H3C SR6600 SPE-FWM Configuration manual

Category
Software
Type
Configuration manual
H3C SR6600 Routers
ACL and QoS
Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 20100930-C-1.08
Product Version: SR6600-CMW520-R2420
Copyright © 2007-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, , Aolynk, , H
3
Care,
, TOP G, , IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V
2
G, V
n
G, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SR6600 documentation set includes 13 configuration guides, which describe the software
features for the H3C SR6600 Routers and guide you through the software configuration procedures.
These configuration guides also provide configuration examples to help you apply software features to
different network scenarios.
The ACL and QoS Configuration Guide describes fundamentals and configuration for QoS-related
features, including traffic classification, traffic policing, traffic shaping, QoS policy, congestion
management, congestion avoidance, priority mapping, hardware congestion management, EACL, DAR,
MPLS QoS, and FR QoS.
This preface includes:
z Audience
z Conventions
z About the H3C SR6600 Documentation Set
z Obtaining Documentation
z Documentation Feedback
Audience
This documentation is intended for:
z Network planners
z Field technical support and servicing engineers
z Network administrators working with the SR6600
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold
text represents commands and keywords that you enter literally as shown.
italic
Italic text represents arguments that you replace with actual values.
[ ]
Square brackets enclose syntax choices (keywords or arguments) that are
optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars,
from which you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical
bars, from which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by
vertical bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by
vertical bars, from which you may select multiple choices or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&)
sign can be entered 1 to n times.
Convention Description
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
Boldface
Window names, button names, field names, and menu items are in Boldface.
For example, the
New User
window appears; click
OK
.
>
Multi-level menus are separated by angle brackets. For example,
File
>
Create
>
Folder
.
Symbols
Convention Description
Means reader be extremely careful. Improper operation may cause bodily
injury.
Means reader be careful. Improper operation may cause data loss or damage to
equipment.
Means an action or information that needs special attention to ensure
successful configuration or good performance.
Means a complementary description.
Means techniques helpful for you to make configuration with ease.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router
that supports Layer 2 forwarding and other Layer 2 features.
About the H3C SR6600 Documentation Set
The H3C SR6600 documentation set includes:
Category Documents Purposes
Marketing brochures Describe product specifications and benefits.
Technology white papers
Provide an in-depth description of software features
and technologies.
Product description and
specifications
Card datasheets Describe card specifications, features, and standards.
Hardware specifications
and installation
Compliance and safety
manual
Provides regulatory information and the safety
instructions that must be followed during installation.
Category Documents Purposes
Installation guide
Provides a complete guide to hardware installation
and hardware specifications.
Card manuals Provide the hardware specifications of cards.
H3C N68 Cabinet
Installation and Remodel
Introduction
Guides you through installing and remodeling H3C
N68 cabinets.
Configuration guides
Describe software features and configuration
procedures.
Software configuration
Command references Provide a quick reference to all available commands.
H3C SR6608 Release
notes
Operations and
maintenance
H3C SR6602 Release
notes
Provide information about the product release,
including the version history, hardware and software
compatibility matrix, version upgrade information,
technical support information, and software upgrading.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with
the software version.
