QoS Configuration on Huawei S5700: MQC and ACL-based Simplified Traffic Policy
Overview
Quality of service (QoS) can effectively manage network resources, especially in scenarios with limited resources. It helps improve network resource utilization and allows different types of traffic to compete for network resources based on their priorities, so that audio, video, and important data applications are processed preferentially on network devices. Huawei's S series switches support QoS services based on the Differentiated Service (DiffServ) model. DiffServ classifies packets on the network into multiple classes for differentiated processing. In this way, when congestion occurs, classes with a higher priority are given preference.
Modular QoS Command-Line Interface (MQC) and ACL-based simplified traffic policies are typical QoS configuration methods. They classify packets with the same characteristics into one type and provide differentiated services for different types of traffic. With MQC and ACL-based simplified traffic policies, you can configure packet classification and common QoS services, such as traffic policing, packet priority re-marking, packet filtering, redirection, and traffic statistics collection.
This document describes how to configure MQC and ACL-based simplified traffic policies, and compares these two configuration methods to facilitate your configuration.
Prerequisites
This document uses the S5700 series switches running V200R019C10 as an example to describe how to configure MQC and ACL-based simplified traffic policies. The configuration method varies according to the device model and software version. For details, see the corresponding product documentation.
Configuring MQC
To implement MQC, you need to configure traffic classifiers, traffic behaviors, and traffic policies, and apply the traffic policies.
Configuration Roadmap
As shown in Figure 1-1, MQC configuration includes the following steps:
- Configure traffic classifiers. A traffic classifier defines a group of matching rules for classifying packets. Run the traffic classifier classifier-name [ operator { and | or } ] command to create a traffic classifier and enter the traffic classifier view. In the traffic classifier view, run if-match commands to define matching rules. An example is as follows:
<HUAWEI> system-view
[HUAWEI] traffic classifier c1 //Create traffic classifier c1 and enter the traffic classifier view.
[HUAWEI-classifier-c1] if-match vlan-id 10 //Match packets with the VLAN ID 10 in the traffic classifier.
[HUAWEI-classifier-c1] quit //Return to the system view.
- Configure traffic behaviors. A traffic behavior defines actions to be taken for a type of packets, such as packet filtering, redirection, traffic policing, and traffic statistics collection.
Run the traffic behavior behavior-name command to create a traffic behavior and enter the traffic behavior view. In the traffic behavior view, define actions such as deny, permit, redirect, car, and remark. An example is as follows:
[HUAWEI] traffic behavior b1 //Create traffic behavior b1 and enter the traffic behavior view.
[HUAWEI-behavior-b1] statistic enable //Define the action of traffic statistics collection in the traffic behavior.
[HUAWEI-behavior-b1] quit //Return to the system view.
- Configure traffic policies. A traffic policy binds traffic classifiers and traffic behaviors, so actions defined in traffic behaviors are taken on classified packets. Run the traffic policy policy-name command to create a traffic policy and enter the traffic policy view. Then run the classifier classifier-name behavior behavior-name command to bind traffic classifiers to traffic behaviors. An example is as follows:
[HUAWEI] traffic policy p1 //Create traffic policy p1 and enter the traffic policy view.
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1 //Bind traffic classifier c1 to traffic behavior b1.
[HUAWEI-trafficpolicy-p1] quit //Return to the system view.
Each traffic policy can be bound to one or more pairs of traffic classifiers and traffic behaviors.
In a traffic policy, a traffic classifier can be bound to only one traffic behavior, but a traffic behavior can be bound to one or more traffic classifiers.
- Apply a traffic policy. Apply a traffic policy to the system, an interface, or a VLAN. After the traffic policy is applied, the device performs the action defined in the traffic behavior on the packets that match traffic classification rules on the system, on an interface, or in a VLAN. Run the traffic-policy policy-name { inbound | outbound } command in the interface view or VLAN view to apply a traffic policy to an interface or a VLAN. Alternatively, run the traffic-policy policy-name global { inbound | outbound } [ slot slot-id ] command in the system view to apply the traffic policy to the system. An example is as follows:
[HUAWEI] interface GigabitEthernet0/0/1 //Enter the interface view.
[HUAWEI-GigabitEthernet0/0/1] traffic-policy p1 inbound //Apply the traffic policy p1.
[HUAWEI-GigabitEthernet0/0/1] quit //Return to the system view.
Only one traffic policy can be applied in one direction on the system, on each interface, or in each VLAN. When you run the traffic-policy command in the system view, interface view, or VLAN view to apply a traffic policy, you must specify inbound or outbound to control incoming packets (packets received by the device) or outgoing packets (packets sent by the device), respectively.
Traffic policies can be applied to physical interfaces, Ethernet sub-interfaces, Eth-Trunk interfaces, Eth-Trunk sub-interfaces, port groups, and VLANIF interfaces.
Matching Rules in a Traffic Classifier
You can run the if-match command to configure matching rules for a traffic classifier. A traffic classifier can define multiple matching rules.
Common matching rules include the MAC address, 802.1p priority, EXP priority, IP precedence, DSCP priority, VLAN ID, ACL, ACL6, all packets, outbound interface, inbound interface, flow ID, and VXLAN Network Identifier (VNI) of Virtual eXtensible Local Area Network (VXLAN) packets.
OR: A packet matches a traffic classifier as long as it matches one of the rules.
In the following example, the relationship between traffic classification rules is OR. Packets match the traffic classifier c2 if the VLAN ID of a packet is 10, the inbound interface of the packet is GE0/0/1, the packet matches ACL 3000, or the packet matches ACL 3001.
#
traffic classifier c2 operator or //Set the relationship between rules in the traffic classifier c2 to OR.
if-match vlan-id 10 //Configure a matching rule based on VLAN ID 10.
if-match inbound-interface GigabitEthernet0/0/1 //Configure a matching rule based on inbound interface GE0/0/1.
if-match acl 3000 //Configure a matching rule based on ACL 3000.
if-match acl 3001 //Configure a matching rule based on ACL 3001.
#
AND: If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when they match all the rules. If a traffic classifier contains ACL rules, packets match the traffic classifier only when they match at least one ACL rule and all non-ACL rules.
In the following example, the relationship between traffic classification rules is AND. Packets match the traffic classifier c2 only when the VLAN ID of the packets is 10, the inbound interface is GE0/0/1, and the packets match ACL 3000 or ACL 3001.
#
traffic classifier c2 operator and //Set the relationship between rules in the traffic classifier c2 to AND.
if-match vlan-id 10 //Configure a matching rule based on VLAN ID 10.
if-match inbound-interface GigabitEthernet0/0/1 //Configure a matching rule based on inbound interface GE0/0/1.
if-match acl 3000 //Configure a matching rule based on ACL 3000.
if-match acl 3001 //Configure a matching rule based on ACL 3001.
#
Actions in a Traffic Behavior
Multiple actions can be defined in each traffic behavior, and each action corresponds to a specific QoS service. Non-conflicting actions can be defined in the same traffic behavior and take effect simultaneously.
Action | Command | Description
---|---|---
Packet filtering | deny, permit | When you specify a packet filtering action for packets matching an ACL, if the ACL rule defines permit, the device processes packets according to the action (deny or permit) in the traffic behavior. If the ACL rule defines deny, the device discards packets regardless of whether deny or permit is configured in the traffic behavior.
Traffic statistics collection | statistic enable | You can run the display traffic policy statistics command to check statistics about forwarded and discarded packets after a traffic policy is applied. The command output helps you determine whether the traffic policy is applied properly and locate faults.
Re-marking | remark | Changes the 802.1p priority, DSCP priority, IP priority, VLAN ID, flow ID, and destination MAC address of packets.
Redirection and policy-based routing (PBR) | redirect | Packets are redirected to the specified location for processing.
Traffic policing and hierarchical traffic policing | car | The device discards the traffic that exceeds the rate limit to limit the incoming or outgoing traffic within a proper range.
Flow mirroring | mirroring | The packets that match specified rules are copied to an observing port.
Selective QinQ | add-tag vlan-id | An outer VLAN tag is added to packets.
Disabling MAC address learning | mac-address learning disable | The device does not learn MAC addresses when receiving data frames.
Disabling URPF | ip urpf disable | URPF check is not performed on certain packets so that the packets are not discarded.
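As an added example (not part of Huawei's documentation), the following Python models two rules the page states: the AND/OR matching semantics of a traffic classifier (with AND, every non-ACL rule must match and at least one ACL rule must match when ACL rules exist) and the packet-filtering rule from the table above (a matching ACL rule that says deny discards the packet regardless of the behavior). The ACL contents, the encoding of classifier c2, the packet fields, and the forward-by-default treatment of packets the classifier does not match are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet: only the fields the page's if-match rules look at."""
    vlan_id: int
    in_iface: str
    src_ip: str
    dst_ip: str


# Constructed ACLs in the spirit of "rule N permit|deny ip source ... destination ...".
# Rules are checked in order (match-order config); the first hit decides, and a
# packet that hits no rule does not match the ACL at all. ACL 3001 mirrors Example 1.
ACLS = {
    3000: [("permit", "10.10.0.0/16", "0.0.0.0/0")],
    3001: [("deny", "192.168.1.0/24", "192.168.3.0/24"),
           ("permit", "192.168.1.0/24", "192.168.2.0/24")],
}

# Hypothetical encoding of traffic classifier c2 from the page.
C2_RULES = [("vlan-id", 10), ("inbound-interface", "GigabitEthernet0/0/1"),
            ("acl", 3000), ("acl", 3001)]


def acl_lookup(acl_num, pkt):
    """Return 'permit', 'deny', or None when no rule of the ACL matches."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for action, s_net, d_net in ACLS[acl_num]:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action
    return None


def classifier_matches(operator, rules, pkt):
    """OR: any rule hit suffices. AND: all non-ACL rules must hit and, when ACL
    rules are present, at least one ACL rule must hit (ACL rules are OR'd)."""
    acl_hits = [acl_lookup(n, pkt) is not None for k, n in rules if k == "acl"]
    other_hits = []
    for kind, value in rules:
        if kind == "vlan-id":
            other_hits.append(pkt.vlan_id == value)
        elif kind == "inbound-interface":
            other_hits.append(pkt.in_iface == value)
    if operator == "or":
        return any(acl_hits) or any(other_hits)
    return all(other_hits) and (any(acl_hits) if acl_hits else True)


def filter_decision(operator, behavior_action, rules, pkt):
    """Packet filtering: an ACL deny hit discards the packet whatever the behavior
    says; otherwise the behavior's deny/permit decides. Packets the classifier
    does not match are assumed to be forwarded untouched by this policy."""
    if not classifier_matches(operator, rules, pkt):
        return "forward"
    if any(acl_lookup(n, pkt) == "deny" for k, n in rules if k == "acl"):
        return "discard"
    return "discard" if behavior_action == "deny" else "forward"
```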
Configuring an ACL-based Simplified Traffic Policy
- Create an ACL and configure ACL rules. Run the acl command in the system view to create an ACL and enter the ACL view. In the ACL view, run the rule command to configure ACL rules. An example is as follows:
[HUAWEI] acl 4000 //Create ACL 4000 and enter the Layer 2 ACL view.
[HUAWEI-acl-L2-4000] rule 5 permit source-mac 0000-0000-0003 //Define a rule to match packets with the source MAC address 0000-0000-0003.
[HUAWEI-acl-L2-4000] quit //Return to the system view.
- Table 1-2 lists the ACLs that can be defined in an ACL-based simplified traffic policy.
Table 1-2 ACLs that can be defined in an ACL-based simplified traffic policy
Category | IP Version | Function | ACL Number Range
---|---|---|---
Basic ACL | IPv4 | Defines rules based on source IP addresses, fragmentation information, and time ranges. | 2000 to 2999
Advanced ACL | IPv4 | Defines rules based on source IPv4 addresses, destination IPv4 addresses, IPv4 protocol types, ICMP types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. | 3000 to 3999
Layer 2 ACL | IPv4 and IPv6 | Defines rules based on information in Ethernet frame headers of packets, such as the source MAC addresses, destination MAC addresses, and Layer 2 protocol types. | 4000 to 4999
User-defined ACL | IPv4 and IPv6 | Defines rules based on packet headers, offsets, character string masks, and user-defined character strings. The ACL performs an AND operation on the packet bytes from a certain position behind the packet header and the character string mask. Then, the ACL compares the extracted character string against the user-defined character string. | 5000 to 5999
User ACL | IPv4 | Defines rules based on source IPv4 addresses or user control list (UCL) groups, destination IPv4 addresses or destination UCL groups, IPv4 protocol types, ICMP types, TCP source/destination port numbers, and UDP source/destination port numbers. | 6000 to 9999
Basic ACL6 | IPv6 | Defines rules based on source IPv6 addresses, fragmentation information, and time ranges. | 2000 to 2999
Advanced ACL6 | IPv6 | Defines rules based on source IPv6 addresses, destination IPv6 addresses, IPv6 protocol types, ICMPv6 types, TCP source/destination port numbers, UDP source/destination port numbers, and time ranges. | 3000 to 3999
An ACL-based simplified traffic policy supports most ACL rules. However, an ACL-based simplified traffic policy fails to be delivered if its ACL rule matches the VPN instance name of packets.
- Specify an action for the packets that match the ACL. The system takes the corresponding action for the packets that match the ACL in the system, in a VLAN, or on an interface. An example is as follows:
[HUAWEI] interface GigabitEthernet0/0/1 //Apply the simplified traffic policy to packets on GE0/0/1.
[HUAWEI-GigabitEthernet0/0/1] traffic-statistic inbound acl 4000 //Collect statistics on incoming packets that match ACL 4000.
[HUAWEI-GigabitEthernet0/0/1] quit //Return to the system view.
Table 1-3 lists the actions that can be performed in the system view and interface view. To apply an ACL-based simplified traffic policy to a specified VLAN, specify vlan vlan-id in the system view.
Table 1-3 Supported actions
Action | Command | Description
---|---|---
Packet filtering | traffic-filter | If permit is configured in an ACL rule, the device allows packets to pass through. If deny is configured in an ACL rule, the device discards packets.
Traffic policing | traffic-limit | The device discards the traffic that exceeds the rate limit.
Flow mirroring | traffic-mirror | The device copies the packets that match an ACL to the observing port.
Traffic statistics collection | traffic-statistic | You can run the display traffic-statistics command to view statistics about forwarded and discarded packets matching ACL rules. The command output helps you locate faults.
Redirection | traffic-redirect | The device redirects packets to the specified location for processing.
Re-marking | traffic-remark | The device re-marks the 802.1p priority, DSCP priority, IP precedence, and VLAN ID of packets.
If a simplified traffic policy is defined based on user ACLs, actions can be performed only in the system view, and only the following actions are supported: packet filtering, redirection, and re-marking.
Comparison Between MQC and ACL-based Simplified Traffic Policies
As typical configuration methods for QoS services, MQC and ACL-based simplified traffic policies support traffic classification and specify different actions for different types of packets.
Compared with MQC, ACL-based simplified traffic policies are easier to configure and have simpler logic. In most cases, ACL-based simplified traffic policies are recommended.
If the matching rules for the traffic cannot be expressed as ACLs, or if actions other than packet filtering, traffic policing, flow mirroring, redirection, re-marking, and traffic statistics collection need to be taken on the packets, you need to use MQC.
Supported QoS Services
You can configure QoS services by binding matching rules to actions. MQC supports more matching rules and actions than ACL-based simplified traffic policies. Therefore, MQC supports more QoS service configurations.
- ACL rules can be defined in both MQC and ACL-based simplified traffic policies.
- Both MQC and ACL-based simplified traffic policies support packet filtering, packet priority re-marking, VLAN ID re-marking, destination MAC address re-marking, redirection, traffic statistics collection, traffic policing, and flow mirroring.
- Only ACL-based simplified traffic policies support packet filtering, redirection, and re-marking for packets matching user ACLs.
- Only MQC supports matching rules based on the VLAN ID, IP precedence, DSCP priority, 802.1p priority, EXP priority, flow ID, application name, destination MAC address, source MAC address, inbound interface, outbound interface, and protocol type field in the Ethernet frame header.
- Only MQC supports actions such as flow ID re-marking, hierarchical traffic policing, disabling MAC address learning, selective QinQ, and canceling the deny rule in an ACL or ACL6.
Configuration Flexibility
- Each traffic classifier can define one or more matching rules, and each traffic behavior can define one or more actions.
- Each traffic classifier in a traffic policy can be bound to only one traffic behavior, but a traffic behavior can be bound to different traffic classifiers.
- Each traffic policy can be bound to one or more pairs of traffic classifiers and traffic behaviors.
An ACL-based simplified traffic policy can match only a single ACL or both Layer 2 and Layer 3 ACLs, and perform packet filtering, re-marking, redirection, traffic statistics collection, or flow mirroring on packets matching specified conditions. In most cases, to perform different actions on the same type of packets, you need to configure an ACL-based simplified traffic policy for each action. For example, to perform traffic policing and traffic statistics collection on incoming packets that match ACL 3000 globally, run the traffic-limit inbound acl 3000 cir cir-value and traffic-statistic inbound acl 3000 commands in the system view. However, in the scenario where ACL-based traffic policing is configured, you can directly specify remark-8021p or remark-dscp to enable the device to re-mark 802.1p or DSCP priorities of packets, without configuring an ACL-based simplified traffic policy for each action.
Configuration Simplicity
ACL-based simplified traffic policies are easier to configure than MQC. To configure an ACL-based simplified traffic policy, you only need to run one command such as traffic-limit, traffic-filter, or traffic-redirect in the system or interface view and reference an existing ACL in the command. To configure MQC, you must configure a traffic classifier, configure a traffic behavior, configure a traffic policy, and apply the traffic policy.
Examples
In the following examples, network interconnection is implemented by default, and only QoS-related configurations are provided.
Example 1: Restricting Mutual Access Between Different Network Segments
Service requirements: GE0/0/1, GE0/0/2, and GE0/0/3 of the device are connected to network segment A (192.168.1.1/24), network segment B (192.168.2.1/24), and network segment C (192.168.3.1/24), respectively. The three network segments communicate with each other through the device. It is required that the host on network segment A be allowed to access the host on network segment B, but the host on network segment A not be allowed to access the host on network segment C.
MQC configuration:
#
acl number 3001
rule 5 deny ip source 192.168.1.1 0.0.0.255 destination 192.168.3.1 0.0.0.255
rule 10 permit ip source 192.168.1.1 0.0.0.255 destination 192.168.2.1 0.0.0.255
#
traffic classifier c1 operator or
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
traffic-policy p1 inbound
#
ACL-based simplified traffic policy configuration:
#
acl number 3001
rule 5 deny ip source 192.168.1.1 0.0.0.255 destination 192.168.3.1 0.0.0.255
rule 10 permit ip source 192.168.1.1 0.0.0.255 destination 192.168.2.1 0.0.0.255
#
interface GigabitEthernet0/0/1
traffic-filter inbound acl 3001
#
Conclusion: In this example, service requirements are simple, so ACL-based simplified traffic policies are recommended.
Example 2: Configuring Traffic Policing and Re-marking Priorities for Different Service Packets
- Traffic policing needs to be configured on SwitchA to police packets of different services so that traffic is limited within a proper range and bandwidth of each service is guaranteed.
- SwitchA needs to re-mark DSCP priorities of different service packets so that the router can process the packets based on their priorities. Voice, video, and data services are in descending order of priority.
- Traffic statistics collection is configured for the three types of service packets on SwitchA so that you can run the display traffic policy statistics command to view statistics about forwarded and discarded packets after a traffic policy is applied.
MQC configuration:
#
traffic classifier c1 operator or
if-match vlan-id 120
traffic classifier c2 operator or
if-match vlan-id 110
traffic classifier c3 operator or
if-match vlan-id 100
#
traffic behavior b1
car cir 2000 pir 10000 cbs 250000 pbs 1250000 green pass yellow pass red discard //Use the default configuration for red, yellow, and green packets. Green and yellow packets are allowed to pass through, and red packets are discarded. The same below.
remark dscp ef
statistic enable
traffic behavior b2
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b3
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet0/0/1
traffic-policy p1 inbound
#
ACL-based simplified traffic policy configuration:
#
acl number 4001
rule 5 permit vlan-id 120
acl number 4002
rule 5 permit vlan-id 110
acl number 4003
rule 5 permit vlan-id 100
#
interface GigabitEthernet0/0/1
traffic-limit inbound acl 4001 cir 2000 pir 10000 cbs 250000 pbs 1250000
traffic-remark inbound acl 4001 dscp ef
traffic-statistic inbound acl 4001
traffic-limit inbound acl 4002 cir 4000 pir 10000 cbs 500000 pbs 1250000
traffic-remark inbound acl 4002 dscp af33
traffic-statistic inbound acl 4002
traffic-limit inbound acl 4003 cir 4000 pir 10000 cbs 500000 pbs 1250000
traffic-remark inbound acl 4003 dscp af13
traffic-statistic inbound acl 4003
#
Conclusion: In this example, the MQC configuration logic is clear, so you can add or modify matching rules and actions by following that logic, and no ACLs need to be configured. The ACL-based simplified traffic policy is easy to understand and configure for users who are familiar with ACLs.