Aruba JH951A Configuration Guide

Type
Configuration Guide

This manual is also suitable for

HPE FlexFabric 12900E Switch Series
ACL and QoS Configuration Guide
Software
version: Release 5210
Document version: 6W100-20230424
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Configuring ACLs··························································································· 6
About ACLs ························································································································································ 6
Numbering and naming ACLs ···················································································································· 6
ACL types ··················································································································································· 6
Match order ················································································································································ 6
Rule numbering ·········································································································································· 7
Fragment filtering with ACLs ······················································································································ 8
Restrictions and guidelines: ACL configuration·································································································· 8
ACL tasks at a glance ········································································································································ 9
Configuring a basic ACL ···································································································································· 9
About basic ACLs ······································································································································· 9
Configuring an IPv4 basic ACL ·················································································································· 9
Configuring an IPv6 basic ACL ················································································································ 10
Configuring an advanced ACL ························································································································· 11
About advanced ACLs ····························································································································· 11
Configuring an IPv4 advanced ACL ········································································································· 11
Configuring an IPv6 advanced ACL ········································································································· 13
Configuring a Layer 2 ACL ······························································································································· 14
Configuring a user-defined ACL ······················································································································· 15
Copying an ACL ··············································································································································· 16
Configuring the QoS and ACL resource hardware mode················································································· 16
Verifying and maintaining ACLs ······················································································································· 16
Verifying ACL configuration and running status ······················································································· 16
Clearing ACL statistics ····························································································································· 17
QoS overview ······························································································ 18
QoS service models ········································································································································· 18
Best-effort service model ························································································································· 18
IntServ model ··········································································································································· 18
DiffServ model ·········································································································································· 18
QoS techniques in a network ··························································································································· 18
QoS processing flow in a device ······················································································································ 19
QoS configuration approaches ························································································································ 20
Configuring a QoS policy ············································································· 21
About QoS policies··········································································································································· 21
QoS policy tasks at a glance ···························································································································· 21
Defining a traffic class ······································································································································ 21
Defining a traffic behavior ································································································································ 21
Defining a QoS policy······································································································································· 22
Applying the QoS policy ··································································································································· 22
Application destinations ··························································································································· 22
Restrictions and guidelines for applying a QoS policy ············································································· 22
Applying the QoS policy to an Ethernet service instance········································································· 23
Applying the QoS policy to an interface ··································································································· 23
Applying the QoS policy to VLANs ··········································································································· 24
Applying the QoS policy globally ·············································································································· 24
Applying the QoS policy to a control plane ······························································································ 25
Verifying and maintaining QoS policies ··········································································································· 25
Verifying QoS policy configuration ··········································································································· 25
Verifying QoS policy running status ········································································································· 26
Displaying QoS and ACL resource usage································································································ 26
Clearing QoS policy statistics··················································································································· 26
Configuring priority mapping ········································································ 27
About priority mapping ····································································································································· 27
About priorities ········································································································································· 27
ii
Priority maps ············································································································································ 28
Priority mapping configuration methods ··································································································· 28
Priority mapping process ·························································································································· 28
Priority mapping tasks at a glance ··················································································································· 29
Configuring a priority map ································································································································ 29
Configuring a port to trust packet priority for priority mapping ········································································· 30
Changing the port priority of an interface ········································································································· 30
Verifying and maintaining commands for priority mapping ·············································································· 31
Priority mapping configuration examples ········································································································· 31
Example: Configuring a priority trust mode ······························································································ 31
Example: Configuring priority mapping tables and priority marking ························································· 32
Configuring traffic policing, GTS, and rate limit ············································ 36
About traffic policing, GTS, and rate limit ········································································································· 36
Traffic evaluation and token buckets········································································································ 36
Traffic policing ·········································································································································· 37
GTS ·························································································································································· 38
Rate limit ·················································································································································· 39
Configuring traffic policing ································································································································ 40
Configuring traffic policing by using the MQC approach ·········································································· 40
Configuring traffic policing for all traffic ···································································································· 41
Configuring GTS ·············································································································································· 41
Configuring queue-based GTS ················································································································ 41
Configuring the rate limit ·································································································································· 42
Configuring the rate limit for an interface ································································································· 42