Technical Support
customer_service@h3c.com
http://www.h3c.com
Documentation Feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
i
Table of Contents
1 ACL Configuration·····································································································································1-1
ACL Overview ·········································································································································1-1
ACL Classification ···························································································································1-1
ACL Numbering and Naming ··········································································································1-2
Match Order·····································································································································1-2
ACL Rule Numbering·······················································································································1-3
Implementing Time-Based ACL Rules ····························································································1-4
IPv4 Fragments Filtering with ACLs ································································································1-4
ACL Application ·······························································································································1-4
ACL Configuration Task List ···················································································································1-4
Configuring an ACL·································································································································1-5
Creating a Time Range ···················································································································1-5
Configuring a Basic ACL ·················································································································1-5
Configuring an Advanced ACL ········································································································1-7
Configuring an Ethernet Frame Header ACL ··················································································1-9
Copying an ACL ····························································································································1-10
Enabling ACL Acceleration for an IPv4 ACL ·················································································1-10
Displaying and Maintaining ACLs ·········································································································1-11
ACL Configuration Examples················································································································1-12
IPv4 ACL Configuration Examples ································································································1-12
IPv6 ACL Configuration Example··································································································1-13
2 QoS Overview ············································································································································2-1
Introduction to QoS ·································································································································2-1
QoS Service Models ·······························································································································2-1
Best-Effort Service Model················································································································2-1
IntServ Model ··································································································································2-1
DiffServ Model ·································································································································2-2
QoS Techniques Overview ·····················································································································2-2
Applying QoS Techniques in a Network··························································································2-2
QoS Processing Flow ······················································································································2-3
3 QoS Configuration Approaches···············································································································3-1
QoS Configuration Approach Overview ··································································································3-1
Non-Policy Approach·······················································································································3-1
Policy Approach·······························································································································3-1
Configuring a QoS Policy························································································································3-1
Defining a Class ······························································································································3-2
Defining a Traffic Behavior ··············································································································3-2
Defining a Policy······························································································································3-3
Applying the QoS Policy··················································································································3-4
Displaying and Maintaining QoS Policies························································································3-6
ii
4 Priority Mapping Configuration················································································································4-1
Priority Mapping Overview ······················································································································4-1
Introduction to Priority Mapping·······································································································4-1
Introduction to Priorities···················································································································4-1
Priority Mapping Tables···················································································································4-2
Priority Mapping Configuration Tasks·····································································································4-2
Configuring Priority Mapping···················································································································4-2
Configuring a Priority Mapping Table ······························································································4-2
Configuring an Interface to Trust Packet Priority for Priority Mapping ············································4-3
Changing the Port Priority of an Interface ·······················································································4-3
Displaying and Maintaining Priority Mapping··························································································4-4
Priority Mapping Configuration Examples·······························································································4-4
Priority Trust Mode Configuration Example·····················································································4-4
Priority Mapping Table and Priority Marking Configuration Example··············································4-5
5 Traffic Policing and Traffic Shaping Configuration···············································································5-1
Traffic Policing and Traffic Shaping Overview ························································································5-1
Traffic Evaluation and Token Bucket·······························································································5-1
Traffic Policing ·································································································································5-2
Traffic Shaping ································································································································5-3
Line Rate ·········································································································································5-4
Traffic Policing, Traffic Shaping, and Line Rate Configuration ·······························································5-5
Configuring Traffic Policing ·············································································································5-5
Configuring Traffic Policing in Policy Approach ··············································································5-6
Configuring Traffic Policing in Non-Policy Approach·······································································5-7
Configuring Traffic Shaping·············································································································5-8
Configuring GTS in Policy Approach·······························································································5-8
Configuring GTS in Non-Policy Approach·······················································································5-8
Configuring the Line Rate················································································································5-9
Displaying and Maintaining Traffic Policing, GTS and Line Rate ·························································5-10
Traffic Policing and GTS Configuration Examples················································································5-10
Traffic Policing and GTS Configuration Example··········································································5-10
IP Rate Limiting Configuration Example························································································5-12
6 Congestion Management Configuration·································································································6-1
