H3 C S75 00E Seri es Eth ern et Swi t ch es A CL and Qo S Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100722-C-1.01 Product Version: Release 6605 and Later
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 1/112
H3C S7500E Series Ethernet Switches
ACL and QoS
Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 20100722-C-1.01
Product Version: Release 6605 and Later
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 2/112
Copyright © 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its l icensors
Al l Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , Aolynk, , H3Care, , TOP G, , IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, V
nG, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 3/112
Preface
The H3C S7500E documentation set includes 12 configuration guides, which describe the software
features for the H3C S7500E Series Ethernet Switches and guide you through the softwareconfiguration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
The ACL and QoS Configuration Guide describes fundamentals and configuration of ACL and QoS. It
describes how to create IPv4 ACL and IPv6 ACL, use QoS polices to control traffic, and configure
common QoS techniques such as traffic policing, traffic shaping, congestion management, and
congestion avoidance.
This preface includes:
Audience
Document Organization
Conventions
About the H3C S7500E Documentation Set
Obtaining Documentation
Documentation Feedback
Audience
This documentation is intended for:
Network planners Field technical support and servicing engineers
Network administrators working with the S7500E series
Document Organization
The ACL and QoS Configuration Guide comprises these parts:
ACL Configuration QoS OverviewQoS Configuration Approaches
Priority MappingConfiguration
Traffic Policing, Traffic
Shaping, and Line RateConfiguration
Congestion ManagementConfiguration Congestion Avoidance
Traffic FilteringConfiguration
Priority MarkingConfiguration
Traffic RedirectingConfiguration
Aggregation CARConfiguration
Class-Based AccountingConfiguration
QoS in an EPON System Appendix A DefaultPriority Mapping Tables
Appendix B Introductionto Packet Precedences
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 4/112
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
italic Italic text represents arguments that you replace with actual values.
[ ]Square brackets enclose syntax choices (keywords or arguments) that areoptional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars,from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by verticalbars, from which you select one or none.
{ x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated byvertical bars, from which you select at least one.
[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated byvertical bars, from which you may select multiple choices or none.
&<1-n>The argument or keyword and argument combination before the ampersand (&)sign can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
< > Button names are inside angle brackets. For example, click <OK>.
[ ]Window names, menu items, data table and field names are inside squarebrackets. For example, pop up the [New User] window.
/Multi-level menus are separated by forward slashes. For example,[File/Create/Folder].
Symbols
Convention Description
Means reader be careful. Improper operation may cause data loss or damage toequipment.
Means an action or information that needs special attention to ensuresuccessful configuration or good performance.
Means a complementary description.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 5/112
About the H3C S7500E Documentation Set
The H3C S7500E documentation set includes:
Category Documents Purposes
Marketing brochures Describe product specifications and benefits.
Technology white papersProvide an in-depth description of software featuresand technologies.
Product description andspecifications
Card datasheets Describe card specifications, features, and standards.
Installation guide Provides a complete guide to hardware installationand hardware specifications.
H3C N68 CabinetInstallation and RemodelIntroduction
Guides you through installing and remodeling H3CN68 cabinets.
H3C Pluggable SFP[SFP+][XFP] Transceiver
Modules InstallationGuide
Guides you through installing SFP/SFP+/XFP
transceiver modules.
H3C Mid-Range SeriesEthernet SwitchesPluggable ModulesManual
Describes the hot-swappable modules available forthe Mid-Range Series Ethernet Switches, theirexternal views, and specifications.
H3C PoE DIMM ModuleInstallation Guide
Describes how to install the DIMM(LSBM1POEDIMMH) for PoE master and slave powermanagement.
Hardware installation
Single PoE DIMMModule Installation Guide
Describes how to install the 24-port DIMM(LSQM1POEDIMMS0) for PoE power management.
Configuration guides Describe software features and configurationprocedures.
Command references Provide a quick reference to all available commands.Software configuration
Configuration examples Describe typical network scenarios and provideconfiguration examples and instructions.
Operations andmaintenance
Release notes
Provide information about the product release,including the version history, hardware and softwarecompatibility matrix, version upgrade information,technical support information, and software upgrading.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 6/112
Category Documents Purposes
H3CPSR320-A[PSR320-D]Power Module UserManual
Describes the appearance, specifications, LEDs, andinstallation and removal of the H3CPSR320-A/PSR320-D power module.
H3C
PSR650-A[PSR650-D]Power Module UserManual
Describes the appearance, specifications, LEDs, andinstallation and removal of the H3CPSR650-A/PSR650-D power module.
H3CPSR1400-A[PSR1400-D]Power Module UserManual
Describes the appearance, specifications, LEDs, andinstallation and removal of the H3CPSR1400-A/PSR1400-D power module.
H3C PSR2800-ACVPower Module UserManual
Describes the appearance, specifications, LEDs, andinstallation and removal of the H3C PSR2800-ACVpower module.
H3C PSR6000-ACVPower Module UserManual
Describes the appearance, specifications, LEDs, andinstallation and removal of the H3C PSR6000-ACVpower module.
H3C PWR-SPA PowerModule Adapter UserManual
Describes the functions and appearance of the H3CPWR-SPA power module adapter, and how to use itwith the PSR650 power module.
Power configuration
H3C S7500E PowerConfiguration Guide
Guides you to select power modules in various cases.
Optional cards Card manuals
The S7500E series Ethernet switches support variouscard models. Each model is provided with a cardmanual that describes:
The type, number, and transmission rate ofinterfaces
Applicable switches of the card Required software version
Pluggable modules supported by the card
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, and
software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with
the software version.
Documentation Feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 7/112
i
Table of Contents
1 ACL Configuration ·····································································································································1-1
ACL Overview ·········································································································································1-1
Introduction to ACL··························································································································1-1
Application of ACLs on the Switch ··································································································1-2
ACL Classification ···························································································································1-2
ACL Numbering and Naming ··········································································································1-3
Match Order·····································································································································1-3
ACL Rule Numbering Step ··············································································································1-4
Implementing Time-Based ACL Rules ····························································································1-5
IPv4 Fragments Filtering with ACLs································································································1-5
ACL Configuration Task List ···················································································································1-5
Configuring an ACL·································································································································1-6
Creating a Time Range ···················································································································1-6
Configuring a Basic ACL ·················································································································1-7
Configuring an Advanced ACL········································································································1-9
Configuring an Ethernet Frame Header ACL················································································1-12
Copying an ACL ····························································································································1-14
Displaying and Maintaining ACLs·········································································································1-15
ACL Configuration Examples················································································································1-15
IPv4 ACL Configuration Example··································································································1-15
IPv6 ACL Configuration Example··································································································1-17
2 QoS Overview ············································································································································2-1
Introduction to QoS ·································································································································2-1
Introduction to QoS Service Models ·······································································································2-1
Best-Effort Service Model················································································································2-1
IntServ Service Model ·····················································································································2-2
DiffServ Service Model····················································································································2-2
QoS Techniques Overview ·····················································································································2-2
Positions of the QoS Techniques in a Network···············································································2-3
3 QoS Configuration Approaches···············································································································3-1
QoS Configuration Approach Overview··································································································3-1
Non Policy-Based Configuration ·····································································································3-1
Policy-Based Configuration ·············································································································3-1
Configuring a QoS Policy························································································································3-1
Defining a Class ······························································································································3-2
Defining a Traffic Behavior ··············································································································3-5
Defining a Policy······························································································································3-5
Applying the QoS Policy··················································································································3-6
Displaying and Maintaining QoS Policies······················································································3-10
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 8/112
ii
4 Priority Mapping Configuration················································································································4-1
Priority Mapping Overview ······················································································································4-1
Introduction to Priority Mapping·······································································································4-1
Priority Mapping Tables···················································································································4-1
Priority Trust Mode on a Port ··········································································································4-2
Priority Mapping Procedure·············································································································4-2
Priority Mapping Configuration Tasks·····································································································4-4
Configuring Priority Mapping···················································································································4-5
Configuring a Priority Mapping Table······························································································4-5
Configuring the Priority Trust Mode on a Port·················································································4-5
Configuring the Port Priority of a Port······························································································4-6
Displaying and Maintaining Priority Mapping··························································································4-6
Priority Mapping Configuration Examples·······························································································4-7
Priority Mapping Table and Priority Marking Configuration Example··············································4-7
5 Traffic Policing, Traffic Shaping, and Line Rate Configuration ····························································5-1
Traffic Policing, Traffic Shaping, and Line Rate Overview······································································5-1
Traffic Evaluation and Token Buckets·····························································································5-1
Traffic Policing·································································································································5-2
Traffic Shaping ································································································································5-3
Line Rate ·········································································································································5-4
Configuring Traffic Policing ·····················································································································5-5
Configuration Procedure··················································································································5-5
Configuration Example ····················································································································5-6
Configuring GTS ·····································································································································5-7
Configuration Procedure··················································································································5-7
Configuration Example ····················································································································5-8
Configuring the Line Rate ·······················································································································5-8
Configuration Procedure··················································································································5-8
Configuration Example ····················································································································5-8
Displaying and Maintaining Traffic Policing, GTS, and Line Rate ··························································5-9
6 Congestion Management Configuration ·································································································6-1
Congestion Management Overview········································································································6-1
Causes, Impacts, and Countermeasures of Congestion·································································6-1
Congestion Management Policies···································································································6-2
Congestion Management Configuration Approaches·············································································6-4
Per-Queue Hardware Congestion Management ····················································································6-5
Configuring SP Queuing··················································································································6-5
Configure WRR Queuing·················································································································6-6
Configuring WFQ Queuing ··············································································································6-6
Configuring SP+WRR Queues········································································································6-8
Configuration Example ····················································································································6-8
Displaying and Maintaining Congestion Management············································································6-9
7 Congestion Avoidance······························································································································7-1
Congestion Avoidance Overview············································································································7-1
Introduction to WRED Configuration·······································································································7-2
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 9/112
iii
WRED Configuration Approaches···································································································7-2
Introduction to WRED Parameters··································································································7-2
Configuring WRED on an Interface·········································································································7-2
Configuration Procedure··················································································································7-2
Configuration Example ····················································································································7-3
Displaying and Maintaining WRED·········································································································7-3
8 Traffic Filtering Configuration··················································································································8-1
Traffic Filtering Overview ························································································································8-1
Configuring Traffic Filtering·····················································································································8-1
Support of Line Cards for the Traffic Filtering Function··········································································8-2
Traffic Filtering Configuration Example···································································································8-3
Traffic Filtering Configuration Example···························································································8-3
9 Priority Marking Conf iguration·················································································································9-1
Priority Marking Overview ·······················································································································9-1
Configuring Priority Marking····················································································································9-1
Support of Line Cards for Priority Marking······························································································9-3
Priority Marking Configuration Example··································································································9-5
Priority Marking Configuration Example··························································································9-5
QoS-Local-ID Marking Configuration Example ···············································································9-6
10 Traffic Redirect ing Conf iguration ········································································································10-1
Traffic Redirecting Overview·················································································································10-1
Configuring Traffic Redirecting ·············································································································10-1
Support of Line Cards for Traffic Redirecting ·······················································································10-2
11 Aggregation CAR Configuration ··········································································································11-1
Aggregation CAR Overview ··················································································································11-1
Referencing an Aggregation CAR in a Traffic Behavior ·······································································11-1
Configuration prerequisites ···········································································································11-1
Configuration procedure················································································································11-1
Displaying and Maintaining Aggregation CAR······················································································11-2
12 Class-Based Accounting Configuration······························································································12-1
Class-Based Accounting Overview·······································································································12-1
Configuring Class-Based Accounting ···································································································12-1
Displaying and Maintaining Traffic Accounting ·····················································································12-2
Class-Based Accounting Configuration Example ·················································································12-2
Class-Based Accounting Configuration Example··········································································12-2
13 QoS in an EPON System·······················································································································13-4
QoS in an EPON System······················································································································13-4
QoS Functions for Uplink Traffic ···································································································13-4
QoS Functions for Downlink Traffic·······························································································13-5
Configuring QoS in an EPON System ··································································································13-6
QoS Configuration Task List in an EPON System ········································································13-6
Configuring QoS at the OLT side ··································································································13-7
Configuring QoS at the ONU Side·······························································································13-10
Example for UNI Priority Remarking Configuration·····································································13-14
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 10/112
iv
14 Appendix A Default Priority Mapping Tables ·····················································································14-1
15 Appendix B Introduction to Packet Precedences ··············································································15-1
IP Precedence and DSCP Values ········································································································15-1
802.1p Priority·······································································································································15-2
EXP Values···········································································································································15-3
16 Index ·······················································································································································16-1
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 11/112
1-1
1 ACL Configuration
This chapter includes these sections:
ACL Overview
ACL Configuration Task List
Configuring an ACL
Creating a Time Range
Configuring a Basic ACL
Configuring an Advanced ACL
Configuring an Ethernet Frame Header ACL
Copying an ACL
Displaying and Maintaining ACLs
ACL Configuration Examples
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series can be connected together to form a distributed IRF device.If an S7500E series is not in any IRF, it operates as a distributed device; if the S7500E series is in
an IRF, it operates as a distributed IRF device. For introduction of IRF, see IRF Configuration
Guide.
ACL Overview
This section covers these topics:
Introduction to ACL
Application of ACLs on the Switch
ACL Classification
ACL Numbering and Naming
Match Order
Implementing Time-Based ACL Rules
IPv4 Fragments Filtering with ACLs
Introduction to ACL
As network scale and network traffic are increasingly growing, network security and bandwidth
allocation become more and more critical to network management. Packet filtering can be used to
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 12/112
1-2
efficiently prevent illegal users from accessing networks and to control network traffic and save
network resources. Access control lists (ACL) are often used to filter packets with configured matching
rules.
ACLs are sets of rules (or sets of permit or deny statements) that decide what packets can pass and
what should be rejected based on matching criteria such as source MAC address, destination MAC
address, source IP address, destination IP address, and port number.
Appl ication of ACLs on the Switch
The switch supports two ACL application modes:
Hardware-based application: An ACL is assigned to a piece of hardware. For example, an ACL
can be referenced by QoS for traffic classification. Note that when an ACL is referenced to
implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to
be taken on packets matching the ACL depend on the traffic behavior definition in QoS. For details
about traffic behavior, see QoS Configuration Approaches in ACL and QoS Configuration Guide.
Software-based application: An ACL is referenced by a piece of upper layer software. For
example, an ACL can be referenced to configure login user control behavior, thus controlling
Telnet, SNMP and Web users. Note that when an ACL is reference by the upper layer software,
actions to be taken on packets matching the ACL depend on those defined by the ACL rules. For
details about login user control, see User Login Control in Fundamentals Configuration Guide.
When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic
classification, the switch does not take action according to the traffic behavior definition on a
packet that does not match the ACL.
When an ACL is referenced by a piece of software to control Telnet, SNMP, and Web login users,
the switch denies all packets that do not match the ACL.
ACL Classi fication
ACLs fall into three categories, as shown in Table 1-1.
Table 1-1 ACL categories
Category ACL number IP version Match criteria
IPv4 Source IPv4 address
Basic ACLs 2000 to 2999
IPv6 Source IPv6 address
Advanced ACLs 3000 to 3999 IPv4
Source/destination IPv4 address, protocols
over IPv4, and other Layer 3 and Layer 4
header fields
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 13/112
1-3
Category ACL number IP version Match criteria
IPv6
Source/destination IPv6 address, protocols
over IPv6, and other Layer 3 and Layer 4
header fields
Ethernet frame
header ACLs4000 to 4999 IPv4 and IPv6
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority,
and link layer protocol type
ACL Numbering and Naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number for identification, and in addition, you can also assign the ACL a name for the ease of
identification. After creating an ACL with a name, you can neither rename it nor delete its name.For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4
basic or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for an
IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL and an IPv6 ACL the
same number and name.
Match Order
The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or
conflicting rules, the matching result and action to take depend on the rule order.
Two ACL match orders are available:
config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, check the rules and their order carefully.
auto: Sorts ACL rules in depth-first order, as described in Table 1-2. The depth-first order varies
with ACL categories.
Table 1-2 Sorting ACL rules in depth-first order
ACL category Depth-f irst rule sor ting procedures
IPv4 basic ACL
1) A rule configured with a VPN instance takes precedence.
2) A rule with more 0s in the source IP address wildcard mask takes precedence.
More 0s means a narrower IP address range.
3) A rule with a smaller ID takes precedence.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 14/112
1-4
ACL category Depth-f irst rule sor ting procedures
IPv4 advanced ACL
1) A rule configured with a VPN instance takes precedence.
2) A rule configured with a specific protocol is prior to a rule with the protocol type set
to IP. IP represents any protocol over IP.
3) A rule with more 0s in the source IP address wildcard mask takes precedence.More 0s means a narrower IP address range.
4) A rule with more 0s in the destination IP address wildcard mask takes
precedence.
5) A rule with a narrower TCP/UDP service port number range takes precedence.
6) A rule with a smaller ID takes precedence.
IPv6 basic ACL
1) A rule configured with a longer prefix for the source IP address takes precedence.
A longer prefix means a narrower IP address range.
2) A rule with a smaller ID takes precedence.
IPv6 advanced ACL
1) A rule configured with a specific protocol is prior to a rule with the protocol type set
to IP. IP represents any protocol over IPv6.
2) A rule configured with a longer prefix for the source IPv6 address has a higher
priority.
3) A rule configured with a longer prefix for the destination IPv6 address takes
precedence.
4) A rule with a narrower TCP/UDP service port number range takes precedence.
5) A rule with a smaller ID takes precedence.
Ethernet frame
header ACL
1) A rule with more 1s in the source MAC address mask takes precedence. More 1smeans a smaller MAC address.