Verifying and maintaining traffic policing, GTS, and rate limit ·········································································· 42
Verifying MQC-based traffic policing configuration ·················································································· 42
Verifying non-MQC traffic policing, GTS, and rate limit configurations and statistics ······························ 42
Displaying QoS and ACL resource usage································································································ 42
Configuring congestion management ·························································· 43
About congestion management ······················································································································· 43
Cause, negative results, and countermeasure of congestion ·································································· 43
Congestion management methods ·········································································································· 43
Configuring queuing on an interface ················································································································ 46
Restrictions and guidelines for queuing configuration·············································································· 46
Configuring SP queuing ··························································································································· 46
Configuring WRR queuing ······················································································································· 46
Configuring WFQ queuing ························································································································ 47
Configuring SP+WRR queuing ················································································································ 47
Configuring SP+WFQ queuing ················································································································· 47
Configuring a queue scheduling profile ············································································································ 48
About queue scheduling profiles ·············································································································· 48
Restrictions and guidelines for queue scheduling profile configuration ··················································· 48
Configuring a queue scheduling profile ···································································································· 49
Applying a queue scheduling profile ········································································································ 49
Example: Configuring a queue scheduling profile ···················································································· 49
Verifying and maintaining congestion management ························································································ 50
Verifying queuing configuration on interfaces ·························································································· 50
Verifying queue scheduling profile configuration and running status ······················································· 51
Displaying queue-based outgoing traffic statistics for interfaces ····························································· 51
Configuring congestion avoidance ······························································· 52
About congestion avoidance ···························································································································· 52
Tail drop ··················································································································································· 52
RED and WRED ······································································································································· 52
Relationship between WRED and queuing mechanisms ········································································· 53
ECN ·························································································································································· 53
WRED parameters ··································································································································· 54
Configuring WRED parameters for a queue ···································································································· 54
Configuring and applying a queue-based WRED table ··················································································· 55
Restrictions and guidelines ······················································································································ 55
iii
Procedure ················································································································································· 55
Example: Configuring and applying a queue-based WRED table···························································· 56
Verifying and maintaining WRED ····················································································································· 57
Configuring traffic filtering ············································································ 58
About traffic filtering ········································································································································· 58
Restrictions and guidelines: Traffic filtering configuration ················································································ 58
Procedure························································································································································· 58
Verifying and maintaining traffic filtering ······································································································· 59
Traffic filtering configuration examples············································································································· 59
Example: Configuring traffic filtering ········································································································ 59
Configuring protocol packet rate limiting ······················································ 61
About protocol packet rate limiting ··················································································································· 61
Procedure························································································································································· 61
Protocol packet rate limiting configuration examples ······················································································· 62
Example: Configuring protocol packet rate limiting ·················································································· 62
Configuring priority marking ········································································· 63
About priority marking ······································································································································ 63
Configuring priority marking ····························································································································· 63
Priority marking configuration examples ·········································································································· 64
Example: Configuring priority marking ····································································································· 64
Configuring nesting ······················································································ 67
About nesting ··················································································································································· 67
Restrictions and guidelines: Nesting configuration ·························································································· 67
Procedure························································································································································· 67
Verifying and maintaining nesting················································································································· 68
Nesting configuration examples ······················································································································· 68
Example: Configuring nesting ·················································································································· 68
Configuring traffic redirecting ······································································· 70
About traffic redirecting ···································································································································· 70
Restrictions and guidelines: Traffic redirecting configuration ··········································································· 70
Procedure························································································································································· 70
Verifying and maintaining traffic redirecting·································································································· 71
Traffic redirecting configuration examples ······································································································· 71
Example: Configuring traffic redirecting ··································································································· 71
Configuring global CAR ··············································································· 74
About global CAR············································································································································· 74
Aggregate CAR ········································································································································ 74
Hierarchical CAR ······································································································································ 74
Restrictions and guidelines: Global CAR configuration···················································································· 75
Configuring aggregate CAR ····························································································································· 75
Verifying and maintaining global CAR ············································································································· 76
Verifying global CAR configuration and statistics····················································································· 76
Clearing global CAR statistics ·················································································································· 76
Configuring class-based accounting ···························································· 77
About class-based accounting ························································································································· 77
Restrictions and guidelines: Class-based accounting configuration ································································ 77
Procedure························································································································································· 77
Verifying and maintaining class-based accounting······················································································· 78