Congestion Management Overview········································································································6-1
Causes, Impacts, and Countermeasures of Congestion·································································6-1
Congestion Management Policies···································································································6-2
Congestion Management Technology Comparison ········································································6-7
Configuring FIFO·····································································································································6-8
FIFO Configuration Procedure ········································································································6-8
FIFO Configuration Example···········································································································6-9
Configuring PQ········································································································································6-9
PQ Configuration Procedure ·········································································································6-10
PQ Configuration Example············································································································6-10
Configuring CQ ·····································································································································6-11
Configuration Procedure················································································································6-12
iii
CQ Configuration Example············································································································6-12
Configuring WFQ ··································································································································6-13
Configuration Procedure················································································································6-13
WFQ Configuration Example·········································································································6-13
Configuring CBQ ···································································································································6-14
Defining a Class ····························································································································6-14
Defining a Traffic Behavior ············································································································6-15
Defining a QoS Policy····················································································································6-19
Applying the QoS Policy················································································································6-19
Setting the Maximum Reserved Bandwidth as a Percentage of Available Bandwidth ·················6-22
Displaying and Maintaining CBQ···································································································6-22
CBQ Configuration Example ·········································································································6-22
Configuring RTP Priority Queuing·········································································································6-24
Configuration Procedure················································································································6-24
RTP Priority Queuing Configuration Example···············································································6-24
QoS Token Configuration ·····················································································································6-25
QoS Token Configuration Procedure ····························································································6-25
QoS Token Configuration Example·······························································································6-25
Configuring Packet Information Pre-Extraction·····················································································6-26
Configuration Procedure················································································································6-26
Configuration Example ··················································································································6-26
7 Hardware Congestion Management Configuration················································································7-1
Hardware Congestion Management Overview ·······················································································7-1
Causes, Impacts, and Countermeasures ························································································7-1
Congestion Management Techniques·····························································································7-2
Hardware Congestion Management Configuration Approach ································································7-4
Per-Queue Hardware Congestion Management ····················································································7-5
Configuring SP Queuing··················································································································7-5
Configure WRR Queuing·················································································································7-5
Configuring WFQ Queuing ··············································································································7-7
8 Congestion Avoidance······························································································································8-1
Congestion Avoidance Overview ············································································································8-1
Introduction to WRED Configuration·······································································································8-3
Configuring WRED on an Interface·········································································································8-3
Configuration Procedure··················································································································8-3
Configuration Example ····················································································································8-3
Displaying and Maintaining WRED ·········································································································8-4
WRED Configuration Example················································································································8-4
9 Traffic Filtering Configuration··················································································································9-1
Traffic Filtering Overview ························································································································9-1
Configuring Traffic Filtering·····················································································································9-1
Traffic Filtering Configuration Example···································································································9-2
Traffic Filtering Configuration Example ···························································································9-2
iv
10 Priority Marking Configuration·············································································································10-1
Priority Marking Overview ·····················································································································10-1
Configuring Priority Marking··················································································································10-1
Priority Marking Configuration Example································································································10-2
Priority Marking Configuration Example························································································10-2
11 Traffic Redirecting Configuration········································································································11-1
Traffic Redirecting Overview·················································································································11-1
Configuring Traffic Redirecting ·············································································································11-1
Traffic Redirecting Configuration Examples ·························································································11-2
Redirecting Traffic to an Interface ·································································································11-2
12 EACL Configuration ······························································································································12-1
EACL Overview·····································································································································12-1
EACL Configuration Task List···············································································································12-1
Configuring BT Traffic Limiting··············································································································12-1
EACL Configuration Example ···············································································································12-2
BT Traffic Limiting Configuration Example····················································································12-2
Troubleshooting EACL··························································································································12-4
13 DAR Configuration ································································································································13-1
DAR Overview·······································································································································13-1