2) A rule with more 1s in the destination MAC address mask takes precedence.
3) A rule with a smaller ID takes precedence.
A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent ‘do care’ bits, while the
1 bits represent 'don’t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an
IP address criterion, the IP address matches the criterion. All 'don’t care' bits are ignored. The 0s and
1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With
wildcard masks, you can create more granular match criteria than network masks.
ACL Rule Numbering Step
What is the ACL rule numbering s tep
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system numbers rules automatically. For
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 15/112
1-5
example, the default ACL rule numbering step is 5. If you do assign IDs to rules you are creating, they
are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert
between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are
matched in ascending order of rule ID.
Automat ic ru le number ing and re-numbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step
to the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule
will be numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five
rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be
renumbered 0, 2, 4, 6 and 8.
Likewise, after you restore the default step, ACL rules are renumbered in the default step. Assume that
there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the
rules are renumbered 0, 5, 15, and 15.
Implementing Time-Based ACL Rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
Two basic types of time range are available:
Periodic time range, which recurs periodically on a day or days of the week.
Absolute time range, which represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the
time range can take effect only after you define the time range.
IPv4 Fragments Filtering with ACLs
Traditional packet filtering matched only first fragments of IPv4 packets, and allowed all subsequent
non-first fragments to pass through. This mechanism resulted in security risks, because attackers may
fabricate non-first fragments to attack networks.
A rule defined with the fragment keyword applies to only IP fragments. Note that a rule defined with
the fragment keyword matches non-last IP fragments on an SA or EA Series LPUs while matching
non-first IP fragments on an SC, EB, or SD Series LPUs. For detailed information about types of LPUs,
see the installation manual.
ACL Configuration Task List
IPv4 configuration task list
Complete the following tasks to configure an IPv4 ACL:
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 16/112
1-6
Task Remarks
Creating a Time Range Optional
Configuring an IPv4 basic ACL
Configuring an IPv4 advanced ACL
Configuring an Ethernet Frame Header ACL
Copying an IPv4 ACL Optional
IPv6 ACL configuration task list
Complete the following tasks to configure an IPv6 ACL:
Task Remarks
Creating a Time Range Optional
Configuring an IPv6 basic ACL
Configuring an IPv6 Advanced ACL
Configuring an Ethernet Frame Header ACL
Copying an IPv6 ACL Optional
Configuring an ACL
Creating a Time Range
Follow these steps to create a time range:
To do… Use the command… Remarks
Enter system view system-view ––
Create a time range
time-range time-range-name
{ start-time to end-time days
[ from time1 date1 ] [ to time2
date2 ] | from time1 date1 [ to
time2 date2 ] | to time2 date2 }
Required
By default, no time range exists.
You may create time ranges identified with the same name. They are regarded as one time range
whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic
and absolute ones.
You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at
most and 12 absolute time ranges at most.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 17/112
1-7
Configuring a Basic ACL
Configur ing an IPv4 basic ACL
IPv4 basic ACLs match packets based on only source IP address.
Follow these steps to configure an IPv4 basic ACL:
To do… Use the command… Remarks
Enter system view system-view ––
Create an IPv4 basic ACL and
enter its view
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
Required
By default, no ACL exists.
IPv4 basic ACLs are numbered in
the range 2000 to 2999.
You can use the acl name
acl-name command to enter the
view of an existing named IPv4
ACL.
Configure a description for the
IPv4 basic ACLdescription text
Optional
By default, an IPv4 basic ACL has
no ACL description.
Set the rule numbering step step step-value Optional
5 by default.
Create or edit a rule
rule [ rule-id ] { deny | permit }
[ fragment | logging | source
{ sour-addr sour-wildcard | any } |
time-range time-range-name |
vpn-instance
vpn-instance-name ]*
Required
By default, an IPv4 basic ACL
does not contain any rule.
To create or edit multiple rules,
repeat this step.
Note that the logging and
vpn-instance keywords are not
supported if the ACL is to be
referenced by a QoS policy for
traffic classification.
Configure or edit a rule description rule rule-id comment text
Optional
By default, an IPv4 ACL rule has
no rule description.
Note that:
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 18/112
1-8
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an ACL with the acl number acl-number [ name acl-name ]
match-order { auto | config } command but only when it does not contain any rules.
Configur ing an IPv6 basic ACL
Follow these steps to configure an IPv6 basic ACL:
To do… Use the command… Remarks
Enter system view system-view ––
Create an IPv6 basic ACL view
and enter its view
acl ipv6 number acl6-number
[ name acl6-name ] [ match-order
{ auto | config } ]
Required
By default, no ACL exists.
IPv6 basic ACLs are numbered in
the range 2000 to 2999.
You can use the acl ipv6 name
acl6-name command to enter the
view of an existing named IPv6
ACL.
Configure a description for the
IPv6 basic ACLdescription text
Optional
By default, an IPv6 basic ACL has
no ACL description.
Set the rule numbering step step step-value Optional
5 by default
Create or edit a rule
rule [ rule-id ] { deny | permit }
[ fragment | logging | source
{ ipv6-address prefix-length |
ipv6-address/prefix-length | any } |
time-range time-range-name ]*
Required
By default, an IPv6 basic ACL
does not contain any rule.
To create or edit multiple rules,
repeat this step.
Note that the logging and
fragment keywords are not
supported if the ACL is to be
referenced by a QoS policy for
traffic classification.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 19/112
1-9
To do… Use the command… Remarks
Configure or edit a rule description rule rule-id comment text
Optional
By default, an IPv6 basic ACL rule
has no rule description.
Note that:
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name
acl6-name ] match-order { auto | config } command but only when it does not contain any rules.
Configuring an Advanced ACL
Configur ing an IPv4 advanced ACL IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP,
and other protocol header information, such as TCP/UDP source and destination port numbers, TCP
flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service
(ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
To do… Use the command… Remarks
Enter system view system-view ––
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 20/112
1-10
To do… Use the command… Remarks
Create an IPv4 advanced ACL and
enter its view
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
Required
By default, no ACL exists.
IPv4 advanced ACLs are
numbered in the range 3000 to
3999.
You can use the acl name
acl-name command to enter the
view of an existing named IPv4
ACL.
Configure a description for the
IPv4 advanced ACLdescription text
Optional
By default, an IPv4 advanced ACL
has no ACL description.
Set the rule numbering step step step-value Optional
5 by default.
Create or edit a rule
rule [ rule-id ] { deny | permit }
protocol [ { established | { ack
ack-value | fin fin-value | psh
psh-value | rst rst-value | syn
syn-value | urg urg-value } * } |
destination { dest-addr
dest-wildcard | any } |
destination-port operator port1
[ port2 ] | dscp dscp | fragment |
icmp-type { icmp-type icmp-code |
icmp-message } | logging |
precedence precedence |
reflective | source { sour-addr
sour-wildcard | any } | source-port
operator port1 [ port2 ] |
time-range time-range-name | tos
tos | vpn-instance
vpn-instance-name ] *
Required
By default, an IPv4 advanced ACL
does not contain any rule.
To create or edit multiple rules,
repeat this step.
Note that if the ACL is to be
referenced by a QoS policy for
traffic classification, the logging ,
reflective and vpn-instance
keywords are not supported and
the operator argument cannot be:
neq , if the policy is for the
inbound traffic,
gt , lt , neq or range, if the
policy is for the outbound
traffic.
Configure or edit a rule description rule rule-id comment text
Optional
By default, an IPv4 ACL rule has
no rule description.
Note that:
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 21/112
1-11
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an ACL with the acl number acl-number [ name acl-name ]
match-order { auto | config } command but only when it does not contain any rules.
Configur ing an IPv6 Advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,
protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,
TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
To do… Use the command… Remarks
Enter system view system-view ––
Create an IPv6 advanced ACL
and enter its view
acl ipv6 number acl6-number [ name
acl6-name ] [ match-order { auto |
config } ]
Required
By default, no ACL exists.
IPv6 advanced ACLs are
numbered in the range 3000 to
3999.
You can use the acl ipv6 name
acl6-name command to enter
the view of an existing named
IPv6 ACL.
Configure a description for the
IPv6 advanced ACLdescription text
Optional
By default, an IPv6 advanced
ACL has no ACL description.
Set the rule numbering step step step-value Optional
5 by default.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 22/112
1-12
To do… Use the command… Remarks
Create or edit a rule
rule [ rule-id ] { deny | permit } protocol
[ { established | { ack ack-value | fin
fin-value | psh psh-value | rst rst-value |
syn syn-value | urg urg-value } * } |
destination { dest dest-prefix |
dest/dest-prefix | any } |
destination-port operator port1 [ port2 ]
| dscp dscp | fragment | icmpv6-type
{ icmpv6-type icmpv6-code |
icmpv6-message } | logging | source
{ source source-prefix |
source/source-prefix | any } |source-port operator port1 [ port2 ] |
time-range time-range-name ] *
Required
By default IPv6 advanced ACL
does not contain any rule.
To create or edit multiple rules,
repeat this step.
Note that if the ACL is to be
referenced by a QoS policy for
traffic classification, the logging
and fragment keywords are not
supported and the operator
argument cannot be:
neq , if the policy is for the
inbound traffic,
gt , lt , neq or range, if the
policy is for the outbound
traffic.
Configure or edit a rule
descriptionrule rule-id comment text
Optional
By default, an IPv6 ACL rule has
no rule description.
Note that:
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name
acl6-name ] match-order { auto | config } command but only when it does not contain any rules.
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol
header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 23/112
1-13
Follow these steps to configure an Ethernet frame header ACL:
To do… Use the command… Remarks
Enter system view system-view ––
Create an Ethernet frame header
ACL and enter its view
acl number acl-number [ name
acl-name ] [ match-order { auto |
config } ]
Required
By default, no ACL exists.
Ethernet frame header ACLs are
numbered in the range 4000 to
4999..
You can use the acl name
acl-name command to enter the
view of an existing named
Ethernet frame header ACL.
Configure a description for the
Ethernet frame header ACLdescription text
Optional
By default, an Ethernet frame
header ACL has no ACL
description.
Set the rule numbering step step step-value Optional
5 by default.
Create or edit a rule
rule [ rule-id ] { deny | permit }[ cos vlan-pri | dest-mac
dest-addr dest-mask | lsap
lsap-code lsap-wildcard |
source-mac sour-addr
source-mask | time-range
time-range-name | type type-code
type-wildcard ]*
Required
By default, an Ethernet frame
header ACL does not contain any
rule.
To create or edit multiple rules,
repeat this step.
Note that the lsap keyword is not
supported if the ACL is to be
referenced by a QoS policy for
traffic classification.
Configure or edit a rule description rule rule-id comment text
Optional
By default, an Ethernet frame
header ACL rule has no rule
description.
Note that:
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 24/112
1-14
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an ACL with the acl number acl-number [ name acl-name ]
match-order { auto | config } command but only when it does not contain any rules.
Copying an ACL
You can create an ACL by copying an existing ACL. The new ACL has the same properties and content
as the source ACL except the ACL number and name.
To copy an IPv4 or IPv6 ACL successfully, ensure that:
The destination ACL number is from the same category as the source ACL number.
The source IPv4 or IPv6 ACL already exits but the destination IPv4 or IPv6 ACL does not.
Copying an IPv4 ACL
Follow these steps to copy an IPv4 ACL:
To do… Use the command… Remarks
Enter system view system-view —
Copy an existing IPv4 ACL to
create a new IPv4 ACL
acl copy { source-acl-number |
name source-acl-name } to
{ dest-acl-number | name
dest-acl-name }
Required
Copying an IPv6 ACL
Follow these steps to copy an IPv6 ACL:
To do… Use the command… Remarks
Enter system view system-view —
Copy an existing IPv6 ACL to
generate a new one of the same
category
acl ipv6 copy
{ source-acl6-number | name
source-acl6-name } to
{ dest-acl6-number | name
dest-acl6-name }
Required
The generated ACL does not take the name of the source ACL.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 25/112
1-15
Displaying and Maintaining ACLs
To do... Use the command… Remarks
Display configuration and match
statistics for one or all IPv4 ACLs
(distributed device)
display acl { acl-number | all | name
acl-name } [ slot slot-number ] Available in any view
Display configuration and match
statistics for one or all IPv4 ACLs
(distributed IRF device)
display acl { acl-number | all | name
acl-name } [ chassis chassis-number slot
slot-number ]
Available in any view
Display configuration and match
statistics for one or all IPv6 ACLs
(distributed device)
display acl ipv6 { acl6-number | all |
name acl6-name } [ slot slot-number ] Available in any view
Display configuration and match
statistics for one or all IPv6 ACLs
(distributed IRF device)
display acl ipv6 { acl6-number | all |
name acl6-name } [ chassis
chassis-number slot slot-number ]
Available in any view
Display the usage of ACL
resources (distributed device)display acl resource [ slot slot-number ] Available in any view
Display the usage of ACL
resources (distributed IRF device)
display acl resource [ chassis
chassis-number slot slot-number ] Available in any view
Display the configuration and
status of one or all time ranges
display time-range { time-range-name |
all } Available in any view
Clear statistics on one or all IPv4
ACLs
reset acl counter { acl-number | all |
name acl-name } Available in user view
Clear statistics on one or all IPv6
basic and advanced ACLs
reset acl ipv6 counter { acl6-number | all
| name acl6-name } Available in user view
ACL Configuration Examples
IPv4 ACL Configuration Example
Network Requirements
As shown in Figure 1-1, a company interconnects its departments through the switch.
Configure an ACL to deny access of all departments but the President’s office to the salary query
server during office hours (from 8:00 to 18:00) in working days.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 26/112
1-16
Network Diagram
Figure 1-1 Network diagram for IPv4 ACL configuration
GE2/0/4GE2/0/1
GE2/0/2 GE2/0/3
192.168.1.0/24
192.168.4.1
Switch
R&D department192.168.2.0/24
Salary server
Marketing department192.168.3.0/24
President’s Office
Configuration Procedure
Create a time range for office hours
# Create a periodic time range spanning 8:00 to 18:00 in working days.
<Swi t ch> syst em- vi ew
[ Swi t ch] t i me- r ange t r name 8: 00 t o 18: 00 worki ng- day
Define an ACL to control access to the salary query server
# Configure a rule to control access of the R&D Department to the salary query server.[ Swi t ch] acl number 3000
[ Swi t ch- acl - adv- 3000] r ul e deny i p sour ce 192. 168. 2. 0 0. 0. 0. 255 desti nati on 192. 168. 4. 1
0. 0. 0. 0 t i me- r ange t r name
[ Swi t ch- acl - adv-3000] qui t
# Configure a rule to control access of the Marketing Department to the salary query server.
[ Swi t ch] acl number 3001
[ Swi t ch- acl - adv- 3001] r ul e deny i p sour ce 192. 168. 3. 0 0. 0. 0. 255 desti nati on 192. 168. 4. 1
0. 0. 0. 0 t i me- r ange t r name
[ Swi t ch- acl - adv-3001] qui t
Apply the IPv4 ACL# Configure class c_rd for packets matching IPv4 ACL 3000.
[Swi tch] t raf f i c c l assi f i er c_rd
[ Swi t ch- cl assi f i er - c_rd] i f - mat ch acl 3000
[Swi tch- cl assi f i er - c_rd] qui t
# Configure traffic behavior b_rd to deny matching packets.
[ Swi t ch] t r af f i c behavi or b_rd
[ Swi t ch- behavi or - b_rd] f i l t er deny
[ Swi t ch- behavi or - b_r d] qui t
# Configure class c_market for packets matching IPv4 ACL 3001.
[ Swi t ch] t raff i c cl assi f i er c_market[ Swi t ch- cl assi f i er - c_mar ket ] i f - mat ch acl 3001
[ Swi t ch- cl assi f i er - c_mar ket ] qui t
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 27/112
1-17
# Configure traffic behavior b_ market to deny matching packets.
[ Swi t ch] t r af f i c behavi or b_mar ket
[ Swi t ch- behavi or - b_mar ket ] f i l t er deny
[ Swi t ch- behavi or- b_market ] qui t
# Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd.
[ Swi t ch] qos pol i cy p_r d[ Swi t ch- qospol i cy- p_rd] cl assi f i er c_rd behavi or b_r d
[ Swi t ch- qospol i cy- p_rd] qui t
# Configure QoS policy p_market to use traffic behavior b_market for class c_market.
[ Swi t ch] qos pol i cy p_market
[ Swi t ch- qospol i cy- p_market ] cl assi f i er c_market behavi or b_mar ket
[ Swi t ch- qospol i cy- p_mar ket ] qui t
# Apply QoS policy p_rd to interface GigabitEthernet 2/0/2.
[ Swi t ch] i nt er f ace Gi gabi t Et her net 2/ 0/ 2
[ Swi t ch- Gi gabi t Et hernet 2/ 0/ 2] qos appl y pol i cy p_r d i nbound
[ Swi t ch- Gi gabi t Et her net 2/ 0/ 2] qui t# Apply QoS policy p_market to interface GigabitEthernet 2/0/3.
[ Swi t ch] i nt er f ace Gi gabi t Et her net 2/ 0/ 3
[ Swi t ch- Gi gabi t Et hernet 2/ 0/ 3] qos appl y pol i cy p_market i nbound
IPv6 ACL Configuration Example
Network Requirements
As shown in Figure 1-2, a company interconnects its departments through the switch.
Configure an ACL to deny access of the R&D department to external networks.