Class-based accounting configuration examples ····························································································· 78
Example: Configuring class-based accounting ························································································ 78
Appendixes ·································································································· 80
Appendix A Acronyms ······································································································································ 80
Appendix B Default priority maps ····················································································································· 81
Uncolored priority maps ··························································································································· 81
iv
Appendix C Introduction to packet precedence ······························································································· 83
IP precedence and DSCP values ············································································································· 83
802.1p priority ·········································································································································· 84
EXP values ··············································································································································· 85
Configuring data buffers ·············································································· 87
About data buffers ············································································································································ 87
Data buffer types ······································································································································ 87
Data buffer tasks at a glance ··························································································································· 87
Enabling the Burst feature································································································································ 87
Configuring data buffer monitoring ··················································································································· 88
Configuring data buffer alarms ························································································································· 88
About data buffer alarms ·························································································································· 88
Configuring threshold-crossing alarms for the ingress or egress buffer··················································· 88
Configuring threshold-crossing alarms for the Headroom buffer ····························································· 89
Configuring packet-drop alarms ··············································································································· 89
Configuring time ranges ··············································································· 91
About time ranges ············································································································································ 91
Restrictions and guidelines: Time range configuration ···················································································· 91
Procedure························································································································································· 91
Verifying and maintaining time ranges ············································································································· 91
Time range configuration examples ················································································································· 92
Example: Configuring a time range ·········································································································· 92
Configuring Flowspec ·················································································· 93
About Flowspec················································································································································ 93
Flowspec device roles ······························································································································ 93
How Flowspec works ······························································································································· 93
Protocols and standards ·························································································································· 94
Prerequisites for Flowspec configuration ········································································································· 94
Configuring IPv4 Flowspec ······························································································································ 94
IPv4 Flowspec tasks at a glance ·············································································································· 94
Creating and activating an IPv4 Flowspec rule ························································································ 95
Applying an IPv4 Flowspec rule ··············································································································· 95
Enabling BGP to distribute IPv4 Flowspec rules ······················································································ 97
Configuring BGP Flowspec route reflection ··························································································· 100
Configuring IPv6 Flowspec ···························································································································· 101
IPv6 Flowspec tasks at a glance ············································································································ 101
Creating and activating an IPv6 Flowspec rule ······················································································ 102
Applying an IPv6 Flowspec rule ············································································································· 103
Enabling BGP to distribute IPv6 Flowspec rules ···················································································· 104
Configuring BGP Flowspec route reflection ··························································································· 107
Verifying and maintaining Flowspec··············································································································· 108
Verifying Flowspec rule running status ·································································································· 108
Displaying Flowspec peer information ··································································································· 108
Displaying Flowspec routing information································································································ 109
Displaying BGP IPv4 Flowspec update group information····································································· 110
Manually soft-resetting BGP sessions ··································································································· 110
Resetting BGP sessions ························································································································ 110
Clearing Flowspec rule statistics ············································································································ 111
Flowspec configuration examples ·················································································································· 111
Example: Configuring IPv4 Flowspec ···································································································· 111
Configuring MPLS QoS ············································································· 114
About MPLS QoS ··········································································································································· 114
Configuring MPLS priority marking ················································································································ 114
Configuring the MPLS DiffServ mode ············································································································ 115
About this task ········································································································································ 115
Restrictions and guidelines for MPLS DiffServ mode configuration ······················································· 116
Configuring the global MPLS DiffServ mode·························································································· 116
Configuring the MPLS DiffServ mode for a VPN instance, VSI, or cross-connect ································· 116
v
Appendixes ································································································ 117
Appendix A Default priority maps ··················································································································· 117
Document conventions and icons ······························································ 119
Conventions ··················································································································································· 119
Network topology icons ·································································································································· 120
Support and other resources ····································································· 121
Accessing Hewlett Packard Enterprise Support····························································································· 121
Accessing updates ········································································································································· 121
Websites ················································································································································ 122
Customer self repair ······························································································································· 122
Remote support ······································································································································ 122
Documentation feedback ······················································································································· 122
Index ·········································································································· 124
6
Configuring ACLs
About ACLs
An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP
address, destination IP address, and port number. The rules are also called permit or deny
statements.
ACLs are primarily used for packet filtering. You can also use ACLs in QoS, security, routing, and
other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules
that use ACLs.
Numbering and naming ACLs
When creating an ACL, you must assign it a number or name for identification. You can specify an
existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.
For basic or advanced ACLs with the same number, you must use the ipv6 keyword to distinguish
them. For ACLs with the same name, you must use the ipv6, mac, and user-defined keywords
to distinguish them.
ACL types
Type
ACL number
IP version
Match criteria
Basic ACLs 2000 to 2999 IPv4 Source IPv4 address.
