Configuring MQC to Implement Traffic Policing
Context
To control a specific type of traffic in the inbound or outbound direction on an interface, configure MQC-based traffic policing. MQC-based traffic policing can implement differentiated services using complex traffic classification. When the receive or transmit rate of packets matching traffic classification rules exceeds the rate limit, the device discards the packets.
Procedure
- Configure a traffic classifier.
  - Run system-view
    The system view is displayed.
  - Run traffic classifier classifier-name [ operator { and | or } ]
    A traffic classifier is created and the traffic classifier view is displayed.
    and indicates that rules are ANDed with each other. If a traffic classifier contains ACL rules, packets match the traffic classifier only when they match one ACL rule and all the non-ACL rules. If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when they match all the non-ACL rules.
    By default, the relationship between rules in a traffic classifier is OR.
  - Run the following if-match commands as required. Each entry gives the matching rule followed by the command that configures it.
    - Outer VLAN ID: if-match vlan-id start-vlan-id [ to end-vlan-id ]
    - Inner VLAN IDs in QinQ packets: if-match cvlan-id start-vlan-id [ to end-vlan-id ]
    - 802.1p priority in VLAN packets: if-match 8021p 8021p-value &<1-8>
    - Inner 802.1p priority in QinQ packets: if-match cvlan-8021p 8021p-value &<1-8>
    - EXP priority in MPLS packets: if-match mpls-exp exp-value &<1-8>
      NOTE: V300R019C10 and earlier versions: only the AR600 series does not support MPLS. V300R019C11 and later versions: only the AR611W, AR611W-LTE4CN, AR617VW, AR617VW-LTE4EA, AR617VW-LTE4, AR651C, and AR651F-Lite do not support MPLS.
    - Destination MAC address: if-match destination-mac mac-address [ mac-address-mask mac-address-mask ]
    - Source MAC address: if-match source-mac mac-address [ mac-address-mask mac-address-mask ]
    - DLCI value in FR packets: if-match dlci start-dlci-number [ to end-dlci-number ]
    - DE value in FR packets: if-match fr-de
      NOTE: The AR600 and AR1600 series do not support fr-de.
    - Protocol type field encapsulated in the Ethernet frame header: if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
    - All packets: if-match any
    - DSCP priority in IP packets: if-match [ ipv6 ] dscp dscp-value &<1-8>
    - IP precedence in IP packets: if-match ip-precedence ip-precedence-value &<1-8>
      NOTE: if-match [ ipv6 ] dscp and if-match ip-precedence cannot be configured simultaneously in a traffic classifier where the relationship between rules is AND.
    - Layer 3 protocol type: if-match protocol { ip | ipv6 }
    - QoS group index of packets: if-match qos-group qos-group-value
    - NHRP group name of packets: if-match nhrp-group nhrp-group-name
    - IPv4 packet length: if-match packet-length min-length [ to max-length ]
    - PVC information in ATM packets: if-match pvc vpi-number/vci-number
    - RTP port number: if-match rtp start-port start-port-number end-port end-port-number
    - SYN flag in the TCP packet header: if-match tcp syn-flag { ack | fin | psh | rst | syn | urg } *
    - Inbound interface: if-match inbound-interface interface-type interface-number
    - Outbound interface: if-match outbound-interface Cellular interface-number:channel
    - ACL rule: if-match acl { acl-number | acl-name }
    - ACL6 rule: if-match ipv6 acl { acl-number | acl-name }
      NOTE (ACL and ACL6 rules): Before defining a matching rule for traffic classification based on an ACL, create the ACL. To use an ACL in a traffic classifier to match the source IP address, run the qos pre-nat command on an interface to configure NAT pre-classification. NAT pre-classification enables the NAT-enabled device to carry the private IP address before translation on the outbound interface, so that the device can classify IP packets based on private IP addresses and provide differentiated services.
    - Application protocol: if-match application application-name [ user-set user-set-name ] [ time-range time-name ]
    - SA group: if-match category category-name [ user-set user-set-name ] [ time-range time-name ]
      NOTE (application protocol and SA group rules): Before defining a matching rule based on an application protocol, enable Smart Application Control (SA) and load the signature file.
    - User group: if-match user-set user-set-name [ time-range time-range-name ]
      NOTE: Only the AR600 series supports user-set. The user-set command can be configured only on the web UI in V300R019C10 and later versions. Therefore, you are advised to configure other commands related to user-set on the web UI as well; otherwise, the configuration may fail.
  - Run quit
    Exit from the traffic classifier view.
- Configure a traffic behavior.
  - Run traffic behavior behavior-name
    A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.
    By default, the traffic behavior be exists in the system.
  - Run car cir { cir-value | pct cir-percentage } [ pir { pir-value | pct pir-percentage } ] [ cbs cbs-value pbs pbs-value ] [ share ] [ mode { color-blind | color-aware } ] [ green { discard | pass [ remark-8021p 8021p-value | remark-dscp dscp-value | remark-mpls-exp exp-value ] } ] [ yellow { discard | pass [ remark-8021p 8021p-value | remark-dscp dscp-value | remark-mpls-exp exp-value ] } ] [ red { discard | pass [ remark-8021p 8021p-value | remark-dscp dscp-value | remark-mpls-exp exp-value ] } ]
    Traffic policing is configured in the traffic behavior.
    By default, traffic policing is not configured in a traffic behavior.
  - (Optional) Run car cir pct cir-percentage [ pir pct pir-percentage ] { hierarchical-bandwidth | hierarchical-car } [ cbs cbs-value pbs pbs-value | share | mode { color-blind | color-aware } | green { discard | pass [ remark-8021p 8021p-value | remark-dscp dscp-value | remark-mpls-exp exp-value ] } | yellow { discard | pass [ remark-8021p 8021p-value | remark-dscp dscp-value | remark-mpls-exp exp-value ] } | red { discard | pass [ remark-8021p 8021p-value | remark-dscp dscp-value | remark-mpls-exp exp-value ] } ] *
    The base value of the interface bandwidth percentage is configured.
    By default, the base value of the interface bandwidth percentage is the interface bandwidth.
    NOTE:
    - V300R019C10 and earlier versions: the AR600 series does not support MPLS. V300R019C11 and later versions: the AR611W, AR611W-LTE4CN, AR617VW, AR617VW-LTE4EA, AR617VW-LTE4, AR651C, and AR651F-Lite do not support MPLS.
    - You can run the bandwidth bandwidth-value command in the dialer interface view to set the base value for the percentage of the CIR set by the pct cir-percentage parameter. The bandwidth percentage and the actual bandwidth are then allocated to the different flows on the interface according to this base value.
    - After share is specified, all the rules in the traffic classifiers bound to the same traffic behavior share the CAR settings: the system aggregates all the matching flows and uses a single CAR to limit their combined rate.
    - hierarchical-bandwidth indicates that the base value for the interface bandwidth percentage is the bandwidth; hierarchical-car indicates that the base value for the interface bandwidth percentage is the CAR. When you configure the CIR and PIR in bandwidth percentage mode, you can run the car cir pct cir-percentage [ pir pct pir-percentage ] { hierarchical-bandwidth | hierarchical-car } command to specify the base value of the interface bandwidth percentage. The base value of the interface bandwidth percentage can be configured only in V300R019C10 and later versions.
  - (Optional) Run statistic enable
    The traffic statistics collection function is enabled.
    By default, the traffic statistics collection function is disabled in a traffic behavior.
  - Run quit
    Exit from the traffic behavior view.
  - (Optional) Run qos overhead layer { link | physics }
    A mode is specified for calculating packet lengths during traffic policing or traffic shaping.
    By default, physical-layer and link-layer compensation information is included in packet lengths during traffic policing or traffic shaping.
  - Run quit
    Exit from the system view.
- Configure a traffic policy.
  - Run system-view
    The system view is displayed.
  - Run traffic policy policy-name
    A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.
    By default, no traffic policy is created in the system.
  - Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]
    A traffic behavior is bound to a traffic classifier in the traffic policy.
    By default, no traffic classifier or traffic behavior is bound to a traffic policy.
  - Run quit
    Exit from the traffic policy view.
  - Run quit
    Exit from the system view.
- Apply the traffic policy.
  - Apply a traffic policy to an interface.
    - Run system-view
      The system view is displayed.
    - Run interface interface-type interface-number [ .subinterface-number ]
      The interface view is displayed.
    - Apply a traffic policy to the interface. You can apply one or three types of traffic policies to one direction of the interface.
      - Run traffic-policy policy-name { inbound | outbound }
        A common traffic policy is applied to the inbound or outbound direction of the interface.
        By default, no common traffic policy is applied to an interface.
      - Run traffic-policy policy-name { inbound | outbound } preprocess
        A preprocessing traffic policy is applied to the inbound or outbound direction of the interface.
        By default, no preprocessing traffic policy is applied to an interface.
      - Run traffic-policy policy-name { inbound | outbound } firstprocess
        A preferential processing traffic policy is applied to the inbound or outbound direction of the interface.
        By default, no preferential processing traffic policy is applied to an interface.
      The preprocess and firstprocess parameters can be configured only for Layer 3 interfaces.
  - Apply a traffic policy to an interzone.
    - Run system-view
      The system view is displayed.
    - Run firewall interzone zone-name1 zone-name2
      An interzone is created and the interzone view is displayed.
      By default, no interzone is created. To create an interzone, you must specify two existing security zones.
    - Run traffic-policy policy-name
      A traffic policy is bound to the interzone.
      By default, no traffic policy is bound to an interzone.
  - Apply a traffic policy to a bridge domain (BD).
    - Run system-view
      The system view is displayed.
    - Run bridge-domain bd-id
      A BD is created and the BD view is displayed.
      By default, no BD is created.
    - Run traffic-policy policy-name { inbound | outbound }
      A traffic policy is applied to the BD.
      By default, no traffic policy is applied to a BD.
  - Apply a traffic policy in the system view.
    - Run system-view
      The system view is displayed.
    - Run traffic-policy policy-name global bind interface { interface-type interface-number } &<1-16>
      A global traffic policy is applied to the device and bound to the specified interfaces.
      By default, no global traffic policy is applied to the device or bound to an interface.
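The following annotated CLI session walks the whole procedure above end to end: it rate-limits ICMP arriving from a guest subnet on one interface so that a flood from that segment cannot consume the uplink, and enables statistics so the policed drops can be monitored. It is an added example, not part of the original page; the ACL number, subnet, CIR/PIR/CBS/PBS values, classifier, behavior, policy and interface names, and the final display command are all constructed assumptions.

```text
# Constructed example; all names and values are assumptions, not from the original page.
<Huawei> system-view
# The ACL must exist before the classifier references it (see the ACL rule note above).
[Huawei] acl number 3001
[Huawei-acl-adv-3001] rule 5 permit icmp source 192.168.10.0 0.0.0.255
[Huawei-acl-adv-3001] quit
# Classifier: AND operator, a single ACL rule.
[Huawei] traffic classifier c_guest_icmp operator and
[Huawei-classifier-c_guest_icmp] if-match acl 3001
[Huawei-classifier-c_guest_icmp] quit
# Behavior: CIR 512 kbit/s, PIR 1024 kbit/s, CBS 64000 bytes, PBS 128000 bytes.
# Green (within CIR) passes unchanged, yellow (between CIR and PIR) passes re-marked
# to DSCP 8, red (above PIR) is discarded. Statistics make the drops observable.
[Huawei] traffic behavior b_police_guest_icmp
[Huawei-behavior-b_police_guest_icmp] car cir 512 pir 1024 cbs 64000 pbs 128000 mode color-blind green pass yellow pass remark-dscp 8 red discard
[Huawei-behavior-b_police_guest_icmp] statistic enable
[Huawei-behavior-b_police_guest_icmp] quit
# Policy: bind the classifier to the behavior.
[Huawei] traffic policy p_guest_in
[Huawei-trafficpolicy-p_guest_in] classifier c_guest_icmp behavior b_police_guest_icmp
[Huawei-trafficpolicy-p_guest_in] quit
# Apply in the inbound direction of the interface facing the guest segment.
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy p_guest_in inbound
[Huawei-GigabitEthernet0/0/1] quit
# Check matched and dropped counters (display command assumed; not from the page).
[Huawei] display traffic policy statistics interface GigabitEthernet 0/0/1 inbound
```

With color-blind mode every arriving packet is metered against the buckets regardless of any colour it already carries; choose color-aware only when an upstream device has already marked the traffic and that marking is trusted.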