Huawei QoS Configuration Guide
V200R008C00
Issue 03
Date 2016-10-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Intended Audience
This document describes the concepts and configuration procedures of QoS features on the
S2750&S5700&S6720, and provides the configuration examples.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Security Conventions
l Password setting
Declaration
This manual is only a reference for you to configure your devices. The contents in the manual,
such as web pages, command line syntax, and command outputs, are based on the device
conditions in the lab. The manual provides instructions for general scenarios, but do not cover
all usage scenarios of all product models. The contents in the manual may be different from
your actual device situations due to the differences in software versions, models, and
configuration files. The manual will not list every possible difference. You should configure
your devices according to actual situations.
The specifications provided in this manual are tested in lab environment (for example, the
tested device has been installed with a certain type of boards or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
8 Redirection Configuration 192
8.1 Introduction to Redirection 193
8.2 Applicable Scenario 193
8.3 Configuring Redirection 194
8.4 Configuration Examples 202
8.4.1 Example for Configuring Redirection 202
8.5 References 207
10.12.1 Example for Preventing a Specified Host to Access the External Network 239
10.12.2 Example for Configuring Rate Limiting for Services from Different VLANs 242
10.12.3 Example for Configuring ACL-based Redirection 245
10.12.4 Example for Configuring an ACL-based Simplified Traffic Policy to Implement Priority Mapping 249
10.12.5 Example for Configuring ACL-based Traffic Statistics 251
10.12.6 Example for Configuring ACL-based Local Flow Mirroring 253
11 HQoS Configuration 256
11.1 Introduction to HQoS 257
11.2 Principles 257
11.3 Applications 259
11.4 Configuration Notes 259
11.5 Default Configuration 260
11.6 Configuring HQoS 262
11.6.1 Configuring a Flow Queue 263
11.6.2 (Optional) Configuring the Mapping Between Flow Queues and Interface Queues 264
11.6.3 Configuring a Subscriber Queue 264
11.6.4 Checking the Configuration 265
11.7 Maintaining HQoS 266
11.7.1 Displaying Traffic Statistics on Subscriber Queues 266
11.7.2 Clearing Traffic Statistics on Subscriber Queues 266
11.8 Configuration Examples 267
11.8.1 Example for Configuring HQoS 267
1 QoS Overview
QoS defines a service provider's ability to meet the level of service required by a customer's
traffic. The QoS-enabled device controls enterprise network traffic, implements congestion
management and congestion avoidance, reduces the packet loss ratio, and provides dedicated
bandwidth for enterprise users or differentiated services.
QoS Background
Diversified services result in a sharp increase in network traffic, which may cause network
congestion, increase forwarding delay, or even packet loss. Any of the preceding situations
will cause service quality deterioration or even service interruption. Therefore, real-time
services require a solution to prevent network congestion. The best solution is to increase
network bandwidth, but increasing network bandwidth is not cost effective. The most cost-
effective way is to use a "guarantee" policy to manage traffic congestion.
Quality of service (QoS) technology provides end-to-end service quality guarantee based on
the requirements of different services. It is a tool that helps improve utilization of network
resources and allows different types of traffic to preempt network resources based on their
priorities. Voice, video, and important data applications are processed preferentially on
network devices. QoS is now widely used and plays an important role in Internet applications.
parameters. The network maintains a state for each packet flow and performs QoS
behaviors based on this state to ensure a guaranteed application performance.
The IntServ model uses the Resource Reservation Protocol (RSVP) as the signaling
protocol. The RSVP protocol reserves resources such as bandwidth and priority on a
known path, and each network element along the path must reserve required resources
for data flows requiring QoS guarantee. That is, each network element maintains a soft
state for each data flow. A soft state is a temporary state that is periodically updated
through RSVP messages. Each network element checks whether sufficient resources can
be reserved based on these RSVP messages. The path is available only when all involved
network elements can provide sufficient resources.
l Differentiated Services (DiffServ)
The DiffServ model classifies packets on a network into multiple classes and takes
different actions for the classes. When network congestion occurs, packets of different
classes are processed based on their priorities to obtain different packet loss rates, delays,
and jitters. Packets of the same class are aggregated and sent as a whole to ensure the
same delay, jitter, and packet loss rate.
In the DiffServ model, traffic classification and aggregation are completed on edge
nodes. Edge nodes classify packets based on a combination of fields in packets, such as
the source and destination addresses, precedence in the Type of Service (ToS) field, and
protocol type, and then mark packets with different priorities. Other nodes only need to
identify the marked priorities for resource allocation and traffic control.
Unlike the IntServ model, the DiffServ model does not require a signaling protocol. In
this model, an application does not need to apply for network resources before sending
packets. Instead, the application sets QoS parameters in the packets, through which the
network can learn the QoS requirements of the application. The network provides
differentiated services based on the QoS parameters of each data flow and does not need
to maintain a state for each data flow. DiffServ takes full advantage of IP networks'
flexibility and extensibility and transforms information in packets into per-hop behaviors
(PHBs), greatly reducing signaling operations. DiffServ is the most commonly used QoS
model on current networks. QoS implementation described in the subsequent sections is
based on this model.
avoidance monitors network resource usage and drops packets to mitigate network
overloading when congestion worsens.
Traffic classification and marking are the basis of differentiated services. Traffic policing,
traffic shaping, interface-based rate limiting, congestion management, and congestion
avoidance control network traffic and resource allocation to implement differentiated services.
Figure 1-1 shows the order in which different QoS mechanisms process packets.
Figure 1-1 (diagram not reproduced): packets arriving on the inbound interface pass through traffic classification and marking, then traffic policing and rate limiting; they are then placed into queues 0 to N (voice, video, data and other traffic) that are controlled by congestion management and congestion avoidance; queue scheduling, traffic shaping and rate limiting on the outbound interface are applied before the packets leave through the outbound interface towards the WAN.
2 MQC Configuration
This chapter describes how to configure Modular QoS Command-Line Interface (MQC).
MQC enables you to configure certain rules to classify traffic and specify an action for traffic
of the same type. MQC configuration can implement differentiated services.
MQC Entities
MQC involves three entities: traffic classifier, traffic behavior, and traffic policy.
l Traffic classifier
A traffic classifier defines a group of matching rules to classify packets. Table 2-1 lists
traffic classification rules.
The relationship between rules in a traffic classifier can be AND or OR. The default
relationship is AND.
– AND: If a traffic classifier contains ACL rules, a packet matches the traffic
classifier only when it matches one ACL rule and all the non-ACL rules. If a traffic
classifier does not contain ACL rules, a packet matches the traffic classifier only
when it matches all the rules in the classifier.
– OR: A packet matches a traffic classifier as long as it matches one of the rules.
l Traffic behavior
A traffic behavior defines an action for packets of a specified type.
l Traffic policy
A traffic policy binds traffic classifiers and traffic behaviors, and then actions defined in
traffic behaviors are taken for classified packets. As shown in Figure 2-1, a traffic policy
can be bound to multiple traffic classifiers and traffic behaviors.
Figure 2-1 Multiple pairs of traffic classifiers and traffic behaviors in a traffic policy
Figure 2-1 (diagram not reproduced): one traffic policy binds traffic classifier c1 to traffic behavior b1, traffic classifier c2 to traffic behavior b2, and so on up to traffic classifier cn and traffic behavior bn; each traffic behavior can specify priority re-marking, redirection, or packet filtering.
The MQC configuration flow is: configure a traffic classifier, configure a traffic behavior, and then configure a traffic policy that binds them.
License Support
MQC is a basic feature of a switch and is not under license control.
Version Support
Table 2-2 describes the products and minimum version supporting MQC.
Product             Minimum Version
S2750EI             V200R003
S5710-X-LI          V200R008
S5720EI             V200R007
S5720SI/S5720S-SI   V200R008
S5720HI             V200R006
S6720EI             V200R008
S6720S-EI           V200R009
l If the ACL rule matches the VPN instance name of packets, the ACL-based traffic policy
fails to be delivered.
l When permit and other actions are configured in a traffic behavior, these actions are
performed in sequence. The deny action conflicts with other actions in a traffic behavior.
When deny is configured, other configured actions, except traffic statistics collection
and flow mirroring, do not take effect.
l If you specify a packet filtering action for packets matching an ACL rule, the system first
checks the action defined in the ACL rule. If the ACL rule defines permit, the action
taken for the packets depends on whether deny or permit is specified in the traffic
behavior. If the ACL rule defines deny, the packets are discarded regardless of whether
deny or permit is configured in the traffic behavior. If a non-packet-filtering action is
specified for packets matching an ACL rule that defines deny, the packets are discarded,
and the action specified in the traffic classifier, except disabling MAC address learning,
traffic statistics collection and flow mirroring, does not take effect.
l The remark 8021p inner-8021p command applies only to the inbound direction.
l If a traffic policy containing remark 8021p is applied to the outbound direction on an
interface, the VLAN of the interface must work in tagged mode.
l The MAC address specified in a destination MAC address re-marking action must be a
unicast MAC address.
l If a traffic policy containing remark vlan-id is applied to the outbound direction on an
interface, the VLAN of the interface must work in tagged mode.
l A traffic policy containing remark 8021p inner-8021p, remark local-precedence,
remark ip-precedence, or remark destination-mac cannot be applied to the outbound
direction.
l In V200R005 and later versions, a traffic policy containing redirect cpu allows the
device to redirect the traffic matching traffic classification rules to the CPU, affecting
system performance. Exercise caution when you apply such a traffic policy.
l In V200R006 and earlier versions, if traffic is redirected to an interface in Down state,
traffic is dropped on the interface and cannot be switched to the original forwarding path.
l In V200R007 and later versions, if traffic is redirected to an interface in Down state and
forced is specified in the redirection command, traffic is dropped on the interface and
cannot be switched to the original forwarding path. If forced is not specified, the
redirection action does not take effect.
l A traffic policy can be applied to the system, a VLAN, or an interface. When a traffic
policy needs to be applied in multiple views, apply the traffic policy in the interface
view, VLAN view, and system view in sequence.
l When packets match multiple traffic policies, the following rules apply:
– If traffic classification rules in the traffic policies are of the same type (all user-
defined ACL rules, Layer 2 rules, or Layer 3 rules), only one traffic policy takes
effect. The precedence of the traffic policies depends on the objects to which they
are applied: interface > VLAN > global. That is, the traffic policy applied to an
interface has the highest priority, whereas the traffic policy applied to the system
has the lowest priority. When different traffic policies are applied in the same view,
the precedence of the policies depends on the configuration sequence.
– On the S5700EI, S5700HI, S5710EI, S5710HI, S5720EI, S5720HI, and S6700: If
traffic classification rules in the traffic policies are of different types and the actions
do not conflict, all the traffic policies take effect. If actions conflict, the precedence
of the traffic policies depends on precedence of rules in the policies: Layer 2 rule +
Layer 3 rule > Layer 3 rule > Layer 2 rule > user-defined ACL rule.
– On the S5720SI, S5720S-SI, S5710-X-LI, S5710-C-LI, S5700SI, S5700LI,
S5700S-LI, S2750EI, S2720EI, and S1720GFR: If traffic classification rules in the
traffic policies are of different types, only one traffic policy takes effect. The
precedence of the traffic policies depends on the objects to which they are applied:
interface > VLAN > global. That is, the traffic policy applied to an interface has the
highest priority, whereas the traffic policy applied to the system has the lowest
priority. If traffic policies apply to the same object, the traffic policy that contains
the rule with the highest priority takes effect.
It is recommended that you configure traffic policies in descending order of priority;
otherwise, traffic policies may not take effect immediately. For details about traffic
classification rules, see Traffic classification rules in 2.1 Introduction to MQC.
l Applying traffic policies consumes ACL resources. If there are no sufficient ACL
resources, some traffic policies may fail to be applied. For example, if an if-match rule in
a traffic policy occupies one ACL, M ACL resources will be used to apply the traffic
policy to M interfaces. When a traffic policy is applied to L VLANs, L ACLs are
occupied. When a traffic policy is applied to the system, one ACL is occupied. Table 2-4
describes the ACL resource usage of if-match rules.
Rule: if-match acl { acl-number | acl-name } or if-match ipv6 acl { acl-number | acl-name }
Uplink: When the range resources are exhausted (there are 32 ranges for each card), rules containing range port-start port-end are delivered and multiple ACLs are occupied. Each rule containing tcp-flag established occupies two ACLs. (In V200R006 and later versions, the uplink ACL resource usage on the S5720HI is similar to the downlink ACL resource usage.)
Downlink: Rules containing range port-start port-end are delivered according to the port number range, and multiple ACLs are occupied. In other situations, one rule occupies one ACL. You can run the display acl division start-id to end-id command to check how ACL resources are used in a specified port number range.
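The following Python model is added here as an illustration; it is not Huawei code and is not part of the original guide. It encodes the packet-filtering rules stated in the notes above: how the permit or deny of a matched ACL rule combines with permit, deny and the other actions in a traffic behavior, which actions still take effect when the packet is discarded, and a small lint that reports configured actions that can never take effect. The action labels (remark-dscp, redirect, car, statistic, mirroring, mac-learning-disable) are names chosen for the example, not the command names of the guide; the guide lists MAC address learning disabling as surviving an ACL deny only for the non-filtering case, and the example assumes the same set survives when a filtering action is also configured.

```python
from typing import Iterable, List, Optional, Tuple

FILTER_ACTIONS = {"permit", "deny"}
# Actions the guide says still take effect when a behavior containing deny
# discards the packet: traffic statistics collection and flow mirroring.
SURVIVES_BEHAVIOR_DENY = {"statistic", "mirroring"}
# Actions that still take effect when the matched ACL rule itself is deny
# (assumption: the same set applies whether or not the behavior filters).
SURVIVES_ACL_DENY = SURVIVES_BEHAVIOR_DENY | {"mac-learning-disable"}


def resolve(acl_action: Optional[str], behavior: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (verdict, effective actions) for one packet.

    acl_action: 'permit' or 'deny' from the ACL rule the packet matched, or None
    when the classifier matched on non-ACL rules only.
    behavior: the actions configured in the traffic behavior, in order.
    """
    if acl_action not in (None, "permit", "deny"):
        raise ValueError("acl_action must be None, 'permit' or 'deny'")
    actions = list(behavior)
    if acl_action == "deny":
        # An ACL deny discards the packet no matter whether the behavior says
        # permit, deny, or names no filtering action at all.
        return "discard", [a for a in actions if a in SURVIVES_ACL_DENY]
    if "deny" in actions:
        # deny conflicts with the other actions: only statistics and mirroring survive.
        return "discard", [a for a in actions if a in SURVIVES_BEHAVIOR_DENY]
    # ACL permit (or no ACL rule): permit and the other actions run in sequence.
    # 'permit' is the forwarding decision itself, so it is not listed as an action.
    return "forward", [a for a in actions if a != "permit"]


def ineffective_actions(acl_action: Optional[str], behavior: Iterable[str]) -> List[str]:
    """Configured non-filtering actions that silently never take effect.

    Useful as a configuration lint: a behavior such as 'deny' + 'remark-dscp'
    looks as if it re-marks traffic, but the re-marking is masked by the deny.
    """
    actions = list(behavior)
    _, effective = resolve(acl_action, actions)
    return [a for a in actions if a not in FILTER_ACTIONS and a not in effective]


if __name__ == "__main__":
    # Constructed sample: deny plus a re-marking action an operator may expect to work.
    sample = ["deny", "remark-dscp", "statistic"]
    print(resolve("permit", sample))               # ('discard', ['statistic'])
    print(ineffective_actions("permit", sample))   # ['remark-dscp']
```

Running resolve over every classifier/behavior pair of a policy before applying it is a cheap way to catch behaviors whose re-marking, redirection or CAR actions are dead because a deny (in the ACL or in the behavior) wins.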
Pre-configuration Tasks
Before configuring a traffic classifier, complete the following tasks:
l Configure link layer attributes of interfaces to ensure that the interfaces work properly.
l Configure an ACL if the ACL needs to be used to classify traffic.
Configuration Process
Non-conflicting rules can be configured in a traffic classifier.
Procedure
1. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the existing
traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means that:
– If the traffic classifier contains ACL rules, packets match the traffic classifier only
when they match one ACL rule and all the non-ACL rules.
– If the traffic classifier does not contain any ACL rules, packets match the traffic
classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as they
match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
3. Configure matching rules according to the following table.
NOTE
The S5720HI does not support traffic classifiers with advanced ACLs containing the ttl-expired
field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI does
not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id, or remark
vlan-id vlan-id.
ACL6 rule: if-match ipv6 acl { acl-number | acl-name }. Before specifying an ACL6 in a matching rule, configure the ACL6.
4. Run:
quit
Background
The device supports actions including packet filtering, priority re-marking, flow ID re-
marking, redirection, traffic policing, and traffic statistics collection.
Procedure
Step 1 Run:
system-view
A traffic behavior is created and the traffic behavior view is displayed, or the view of an
existing traffic behavior is displayed.
Step 3 Define actions in the traffic behavior. You can configure multiple non-conflicting actions in a
traffic behavior.
Action Command Remarks
Step 4 Run:
quit
----End
Pre-configuration Tasks
Before configuring a traffic policy, complete the following tasks:
l Configure a traffic classifier.
l Configure a traffic behavior.
Procedure
1. Run:
system-view
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed.
– On the S6720EI, S5720EI and S5720HI, run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If no matching order is specified when you create
a traffic policy, the default matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify the
matching order, delete the traffic policy, create a new traffic policy and specify the
matching order.
When creating a traffic policy, you can specify the matching order of matching rules
in the traffic policy. The matching order can be either automatic order or
configuration order:
n If automatic order is used, traffic classifiers are matched based on the priorities
of their types. Traffic classifiers based on Layer 2 and Layer 3 information,
Layer 2 information, and Layer 3 information are matched in descending order
of priority. The traffic classifier with the highest priority is matched first. If
data traffic matches multiple traffic classifiers, and the traffic behaviors
conflict with each other, the traffic behavior corresponding to the highest
priority rule takes effect.
n If configuration order is used, traffic classifiers are matched based on the
sequence in which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be applied to
an interface, a VLAN, and the system in sequence in the outbound direction. In the
preceding situation, if ACL rules need to be updated, delete the traffic policy from the
interface, VLAN, and system and reconfigure it in sequence.
3. Run:
classifier classifier-name behavior behavior-name
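As an added example (not Huawei code and not part of the original guide), the Python model below implements the two pieces of behaviour described in the classifier and policy procedures above: the and/or operator between rules in a traffic classifier (one ACL rule plus all non-ACL rules for and, any single rule for or) and the auto versus config matching order of a traffic policy (auto ranks Layer 2 + Layer 3 classifiers above Layer 3 above Layer 2, config keeps the binding sequence). Packets are plain dictionaries, ACL rules are callables, and the l2/l3 layer tags, the field names and the behavior names are assumptions made for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
AclRule = Callable[[Packet], bool]

# match-order auto ranks classifier types as the guide states:
# Layer 2 + Layer 3 information > Layer 3 > Layer 2. A classifier holding only
# ACL rules is ranked last (the guide lists user-defined ACL rules lowest).
AUTO_ORDER = {"l2+l3": 0, "l3": 1, "l2": 2, "acl": 3}


class TrafficClassifier:
    """A named group of matching rules joined by the operator 'and' or 'or'."""

    def __init__(self, name: str, operator: str = "and") -> None:
        if operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")
        self.name = name
        self.operator = operator
        self.acl_rules: List[AclRule] = []
        # (layer, field, value); layer is "l2" (vlan, 8021p, ...) or "l3" (dscp, protocol, ...)
        self.field_rules: List[Tuple[str, str, object]] = []

    def if_match_acl(self, rule: AclRule) -> "TrafficClassifier":
        self.acl_rules.append(rule)
        return self

    def if_match(self, layer: str, field: str, value: object) -> "TrafficClassifier":
        if layer not in ("l2", "l3"):
            raise ValueError("layer must be 'l2' or 'l3'")
        self.field_rules.append((layer, field, value))
        return self

    def classifier_type(self) -> str:
        layers = {layer for layer, _, _ in self.field_rules}
        if layers == {"l2", "l3"}:
            return "l2+l3"
        if layers == {"l3"}:
            return "l3"
        if layers == {"l2"}:
            return "l2"
        return "acl"

    def matches(self, packet: Packet) -> bool:
        if not self.acl_rules and not self.field_rules:
            return False  # an empty classifier matches nothing
        acl_hits = [rule(packet) for rule in self.acl_rules]
        field_hits = [packet.get(field) == value for _, field, value in self.field_rules]
        if self.operator == "or":
            # or: any single rule, ACL or not, is enough
            return any(acl_hits) or any(field_hits)
        # and: one ACL rule (when ACL rules exist) plus every non-ACL rule
        acl_ok = any(acl_hits) if acl_hits else True
        return acl_ok and all(field_hits)


class TrafficPolicy:
    """Binds classifiers to behavior names; match-order is 'auto' or 'config'."""

    def __init__(self, name: str, match_order: str = "config") -> None:
        if match_order not in ("auto", "config"):
            raise ValueError("match_order must be 'auto' or 'config'")
        self.name = name
        self.match_order = match_order
        self.bindings: List[Tuple[TrafficClassifier, str]] = []

    def classifier_behavior(self, classifier: TrafficClassifier, behavior: str) -> "TrafficPolicy":
        self.bindings.append((classifier, behavior))
        return self

    def ordered_bindings(self) -> List[Tuple[TrafficClassifier, str]]:
        if self.match_order == "auto":
            # sorted() is stable, so classifiers of equal type keep their binding order
            return sorted(self.bindings, key=lambda b: AUTO_ORDER[b[0].classifier_type()])
        return list(self.bindings)

    def apply(self, packet: Packet) -> Optional[str]:
        """Return the behavior of the first classifier the packet matches, or None."""
        for classifier, behavior in self.ordered_bindings():
            if classifier.matches(packet):
                return behavior
        return None


def build_demo_policy(match_order: str) -> TrafficPolicy:
    """Constructed example: a coarse VLAN classifier bound before a finer L2+L3 one."""
    c_vlan10 = TrafficClassifier("c_vlan10").if_match("l2", "vlan", 10)
    c_voice = (TrafficClassifier("c_voice")
               .if_match("l2", "vlan", 10)
               .if_match("l3", "dscp", 46))
    return (TrafficPolicy("p_demo", match_order)
            .classifier_behavior(c_vlan10, "b_default")
            .classifier_behavior(c_voice, "b_voice"))


if __name__ == "__main__":
    voice_packet = {"vlan": 10, "dscp": 46}  # constructed sample packet
    print("config order:", build_demo_policy("config").apply(voice_packet))  # b_default
    print("auto order:  ", build_demo_policy("auto").apply(voice_packet))    # b_voice
```

The demo policy shows why the matching order matters: with config order the coarse VLAN classifier bound first captures the voice packet, while with auto order the Layer 2 + Layer 3 classifier is tried first and the voice behavior applies. Since the guide states that the matching order cannot be changed once the policy is applied, this is worth checking before applying a policy.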
Pre-configuration Tasks
Before applying a traffic policy, configure the traffic policy.
Procedure
l Applying a traffic policy to an interface
a. Run:
system-view
l Traffic policies can be applied to only the inbound direction of sub-interfaces on the
S6720EI.
l It is not recommended to use the traffic policy containing remark 8021p, remark
cvlan-id, and remark vlan-id in the outbound direction of an untagged interface. This
configuration may cause incorrect information in the packets.
l Applying a traffic policy to a VLAN
a. Run:
system-view
NOTE
Applying traffic policies consumes ACL resources. If there are not sufficient ACL resources,
some traffic policies may fail to be applied. For example, an if-match rule in a traffic policy
occupies an ACL. When the traffic policy is applied to M interfaces, M ACLs are occupied.
When a traffic policy is applied to a VLAN or in the system, the number of occupied ACLs
is the number of LPUs on the device. For details about ACLs occupied by if-match rules, see
Table 2-4 in 2.2 Configuration Notes.
l Applying a traffic policy to the system
a. Run:
system-view
Procedure
l Run the display traffic classifier user-defined [ classifier-name ] command to check the
traffic classifier configuration.
l Run the display traffic behavior user-defined [ behavior-name ] command to check the
traffic behavior configuration.
l Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ]
command to check the user-defined traffic policy configuration.
l Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan
[ vlan-id ] ] { inbound | outbound } [ verbose ] command to check ACL-based
simplified and MQC-based traffic policies applied to the system, a VLAN, or an
interface.
NOTE
Traffic policies can be applied to a sub-interface, but the display traffic-applied command cannot be
used to check the ACL-based simplified and MQC-based traffic policies applied to the sub-interface.
Context
MQC statistics are also traffic policy statistics. To check forwarded and discarded packets in
the system or in a specified object to which a traffic policy has been applied, you can view
traffic policy statistics.
To view traffic policy statistics, ensure that MQC and statistic enable have been configured.
Procedure
l Run the display traffic policy statistics { global [ slot slot-id ] | interface interface-type
interface-number [.subinterface-number ] | vlan vlan-id } { inbound | outbound }
[ verbose { classifier-base | rule-base } [ class classifier-name ] ] command to check
packet statistics in the system, on an LPU, on an interface, or in a VLAN to which a
traffic policy has been applied.
----End
Context
MQC statistics are also traffic policy statistics. Before recollecting traffic policy statistics in
the system or in a specified object, clear existing packet statistics.
NOTICE
Traffic policy statistics cannot be restored after being cleared. Exercise caution when you use
this command.
Procedure
l Run the reset traffic policy statistics { global [ slot slot-id ] | interface interface-type
interface-number [.subinterface-number ] | vlan vlan-id } { inbound | outbound }
command in the user view to clear statistics on packets matching a traffic policy applied
to the system, an LPU, an interface, or a VLAN.
----End
2.5 References
Document Description Remarks
3.2 Principles
Priority Mapping
Packets carry different types of precedence field depending on the network type. For example,
packets carry the 802.1p field in a VLAN network, the EXP field on an MPLS network, and
the DSCP field on an IP network. The mapping between the priority fields must be configured
on the gateway to retain packet priorities when the packets traverse different types of
networks.
The priority mapping mechanism provides the mapping from precedence fields of packets to
internal priorities (local priorities) or the mapping from internal priorities to precedence fields
of packets. This mechanism uses a DiffServ domain to manage and record the mapping
between precedence fields and Class of Service (CoS) values. When a packet reaches the
device, the device maps the priority in the packet or the default 802.1p priority of the inbound
interface to a local priority. The device then determines which queue the packet enters based
on the mapping between internal priorities and queues, and performs traffic policing, queuing,
and scheduling. In addition, the device can re-mark precedence fields of outgoing packets so
that the downstream device can provide differentiated QoS based on packet priorities.
Precedence Fields
Certain fields in the packet header or frame header record QoS information so that network
devices can provide differentiated services. These fields include:
l Precedence field
As defined in RFC 791, the 8-bit Type of Service (ToS) field in an IP packet header
contains a 3-bit IP precedence field. Figure 3-1 shows the Precedence field in an IP
packet.
Figure 3-1 (diagram not reproduced): in the 8-bit ToS field, bits 0 to 2 form the Precedence field (the IP precedence), followed by the D, T, R and C bits; bits 0 to 5 of the same byte form the DSCP field.
The 802.1Q header contains a 3-bit PRI field. The PRI field defines eight service priority
values 7, 6, 5, 4, 3, 2, 1 and 0, in descending order of priority.
l MPLS EXP field
In contrast to IP packets, MPLS packets use labels. A label has 4 bytes. Figure 3-3
shows the format of the MPLS EXP field.
Network diagram (not reproduced): voice and data flows travel from SwitchA to SwitchB and on through a router to the ISP; the traffic direction shown is from SwitchA towards the ISP.
Service Deployment
l On SwitchA, configure a traffic policy in the inbound direction to re-mark voice, video,
and data packets with different 802.1p priorities. The priorities of voice, video, and data
services are in descending order.
l Configure SwitchB to map 802.1p priorities of incoming packets to CoS values and
colors. SwitchB then provides differentiated services based on the CoS values and
colors.
l Configure SwitchB to re-mark outgoing packets with DSCP priorities based on CoS
values and colors. In this way, the service packets are provided differentiated services on
the Layer 3 network based on DSCP priorities.
License Support
Priority mapping is a basic feature of a switch and is not under license control.
Version Support
Table 3-1 describes the products and minimum version supporting priority mapping.
Product             Minimum Version
S2750EI             V200R003
S5710-X-LI          V200R008
S5720EI             V200R007
S5720SI/S5720S-SI   V200R008
S5720HI             V200R006
S6720EI             V200R008
S6720S-EI           V200R009
Only the S6720EI supports the mappings between EXP priorities and PHBs/colors.
Table 3-2 Mappings from 802.1p priorities to PHBs and colors of incoming VLAN packets in
a DiffServ domain
802.1p Priority PHB Color
0 BE green
1 AF1 green
2 AF2 green
3 AF3 green
4 AF4 green
5 EF green
6 CS6 green
7 CS7 green
Table 3-3 Mappings from DSCP priorities to PHBs and colors of incoming IP packets in the
DiffServ domain
DSCP PHB Color DSCP PHB Color
1 BE green 33 BE green
3 BE green 35 BE green
5 BE green 37 BE green
7 BE green 39 BE green
9 BE green 41 BE green
11 BE green 43 BE green
13 BE green 45 BE green
15 BE green 47 BE green
17 BE green 49 BE green
19 BE green 51 BE green
21 BE green 53 BE green
23 BE green 55 BE green
25 BE green 57 BE green
27 BE green 59 BE green
29 BE green 61 BE green
31 BE green 63 BE green
Table 3-4 Mappings from EXP priorities to PHBs and colors of incoming packets in the
DiffServ domain
EXP Priority PHB Color
0 BE green
1 AF1 green
2 AF2 green
3 AF3 green
4 AF4 green
5 EF green
6 CS6 green
7 CS7 green
Table 3-5 Mappings between internal priorities and queues on the S6720EI, S5720EI and
S5720HI
Internal Priority Queue Index
BE 0
AF1 1
AF2 2
AF3 3
AF4 4
EF 5
CS6 6
CS7 7
Mapping from CoS Values (PHBs) and Colors to Priorities in the Outbound
Direction in the DiffServ Domain
By default, the mappings in a DiffServ domain are as follows:
l Table 3-6 lists the mappings from PHBs and colors to 802.1p priorities.
l Table 3-7 lists the mappings from PHBs and colors to DSCP priorities.
l Table 3-8 lists the mappings from PHBs and colors to EXP priorities in MPLS packets.
The mappings from interface priorities to PHBs and colors are similar to the mappings from
802.1p priorities to PHBs and colors. Colors of packets are only used to determine whether to
drop packets and do not affect mappings between internal priorities and queues.
NOTE
Only the S6720EI supports the mappings between EXP priorities and PHBs/colors.
Table 3-6 Mappings from PHBs and colors to 802.1p priorities of outgoing VLAN packets in
the DiffServ domain
PHB Color 802.1p Priority
BE green 0
BE yellow 0
BE red 0
AF1 green 1
AF1 yellow 1
AF1 red 1
AF2 green 2
AF2 yellow 2
AF2 red 2
AF3 green 3
AF3 yellow 3
AF3 red 3
AF4 green 4
AF4 yellow 4
AF4 red 4
EF green 5
EF yellow 5
EF red 5
CS6 green 6
CS6 yellow 6
CS6 red 6
CS7 green 7
CS7 yellow 7
CS7 red 7
Table 3-7 Mappings from PHBs and colors to DSCP priorities of outgoing IP packets in the
DiffServ domain
PHB Color DSCP
BE green 0
BE yellow 0
BE red 0
AF1 green 10
AF1 yellow 12
AF1 red 14
AF2 green 18
AF2 yellow 20
AF2 red 22
AF3 green 26
AF3 yellow 28
AF3 red 30
AF4 green 34
AF4 yellow 36
AF4 red 38
EF green 46
EF yellow 46
EF red 46
CS6 green 48
CS6 yellow 48
CS6 red 48
CS7 green 56
CS7 yellow 56
CS7 red 56
Table 3-8 Mappings from PHBs and colors to EXP priorities of outgoing packets in the
DiffServ domain
PHB Color EXP Priority
BE green 0
BE yellow 0
BE red 0
AF1 green 1
AF1 yellow 1
AF1 red 1
AF2 green 2
AF2 yellow 2
AF2 red 2
AF3 green 3
AF3 yellow 3
AF3 red 3
AF4 green 4
AF4 yellow 4
AF4 red 4
EF green 5
EF yellow 5
EF red 5
CS6 green 6
CS6 yellow 6
CS6 red 6
CS7 green 7
CS7 yellow 7
CS7 red 7
Pre-configuration Tasks
Before configuring priority mapping, complete the following tasks:
l Set physical parameters for relevant interfaces.
l Set the link-layer attributes for relevant interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
----End
Procedure
Step 1 Run:
system-view
NOTE
When an interface has been switched to Layer 3 mode using the undo portswitch command, this
interface uses the priority 0 and you cannot configure a priority for it.
----End
l When traffic arrives at the device, the device maps packet priorities to PHBs and colors.
The device then performs congestion management based on PHBs and performs
congestion avoidance based on colors.
l When sending traffic out, the device maps PHBs and colors of packets to priorities. The
downstream device then provides QoS services based on packet priorities.
Procedure
Step 1 Run:
system-view
Step 2 Run:
diffserv domain { default | ds-domain-name }
The domain default defines default mappings between packet priorities and PHBs/colors. You
can modify the mappings defined in the domain default but cannot delete this domain. In
addition to the domain default, you can create a maximum of seven DiffServ domains.
Map the PHBs and colors of outgoing MPLS packets on an interface to the EXP priorities.
mpls-exp-outbound service-class color map exp-value
NOTE
Only the S6720EI supports mappings from MPLS EXP priorities to PHBs and colors on interfaces in the
inbound direction and mappings from PHBs and colors to MPLS EXP priorities on interfaces in the
outbound direction.
----End
Context
You can bind a DiffServ domain to an inbound or outbound interface of packets to enable the
device to implement mapping between packet priorities and PHBs/colors according to the
mappings defined in the DiffServ domain.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
trust upstream { ds-domain-name | default | none }
If trust upstream none is configured on an interface, the system does not perform priority
mapping for incoming and outgoing packets.
To change the DiffServ domain bound to an interface, run the undo trust upstream
command to unbind the original DiffServ domain from the interface, and then run the trust
upstream command to bind the new DiffServ domain to the interface.
----End
Context
By configuring the mappings between local priorities and queues, the device sends packets to
the specified queue based on the mappings between local priorities and queues.
NOTE
The S5720HI does not support the mapping between local priorities and queues.
Procedure
Step 1 Run:
system-view
----End
Background
Priority re-marking is a method of changing priority fields of the packets that match certain
traffic classification rules. For example, you can configure priority mapping to change the
802.1p priority of VLAN packets or DSCP priority and local priority of IP packets.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the view
of an existing traffic classifier is displayed.
The logical operator and between the rules in the traffic classifier means that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match any one of rules in the classifier.
By default, the logical operator used between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
NOTE
The S5720HI does not allow traffic classifiers to reference advanced ACLs containing the
ttl-expired field or user-defined ACLs.
On the S5720HI, if a traffic classifier contains if-match ipv6 acl { acl-number | acl-name },
the associated traffic behavior cannot contain the remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, or remark vlan-id vlan-id action.
d. Run:
quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
b. Run the following commands as required:
n To re-mark the 802.1p priority field of packets matching the traffic classifier,
run remark 8021p [ 8021p-value | inner-8021p ].
NOTE
The remark 8021p inner-8021p action can only be used in the inbound direction.
If a traffic policy containing remark 8021p is applied to the outbound direction on an
interface, the VLAN of the outbound interface must work in tagged mode.
n To re-mark the DSCP priority field of packets matching the traffic classifier,
run remark dscp { dscp-name | dscp-value }.
n To re-mark the local priority field of packets matching the traffic classifier, run
remark local-precedence { local-precedence-name | local-precedence-value }
[ green | yellow | red ]
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed. If you do not specify a matching order for traffic
classifiers in the traffic policy, the default matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy command to
change the matching order of traffic classifiers in the traffic policy. To change the
matching order, delete the traffic policy, and create a new traffic policy, and specify
the matching order.
When creating a traffic policy, you can specify the matching order of traffic
classifiers in the traffic policy. The traffic classifiers can be matched in automatic
order (auto) or configuration order (config):
n If the matching order is auto, traffic classifiers are matched in descending
order of priorities pre-defined in the system: traffic classifiers based on Layer
2 and Layer 3 information > traffic classifiers based on Layer 2 information >
traffic classifiers based on Layer 3 information. If a data flow matches multiple
traffic classifiers that are associated with conflicting traffic behaviors, the
traffic behavior associated with the traffic classifier of the highest priority
takes effect.
n If the matching order is config, traffic classifiers are matched in descending
order of priorities manually or dynamically allocated to them. A traffic
classifier with a smaller precedence value has a higher priority and is matched
earlier. If you do not specify precedence-value when creating a traffic
classifier, the system allocates a precedence value to the traffic classifier. The
allocated precedence value is [(max-precedence + 5)/5] x 5, where max-precedence is the
greatest precedence value among the existing traffic classifiers.
NOTE
If more than 128 rate limiting ACL rules are configured in the system, traffic policies must
be applied in the sequence of interface view, VLAN view, and system view. To update an
ACL rule, delete all the associated traffic policies from the interface, VLAN, and system,
reconfigure the traffic policies, and then apply them to the interface, VLAN, and system in
sequence again.
b. Run:
classifier classifier-name behavior behavior-name
NOTE
Applying traffic policies consumes ACL resources. If there are not sufficient ACL
resources, some traffic policies may fail to be applied. For example, an if-match rule in
a traffic policy occupies an ACL. When the traffic policy is applied to M interfaces, M
ACLs are occupied. When a traffic policy is applied to a VLAN or in the system, the
number of occupied ACLs is the number of LPUs on the device. For details about
ACLs occupied by if-match rules, see Table 2-4 in 2.2 Configuration Notes.
– Applying a traffic policy to the system
i. Run:
system-view
Traffic policies can be applied to a sub-interface, but the display traffic-applied command cannot be
used to check the ACL-based simplified and MQC-based traffic policies applied to the sub-interface.
Networking Requirements
The S5720HI is used as an example. After priority mapping is configured, the switch maps
802.1p priorities of packets to different CoS values so that it can provide differentiated
services.
As shown in Figure 3-5, GE0/0/3 on the Switch connects to the router. Department 1 and 2
access the Internet through the Switch and router. Department 1 belongs to VLAN 100 and
Department 2 belongs to VLAN 200.
Department 1 requires better QoS guarantee. 802.1p priorities of packets from Departments 1
and 2 are both 0. A DiffServ domain needs to be defined to map priorities of packets from
Departments 1 and 2 to 4 and 2, respectively so that differentiated services are provided.
Figure 3-5 Networking diagram: the Switch connects to the core network through GE0/0/3;
Department 1 (VLAN 100) connects to GE0/0/1 and Department 2 (VLAN 200) connects to GE0/0/2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that Department 1 and 2 can connect to the
Internet through the Switch.
2. Create DiffServ domains, and map 802.1p priorities to PHBs and colors.
3. Bind DiffServ domains to GE0/0/1 and GE0/0/2 on the Switch, respectively.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100 and VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces; add GE0/0/1 to VLAN 100,
GE0/0/2 to VLAN 200, and GE0/0/3 to both VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
diffserv domain ds1
8021p-inbound 0 phb af4 green
diffserv domain ds2
8021p-inbound 0 phb af2 green
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
trust upstream ds1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
trust upstream ds2
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
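The following Python model is an added illustration (not Huawei code) of the mapping the Switch performs in this example and of the default tables earlier in this chapter: it traces a VLAN-tagged packet through the 8021p-inbound mapping of the domain bound with trust upstream, the queue of Table 3-5 it enters, and the outbound 802.1p/DSCP re-marking of Tables 3-6 and 3-7 on the egress interface. Treating the queue index as equal to the interface priority under trust upstream none is an assumption of the model.

```python
"""Model of the DiffServ-domain priority mapping described in this chapter:
default inbound mapping (Table 3-2), default outbound mappings (Tables 3-6 and
3-7), PHB-to-queue mapping (Table 3-5) and the ds1/ds2 domains of the example.
Added illustration, not Huawei code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PHBS = ("BE", "AF1", "AF2", "AF3", "AF4", "EF", "CS6", "CS7")
COLORS = ("green", "yellow", "red")

# Table 3-2: 802.1p value -> (PHB, color); every value is green by default.
DEFAULT_8021P_INBOUND: Dict[int, Tuple[str, str]] = {p: (PHBS[p], "green") for p in range(8)}

# Table 3-7: (PHB, color) -> outbound DSCP.  Only the AF classes vary by color.
DEFAULT_DSCP_OUTBOUND: Dict[Tuple[str, str], int] = {}
for _phb, _base in (("BE", 0), ("AF1", 10), ("AF2", 18), ("AF3", 26),
                    ("AF4", 34), ("EF", 46), ("CS6", 48), ("CS7", 56)):
    for _i, _color in enumerate(COLORS):
        DEFAULT_DSCP_OUTBOUND[(_phb, _color)] = _base + (2 * _i if _phb.startswith("AF") else 0)

# Table 3-5: PHB -> queue index on the S6720EI, S5720EI and S5720HI.
QUEUE_OF_PHB: Dict[str, int] = {phb: i for i, phb in enumerate(PHBS)}


def default_8021p_outbound(phb: str, color: str) -> int:
    """Table 3-6: the outbound 802.1p value follows the PHB; color does not change it."""
    return PHBS.index(phb)


@dataclass
class DiffServDomain:
    """One 'diffserv domain' with its 8021p-inbound and outbound DSCP tables."""
    name: str
    inbound_8021p: Dict[int, Tuple[str, str]] = field(
        default_factory=lambda: dict(DEFAULT_8021P_INBOUND))
    outbound_dscp: Dict[Tuple[str, str], int] = field(
        default_factory=lambda: dict(DEFAULT_DSCP_OUTBOUND))

    def set_8021p_inbound(self, value: int, phb: str, color: str = "green") -> None:
        """Equivalent of '8021p-inbound <value> phb <phb> <color>' in the domain view."""
        phb = phb.upper()
        if value not in range(8) or phb not in PHBS or color not in COLORS:
            raise ValueError(f"invalid mapping {value} -> {phb} {color}")
        self.inbound_8021p[value] = (phb, color)


DEFAULT_DOMAIN = DiffServDomain("default")


@dataclass
class Interface:
    """trust_upstream is the bound domain; the domain default applies when nothing
    is bound, and None models 'trust upstream none' (no mapping in either direction)."""
    name: str
    trust_upstream: Optional[DiffServDomain] = field(default_factory=lambda: DEFAULT_DOMAIN)
    priority: int = 0   # interface priority, used when inbound mapping is off


def forward(ingress: Interface, egress: Interface, pri_8021p: int, dscp: int = 0) -> dict:
    """Trace one VLAN-tagged packet: inbound mapping to PHB/color, the queue it
    enters, and the priorities it leaves with on the egress interface."""
    if ingress.trust_upstream is None:
        # trust upstream none: no PHB is assigned and the packet enters the queue
        # of the interface priority (assumed here: queue index == priority value).
        return {"phb": None, "color": None, "queue": ingress.priority,
                "out_8021p": pri_8021p, "out_dscp": dscp}
    phb, color = ingress.trust_upstream.inbound_8021p[pri_8021p]
    result = {"phb": phb, "color": color, "queue": QUEUE_OF_PHB[phb],
              "out_8021p": pri_8021p, "out_dscp": dscp}
    if egress.trust_upstream is not None:   # none on the egress side: fields left as is
        result["out_8021p"] = default_8021p_outbound(phb, color)
        result["out_dscp"] = egress.trust_upstream.outbound_dscp[(phb, color)]
    return result


def example_switch() -> Dict[str, dict]:
    """The configuration file above: ds1 on GE0/0/1 (Department 1), ds2 on GE0/0/2
    (Department 2), uplink GE0/0/3 with no domain bound; both departments send 802.1p 0."""
    ds1 = DiffServDomain("ds1")
    ds1.set_8021p_inbound(0, "af4", "green")
    ds2 = DiffServDomain("ds2")
    ds2.set_8021p_inbound(0, "af2", "green")
    ge1 = Interface("GigabitEthernet0/0/1", ds1)
    ge2 = Interface("GigabitEthernet0/0/2", ds2)
    ge3 = Interface("GigabitEthernet0/0/3")
    return {"department1": forward(ge1, ge3, 0), "department2": forward(ge2, ge3, 0)}


if __name__ == "__main__":
    for dept, trace in example_switch().items():
        print(dept, trace)
```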
Procedure
Step 1 Check whether priority mappings are correct.
Run the display this command in the inbound interface view and check the configuration of
the trust upstream command. Then, run the display diffserv domain name domain-name
command to check whether the priority mappings configured in the trusted DiffServ domain
are correct.
l If not, run the ip-dscp-inbound or 8021p-inbound command to correctly configure
priority mappings.
l If so, go to step 2.
Step 2 Check whether any configurations are affecting packet queuing on the inbound interface.
The following configurations affect the queues that packets enter on the inbound interface:
l If the port vlan-stacking command is configured with remark-8021p specified, the
priorities of packets are re-marked. Local priorities are assigned based on the re-marked
802.1p priorities, so packets do not enter the expected queues according to the priority
mapping configuration.
l If the port vlan-mapping vlan inner-vlan, or port vlan-mapping vlan map-vlan
command is configured with remark-8021p specified, the 802.1p priorities of packets
are re-marked. Local priorities are assigned based on the re-marked 802.1p priorities, so
packets do not enter the expected queues according to the priority mapping
configuration.
l If the packets match a traffic-policy that is applied to the inbound direction and contains
a remark local-precedence traffic behavior, the system sends packets to queues based
on the re-marked local priorities.
l If the packets match a traffic-policy that is applied to the inbound direction and contains
a remark 8021p, remark ip-precedence, or remark dscp traffic behavior, the system
assigns local priorities to packets based on the re-marked priorities of packets and sends
the packets to queues based on the local priorities.
l If the trust upstream none command is configured, the system does not perform
priority mapping for any packets received on the interface. All the incoming packets
enter the queue mapped to the interface priority.
l If the port link-type dot1q-tunnel command is configured but the trust 8021p inner
command is not, all the incoming packets enter the queue mapped to the interface
priority.
Run the display this command in the inbound interface view to check whether any of the
preceding commands are configured on the interface.
l If so, delete or modify the configuration as required.
l If not, go to step 3.
Step 3 Check whether any configurations are affecting packet queuing in the VLAN to which the
packets belong.
The following configurations affect packet queuing in a VLAN:
l If the packets match a traffic-policy that is applied to the inbound direction and contains
a remark local-precedence traffic behavior, the system sends packets to queues based
on the re-marked PHBs.
l If the packets match a traffic-policy that is applied to the inbound direction and contains
a remark 8021p, remark ip-precedence, or remark dscp traffic behavior, the system
maps the re-marked priorities of packets to local priorities and sends the packets to
queues based on the mapped priorities.
Run the display this command in the VLAN view to check whether there are any of the
preceding configurations in the VLAN.
l If so, delete or modify the configuration as required.
l If not, go to step 4.
Step 4 Check whether any configurations are affecting packet queuing in the system.
The following configurations affect the queues that packets enter in the system:
l If the qos local-precedence-queue-map command is configured, the system sends
packets to queues based on the mapping between local priorities and queues specified by
this command.
NOTE
l If the packets match a global policy traffic-policy global that is applied to the inbound
direction and contains a remark local-precedence traffic behavior, the system sends
packets to queues based on the re-marked local priorities.
l If the packets match a global policy traffic-policy global that is applied to the inbound
direction and contains a remark 8021p, remark ip-precedence, or remark dscp traffic
behavior, the system maps the re-marked priorities of packets to local priorities and
sends the packets to queues based on the mapped priorities.
Run the display current-configuration command to check whether there are any of the
preceding configurations in the system. If so, delete or modify the configuration as required.
NOTE
When a traffic policy is applied to different objects simultaneously, it takes effect on the objects in the
order of interface, VLAN, and system.
----End
Procedure
Step 1 Check that packets enter the correct queues on the outbound interface.
Run the display qos queue statistics interface interface-type interface-number command to
check whether packets enter the correct queues on the outbound interface.
l If not, locate the fault according to 3.9.1 Packets Enter Incorrect Queues.
l If so, go to step 2.
Step 2 Check that the priority types trusted by the inbound and outbound interfaces are correct.
Run the display this command in the inbound or outbound interface view to check whether
the trusted priority type set using the trust command is correct. (If the trust command is not
configured, the system trusts the 802.1p priority in the outer VLAN tag by default.)
l If not, run the trust command to specify the correct priority type.
l If so, go to step 3.
Step 3 Check that the priority mapping configuration in the DiffServ domain bound to the inbound or
outbound interface is correct.
Run the display this command in the inbound or outbound interface view to check whether
the trust upstream command is configured. If not, the system trusts the DiffServ domain
default by default.
Run the display diffserv domain name domain-name command to check whether the
mappings between local priorities and packet priorities are correct.
NOTE
Local priorities are assigned to packets on the inbound interface after priority mapping.
----End
3.10 FAQ
NOTE
The DSCP priority and IP precedence use different bits of the ToS field; therefore, an interface cannot be
configured to trust DSCP priorities and IP precedences simultaneously.
The S5720SI, S5720S-SI, and S5710-X-LI do not support the trust ip-precedence command.
3.11 References
4.2 Principles
Priority Mapping
Packets carry different types of precedence field depending on the network type. For example,
packets carry the 802.1p field in a VLAN and the DSCP field on an IP network. The mapping
between the priority fields must be configured on the gateway to retain priorities of packets
when the packets traverse different networks.
The priority mapping mechanism provides the mapping from DSCP priorities to 802.1p
priorities, IP priorities to 802.1p priorities, and DSCP priorities to drop priorities. When
packets reach the device, the device maps DSCP or IP priorities in packets to 802.1p priorities
according to the mapping table. The device then determines which queues packets enter based
on the mapping between 802.1p priorities and queues, and performs traffic shaping,
congestion avoidance, and queue scheduling. In addition, the device can re-mark precedence
fields of outgoing packets so that the downstream device can provide differentiated QoS
based on packet priorities.
ToS field layout (bit 0 is the most significant bit):
Bit            0  1  2  3  4  5  6  7
ToS byte      | Precedence | D  T  R  C |  |
IP Precedence: bits 0-2
DSCP:          bits 0-5
The 802.1Q header contains a 3-bit PRI field. The PRI field defines eight service priority
values 7, 6, 5, 4, 3, 2, 1 and 0, in descending order of priority.
As shown in Figure 4-3, the enterprise campus network provides voice, video, and data
services, with priorities in descending order. When different service flows of enterprise users
arrive at the ISP network, devices on the ISP network must identify priorities of the services
to provide differentiated services.
A switch can identify packets based on priority fields, such as 802.1p or DSCP. When packets
arrive at the switch, the switch maps packet priorities to local priorities and drop priorities,
and provides different QoS services based on the local priorities and drop priorities.
Figure 4-3 Networking diagram: voice, video, and data flows from the enterprise traverse
SwitchA and SwitchB toward the router on the ISP network (traffic direction: enterprise to ISP).
Service Deployment
l On SwitchA, configure a traffic policy in the inbound direction to re-mark voice, video,
and data packets with different DSCP priorities. The priorities of voice, video, and data
services are in descending order.
l Configure SwitchB to map DSCP priorities of incoming packets to 802.1p priorities and
drop priorities. SwitchB then provides differentiated services based on local priorities
mapped to the 802.1p priorities and drop priorities.
l Mappings from DSCP priorities to 802.1p priorities and drop priorities are listed in
Table 4-1. The output DSCP priorities are the same as the input DSCP priorities.
l Mappings from IP priorities to 802.1p priorities and IP priorities are listed in Table 4-2.
NOTE
The S5720SI, S5720S-SI, and S5710-X-LI do not support mappings from IP priorities to 802.1p
priorities or IP priorities.
Table 4-1 Mappings from DSCP priorities to 802.1p priorities and drop priorities
Input DSCP Output 802.1p Priority Output Drop Priority
0-7 0 0
8-15 1 0
16-23 2 0
24-31 3 0
32-39 4 0
40-47 5 0
48-55 6 0
56-63 7 0
Table 4-2 Mappings from IP priorities to 802.1p priorities and IP priorities
Input IP Priority Output 802.1p Priority Output IP Priority
0 0 0
1 1 1
2 2 2
3 3 3
4 4 4
5 5 5
6 6 6
7 7 7
The default mappings from 802.1p priorities to local priorities are listed in Table 4-3.
Table 4-3 Default mappings from 802.1p priorities to local priorities
802.1p Priority Local Priority
0 BE
1 AF1
2 AF2
3 AF3
4 AF4
5 EF
6 CS6
7 CS7
NOTE
The devices use the default mappings from 802.1p priorities to local priorities, and the mappings cannot
be changed.
Before configuring priority mapping, configure link layer attributes of interfaces to ensure
that the interfaces work properly.
Context
You can configure the device to trust any of the following priorities on an interface:
l 802.1p priority
For VLAN-tagged incoming packets, the system maps 802.1p priorities of the packets to
local priorities based on the default mappings. For untagged incoming packets, the
system uses the default 802.1p priority of the interface for priority mapping and maps the
default 802.1p priority to a local priority based on the default mappings.
l DSCP priority
The system searches the DSCP priority mapping table based on DSCP priorities of
packets to re-mark 802.1p priorities or DSCP priorities of the packets or map DSCP
priorities of the packets to drop priorities.
l IP priority
The system searches the IP priority mapping table based on IP priorities of packets to re-
mark 802.1p priorities or IP priorities of the packets.
NOTE
The S5720SI, S5720S-SI, and S5710-X-LI do not support trusting the IP priority.
Procedure
Step 1 Run:
system-view
NOTE
The S5720SI, S5720S-SI, and S5710-X-LI do not support the ip-precedence parameter.
----End
Procedure
Step 1 Run:
system-view
----End
Context
The device performs priority mapping based on packet priorities. The mappings between
priorities can be configured in the priority mapping table. The device can map DSCP
priorities to 802.1p priorities, drop priorities, or new DSCP priorities.
Procedure
Step 1 Run:
system-view
Step 2 Run:
qos map-table { dscp-dot1p | dscp-dp | dscp-dscp }
NOTE
l The DSCP priority mapping and IP priority mapping tables cannot be used together. When you configure
DSCP priority mapping after IP priority mapping has been configured, the system displays the message
"Error: Configuration conflicts with IP precedence map-table."
l In a version earlier than V200R007, DSCP priority mapping and IP priority mapping can be configured
simultaneously. When the system software is upgraded to V200R007 or a later version, both DSCP
priority mapping and IP priority mapping tables can be restored, but only the DSCP priority mapping
table takes effect. To modify the DSCP priority mapping table, run the undo input command in the IP
priority mapping table view to delete the IP priority mapping table configuration first.
Step 3 Run:
input { input-value1 [ to input-value2 ] &<1-10> } output output-value
----End
Context
The device performs priority mapping based on packet priorities. The mappings between
priorities can be configured in the priority mapping table. The device can map IP priorities to
802.1p priorities or new IP priorities.
NOTE
The S5720SI, S5720S-SI, and S5710-X-LI do not support configuring mappings from IP priorities to
802.1p priorities or new IP priorities.
Procedure
Step 1 Run:
system-view
NOTE
l The DSCP priority mapping and IP priority mapping tables cannot be used together. When you configure
an IP priority mapping table on a device where a DSCP priority mapping has been configured, the system
displays a message "Error: Configuration conflicts with DSCP map-table."
l In a version earlier than V200R007, DSCP priority mapping and IP priority mapping can be configured
simultaneously. When the system software is upgraded to V200R007 or a later version, both DSCP
priority mapping and IP priority mapping can be restored, but only the DSCP priority mapping table takes
effect. To modify the IP priority mapping table, run the undo input command in the DSCP priority
mapping table view to delete the DSCP priority mapping table configuration first.
Step 3 Run:
input input-value1 [ to input-value2 ] output output-value
----End
Context
By configuring the mappings between local priorities and queues, the device sends packets to
the specified queue based on the mappings between local priorities and queues.
NOTE
The S5720HI does not support the mapping between local priorities and queues.
Procedure
Step 1 Run:
system-view
The mappings between local priorities and queues take effect only on the inbound interface.
That is, traffic enters queues based on the mappings.
----End
Procedure
l Run the display qos map-table [ dscp-dot1p | dscp-dp | dscp-dscp | ip-pre-dot1p |
ip-pre-ip-pre ] command to check the mapping between priorities.
l Run the display qos local-precedence-queue-map command to check the mapping
between local priorities and queues.
----End
Background
Priority re-marking is a method of changing priority fields of the packets that match certain
traffic classification rules. For example, you can configure priority mapping to change the
802.1p priority of VLAN packets or DSCP priority and local priority of IP packets.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the view
of an existing traffic classifier is displayed.
The logical operator and between the rules in the traffic classifier means that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match any one of rules in the classifier.
By default, the logical operator used between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
d. Run:
quit
A traffic policy is created and the traffic policy view is displayed, or the view of an
existing traffic policy is displayed.
b. Run:
classifier classifier-name behavior behavior-name
It is not recommended to use the traffic policy containing remark 8021p and remark
vlan-id in the outbound direction of an untagged interface. This configuration may
cause incorrect information in the packets.
– Applying a traffic policy to a VLAN
i. Run:
vlan vlan-id
Applying traffic policies consumes ACL resources. If there are not sufficient ACL
resources, some traffic policies may fail to be applied. For example, an if-match rule in
a traffic policy occupies an ACL. When the traffic policy is applied to M interfaces, M
ACLs are occupied. When a traffic policy is applied to a VLAN or in the system, the
number of occupied ACLs is the number of LPUs on the device. For details about
ACLs occupied by if-match rules, see Table 2-4 in 2.2 Configuration Notes.
– Applying a traffic policy to the system
i. Run:
traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]
A traffic policy that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified stack ID.
The system then performs traffic policing for all the incoming and
outgoing packets that match traffic classification rules on this member
switch.
○ On a standalone switch, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of the local switch. The system
then performs traffic policing for all the incoming and outgoing packets
that match traffic classification rules on the local switch. Traffic policies
applied to the slot and system have the same functions.
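The following Python model is an added illustration (not Huawei code) of the classifier, behavior and policy semantics described in the two priority re-marking procedures above: the and/or operators including the special case for ACL rules, the matching order config with the precedence formula [(max-precedence + 5)/5] x 5, and the voice/video/data re-marking of the Service Deployment. The command syntax for creating a classifier is not shown in this extract, and the packet fields, port numbers and DSCP values are constructed for the example; a first classifier receiving precedence 5 is an assumption.

```python
"""Traffic classifier, traffic behavior and traffic policy semantics from the
two 'Configuring Priority Re-marking' procedures above.  Added illustration,
not Huawei code.  Packet fields, rule predicates, port numbers and DSCP values
are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Rule = Callable[[Packet], bool]


@dataclass
class Classifier:
    """A traffic classifier: rules joined by 'and' (default) or 'or', with an
    optional precedence value (smaller value = matched earlier)."""
    name: str
    operator: str = "and"
    acl_rules: List[Rule] = field(default_factory=list)    # if-match acl rules
    other_rules: List[Rule] = field(default_factory=list)  # non-ACL if-match rules
    precedence: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        acl_hits = [rule(pkt) for rule in self.acl_rules]
        other_hits = [rule(pkt) for rule in self.other_rules]
        if not acl_hits and not other_hits:
            return False                 # assumed: a classifier without rules matches nothing
        if self.operator == "or":
            return any(acl_hits + other_hits)
        if acl_hits:                     # 'and' with ACL rules: one ACL rule and all the others
            return any(acl_hits) and all(other_hits)
        return all(other_hits)           # 'and' without ACL rules: every rule


@dataclass
class Behavior:
    """A traffic behavior: re-mark actions as field -> new value, e.g. {'dscp': 46}
    for 'remark dscp 46' or {'8021p': 5} for 'remark 8021p 5'."""
    name: str
    remarks: Dict[str, object] = field(default_factory=dict)

    def apply(self, pkt: Packet) -> Packet:
        out = dict(pkt)
        out.update(self.remarks)
        return out


def allocate_precedence(existing: List[Classifier]) -> int:
    """[(max-precedence + 5)/5] x 5 over the existing classifiers; 5 when there
    are none yet (assumed starting value)."""
    values = [c.precedence for c in existing if c.precedence is not None]
    return (max(values) + 5) // 5 * 5 if values else 5


class TrafficPolicy:
    """Matching order 'config': classifiers are tried in ascending precedence and
    the behavior of the first matching classifier takes effect."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.bindings: List[Tuple[Classifier, Behavior]] = []

    def classifier_behavior(self, cls: Classifier, beh: Behavior) -> None:
        """'classifier <name> behavior <name>'; allocates a precedence if none was given."""
        if cls.precedence is None:
            cls.precedence = allocate_precedence([c for c, _ in self.bindings])
        self.bindings.append((cls, beh))

    def apply(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        for cls, beh in sorted(self.bindings, key=lambda cb: cb[0].precedence):
            if cls.matches(pkt):
                return beh.apply(pkt), cls.name
        return dict(pkt), None


def example_policy() -> TrafficPolicy:
    """SwitchA's inbound policy from Service Deployment: voice > video > data.
    Voice needs one of two ACL rules (media or signalling port) plus the VLAN rule."""
    in_vlan100 = lambda p: p["vlan"] == 100
    voice = Classifier("voice", acl_rules=[
        lambda p: p["proto"] == "udp" and 16384 <= p["dport"] <= 32767,  # media (constructed)
        lambda p: p["proto"] == "udp" and p["dport"] == 5060],           # signalling (constructed)
        other_rules=[in_vlan100])
    video = Classifier("video", acl_rules=[lambda p: p["proto"] == "udp" and p["dport"] == 5004],
                       other_rules=[in_vlan100])
    data = Classifier("data", other_rules=[in_vlan100])      # everything else in the VLAN
    policy = TrafficPolicy("p1")
    for cls, dscp in ((voice, 46), (video, 34), (data, 10)):  # descending DSCP (constructed)
        policy.classifier_behavior(cls, Behavior("b-" + cls.name, {"dscp": dscp}))
    return policy


def remark_samples() -> List[Tuple[Optional[str], int]]:
    """(matching classifier, resulting DSCP) for four constructed packets."""
    samples: List[Packet] = [
        {"vlan": 100, "proto": "udp", "dport": 20000, "dscp": 0},
        {"vlan": 100, "proto": "udp", "dport": 5004, "dscp": 0},
        {"vlan": 100, "proto": "tcp", "dport": 443, "dscp": 0},
        {"vlan": 200, "proto": "udp", "dport": 20000, "dscp": 0},   # outside the VLAN
    ]
    policy = example_policy()
    return [(name, out["dscp"]) for out, name in (policy.apply(p) for p in samples)]


if __name__ == "__main__":
    print(remark_samples())
```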
Figure: Enterprise Branch 1 (VLAN 100) connects through LSW1 to GE0/0/1 of SwitchA, and
Enterprise Branch 2 (VLAN 200) connects through LSW2 to GE0/0/1 of SwitchB; GE0/0/2 of
SwitchA and of SwitchB connect to the Router in the Core Network.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the enterprise can access the network.
2. Configure priority mapping to map DSCP priorities of data packets from enterprise
branches 1 and 2 to 45 and 30 respectively.
Procedure
Step 1 Configure SwitchA.
# Create VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and add them to VLAN 100.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Configure GE0/0/1 and GE0/0/2 to trust the DSCP priorities of packets.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] trust dscp
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] trust dscp
[SwitchA-GigabitEthernet0/0/2] quit
Step 2 Configure SwitchB.
# Create VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 200
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and add them to VLAN 200.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchB-GigabitEthernet0/0/2] quit
return
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] display this
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
trust dscp
#
return
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
trust dscp
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
trust dscp
#
qos map-table dscp-dscp
input 0 to 44 output 45
input 46 to 63 output 45
#
return
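The following Python model is an added illustration (not Huawei code) of what 4.2 Principles and the SwitchA configuration above describe: the overlapping IP precedence and DSCP fields of the ToS byte (which is why an interface cannot trust both), the default DSCP-to-802.1p mapping of Table 4-1, the input ... output command of a qos map-table, and the conflict between the DSCP and IP-precedence table families. Bit numbering follows the ToS figure (bit 0 is the most significant bit); the output range 0-2 assumed for the dscp-dp table is not stated on the page.

```python
"""ToS-byte fields, the default DSCP-to-802.1p mapping (Table 4-1) and the
'qos map-table' configuration of the SwitchA example above.
Added illustration, not Huawei code.  Bit numbers follow the ToS figure, where
bit 0 is the most significant bit of the byte."""
import re
from typing import Dict, Tuple


def tos_fields(tos: int) -> Dict[str, int]:
    """IP precedence is bits 0-2 and DSCP is bits 0-5 of the same byte, which is
    why an interface cannot trust DSCP and IP precedence at the same time."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    return {"ip_precedence": tos >> 5, "dscp": tos >> 2, "low_bits": tos & 0b11}


def default_dscp_to_8021p(dscp: int) -> Tuple[int, int]:
    """Table 4-1: DSCP 0-7 -> 802.1p 0, 8-15 -> 1, ..., 56-63 -> 7; drop priority 0.
    The 802.1p value is the top three bits of the DSCP, i.e. the IP precedence."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    return dscp >> 3, 0


# (largest input value, largest output value) per table named in 'qos map-table'.
# The drop-priority range 0-2 for dscp-dp is an assumption of this model.
TABLE_RANGES = {"dscp-dot1p": (63, 7), "dscp-dp": (63, 2), "dscp-dscp": (63, 63),
                "ip-pre-dot1p": (7, 7), "ip-pre-ip-pre": (7, 7)}


class MapTable:
    """One priority mapping table.  Defaults follow Table 4-1 for dscp-dot1p and
    dscp-dp; the other tables start as identity (output equals input)."""
    _CMD = re.compile(r"^input\s+(.+?)\s+output\s+(\d+)$")

    def __init__(self, kind: str) -> None:
        self.kind = kind
        self.in_max, self.out_max = TABLE_RANGES[kind]
        self.table: Dict[int, int] = {v: self._default(v) for v in range(self.in_max + 1)}

    def _default(self, v: int) -> int:
        if self.kind == "dscp-dot1p":
            return v >> 3
        if self.kind == "dscp-dp":
            return 0
        return v

    def input(self, line: str) -> None:
        """Apply 'input { v1 [ to v2 ] &<1-10> } output out' (at most 10 groups)."""
        m = self._CMD.match(line.strip())
        if not m:
            raise ValueError(f"not an input command: {line!r}")
        tokens, out = m.group(1).split(), int(m.group(2))
        if out > self.out_max:
            raise ValueError(f"output {out} exceeds {self.out_max} for {self.kind}")
        i, groups = 0, 0
        while i < len(tokens):
            lo = hi = int(tokens[i])
            i += 1
            if i < len(tokens) and tokens[i] == "to":
                hi = int(tokens[i + 1])
                i += 2
            groups += 1
            if groups > 10 or not 0 <= lo <= hi <= self.in_max:
                raise ValueError(f"bad input group in {line!r}")
            for v in range(lo, hi + 1):
                self.table[v] = out


class Device:
    """Holds the configured tables and enforces the exclusivity between the DSCP
    and IP-precedence families, with the error text quoted in the NOTEs above."""
    DSCP_KINDS = ("dscp-dot1p", "dscp-dp", "dscp-dscp")
    IP_PRE_KINDS = ("ip-pre-dot1p", "ip-pre-ip-pre")

    def __init__(self) -> None:
        self.tables: Dict[str, MapTable] = {}

    def qos_map_table(self, kind: str) -> MapTable:
        """'qos map-table <kind>': enter (creating if needed) the table view."""
        if kind in self.DSCP_KINDS and any(k in self.IP_PRE_KINDS for k in self.tables):
            raise RuntimeError("Error: Configuration conflicts with IP precedence map-table.")
        if kind in self.IP_PRE_KINDS and any(k in self.DSCP_KINDS for k in self.tables):
            raise RuntimeError("Error: Configuration conflicts with DSCP map-table.")
        return self.tables.setdefault(kind, MapTable(kind))


def conflicts(first: str, second: str) -> bool:
    """True when configuring table 'second' after table 'first' is rejected."""
    dev = Device()
    dev.qos_map_table(first)
    try:
        dev.qos_map_table(second)
    except RuntimeError:
        return True
    return False


def switch_a_example() -> Dict[int, int]:
    """The SwitchA configuration file: 0-44 and 46-63 are mapped to 45 and 45 itself
    is untouched, so every DSCP from branch 1 leaves as 45."""
    table = Device().qos_map_table("dscp-dscp")
    table.input("input 0 to 44 output 45")
    table.input("input 46 to 63 output 45")
    return dict(table.table)


if __name__ == "__main__":
    print(tos_fields(0xB8), default_dscp_to_8021p(46))
    print(sorted(set(switch_a_example().values())))
```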
Common Causes
This fault is commonly caused by one of the following:
l The priority type of packets is different from the priority type trusted by the inbound
interface.
l Priority mapping in the priority mapping table is incorrect.
l There are configurations affecting the queues that packets enter on the inbound interface,
including:
l There are configurations affecting the queues that packets enter in the VLAN to which
the packets belong.
l There are configurations affecting the queues that packets enter in the system.
Procedure
Step 1 Check that the priority type of packets is the same as the priority type trusted by the inbound
interface.
Run the display this command in the inbound interface view to check the configuration of the
trust command on the inbound interface (if the trust command is not used, the system does
not trust any priority by default). Then obtain the packet header on the inbound interface, and
check whether the priority type is the same as the priority type trusted by the inbound
interface.
l If not, run the trust command to modify the priority type trusted by the inbound
interface to be the same as the priority type of the captured packets.
l If so, go to step 2.
Step 2 Check whether priority mappings are correct.
The switch sends packets to queues based on the internal (local) priority; therefore, check the
mappings between the DSCP or 802.1p priorities trusted by the interface and internal priorities.
Enter the priority mapping table view and run the display this command to check whether
priority mapping is configured correctly.
l If priority mapping is configured incorrectly, run the qos map-table command to enter
the priority mapping table view, and then run the input (DSCP priority mapping table
view) or input (IP priority mapping table view) command to configure priority mapping
correctly.
NOTE
The S5720SI, S5720S-SI, S5710-X-LI do not support mappings from IP priorities to 802.1p
priorities or IP priorities, so the input (IP priority mapping table view) command, and the ip-pre-
dot1p and ip-pre-ip-pre parameters in the qos map-table command are not supported.
l If so, go to step 3.
Step 3 Check whether there are configurations affecting the queues that packets enter on the inbound
interface.
The following configurations affect the queues that packets enter on the inbound interface:
l If the port vlan-stacking command is configured with remark-8021p specified,
priorities of packets are re-marked. The mapping between the re-marked 802.1p priorities
and local priorities may then be incorrect, so packets may enter incorrect queues.
l If the port vlan-mapping vlan inner-vlan or port vlan-mapping vlan map-vlan
command is configured with remark 8021p specified, priorities of packets are re-
marked. The mapping between the re-marked 802.1p priorities and local priorities may
then be incorrect, so packets may enter incorrect queues.
l If the traffic-policy command is configured with remark local-precedence specified,
the system sends packets to queues based on the re-marked priorities.
l If the traffic-policy command that defines remark 8021p, remark ip-precedence, or
remark dscp is used, the system maps the re-marked priorities of packets to 802.1p
priorities and sends the packets to queues based on the mapped priorities.
l If the port link-type dot1q-tunnel command is configured, all the packets reaching the
interface enter queues based on the default 802.1p priority of the interface. The default
802.1p priority of an interface is set by using the port priority command. The default
802.1p priority of an interface is 0.
Run the display this command in the inbound interface view to check whether there are
configurations affecting packets queuing on the inbound interface.
Step 4 Check whether there are configurations affecting the queues that packets enter in the VLAN
that the inbound interface of the packets belongs to.
The following configurations affect the queues that packets enter:
l If the traffic-policy command where remark local-precedence is defined is used, the
system sends packets to queues based on the re-marked priorities.
Run the display this command in the view of the VLAN that the inbound interface of the
packets belongs to and check whether there are configurations affecting the queues that
packets enter in the VLAN.
l If so, delete or modify the configuration as required.
l If not, go to step 5.
Step 5 Check whether there are configurations affecting the queues that packets enter in the system.
Run the display current-configuration command to check whether there are configurations
affecting the queues that packets enter in the system. If so, delete or modify the configuration.
NOTE
If packets match traffic classifiers in two or all of the traffic policies applied to an interface, a
VLAN, and the system, the traffic policies take effect in descending order of priority: the policy
applied to the interface takes precedence over the policy applied to the VLAN, which takes
precedence over the policy applied to the system.
----End
Common Causes
This fault is commonly caused by one of the following:
l On the inbound interface, packets do not enter queues corresponding to the priority of
packets.
l The type of the priority trusted by the inbound interface is incorrect.
l Priority mapping in the priority mapping table is incorrect.
l There are configurations affecting priority mapping on the inbound or outbound
interface.
Procedure
Step 1 Check that packets enter the correct queues on the inbound interface.
Run the display qos queue statistics command to check whether packets enter the correct
queues on the inbound interface.
l If not, locate the fault according to 4.8.1 Packets Enter Incorrect Queues.
l If so, go to step 2.
Step 2 Check that the priority type trusted by the inbound interface is correct.
Run the display this command in the view of the inbound interface to check whether the
trusted priority type set by using the trust command on the inbound interface is correct. (If
the trust command is not used, the system does not trust any priority by default.)
l If not, run the trust command to correctly configure the priority type trusted by the
inbound interface.
l If so, go to step 3.
Step 3 Check whether priority mappings are correct.
Enter the priority mapping table view and run the display this command to check whether
priority mapping is configured correctly.
l If priority mapping is configured incorrectly, run the qos map-table command to enter
the priority mapping table view and the input (DSCP priority mapping table view) or
input (IP priority mapping table view) command to configure priority mapping correctly.
NOTE
The S5720SI, S5720S-SI, and S5710-X-LI do not support mapping from IP priorities to 802.1p
priorities or IP priorities, so the input (IP mapping table view) command, and the ip-pre-dot1p and ip-
pre-ip-pre parameters in the qos map-table command are not supported.
l If so, go to step 4.
Step 4 Check whether there are configurations affecting priority mapping on the inbound or
outbound interface.
The following configurations affect priority mapping on the inbound or outbound interface:
l If the traffic-policy command that defines remark 8021p, remark ip-precedence, or
remark dscp is used on the inbound or outbound interface, the re-marked priority is the
packet priority.
Run the display this command in the view of the inbound or outbound interface to check
whether there are configurations affecting priority mapping. If so, delete or modify the
configuration.
----End
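The checks in the two procedures above (a missing trust command on the inbound interface, a priority mapping table that collapses most inputs onto one output, and a traffic policy with a re-mark action applied to an interface) can be run mechanically over a saved running configuration. The following script is an added example written for this page, not Huawei code: it parses the "#"-delimited block layout shown in the configuration files above. The sample configuration is constructed in the style of the SwitchA configuration file, with an extra interface and a traffic policy added for illustration, and the 32-input collapse threshold is an assumption.

```python
"""Lint a Huawei-style running configuration for the causes named in the
troubleshooting steps above. Added example, not Huawei code."""
import re

# Constructed sample in the style of the SwitchA configuration file, with
# GE0/0/2 (no trust) and GE0/0/3 (re-marking policy) added for illustration.
SAMPLE_CONFIG = """\
#
 sysname SwitchA
#
vlan batch 100
#
traffic classifier c1 operator and
 if-match vlan-id 100
#
traffic behavior b1
 remark local-precedence 5
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
 trust dscp
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
 trust dscp
 traffic-policy p1 inbound
#
qos map-table dscp-dscp
 input 0 to 44 output 45
 input 46 to 63 output 45
#
return
"""

COLLAPSE_THRESHOLD = 32   # assumption: half of the 64 DSCP values on one output


def parse_blocks(config):
    """Split the '#'-delimited configuration into blocks of stripped lines."""
    blocks, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def lint(config):
    """Return a list of finding strings; empty when nothing is flagged."""
    blocks = parse_blocks(config)
    findings = []
    remarking = set()      # traffic behaviors that contain a remark action
    policies = {}          # traffic policy name -> behaviors it binds
    for b in blocks:
        words = b[0].split()
        if words[:2] == ["traffic", "behavior"]:
            if any(l.startswith("remark ") for l in b[1:]):
                remarking.add(words[2])
        elif words[:2] == ["traffic", "policy"]:
            policies[words[2]] = {l.split()[3] for l in b[1:]
                                  if l.startswith("classifier ")}
    for b in blocks:
        words = b[0].split()
        # Only Layer 2 ports (blocks with a "port ..." line) need a trust setting.
        if words[0] == "interface" and any(l.startswith("port ") for l in b[1:]):
            name = words[1]
            if not any(l.startswith("trust ") for l in b[1:]):
                findings.append(f"{name}: no trust command, so no priority "
                                "is trusted (step 1)")
            for l in b[1:]:
                m = re.match(r"traffic-policy (\S+) (inbound|outbound)", l)
                if m:
                    hits = policies.get(m.group(1), set()) & remarking
                    if hits:
                        findings.append(f"{name}: policy {m.group(1)} "
                                        f"{m.group(2)} re-marks priorities "
                                        f"via {sorted(hits)} (step 3)")
        elif words[:2] == ["qos", "map-table"]:
            inputs_by_output = {}
            for l in b[1:]:
                m = re.match(r"input (\d+)(?: to (\d+))? output (\d+)", l)
                if m:
                    lo, out = int(m.group(1)), int(m.group(3))
                    hi = int(m.group(2)) if m.group(2) else lo
                    inputs_by_output.setdefault(out, set()).update(range(lo, hi + 1))
            for out, ins in inputs_by_output.items():
                if len(ins) >= COLLAPSE_THRESHOLD:
                    findings.append(f"map-table {words[2]}: {len(ins)} input "
                                    f"values map to output {out} (step 2)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the sample, GE0/0/2 is reported for step 1, GE0/0/3 for step 3 (policy p1 binds behavior b1, which re-marks the local precedence), and the dscp-dscp table for step 2, because 63 of the 64 DSCP values are mapped to 45 and therefore land in the same queue. GE0/0/1 produces no finding.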
4.9 FAQ
NOTE
The DSCP priority and IP precedence are two interpretations of the same ToS (DS) byte in the
IP header: IP precedence is the upper 3 bits of the byte and DSCP is the upper 6 bits, so the
two fields overlap. An interface therefore cannot be configured to trust DSCP priorities and IP
precedences simultaneously.
The S5720SI, S5720S-SI, and S5710-X-LI do not support the trust ip-precedence command.
4.10 References
This chapter describes how to configure traffic policing, traffic shaping, and interface-based
rate limiting.
5.1 Overview
5.2 Principles
This section describes the principles behind the token bucket, traffic measurement, traffic
policing, traffic shaping, and interface-based rate limiting mechanisms.
5.3 Applications
5.4 Configuration Notes
5.5 Default Configuration
5.6 Configuring Traffic Policing
5.7 Configuring Traffic Shaping
5.8 Configuring Interface-based Rate Limiting
5.9 Maintaining Traffic Policing, Traffic Shaping, and Interface-based Rate Limiting
5.10 Configuration Examples
5.11 FAQ
5.12 References
5.1 Overview
Traffic policing, traffic shaping, and interface-based rate limiting can control the traffic rate to
improve network resource utilization and provide better services.
Network congestion may occur when the transmit rate is higher than the receive rate or the
interface rate on a downstream device is lower than the interface rate on an upstream device.
If rates of traffic sent from users are not limited, continuous burst traffic from many users will
worsen network congestion. To deliver better services to users leveraging limited network
resources, user traffic rates must be limited.
Traffic policing, traffic shaping, and interface-based rate limiting are mechanisms to monitor
and control traffic rates and resource usage.
Traffic Policing
Traffic policing monitors rates of traffic entering a network and discards excess traffic to
control incoming traffic rates within a specified range, thereby conserving network resources
and protecting user interests.
Traffic Shaping
Traffic shaping adjusts the traffic rates to enable traffic to be transmitted at an even rate,
preventing congestion on the downstream device.
5.2 Principles
This section describes the principles behind the token bucket, traffic measurement, traffic
policing, traffic shaping, and interface-based rate limiting mechanisms.
A network needs to transmit various types of service traffic for different types of users. If
rates of service traffic are not limited on the network, the network will be congested when
many users continuously generate burst traffic. To provide better service for more users with
limited network resources, rates of service traffic must be limited.
Traffic policing, traffic shaping, and interface-based rate limiting control traffic rates and
resource usage by monitoring the rates of incoming traffic entering a network. The incoming
traffic must be measured first so that measures can be taken to limit the traffic rate based on
the measurement result. Generally, the token bucket mechanism is used to measure traffic.
Overview
Traffic metering is the prerequisite for implementing traffic policing, traffic shaping, and
interface-based rate limiting to provide better service for more users with limited network
resources. Network devices determine whether the incoming traffic rate exceeds the limit and
take measures based on the metering result. Generally, the token bucket mechanism is used to
measure traffic.
A token bucket is a container that can store a certain number of tokens. The system places
tokens into a token bucket at the configured rate. If the token bucket is full, excess tokens
overflow and the number of tokens in the bucket can no longer increase. The system
determines whether there are enough tokens in the bucket for packet forwarding. If so, the
traffic rate conforms to the rate limit. Otherwise, the traffic rate exceeds or violates the rate
limit.
The token bucket algorithms mark packets red, yellow, or green based on the traffic metering
results, and the system then processes packets based on their colors. Both algorithms (srTCM
and trTCM, described below) can work in color-aware and color-blind modes. The color-blind
mode is used as an example in the following descriptions.
Single-Rate-Two-Bucket Mechanism
The single-rate-two-bucket mechanism uses the srTCM algorithm defined in RFC 2697 to
measure traffic and marks packets green, yellow, or red based on the metering result.
As shown in Figure 5-1, buckets C and E contain Tc and Te tokens respectively. The single-
rate-two-bucket mechanism uses three parameters:
l Committed information rate (CIR): indicates the rate at which tokens are put into bucket
C, that is, the average traffic rate that bucket C allows.
l Committed burst size (CBS): indicates the capacity of bucket C, that is, the maximum
volume of burst traffic that bucket C allows.
l Excess burst size (EBS): indicates the capacity of bucket E, that is, the maximum volume
of excess burst traffic that bucket E allows.
The single-rate-two-bucket mechanism allows burst traffic. A packet is marked green if bucket
C has enough tokens for it (the traffic rate is within the CIR), yellow if bucket C does not have
enough tokens but bucket E does (the burst exceeds the CBS but is within the EBS), and red if
neither bucket has enough tokens (the burst exceeds the CBS plus the EBS).
Figure 5-1 Single-rate-two-bucket mechanism (tokens enter bucket C at the CIR; tokens that
overflow the CBS enter bucket E, up to the EBS; a packet of B bytes is tested against B ≤ Tc and
then B ≤ Te)
This example uses the CIR of 1 Mbit/s and the CBS and EBS both of 2000 bytes. Buckets C
and E are initially full of tokens. In single-rate-two-bucket mode, the token buckets process
packets as follows:
l A 1500-byte packet arrives after a delay of 20 ms. Additional 2500-byte tokens are put
into bucket C (CIR x time period = 1 Mbit/s x 20 ms = 20000 bits = 2500 bytes). Bucket C
now has 3250-byte tokens. The excess 1250-byte tokens over the CBS (2000 bytes) are put
into bucket E, so bucket E has 1750-byte tokens. The packet is marked green because the
number of tokens in bucket C (2000 bytes) is greater than the packet length. The number of
tokens in bucket C decreases by 1500 bytes, with 500 bytes remaining. The number of tokens
in bucket E remains unchanged.
Single-Rate-Single-Bucket Mechanism
If burst traffic is not allowed, the EBS must be set to 0 in the single-rate-two-bucket system.
In this case, only one token bucket is used because there are always 0 tokens in bucket E.
The system places tokens into the bucket at the CIR. If Tc is less than the CBS, Tc increases.
If Tc is greater than or equal to the CBS, Tc remains unchanged.
The single-rate-single-bucket mechanism does not allow burst traffic. When the traffic rate is
lower than the CIR, packets are marked green. When the traffic rate is higher than the CIR,
packets are marked red.
Figure 5-2 Single-rate-single-bucket mechanism (tokens enter bucket C at the CIR, up to the
CBS; a packet of B bytes conforms if B ≤ Tc and violates the limit otherwise)
This example uses the CIR of 1 Mbit/s and the CBS of 2000 bytes. Bucket C is initially full of
tokens. In single-rate-single-bucket mode, the token bucket processes packets in the same way
as in single-rate-two-bucket mode, except that bucket E is always empty, so any packet that
bucket C cannot cover is marked red.
Two-Rate-Two-Bucket Mechanism
The two-rate-two-bucket mechanism uses the trTCM algorithm defined in RFC 2698 to
measure traffic and marks packets green, yellow, or red based on the metering result.
As shown in Figure 5-3, buckets P and C contain Tp and Tc tokens respectively. The two-rate-
two-bucket mechanism uses four parameters:
l Peak information rate (PIR): indicates the rate at which tokens are put into bucket P, that
is, the maximum traffic rate that bucket P allows. The PIR is greater than the CIR.
l CIR: indicates the rate at which tokens are put into bucket C, that is, the average traffic
rate that bucket C allows.
l Peak burst size (PBS): indicates the capacity of bucket P, that is, the maximum volume
of burst traffic that bucket P allows.
l CBS: indicates the capacity of bucket C, that is, the maximum volume of burst traffic
that bucket C allows.
The system places tokens into bucket P at the PIR and places tokens into bucket C at the CIR:
l If Tp is less than the PBS, Tp increases. If Tp is greater than or equal to the PBS, Tp
remains unchanged.
l If Tc is less than the CBS, Tc increases. If Tc is greater than or equal to the CBS, Tc
remains unchanged.
The two-rate-two-bucket mechanism allows burst traffic. A packet is marked red if bucket P
does not have enough tokens for it (the traffic rate exceeds the PIR), yellow if bucket P has
enough tokens but bucket C does not (the rate exceeds the CIR but not the PIR), and green if
both buckets have enough tokens (the rate is within the CIR).
Figure 5-3 Two-rate-two-bucket mechanism (tokens enter bucket P at the PIR, up to the PBS,
and bucket C at the CIR, up to the CBS; a packet of B bytes is tested against B > Tp and then
B > Tc)
This example uses the CIR of 1 Mbit/s, the PIR of 2 Mbit/s, the CBS of 2000 bytes, and the
PBS of 3000 bytes. Buckets C and P are initially full of tokens. In two-rate-two-bucket mode,
the token buckets process packets as follows:
The packet is marked yellow. The number of tokens in bucket P decreases by 1000 bytes,
with 1000 bytes remaining. The number of tokens in bucket C remains unchanged.
l Assume that the fourth packet arriving at the interface after a delay of 20 ms is 1500
bytes long. Additional 5000-byte tokens are put into bucket P (PIR x time period = 2
Mbit/s x 20 ms = 40000 bits = 5000 bytes), but excess tokens over the PBS (3000 bytes)
are dropped. Bucket P has 3000-byte tokens, which are enough for the 1500-byte fourth
packet. Additional 2500-byte tokens are put into bucket C (CIR x time period = 1 Mbit/s
x 20 ms = 20000 bits = 2500 bytes), but excess tokens over the CBS (2000 bytes) are
dropped. Bucket C then has 2000-byte tokens, which are enough for the 1500-byte fourth
packet. Therefore, the fourth packet is marked green. The number of tokens in bucket P
decreases by 1500 bytes, with 1500 bytes remaining. The number of tokens in bucket C
decreases by 1500 bytes, with 500 bytes remaining.
Table (token bucket processing in this example; columns): Packet No. | Time (ms) | Delay (ms)
| Packet Length (Bytes) | Token Addition (Bytes) | Number of Tokens Before Packet Processing
(Bytes): Bucket C, Bucket P | Number of Tokens After Packet Processing (Bytes): Bucket C,
Bucket P | Packet Marking
Table 5-5 describes the functions and scenarios of the three token bucket modes.
Table 5-5 Comparison of the three token bucket modes
Parameters
l Single-rate-single-bucket: CIR and CBS
l Single-rate-two-bucket: CIR, CBS, and EBS
l Two-rate-two-bucket: CIR, CBS, PIR, and PBS
Mode in which tokens are placed
l Single-rate-single-bucket: Tokens are put into bucket C at the CIR. Excess tokens are
dropped when bucket C is full.
l Single-rate-two-bucket: Tokens are put into bucket C at the CIR. When bucket C is full,
tokens are put into bucket E. When buckets C and E are not full, tokens are put into bucket C
only.
l Two-rate-two-bucket: Tokens are put into bucket C at the CIR and into bucket P at the PIR.
Buckets C and P are independent. Excess tokens are dropped when buckets C and P are full.
Whether traffic burst is allowed
l Single-rate-single-bucket: Traffic burst is not allowed. Packet processing depends on
whether bucket C has enough tokens.
l Single-rate-two-bucket: Traffic burst is allowed. Tokens in bucket C are used first. When
tokens in bucket C are insufficient, tokens in bucket E are used.
l Two-rate-two-bucket: Traffic burst is allowed. When buckets C and P have sufficient
tokens, tokens in both buckets are used. When tokens in bucket C are insufficient, only tokens
in bucket P are used.
Color-Aware Mode
In color-aware mode, if an arriving packet has been marked red, yellow, or green, the packet
color affects metering results of the token bucket mechanism in the following ways:
l If the packet has been marked green, the metering mechanism is the same as that in
color-blind mode.
l If the packet has been marked yellow, the system marks the packet yellow if it conforms
to the limit and red if it violates the limit, depending on the packet length and the number
of tokens; a pre-marked yellow packet is never upgraded to green. In the single-rate-single-
bucket system, the packet is marked red directly.
l If the packet has been marked red, it is marked red in the token bucket.
Traffic policing controls the rate of traffic entering a network within a specified range by
metering traffic and taking punitive action on excess traffic. This feature protects network
resources and interests of the enterprise users.
Figure 5-4 Traffic policing (packet stream -> Meter -> Marker -> Action -> packet stream; the
meter passes its result to the marker)
l Meter: uses the token bucket mechanism to measure network traffic and sends the result
to the marker.
l Marker: colors packets green, yellow, or red based on the measurement result received
from the meter.
l Action: performs actions based on packet colors. The following actions are defined:
– Pass: forwards the packets that conform to the limit.
– Re-mark + pass: changes the local priorities of those packets that exceed the limit
and forwards the packets.
– Discard: drops the packets that exceed the limit.
If the rate of a packet stream exceeds the limit, the system lowers the priority of extra packets
in the stream before forwarding them or discards the packets. By default, the system forwards
green and yellow packets, and discards red packets.
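The three token bucket modes of Figures 5-1 to 5-3 and Table 5-5, the color-aware variant, and the meter/marker/action chain of Figure 5-4 are small enough to implement directly. The following is an added example written for this page, not Huawei code: srTCM (RFC 2697) with EBS = 0 doubling as the single-bucket mode, trTCM (RFC 2698), and a policing action with the default pass/pass/discard behaviour. The packet burst is constructed, token credit is truncated to whole bytes, and the buckets start full, as in the worked examples above; the parameter values are the ones used in those examples.

```python
"""Token bucket meters from this section: srTCM (RFC 2697, the single-rate-
two-bucket mode; EBS = 0 gives the single-rate-single-bucket mode) and trTCM
(RFC 2698, the two-rate-two-bucket mode), in colour-blind or colour-aware
mode, plus the per-colour policing action. Rates in bit/s, bucket sizes and
packet lengths in bytes, time in seconds. Added example, not Huawei code."""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """Bucket C holds up to CBS tokens and overflows into bucket E (EBS)."""
    cir: float
    cbs: int
    ebs: int = 0
    color_aware: bool = False

    def __post_init__(self):
        self.tc, self.te, self.last = self.cbs, self.ebs, 0.0   # start full

    def _credit(self, now):
        # Tokens earned since the previous packet go to C; what does not fit
        # in C spills into E; what does not fit in E is dropped.
        self.tc += int(self.cir * (now - self.last) / 8)
        self.last = now
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def meter(self, now, length, color=GREEN):
        """Colour a packet of `length` bytes arriving at `now`; `color` is its
        pre-marking and is honoured only in colour-aware mode."""
        self._credit(now)
        if self.color_aware and color == RED:
            return RED
        if (not self.color_aware or color == GREEN) and length <= self.tc:
            self.tc -= length
            return GREEN
        if length <= self.te:           # yellow is paid from bucket E only
            self.te -= length
            return YELLOW
        return RED


@dataclass
class TrTCM:
    """Buckets P (PIR, PBS) and C (CIR, CBS) fill independently; a green
    packet pays from both, a yellow packet from P only."""
    cir: float
    pir: float
    cbs: int
    pbs: int
    color_aware: bool = False

    def __post_init__(self):
        self.tc, self.tp, self.last = self.cbs, self.pbs, 0.0

    def _credit(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + int(self.cir * dt / 8))
        self.tp = min(self.pbs, self.tp + int(self.pir * dt / 8))

    def meter(self, now, length, color=GREEN):
        self._credit(now)
        if (self.color_aware and color == RED) or length > self.tp:
            return RED
        if (self.color_aware and color == YELLOW) or length > self.tc:
            self.tp -= length
            return YELLOW
        self.tp -= length
        self.tc -= length
        return GREEN


def police(color, yellow="pass", red="discard"):
    """Action stage: by default green and yellow pass and red is discarded;
    pass yellow="remark" to model re-mark + pass."""
    return {GREEN: "pass", YELLOW: yellow, RED: red}[color]


def run(meter, packets):
    """packets: list of (arrival_s, length_bytes); returns the colours."""
    return [meter.meter(t, n) for t, n in packets]


# Constructed burst: three back-to-back 1500-byte packets, then one more
# after the same 20 ms gap as in the worked examples.
BURST = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.020, 1500)]


def srtcm_example():          # CIR 1 Mbit/s, CBS 2000, EBS 2000
    return run(SrTCM(cir=1_000_000, cbs=2000, ebs=2000), BURST)


def single_bucket_example():  # same CIR and CBS, EBS 0: no burst allowance
    return run(SrTCM(cir=1_000_000, cbs=2000), BURST)


def trtcm_example():          # CIR 1 Mbit/s, PIR 2 Mbit/s, CBS 2000, PBS 3000
    return run(TrTCM(cir=1_000_000, pir=2_000_000, cbs=2000, pbs=3000), BURST)


if __name__ == "__main__":
    for name, fn in (("srTCM", srtcm_example), ("single", single_bucket_example),
                     ("trTCM", trtcm_example)):
        colors = fn()
        print(f"{name:8} {colors} -> {[police(c) for c in colors]}")
```

The burst shows the difference between the modes on identical input: srTCM and trTCM colour the second packet yellow because bucket E (or bucket P) still has tokens, the single-bucket meter colours it red, and in every mode the fourth packet is green again after the 20 ms gap has refilled bucket C with 2500 bytes. The same after-gap arithmetic appears in the two-rate-two-bucket example above (P refills to the PBS of 3000, C to the CBS of 2000, and the packet leaves 1500 and 500 tokens respectively).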
Traffic shaping adjusts the rate of outgoing traffic to reduce traffic bursts so that outgoing
packets can be transmitted at a stable rate. Traffic shaping uses a buffer and token buckets to
control the traffic rate. When packets are sent at a high speed, the system buffers packets and
then sends these packets evenly under the control of the token buckets.
Process
Traffic shaping is a queue-based traffic control mechanism that limits the rate at which
packets pass through an interface.
Figure 5-5 shows an example of the traffic shaping process, using flow-based queue shaping
in single-rate-single-bucket mode.
Figure 5-5 Traffic shaping process (packets within the rate limit pass through the token bucket;
packets exceeding the rate limit wait in the buffer queue)
1. When packets arrive, the system classifies packets and places them into different queues.
2. If a queue is not configured with traffic shaping, packets placed in this queue are
immediately sent. For the queues configured with traffic shaping, the system proceeds to
the next step.
3. The system places tokens in the bucket at the specified rate (CIR):
– If there are sufficient tokens in the bucket, the system sends the packets and
decreases the number of tokens accordingly.
– If tokens in the bucket are insufficient for packet forwarding, the system places the
packets into the buffer queue. If the buffer queue is full, the system discards the
packets.
4. When there are packets in the buffer queue, the system compares the length of the packet at
the head of the queue with the number of tokens in the token bucket. If there are sufficient
tokens, the system forwards the packet and repeats the check until the buffer queue is empty.
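The four steps above describe one shaped queue. The following simulation is an added example written for this page, not Huawei code: it models a single-rate-single-bucket shaper with a bounded buffer queue and reports, for each packet of a constructed burst, the instant it leaves the interface or that it was discarded because the buffer was full. The buffer size is a parameter of the example (the page gives no value for it), and the bucket starts full.

```python
"""Queue-based traffic shaper, single-rate-single-bucket mode, following the
four steps above: packets covered by tokens leave at once, the rest wait in a
bounded buffer and leave as tokens accrue at the CIR, and packets that find
the buffer full are discarded. Added example, not Huawei code.
cir in bit/s, sizes in bytes, times in seconds."""


def shape(packets, cir, cbs, buffer_bytes):
    """packets: list of (arrival_s, length_bytes) in arrival order.
    Returns one (arrival_s, departure_s) per packet; departure is None when
    the packet was dropped because the buffer queue was full."""
    tokens, last = float(cbs), 0.0        # bucket starts full
    queue, queued_bytes = [], 0           # buffered (index, length) pairs
    result = [None] * len(packets)

    def credit(now):
        # Step 3: tokens accrue at the CIR, capped at the CBS.
        nonlocal tokens, last
        tokens = min(float(cbs), tokens + (now - last) * cir / 8)
        last = now

    def drain(until):
        # Step 4: release queued packets in order, each at the instant the
        # bucket can pay for it, but no later than `until`.
        nonlocal tokens, queued_bytes
        while queue:
            i, length = queue[0]
            depart = last + max(0.0, (length - tokens) * 8 / cir)
            if depart > until:
                return
            credit(depart)
            tokens = max(0.0, tokens - length)
            result[i] = (packets[i][0], depart)
            queue.pop(0)
            queued_bytes -= length

    for i, (arrival, length) in enumerate(packets):
        drain(arrival)                    # anything due before now leaves first
        credit(arrival)
        if not queue and length <= tokens:
            tokens -= length              # enough tokens: send immediately
            result[i] = (arrival, arrival)
        elif queued_bytes + length <= buffer_bytes:
            queue.append((i, length))     # not enough tokens: buffer it
            queued_bytes += length
        else:
            result[i] = (arrival, None)   # buffer queue full: discard
    drain(float("inf"))
    return result


def summarize(result):
    """(sent immediately, delayed, dropped) counts for a shape() result."""
    immediate = sum(1 for a, d in result if d == a)
    dropped = sum(1 for _, d in result if d is None)
    return immediate, len(result) - immediate - dropped, dropped


# Constructed burst: five 1500-byte packets arriving together, shaped at
# CIR 1 Mbit/s with CBS 2000 bytes and a 3000-byte buffer queue (assumed).
BURST = [(0.0, 1500)] * 5


def shaping_example():
    return shape(BURST, cir=1_000_000, cbs=2000, buffer_bytes=3000)


if __name__ == "__main__":
    for arrival, depart in shaping_example():
        print(f"arrived {arrival:.3f}s ->",
              "dropped" if depart is None else f"sent {depart:.3f}s")
    print(summarize(shaping_example()))
```

On the burst, the first packet leaves at once (2000 tokens cover 1500 bytes), the second and third are buffered and leave at 8 ms and 20 ms, when the bucket has earned the missing 1000 and 1500 bytes at 125,000 bytes/s, and the last two are discarded because the 3000-byte buffer is already full. A policer with the same CIR and CBS would have dropped all four excess packets; the shaper trades buffer memory and delay for fewer drops, which is the difference the overview above draws between the two features.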
Process
The following example illustrates the process of outbound traffic shaping on an interface
using the single-rate-single-bucket mode.
Figure 5-6 Outbound traffic shaping on an interface (packets within the rate limit pass through
the token bucket and are sent; packets exceeding the rate limit enter the buffer queue)
5.3 Applications
Application of Traffic Policing
As shown in Figure 5-7, voice, video, and data services are transmitted on an enterprise
network. When a large amount of traffic enters the network side, congestion may occur due to
insufficient bandwidth. Different guaranteed bandwidth must be provided for the voice, video,
and data services, listed in descending order of priority. In this situation, traffic policing can
be configured to provide the highest guaranteed bandwidth for voice packets and lowest
guaranteed bandwidth for data packets. This configuration ensures preferential transmission
of voice packets when congestion occurs.
Figure 5-7 Traffic policing on an enterprise campus network (voice, video, and data traffic from
the enterprise campus network enters the switch and is policed toward the network side)
Service Deployment
l Configure traffic classifiers to classify voice, video, and data packets.
l Configure traffic behaviors to limit rates of the voice, video, and data packets.
l Associate the traffic classifiers with the traffic behaviors in a traffic policy, and apply the
traffic policy to the inbound direction of an interface.
Figure: traffic from the branches (Branch 1 and others) passes through the switch toward the
egress gateway and the Internet
Service Deployment
l Configure priority mapping for incoming traffic on the interfaces of the switch connected
to the branches. Then packets from different branches are marked with different local
priorities and enter different queues.
l Configure traffic policing on the outbound interface of the switch connected to the egress
gateway to limit rates of traffic from different branches.
Figure: traffic from departments A and B passes through the switch to the Internet
Service Deployment
l Configure rate limiting on the switch's interfaces connected to departments A and B to
limit the traffic rate of each department within a specified range.
License Support
Traffic policing, traffic shaping, and interface-based rate limiting are basic features of the
switch, and are not under license control.
Version Support
Table 5-6 describes the products and minimum version supporting traffic policing and traffic
shaping.
Table 5-6 Products and minimum version supporting traffic policing and traffic shaping
Product | Minimum Version Required
S2750EI | V200R003
S5710-X-LI | V200R008
S5720EI | V200R007
S5720SI/S5720S-SI | V200R008
S5720HI | V200R006
S6720EI | V200R008
S6720S-EI | V200R009
Table 5-7 describes the products and minimum version supporting interface-based rate
limiting.
Table 5-7 Products and minimum version supporting interface-based rate limiting
Product | Minimum Version Required
S2750EI | V200R003
S5710-X-LI | V200R008
S5720EI | V200R007
S5720SI/S5720S-SI | V200R008
S5720HI | V200R006
S6720EI | V200R008
S6720S-EI | V200R009
Table 5-8 Traffic policing, traffic shaping, and interface-based rate limiting supported by
different switch models (columns: Device Model | MQC-based Traffic Policing | Hierarchical
Traffic Policing | Queue-based Traffic Shaping | Inbound Interface-based Rate Limiting |
Outbound Interface-based Rate Limiting)
l To limit the rate of packets from different VLANs, configure rate limiting based on
VLAN IDs. When a traffic policy is applied to a VLAN, the traffic policy is valid for all
interfaces in the VLAN.
l After rate limiting is configured on the device, the Internet access may be slow or packet
loss may occur on the downstream device. The rate limit needs to be set properly.
l Traffic policing, traffic shaping, and interface-based rate limiting are valid only for data
packets and are invalid for protocol packets, so that the device performance is not
affected.
l Traffic suppression in a VLAN, inbound interface-based rate limiting, traffic policy
containing rate limiting, and simplified ACL-based traffic policy containing rate limiting
share CAR resources of the device. When CAR resources are insufficient, some of the
preceding functions may fail to be configured. Run the display acl resource [ slot slot-
id ] command to view the usage of CAR resources.
l Inbound traffic statistics are collected before inbound interface-based rate limiting is
applied, so they cannot be used to check whether interface-based rate limiting has taken
effect. Run the display qos statistics interface interface-type interface-number
inbound command on the S5720EI, S5720HI, S6720EI, and S6720S-EI to view traffic
statistics after rate limiting is configured.
l When traffic policing and another flow action are defined in different traffic behaviors of
the same traffic policy and priorities of matching traffic classifiers are different, if
packets match multiple traffic classifiers, only the action corresponding to the high-
priority traffic classifier takes effect. In this case, rate limiting may fail.
NOTE
When inbound interface-based rate limiting, VLAN-based broadcast traffic suppression, and inbound
MQC-based traffic policing are configured simultaneously on the S2750, S5700LI, S5700S-LI, S5710-
X-LI, S5720SI, and S5720S-SI, these rules take effect in descending order of priority: inbound
interface-based rate limiting > VLAN-based broadcast traffic suppression > inbound MQC-based
traffic policing. For example, if both inbound interface-based rate limiting and VLAN-based
broadcast traffic suppression are configured, inbound interface-based rate limiting takes effect.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
The system view is displayed.
b. Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
The S5720HI does not support traffic classifiers with advanced ACLs containing the ttl-
expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI
does not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id,
or remark vlan-id vlan-id.
d. Run:
quit
2. Configure a traffic behavior.
a. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the view
of an existing traffic behavior is displayed.
b. Run any of the following commands depending on the product model to configure
the CAR action:
n On the S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI,
run:
car [ aggregation ] cir cir-value [ pir pir-value ] [ cbs cbs-value
pbs pbs-value ] [ green pass ] [ yellow { discard | pass [ remark-
dscp dscp-value | remark-8021p 8021p-value ] } ] [ red { discard |
pass [ remark-dscp dscp-value | remark-8021p 8021p-value ] } ]
NOTE
Only the S5710-X-LI, S5720SI, and S5720S-SI support the aggregation parameter.
n On the S5720HI, S5720EI, and S6720EI, run:
car cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ]
[ green { discard | pass } ] [ yellow { discard | pass } ] [ red
{ discard | pass } ]
The system is configured not to count the inter-frame gap and preamble of packets
when calculating the traffic rate for traffic policing.
NOTE
The qos-car exclude-interframe command configures the system not to count the inter-
frame gap and preamble of packets when calculating the traffic rate for traffic policing or
inbound interface-based rate limiting.
f. Run:
quit
3. Configure a traffic policy.
n On the S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI, run:
traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
n On the S6720EI, S5720EI, and S5720HI, run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed. If no matching order is specified when
you create a traffic policy, the default matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a new traffic policy and
specify the matching order.
When creating a traffic policy, you can specify the matching order of matching
rules in the traffic policy. The matching order can be either automatic order or
configuration order.
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound direction.
In the preceding situation, if ACL rules need to be updated, delete the traffic policy
from the interface, VLAN, and system and reconfigure it in sequence.
c. Run:
classifier classifier-name behavior behavior-name
Applying traffic policies consumes ACL resources. If there are not sufficient ACL
resources, some traffic policies may fail to be applied. For example, an if-match rule in
a traffic policy occupies an ACL. When the traffic policy is applied to M interfaces, M
ACLs are occupied. When a traffic policy is applied to a VLAN or in the system, the
number of occupied ACLs is the number of LPUs on the device. For details about
ACLs occupied by if-match rules, see Table 2-4 in 2.2 Configuration Notes.
– Applying a traffic policy to the system
i. Run:
system-view
○ In a stack, a traffic policy that is applied to a slot takes effect on all the
interfaces and VLANs of that member switch. The system then performs traffic
policing for all the incoming and outgoing packets that match traffic
classification rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of the local switch. The system
then performs traffic policing for all the incoming and outgoing packets
that match traffic classification rules on the local switch. Traffic policies
applied to the slot and system have the same functions.
Context
The device supports hierarchical traffic policing. After the system uses MQC to implement
traffic policing (level-1 CAR) for service flows matching a traffic classifier in a traffic policy,
the system aggregates all the service flows matching the traffic classifiers associated with the
level-1 CAR in the same traffic policy and performs traffic policing (level-2 CAR) for the
aggregated flow. Hierarchical traffic policing implements statistical multiplexing of traffic
and fine-grained service control. For details about level-1 CAR, see 5.6.1 Configuring MQC
to Implement Traffic Policing.
Procedure
1. Run:
system-view
l The S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, S5720S-SI, and S6720EI do not
support aggregated CAR.
l The traffic policy defining the aggregated CAR action can only be used in the inbound
direction.
l After aggregated CAR is configured, all the rules in the traffic classifiers bound to the same
traffic behavior share the CAR index. The system aggregates all the flows matching these
traffic classifiers and uses CAR to limit the rate of the flows. If the traffic classifiers define
both Layer 2 and Layer 3 information, the aggregated CAR configuration is invalid.
Context
Packets received on an interface enter different queues based on priority mapping. The device
can provide differentiated services for queues of different priorities using different traffic
shaping parameter settings for these queues.
Before configuring traffic shaping for queues on an interface, configure priority mapping to
map packet priorities to per hop behaviors (PHBs) so that packets of different services enter
different queues. For details about priority mapping, see 3.6 Configuring Priority Mapping
for the S5720HI, S5720EI, and S6720EI, and 4.5 Configuring Priority Mapping for the
S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI.
Procedure
Step 1 Run:
system-view
The system is configured not to count the inter-frame gap and preamble of packets when
calculating the traffic rate for traffic shaping.
The qos-shaping exclude-interframe command configures the system not to count the inter-
frame gap and preamble of packets when calculating the traffic rate for traffic shaping or
outbound interface-based rate limiting.
Step 3 Run:
interface interface-type interface-number
The traffic shaping rate is configured for a queue. It is recommended that the CBS should be
120 times the CIR.
By default, the traffic shaping rate for a queue is the maximum bandwidth of the interface.
NOTE
If both queue-based traffic shaping and outbound rate limiting (configured by the qos lr outbound
command) are configured on an interface, the CIR for outbound rate limiting must be greater than or
equal to the sum of CIR values of all queues on the interface; otherwise, the traffic shaping result may
be incorrect. For example, a low-priority queue may preempt the bandwidth of a high-priority queue.
----End
Context
The data buffer caches packets to be sent from an interface to prevent packet loss upon traffic
bursts. When the data buffer is full, the device does not cache packets and directly discards
packets not entering the buffer. You can adjust the buffering capacity of interface queues to
improve the forwarding performance.
Procedure
l Configure a burst traffic buffering mode on an interface of the S5720EI and S6720EI.
a. Run:
system-view
b. Run:
qos tail-drop-profile profile-name
----End
Procedure
l Run the display qos queue statistics interface interface-type interface-number [ queue
queue-index ] command to check statistics about interface queues.
----End
Procedure
Step 1 Run:
system-view
The system is configured not to count the inter-frame gap and preamble of packets when
calculating the incoming traffic rate on an interface.
NOTE
The qos-car exclude-interframe command configures the system not to count the inter-frame gap and
preamble of packets when calculating the traffic rate for inbound interface-based rate limiting and traffic
policing.
Step 3 Run:
interface interface-type interface-number
NOTE
When inbound interface-based rate limiting, Configuring Traffic Suppression in a VLAN, and 5.6.1
Configuring MQC to Implement Traffic Policing are configured simultaneously on the S2750,
S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI, these rules take effect in descending order
of priority: inbound interface-based rate limiting > Configuring Traffic Suppression in a VLAN > 5.6.1
Configuring MQC to Implement Traffic Policing. For example, if both inbound interface-based rate
limiting and Configuring Traffic Suppression in a VLAN are configured, only inbound interface-based rate
limiting takes effect.
The S2750EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC that are enabled with Layer 3 hardware
forwarding for IPv4 packets do not support inbound interface-based rate limiting.
When interface-based 802.1x authentication is configured and the RADIUS server delivers the rate limit,
the interface does not support the rate limit.
----End
Configuration Tips
Deleting the Configuration of Inbound Interface-based Rate Limiting
Run the undo qos lr inbound command in the interface view to delete the configuration of
inbound interface-based rate limiting.
Context
To control the rate of all outgoing traffic on an interface, configure outbound interface-based
rate limiting. When the transmit rate of packets exceeds the rate limit, excess packets are
placed in the buffer queue. When there are sufficient tokens in the token bucket, the device
forwards the buffered packets at an even rate. When the buffer queue is full, the device
discards the buffered packets.
Procedure
Step 1 Run:
system-view
The system is configured not to count the inter-frame gap and preamble of packets when
calculating the outgoing traffic rate.
NOTE
The qos-shaping exclude-interframe command configures the system not to count the inter-frame gap
and preamble of packets when calculating the traffic rate for traffic shaping or outbound interface-based
rate limiting.
Step 3 Run:
interface interface-type interface-number
Step 4 Run:
qos lr outbound cir cir-value [ cbs cbs-value ]
By default, the rate limit on an interface is the maximum bandwidth of the interface.
NOTE
If both queue-based traffic shaping and rate limiting are configured on an interface, the CIR configured
for the interface must be greater than or equal to the sum of CIR values of all queues on the interface;
otherwise, traffic shaping may be incorrect. For example, a low-priority queue may preempt the
bandwidth of a high-priority queue.
When interface-based 802.1x authentication is configured and the RADIUS server delivers the rate limit,
the interface does not support the rate limit.
S5720HI does not support cbs cbs-value.
----End
Configuration Tips
Deleting the configuration of Outbound Interface-based Rate Limiting
Run the undo qos lr outbound command in the interface view to delete the configuration of
outbound interface-based rate limiting.
Context
If there is heavy traffic on the management interface due to malicious attacks or network
exceptions, the CPU of the device is overloaded, which affects system operations. You can
configure a rate limit on the management interface to limit the rate of traffic entering the
device through the management interface, ensuring normal system operations.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface meth 0/0/1
Step 3 Run:
qos lr pps packets
NOTE
A small rate limit may affect the FTP, Telnet, SFTP, STelnet, and SSH functions.
----End
Procedure
l Run the display qos car { all | name car-name } command to check the QoS CAR
configuration.
NOTE
Only the S5720HI and S5720EI support the display qos car command.
l Run the display qos queue statistics interface interface-type interface-number [ queue
queue-index ] command to check statistics about interface queues.
l Run the display qos lr { inbound | outbound } interface interface-type interface-
number command to check the interface-based rate limiting configuration.
NOTE
The S2750EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC that are enabled with Layer 3
hardware forwarding for IPv4 packets do not support inbound interface-based rate limiting.
----End
Context
To view MQC-based traffic statistics, ensure that a traffic policy has been created and
contains the traffic statistics collection action.
Procedure
l Run the display traffic policy statistics { global [ slot slot-id ] | interface interface-type
interface-number | vlan vlan-id } { inbound | outbound } [ verbose { classifier-base |
rule-base } [ class classifier-name ] ] command to check MQC-based traffic statistics.
l Run the display qos statistics interface interface-type interface-number inbound
command to check packet statistics after inbound rate limiting is configured on the
S6720EI, S5720HI, and S5720EI.
l Run the display qos queue statistics interface interface-type interface-number [ queue
queue-index ] command to check queue-based traffic statistics on an interface.
----End
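The display traffic policy statistics output (its layout is shown in the configuration examples later in this chapter) is the place to see whether a policy is applied and how much of the matched traffic the CAR action is discarding. The following Python parser is an added example, not code from this guide or from Huawei: it reads that text, collects the Matched/Passed/Dropped/Filter/Car counters, and turns them into a check a monitoring script can run, flagging a policy whose Current status is not success or whose dropped share of matched packets exceeds a threshold. The sample output inside the block is constructed with non-zero counters for illustration; only the field names come from the display output, the threshold and the check logic are assumptions.

```python
"""Parse 'display traffic policy statistics ... inbound' output and check the
share of matched packets that the policy dropped.  Added example; the sample
output is constructed (counters chosen to illustrate the check)."""
import re

SAMPLE_OUTPUT = """\
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 120000
        | Bytes: 150000000
        | Rate(pps): 400
        | Rate(bps): 4000000
---------------------------------------------------------------------
Passed | Packets: 96000
       | Bytes: 120000000
       | Rate(pps): 320
       | Rate(bps): 3200000
---------------------------------------------------------------------
Dropped | Packets: 24000
        | Bytes: 30000000
        | Rate(pps): 80
        | Rate(bps): 800000
---------------------------------------------------------------------
Filter | Packets: 0
       | Bytes: 0
---------------------------------------------------------------------
Car | Packets: 24000
    | Bytes: 30000000
---------------------------------------------------------------------
"""

# "Key: value" header lines (Interface, Traffic policy inbound, Current status, ...)
HEADER_RE = re.compile(r"^(?P<key>[^:|]+?)\s*:\s*(?P<value>.+?)\s*$")
# "Section | Name: number" on the first line of a block, "| Name: number" on the rest
COUNTER_RE = re.compile(
    r"^(?:(?P<section>\w+)\s*)?\|\s*(?P<name>[\w()]+)\s*:\s*(?P<value>\d+)\s*$")


def parse_policy_statistics(text):
    """Return (header dict, {section: {counter name: int}})."""
    header, counters, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = COUNTER_RE.match(line)
        if m:
            if m.group("section"):          # new block: Matched, Passed, Dropped, ...
                section = m.group("section")
            counters.setdefault(section, {})[m.group("name")] = int(m.group("value"))
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
    return header, counters


def drop_ratio(counters):
    """Dropped packets as a fraction of matched packets (0.0 when nothing matched)."""
    matched = counters.get("Matched", {}).get("Packets", 0)
    dropped = counters.get("Dropped", {}).get("Packets", 0)
    return dropped / matched if matched else 0.0


def check_policy(text, max_drop_ratio=0.1):
    """Return (ok, summary).  ok is False when the policy is not applied
    successfully or when more than max_drop_ratio of matched packets were dropped.
    The 10 % default threshold is an assumption for this example."""
    header, counters = parse_policy_statistics(text)
    ratio = drop_ratio(counters)
    ok = header.get("Current status") == "success" and ratio <= max_drop_ratio
    summary = {
        "interface": header.get("Interface"),
        "policy": header.get("Traffic policy inbound"),
        "status": header.get("Current status"),
        "drop_ratio": ratio,
        "car_dropped_packets": counters.get("Car", {}).get("Packets", 0),
    }
    return ok, summary


if __name__ == "__main__":
    print(check_policy(SAMPLE_OUTPUT))
```

The Car block counts packets dropped by the CAR action specifically, so comparing it with the Dropped block tells you whether drops come from policing or from a deny/filter action in the same policy.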
Context
NOTICE
Cleared flow-based traffic statistics cannot be restored. Exercise caution when you run the
reset command.
Procedure
l Run the reset qos queue statistics interface interface-type interface-number command
to clear queue-based traffic statistics on an interface.
----End
Networking Requirements
As shown in Figure 5-10, the Switch connects to the router through GE0/0/2, and the
enterprise connects to the Internet through the Switch and router.
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN 100
respectively.
Traffic policing must be configured on the Switch to limit the rates of different service
packets within proper ranges and guarantee bandwidth for each service.
Voice, video, and data services have QoS requirements in descending order of priority. The
Switch needs to re-mark DSCP priorities in different service packets so that the downstream
router can process the service packets based on priorities, ensuring QoS of different services.
(Figure 5-10, networking: Phone in VLAN 120, TV in VLAN 110, and PC in VLAN 100 on the enterprise campus network connect through SwitchA to GE0/0/1 of the Switch; GE0/0/2 of the Switch connects to the Router and the network. Traffic direction: from the enterprise to the network.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to enable the enterprise to connect to the Internet
through the Switch.
2. Configure traffic classifiers on the Switch to classify packets based on VLAN IDs.
3. Configure traffic behaviors on the Switch to limit the rate of packets and re-mark DSCP
priorities of packets.
4. Configure a traffic policy on the Switch, associate the traffic behaviors with the traffic
classifiers in the traffic policy, and apply the traffic policy to the interface of the Switch
connected to the LSW.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, and add them to VLAN 100, VLAN
110, and VLAN 120.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/2] quit
# Configure traffic classifiers c1, c2, and c3 on the Switch to match different service flows
from the enterprise based on VLAN IDs.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 120
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match vlan-id 110
[Switch-classifier-c2] quit
[Switch] traffic classifier c3 operator and
[Switch-classifier-c3] if-match vlan-id 100
[Switch-classifier-c3] quit
Step 4 Configure a traffic policy and apply the traffic policy to the interface connected to the LSW.
# Create a traffic policy named p1 on the Switch, associate the traffic behaviors with the
traffic classifiers in the traffic policy, and apply the traffic policy to GE0/0/1 in the inbound
direction to limit the rates and re-mark packet priorities.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit
Classifier: c3
Operator: AND
Rule(s) : if-match vlan-id 100
Classifier: c1
Operator: AND
Rule(s) : if-match vlan-id 120
# View the traffic policy configuration. The traffic policy p1 is used as an example.
[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Committed Access Rate:
CIR 2000 (Kbps), CBS 250000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Remark:
Remark DSCP ef
Statistic: enable
Classifier: c2
Operator: AND
Behavior: b2
Committed Access Rate:
CIR 4000 (Kbps), CBS 500000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Remark:
Remark DSCP af33
Statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
Committed Access Rate:
CIR 4000 (Kbps), CBS 500000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Remark:
Remark DSCP af13
Statistic: enable
# View information about the traffic policy that is applied to the interface. GE0/0/1 is used as
an example.
[Switch] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator and
if-match vlan-id 120
traffic classifier c2 operator and
if-match vlan-id 110
traffic classifier c3 operator and
if-match vlan-id 100
#
traffic behavior b1
car cir 2000 pir 10000 cbs 250000 pbs 1250000 green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b2
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b3
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return
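The car lines in behaviors b1 to b3 of the configuration file above set four token-bucket parameters (cir, pir, cbs, pbs) and one action per colour. The following Python simulation is an added example, not code from this guide or from Huawei: it implements a two-rate three-colour marker in colour-blind mode, which is the token-bucket model behind those parameters, using the values of behavior b1 (cir 2000 pir 10000 cbs 250000 pbs 1250000 green pass yellow pass red discard), and runs two constructed packet sequences through it: a line-rate burst, which shows how CBS and PBS absorb a burst before red drops begin, and a steady 8000 kbit/s stream between CIR and PIR, which shows that only the CIR share stays green. It assumes buckets start full unless told otherwise and timestamps in microseconds; the exact refill arithmetic of the switch hardware is not described in the guide, so the counts illustrate the mechanism, not a specific model.

```python
"""Simulate a CAR traffic behavior as a two-rate three-colour marker (RFC 2698,
colour-blind mode).  Added example, not code from the configuration guide."""
from collections import Counter
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class TwoRateThreeColorMarker:
    """Bucket C (depth cbs, refilled at cir) and bucket P (depth pbs, refilled at pir).
    Times are integer microseconds; token counts are exact Fractions of bytes."""
    cir_kbps: int
    pir_kbps: int
    cbs_bytes: int
    pbs_bytes: int
    start_full: bool = True
    tc: Fraction = field(init=False)
    tp: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tc = Fraction(self.cbs_bytes if self.start_full else 0)
        self.tp = Fraction(self.pbs_bytes if self.start_full else 0)

    def mark(self, size_bytes: int, now_us: int) -> str:
        elapsed = max(0, now_us - self.last_us)
        self.last_us = now_us
        # 1 kbit/s = 1000/8 bytes per second = 1/8000 bytes per microsecond.
        self.tc = min(Fraction(self.cbs_bytes), self.tc + elapsed * Fraction(self.cir_kbps, 8000))
        self.tp = min(Fraction(self.pbs_bytes), self.tp + elapsed * Fraction(self.pir_kbps, 8000))
        if size_bytes > self.tp:      # not even the peak bucket can pay for it
            return "red"
        if size_bytes > self.tc:      # within PIR but beyond CIR
            self.tp -= size_bytes
            return "yellow"
        self.tc -= size_bytes         # conforming traffic pays from both buckets
        self.tp -= size_bytes
        return "green"


# Colour actions exactly as written in behavior b1 of the configuration file.
B1_ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def police(marker, packets, actions=B1_ACTIONS):
    """packets: iterable of (time_us, size_bytes).  Returns a Counter with one
    entry per colour and one per resulting action (pass/discard)."""
    result = Counter()
    for now_us, size in packets:
        colour = marker.mark(size, now_us)
        result[colour] += 1
        result[actions[colour]] += 1
    return result


def b1_marker(start_full=True):
    """Marker with the cir/pir/cbs/pbs values of behavior b1."""
    return TwoRateThreeColorMarker(cir_kbps=2000, pir_kbps=10000,
                                   cbs_bytes=250000, pbs_bytes=1250000,
                                   start_full=start_full)


def burst_result(n_packets=1000, size=1500):
    """Constructed burst of n_packets at t=0: CBS covers the first packets (green),
    PBS the next ones (yellow), the remainder is red and discarded."""
    return police(b1_marker(), [(0, size) for _ in range(n_packets)])


def steady_result(n_packets=400, size=1000, interval_us=1000):
    """Constructed stream: 1000-byte packets every 1 ms = 8000 kbit/s, between CIR
    and PIR, starting with empty buckets.  Bucket C refills 250 bytes per packet
    interval, so one packet in four is green and the rest are yellow."""
    pkts = [((k + 1) * interval_us, size) for k in range(n_packets)]
    return police(b1_marker(start_full=False), pkts)


if __name__ == "__main__":
    print("burst :", dict(burst_result()))
    print("steady:", dict(steady_result()))
```

With b1's actions, yellow packets still pass, so the PIR rather than the CIR bounds what can leave the interface during a burst; changing yellow to discard would make the behaviour a single-rate limiter at CIR with a burst allowance of CBS.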
On an enterprise network, network-side interfaces are often congested because the WAN
network bandwidth is less than enterprise's LAN bandwidth. Congestion may cause loss of
service data. To prevent this problem, configure traffic policing on the inbound interface of
upstream traffic. In this example, the total bandwidth on the interface needs to be limited to
12000 kbit/s, and the rates of voice, video, and data service flows need to be limited within
proper ranges.
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN 100
respectively, and have QoS requirements in descending order of priority. The Switch needs to
re-mark DSCP priorities in different service packets so that the router can provide QoS
guarantee based on priorities of packets.
Table 5-13 describes QoS requirements of different services.
Table 5-13 QoS guarantee that the Switch provides for upstream traffic
Traffic Type CIR (kbit/s) PIR (kbit/s) DSCP Priority
(Networking figure: Phone in VLAN 120, TV in VLAN 110, and PC in VLAN 100 on the enterprise campus network connect through SwitchA to GE0/0/1 of the Switch; GE0/0/2 of the Switch connects to the Router and the network. Traffic direction: from the enterprise to the network.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to enable the enterprise to connect to the
network through the Switch.
2. Configure a CAR profile to limit the total bandwidth of voice, data, and video services.
3. Configure traffic classifiers on the Switch to classify voice, video, and data packets
based on VLAN IDs.
4. Configure traffic behaviors on the Switch to limit the rate of packets and re-mark DSCP
priorities of packets.
5. Configure a traffic policy on the Switch, bind traffic behaviors and traffic classifiers to
the traffic policy, and apply the traffic policy to the interface on the Switch connected to
the enterprise.
Procedure
Step 1 Configure VLANs and interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, and add them to VLAN 100, VLAN 110,
and VLAN 120.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/2] quit
Step 5 Create a traffic policy and apply it to the interface connected to the enterprise.
# Create a traffic policy p1 on the Switch, associate traffic classifiers with traffic behaviors in
the traffic policy, and apply the traffic policy to the inbound direction on GE0/0/1 to limit the
rate of packets received from the enterprise and re-mark priorities of the packets.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit
Classifier: c3
Operator: AND
Rule(s) : if-match vlan-id 100
Classifier: c1
Operator: AND
Rule(s) : if-match vlan-id 120
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 110 120
#
qos car car1 cir 12000 cbs 2256000
#
(Networking figure: HostA 192.168.1.10/24, HostB 192.168.1.11/24, and HostC 192.168.1.12/24 on the enterprise campus network connect through the LSW to GE0/0/1 of the Switch; GE0/0/2 of the Switch connects to the Router and the Internet. Traffic direction: from the enterprise to the Internet.)
Configuration Roadmap
A time-range-based traffic policy can be used to implement rate limiting. The configuration
roadmap is as follows:
1. Configure interfaces to enable the enterprise to connect to the Internet through the
Switch.
2. Configure a time range, which will be applied to an ACL.
3. Configure an ACL to match traffic passing through the Switch in the specified time
range.
4. Configure a traffic policy to limit the rate of packets matching the ACL.
5. Apply the traffic policy to the inbound direction of GE0/0/1.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure GE0/0/1 and GE0/0/2 on the Switch as trunk interfaces and add them to VLAN
10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
NOTE
Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.
NOTE
Configure IP address 192.168.1.2/24 for the router interface connected to the Switch.
Step 2 Create a time range working_time that defines work hours from 8:30 to 18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day
Step 3 Configure ACL 2001 and define three rules to limit the bandwidth of packets from
192.168.1.10, 192.168.1.11, and 192.168.1.12 during work hours.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 192.168.1.10 0 time-range working_time
[Switch-acl-basic-2001] rule permit source 192.168.1.11 0 time-range working_time
[Switch-acl-basic-2001] rule permit source 192.168.1.12 0 time-range working_time
[Switch-acl-basic-2001] quit
Step 5 Configure a traffic behavior and set the rate limit to 4 Mbit/s.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 4096
[Switch-behavior-b1] quit
Step 6 Configure a traffic policy and apply the traffic policy on GE0/0/1 in the inbound direction.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet0/0/1] quit
----End
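Steps 2 and 3 combine two conditions in each ACL rule: the source address must match the address/wildcard pair, and the rule's time range must be active when the packet arrives, so the rate limit applies only during work hours on working days. The following Python model is an added example, not code from this guide or from Huawei: it evaluates ACL 2001 and the working_time range against constructed packets (source address plus timestamp) and reports which rule, if any, classifies the packet and therefore sends it to behavior b1. It generalizes the wildcard test so the same code also evaluates segment rules such as source 192.168.1.0 0.0.0.255 from the later example in this chapter. The rule numbers 5, 10 and 15 are the ones shown in the configuration file; the interpretation of working-day as Monday to Friday and the inclusive time boundaries are assumptions.

```python
"""Evaluate a basic ACL with time-range rules, as configured in Steps 2 and 3.
Added example; all packets below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time
    weekdays: frozenset  # Monday=0 .. Sunday=6

    def active(self, at: datetime) -> bool:
        # Assumption: boundaries are inclusive, as in "08:30 to 18:00".
        return at.weekday() in self.weekdays and self.start <= at.time() <= self.end


WORKING_DAY = frozenset(range(5))  # assumption: working-day = Monday to Friday


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "permit" or "deny"
    source: IPv4Address
    wildcard: IPv4Address     # 0 = exact host; 0.0.0.255 = whole /24 segment
    time_range: Optional[TimeRange] = None

    def matches(self, src: IPv4Address, at: datetime) -> bool:
        # A wildcard bit set to 1 means "do not care" about that address bit.
        care = 0xFFFFFFFF ^ int(self.wildcard)
        if (int(src) & care) != (int(self.source) & care):
            return False
        return self.time_range is None or self.time_range.active(at)


def lookup(rules, src: IPv4Address, at: datetime):
    """First match wins in rule-number order; None when no rule matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, at):
            return rule
    return None


working_time = TimeRange("working_time", time(8, 30), time(18, 0), WORKING_DAY)

# time-range working_time 08:30 to 18:00 working-day
# acl number 2001 / rule 5, 10, 15 permit source <host> 0 time-range working_time
ACL_2001 = [
    Rule(5, "permit", IPv4Address("192.168.1.10"), IPv4Address("0.0.0.0"), working_time),
    Rule(10, "permit", IPv4Address("192.168.1.11"), IPv4Address("0.0.0.0"), working_time),
    Rule(15, "permit", IPv4Address("192.168.1.12"), IPv4Address("0.0.0.0"), working_time),
]

# Segment rule in the style of "rule 5 permit source 192.168.1.0 0.0.0.255"
# from the later example (no time range).
ACL_2000 = [Rule(5, "permit", IPv4Address("192.168.1.0"), IPv4Address("0.0.0.255"))]


def classify(src: str, at_iso: str, rules=ACL_2001):
    """Number of the first matching rule for a packet, or None."""
    rule = lookup(rules, IPv4Address(src), datetime.fromisoformat(at_iso))
    return rule.number if rule else None


def is_rate_limited(src: str, at_iso: str, rules=ACL_2001) -> bool:
    """True when the packet matches a permit rule, i.e. classifier c1
    (if-match acl 2001) selects it and behavior b1 polices it."""
    rule = lookup(rules, IPv4Address(src), datetime.fromisoformat(at_iso))
    return rule is not None and rule.action == "permit"


if __name__ == "__main__":
    for src, at in [("192.168.1.10", "2016-10-24T10:00:00"),   # Monday, work hours
                    ("192.168.1.10", "2016-10-24T19:00:00"),   # Monday, after hours
                    ("192.168.1.13", "2016-10-24T10:00:00")]:  # host not in the ACL
        print(src, at, "limited" if is_rate_limited(src, at) else "not limited")
```

Traffic from the three hosts outside the time range, and traffic from any other host at any time, falls through ACL 2001 unmatched and is forwarded without policing, which is what the roadmap intends.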
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 10
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 2001
rule 5 permit source 192.168.1.10 0 time-range working_time
rule 10 permit source 192.168.1.11 0 time-range working_time
rule 15 permit source 192.168.1.12 0 time-range working_time
#
traffic classifier c1 operator and
if-match acl 2001
#
traffic behavior b1
car cir 4096 pir 4096 cbs 512000 pbs 512000 green pass yellow pass red discard
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
As shown in Figure 5-13, the Switch connects to the router through GE0/0/3, and the
enterprise connects to the Internet through the Switch and router.
Users on different floors connect to the network through different access switches and belong
to different network segments. Different bandwidth needs to be provided for users on different
network segments.
Table 5-14 describes the QoS requirements.
Figure 5-13 Networking for rate limiting for users on different network segments
(Figure 5-13: PCs on floor 1, network segment 192.168.1.0/24, connect through LSW A to GE0/0/1 of the Switch; PCs on another floor connect through LSW B to GE0/0/2; GE0/0/3 of the Switch connects to the Router and the network.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to enable the enterprise to connect to the Internet
through the Switch.
2. Configure ACLs to match different network segments on the Switch.
3. Configure traffic classifiers and apply the ACLs to the traffic classifiers on the Switch.
4. Configure traffic behaviors on the Switch to limit the rates of packets from users on
different floors.
5. Configure a traffic policy on the Switch, associate the traffic behaviors with the traffic
classifiers in the traffic policy, and apply the traffic policy to the interface on the Switch
connected to the router.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100 and VLAN 200 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, add GE0/0/1 to VLAN 100 and GE0/0/2
to VLAN 200. Configure GE0/0/3 as a trunk interface and add it to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit
# Configure traffic classifiers c1 and c2 on the Switch to classify packets from users in
different floors.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 2000
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match acl 2001
[Switch-classifier-c2] quit
# Create traffic behaviors b1 and b2 on the Switch to limit the rates of different service flows.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 4000 pir 10000 green pass
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] car cir 6000 pir 10000 green pass
[Switch-behavior-b2] quit
Step 5 Configure a traffic policy and apply the traffic policy to the interface connected to the router.
# Create a traffic policy named p1 on the Switch, associate traffic classifiers with traffic
behaviors in the traffic policy, and apply the traffic policy to the outbound direction of
GE0/0/3 to police packets from the enterprise.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] traffic-policy p1 outbound
[Switch-GigabitEthernet0/0/3] quit
Classifier: c1
Operator: AND
Rule(s) : if-match acl 2000
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
acl number 2001
rule 5 permit source 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator and
if-match acl 2000
traffic classifier c2 operator and
if-match acl 2001
#
traffic behavior b1
car cir 4000 pir 10000 cbs 500000 pbs 1250000 green pass yellow pass red discard
traffic behavior b2
car cir 6000 pir 10000 cbs 750000 pbs 1250000 green pass yellow pass red discard
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
traffic-policy p1 outbound
#
return
Networking Requirements
The Switch is connected to the router through GE0/0/2. The voice, video, and data services,
with 802.1p priorities of 6, 5, and 2, are transmitted to users through the router and Switch, as
shown in Figure 5-14. The rate of traffic from the enterprise campus network is higher than
the interface rate on the router; therefore, jitter may occur on GE0/0/2. The following
requirements must be met to reduce jitter and ensure bandwidth of services:
(Figure 5-14: Phone (802.1p=6), TV (802.1p=5), and PC (802.1p=2) on the enterprise campus network connect through SwitchA to GE0/0/1 of the Switch; GE0/0/2 of the Switch connects to the Router and the network. Traffic direction: from the enterprise to the network.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to enable the enterprise to access the network
through the Switch.
2. Configure the inbound interface of service packets to trust 802.1p priorities in packets.
3. Configure traffic shaping on the outbound interface of service packets to limit the
bandwidth of the interface.
4. Configure queue-based traffic shaping on the outbound interface to limit the CIR values
of voice, video, and data services.
Procedure
Step 1 Configure VLANs and interfaces.
# Create VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, and add GE0/0/1 and GE0/0/2 to
VLAN 10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
NOTE
Step 2 Configure the inbound interface of service packets to trust packet priorities.
# Configure gigabitethernet0/0/1 to trust 802.1p priorities of packets.
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust 8021p
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
qos lr outbound cir 10000 cbs 1250000
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 6 shaping cir 3000 pir 5000
#
return
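The configuration file above is the case the NOTE under outbound interface-based rate limiting warns about: qos lr outbound and queue-based shaping coexist on GE0/0/2, so the interface CIR must be at least the sum of the queue CIRs (here 2000 + 5000 + 3000 = 10000, which satisfies the rule exactly). The following Python check is an added example, not code from this guide or from Huawei: it parses interface blocks in the configuration-file format shown above and reports any interface where the rule is broken or where a queue's PIR is below its CIR. The GE0/0/2 block in the sample is copied from the example; the GE0/0/3 block is constructed to violate the rule on purpose.

```python
"""Check that 'qos lr outbound cir' is >= the sum of queue shaping CIRs on each
interface of a Huawei-style configuration file.  Added example; GE0/0/3 below
is a constructed block that breaks the rule."""
import re

SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
 qos lr outbound cir 10000 cbs 1250000
 qos queue 2 shaping cir 2000 pir 3000
 qos queue 5 shaping cir 5000 pir 8000
 qos queue 6 shaping cir 3000 pir 5000
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
 qos lr outbound cir 8000
 qos queue 2 shaping cir 2000 pir 3000
 qos queue 5 shaping cir 5000 pir 8000
 qos queue 6 shaping cir 3000 pir 5000
#
return
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
LR_RE = re.compile(r"^qos lr outbound cir (\d+)(?: cbs (\d+))?")
QUEUE_RE = re.compile(r"^qos queue (\d+) shaping cir (\d+)(?: pir (\d+))?")


def parse_interfaces(config):
    """Return {interface: {"lr_cir": int or None, "queues": {index: (cir, pir)}}}.
    A '#' line ends the current interface block, as in the configuration file."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {"lr_cir": None, "queues": {}})
            continue
        if line == "#":
            current = None
            continue
        if current is None:
            continue
        m = LR_RE.match(line)
        if m:
            current["lr_cir"] = int(m.group(1))
            continue
        m = QUEUE_RE.match(line)
        if m:
            pir = int(m.group(3)) if m.group(3) else None
            current["queues"][int(m.group(1))] = (int(m.group(2)), pir)
    return result


def check_shaping(config):
    """Return a list of (interface, message) findings; an empty list means the
    shaping and rate-limit settings are consistent."""
    findings = []
    for name, data in parse_interfaces(config).items():
        for idx, (cir, pir) in sorted(data["queues"].items()):
            if pir is not None and pir < cir:
                findings.append((name, f"queue {idx}: pir {pir} is below cir {cir}"))
        queue_cir_sum = sum(cir for cir, _ in data["queues"].values())
        if data["lr_cir"] is not None and data["queues"] and queue_cir_sum > data["lr_cir"]:
            findings.append((name, f"qos lr outbound cir {data['lr_cir']} is below "
                                   f"the sum of queue CIRs {queue_cir_sum}"))
    return findings


if __name__ == "__main__":
    for iface, msg in check_shaping(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Running the check as part of configuration review catches the case the NOTE describes before it shows up as a low-priority queue taking bandwidth from a high-priority one.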
Networking Requirements
As shown in Figure 5-15, the Switch connects to the router through GE0/0/3. Enterprise
departments 1 and 2 are connected to GE0/0/1 and GE0/0/2 of the Switch and access the
Internet through the Switch and router.
Services do not need to be differentiated, but bandwidth for each department needs to be
limited. For department 1, incoming traffic must be allocated guaranteed bandwidth of 8
Mbit/s and maximum bandwidth of 10 Mbit/s. For department 2, incoming traffic must be
allocated guaranteed bandwidth of 5 Mbit/s and maximum bandwidth of 8 Mbit/s.
(Figure 5-15: Department 1 connects through SwitchA to GE0/0/1 of the Switch and Department 2 through SwitchB to GE0/0/2; GE0/0/3 of the Switch connects to the Router and the network. Traffic direction: from the departments to the network.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces of the Switch to enable users to access the Internet.
2. Configure rate limiting for all incoming traffic on GE0/0/1 and GE0/0/2 of the Switch.
Procedure
Step 1 Create VLANs and configure interfaces on the Switch.
# Create VLAN 100 and VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces, and configure GE0/0/1 to
allow VLAN 100, GE0/0/2 to allow VLAN 200, and GE0/0/3 to allow VLAN 100 and VLAN
200.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos lr inbound cir 8192 cbs 1024000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos lr inbound cir 5120 cbs 640000
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
5.11 FAQ
commands have the same effect. If you want to limit the rate of all incoming packets, choose
a proper command.
5.12 References
Document Description Remarks
This chapter describes how to configure congestion avoidance and congestion management.
6.1 Overview
6.2 Principles
This section describes the principles of congestion management and congestion avoidance.
6.3 Applicable Scenario
6.4 Configuration Notes
6.5 Configuring Congestion Avoidance on the S2750, S5700LI, S5700S-LI, S5710-X-LI,
S5720SI, and S5720S-SI
6.6 Configuring Congestion Avoidance on the S6720EI, S5720HI, and S5720EI
6.7 Configuring Congestion Management on the S2750, S5700LI, S5700S-LI, S5710-X-LI,
S5720SI, and S5720S-SI
6.8 Configuring Congestion Management on the S6720EI, S5720HI, and S5720EI
6.9 Configuring Congestion Management on a Stack Interface of the S2750, S5700LI,
S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI
6.10 Configuring Congestion Management on a Stack Interface on the S6720EI and S5720EI
6.11 Maintaining Congestion Avoidance and Congestion Management
6.12 Configuration Examples
6.13 References
6.1 Overview
Congestion avoidance prevents a network from being overloaded using a packet discarding
policy. Congestion management ensures that high-priority services are preferentially
processed based on the specified packet scheduling sequence.
On a traditional network, quality of service (QoS) is degraded by network congestion.
Congestion is the reduced forwarding rate and added delay that result from insufficient
network resources. It causes packet transmission delay, low throughput, and high resource
consumption, and it frequently occurs in complex networking environments where packet
transmission and the provision of various services are both required.
Congestion avoidance and congestion management are two flow control mechanisms for
resolving congestion on a network.
Congestion Avoidance
Congestion avoidance is a flow control mechanism. A system configured with congestion
avoidance monitors network resources such as queues and memory buffers. When congestion
occurs or aggravates, the system discards packets.
The device supports the following congestion avoidance features:
l Tail drop
Tail drop is the traditional congestion avoidance mechanism. It treats all packets
equally without classifying them into different types. When congestion occurs, packets
arriving at the tail of a queue are discarded until the congestion is relieved.
Tail drop causes global Transmission Control Protocol (TCP) synchronization. With tail
drop, all newly arrived packets are dropped when congestion occurs, so all TCP sessions
enter the slow start state at the same time and slow their transmission. All TCP sessions
then ramp up again at roughly the same time, congestion recurs, another burst of packet
drops follows, and all TCP sessions enter slow start again. This cycle repeats constantly
and severely reduces network resource usage.
By default, an interface uses tail drop.
l WRED
Weighted Random Early Detection (WRED) randomly discards packets based on drop
parameters. WRED defines different drop policies for packets of different services.
WRED discards packets based on packet priorities, so the drop probability of packets
with higher priorities is low. In addition, WRED randomly discards packets so that rates
of TCP connections are reduced at different times. This prevents global TCP
synchronization.
WRED defines an upper and a lower threshold for the length of each queue. The packet drop
policy is as follows:
– When the length of a queue is shorter than the lower threshold, no packet is
discarded.
– When the length of a queue exceeds the upper threshold, all received packets are
discarded.
– When the length of a queue ranges from the lower threshold to the upper threshold,
incoming packets are discarded randomly. Random Early Detection (RED)
generates a random number for each incoming packet and compares it with the drop
probability of the current queue. If the random number is smaller than the drop
probability, the packet is discarded. A longer queue indicates a higher drop
probability.
Congestion Management
When a network is congested intermittently and delay-sensitive services require higher
bandwidth than other services, congestion management adjusts the scheduling order of
packets.
The device supports the following congestion management features:
l PQ scheduling
Priority queuing (PQ) schedules packets in descending order of priority. Packets in
queues with a low priority can be scheduled only after all packets in queues with a high
priority have been scheduled.
By using PQ scheduling, the device puts packets of delay-sensitive services into queues
with higher priorities and packets of other services into queues with lower priorities so
that packets of delay-sensitive services are preferentially scheduled.
The disadvantage of PQ is that packets in lower-priority queues are not processed until
all higher-priority queues are empty. As a result, a congested higher-priority queue
starves all lower-priority queues.
l WRR scheduling
Weighted Round Robin (WRR) ensures that packets in all the queues are scheduled in
turn.
For example, eight queues are configured on an interface. Each queue is configured with
a weight, namely, w7, w6, w5, w4, w3, w2, w1, and w0. The weight value represents the
percentage of obtaining resources. This example assumes that the weights of queues on a
100M interface are 50, 50, 30, 30, 10, 10, 10, and 10, which correspond to w7, w6, w5,
w4, w3, w2, w1, and w0 respectively. The queue with the lowest priority can obtain at
least 5 Mbit/s bandwidth. This ensures that packets in all the queues can be scheduled.
In addition, WRR can dynamically change the time of scheduling packets in queues. For
example, if a queue is empty, WRR ignores this queue and starts to schedule the next
queue. This ensures efficient use of bandwidth.
WRR scheduling has two disadvantages:
– WRR schedules packets by packet count, whereas users are concerned with bandwidth.
When the average packet length in each queue is the same or known, users can obtain
the required bandwidth by setting WRR weights. When the average packet length in each
queue varies, setting WRR weights does not give users the required bandwidth.
– Delay-sensitive services, such as voice services, cannot be scheduled in a timely
manner.
NOTE
The difference between DRR and WRR is as follows: WRR schedules packets based on the
number of packets, whereas DRR schedules packets based on packet length. If a packet is
longer than the credit a queue has left, DRR still sends it and allows the queue's weight
(deficit) to go negative so that long packets can be scheduled. In the following rounds,
the queue with the negative value is not scheduled until its value becomes positive again.
DRR offsets the disadvantages of PQ scheduling and WRR scheduling: in PQ scheduling,
packets in lower-priority queues may not be scheduled for a long time; in WRR scheduling,
bandwidth is allocated improperly when the packet length of each queue differs or varies.
DRR cannot schedule delay-sensitive services such as voice services in a timely manner.
l PQ+WRR/PQ+DRR scheduling
PQ, WRR, and DRR have their own advantages and disadvantages. If only PQ
scheduling is used, packets in the queues with a low priority may not obtain bandwidth
for a long time. If only WRR or DRR scheduling is used, delay-sensitive services, such
as voice services, cannot be scheduled in a timely manner. PQ+WRR or PQ+DRR
scheduling integrates the advantages of PQ scheduling and WRR or DRR scheduling and
can avoid their disadvantages.
By using PQ+WRR or PQ+DRR scheduling, the device puts important packets such as
protocol packets and packets of delay-sensitive services to the PQ queue, and allocates
bandwidth to the PQ queue. Then, the device can put other packets into the WRR or
DRR queues based on the packet priority. Packets in WRR or DRR queues can be
scheduled based on weight values in turn.
6.2 Principles
This section describes the principles of congestion management and congestion avoidance.
l WRED
To avoid global TCP synchronization, Random Early Detection (RED) is used. The RED
mechanism randomly discards packets so that the transmission speed of multiple TCP
connections is not reduced simultaneously. In this manner, global TCP synchronization is
prevented. The rate of TCP traffic and network traffic become stable.
The device provides Weighted Random Early Detection (WRED) based on RED
technology.
– WRED
WRED discards packets in queues based on DSCP priorities or IP priorities. The
upper drop threshold, lower drop threshold, and drop probability can be set for each
priority. When the total size of packets in a queue reaches the lower drop threshold,
the device starts to discard packets. As the total size of packets in the queue
increases, the packet loss ratio increases accordingly. The maximum drop
probability cannot exceed the configured packet loss ratio. All packets are discarded
when the total size of packets in the queue reaches the upper drop threshold. WRED
discards packets in queues based on the drop probability, thereby preventing
congestion to a certain degree.
[Figure: WRED on a packet flow; packets are queued in Queue 0 (low priority) through the
higher queues and the drop decision is made per queue before scheduling onto the interface]
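The WRED drop policy described above, as an added example (not code from the Huawei guide): the drop probability is zero below the lower threshold, rises linearly to the configured maximum between the thresholds, and is one at or above the upper threshold; the RED decision compares a per-packet random number with that probability. The thresholds are the ones the configuration example in 6.12 gives for drop profile wred1; holding the queue depth constant is a test device of this example, not something the switch does.

```python
import random

# Drop profile wred1 from the configuration example in 6.12:
# colour -> (low-limit %, high-limit %, maximum discard %).
WRED1 = {
    "green": (80, 100, 10),
    "yellow": (60, 80, 20),
    "red": (40, 60, 40),
}


def drop_probability(profile, color, queue_pct):
    """Drop probability (0.0 .. 1.0) for a packet of the given colour when
    the queue is queue_pct percent full.

    Below the lower threshold nothing is dropped; between the thresholds the
    probability rises linearly up to the configured maximum; at or above the
    upper threshold every packet is dropped (tail-drop behaviour)."""
    low, high, max_discard = profile[color]
    if queue_pct < low:
        return 0.0
    if queue_pct >= high:
        return 1.0
    return (queue_pct - low) / float(high - low) * (max_discard / 100.0)


def red_decision(profile, color, queue_pct, rng):
    """RED as the guide describes it: draw a random number per packet and
    drop the packet if the number is smaller than the drop probability."""
    return rng.random() < drop_probability(profile, color, queue_pct)


def drops_at_depth(profile, queue_pct, per_color=1000, seed=7):
    """Offer per_color packets of each colour while the queue is held at a
    fixed depth and count how many are dropped. Holding the depth constant
    isolates the colour-dependent part of WRED from the queue dynamics."""
    rng = random.Random(seed)
    return {
        color: sum(red_decision(profile, color, queue_pct, rng) for _ in range(per_color))
        for color in profile
    }


if __name__ == "__main__":
    for depth in (30, 50, 70, 90, 100):
        print("queue at %3d%%:" % depth, drops_at_depth(WRED1, depth))
```

At a queue depth of 70% this profile drops no green packets, roughly one in ten yellow packets, and every red packet, which is the "low-priority packets are discarded first" behaviour the text relies on.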
l WRR scheduling
WRR scheduling is an extension of Round Robin (RR) scheduling. Packets in each
queue are scheduled in a polling manner based on the queue weight. RR scheduling
equals WRR scheduling with the weight being 1.
Figure 6-4 shows WRR scheduling.
[Figure 6-4 WRR scheduling: packets are classified into Queue 0 to Queue 7 and scheduled
onto the interface in turn]
In WRR scheduling, the device schedules packets in queues in a polling manner round
by round based on the queue weight. After one round of scheduling, the weights of all
queues are decreased by 1. The queue whose weight is decreased to 0 cannot be
scheduled. When the weights of all the queues are decreased to 0, the next round of
scheduling starts. For example, the weights of eight queues on an interface are set to 4, 2,
5, 3, 6, 4, 2, and 1. Table 6-1 lists the WRR scheduling results.
Table 6-1 WRR scheduling results
Queue                          Q7   Q6   Q5   Q4   Q3   Q2   Q1   Q0
Weight                          4    2    5    3    6    4    2    1
Queue scheduled in the
sixth round of scheduling       -    -    -    -   Q3    -    -    -
Queue scheduled in the
twelfth round of scheduling     -    -    -    -   Q3    -    -    -
The statistics show that the number of times packets are scheduled in each queue
corresponds to the queue weight. A higher queue weight indicates a greater number of
times packets in the queue are scheduled. The unit for WRR scheduling is packet;
therefore, there is no fixed bandwidth for each queue. If packets are scheduled fairly,
large-sized packets obtain more bandwidth than small-sized packets.
WRR scheduling offsets the disadvantage of PQ scheduling in which packets in lower-
priority queues may not be processed for a long period of time. In addition, WRR can
dynamically change the time spent scheduling each queue: if a queue is empty, WRR
scheduling skips it and starts to schedule the next queue, which keeps bandwidth usage
high. WRR scheduling, however, cannot schedule short-delay services in time.
l DRR scheduling
DRR is also based on RR. DRR solves the WRR problem. In WRR scheduling, a large-
sized packet obtains less bandwidth than a small-sized packet. DRR schedules packets
considering the packet length, ensuring that packets are scheduled equally.
Deficit indicates the bandwidth deficit of each queue. The initial value is 0. The system
allocates bandwidth to each queue based on the weight and calculates the deficit. If the
deficit of a queue is greater than 0, the queue participates in scheduling. The device
sends a packet and calculates the deficit based on the length of the sent packet. If the
deficit of a queue is smaller than 0, the queue does not participate in scheduling. The
current deficit is used as the basis for the next round of scheduling.
Figure 6-5 DRR scheduling (queued packet lengths in bytes; the packet listed last is at
the head of the queue and is sent first, for example 900 bytes for Q7 and 400 bytes for Q6)
Queue (bandwidth share)   Queued packets
Q7 (20%)                  400  600  900
Q6 (15%)                  500  300  400
Q5 (10%)                  800  400  600
Q4 (5%)                   800  800  400
Q3 (20%)                  500  400  800
Q2 (15%)                  700  700  700
Q1 (10%)                  700  800  600
Q0 (5%)                   700  800  600
In Figure 6-5, the weights of Q7, Q6, Q5, Q4, Q3, Q2, Q1, and Q0 are set to 40, 30, 20,
10, 40, 30, 20, and 10 respectively. During scheduling, Q7, Q6, Q5, Q4, Q3, Q2, Q1, and
Q0 obtain 20%, 15%, 10%, 5%, 20%, 15%, 10%, and 5% of the bandwidth respectively.
Q7 and Q6 are used as examples to describe DRR scheduling. Assume that Q7 obtains
400 bytes/s bandwidth and Q6 obtains 300 bytes/s bandwidth.
– First round of scheduling
Deficit[7][1] = 0+400 = 400
Deficit[6][1] = 0+300 = 300
After packet of 900 bytes in Q7 and packet of 400 bytes in Q6 are sent, the values
are as follows:
Deficit[7][1] = 400-900 =-500
Deficit[6][1] = 300-400 =-100
– Second round of scheduling
Deficit [7][2] = -500 + 400 = -100
Deficit [6][2] = -100 + 300 = 200
The packet at the head of Q7 is not scheduled because the deficit of Q7 is negative.
The 300-byte packet in Q6 is sent, and the value becomes:
Deficit [6][2] = 200-300 =-100
[Figure: DRR scheduling; packets are classified into Queue 1 (weight 1) to Queue N
(weight N) and scheduled onto the interface]
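The DRR walk-through for Figure 6-5 carried through in code, as an added example that is not part of the guide. It reproduces the guide's variant of DRR: a queue is credited with its quantum each round, sends one packet when its deficit is positive, and is charged the full packet length even if that drives the deficit negative. Only the quanta for Q7 (400 bytes) and Q6 (300 bytes) are given by the guide; the others follow the same 20/15/10/5 percent split, and resetting an empty queue's deficit to zero is this example's assumption.

```python
from collections import deque

# Packet lengths (bytes) waiting in each queue of Figure 6-5, head of queue
# first: Q7 sends its 900-byte packet first, Q6 its 400-byte packet.
FIGURE_6_5 = {
    7: [900, 600, 400],
    6: [400, 300, 500],
    5: [600, 400, 800],
    4: [400, 800, 800],
    3: [800, 400, 500],
    2: [700, 700, 700],
    1: [600, 800, 700],
    0: [600, 800, 700],
}

# Bytes credited to each queue per round. 400 for Q7 and 300 for Q6 are the
# guide's figures; the rest follow the same 20/15/10/5 % split (assumption).
QUANTUM = {7: 400, 6: 300, 5: 200, 4: 100, 3: 400, 2: 300, 1: 200, 0: 100}


def drr_rounds(packets, quantum, rounds):
    """Run DRR for the given number of rounds and return a per-round trace.

    Each round credits a queue with its quantum; if the deficit is then
    positive the head packet is sent and its length is charged, which may
    drive the deficit negative so the queue sits out following rounds until
    the credit has paid the debt back. An empty queue carries no credit over
    (assumption: the guide does not say what happens to an idle queue)."""
    queues = {q: deque(p) for q, p in packets.items()}
    deficit = {q: 0 for q in packets}
    trace = []
    for _ in range(rounds):
        sent = []
        for q in sorted(queues, reverse=True):  # Q7 first, as in the figure
            if not queues[q]:
                deficit[q] = 0
                continue
            deficit[q] += quantum[q]
            if deficit[q] > 0:
                length = queues[q].popleft()
                deficit[q] -= length
                sent.append((q, length))
        trace.append({"sent": sent, "deficit": dict(deficit)})
    return trace


def bytes_per_queue(trace):
    """Total bytes each queue managed to send over the traced rounds."""
    totals = {}
    for rnd in trace:
        for q, length in rnd["sent"]:
            totals[q] = totals.get(q, 0) + length
    return totals


if __name__ == "__main__":
    for i, rnd in enumerate(drr_rounds(FIGURE_6_5, QUANTUM, 4), start=1):
        print("round", i, "sent", rnd["sent"], "deficit", rnd["deficit"])
```

The first two rounds reproduce the guide's numbers exactly: after round 1 the deficits of Q7 and Q6 are -500 and -100; in round 2 Q7 is skipped (deficit -100) while Q6 sends its 300-byte packet and ends at -100 again.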
l PQ+WRR scheduling
PQ scheduling and WRR scheduling each have advantages and disadvantages. PQ+WRR
scheduling offsets the disadvantages of both: packets from lower-priority queues obtain
bandwidth through WRR scheduling, and short-delay services are scheduled first through
PQ scheduling.
On the device, you can set WRR parameters for queues. The eight queues on each
interface are classified into two groups. One group includes queue 7, queue 6, and Queue
5, and is scheduled in PQ mode; the other group includes queue 4, queue 3, queue 2,
queue 1, and queue 0, and is scheduled in WRR mode. Only LAN-side interfaces on the
device support PQ+WRR scheduling. Figure 6-7 shows PQ+WRR scheduling.
[Figure 6-7 PQ+WRR scheduling: Queue 7, Queue 6, and Queue 5 are served by PQ
scheduling; Queue 4 to Queue 0 are served by WRR scheduling; all feed the interface]
During scheduling, the device first schedules traffic in queue 7, queue 6, and queue 5 in
PQ mode. The device schedules traffic in other queues in WRR mode only after the
traffic in queue 7, queue 6, and queue 5 are scheduled. Queue 4, queue 3, queue 2, queue
1, and queue 0 have their own weights. Important protocol packets or short-delay service
packets must be placed in queues using PQ scheduling so that they can be scheduled
first. Other packets are placed in queues using WRR scheduling.
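An added example (not the guide's code) covering two passages: the WRR round-by-round procedure behind Table 6-1 (weights 4, 2, 5, 3, 6, 4, 2, 1 for Q7 to Q0, each round decrementing the remaining weights by one) and the PQ+WRR scheduling just described, using the guide's convention that a weight of 0 marks a PQ queue. The packet names in the PQ+WRR run are constructed.

```python
from collections import deque


def wrr_rounds(weights, rounds):
    """Which queues get a slot in each round, following the guide's
    description: every queue starts a cycle with its weight, each round
    served decrements it by one, a queue at zero is skipped, and when all
    reach zero the weights are reloaded and a new cycle begins."""
    remaining = dict(weights)
    schedule = []
    for _ in range(rounds):
        if all(v == 0 for v in remaining.values()):
            remaining = dict(weights)
        served = [q for q in sorted(remaining, reverse=True) if remaining[q] > 0]
        for q in served:
            remaining[q] -= 1
        schedule.append(served)
    return schedule


def pq_wrr_schedule(weights, queues):
    """Service order of the queued packets under PQ+WRR.

    A weight of 0 marks a PQ queue (the guide's convention). PQ queues are
    drained first, highest index first; the remaining queues then share the
    link by WRR, one packet per slot, idle queues being skipped so their
    slots are not wasted. With a static backlog this equals re-checking the
    PQ queues before every WRR slot."""
    pending = {q: deque(queues.get(q, [])) for q in weights}
    order = []
    for q in sorted((q for q, w in weights.items() if w == 0), reverse=True):
        while pending[q]:
            order.append((q, pending[q].popleft()))
    wrr = {q: w for q, w in weights.items() if w > 0}
    remaining = dict(wrr)
    while any(pending[q] for q in wrr):
        if all(remaining[q] == 0 or not pending[q] for q in wrr):
            remaining = dict(wrr)          # cycle complete: reload weights
        for q in sorted(wrr, reverse=True):
            if remaining[q] > 0 and pending[q]:
                order.append((q, pending[q].popleft()))
                remaining[q] -= 1
    return order


TABLE_6_1 = {7: 4, 6: 2, 5: 5, 4: 3, 3: 6, 2: 4, 1: 2, 0: 1}

if __name__ == "__main__":
    for i, served in enumerate(wrr_rounds(TABLE_6_1, 12), start=1):
        print("round", i, "->", ["Q%d" % q for q in served])
    # Constructed backlog: voice in Q7 and signalling in Q5 are PQ (weight 0),
    # Q4 and Q2 share what is left by WRR with weights 2 and 1.
    print(pq_wrr_schedule({7: 0, 5: 0, 4: 2, 2: 1},
                          {7: ["v1", "v2"], 5: ["p1"], 4: ["a", "b", "c"], 2: ["x", "y"]}))
```

With the Table 6-1 weights one cycle lasts six rounds and the sixth and twelfth rounds serve only Q3, as the table shows; counted over a cycle each queue is served exactly its weight's number of times.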
l PQ+DRR scheduling
Similar to PQ+WRR, PQ+DRR scheduling offsets disadvantages of PQ scheduling and
DRR scheduling. If only PQ scheduling is used, packets in queues with lower priorities
cannot obtain bandwidth for a long period of time. If only DRR scheduling is used,
short-delay services such as voice services cannot be scheduled first. PQ+DRR
scheduling has advantages of both PQ and DRR scheduling and offsets their
disadvantages.
Eight queues on the device interface are classified into two groups. You can specify PQ
scheduling for certain groups and DRR scheduling for other groups.
[Figure 6-8 PQ+DRR scheduling: Queue 7, Queue 6, and Queue 5 are served by PQ
scheduling; Queue 4 to Queue 0 are served by DRR scheduling; all feed the interface]
As shown in Figure 6-8, the device first schedules traffic in queues 7, 6, and 5 in PQ
mode. After traffic scheduling in queues 7, 6, and 5 is complete, the device schedules
traffic in queues 4, 3, 2, 1, and 0 in DRR mode. Queues 4, 3, 2, 1, and 0 have their own
weight.
Important protocol packets or short-delay service packets must be placed in queues using
PQ scheduling so that they can be scheduled first. Other packets are placed in queues
using DRR scheduling.
[Figure: congestion management scenario; a data flow from the data server and a video
flow from the video server travel in the same direction through the switch]
As shown in Figure 6-10, when two LANs need to communicate through the WAN,
congestion may occur on the edge switch between the WAN and LANs because WAN
bandwidth is lower than LAN bandwidth. Congestion avoidance can be configured on the
edge switch to discard low-priority packets such as data packets, reducing network overload
and ensuring forwarding of high-priority services.
[Figure 6-10: voice flow and data flow from the LAN through the edge switch toward the WAN]
License Support
Congestion management and congestion avoidance are basic features of a switch and are not
under license control.
Version Support
Table 6-2 describes the products and minimum version supporting congestion management
and congestion avoidance.
Table 6-2 Products and minimum version supporting congestion management and congestion
avoidance
Product                  Minimum Version Required
S2750EI                  V200R003
S5710-X-LI               V200R008
S5720EI                  V200R007
S5720SI/S5720S-SI        V200R008
S5720HI                  V200R006
S6720EI                  V200R008
S6720S-EI                V200R009
NOTE
Before setting the maximum number of bytes or packets to be cached in a queue, run the shutdown
command to shut down the interface. After the maximum number of bytes or packets to be cached in a
queue is set, run the undo shutdown command to enable the interface. These operations may cause
network interruption in a short period of time.
Procedure
Step 1 Run:
system-view
Step 7 Run:
qos tail-drop-profile profile-name
----End
Pre-configuration Tasks
When packets are discarded due to congestion, configure congestion avoidance on the device.
The device then processes packets of different services (differentiated by CoS values or
colors) differently and guarantees bandwidth for important services so that fewer packets
of important services are discarded.
Before configuring congestion avoidance, complete the following task: map the priority of
packets to a per-hop behavior (PHB) and color.
NOTE
Congestion avoidance applies only to unicast traffic.
Context
The Canonical Format Indicator (CFI) in the VLAN tag, also called Drop Eligible Indicator
(DEI), identifies the drop priority of packets in certain situations. When the rate of packets on
certain devices exceeds the committed information rate (CIR) value, the value of the DEI field
is set to 1. In this case, the drop priority of the packets is high. When congestion occurs, the
devices first discard the packets whose DEI field is 1.
If packets whose rate exceeds the CIR need to be discarded, configure CFI as the internal drop
priority.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
dei enable
----End
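The DEI/CFI behaviour described in this section, together with the interface rate limit configured in the example at the top of this chapter (qos lr inbound cir 8192 cbs 1024000, CIR in kbit/s and CBS in bytes), as an added example that is not from the guide. It models the rate limit as a single-rate token bucket, which is an assumption about how qos lr meters, and shows the 802.1Q TCI bit layout the DEI field lives in (PCP in the top three bits, DEI in bit 12, VID in the low twelve). Frames that exceed the CIR are forwarded with DEI set so a congested downstream queue discards them first. The frames and arrival times are constructed.

```python
import struct

TPID_8021Q = 0x8100


class TokenBucket:
    """Single-rate token bucket used here to model the interface rate limit
    (qos lr ... cir <kbit/s> cbs <bytes>). Assumption: this is how qos lr
    meters; the guide only gives the parameter names."""

    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8.0   # tokens (bytes) added per second
        self.cbs = float(cbs_bytes)          # bucket depth
        self.tokens = float(cbs_bytes)       # bucket starts full
        self.last = 0.0

    def conforms(self, length, now):
        """True if a frame of `length` bytes arriving at time `now` fits
        within the CIR/CBS; tokens are only consumed by conforming frames."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False


def make_frame(pcp, vid, total_len, dei=0):
    """Constructed 802.1Q-tagged Ethernet frame: dst, src, TPID, TCI,
    EtherType (IPv4), zero payload padded to total_len bytes."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    header = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa"
    header += struct.pack("!HHH", TPID_8021Q, tci, 0x0800)
    return header + b"\x00" * (total_len - len(header))


def parse_tci(frame):
    """Return (PCP, DEI, VID) from the frame's 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def set_dei(frame):
    """Copy of the frame with DEI (formerly the CFI bit) set to 1."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    return frame[:14] + struct.pack("!H", tci | 0x1000) + frame[16:]


def meter_and_mark(frames, cir_kbps, cbs_bytes):
    """frames: list of (arrival time in seconds, tagged frame). Frames that
    exceed the CIR are forwarded with DEI=1 so that a congested downstream
    queue drops them first; conforming frames pass unchanged."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    out = []
    for now, frame in frames:
        if bucket.conforms(len(frame), now):
            out.append((frame, False))
        else:
            out.append((set_dei(frame), True))
    return out


if __name__ == "__main__":
    # Constructed burst: 1000 frames of 1500 bytes arriving at once on a
    # port limited to 8192 kbit/s with a 1024000-byte CBS.
    burst = [(0.0, make_frame(5, 100, 1500)) for _ in range(1000)]
    result = meter_and_mark(burst, 8192, 1024000)
    print("frames marked DEI=1:", sum(flag for _, flag in result))
```

With a 1024000-byte CBS the first 682 frames of the burst fit in the bucket (682 x 1500 = 1023000 bytes) and the remaining 318 are marked; a frame arriving one second later finds the bucket refilled at 1024000 bytes/s and conforms again.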
Context
WRED randomly discards packets based on drop parameters to prevent global TCP
synchronization, and defines different drop policies based on packet colors. WRED discards
packets based on packet priorities, so the drop probability of packets with higher priorities is
low. A WRED drop profile defines upper and lower drop thresholds and maximum drop
probability for packets of different colors. For more information about packet colors, see 3.6
Configuring Priority Mapping.
Procedure
Step 1 Run:
system-view
Step 2 Run:
drop-profile drop-profile-name
A WRED drop profile is created and the drop profile view is displayed.
By default, the WRED drop profile default exists. The WRED drop profile default can be
modified but cannot be deleted.
Step 3 Run:
color { green | non-tcp | red | yellow } low-limit low-limit-percentage high-
limit high-limit-percentage discard-percentage discard-percentage
By default, the upper threshold, lower threshold, and maximum drop probability of a WRED
drop profile are 100.
----End
Context
On the device, you can apply a WRED drop profile to an interface, the system, or a queue on
an interface.
If a WRED drop profile is applied to both the system and an interface, the profile
applied to the interface takes effect. After a WRED drop profile is applied to the
system, it takes effect on all interfaces. If you apply a WRED drop profile to both an
interface and a queue on that interface, the system first matches packets against the
profile applied to the queue and then against the profile applied to the interface, and
performs congestion avoidance on the packets that match.
Procedure
l Applying a WRED drop profile to the system
a. Run:
system-view
NOTE
The parameter drop-profile-name specifies the name of a WRED drop profile. The value
must be the same as that configured in 6.6.2 Configuring a WRED Drop Profile.
----End
Context
Each interface can be configured with a maximum of eight queues. Different queues can use
different scheduling modes. The device schedules the PQ queue first. If multiple PQ queues
exist, the device schedules the queues in descending order of priority. A larger queue index
indicates higher priority of a queue. After all the PQ queues are scheduled, the device
schedules the WRR or DRR queues in turn.
Procedure
Step 1 Run:
system-view
A global schedule template is created and the schedule template view is displayed.
Step 3 Run:
qos { pq | wrr | drr }
NOTE
Perform this step only when the scheduling mode of a port queue is set to PQ+WRR or WRR.
When WRR scheduling is applied and the weight of a queue is set to 0, that queue uses PQ
scheduling and the other queues use WRR scheduling. When configuring PQ+WRR scheduling,
ensure that the queues with weight 0 (PQ queues) are consecutive and not interleaved with
WRR or DRR queues.
l If the scheduling mode is DRR, run the qos queue queue-index drr weight weight
command to set the DRR weight for a port queue.
By default, the weight in DRR mode is 1.
NOTE
Perform this step only when the scheduling mode of a port queue is set to DRR or PQ+DRR.
When DRR scheduling is applied and the weight of a queue is set to 0, the queue applies PQ
scheduling and other queues apply DRR scheduling.
Step 5 Run:
quit
Pre-configuration Tasks
When a network is congested intermittently, configure congestion management on the device.
The device then determines the sequence at which packets are forwarded according to the
defined scheduling policy and ensures that high-priority services are scheduled preferentially.
Before configuring congestion management, map the priority of packets to a PHB.
Context
Each interface can be configured with a maximum of eight queues. Different queues can use
different scheduling modes. The device schedules the PQ queue first. If multiple PQ queues
exist, the device schedules the queues in descending order of priority. A larger queue index
indicates higher priority of a queue. After all the PQ queues are scheduled, the device
schedules the WRR or DRR queues in turn.
Procedure
Step 1 Run:
system-view
The scheduling mode of queues on the interface is set to PQ, WRR, or DRR.
By default, the scheduling mode of queues on an interface of the S5720HI is DRR, and the
scheduling mode of queues on an interface of other models is WRR.
Step 4 Configure the weight.
l In WRR scheduling, run:
qos queue queue-index wrr weight weight
This step is required only when the scheduling mode is WRR or PQ+WRR.
When WRR scheduling is applied and the weight of a queue is set to 0, PQ scheduling is used.
That is, the queue uses PQ+WRR.
l In DRR scheduling, run:
qos queue queue-index drr weight weight
This step is required only when the scheduling mode is DRR or PQ+DRR.
When DRR scheduling is applied and the weight of a queue is set to 0, PQ scheduling is used.
That is, the queue uses PQ+DRR.
During queue scheduling on the S5720EI and S6720EI, changing the weight may cause packet
loss within 250 ms.
The S5720HI does not support WRR and PQ+WRR.
----End
Pre-configuration Tasks
After congestion management is configured on a stack interface, if congestion occurs on a
network, the device determines the sequence at which packets are forwarded according to the
defined scheduling policy and ensures that high-priority services are sent preferentially.
Context
After the stack is configured, stack protocol packets and packets between chassis are
exchanged on the stack interface. If a large number of packets are exchanged, congestion may
occur on the stack interface. As a result, core services such as video services and voice
services cannot be processed in a timely manner. You can set the scheduling mode on the
stack interface so that services with the same priority are processed in the same manner and
services with different priorities are processed based on weights.
Procedure
Step 1 Run:
system-view
Step 2 Run:
qos schedule-profile profile-name
A global schedule template is created and the schedule template view is displayed.
Step 3 Run:
qos { pq | wrr | drr }
NOTE
Perform this step only when the scheduling mode of a port queue is set to PQ+WRR or WRR.
When WRR scheduling is applied and the weight of a queue is set to 0, that queue uses PQ
scheduling and the other queues use WRR scheduling. When configuring PQ+WRR scheduling,
ensure that the queues with weight 0 (PQ queues) are consecutive and not interleaved with
WRR or DRR queues.
l If the scheduling mode is DRR, run the qos queue queue-index drr weight weight
command to set the DRR weight for a port queue.
By default, the weight in DRR mode is 1.
NOTE
Perform this step only when the scheduling mode of a port queue is set to DRR or PQ+DRR.
When DRR scheduling is applied and the weight of a queue is set to 0, the queue applies PQ
scheduling and other queues apply DRR scheduling.
Step 5 Run:
quit
Step 6 Run:
stack-port qos schedule-profile profile-name
----End
Context
After the stack is configured, stack protocol packets and packets between chassis are
exchanged on the stack interface. If a large number of packets are exchanged, congestion may
occur on the stack interface. As a result, core services such as video services and voice
services cannot be processed in a timely manner. You can set the scheduling mode on the
stack interface so that services with the same priority are processed in the same manner and
services with different priorities are processed based on weights.
Procedure
Step 1 Run:
system-view
Step 2 Run:
stack-port qos { pq | wrr | drr }
The scheduling mode of queues on the stack interface is set to PQ, WRR, or DRR.
By default, PQ is used.
Step 3 Run:
stack-port qos queue queue-index { wrr | drr } weight weight
When using WRR or DRR scheduling, you can set the weight for each queue. Then the device
schedules queues in turn based on the weights. If the weight of a queue is set to 0, the queue
uses PQ scheduling. In this case, PQ+WRR or PQ+DRR is used.
----End
Procedure
l Run the display qos queue statistics interface interface-type interface-number [ queue
queue-index ] command to view queue-based traffic statistics on the interface.
----End
Context
Before recollecting queue-based traffic statistics on an interface, run the following command
in the user view to clear the existing statistics.
NOTICE
The cleared queue-based traffic statistics cannot be restored. Exercise caution when you run
the command.
Procedure
l Run the reset qos queue statistics interface interface-type interface-number command
to clear queue-based traffic statistics on the interface.
----End
Networking Requirements
As shown in Figure 6-11, the Switch is connected to the router through GE 0/0/3. The
802.1p priorities of voice, video, and data services from the Internet are 7, 5, and 2
respectively, and these services reach users through the router and the Switch. To reduce
the impact of network congestion and guarantee bandwidth for high-priority and low-delay
services, set the related parameters according to the following table.
Service   PHB   WRR weight
Voice     CS7   0
Video     EF    20
Data      AF2   10
[Figure 6-11 Networking diagram: the Router connects to the Switch through GE0/0/3; the
Switch connects through GE0/0/1 and GE0/0/2 to two LSWs, each serving PCs (802.1p=2),
TVs (802.1p=5), and phones]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VLAN for each interface so that devices can communicate with each other
at the link layer.
2. Configure interfaces to trust 802.1p priorities of packets.
3. Configure the scheduling template and apply the scheduling template to the interface.
Procedure
Step 1 Configure the VLAN for each interface so that devices can communicate with each other at
the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/3] quit
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30
trust 8021p
#
qos schedule-profile p1
qos queue 2 wrr weight 10
qos queue 5 wrr weight 20
qos queue 7 wrr weight 0
#
return
Networking Requirements
The Switch is connected to the router through GE 0/0/3; the 802.1p priorities of voice, video,
and data services on the Internet are 6, 5, and 2 respectively, and these services can reach
users through the router and Switch, as shown in Figure 6-12. The rate of incoming interface
GE 0/0/3 on the Switch is greater than the rates of outgoing interfaces GE 0/0/1 and GE 0/0/2;
therefore, congestion may occur on these two outgoing interfaces.
To reduce the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set the related parameters according to Table 6-5 and Table 6-6.
Table 6-5 WRED parameters
Service   Color    Low limit (%)   High limit (%)   Discard percentage (%)
Voice     Green    80              100              10
Video     Yellow   60              80               20
Data      Red      40              60               40
Table 6-6 Scheduling parameters
Service   PHB   DRR weight
Voice     EF    0
Video     AF3   100
Data      AF1   50
Figure 6-12 Networking diagram for configuring congestion avoidance and congestion
management
[Figure 6-12: the Router connects to the Switch through GE0/0/3; GE0/0/1 and GE0/0/2
serve individual users 1 to n, each with a PC (802.1p=2), a TV (802.1p=5), and a phone
(802.1p=6)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the VLAN for each interface so that devices can communicate with each
other.
2. Create and configure a DiffServ domain on the Switch, map packets of 802.1p priorities
to PHBs and colors of packets, and bind the DiffServ domain to an incoming interface on
the Switch.
3. Create a WRED drop profile on the Switch and apply the WRED drop profile on an
outgoing interface.
4. Set scheduling parameters of queues of different CoS on outgoing interfaces of the
Switch.
Procedure
Step 1 Configure the VLAN for each interface so that the devices can communicate with each other.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 5 6
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
# Create DiffServ domain ds1, map packets of 802.1p priorities being 6, 5, and 2 to PHBs EF,
AF3, and AF1, and color packets as green, yellow, and red.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[Switch-dsdomain-ds1] quit
# Create drop profile wred1 on the Switch and set parameters of packets of three colors.
[Switch] drop-profile wred1
[Switch-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage 10
[Switch-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20
[Switch-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-drop-wred1] quit
# Apply drop profile wred1 on outgoing interfaces GE 0/0/1 and GE 0/0/2 of the Switch.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos wred wred1
[Switch-GigabitEthernet0/0/1] qos queue 5 wred wred1
[Switch-GigabitEthernet0/0/1] qos queue 3 wred wred1
[Switch-GigabitEthernet0/0/1] qos queue 1 wred wred1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos wred wred1
[Switch-GigabitEthernet0/0/2] qos queue 5 wred wred1
[Switch-GigabitEthernet0/0/2] qos queue 3 wred wred1
[Switch-GigabitEthernet0/0/2] qos queue 1 wred wred1
[Switch-GigabitEthernet0/0/2] quit
# Set scheduling parameters of queues of different CoS on outgoing interfaces GE 0/0/1 and
GE 0/0/2 of the Switch.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos drr
[Switch-GigabitEthernet0/0/1] qos queue 5 drr weight 0
[Switch-GigabitEthernet0/0/1] qos queue 3 drr weight 100
[Switch-GigabitEthernet0/0/1] qos queue 1 drr weight 50
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos drr
[Switch-GigabitEthernet0/0/2] qos queue 5 drr weight 0
[Switch-GigabitEthernet0/0/2] qos queue 3 drr weight 100
[Switch-GigabitEthernet0/0/2] qos queue 1 drr weight 50
[Switch-GigabitEthernet0/0/2] quit
----End
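The drop profile wred1 above is easier to reason about as a curve: each colour gets its own lower threshold, upper threshold and maximum discard percentage, and the switch drops more aggressively for red (out-of-contract) packets than for green ones as the queue fills. The following Python model is an added example, not Huawei code; it assumes the standard WRED semantics that the guide does not spell out (thresholds are percentages of queue depth, the drop probability rises linearly between the two limits, everything is dropped at or above high-limit, and the averaged queue occupancy is supplied by the caller).

```python
"""WRED drop decision for the three-colour drop profile wred1 on the page.

Added example, not Huawei code.  Assumed (the guide does not spell it out):
  * low-limit / high-limit are percentages of the queue's buffer depth;
  * between the limits the drop probability rises linearly from 0 to
    discard-percentage (the textbook WRED curve), and at or above high-limit
    every packet of that colour is dropped;
  * the caller supplies the averaged queue occupancy (the hardware does the averaging).
"""
import random

# colour -> (low-limit %, high-limit %, discard-percentage), as configured on the page
WRED1 = {
    "green":  (80, 100, 10),
    "yellow": (60,  80, 20),
    "red":    (40,  60, 40),
}


def drop_probability(profile, color, queue_fill_pct):
    """Probability (0.0 to 1.0) that a packet of `color` is discarded when the
    averaged queue occupancy is `queue_fill_pct` percent."""
    low, high, max_pct = profile[color]
    if queue_fill_pct < low:
        return 0.0                                  # below low-limit: never drop
    if queue_fill_pct >= high:
        return 1.0                                  # at/above high-limit: drop all
    # linear ramp from 0 at low-limit to discard-percentage at high-limit
    return (queue_fill_pct - low) / (high - low) * (max_pct / 100.0)


def should_drop(profile, color, queue_fill_pct, rng=random):
    """One random WRED decision for a single packet."""
    return rng.random() < drop_probability(profile, color, queue_fill_pct)


def observed_drop_rate(profile, color, queue_fill_pct, packets=10000, seed=1):
    """Fraction of `packets` dropped at a fixed occupancy (deterministic via seed)."""
    rng = random.Random(seed)
    dropped = sum(should_drop(profile, color, queue_fill_pct, rng) for _ in range(packets))
    return dropped / packets


def drop_table(profile, fills=(30, 50, 70, 90, 100)):
    """Drop probability of every colour at several queue occupancies."""
    return {fill: {c: round(drop_probability(profile, c, fill), 3) for c in profile}
            for fill in fills}


if __name__ == "__main__":
    for fill, row in drop_table(WRED1).items():
        print(f"queue {fill:3d}%: " + "  ".join(f"{c}={p:.3f}" for c, p in row.items()))
```

Reading the table the model prints shows the protective effect of the colouring: at 50% occupancy red packets are already being discarded with probability 0.2 while green and yellow are untouched, so a burst that the DiffServ domain has coloured red is shed first and cannot push the queue into the region where in-contract traffic starts to suffer.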
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos drr
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 5 drr weight 0
qos wred wred1
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos drr
qos queue 1 drr weight 50
qos queue 3 drr weight 100
[Figure: network topology. SwitchA connects the R&D, Marketing and Administrative departments to the Internet; the arrow marks the traffic direction.]
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
NOTE
The S5720HI does not support traffic classifiers with advanced ACLs containing the ttl-
expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI
does not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id,
or remark vlan-id vlan-id.
d. Run:
quit
a. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the view
of an existing traffic behavior is displayed.
b. Run the following commands as required.
n Run:
permit
l When permit and other actions are configured in a traffic behavior, the actions are
performed in sequence. deny cannot be configured with other actions. When deny is
used, other configured actions except traffic statistics and flow mirroring do not take
effect.
l For packets matching an ACL rule that defines permit, the action taken depends on
whether deny or permit is configured in the traffic behavior. If the ACL rule defines
deny, the packets are discarded regardless of whether deny or permit is configured in
the traffic behavior.
c. (Optional) Run:
statistic enable
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
n On the S6720EI, S5720EI and S5720HI, run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed. If no matching order is specified when
you create a traffic policy, the default matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a new traffic policy and
specify the matching order.
When creating a traffic policy, you can specify the matching order of matching
rules in the traffic policy. The matching order can be either automatic order or
configuration order:
○ If automatic order is used, traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on Layer 2 and Layer 3
information, Layer 2 information, and Layer 3 information are matched in
descending order of priority. The traffic classifier with the highest priority
is matched first. If data traffic matches multiple traffic classifiers, and the
traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
○ If configuration order is used, traffic classifiers are matched based on the
sequence in which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound direction.
In the preceding situation, if ACL rules need to be updated, delete the traffic policy
from the interface, VLAN, and system and reconfigure it in sequence.
c. Run:
classifier classifier-name behavior behavior-name
NOTE
Applying traffic policies consumes ACL resources. If there are not sufficient ACL
resources, some traffic policies may fail to be applied. For example, an if-match rule in
a traffic policy occupies an ACL. When the traffic policy is applied to M interfaces, M
ACLs are occupied. When a traffic policy is applied to a VLAN or in the system, the
number of occupied ACLs is the number of LPUs on the device. For details about
ACLs occupied by if-match rules, see Table 2-4 in 2.2 Configuration Notes.
– Applying a traffic policy to the system
i. Run:
system-view
Traffic policies can be applied to a sub-interface, but the display traffic-applied command cannot be
used to check the ACL-based simplified and MQC-based traffic policies applied to the sub-interface.
l Run the display traffic policy { interface [ interface-type interface-number
[.subinterface-number ] ] | vlan [ vlan-id ] | global } [ inbound | outbound ] command
to check the traffic policy configuration.
l Run the display traffic-policy applied-record [ policy-name ] command to check the
application record of a specified traffic policy.
Configuration Roadmap
You can define the deny action in a traffic policy to filter packets. The configuration roadmap
is as follows:
1. Configure interfaces so that enterprise users can access the external network through
SwitchA.
2. Configure traffic classifiers to classify packets based on 802.1p priorities.
3. Configure traffic behaviors so that the device permits or rejects packets matching rules.
4. Configure a traffic policy, bind the traffic policy to the traffic classifiers and traffic
behaviors, and apply the traffic policy to GE0/0/1 in the inbound direction to filter
packets.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
# Configure GE0/0/1 and GE0/0/2 on SwitchA as trunk interfaces and add them to VLAN 10.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
NOTE
Configure the interface of the LSW connected to SwitchA as a trunk interface and add it to VLAN 10.
NOTE
Configure IP address 192.168.2.2/24 for the router interface connected to the Switch.
# Configure traffic behaviors b2 and b3 on SwitchA and define the permit action.
[SwitchA] traffic behavior b2
[SwitchA-behavior-b2] permit
[SwitchA-behavior-b2] quit
[SwitchA] traffic behavior b3
[SwitchA-behavior-b3] permit
[SwitchA-behavior-b3] quit
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy named p1 on SwitchA, bind the traffic behaviors and traffic
classifiers to the traffic policy, and apply the traffic policy to GE0/0/1 in the inbound direction
to filter packets.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] classifier c2 behavior b2
[SwitchA-trafficpolicy-p1] classifier c3 behavior b3
[SwitchA-trafficpolicy-p1] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound
[SwitchA-GigabitEthernet0/0/1] quit
Classifier: c3
Operator: AND
Rule(s) : if-match 8021p 6
Classifier: c1
Operator: AND
Rule(s) : if-match 8021p 2
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
traffic classifier c1 operator and
if-match 8021p 2
traffic classifier c2 operator and
if-match 8021p 5
traffic classifier c3 operator and
if-match 8021p 6
#
traffic behavior b1
deny
traffic behavior b2
permit
traffic behavior b3
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface Vlanif10
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
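The procedure above states several rules that decide whether a frame is forwarded or dropped: with operator and, a classifier that contains ACL rules matches only when one ACL rule and every non-ACL rule match; with operator or, any rule suffices; an ACL rule that defines deny discards the packet whatever the traffic behavior says; and with match-order config the classifier bound first wins. The following Python model is an added example, not Huawei code. It encodes those rules, reproduces the c1/c2/c3 and b1/b2/b3 policy p1 from the example, and adds a second, assumed policy p2 (classifier c4 referencing a hypothetical ACL 4001 with a deny rule, bound to a permit behavior) to show the ACL-deny-overrides rule. Matching is limited to the 802.1p and source-MAC fields, and the sample frames are constructed.

```python
"""Model of the MQC matching rules stated in the guide.  Added example, not Huawei code.

Rules implemented:
  * operator and + ACL rules: one ACL rule must match and every non-ACL rule must match;
    operator and without ACL rules: every rule; operator or: any rule;
  * an ACL rule that defines deny discards the packet regardless of the behaviour;
  * match-order config: the classifier bound to the policy first wins;
  * with deny, only traffic statistics still take effect (so counters are updated first).
Assumed: only the 802.1p and source-MAC fields are matched; frames are plain dicts.
"""
from dataclasses import dataclass, field


@dataclass
class FieldRule:                 # e.g. "if-match 8021p 2"
    name: str
    value: object

    def matches(self, pkt):
        return pkt.get(self.name) == self.value


@dataclass
class AclRule:                   # e.g. "rule 5 deny source-mac 0000-0000-0003" behind "if-match acl"
    action: str                  # "permit" | "deny"
    name: str
    value: object

    def matches(self, pkt):
        return pkt.get(self.name) == self.value


@dataclass
class Classifier:
    name: str
    rules: list
    operator: str = "and"        # "and" | "or"

    def match(self, pkt):
        """Return (matched, matched_acl_rule_or_None)."""
        acl_rules = [r for r in self.rules if isinstance(r, AclRule)]
        other_hits = [r.matches(pkt) for r in self.rules if not isinstance(r, AclRule)]
        hit_acl = next((r for r in acl_rules if r.matches(pkt)), None)
        if self.operator == "or":
            matched = hit_acl is not None or any(other_hits)
        else:
            matched = (not acl_rules or hit_acl is not None) and all(other_hits)
        return matched, hit_acl


@dataclass
class Behavior:
    name: str
    action: str = "permit"       # "permit" | "deny"
    statistic: bool = False      # "statistic enable"


@dataclass
class Policy:
    name: str
    bindings: list               # [(Classifier, Behavior)] in configuration order
    stats: dict = field(default_factory=dict)

    def apply(self, pkt):
        """Return 'permit' or 'deny' for one frame; first matching classifier wins."""
        for cls, beh in self.bindings:
            matched, acl_rule = cls.match(pkt)
            if not matched:
                continue
            if beh.statistic:                     # statistics count even when the frame is denied
                self.stats[beh.name] = self.stats.get(beh.name, 0) + 1
            if acl_rule is not None and acl_rule.action == "deny":
                return "deny"                     # ACL deny overrides the behaviour
            return beh.action
        return "permit"                           # no classifier matched: forwarded normally


def filter_frames(policy, frames):
    return [policy.apply(f) for f in frames]


# Policy p1 exactly as configured in the page's example
c1, c2, c3 = (Classifier(n, [FieldRule("8021p", v)]) for n, v in (("c1", 2), ("c2", 5), ("c3", 6)))
b1, b2, b3 = Behavior("b1", "deny"), Behavior("b2", "permit"), Behavior("b3", "permit")
P1 = Policy("p1", [(c1, b1), (c2, b2), (c3, b3)])

# Assumed policy p2 (not on the page): c4 = "if-match acl 4001" + "if-match 8021p 5",
# where hypothetical ACL 4001 denies source MAC 0000-0000-0003; behaviour b4 says permit.
c4 = Classifier("c4", [AclRule("deny", "src_mac", "0000-0000-0003"), FieldRule("8021p", 5)])
P2 = Policy("p2", [(c4, Behavior("b4", "permit", statistic=True))])

# Constructed sample frames
FRAMES = [
    {"8021p": 2, "src_mac": "0000-0000-0001"},   # p1: c1 -> b1 deny
    {"8021p": 5, "src_mac": "0000-0000-0002"},   # p1: c2 -> b2 permit
    {"8021p": 6, "src_mac": "0000-0000-0003"},   # p1: c3 -> b3 permit; p2: ACL hits but 8021p != 5
    {"8021p": 0, "src_mac": "0000-0000-0004"},   # matches nothing: forwarded
    {"8021p": 5, "src_mac": "0000-0000-0003"},   # p2: ACL deny wins over b4 permit
]

if __name__ == "__main__":
    print("p1:", filter_frames(P1, FRAMES))
    print("p2:", filter_frames(P2, FRAMES), P2.stats)
```

The last frame is the one worth remembering when auditing such a policy: a permit in the traffic behavior does not rescue a packet that an ACL rule in the classifier denies, so a deny rule in a referenced ACL is an enforcement point even if the behavior reads as harmless.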
8 Redirection Configuration
[Figure: redirection topology. Internet - Router (Layer 3) - SwitchA (Layer 2) with a Firewall attached to SwitchA; SwitchB connects User 1 ... User N. Redirection is configured on SwitchA; the arrow marks the traffic direction.]
Service Deployment
A traffic policy that contains redirection can only be applied in the inbound direction of the
system, interface or VLAN.
NOTE
The S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI do not support redirection to
the CPU.
If redirect interface is configured in a traffic behavior, you are advised to apply the traffic policy
containing the traffic behavior only to Layer 2 data traffic.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
NOTE
The S5720HI does not support traffic classifiers with advanced ACLs containing the ttl-
expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI
does not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id,
or remark vlan-id vlan-id.
d. Run:
quit
a. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the view
of an existing traffic behavior is displayed.
b. Run the following commands as required.
n Run:
redirect interface interface-type interface-number [ forced ]
NOTICE
After the traffic policy containing redirect cpu is applied, the device redirects
traffic matching traffic classification rules to the CPU, affecting system
performance. Exercise caution when you run the redirect cpu command.
c. Run:
quit
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
n On the S6720EI, S5720EI and S5720HI, run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed. If no matching order is specified when
you create a traffic policy, the default matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a new traffic policy and
specify the matching order.
When creating a traffic policy, you can specify the matching order of matching
rules in the traffic policy. The matching order can be either automatic order or
configuration order:
○ If automatic order is used, traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on Layer 2 and Layer 3
information, Layer 2 information, and Layer 3 information are matched in
descending order of priority. The traffic classifier with the highest priority
is matched first. If data traffic matches multiple traffic classifiers, and the
traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
○ If configuration order is used, traffic classifiers are matched based on the
sequence in which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound direction.
In the preceding situation, if ACL rules need to be updated, delete the traffic policy
from the interface, VLAN, and system and reconfigure it in sequence.
c. Run:
classifier classifier-name behavior behavior-name
The traffic policy containing redirection cannot be applied in the outbound direction.
– Apply a traffic policy to an interface.
i. Run:
system-view
NOTE
To apply traffic policies, the device must have sufficient ACL resources. Otherwise,
traffic policies may fail to be applied. For example, an if-match rule in a traffic policy
occupies an ACL. When the traffic policy is applied to M interfaces, M ACLs are
occupied. When a traffic policy is applied to a VLAN or in the system, the number of
occupied ACLs is the number of LPUs on the device. For details about ACLs occupied
by if-match rules, see Table 2-4 in 2.2 Configuration Notes.
– Apply a traffic policy to the system.
i. Run:
system-view
stack ID. The system then performs traffic policing for all the incoming
and outgoing packets that match traffic classification rules on this
member switch.
○ In a non-stack scenario, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of the local switch. The system
then performs traffic policing for all the incoming and outgoing packets
that match traffic classification rules on the local switch. Traffic policies
applied to the slot and system have the same functions.
Traffic policies can be applied to a sub-interface, but the display traffic-applied command cannot be
used to check the ACL-based simplified and MQC-based traffic policies applied to the sub-interface.
l Run the display traffic policy { interface [ interface-type interface-number
[.subinterface-number ] ] | vlan [ vlan-id ] | global } [ inbound | outbound ] command
to check the traffic policy configuration.
l Run the display traffic-policy applied-record [ policy-name ] command to check the
application record of a specified traffic policy.
[Figure: redirection example topology. Internet - Router - SwitchA GE0/0/1 (Layer 2); the Firewall hangs off SwitchA GE0/0/3 and GE0/0/4; SwitchA GE0/0/2 connects to SwitchB GE0/0/1; SwitchB GE0/0/2 (VLAN 200) and GE0/0/3 (VLAN 100) connect User 1 ... User N. Redirection is configured on SwitchA; the arrow marks the traffic direction.]
Configuration Roadmap
l Connect SwitchA to the core firewall in bypass mode to filter traffic.
l Configure the device to redirect all traffic from the Internet to the firewall because traffic
entering the firewall is Layer 2 traffic.
l Configure port isolation on the interface of SwitchA connected to the firewall to prevent
loops, and disable MAC address learning to prevent MAC address flapping.
Procedure
Step 1 Create VLANs and configure interfaces to ensure Layer 2 connectivity.
# Configure GE0/0/2 and GE0/0/3 on SwitchB as access interfaces, add GE0/0/2 to VLAN
200 and GE0/0/3 to VLAN 100, and configure GE0/0/1 as a trunk interface and add GE0/0/1
to VLAN 100 and VLAN 200.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type access
[SwitchB-GigabitEthernet0/0/2] port default vlan 200
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type access
[SwitchB-GigabitEthernet0/0/3] port default vlan 100
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[SwitchB-GigabitEthernet0/0/1] quit
# Configure GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on SwitchA as trunk interfaces and add
them to VLAN 100 and VLAN 200. Add GE0/0/3 and GE0/0/4 to the same port isolation
group. Disable MAC address learning on GE0/0/4 to prevent MAC address flapping.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/4] port-isolate enable
[SwitchA-GigabitEthernet0/0/4] mac-address learning disable
[SwitchA-GigabitEthernet0/0/4] quit
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] quit
Classifier: c1
Operator: AND
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Redirect: no forced
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
traffic classifier c1 operator and
if-match any
#
traffic behavior b1
redirect interface GigabitEthernet0/0/3
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 100 200
port-isolate enable group 1
#
return
You can run the display traffic policy statistics command to view the statistics on forwarded
and discarded packets matching a traffic policy only after MQC is used to implement traffic
statistics.
Table 9-1 describes the differences between traffic statistics and interface statistics.
[Figure: traffic statistics topology. Router - Switch - Network; traffic statistics are configured in the inbound direction on the Switch; the arrow marks the traffic direction.]
Service Deployment
l Configure a traffic classifier based on MAC addresses to differentiate different types of
data traffic.
l Configure a traffic behavior and define traffic statistics in the traffic behavior.
l Configure a traffic policy, bind the traffic classifier and traffic behavior to the traffic
policy, and apply the traffic policy to the inbound direction of the switch so that the
device collects statistics on packets from different users.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which means
that:
n If the traffic classifier contains ACL rules, packets match the traffic classifier
only when they match one ACL rule and all the non-ACL rules.
n If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long as
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
NOTE
The S5720HI does not support traffic classifiers with advanced ACLs containing the ttl-
expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name }, the S5720HI
does not support remark 8021p [ 8021p-value | inner-8021p ], remark cvlan-id cvlan-id,
or remark vlan-id vlan-id.
d. Run:
quit
A traffic behavior is created and the traffic behavior view is displayed, or the view
of an existing traffic behavior is displayed.
b. Run:
statistic enable
d. Run:
quit
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
n On the S6720EI, S5720EI and S5720HI, run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed. If no matching order is specified when
you create a traffic policy, the default matching order is config.
After a traffic policy is applied, you cannot use the traffic policy command to
modify the matching order of traffic classifiers in the traffic policy. To modify
the matching order, delete the traffic policy, create a new traffic policy and
specify the matching order.
When creating a traffic policy, you can specify the matching order of matching
rules in the traffic policy. The matching order can be either automatic order or
configuration order:
○ If automatic order is used, traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on Layer 2 and Layer 3
information, Layer 2 information, and Layer 3 information are matched in
descending order of priority. The traffic classifier with the highest priority
is matched first. If data traffic matches multiple traffic classifiers, and the
traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
○ If configuration order is used, traffic classifiers are matched based on the
sequence in which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound direction.
In the preceding situation, if ACL rules need to be updated, delete the traffic policy
from the interface, VLAN, and system and reconfigure it in sequence.
c. Run:
classifier classifier-name behavior behavior-name
After a traffic policy is applied to a VLAN, the system performs traffic policing
for the packets that belong to the VLAN and match traffic classification rules
in the inbound or outbound direction.
NOTE
Applying traffic policies consumes ACL resources. If there are not sufficient ACL
resources, some traffic policies may fail to be applied. For example, an if-match rule in
a traffic policy occupies an ACL. When the traffic policy is applied to M interfaces, M
ACLs are occupied. When a traffic policy is applied to a VLAN or in the system, the
number of occupied ACLs is the number of LPUs on the device. For details about
ACLs occupied by if-match rules, see Table 2-4 in 2.2 Configuration Notes.
– Applying a traffic policy to the system
i. Run:
system-view
NOTE
Traffic policies can be applied to a sub-interface, but the display traffic-applied command cannot be
used to check the ACL-based simplified and MQC-based traffic policies applied to the sub-interface.
l Run the display traffic policy { interface [ interface-type interface-number
[.subinterface-number ] ] | vlan [ vlan-id ] | global } [ inbound | outbound ] command
to check the traffic policy configuration.
l Run the display traffic-policy applied-record [ policy-name ] command to check the
application record of a specified traffic policy.
Configuration Roadmap
You can define the traffic statistics action in a traffic policy. The configuration roadmap is as
follows:
1. Configure interfaces so that the Switch can connect to the router and PC1.
2. Configure an ACL to match packets with the source MAC address of 0000-0000-0003.
3. Configure a traffic classifier and reference the ACL in the traffic classifier.
4. Configure a traffic behavior so that the Switch collects statistics on packets matching
rules.
5. Configure a traffic policy, bind the traffic policy to the traffic classifier and traffic
behavior, and apply the traffic policy to the inbound direction of GE0/0/1 so that the
Switch collects statistics on packets with the source MAC address of 0000-0000-0003.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 20 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 20
[Switch-vlan20] quit
# Configure GE0/0/1 as an access interface and GE0/0/2 as a trunk interface, and add them to
VLAN 20.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 20
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit
NOTE
Configure IP address 10.10.10.1/24 for the router interface connected to the Switch.
Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the Switch and bind the traffic policy to the traffic classifier
and traffic behavior.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
----End
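The display traffic policy statistics output above is the data a monitoring job would scrape to check that a filtering or policing policy is actually in effect and how much traffic it is dropping. The parser below is an added example, not Huawei code; it reads the output format exactly as printed on the page (header lines, a Board section, and counter blocks introduced by Matched, Passed, Dropped, Filter and Car), and the sample text it runs on is constructed, with non-zero counters so the checks have something to report.

```python
"""Parser and sanity checks for `display traffic policy statistics` output.
Added example, not Huawei code.  The input format follows the page's output;
SAMPLE_OUTPUT is constructed (counter values invented for the demonstration).
"""
import re

# "Matched | Packets: 1200" or "        | Bytes: 153600"
COUNTER_RE = re.compile(r"^\s*(?:(\w+)\s*)?\|\s*([\w()]+):\s*(\d+)\s*$")
# "Interface: GigabitEthernet0/0/1", "Board : 0", "Current status: success"
HEADER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*)$")


def parse_traffic_policy_statistics(text):
    """Return {"header": {...}, "counters": {section: {key: int}}}."""
    result = {"header": {}, "counters": {}}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:       # blank or dashed separator
            continue
        m = COUNTER_RE.match(line)
        if m:
            name, key, value = m.groups()
            if name:                                     # first line of a counter block
                section = name
            result["counters"].setdefault(section, {})[key] = int(value)
            continue
        m = HEADER_RE.match(line)
        if m:
            result["header"][m.group(1)] = m.group(2).strip()
    return result


def drop_ratio(stats):
    """Dropped / Matched packets, 0.0 when nothing matched."""
    matched = stats["counters"]["Matched"]["Packets"]
    dropped = stats["counters"]["Dropped"]["Packets"]
    return dropped / matched if matched else 0.0


def policy_alerts(stats, max_drop_ratio=0.05):
    """Plain-text alerts: policy not applied, or drop ratio above the threshold."""
    alerts = []
    status = stats["header"].get("Current status")
    if status != "success":
        alerts.append(f"policy {stats['header'].get('Traffic policy inbound')} "
                      f"is not in effect (status {status})")
    ratio = drop_ratio(stats)
    if ratio > max_drop_ratio:
        c = stats["counters"]
        alerts.append(f"{ratio:.1%} of matched packets dropped "
                      f"(Filter={c['Filter']['Packets']}, Car={c['Car']['Packets']})")
    return alerts


SAMPLE_OUTPUT = """\
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 1200
        | Bytes: 153600
        | Rate(pps): 4
        | Rate(bps): 4096
---------------------------------------------------------------------
Passed | Packets: 1100
       | Bytes: 140800
       | Rate(pps): 3
       | Rate(bps): 3072
---------------------------------------------------------------------
Dropped | Packets: 100
        | Bytes: 12800
        | Rate(pps): 0
        | Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 100
       | Bytes: 12800
---------------------------------------------------------------------
Car | Packets: 0
    | Bytes: 0
---------------------------------------------------------------------
"""

if __name__ == "__main__":
    stats = parse_traffic_policy_statistics(SAMPLE_OUTPUT)
    print(stats["header"], stats["counters"]["Dropped"])
    print(policy_alerts(stats))
```

The Current status check matters as much as the counters: the guide notes that a policy can fail to be applied when ACL resources run out, and a policy that silently failed to apply reports no drops at all.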
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 20
#
acl number 4000
rule 5 permit source-mac 0000-0000-0003
#
traffic classifier c1 operator and
if-match acl 4000
#
traffic behavior b1
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif20
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
traffic-policy p1 inbound
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
This chapter describes how to configure an ACL-based simplified traffic policy. The device to
which an ACL-based simplified traffic policy is applied filters, polices, re-marks, counts,
mirrors, or redirects packets matching access control list (ACL) rules.
To control traffic entering a network, configure ACL rules to match information such as the
source IP address, fragment flag, destination IP address, source port number, and source MAC
address in packets, and then configure an ACL-based simplified traffic policy so that the
device can filter, police, re-mark, count, mirror, or redirect packets matching the ACL rules.
Compared with a common traffic policy, an ACL-based simplified traffic policy is easy to
configure because you do not need to configure a traffic classifier, traffic behavior, or traffic
policy independently. However, an ACL-based simplified traffic policy defines less matching
rules than a common traffic policy because only ACL rules are used to match packets.
License Support
The ACL-based simplified traffic policy is a basic feature of a switch and is not under license
control.
Version Support
Table 10-1 describes the products and minimum version supporting the ACL-based simplified
traffic policy.
Table 10-1 Products and minimum version supporting the ACL-based simplified traffic
policy
Product               Minimum Version
S2750EI               V200R003
S5710-X-LI            V200R008
S5720EI               V200R007
S5720SI/S5720S-SI     V200R008
S5720HI               V200R006
S6720EI               V200R008
S6720S-EI             V200R009
You can run the traffic-filter or traffic-secure command to configure packet filtering based
on the following rules:
l If the ACL referenced by the traffic-filter or traffic-secure command is not referenced
by other ACL-based simplified traffic policies, and no packet matches both the ACL used
for packet filtering and an ACL used by another simplified traffic policy, either
traffic-filter or traffic-secure can be used.
l If the ACL referenced by the traffic-filter or traffic-secure command is referenced by
other ACL-based simplified traffic policies, or packets match both ACLs associated with
packet filtering and simplified traffic policies, the differences between the traffic-filter
and traffic-secure commands are as follows:
– When the traffic-secure command and other ACL-based simplified traffic policies
are configured simultaneously, and the ACL defines the deny action, only the
traffic-secure, traffic-mirror, and traffic-statistics commands take effect and
packets are filtered.
– When the traffic-secure command and other ACL-based simplified traffic policies
are configured simultaneously, and the ACL defines the permit action, the traffic-
secure command and other ACL-based simplified traffic policies take effect.
– When the traffic-filter command and other ACL-based simplified traffic policies
are configured simultaneously, and the ACL defines the deny action, only the
traffic-filter, traffic-mirror, and traffic-statistics commands take effect and
packets are filtered.
– When the traffic-filter command and other ACL-based simplified traffic policies
are configured simultaneously, and the ACL defines the permit action, the traffic
policy that was configured first takes effect.
NOTE
The S2750EI, S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC that are enabled with Layer 3 hardware
forwarding for IPv4 packets do not support traffic-secure.
Procedure
l Configuring packet filtering globally or in a VLAN
a. Run:
system-view
Or,
The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.
n Run:
traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-
name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name }
[ rule rule-id ]
Or,
traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name
acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule
rule-id ]
The device is configured to filter packets matching Layer 2 and Layer 3 ACLs.
n Run:
traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-
id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]
----End
Pre-configuration Tasks
ACL-based traffic policing allows the device to limit the rate of packets matching ACLs and
take different actions for packets of different colors.
Procedure
l Configuring traffic policing globally or in a VLAN
a. Run:
system-view
n Run:
traffic-limit [ vlan vlan-id ] outbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] cir cir-value [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] [ [ green { drop | pass } ] [ yellow { drop | pass } ] [ red { drop | pass } ] ]
Pre-configuration Tasks
Before configuring ACL-based redirection, complete the following tasks:
l Configure link layer attributes of interfaces to ensure that the interfaces work properly.
l Configure an ACL.
Procedure
l Configuring ACL-based redirection globally or in a VLAN
a. Run:
system-view
Pre-configuration Tasks
ACL-based re-marking allows the device to re-mark the priorities of packets matching an ACL
(for example, an ACL matching a MAC address); the re-marked fields include 802.1p priorities
in VLAN packets and DSCP priorities in IP packets.
Before configuring ACL-based re-marking, complete the following tasks:
l Configure link layer attributes of interfaces to ensure that the interfaces work properly.
l Configure an ACL.
Procedure
l Configuring ACL-based re-marking globally or in a VLAN
a. Run:
system-view
The S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI cannot re-mark
inner VLAN tags in QinQ packets.
l Configuring ACL-based re-marking on an interface
a. Run:
system-view
n Run:
traffic-remark inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] { 8021p 8021p-value | dscp { dscp-name | dscp-value } | local-precedence local-precedence-value | ip-precedence ip-precedence-value | vlan-id vlan-id }
The S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and S5720S-SI cannot re-mark
inner VLAN tags in QinQ packets.
----End
Procedure
l Configuring ACL-based traffic statistics globally or in a VLAN
a. Run:
system-view
n Run:
traffic-statistic [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ] [ by-bytes ]
Context
After ACL-based packet filtering is configured on the device, you can run the following
command to view statistics on forwarded and discarded packets.
Procedure
l Run the following commands to view statistics about ACL-based packet filtering on the
device.
– display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { bas-acl | adv-acl | user-acl } [ rule rule-id ] ]
– display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ]
– display traffic-statistics interface { inbound | outbound }
– display traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl ipv6 { bas-acl | adv-acl | acl-name } [ rule rule-id ] ]
----End
Context
To recollect statistics on ACL-based packet filtering, run the following command to clear
existing statistics.
NOTICE
The cleared statistics on ACL-based packet filtering cannot be restored. Exercise caution
when you run the command.
Procedure
l Run the following commands to clear statistics about ACL-based packet filtering on the
device.
– reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { bas-acl | adv-acl | user-acl } [ rule rule-id ] ]
– reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl { acl-name | l2-acl } [ rule rule-id ] [ acl { bas-acl | adv-acl | acl-name } [ rule rule-id ] ] ]
– reset traffic-statistics { interface | vlan } { inbound | outbound }
– reset traffic-statistics [ vlan vlan-id | interface interface-type interface-number ] { inbound | outbound } [ acl ipv6 { bas-acl | adv-acl | acl-name } [ rule rule-id ] ]
----End
Figure 10-1 Networking for preventing a specified host from accessing the external network
[Figure: HostA (IP 192.168.1.10/24), HostB (IP 192.168.1.11/24), and HostC (IP 192.168.1.12/24) on the enterprise campus network connect through the LSW to GE0/0/1 of the Switch; GE0/0/2 of the Switch connects to the Router and the external Network. Traffic direction: from the campus network toward the Network.]
Configuration Roadmap
You can define the deny action in a traffic policy to filter packets. The configuration roadmap
is as follows:
1. Configure interfaces so that enterprise users can access the external network through the
Switch.
2. Configure a time range and reference the time range in an ACL.
3. Configure an ACL to deny packets during work hours.
4. Configure packet filtering in the inbound direction of GE0/0/1.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure GE0/0/1 and GE0/0/2 on the Switch as trunk interfaces and add them to VLAN
10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
NOTE
Configure the interface of the LSW connected to the Switch as a trunk interface and add it to VLAN 10.
NOTE
Configure IP address 192.168.1.2/24 for the router interface connected to the Switch.
Step 2 Create a periodic time range working_time that defines work hours from 8:30 to 18:00.
[Switch] time-range working_time 08:30 to 18:00 working-day
Step 3 Configure ACL 3001 and define three rules to prevent packets from 192.168.1.10,
192.168.1.11, and 192.168.1.12 passing through during work hours.
[Switch] acl number 3001
[Switch-acl-adv-3001] rule deny ip source 192.168.1.10 0 time-range working_time
[Switch-acl-adv-3001] rule deny ip source 192.168.1.11 0 time-range working_time
[Switch-acl-adv-3001] rule deny ip source 192.168.1.12 0 time-range working_time
[Switch-acl-adv-3001] quit
ACL 3001
rule 5 deny ip source 192.168.1.10 0 time-range working_time (match-counter 0)
ACTIONS:
filter
-----------------------------------------------------------
ACL 3001
rule 10 deny ip source 192.168.1.11 0 time-range working_time (match-counter 0)
ACTIONS:
filter
-----------------------------------------------------------
ACL 3001
rule 15 deny ip source 192.168.1.12 0 time-range working_time (match-counter 0)
ACTIONS:
filter
-----------------------------------------------------------
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 10
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 3001
rule 5 deny ip source 192.168.1.10 0 time-range working_time
rule 10 deny ip source 192.168.1.11 0 time-range working_time
rule 15 deny ip source 192.168.1.12 0 time-range working_time
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-filter inbound acl 3001
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
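The filtering decision that ACL 3001 and traffic-filter make in this example, modelled in Python so the time-range and wildcard-mask matching can be checked against sample packets. This is an added example, not Huawei code; it assumes that a packet matching no ACL rule is forwarded, that working-day means Monday to Friday, and that the 18:00 end time of the time-range is exclusive.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional
import ipaddress

WORKING_DAYS = frozenset(range(5))  # assumption: working-day = Monday..Friday


@dataclass(frozen=True)
class TimeRange:
    """Periodic time-range such as: time-range working_time 08:30 to 18:00 working-day"""
    name: str
    start: time
    end: time
    days: frozenset = WORKING_DAYS

    def active(self, when: datetime) -> bool:
        # Assumption: the end time is exclusive.
        return when.weekday() in self.days and self.start <= when.time() < self.end


def _wildcard_to_int(wildcard: str) -> int:
    # Huawei wildcard masks: 0 bits must match, 1 bits are ignored.
    # A bare "0" is shorthand for 0.0.0.0 (exact host match).
    return int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)


@dataclass(frozen=True)
class Rule:
    """One advanced ACL rule: rule <id> <action> ip source <addr> <wildcard> [time-range <name>]"""
    rule_id: int
    action: str            # "permit" or "deny"
    source: str
    wildcard: str
    time_range: Optional[str] = None

    def matches(self, src_ip: str, when: datetime, ranges: Dict[str, TimeRange]) -> bool:
        ignore = _wildcard_to_int(self.wildcard)
        src = int(ipaddress.IPv4Address(src_ip))
        base = int(ipaddress.IPv4Address(self.source))
        if (src | ignore) != (base | ignore):
            return False
        # A rule whose time-range is inactive does not match at all.
        return self.time_range is None or ranges[self.time_range].active(when)


def filter_packet(acl: List[Rule], ranges: Dict[str, TimeRange],
                  src_ip: str, when: datetime) -> str:
    """Decision of `traffic-filter inbound acl <n>`: the first matching rule (by rule id) wins.
    Assumption: a packet matching no rule is forwarded ("permit")."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.matches(src_ip, when, ranges):
            return rule.action
    return "permit"


# Time-range and ACL 3001 exactly as configured in the example above
RANGES = {"working_time": TimeRange("working_time", time(8, 30), time(18, 0))}
ACL_3001 = [
    Rule(5, "deny", "192.168.1.10", "0", "working_time"),
    Rule(10, "deny", "192.168.1.11", "0", "working_time"),
    Rule(15, "deny", "192.168.1.12", "0", "working_time"),
]


def decisions(packets) -> List[str]:
    """Evaluate a list of (source IP, arrival time) pairs against ACL 3001."""
    return [filter_packet(ACL_3001, RANGES, ip, when) for ip, when in packets]


if __name__ == "__main__":
    # Constructed sample packets; 2016-10-31 is a Monday, 2016-11-05 a Saturday.
    sample = [
        ("192.168.1.10", datetime(2016, 10, 31, 10, 0)),   # work hours -> filtered
        ("192.168.1.10", datetime(2016, 10, 31, 19, 0)),   # after hours -> forwarded
        ("192.168.1.10", datetime(2016, 11, 5, 10, 0)),    # weekend -> forwarded
        ("192.168.1.13", datetime(2016, 10, 31, 10, 0)),   # host not in the ACL -> forwarded
    ]
    for (ip, when), verdict in zip(sample, decisions(sample)):
        print(f"{ip} at {when:%a %H:%M}: {verdict}")
```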
Networking Requirements
Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN 100
respectively.
Traffic policing needs to be configured on the Switch to police packets of different services so
that traffic is limited within a proper range and bandwidth of each service is guaranteed.
Table 10-2 describes QoS required by different services.
[Figure: Phone (VLAN 120), TV (VLAN 110), and PC (VLAN 100) on the enterprise campus network connect through SwitchA to GE0/0/1 of the Switch; GE0/0/2 of the Switch connects to the Router and the Network. Traffic direction: from the campus network toward the Network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the enterprise can access the Network
through the Switch.
2. Configure ACLs on the Switch to match services from different VLANs.
3. Configure ACL-based traffic policing on the Switch to limit different packets from the
enterprise.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, and add GE0/0/1 and GE0/0/2 to
VLAN 100, VLAN 110, and VLAN 120.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet0/0/2] quit
[Switch-acl-L2-4001] quit
[Switch] acl 4002
[Switch-acl-L2-4002] rule 1 permit vlan-id 110
[Switch-acl-L2-4002] quit
[Switch] acl 4003
[Switch-acl-L2-4003] rule 1 permit vlan-id 100
[Switch-acl-L2-4003] quit
ACL 4001
rule 1 permit vlan-id 120
ACTIONS:
limit cir 2000 ,cbs 250000
pir 10000 ,pbs 1250000
green : pass
yellow : pass
red : drop
-----------------------------------------------------------
ACL 4002
rule 1 permit vlan-id 110
ACTIONS:
limit cir 4000 ,cbs 500000
pir 10000 ,pbs 1250000
green : pass
yellow : pass
red : drop
-----------------------------------------------------------
ACL 4003
rule 1 permit vlan-id 100
ACTIONS:
limit cir 4000 ,cbs 500000
pir 10000 ,pbs 1250000
green : pass
yellow : pass
red : drop
-----------------------------------------------------------
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 110 120
#
acl number 4001
rule 1 permit vlan-id 120
acl number 4002
rule 1 permit vlan-id 110
acl number 4003
rule 1 permit vlan-id 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-limit inbound acl 4001 cir 2000 pir 10000 cbs 250000 pbs 1250000
traffic-limit inbound acl 4002 cir 4000 pir 10000 cbs 500000 pbs 1250000
traffic-limit inbound acl 4003 cir 4000 pir 10000 cbs 500000 pbs 1250000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return
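A two-rate three-color policer modelling the cir, pir, cbs, and pbs parameters of the traffic-limit command (syntax in the procedure above) with the values applied to ACL 4001 in this example, so the green/yellow/red split of a burst can be predicted before the policy is deployed. This is an added example, not Huawei code; it assumes RFC 2698 color-blind marking semantics (cir/pir in kbit/s, cbs/pbs in bytes), which the switch hardware may not follow exactly.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_ACTIONS = {"green": "pass", "yellow": "pass", "red": "drop"}


@dataclass
class TrTcm:
    """Two-rate three-color marker using the traffic-limit parameter names:
    cir/pir in kbit/s, cbs/pbs in bytes, one action (drop | pass) per color."""
    cir: int
    pir: int
    cbs: int
    pbs: int
    actions: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_ACTIONS))
    tc: float = field(init=False)                  # tokens in the committed bucket (bytes)
    tp: float = field(init=False)                  # tokens in the peak bucket (bytes)
    last: float = field(init=False, default=0.0)   # time of the last refill (seconds)

    def __post_init__(self) -> None:
        if not (self.cir <= self.pir and self.cbs <= self.pbs):
            raise ValueError("cir must not exceed pir and cbs must not exceed pbs")
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def _refill(self, now: float) -> None:
        # Each bucket fills at its own rate (kbit/s -> bytes/s), capped at its burst size.
        elapsed = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir * 1000 / 8)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir * 1000 / 8)
        self.last = now

    def color(self, size: int, now: float) -> str:
        """Color-blind marking: red if the peak bucket cannot cover the packet,
        yellow if only the committed bucket cannot, green otherwise."""
        self._refill(now)
        if size > self.tp:
            return "red"
        self.tp -= size
        if size > self.tc:
            return "yellow"
        self.tc -= size
        return "green"

    def police(self, size: int, now: float) -> Tuple[str, str]:
        """Return (color, configured action) for one packet."""
        c = self.color(size, now)
        return c, self.actions[c]


def simulate(policer: TrTcm, packets: List[Tuple[int, float]]) -> Dict[str, int]:
    """Count packets per color for a list of (size in bytes, arrival time in seconds)."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for size, when in packets:
        counts[policer.color(size, when)] += 1
    return counts


def voice_policer() -> TrTcm:
    # traffic-limit inbound acl 4001 cir 2000 pir 10000 cbs 250000 pbs 1250000
    return TrTcm(cir=2000, pir=10000, cbs=250000, pbs=1250000)


def burst_result() -> Dict[str, int]:
    """Constructed burst: 1000 packets of 1500 bytes arriving at the same instant."""
    return simulate(voice_policer(), [(1500, 0.0)] * 1000)


def steady_result() -> Dict[str, int]:
    """Constructed stream: 1500-byte packets spaced so the rate is exactly the CIR (2 Mbit/s)."""
    gap = 1500 * 8 / (2000 * 1000)  # 6 ms between packets
    return simulate(voice_policer(), [(1500, i * gap) for i in range(1000)])


if __name__ == "__main__":
    print("burst  :", burst_result())    # cbs covers 166 packets, pbs a further 667
    print("steady :", steady_result())   # a stream at the CIR stays green
```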
Networking Requirements
As shown in Figure 10-3, enterprise users need to access the Internet. User devices connect to
the gateway router through access switch SwitchB and core switch SwitchA and communicate
with the Internet through the gateway.
To protect enterprise data and the network, the enterprise wants to secure all traffic from the
Internet to its servers. Redirection can be configured to send all traffic from the external
network to the internal network to the firewall.
[Figure 10-3: The Internet connects to the Router, which connects to GE0/0/1 of SwitchA (Layer 2). GE0/0/3 and GE0/0/4 of SwitchA connect to the Firewall; GE0/0/2 of SwitchA connects to GE0/0/1 of SwitchB. GE0/0/2 of SwitchB connects to User 1 (VLAN200) and GE0/0/3 of SwitchB connects to User N (VLAN100). Redirection is configured on SwitchA; traffic direction is from the Internet toward the users.]
Configuration Roadmap
l Connect SwitchA to the core firewall in bypass mode to filter traffic.
l Configure the device to redirect all traffic from the Internet to the firewall because traffic
entering the firewall is Layer 2 traffic.
l Configure port isolation on the interface of SwitchA connected to the firewall to prevent
loops, and disable MAC address learning to prevent MAC address flapping.
Procedure
Step 1 Create VLANs and configure interfaces to ensure Layer 2 connectivity.
# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200
# Configure GE0/0/2 and GE0/0/3 on SwitchB as access interfaces, add GE0/0/2 to VLAN
200 and GE0/0/3 to VLAN 100; configure GE0/0/1 as a trunk interface and add GE0/0/1 to
VLAN 100 and VLAN 200.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type access
[SwitchB-GigabitEthernet0/0/2] port default vlan 200
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type access
[SwitchB-GigabitEthernet0/0/3] port default vlan 100
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[SwitchB-GigabitEthernet0/0/1] quit
# Configure GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on SwitchA as trunk interfaces and add
them to VLAN 100 and VLAN 200. Add GE0/0/3 and GE0/0/4 to the same port isolation
group. Disable MAC address learning on GE0/0/4 to prevent MAC address flapping.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet0/0/4] port-isolate enable
[SwitchA-GigabitEthernet0/0/4] mac-address learning disable
[SwitchA-GigabitEthernet0/0/4] quit
ACL 4001
rule 5 permit vlan-id 100
ACTIONS:
redirect interface GigabitEthernet0/0/3
-----------------------------------------------------------
ACL 4001
rule 10 permit vlan-id 200
ACTIONS:
redirect interface GigabitEthernet0/0/3
-----------------------------------------------------------
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
acl number 4001
rule 5 permit vlan-id 100
rule 10 permit vlan-id 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
traffic-redirect inbound acl 4001 interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 100 200
port-isolate enable group 1
#
return
Networking Requirements
As shown in Figure 10-4, GE0/0/3 on the Switch connects to the router. Enterprise
departments 1 and 2 access the Internet through the switch and router. Enterprise departments
1 and 2 belong to VLAN 100 and VLAN 200 respectively.
Enterprise branch 1 requires a better QoS guarantee. The 802.1p priorities of packets from
enterprise departments 1 and 2 are both 0. Priority mapping needs to be configured to map the
priorities of packets from enterprise departments 1 and 2 to 4 and 2 respectively so that
differentiated services are provided.
[Figure 10-4: Enterprise department 1 (VLAN 100) connects to GE0/0/1 and enterprise department 2 (VLAN 200) connects to GE0/0/2 of the Switch; GE0/0/3 of the Switch connects to the Router and the Core Network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that enterprise departments 1 and 2 can
connect to the Internet through the Switch.
2. Configure ACLs to differentiate packets from enterprise departments based on the
VLAN ID.
3. Configure priority mapping on inbound interfaces GE0/0/1 and GE0/0/2 of the Switch.
Procedure
Step 1 Create VLANs and configure interfaces.
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces, add GE0/0/1 to VLAN 100,
add GE0/0/2 to VLAN 200, and add GE0/0/3 to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet0/0/3] quit
# Configure ACL 4001 and 4002 on the Switch to differentiate packets from enterprise
departments based on the VLAN ID.
Step 3 Configure priority mapping on inbound interfaces GE0/0/1 and GE0/0/2 of the Switch.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-remark inbound acl 4001 8021p 4
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] traffic-remark inbound acl 4002 8021p 2
[Switch-GigabitEthernet0/0/2] quit
# Check information about ACL rules and actions on the interface in the inbound direction.
[Switch] display traffic-applied interface gigabitethernet 0/0/1 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet0/0/1
ACL 4001
rule 5 permit vlan-id 100
ACTIONS:
remark 8021p 4
-----------------------------------------------------------
[Switch] display traffic-applied interface gigabitethernet 0/0/2 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet0/0/2
ACL 4002
rule 5 permit vlan-id 200
ACTIONS:
remark 8021p 2
-----------------------------------------------------------
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
acl number 4001
acl number 4002
Networking Requirements
As shown in Figure 10-5, the MAC address of PC1 is 0000-0000-0003, and PC1 connects to
GE0/0/1 on the Switch. The Switch is required to collect statistics on packets with the source
MAC address of 0000-0000-0003.
Configuration Roadmap
Configure an ACL to match packets with the specified source MAC address so that the
Switch collects statistics on the packets. The configuration roadmap is as follows:
1. Configure interfaces so that the Switch can connect to the router and PC1.
2. Configure an ACL to match packets with the source MAC address of 0000-0000-0003.
3. Configure traffic statistics in the inbound direction of GE0/0/1 so that the statistics on
packets with the source MAC address of 0000-0000-0003 are collected.
Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 20 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 20
[Switch-vlan20] quit
# Configure GE0/0/1 as an access interface and GE0/0/2 as a trunk interface, and add them to
VLAN 20.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 20
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit
NOTE
Configure IP address 10.10.10.1/24 for the router interface connected to the Switch.
ACL 4000
rule 5 permit source-mac 0000-0000-0003
ACTIONS:
statistic by bytes
-----------------------------------------------------------
Interface GigabitEthernet0/0/1
ACL:4000 Rule:5
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 20
#
acl number 4000
rule 5 permit source-mac 0000-0000-0003
#
interface Vlanif20
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
traffic-statistic inbound acl 4000 by-bytes
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return
Networking Requirements
As shown in Figure 10-6, HostA connects to SwitchA through GigabitEthernet0/0/1. The
server directly connects to GigabitEthernet0/0/2 on SwitchA.
The server (monitoring device) is required to monitor packets with the 802.1p priority of 6
sent by HostA.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure GigabitEthernet0/0/2 as the local observing interface so that the server can
receive mirroring packets.
2. Configure a Layer 2 ACL to match packets with the 802.1p priority of 6.
3. Configure an ACL-based traffic policy on GigabitEthernet0/0/1 to mirror packets with
the 802.1p priority of 6.
Procedure
Step 1 Configure an observing interface.
Step 2 Configure a Layer 2 ACL to match packets with the 802.1p priority of 6.
# Create ACL 4001 (Layer 2 ACL) on SwitchA to match packets with the 802.1p priority of
6.
[SwitchA] acl 4001
[SwitchA-acl-L2-4001] rule permit 8021p 6
[SwitchA-acl-L2-4001] quit
# Check the ACL-based traffic policy that has been applied to GigabitEthernet0/0/1 and the
traffic behavior.
<SwitchA> display traffic-applied interface gigabitethernet 0/0/1 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet0/0/1
ACL 4001
rule 5 permit 8021p 6
ACTIONS:
mirror to observe-port 1
-----------------------------------------------------------
The preceding information shows that the traffic behavior in the ACL-based traffic policy
defines the action of mirroring packets with the 802.1p priority of 6 on GigabitEthernet0/0/1.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet0/0/2
#
acl number 4001
rule 5 permit 8021p 6
#
interface GigabitEthernet0/0/1
traffic-mirror inbound acl 4001 to observe-port 1
#
return
11 HQoS Configuration
This chapter describes how to configure Hierarchical Quality of Service (HQoS). HQoS uses
queue-based hierarchical scheduling to differentiate service flows from different users and
provide fine-granular service quality.
11.1 Introduction to HQoS
11.2 Principles
11.3 Applications
11.4 Configuration Notes
11.5 Default Configuration
11.6 Configuring HQoS
11.7 Maintaining HQoS
11.8 Configuration Examples
11.2 Principles
HQoS implements hierarchical scheduling based on queues. The device supports flow queue
(FQ) and subscriber queue (SQ). The HQoS hierarchy is a tree structure, with flow queues as
the leaf nodes and subscriber queues as root nodes. Packets on an interface are first sent to
leaf nodes and then sent out of the root node upon scheduling. In addition, packets can be
further scheduled. For example, the packets can be scheduled in port queues. The device
supports the mapping between flow queues and port queues to schedule the same service from
different users, as shown in Figure 11-1.
[Figure 11-1 HQoS scheduling hierarchy: for each user, flow queues FQ 0 to FQ 7 (each with shaping and WRED) are scheduled by PQ/WFQ into a subscriber queue (SQ 0 to SQ N, each with shaping); flow queues are mapped to port queues PQ 0 to PQ 7, which are scheduled by PQ/DRR with shaping toward the target port (TP).]
Flow Queue
Based on the DiffServ model, HQoS sends packets to flow queues based on mapped internal
priorities to differentiate services. Each user has eight flow queues that correspond to eight
service priorities (BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7). You can configure Priority
Queuing (PQ) or Weighted Fair Queueing (WFQ) for the eight flow queues. Each flow queue
supports Weighted Random Early Detection (WRED) and traffic shaping to ensure that high-
priority services are scheduled preferentially and obtain higher bandwidth.
Subscriber Queue
Subscriber queues differentiate users. Here, a user refers to a VLAN or VPN. Users are
differentiated using access control lists (ACLs). Each user has a subscriber queue that is an
aggregation of eight flow queues. Traffic shaping can be configured for a subscriber queue to
limit the total bandwidth of each user.
Interface Queue
Similar to flow queues, eight port queues correspond to eight service types. You can configure
PQ or Deficit Round Robin (DRR) scheduling for eight port queues. Each queue supports
WRED and traffic shaping. For details, see 6.8 Configuring Congestion Management on
the S6720EI, S5720HI, and S5720EI, 6.6 Configuring Congestion Avoidance on the
S6720EI, S5720HI, and S5720EI, and 5.7 Configuring Traffic Shaping. The device
supports the mapping between flow queues (BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7)
and port queues. The mapping allows the device to flexibly send service traffic in a flow
queue to a port queue.
Target Port
The target port is a physical interface through which data is sent out. After flow queue,
subscriber queue, and port queue scheduling are complete, traffic shaping can be
performed for each target port. For details, see 5.8.2 Configuring Outbound Interface-
based Rate Limiting.
11.3 Applications
Voice, video, and data services from multiple users are transmitted on an enterprise campus
network. Because the bandwidth is limited, different guaranteed bandwidth values are
allocated to users in VLAN 10 and VLAN 20, and different scheduling priorities are set for
the three services of each user. Bandwidth guarantee needs to be provided for the voice,
video, and data services in descending order of priority. To meet the requirements, deploy
HQoS, as shown in Figure 11-2.
Service Deployment
l Deploy priority mapping to map packet priorities of different services to local priorities
and mark packets in different colors.
l Deploy ACLs to differentiate users.
l Deploy HQoS to implement differentiated services based on users and services.
License Support
HQoS is a basic feature of a switch and is not under license control.
Version Support
Only the S5720HI in V200R006 and later versions supports HQoS.
Service class and flow queue index: BE 0, AF1 1, AF2 2, AF3 3, AF4 4, EF 5, CS6 6, CS7 7
Pre-configuration Tasks
Before configuring HQoS, configure priority mapping and map packet priorities to CoS
values or colors.
[Configuration flowchart: "Configure subscriber queue and parameters to implement HQoS"; legend: Mandatory / Optional]
Context
Priority mapping enables the device to map packet priorities (802.1p/DSCP priorities) to local
priorities and mark packet colors. Packets enter different flow queues according to the
mapped local priorities so that differentiated services are implemented. For details about
priority mapping, see 3.6 Configuring Priority Mapping.
Procedure
Step 1 (Optional) Configure a flow queue WRED drop profile and congestion avoidance parameters.
1. Run:
system-view
A flow queue WRED drop profile is created or the view of an existing flow queue
WRED drop profile is displayed.
By default, the system predefines a flow queue WRED drop profile default. This flow
queue WRED drop profile cannot be modified or deleted.
3. Run:
color { green | yellow | red } low-limit low-limit-percentage high-limit high-limit-percentage discard-percentage discard-percentage
The upper and lower drop thresholds and maximum drop probability are set.
4. (Optional) Run:
queue-depth queue-depth-value
NOTE
In the flow queue WRED drop profile default, the upper and lower drop thresholds and maximum
drop probability are 100. To adjust parameters in the flow queue WRED drop profile to implement
congestion avoidance, perform the preceding configurations. If the preceding configurations are
not performed, a flow queue references the flow queue WRED drop profile default.
Step 2 Configure a flow queue profile and set parameters for the flow queue, including congestion
management, traffic shaping, and flow queue WRED drop profile.
1. Run:
flow-queue-profile flow-queue-profile-name
A flow queue profile is created or the view of an existing flow queue profile is displayed.
By default, the system predefines a flow queue profile default. This flow queue profile
cannot be modified or deleted.
2. Run:
qos queue queue-index { { pq | wfq weight weight-value } | { shaping { shaping-value | shaping-percentage shaping-percentage-value } } | { flow-wred-profile flow-wred-profile-name } } *
The scheduling mode, traffic shaping rate, and flow queue WRED drop profile are
configured.
If no flow queue WRED drop profile is specified, the flow queue WRED drop profile
default is used.
----End
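A model of the flow queue WRED drop profile configured in Step 1 above (per-color low-limit, high-limit and discard-percentage, with the all-100 default profile from the NOTE), showing the drop probability a flow queue applies at a given fill level. This is an added example, not Huawei code; it assumes the usual WRED curve (no drops below low-limit, a linear rise to discard-percentage at high-limit, and tail drop at or above high-limit), and fill level is the queue occupancy as a percentage of the queue depth.

```python
from dataclasses import dataclass
from typing import Dict
import random

COLORS = ("green", "yellow", "red")


@dataclass(frozen=True)
class ColorThreshold:
    low: int        # low-limit-percentage: drops start here
    high: int       # high-limit-percentage: every packet is dropped from here on
    discard: int    # discard-percentage: drop probability (%) reached at high-limit


class FlowWredProfile:
    """Model of `flow-wred-profile <name>` holding one `color` setting per packet color."""

    def __init__(self, name: str) -> None:
        self.name = name
        # Default profile: thresholds and maximum drop probability are all 100,
        # which amounts to plain tail drop when the queue is full.
        self.thresholds: Dict[str, ColorThreshold] = {
            c: ColorThreshold(100, 100, 100) for c in COLORS}

    def color(self, color: str, low: int, high: int, discard: int) -> "FlowWredProfile":
        """color { green | yellow | red } low-limit .. high-limit .. discard-percentage .."""
        if color not in COLORS:
            raise ValueError(f"unknown color {color!r}")
        if not (0 <= low <= high <= 100 and 0 <= discard <= 100):
            raise ValueError("require 0 <= low-limit <= high-limit <= 100 and 0 <= discard <= 100")
        self.thresholds[color] = ColorThreshold(low, high, discard)
        return self

    def drop_probability(self, color: str, fill_percent: float) -> float:
        """Assumed WRED curve: 0 below low-limit, linear up to discard% at high-limit,
        1.0 (tail drop) at or above high-limit."""
        t = self.thresholds[color]
        if fill_percent < t.low:
            return 0.0
        if fill_percent >= t.high:
            return 1.0
        return (fill_percent - t.low) / (t.high - t.low) * t.discard / 100


def dropped_packets(profile: FlowWredProfile, color: str, fill_percent: float,
                    packets: int, seed: int = 1) -> int:
    """Number of packets of one color dropped at a fixed fill level (deterministic RNG)."""
    rng = random.Random(seed)
    p = profile.drop_probability(color, fill_percent)
    return sum(1 for _ in range(packets) if rng.random() < p)


# Thresholds taken from the Video (yellow: 60, 80, 20) and Data (red: 40, 60, 40) rows
# of the HQoS configuration example's table; green keeps the default.
CAMPUS_PROFILE = (FlowWredProfile("campus")
                  .color("yellow", 60, 80, 20)
                  .color("red", 40, 60, 40))


if __name__ == "__main__":
    for color, fill in (("green", 99), ("yellow", 50), ("yellow", 70), ("red", 50), ("red", 60)):
        p = CAMPUS_PROFILE.drop_probability(color, fill)
        print(f"{color:6} at {fill:3}% fill: drop probability {p:.2f}, "
              f"{dropped_packets(CAMPUS_PROFILE, color, fill, 1000)} of 1000 dropped")
```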
Context
The mapping between flow queues and port queues allows the device to flexibly send service
traffic in a flow queue to a port queue. Then the device can deliver differentiated services for
the same service traffic from different users.
Procedure
Step 1 Run:
system-view
Step 2 Run:
flow-mapping-profile flow-mapping-profile-name
A flow mapping profile is created or the view of an existing flow mapping profile is
displayed.
By default, the system predefines a flow mapping profile default. This flow mapping profile
cannot be modified or deleted.
Step 3 Run:
map flow-queue flow-queue-index to port-queue port-queue-index
To adjust the mapping between flow queues and port queues, perform the preceding
configurations. If the preceding configurations are not performed, a subscriber queue
references the flow mapping profile default.
----End
Background
You can set different traffic shaping rates for different users by configuring subscriber queues
so that the device provides higher bandwidth for high-priority users. Traffic from different
users is differentiated based on ACLs that define items such as the source and destination
MAC addresses, source and destination IP addresses, and VLAN IDs.
Pre-configuration Tasks
Before configuring a subscriber queue, configure an ACL.
Procedure
Step 1 Run:
system-view
The device is configured to shape packets in a subscriber queue matching a single ACL
rule and to reference the flow queue and flow mapping profile to implement HQoS.
l Run:
traffic-user-queue outbound acl { l2-acl | name acl-name } acl { bas-acl | adv-acl | name acl-name } pir pir-value [ flow-queue-profile flow-queue-profile-name | flow-mapping-profile flow-mapping-profile-name ]*
The device is configured to shape packets in a subscriber queue matching both Layer 2
and Layer 3 ACL rules and to reference the flow queue and flow mapping profile to
implement HQoS.
l Run:
traffic-user-queue outbound acl { bas-acl | adv-acl | name acl-name } acl { l2-acl | name acl-name } pir pir-value [ flow-queue-profile flow-queue-profile-name | flow-mapping-profile flow-mapping-profile-name ]*
The device is configured to shape packets in a subscriber queue matching both Layer 2
and Layer 3 ACL rules and to reference the flow queue and flow mapping profile to
implement HQoS.
----End
Procedure
Step 1 Run the display flow-wred-profile [ name flow-wred-profile-name | all ] command to check
the flow queue WRED drop profile.
Step 4 Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to check the subscriber queue
configuration.
----End
Context
After subscriber queues are configured to implement HQoS, to learn forwarded and discarded
packets in each flow queue of subscriber queues, run the following commands to view traffic
statistics based on matched ACL rules.
Procedure
l Run the display traffic-user-queue statistics interface interface-type interface-number
outbound acl { bas-acl | adv-acl } [ acl { l2-acl | name acl-name } ] command to check
traffic statistics on subscriber queues.
l Run the display traffic-user-queue statistics interface interface-type interface-number
outbound acl l2-acl [ acl { bas-acl | adv-acl | name acl-name } ] command to check
traffic statistics on subscriber queues.
l Run the display traffic-user-queue statistics interface interface-type interface-number
outbound acl name name-acl [ acl { bas-acl | adv-acl | l2-acl | name acl-name } ]
command to check traffic statistics on subscriber queues.
l Run the display traffic-user-queue statistics interface interface-type interface-number
outbound acl ipv6 { bas-acl | adv-acl | name acl-name } command to check traffic
statistics on subscriber queues.
----End
Context
Before recollecting traffic statistics on subscriber queues, run the following commands in the
user view to clear existing traffic statistics based on matched ACLs.
NOTICE
The cleared traffic statistics on subscriber queues cannot be restored. Exercise caution when
you run the reset command.
Procedure
Step 1 Run the reset traffic-user-queue statistics interface interface-type interface-number
outbound acl { bas-acl | adv-acl } [ acl { l2-acl | name acl-name } ] command to clear traffic
statistics on subscriber queues.
----End
Networking Requirements
Voice, video, and data services from multiple users are transmitted on an enterprise campus
network, and 802.1p priorities of voice, video, and data services are 6, 5, and 2 respectively.
Bandwidth needs to be guaranteed for the voice, video, and data services in descending order
of priority. Table 11-6 and Table 11-7 describe the configuration requirements.
Because the bandwidth is limited, the device needs to differentiate service priorities and shape
traffic from different users to provide different bandwidth. Table 11-8 describes the
configuration requirement.
Flow queue WRED drop parameters for each service (the voice row follows the green parameters set in Step 3):
Service   Color    Low limit (%)   High limit (%)   Discard percentage (%)
Voice     Green    80              100              10
Video     Yellow   60              80               20
Data      Red      40              60               40

PHB to which each service is mapped:
Service   PHB
Voice     EF
Video     AF3
Data      AF1

Figure: networking diagram for the HQoS configuration example. User 1 and User 2 (video, data, and voice traffic) connect to GE0/0/1 and GE0/0/2 of SwitchA in VLAN 10; User 3 and User 4 connect to GE0/0/1 and GE0/0/2 of SwitchB in VLAN 20. GE0/0/3 of SwitchA and GE0/0/3 of SwitchB connect to GE0/0/1 and GE0/0/2 of the Switch, whose GE0/0/3 connects to GE0/0/1 of SwitchC; GE0/0/2 of SwitchC connects to the Router and on to the Internet. The traffic direction shown is from the users toward the Internet.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that the enterprise can access the Internet
through the Switch.
2. Create a DiffServ domain on the Switch, map the 802.1p priorities of different service
packets to PHBs and color, and bind the DiffServ domain to the inbound interface of the
Switch.
3. Configure a flow queue WRED drop profile, flow queue profile, and profile parameters
on the Switch so that the Switch provides different scheduling priorities, drop profile
parameters, and traffic shaping parameters for different services.
4. Configure ACLs on the Switch to differentiate service traffic of different users based on
VLAN IDs.
5. Configure subscriber queues and traffic shaping parameters on the Switch, and reference
the flow queue WRED drop profile and flow queue profile to implement HQoS.
Procedure
Step 1 Create VLANs and configure interfaces.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type trunk
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet0/0/2] quit
# Create VLAN 10 and VLAN 20 on the Switch, configure GE0/0/1, GE0/0/2, and GE0/0/3
as trunk interfaces, and add GE0/0/1 to VLAN 10, GE0/0/2 to VLAN 20, and GE0/0/3 to
VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet0/0/3] quit
Step 2 Create a DiffServ domain and map 802.1p priorities to PHBs and colors.
# Create DiffServ domain ds1, map 802.1p priorities 6, 5, and 2 to EF, AF3, and AF1, and color the packets green, yellow, and red respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[Switch-dsdomain-ds1] quit
Step 3 Configure a flow queue WRED drop profile and define parameters in the profile.
# Create flow queue WRED drop profile wred1 on the Switch and set parameters of green,
yellow, and red packets in the flow queue WRED drop profile.
[Switch] flow-wred-profile wred1
[Switch-flow-wred-wred1] color green low-limit 80 high-limit 100 discard-percentage 10
[Switch-flow-wred-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20
[Switch-flow-wred-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-flow-wred-wred1] quit
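To see what the three color thresholds in wred1 do to a flow queue as it fills, the following added example (not Huawei code and not part of this guide) models a color-aware WRED profile with the usual WRED curve: no drops below low-limit, a drop probability rising linearly from 0 to discard-percentage between low-limit and high-limit, and tail drop at or above high-limit. That the switch implements exactly this curve is an assumption; the thresholds are taken as percentages of queue length, as in the Step 3 parameters.

```python
"""Colour-aware WRED drop profile model (added example, not Huawei code).

Assumed semantics: below low-limit nothing is dropped; between low-limit and
high-limit the drop probability rises linearly from 0 to discard-percentage;
at or above high-limit every packet is dropped. The exact curve the switch
implements is an assumption of this example.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class ColorThreshold:
    low_limit: int           # queue fill (%) where random drops begin
    high_limit: int          # queue fill (%) where tail drop begins
    discard_percentage: int  # max random-drop probability (%) just below high_limit


# The profile wred1 from Step 3, keyed by packet colour.
WRED1 = {
    "green":  ColorThreshold(low_limit=80, high_limit=100, discard_percentage=10),
    "yellow": ColorThreshold(low_limit=60, high_limit=80, discard_percentage=20),
    "red":    ColorThreshold(low_limit=40, high_limit=60, discard_percentage=40),
}


def drop_probability(profile, color, queue_fill_percent):
    """Probability (0.0 to 1.0) that a packet of `color` is dropped when the
    flow queue is `queue_fill_percent` full."""
    t = profile[color]
    if queue_fill_percent < t.low_limit:
        return 0.0
    if queue_fill_percent >= t.high_limit:
        return 1.0
    position = (queue_fill_percent - t.low_limit) / (t.high_limit - t.low_limit)
    return position * t.discard_percentage / 100.0


def should_drop(profile, color, queue_fill_percent, rng=random):
    """Per-packet WRED decision: drop with the computed probability."""
    return rng.random() < drop_probability(profile, color, queue_fill_percent)


def drop_table(profile, fills=(30, 50, 70, 90, 100)):
    """Drop probability per colour at several queue fill levels (%)."""
    return {
        color: [round(drop_probability(profile, color, f), 3) for f in fills]
        for color in profile
    }


if __name__ == "__main__":
    # Red (data) packets are discarded first, green (voice) packets last.
    for color, probs in drop_table(WRED1).items():
        print(f"{color:7s} {probs}")
```

At 70 % fill the model already tail-drops red (data) packets, randomly drops yellow (video) packets with probability 0.1, and leaves green (voice) packets untouched, which is the descending-priority protection the networking requirements ask for. The same overlapping thresholds mean that congestion in one flow queue is absorbed by lower-priority colours before it reaches voice.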
Step 4 Configure a flow queue profile and define parameters in the profile.
# Configure flow queue profile flow1 on the Switch, bind flow queue profile flow1 to flow
queue WRED drop profile wred1, and configure different scheduling parameters.
[Switch] flow-queue-profile flow1
[Switch-flow-queue-flow1] qos queue 5 pq flow-wred-profile wred1
[Switch-flow-queue-flow1] qos queue 3 wfq weight 20 flow-wred-profile wred1
[Switch-flow-queue-flow1] qos queue 1 wfq weight 10 flow-wred-profile wred1
[Switch-flow-queue-flow1] quit
# Check the flow queue profile configuration, including the profile name and WFQ weights.
<Switch> display flow-queue-profile name flow1
Flow-queue-profile[1]: flow1
Queue Schedule(Weight) Shaping flow-wred-profile
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 PQ None default
1 WFQ(10) None wred1
2 PQ None default
3 WFQ(20) None wred1
4 PQ None default
5 PQ None wred1
6 PQ None default
7 PQ None default
-----------------------------------------------------------------------
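The profile flow1 serves queue 5 strictly first (PQ) and shares whatever is left between queues 3 and 1 by their WFQ weights 20 and 10, while the subscriber queue that references it is capped at a PIR (the configuration file at the end of this example uses pir 8000 and pir 5000 for ACLs 4001 and 4002). The following added example (not Huawei code and not part of this guide) is an idealised fluid model of that two-level allocation; the offered loads are constructed, and the work-conserving redistribution of unused WFQ share is an assumption about scheduler behaviour, not a description of the switch's packet-level scheduler.

```python
"""Two-level HQoS allocation model (added example, not Huawei code).

One subscriber queue shaped to a PIR (kbit/s) whose flow queues follow the
flow-queue-profile of Step 4: PQ queues are served strictly first, then WFQ
queues share the remainder in proportion to their weights. A WFQ queue that
needs less than its share returns the surplus to the others (assumed
work-conserving behaviour). Demand figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowQueue:
    queue_id: int
    mode: str        # "pq" or "wfq"
    weight: int = 0  # only meaningful for wfq


# flow-queue-profile flow1 from Step 4.
FLOW1 = [
    FlowQueue(5, "pq"),        # voice (EF)
    FlowQueue(3, "wfq", 20),   # video (AF3)
    FlowQueue(1, "wfq", 10),   # data  (AF1)
]


def allocate(pir_kbps, demand_kbps, profile=FLOW1):
    """Return {queue_id: kbit/s granted} for one subscriber queue.

    pir_kbps:    subscriber queue PIR (traffic-user-queue ... pir)
    demand_kbps: {queue_id: offered load in kbit/s}
    """
    granted = {q.queue_id: 0.0 for q in profile}
    remaining = float(pir_kbps)

    # 1. Strict priority: higher queue ids first, each takes what it needs.
    pq_queues = sorted((q for q in profile if q.mode == "pq"),
                       key=lambda q: -q.queue_id)
    for q in pq_queues:
        take = min(demand_kbps.get(q.queue_id, 0.0), remaining)
        granted[q.queue_id] = take
        remaining -= take

    # 2. WFQ: split the remainder by weight; queues needing less than their
    #    share are satisfied and removed, then the rest is re-split.
    pending = [q for q in profile if q.mode == "wfq"]
    while pending and remaining > 1e-9:
        total_weight = sum(q.weight for q in pending)
        satisfied = []
        for q in pending:
            share = remaining * q.weight / total_weight
            need = demand_kbps.get(q.queue_id, 0.0) - granted[q.queue_id]
            if need <= share:
                granted[q.queue_id] += need
                satisfied.append(q)
        if not satisfied:
            # Every pending queue can use its full share: hand it out and stop.
            for q in pending:
                granted[q.queue_id] += remaining * q.weight / total_weight
            remaining = 0.0
            break
        remaining = pir_kbps - sum(granted.values())
        pending = [q for q in pending if q not in satisfied]
    return {k: round(v, 1) for k, v in granted.items()}


if __name__ == "__main__":
    # User 1 (acl 4001, pir 8000): all three services oversubscribe the PIR.
    print(allocate(8000, {5: 1000, 3: 6000, 1: 6000}))
    # Voice alone exceeds the PIR: PQ starves the WFQ queues entirely.
    print(allocate(8000, {5: 9000, 3: 1000, 1: 1000}))
```

The second call shows the caveat that matters operationally: because queue 5 is PQ, a voice flow that exceeds the subscriber PIR leaves nothing for video and data. In practice the EF flow is kept below the PIR by the shaping or CAR applied upstream of the flow queue, so the WFQ queues keep their 2:1 share.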
--------------------------------------------------------------------------------
Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,127             drop: 2,798,787,076
         | bytes:   pass: 610,796           drop: 414,220,487,248
--------------------------------------------------------------------------------
1        | packets: pass: 4,127             drop: 5,597,436,717
         | bytes:   pass: 610,796           drop: 828,420,634,116
--------------------------------------------------------------------------------
2        | packets: pass: 0                 drop: 0
         | bytes:   pass: 0                 drop: 0
--------------------------------------------------------------------------------
3        | packets: pass: 4,127             drop: 5,597,436,713
         | bytes:   pass: 610,796           drop: 828,420,633,524
--------------------------------------------------------------------------------
4        | packets: pass: 4,127             drop: 2,798,716,293
         | bytes:   pass: 610,796           drop: 414,210,011,364
--------------------------------------------------------------------------------
5        | packets: pass: 4,127             drop: 2,798,716,294
         | bytes:   pass: 610,796           drop: 414,210,011,512
--------------------------------------------------------------------------------
6        | packets: pass: 0                 drop: 0
         | bytes:   pass: 0                 drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 1,119,509,460     drop: 1,679,210,961
         | bytes:   pass: 165,687,400,080   drop: 248,523,222,228
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,125             drop: 5,218,026
         | bytes:   pass: 610,500           drop: 772,267,848
--------------------------------------------------------------------------------
1        | packets: pass: 4,125             drop: 10,440,178
         | bytes:   pass: 610,500           drop: 1,545,146,344
--------------------------------------------------------------------------------
2        | packets: pass: 0                 drop: 0
         | bytes:   pass: 0                 drop: 0
--------------------------------------------------------------------------------
3        | packets: pass: 4,125             drop: 10,440,178
         | bytes:   pass: 610,500           drop: 1,545,146,344
--------------------------------------------------------------------------------
4        | packets: pass: 4,125             drop: 5,218,027
         | bytes:   pass: 610,500           drop: 772,267,996
--------------------------------------------------------------------------------
5        | packets: pass: 4,125             drop: 5,218,027
         | bytes:   pass: 610,500           drop: 772,267,996
--------------------------------------------------------------------------------
6        | packets: pass: 0                 drop: 0
         | bytes:   pass: 0                 drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 2,092,988         drop: 3,129,165
         | bytes:   pass: 309,762,224       drop: 463,116,420
--------------------------------------------------------------------------------
----End
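The per-queue statistics shown above, and the display traffic-user-queue statistics checks described earlier in this section, are only useful if someone turns the counters into a pass/drop ratio per queue and watches it over time. The following added example (not Huawei code and not part of this guide) parses a statistics block in that layout; the sample block is constructed with three queues from the output above, the regular expression tolerates the line wrapping seen in extracted copies of the output, and the 5 % drop-ratio threshold is an assumed operational value.

```python
"""Parse per-queue statistics output and flag heavy-drop queues
(added example, not Huawei code).

SAMPLE_OUTPUT is constructed in the layout of the display output shown in
this section. The regex allows optional '|' and newlines between fields, so
it also accepts copies where each value was wrapped onto its own line.
"""
import re

SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
Queue ID | Statistics information
--------------------------------------------------------------------------------
0        | packets: pass: 4,127             drop: 2,798,787,076
         | bytes:   pass: 610,796           drop: 414,220,487,248
--------------------------------------------------------------------------------
2        | packets: pass: 0                 drop: 0
         | bytes:   pass: 0                 drop: 0
--------------------------------------------------------------------------------
7        | packets: pass: 1,119,509,460     drop: 1,679,210,961
         | bytes:   pass: 165,687,400,080   drop: 248,523,222,228
--------------------------------------------------------------------------------
"""

# One record: queue id, packets pass/drop, bytes pass/drop. '\s*' spans
# newlines under re.S and '\|?' absorbs the continuation bar.
_RECORD = re.compile(
    r"(\d+)\s*\|\s*packets:\s*pass:\s*([\d,]+)\s*\|?\s*drop:\s*([\d,]+)"
    r"\s*\|?\s*bytes:\s*pass:\s*([\d,]+)\s*\|?\s*drop:\s*([\d,]+)",
    re.S,
)


def _num(text):
    """Convert a thousands-separated counter such as '2,798,787,076' to int."""
    return int(text.replace(",", ""))


def parse_queue_stats(text):
    """Return {queue_id: {"pkt_pass", "pkt_drop", "byte_pass", "byte_drop"}}."""
    stats = {}
    for m in _RECORD.finditer(text):
        qid, pkt_pass, pkt_drop, byte_pass, byte_drop = m.groups()
        stats[int(qid)] = {
            "pkt_pass": _num(pkt_pass),
            "pkt_drop": _num(pkt_drop),
            "byte_pass": _num(byte_pass),
            "byte_drop": _num(byte_drop),
        }
    return stats


def drop_ratio(entry):
    """Fraction of packets dropped; 0.0 for an idle queue."""
    total = entry["pkt_pass"] + entry["pkt_drop"]
    return entry["pkt_drop"] / total if total else 0.0


def heavy_drop_queues(stats, threshold=0.05):
    """Queue ids whose drop ratio exceeds the (assumed) 5 % threshold."""
    return sorted(q for q, e in stats.items() if drop_ratio(e) > threshold)


if __name__ == "__main__":
    stats = parse_queue_stats(SAMPLE_OUTPUT)
    for qid, entry in sorted(stats.items()):
        print(f"queue {qid}: drop ratio {drop_ratio(entry):.3f}")
    print("heavy-drop queues:", heavy_drop_queues(stats))
```

Counters on the device are cumulative, so the ratio is meaningful only over an interval: either clear them with the reset command described in this section before a measurement window, or keep the previous sample and subtract. A sudden rise in the drop ratio of the EF queue while the WFQ queues stay flat is the signature to investigate, since it means traffic is reaching the PQ queue faster than the subscriber PIR allows.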
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
l SwitchB configuration file
vlan batch 20
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 20
#
return
l SwitchC configuration file
vlan batch 10 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return
l Switch configuration file
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
 traffic-user-queue outbound acl 4001 pir 8000 flow-queue-profile flow1
 traffic-user-queue outbound acl 4002 pir 5000 flow-queue-profile flow1
#
return