IPv6 Source IPv6 address.
Advanced ACLs 3000 to 3999
IPv4 Source IPv4 address, destination IPv4
address, packet priority, protocol number, and
other Layer 3 and Layer 4 header fields.
IPv6 Source IPv6 address, destination IPv6
address, packet priority, protocol number, and
other Layer 3 and Layer 4 header fields.
Layer 2 ACLs 4000 to 4999 IPv4 and IPv6 Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority,
and link layer protocol type.
User-defined ACLs 5000 to 5999 IPv4 and IPv6 User specified matching patterns in protocol
headers.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops
the match process and performs the action defined in the rule. If an ACL contains overlapping or
conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
•
config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before
a rule with a higher ID. If you use this method, check the rules and their order carefully.
7
NOTE:
The match order of user-defined ACLs can only be config.
•
auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule
is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first
ordering uses to sort rules for each type of ACL.
Table 1 Sort ACL rules in depth-first order
ACL type
IPv4 basic ACL
1. VPN instance.
2. More 0s in the source IPv4 address wildcard (more 0s means a
narrower IPv4 address range).
3. Rule configured earlier.
IPv4 advanced ACL
4. VPN instance.
5. Specific protocol number.
6. More 0s in the source IPv4 address wildcard mask.
7. More 0s in the destination IPv4 address wildcard.
8. Narrower TCP/UDP service port number range.
Rule configured earlier.
IPv6 basic ACL
10. VPN instance.
11. Longer prefix for the source IPv6 address (a longer prefix means a
narrower IPv6 address range).
12. Rule configured earlier.
IPv6 advanced ACL
13. VPN instance.
14. Specific protocol number.
15. Longer prefix for the source IPv6 address.
16. Longer prefix for the destination IPv6 address.
17. Narrower TCP/UDP service port number range.
18. Rule configured earlier.
Layer 2 ACL
19. More 1s in the source MAC address mask (more 1s means a smaller
MAC address).
20. More 1s in the destination MAC address mask.
21. Rule configured earlier.
A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted
decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits,
and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the "do
care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are
ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a
valid wildcard mask.
Rule numbering
ACL rules can be manually numbered or automatically numbered. This section describes how
automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system automatically numbers rules. For
example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating,
they are automatically numbered 5, 10, 15, 20, and so on. The wider the numbering step, the more
rules you can insert between two rules.
8
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility
of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are
matched in ascending order of rule ID.
The rule numbering step sets the increment by which the system numbers rules automatically. If you
do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. This
rule ID is the nearest higher multiple of the numbering step to the current highest rule ID, starting
from the start rule ID. For example, if the rule numbering step is 5 and the current highest rule ID is
12, the rule is numbered 15.
The wider the numbering step, the more rules you can insert between two rules. Whenever the step
or start rule ID changes, the rules are renumbered, starting from the start rule ID. For example, if
there are five rules numbered 0, 5, 9, 10, and 15, changing the step from 5 to 2 causes the rules to be
renumbered 5, 7, 9, 11, and 13.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step
to the current highest rule ID, starting with 0.
For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined
rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the
step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 5, 7, 9, and 11.
For an ACL of the match order auto, rules are sorted in depth-first order, and are renumbered based
on the match order. For example, rules are in the match order of 5, 10, and 15. Changing the
numbering step to 2 renumbers rules 5, 15, and 10 (not 5, 10, and 15) as rules 5, 7, 9.
Fragment filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid risks, the ACL feature is designed as follows:
•
Filters all fragments by default, including non-first fragments.
•
Allows for matching criteria modification for efficiency. For example, you can configure the ACL
to filter only non-first fragments.
Restrictions and guidelines: ACL configuration
•
If you create a numbered ACL, you can enter the view of the ACL by using either of the following
commands:
ï‚¡ acl [ ipv6 ] number acl-number.
ï‚¡ acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number.
•
If you create a named ACL by using the acl [ ipv6 ] number acl-number name
acl-name command, you can enter the view of the ACL by using either of the following
commands:
ï‚¡ acl [ ipv6 ] number acl-number [ name acl-name ].
ï‚¡ acl { [ ipv6 ] { advanced | basic } | mac | user-defined } acl-number.
ï‚¡ acl { [ ipv6 ] { advanced | basic } | mac | user-defined } name acl-name.
•
If you create a named ACL by using the acl { [ ipv6 ] { advanced | basic } | mac |
user-defined } name acl-name command, you can enter the view of the ACL by using
only the command that is used to create the ACL.
