classifier-rd_http] if-match acl 3000

[Device-classifier-rd_http] quit

# Create traffic behavior rd_http, and configure a traffic policing action with the CIR as 15 Mbps.

[Device] traffic behavior rd_http

[Device-behavior-rd_http] car cir 15360

[Device-behavior-rd_http] quit

# Create QoS policy rd_http, and associate the traffic class with the traffic behavior.

[Device] qos policy rd_http

[Device-qospolicy-rd_http] classifier rd_http behavior rd_http

[Device-qospolicy-rd_http] quit

# Apply QoS policy rd_http to the inbound direction of interface GigabitEthernet 0/0/3.

[Device] interface gigabitethernet 0/0/3

[Device-GigabitEthernet0/0/3] qos apply policy rd_http inbound

[Device-GigabitEthernet0/0/3] quit

3.     Limit the uplink HTTP traffic from the Marketing Dept:

# Create IPv4 advanced ACL 3001, and configure a rule to match the uplink HTTP traffic from the Marketing Dept.

[Device] acl number 3001

[Device-acl-ipv4-adv-3001] rule permit tcp destination-port eq 80 source 192.168.2.0 0.0.0.255

[Device-acl-ipv4-adv-3001] quit

# Create traffic class mkt_http, and use ACL 3001 as a match criterion.

[Device] traffic classifier mkt_http

[Device-classifier-mkt_http] if-match acl 3001

[Device-classifier-mkt_http] quit

# Create traffic behavior mkt_http, and configure a traffic policing action with the CIR as 25 Mbps.

[Device] traffic behavior mkt_http

[Device-behavior-mkt_http] car cir 25600

[Device-behavior-mkt_http] quit

# Create QoS policy mkt_http, and associate the traffic class with the traffic behavior.

[Device] qos policy mkt_http

[Device-qospolicy-mkt_http] classifier mkt_http behavior mkt_http

[Device-qospolicy-mkt_http] quit

# Apply QoS policy mkt_http to the inbound direction of interface GigabitEthernet 0/0/4.

[Device] interface gigabitethernet 0/0/4

[Device-GigabitEthernet0/0/4] qos apply policy mkt_http inbound

[Device-GigabitEthernet0/0/4] quit

4.     Limit the mail traffic from the mail server:

# Create IPv4 advanced ACL 3002, and configure a rule to match the mail traffic from the mail server.

[Device] acl number 3002

[Device-acl-ipv4-adv-3002] rule permit tcp destination-port eq smtp source 192.168.10.1 0.0.0.0

[Device-acl-ipv4-adv-3002] quit

# Create traffic class email, and use ACL 3002 as a match criterion.

[Device] traffic classifier email

[Device-classifier-email] if-match acl 3002

[Device-classifier-email] quit

# Create traffic behavior email, and configure a traffic policing action with the CIR as 2 Mbps.

[Device] traffic behavior email

[Device-behavior-email] car cir 2048

[Device-behavior-email] quit

# Create QoS policy email&ftp, and associate the traffic class with the traffic behavior.

[Device] qos policy email&ftp

[Device-qospolicy-email&ftp] classifier email behavior email

[Device-qospolicy-email&ftp] quit

5.     Limit the FTP traffic from the branch:

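# Create IPv4 basic ACL 2001, and configure a rule to match the FTP traffic from the branch by source address 192.168.10.2. A basic ACL matches on source address only, so the rule matches all traffic from that host.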

[Device] acl number 2001

[Device-acl-ipv4-basic-2001] rule permit source 192.168.10.2 0.0.0.0

[Device-acl-ipv4-basic-2001] quit

# Create traffic class ftp, and use ACL 2001 as a match criterion.

[Device] traffic classifier ftp

[Device-classifier-ftp] if-match acl 2001

[Device-classifier-ftp] quit

# Create traffic behavior ftp, and configure a traffic policing action with the CIR as 10 Mbps.

[Device] traffic behavior ftp

[Device-behavior-ftp] car cir 10240

[Device-behavior-ftp] quit

# Associate the traffic class with the traffic behavior in QoS policy email&ftp.

[Device] qos policy email&ftp

[Device-qospolicy-email&ftp] classifier ftp behavior ftp

[Device-qospolicy-email&ftp] quit

# Apply QoS policy email&ftp to the outbound direction of interface GigabitEthernet 0/0/1.

[Device] interface gigabitethernet 0/0/1

[Device-GigabitEthernet0/0/1] qos apply policy email&ftp outbound

[Device-GigabitEthernet0/0/1] quit
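The following Python model is an added example, not part of the H3C document. It shows how the policing action configured in the steps above treats traffic when modelled as a single-rate token bucket (EBS 0, green pass, red discard). The class and function names are illustrative, the packet stream is constructed, and the default CBS of 62.5 bytes per kbps of CIR is an assumption inferred from the CIR/CBS pairs in this page's verification output.

```python
# Added example (not H3C code): token-bucket model of "car cir <kbps>" with
# EBS 0, green pass, red discard, as in the behaviors configured above.

def default_cbs(cir_kbps):
    # Assumption inferred from this page's output: CBS = 62.5 bytes per kbps
    # of CIR (500 ms at CIR), e.g. CIR 2048 -> CBS 128000.
    return int(cir_kbps * 62.5)

class CarPolicer:
    def __init__(self, cir_kbps, cbs_bytes=None):
        self.rate = cir_kbps * 1000 / 8      # token fill rate in bytes/second
        self.cbs = default_cbs(cir_kbps) if cbs_bytes is None else cbs_bytes
        self.tokens = float(self.cbs)        # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Color a packet of `size` bytes arriving at time t (seconds)."""
        self.tokens = min(self.cbs, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return "green"                   # conforming: pass
        return "red"                         # exceeding: discard

def police(cir_kbps, offered_kbps, seconds, pkt_bytes=1500):
    """Feed a constructed constant-rate stream; return (green_bytes, red_bytes)."""
    p = CarPolicer(cir_kbps)
    interval = pkt_bytes * 8 / (offered_kbps * 1000)
    green = red = 0
    for i in range(int(seconds / interval)):
        if p.offer(i * interval, pkt_bytes) == "green":
            green += pkt_bytes
        else:
            red += pkt_bytes
    return green, red

if __name__ == "__main__":
    for offered in (1000, 2048, 4096):       # kbps offered to the email class
        g, r = police(2048, offered, seconds=10)
        print(offered, "kbps offered ->", g * 8 // 10000, "kbps passed,", r, "bytes dropped")
```

Because the bucket starts full, the first CBS bytes of a burst pass at line rate, so the rate measured over a short window can exceed the CIR.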

Verifying the configuration

# Use the display qos policy interface command to display information about QoS policies applied to interfaces.

[Device] display qos policy interface

 

Interface: GigabitEthernet0/0/1

 

  Direction: Outbound

 

  Policy: email&ftp

   Classifier: default-class

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: email

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3002

     Behavior: email

      Committed Access Rate:

        CIR 2048 (kbps), CBS 128000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets) 0 (Bytes)

        Yellow packets: 0 (Packets) 0 (Bytes)

        Red packets   : 0 (Packets) 0 (Bytes)

   Classifier: ftp

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 2001

     Behavior: ftp

      Committed Access Rate:

        CIR 10240 (kbps), CBS 640000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets) 0 (Bytes)

        Yellow packets: 0 (Packets) 0 (Bytes)

        Red packets   : 0 (Packets) 0 (Bytes)

 

Interface: GigabitEthernet0/0/3

 

  Direction: Inbound

 

  Policy: rd_http

   Classifier: default-class

     Matched : 313 (Packets) 29916 (Bytes)

     5-minute statistics:

      Forwarded: 0/719 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: rd_http

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3000

     Behavior: rd_http

      Committed Access Rate:

        CIR 15360 (kbps), CBS 960000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets) 0 (Bytes)

        Yellow packets: 0 (Packets) 0 (Bytes)

        Red packets   : 0 (Packets) 0 (Bytes)

 

Interface: GigabitEthernet0/0/4

 

  Direction: Inbound

 

  Policy: mkt_http

   Classifier: default-class

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match any

     Behavior: be

      -none-

   Classifier: mkt_http

     Matched : 0 (Packets) 0 (Bytes)

     5-minute statistics:

      Forwarded: 0/0 (pps/bps)

      Dropped  : 0/0 (pps/bps)

     Operator: AND

     Rule(s) :

      If-match acl 3001

     Behavior: mkt_http

      Committed Access Rate:

        CIR 25600 (kbps), CBS 1600000 (Bytes), EBS 0 (Bytes)

        Green action  : pass

        Yellow action : pass

        Red action    : discard

        Green packets : 0 (Packets) 0 (Bytes)

        Yellow packets: 0 (Packets) 0 (Bytes)

        Red packets   : 0 (Packets) 0 (Bytes)
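To track these counters over time rather than reading them by eye, the output can be parsed. The following Python is an added example, not part of the H3C document. The sample text is constructed in the layout shown above with made-up counters, and the function names and the 5% threshold are assumptions.

```python
import re

# Constructed sample in the layout of the output above; counters are made up.
SAMPLE = """\
Interface: GigabitEthernet0/0/1
  Direction: Outbound
  Policy: email&ftp
   Classifier: default-class
     Matched : 120 (Packets) 9000 (Bytes)
     Behavior: be
   Classifier: email
     Behavior: email
      Committed Access Rate:
        CIR 2048 (kbps), CBS 128000 (Bytes), EBS 0 (Bytes)
        Green packets : 4200 (Packets) 5880000 (Bytes)
        Yellow packets: 0 (Packets) 0 (Bytes)
        Red packets   : 800 (Packets) 1120000 (Bytes)
   Classifier: ftp
     Behavior: ftp
      Committed Access Rate:
        CIR 10240 (kbps), CBS 640000 (Bytes), EBS 0 (Bytes)
        Green packets : 0 (Packets) 0 (Bytes)
        Red packets   : 0 (Packets) 0 (Bytes)
"""

def parse_car(text):
    """Return one dict per classifier that carries a CAR action."""
    rows, ctx = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(Interface|Direction|Policy|Classifier): (\S+)", line):
            ctx[m[1].lower()] = m[2]         # remember where we are in the tree
        elif m := re.match(r"CIR (\d+) \(kbps\), CBS (\d+) \(Bytes\)", line):
            rows.append({**ctx, "cir_kbps": int(m[1]), "cbs": int(m[2]),
                         "green": 0, "yellow": 0, "red": 0})
        elif rows and (m := re.match(r"(Green|Yellow|Red) packets\s*: (\d+) \(Packets\)", line)):
            rows[-1][m[1].lower()] = int(m[2])
    return rows

def policed(rows, min_red_ratio=0.05):
    """(interface, direction, classifier, red share) where discards exceed the threshold."""
    out = []
    for r in rows:
        total = r["green"] + r["yellow"] + r["red"]
        if total and r["red"] / total > min_red_ratio:
            out.append((r["interface"], r["direction"], r["classifier"], round(r["red"] / total, 3)))
    return out
```

A sustained red share on a class means the traffic regularly exceeds its CIR, which is the signal to check whether the limit is too low or the source is misbehaving.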

Configuration files

#

traffic classifier email operator and

 if-match acl 3002

#

traffic classifier ftp operator and

 if-match acl 2001

#

traffic classifier mkt_http operator and

 if-match acl 3001

#

traffic classifier rd_http operator and

 if-match acl 3000

#

traffic behavior email

 car cir 2048 cbs 128000 ebs 0 green pass red discard yellow pass

#

traffic behavior ftp

 car cir 10240 cbs 640000 ebs 0 green pass red discard yellow pass

#

traffic behavior mkt_http

 car cir 25600 cbs 1600000 ebs 0 green pass red discard yellow pass

#

traffic behavior rd_http

 car cir 15360 cbs 960000 ebs 0 green pass red discard yellow pass

#

qos policy email&ftp

 classifier email behavior email

 classifier ftp behavior ftp

#

qos policy mkt_http

 classifier mkt_http behavior mkt_http

#

qos policy rd_http

 classifier rd_http behavior rd_http

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 200.1.1.2 255.255.255.0

 qos apply policy email&ftp outbound

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ip address 192.168.10.254 255.255.255.0

#

interface GigabitEthernet0/0/3

 port link-mode route

 combo enable copper

 ip address 192.168.1.1 255.255.255.0

 qos apply policy rd_http inbound

#

interface GigabitEthernet0/0/4

 port link-mode route

 combo enable copper

 ip address 192.168.2.1 255.255.255.0

 qos apply policy mkt_http inbound

#

acl number 2001

 rule 0 permit source 192.168.10.2 0

#

acl number 3000

 rule 0 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq www

#

acl number 3001

 rule 0 permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

#

acl number 3002

 rule 0 permit tcp source 192.168.10.1 0 destination-port eq smtp

Related documentation

·     ACL and QoS Configuration Guide in H3C MSR1000[2600][3600] Routers Configuration Guides(V9)

·     ACL and QoS Command Reference in H3C MSR1000[2600][3600] Routers Command References(V9)
