HP 12500 Routing Switch Series ACL and QoS Configuration Guide

Part number: 5998-3415
Software version: 12500-CMW710-R1728
Document version: 6W710-20121130

Legal and notice information

© Copyright 2012 Hewlett-Packard Development Company, L.P.

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents

Configuring ACLs  1
  Overview  1
    ACL categories  1
    Numbering and naming ACLs  1
    Match order  1
    Rule numbering  3
    Fragments filtering with ACLs  3
  Configuration task list  3
  Configuring a basic ACL  4
    Configuring an IPv4 basic ACL  4
    Configuring an IPv6 basic ACL  4
  Configuring an advanced ACL  5
    Configuring an IPv4 advanced ACL  5
    Configuring an IPv6 advanced ACL  6
  Configuring an Ethernet frame header ACL  7
  Configuring a user-defined ACL  8
  Copying an ACL  9
  Configuring IPv6 for the ACL hardware mode  9
  Configuring packet filtering with ACLs  10
    Applying an ACL to filter packets globally  10
    Applying an ACL to an interface for packet filtering  10
    Applying an ACL to a VLAN for packet filtering  11
    Setting the interval for generating and outputting packet filtering logs  11
    Setting the packet filtering default action  11
    Enabling hardware-count for the packet filtering default action  11
  Displaying and maintaining ACLs  12
  ACL configuration examples  13
    IPv4 ACL configuration example  13
    IPv6 ACL configuration example  14
    IPv4 packet filtering configuration example  15
QoS overview  17
  QoS service models  17
    Best-effort service model  17
    IntServ model  17
    DiffServ model  18
  QoS techniques overview  18
    Deploying QoS in a network  18
    QoS processing flow in a device  19
Configuring a QoS policy  20
  Non-MQC approach  20
  MQC approach  20
  Configuration procedure diagram  20
  Defining a traffic class  21
  Defining a traffic behavior  21
  Defining a QoS policy  22
  Applying the QoS policy  22
    Applying the QoS policy to an interface  22
    Applying the QoS policy to a VLAN  23
    Applying the QoS policy globally  23
  Displaying and maintaining QoS policies  24
Configuring priority mapping  25
  Overview  25
    Introduction to priorities  25
    Priority maps  25
  Priority mapping configuration tasks  25
  Configuring a priority map  26
    Configuring a colored priority map  27
    Configuring an uncolored priority map  27
  Configuring a port to trust packet priority for priority mapping  27
  Changing the port priority of an interface  28
  Configuring primap  29
  Displaying and maintaining priority mapping  30
  Priority trust mode configuration example  30
    Network requirements  30
    Configuration procedure  31
  Primap configuration example  31
    Network requirements  31
    Configuration procedure  32
Configuring traffic policing and GTS  34
  Overview  34
    Traffic evaluation and token buckets  34
    Traffic policing  35
    GTS  36
  Configuring traffic policing  36
  Configuring GTS  37
    Configuring queue-based GTS  37
    Configuring GTS for all traffic  38
  Displaying and maintaining traffic policing and GTS  38
  Traffic policing and GTS configuration example  38
    Network requirements  38
    Configuration procedure  39
Configuring hardware congestion management  41
  Overview  41
    Impacts and countermeasures  41
    Congestion management techniques  41
  Configuring queue scheduling profiles  43
    Configuring a queue scheduling profile  44
    Displaying and maintaining queue scheduling profiles  45
    Queue scheduling profile configuration example  45
      Network requirements  45
      Configuration procedure  45
  Configuring low-latency queuing  46
Configuring traffic filtering  47
  Configuration procedure  47
  Configuration example  48
    Network requirements  48
    Configuration procedure  48
Configuring priority marking  49
  Configuration procedure  49
  Configuration example  50
    Network requirements  50
    Configuration procedure  50
Configuring traffic redirecting  53
  Configuration procedure  53
  Configuration example  54
    Network requirements  54
    Configuration procedure  55
Configuring global CAR  57
  Overview  57
  Configuring aggregate CAR  57
  Displaying and maintaining global CAR configuration  57
  Configuration example  58
Configuring class-based accounting  59
  Configuration procedure  59
  Configuration example  60
    Network requirements  60
    Configuration procedure  60
Configuring traffic accounting  62
  Configuration procedure  62
  Displaying and maintaining traffic accounting  62
Configuring MPLS QoS  63
  Overview  63
  Configuration procedure  63
Configuring data buffers  65
  Overview  65
    Buffer resource  65
    Shared area and fixed area  65
  Configuring a data buffer  66
    Configuring the shared-area size  66
    Applying data buffer configuration  67
  Displaying and maintaining data buffers  67
Configuring time ranges  68
  Configuration procedure  68
  Displaying and maintaining time ranges  68
  Time range configuration example  68
Appendix  70
  Appendix A Acronym  70
  Appendix B Default priority maps  71
    Colored priority maps  71
    Uncolored priority maps  74
  Appendix C Introduction to packet precedences  75
    IP precedence and DSCP values  75
    802.1p priority  77
    EXP values  77

Configuring ACLs

A switch can operate in standalone mode (the default) or IRF mode.
For more information about the IRF mode, see IRF Configuration Guide.

Overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an example. You can also use ACLs in QoS, security, routing, and other feature modules for identifying traffic. Whether a matching packet is dropped or forwarded depends on the module that uses the ACL.

ACL categories

| Category | ACL number | IP version | Match criteria |
|---|---|---|---|
| Basic ACLs | 2000 to 2999 | IPv4 | Source IPv4 address |
| | | IPv6 | Source IPv6 address |
| Advanced ACLs | 3000 to 3999 | IPv4 | Source IPv4 address, destination IPv4 address, IPv4 packet priority, protocols over IPv4, and other Layer 3 and Layer 4 header fields |
| | | IPv6 | Source IPv6 address, destination IPv6 address, IPv6 packet priority, protocols over IPv6, and other Layer 3 and Layer 4 header fields |
| Ethernet frame header ACLs | 4000 to 4999 | IPv4 and IPv6 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type |
| User-defined ACLs | 5000 to 5999 | IPv4 and IPv6 | User-specified matching patterns in protocol headers |

Numbering and naming ACLs

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name.

For an IPv4 basic or advanced ACL, its ACL number and name must be unique among IPv4 ACLs. For an IPv6 basic or advanced ACL, its ACL number and name must be unique among IPv6 ACLs.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and the action taken depend on the rule order.
The following ACL match orders are available:

• config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, carefully check the rules and their order, because an earlier, broader rule can shadow a later, more specific one.
• auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

NOTE: The match order of user-defined ACLs can only be config.

Table 1 Sort ACL rules in depth-first order

IPv4 basic ACL:
1. VPN instance
2. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
3. Rule configured earlier

IPv4 advanced ACL:
1. VPN instance
2. Specific protocol type rather than IP (IP represents any protocol over IP)
3. More 0s in the source IP address wildcard mask
4. More 0s in the destination IP address wildcard
5. Narrower TCP/UDP service port number range
6. Rule configured earlier

IPv6 basic ACL:
1. VPN instance
2. Longer prefix for the source IP address (a longer prefix means a narrower IP address range)
3. Rule configured earlier

IPv6 advanced ACL:
1. VPN instance
2. Specific protocol type rather than IP (IP represents any protocol over IPv6)
3. Longer prefix for the source IPv6 address
4. Longer prefix for the destination IPv6 address
5. Narrower TCP/UDP service port number range
6. Rule configured earlier

Ethernet frame header ACL:
1. More 1s in the source MAC address mask (more 1s means a smaller MAC address range)
2. More 1s in the destination MAC address mask
3. Rule configured earlier

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care" bits, and the 1 bits represent "don't care" bits.
If the "do care" bits in an IP address are identical to the "do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

Rule numbering

ACL rules can be manually numbered or automatically numbered. This section describes how automatic ACL rule numbering works.

Rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on.

The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0. For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the HP ACL implementation does the following:
• Filters all fragments by default, including non-first fragments.
• Allows for matching criteria modification, for example, filters fragments only.

Configuration task list

Tasks at a glance

(Required.) Perform at least one of the following tasks:
• Configuring a basic ACL
  ◦ Configuring an IPv4 basic ACL
  ◦ Configuring an IPv6 basic ACL
• Configuring an advanced ACL
  ◦ Configuring an IPv4 advanced ACL
  ◦ Configuring an IPv6 advanced ACL
• Configuring an Ethernet frame header ACL
• Configuring a user-defined ACL

(Optional.) Copying an ACL
(Optional.) Configuring IPv6 for the ACL hardware mode
(Optional.) Configuring packet filtering with ACLs

Configuring a basic ACL

This section describes procedures for configuring IPv4 and IPv6 basic ACLs.

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPv4 basic ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl name acl-name command to enter the view of a named ACL.

Step 3. (Optional.) Configure a description for the IPv4 basic ACL.
  Command: description text
  Remarks: By default, an IPv4 basic ACL has no ACL description.

Step 4. (Optional.) Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.

Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { source-address source-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv4 basic ACL does not contain any rule. The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging. On a PE or MCE, this option does not apply to packets received from a VPN site. For more information about PE and MCE, see MPLS Configuration Guide.

Step 6. (Optional.) Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: By default, no rule comments are configured.

Configuring an IPv6 basic ACL

IPv6 basic ACLs match packets based only on source IPv6 addresses.

To configure an IPv6 basic ACL:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IPv6 basic ACL and enter its view.
  Command: acl ipv6 number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv6 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl ipv6 name acl-name command to enter the view of a named ACL.

Step 3. (Optional.) Configure a description for the IPv6 basic ACL.
  Command: description text
  Remarks: By default, an IPv6 basic ACL has no ACL description.

Step 4. (Optional.) Set the rule numbering step.
  Command: step step-value
  Remarks: The default setting is 5.

Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { source-address source-prefix | source-address/source-prefix | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv6 basic ACL does not contain any rule. The logging keyword takes effect only when the module (for example, packet filtering) that uses the ACL supports logging. The vpn-instance option is not supported in the current software version; it is reserved for future support.

Step 6. (Optional.) Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: By default, no rule comments are configured.

Configuring an advanced ACL

This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.
Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes. Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv4 advanced ACL:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A