Configuring DAR for P2P Traffic Identification······················································································13-1
Loading the P2P Signature File·····································································································13-1
Configuring a P2P Protocol Group ································································································13-2
Enabling P2P Traffic Recognition··································································································13-2
Configuring Protocol Match Criteria ······························································································13-2
Configuring DAR Packet Accounting·····························································································13-2
Displaying and Maintaining DAR ··········································································································13-3
DAR Configuration Examples ···············································································································13-3
P2P Downloading Traffic Blocking Configuration Example···························································13-3
14 Class-Based Accounting Configuration ·····························································································14-1
Class-Based Accounting Overview·······································································································14-1
Configuring Class-Based Accounting ···································································································14-1
Displaying and Maintaining Class-Based Traffic Accounting································································14-2
Class-Based Accounting Configuration Example ·················································································14-2
Class-Based Accounting Configuration Example··········································································14-2
15 Appendix ················································································································································15-1
Appendix A Acronym·····························································································································15-1
Appendix B Default Priority Mapping Tables ························································································15-2
Appendix C Introduction to Packet Precedences ·················································································15-4
IP Precedence and DSCP Values·································································································15-4
802.1p Priority ·······························································································································15-5
802.11e Priority ·····························································································································15-6
EXP Values ···································································································································15-6
16 MPLS QoS Configuration······················································································································16-1
MPLS QoS Overview ····························································································································16-1
v
Configuring MPLS QoS·························································································································16-2
Configuring MPLS CAR·················································································································16-2
Configuring MPLS Priority Marking ·······························································································16-3
Configuring MPLS Congestion Management ················································································16-3
MPLS QoS Configuration Example·······································································································16-4
Configuring QoS for Traffic Within a VPN ·····················································································16-4
17 FR QoS Configuration···························································································································17-1
FR QoS Overview ·································································································································17-1
FR QoS··········································································································································17-1
Key Parameters·····························································································································17-1
FR QoS Implementation················································································································17-2
Configuring FR QoS······························································································································17-7
FR QoS Configuration Task List····································································································17-7
Creating and Configuring an FR Class··························································································17-7
Configuring FRTS··························································································································17-8
Configuring FR Traffic Policing······································································································17-9
Configuring FR Congestion Management···················································································17-10
Configuring FR DE Rule List ·······································································································17-10
Configuring FR Queuing··············································································································17-11
Configuring FR Fragmentation ····································································································17-12
Displaying and Maintaining FR QoS ···································································································17-13
FR QoS Configuration Examples········································································································17-14
FRTS Configuration Example······································································································17-14
FR Fragmentation Configuration Example··················································································17-14
18 Index ·······················································································································································18-1
1-1
1 ACL Configuration
This chapter includes these sections:
z ACL Overview
z ACL Configuration Task List
z Configuring an ACL
z Creating a Time Range
z Configuring a Basic ACL
z Configuring an IPv4 basic ACL
z Configuring an Advanced ACL
z Configuring an Ethernet Frame Header ACL
z Copying an ACL
z Enabling ACL Acceleration for an IPv4 ACL
z Displaying and Maintaining ACLs
z ACL Configuration Examples
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
ACL Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based
on criteria such as the source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules, for example,
QoS and IP routing, for traffic identification.
This section covers these topics:
z ACL Classification
z ACL Numbering and Naming
z Match Order
z Implementing Time-Based ACL Rules
z IPv4 Fragments Filtering with ACLs
z ACL Application
ACL Classification
The SR6600 supports three categories of ACLs, as shown in Table 1-1.
1-2
Table 1-1 ACL categories
Category ACL number IP version Match criteria
IPv4 Source IPv4 address
Basic ACLs 2000 to 2999
IPv6 Source IPv6 address
IPv4
Source/destination IPv4 address, protocols over
IPv4, and other Layer 3 and Layer 4 header
fields
Advanced ACLs 3000 to 3999
IPv6
Source/destination IPv6 address, protocols over
IPv6, and other Layer 3 and Layer 4 header
fields
Ethernet frame
header ACLs
4000 to 4999 IPv4
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority, and
link layer protocol type
ACL Numbering and Naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number for identification, and in addition, you can also assign the ACL a name for the ease of
identification. After creating an ACL with a name, you can neither rename it nor delete its name.
The number and name for an Ethernet frame header ACL must be globally unique. The number and
name for an IPv4 basic or advanced ACL must be unique among all IPv4 ACLs, and for an IPv6 basic or
advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL the same number and name as an
IPv6 ACL.
Match Order
The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
Two ACL match orders are available:
z config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule
with a higher ID. If you use this approach, check the rules and their order carefully.
z auto: Sorts ACL rules in depth-first order, as described in Table 1-2. The depth-first order varies
with ACL categories.
Table 1-2 Sorting ACL rules in depth-first order
ACL category Depth-first rule sorting procedures
IPv4 basic ACL
1) The rule configured with a VPN instance takes precedence.
2) The rule with more 0s in the source IP address wildcard mask takes precedence.
More 0s means a narrower IP address range.
3) The rule with a smaller ID takes precedence.
1-3
ACL category Depth-first rule sorting procedures
IPv4 advanced ACL
1) The rule configured with a VPN instance takes precedence.
2) The rule configured with a specific protocol is prior to a rule with the protocol type
set to IP. IP represents any protocol over IP.
3) The rule with more 0s in the source IP address wildcard mask takes precedence.
More 0s means a narrower IP address range.
4) The rule with more 0s in the destination IP address wildcard mask takes
precedence.
5) The rule with a narrower TCP/UDP service port number range takes precedence.
6) The rule with a smaller ID takes precedence.