•
To specify the IPv4 ACL type, do not specify the ipv6 keyword.
9
•
Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria
or has functions enabled in addition to the following match criteria and functions:
ï‚¡ Source and destination IP addresses.
ï‚¡ Source and destination ports.
ï‚¡ Transport layer protocol.
ï‚¡ ICMP or ICMPv6 message type, message code, and message name.
ï‚¡ VPN instance.
ï‚¡ Logging.
ï‚¡ Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation,
which affects the device forwarding performance.
ACL tasks at a glance
To configure an ACL, perform the following tasks:
•
Configure ACLs according to the characteristics of the packets to be matched
ï‚¡ Configuring a basic ACL
ï‚¡ Configuring an advanced ACL
ï‚¡ Configuring a Layer 2 ACL
ï‚¡ Configuring a user-defined ACL
•
(Optional.) Copying an ACL
•
(Optional.) Configuring the QoS and ACL resource hardware mode
Configuring a basic ACL
About basic ACLs
Basic ACLs can be used in the following scenarios:
•
To improve security when the device acts as an FTP or TFTP server, you can use basic ACLs to
allow only matching clients to access the server. For more information, see FTP and TFTP
configuration in Fundamentals Configuration Guide.
•
In a multicast scenario, you can use basic ACLs in a multicast source policy to receive or
forward only matching multicast packets. For more information about multicast source policy,
see PIM configuration and IPv6 PIM configuration in IP Multicast Configuration Guide.
•
To filter routes in a routing policy, you can use basic ACLs to receive or send matching routes.
For more information about routing policy, see Layer 3—IP Routing Configuration Guide.
•
To take different QoS actions on different traffic types, you can use basic ACLs to classify traffic.
For more information about traffic classes, see "Configuring QoS."
Basic ACLs match packets based only on source IP addresses.
Configuring an IPv4 basic ACL
1. Enter system view.
system-view
2. Create an IPv4 basic ACL and enter its view. Choose one option as needed:
ï‚¡ Create an IPv4 basic ACL by specifying an ACL number.
10
acl number acl-number [ name acl-name ] [ match-order { auto |
config } ]
ï‚¡ Create an IPv4 basic ACL by specifying the basic keyword.
acl basic { acl-number | name acl-name } [ match-order { auto |
config } ]
3. (Optional.) Configure a description for the IPv4 basic ACL.
description text
By default, an IPv4 basic ACL does not have a description.
4. (Optional.) Set the rule numbering step.
step step-value [ start start-value ]
By default, the rule numbering step is 5 and the start rule ID is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source
{ source-address source-wildcard | any } | time-range time-range-name |
vpn-instance vpn-instance-name ] *
6. (Optional.) Add or edit a rule comment.
rule rule-id comment text
By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
rule [ rule-id ] remark text
By default, no rule remark is configured.
Configuring an IPv6 basic ACL
1. Enter system view.
system-view
2. Create an IPv6 basic ACL view and enter its view. Choose one option as needed:
ï‚¡ Create an IPv6 basic ACL by specifying an ACL number.
acl ipv6 number acl-number [ name acl-name ] [ match-order { auto |
config } ]
ï‚¡ Create an IPv6 basic ACL by specifying the basic keyword.
acl ipv6 basic { acl-number | name acl-name } [ match-order { auto |
config } ]
3. (Optional.) Configure a description for the IPv6 basic ACL.
description text
By default, an IPv6 basic ACL does not have a description.
4. (Optional.) Set the rule numbering step.
step step-value [ start start-value ]
By default, the rule numbering step is 5 and the start rule ID is 5.
5. Create or edit a rule.
rule [ rule-id ] { deny | permit } [ counting | fragment | routing [ type
routing-type ] | source { source-address source-prefix |
source-address/source-prefix | any } | time-range time-range-name |
vpn-instance vpn-instance-name ] *
6. (Optional.) Add or edit a rule comment.
rule rule-id comment text
11
By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
rule [ rule-id ] remark text
By default, no rule remark is configured.
Configuring an advanced ACL
About advanced ACLs
Advanced ACLs can be used in the following scenarios:
•
When the device acts as an FTP or TFTP server, you can use advanced ACLs to allow only
matching clients to access the server. For more information, see FTP and TFTP configuration in
Fundamentals Configuration Guide.
•
In a multicast scenario, you can use advanced ACLs in a multicast source policy to receive or
forward only matching multicast packets. For more information about multicast source policy,
see PIM configuration and IPv6 PIM configuration in IP Multicast Configuration Guide.