Network Diagram
Figure 1-2 Network diagram for IPv6 ACL configuration
Configuration Procedure
# Create an IPv6 ACL 2000.
<Swi t ch> syst em- vi ew
[ Swi t ch] acl i pv6 number 2000
[ Swi t ch- acl 6- basi c- 2000] r ul e deny sour ce 4050: : 9000/ 120
[ Swi t ch- acl 6- basi c- 2000] qui t
# Configure class c_rd for packets matching IPv6 ACL 2000.
[Swi tch] t raf f i c c l assi f i er c_rd
[ Swi t ch- cl assi f i er - c_rd] i f - mat ch acl i pv6 2000
[Swi tch- cl assi f i er - c_rd] qui t
# Configure traffic behavior b_rd to deny matching packets.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 28/112
1-18
[ Swi t ch] t r af f i c behavi or b_rd
[ Swi t ch- behavi or - b_rd] f i l t er deny
[ Swi t ch- behavi or - b_r d] qui t
# Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd.
[ Swi t ch] qos pol i cy p_r d
[ Swi t ch- qospol i cy- p_rd] cl assi f i er c_rd behavi or b_r d
[ Swi t ch- qospol i cy- p_rd] qui t
# Apply QoS policy p_rd to interface GigabitEthernet 2/0/1.
[ Swi t ch] i nt er f ace Gi gabi t Et her net 2/ 0/ 1
[ Swi t ch- Gi gabi t Et hernet 2/ 0/ 1] qos appl y pol i cy p_r d i nbound
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 29/112
2-1
2 QoS Overview
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series can be connected together to form a distributed IRF device. If
an S7500E series is not in any IRF, it operates as a distributed device; if the S7500E series is in an
IRF, it operates as a distributed IRF device. For introduction of IRF, see IRF Configuration Guide.
This chapter covers the following topics:
Introduction to QoS
Introduction to QoS Service Models
QoS Techniques Overview
Introduction to QoS
In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated
service guarantees for diversified traffic regarding bandwidth, delay, jitter, and drop rate.
The network resources are always scarce. Wherever there is contention for resources, there is the
demand for QoS to prioritize important traffic flows over trivial traffic flows. When making a QoS
scheme, a network administrator must plan network resources carefully considering the characteristics
of various applications to balance the interests of diversified users and fully utilize network resources.
The following part introduces the QoS service models, and some mature QoS techniques in wide use.
Appropriately using these techniques in specific environments, you can improve QoS effectively.
Introduction to QoS Service Models
This section covers three typical QoS service models: Best-effort service
Integrated service (IntServ)
Differentiated service (DiffServ)
Best-Effort Service Model
Best effort is a single service model and also the simplest service model. In the best effort service
model, the network delivers the packets at its best effort but does not guarantee delay or reliability.
The best-effort service model is the default model in the Internet and is applicable to most network
applications. It is implemented through FIFO queuing.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 30/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 31/112
2-3
Positions of the QoS Techniques in a Network
Figure 2-1 Positions of the QoS techniques in a network
As shown in Figure 2-1, traffic classification, traffic shaping, traffic policing, congestion management,
and congestion avoidance mainly implement the following functions:
Traffic classification uses certain match criteria to assign packets with the same characteristics to
a class. Based on classes, differentiated services can be provided. Traffic classification uses
certain match criteria to organize packets with different characteristics into different classes.
Traffic classification is the basis for providing differentiated services.
Traffic policing polices flows entering or leaving a device and can be applied in both inbound and
outbound directions of a port. When a flow exceeds the pre-set threshold, some restriction or
punishment measures can be taken to prevent overconsumption of network resources.
Traffic shaping proactively adapts the output rate of traffic to the network resources available on
the downstream device to eliminate packet drop and delay. Traffic shaping is usually applied in
the outbound direction of a port.
Congestion management provides a resource scheduling policy to arrange the forwarding
sequence of packets when congestion occurs. Congestion management is usually applied to the
outgoing traffic of a port.
Congestion avoidance monitors the usage status of network resources and is usually applied to
the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of
traffic by dropping packets.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 32/112
3-1
3 QoS Configuration Approaches
This chapter covers the following topics:
QoS Configuration Approach Overview
Configuring a QoS Policy
QoS Configuration Approach Overview
Two approaches are available for you to configure QoS: policy-based and non policy-based.
Some QoS features can be configured in either approach while some can be configured only in one
approach.
Non Policy-Based Configuration
In the non policy-based approach, you configure QoS service parameters without using a QoS policy.
For example, to rate limit an interface, you can use the line rate feature to directly configure a rate limit
on the interface rather than using a QoS policy.
Policy-Based Configuration
In the policy-based approach, QoS service parameters are configured through configuring QoS
policies. A QoS policy defines what QoS actions to take on what class of traffic for purposes such as
traffic shaping or traffic policing.
Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy.
Class
Classes are used to identify traffic.
A class is identified by a class name and contains match criteria for traffic identification. The
relationship between the criteria is AND or OR.
AND: A packet is considered as belonging to a class only when the packet matches all the criteria
in the class.
OR: A packet is considered as belonging to a class if it matches any of the criteria in the class.Traffic behavior
A traffic behavior defines a set of QoS actions to take on packets, such as priority marking and traffic
redirecting.
Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of
traffic.
You can configure multiple class-behavior associations in a policy.
Configuring a QoS Policy
Figure 3-1 shows how to configure a QoS policy.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 33/112
3-2
Figure 3-1 QoS policy configuration procedure
Defining a Class
To define a class, you need to specify a name for it and then configure match criteria in class view.
Follow these steps to define a class:
To do… Use the command… Remarks
Enter system view system-view —
Create a class and enter class
view
traffic classifier tcl-name
[ operator { and | or } ]
Required
By default, the relationship
between match criteria is AND.
Configure match criteria if-match match-criteria Required
match-criteria: Match criterion. Table 3-1 shows the available criteria.
Table 3-1 The keyword and argument combinations for the match-criteria argument
Keyword and argument combination Description
acl { access-list-number | name acl-name }
Specifies to match an IPv4 ACL specified by its
number or name. The access-list-number argument
specifies an ACL by its number, which ranges from
2000 to 4999; the name acl-name keyword-argument
combination specifies an ACL by its name.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 34/112
3-3
Keyword and argument combination Description
acl ipv6 { access-list-number | name acl-name }
Specifies to match an IPv6 ACL specified by its
number or name. The access-list-number argument
specifies an ACL by its number, which ranges from
2000 to 3999; the name acl-name keyword-argumentcombination specifies an ACL by its name.
anyMatches all packets (IPv6 packets are ignored on the
SC cards).
customer-dot1p 8021p-list
Matches the 802.1p priority of the customer network.
The 8021p-list argument is a list of up to eight 802.1p
priority values. An 802.1p priority is in the range 0 to
7.
customer-vlan-id vlan-id-list
Specifies to match the packets of specified VLANs ofuser networks. The vlan-id-list argument specifies a
list of VLAN IDs, in the form of vlan-id to vlan-id or
multiple discontinuous VLAN IDs (separated by
space). You can specify up to eight VLAN IDs for this
argument at a time. VLAN ID is in the range 1 to
4094.
destination-mac mac-address Matches a destination MAC address
dscp dscp-list
Matches DSCP values. The dscp-list is a list of up to
eight DSCP values. A DSCP value is a number in the
range of 0 to 63 or a word representing the specific
value. For the number-to-word mapping, see Table
15-2.
ip-precedence ip-precedence-list
Matches IP precedence. The ip-precedence-list is a
list of up to eight IP precedence values. An IP
precedence is in the range of 0 to 7.
protocol protocol-name Matches a protocol. The protocol-name can be IP or
IPv6.
qos-local-id local-id-value
Matches a local QoS ID, which is in the range of 1 to
4095. The local QoS IDs supported on the S7500E
series switches are from 1 to 3999.
service-dot1p 8021p-list
Matches the 802.1p priority of the service provider
network. The 8021p-list argument is a list of up to
eight 802.1p priority values. An 802.1p priority is in
the range 0 to 7.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 35/112
3-4
Keyword and argument combination Description
service-vlan-id vlan-id-list
Specifies to match the packets of the VLANs of the
operator’s network. The vlan-id-list argument is a list
of VLAN IDs, in the form of vlan-id to vlan-id or
multiple discontinuous VLAN IDs (separated byspace). You can specify up to eight VLAN IDs for this
argument at a time. VLAN ID is in the range of 1 to
4094.
source-mac mac-address Matches a source MAC address
system-index index-value-list
Matches a pre-defined match criterion (system-index)
for packets sent to the control plane. The
index-value-list argument specifies a list of up to eight
system indexes. The system index range is from 1 to
128.
Suppose the logical relationship between classification rules is and. Note the following when using the
if-match command to define matching rules.
If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the
actual logical relationship between these rules is or when the policy is applied.
If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are
defined in a class, the actual logical relationship between these rules is or .
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 36/112
3-5
The matching criteria listed below must be unique in a traffic class with the operator being AND.
Therefore, even though you can define multiple if-match clauses for these matching criteria or input
multiple values for a list argument (such as the 8021p-list argument) listed below in a traffic class,
avoid doing that. Otherwise, the QoS policy referencing the class cannot be applied to interfaces
successfully.
customer-dot1p 8021p-list
destination-mac mac-address
dscp dscp-list
ip-precedence ip-precedence-list
service-dot1p 8021p-list
source-mac mac-address
system-index index-value-list
To create multiple if-match clauses or specify multiple values for a list argument for any of the
matching criteria listed above, ensure that the operator of the class is OR.
Defining a Traffic Behavior
A traffic behavior is a set of QoS actions to take on a traffic class for purposes such as traffic filtering,
shaping, policing, priority marking. To define a traffic behavior, you must first create it and then
configure QoS actions such as priority marking and redirect in traffic behavior view.Follow these steps to define a traffic behavior:
To do… Use the command… Remarks
Enter system view system-view —
Create a traffic behavior and enter
traffic behavior view
traffic behavior behavior-name Required
Configure other actions in the
traffic behavior
See the subsequent sections depending on the purpose of the traffic
behavior: traffic policing, traffic filtering, traffic redirecting, priority
marking, traffic accounting and so on.
Defining a Policy
In a policy, you can define multiple class-behavior associations. A behavior is performed for the
associated class of packets. In this way, various QoS features can be implemented.
Follow these steps to associate a class with a behavior in a policy:
To do… Use the command… Remarks
Enter system view system-view —
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 37/112
3-6
To do… Use the command… Remarks
Create a policy and enter policy
view qos policy policy-name Required
Associate a class with a behavior
in the policy
classifier tcl-name behavior
behavior-name [ mode
dot1q-tag-manipulation ]
Required
Specify the
dot1q-tag-manipulation keyword
if the class-behavior association is
defined for VLAN mapping.
If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the
ACL are organized as a class and the behavior defined in the QoS policy applies to the class
regardless of whether the match mode of the if-match clause is deny or permit.
In a QoS policy with multiple class-to-traffic-behavior associations, if the action of creating an
outer VLAN tag, the action of setting customer network VLAN ID, or the action of setting service
provider network VLAN ID is configured in a traffic behavior, we recommend you not to configure
any other action in this traffic behavior. Otherwise, the QoS policy may not function as expected
after it is applied.
The do1q-tag-manipulation keyword is applicable to only many-to-one VLAN mapping
configuration. For information about many-to-one VLAN mapping, see VLAN Mapping
Configuration in the Layer 2 - LAN Switching Configuration Guide.
Applying the QoS Pol icy
You can apply a QoS policy to different occasions:
Applied to an interface, the policy takes effect on the traffic sent or received on the interface.
Applied to a user profile, the policy takes effect on the traffic sent or received by the online users
of the user profile.
Applied to a VLAN, the policy takes effect on the traffic sent or received on all ports in the VLAN.
Applied globally, the policy takes effect on the traffic sent or received on all ports.
Applied to the control plane, the policy takes effect on the traffic sent or received on the control
plane.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 38/112
3-7
You can modify classes, behaviors, and class-behavior associations in a QoS policy even after it
is applied.
The QoS policies applied to ports, VLANs, and the system globally have descending priorities. For
example, if a port and a VLAN carried on the port have both referenced a QoS policy for incoming
traffic, the one on the port is used to match traffic prior to the one for the VLAN.
Applying the QoS policy to an interface
A policy can be applied to multiple interfaces, but in one direction (inbound or outbound) of an interface
only one policy can be applied.
Follow these steps to apply the QoS policy to an interface:
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type
interface-number
Enter
interface
view or port
group view Enter port
group viewport-group manual port-group-name
Use either command
Settings in interface view take
effect on the current interface;
settings in port group view take
effect on all ports in the port group.
Apply the policy to the
interface/port group
qos apply policy policy-name
{ inbound | outbound } Required
The QoS policy applied to the outgoing traffic of a port does not regulate local packets, which are
critical protocol packets sent by the card that hosts the interface for maintaining the normal operation
of the device. The most common local packets include link maintenance packets, STP, LDP, and
RSVP packets.
Applying the QoS policy to online users
You can apply a QoS policy to multiple online users, but in one direction of each online user only one
policy can be applied. To modify a QoS policy already applied in a certain direction, remove the QoS
policy application first.
Follow these steps to apply the QoS policy to online users:
To do… Use the command… Remarks
Enter system view system-view —
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 39/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 40/112
3-9
QoS policies cannot be applied to dynamic VLANs, for example, VLANs created by GVRP.
Applying the QoS pol icy global ly
You can apply a QoS policy globally to the inbound or outbound direction of all ports.
Follow these steps to apply the QoS policy globally:
To do… Use the command… Remarks
Enter system view system-view —
Apply the QoS policy globally qos apply policy policy-name
global { inbound | outbound }Required
A QoS policy containing any of the nest, remark customer-vlan-id, and remark service-vlan-id
Actions cannot be applied globally.
Applying the QoS policy to the cont rol p lane
Packet processing units fit into the data plane and the control plane depending on their functions.
At the data plane are units responsible for receiving, transmitting, and switching (that is,
forwarding) packets, such as various dedicated forwarding chips. They deliver super processing
speeds and throughput.
At the control plane are processing units running most routing and switching protocols and
responsible for protocol packet resolution and calculation, such as CPUs. Compared with data
plane units, they allow for great packet processing flexibility but have lower throughput.
When the data plane receives packets that it cannot recognize or process, it transmits them to the
control plane. If the transmission rate exceeds the processing capability of the control plane, which
very likely occurs at times of DoS attacks, the control plane will be busy handling undesired packets
and fail to handle legitimate packets correctly or timely. As a result, protocol performance is affected.
To address this problem, you can apply a QoS policy to the control plane to take QoS actions such as
traffic filtering or rate limiting on inbound traffic, thus ensuring that the control plane can receive,
transmit, and process packets normally.
Follow these steps to apply the QoS policy to the control plane:
To do… Use the command… Remarks
Enter system view
system-view —
Enter control plane view (on a
distributed device)
control-plane slot slot-number Required
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 41/112
3-10
To do… Use the command… Remarks
Enter control plane view (on a
distributed IRF device)
control-plane chassis chassis-number slot
slot-number Required
Apply the QoS policy to the
control plane
qos apply policy policy-name { inbound |
outbound } Required
The QoS policy applied to the control plane for a specific slot takes effect only on the slot.
In case a global QoS policy conflicts with a control plane QoS policy, the control plane QoS policy
takes effect on the control plane.
By default, devices are configured with pre-defined control plane policies, which take effect on the
control planes by default. A pre-defined control plane QoS policy uses the system-index to identify
the type of packets sent to the control plane. You can reference system-indexes in if-match
commands in class view for traffic classification and then re-configure traffic behaviors for these
classes as required. You can use the display qos policy control-plane pre-defined command
to display them.
In a QoS policy for control planes, if a system index classifier is configured, the associated traffic
behavior can contain only the CAR or accounting action. In addition, if the CAR action is
configured, only its CIR setting can be applied.
Displaying and Maintaining QoS Policies
To do… Use the command… Remarks
Display traffic class information
display traffic classifier
user-defined [ tcl-name ] Available in any view
Display traffic behavior
configuration information
display traffic behavior
user-defined [ behavior-name ] Available in any view
Display user-defined QoS policy
configuration information
display qos policy user-defined
[ policy-name [ classifier
tcl-name ] ]
Available in any view
Display QoS policy configuration
on the specified or all interfaces
display qos pol icy interface
[ interface-type interface-number ]
[ inbound | outbound ]
Available in any view
Display VLAN QoS policy
configuration on a distributed
device
display qos vlan-policy { name
policy-name | vlan vlan-id } [ slot
slot-number ] [ inbound |outbound ]
Available in any view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 42/112
3-11
To do… Use the command… Remarks
Display VLAN QoS policy
configuration on a distributed IRF
device
display qos vlan-policy { name
policy-name | vlan [ vlan-id ] }
[ chassis chassis-number slot
slot-number ] [ inbound |outbound ]
Available in any view
Display information about QoS
policies applied globally on a
distributed device
display qos policy global [ slot
slot-number ] [ inbound |
outbound ]
Available in any view
Display information about QoS
policies applied globally on a
distributed IRF device
display qos policy global
[ chassis chassis-number slot
slot-number ] [ inbound |
outbound ]
Available in any view
Display information about control
plane QoS policies on a distributed
device
display qos policy
control-plane [ slot
slot-number ] [ inbound |
outbound ]
Available in any view
Display information about control
plane QoS policies on a distributed
IRF device
display qos policy control-plane
[ chassis chassis-number slot
slot-number ] [ inbound |
outbound ]
Available in any view
Display information about
pre-defined control plane QoS
policies on a distributed device
display qos policy
control-plane pre-defined
[ slot slot-number ]
Available in any view
Display information about
pre-defined control plane QoS
policies on a distributed IRF device
display qos policy control-plane
pre-defined [ chassis
chassis-number slot slot-number ]
Available in any view
Clear VLAN QoS policy statisticsreset qos vlan-policy [ vlan
vlan-id ] [ inbound | outbound ] Available in user view
Clear the statistics for a QoS policy
applied globally
reset qos po licy global
[ inbound | outbound ] Available in user view
Clear the statistics for the QoS
policy applied to a control plane on
a distributed device
reset qos policy
control-plane [ slot
slot-number ] [ inbound |
outbound ]
Available in user view
Clear the statistics for the QoS
policy applied to a control plane on
a distributed IRF device
reset qos po licy control -plane
[ chassis chassis-number slot
slot-number ] [ inbound |
outbound ]
Available in user view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 43/112
3-12
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 44/112
4-1
4 Priori ty Mapping Configuration
When configuring priority mapping, go to these sections for information you are interested in:
Priority Mapping Overview
Priority Mapping Configuration Tasks
Configuring Priority Mapping
Displaying and Maintaining Priority Mapping
Priority Mapping Configuration Examples
Priority Mapping Overview
Introduction to Priori ty Mapping
The priorities of a packet determine its transmission priority. There are two types of priority: priorities
carried in packets and priorities locally assigned for scheduling only.
The packet-carried priorities include 802.1p priority, DSCP precedence, IP precedence, EXP, and so
on. These priorities have global significance and affect the forwarding priority of packets across the
network.
The locally assigned priorities have only local significance. They are assigned by the device for
scheduling only. These priorities include the local precedence and drop precedence, as follows.
Local precedence is used for queuing. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be
preferentially scheduled.
Drop precedence is used for making packet drop decisions. Packets with the highest drop
precedence are dropped preferentially.
When a packet enters the device from a port, the device assigns a set of QoS priority parameters to
the packet based on a certain priority and sometimes may modify its priority, according to certain rules
depending on device status. This process is called priority mapping. The priority based on which
priority mapping is performed depends on the priority trust mode configured on the port . The set of
QoS priority parameters decides the scheduling priority and forwarding priority of the packet.
Priority Mapping Tables
Priority mapping is implemented with priority mapping tables. The device provides various types of
priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device
decides which priority value is to assign to a packet for subsequent packet processing.
dot1p-dp : 802.1p-to-drop priority mapping table.
dot1p-exp: 802.1p-to-EXP priority mapping table. (Available only on the EB and SD cards)
dot1p-lp : 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table, which is applicable to only IP packets.
dscp-dp: DSCP-to-drop priority mapping table, which is applicable to only IP packets.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 45/112
4-2
dscp-dscp: DSCP-to-DSCP priority mapping table, which is applicable to only IP packets.
exp-dot1p: EXP-to-802.1p priority mapping table. (Available only on the EB and SD cards)
exp-dp: EXP-to-drop priority mapping table.
The default priority mapping tables (as shown in Appendix A Default Priority Mapping Tables) are
available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority
mapping table cannot meet your requirements, you can modify the priority mapping table as required.
Priority Trust Mode on a Port
The priority trust mode on a port decides which priority is used for priority mapping table lookup. There
are two priority trust modes on the H3C S7500E series switches:
dot1p: Uses the 802.1p priority carried in packets for priority mapping.
dscp: Uses the DSCP carried in packets for priority mapping.
In addition, port priority was introduced for 802.1q untagged packets. Thus, when a port configured
with the 802.1p trust mode receives an 802.1q untagged packet, the priority of the port is used as the802.1p priority of the packet for priority mapping table lookup.
The priority mapping procedure varies with the priority modes, as described in the next section Priority
Mapping Procedure.
Priority Mapping Procedure
Figure 4-1 presents how the S7500E performs priority mapping for an Ethernet packet. The procedure
differs depending on whether the packet is 802.1q tagged or not.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 46/112
4-3
Figure 4-1 Priority mapping procedure for an Ethernet packet
Which priority istrusted on the
port?
Receive apacket on a port
Use the portpriority as the
802.1p priority ofthe packet
Look up thedot1p-dp and
dot1p-lp tables
Mark the packetwith local
precedence anddrop precedence
Is the packet802.1q tagged?
DSCP in packets
Look up thedscp-dp, dscp-
dot1p, and dscp-dscp tables
802.1p inpackets
Mark the packetwith 802.1ppriority, drop
precedence, andnew DSCPprecedence
Look up thedot1p-lp table
Mark the packetwith local
precedence
Look up thedot1p-dp and
dot1p-lp tables
Mark the packetwith local
precedence anddrop precedence
Schedule the packetaccording to its localprecedence and drop
precedence
Y
N
For an MPLS packet, the priority mapping procedure as shown in Figure 4-2 is adopted:
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 47/112
4-4
Figure 4-2 Priority mapping procedure for an MPLS packet
Receive apacket
Look up theexp-dp table
Mark the packetwith drop
precedence
Look up theexp-dot1p table
Mark the packetwith new 802.1p
priority
Look up thedot1p-lp table
Mark the packetwith localprecedence
Schedule the packetaccording to its localprecedence and drop
precedence
The priority mapping procedure presented above applies in the absence of priority marking. If priority
marking is configured, the device performs priority marking before priority mapping, and then uses there-marked packet-carried priority for priority mapping or directly uses the re-marked scheduling priority
for traffic scheduling depending on your configuration. In this case, neither priority trust mode
configuration on the port nor port priority configuration takes effect.
Priority Mapping Configuration Tasks
You are recommended to plan QoS throughout the network before making QoS configuration.
Complete the following task to configure priority mapping:
Task Remarks
Configuring a Priority Mapping Table Optional
Configuring the Priority Trust Mode on a Port Optional
Configuring the Port Priority of a Port Optional
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 48/112
4-5
Configuring Priority Mapping
Configuring a Priori ty Mapping Table
Follow these steps to configure an uncolored priority mapping table:
To do… Use the command… Remarks
Enter system view system-view —
Enter priority mapping table view
qos map-table { dot1p-dp |
dot1p-exp | dot1p-lp |
dscp-dot1p | dscp-dp |
dscp-dscp | exp-dot1p | exp-dp }
Required
Configure the priority mapping
table
import import-value-list export
export-value
Required
Newly configured mappings
overwrite the old ones.
Display the configuration of the
priority mapping table
display qos map-table
[ dot1p-dp | dot1p-exp | dot1p-lp
| dscp-dot1p | dscp-dp |
dscp-dscp | exp-dot1p | exp-dp ]
Optional
Available in any view
The 802.1p-to-EXP priority mapping table (dot1p-exp) and the EXP-to-802.1p priority mapping table
(exp-dot1p) are available only for the EB and SD cards.
Configuring the Priori ty Trust Mode on a Port
Follow these steps to configure the trusted packet priority type on an interface/port group:
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type
interface-number
Enter
interface
view or port
group view Enter port
group view
port-group manual port-group-name
Use either command
Settings in interface view take
effect on the current interface;
settings in port group view take
effect on all ports in the port group.
Configure
the priority
trust mode
Trust the
DSCP
priority in
packets
qos trust dscp
Use either command
By default, the device trusts the802.1p priority in packets.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 49/112
4-6
To do… Use the command… Remarks
Trust the
802.1p
priority in
packets
undo qos trust
Display the priority trust
mode configuration on the
port
display qos trust interface
[ interface-type interface-number ]
Optional
Available in any view
Configuring the Port Priority of a Port
You can change the port priority of a port used for priority mapping. For the priority mapping procedure,
see the Priority Mapping Procedure section.Follow these steps to configure the port priority of a port for priority mapping:
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type
interface-number
Enter
interface
view or port
group view Enter port
group view
port-group manual
port-group-name
Use either command
Settings in interface view take effect on
the current interface; settings in port
group view take effect on all ports in the
port group.
Configure the port priority qos priority priority-value Required
The default port priority is 0.
Display the trusted packet
priority type and the
priorities of an interface
display qos trust interface
[ interface-type interface-number ]
Optional
Available in any view
Displaying and Maintaining Priority Mapping
To do… Use the command… Remarks
Display priority mapping table
configuration
display qos map-table
[ dot1p-dp | dot1p-exp | dot1p-lp
| dscp-dot1p | dscp-dp |
dscp-dscp | exp-dot1p | exp-dp ]
Available in any view
Display the trusted packet priority
type on a port
display qos trust interface
[ interface-type interface-number ] Available in any view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 50/112
4-7
Priority Mapping Configuration Examples
Priority Mapping Table and Priority Marking Configuration Example
For information about priority marking, see Priority Marking Configuration.
Network requirements
As shown in Figure 4-3, the enterprise network of a company interconnects all departments through
Device. The network is described as follows:
The marketing department connects to GigabitEthernet 2/0/1 of Device, which sets the 802.1p
priority of traffic from the marketing department to 3. The R&D department connects to GigabitEthernet 2/0/2 of Device, which sets the 802.1p priority
of traffic from the R&D department to 4.
The management department connects to GigabitEthernet 2/0/3 of Device, which sets the 802.1p
priority of traffic from the management department to 5.
Configure port priority, 802.1p-to-local priority mapping table, and priority marking to implement the
plan as described in Table 4-1.
Table 4-1 Configuration plan
Queuing plan
Traffic
destinationTraffic Priorit y order
Traffic sourceOutput
queue
Queue
priority
R&D department 6 High
Management
department4 MediumPublic servers
R&D department > management
department > marketing
department
Marketing department 2 Low
R&D department 2 Low
Management
department6 High
Internet
through HTTP
management department >
marketing department > R&D
department
Marketing department 4 Medium
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 51/112
4-8
Figure 4-3 Network diagram for priority mapping table and priority marking configuration
Host
Server
R&D department
Internet
Device GE2/0/1
GE2/0/2GE2/0/3
GE2/0/4
Marketing department
Host
Server
Host
Server
Management department
Public servers
GE2/0/5
Data server
Mail server
Configuration procedure
1) Configure trusting port priority
# Set the port priority of GigabitEthernet 2/0/1 to 3.<Devi ce> syst em- vi ew
[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Devi ce- Gi gabi t Et her net 2/ 0/ 1] qos pr i or i t y 3
[ Devi ce- Gi gabi t Et her net 2/ 0/ 1] qui t
# Set the port priority of GigabitEthernet 2/0/2 to 4.
[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 2
[ Devi ce- Gi gabi t Et her net 2/ 0/ 2] qos pr i or i t y 4
[ Devi ce- Gi gabi t Et her net 2/ 0/ 2] qui t
# Set the port priority of GigabitEthernet 2/0/3 to 5.
[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 3[ Devi ce- Gi gabi t Et her net 1/ 3] qos pr i or i t y 5
[ Devi ce- Gi gabi t Et her net 1/ 3] qui t
2) Configure the priority mapping table
# Configure the 802.1p-to-local priority mapping table to map 802.1p priority values 3, 4, and 5 to local
precedence values 2, 6, and 4.
[ Devi ce] qos map- t abl e dot1p- l p
[ Devi ce- mapt bl - dot 1p- l p] i mport 3 expor t 2
[ Devi ce- mapt bl - dot 1p- l p] i mport 4 expor t 6
[ Devi ce- mapt bl - dot 1p- l p] i mport 5 expor t 4
[ Devi ce- mapt bl - dot 1p- l p] qui t3) Configure priority marking
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 52/112
4-9
# Mark the HTTP traffic of the management department, marketing department, and R&D department
to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured
above to map the 802.1p priorities to local precedence values 6, 4, and 2 respectively for differentiated
traffic treatment.
# Create ACL 3000 to match HTTP traffic.
[ Devi ce] acl number 3000
[ Devi ce- acl - adv- 3000] r ul e permi t t cp desti nat i on- port eq 80
[ Devi ce- acl - adv- 3000] qui t
# Create class http and reference ACL 3000 in the class.
[Devi ce] t r af f i c cl assi f i er ht t p
[ Devi ce- cl assi f i er - ht t p] i f - mat ch acl 3000
[Devi ce- cl assi f i er - ht t p] qui t
# Configure a priority marking policy for the management department and apply the policy to the
incoming traffic of GigabitEthernet 2/0/3.
[ Devi ce] t r af f i c behavi or admi n
[ Devi ce- behavi or - admi n] r emark dot1p 4
[ Devi ce- behavi or- admi n] qui t
[ Devi ce] qos pol i cy admi n
[ Devi ce- qospol i cy- admi n] cl assi f i er htt p behavi or admi n
[ Devi ce- qospol i cy- admi n] qui t
[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 3
[ Devi ce- Gi gabi t Ethernet 2/ 0/ 3] qos appl y pol i cy admi n i nbound
# Configure a priority marking policy for the marketing department and apply the policy to the incoming
traffic of GigabitEthernet 2/0/1.
[ Devi ce] t r af f i c behavi or mar ket
[ Devi ce- behavi or - market] r emark dot1p 5[ Devi ce- behavi or- market ] qui t
[ Devi ce] qos pol i cy market
[ Devi ce- qospol i cy- mar ket ] cl assi f i er ht t p behavi or mar ket
[ Devi ce- qospol i cy- mar ket ] qui t
[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Devi ce- Gi gabi t Ethernet 2/ 0/ 1] qos appl y pol i cy market i nbound
# Configure a priority marking policy for the R&D department and apply the policy to the incoming
traffic of GigabitEthernet 2/0/2.
[ Devi ce] t r af f i c behavi or r d
[ Devi ce- behavi or- r d] r emark dot 1p 3[ Devi ce- behavi or - r d] qui t
[ Devi ce] qos pol i cy rd
[ Devi ce- qospol i cy- r d] cl assi f i er ht t p behavi or r d
[ Devi ce- qospol i cy- r d] qui t
[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 2
[ Devi ce- Gi gabi t Et hernet 2/ 0/ 2] qos appl y pol i cy r d i nbound
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 53/112
5-1
5 Traffic Policing, Traffic Shaping, and Line Rate
Configuration
When configuring traffic classification, traffic policing, and traffic shaping, go to these sections for
information you are interested in:
Traffic Policing, Traffic Shaping, and Line Rate Overview
Configuring Traffic Policing
Configuring GTS
Configuring the Line Rate
Displaying and Maintaining Traffic Policing, GTS, and Line Rate
Traffic Policing, Traffic Shaping, and Line Rate Overview
Without limits on user traffic, a network can be overwhelmed very easily. To help assign network
resources such as bandwidth efficiently to improve network performance and hence user satisfaction,
QoS technologies such as traffic policing, traffic shaping, and rate limit were introduced. For example,
you can configure a flow to use only the resources committed to it in a certain time range, thus
avoiding network congestion caused by burst traffic.
Traffic policing and generic traffic shaping (GTS) limit traffic rate and resource usage according to
traffic specifications. Once a particular traffic exceeds its specifications such as bandwidth assigned to
it, it is shaped or policed to ensure that it is under the specifications. Generally, token buckets are used
to evaluate traffic specifications.
Traffic Evaluation and Token Buckets
Token bucket features
A token bucket is analogous to a container holding a certain number of tokens. The system puts tokens
into the bucket at a set rate. When the token bucket is full, the extra tokens overflows.
Evaluating traffic w ith the token bucket
The evaluation of traffic specifications is based on whether the number of tokens in the bucket canmeet the need of packet forwarding. Generally, one token is associated with a 1-bit forwarding
authority. If the number of tokens in the bucket is enough for forwarding the packets, the traffic
conforms to the specification and is called conforming traffic; otherwise, the traffic does not conform to
the specification and is called excess traffic.
A token bucket has the following configurable parameters:
Mean rate at which tokens are put into the bucket, namely, the permitted average rate of traffic. It
is usually set to the committed information rate (CIR).
Burst size or the capacity of the token bucket. It is the maximum traffic size that is permitted in
each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater
than the maximum packet size.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 54/112
5-2
Evaluation is performed for each arriving packet. In each evaluation, if the number of tokens in the
bucket is enough, the traffic conforms to the specification and the corresponding tokens for forwarding
the packet are taken away; if the number of tokens in the bucket is not enough, it means that too many
tokens have been used and the traffic is excessive.
Complicated evaluation
You can set two token buckets, the C bucket and the E bucket, to evaluate traffic in a more
complicated environment and achieve more policing flexibility. For example, traffic policing uses four
parameters:
CIR: Rate at which tokens are put into the C bucket, that is, the average packet transmission or
forwarding rate allowed by the C bucket.
CBS: Size of the C bucket, that is, transient burst of traffic that the C bucket can forward.
Peak information rate (PIR): Rate at which tokens are put into the E bucket, that is, the average
packet transmission or forwarding rate allowed by the E bucket.
Excess burst size (EBS): Size of the E bucket, that is, transient burst of traffic that the E bucket
can forward.
CBS is implemented with the C bucket and EBS with the E bucket. In each evaluation, packets are
measured against the buckets:
If the C bucket has enough tokens, packets are colored green.
If the C bucket does not have enough tokens but the E bucket has enough tokens, packets are
colored yellow.
If neither the C bucket nor the E bucket has sufficient tokens, packets are colored red.
Traffic Policing
Traffic policing supports policing traffic in the inbound direction and the outbound direction. Thereafter,
the outbound direction is taken for example.
A typical application of traffic policing is to supervise the specification of certain traffic entering a
network and limit it within a reasonable range, or to "discipline" the extra traffic. In this way, the networkresources and the interests of the user are protected. For example, you can limit bandwidth for HTTP
packets to less than 50% of the total. If the traffic of a certain session exceeds the limit, traffic policing
can drop the packets or reset the IP precedence of the packets.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 55/112
5-3
Figure 5-1 Schematic diagram for traffic policing
Tokenbucket
Packets dropped
Packetclassification
Packets to be sentthrough this interface
Packets sent
Tokens are put into thebucket at the set rate
Queue
Traffic policing is widely used in policing traffic entering the networks of internet service providers
(ISPs). It can classify the policed traffic and take pre-defined policing actions on each packet
depending on the evaluation result:
Forwarding the traffic if the evaluation result is “conforming.”