IPv6 basic ACL
1) The rule configured with a longer prefix for the source IP address takes
precedence. A longer prefix means a narrower IP address range.
2) The rule with a smaller ID takes precedence.
IPv6 advanced ACL
1) The rule configured with a specific protocol is prior to a rule with the protocol type
set to IP. IP represents any protocol over IPv6.
2) The rule configured with a longer prefix for the source IPv6 address has a higher
priority.
3) The rule configured with a longer prefix for the destination IPv6 address takes
precedence.
4) The rule with a narrower TCP/UDP service port number range takes precedence.
5) The rule with a smaller ID takes precedence.
Ethernet frame
header ACL
1) The rule with more 1s in the source MAC address mask takes precedence. More
1s means a smaller MAC address.
2) The rule with more 1s in the destination MAC address mask takes precedence.
3) The rule with a smaller ID takes precedence.
A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent ‘do care’ bits, while the
1 bits represent 'don’t care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an IP
address criterion, the IP address matches the criterion. All 'don’t care' bits are ignored. The 0s and 1s in
a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With
wildcard masks, you can create more granular match criteria than network masks.
ACL Rule Numbering
What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID. The
rule numbering step sets the increment by which the system numbers rules automatically. For example,
the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are
numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between
two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched
in ascending order of rule ID.
1-4
Automatic rule numbering and re-numbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule
will be numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five
rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered
0, 2, 4, 6 and 8.
Implementing Time-Based ACL Rules
You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
Two basic types of time range are available:
z Periodic time range, which recurs periodically on a day or days of the week.
z Absolute time range, which represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the time
range can take effect only after you define the time range.
IPv4 Fragments Filtering with ACLs
Traditional packet filtering matched only first fragments of IPv4 packets, and allowed all subsequent
non-first fragments to pass through. This mechanism resulted in security risks, because attackers may
fabricate non-first fragments to attack networks.
To avoids the risks, the H3C ACL implementation:
z Filters all fragments by default, including non-first fragments.
z Provides ACL-based firewalls with standard and exact match modes for matching ACLs that
contain advanced attributes such as TCP/UDP port number and ICMP type. Standard match is the
default mode. It considers only Layer 3 attributes. Exact match considers all header attributes
defined in IPv4 ACL rules. For more information, see Firewall in the Security Configuration Guide.
ACL Application
You can use ACLs in QoS, firewall, routing, and other technologies for identifying traffic.
ACL Configuration Task List
IPv4 configuration task list
Perform the following tasks to configure an IPv4 ACL:
Task Remarks
Creating a Time Range Optional
Configuring an IPv4 basic ACL
Configuring an IPv4 advanced ACL
Configuring an Ethernet Frame Header ACL
Required
Perform at least one task.
1-5
Task Remarks
Copying an IPv4 ACL Optional
Enabling ACL Acceleration for an IPv4 ACL Optional
IPv6 ACL configuration task list
Perform the following tasks to configure an IPv6 ACL:
Task Remarks
Creating a Time Range Optional
Configuring an IPv6 basic ACL
Configuring an IPv6 Advanced ACL
Required
Perform at least one task.
Copying an IPv6 ACL Optional
Configuring an ACL
Creating a Time Range
Follow these steps to create a time range:
To do… Use the command… Remarks
Enter system view
system-view
––
Create a time range
time-range
time-range-name
{ start-time
to
end-time days [
from
time1 date1 ] [
to
time2 date2 ] |
from
time1 date1 [
to
time2 date2 ]
|
to
time2 date2 }
Required
By default, no time range exists.
You may create time ranges identified with the same name. They are regarded as one time range
whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic
and absolute ones.
You may create a maximum of 256 uniquely named time ranges, each with up to 32 periodic time
ranges and up to 12 absolute time ranges.
Configuring a Basic ACL
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based on only source IP address.
Follow these steps to configure an IPv4 basic ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
1-6
To do… Use the command… Remarks
Create an IPv4 basic ACL and
enter its view
acl number
acl-number [
name
acl-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv4 basic ACLs are numbered in
the range 2000 to 2999.
You can use the
acl
name
acl-name command to enter the
view of an existing named IPv4
ACL.
