Configuring Packet Filtering
Background
A device configured to use packet filtering implements traffic control to filter packets that match traffic classification rules.
Procedure
- Configure a traffic classifier.
Run:
system-view
The system view is displayed.
Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or the existing traffic classifier view is displayed.
and: the rules in the traffic classifier are combined with the logical AND operator, which means that:
- If the traffic classifier contains ACL rules, packets match the traffic classifier only when they match one ACL rule and all the non-ACL rules.
- If the traffic classifier does not contain any ACL rules, packets match the traffic classifier only when they match all the rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
- Configure matching rules according to the following table (matching rule, command, remarks).
Matching rule: Outer VLAN ID
Command: if-match vlan-id start-vlan-id [ to end-vlan-id ]
Matching rule: 802.1p priority in VLAN packets
Command: if-match 8021p 8021p-value &<1-8>
Remarks: If you enter multiple 802.1p priority values in one command, a packet matches the traffic classifier as long as it matches any one of the 802.1p priorities, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
Matching rule: Destination MAC address
Command: if-match destination-mac mac-address [ mac-address-mask ]
Matching rule: Source MAC address
Command: if-match source-mac mac-address [ mac-address-mask ]
Matching rule: Protocol type field in the Ethernet frame header
Command: if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
Matching rule: All packets
Command: if-match any
Remarks: After the if-match any command is run, only the matching rule configured using this command takes effect; the other matching rules in the same traffic classifier become ineffective.
Matching rule: DSCP priority in IP packets
Command: if-match dscp dscp-value &<1-8>
Remarks: If you enter multiple DSCP values in one command, a packet matches the traffic classifier as long as it matches any one of the DSCP values, regardless of whether the relationship between rules in the traffic classifier is AND or OR. If the relationship between rules in a traffic classifier is AND, the if-match dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.
Matching rule: IP precedence in IP packets
Command: if-match ip-precedence ip-precedence-value &<1-8>
Remarks: The if-match dscp and if-match ip-precedence commands cannot both be configured in a traffic classifier in which the relationship between rules is AND. If you enter multiple IP precedence values in one command, a packet matches the traffic classifier as long as it matches any one of the IP precedence values, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
Matching rule: Layer 3 protocol type
Command: if-match protocol { ip | ipv6 }
Matching rule: SYN flag in the TCP packet
Command: if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg }
Matching rule: Inbound interface
Command: if-match inbound-interface interface-type interface-number
Remarks: A traffic policy containing this matching rule cannot be applied to the outbound direction or in the interface view.
Matching rule: ACL rule
Command: if-match acl { acl-number | acl-name }
Remarks: When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first. If an ACL in a traffic classifier defines multiple rules, a packet matches the ACL as long as it matches one of the rules, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
Matching rule: ACL6 rule
Command: if-match ipv6 acl { acl-number | acl-name }
Remarks: Before specifying an ACL6 in a matching rule, configure the ACL6.
Run:
quit
Exit from the traffic classifier view.
- Configure a traffic behavior.
Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.
- Run the following commands as required.
Run:
permit
The device is configured to forward packets matching the traffic classifier based on the original policy.
Run:
deny
The device is configured to reject packets matching the traffic classifier.
When permit is configured together with other actions in a traffic behavior, the actions are performed in sequence. deny cannot be combined with other actions: when deny is used, the other configured actions, except traffic statistics and flow mirroring, do not take effect.
If a packet matches an ACL rule that defines permit, whether the packet is forwarded or discarded depends on whether permit or deny is configured in the traffic behavior. If the ACL rule defines deny, the packet is discarded regardless of whether deny or permit is configured in the traffic behavior.
(Optional) Run:
statistic enable
The traffic statistics function is enabled.
Run:
quit
Exit from the traffic behavior view.
Run:
quit
Exit from the system view.
- Configure a traffic policy.
Run:
system-view
The system view is displayed.
Run:
traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.
Run:
classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in a traffic policy.
Run:
quit
Exit from the traffic policy view.
Run:
quit
Exit from the system view.
- Apply the traffic policy.
- Applying a traffic policy to an interface
Run:
system-view
The system view is displayed.
Run:
interface interface-type interface-number
The interface view is displayed.
Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
Each direction on an interface can be configured with only one traffic policy. A single traffic policy can be applied to both directions on one or more interfaces. After a traffic policy is applied to an interface, the system performs traffic policing for all the incoming or outgoing packets that match traffic classification rules on the interface.
You are advised not to use a traffic policy containing remark 8021p or remark vlan-id in the outbound direction of an untagged interface. This is because the configuration may cause packet errors.
Applying traffic policies consumes ACL resources. If ACL resources are insufficient, some traffic policies will fail to be applied. For example, if an if-match rule in a traffic policy occupies one ACL, M ACL resources are used to apply the traffic policy to M interfaces. When a traffic policy is applied to L VLANs, L ACLs are occupied. When a traffic policy is applied to the system, one ACL is occupied. For details about the ACLs occupied by if-match rules, see Table 2-4 in Licensing Requirements and Limitations for MQC.
- Applying a traffic policy to a VLAN
Run:
system-view
The system view is displayed.
Run:
vlan vlan-id
The VLAN view is displayed.
Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the VLAN.
Each direction of a VLAN can be configured with only one traffic policy.
After a traffic policy is applied to a VLAN, the system performs traffic policing for the packets that belong to the VLAN and match traffic classification rules in the inbound or outbound direction.
- Applying a traffic policy globally
Run:
system-view
The system view is displayed.
Run:
traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]
A traffic policy is applied to the system.
Each direction can be configured with only one traffic policy in the system or slot. A traffic policy cannot be applied to the same direction in both the system and slot. For example, if a traffic policy is applied to the inbound direction globally, it cannot be applied to the inbound direction in a slot.
- In a stack, a traffic policy that is applied to the system takes effect on all the interfaces and VLANs of all the member switches in the stack. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on all the member switches. A traffic policy that is applied to a specified slot takes effect on all the interfaces and VLANs of the member switch with the specified stack ID. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on this member switch.
- On a standalone switch, a traffic policy that is applied to the system takes effect on all the interfaces and VLANs of the local switch. The system then performs traffic policing for all the incoming and outgoing packets that match traffic classification rules on the local switch. Traffic policies applied to the slot and system have the same functions.
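The whole procedure carried out for one packet-filtering case, as an added example that is not from the original page: the ACL number, classifier, behavior and policy names, the source subnet 10.1.1.0/24 and the interface GigabitEthernet0/0/1 are constructed, and the acl number / rule commands and the view prompts are assumed standard Huawei VRP syntax that this page does not show. The ACL rule is written as permit on purpose: under the interaction rule above, it is then the deny in the traffic behavior that discards the matching inbound packets, and statistic enable counts what was dropped.

```text
<HUAWEI> system-view
[HUAWEI] acl number 3000
[HUAWEI-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
[HUAWEI] traffic classifier c_block_src operator and
[HUAWEI-classifier-c_block_src] if-match acl 3000
[HUAWEI-classifier-c_block_src] quit
[HUAWEI] traffic behavior b_drop
[HUAWEI-behavior-b_drop] deny
[HUAWEI-behavior-b_drop] statistic enable
[HUAWEI-behavior-b_drop] quit
[HUAWEI] traffic policy p_filter_in
[HUAWEI-trafficpolicy-p_filter_in] classifier c_block_src behavior b_drop
[HUAWEI-trafficpolicy-p_filter_in] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p_filter_in inbound
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] display traffic classifier user-defined c_block_src
[HUAWEI] display traffic behavior user-defined b_drop
[HUAWEI] display traffic policy user-defined p_filter_in
[HUAWEI] display traffic-policy applied-record p_filter_in
```

The inbound direction of GigabitEthernet0/0/1 now carries exactly one policy, so a second traffic-policy ... inbound on that interface would be rejected until this one is removed.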
Checking the Configuration
- Run the display traffic classifier user-defined [ classifier-name ] command to check the traffic classifier configuration.
- Run the display traffic behavior user-defined [ behavior-name ] command to check the traffic behavior configuration.
- Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the user-defined traffic policy configuration.
- Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to check information about ACL-based simplified and MQC-based traffic policies applied to the system, a VLAN, or an interface.
- Run the display traffic policy { interface [ interface-type interface-number ] | vlan [ vlan-id ] | global } [ inbound | outbound ] command to check the traffic policy configuration.
- Run the display traffic-policy applied-record [ policy-name ] command to check the application record of a specified traffic policy.