Dropping the traffic if the evaluation result is “excess.”
Modifying the DSCP priority of the conforming traffic and forwarding it.
Traffic Shaping
Traffic shaping supports shaping traffic to the outgoing traffic.
Traffic shaping provides measures to adjust the rate of outbound traffic actively. A typical traffic
shaping application is to limit the local traffic output rate according to the downstream traffic policing
parameters.
The difference between traffic policing and GTS is that packets to be dropped with traffic policing are
retained in a buffer or queue with GTS, as shown in Figure 5-2. When there are enough tokens in the
token bucket, the buffered packets are sent at an even rate. Traffic shaping may result in additional
delay while traffic policing does not.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 56/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 57/112
5-5
Figure 5-4 Line rate implementation
In the token bucket approach to traffic control, bursty traffic can be transmitted so long as enough
tokens are available in the token bucket; if tokens are inadequate, packets cannot be transmitted until
the required number of tokens are generated in the token bucket. Thus, traffic rate is restricted to the
rate for generating tokens, thus limiting traffic rate and allowing bursty traffic.
Line rate can only limit the total traffic rate on a physical port, while traffic policing can limit the rate of a
flow on a port. To limit the rate of all the packets on a port, using line rate is easier.
Configuring Traffic Policing
Configuration Procedure
Follow these steps to configure traffic policing:
To do… Use the command… Remarks
Enter system view system-view —
Create a class and enter class
view
traffic classifier tcl-name [ operator { and
| or } ] —
Configure the match criteria if-match match-criteria —
Exit class view quit —
Create a behavior and enter
behavior viewtraffic behavior behavior-name —
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 58/112
5-6
To do… Use the command… Remarks
Configure a traffic policing
action
car cir committed-information-rate [ cbs
committed-burst-size [ ebs
excess-burst-size ] ] [ pir
peak-information-rate ] [ green action ]
[ yellow action ] [ red action ]
Required
On SC, SA, and EA LPUs,
the granularity of traffic
policing is 64 kbps.
On SD and EB LPUs, the
granularity of traffic policing
is 8 kbps.
Exit behavior view quit —
Create a policy and enter
policy view
qos policy policy-name —
Associate the class with the
traffic behavior in the QoS
policy
classifier tcl-name behavior
behavior-name —
Exit policy view quit —
To an interface Applying the QoS policy to an interface —
To online users Applying the QoS policy to online users —
To a VLAN Applying the QoS policy to a VLAN —
Globally Applying the QoS policy globally —
Apply the
QoS
policy
To the control
plane
Applying the QoS policy to the control
plane —
Only SC, SD and EB cards support policing traffic in the outbound direction.
Configuration Example
Configure traffic policing on GigabitEthernet 2/0/1 to limit the rate of received HTTP traffic to 512 kbps
and drop the exceeding traffic.
# Enter system view.
<Sysname> syst em- vi ew
# Configure advanced ACL 3000 to match HTTP traffic.
[ Sysname] acl number 3000
[ Sysname- acl - adv- 3000] r ul e per mi t t cp dest i nati on- por t eq 80
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 59/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 60/112
5-8
Configuration Example
Configure GTS on GigabitEthernet2/0/1, shaping the packets of queue 1 when the sending rate
exceeds 512 kbps.
# Enter system view.
<Sysname> syst em- vi ew# Enter interface view.
[ Sysname] i nt er f ace gi gabi t et her net 2/ 0/ 1
# Configure GTS parameters.
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos gt s queue 1 ci r 512
Configuring the Line Rate
Configuration Procedure
Follow these steps to configure the line rate:
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type interface-number Enter
interface
view or port
group view Enter port
group viewport-group manual port-group-name
Use either command
Settings in interface view take effect
on the current interface; settings in
port group view take effect on all
ports in the port group.
Configure the inbound or
outbound line rate for the
interface/port group
qos lr outbound cir
committed-information-rate [ cbs
committed-burst-size ]
Required
On SC, SA, and EA LPUs, the
granularity of line rate is 64 kbps.
On SD and EB LPUs, the
granularity of line rate is 8 kbps.
Display line rate
configuration information
on the interface/all
interfaces
display qos lr interface [ interface-type
interface-number ] Available in any view
Configuration Example
Limit the outbound line rate of GigabitEthernet 2/0/1 to 512 kbps.
# Enter system view.
<Sysname> syst em- vi ew
# Enter interface view.
[ Sysname] i nt er f ace gi gabi t et her net 2/ 0/ 1
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 61/112
5-9
# Limit the outbound line rate of GigabitEthernet 2/0/1 to 512 kbps.
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos l r out bound ci r 512
Displaying and Maintaining Traffic Policing, GTS, and Line Rate
On the S7500E series switches, you can configure traffic policing in policy-based approach. For
related displaying and maintaining commands, see Displaying and Maintaining QoS Policies.
To do… Use the command… Remarks
Display interface GTS
configuration information
display qos g ts interface
[ interface-type interface-number ] Available in any view
Display interface line rate
configuration information
display qos lr interface
[ interface-type interface-number ] Available in any view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 62/112
6-1
6 Congestion Management Configuration
When configuring hardware congestion management, go to these sections for information you are
interested in:
Congestion Management Overview
Congestion Management Configuration Approaches
Per-Queue Hardware Congestion Management
Displaying and Maintaining Congestion Management
Congestion Management Overview
Causes, Impacts, and Countermeasures of Congestion
Network congestion is a major factor contributed to service quality degrading on a traditional network.
Congestion is a situation where the forwarding rate decreases due to insufficient resources, resulting
in extra delay.
Congestion easily occurs in complex packet switching circumstances in the Internet. The following
figure shows two common cases:
Figure 6-1 Traffic congestion causes
100M>10M
(100M+10M+50M)>100M
100M
100M
100M
50M
10M10M
(1) (2)
Congestion may bring these negative results:
Increased delay and jitter during packet transmission
Decreased network throughput and resource use efficiency
Network resource (memory in particular) exhaustion and even system breakdown
Congestion is unavoidable in switched networks and multi-user application environments. To improve
the service performance of your network, you must take some proper measures to address the
congestion issues.
The key to congestion management is how to define a dispatching policy for resources to decide the
order of forwarding packets when congestion occurs.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 63/112
6-2
Congestion Management Policies
In general, congestion management uses queuing technology. The system uses a certain queuing
algorithm for traffic classification, and then uses a certain precedence algorithm to send the traffic.
Each queuing algorithm addresses a particular network traffic problem and which algorithm is used
affects bandwidth resource assignment, delay, and jitter significantly.Queue scheduling processes packets by their priorities, preferentially forwarding high-priority packets.
In the following section, Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted
Round Robin (WRR) queuing are introduced.
SP queuing
SP queuing is specially designed for mission-critical applications, which require preferential service to
reduce the response delay when congestion occurs.
Figure 6-2 Schematic diagram for SP queuing
As shown in Figure 6-2, SP queuing classifies eight queues on a port into eight classes, numbered 7 to
0 in descending priority order.
SP queuing schedules the eight queues strictly according to the descending order of priority. It sends
packets in the queue with the highest priority first. When the queue with the highest priority is empty, it
sends packets in the queue with the second highest priority, and so on. Thus, you can assign
mission-critical packets to the high priority queue to ensure that they are always served first and
common service packets to the low priority queues and transmitted when the high priority queues are
empty.
The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if
there are packets in the higher priority queues. This may cause lower priority traffic to starve to death.
WRR queuing
WRR queuing schedules all the queues in turn to ensure that every queue can be served for a certain
time, as shown in Figure 6-3.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 64/112
6-3
Figure 6-3 Schematic diagram for WRR queuing
Queue 0 Weight 1
……
Queue 1 Weight 2
Queue N-2Weight N-1
Queue N-1 Weight N
Packets to be sent throughthis port Sent packets
Interface
Queuescheduling
Sending queuePacket
classification
Assume there are eight output queues on a port. WRR assigns each queue a weight value
(represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to
the queue. On a 100 Mbps port, you can configure the weight values of WRR queuing to 5, 3, 1, 1, 5, 3,
1, and 1 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively). In this way, the queue
with the lowest priority is assured of 5 Mbps of bandwidth at least, thus avoiding the disadvantage of
SP queuing that packets in low-priority queues may fail to be served for a long time.
Another advantage of WRR queuing is that while the queues are scheduled in turn, the service time for
each queue is not fixed, that is, if a queue is empty, the next queue will be scheduled immediately. This
improves bandwidth resource use efficiency.
WFQ queuing
Figure 6-4 Schematic diagram for WFQ queuing
Queue 1 Band width 1
……
Queue 2 Band width 2
Queue N-1 Band width N-1
Queue N Band width N
Packets to be sent throughthis port
Packetclassification
Sent packets
Interface
Sending queueQueue
scheduling
WFQ is derived from fair queuing (FQ), which is designed for fairly sharing network resources,
reducing the delay and jitter of all traffic. FQ fully consider the interests of all queues to ensure that:
Different queues have fair dispatching opportunities, preventing a single queue from being
delayed for too long.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 65/112
6-4
Short packets and long packets are fairly scheduled: if there are both long packets and short
packets in queues, statistically the short packets should be scheduled preferentially to reduce the
jitter between packets as a whole.
Compared with FQ, WFQ takes weights into account when determining the queue scheduling order.
Statistically, WFQ gives high priority traffic more scheduling opportunities than low priority traffic. WFQ
can automatically classify traffic according to the “session” information of traffic (protocol type, TCP or
UDP source/destination port numbers, source/destination IP addresses, IP precedence bits in the ToS
field, and so on), and try to provide as many queues as possible so that each traffic flow can be put into
these queues to balance the delay of every traffic flow as a whole. When dequeuing packets, WFQ
assigns the outgoing interface bandwidth to each traffic flow by precedence. The higher precedence
value a traffic flow has, the more bandwidth it gets.
Additionally, WFQ can work with the minimum guaranteed bandwidth mechanism. You can configure a
minimum guaranteed bandwidth for each WFQ queue to guarantee that each WFQ queue is
guaranteed of the bandwidth when congestion occurs. The assignable bandwidth (assignable
bandwidth = total bandwidth – the sum of the minimum guaranteed bandwidth for each queue) isallocated to queues based on queue priority.
For example, assume that the total bandwidth of a port is 10 Mbps, and there are five flows on the port
currently, with the precedence being 0, 1, 2, 3, and 4 and the minimum guaranteed bandwidth being
128 kbps, 128 kbps, 128 kbps, 64 kbps, and 64 kbps respectively.
The assignable bandwidth = 10 Mbps – (128 kbps + 128 kbps + 128 kbps + 64 kbps + and 64
kbps) = 9.5 Mbps
The total assignable bandwidth quota is the sum of all the (precedence value + 1)s, that is, 1 + 2 +
3 + 4 + 5 = 15.
The bandwidth percentage assigned to each flow is (precedence value of the flow + 1)/totalassignable bandwidth quota. The bandwidth percentages for the flows are 1/15, 2/15, 3/15, 4/15,
and 5/15 respectively.
The bandwidth finally assigned to a queue = the minimum guaranteed bandwidth + the bandwidth
allocated to the queue from the assignable bandwidth
Because WFQ can balance delay and jitter among flows when congestion occurs, it is effectively
applied in some special occasions. For example, WFQ is used for the assured forwarding (AF)
services of the Resource Reservation Protocol (RSVP). In Generic Traffic Shaping (GTS), WFQ is
used to schedule buffered packets.
SP+WRR queuing
By assigning some queues on the port to the SP scheduling group and the others to the WRR
scheduling group (that is, group 1), you implement SP + WRR queue scheduling on the port. Packets
in the SP scheduling group are scheduled preferentially. When the SP scheduling group is empty,
packets in the WRR scheduling group are scheduled. Queues in the SP scheduling group are
scheduled with the SP queue scheduling algorithm. Queues in the WRR scheduling group are
scheduled with WRR.
Congestion Management Configuration Approaches
Complete the following tasks to achieve congestion management:
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 66/112
6-5
Task Remarks
Configuring SP Queuing Optional
Configure WRR Queuing Optional
Configuring WFQ Queuing Optional
Configuring SP+WRR Queues Optional
Per-Queue Hardware Congestion Management
Configuring SP Queuing
Configuration procedure
Follow these steps to configure SP queuing:
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type
interface-number
Enter
interface
view or port
group view Enter port
group view
port-group manual
port-group-name
Use either command
Settings in interface view take effect on
the current interface; settings in port
group view take effect on all ports in the
port group.
Configure SP queuing
qos sp
Optional
The default queuing algorithm on an
interface is SP queuing.
Display SP queuing
configuration
display qos sp interface
[ interface-type interface-number ]
Optional
Available in any view
Configuration example
1) Network requirements
Configure GigabitEthernet 2/0/1 to use SP queuing.
2) Configuration procedure
# Enter system view
<Sysname> syst em- vi ew
# Configure GigabitEthernet2/0/1 to use SP queuing.
[ Sysname]i nt erf ace gi gabi t ether net 2/ 0/ 1
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos sp
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 67/112
6-6
Configure WRR Queuing
Configuration procedure
Follow these steps to configure group-based WRR queuing:
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type
interface-number
Enter
interface
view or port
group view Enter port
group viewport-group manual port-group-name
Use either command
Settings in interface view take
effect on the current interface;
settings in port group view take
effect on all ports in the port group.
Enable WRR queuing
qos wrr
Optional
The default queuing algorithm on
an interface is SP queuing.
Configure a WRR queue qos wrr queue-id group 1 weight
schedule-value Required
Display WRR queuing
configuration information
display qos wrr interface
[ interface-type interface-number ]
Optional
Available in any view
Configuration example
1) Network requirements
Enable WRR queuing on the interface GigabitEthernet 2/0/1.
Assign queues 0 through 7 to the WRR group, with their weights being 1, 3, 3, 5, 8, 8, 10, and 15.
2) Configuration procedure
# Enter system view.
<Sysname> syst em- vi ew
# Configure WRR queuing on GigabitEthernet 2/0/1.
[ Sysname] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr r
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 0 group 1 wei ght 1
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 1 group 1 wei ght 3
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 2 group 1 wei ght 3
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 3 group 1 wei ght 5
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 4 group 1 wei ght 8
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 5 group 1 wei ght 8
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 6 gr oup 1 wei ght 10
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 7 gr oup 1 wei ght 15
Configuring WFQ Queuing
Configuration procedure
Follow these steps to configure an WFQ queue:
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 68/112
6-7
To do… Use the command… Remarks
Enter system view system-view —
Enter
interface
view
interface interface-type
interface-number
Enter
interface
view or port
group view Enter port
group viewport-group manual port-group-name
Use either command
Settings in interface view takeeffect on the current interface;
settings in port group view take
effect on all ports in the port group.
Enable WFQ queuing qos wfq
Required
The default queuing algorithm on
an interface is SP queuing.
Configure the minimum
guaranteed bandwidth foran WFQ queue
qos bandwidth queue queue-id min
bandwidth-value
Required
64 kbps by default
Specify the queue
scheduling weight for an
WFQ queue
qos wfq queue-id weight
schedule-value
Required
1 by default
Display WFQ queuing
configuration
display qos wfq i nterface
[ interface-type interface-number ]
Optional
Available in any view
The support of different cards for the minimum guaranteed bandwidth and scheduling weight
configuration for WFQ queues varies as follows:
The SC, SD, and EB cards support both minimum guaranteed bandwidth and scheduling weight
configurations.
The EA cards support both configurations too, but the scheduling weight for each queue can only
be 1.
The SA cards support only the scheduling weight configuration.
Configuration example
1) Network requirements
Configure the queues on port GigabitEthernet2/0/1 as WFQ queues and sets the scheduling
weights of queues 1, 3, 4, 5, and 6 to 1, 5, 10, 15, and 10 respectively.
Set the minimum guaranteed bandwidth of queue 1 to 128 kbps.
2) Configuration procedure
# Enter system view.
<Sysname> syst em- vi ew
# Configure WFQ queues on GigabitEthernet 2/0/1.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 69/112
6-8
[ Sysname] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wf q
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wf q 1 wei ght 1
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wf q 3 wei ght 5
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wf q 4 wei ght 10
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wf q 5 wei ght 15
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wf q 6 wei ght 10
# Set the minimum guaranteed bandwidth of queue 1 to 128 kbps.
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos bandwi dth queue 1 mi n 128
Configuring SP+WRR Queues
Configuration Procedure
Follow these steps to configure SP + WRR queues:
To do… Use the command… Remarks
Enter system view system-view —
Enter interface
view
interface interface-type
interface-number Enter
interface
view or port
group viewEnter port
group view
port-group manual
port-group-name
Use either command
Settings in interface view take effect on
the current interface; settings in port group
view take effect on all ports in the port
group.
Enable the WRR queue
scheduling on the portqos wrr
Required
The default queuing algorithm on an
interface is SP queuing.
Configure SP queue
schedulingqos wrr queue-id group sp Required
Configure WRR queue
scheduling
qos wrr queue-id group
group-id byte-count
schedule-value
Required
Configuration Example
Network requirements
Configure to adopt SP+WRR queue scheduling algorithm on GigabitEthernet2/0/1.
Configure queue 0, queue 1, queue 2 and queue 3 on GigabitEthernet2/0/1 to be in SP queue
scheduling group.
Configure queue 4, queue 5, queue 6 and queue 7 on GigabitEthernet2/0/1 to be in WRR queue
scheduling group, with the weight being 2, 4, 6 and 8 respectively.
Configuration procedure
# Enter system view.<Sysname> syst em- vi ew
# Enable the SP+WRR queue scheduling algorithm on GigabitEthernet2/0/1.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 70/112
6-9
[ Sysname] i nt er f ace Gi gabi t Et her net 2/ 0/ 1
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr r
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr r 0 gr oup sp
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr r 1 gr oup sp
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr r 2 gr oup sp
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr r 3 gr oup sp
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 4 group 1 wei ght 2
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 5 group 1 wei ght 4
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 6 group 1 wei ght 6
[ Sysname- Gi gabi t Ether net 2/ 0/ 1] qos wr r 7 group 1 wei ght 8
Displaying and Maintaining Congestion Management
To do… Use the command… Remarks
Display WRR queue configuration
information
display qos wrr interface [ interface-type
interface-number ]
Display SP queue configuration
information
display qos sp interface [ interface-type
interface-number ]
Display WFQ queue configuration
information
display qos wfq interface [ interface-type
interface-number ]
Available in any view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 71/112
7-1
7 Congestion Avoidance
When configuring congestion avoidance, go to these sections for information you are interested in:
Congestion Avoidance Overview
Introduction to WRED Configuration
Configuring WRED on an Interface
Displaying and Maintaining WRED
Congestion Avoidance Overview
Avoiding congestion before it occurs to deteriorate network performance is a proactive approach to
improving network performance. As a flow control mechanism, congestion avoidance actively drops
packets when congestion is expected to occur or deteriorate by monitoring the utilization of network
resources (such as queues or memory buffers) to alleviate the load on the network.
Compared with end-to-end flow control, this flow control mechanism controls the load of more flows in
a device. When dropping packets from a source end, it cooperates with the flow control mechanism
(such as TCP flow control) at the source end to regulate the network traffic size. The combination of
the local packet drop policy and the source-end flow control mechanism helps maximize throughput
and network use efficiency and minimize packet loss and delay.
Traditional packet drop policy
Tail drop is the traditional approach to congestion avoidance. In this approach, when the size of a
queue reaches the maximum threshold, all the subsequent packets are dropped.
This results in global TCP synchronization. That is, if packets from multiple TCP connections are
dropped, these TCP connections go into the state of congestion avoidance and slow start to reduce
traffic, but traffic peak occurs later. Consequently, the network traffic jitters all the time.
RED and WRED
You can use random early detection (RED) or weighted random early detection (WRED) to avoid
global TCP synchronization.
Both RED and WRED avoid global TCP synchronization by randomly dropping packets. Thus, while
the sending rates of some TCP sessions slow down after their packets are dropped, other TCP
sessions remain at high sending rates. As there are always TCP sessions at high sending rates, link
bandwidth is efficiently utilized.
The RED or WRED algorithm sets an upper threshold and lower threshold for each queue, and
processes the packets in a queue as follows:
When the queue size is shorter than the lower threshold, no packet is dropped;
When the queue size reaches the upper threshold, all subsequent packets are dropped;
When the queue size is between the lower threshold and the upper threshold, the received
packets are dropped at random. The longer a queue is, the higher the drop probability is. However,
a maximum drop probability exists.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 72/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 73/112
7-3
To do… Use the command… Remarks
Enter system view system-view —
Create a WRED table qos wred queue table table-name —
Configure the drop
parameters for each
queue in the WRED table
queue queue-id [ drop-level drop-level ]
low-limit low-limit [ discard-probability
discard-prob ]
Optional
By default, the low-limit argument
is 100 and the discard-prob
argument is 10.
Enter
interface
view
interface interface-type interface-number Enter
interface
view or port
group view Enter port
group view
port-group manual port-group-name
Use either command
Settings in interface view take
effect on the current interface;
settings in port group view take
effect on all ports in the port group.
Apply the WRED table qos wred apply table-name Required
Configuration Example
Network requirements
Apply a queue-based WRED table to port GigabitEthernet 2/0/1.
Configuration procedure
# Enter system view.<Sysname> syst em- vi ew
# Configure a queue-based WRED table.
[ Sysname] qos wr ed queue t abl e queue- t abl e1
[ Sysname- wr ed- t abl e- queue- t abl e1] qui t
# Enter interface view.
[ Sysname] i nt er f ace gi gabi t et her net 2/ 0/ 1
# Apply the queue-based WRED table to GigabitEthernet 2/0/1.
[ Sysname- Gi gabi t Et her net 2/ 0/ 1] qos wr ed appl y queue- t abl e1
Displaying and Maintaining WRED
To do… Use the command… Remarks
Display WRED configuration
information on the interface or all
interfaces
display qos wred interface
[ interface-type interface-number ] Available in any view
Display configuration information
about a WRED table or all WRED
tables
display qos wred table
[ table-name ] Available in any view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 74/112
8-1
8 Traffic Filtering Configuration
When configuring traffic filtering, go to these sections for information you are interested in:
Traffic Filtering Overview
Configuring Traffic Filtering
Traffic Filtering Configuration Example
Traffic Filtering Overview
You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For
example, you can filter packets sourced from a specific IP address according to network status. By
using ACL rules configured with a time range for traffic classification, you can implement time-based
traffic filtering.
Configuring Traffic Filtering
Follow these steps to configure traffic filtering:
To do… Use the command… Remarks
Enter system view system-view —
Create a class and enter class
view
traffic classifier tcl-name [ operator
{ and | or } ] —
Configure the match criteria if-match match-criteria —
Exit class view quit —
Create a behavior and enter
behavior viewtraffic behavior behavior-name —
Configure the traffic filteringaction
filter { deny | permit }
Required
deny: Drops packets.
permit: Permits packets to
pass through.
Exit behavior view quit —
Create a policy and enter policy
viewqos policy policy-name —
Associate the class with the
traffic behavior in the QoS
policy
classifier tcl-name behavior
behavior-name —
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 75/112
8-2
To do… Use the command… Remarks
Exit policy view quit —
To an interface Applying the QoS policy to an interface —
To online users Applying the QoS policy to online users —
To a VLAN Applying the QoS policy to a VLAN —
Globally Applying the QoS policy globally —
Apply the
QoS
policy
To the control
plane
Applying the QoS policy to the control
plane —
Display the traffic filtering
configuration
display traffic behavior user-defined
[ behavior-name ]
Optional
Available in any view
With filter deny configured for a traffic behavior, the other actions (except class-based accounting) in
the traffic behavior do not take effect.
Support of Line Cards for the Traffic Filtering Function
Table 8-1 shows the support of line cards for the traffic filtering action for the inbound and outbound
traffic.
For line card categories and their description, see the installation manual for the S7500E series
switches.
Table 8-1 Support of line cards for the traffic filtering action
Traffic di rection (right)
Card category (below)
Inbound Outbound
SC Supported Supported
SA Supported Not supported
EA Supported Not supported
EB Supported Supported
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 76/112
8-3
Traffic di rection (right)
Card category (below)
Inbound Outbound
SD Supported Supported
Traffic Filtering Configuration Example
Traffic Filtering Configuration Example
Network requirements
As shown in Figure 8-1, Host is connected to GigabitEthernet 2/0/1 of Device.
Configure traffic filtering to filter the packets whose source port is 21 received on GigabitEthernet 2/0/1.
Figure 8-1 Network diagram for traffic filtering configuration
Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets whose source port number is 21.
<Devi ceA> syst em- vi ew
[ Devi ceA] acl number 3000
[ Devi ceA- acl - basi c- 3000] r ul e 0 per mi t t cp sour ce- port eq 21
[ Devi ceA- acl - basi c- 3000] qui t
# Create a class named classifier_1, and reference ACL 3000 in the class.
[Devi ceA] t raf f i c c l assi f i er c l assi f i er_1
[ Devi ceA- cl assi f i er - cl assi f i er _1] i f - mat ch acl 3000
[Devi ceA- c l assi f i er - c l assi f i er_1] qui t
# Create a behavior named behavior_1, and configure the traffic filtering action for the behavior to
drop packets.
[ Devi ceA] t r af f i c behavi or behavi or _1
[ Devi ceA- behavi or - behavi or _1] f i l t er deny
[ Devi ceA- behavi or- behavi or _1] qui t
# Create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the
policy.
[ Devi ceA] qos pol i cy pol i cy
[ Devi ceA- qospol i cy- pol i cy] cl assi f i er cl assi f i er _1 behavi or behavi or _1
[ Devi ceA- qospol i cy- pol i cy] qui t
# Apply the policy named policy to the incoming traffic of GigabitEthernet 2/0/1.
[ Devi ceA] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Devi ceA- Gi gabi t Et her net 2/ 0/ 1] qos appl y pol i cy pol i cy i nbound
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 77/112
9-1
9 Priori ty Marking Configuration
When configuring priority marking, go to these sections for information you are interested in:
Priority Marking Overview
Configuring Priority Marking
Priority Marking Configuration Example
Priority Marking Overview
Priority marking can be used together with priority mapping. For details, see Priority Mapping Table
and Priority Marking Configuration Example.
Priority marking sets the priority fields or flag bits of packets to modify the priority of traffic. For example,
you can use priority marking to set IP precedence or DSCP for a class of IP traffic to change its
transmission priority in the network.
To configure priority marking, you can associate a class with a behavior configured with the priority
marking action to set the priority fields or flag bits of the class of packets.
Configuring Priority Marking
Follow these steps to configure priority marking:
To do… Use the command… Remarks
Enter system view system-view —
Create a class and enter class
view
traffic classifier tcl-name [ operator { and
| or } ] —
Configure the match criteria if-match match-criteria —
Exit class view quit —
Create a behavior and enter
behavior viewtraffic behavior behavior-name —
Set the DSCP value for
packetsremark dscp dscp-value Optional
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 78/112
9-2
To do… Use the command… Remarks
Set the 802.1p priority for
packets or configure the
inner-to-outer tag priority
copying function
remark dot1p { 8021p |
customer-dot1p-trust } Optional
Set the drop precedence for
packets
remark drop-precedence
drop-precedence-value
Optional
Applicable to only the
outbound direction
Set the IP precedence for
packets
remark ip-precedence
ip-precedence-value Optional
Set the local precedence for
packets
remark local-precedence
local-precedence Optional
Set the QoS-local-ID for
packetsremark qos-local-id local-id-value
Optional
The QoS-local-ID is used for
identifying services and has
only local significance. By
marking different classes of
traffic with the same QoS local
ID, you can re-classify them to
apply a uniform set of QoS
actions on them.
Exit behavior view quit —
Create a policy and enter
policy viewqos policy policy-name —
Associate the class with the
traffic behavior in the QoS
policy
classifier tcl-name behavior
behavior-name —
Exit policy view quit —
To an interface Applying the QoS policy to an interface —
To online users Applying the QoS policy to online users —
To a VLAN Applying the QoS policy to a VLAN —
Globally Applying the QoS policy globally —
Apply the
QoS
policy
To the control
plane
Applying the QoS policy to the control
plane —
Display the priority marking
configuration
display traffic behavior user-defined
[ behavior-name ]
Optional
Available in any view
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 79/112
9-3
Support of Line Cards for Priority Marking
Table 9-1 and Table 9-2 show the support of line cards for the priority marking actions for the inbound
and outbound traffic.
For line card categories and their description, see the installation manual for the S7500E series
switches.
Table 9-1 Support of SC/SA/EA cards for priority marking
Card
category
(right)
SC SA EA
Action
(below)Inbound Outbound Inbound Outbound Inbound Outbound
Remarking the
802.1p
precedence
for packets
Supported Supported Supported Not supported Supported Not supported
Remarking the
drop
precedence
for packets
SupportedNot
supportedSupported Not supported Supported Not supported
Remarking the
DSCP
precedence
for packets
Supported Supported Supported Not supported Supported Not supported
Remarking the
IP precedence
for packets
Supported Supported Supported Not supported Supported Not supported
Remarking the
local
precedence
for packets
SupportedNot
supportedSupported Not supported Supported Not supported
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 80/112
9-4
Card
category
(right)
SC SA EA
Action
(below)
Inbound Outbound Inbound Outbound Inbound Outbound
Remarking the
specified QoS
local ID for
packets.
Not
supported
Not
supported
Not
supportedNot supported
Not
supportedNot supported
Table 9-2 Support of EB/SD cards for priority marking
Card category
(right)EB SD
Action (below) Inbound Outbound Inbound Outbound
Remarking the
802.1p precedence
for packets
Supported Supported Supported Supported
Remarking the drop
precedence for
packets
Supported Not supported Supported Not supported
Remarking the
DSCP precedence
for packets
Supported Supported Supported Supported
Remarking the IP
precedence for
packets
Supported Supported Supported Supported
Remarking the
local precedence
for packets
Supported Not supported Supported Not supported
Remarking the
specified QoS local
ID for packets.
Supported Not supported Supported Not supported
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 81/112
9-5
Priority Marking Configuration Example
Priority Marking Configuration Example
Network requirements
As shown in Figure 9-1, the enterprise network of a company interconnects hosts with servers throughDevice. The network is described as follows:
Host A and Host B are connected to GigabitEthernet 2/0/1 of Device.
The data server, mail server, and file server are connected to GigabitEthernet 2/0/2 of Device.
Configure priority marking on Device to satisfy the following requirements:
Traffic source Destination Processing priority
Host A, B Data server High
Host A, B Mail server Medium
Host A, B File server Low
Figure 9-1 Network diagram for priority marking configuration
Internet
Host A
Host B
Device
Data server 192.168.0.1/24
Mail server 192.168.0.2/24
File server 192.168.0.3/24
GE2/0/1 GE2/0/2
Configuration procedure
# Create advanced ACL 3000, and configure a rule to match packets with destination IP address
192.168.0.1.
<Devi ce> syst em- vi ew
[ Devi ce] acl number 3000
[ Devi ce- acl - adv- 3000] r ul e permi t i p dest i nati on 192. 168. 0. 1 0
[ Devi ce- acl - adv- 3000] qui t
# Create advanced ACL 3001, and configure a rule to match packets with destination IP address
192.168.0.2.
[ Devi ce] acl number 3001
[ Devi ce- acl - adv- 3001] r ul e permi t i p dest i nati on 192. 168. 0. 2 0
[ Devi ce- acl - adv- 3001] qui t
# Create advanced ACL 3002, and configure a rule to match packets with destination IP address
192.168.0.3.
[ Devi ce] acl number 3002
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 82/112
9-6
[ Devi ce- acl - adv- 3002] r ul e permi t i p dest i nati on 192. 168. 0. 3 0
[ Devi ce- acl - adv- 3002] qui t
# Create a class named classifier_dbserver , and reference ACL 3000 in the class.
[Devi ce] t r af f i c c l assi f i er c l assi f i er_dbserver
[ Devi ce- cl assi f i er - cl assi f i er _dbser ver ] i f - mat ch acl 3000
[ Devi ce- cl assi f i er- cl assi f i er_dbserver] qui t
# Create a class named classifier_mserver , and reference ACL 3001 in the class.
[ Devi ce] t raff i c cl assi f i er cl assi f i er_mserver
[ Devi ce- cl assi f i er - cl assi f i er _mserver ] i f - mat ch acl 3001
[ Devi ce- cl assi f i er- cl assi f i er_mserver] qui t
# Create a class named classifier_fserver , and reference ACL 3002 in the class.
[Devi ce] t raf f i c c l assi f i er c l assi f i er_ f server
[ Devi ce- cl assi f i er- cl assi f i er_f server] i f - match acl 3002
[Devi ce- cl assi f i er - cl assi f i er_ f server] qui t
# Create a behavior named behavior_dbserver , and configure the action of setting the local
precedence value to 4 for the behavior.[ Devi ce] t r af f i c behavi or behavi or _dbser ver
[ Devi ce- behavi or- behavi or_ dbserver ] r emark l ocal - pr ecedence 4
[ Devi ce- behavi or- behavi or_dbserver ] qui t
# Create a behavior named behavior_mserver , and configure the action of setting the local
precedence value to 3 for the behavior.
[ Devi ce] t r af f i c behavi or behavi or_mserver
[ Devi ce- behavi or- behavi or_ mserver ] r emark l ocal - precedence 3
[ Devi ce- behavi or- behavi or_mserver ] qui t
# Create a behavior named behavior_fserver , and configure the action of setting the local
precedence value to 2 for the behavior.[ Devi ce] t r af f i c behavi or behavi or _f ser ver
[ Devi ce- behavi or- behavi or_f server ] r emar k l ocal - pr ecedence 2
[ Devi ce- behavi or - behavi or _f ser ver ] qui t
# Create a policy named policy_server , and associate classes with behaviors in the policy.
[ Devi ce] qos pol i cy pol i cy_ser ver
[ Devi ce- qospol i cy- pol i cy_ser ver ] cl assi f i er cl assi f i er _dbser ver behavi or behavi or _dbser ver
[ Devi ce- qospol i cy- pol i cy_ser ver ] cl assi f i er cl assi f i er _mser ver behavi or behavi or _mser ver
[ Devi ce- qospol i cy- pol i cy_server] cl assi f i er cl assi f i er _f ser ver behavi or behavi or_f ser ver
[ Devi ce- qospol i cy- pol i cy_server] qui t
# Apply the policy named policy_server to the incoming traffic of GigabitEthernet 2/0/1.[ Devi ce] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Devi ce- Gi gabi t Et hernet 2/ 0/ 1] qos appl y pol i cy pol i cy_server i nbound
[ Devi ce- Gi gabi t Et her net 2/ 0/ 1] qui t
QoS-Local-ID Marking Configuration Example
QoS-local-ID marking is mainly used for re-classifying packets of multiple classes to perform a uniform
set of actions on them as a re-classified class.