Configure a description for the IPv4
basic ACL
description
text
Optional
By default, an IPv4 basic ACL has
no ACL description.
Set the rule numbering step
step
step-value
Optional
5 by default.
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
[
counting
|
fragment
|
logging
|
source
{ sour-addr sour-wildcard |
any
} |
time-range
time-range-name |
vpn-instance
vpn-instance-name ] *
Required
By default, an IPv4 basic ACL does
not contain any rule.
To create or edit multiple rules,
repeat this step.
The
logging
keyword takes effect
only when the module (for
example, a firewall) that uses the
ACL supports logging.
Configure or edit a rule description
rule
rule-id
comment
text
Optional
By default, an IPv4 ACL rule has
no rule description.
Configuring an IPv6 basic ACL
Follow these steps to configure an IPv6 basic ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv6 basic ACL view and
enter its view
acl ipv6 number
acl6-number
[
name
acl6-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv6 basic ACLs are numbered in
the range 2000 to 2999.
You can use the
acl
ipv6
name
acl6-name command to enter the
view of an existing named IPv6
ACL.
Configure a description for the IPv6
basic ACL
description
text
Optional
By default, an IPv6 basic ACL has
no ACL description.
Set the rule numbering step
step
step-value
Optional
5 by default
1-7
To do… Use the command… Remarks
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
[
counting
|
fragment
|
logging
|
source
{ ipv6-address
prefix-length |
ipv6-address/prefix-length
|
any
} |
time-range
time-range-name ] *
Required
By default, an IPv6 basic ACL does
not contain any rule.
To create or edit multiple rules,
repeat this step.
The
logging
keyword takes effect
only when the module (for
example, a firewall) using the ACL
supports logging.
Configure or edit a rule description
rule
rule-id
comment
text
Optional
By default, an IPv6 basic ACL rule
has no rule description.
Configuring an Advanced ACL
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP,
and other protocol header information, such as TCP/UDP source and destination port numbers, TCP
flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service (ToS),
IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv4 advanced ACL and
enter its view
acl number
acl-number [
name
acl-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv4 advanced ACLs are
numbered in the range 3000 to
3999.
You can use the
acl
name
acl-name command to enter the
view of an existing named IPv4
ACL.
Configure a description for the IPv4
advanced ACL
description
text
Optional
By default, an IPv4 advanced ACL
has no ACL description.
Set the rule numbering step
step
step-value
Optional
5 by default.
1-8
To do… Use the command… Remarks
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
protocol [ { {
ack
ack-value |
fin
fin-value |
psh
psh-value |
rst
rst-value |
syn
syn-value |
urg
urg-value } * |
established
} |
counting
|
destination
{ dest-addr
dest-wildcard |
any
} |
destination-port
operator port1
[ port2 ] |
dscp
dscp |
fragment
|
icmp-type
{ icmp-type icmp-code |
icmp-message } |
logging
|
precedence
precedence |
reflective
|
source
{ sour-addr
sour-wildcard |
any
} |
source-port
operator port1 [ port2 ] |
time-range
time-range-name |
tos
tos |
vpn-instance
vpn-instance-name
] *
Required
By default, an IPv4 advanced ACL
does not contain any rule.
To create or edit multiple rules,
repeat this step.
The
logging
keyword takes effect
only when the module (for
example, a firewall) using the ACL
supports logging.
Configure or edit a rule description
rule
rule-id
comment
text
Optional
By default, an IPv4 advanced ACL
rule has no rule description.
Configuring an IPv6 Advanced ACL
IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,
protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,
TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
To do… Use the command… Remarks
Enter system view
system-view
––
Create an IPv6 advanced ACL
and enter its view
acl ipv6
number
acl6-number [
name
acl6-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
IPv6 advanced ACLs are
numbered in the range 3000 to
3999.
You can use the
acl
ipv6
name
acl6-name command to enter the
view of an existing named IPv6
ACL.
Configure a description for the
IPv6 advanced ACL
description
text
Optional
By default, an IPv6 advanced
ACL has no ACL description.
Set the rule numbering step
step
step-value
Optional
5 by default.
