Licensing Requirements and Limitations for MQC (CE12800E)
Involved Network Elements
Other network elements are not required.
Licensing Requirements
MQC is a basic feature of the switch and is not under license control.
Version Requirements
Product | Minimum Version Required |
---|---|
CE12800E | V200R002C50 |
Feature Limitations
Limitations for MQC Specifications
Item | Specification |
---|---|
Maximum number of traffic classifiers | |
Maximum number of traffic behaviors | |
Maximum number of traffic policies | |
Maximum binding count of traffic policies | 12288 |
Maximum number of if-match rules in a traffic classifier | 2048 |
Maximum number of traffic classifiers bound to a traffic policy | |
Limitations for Traffic Classifiers
- When a traffic classifier contains an ACL rule that defines a VPN instance, the vpn-instance field is ignored. That is, both private and public network traffic is matched. To match only private network traffic, apply a traffic policy to the corresponding Layer 3 interface.
- If a traffic classifier references an ACL rule that matches the outer VLAN ID and the VLAN mapping function is configured, the translated VLAN ID after VLAN mapping is matched in both the inbound and outbound directions.
- When editing or modifying traffic classification rules in a traffic policy on the switch configured with the traffic-policy atomic-update-mode command, ensure that the number of remaining ACL resources is larger than twice the number of chip resources occupied by traffic classification rules in the traffic policy.
- If a static route for inter-VPN forwarding specifies the destination VPN instance as the next hop (without any specified outbound interface or next-hop address) or specifies the public parameter (without any specified next-hop address), packets that match the MQC rule and need to be forwarded according to that static route fail to be forwarded because the static route contains no specific next-hop address.
- The bound traffic classifiers can define IPv4 ACL rules containing the logging field on the CE12800E equipped with ED-E, EG-E, or EGA-E series cards in V200R019C00 and later versions. A traffic policy containing such traffic classifiers can be applied in the system view, VLAN view, VLANIF interface view, BD view, VBDIF interface view (only in the inbound direction), Eth-Trunk interface view, physical interface view, or Layer 2 sub-interface view (only in the inbound direction). The following matching fields are supported: source IP address, destination IP address, source port number, destination port number, protocol type, and TCP flag. In addition, the bound traffic classifiers can also define IPv6 ACL rules containing the logging field. A traffic policy containing such a matching rule is described as follows:
- Views: system view, VLAN view, VLANIF interface view, BD view (only in the inbound direction), VBDIF interface view (only in the inbound direction), Eth-Trunk interface view, physical interface view, Layer 2 sub-interface view (only in the inbound direction), and QoS group view
- Actions: deny and traffic statistics collection
- Matching fields: source IP address, destination IP address, source port number, destination port number, and protocol type
- On the CE12800E equipped with FD-X series cards, a traffic classifier can define IPv4 ACL rules containing the logging field. A traffic policy containing the matching rule can be applied to the system view, VLAN view, VLANIF interface view, VBDIF interface view (only in the inbound direction), Eth-Trunk interface view, or physical interface view. Starting from V200R019C00, a traffic classifier can define IPv6 ACL rules containing the logging field. A traffic policy containing the matching rule can be applied to the inbound direction in the system view, VLAN view, VLANIF interface view, BD view, VBDIF interface view, Eth-Trunk interface view, physical interface view, Layer 2 sub-interface view, or QoS group view.
- For the CE12800E equipped with ED-E, EG-E, or EGA-E series cards: If a traffic classifier defines IPv6 ACL rules, the traffic behavior bound to this traffic classifier cannot define the following actions: VLAN mapping, VLAN stacking, and MAC address learning disabling.
Limitations for Traffic Policies
- On the CE12800E equipped with ED-E, EG-E, or EGA-E series cards:
- Traffic policies configured in the VLAN or BD view are mutually exclusive with those configured in the corresponding VLANIF or VBDIF interface view.
- The if-match discard command needs to be configured to match packets that are discarded due to the mac-address bpdu command.
- Traffic policies configured on the device do not take effect for packets that are discarded due to local attack defense.
- Microsegmentation does not take effect for packets that are discarded due to a traffic policy containing the deny action.
- Traffic policies configured in different views take effect in descending order of priority as follows: Layer 2 or Layer 3 sub-interface view > physical interface view > VLAN view, VLANIF interface view, BD view, or VBDIF interface view > system view. For the same packet, if a traffic policy containing the redirection or deny action is applied in a view with a higher priority, the traffic policy applied in the view with a lower priority does not take effect.
- A traffic policy applied in the Layer 3 main interface view also takes effect for traffic on Layer 3 sub-interfaces. As a result, the traffic policy applied in the interface view may conflict with that applied in the sub-interface view.
- When two traffic policies are applied to the same view and the same direction (assuming that traffic policies p1 and p2 are applied in sequence), if traffic policy p1 is unbound and a traffic policy (traffic policy p1 or another one) is applied again, traffic policy p2 becomes invalid for a period of time. In addition, there is a delay for the re-applied traffic policy to take effect after the configuration is committed.
- A maximum of two traffic policies can be applied to the same direction in the same view.
- When multiple fields of packets of the same type (such as Layer 2, IPv4, or IPv6 packets) need to be matched in a view, apply one traffic policy in the view and specify multiple traffic classifiers and corresponding traffic behaviors in the traffic policy. If both IPv4 and IPv6 packets need to be matched, create one traffic policy for each type of the packets.
- Applying, modifying, and deleting a traffic policy take effect after a slight delay, which is proportional to the number of rules. In extreme conditions, the delay may reach minutes.
You can run the display traffic-policy apply-information command in the diagnostic view to check the priorities of all traffic policies that have been applied. The applied traffic policies are displayed in descending order of priority in the command output.
- For the CE12800E configured with FD-X series cards, when the system resource mode is set to large-acl or the system resource mode is set to the UFT flexible resource mode of ACL entries, a traffic policy can contain only the deny and redirect interface actions in bound traffic behaviors.
- When a VLAN is used or a Layer 2 sub-interface connects to a VXLAN on the CE12800E configured with ED-E, EG-E, or EGA-E series cards, a traffic policy cannot match the original VLAN ID of packets and cannot be applied to the VLAN. You can configure a traffic classifier to match fields except for the VLAN ID and apply the traffic policy to the BD corresponding to the VLAN.
- If a traffic policy applied to a VLAN references an ACL rule that matches the outer VLAN ID and the VLAN mapping function is configured, the translated VLAN ID after VLAN mapping is matched in both the inbound and outbound directions.
- On the CE12800E equipped with FD-X series cards, a traffic policy applied in the VLAN view takes effect only for Layer 2 traffic.
- When a traffic policy is applied to a VLANIF interface:
- The bound traffic classifiers can define matching rules based on the destination MAC address, IP address type (IPv4 or IPv6), source IPv4 address, destination IPv4 address, source IPv6 address, destination IPv6 address, protocol type, source port number, destination port number, and IP fragment flag.
- If the bound traffic classifiers define matching rules based on the destination MAC address, the destination MAC address must be the MAC address of a VLANIF interface.
- The bound traffic behaviors support packet filtering, redirection, traffic policing (CAR), traffic statistics collection, mirroring, re-marking, and MAC address learning disabling.
- When a traffic policy is applied to the outbound direction, the bound traffic behaviors support mirroring only on the CE12800E equipped with ED-E, EG-E, or EGA-E series cards.
- When a traffic policy is applied to the inbound direction of a VLANIF interface:
- A traffic policy that contains rules for matching IPv4 fields takes effect only for IPv4 unicast packets. A traffic policy that contains rules for matching IPv6 fields takes effect only for IPv6 unicast packets. A traffic policy can only contain rules for matching either IPv4 or IPv6 fields.
- On the CE12800E equipped with FD-X series cards, only the leftmost 64 bits of IPv6 addresses can be matched by default. strict-mode can be specified for a matching rule to match the full 128-bit IPv6 addresses.
- A traffic policy containing only if-match any takes effect for both IPv4 and IPv6 unicast packets.
- If a traffic policy contains only if-match any on a VRRP-enabled router, only the IPv4 or IPv6 packets forwarded based on the VRRP virtual IP address can be matched.
- When a traffic policy is applied to a VBDIF interface:
In versions earlier than V200R005C10, a traffic policy can be applied only to the inbound direction when it is applied on a VBDIF interface on a switch excluding the CE12800E equipped with ED-E, EG-E, or EGA-E series cards.
Starting from V200R005C10, a traffic policy can also be applied to the outbound direction of a VBDIF interface on the CE12800E equipped with FD-X series cards.
- When a traffic policy that contains only if-match any is applied to the inbound direction, the traffic policy takes effect only for user traffic.
The bound traffic behaviors support only packet filtering, traffic statistics collection, PBR, traffic policing (CAR), and mirroring.
- When a traffic policy is applied to the outbound direction, the bound traffic behaviors support mirroring only on the CE12800E equipped with ED-E, EG-E, or EGA-E series cards.
In versions earlier than V200R005C00, the bound traffic classifiers can define matching rules based only on the source IPv4 address, destination IPv4 address, protocol type, source port number, destination port number, ICMP type, and IPv4 TCP flag.
In V200R005C00 and later versions, the bound traffic classifiers can define matching rules based only on the source IPv4 address, destination IPv4 address, source IPv6 address, destination IPv6 address, protocol type, source port number, destination port number, ICMP type, and IPv4 TCP flag.
Starting from V200R005C10, on the CE12800E equipped with FD-X series cards, a traffic classifier can define matching rules based on the IPv6 TCP flag.
- If the VBDIF interface is used as the VXLAN gateway, the traffic policy matches only inner IPv4 packets in which the VXLAN header is decapsulated.
- A traffic policy can be applied to the inbound direction of a VBDIF interface on the ingress of the VXLAN tunnel, but cannot be applied to the inbound direction of a VBDIF interface on the egress of the VXLAN tunnel in a distributed VXLAN system.
- When a traffic policy is applied to a Layer 2 sub-interface:
- On the CE12800E equipped with FD-X series cards, a traffic policy can be applied to both the inbound and outbound directions of Layer 2 sub-interfaces.
- For Layer 2 sub-interfaces on the CE12800E equipped with ED-E, EG-E, or EGA-E series cards, a traffic policy can be applied only to the inbound direction of a Dot1q Layer 2 sub-interface.
In versions earlier than V200R005C10, the bound traffic classifiers can define matching rules based only on the destination MAC address, source MAC address, Ethernet type, source IPv4 address, destination IPv4 address, protocol type, source port number, and destination port number. In addition, only the following traffic behaviors are supported: traffic policing (CAR) and traffic statistics collection.
In V200R005C10 and later versions, traffic policing (CAR) and re-marking can also be performed for IPv6 packets.
- When a traffic policy is applied to a VPN instance:
A traffic policy can be applied to a VPN instance only in the inbound direction.
If a traffic policy is applied to a VPN instance, traffic classification rules in this traffic policy cannot match IPv6 packets.
- When a traffic policy is applied to a QoS group:
In versions earlier than V200R005C10, a traffic policy can be applied to a QoS group only in the inbound direction.
In V200R005C10 and later versions, a traffic policy can be applied to the outbound direction of a QoS group containing Ethernet or Eth-Trunk interfaces.
- For the CE12800E equipped with FD-X series cards, applying a traffic policy to the outbound direction of a QoS group is mutually exclusive with the following functions:
- Adding Eth-Trunk interfaces to an FCoE interface and enabling traffic statistics collection on the FCoE interface
- Applying a traffic policy to the outbound direction of an Eth-Trunk interface
- Configuring an ACL-based simplified traffic policy in the outbound direction of an Eth-Trunk interface
- Configuring traffic statistics collection on a Layer 3 sub-interface of an Eth-Trunk
- When a traffic policy is applied to a BD:
- When a traffic policy is applied to the inbound direction of a BD:
- The bound traffic classifiers can define matching rules based only on the source IPv4 address, destination IPv4 address, protocol type, source port number, destination port number, DSCP value, TCP flag, and inbound interface.
- The bound traffic behaviors do not support VLAN mapping and VLAN stacking.
- When a traffic policy is applied to the outbound direction of a BD on the CE12800E configured with ED-E, EG-E, and EGA-E series cards:
- The bound traffic behaviors support only VLAN mapping, traffic statistics collection, traffic policing, packet filtering, and priority re-marking.
If segment VXLAN is used to implement Layer 2 communication and a traffic policy containing a matching rule based on inner information in VXLAN packets is applied to the outbound direction of a BD, the traffic policy does not take effect.
- When a traffic policy is applied to the outbound direction of a BD on the CE12800E configured with FD-X series cards:
- The bound traffic behaviors support only VLAN mapping, traffic statistics collection, traffic policing, packet filtering, and priority re-marking.
- If a downlink traffic policy is configured and there are downlink Layer 3 packets, configure uplink and downlink traffic policies.
- If a traffic policy has been configured in the inbound direction, run the remark qos-local-id qos-local-id command to configure the switch to re-mark the local ID of packets matching the traffic classifier and bind the corresponding traffic behavior to the traffic policy. Then configure a traffic policy in the outbound direction and define a matching rule based on the QoS local ID in the traffic classifier.
- If no traffic policy is configured in the inbound direction, run the if-match any command to match all packets and run the remark qos-local-id qos-local-id command to configure the switch to re-mark packets matching the bound traffic classifier with the QoS local ID, and configure and apply a traffic policy to the inbound direction. Then configure a traffic policy in the outbound direction and define a matching rule based on the QoS local ID in the traffic classifier.
- If a traffic policy contains only if-match any, the traffic policy takes effect only for user traffic.
- When a traffic policy is applied to the outbound direction:
- A traffic policy containing ARP-based ACLs cannot be applied to the outbound direction.
- A traffic policy containing user-defined ACLs cannot be applied to the outbound direction.
- On the CE12800E equipped with FD-X series cards, when a traffic policy containing rules for matching VLANs is applied to the outbound direction of access or hybrid interfaces, packet VLAN IDs cannot be matched because they are stripped off the packets.
- A traffic policy cannot be applied to the outbound direction if the bound traffic behaviors define the following actions:
- mirroring cpu
- ip urpf disable
- remark local-precedence
- mac-address learning disable
- redirect cpu and redirect interface
- redirect nexthop, redirect load-balance, and redirect remote
- car share
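
A pre-deployment check for three of the limitations above (the view-priority rule, the limit of two traffic policies per direction in a view, and the actions not allowed in the outbound direction), as an added example that is not Huawei's code. The `Binding` record, the view labels and the sample plan are assumptions of this sketch, and `shadowed` assumes that every binding passed in matches the same packet.

```python
from collections import Counter
from dataclasses import dataclass

# View priority as stated on the page, highest first (same number = same tier).
VIEW_RANK = {"sub-interface": 0, "physical-interface": 1,
             "vlan": 2, "vlanif": 2, "bd": 2, "vbdif": 2, "system": 3}
# Behavior actions the page lists as not allowed in an outbound traffic policy.
OUTBOUND_FORBIDDEN = {
    "mirroring cpu", "ip urpf disable", "remark local-precedence",
    "mac-address learning disable", "redirect cpu", "redirect interface",
    "redirect nexthop", "redirect load-balance", "redirect remote", "car share"}
TERMINAL = ("deny", "redirect")  # actions that suppress lower-priority views

@dataclass(frozen=True)
class Binding:               # hypothetical record of one planned policy application
    policy: str
    view: str                # a key of VIEW_RANK
    target: str              # interface, VLAN or BD label (constructed)
    direction: str           # "inbound" or "outbound"
    actions: tuple           # behavior actions bound in the policy

def lint(bindings):
    """Flag more than two policies per view/direction and forbidden outbound actions."""
    findings = []
    counts = Counter((b.view, b.target, b.direction) for b in bindings)
    findings += [("too-many-policies", k) for k, n in counts.items() if n > 2]
    for b in bindings:
        bad = sorted(set(b.actions) & OUTBOUND_FORBIDDEN)
        if b.direction == "outbound" and bad:
            findings.append(("forbidden-outbound-action", b.policy, bad))
    return findings

def shadowed(bindings):
    """Pairs (lower, higher): lower-priority policy suppressed by a deny/redirect above it.
    Assumes every binding passed in matches the same packet."""
    pairs = []
    for hi in bindings:
        if not any(a.startswith(TERMINAL) for a in hi.actions):
            continue
        for lo in bindings:
            if lo.direction == hi.direction and VIEW_RANK[lo.view] > VIEW_RANK[hi.view]:
                pairs.append((lo.policy, hi.policy))
    return pairs

# Constructed sample plan; policy and interface names are illustrative.
PLAN = [
    Binding("p_redirect", "sub-interface", "10GE1/0/1.1", "inbound", ("redirect nexthop",)),
    Binding("p_global_deny", "system", "global", "inbound", ("deny",)),
    Binding("p_out", "physical-interface", "10GE1/0/2", "outbound", ("car share", "deny")),
]
```

In the sample plan, the system-view deny is reported as suppressed by the sub-interface redirect, which is the case to review when a global filter is expected to apply to all traffic.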