•
To filter routes in a routing policy, you can use advanced ACLs to receive or send matching
routes. For more information about routing policy, see Layer 3—IP Routing Configuration
Guide.
•
To take different QoS actions on different traffic types, you can use advanced ACLs to classify
traffic. For more information about traffic classification see "Configuring QoS."
Advanced ACLs match packets based on the following criteria:
•
Source IP addresses.
•
Destination IP addresses.
•
Packet priorities.
•
Local QoS IDs.
•
Protocol types.
•
Other protocol header information, such as TCP/UDP source and destination port numbers,
TCP flags, ICMP message types, and ICMP message codes.
•
Encapsulation types.
•
Inner source IPv4 addresses.
•
Inner destination IPv4 addresses.
•
Inner protocol types.
•
Other inner protocol header information, such as inner TCP/UDP source and destination port
numbers.
Compared to basic ACLs, advanced ACLs allow more flexible and accurate filtering.
Configuring an IPv4 advanced ACL
1. Enter system view.
system-view
2. Create an IPv4 advanced ACL and enter its view. Choose one option as needed:
ï‚¡ Create a numbered IPv4 advanced ACL by specifying an ACL number.
acl number acl-number [ name acl-name ] [ match-order { auto |
config } ]
ï‚¡ Create an IPv4 advanced ACL by specifying the advanced keyword.
12
acl advanced { acl-number | name acl-name } [ match-order { auto |
config } ]
3. (Optional.) Configure a description for the IPv4 advanced ACL.
description text
By default, an IPv4 advanced ACL does not have a description.
4. (Optional.) Set the rule numbering step.
step step-value [ start start-value ]
By default, the rule numbering step is 5 and the start rule ID is 5.
5. Create or edit a rule.
ï‚¡ Create or edit a rule for matching non-encapsulated packets.
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst rst-value | syn syn-value | urg
urg-value } * | established } | counting | destination { dest-address
dest-wildcard | any } | destination-port operator port1 [ port2 ] |
{ { precedence precedence | tos tos } * | { precedence precedence | ecn
ecn } * | { dscp dscp | ecn ecn } * } | fragment | icmp-type { icmp-type
[ icmp-code ] | icmp-message } | qos-local-id local-id-value | source
{ source-address source-wildcard | any } | source-port operator
port1 [ port2 ] | time-range time-range-name | vpn-instance
vpn-instance-name ] *
ï‚¡ Create or edit a rule for matching encapsulated packets.
rule [ rule-id ] { deny | permit } { gre-encapsulation |
ipinip-encapsulation | vxlan } [ destination { dest-address
dest-wildcard | any } | source { source-address source-wildcard | any }
| source-port operator port1 [ port2 ] | vxlan-id vxlan-id ] *
inner-protocol inner-protocol [ counting | inner-destination
{ dest-address dest-wildcard | any } | inner-destination-port
operator port1 [ port2 ] | inner-established | inner-source
{ source-address source-wildcard | any } | inner-source-port
operator port1 [ port2 ] | time-range time-range-name ] *
Parameter
Description
gre-encapsulation
Matches GRE packets. The
source-port
operator
port1 [ port2 ] and vxlan-id vxlan-id options
cannot be configured if you specify the
gre-encapsulation
keyword.
ipinip-encapsulation
Matches IP-in-IP encapsulation packets. The
source-port
operator port1 [ port2 ] and vxlan-id vxlan-id
options cannot be configured if you specify the
ipinip-encapsulation
keyword.
vxlan Matches VXLAN packets by both outer and inner packet
information.
6. (Optional.) Add or edit a rule comment.
rule rule-id comment text
By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
rule [ rule-id ] remark text
By default, no rule remark is configured.
13
Configuring an IPv6 advanced ACL
1. Enter system view.
system-view
2. Create an IPv6 advanced ACL and enter its view. Choose one option as needed:
ï‚¡ Create a numbered IPv6 advanced ACL by specifying an ACL number.
acl ipv6 number acl-number [ name acl-name ] [ match-order { auto |
config } ]
ï‚¡ Create an IPv6 advanced ACL by specifying the advanced keyword.
acl ipv6 advanced { acl-number | name acl-name } [ match-order { auto
| config } ]
3. (Optional.) Configure a description for the IPv6 advanced ACL.
description text
By default, an IPv6 advanced ACL does not have a description.