1-9
To do… Use the command… Remarks
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
} protocol
[ { {
ack
ack-value |
fin
fin-value |
psh
psh-value |
rst
rst-value |
syn
syn-value |
urg
urg-value } * |
established
} |
counting
|
destination
{ dest dest-prefix
| dest/dest-prefix |
any
} |
destination-port
operator port1 [ port2 ]
|
dscp
dscp |
flow-label
flow-label-value
|
fragment
|
icmp6-type
{ icmp6-type
icmp6-code | icmp6-message } |
logging
|
source
{ source source-prefix |
source/source-prefix
| any
} |
source-port
operator port1 [ port2 ] |
time-range
time-range-name ] *
Required
By default IPv6 advanced ACL
does not contain any rule.
To create or edit multiple rules,
repeat this step.
The
logging
keyword takes
effect only when the module (for
example, a firewall) using the
ACL supports logging.
Configure or edit a rule
description
rule
rule-id
comment
text
Optional
By default, an IPv6 advanced
ACL rule has no rule description.
Configuring an Ethernet Frame Header ACL
Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol
header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
Follow these steps to configure an Ethernet frame header ACL:
To do… Use the command… Remarks
Enter system view
system-view ––
Create an Ethernet frame header
ACL and enter its view
acl number
acl-number [
name
acl-name ] [
match-order
{
auto
|
config
} ]
Required
By default, no ACL exists.
Ethernet frame header ACLs are
numbered in the range 4000 to
4999.
You can use the
acl
name
acl-name command to enter the
view of an existing named Ethernet
frame header ACL.
Configure a description for the
Ethernet frame header ACL
description
text
Optional
By default, an Ethernet frame
header ACL has no ACL
description.
Set the rule numbering step
step
step-value
Optional
5 by default.
Create or edit a rule
rule
[ rule-id ] {
deny
|
permit
}
[
cos
vlan-pri |
counting
|
dest-mac
dest-addr dest-mask |
{
lsap
lsap-type lsap-type-mask |
type
protocol-type
protocol-type-mask } |
source-mac
sour-addr source-mask |
time-range
time-range-name ] *
Required
By default, an Ethernet frame
header ACL does not contain any
rule.
To create or edit multiple rules,
repeat this step.
1-10
To do… Use the command… Remarks
Configure or edit a rule description
rule
rule-id
comment
text
Optional
By default, an Ethernet frame
header ACL rule has no rule
description.
Copying an ACL
You can create an ACL by copying an existing ACL. The new ACL has the same properties and content
as the source ACL except the ACL number and name.
To successfully copy an IPv4 or IPv6 ACL, ensure that:
z The destination ACL number is from the same category as the source ACL number.
z The source IPv4 or IPv6 ACL already exists but the destination IPv4 or IPv6 ACL does not.
Copying an IPv4 ACL
Follow these steps to copy an IPv4 ACL:
To do… Use the command… Remarks
Enter system view
system-view
—
Copy an existing IPv4 ACL to
create a new IPv4 ACL
acl copy
{ source-acl-number |
name
source-acl-name }
to
{ dest-acl-number |
name
dest-acl-name }
Required
Copying an IPv6 ACL
Follow these steps to copy an IPv6 ACL:
To do… Use the command… Remarks
Enter system view
system-view
—
Copy an existing IPv6 ACL to
generate a new one of the same
category
acl ipv6 copy
{ source-acl6-number |
name
source-acl6-name }
to
{ dest-acl6-number |
name
dest-acl6-name }
Required
Enabling ACL Acceleration for an IPv4 ACL
ACL acceleration speeds up ACL lookup. Its acceleration effect increases with the number of ACL rules.
ACL acceleration uses memory. To achieve the best trade-off between memory and ACL processing
performance, H3C recommends you enable ACL acceleration for large ACLs, for example, ACLs that
contain more than 50 rules.
For example, when you use a large ACL for a session-based service, such as NAT or ASPF, you can
enable ACL acceleration to avoid session timeouts caused by ACL processing delays.
Enable ACL acceleration in an ACL after you have finished editing ACL rules. ACL acceleration always
uses ACL criteria that have been set before it is enabled for rule matching. It does not synchronize with
any subsequent match criterion changes.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143

H3C SR6600 SPE-FWM Configuration manual

Category
Software
Type
Configuration manual

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI