HP 5500 Ei 5500 Si Switch Series Configuration Guide
QoS configuration approaches

You can configure QoS by using either of the following approaches:

• MQC approach
• Non-MQC approach

Some features support both approaches, but some support only one.

MQC approach

In the modular QoS configuration (MQC) approach, you configure QoS service parameters by using QoS policies (see Configuring a QoS policy).

Non-MQC approach

In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the line rate feature to set a rate limit on an interface without using a QoS policy.
Configuring a QoS policy

Overview

A QoS policy is a set of class-behavior associations and defines the shaping, policing, or other QoS actions to take on different classes of traffic.

A class is a set of match criteria for identifying traffic and it uses the AND or OR operator:

• AND—A packet must match all the criteria to match the class.
• OR—A packet matches the class if it matches any of the criteria in the class.

A traffic behavior defines a set of QoS actions to take on packets, such as priority marking and redirect.

By associating a traffic behavior with a class in a QoS policy, you apply the specific set of QoS actions to the class of traffic.

Figure 5 shows how to configure a QoS policy.

Figure 5 QoS policy configuration procedure

Defining a class

To define a class, specify its name and then configure the match criteria in class view.
Configuration restrictions and guidelines

• If a class that uses the AND operator has multiple if-match acl, if-match acl ipv6, if-match customer-vlan-id or if-match service-vlan-id clauses, a packet that matches any of the clauses matches the class.
• To successfully execute the traffic behavior associated with a traffic class that uses the AND operator, define only one if-match clause for any of the following match criteria and input only one value for any of the following list arguments. To create multiple if-match clauses for these match criteria or specify multiple values for the list arguments, specify the operator of the class as OR and use the if-match command multiple times.
  ◦ customer-dot1p 8021p-list
  ◦ destination-mac mac-address
  ◦ dscp dscp-list
  ◦ ip-precedence ip-precedence-list
  ◦ service-dot1p 8021p-list
  ◦ source-mac mac-address
  ◦ system-index index-value-list

Configuration procedure

To define a class:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a class and enter class view.
    Command: traffic classifier tcl-name [ operator { and | or } ]
    Remarks: By default, the operator of a class is AND. The operator of a class can be AND or OR:
        • AND—A packet is assigned to a class only when the packet matches all the criteria in the class.
        • OR—A packet is assigned to a class if it matches any of the criteria in the class.

Step 3. Configure match criteria.
    Command: if-match match-criteria
    Remarks: N/A

match-criteria: Match criterion.

Table 2 The value range for the match-criteria argument

Option: acl [ ipv6 ] { acl-number | name acl-name }
    Description: Matches an ACL. The acl-number argument ranges from 2000 to 3999 for an IPv4 ACL, 2000 to 3999 for an IPv6 ACL, and 4000 to 4999 for an Ethernet frame header ACL. The acl-name argument is a case-insensitive string of 1 to 63 characters, which must start with an alphabetic letter from a to z (or A to Z), and to avoid confusion, cannot be all.

Option: any
    Description: Matches all packets.

Option: dscp dscp-list
    Description: Matches DSCP values. The dscp-list argument is a list of up to eight DSCP values. A DSCP value can be a number from 0 to 63 or any keyword in Table 9.

Option: destination-mac mac-address
    Description: Matches a destination MAC address.

Option: customer-dot1p 8021p-list
    Description: Matches the 802.1p priority of the customer network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority ranges from 0 to 7.

Option: service-dot1p 8021p-list
    Description: Matches the 802.1p priority of the service provider network. The 8021p-list argument is a list of up to eight 802.1p priority values. An 802.1p priority ranges from 0 to 7.

Option: ip-precedence ip-precedence-list
    Description: Matches IP precedence. The ip-precedence-list argument is a list of up to eight IP precedence values. An IP precedence ranges from 0 to 7.

Option: protocol protocol-name
    Description: Matches a protocol. The protocol-name argument can be IP or IPv6.

Option: source-mac mac-address
    Description: Matches a source MAC address.

Option: customer-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }
    Description: Matches the VLAN IDs of customer networks. The vlan-id-list argument is a list of up to eight VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.

Option: service-vlan-id { vlan-id-list | vlan-id1 to vlan-id2 }
    Description: Matches the VLAN IDs of ISP networks. The vlan-id-list is a list of up to eight VLAN IDs. The vlan-id1 to vlan-id2 specifies a VLAN ID range, where the vlan-id1 must be smaller than the vlan-id2. A VLAN ID ranges from 1 to 4094.

Option: system-index index-value-list
    Description: Matches a pre-defined match criterion (system-index) for packets sent to the control plane. The index-value-list argument specifies a list of up to eight system indexes. The system index ranges from 1 to 128.

Defining a traffic behavior

A traffic behavior is a set of QoS actions (such as traffic filtering, shaping, policing, and priority marking) to take on a class of traffic.
To define a traffic behavior, first create it and then configure QoS actions, such as priority marking and traffic redirecting, in traffic behavior view.

To define a traffic behavior:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a traffic behavior and enter traffic behavior view.
    Command: traffic behavior behavior-name
    Remarks: N/A

Step 3. Configure actions in the traffic behavior.
    See the subsequent chapters, depending on the purpose of the traffic behavior: traffic policing, traffic filtering, traffic redirecting, priority marking, traffic accounting, and so on.
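
The class restrictions and the Table 2 value ranges above can be checked before a configuration is pushed to a switch. The following Python linter is an added example, not part of the HP guide; the class names and values in SAMPLE are constructed, and it assumes the one-space indentation of commands inside class view.

```python
# Criteria that an AND class may use in only one if-match clause, one value each.
SINGLE_IN_AND = {"customer-dot1p", "destination-mac", "dscp", "ip-precedence",
                 "service-dot1p", "source-mac", "system-index"}
# Numeric ranges from Table 2; each of these lists takes at most eight values.
RANGES = {"dscp": (0, 63), "customer-dot1p": (0, 7), "service-dot1p": (0, 7),
          "ip-precedence": (0, 7), "system-index": (1, 128)}

def parse_classes(config):
    """Return {class name: (operator, [(criterion, [values]), ...])}."""
    classes, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words[:2] == ["traffic", "classifier"] and len(words) >= 3:
            # The operator is AND unless "operator or" is given.
            op = words[4].lower() if words[3:4] == ["operator"] and len(words) > 4 else "and"
            current = classes.setdefault(words[2], (op, []))
        elif words[:1] == ["if-match"] and len(words) >= 2 and current is not None:
            current[1].append((words[1], words[2:]))
        elif words and not raw.startswith(" "):
            current = None  # another top-level command: class view has ended
    return classes

def lint(config):
    """Return (class, criterion, problem) tuples for every violation found."""
    findings = []
    for name, (op, clauses) in parse_classes(config).items():
        counts = {}
        for crit, values in clauses:
            counts[crit] = counts.get(crit, 0) + 1
            if crit in RANGES:
                lo, hi = RANGES[crit]
                if len(values) > 8:
                    findings.append((name, crit, "more than eight values"))
                # Non-numeric tokens (DSCP keywords) are not range-checked here.
                bad = [v for v in values if v.isdigit() and not lo <= int(v) <= hi]
                if bad:
                    findings.append((name, crit, "out of range: " + " ".join(bad)))
            if op == "and" and crit in SINGLE_IN_AND and len(values) > 1:
                findings.append((name, crit, "multiple values in an AND class"))
        for crit, count in counts.items():
            if op == "and" and crit in SINGLE_IN_AND and count > 1:
                findings.append((name, crit, "repeated if-match in an AND class"))
    return findings

# Constructed sample configuration (class names and values are made up).
SAMPLE = """\
traffic classifier marked
 if-match dscp 46 34
traffic classifier cp-proto operator or
 if-match system-index 5 129
traffic classifier two-macs
 if-match source-mac 0011-2233-4455
 if-match source-mac 0011-2233-4466
traffic classifier vlans
 if-match customer-vlan-id 10
 if-match customer-vlan-id 20
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

The vlans class produces no finding because repeated customer-vlan-id clauses are allowed in an AND class and are treated as alternatives.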
Defining a policy

You associate a behavior with a class in a QoS policy to perform the actions defined in the behavior for the class of packets.

Configuration restrictions and guidelines

• If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the ACL are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the action in the rule is deny or permit.
• In a QoS policy with multiple class-to-traffic-behavior associations, if the action of creating an outer VLAN tag, setting customer network VLAN ID, or setting service provider network VLAN ID is configured in a traffic behavior, do not configure any other action in this traffic behavior; otherwise, the QoS policy may not function as expected after it is applied. For more information about the action of setting customer network VLAN ID or service provider network VLAN ID, see Layer 2—LAN Switching Configuration Guide.

Configuration procedure

To associate a class with a behavior in a policy:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a policy and enter policy view.
    Command: qos policy policy-name
    Remarks: N/A

Step 3. Associate a class with a behavior in the policy.
    Command: classifier tcl-name behavior behavior-name [ mode dot1q-tag-manipulation ]
    Remarks: Repeat this step to create more class-behavior associations. The dot1q-tag-manipulation keyword is only for VLAN mapping purposes. For more information about VLAN mapping, see Layer 2—LAN Switching Configuration Guide.

Applying the QoS policy

You can apply a QoS policy to the following destinations:

• An interface—The policy takes effect on the traffic sent or received on the interface.
• A user profile—The policy takes effect on the traffic sent or received by the online users of the user profile.
• A VLAN—The policy takes effect on the traffic sent or received on all ports in the VLAN.
• Globally—The policy takes effect on the traffic sent or received on all ports.
• Control plane—The policy takes effect on the traffic received on the control plane.

The QoS policies applied to ports, to VLANs, and globally are in the descending priority order. If the system finds a matching QoS policy for the incoming/outgoing traffic, the system stops matching the traffic against QoS policies.
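
The priority order above means that a policy on a port can keep a VLAN or global policy from ever seeing a packet. The following Python model is an added example, not code from the HP guide: it combines the AND/OR class rules with the port, VLAN, global lookup order. It assumes that a "matching" policy is one containing a class the packet matches and that classes are tried in configuration order; the behavior names are hypothetical labels.

```python
# Criteria whose repeated clauses are alternatives even in an AND class
# (the if-match acl / acl ipv6 / customer-vlan-id / service-vlan-id rule).
ALTERNATIVES_IN_AND = {"acl", "acl ipv6", "customer-vlan-id", "service-vlan-id"}
# Interface, VLAN and global policies, in descending priority.
SCOPE_ORDER = ("interface", "vlan", "global")

def clause_hit(clause, packet):
    """A clause is (criterion, set of accepted values); packet maps criterion -> value."""
    criterion, accepted = clause
    return packet.get(criterion) in accepted

def class_matches(operator, clauses, packet):
    if operator == "or":
        return any(clause_hit(c, packet) for c in clauses)
    # AND: group the clauses by criterion; every criterion must be satisfied.
    hits = {}
    for clause in clauses:
        hits.setdefault(clause[0], []).append(clause_hit(clause, packet))
    return bool(hits) and all(
        any(h) if crit in ALTERNATIVES_IN_AND else all(h)
        for crit, h in hits.items())

def effective_behavior(packet, applied):
    """applied: {scope: [(operator, clauses, behavior), ...]} for the packet's
    port, its VLAN and the global policy. Returns (scope, behavior) or None."""
    for scope in SCOPE_ORDER:
        for operator, clauses, behavior in applied.get(scope, []):
            if class_matches(operator, clauses, packet):
                return scope, behavior  # lower-priority scopes are not consulted
    return None

# Constructed sample: a global class meant to drop DSCP 0 traffic of VLANs 10
# and 20, and a port-level class that marks low-priority traffic.
GLOBAL_DROP = ("and", [("service-vlan-id", {10}), ("service-vlan-id", {20}),
                       ("dscp", {0})], "drop-best-effort")
PORT_MARK = ("or", [("dscp", {0}), ("dscp", {8})], "mark-low")
PACKET = {"service-vlan-id": 20, "dscp": 0}

if __name__ == "__main__":
    print(effective_behavior(PACKET, {"global": [GLOBAL_DROP]}))
    print(effective_behavior(PACKET, {"interface": [PORT_MARK],
                                      "global": [GLOBAL_DROP]}))
```

With only the global policy applied the packet is dropped; once the port policy is added, the same packet is marked and the global drop class is never evaluated.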
You can modify classes, behaviors, and class-behavior associations in a QoS policy applied to an interface, VLAN, or inactive user profile, or globally. If a class references an ACL for traffic classification, you can delete or modify the ACL (such as add rules to, delete rules from, and modify rules of the ACL).

If a QoS policy has been applied to an active user profile, you cannot modify classes, behaviors, and class-behavior associations of the QoS policy, or delete the QoS policy.

Applying the QoS policy to an interface

Both bridge mode (Layer 2) and route mode (Layer 3) Ethernet ports support QoS policies. The term interface in this section collectively refers to these types of ports. You can use the port link-mode command to set an Ethernet port to operate in bridge or route mode (see Layer 2—LAN Switching Configuration Guide). The 5500 SI Switch Series does not support Layer 3 Ethernet ports.

A policy can be applied to multiple interfaces, but only one policy can be applied in one direction (inbound or outbound) of an interface.

The QoS policy applied to the outgoing traffic of a port does not regulate local packets, which are critical protocol packets sent by the device that hosts the interface for maintaining the normal operation of the device. The most common local packets include link maintenance packets, STP, LDP, and RSVP packets.

To apply the QoS policy to an interface:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command:
        • Enter interface view: interface interface-type interface-number
        • Enter port group view: port-group manual port-group-name
    Remarks: Use either command. Settings in interface view take effect on the current interface. Settings in port group view take effect on all ports in the port group.

Step 3. Apply the policy to the interface or port group.
    Command: qos apply policy policy-name { inbound | outbound }
    Remarks: The outbound keyword is not available on the 5500 SI Switch Series.
Applying the QoS policy to online users

You can apply a QoS policy to multiple online users. In one direction of each online user, only one policy can be applied. To modify a QoS policy already applied in a certain direction, remove the QoS policy application first.

Configuration restrictions and guidelines

• The QoS policy applied to a user profile supports only the remark, car, and filter actions.
• Do not apply a null policy to a user profile. The user profile using a null policy cannot be activated.
• The authentication methods available for online users include 802.1X and Portal.

Configuration procedure

To apply the QoS policy to online users:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter user profile view.
    Command: user-profile profile-name
    Remarks: The configuration made in user profile view takes effect when the user profile is activated and the users of the user profile are online. For more information about user profiles, see Security Configuration Guide.

Step 3. Apply the QoS policy.
    Command: qos apply policy policy-name { inbound | outbound }
    Remarks: Use the inbound keyword to apply the QoS policy to the incoming traffic of the device (traffic sent by the online users). Use the outbound keyword to apply the QoS policy to the outgoing traffic (traffic received by the online users). The outbound keyword is not available on the 5500 SI Switch Series.

Step 4. Return to system view.
    Command: quit
    Remarks: N/A

Step 5. Activate the user profile.
    Command: user-profile profile-name enable
    Remarks: By default, a user profile is inactive.

Applying the QoS policy to a VLAN

You can apply a QoS policy to a VLAN to regulate traffic of the VLAN.

QoS policies cannot be applied to dynamic VLANs, such as VLANs created by GVRP.

To apply the QoS policy to a VLAN:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Apply the QoS policy to VLANs.
    Command: qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }
    Remarks: The outbound keyword is not available on the 5500 SI Switch Series.

Applying the QoS policy globally

You can apply a QoS policy globally to the inbound or outbound direction of all ports.

To apply the QoS policy globally:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Apply the QoS policy globally.
    Command: qos apply policy policy-name global { inbound | outbound }
    Remarks: The outbound keyword is not available on the 5500 SI Switch Series.
Applying the QoS policy to the control plane

A device provides the data plane and the control plane.

• The data plane has units responsible for receiving, transmitting, and switching (forwarding) packets, such as various dedicated forwarding chips. They deliver super processing speeds and throughput.
• The control plane has processing units running most routing and switching protocols and responsible for protocol packet resolution and calculation, such as CPUs. Compared with data plane units, the control plane units allow for great packet processing flexibility, but have lower throughput.

When the data plane receives packets that it cannot recognize or process, it transmits them to the control plane. If the transmission rate exceeds the processing capability of the control plane, which very likely occurs at times of DoS attacks, the control plane will be busy handling undesired packets and fail to handle legitimate packets correctly or timely. As a result, protocol performance is affected.

To address this problem, apply a QoS policy to the control plane to take QoS actions, such as traffic filtering or rate limiting, on inbound traffic. This action ensures that the control plane can receive, transmit, and process packets properly.

Configuration restrictions and guidelines

• By default, devices are configured with pre-defined control plane policies, which take effect on the control planes by default. A pre-defined control plane QoS policy uses the system-index to identify the type of packets sent to the control plane. You can reference system-indexes in if-match commands in class view for traffic classification and then re-configure traffic behaviors for these classes as required. You can use the display qos policy control-plane pre-defined command to display them.
• In a QoS policy for control planes, if a system index classifier is configured, the associated traffic behavior can contain only the car action or the combination of car and accounting packet actions. In addition, if the CAR action is configured, only its CIR setting can be applied.
• In the QoS policy for a control plane, if a system index classifier is not configured, the associated traffic behaviors also take effect on the data traffic of the device where the control plane resides.

Configuration procedure

To apply the QoS policy to the control plane:

Step 1. Enter system view.
    Command: system-view

Step 2. Enter control plane view.
    Command: control-plane slot slot-number

Step 3. Apply the QoS policy to the control plane.
    Command: qos apply policy policy-name inbound

Displaying and maintaining QoS policies

IMPORTANT: The outbound keyword is not available on the 5500 SI Switch Series.
Task: Display traffic class configuration.
    Command: display traffic classifier user-defined [ tcl-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display traffic behavior configuration.
    Command: display traffic behavior user-defined [ behavior-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display user-defined QoS policy configuration.
    Command: display qos policy user-defined [ policy-name [ classifier tcl-name ] ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display QoS policy configuration on the specified or all interfaces.
    Command: display qos policy interface [ interface-type interface-number ] [ inbound | outbound ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display VLAN QoS policy configuration.
    Command: display qos vlan-policy { name policy-name | vlan vlan-id } [ slot slot-number ] [ inbound | outbound ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display information about QoS policies applied globally.
    Command: display qos policy global [ slot slot-number ] [ inbound | outbound ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display information about QoS policies applied to a control plane.
    Command: display qos policy control-plane slot slot-number [ inbound ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display information about pre-defined QoS policies applied to a control plane.
    Command: display qos policy control-plane pre-defined [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Clear VLAN QoS policy statistics.
    Command: reset qos vlan-policy [ vlan vlan-id ] [ inbound | outbound ]
    Remarks: Available in user view

Task: Clear the statistics for a QoS policy applied globally.
    Command: reset qos policy global [ inbound | outbound ]
    Remarks: Available in user view

Task: Clear the statistics for the QoS policy applied to a control plane.
    Command: reset qos policy control-plane slot slot-number [ inbound ]
    Remarks: Available in user view
Configuring priority mapping

Both bridge mode (Layer 2) and route mode (Layer 3) Ethernet ports support the priority mapping function. The term interface in this chapter collectively refers to these types of ports. You can use the port link-mode command to set an Ethernet port to operate in bridge or route mode (see Layer 2—LAN Switching Configuration Guide). The 5500 SI Switch Series does not support Layer 3 Ethernet ports.

Overview

When a packet enters a device, depending on your configuration, the device assigns a set of QoS priority parameters to the packet based on either a certain priority field carried in the packet or the port priority of the incoming port. This process is called priority mapping. During this process, the device can modify the priority of the packet depending on device status. The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.

Priority mapping is implemented with priority mapping tables and involves priorities such as 802.1p priority, DSCP, IP precedence, local precedence, and drop precedence.

Types of priorities

Priorities fall into the following types: priorities carried in packets, and priorities locally assigned for scheduling only.

The packet-carried priorities include 802.1p priority, DSCP precedence, IP precedence, and so on. These priorities have global significance and affect the forwarding priority of packets across the network. For more information about these priorities, see Appendix B Packet precedences.

The locally assigned priorities only have local significance. They are assigned by the device for scheduling only. These priorities include the local precedence and drop precedence, as follows:

• Local precedence—Local precedence is used for queuing. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled.
• Drop precedence—Drop precedence is used for making packet drop decisions. Packets with the highest drop precedence are dropped preferentially.

Priority mapping tables

Priority mapping is implemented with priority mapping tables. By looking up a priority mapping table, the device decides which priority value to assign to a packet for subsequent packet processing. The switch provides the following priority mapping tables:

• dot1p-dp—802.1p-to-drop priority mapping table.
• dot1p-lp—802.1p-to-local priority mapping table.
• dscp-dot1p—DSCP-to-802.1p priority mapping table, which is applicable to only IP packets.
• dscp-dp—DSCP-to-drop priority mapping table, which is applicable to only IP packets.
• dscp-dscp—DSCP-to-DSCP priority mapping table, which is applicable to only IP packets.