4. (Optional.) Enable rule ID preemption.
rule insert-only enable
By default, rule ID preemption is disabled.
5. (Optional.) Set the rule numbering step.
step step-value [ start start-value ]
By default, the rule numbering step is 5 and the start rule ID is 5.
6. Create or edit a rule.
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value }
* | established } | counting | destination { microsegment
microsegment-id [ mask-length mask-length ] | object-group
address-group-name | dest-address dest-prefix |
dest-address/dest-prefix | any } | destination-port { object-group
port-group-name | operator port1 [ port2 ] } | dscp dscp | ecn ecn |
flow-label flow-label-value | fragment | icmp6-type { icmp6-type
icmp6-code | icmp6-message } | packet-length operator length-value1
[ length-value2 ] | qos-local-id local-id-value | routing [ type
routing-type ] | hop-by-hop [ type hop-type ] | source { microsegment
microsegment-id [ mask-length mask-length ] | object-group
address-group-name | source-address source-prefix |
source-address/source-prefix | any } | source-port { object-group
port-group-name | operator port1 [ port2 ] } | time-range
time-range-name | ttl operator ttl-value1 [ ttl-value2 ] |
vpn-instance vpn-instance-name ] *
7. (Optional.) Add or edit a rule comment.
rule rule-id comment text
By default, no rule comment is configured.
8. (Optional.) Add a rule remark.
rule [ rule-id ] remark text
By default, no rule remark is configured.
14
Configuring a Layer 2 ACL
About this task
Layer 2 ACLs can be used in the following scenarios:
•
To improve security when the device acts as a Telnet server, you can use Layer 2 ACLs to allow
only matching clients to access the server. For more information, see login management in
Fundamentals Configuration Guide.
•
To take different QoS actions on different traffic types, you can use Layer 2 ACLs to classify
traffic. For more information about traffic classes, see "Configuring QoS."
Layer 2 ACLs, also called Ethernet frame header ACLs, match packets based on Layer 2 Ethernet
header fields, such as:
•
Source MAC address.
•
Destination MAC address.
•
802.1p priority (VLAN priority).
•
Link layer protocol type.
•
Encapsulation type.
•
Inner source MAC address.
•
Inner destination MAC address.
•
Inner link layer protocol type.
Procedure
1. Enter system view.
system-view
2. Create a Layer 2 ACL and enter its view. Choose one option as needed:
ï‚¡ Create a Layer 2 ACL by specifying an ACL number.
acl number acl-number [ name acl-name ] [ match-order { auto |
config } ]
ï‚¡ Create a Layer 2 ACL by specifying the mac keyword.
acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
3. (Optional.) Configure a description for the Layer 2 ACL.
description text
By default, a Layer 2 ACL does not have a description.
4. (Optional.) Set the rule numbering step.
step step-value [ start start-value ]
By default, the rule numbering step is 5 and the start rule ID is 5.
5. Create or edit a rule.
ï‚¡ Create or edit a rule for matching non-VXLAN packets.
rule [ rule-id ] { deny | permit } [ cos dot1p | counting | dest-mac
dest-address dest-mask | { lsap lsap-type lsap-type-mask | type
protocol-type protocol-type-mask } | source-mac source-address
source-mask | time-range time-range-name ] *
ï‚¡ Create or edit a rule for matching VXLAN packets.
rule [ rule-id ] { deny | permit } vxlan [ counting | dest-mac
dest-address dest-mask | inner-dest-mac inner-dest-address
inner-dest-mask | inner-source-mac inner-source-address
inner-source-mask | inner-type inner-protocol-type
15
inner-protocol-type-mask | source-mac source-address source-mask |
time-range time-range-name | type protocol-type protocol-type-mask
| vxlan-id vxlan-id ] *
6. (Optional.) Add or edit a rule comment.
rule rule-id comment text
By default, no rule comment is configured.
7. (Optional.) Add a rule remark.
rule [ rule-id ] remark text
By default, no rule remark is configured.
Configuring a user-defined ACL
About this task
User-defined ACLs allow you to customize rules based on information in protocol headers. You can
define a user-defined ACL to match packets. A specific number of bytes after an offset (relative to the
specified header) are compared against a match pattern after being ANDed with a match pattern
mask.
