Example for Configuring Rate Limiting in a Specified Time Range
Overview
An ACL contains various matching conditions. You can configure a time range and reference it in ACL rules on the device. This allows the device to match packets based on the time range, and the administrator can apply different policies to packets at different time ranges.
In this example, a basic ACL defines a time range and the basic ACL is referenced by the traffic policy module to limit Internet access rate during the specified time range.
Configuration Notes
- This example applies to the following products:
- S2752EI, S2710-SI, S2720-EI, S2750-EI
- S3700-SI, S3700-EI, S3700-HI
- S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
- S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
- S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table 1 in "Applicable Products and Versions" for details.
For details about software mappings, visit Hardware Center and select the desired product model.
The S5731-L and S5731S-L are remote units and do not support web-based management, YANG, or commands. They can be configured only through configuration delivery by the central device. For details, see "Simplified Architecture Configuration (the Solar System Solution)" in the S300, S500, S2700, S5700, and S6700 V200R023C00 Configuration Guide - Device Management.
Networking Requirements
In Figure 3-255, users connect to external network devices through GE2/0/1 of the switch.
During work hours from 8:30 to 18:00, the Internet access rate of employees needs to be limited to 4 Mbit/s.
Configuration Roadmap
- Configure interfaces so that users can access the Internet through the Switch.
- Configure a time range and reference the time range in an ACL.
- Configure an ACL to match traffic passing the device in the specified time range.
- Configure a traffic policy to limit the rate of packets matching ACL rules.
- Apply the traffic policy to GE1/0/1 in the inbound direction.
Procedure
- Create a VLAN and configure interfaces.
# Create VLAN 10 on the Switch.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan 10 [Switch-vlan10] quit
# Configure GE1/0/1 and GE2/0/1 on the Switch as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type trunk [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet1/0/1] quit [Switch] interface gigabitethernet 2/0/1 [Switch-GigabitEthernet2/0/1] port link-type trunk [Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 [Switch-GigabitEthernet2/0/1] quit
Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.
# Create VLANIF 10 and set its IP address to 192.168.1.1/24.
[Switch] interface vlanif 10 [Switch-Vlanif10] ip address 192.168.1.1 24 [Switch-Vlanif10] quit
On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24, and configure a sub-interface on the interface to terminate the VLAN.
- Create a periodic time range working_time that defines work hours from 8:30 to 18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day //Define the work hours.
- Configure ACL 2001 and define three rules to limit the bandwidth of packets from 192.168.1.10, 192.168.1.11, and 192.168.1.12 during work hours.
[Switch] acl number 2001 [Switch-acl-basic-2001] rule permit source 192.168.1.10 0 time-range working_time //Limit the rate of packets from 192.168.1.10 at work hours. [Switch-acl-basic-2001] rule permit source 192.168.1.11 0 time-range working_time //Limit the rate of packets from 192.168.1.11 at work hours. [Switch-acl-basic-2001] rule permit source 192.168.1.12 0 time-range working_time //Limit the rate of packets from 192.168.1.12 at work hours. [Switch-acl-basic-2001] quit
- Reference ACL 2001 in a traffic classifier to classify packets.
[Switch] traffic classifier c1 [Switch-classifier-c1] if-match acl 2001 [Switch-classifier-c1] quit
- Configure a traffic behavior to set the rate limit to 4 Mbit/s.
[Switch] traffic behavior b1 [Switch-behavior-b1] car cir 4096 //Limit the Internet access rate to 4 Mbit/s at work hours. [Switch-behavior-b1] statistic enable [Switch-behavior-b1] quit
- Configure a traffic policy and apply the traffic policy to GE1/0/1 in the inbound direction.
[Switch] traffic policy p1 [Switch-trafficpolicy-p1] classifier c1 behavior b1 [Switch-trafficpolicy-p1] quit [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound [Switch-GigabitEthernet1/0/1] quit
- Verify the configuration.
# Check the traffic classifier configuration.
[Switch] display traffic classifier user-defined c1 User Defined Classifier Information: Classifier: c1 Precedence: 5 Operator: OR Rule(s) : if-match acl 2001
# Check the traffic policy configuration.
[Switch] display traffic policy user-defined p1 User Defined Traffic Policy Information: Policy: p1 Classifier: c1 Operator: OR Behavior: b1 Permit Committed Access Rate: CIR 4096 (Kbps), PIR 4096 (Kbps), CBS 770048 (byte), PBS 1282048 (byte) Color Mode: color Blind Conform Action: pass Yellow Action: pass Exceed Action: discard Statistic: enable
# Check the traffic policy that is applied to the interface. During work hours, when the rate of packets from each network segment on GE1/0/1 in the inbound direction is larger than 4 Mbit/s, packet loss occurs. The rate of packets from each network segment is limited within 4 Mbit/s.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound Interface: GigabitEthernet1/0/1 Traffic policy inbound: p1 Rule number: 3 Current status: success Statistics interval: 300 --------------------------------------------------------------------- Board : 1 --------------------------------------------------------------------- Matched | Packets: 38,761 | Bytes: - | Rate(pps): 0 | Rate(bps): - --------------------------------------------------------------------- Passed | Packets: 25,534 | Bytes: - | Rate(pps): 0 | Rate(bps): - --------------------------------------------------------------------- Dropped | Packets: 13,227 | Bytes: - | Rate(pps): 0 | Rate(bps): - --------------------------------------------------------------------- Filter | Packets: 0 | Bytes: - --------------------------------------------------------------------- Car | Packets: 13,227 | Bytes: - ---------------------------------------------------------------------
Configuration Files
Switch configuration file
# sysname Switch # vlan batch 10 # time-range working_time 08:30 to 18:00 working-day # acl number 2001 rule 5 permit source 192.168.1.10 0 time-range working_time rule 10 permit source 192.168.1.11 0 time-range working_time rule 15 permit source 192.168.1.12 0 time-range working_time # traffic classifier c1 operator or precedence 5 if-match acl 2001 # traffic behavior b1 permit car cir 4096 pir 4096 cbs 770048 pbs 1282048 mode color-blind green pass yellow pass red discard statistic enable # traffic policy p1 match-order config classifier c1 behavior b1 # interface Vlanif10 ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 traffic-policy p1 inbound # interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 10 # return