Consider the case of limiting the total rate of packets with source MAC address 0001-0001-0001 and
packets with source IP address 1.1.1.1 to 128 kbps. Without QoS local ID marking, you can only
assign fixed bandwidth to the two classes by associating each of them with a rate-limit traffic behavior.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 83/112
9-7
With QoS local ID marking, however, traffic limit applies to the two classes as a whole, allowing the
switch to dynamically assign the bandwidth to the two classes depending on their traffic size.
To configure QoS-local-ID marking to limit the total rate of the two classes, you need to mark packets
of the two classes with the same QoS-local-ID; create a class to match the QoS local ID, and associate
this class with the traffic policing action. The configuration procedure is as follows:
# Create ACL 2000 to match packets with source IP address 1.1.1.1.
<Sysname> syst em- vi ew
[ Sysname] acl number 2000
[ Sysname-acl - basi c- 2000] r ul e permi t sour ce 1. 1. 1. 1 0
[ Sysname-acl - basi c- 2000] qui t
# Create a class class_a to match both packets with source MAC address 0001-0001-0001 and
packets with source IP 1.1.1.1.
<Sysname> syst em- vi ew
[ Sysname] t raf f i c cl assi f i er cl ass_a oper at or or
[ Sysname-cl assi f i er- cl ass_a] i f - mat ch sour ce- mac 1- 1- 1
[ Sysname- cl assi f i er - cl ass_a] i f - mat ch acl 2000
[ Sysname- cl assi f i er - cl ass_a] qui t
# Create a behavior behavior_a, and configure the action of marking packets with QoS-local-ID 100
for the behavior.
[ Sysname] t r af f i c behavi or behavi or _a
[ Sysname- behavi or- behavi or_ a] r emark qos- l ocal - i d 100
[ Sysname- behavi or- behavi or_ a] qui t
# Create a class class_b to match packets with QoS-local-ID 100.
[ Sysname] t raf f i c cl assi f i er cl ass_b
[ Sysname- cl assi f i er - cl ass_b] i f - mat ch qos- l ocal - i d 100
[ Sysname- cl assi f i er - cl ass_b] qui t
# Create a behavior behavior_b, and configure the action of limiting traffic rate to 128 kbps for the
behavior.
[ Sysname] t r af f i c behavi or behavi or _b
[ Sysname- behavi or- behavi or_ b] car ci r 128
[ Sysname- behavi or- behavi or_ b] qui t
# Create a QoS policy car_policy. In the QoS policy, associate class class_a with behavior
behavior_a, and associate class class_b with behavior behavior_b.
[ Sysname] qos pol i cy car_pol i cy
[ Sysname- qospol i cy- car _pol i cy] cl assi f i er cl ass_a behavi or behavi or _a
[ Sysname- qospol i cy- car _pol i cy] cl assi f i er cl ass_b behavi or behavi or _b
Apply the QoS policy car_policy to the interface, and you can satisfy the network requirements.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 84/112
10-1
10 Traffic Redirecting Configuration
When configuring traffic redirecting, go to these sections for information you are interested in:
Traffic Redirecting Overview
Configuring Traffic Redirecting
Traffic Redirecting Overview
Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a
certain location for processing.
Currently, the following four traffic redirecting actions are supported:
Redirecting traffic to the CPU: redirects packets which require processing by CPU to the CPU.
Redirecting traffic to an interface: redirects packets which require processing by an interface to the
interface. Note that this action is applicable to only Layer 2 packets, and the target interface
should be a Layer 2 interface.
Redirecting traffic to the next hop: redirects packets which require processing by an interface to
the interface. This action is applicable to only Layer 3 packets.
Configuring Traffic Redirecting
Follow these steps to configure traffic redirecting:
To do… Use the command… Remarks
Enter system view system-view —
Create a class and enter class
view
traffic classifier tcl-name [ operator
{ and | or } ] —
Configure the match criteria if-match match-criteria —
Exit class view quit —
Create a behavior and enter
behavior viewtraffic behavior behavior-name Required
Configure a traffic redirecting
action
redirect { cpu | interface interface-type
interface-number | next-hop { ipv4-add1
[ ipv4-add2 ] | ipv6-add1 [ interface-type
interface-number ] [ ipv6-add2
[ interface-type interface-number ] ] }
Optional
Exit behavior view quit —
Create a policy and enter policy
viewqos policy policy-name —
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 85/112
10-2
To do… Use the command… Remarks
Associate the class with the
traffic behavior in the QoS
policy
classifier tcl-name behavior
behavior-name —
Exit policy view quit —
To an interface Applying the QoS policy to an interface —
To a VLAN Applying the QoS policy to a VLAN —
Globally Applying the QoS policy globally —
Apply the
QoS
policy
To the control
plane
Applying the QoS policy to the control
plane —
Generally, the action of redirecting traffic to the CPU, the action of redirecting traffic to an interface,
and the action of redirecting traffic to the next hop are mutually exclusive with each other in the
same traffic behavior.
You can use the display traffic behavior command to view the traffic redirecting configuration.
A QoS policy that contains a traffic redirecting action can be applied only to the incoming traffic.
To implement QoS policy routing successfully, ensure that the next hop address specified in the
redirect action exist and the outgoing interface is not a tunnel interface. If you fail to do that, thematching traffic will be dropped.
Support of Line Cards for Traffic Redirecting
Table 10-1 shows the support of line cards for the traffic redirecting action for the inbound and
outbound traffic.
For line card categories and their description, see the installation manual for the S7500E series
switches.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 86/112
10-3
Table 10-1 Support of line cards for the traffic redirecting action
Direction(right)
Card category (below)
Inbound Outbound
SC LPU Supported Not Supported
SA LPU Supported Not Supported
EA LPU Supported Not Supported
EB LPU Supported Not Supported
SD LPU Supported Not Supported
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 87/112
11-1
11 Aggregation CAR Configuration
Aggregation CAR Overview
With aggregation CAR, one CAR is used to rate limit flows on different ports as a whole. If aggregation
CAR is enabled for multiple ports, the total traffic on these ports must conform to the traffic policing
parameters set in the aggregation CAR.
The S7500E series switches implement aggregation CAR with QoS policies.
Only the SD and EB cards support QoS policies that contain aggregation CAR actions.
Referencing an Aggregation CAR in a Traffic Behavior
Configuration prerequisites
You have determined the parameters in the aggregation CAR.
You have determined the traffic behavior to reference the aggregation CAR.
Configuration procedure
Follow these steps to reference an aggregation CAR in a traffic behavior:
To do… Use the command… Remarks
Enter system view system-view —
Configure an aggregation
CAR action
qos car car-name aggregative circommitted-information-rate [ cbs
committed-burst-size [ ebs
excess-burst-size ] ] [ pir
peek-information-rate ] [ green action ]
[ yellow action ] [ red action ]
Required
On SC, SA, and EA LPUs, the
granularity of traffic policing is
64 kbps.
On SD and EB LPUs, the
granularity of traffic policing is
8 kbps.
Create a class and enter
class view
traffic classifier tcl-name [ operator
{ and | or } ] —
Configure the match criteria if-match match-criteria —
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 88/112
11-2
To do… Use the command… Remarks
Exit class view quit —
Enter traffic behavior view traffic behavior behavior-name Required
Reference the aggregationCAR in the traffic behavior
car name car-name Required
Exit policy view quit —
To an interface Applying the QoS policy to an interface —
To a VLAN Applying the QoS policy to a VLAN —
Globally Applying the QoS policy globally —
Apply the
QoS
policy
To the control
plane
Applying the QoS policy to the control
plane —
Displaying and Maintaining Aggregation CAR
To do… Use the command… Remarks
Display the statistics for the
specified aggregation CAR
display qos car name
[ car-name ]
Required
Available in any view
Clear the statistics for the specified
aggregation CAR
reset qos car name [ car-name ] Required
Available in user view
Configuration example
Configure an aggregation CAR to rate-limit the traffic of VLAN 10 and VLAN 100 received on
GigabitEthernet 2/0/1 using these parameters: CIR is 256 kbps, CBS is 2000 bytes, and the action for
red packets is discard.
# Configure an aggregation CAR according to the rate limit requirements.
<Sysname> syst em- vi ew[ Sysname] qos car aggcar - 1 aggr egat i ve ci r 256 cbs 2000 r ed di scar d
# Create class 1 to match traffic of VLAN 10; create behavior 1, and reference the aggregation CAR in
the behavior.
[ Sysname] t raf f i c cl assi f i er 1
[ Sysname- cl assi f i er - 1] i f - mat ch cust omer - vl an- i d 10
[ Sysname- cl assi f i er - 1] qui t
[ Sysname] t r af f i c behavi or 1
[ Sysname- behavi or - 1] car name aggcar- 1
[ Sysname- behavi or- 1] qui t
# Create class 2 to match traffic of VLAN 100; create behavior 2, and reference the aggregation CARin the behavior.
[ Sysname] t raf f i c cl assi f i er 2
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 89/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 90/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 91/112
12-2
To do… Use the command… Remarks
To an interface Applying the QoS policy to an interface —
To a VLAN Applying the QoS policy to a VLAN —
Globally Applying the QoS policy globally —
Apply the
QoS
policy
To the control
plane
Applying the QoS policy to the control
plane
Displaying and Maintaining Traffic Account ing
After completing the configuration above, you can verify the configuration with the display qos policy
global, display qos policy interface, or display qos vlan-policy command depending on the
occasion where the QoS policy is applied.
Class-Based Accounting Configuration Example
Class-Based Accounting Configuration Example
Network requirements
As shown in Figure 12-1, Host is connected to GigabitEthernet 2/0/1 of Device.
Configure class-based accounting to collect statistics for traffic sourced from 1.1.1.1/24 and received
on GigabitEthernet 2/0/1.
Figure 12-1 Network diagram for traffic accounting configuration
Configuration procedure
# Create basic ACL 2000, and configure a rule to match packets with source IP address 1.1.1.1.
<Devi ceA> syst em- vi ew
[ Devi ceA] acl number 2000
[ Devi ceA- acl - basi c- 2000] r ul e permi t sour ce 1. 1. 1. 1 0
[ Devi ceA- acl - basi c- 2000] qui t
# Create a class named classifier_1, and reference ACL 2000 in the class.
[Devi ceA] t raf f i c c l assi f i er c l assi f i er_1
[ Devi ceA- cl assi f i er - cl assi f i er _1] i f - mat ch acl 2000
[Devi ceA- c l assi f i er - c l assi f i er_1] qui t
# Create behavior behavior_1, and configure an accounting action in the behavior.
[ Devi ceA] t r af f i c behavi or behavi or _1
[ Devi ceA- behavi or- behavi or_ 1] account i ng byt e
[ Devi ceA- behavi or- behavi or _1] qui t
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 92/112
12-3
# Create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the
policy.
[ Devi ceA] qos pol i cy pol i cy
[ Devi ceA- qospol i cy- pol i cy] cl assi f i er cl assi f i er _1 behavi or behavi or _1
[ Devi ceA- qospol i cy- pol i cy] qui t
# Apply the policy named policy to the incoming traffic of GigabitEthernet 2/0/1.[ Devi ceA] i nt er f ace gi gabi t et her net 2/ 0/ 1
[ Devi ceA- Gi gabi t Et her net 2/ 0/ 1] qos appl y pol i cy pol i cy i nbound
[ Devi ceA- Gi gabi t Et her net 2/ 0/ 1] qui t
# Display traffic statistics to verify the configuration.
[ Devi ceA] di spl ay qos pol i cy i nt er f ace gi gabi t et her net 2/ 0/ 1
I nt er f ace: Gi gabi t Et her net 2/ 0/ 1
Di r ect i on: I nbound
Pol i cy: pol i cy
Cl assi f i er : cl assi f i er _1
Operat or : AND
Rul e( s) : I f - match acl 2000
Behavi or: behavi or_ 1
Accounti ng Enabl e:
16 ( Packet s)
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 93/112
13-4
13 QoS in an EPON System
When configuring QoS in an EPON system, go to these sections for information you are interested in:
QoS in an EPON System
Configuring QoS in an EPON System
QoS in an EPON System
An S7500E switch installed with an OLT card can work as an OLT in an EPON system. For detailed
information about an EPON system, see EPON Configuration and related chapters in Layer 2 - LAN
Switching Configuration Guide.
You can configure QoS for an OLT and ONUs attached to the OLT. To achieve QoS in an EPON
system, you must configure QoS at both the OLT side and the ONU side. The following part introduces
QoS functions that can be configured for uplink traffic and those for the downlink traffic.
QoS Functions for Uplink Traffic
Processing on an ONU
Configuring the priority trust mode for an ONU.
Configuring traffic classification for an ONU: the ONU classifies the uplink traffic of a UNI and
marks CoS precedence values for the matching traffic, so that traffic can be put into different
queues.
Filtering the packets matching certain match criteria according to the configured QoS policy.
Configuring the ONU to perform traffic policing for uplink traffic of a UNI.
Configuring the UNI to tag the uplink 802.1q-untagged traffic with the default VLAN tag, and
adding the UNI priority to the Priority field as the 802.1p precedence (CoS precedence).
Configuring the ONU to distribute the uplink traffic to different output queues based on the
mapping between the CoS precedence and local precedence.
Configuring the ONU to perform congestion management for traffic from uplink ports, supporting
SP and WFQ queue scheduling algorithms (available to only H3C ONUs).Processing on an OLT
By default, an OLT port trusts the 802.1p precedence of the packets. You can configure to trust
the DSCP precedence of the packets through the command line. Thus, the OLT will obtain the
CoS precedence based on the mapping between the DSCP precedence and CoS precedence
before mapping the CoS precedence to the corresponding output queue. This configuration
applies to all uplink traffic of ONUs.
Configuring congestion management for uplink ports (supporting SP, WRR, and SP+WRR queue
scheduling algorithms).
Configuring congestion avoidance on an OLT. When the port is congested, received packets aredropped selectively.
Figure 13-1 shows the QoS model for uplink traffic in an EPON system.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 94/112
13-5
Figure 13-1 QoS model for uplink traffic in an EPON system
QoS Functions for Downlink Traffic
Processing on an OLT
Configuring the OLT to perform priority mapping for packets received from the uplink port
according to the CoS-to-local precedence mapping table and then assign packets to output
queues of the OLT port.
Configuring the OLT to perform congestion management for downlink traffic, supporting SP and
WRR queue scheduling algorithms.
Configuring the OLT to perform line rate and traffic shaping for downlink traffic.
Configuring the maximum downlink bandwidth that the OLT assigns to the ONU.
Configuring high-priority packet buffer for downlink traffic that the OLT sends to the specified
ONU.
Processing on an ONU
Filtering the packets matching certain match criteria according to the configured QoS policy.
Configuring the ONU to distribute the received downlink traffic to different output queues based onthe mapping between the CoS precedence and local precedence.
Configuring the ONU to perform traffic policing for downlink traffic of a UNI.
Some ONUs support configuring queue scheduling for traffic from a UNI. To perform such
configurations, you should log in to the ONU. For detailed configuration, see the ONU user manual.
Figure 13-2 shows the QoS model for downlink traffic in an EPON system.
Figure 13-2 QoS model for downlink traffic in an EPON system
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 95/112
13-6
Configur ing QoS in an EPON System
QoS Configuration Task List in an EPON System
QoS configurations in an EPON system are the same as those in Ethernet, and the corresponding
configuration commands in OLT port view and ONU port view are the same as those in Ethernet port
view too. For detailed configuration, see the corresponding chapters above.
Table 13-1 and Table 13-2 show how to configure QoS for downlink traffic and uplink traffic in an EPON
system.
Table 13-1 Configure QOS at the OLT side of an EPON system
QoS at the OLT side Reference
Configure priority mapping on the
OLT
Modify the priority mapping on the OLT
port
Configuring priority trust mode for
the OLT port
Configuring the Priority Trust Mode on
a Port
Configure traffic policing for uplink
traffic of all ONUs (through QoS)Configuring Traffic Policing
Configure QoS for uplink
traffic
Configure congestion management
on the uplink port
Configuring SP Queuing
Configure WRR Queuing
Configuring WFQ Queuing
Configuring SP+WRR Queues
Configure the OLT to perform
priority mapping for traffic received
on an uplink port
Modify the priority mapping on the OLT
port
Configure congestion management
(SP and WRR) on the downlink
OLT port
Configuring SP Queuing
Configure WRR Queuing
Configuring WFQ Queuing
Configuring SP+WRR Queues
Configure the high-priority queue
buffer for the specified ONUSending buffer size of the OLT port
Configure QoS for downlink
traffic
Configure line rate and traffic
shaping for downlink traffic
Configuring GTS
Configuring the Line Rate
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 96/112
13-7
QoS at the OLT side Reference
Assign downlink bandwidth for each
ONU Assign downlink bandwidth for an ONU
Table 13-2 Configure QoS at the ONU side of an EPON system
QoS at the ONU side Reference
Configuring traffic classification and
CoS priority marking for incoming
packets on UNIs
Priority mapping on the UNI
Configure priority trust mode for the
ONU
Configuring the Priority Trust
Mode on a Port
Configuring traffic policing for uplink
traffic of a UNI
Configure traffic policing for
downlink/uplink traffic of a UNI
Configure QoS for uplink
traffic
Configure congestion management for
the uplink port of an ONU
Configuring SP Queuing
Configuring WFQ Queuing
Configure the ONU to perform priority
mapping for downlink traffic from the
OLT according to the CoS-to-local
precedence mapping table
Priority mapping on the ONU port
Set the ONU port priorityConfiguring the Priority Trust
Mode on a Port
Configure QoS for downlink
traffic
Configuring traffic policing for downlink
traffic of a UNI
Configure traffic policing for
downlink/uplink traffic of a UNI
Configuring QoS at the OLT side
Modify the priority mapping on the OLT port
Follow these steps to modify the 802.1p-to-local mapping on the OLT port:
To do… Use the command… Remarks
Enter system view system-view —
Enter OLT port view interface interface-type interface-number —
Modify the 802.1p-to-local
mapping on the OLT port for
downlink or uplink traffic
priority-queue-mapping { downstream |
upstream } { value } &<1-8>
Optional
For the default
mapping, see Table
14-1.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 97/112
13-8
Sending buffer size of the OLT port
For traffic to be sent out an OLT port, you can set the priority threshold to identify high-priority traffic
and low-priority traffic. You can set sending buffer to reserve buffer for high-priority queues and thus
decrease the dropping probability of high-priority packets and guarantee QoS for high-priority packet
transmission. The sending buffer does not apply to low-priority queues.
You need to set the buffer parameters for high-priority packets in OLT port view and then enable
high-priority packet buffering for the specified ONU in ONU port view. After the configurations, when
the OLT sends traffic to the specified ONU, high-priority packet buffering is enabled and so that
high-priority packets can be sent preferentially.
You can enable high-priority packet buffering for multiple ONUs, and the OLT will reserve an
independent buffer for each ONU.
Follow these steps to configure rate limiting:
To do… Use the command… Remarks
Enter system view system-view —
Enter OLT port view interface interface-type interface-number —
Configure the priority threshold
and enable high-priority packet
buffering
bandwidth dow nstream priority-queue priority
high-priority-reserved value
Required
The downlink packets
on an OLT port are
considered
high-priority only if
their priority is greater
then or equal to the
priority value.
The value argument
is in bytes.
By default, no buffer
is reserved for
high-priority packets.
Return to system view quit —
Enter ONU port view interface interface-type interface-number —
Reserve high-priority buffer for
the current ONUbandwidth downstream high-priority enable
Optional
By default, the OLT
reserves no
high-priority buffer for
an ONU.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 98/112
13-9
High-priority packet buffering takes effect for downlink traffic only when downlink bandwidth allocation
policy is enabled (as shown in Configure traffic policing for downlink/uplink traffic of a UNI).
Assign downlink bandwidth for an ONU
When an S7500E works as an OLT in an EPON system, you can limit the rate at which the OLT port
sends traffic to each ONU, that is, assign downlink bandwidth to each ONU. This function includes two
configurations:
Enabling the downlink bandwidth allocation policy.
Configuring the ONU downlink bandwidth range, including the maximum bandwidth and the
maximum burst buffer.
Follow these steps to configure the ONU bandwidth allocation and related parameters:
To do… Use the command… Remarks
Enter system view system-view —
Enter ONU port viewinterface interface-type
interface-number —
Enable the ONU downlink
bandwidth allocation policy
and prioritize high-prioritypackets
bandwidth downstream policy
enable
Required
By default, the downlink bandwidth
allocation policy is disabled and
high-priority packets are not
prioritized.
Configure the ONU downlink
bandwidth limit
bandwidth downstream
{ max-bandwidth value |
max-burstsize value } *
Optional
By default, the maximum
bandwidth is 999994 kbps, and the
maximum burst buffer is 8388480
bytes.
The configuration of high-priority packet buffering (as shown in Sending buffer size of the OLT port)
and that of the downlink bandwidth limit take effect only when the downlink bandwidth allocation
policy is enabled.
The configured downlink bandwidth limitation takes effect only on known unicasts, but not on
unknown unicasts, multicasts, or broadcasts.
The sum of the minimum uplink bandwidths configured for all the existing ONU ports under an
OLT port cannot exceed 921600 Kbps, namely, 900 Mbps.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 99/112
13-10
Configuring QoS at the ONU Side
Priority mapping on the ONU port
When the ONU receives packets on an ONU port, it assigns local precedence to the packets according
to the 802.1p-to-local precedence mapping table. Table 13-3 shows the default 802.1p-to-local
precedence mapping table.Table 13-3 Default mapping between CoS precedence values and local precedence values
CoS precedence Local precedence
0 0
1 0
2 1
3 1
4 2
5 2
6 3
7 3
Follow these steps to configure the mapping between CoS precedence values and local precedence
values:
To do... Use the command... Remarks
Enter system view system-view —
Enter ONU port viewinterface interface-type
interface-number —
Configure the mapping
between CoS precedence
values and local precedence
values
qos cos-local-precedence-map
cos0-map-local-prec
cos1-map-local-prec
cos2-map-local-prec
cos3-map-local-prec
cos4-map-local-prec
cos5-map-local-prec
cos6-map-local-prec
cos7-map-local-prec
Required
For the default mapping, see Table
13-3.
Priority mapping on the UNI
You can classify the traffic received on a UNI based on information in the traffic, such as MAC address
and IP address, and then configure different mapping policies for each class of packets. When the
ONU receives packets on a UNI, it determines the actions to perform for packets based on the match
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 100/112
13-11
criteria, VLAN operation mode of the port, and VLAN tagging status of the received packets. For details,
see Table 13-4.
Table 13-4 Relationship between VLAN operation modes and priority remarking
VLAN operation
mode
With or withou t VLAN
tag
Packet processing
With VLAN tag
In the case of traffic classification based on the source MAC
address/destination MAC address, Ethernet priority, VLAN
ID, or physical port, if the packet matches the configured
traffic classification rule, the packet is priority-remarked with
the value specified in the rule and is then forwarded;
otherwise, the packet is directly forwarded.
In the case of traffic classification based on Ethernet type,
DSCP, IP protocol type, source IP address/destination IP
address, or source L4 port, the packet is forwarded withoutany change.
Transparent
mode
Without VLAN tag The packet is forwarded without any change.
With VLAN tag The packet is dropped.
Tag mode
Without VLAN tag
The packet is tagged with the VLAN tag corresponding to the
default PVID of the port, and then:
If the packet matches the configured traffic classification
rule, the packet is priority-remarked with the value specified
in the rule and is then forwarded;
Otherwise, the packet is remarked with the port priority and
is then forwarded.
Translation mode With VLAN tag
Case 1: The VLAN ID in the VLAN tag matches a VLAN
translation entry on the port. The VLAN ID is replaced with the
VLAN ID corresponding to the entry, and then:
If the packet matches the configured traffic classification
rule, the packet is priority-remarked with the value specified
in the rule and is then forwarded;
Otherwise, the packet is directly forwarded.
Case 2: The VLAN ID in the tag is the default VLAN ID of the
port:
If the packet matches the configured traffic classification
rule, the packet is priority-remarked with the value specified
in the rule and is then forwarded;
Otherwise, the packet is directly forwarded.
Case 3: The VLAN ID in the tag does not match any VLAN
translation entry on the port. The packet is dropped.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 101/112
13-12
VLAN operation
mode
With or withou t VLAN
tagPacket processing
Without VLAN tag
The packet is tagged with the VLAN tag corresponding to the
default PVID of the port, and then:
If the packet matches the configured traffic classification
rule, the packet is priority-remarked with the value specified
in the rule and is then forwarded;
Otherwise, the packet is remarked with the port priority and
is then forwarded.
Follow these steps to configure uplink traffic classification and priority remarking for a UNI:
To do... Use the command... Remarks
Enter system view system-view —
Enter ONU port view interface interface-type interface-number —
Configure uplink traffic
priority remarking for a
UNI
uni uni-number classification-marking index index queue
qid priority priority { selector operator matched-value }
&<1-4>
Required
Currently, up to eight rules can be configured for each UNI port on an H3C ONU.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 102/112
13-13
Table 13-5 Restrictions about the configuration
Item Restrictions
Priority remarking based on
the source MAC address or
destination Mac address
If a source MAC address–based traffic classification rule and a destination
MAC address–based traffic classification rule are configured for a UNI port
of an ONU, and if the uplink traffic satisfies both rules, only the destination
MAC address–based traffic classification rule applies even if the other one
has a higher priority.
The configuration of destination MAC address–based priority remarking
takes effect globally. Namely, a destination MAC address–based traffic
classification rule configured for a UNI port of an ONU applies to incoming
traffic from all the other UNI ports of the ONU.
In the case of source MAC address–based priority remarking for a UNI port,
the ONU adds the source MAC address and the corresponding UNI port
statically into its MAC address table; In the case of destination MACaddress–based priority remarking for a UNI port, the ONU adds the
destination MAC address and the PON port of the ONU statically into its
MAC address table.
It does not support priority remarking based on the source MAC
addresses/destination MAC addresses that are multicast MAC addresses,
all-0 MAC addresses, broadcast MAC addresses, or the MAC address of
the ONU.
Priority remarking based on
Ethernet priority
When the VLAN operation mode is set to tag mode for a UNI and the CoS
value in the traffic classification rule is the same as the priority of the UNI, thetraffic classification rule will not take effect.
Priority remarking based on
VLAN ID
The configuration of VLAN ID–based priority remarking takes effect globally.
Namely, a VLAN ID–based traffic classification rule configured for a UNI port of
an ONU applies to incoming traffic from all the other UNI ports of the ONU.
Priority remarking based on
Ethernet type, DSCP, IP
protocol type, source IP
address/destination IP
address, or source L4 port
The configuration of priority remarking based on Ethernet type, DSCP, IP
protocol type, source IP address/destination IP address, or source L4 port
takes effect globally. Namely, such a traffic classification rule configured for
a UNI port of an ONU applies to incoming traffic from all the other UNI ports
of the ONU.
If multiple rules are matched on the same UNI of an ONU, the match
sequence is L3 L4 L2; if the rules are for the same layer, the rule with
the smallest index has the highest precedence.
The device does not support priority remarking for different UNIs of an ONU
based on the same Ethernet type, DSCP, IP protocol type, source IP
address/destination IP address, or source L4 port.
The device does not support priority remarking based on destination L4
ports.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 103/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 104/112
13-15
Configuration procedure
# Create ONU 3/0/1:1, and bind it to the ONU.
<Sysname> syst em- vi ew
[ Sysname] i nt er f ace ol t 3/ 0/ 1
[ Sysname- Ol t 3/ 0/ 1] usi ng onu 1
[ Sysname-Ol t 3/ 0/ 1] qui t[ Sysname] i nt erf ace onu 3/ 0/ 1: 1
[ Sysname- Onu3/ 0/ 1: 1] bi nd onui d 000f - e200- 0104
# Set the uplink bandwidth of the ONU port to 50 Mbps (64 Kbps × 800).
[ Sysname- Onu3/ 0/ 1: 1] upst r eam- sl a mi ni mum- bandwi dt h 800 maxi mum- bandwi dt h 800
# Configure the VLAN operation mode as transparent for UNI 1 and UNI 2.
[ Sysname- Onu3/ 0/ 1: 1] uni 1 vl an- mode t r ansparent
[ Sysname- Onu3/ 0/ 1: 1] uni 2 vl an- mode t r ansparent
For detailed information about ONU uplink bandwidth and VLAN operation mode of a UNI, see ONU
Remote Management Configuration and UNI Port Configuration in the Layer 2 - LAN Switching
Configuration Guide.
# Configure priority remarking for UNI 1 and UNI 2.
[ Sysname- Onu3/ 0/ 1: 1] uni 1 cl assi f i cati on- marki ng i ndex 1 queue 3 pri ori t y 3 sr c- mac equal
000A- EB7F- AAAB
[ Sysname- Onu3/ 0/ 1: 1] uni 2 cl assi f i cati on- marki ng i ndex 1 queue 1 pri ori t y 1 sr c- mac equal001B- EB7F- 21AC
After the configuration above is complete, when two streams (each 50 Mbps) from two UNIs of the
ONU are being forwarded to the OLT, the packets sourced from the MAC address of 001B-EB7F-21AC
are dropped at forwarding congestion on the ONU port, because the queue precedence of these
packets is lower than that of the packets sourced from the MAC address of 000A-EB7F-AAAB.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 105/112
14-1
14 Appendix A Default Priority Mapping Tables
For the default dot1p-exp, dscp-dscp, and exp-dot1p priority mapping tables, an input value yields a
target value that is equal to it.
Table 14-1 The default dot1p-lp and dot1p-dp priority mapping tables
Input priority value dot1p-lp mapping dot1p-dp mapping
802.1p priority (dot1p)Local precedence
(lp)Drop precedence (dp)
0 2 0
1 0 0
2 1 0
3 3 0
4 4 0
5 5 0
6 6 0
7 7 0
Table 14-2 The default dscp-dp and dscp-dot1p priority mapping tables
Input priority value dscp-dp mapping dscp-dot1p mapping
DSCP Drop precedence (dp) 802.1p prio rity (dot1p)
0 to 7 0 0
8 to 15 0 1
16 to 23 0 2
24 to 31 0 3
32 to 39 0 4
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 106/112
14-2
Input priority value dscp-dp mapping dscp-dot1p mapping
DSCP Drop precedence (dp) 802.1p prio rity (dot1p)
40 to 47 0 5
48 to 55 0 6
56 to 63 0 7
Table 14-3 The default exp-dp priority mapping tables
Input priority value exp-dp mapping
EXP value Drop precedence (dp)
0 0
1 0
2 0
3 0
4 0
5 0
6 0
7 0
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 107/112
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 108/112
15-2
Table 15-2 Description on DSCP values
DSCP value (decimal) DSCP value (binary) Description
46 101110 ef
10 001010 af11
12 001100 af12
14 001110 af13
18 010010 af21
20 010100 af22
22 010110 af23
26 011010 af31
28 011100 af32
30 011110 af33
34 100010 af41
36 100100 af42
38 100110 af43
8 001000 cs1
16 010000 cs2
24 011000 cs3
32 100000 cs4
40 101000 cs5
48 110000 cs6
56 111000 cs7
0 000000 be (default)
802.1p Priority
802.1p priority lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header
analysis is not needed and QoS must be assured at Layer 2.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 109/112
15-3
Figure 15-2 An Ethernet frame with an 802.1Q tag header
As shown in Figure 15-2, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID,
two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length).
Figure 15-3 presents the format of the 802.1Q tag header. The Priority field in the 802.1Q tag header is
called the 802.1p priority, because its use is defined in IEEE 802.1p. Table 15-3 presents the values for
802.1p priority.
Figure 15-3 802.1Q tag header
1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID
TPID (Tag protocol identifier) TCI (Tag control information)
Byte 1 Byte 2
0
Byte 3 Byte 4
CFI
7 5 4 3 2 1 0 7 5 4 3 2 1 06 6 7 5 4 3 2 1 0 7 5 4 3 2 1 06 6
Table 15-3 Description on 802.1p priority
802.1p priority (decimal) 802.1p priority (binary) Description
0 000 best-effort
1 001 background
2 010 spare
3 011 excellent-effort
4 100 controlled-load
5 101 video
6 110 voice
7 111 network-management
EXP Values
The EXP field lies in MPLS labels and is used for QoS.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 110/112
15-4
Figure 15-4 MPLS label structure
As shown in Figure 15-4, the EXP field is 3 bits long and ranges from 0 to 7.
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 111/112
16-1
16 Index
A
ACL Classification 1-2
ACL Numbering and Naming 1-3
Application of ACLs on the Switch 1-2
Applying the QoS Policy 3-6
B
Best-Effort Service Model 2-1
C
Causes, Impacts, and Countermeasures of
Congestion 6-1
Class-Based Accounting Configuration
Example 12-2
Configuration prerequisites 11-1
Configure WRR Queuing 6-6
Configuring a Basic ACL 1-7
Configuring a Priority Mapping Table 4-5 Configuring an Advanced ACL 1-9
Configuring an Ethernet Frame Header ACL
1-12
Configuring QoS at the OLT side 13-7
Configuring QoS at the ONU Side 13-10
Configuring SP Queuing 6-5
Configuring SP+WRR Queues 6-8
Configuring the Port Priority of a Port 4-6
Configuring the Priority Trust Mode on a Port
4-5
Configuring WFQ Queuing 6-6
Congestion Management Policies 6-2
Copying an ACL 1-14
Creating a Time Range 1-6
D
Defining a Class 3-2
Defining a Policy 3-5
Defining a Traffic Behavior 3-5
DiffServ Service Model 2-2
Displaying and Maintaining QoS Policies
3-10
E
Example for UNI Priority Remarking
Configuration 13-14
I
Implementing Time-Based ACL Rules 1-5 Introduction to ACL 1-1
Introduction to Priority Mapping 4-1
Introduction to WRED Parameters 7-2
IntServ Service Model 2-2
IPv4 ACL Configuration Example 1-15
IPv4 Fragments Filtering with ACLs1-5
IPv6 ACL Configuration Example 1-17
L
Line Rate 5-4
M
Match Order 1-3
N
Non Policy-Based Configuration 3-1
P
Policy-Based Configuration 3-1 Positions of the QoS Techniques in a
Network 2-3
Priority Mapping Procedure 4-2
Priority Mapping Table and Priority Marking
Configuration Example 4-7
Priority Mapping Tables 4-1
Priority Marking Configuration Example 9-5
Priority Trust Mode on a Port 4-2
Q
8/10/2019 ACL and QoS Configuration Guide-book
http://slidepdf.com/reader/full/acl-and-qos-configuration-guide-book 112/112
QoS Configuration Task List in an EPON
System 13-6
QoS Functions for Downlink Traffic 13-5
QoS Functions for Uplink Traffic 13-4
QoS-Local-ID Marking Configuration
Example 9-6
T
Traffic Evaluation and Token Buckets 5-1
Traffic Filtering Configuration Example 8-3
Traffic Policing 5-2
Traffic Shaping 5-3
W
WRED Configuration Approaches 7-2