Procedure
1. Enter system view.
system-view
2. Create a user-defined ACL and enter its view. Choose one option as needed:
ï‚¡ Create a user-defined ACL by specifying an ACL number.
acl number acl-number [ name acl-name ]
ï‚¡ Create a user-defined ACL by specifying the user-defined keyword.
acl user-defined { acl-number | name acl-name }
3. (Optional.) Configure a description for the user-defined ACL.
description text
By default, a user-defined ACL does not have a description.
4. Create or edit a rule.
Command 1:
rule [ rule-id ] { deny | permit } [ { { ipv4 | l2 | l4 }rule-string
rule-mask offset }&<1-8> ] [ counting | time-range time-range-name ] *
Command 2:
rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin
fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value }
* | established } | destination { dest-address dest-wildcard | any } |
destination-port { operator port1 [ port2 ] } | { { precedence precedence
| tos tos } * | { precedence precedence | ecn ecn } * | { dscp dscp | ecn ecn }
* } { source-address source-wildcard | any } | source-port { operator
port1 [ port2 ] } | vpn-instance vpn-instance-name ] * [ { { ipv4 | l2 | l4
| l5 } rule-string rule-mask offset }&<1-8> ] [ counting | time-range
time-range-name ] *
5. (Optional.) Add or edit a rule comment.
rule rule-id comment text
By default, no rule comment is configured.
6. (Optional.) Add a rule remark.
16
rule [ rule-id ] remark text
By default, no rule remark is configured.
Copying an ACL
About this task
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL)
has the same properties and content as the source ACL, but uses a different number or name than
the source ACL.
Restrictions and guidelines
To successfully copy an ACL, make sure:
•
The destination ACL is the same type as the source ACL.
•
The source ACL already exists, but the destination ACL does not.
The acceleration feature is not inherited when an ACL is copied.
Procedure
1. Enter system view.
system-view
2. Copy an existing ACL to create a new ACL.
acl [ ipv6 | mac | user-defined ] copy { source-acl-number | name
source-acl-name } to { dest-acl-number | name dest-acl-name }
Configuring the QoS and ACL resource hardware
mode
About this task
Different chips produce different packet matching results for QoS and ACL resources. Perform this
task to enhance matching capabilities of QoS and ACL resources.
Restrictions and guidelines
This feature occupies more QoS and ACL resources when an ACL is applied.
Procedure
1. Enter system view.
system-view
2. Configure the QoS and ACL resource hardware mode.
qos-acl resource hardware-mode hardware-mode-value
By default, no QoS and ACL resource hardware mode is configured.
Verifying and maintaining ACLs
Verifying ACL configuration and running status
To verify the ACL configuration and running status, execute the following command in any view:
display acl [ ipv6 | mac | user-defined ] { acl-number | all | name acl-name }
17
Clearing ACL statistics
To clear ACL statistics, execute the following command in user view:
reset acl [ ipv6 | mac | user-defined ] counter { acl-number | all | name
acl-name }
18
QoS overview
In data communications, Quality of Service (QoS) provides differentiated service guarantees for
diversified traffic in terms of bandwidth, delay, jitter, and drop rate, all of which can affect QoS.
QoS manages network resources and prioritizes traffic to balance system resources.
The following section describes typical QoS service models and widely used QoS techniques.
QoS service models
This section describes several typical QoS service models.
Best-effort service model
The best-effort model is a single-service model. The best-effort model is not as reliable as other
models and does not guarantee delay-free delivery.
The best-effort service model is the default model for the Internet and applies to most network
applications. It uses the First In First Out (FIFO) queuing mechanism.
IntServ model
The integrated service (IntServ) model is a multiple-service model that can accommodate diverse
QoS requirements. This service model provides the most granularly differentiated QoS by identifying
and guaranteeing definite QoS for each data flow.
In the IntServ model, an application must request service from the network before it sends data.
IntServ signals the service request with the RSVP. All nodes receiving the request reserve resources
as requested and maintain state information for the application flow.
The IntServ model demands high storage and processing capabilities because it requires all nodes
along the transmission path to maintain resource state information for each flow. This model is
suitable for small-sized or edge networks. However, it is not suitable for large-sized networks, for
example, the core layer of the Internet, where billions of flows are present.
DiffServ model
The differentiated service (DiffServ) model is a multiple-service model that can meet diverse QoS
requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve
resources before sending data, as IntServ does.
QoS techniques in a network
The QoS techniques include the following features:
•
Traffic classification.
•
Traffic policing.
•
Traffic shaping.
•
Rate limit.
•
Congestion management.
•
Congestion avoidance.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136

Aruba JH951A Configuration Guide

Type
Configuration Guide
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI