Licensing Requirements and Limitations for MQC (CE12800)
Involved Network Elements
Other network elements are not required.
Licensing Requirements
MQC is a basic feature of the switch and is not under license control.
Version Requirements
Product | Minimum Version Required |
---|---|
CE12804/CE12808/CE12812 | V100R001C00 |
CE12816 | V100R003C00 |
CE12804S/CE12808S | V100R005C00 |
For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Software version evolution: V100R001C00 -> V100R002C00 -> V100R003C00 -> V100R003C10 -> V100R005C00 -> V100R005C10 -> V100R006C00 -> V200R001C00 -> V200R002C50 -> V200R003C00 -> V200R005C00 -> V200R005C10 -> V200R019C00 -> V200R019C10
Feature Limitations
Limitations for MQC Specifications
Item | Specification |
---|---|
Maximum number of traffic classifiers | |
Maximum number of traffic behaviors | |
Maximum number of traffic policies | |
Maximum binding count of traffic policies | 12288 |
Maximum number of if-match rules in a traffic classifier | 2048 |
Maximum number of traffic classifiers bound to a traffic policy | |
- For the cards that support the external TCAM, if the external TCAM assigns ACL resources and the configuration views, matching fields, and actions related to the MQC-based traffic policy or ACL-based simplified traffic policy are included in the subsets of the following conditions, the MQC service is preferentially delivered to the external TCAM:
- Views: VLAN, VLANIF interface, physical interface, Eth-Trunk interface, Layer 3 sub-interface, BD, and VBDIF interface views (In these views, configurations can be performed only in the inbound direction.)
- Matching fields: source IP address, destination IP address, source port number, destination port number, protocol type, IP fragment, and TCP flag
- Actions: permit, deny, re-marking, redirection, mirroring, and MAC address learning disabling
- Executing either the deny/redirection or re-marking action consumes 1 KB resources.
- Executing the deny/redirection and re-marking actions consumes 2 KB resources.
- The priorities of MQC-based traffic policies or ACL-based simplified traffic policies delivered to a built-in TCAM are higher than those of MQC-based traffic policies or ACL-based simplified traffic policies with the same configuration and delivered to an external TCAM.
- For cards except the CE-L12CF-EG: If the external tcam acl command and the ipv6 vxlan enable command are configured but the external tcam { u6router | m6router } enable command is not configured, MQC and ACL-based simplified traffic policies that meet the following conditions will be delivered in ACLs of external TCAMs:
- The source or destination IPv6 address is matched.
- The permit, deny, re-marking, redirection, mirroring, or MAC address learning disabling operation is performed.
- Traffic policies are applied to the inbound direction of Ethernet interfaces, Eth-Trunk interfaces, VLANs, BDs, VLANIF interfaces, or VBDIF interfaces.
When the switch is enabled to provide nonstop services during modification of MQC-based traffic classification rules on a card that supports the external TCAM, if many applied traffic policies are modified frequently, multiple traffic policies that are about to age out coexist. As a result, a large number of ACL resources are consumed. In this case, traffic policies may fail to be delivered due to insufficient ACL resources.
In the scenario where the switch is enabled to use the resource saving mode when a traffic policy is applied, for cards that support the external TCAM, the system automatically releases ACL resources that are occupied by all traffic policies delivered to the external TCAM. The system then delivers the traffic policies to the built-in TCAM. However, some traffic policies may fail to be delivered due to insufficient ACL resources on the built-in TCAM.
On a transit device, the following cards cannot perform internal priority mapping based on the EXP priority of MPLS packets. By default, these cards map the internal priority based on the 802.1p priority. In this case, you can configure MQC to map the EXP priority of MPLS packets (if-match mpls-exp) to the internal priority (remark local-precedence). The involved cards are as follows: CE-L48GT-EA, CE-L48GT-EC, CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, and CE-L24LQ-EA.
Limitations for Traffic Classifiers
- When a traffic classifier contains an ACL rule that defines a VPN instance, the vpn-instance field is ignored. That is, both private and public network traffic is matched. To match only private network traffic, apply a traffic policy to the corresponding Layer 3 interface.
- If a traffic classifier references an ACL rule that matches the outer VLAN ID and the VLAN mapping function is configured:
- For the CE12800: The translated VLAN ID after VLAN mapping is matched in the inbound direction, and the original VLAN ID before VLAN mapping is matched in the outbound direction.
- For the CE12800E: The translated VLAN ID after VLAN mapping is matched in both the inbound and outbound directions.
- When editing or modifying traffic classification rules in a traffic policy on the switch configured with the traffic-policy atomic-update-mode command, ensure that the number of remaining ACL resources is larger than twice the number of chip resources occupied by traffic classification rules in the traffic policy.
- A traffic classifier cannot match packets based on the VLAN ID of a Layer 2 sub-interface.
- If a traffic policy for matching the TCP flag in IPv6 packets is applied in the following situations, the traffic classification rule cannot match the TCP flag, source port number, and destination port number concurrently:
- The traffic policy is applied in the VBDIF interface view or VLANIF interface view.
- The traffic policy is applied in the outbound direction in the VLAN interface view, Eth-Trunk interface view, or physical interface view.
- The traffic policy is applied in the inbound direction in the Eth-Trunk interface view or physical interface view, and the traffic behavior defines the redirection action.
- When a traffic classifier defines rules for matching the TCP flag in IPv6 packets:
- A traffic policy containing this traffic classifier can be applied to the following views: system view, physical interface view, Eth-Trunk interface view, VLAN view, VBDIF interface view, and VLANIF interface view.
- The following actions are supported: permit, deny, redirection, traffic statistics collection, and mirroring.
- For the CE12800: If a traffic classifier contains both if-match any and other matching rules, the actual fields used for matching packets depend on the type of packets that match the matching rules except if-match any.
- If the destination VPN instance (without any specified outbound interface or next-hop address) is configured as the next hop or the public parameter (without any specified next-hop address) is specified in a static route for inter-VPN forwarding and the packets matching the MQC rule need to be forwarded according to the static route, packets will fail to be forwarded because there is no specific next hop address in the static route.
- Starting from V200R001C00, a traffic classifier can define IPv4 ACL rules containing the logging field. Starting from V200R019C00, a traffic classifier can define IPv6 ACL rules containing the logging field.
- Views: system view, VLAN view, VLANIF interface view (only in the inbound direction), BD view, VBDIF interface view, Eth-Trunk interface view, and physical interface view (If the outbound interface is a loopback interface, only the VLAN view, Eth-Trunk interface view, and physical interface view are supported.)
- If IPv6 ACL rules are defined, only the deny and traffic statistics collection actions can be configured.
- Matching fields: source IP address, destination IP address, source port number, destination port number, and protocol type
Limitations for Traffic Behaviors
If both redirection and other actions are configured in the same traffic behavior, the traffic policy defining the traffic behavior is effective only to packets that match the redirection action.
Limitations for Traffic Policies
- A traffic policy applied in the Layer 3 main interface view also takes effect for traffic on Layer 3 sub-interfaces.
- In a version earlier than V200R003C00, when a traffic policy is applied, the switch is enabled to use the Single mode for resource occupancy by default. In V200R003C00 and later versions, when a traffic policy is applied, the switch is disabled from using the Single mode for resource occupancy by default. Therefore, after the system software of the switch is upgraded from a version earlier than V200R003C00 to V200R003C00 or a later version, if a traffic policy configured before the upgrade becomes invalid, you can enable the switch to use the Single mode for resource occupancy when a traffic policy is applied to solve this problem.
- In V200R005C10 and earlier versions, a maximum of two traffic policies can be applied to the same direction in the same view. Starting from V200R019C00, a maximum of four traffic policies can be applied to the same direction in the same view.
- When two traffic policies are applied to the same view and the same direction (assuming that traffic policies p1 and p2 are applied in sequence), if traffic policy p1 is unbound and a traffic policy (traffic policy p1 or another one) is applied again, traffic policy p2 becomes invalid for a period of time. In addition, there is a delay for the re-applied traffic policy to take effect after the configuration is committed.
- Starting from V100R005C10, use the following methods on the NVO3-enabled device to prevent service deployment failures:
- For the CE12800: Run the assign forward nvo3 acl extend enable command to enable the ACL extension function, and then restart the device.
- For the CE12800: If the network-side interface of the VXLAN or EVN tunnel is not an Eth-Trunk interface, run the assign forward nvo3 eth-trunk hash disable command to disable the Eth-Trunk interface from load balancing NVO3 packets in optimized mode.
- When multiple fields of packets of the same type (such as Layer 2, IPv4, or IPv6 packets) need to be matched in a view, apply one traffic policy in the view and specify multiple traffic classifiers and corresponding traffic behaviors in the traffic policy. If both IPv4 and IPv6 packets need to be matched, create one traffic policy for each type of the packets.
- Applying, modifying, and deleting a traffic policy take effect after a slight delay, which is proportional to the number of rules. In extreme conditions, the delay may reach minutes.
- If an IPv6 ACL rule is defined to match the fragment flag, a traffic policy that contains this IPv6 ACL rule cannot match IPv6 fragments.
You can run the display traffic-policy apply-information command in the diagnostic view to check the priorities of all traffic policies that have been applied. The applied traffic policies are displayed in descending order of priority in the command output.
- When the MQC service matches Layer 2 fields, IPv6 packets may fail to be matched. To match IPv6 packets, configure IPv6 rules. For the packet types matching the MQC service, you can run the display system tcam service brief command in the diagnostic view to check groups occupied by the MQC service and run the display system tcam acl group resource command in the system view to check the packet types matching the group.
When a traffic classifier matches a user-defined ACL, the traffic policy cannot be applied to the outbound direction. When the traffic policy is applied to the inbound direction, the offset against l2-head can only be 2, 6, 10, 14, or 18, the offset against ipv4-head can only be 0, 4, 8, 12, 16, or 20, and the offset against l4-head can only be 0, 4, 8, 12, or 16. If you need to set an offset beyond the previous ranges, enable the switch to use the resource saving mode when a traffic policy is applied.
- When a traffic policy that contains rules based only on IPv6 5-tuple information is applied to a physical interface or an Eth-Trunk, the IPv6 address with 128 bits can be matched. In other situations, only the leftmost 64 bits of an IPv6 address can be matched.
- When a traffic policy is applied to the inbound direction on a VLAN interface, VLANIF interface, or Layer 3 sub-interface on a VXLAN or MPLS decapsulation device, VXLAN and MPLS packets cannot be matched.
- When a traffic policy is applied to the inbound direction:
- If a traffic policy contains both rules for matching IPv4 packets and Layer 2 ACLs, Layer 2 ACL matching rules take effect only for IPv4 packets.
- If a traffic policy contains both rules for matching IPv6 packets and Layer 2 ACLs, Layer 2 ACL matching rules take effect only for IPv6 packets.
- If a traffic policy contains both rules for matching MPLS packets and Layer 2 ACLs, Layer 2 ACL matching rules take effect only for MPLS packets.
- When a traffic policy is applied to a VLAN:
- In the outbound direction:
- If the matching rule in the traffic classifier is if-match any or based on Layer 2 fields (such as the source MAC address, destination MAC address, Ethernet type, and VLAN ID), the traffic policy takes effect only for Layer 2 traffic.
- If the matching rule in the traffic classifier is based on Layer 3 fields (such as the source IPv4 address, destination IPv4 address, and protocol type) or Layer 4 fields (such as the source port number and destination port number), the traffic policy takes effect only for Layer 3 traffic.
- If a traffic policy references an ACL rule that matches the outer VLAN ID and the VLAN mapping function is configured:
- For the CE12800: The translated VLAN ID after VLAN mapping is matched in the inbound direction, and the original VLAN ID before VLAN mapping is matched in the outbound direction.
- For the CE12800E: The translated VLAN ID after VLAN mapping is matched in both the inbound and outbound directions.
- If VPLS is enabled in a VLAN, the traffic classifier cannot match the VLAN ID in the packets received in the VLAN.
- When a traffic policy is applied to a VLANIF interface:
- For a switch running V100R005C00 or a later version, a traffic policy can be applied to a VLANIF interface.
For a switch running V100R005C10 or an earlier version, a traffic policy can be applied only to the inbound direction of a VLANIF interface.
For a switch running V100R006C00 or a later version, a traffic policy can be applied to both the inbound and outbound directions of a VLANIF interface.
- The bound traffic classifiers can define matching rules based on the destination MAC address, IP address type (IPv4 or IPv6), source IPv4 address, destination IPv4 address, leftmost 64 bits of the source IPv6 address, leftmost 64 bits of the destination IPv6 address, protocol type, source Layer 4 port number, destination Layer 4 port number, and IP fragment flag.
- If the bound traffic classifiers define matching rules based on the destination MAC address, the destination MAC address must be the MAC address of a VLANIF interface.
- The bound traffic behaviors support packet filtering, redirection, traffic policing (CAR), traffic statistics collection, mirroring, re-marking, and MAC address learning disabling.
- In the inbound direction on a VLANIF interface, a traffic policy that contains rules for matching IPv4 fields takes effect only for IPv4 unicast packets; a traffic policy that contains rules for matching IPv6 fields takes effect only for IPv6 unicast packets. A traffic policy can only contain rules for matching either IPv4 or IPv6 fields.
- When a traffic policy is applied to the outbound direction of a VLANIF interface:
- A traffic policy containing traffic classifiers that define IPv6 ACL rules can be applied on a device only after the traffic-policy ipv6-enhance-mode command is run to configure the device to use the IPv6 enhanced mode. In this case, the bound traffic behaviors support only packet filtering.
- Only basic Layer 3 forwarding is supported, and other services such as tunneling services cannot be configured together.
- If the switch equipped with SD, FD, FD1, FDA, FG, or FG1 series cards is configured as the TRILL gateway, when a traffic policy is configured on the VLANIF interface corresponding to the CE VLAN, if-match acl cannot be used to match TRILL known unicast packets. if-match trill acl can be used to match TRILL known unicast packets. In this scenario, packets cannot be redirected to interfaces.
- A traffic policy containing only if-match any takes effect for both IPv4 and IPv6 unicast packets.
- If a traffic policy contains only if-match any on a VRRP-enabled router, only the IPv4 or IPv6 packets forwarded based on the VRRP virtual IP address can be matched.
- If the VLANIF interface is used as the TRILL gateway, the traffic policy matches only inner IPv4 packets in which the TRILL header is decapsulated.
- When a traffic policy is applied to a VBDIF interface:
A traffic policy can be applied to a VBDIF interface on the switch running V100R005C10 or a later version.
A traffic policy can be applied to a VBDIF interface only in the inbound direction.
- If the traffic policy contains only if-match any, the traffic policy takes effect only for user traffic.
In versions earlier than V200R002C50, the bound traffic behaviors support only packet filtering, PBR, traffic policing (CAR), and mirroring.
Starting from V200R002C50, the bound traffic behaviors support only packet filtering, traffic statistics collection, PBR, traffic policing (CAR), and mirroring.
Versions earlier than V200R005C00: A traffic classifier can match only the source IPv4 address, destination IPv4 address, protocol type, source port number, destination port number, ICMP type, and IPv4 TCP flag.
V200R005C00: A traffic classifier can match the source IPv4 address, destination IPv4 address, leftmost 64 bits of the source IPv6 address, leftmost 64 bits of the destination IPv6 address, protocol type, source port number, destination port number, ICMP type, and IPv4 TCP flag.
V200R005C10 and later versions: A traffic classifier can match the source IPv4 address, destination IPv4 address, leftmost 64 bits of the source IPv6 address, leftmost 64 bits of the destination IPv6 address, protocol type, source port number, destination port number, ICMP type, IPv4 TCP flag, and IPv6 TCP flag.
- If the VBDIF interface is used as the VXLAN gateway, the traffic policy matches only inner IPv4 packets in which the VXLAN header is decapsulated.
- A traffic policy can be applied to the inbound direction of a VBDIF interface on the ingress of the VXLAN tunnel, but cannot be applied to the inbound direction of a VBDIF interface on the egress of the VXLAN tunnel in a distributed VXLAN system.
- If the switch functions as the decapsulation device of a VXLAN tunnel and the card interoperability mode is set to non-enhanced mode, the following situations will occur:
- In versions earlier than V200R002C50, when the enhanced mode of the VXLAN NVO3 gateway is the Layer 3 non-loopback mode, only the if-match vxlan or if-match vxlan acl command can be used to match inner fields of VXLAN packets. If the enhanced mode of the VXLAN NVO3 gateway is the loopback or Layer 2 non-loopback mode, only the if-match acl command can be used to match inner fields of VXLAN packets.
- In V200R002C50 and later versions, regardless of the enhanced mode of the NVO3 gateway, only the if-match vxlan or if-match vxlan acl command can be used to match inner fields of VXLAN packets. The if-match acl command cannot be used to match inner fields of VXLAN packets.
When a switch is upgraded from a version earlier than V200R002C50 to V200R002C50 or a later version and the enhanced mode of the VXLAN NVO3 gateway is the loopback or Layer 2 non-loopback mode:
- If if-match vxlan or if-match vxlan acl has been configured before the upgrade, the configuration takes effect after the upgrade. In this case, packets may be incorrectly matched, and you need to configure matching rules based on the actual traffic model.
- If the if-match acl command has been configured before the upgrade, the configuration becomes invalid after the upgrade. In this case, you need to configure matching rules based on the actual traffic model.
- When a traffic policy is applied to a Layer 2 sub-interface:
- Starting from V200R001C00, a traffic policy can be applied to a Layer 2 sub-interface.
- In V200R005C10 and earlier versions, a traffic policy can be applied only to the inbound direction of a Layer 2 sub-interface. Starting from V200R019C00, a traffic policy can also be applied to the outbound direction of a Layer 2 sub-interface on FD1, FG, FG1, SD, FD and FDA series cards. If the traffic-policy ipv4-enhance-mode command is not configured, both packet filtering and traffic statistics collection can be configured. If the traffic-policy ipv4-enhance-mode command is configured, only packet filtering can be configured. If an Eth-Trunk interface spans both the preceding cards and other series cards, the traffic policy cannot be applied to the outbound direction.
In V200R005C10 and later versions, traffic policing (CAR) and re-marking can also be performed for IPv6 packets.
Starting from V200R019C00, in the outbound direction of a Layer 2 sub-interface on the CE12800 equipped with FD1, FG, FG1, SD, FD and FDA series cards, if the traffic-policy ipv4-enhance-mode command is not configured, only the source and destination MAC addresses can be matched; if the traffic-policy ipv4-enhance-mode command is configured, the following fields can be matched: source MAC address, destination MAC address, source IPv4 address, destination IPv4 address, protocol type, source port number, destination port number, ICMP type, and IPv4 TCP flag.
- When a traffic policy is applied to a Layer 3 sub-interface:
A traffic policy that contains rules based only on IPv6 5-tuple information can match only the leftmost 64 bits of an IPv6 address but not the rightmost 64 bits of an IPv6 address.
- When a traffic policy is applied to a VPN instance:
- Starting from V100R005C10, traffic policies can be applied to VPN instances.
- In V100R005C10, a traffic policy applied to a VPN instance is mainly used in distributed VXLAN gateway scenarios. In this case, ensure that the switch supports VXLAN.
A traffic policy can be applied to a VPN instance only in the inbound direction.
If a traffic policy is applied to a VPN instance, traffic classification rules in this traffic policy cannot match IPv6 packets.
- When a traffic policy is applied to a VSI:
- The traffic classifiers bound to the traffic policy cannot match the outer VLAN ID, inner and outer VLAN IDs of QinQ packets, stacked VLAN ID through VLAN stacking, or mapped VLAN ID through VLAN mapping.
- When a traffic policy is applied to an AC interface:
- The traffic classifiers bound to the traffic policy cannot match the outer VLAN ID, inner and outer VLAN IDs of QinQ packets, stacked VLAN ID through VLAN stacking, or mapped VLAN ID through VLAN mapping.
- When a traffic policy is applied to a QoS group:
- Starting from V100R006C00, traffic policies can be applied to QoS groups.
A traffic policy can be applied to the inbound direction of a QoS group only in versions earlier than V200R005C00.
Starting from V200R005C00, a traffic policy can be applied to the outbound direction of a QoS group containing Ethernet or Eth-Trunk interfaces.
In versions earlier than V200R003C00, a traffic classifier can match only the source IPv4 address, destination IPv4 address, protocol type, source port number, and destination port number.
In V200R003C00, a traffic classifier can match the source MAC address, destination MAC address, Ethernet type, VLAN, source IPv4 address, destination IPv4 address, protocol type, source port number, and destination port number.
Starting from V200R005C00, a traffic classifier can match the source MAC address, destination MAC address, Ethernet type, VLAN, source IPv4 address, destination IPv4 address, leftmost 64 bits of the source IPv6 address, leftmost 64 bits of the destination IPv6 address, protocol type, source port number, and destination port number.
Starting from V200R019C00, a traffic classifier can match the source MAC address, destination MAC address, Ethernet type, VLAN, source IPv4 address, destination IPv4 address, leftmost 64 bits of the source IPv6 address, leftmost 64 bits of the destination IPv6 address, protocol type, source port number, destination port number, and TCP flag.
When a traffic policy is applied to the inbound direction of a QoS group, the bound traffic behaviors support only packet filtering, traffic statistics collection, PBR (only for Layer 3 unicast traffic), and redirection to interfaces, observing interface groups, or CPUs (only for Layer 2 traffic).
If a traffic policy is applied to the outbound direction of a QoS group, the bound traffic behaviors support only packet filtering.
- If the interoperability mode of the switch is non-enhanced mode and a QoS group containing members is configured, you cannot configure EVN or mapping between PHBs and DSCP priorities in the outbound direction of the VLAN. Similarly, if you configure EVN or mapping between PHBs and DSCP priorities in the outbound direction of VLANs, a QoS group containing members cannot be configured.
When a traffic policy is applied to a BD:
Starting from V100R006C00, traffic policies can be applied to a BD.
- When a traffic policy is applied to the inbound direction of a BD:
- For the packets sent from an Ethernet network to a VXLAN network, there is no limitation for traffic classifiers and traffic behaviors.
- For the packets sent from a VXLAN network to an Ethernet network, a traffic classifier can only define if-match vxlan to match the source IPv4 address, destination IPv4 address, protocol type, source port number, destination port number, DSCP value, TCP flag, and inbound interface of packets. A traffic behavior can define only packet filtering, redirection, PBR, traffic statistics collection, and traffic policing (CAR).
- If a traffic policy contains only if-match any, the traffic policy takes effect only for user traffic.
- When a traffic policy is applied to the outbound direction of a BD:
- The bound traffic behaviors do not support traffic policing (CAR).
- For the packets sent from an Ethernet network to a VXLAN network, packet matching is not supported.
- For the packets sent from a VXLAN network to an Ethernet network, the limitations are the same as those when a traffic policy is applied to the outbound direction.
- If the matching rule in the traffic classifier is if-match any or based on Layer 2 fields (such as the source MAC address, destination MAC address, Ethernet type, and VLAN ID), the traffic policy takes effect only for Layer 2 traffic.
- If the matching rule in the traffic classifier is based on Layer 3 fields (such as the source IPv4 address, destination IPv4 address, and protocol type) or Layer 4 fields (such as the source port number and destination port number), the traffic policy takes effect only for Layer 3 traffic.
- To match packets sent from a VXLAN network to an Ethernet network in inbound and outbound directions of a BD, configure two traffic policies and apply them to the inbound and outbound directions of the BD respectively.
- When a traffic policy is applied to the inbound direction of a BD:
- In V200R005C10 and earlier versions, after a switch is restarted, it delivers traffic policies based on the configuration files saved before the restart. The configuration delivery sequence may be different. As a result, traffic policies that take effect before the restart may fail to be applied after the device restarts due to insufficient ACL resources. Starting from V200R019C00, when the switch is restarted, it re-delivers traffic policies based on the group resources occupied by services in the software forwarding table before the restart. This ensures that the same traffic policies take effect before and after the switch restarts. If the resource mode is changed for traffic policies before the switch restarts, the group resources occupied by services in the software forwarding table may change. As a result, the traffic policies may fail to be restored after the switch restarts.
- When a traffic policy is applied to the outbound direction:
The protocol type of Ethernet frames matching a traffic policy in the outbound direction can be only ARP (0x0806), IP (0x0800), or TRILL (0x22f3).
When packets (including FCoE packets) are forwarded at Layer 3, a traffic policy in the outbound direction cannot match the modified Layer 2 field.
On cards except CE-L48GT and CE-L48GS series cards, when a traffic policy defining an IPv6 packet matching rule is applied to the outbound direction and all physical interfaces to which the traffic policy is applied belong to the same forwarding chip, the maximum total bandwidth of these interfaces is 100 Gbit/s.
For example, on the CE-L24LQ-EA card, interfaces 0 to 5 belong to chip 0, interfaces 6 to 11 belong to chip 1, interfaces 12 to 17 belong to chip 2, and interfaces 18 to 23 belong to chip 3. When a traffic policy defining an IPv6 packet matching rule is applied to the outbound direction of four interfaces (for example, interfaces 0, 6, 12, and 18) in different chips, the maximum total bandwidth of the interfaces is 160 Gbit/s (4 x 40 Gbit/s). When a traffic policy defining an IPv6 packet matching rule is applied to the outbound direction of four interfaces (for example, interfaces 0 to 3) in the same chip, the maximum total bandwidth of the interfaces is 100 Gbit/s.
- In versions earlier than V100R005C00, when the ARP resource allocation mode is set to the extend mode and a traffic policy defining a matching rule based on the TCP/UDP port number or fragment flag is applied to the outbound direction, fragments may be incorrectly matched. Do not configure the extended ARP resource allocation mode and the preceding traffic policy simultaneously.
- In V100R005C00 and V100R005C10, if the ARP resource allocation mode is set to the extend mode in a stack, the switch cannot match the TCP flag field or IP fragment field in the outbound direction.
- When a traffic policy for matching IPv6 packets is applied to the outbound direction of a 48GE card, this traffic policy does not take effect for double-tagged packets carrying Layer 3 or Layer 4 fields.
For the CE12800: The following services are in descending order of priority: M-LAG unidirectional isolation > MQC (traffic policing, traffic statistics collection, and packet filtering) > querying the outbound interface of packets with specified 5-tuple information, source MAC address, and destination MAC address > local VLAN mirroring > sFlow > NetStream > statistics collection on VLANIF interfaces or Layer 3 sub-interfaces. When the services are configured on an interface in the outbound direction, only the service with the highest priority takes effect. For example, when both packet filtering and statistics collection on VLANIF interfaces are configured on a VLANIF interface, only packet filtering takes effect.
For sFlow and NetStream, the preceding limitations apply to all interfaces in V100R005C10 and earlier versions and only to Layer 2 sub-interfaces and Layer 3 sub-interfaces in V100R006C00 and later versions. For details about the priorities between MQC-based traffic statistics collection and traffic statistics collection on a VLANIF interface or a Layer 3 sub-interface, see Licensing Requirements and Limitations for Traffic Statistics Collection.
- On a device that decapsulates VXLAN packets, a traffic policy containing rules for matching packets based on the TCP flag or rules for matching the fragment flag does not take effect in the outbound direction. When a traffic policy is applied to the device that decapsulates VXLAN packets and the enhanced mode is configured, a traffic policy containing rules for matching IPv4 and IPv6 5-tuple information does not take effect in the outbound direction.
- After one of the following traffic policies is applied to the outbound direction, the switch forwards traffic in loopback mode. In this case, all traffic on the interface is looped back before being forwarded. The traffic policies are as follows:
  - Traffic policy that contains traffic classifiers defining IPv6 matching rules
  - Traffic policy that contains traffic classifiers defining if-match inner-vlan
  - Traffic policy that contains traffic behaviors defining traffic policing
  - Traffic policy that contains traffic behaviors defining remark 8021p
  - Traffic policy that contains traffic behaviors defining traffic statistics collection for cards except the SD, FD, FD1, FDA, FG, and FG1 series
  - For SD, FD, FD1, FDA, FG, and FG1 series cards: Traffic policy that contains traffic behaviors defining traffic statistics collection when the traffic-policy outbound-legacy-mode command is run in the system view
- If the switch forwards traffic in loopback mode:
  - The traffic policy can be applied only to physical interfaces and their Layer 3 sub-interfaces, Eth-Trunk interfaces, and VLANs.
  - When traffic exceeds 50% of the total forwarding performance of the LPU, there is a high probability that packet loss will occur.
  - The queue statistics on the outbound interface include the traffic before and after the loopback. If the bound traffic behavior defines traffic policing, the queue statistics on the outbound interface include the traffic before the loopback and the traffic that is policed after the loopback.
  - For packets that are forwarded at Layer 3 through VLANIF interfaces, the looped traffic is forwarded at Layer 2. Therefore, the traffic before and after the loopback is forwarded in different queues. If the qos phb marking 8021p disable command is not configured, the 802.1p priority has a fixed value of 2 for IPv4 packets and 3 for IPv6 packets after the loopback. For packets that are forwarded at Layer 3 through the Layer 3 main interface, the looped traffic does not carry VLAN tags, and the packets are always forwarded through queue 0.
  - If NetStream and sFlow are both applied, the switch collects both the traffic before and after the loopback.
  - The interface-based rate limiting, queue traffic shaping, ETS, and PFC functions are not supported in the outbound direction.
  - If traffic exceeds the bandwidth of the outbound interface, the traffic actually forwarded is less than the interface bandwidth. In this case, ensure that the actual traffic does not exceed the interface bandwidth.
- When a traffic policy containing fragment-type fragment, tcp-flag, destination-port, or source-port is applied to the outbound direction, the device delivers traffic policy resources in ingress cascading mode.
- When a traffic policy that contains a traffic behavior defining packet filtering, traffic statistics collection, or mirroring is applied to the outbound direction, the following situations may occur:
  - If there is only a traffic classifier that defines if-match any, the traffic policy takes effect only for Layer 2 traffic.
  - If there is a traffic classifier that matches Layer 3 fields, the traffic policy takes effect only for Layer 3 traffic.
  - If there is no traffic classifier that matches Layer 3 fields, the traffic policy takes effect only for Layer 2 traffic.
- If the bound traffic classifiers contain the following rules, the traffic policy cannot be applied to the outbound direction:
  - if-match vlan inner-vlan
  - if-match 8021p and if-match inner-8021p
  - if-match discard
  - if-match double-tag
  - if-match outbound-interface (V100R003C10 and earlier versions)
  - if-match tcp-flag (versions earlier than V100R005C00)
  - if-match ipv6 dscp
  - if-match ipv6 acl (V100R003C00 and earlier versions)
  - if-match acl (IPv4 ACLs that define the IP fragment, TCP-Flag, and TTL-Expired, and ARP-based ACLs)
    In V100R005C00 and later versions, IPv4 ACL rules containing TCP-Flag can be applied to the outbound direction.
- A traffic policy cannot be applied to the outbound direction if the bound traffic behaviors define the following actions:
  - remark local-precedence
  - mac-address learning disable
  - redirect cpu, redirect interface, redirect interface tunnel, redirect lsp, and redirect observe-port group
  - redirect nexthop, redirect load-balance, and redirect remote
  - car share
  - mirroring cpu
- Compared with versions earlier than V100R006C00SPC300, V100R006C00SPC300 and later versions provide different implementation modes for traffic policies containing conflicting rules or actions. There are also upgrade compatibility problems.
Traffic policy application and the resulting difference:
- Traffic classifiers bound to a traffic policy define two or more of the following matching rules based on IPv4, IPv6, VXLAN, MPLS, and GRE information, or a traffic behavior defines both the redirect and deny actions:
  - Versions earlier than V100R006C00SPC300: The system displays a message indicating that the traffic policy fails to be applied. None of the rules or actions in the traffic policy take effect.
  - V100R006C00SPC300 and later versions: The rules or actions configured later fail.
  - After the switch is upgraded from a version earlier than V100R006C00SPC300 to V100R006C00SPC300 or a later version, only one rule or action among conflicting rules or actions takes effect. The effective rule or action depends on the configuration sequence in the configuration file before the upgrade. Among conflicting rules or actions, the rule or action that was configured first takes effect, and subsequent conflicting configurations will be lost. For example, a traffic behavior defines the traffic statistics collection, redirection, and deny actions in sequence. After the upgrade, only the traffic statistics collection and redirection actions take effect, and the configuration of the deny action is lost.
- A traffic policy containing the vlan-stacking action is applied to the outbound direction:
  - Versions earlier than V100R006C00SPC300: The system displays a message indicating that the traffic policy fails to be applied. None of the rules or actions in the traffic policy take effect.
  - V100R006C00SPC300 and later versions: The traffic policy configuration fails.
  - After the switch is upgraded from a version earlier than V100R006C00SPC300 to V100R006C00SPC300 or a later version, the traffic policy configuration will be lost.
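The upgrade behavior described above can be checked against a saved configuration before upgrading across V100R006C00SPC300, so that a deny action or an outbound policy does not disappear unnoticed. The following Python audit is an added example, not Huawei tooling or code from this page. The sample configuration is constructed, and the code assumes that views are separated by `#` lines and that actions are spelled `redirect ...`, `deny`, and `vlan-stacking ...`.

```python
import re

# Constructed sample configuration (not from the page); command spellings are assumed.
SAMPLE = """\
traffic behavior b_web
 statistics enable
 redirect nexthop 192.0.2.1
 deny
#
traffic behavior b_qinq
 vlan-stacking vlan 100
#
traffic policy p_in
 classifier c_web behavior b_web
#
traffic policy p_out
 classifier c_any behavior b_qinq
#
interface 10GE1/0/1
 traffic-policy p_in inbound
 traffic-policy p_out outbound
"""

def parse(cfg):
    """Return behavior -> ordered actions, policy -> bindings, outbound policy names."""
    behaviors, policies = {}, {}
    for block in cfg.split("\n#"):  # assumption: "#" lines separate views
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        head = re.match(r"traffic (behavior|policy) (\S+)$", lines[0]) if lines else None
        if head:
            (behaviors if head[1] == "behavior" else policies)[head[2]] = lines[1:]
    applied = r"^[ \t]*traffic-policy (\S+) (?:\S+ )*outbound[ \t]*$"
    return behaviors, policies, set(re.findall(applied, cfg, re.M))

def audit(cfg):
    """List configuration that the limitations above say is lost by the upgrade."""
    behaviors, policies, outbound = parse(cfg)
    findings = []
    for name, actions in behaviors.items():
        kinds = [a.split()[0] for a in actions]
        if "redirect" in kinds and "deny" in kinds:
            # Of the conflicting pair, the action configured first survives.
            lost = "deny" if kinds.index("redirect") < kinds.index("deny") else "redirect"
            findings.append((name, f"{lost} action lost after upgrade"))
    for pol in sorted(outbound):
        bound = re.findall(r"\bbehavior (\S+)", "\n".join(policies.get(pol, [])))
        if any(a.startswith("vlan-stacking") for b in bound for a in behaviors.get(b, [])):
            findings.append((pol, "traffic policy lost after upgrade"))
    return findings
```

Each finding names the traffic behavior or traffic policy to correct before the upgrade, for example by splitting the redirect and deny actions into separate behaviors.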